Fingerprinting Tool Identifies VPN Servers

NTA Monitor releases IKE-scan tool for VPN scanning and identification

NTA Monitor, Europe's leading Internet security testing company, has launched a tool to enable network administrators to scan and identify virtual private network (VPN) servers within their networks. The security-auditing tool will enable users to take corrective action if they identify VPN servers that have known flaws.

The NTA Monitor VPN Fingerprinting tool (ike-scan) exploits transport characteristics in the Internet Key Exchange (IKE) service, the mechanism used by VPNs to establish a connection between a server and a remote client.

The ike-scan tool scans IP addresses for VPN servers by sending a specially crafted IKE packet to each host within a network. Most hosts running IKE will respond, identifying their presence. The tool then remains silent and monitors retransmission packets. These retransmission responses are recorded, displayed and matched against a known set of VPN product fingerprints.

NTA Monitor has identified that there is no standard for how IKE handles retransmission, in terms of delay before retransmission, frequency of retransmission and number of retransmissions. Each VPN vendor uses a different set of variables in its own products, resulting in a unique signature for each VPN product.

NTA Monitor cautions network administrators to ensure that all VPNs in their network are running the manufacturer's latest secure software release. This guidance follows a series of high-profile VPN vulnerabilities identified by NTA Monitor and other security vendors in the last few months.

The NTA Monitor ike-scan tool currently identifies VPNs from manufacturers including Check Point, Cisco, Microsoft, Nortel, and WatchGuard. The detection of these products does not imply that any particular product is at fault; rather, these are among the most commonly found VPN products.
NTA Monitor aims to release updated versions of the ike-scan tool as more VPN server signatures are developed through in-house development and contributions from the security community.

"VPNs have been assumed to be an invisible and secure method of communication between a server and a remote connection. But such thinking is naive. NTA Monitor's ike-scan tool shows that VPNs can not only be discovered but the manufacturer, and sometimes the version, can also be identified. Network administrators need to ensure that they are aware of VPNs configured within their network and ensure that they are using the latest secure software release," said Roy Hills, technical director, NTA Monitor.

The NTA Monitor ike-scan tool has been developed by technical director Roy Hills and is being released by NTA Monitor under the GNU General Public Licence (GPL). The tool and a white paper describing the issue of VPN backoff fingerprinting can be downloaded from NTA Monitor's Web site at: www.nta-monitor.com/ike-scan/

VPNs are much used today to provide remote offices or individual users with secure access to their organisations. A VPN works by using a shared public network while maintaining privacy through security procedures and encrypting data in transit. In effect, the tunneling protocols used encrypt data at the sending end and decrypt it at the receiving end. An additional level of security involves encrypting not only the data, but also the originating and receiving network addresses.

The ike-scan homepage is located at: http://www.nta-monitor.com/ike-scan/
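
The backoff matching described above, sketched as an added example for inventorying VPN servers on a network you administer; it is not ike-scan's own code or fingerprint data. The product names, delay patterns, tolerance value and sample arrival times are all constructed assumptions.

```python
# Constructed fingerprints (NOT real vendor data): seconds between successive
# retransmissions sent by a responder. Product names are hypothetical.
FINGERPRINTS = {
    "example-product-A": [2.0, 2.0, 2.0, 2.0],   # fixed delay, 4 retransmissions
    "example-product-B": [1.0, 2.0, 4.0, 8.0],   # doubling delay
    "example-product-C": [5.0, 5.0],             # long delay, gives up early
}

def backoff_intervals(timestamps):
    """Turn packet arrival times into the delays between consecutive packets."""
    ordered = sorted(timestamps)
    return [round(b - a, 3) for a, b in zip(ordered, ordered[1:])]

def match_fingerprint(timestamps, fingerprints=FINGERPRINTS, fuzz=0.5):
    """Return every fingerprint name whose pattern fits the observed timing.

    A fit needs the same number of retransmissions and each delay within
    `fuzz` seconds (assumed tolerance for network jitter).
    """
    observed = backoff_intervals(timestamps)
    if not observed:
        return []  # one packet shows IKE is present but carries no timing data
    return [
        name for name, pattern in fingerprints.items()
        if len(pattern) == len(observed)
        and all(abs(o - p) <= fuzz for o, p in zip(observed, pattern))
    ]

def inventory(observations):
    """Classify each host from the arrival times of its IKE responses."""
    report = {}
    for host, timestamps in observations.items():
        if not timestamps:
            report[host] = "no IKE response"
            continue
        names = match_fingerprint(timestamps)
        report[host] = ", ".join(names) if names else "IKE present, unidentified"
    return report

# Constructed capture: arrival times in seconds, documentation-range addresses.
SAMPLE = {
    "192.0.2.10": [0.0, 1.02, 3.05, 7.01, 15.0],
    "192.0.2.11": [10.0, 12.1, 13.9, 16.0, 18.05],
    "192.0.2.12": [0.0, 3.0, 6.0],
    "192.0.2.13": [4.2],
    "192.0.2.14": [],
}

if __name__ == "__main__":
    for host, verdict in inventory(SAMPLE).items():
        print(f"{host:12} {verdict}")
```

A lost retransmission changes the packet count, so the host falls back to "IKE present, unidentified" rather than being mislabelled; such hosts still need a manual check against the vendor's latest release.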