Networking Forums

Re: Is the Draytek 2955 router SSL mode any good?

 
 
alexd
03-31-2010, 08:08 PM
On 31/03/10 16:26, occassionally-(E-Mail Removed) wrote:

> Reading the above Draytek stuff, they seem to just use a standard www
> browser as the client, but this obviously works only with host apps
> which interact with an HTTPS browser (I cannot think of any such app
> myself;


Quite. Web servers that aren't capable of SSL that one would want remote
access to must be few and far between.

> They also offer the option of a download of a client tunneling program
> (a java active-x thingy) which then gives a normal VPN functionality.
> This is the bit I would need for e.g. pc/anywhere which is the main
> app I run over the VPN.


You mentioned elsewhere that you wanted this to work with phones etc.
You can forget about installing an ActiveX control on a Nokia phone.

> Also curiously one needs to enable the remote management mode in the
> router, on HTTPS only, for the SSL VPN to work. I can understand this,
> but surely this means port 443 is going to be hacked mercilessly.


So pick a good username and password - but you should be doing that anyway!

> Maybe a response to a port sniffer on port 443 is just an unavoidable
> side effect of any SSL VPN?


If you want to be able to access it from anywhere [eg use it from a mobile
network], then it will have to respond to connection attempts from
anywhere to port 443.

> Which begs the question of which ports does a PPTP VPN appear on? I
> got somebody to do a port scan on my IP and apart from the obvious
> ports he found nothing open.


http://en.wikipedia.org/wiki/PPTP

Port 1723 + GRE.

> I would expect a VPN router to not respond to port sniffers unless it
> first receives a data packet which contains a part of the user's
> password or something like that.


Not how TCP works. Data [ie packets that would confirm the user's
identity] won't start flowing until the connection has been established.

<http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment>

> Otherwise, this opens up the router to an easy DOS attack, especially
> on an ADSL connection with a fast downlink speed e.g. 8Mbits/sec


Bad news I'm afraid: if you're using DSL [or any kind of low-bandwidth
connection for that matter] you're already an easy target for a DOS.
Doesn't matter if your router responds or not.

> The other thing I can't get my head around is how would one run an
> HTTPS server behind this router. Currently we run an HTTP server
> behind ours, which is trivial. Presumably the 2955 must be
> configurable for an automatic "pass-through" so any traffic not
> destined for the remote admin function, and not destined for one of
> the VPN users, gets passed through to the internal network?


But how would it know?

This problem is not unique to a router offering SSL VPN; for customers
who have HTTPS servers and only one public IP address, I would usually
put the router or firewall management interface on a different port. If
one wanted to be clever, one could use squid as a reverse proxy
listening on 443, and route connections to the relevant internal host by
the URL requested. No guarantees this will work, especially if the SSL
VPN isn't HTTPS.

--
<http://ale.cx/> (AIM:troffasky) ((E-Mail Removed))
20:40:30 up 56 days, 44 min, 1 user, load average: 0.63, 0.27, 0.21
It is better to have been wasted and then sober
than to never have been wasted at all
 
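As an added example of the one-public-IP problem alexd describes above (my code, written for this page, not alexd's setup or squid's own logic): a front end on port 443 that forwards connections instead of terminating TLS cannot see the requested URL, but it can read the Server Name Indication in the TLS ClientHello and choose the internal host from that. The host names and backend addresses are constructed; a client that is not speaking TLS, or sends no SNI, cannot be routed this way, which is the caveat alexd raises for an SSL VPN that isn't HTTPS.

```python
import struct

def build_client_hello(server_name):
    """Constructed minimal TLS 1.2 ClientHello carrying one SNI extension (test input only)."""
    name = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name          # host_name type + name
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                      # version, random, no session id
            + struct.pack("!H", 2) + b"\x13\x01"                      # one cipher suite
            + b"\x01\x00"                                             # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                # handshake: ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs          # record: handshake

def extract_sni(data):
    """Return the SNI host name from the first TLS record, or None if the bytes are not a
    ClientHello or carry no SNI. Assumes the ClientHello fits in one record."""
    try:
        if data[0] != 0x16:
            return None                                   # not a TLS handshake record
        hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        if hs[0] != 0x01:
            return None                                   # not a ClientHello
        p = 4 + 2 + 32                                    # header, version, random
        p += 1 + hs[p]                                    # session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]      # cipher suites
        p += 1 + hs[p]                                    # compression methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0:                                # server_name extension
                nlen = struct.unpack("!H", hs[p + 3:p + 5])[0]
                return hs[p + 5:p + 5 + nlen].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

# Constructed routing table: public name -> internal listener. Not a real deployment.
ROUTES = {"www.example.net": "192.0.2.10:443",      # internal HTTPS web server
          "vpn.example.net": "127.0.0.1:8443"}      # router management / SSL VPN listener

def choose_backend(first_bytes):
    """Decide where a new connection on 443 goes. None means we cannot tell (non-TLS
    client, no SNI, or an unknown name), which is the case alexd warns about."""
    return ROUTES.get(extract_sni(first_bytes))
```

A real front end would also have to cope with a ClientHello split across records and with clients that send no SNI at all, for which the only fallback is a default backend or a dropped connection.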
 
 
 
 
Peter
03-31-2010, 09:37 PM

alexd <(E-Mail Removed)> wrote

>You mentioned elsewhere that you wanted this to work with phones etc.
>You can forget about installing an ActiveX control on a Nokia phone.


Not on the phone.

99% of my travelling internet access is plain pop, smtp, www. The VPN
would be used only for laptop use and

1) when I am collecting email and doing stuff where the logins are in
the clear and the place I am in is potentially dodgy (e.g. my laptop
is in an internet cafe in some 3rd world country)

2) to run pc/anywhere to sort out some emergency in the office; in
this case one has an alternative which is to open up the two pc/a
ports in the router and this avoids a VPN but IMHO this is a lot less
secure because a) any port sniffer will find the pc/a ports instantly
and b) one needs to use the 'encrypted' mode of pc/a which I found
really slows it down. I suspect the same applies to winXP remote
desktop, VNC and other solutions which can be run without a VPN and
with their own end-end encryption and login authentication.

>> I would expect a VPN router to not respond to port sniffers unless it
>> first receives a data packet which contains a part of the user's
>> password or something like that.

>
>Not how TCP works. Data [ie packets that would confirm the user's
>identity] won't start flowing until the connection has been established.
>
><http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment>


OK...

But this is not how I would have implemented a VPN if I was also
supplying the client side driver: I would send a UDP packet first,
with some piece of the user identity, and this would then open up the
VPN to normal comms. Nonstandard I suppose.

>> The other thing I can't get my head around is how would one run an
>> HTTPS server behind this router. Currently we run an HTTP server
>> behind ours, which is trivial. Presumably the 2955 must be
>> configurable for an automatic "pass-through" so any traffic not
>> destined for the remote admin function, and not destined for one of
>> the VPN users, gets passed through to the internal network?

>
>But how would it know?
>
>This problem is not unique to a router offering SSL VPN; for customers
>who have HTTPS servers and only one public IP address, I would usually
>put the router or firewall management interface on a different port. If
>one wanted to be clever, one could use squid as a reverse proxy
>listening on 443, and route connections to the relevant internal host by
>the URL requested. No guarantees this will work, especially if the SSL
>VPN isn't HTTPS.


OK, I suppose this means that if one wanted to run an HTTPS website
one would need to get a second IP for it.

 
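An added example (my code, written for this page, not from either poster) of the two points exchanged above: alexd's, that a TCP listener cannot hide because the kernel completes the SYN / SYN-ACK / ACK handshake before the application sees any credential, and Peter's, that a UDP listener can check an authenticator in the very first datagram and stay silent otherwise (the idea usually called port knocking or single packet authorization). The shared secret, user id and loopback ports are constructed.

```python
import hashlib, hmac, socket, threading

SECRET = b"constructed-demo-secret"  # constructed for this example, not a real shared key

def start_tcp_service():  # replies only after b"TOKEN", yet the handshake completes first
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()  # SYN / SYN-ACK / ACK already done by the kernel
            with conn:
                if hmac.compare_digest(conn.recv(64), b"TOKEN"):
                    conn.sendall(b"welcome")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def knock(user):  # client side of the UDP scheme: 32-byte HMAC-SHA256 tag, then user id
    return hmac.new(SECRET, user, hashlib.sha256).digest() + user

def start_udp_service():  # replies only to a valid tag; everything else dropped silently
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    def serve():
        while True:
            data, peer = srv.recvfrom(256)
            if data[32:] and hmac.compare_digest(knock(data[32:]), data):
                srv.sendto(b"open", peer)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def tcp_probe(port):  # what a port scanner does: complete the handshake, send nothing
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(1.0)
        return "open" if s.connect_ex(("127.0.0.1", port)) == 0 else "closed/filtered"

def udp_probe(port, payload):  # the reply, or None if the service stayed silent
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(0.5)
        s.sendto(payload, ("127.0.0.1", port))
        try:
            return s.recvfrom(64)[0]
        except socket.timeout:
            return None

def demo():  # scan both services the way an outsider would, then do the legitimate knock
    t, u = start_tcp_service(), start_udp_service()
    return {"tcp_scan": tcp_probe(t), "udp_scan": udp_probe(u, b"hello"),
            "udp_knock": udp_probe(u, knock(b"peter"))}  # "open", None, b"open"
```

Silence from the UDP service looks like a firewall drop rather than a closed port, and a tag computed only over the user id can be replayed, so a real scheme would add a timestamp or counter to the knock.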
 
alexd
04-01-2010, 07:09 PM
On 01/04/10 10:37, occassionally-(E-Mail Removed) wrote:
> On the draytek.co.uk forum there is a question (like most, not
> answered):
>
>> Just updated to 2955 and trying to create a secure SSL VPN (teleworker to 2955)
>>
>> But the User/Password combination seems to be the only protection. I have tried
>> to invoke a certificate and/or shared key but it will not allow me to select
>> them.

>
> Is this correct? I suppose it is OK because I know of private HTTPS
> websites which use just a login/pwd and the browser reports the
> certificate is invalid.
>


I think that poster is actually asking about client-side SSL
certificates, which is something you would issue to a client in order
for the router to verify the client's identity [which is how OpenVPN
works, for example]. This would be a factor of security in addition to
username/password, and ensures that someone can't log in by guessing a
password.

On your second point, yes the browser would cry about the SSL cert being
self-signed. If this bothers you, it is possible to get a free cert from
startssl.com. Not sure if it's possible to import them into a Draytek,
however.

--
<http://ale.cx/> (AIM:troffasky) ((E-Mail Removed))
20:00:17 up 57 days, 27 min, 1 user, load average: 0.16, 0.14, 0.16
It is better to have been wasted and then sober
than to never have been wasted at all
 