Topic #2. Network Security: Practice
Virtual Private Network Security
22 November 2015
This article surveys Virtual Private Network (VPN) security. There is an increasing demand to reach internal networks from distant locations: employees, students and business partners frequently need to connect to private networks over the public Internet from homes, airports or other external networks that are generally insecure. Security therefore becomes a major consideration when users have constant access to internal networks from such locations. VPN technology protects information sent over the Internet by letting users create a virtual private “tunnel” through which they enter an internal network and reach its resources, data and communications across an insecure external network. This article gives a general overview of VPNs, their types, security issues (threats), security mechanisms, benefits and their future.
A virtual private network (VPN) extends a private network across a public network, such as the Internet. A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunnelling protocols, or traffic encryption.
It enables users to send and receive data across shared or public networks as if they were directly connected to the private network, so that they benefit from the functionality, security and management policies of the private network.
Traditional VPNs are characterized by a point-to-point topology, and they do not tend to support or connect broadcast domains. Therefore, communication, software, and networking, which are based on OSI layer 2 and broadcast packets, such as NetBIOS used in Windows networking, may not be fully supported or work exactly as they would on a local area network (LAN). VPN variants, such as Virtual Private LAN Service (VPLS), and layer 2 tunnelling protocols, are designed to overcome this limitation.
VPNs allow employees to securely access the corporate intranet while outside the workplace. Similarly, VPNs can securely connect an organization's distant offices in various parts of the world, creating one interconnected network through which they communicate securely.
VPN technology is also used by individual Internet users to hide their IP address and protect sensitive traffic such as online banking on untrusted networks, to bypass country-level Internet restrictions and censorship, and to route through proxy servers so as to protect their personal identity and location.
II. Types of Virtual Private Network and Protocols
There are 2 types of VPN:
a) Site-to-site VPN
It covers both intranet-based and extranet-based VPNs. The encryption and decryption is done by the routers or security gateways at both ends, so the hosts behind them need no VPN software.
An intranet VPN connects two LANs of the same organization (for example two offices) securely and transparently across the Internet. An extranet VPN connects an organization's network to the networks of outside parties such as partners, suppliers or customers, so that selected data can be shared securely across the Internet while the rest of each network stays private.
b) Remote access VPN
A remote access VPN allows an individual user on a remote computer to create a secure connection into a private network. Such users can access the resources on that network as if they were plugged directly into it. Another name for this type of VPN is Virtual Private Dial-up Network (VPDN), from the days when the remote user dialled in over a modem.
Several VPN protocols are available today. The most commonly used are the following:
PPTP is short for Point-to-Point Tunnelling Protocol. PPTP was for a long time the most widely deployed VPN protocol because a client ships with every version of Windows. It uses a control channel over TCP (port 1723) and a GRE tunnel to encapsulate PPP frames. It enables authorized remote users to connect to the VPN over their existing Internet connection and then log on using password authentication. PPTP itself provides no encryption; it relies on the encapsulated PPP session, normally MS-CHAPv2 for authentication and Microsoft Point-to-Point Encryption (MPPE, based on RC4) for confidentiality.
That reliance on PPP is PPTP's biggest security problem. MS-CHAPv2 has been cryptanalysed since 1998, and published attacks reduce recovery of the MS-CHAPv2 credentials to a single DES key search; because the MPPE keys are derived from those same credentials, an attacker who captures the handshake can then decrypt the whole session. PPTP should therefore be considered obsolete and used only where nothing else is available.
L2TP, the Layer 2 Tunnelling Protocol, was standardized by the IETF in 1999 as RFC 2661, combining the best features of the older PPTP (Microsoft) and L2F (Cisco) protocols. Like PPTP, L2TP carries PPP frames and provides neither encryption nor integrity protection on its own. In practice it is almost always run as L2TP/IPsec (RFC 3193): IPsec ESP protects the L2TP packets, supplying confidentiality, data integrity and authentication of the endpoints, so the combination is considerably stronger than PPTP.
RFC 3931, published in 2005, defines L2TPv3, which generalizes L2TP so that it can carry Layer 2 payloads other than PPP (for example Ethernet or Frame Relay frames, often called pseudowires) and adds optional authentication of control messages. As with L2TPv2, confidentiality of the tunnelled data still requires IPsec.
Internet Protocol Security (IPsec) was developed by the Internet Engineering Task Force (IETF) in the early 1990s, originally as a mandatory part of IPv6; it drew on earlier research such as swIPe, a software IP encryption protocol designed around 1993 by John Ioannidis and Matt Blaze at Columbia University and AT&T Bell Labs. IPsec is a mature, widely trusted suite that applies cryptographic services at the network layer, authenticating and (optionally) encrypting every IP packet of a session. It can protect data flows between a pair of hosts (host-to-host, usually transport mode), between a pair of security gateways (network-to-network, tunnel mode), or between a security gateway and a host (network-to-host). A practical drawback of IPsec remote-access VPNs is that they usually require a client to be installed and configured on each endpoint, which is costly and time consuming at scale.
IPsec uses the following protocols to perform its functions.
Authentication Header (AH, RFC 4302) provides connectionless integrity and data-origin authentication for IP datagrams and protects against replays. It does not encrypt, and because its integrity check covers parts of the IP header it does not pass through NAT.
Encapsulating Security Payload (ESP, RFC 2406, superseded by RFC 4303) provides confidentiality, data-origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity) and limited traffic-flow confidentiality. ESP is what almost all deployed IPsec VPNs use; AH is rarely needed.
Security Associations (SAs) are the bundle of algorithms, keys and parameters needed for AH and/or ESP operation on one direction of one flow; each SA is identified by the Security Parameter Index (SPI) carried in the AH or ESP header. The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for authentication and key exchange, with the actual authenticated keying material supplied either by manual configuration with pre-shared keys, by the Internet Key Exchange (IKE or, preferably, IKEv2), by Kerberized Internet Negotiation of Keys (KINK), or by IPSECKEY DNS records.
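The anti-replay service listed for ESP is a sliding window kept by the receiver over the 32-bit sequence number in the ESP header. What follows is an added illustration, not code from the article, of the receiver-side check described in RFC 4303 Appendix A: the window size of 64 and the constructed arrival order are assumptions, and the ICV verification that must precede marking a packet as seen is represented by a boolean.

```python
class AntiReplayWindow:
    """Receiver-side replay check for one inbound IPsec SA (RFC 4303 Appendix A).

    `top` is the highest sequence number accepted so far; bit k of `bitmap`
    records whether sequence number (top - k) has already been accepted.
    Sequence numbers are 32-bit and start at 1 on a fresh SA, so 0 is invalid.
    """

    def __init__(self, size: int = 64) -> None:
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """True if `seq` is fresh: to the right of the window, or inside it and
        not yet seen. Packets left of the window are too old and are dropped."""
        if seq == 0 or seq > 0xFFFFFFFF:
            return False
        if seq > self.top:
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False
        return not (self.bitmap >> offset) & 1

    def mark(self, seq: int) -> None:
        """Record `seq` as accepted. Only call this after the ICV has verified,
        otherwise a forged packet could advance the window and cause real,
        slightly delayed packets to be discarded."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) & ((1 << self.size) - 1)) | 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq: int, icv_ok: bool) -> bool:
        """Full inbound decision: replay check, then integrity check, then mark."""
        if not self.check(seq) or not icv_ok:
            return False
        self.mark(seq)
        return True


# Constructed arrival order (an assumption): some reordering, one true replay of
# seq 3, a jump to 70 that slides the window, and a packet (6) that is then too old.
SAMPLE_ARRIVALS = [1, 2, 3, 5, 4, 3, 70, 6, 7, 100, 40]


def demo(window_size: int = 64) -> list:
    """Return the accept/drop decision for each arrival in SAMPLE_ARRIVALS."""
    window = AntiReplayWindow(window_size)
    return [window.receive(seq, icv_ok=True) for seq in SAMPLE_ARRIVALS]


if __name__ == "__main__":
    for seq, accepted in zip(SAMPLE_ARRIVALS, demo()):
        print(seq, "accepted" if accepted else "dropped")
```

Note the ordering inside `receive`: the window is consulted before the (expensive) integrity check so that replayed packets are dropped cheaply, but it is only updated after the ICV verifies, which is why a bad ICV leaves the window untouched.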
Secure Socket Tunnelling Protocol (SSTP), introduced by Microsoft with Windows Vista SP1 and Windows Server 2008, transports PPP frames inside an SSL/TLS channel on TCP port 443. The client authenticates the SSTP server by its TLS certificate before the PPP session (and therefore the user authentication) begins. SSTP was designed for remote client access rather than for site-to-site links.
An SSL VPN is a VPN reached over HTTPS, typically from a web browser, either as a clientless portal that publishes selected internal applications or as a lightweight tunnel client downloaded on demand. It uses the same cryptographic protocol as secure web traffic: a TLS session is established between the user's browser or client and the VPN gateway, giving transport-level security with key negotiation, encryption and traffic integrity checking (through the record-layer MAC, for which SHA-1 based HMACs were added in SSL 3.0; SHA-1 is an integrity mechanism, not an encryption cipher). Because the traffic looks like ordinary HTTPS, an SSL VPN (and SSTP, which rides on it) passes through virtually all firewalls and proxy servers, the exception being web proxies that require their own authentication. SSL 3.0 was a great improvement over SSL 2.0, whose handshake modern browsers such as Firefox refuse to complete at all, but SSL 3.0 itself has since been broken by the POODLE attack and was formally deprecated by RFC 7568 in June 2015: an SSL VPN gateway should today negotiate only TLS 1.2 (or later) and refuse SSL 3.0 and SSL 2.0 outright.
III. Security Mechanisms of Virtual Private Network
VPNs cannot make online connections completely anonymous, but they usually increase privacy and security. To prevent disclosure of private information, VPNs typically allow only authenticated remote access, using tunnelling protocols and encryption techniques.
The VPN security model provides:
a) Confidentiality, such that even if the network traffic is sniffed at the packet level an attacker sees only encrypted data.
b) Sender authentication, to prevent unauthorized users from accessing the VPN.
c) Message integrity, to detect any tampering with transmitted messages.
The most important aspects of VPN security are authorization, authentication, data encryption, packet filtering and tunnelling. A well designed VPN uses several of these methods together to keep the connection and its data secure.
Access control for a VPN (whether SSL- or IPsec-based) is commonly delegated to an AAA server, which stands for Authentication, Authorization and Accounting; RADIUS and TACACS+ are the usual protocols between the VPN gateway and such a server.
Authorization: VPN connections are only created for users and routers that have been authorized. If a user or router is not authorized for a given connection, the server refuses it access to the VPN.
Authentication takes place at two levels.
a) User-level authentication. Tunnel endpoints must be authenticated before a secure VPN connection is established. Remote access users may authenticate with passwords, one-time-password tokens (such as RSA SecurID), client certificates, biometrics or other methods, ideally combining more than one.
b) Machine-level authentication. This is used for network-to-network connections between gateways and typically relies on pre-shared keys or on digital certificates issued by a certificate authority (VeriSign, for example).
Accounting is a service provided by the network systems that keeps track of the users who access its resources. Commonly tracked items are disk space used, user logons and logoffs, files accessed, applications started and so on. In most deployments the administrator can set limits and restrictions on each user and on the amount and types of resources they may use.
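As an added example (not code from the article) of the exchange between a VPN gateway and the AAA server just described, the following constructs a RADIUS Access-Request with a hidden User-Password and the server's Access-Accept or Access-Reject as RFC 2865 defines them, then verifies the reply on the gateway side. The shared secret, the user database and the identifiers are constructed test data; the point to notice is that the Response Authenticator is an MD5 over the reply plus the shared secret, so an on-path attacker who does not know the secret cannot turn a Reject into an Accept.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # RFC 2865 attribute types

# Constructed test data (assumptions): the secret shared by the VPN gateway (NAS)
# and the RADIUS server, and the credential store on the RADIUS side.
SHARED_SECRET = b"constructed-radius-secret"
USER_DB = {"alice": b"correct horse battery staple"}


def _attr(attr_type: int, value: bytes) -> bytes:
    """One Type/Length/Value attribute; Length includes the 2 header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password on the server; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: str, password: str,
                         secret: bytes, request_auth: bytes = None) -> bytes:
    """Gateway side: Code | Identifier | Length | Request Authenticator | attributes."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable per request
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(
        ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def server_respond(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """RADIUS server side. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + ResponseAttributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in user_db and hmac.compare_digest(user_db[user], password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    response_attrs = b""                                  # none needed for this example
    return header + hashlib.md5(header + request_auth + response_attrs + secret).digest()


def client_verify(response: bytes, request: bytes, secret: bytes):
    """Gateway side: return the reply code only if the Response Authenticator
    matches our request and the shared secret; None means forged or altered."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None
```

The User-Password hiding is an MD5 keystream XOR, not a modern cipher, and the whole exchange runs over UDP; on any network the VPN gateway does not fully trust, RADIUS traffic should itself be carried over IPsec or TLS (RadSec, RFC 6614).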
Data encryption in a secure VPN is provided by the protocols described in section II (IPsec ESP, TLS for SSL VPNs and SSTP, MPPE for PPTP). These protocols allow encrypted data to be sent over an untrusted network. Although it is possible to configure an unencrypted tunnel, this is not recommended. Note that the VPN's encryption does not give end-to-end security: it protects only the leg between the client and the VPN server, and once the gateway has decrypted the traffic it travels in the clear across the internal network. For a secure end-to-end connection an additional layer, such as transport-mode IPsec or TLS between the client and the final application server, can be run inside the tunnel once the VPN connection has been established.
Packet filtering is used to enhance the security of the VPN server itself. The filters on its Internet-facing interface should be configured so that the host does nothing but VPN routing: only the VPN protocols are admitted (for IPsec, IKE on UDP ports 500 and 4500 plus ESP and AH), obviously spoofed source addresses are dropped, and every other inbound packet is discarded.
Tunnelling is the general mechanism for transporting packets of one network over a foreign network by wrapping them inside packets of that network; IPsec tunnel mode is one implementation of it. Three protocol roles are involved:
Carrier: the protocol of the network across which the information travels (IP on the public Internet).
Encapsulation: the protocol, such as PPTP (GRE), L2TP or IPsec ESP, that wraps the original packets. Encapsulation by itself does not encrypt; confidentiality is added by the security layer of the encapsulating protocol (ESP, or MPPE inside PPTP) where one exists.
Passenger: the original data being carried, for example the private-network IP packet.
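To make the three roles concrete, here is an added example (not code from the article) that builds an IPsec ESP tunnel-mode packet from a constructed passenger IPv4 packet and recovers it again. The carrier is an outer IPv4 header with protocol 50, the encapsulation is the ESP header, trailer and integrity check value, and the passenger is the inner packet. ESP-NULL (RFC 2410) with HMAC-SHA1-96 is used because the Python standard library has no AES; a real SA would use a cipher such as AES-GCM, but the framing, padding and ICV handling are the same. Addresses, SPI and key are constructed test values.

```python
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50            # IP protocol number for ESP (carrier header)
IPIP_NEXT_HEADER = 4      # "next header" meaning an IPv4 packet follows (tunnel mode)
ICV_LEN = 12              # HMAC-SHA1-96 truncates the 20-byte tag to 96 bits

# Constructed inbound SA database for the receiving gateway: SPI -> HMAC key (assumption).
INBOUND_SAS = {0x1000ABCD: b"constructed-test-key"}


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header; used for both the passenger and the carrier."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def esp_encapsulate(inner: bytes, spi: int, seq: int, auth_key: bytes,
                    outer_src: str, outer_dst: str) -> bytes:
    """Sending gateway: wrap `inner` in ESP (null encryption + HMAC) and an outer IP header."""
    # RFC 4303: payload + padding + pad length + next header must be 4-byte aligned;
    # default padding bytes are 1, 2, 3, ... so the receiver can check them.
    pad_len = (-(len(inner) + 2)) % 4
    body = struct.pack("!II", spi, seq) + inner + bytes(range(1, pad_len + 1)) \
        + struct.pack("!BB", pad_len, IPIP_NEXT_HEADER)
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    esp = body + icv
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


def esp_decapsulate(outer: bytes, inbound_sas: dict):
    """Receiving gateway: look up the SA by SPI, verify the ICV, strip the ESP
    framing and return (sequence number, passenger packet). Raises on any failure."""
    if outer[0] >> 4 != 4 or outer[9] != ESP_PROTO:
        raise ValueError("not an IPv4 packet carrying ESP")
    ihl = (outer[0] & 0x0F) * 4
    total_len = struct.unpack("!H", outer[2:4])[0]
    esp = outer[ihl:total_len]
    spi = struct.unpack("!I", esp[:4])[0]
    if spi not in inbound_sas:
        raise ValueError("no inbound SA for SPI 0x%08x" % spi)
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(inbound_sas[spi], body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):          # check integrity before parsing further
        raise ValueError("ICV mismatch: packet forged or corrupted")
    seq = struct.unpack("!I", body[4:8])[0]
    pad_len, next_header = body[-2], body[-1]
    if next_header != IPIP_NEXT_HEADER:
        raise ValueError("unexpected next header %d" % next_header)
    inner_end = len(body) - 2 - pad_len
    if body[inner_end:len(body) - 2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding")
    return seq, body[8:inner_end]


def demo():
    """Passenger: a constructed packet between two private hosts; carrier: the two gateways."""
    payload = b"constructed passenger payload"
    inner = ipv4_header("10.0.1.5", "10.0.2.9", 17, len(payload)) + payload
    outer = esp_encapsulate(inner, 0x1000ABCD, 1, INBOUND_SAS[0x1000ABCD],
                            "203.0.113.1", "198.51.100.1")
    seq, recovered = esp_decapsulate(outer, INBOUND_SAS)
    return inner, outer, recovered


if __name__ == "__main__":
    inner, outer, recovered = demo()
    print("outer packet bytes:", len(outer), "inner recovered intact:", recovered == inner)
```

Everything after the outer header, including the private 10.x addresses of the passenger packet, is covered by the ICV; flipping a single bit anywhere in that region makes `esp_decapsulate` raise rather than forward a corrupted packet into the private network.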
Firewalls protect private networks from the Internet: they control which files and connections are allowed to leave the private network and which ports packets may pass through. Two commonly used types are packet-level firewalls and application-level firewalls.
a) A packet-level firewall checks the source and destination addresses of every packet that tries to pass through. It lets traffic in and out of the organization's network only if the packet carries an acceptable combination of source address, destination address, protocol and TCP/UDP port, so it knows where each packet is heading and whether that flow is permitted. The disadvantage of a packet-level firewall is that it does not inspect the packet contents or why they are being transmitted, so any service that has not been explicitly blocked is available to all users.
b) An application-level firewall acts as a host (a proxy) between the organization's network and the Internet. Users who want to reach the organization's network must first log in to the application-level firewall, which then forwards only the information they are authorized for. Its advantages are per-user access control and per-resource authorization: only resources that are authorized are accessible. The cost is that users must remember an extra set of credentials when they log in from the Internet, and the proxy becomes a performance bottleneck.
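The packet-level filter described above, and the "only VPN routing" policy for the gateway's outside interface from section III, can be shown together in working code. The following is an added example, not code from the article: a first-match rule table evaluated over constructed packets. Addresses come from the documentation ranges and the rule set is an assumption about a typical IPsec gateway; the last sample packet illustrates the stated limitation that a packet-level filter never looks at the payload.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, List, Tuple

PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51


@dataclass(frozen=True)
class Packet:
    """The header fields a packet-level filter can see, plus the payload it ignores."""
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str                      # "ACCEPT" or "DROP"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(rules: List[Rule], packet: Packet, default: str = "DROP") -> Tuple[str, str]:
    """First matching rule wins; anything unmatched falls to the default policy."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.comment
    return default, "default policy"


# Assumed topology: the gateway's public address and the private range behind it.
VPN_GW = "203.0.113.1"
INTERNAL_NET = "10.0.0.0/8"

# Inbound rule set for the gateway's Internet-facing interface: admit only the
# IPsec protocols addressed to the gateway itself, drop spoofed sources first.
VPN_ONLY_RULES = [
    Rule("DROP", src=INTERNAL_NET, comment="internal source address arriving from the Internet: spoofed"),
    Rule("ACCEPT", dst=VPN_GW + "/32", proto=PROTO_UDP, dport=500, comment="IKE"),
    Rule("ACCEPT", dst=VPN_GW + "/32", proto=PROTO_UDP, dport=4500, comment="IKE / ESP over UDP (NAT-T)"),
    Rule("ACCEPT", dst=VPN_GW + "/32", proto=PROTO_ESP, comment="ESP"),
    Rule("ACCEPT", dst=VPN_GW + "/32", proto=PROTO_AH, comment="AH"),
]

# Constructed sample traffic (assumptions) as seen on the outside interface.
SAMPLE_PACKETS = [
    ("IKE from a remote site", Packet("198.51.100.7", VPN_GW, PROTO_UDP, 500)),
    ("ESP from a remote site", Packet("198.51.100.7", VPN_GW, PROTO_ESP)),
    ("SSH to the gateway's outside address", Packet("198.51.100.7", VPN_GW, PROTO_TCP, 22)),
    ("ESP with a spoofed internal source", Packet("10.0.2.9", VPN_GW, PROTO_ESP)),
    ("direct SMB to an internal host", Packet("198.51.100.7", "10.0.2.9", PROTO_TCP, 445)),
    ("junk payload on the NAT-T port", Packet("198.51.100.7", VPN_GW, PROTO_UDP, 4500, b"\xff" * 64)),
]


def demo() -> List[Tuple[str, str]]:
    """Return (description, decision) for each sample packet."""
    return [(desc, filter_packet(VPN_ONLY_RULES, pkt)[0]) for desc, pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for desc, decision in demo():
        print("%-40s %s" % (desc, decision))
```

The last packet is accepted although its payload is garbage, because the header matched the NAT-T rule: rejecting it is the job of the IKE daemon and ESP integrity check behind the filter, not of the packet-level firewall. Rule order also matters, which is why the anti-spoofing drop sits above the accept rules.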