I have two physical sites, each with an edge router/firewall running pfSense; they are directly connected through a WAN link. I've deployed site-to-site OpenVPN using a pre-shared key to create a tunnel on top of this WAN. I'm using this connection only to connect my core infrastructure of the organization (DFS, root DC replication, NTP sync). One of my pfSenses is also a host-to-site OpenVPN server used by my admins & devs to make remote connections to the infrastructure. My only ports open on the public-facing WANs are 443 for my web servers and 1194 for my host-to-site (cert + RADIUS authentication); I also have some narrow rules for NTP and Exchange.

Given that my routers are directly connected, should I really be concerned about the possibility of somebody sniffing traffic on this WAN and reversing the keys? Is there a way to capture the traffic going between those routers without compromising them? If my traffic is already encrypted before entering the tunnel, may it be considered secure, or should I work towards something even more secure like OpenVPN with certs?

nethero

1 Answer

... possibility of somebody sniffing traffic on this WAN

If you fully control every part of the WAN then you should know if somebody can sniff or not. If you don't fully control every part you should probably assume that somebody is able to sniff, even if the routers are directly connected, i.e. no router, switch or something like this in between. It is still possible to intercept traffic directly by splicing the line and adding an interception device, no matter if you use Ethernet, fiber or similar for the WAN.

If my traffic is already encrypted before entering the tunnel may it be considered secure ...

It can be considered more secure than unencrypted traffic, but it depends on the details whether it can be considered secure enough. These details are, for example, the quality of the encryption, or whether sniffing of metadata (who connects with whom, how long, how many bytes...) is considered a risk which needs to be addressed or not.

Steffen Ullrich
The organization is a school. I know that tapping into the physical medium is possible, but it shouldn't be my concern since providing security for a physical connection is in the hands of the fiber provider. The traffic on the WAN is generated by Windows Servers. We have the root DC on one site and a secondary DC on another. Campus users have no direct connection to the infrastructure; they are routed through layer 3 switches to the public interfaces of the organization (except for workers residing on separate networks). – nethero Jun 12 '17 at 12:24
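To make the "quality of the encryption" point in the answer concrete, here is the question's static pre-shared-key tunnel beside the certificate-based (TLS mode) tunnel it asks about, written as OpenVPN configuration. This is an added illustration, not the poster's or pfSense's own configuration: the addresses (RFC 5737 documentation ranges), file paths, certificate names and the tunnel IPs are assumptions, and only standard OpenVPN directives are used.

```conf
# --- Site-to-site tunnel as described in the question: static pre-shared key ---
# Site A side (constructed example, not the poster's real config)
dev tun
proto udp
port 1194
remote 203.0.113.2 1194          # peer router's WAN address (assumed)
ifconfig 10.8.0.1 10.8.0.2       # tunnel endpoints (assumed)
secret /etc/openvpn/site.key     # one static key shared by both routers
cipher AES-256-CBC
auth SHA256
# Weakness: one symmetric key protects every packet for the life of the tunnel.
# A capture taken on the WAN link can be decrypted later if that key is ever
# recovered (no forward secrecy), and the data-channel key never rotates.

# --- Same tunnel in TLS (certificate) mode: site A as the TLS server ---
dev tun
proto udp
port 1194
tls-server
ifconfig 10.8.0.1 10.8.0.2
ca   /etc/openvpn/ca.crt         # private CA that issued both router certs (assumed)
cert /etc/openvpn/siteA.crt
key  /etc/openvpn/siteA.key
dh   /etc/openvpn/dh.pem         # or "dh none" to rely on ECDHE (OpenVPN 2.4+)
tls-crypt /etc/openvpn/ta.key    # HMAC-protect and encrypt the control channel
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
remote-cert-tls client           # peer cert must carry the client-auth EKU
verify-x509-name "siteB-router" name   # pin the peer's certificate CN (assumed)
reneg-sec 3600                   # fresh data-channel keys every hour
persist-key
persist-tun

# --- Site B as the TLS client ---
dev tun
proto udp
remote 203.0.113.1 1194
tls-client
ifconfig 10.8.0.2 10.8.0.1
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/siteB.crt
key  /etc/openvpn/siteB.key
tls-crypt /etc/openvpn/ta.key
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
remote-cert-tls server
verify-x509-name "siteA-router" name
persist-key
persist-tun
```

In TLS mode each session negotiates its own ephemeral keys over a DH/ECDH exchange and renews them on `reneg-sec`, so a recording of the WAN link stays undecryptable even if a router's long-term certificate key is later exposed; static-key mode offers no such property. `tls-crypt` needs OpenVPN 2.4 or newer; on older builds use `tls-auth /etc/openvpn/ta.key` with `key-direction 0` on the server and `1` on the client. A quick sanity check from the defender's side is to capture on the WAN interface (`tcpdump -ni <wan_if> udp port 1194 -X`) and confirm that nothing but opaque OpenVPN payload appears on the link.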