
Re: [Openvpn-users] Anyone know how to detect OpenVPN traffic?

  • Subject: Re: [Openvpn-users] Anyone know how to detect OpenVPN traffic?
  • From: Jason Haar <Jason.Haar@xxxxxxxxxxxxx>
  • Date: Sat, 20 Nov 2004 12:42:18 +1300

Michael Scheidell wrote:

Seriously - I think this sort of thing is happening more and more. We don't allow P2P - and our IDS could always pick it up. Then along came Skype - changes port numbers at random, and encrypts traffic. But we managed to come up with a Snort rule for that too. Now it appears we have met the "perfect" implementation that can't be detected. Now I expect to see more and more of them.

I think there might be any number of us who would do it for a price...

It's all ones and zeros.  There has to be a way.

Just not an easy (e.g. free) way.

I don't think any product - commercial or otherwise - could detect such things - if they are implemented correctly.

Most commercial "VPN" products available either don't work on our network (firewalled), or generate alerts from our IDS network. OpenVPN is the first thing I've tried that worked out-of-the-box and got under the radar (well done :-).

Only policy stands between it and open access. And if you have a policy, you at least need to be able to monitor to prove your policy is enforced. And I can't even detect OpenVPN.

The only way I can think of to detect something specifically written to remain hidden would be by traffic analysis techniques - looking for long-term HTTPS sessions/etc. Trouble is, 99% of sites cannot justify (money, time, administration, personnel) changing their network usage patterns in order to make such techniques actually practical. (i.e. if your network allows almost any type of traffic internally [like ours - we write network services amongst other things], then how can you define what is "known" traffic and therefore what isn't?). We certainly run our proxies as "allow all sites except those we don't" - compared with firewall "block everything except that we allow". To flip the proxy security principle would be impossible: we have 2500 employees in a variety of roles - how do you define what sites they're allowed to go to? Who decides? And how to manage the allowed sites list - it'd change on a minutely basis?!?!? Gah. Maybe sites (i.e. those not in the software dev industry) can define their Internet access totally via whitelists - I know we can't.

Fun, fun, fun. That's why I like this work :-)

This discussion isn't leading anywhere - but I'm enjoying it. That's why I keep CC'ing the Snort IDS list. Like myself, they are interested in knowing about everything on their networks (we're twisted like that) - and OpenVPN appears "unknowable".


____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
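The traffic-analysis approach the message above gestures at (looking for long-lived "HTTPS" sessions rather than a signature in the payload) can be sketched in a few lines. The following is an added example, not code from the thread or from the OpenVPN or Snort projects. It reads constructed connection-log lines (the whitespace field layout, the thresholds, and the idea of using the byte-count symmetry between the two directions to separate a tunnel from an ordinary long download are all assumptions of this example) and reports client/server pairs that have spent a long time on port 443 with roughly balanced traffic in both directions.

```python
"""Flag long-lived, roughly symmetric TCP/443 sessions in a connection log.

Added example for the "long-term HTTPS session" heuristic discussed on the
list; not from the OpenVPN or Snort projects. The log format, the sample
records and the thresholds below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records, one flow per line:
# src dst dport start_epoch end_epoch bytes_out bytes_in
SAMPLE_FLOWS = """\
# short browsing sessions: download-heavy, tens of seconds
10.1.2.3  203.0.113.10 443 1100000000 1100000040   52000   900000
10.1.2.3  203.0.113.10 443 1100000050 1100000085   20000   400000
10.1.2.9  198.51.100.9 443 1100000000 1100000010    1500     3000
# one long download: long-lived but almost entirely inbound
10.1.2.11 203.0.113.20 443 1100000000 1100007200   50000 500000000
# two back-to-back 6-hour sessions to one host, traffic balanced both ways
10.1.2.7  198.51.100.5 443 1100000000 1100021600 9000000  9500000
10.1.2.7  198.51.100.5 443 1100021700 1100043300 8800000  9100000
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    start: int
    end: int
    bytes_out: int
    bytes_in: int

    @property
    def duration(self) -> int:
        return self.end - self.start


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed log format; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, start, end, out_b, in_b = line.split()
        flows.append(Flow(src, dst, int(dport), int(start), int(end),
                          int(out_b), int(in_b)))
    return flows


def symmetry(bytes_out: int, bytes_in: int) -> float:
    """Smaller direction divided by larger; 1.0 means perfectly balanced."""
    hi, lo = max(bytes_out, bytes_in), min(bytes_out, bytes_in)
    return lo / hi if hi else 0.0


def find_long_sessions(flows: list[Flow], port: int = 443,
                       min_seconds: int = 3600,
                       min_symmetry: float = 0.5) -> list[dict]:
    """Aggregate flows per (src, dst) on `port` and flag pairs whose cumulative
    connection time is long AND whose byte counts are balanced. Browsing is
    usually short and download-heavy; a long, balanced session is worth a look."""
    by_pair: dict[tuple[str, str], list[Flow]] = defaultdict(list)
    for f in flows:
        if f.dport == port:
            by_pair[(f.src, f.dst)].append(f)

    alerts = []
    for (src, dst), fl in sorted(by_pair.items()):
        total = sum(f.duration for f in fl)
        sym = symmetry(sum(f.bytes_out for f in fl), sum(f.bytes_in for f in fl))
        if total >= min_seconds and sym >= min_symmetry:
            alerts.append({"src": src, "dst": dst, "seconds": total,
                           "flows": len(fl), "symmetry": round(sym, 2)})
    return alerts


if __name__ == "__main__":
    for alert in find_long_sessions(parse_flows(SAMPLE_FLOWS)):
        print("long symmetric TCP/443 session:", alert)
```

Run against the constructed sample, only the 10.1.2.7 to 198.51.100.5 pair is reported; the two-hour download to 203.0.113.20 passes the duration check but fails the symmetry check, which is the point of combining the two. In practice the thresholds would be tuned per network, and the output is a list of things to look at rather than a verdict, which matches the message's caveat that this kind of analysis only works where "normal" traffic is well enough understood to compare against.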