VPN vs Leased Line - Comparing The Security
In my earlier article - Leased Line vs VPN – Which Technology Is Right For YOUR Business? - I explained the major differences between VPN and leased line solutions. This article focuses more on the theoretical security risks of both technologies, particularly with regard to issues that could compromise the privacy or accessibility of corporate data. I want to stress that these are THEORETICAL risks. In practice, few businesses need to worry about these threats.
Leased Line Security Risks
- Wiretapping at your office building e.g. someone physically connects to the communications equipment in the basement of your building. This is unlikely to happen unless your company is a high-value target, as it's a high risk strategy.
- Wiretapping at manholes through which your leased line circuits pass - Less conspicuous, but very difficult to do successfully. An attacker would need experts who knew how to splice into fibre networks and figure out which fibre carries your data.
- Wiretapping at undersea cable landing stations - This only affects international traffic. The NSA leaker Edward Snowden released documents that suggested some government agencies routinely monitor traffic into and out of the UK and the US. As you're not involved in terrorism, this shouldn't concern you unless you're a non-UK firm competing against UK/US firms for multi-billion dollar contracts.
- The hacking of your leased line provider - Even if the hackers manage to take control of a PC on the LAN of your leased line supplier, turning that control into control of the routers through which your traffic passes is likely to be quite difficult, as it requires specialist networking knowledge, such as how to reconfigure a core router to forward packets from your network to an external destination.
- Distributed denial of service attack on the public IP addresses of the hardware upon which your leased line circuits rely - This could bring down your leased line, even if it's been configured to run without publicly addressable IP addresses. That said, this requires serious fire-power from the attacker, as the core routers they would be attacking are extremely powerful and capable of processing gigabits of traffic per second.
- Accidental disconnection when workmen dig up the street - This is a distinct possibility. The usual way to guard against this is to install two links, preferably from two different carriers, so that if one link goes down, there's still another one available.
- Intentional disconnection of the physical circuit to create a 'denial of service' - e.g. opening a manhole cover under which your circuit travels and cutting the fibre-optic cables (or copper wires) through which your data flows. This would only be effective in the short term, as carriers monitor their networks and would spot if a circuit (or dozens of circuits) went down. If the attacker cut through all the cables, they'd complicate the job of fixing the fault, but cause the troubleshooting to be prioritised (as lots of other customer circuits would be affected too). There's not much value in deliberately disconnecting your circuits, unless they're used for alarm systems. Even then, the disconnection is likely to trigger an alarm in itself.
VPN Security Risks
- PPTP has security weaknesses - The most widely used VPN technology (Point-to-Point Tunneling Protocol) has known security weaknesses.
- SSL VPN 'man in the middle attacks' - SSL VPNs are popular, but if poorly configured they can be vulnerable to 'man-in-the-middle' attacks, where the users securely connect to the attacker, who then connects to the target system using the credentials supplied by the user.
- Unpatched flaws in the software of your VPN appliances - Most firewalls and VPN appliances have bugs in their software. Thankfully, these tend to be difficult to spot and exploit. When vendors are alerted to the problems, they tend to be good at patching them. However, these patches won't always be applied expeditiously, creating a window of opportunity for potential attackers.
- Home network insecurity - VPNs are often used by staff working from home, or using their personal laptops. Often these devices have not been patched sufficiently. Even if the devices connecting to your network have been patched, other devices on their home network may be more open to being compromised, creating a security risk. Sometimes the home WiFi connection is configured insecurely, allowing unauthorised devices to connect to the network, where they can try to compromise the home router, or spy on the traffic passing through the home network.
- Total loss of underlying connectivity - The availability of the VPN connection is wholly dependent on there being underlying connectivity. If the underlying connection is lost, the VPN is unusable, impacting business processes that rely on the VPN functioning.
- Partial loss of capacity due to network congestion - Where the VPN traffic travels over contended connections (such as broadband) the availability of bandwidth may fall at peak times, causing a degradation in service which impacts the usability of the VPN.
Don't Let The Above Information Scare You
These are just theoretical risks. In practice, you're unlikely to have to worry about most of them.
Your data is probably not worth the cost of the attack - With the exception of the PPTP flaws, most of the security flaws require a high level of skill to exploit. These skills aren't cheap to hire. Most organisations' data isn't worth the cost of paying someone to compromise it.
'VPN vs Leased Line' comparisons often ignore that both technologies have theoretical security risks
It's unlikely that your competitors would risk an attack - The companies that have most to gain from your data (or a denial-of-service-attack that affects your clients) have a great deal to lose were such an attack to be traced back to them. Their corporate reputations would be damaged. The executives responsible would be jailed and their careers would be finished.
There are easier ways for attackers to compromise your company's data security than attacking your leased lines or VPN - Such as spearphishing attacks that trick named employees into visiting compromised web sites that take advantage of browser security flaws. Social engineering is likely to be easier than splicing into a fibre network and tapping the right fibre.
Widespread use of site-to-site VPNs reduces the expected pay-off of attacking leased lines - Why spend a fortune trying to tap a leased line when the odds are high that any data you manage to see is encrypted by a VPN? All major targets (e.g. banks, aerospace firms) use VPNs without fail when transmitting sensitive data. Attackers know this, so are less likely to attack the underlying leased line connections.
Take Sensible Security Measures - That Includes Using VPNs and Leased Lines
Use a VPN to encrypt traffic between your offices - VPN security may not always be theoretically perfect, but it's usually good enough in practice, and is far superior to having no encryption at all, and no authentication.
Use a VPN to encrypt traffic between your offices and homeworkers - This provides some protection from the insecurity of the home users' networks. Their kids' PCs might have malware installed, but if you have set up the VPN correctly, at least the compromised PC can only sniff encrypted traffic. It won't be able to send and receive data to your LAN, as it lacks the appropriate credentials.
If you need resilient connectivity, get two connections - Ideally these should use two separate underlying carriers, and separate routes. If you're really serious about uptime, the connections should terminate at different data centres, and be configured so that if one circuit goes down, the data is re-routed through the other one.
Periodically review VPN logons, checking for suspicious activity - Does your Managing Director really log on at 3am from an IP address originating in China? Do ex-employees log on? Do any employees log on from several IP addresses simultaneously?
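An added example (not from the original article) showing how the three checks above could be scripted against a VPN logon log; the log format, account names, IP addresses and thresholds are all constructed assumptions for the demo:

```python
# Added example: flag the three signs of suspicious VPN logons named above.
# The log format, users, IPs and thresholds are constructed for this demo.
from datetime import datetime, timedelta

# Constructed sample log: "timestamp user source_ip country" (UTC, space-separated).
SAMPLE_LOG = """\
2024-03-04T08:55:10 jsmith 203.0.113.5 GB
2024-03-04T03:02:41 mdirector 198.51.100.77 CN
2024-03-04T09:10:00 bjones 192.0.2.10 GB
2024-03-04T09:12:30 bjones 203.0.113.200 GB
2024-03-04T10:00:00 exleaver 198.51.100.9 GB
"""

FORMER_STAFF = {"exleaver"}             # accounts that should have been disabled
EXPECTED_COUNTRY = "GB"                 # where the workforce normally connects from
OFFICE_HOURS = range(7, 20)             # 07:00-19:59 counts as normal
SESSION_WINDOW = timedelta(minutes=30)  # two logons closer than this overlap

def parse_log(text):
    """Parse the constructed log into (timestamp, user, ip, country) tuples, oldest first."""
    records = []
    for line in text.splitlines():
        ts, user, ip, country = line.split()
        records.append((datetime.fromisoformat(ts), user, ip, country))
    return sorted(records)

def find_suspicious_logons(text):
    """Return a list of (user, reason) findings for the three checks."""
    findings = []
    last_seen = {}  # user -> (timestamp, ip) of that user's previous logon
    for ts, user, ip, country in parse_log(text):
        if user in FORMER_STAFF:
            findings.append((user, "logon by former employee"))
        if ts.hour not in OFFICE_HOURS and country != EXPECTED_COUNTRY:
            findings.append((user, f"out-of-hours logon from {country}"))
        prev = last_seen.get(user)
        if prev and prev[1] != ip and ts - prev[0] < SESSION_WINDOW:
            findings.append((user, "concurrent logons from different IPs"))
        last_seen[user] = (ts, ip)
    return findings

if __name__ == "__main__":
    for user, reason in find_suspicious_logons(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

Real VPN appliances export logons in their own formats, so the parser is the part you would swap for your vendor's syslog or CSV fields.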
Enforce Strong Passwords. Make Users Change Them Regularly - No-one likes them. It stops them using the same password everywhere. This is a GOOD thing, even though your users will complain.
Find Out More About Our VPN and Leased Line Services
hSo provides UK businesses with enterprise-class firewalls, IPsec VPNs, SSL VPNs and leased line circuits. For more information, give us a call on 020 7847 4510.