1

We are installing a vendor-supplied ASP.net application on IIS 7.5, giving access to sensitive customer details for remote access by our staff. I am wondering whether it is necessary to use a VPN to secure it. Using a VPN would be considerably more inconvenient for the staff and provide more access for connected clients to the rest of the network than I would like.

With no VPN, the application would be secured by HTTPS using TLS. The only part of the software that should be accessible to the web at large would be the login page. The application can be set to either use a completely built-in authentication method or Active Directory authentication via NTLM (probably preferably).

I am slightly concerned about the application's security-soundness. The developer has not had any 3rd-party penetration testing done and it appears from my investigation that passwords for the built-in authentication are stored with reversible encryption rather than hashed.

How much additional security do you think using a VPN would offer over relying on HTTPS and the application's authentication? Are there any questions I could ask the developer or ways I could test the application to check for vulnerabilities?

VPN Security Versus Plain Old TLS - Similar question that was useful, but not focused on assessing a supplied application

Surreal

3 Answers

1

Both "VPN" and "HTTPS" have no inherent security. You must specify minimum security measures each takes in securing a connection. The configuration of either is a vital piece of information you'll need in order to determine which is appropriate for your situation.

So figure out what the minimum security measures you require are, say AES-128 encryption, SHA-1 integrity, and some sort of authentication (NTLM is weak; I'd suggest HTTP-DIGEST, or Kerberos if you can swing that).

Then compare that requirement to the minimum security allowed by each type of connection. HTTPS is going to be more convenient, so if its minimums are at or above your requirement it should be used. If neither VPN nor HTTPS meets your requirements, time to reassess your requirements or the vendor's product.

Chris S
  • That is a reasonable point. TLS using AES-128 and SHA-1 would be adequately secure for the encryption and integrity of data traffic. What I am most concerned about is the web app client authentication system: to judge any plausible weakness in that against possible VPN authentication systems using username and password or client certificates. I suppose I am still not really giving enough information to decide. – Surreal Apr 22 '11 at 23:14
  • I understand NTLM is insecure on its own, but the main problem with it seems to be a weakness to man-in-the-middle attacks, which I would expect TLS to prevent. Does that sound correct? – Surreal Apr 22 '11 at 23:14
  • NTLM also has replay attacks; specifically if your computer has cached credentials (enabled by default in every version of Windows) and someone compromises your computer (easily done stealing a laptop) they can replay the cached hash to gain access. TLS would have no effect on that. Certificate renegotiation has its own issues as well (for client authentication); though the most current software has fixed it. – Chris S Apr 23 '11 at 00:02
  • Thanks, that is an attack possibility I had missed. I will see if we can avoid NTLM. – Surreal Apr 23 '11 at 00:45
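
The comparison described in the answer above (state a minimum, then check it against the weakest option each connection will accept), as an added example that is not part of the original answer or comments. The suite lists are constructed, the strength ranking is this example's own assumption, and the VPN is assumed to be TLS-based (such as SSTP) so both endpoints can be described with the same suite names.

```python
# Added example: suite lists are constructed, not read from a real server.

# Strength ordering is an assumption of this example; adjust to your policy.
CIPHER_RANK = {"NULL": 0, "RC4_40": 1, "DES40_CBC": 1, "DES_CBC": 2,
               "RC4_128": 3, "3DES_EDE_CBC": 4,
               "AES_128_CBC": 5, "AES_256_CBC": 6}
MAC_RANK = {"NULL": 0, "MD5": 1, "SHA": 2, "SHA256": 3}


def parse_suite(name):
    """Split an IANA-style suite name into (bulk cipher, MAC)."""
    _, _, bulk = name.partition("_WITH_")
    cipher, _, mac = bulk.rpartition("_")
    return cipher, mac


def below_minimum(suites, min_cipher="AES_128_CBC", min_mac="SHA"):
    """Return every accepted suite weaker than the stated minimum.

    Unknown ciphers or MACs rank -1, so they fail closed.
    """
    weak = []
    for suite in suites:
        cipher, mac = parse_suite(suite)
        if (CIPHER_RANK.get(cipher, -1) < CIPHER_RANK[min_cipher]
                or MAC_RANK.get(mac, -1) < MAC_RANK[min_mac]):
            weak.append(suite)
    return weak


def choose(https_suites, vpn_suites):
    """Prefer HTTPS (more convenient) if its weakest suite meets the minimum."""
    if not below_minimum(https_suites):
        return "HTTPS"
    if not below_minimum(vpn_suites):
        return "VPN"
    return "reassess requirements or product"


# Constructed inputs: what each endpoint is configured to accept.
HTTPS_AS_INSTALLED = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
                      "TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
HTTPS_RESTRICTED = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"]
VPN_TLS_BASED = ["TLS_RSA_WITH_AES_256_CBC_SHA"]

if __name__ == "__main__":
    print("weak HTTPS suites:", below_minimum(HTTPS_AS_INSTALLED))
    print("as installed ->", choose(HTTPS_AS_INSTALLED, VPN_TLS_BASED))
    print("restricted   ->", choose(HTTPS_RESTRICTED, VPN_TLS_BASED))
```

The result depends on the weakest suite an endpoint still accepts, not the strongest one it offers, which is why the same server passes only after the weaker suites are removed from its list.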
1

The things that you are mentioning as security concerns really aren't apropos to a discussion of IPSec VPN vs. SSL.

If the vendor is using bad practices to secure their applications, they probably are skimping on other areas as well.

If you said that you were worried about your customers having their SSL sessions hijacked, that might be an argument in favor of an IPSec VPN.

duffbeer703
  • My concern is certainly over what bad practices in the few areas I can check might indicate. What I would really like to know is whether there is anything plausible that they might have done wrong that would leave a significant risk of non-staff users getting to the data. My title may be misleading: I should perhaps have left out "with HTTPS" altogether. I am more interested in the extent to which a VPN (whether PPTP, IPSec or SSTP) is useful or necessary to protect us from application developer mistakes, than in IPSec vs SSL. – Surreal Apr 23 '11 at 01:04
0

I would say, that if it can't be proven and demonstrated that the application is 100% secure from the vendor without the need for an extra layer, then go ahead and use the VPN.

You will incur the overhead of the VPN, depending on the level of encryption used, but it will provide you with peace of mind.

Basically, to answer the original question: a web application can be trusted when it is shown to be.

DanBig
  • I am not sure that anyone could ever prove that an application is entirely secure. However I see your argument in taking the precaution of a VPN if I have any significant doubts about the application. – Surreal Apr 22 '11 at 23:17
  • I think in retrospect my question was too specific to be clearly answered without more details of the exact circumstances. However caution was definitely the correct approach in this case. It turned out from more examination that the web application contained an authentication vulnerability allowing complete access to the system. – Surreal Jun 23 '11 at 21:07