It perfectly makes sense to pen-test VPN access. Traffic may eventually be encrypted, and then confidential datas going over untrusted network could not be sniffed. But beyond that a VPN gateway is often a direct entry point to the internal network. Starting from here, all of your security relies on the the authentication used by the VPN gateway. If this one is not good enough, you might be in trouble. This is where the VPN pen-testing come. As for tools I don't really know any specific one. To me the steps for pen-testing would be quite classical, identifying the type of VPN that can be done with gateway (ie IKE/IPSec, PPTP, L2TP/IPSec...), finding what is exactly the type of the VPN gateway, then do specific vulnerability research on this gateway type, and start with the associated VPN client. Indeed various things can be done as a start depending of the solution, for example with Checkpoint VPN-1, you should be able to get the topology file... BR
David > -----Message d'origine----- > De: Carl Bysen [SMTP:[EMAIL PROTECTED]] > Date: samedi 23 f�vrier 2002 17:25 > �: [EMAIL PROTECTED] > Objet: pen test VPN > > Hi, > > what can be done to pen test a VPN setup? Which tools are available, > additionally does it make sense to pen-test a VPN setup (traffic is > encrypted)? > > > Regards, > --egonle > -- > > _______________________________________________ > > Sign-up for your own FREE Personalized E-mail at Mail.com > > http://www.mail.com/?sr=signup > > > > > > 1 cent a minute calls anywhere in the U.S.! > > > > http://www.getpennytalk.com/cgi-bin/adforward.cgi?p_key=RG9853KJ&url=http: > //www.getpennytalk.com > > > > > > -------------------------------------------------------------------------- > -- > This list is provided by the SecurityFocus Security Intelligence Alert > (SIA) > Service. For more information on SecurityFocus' SIA service which > automatically alerts you to the latest security vulnerabilities please > see: > https://alerts.securityfocus.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
