
VPN Security Testing Methodology

This document sets out the BestVPNReviews Internet security testing methodology: a set of rules and guidelines for solid penetration testing, ethical hacking, and information security analysis, including the use of open source testing tools for the standardization of security testing and the improvement of automated vulnerability testing tools. It is far from complete, but it should give the reader some understanding of the BestVPNReviews methodology and capabilities.
We ask permission from each VPN service to test the servers and network before we perform any test or survey. If a VPN service does not permit us to evaluate server security, we deduct 50% from the server security points available.


A security test is performed with two types of attack. A passive attack is usually a form of data collection which does not directly influence or trespass on the network. An intrusive attack, however, does trespass on the network; it can be logged and it can trigger the network's alarms.

The process in any security test can be broken down into the following:


Visibility is what can be seen of an Internet presence. This includes but is not limited to open or filtered ports, the types of systems, the architecture, the applications, e-mail addresses, employee names, the skills a newly hired sysadmin was required to have (as advertised in an online job posting), the circulation of the service's software products, and the websites employees visit and everything they download. Invisibility is being able to step on wet sand without leaving a footprint.

Access is what one invites visitors to on an Internet presence. This includes but is not limited to a web page, an e-business, a P2P server to content map, a DNS server, streaming video, or anything in which a service or application supports the definition of quasi-public, where a computer interacts with another computer within a given network. Limiting access means denying everything except what is expressly stated in the server plan.

Trust is the type and amount of authentication, non-repudiation, data integrity, access control, accountability, and data confidentiality. This includes but is not limited to VPNs, PKIs, HTTPS, SSH, B2B connectors, database-to-server connections, e-mail, employee web surfing, or any communication between two computers which causes interdependency between them, whether server/server, server/client, or P2P. Trust is the first four-letter word in Internet security.

Alarm is the timeliness and appropriateness of alerts to activities which violate or attempt to violate Visibility, Access, or Trust. This includes but is not limited to log file analysis, port watching, traffic monitoring, intrusion detection systems, and sniffing/snooping. Alarm is often the weakest link in otherwise appropriate security measures.

Internet presence points

Security testing is a strategic effort. While there are many different ways and many different tools to test many of the same parameters, there are very few sensible orders in which to test them. Although some of the parameters listed here (specifically 4, 11, and 13: wireless leak tests, the security policy review, and voicemail and PBX testing) are not Internet presence points, they are worth noting due to their electronic nature and the lack of anywhere else they would fit as a test of their own.

1. Network Surveying
2. Port Scanning
3. System Fingerprinting
4. Wireless Leak Tests
5. Services Probing
• Web Tracks
• Mail Tracks
• Name Services
• Visible Documents
• Anti-Virus and Trojan
6. Redundant Automated Vulnerability Scanning
7. Exploit Research
8. Manual Vulnerability Testing and Verification
9. Application Testing
10. Firewall & ACL Testing
11. Security Policy Review
12. Intrusion Detection System (IDS) Testing
13. Voicemail & PBX Testing
14. Doc Grinding (Electronic Dumpster Diving)
• News, Trade, and Business Sources
• Job Board and Chat Searches
• Newsgroups
• Cracks, Serials, and Underground
• FTP, Gopher
• Web
• P2P
15. Social Engineering
16. Trusted Systems Testing
17. Password Cracking
18. Denial of Service Testing
19. Privacy Policy Review
20. Cookie & Web Bug Analysis
21. IDS & Server Logs Review

There is a great amount of data to collect and analyze. The above steps can be graphed into a more visual form to better understand the test flow methodology.


Parameter interdependency

In the above methodology we see a certain order in the flow and the possibility of running certain tests in parallel. For instance, IDS testing does not interfere with wardialing (which is not conducted in these types of tests) and neither needs previous knowledge from the results of the other. However, both are dependent upon the review of the security policy to define certain parameters.

Below is more info on the different interdependencies and which tests are dependent on what information.

Test parameter Definition

Defining and listing the various testing steps:
The parameters listed here are far from complete. The desired formula for each parameter is more in-depth than what is found here, but it gives a view of our systematic approach.

Network Surveying

The introduction to the systems to be tested is best defined as a combination of data collection and information searches. BestVPNReviews always requests and obtains permission from the VPN services before it begins to test their server networks.
Some of the techniques detailed under the network survey may also be valid under Firewall & ACL or IDS testing. However, rather than stressing the firewall and IDS, the point of this exercise is to find the number of reachable systems that can be tested without exceeding the legal parameters of what may be tested or going beyond the scope of the permission we receive from the network we are testing. After all, we are trying to determine the effectiveness and hardness of the network server security, nothing more.

- Examine broadcast responses from the network
- Examine e-mail headers, bounced mails, and read receipts for server trails and internal network information
- Search web logs and intrusion logs for system trails from the network
- Examine web server source code and scripts for names, application servers and internal links
- Search newsgroups for posted information
- Use multiple traces to the gateway to define the outer network layer and routers
- Search Whois for domains and network addresses owned by the VPN service
- Use FTP and Proxies to bounce scans to the inside of the DMZ
- Utilize inverse scanning techniques to enumerate systems
- Perform name lookups on all systems for activity
- Determine the number of IPs blacklisted for SPAM or cited for SPAM harvesting.
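The second item above, reading e-mail headers and bounced mail for server trails, is the survey technique most often overlooked, so here is a worked example of it. This is an added illustration, not BestVPNReviews tooling: the bounce message, its hostnames and its addresses are constructed for the example, and the parser only walks the Received chain (newest header first in the message, so the list is reversed to get the path in order) and reports any hop that identified its sender by an RFC 1918 address.

```python
import email
import ipaddress
import re

# Constructed bounce message for this example: hostnames, addresses and relay names are
# invented and do not belong to any real VPN provider.
BOUNCE = """\
Received: from mx-out.example-vpn.com (mx-out.example-vpn.com [203.0.113.25])
\tby mail.tester.example (Postfix) with ESMTPS id 4F2A1
\tfor <tester@tester.example>; Tue, 15 Mar 2022 14:02:11 +0000
Received: from relay01.corp.example-vpn.com (relay01.corp.example-vpn.com [10.20.30.40])
\tby mx-out.example-vpn.com (Postfix) with ESMTP id 7C3B2
Received: from EXCH01.corp.example-vpn.com ([192.168.5.17])
\tby relay01.corp.example-vpn.com with Microsoft SMTP Server id 15.1.2308.8
From: Mail Delivery System <MAILER-DAEMON@example-vpn.com>
To: tester@tester.example
Subject: Undelivered Mail Returned to Sender

This is the mail system at host mx-out.example-vpn.com.
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FROM_RE = re.compile(r"\bfrom\s+(?P<host>[\w.-]+)(?:\s*\((?P<paren>[^)]*)\))?", re.I)
BY_RE = re.compile(r"\bby\s+(?P<host>[\w.-]+)", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_rfc1918(ip):
    """True for addresses from the private ranges that should never be visible from outside."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def received_hops(raw_message):
    """Return the Received chain oldest-first. Each MTA prepends its own header, so the
    last Received header in the message is the first hop the mail took."""
    msg = email.message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received") or []):
        line = " ".join(header.split())          # unfold the header continuation lines
        m_from, m_by = FROM_RE.search(line), BY_RE.search(line)
        hops.append({
            "from": m_from.group("host") if m_from else None,
            "from_ips": IP_RE.findall(m_from.group("paren") or "") if m_from else [],
            "by": m_by.group("host") if m_by else None,
            "raw": line,
        })
    return hops


def internal_leaks(raw_message):
    """Internal hostnames and private addresses the headers reveal: any hop whose sending
    host was identified by an RFC 1918 address sat inside the target's network."""
    hosts, ips = [], []
    for hop in received_hops(raw_message):
        leaked = [ip for ip in hop["from_ips"] if is_rfc1918(ip)]
        if leaked:
            ips.extend(leaked)
            if hop["from"] not in hosts:
                hosts.append(hop["from"])
    return {"internal_hosts": hosts, "private_ips": ips}


if __name__ == "__main__":
    for hop in received_hops(BOUNCE):
        print(f"{hop['from']} {hop['from_ips']} -> {hop['by']}")
    print(internal_leaks(BOUNCE))
```

Run against the constructed bounce, the chain exposes an internal Exchange host and a relay on private addresses that no port scan of the public range would ever show; the same parser works on read receipts and on mail the service sends to its own customers. Note that the RFC 1918 test is deliberately narrower than `ipaddress`'s `is_private`, which also flags documentation and test ranges such as 203.0.113.0/24.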

Port scanning is the invasive probing of ports on a live system. Each port will be found filtered, open, or closed. Half-open (SYN) scans, FIN scans, Xmas scans, and other stealth scanning techniques are covered under Firewall, ACL, and IDS testing. This phase is to find quasi-public services.

- Examine broadcast responses from the network
- Examine system responsiveness to ICMP echo requests at all levels
- Examine all 65,536 TCP and UDP ports for open, closed, and filtered states

System fingerprinting is the invasive probing of a system for responses which can be categorized to identify the system type down to a version level. Be aware that results may lead to false assumptions, since responses can be deliberately spoofed (see IP Personality at http://sourceforge.net/projects/ippersonality/).

- Examine system responses to determine operating system type and patch level
- Gather server uptime
- Search postings for server and application information
- Search tech bulletin boards and newsgroups for server and application information
- Match information gathered to system responses for more accurate results

Wireless Leak Tests

- Verify the distance to which the wireless communication extends beyond the physical boundaries of the organization
- Verify that the communication is secure and cannot be challenged or tampered with
- Probe the network for possible DoS problems

Services Probing

- Match each open port to a service
- Compare server uptime to the latest patch releases (an uptime older than the latest reboot-requiring patch shows it has not been applied)
- Identify the application behind the service and its patch level using banners or fingerprinting
- Verify the application against the system and note the latest available version
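The port scanning phase and the services probing phase are really one pipeline: establish the state of each port, then talk to the open ones and read what they say about themselves. The following is an added example of that pipeline, written for this page and not BestVPNReviews' own tooling (in practice the scan is done with Nmap). It uses a full connect() probe rather than a stealth scan, so what it does is loggable, and it classifies results with Nmap's vocabulary: open, closed, filtered, and for UDP the unavoidable open|filtered. The fake SSH service, the banner strings and the `scan` helper are constructed for the example; the banner patterns are assumptions about three common greeting formats, not a complete fingerprint database.

```python
import re
import socket
import threading


def probe_tcp(host, port, timeout=1.0):
    """Full connect() probe. Returns (state, banner): open = handshake completed,
    closed = RST came back (ECONNREFUSED), filtered = no answer within the timeout or an
    ICMP unreachable that the kernel surfaces as some other OSError."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed", ""
    except OSError:                      # socket.timeout is an OSError too
        s.close()
        return "filtered", ""
    banner = b""
    try:
        banner = s.recv(512)             # SSH, SMTP and FTP greet first; HTTP would need a request
    except OSError:
        pass
    s.close()
    return "open", banner.decode("ascii", "replace").strip()


def probe_udp(host, port, timeout=1.0):
    """UDP has no handshake: an ICMP port-unreachable means closed, any reply means open,
    and silence is the ambiguous open|filtered that Nmap also reports."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))          # connected socket so the ICMP error is delivered to us
        s.send(b"\x00")
        s.recv(512)
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "open|filtered"
    finally:
        s.close()


# Assumed greeting formats for three common service families (not an exhaustive database).
BANNER_PATTERNS = (
    ("ssh", re.compile(r"^SSH-[\d.]+-(?P<product>[A-Za-z]+)[_-](?P<version>[\w.]+)")),
    ("ftp/smtp", re.compile(r"^220[ -].*?(?P<product>vsFTPd|ProFTPD|Postfix|Exim|Sendmail)\s*(?P<version>\d[\w.]*)?", re.I)),
    ("http", re.compile(r"^Server:\s*(?P<product>[\w-]+)/(?P<version>[\w.]+)", re.M | re.I)),
)


def parse_banner(banner):
    """Pull product and version out of a greeting so it can be checked against the latest release."""
    for service, pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return {"service": service, "product": m.group("product"), "version": m.group("version")}
    return {"service": "unknown", "product": None, "version": None}


def start_fake_service(banner):
    """Constructed stand-in for a daemon, used only so the example runs offline: listens on
    127.0.0.1 on an ephemeral port and greets every client with `banner`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.sendall(banner.encode())
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def unused_port():
    """Bind an ephemeral port and release it: a port we know is closed right now."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def scan(host, tcp_ports, udp_ports=()):
    """Port states first, then a service match for every open TCP port."""
    results = {}
    for port in tcp_ports:
        state, banner = probe_tcp(host, port)
        results[("tcp", port)] = {"state": state, "banner": banner,
                                  "service": parse_banner(banner) if state == "open" else None}
    for port in udp_ports:
        results[("udp", port)] = {"state": probe_udp(host, port), "banner": "", "service": None}
    return results


if __name__ == "__main__":
    srv, open_port = start_fake_service("SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n")
    for key, r in scan("127.0.0.1", [open_port, unused_port()], udp_ports=[unused_port()]).items():
        print(key, r["state"], r["service"])
    srv.close()
```

Two points the page's list leaves implicit are visible in the code. A banner is a claim, not a fact: the fake service here says it is OpenSSH, and a real host can be configured to say anything, which is why the fingerprinting step cross-checks banners against system responses. And UDP silence is never conclusive, so an "all 65,536 UDP ports" sweep that reports everything as open|filtered has told you about the firewall, not about the services.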

Redundant Automated Vulnerability Scanning

- Attempt to match vulnerabilities to applications
- Attempt to determine application type and service by vulnerability
- Perform redundant automated scanning (more than one scanner) per service

Exploit Research

- Identify all vulnerabilities according to the applications found
- Identify all vulnerabilities according to the operating systems found

Manual Vulnerability Testing and Verification

- Verify all vulnerabilities found during the exploit research phase for false positives
- Attempt to exploit the confirmed positives, but only within the boundaries of the network permission granted

Application Testing

- Abnormal field values
- Communication
- Trust
- Variables

Firewall & ACL Testing

- Verify the firewall fingerprint against information collected from job boards
- Stealth scanning (SYN, FIN)

Security Policy Review

The following are the areas a security policy should generally address (where applicable to these tests):

- Electronic components of physical security (swipe cards)
- Desktop system security
- Passwords / Passphrases
- Information Security
- Encryption and level of strength
- Use of the Extranet or working with Partners and Contractors
- Mobile security
- Use of presentation rooms
- Internet and e-mail acceptable use
- Telephone, GSM, and voicemail

Intrusion Detection System (IDS) Testing

- Obfuscated URLs
- Speed adjustments in packet sending
- Source port adjustments
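Of the three IDS tests above, obfuscated URLs are the one that can be demonstrated without a network, so here is an added example written for this page (it is not BestVPNReviews' tooling). The tested IDS rule is a hypothetical one that matches requests for a constructed path, `/cgi-bin/vuln.cgi`; the example generates the standard evasion variants of that path and shows that a substring rule misses several of them, while a rule that canonicalizes the request the way the web server will before routing catches all of them. Speed and source-port adjustments are scanner timing options and are not covered by the code.

```python
from urllib.parse import unquote

# Constructed target for a hypothetical IDS rule; nothing at this path is a known vulnerability.
SIGNATURE = "/cgi-bin/vuln.cgi"


def obfuscate(path):
    """Evasion variants of `path` that still reach the same resource on a typical web server.
    Returned as name -> variant so a report can say which trick got past the IDS."""
    encoded = "".join("%%%02X" % ord(c) if c.isalpha() else c for c in path)
    return {
        "plain": path,
        "percent_encoded": encoded,                     # /%63%67%69-%62%69%6E/%76%75%6C%6E.%63%67%69
        "lowercase_hex": encoded.lower(),               # hex digits are case-insensitive to a decoder
        "double_encoded": encoded.replace("%", "%25"),  # only a second decoding pass reveals the path
        "self_reference": path.replace("/", "/./"),     # /./cgi-bin/./vuln.cgi
        "parent_traversal": "/junk/.." + path,          # /junk/../cgi-bin/vuln.cgi
        "multiple_slashes": path.replace("/", "//"),    # //cgi-bin//vuln.cgi
    }


def canonicalize(path, max_rounds=3):
    """Normalize like the server will: bounded repeated percent-decoding, then resolve '.',
    '..' and empty segments. The bound keeps a nested-encoding payload from looping the
    detector. An encoded slash (%2F) is treated as a separator here, the conservative choice
    for detection even though servers differ on whether they accept it."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    resolved = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if resolved:
                resolved.pop()
            continue
        resolved.append(segment)
    return "/" + "/".join(resolved)


def naive_match(request_path):
    """A substring rule on the raw request, the way a weak signature works."""
    return SIGNATURE in request_path


def canonical_match(request_path):
    """The same rule applied after canonicalization."""
    return SIGNATURE in canonicalize(request_path)


def evasion_report(path=SIGNATURE):
    """For every variant: did the naive rule fire, and did the canonicalizing rule fire?"""
    return {name: {"naive": naive_match(variant), "canonical": canonical_match(variant)}
            for name, variant in obfuscate(path).items()}


if __name__ == "__main__":
    for name, result in evasion_report().items():
        print(f"{name:18s} naive={result['naive']!s:5s} canonical={result['canonical']}")
```

In a test the variants are sent at the server and the IDS console is watched for each one; the report structure above is what gets recorded per variant. The canonicalizer is also the reference for what the IDS should have done, and `canonicalize("%252e%252e/")` resolving to `/` shows why the decode loop has to run more than once.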

Doc Grinding (Electronic Dumpster Diving)

- Examine web databases concerning the organization and key people
- Verify key persons against personal homepages, published resumes, and organizational affiliations
- Search job databases for the skill sets technology hires need to possess in the reviewed organization
- Search newsgroups for references to and submissions from within the organization and key people

CI Scouting is the scavenging of information from an Internet presence which can be analyzed as business intelligence. As opposed to the intellectual property theft found in industrial espionage or hacking, CI tends to be non-invasive. It is a good example of how the Internet presence extends far beyond the hosts in the DMZ. Using CI in a penetration test gives business value to the components and can help in finding business justifications for implementing various services or not.

- Map and weigh the directory structure of the web servers
- Map and weigh the directory structure of the FTP servers
- Examine the DNS Whois databases for business services relating to registered host names
- Estimate the IT cost of the Internet infrastructure based on OS, applications, and hardware
- Measure the buzz (feedback) of the organization based on newsgroups, web boards, and industry feedback sites
- Estimate the number of products found in P2P sources and warez sites, the cracks available up to specific versions, and the documentation, both internal and third party, about the products


Trusted Systems Testing

- Map system trusts within the DMZ

Denial of Service Testing

- Nmap DDoS emulation, SYN flood, and TCP stress testing


Privacy Policy Review

- Verify policy against actual practice
- Identify data collected
- Identify storage location of data
- Perform risk analysis of data store

Cookie & Web Bug Analysis

- Identify cookie types
- Identify expiration times and persistency
- Identify information stored in cookie
- Identify IP tracking and collecting through cookies
- Verify encryption methods

- Identify server location of web bug
- Identify database type and size for storing data
- Identify data gathered and returned to server
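The cookie items and the web bug items above are checked from the same two artifacts, the Set-Cookie response headers and the page HTML, so one added example covers both. It is written for this page and is not BestVPNReviews' tooling; the two cookies, the HTML snippet and the tracker hostname are constructed. For each cookie it records persistence, the Secure, HttpOnly and SameSite attributes, and whether the value is an opaque identifier or merely base64 of readable data (a common finding under "verify encryption methods"); for the page it lists 1x1 or hidden images, the host they report to, and the data in their query string.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

PAGE_HOST = "www.example-vpn.com"   # constructed
SAMPLE_COOKIES = [                   # constructed Set-Cookie headers
    "session=9f86d081884c7d659a2feaa0c55ad015; Path=/; Secure; HttpOnly; SameSite=Lax",
    "prefs=" + base64.b64encode(b"user=alice@example.com;plan=premium").decode()
    + "; Path=/; Expires=Tue, 15 Mar 2033 14:02:11 GMT",
]
SAMPLE_HTML = """<html><body>
<img src="/static/logo.png" width="120" height="40">
<img src="https://tracker.example-ads.net/pixel.gif?uid=42&ref=pricing" width="1" height="1">
</body></html>"""                     # constructed page; tracker host is invented


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and the attributes the review cares about."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    c = {"name": name, "value": value, "secure": False, "httponly": False,
         "samesite": None, "expires": None, "max_age": None, "domain": None}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure": c["secure"] = True
        elif key == "httponly": c["httponly"] = True
        elif key == "samesite": c["samesite"] = val
        elif key == "expires": c["expires"] = val
        elif key == "max-age": c["max_age"] = int(val)
        elif key == "domain": c["domain"] = val.lstrip(".").lower()
    c["persistent"] = c["expires"] is not None or c["max_age"] is not None   # survives the session
    return c


def peek_value(value):
    """If the value is just base64 of readable text, return that text, else None.
    Pure hex tokens are left alone: they are opaque identifiers, not encoded payloads."""
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        return None
    try:
        text = base64.b64decode(value + "=" * (-len(value) % 4), validate=False).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() and text != value else None


def assess_cookie(header):
    """The cookie record plus the findings a reviewer would write up."""
    c = parse_set_cookie(header)
    findings = []
    if not c["secure"]: findings.append("no Secure flag: also sent over plain HTTP")
    if not c["httponly"]: findings.append("no HttpOnly flag: readable by page script")
    if c["samesite"] is None: findings.append("no SameSite attribute")
    if c["persistent"]: findings.append("persistent cookie")
    text = peek_value(c["value"])
    if text is not None:
        findings.append("value is base64 of plaintext, not encrypted: " + text)
        if re.search(r"[\w.+-]+@[\w-]+\.[\w.]+", text):
            findings.append("e-mail address stored in cookie")
    c["findings"] = findings
    return c


class WebBugFinder(HTMLParser):
    """Collect <img> tags that look like tracking pixels (1x1, zero-sized or hidden) together
    with the host they report to and the query string they carry back."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.bugs = page_host, []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        parts = urlsplit(a.get("src", ""))
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        if tiny or hidden:
            host = parts.hostname or self.page_host      # relative src is served by the page host
            self.bugs.append({"host": host, "third_party": host != self.page_host,
                              "data_sent": parse_qs(parts.query)})


def find_web_bugs(html, page_host):
    finder = WebBugFinder(page_host)
    finder.feed(html)
    return finder.bugs


if __name__ == "__main__":
    for header in SAMPLE_COOKIES:
        print(assess_cookie(header))
    print(find_web_bugs(SAMPLE_HTML, PAGE_HOST))
```

The session cookie comes back clean; the preferences cookie is persistent for a decade, unprotected, and carries the user's e-mail address in a form any observer can read, which is exactly the gap between "encoded" and "encrypted" that the review is meant to expose. The web bug result names the third-party host and the identifiers it receives, which feeds the privacy policy review directly.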

IDS & Server Logs Review

- Match IDS alerts to vulnerability scans
- Match IDS alerts to trusted system tests
- Verify TCP and UDP scanning against server logs
- Verify automated vulnerability scans
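This review is where the Alarm dimension is actually measured: the tester knows exactly which probes were sent, so each one can be looked up in the IDS alerts and in the server's own logs, and whatever appears in neither is a probe the service would never have noticed. The following added example does that matching; it is written for this page, not BestVPNReviews tooling. The probe list, the Snort-style fast alerts and the netfilter LOG lines are all constructed (rule ids, prefixes and addresses invented), and the alert and log formats are imitations of those two tools' output, reduced to the fields the matching needs.

```python
import re
from collections import namedtuple

Probe = namedtuple("Probe", "proto dport")

SCANNER_IP = "198.51.100.7"          # constructed: the tester's source address
PROBES_SENT = [                      # constructed: what the scan phases sent to the server
    Probe("tcp", 22), Probe("tcp", 443), Probe("tcp", 8080), Probe("udp", 1194), Probe("udp", 500),
]

# Constructed alerts in Snort fast-alert style (rule ids and messages invented). The third
# line is from a different source and must not be credited to the test.
IDS_ALERTS = """\
03/15-14:02:11.104311  [**] [1:1000001:1] TEST portscan inbound [**] [Priority: 2] {TCP} 198.51.100.7:44321 -> 203.0.113.10:22
03/15-14:02:11.204877  [**] [1:1000001:1] TEST portscan inbound [**] [Priority: 2] {TCP} 198.51.100.7:44322 -> 203.0.113.10:443
03/15-14:07:40.001200  [**] [1:1000002:1] TEST ssh brute force [**] [Priority: 1] {TCP} 192.0.2.55:51000 -> 203.0.113.10:22
"""

# Constructed kernel log lines in netfilter LOG-target style (prefixes invented, fields reduced).
SERVER_LOG = """\
Mar 15 14:02:11 vpn1 kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=44323 DPT=8080 SYN
Mar 15 14:02:11 vpn1 kernel: FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=44321 DPT=22 SYN
Mar 15 14:02:12 vpn1 kernel: FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=44330 DPT=1194
"""

ALERT_RE = re.compile(r"\{(?P<proto>TCP|UDP)\}\s+(?P<src>[\d.]+):\d+\s+->\s+[\d.]+:(?P<dport>\d+)")
KERNEL_RE = re.compile(r"SRC=(?P<src>[\d.]+)\s.*?PROTO=(?P<proto>TCP|UDP)\s.*?DPT=(?P<dport>\d+)")


def seen_from(text, pattern, scanner_ip):
    """The (proto, dport) pairs a log attributes to the tester's address; other sources are
    ignored so that unrelated noise does not inflate the coverage figure."""
    seen = set()
    for line in text.splitlines():
        m = pattern.search(line)
        if m and m.group("src") == scanner_ip:
            seen.add(Probe(m.group("proto").lower(), int(m.group("dport"))))
    return seen


def alarm_coverage(probes, ids_text, server_text, scanner_ip):
    """For each probe: was it alerted on, was it logged, or was it silent? Plus the two
    coverage ratios that go into the report."""
    in_ids = seen_from(ids_text, ALERT_RE, scanner_ip)
    in_log = seen_from(server_text, KERNEL_RE, scanner_ip)
    rows = {p: {"ids": p in in_ids, "server_log": p in in_log} for p in probes}
    return {
        "rows": rows,
        "ids_coverage": sum(r["ids"] for r in rows.values()) / len(probes),
        "log_coverage": sum(r["server_log"] for r in rows.values()) / len(probes),
        "silent": [p for p, r in rows.items() if not (r["ids"] or r["server_log"])],
    }


if __name__ == "__main__":
    report = alarm_coverage(PROBES_SENT, IDS_ALERTS, SERVER_LOG, SCANNER_IP)
    for probe, row in report["rows"].items():
        print(f"{probe.proto}/{probe.dport:<5} ids={row['ids']!s:5} log={row['server_log']}")
    print("ids coverage", report["ids_coverage"], "log coverage", report["log_coverage"])
    print("silent probes", report["silent"])
```

With the constructed data the IDS saw two of five probes, the server logged three, and the UDP probe to port 500 left no trace anywhere, which is the finding the review exists to produce. Real logs need a time window as well (the same port is probed more than once over a test), and the vulnerability scan and trusted-system tests are matched the same way with their own probe lists.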