![]() Generate a long PSK with at least 30 chars, to resist a brute-force attack.Use a password/passphrase generator for the creation of the PSK.Generate a new/different PSK for every VPN tunnel. ![]() Thereby, a really complex key can be generated and used for the authentication of the VPN peer. Since the PSKs must be configured on each side only once, it should be no problem to write 20-40 letters on the firewall. That is: If the PSK is not complex enough, the attacker could succeed and would be able to establish a VPN connection to the network (if he furthermore knows the IDs of the site-to-site VPN peers which is no problem since they traverse through the Internet in plaintext, too). An attacker can do an offline brute-force attack against this hash. In this scenario, a hash from the PSK traverses the Internet. But: If one remote side has only a dynamic IP address, IKE must use the aggressive mode for its authentication.Even skilled hackers must be able to inject falsified BGP routes or to sit nearby the customers default gateway/router. This is quite unrealistic for normal persons with common ISP connections. That is: Even if an attacker has a PSK, he must spoof a public IP address to use it to authenticate against the other side. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |