• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 362
  • Last Modified:

VPN secure?

Just  question..  how secure is VPN?
I know its 128-bit encryption which means you need to have atleast a 16 char encryption 'password', which I guess is pretty hard to crack.
but does that make it ultra secure?
would anyone recommend changing the encryption 'password' every few months or so?
0
dr_binks
Asked:
dr_binks
2 Solutions
 
JammyPakCommented:
Here's some interesting commentary:
http://www.mycrypto.net/encryption/encryption_crack.html

From the above link:
"As key lengths increase, the number of combinations that must be tried for a brute force attack increase exponentially. For example a 128-bit key would have 2^128 (3.402823669209e+38) total possible combinations. For example, to theoretically crack the 128-bit IDEA key using brute force one would have to:

develop a CPU that can test 1 billion IDEA keys per second
build a parallel machine that consists of one million of these processors
mass produce them to an extent that everyone can own one hundred of these machines
network them all together and start working through the 128 bit key space"

That said, of course, most encryption cracking isn't necessarily going to be brute force, they will come up with better methods. Something like AirCrack, for example, cracks WEP keys, but doesn't use brute force.

Bottom line is that at the moment, 128-bit encryption, assuming it's properly implemented by the software with no bugs and vulnerabilities, it pretty darn safe. This just means that someone sniffing the encrypted traffic is very unlikely to be able to decrypt it.

What you REALLY have to worry about is: users with bad VPN passwords, users that share their VPN passwords, users that leave the company and aren't properly removed, users that save their VPN password in cache and then lose their laptop, unpatched software vulnerabilities in the VPN server or client, etc, etc, etc.

I wouldn't worry about changing the encryption password unless too many people know it. At 128-bits, I wouldn't worry about the strength of your encryption key. I would worry about educating users on best safety practices, and creating good practices and policies for the IT staff.
0
 
Rich RumbleSecurity SamuraiCommented:
128 is good enough, if the algo is secure. 128-bit (single)DES would be pushing it, as DES is very outdated, and they now have specialized hardware for cracking it- not the public mind you, but "they" do. Propriatary encryption schemes are typically very insecure, if the VPN is using a "respectable" encryption method, such as IDEA, BlowFish, TwoFish, AES, MD5, 3DES etc... then your probably ok.

Something that people tend to overlook is that just like electricty, hackers, crackers and other nastie people who want information, follow the path of least resistance to get it. A keylogger that emails or send an IRC message to someone is much better at getting a password than cracking or brute-forcing them. The Govt does the same thing, even the NSA with it's super computers and specialized equipment, resort to a keylogger or a FakeGina to capture keystrokes. They can even use a TEMPEST device, an antenna for electromagnetic signals, point it at your building, and look at what is on your monitor. But if your pass is behind ****'s that's all they see ;) but the Klogger will see it all.
-rich
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now