Topic #2. Network Security: Practice
Virtual Private Network Security
22 November 2015
University of Windsor
This article is researched in the field of Virtual Private Network (VPN) Security. There is an increasing demand in the modern world to connect to internal network from far locations. Employees, students or the corporates frequently have the need to connect to internal private networks over the public Internet, from homes, airports or from other external networks which is generally insecure. Thus Security becomes a major consideration when employees, businesses or students have constant access to internal networks from insecure external locations. Virtual Private Network Security technology provides a way of protecting information being sent over the Internet, by allowing users to create a virtual private 'tunnel' to securely enter an internal network and access resources, data and communications through an insecure external network such as the Internet. This article provides a general overview of VPN, its types, security issues (threats), security mechanisms, benefits and its future.
A virtual private network (VPN) extends a private network across a public network, such as the Internet. A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunnelling protocols, or traffic encryption.
It enables users to send and receive data across shared or public networks as if they were directly connected to the private network, and thus are benefiting from the functionality, security and management policies of the private network.
Traditional VPNs are characterized by a point-to-point topology, and they do not tend to support or connect broadcast domains. Therefore, communication, software, and networking, which are based on OSI layer 2 and broadcast packets, such as NetBIOS used in Windows networking, may not be fully supported or work exactly as they would on a local area network (LAN). VPN variants, such as Virtual Private LAN Service (VPLS), and layer 2 tunnelling protocols, are designed to overcome this limitation.
VPNs allow employees to securely access the corporate intranet while outside the workplace. Similarly, VPNs can securely connect distant offices in various parts of the world of an organization, creating one interconnected network for them to communicate through securely.
VPN technology is also used by individual internet users to secure their IP addresses, bank transactions etc. and to bypass global internet restrictions enforced by countries and censorship, and to connect to proxy servers for the purpose of protecting personal identity and location.
II. Types of Virtual Private Network and Protocols
There are 2 types of VPN:
a) Site-to-site VPN
It consists of intranet and extranet based VPN. The encryption and decryption is done by the routers on both ends.
The intranet VPN connects 2 office LANs securely and transparently across the internet. Where as the extranet allows different offices of a company in various parts of the world to connect securely to share data across internet.
b) Remote access VPN
The remote access VPN allows users to create a secure connection using a remote computer network. Those users can securely access the resources on that network as if they were directly plugged into the network's servers. Another name for this type of VPN is Virtual Private Dial-up Network (VPDN).
Different types of VPN protocols available currently. The most commonly used VPN protocols are:
PPTP is short for Point-to-Point Tunnelling protocol. PPTP is the most common and widely used VPN protocol in the internet. PPTP uses a control channel over TCP and GRE tunnel to encapsulate PPP packets. It enables authorized remote users to connect to the VPN network using their existing internet connection and then log on to the VPN using password authentication. One of the down sides of PPTP is that it does not provide encryption and it relies on the PPP (Point-to-Point Protocol) to implement security measures for data packets.
As PPTP is the most commonly used protocol in the internet it has become a subject to serious security vulnerabilities. Since PPTP relies on PPP for encryption it is the biggest security issue.
L2TP or Layer to Tunnelling Protocol was developed by Microsoft and Cisco in the year 1999 as a standard RFC 2661. L2TP is developed from the older protocol versions of PPTP and L2F. L2TP also does not provide encryption and confidentiality and it relies on PPP protocol to do this. Unlike PPTP which provides only data confidentiality, L2TP provides data confidentiality and also data integrity.
According to RFC 3931 published in 2005 a newer version of L2TPv3 is released which provides the same as L2TP with additional security and better data encapsulation.
Internet Protocol Security was initially developed by the Internet Engineering Task Force (IETF) for IPv6 in the year December,1993, the software encryption protocol also known as swIPe was researched at Columbia University and AT&T Bell Labs by John Ioannidis and others. IPSec is a trusted protocol which uses cryptographic security services over networks and communicates by encrypting and authenticating each IP data packet of the current session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). A major disadvantage of IPSec is that it requires expensive and time consuming client installations.
IPSec uses the following protocols to perform its functions.
Authentication Headers: provide connectionless integrity and data origin authentication for IP datagrams and provides protection against replays.
Encapsulating Security Payloads (ESP) provide confidentiality, data-origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic-flow confidentiality.[RFC 2406 ]
Security Associations (SA) provide the bundle of algorithms and data that provide the parameters necessary for AH and/or ESP operations. The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for authentication and key exchange, with actual authenticated keying material provided either by manual configuration with pre-shared keys, Internet Key Exchange (IKE and IKEv2), Kerberized Internet Negotiation of Keys (KINK), or IPSECKEY DNS records.
Secure Socket Tunnelling Protocol (SSTP) is a type of VPN tunnel that provides mechanisms to transport PPP or L2TP traffic through SSL 3.0 channel. SSTP servers must first be authenticated by SSL before entering into the network. There may be cases where SSTP will originally built for remote client access.
Secure Socket Layer is a VPN accessible via https over web browser. SSL uses a cryptographic protocols when inside a network. SSL creates a secure session from your PC browser to the application server you're accessing. SSL provides transport-level security with key-negotiation, encryption and traffic integrity checking. SSL allows SSTP to virtually pass through all firewalls and proxy servers except for authenticated web proxies. SSL 3.0 is the current version in use. It is an improved version over SSL 2.0, where the server is never able to complete a successful handshake as mentioned by firefox web browser. SSL 3.0 has newly added SHA-1 ciphers to encrypt and decrypt data.
III. Security Mechanisms of Virtual Private Network
To prevent leaking or stealing of private information VPNs typically allow only authenticated remote access using tunnelling protocols and encryption techniques.
VPNs cannot make online connections completely anonymous, but they can usually increase privacy and security. To prevent disclosure of private information, VPNs typically allow only authenticated remote access using tunneling protocols and encryption techniques.
The VPN security model provides:
confidentiality such that even if the network traffic were sniffed at the packet level an attacker would only see encrypted data.
Sender authentication is used to prevent unauthorized users from accessing the VPN.
Message integrity and to detect any instances of tampering with transmitted messages The most important aspects of VPN security are authorization, authentication, data encryption, packet filtering and tunnelling. A well designed VPN uses several methods for keeping connection and data secure.
The SSL VPN Security has 3 categories which falls into the AAA Servers which stands for Authorization, Authentication and Accounting.
Authorization for VPN connections are only created for users and routers that have been authorized. If a user or router is not authorized for communicating in such connections, the server will disable them from using the VPN.
Authentication takes place at 2 levels.
a)User-level Authentication. It requires tunnel endpoints to be authenticated before secure VPN connections can be established. User created remote access may use passwords, RSAs, biometrics or other methods.
b) Machine-level Authentication. It allows Network-to-Network interaction and often uses preshared passwords or digital certificates such as VeriSign.
Accounting is a service provided by the network systems that keeps track of the users who access the resources. Network resources are commonly tracked through: disk space utilized, user logons and logoffs, files accessed, applications started and so on. In most places the admin is allowed to set limits and restrictions to the user and the amount and types of resources.
Data Encryption in a secure VPN uses several protocols that include SSL, IPSec, PPTP (described in section II. Types of Virtual Private Network). The protocols used to create VPN connections allow encrypted data to be sent over a network. Although it is possible to have a non-encrypted connection, this is not recommended. Data encryption for VPN connections does not provide end-to-end security, but only security between the client and the VPN server. In order to provide a secure end-to-end connection, the IPSec protocol can be used once a VPN connection has been established.
Packet Filtering is used to enhance security of the VPN, Packet filtering must be configured so that it only performs VPN routing.
Tunnelling is the mechanism for the transportation of network specific packets over foreign networks and is a part of IPSec. Tunnelling uses 3 types of protocols.
Carrier: The protocol used by the network in which the information is travelling.
Encapsulation: The protocols such as PPTP, IPSec, L2TP that wraps the data packets therefore encrypting the original data.
Passenger: The original data being carried.
Firewalls protects private networks over the internet, they control which files are allowed to leave the private network and, which port packets can pass through. Two commonly used types of firewalls are packet-level firewalls and application-level firewalls.
a) Packet-level firewall checks the source and destination address of every packet that is trying to passes through the network. Packet-level firewall only lets the user in and out of the organization's network only if the users have an acceptable packet with the correspondent source and destination address. The packet is checked individually through their TCP port ID and IP address, so that it knows where the packet is heading. Disadvantage of packet-level firewall is that it does not check the packet contents, or why they are being transmitted, and resources that are not disabled are available to all users.
b) Application-level firewall acts as a host computer between the organization's network and the Internet. Users who want to access the organization's network must first log in to the application-level firewall and only allow the information they are authorized for. Advantages for using application-level firewall are: users access level control, and resources authorization level. Only resources that are authorized are accessible. In contrast, the user will have to remember extra set of passwords when they try to login through the Internet.
IV. Security Issues (Threats) for using a VPN
As any network VPN has its own security issues and threats. These issues must be carefully handled to ensure confidentiality and integrity of data and information along with the network security.
Some of the security risks involved are:
a) User Authentication: Where the VPN security is only as strong as the users authentication (passwords). Simple passwords may lead to hacking attacks and cracking the password will be easy. Certificates are generally given to enhance the security of the authentication.
b) Digital Certificates: Are based on public/private key pairs. Each certificate contains a private key that identifies its end receiver. The trusted Certificate Authority such as enterprise networks produces the private key. The sender can verify the receiver certificate using a machine public key to decrypt the message.
c) Infecting the network: If the company does not meet the security requirements it will be open for infection from the local area networks in the form of worms, viruses, trojans, bots etc. Having a good anti-virus is mandatory which is up-to date.
d) Tunnelling: Tunnelling is a key part of a VPN. It is responsible for encapsulating data packets inside a protocol from the start to the end of the network. Split tunnelling takes place when a computer on the remote end of a VPN tunnel simultaneously exchanges network traffic with both the public network and the private network without first placing all of the network traffic inside the VPN tunnel. This provides an opportunity for attackers on the shared network to compromise the remote computer and use it to gain network access to the internal network. A host-based firewall is an effective way to defend against network-based attacks.
e) Domain Name Server Leakage (DNS Leakage): VPN ensures that the users data packets go through a private tunnel but on certain events there could be a DNS leakage where the network uses the users default DNS address instead of the DNS provided by the VPN.
V. Security Benefits of using a VPN
Virtual private networks offers a lot of benefits. The two most important benefits are cost savings and the network scalability. VPN allows easy maintenance. The cost for running a VPN network is cheap and helps reduce the company/business working costs. The various security benefits of VPN are discussed below.
a) Secure Data Transmission: VPN secures data at the packet level and therefore provides increased security when you are connected to a network. The data that you will send or receive is kept encrypted so it is not easy to hack.
b) Anonymity: VPN can help the user stay anonymous in the network and works better than hiding your IP addresses and proxy servers.
c) Increased Accessibility: VPN helps you access blocked or restricted information and is very popular in places where internet censorship and policies are used frequently.
d) Integrity Verification: VPN allows integrity where there is concern that someone will manipulate IP addresses. Integrity ensures to check that the packets have not been damaged, changed or recorded by hackers during the path from sender to receiver. Data encryption standard is the most commonly used encryption method in VPN.
e) Anti-Spoofing: VPN allows the developer to find and filter the data packets which are being duplicated and thereby helps prevent spoofing.
VI. Future of VPN technology
Future of VPN technology is appealing to the public due to decreases in the cost of long distance or leased lines, data security and privacy. A lot of corporates are debating whether to switch over to a VPN or if their networks are user friendly and if it would be worth the cost and expanding. Furthermore as VPNs are growing they are becoming more complex, thus, increasing costs for training. All these lead to hidden costs for the VPN technology, which may hinder the success of a VPN. However, we should expect VPNs to strengthen their standards and products and correct their flaws to avoid these uncertainties.
Factorization techniques are getting faster as the processors are becoming much better over time. It is possible that in future the encryption techniques may be cracked much faster as well thereby rendering them useless. VPNs have a lot of importance in this matter.
With the increasing trend of mobile phones, cloud computing and the internet connectivity almost everywhere, with lots of private information shared across these platforms, security is a top priority. Virtual private network is one such security methods with SSL VPNs being the most popular ones at the moment. VPNs are evolving with time and becoming much better and more useful in day-to-day life.
The security needs for mobile phones are different compared to applications used in computers. Since the mobile phone applications use internet to download or communicate and VPN secures the internet this becomes a perfect match for both computers and mobile phones and there is no need to create additional security software. However the mobile phones currently use old VPN protocols like SSL or IPSec that were mainly built for computers. However with the rising reliance on smart phones there are possibilities to see new VPN protocols developed specifically and purely for mobile phones.
A lot of small businesses are opting for cloud services offered by the likes of Amazon and Google in place of VPNs. This is certainly a worrying sign for VPN companies catering to businesses. To reverse the trend, some VPN companies are beginning to offer Cloud storage as a part of their VPN plans so that customers can get the best of both worlds. In addition, some VPN providers are also taking advantage of cloud and Peer-To-Peer technologies to offer Cloud and P2P based VPN services.
The future of VPN looks bright with the evolving technology. The next big change in the field of VPN is debatable but VPN does look promising to protect user privacy and security of the internet. VPNs will also help create better trust and relationship between businesses and customers with the provision of secured data and safety. Hopefully in the future, internet will be a less corrupted place and more free without too many restrictions. VPNs will play a major role in achieving this goal.
1. Kurose, J., & Ross, K. (2013).''Computer networking: A top-down approach''(6th ed.). Boston: Pearson.
2. Mason, Andrew G. (2002).Cisco Secure Virtual Private Network. Cisco Press. p.7.
3. Layer 2 Tunnelling Protocol. (1999). Cisco Systems. Introduction from
4. Microsoft Technet (2001)."Virtual Private Networking: An Overview".
5. Cisco Systems, et al. Internet working Technologies Handbook, Third Edition. Cisco Press, 2000, p. 232.
6. Lewis, Mark. Comparing, Designing. And Deploying VPNs. Cisco Press, 2006, p. 5
7. Technet Lab."IPv6 traffic over VPN connections"
8. ''Layer Two Tunneling Protocol "L2TP",''RFC 2661, W. Townsley''et al., August 1999
9. Hamzeh, K., Pall, G., Verthein, W., Taarud, J., Little, W. and G. Zorn, "Point-to-Point Tunneling Protocol (PPTP)", RFC 2637, July 1999.
10. Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661, July 1994.
11. Valencia, et. al. 'Cisco L2F' Historic , Authentication, RFC 2341, May 1998 p.7
12 . ''Point-to-Point Tunneling Protocol (PPTP),''RFC 2637, K. Hamzeh''et al., July 1999
13. Lloyd, B. and W. Simpson, "PPP Authentication Protocols", RFC 1334, October 1992.
14. Simpson, W., editor, "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661, July 1994.
16. Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.
18. CERT, 'Packet Filtering for Firewall Systems,'
19. CERT, 'Advisory CA-96.21: TCP SYN Flooding and IP Spoofing Attacks,
20. Raju,PP 'Different Types of VPN Protocols' , March 2013
21. HowStuffWorks.com Contributors. "What are the three types of VPN?" 27 July 2011.
22. technet.microsoft.com, 'What is a VPN', 28 March 2003.
23. Introduction to VPN: VPNs utilize special purpose networking protocols, Computer networking from about.com
24. Pawel,G 'Firewalls and VPN', 14 August 2002
25. Jain, Samir (2007-01-17).''"SSTP FAQ - Part 2: Client Specific".''Microsoft TechNet. Retrieved''2015-10-17.
26. T. Dierks, E. Rescorla (August 2008).''"The Transport Layer Security (TLS) Protocol, Version 1.2"
27. Thayer, R.; Doraswamy, N.; Glenn, R. (November 1998).''IP Security Document Roadmap.''IETF. RFC 2411.
28. Hoffman, P. (December 2005).''Cryptographic Suites for IPsec.''IETF. RFC 4308.
29. Kent, S.; Atkinson, R. (November 1998).''IP Authentication Header.''IETF. RFC 2402.
30. Kent, S. (December 2005).''IP Authentication Header.''IETF. RFC 4302.
31. IETF (1999),''RFC 2661, Layer Two Tunnelling Protocol "L2TP"
32. D. Mitton, M. St.Johns, S. Barkley, D. Nelson, B. Patil, M. Stevens, B. Wolff, 'Authentication, Authorization, and Accounting: Protocol Evaluation', June 2001 RFC 3127
33. Kent, S.; Atkinson, R. (November 1998).''IP Encapsulating Security Payload (ESP).IETF. RFC 2406.
...(download the rest of the essay above)