VIRTUAL PRIVATE NETWORK SECURITY

“INTRODUCTION TO VPN”

Tremendous strides in computer networking have increased the productivity of todays workers in todays workplace. The security risk in networking today has also grown. VPN routing uses virtual connections (instead of the traditional dialed line or a leased line) to connect users in remote offices to a private network over a public network. VPN networking offers many benefits. It allows for extended geographic connectivity, improves security, and is much more cost effective, than traditional wide area network (WAN) connectivity. Never before have so many people been able to connect almost seamlessly to their corporate network from home and on the road, which instantly allows real-time communication with their corporate LAN. VPNs are private networks, used by a company over an existing WAN infrastructure. A secure VPN uses tunneling protocols to provide security, authentication, and integrity to VPN users. Business needs are constantly evolving and, with that evolution, the need to access information from a central location is even more prevalent. The VPN is highly sought after by companies interested in expanding the capabilities of their networks. VPNs are prevalent in most business and homes where users are able to securely log in to the corporate LANs. VPN technology is very beneficial to people who travel often. They find that VPN allows them the flexibility of checking corporate applications virtually anywhere in the world. Because the access of data is instantaneous, information is shared in real time. A VPN is very cost-effective as well. Unlike traditional private leased lines, VPN technology utilizes existing cabling and routers to connect one site to another in a virtual manner, over a public network (most often the Internet).

APPLICATION & REQUIREMENTS OF VPN

VPN PROTOCOLS AND STANDARDS

A few protocols have been introduced to accommodate VPN technology, including the following:

  1. Secure Sockets Layer (SSL)
  2. Public Key Infrastructure (PKI)
  3. Secure ID
  4. Internet Protocol Security (IPSec)
  5. Layer 2 Forwarding (L2F)
  6. Point-to-Point Tunneling Protocol (PPTP)
  7. Layer 2 Tunneling Protocol (L2TP)
  8. Generic Routing Encapsulation (GRE)

we will discuss the protocols and get an understanding of what each does. Secure Sockets Layer Secure Sockets Layer (SSL) is a networking standard that is used to improve safety and security of network communications, through the use of encryption. SSL utilizes several security standards, including certificates, private keys, and public keys. An SSL session starts with the handshake that first establishes a TCP/IP session. Once the TCP/IP session has been established, then a client is authenticated with a public key. After the authentication is complete, the server determines the level of security that is required for the client by choosing the strongest algorithm that is supported by the client and the server. The last step that is taken is the establishment of a shared secret that is used to encrypt data being passed between the server and the client. Finally, the SSL session is established. Encryption services are very CPU-intensive and, therefore, an SSL session is established only when the transfer of sensitive data occurs. You can often determine if SSL has been employed by looking at a URL address field in a Web browser and seeing a ― ―s‖ following the ―http‖ (that is, ―https”). SSL uses several components to verify the digital identity of an inquiring node. To establish an SSL session, these components are used for the purposes of performing checks and verifications made between the end nodes. These components are as follows:

  • Certificates
  • Certificate Authority
  • Keys
  • Shared Secret

Certificates
SSL uses certificates, which are digital records that identify a person, group, or organization. Certificates are personal digital identification used for a variety of security reasons. Certificates are used in conjunction with public keys to identify the owner of the key and provide a way to pass sensitive data. Certificate Authority Certificates are assigned by a Certificate Authority (CA). Once the certificate is issued, it is then made available to the public. The certificate basically is confirmation that the CA verifies information to be true and secure, and that the public key attached to the certificate is valid.

Keys
A key is a series of bits used by algorithms to encrypt and decrypt data messages. An encryption algorithm will take a message and a key. Based on the keys bits, a new, encrypted message is generated and sent to the destination. Sometimes the same key is used to decrypt the data, but most often the destination has a key (which will be the only key that can decrypt the data and restore it back to the original message). Keys are used to provide the necessary encryption and decryption methods used to protect and secure data transmissions. When a sending station wants to send encrypted data, a pair of keys is assigned: One of the keys is given to the sender and one to the destination. Data is then encrypted by one key and decrypted by the other. No other key can decrypt this information. Shared Secret A shared secret is widely used because it is one password that is shared between users. The problem with a shared secret is that it stands a chance of being compromised because it is shared. Shared secrets are pre-shared keys that are allocated to source and destination devices prior to the transfer of data. Public Key Infrastructure Public Key Infrastructure (PKI) is a way of verifying identities. It allows the users to be united with a public key. PKI allows users to be known to each other through authentication. It allows the sharing of data by establishing the relationship and then sharing certificates to decrypt and encrypt information. PKI encompasses the hardware, software, and the procedures that are needed to provide these services. It ensures that all users use a private key to provide a digital signal to one another, which allows users to establish secrecy and integrity in the data they are sharing. Secure ID Developed by RSA Security, Secure ID is a technology that provides user authentication to network resources. The Secure ID mechanism contains hardware (known as a token) that is assigned to an individual user. The token generates authentication codes that regenerate periodically, using a built-in clocking device. The authentication codes are also set and are generated by the token ̳s corresponding Secure ID server.

VPN TUNNELING PROTOCOLS

The following VPN tunneling protocols are supported:

  • Internet Protocol Security (IPSec)
  • Layer 2 Tunneling Protocol (L2TP)
  • Point to Point Tunneling Protocol (PPTP)
  • Secure Sockets Layer (SSL) Services

Internet Protocol Security Internet Protocol Security
IPSec is the standard that has been established for Internet Protocol communication. IPSec provides authentication and encryption for IP packets. As discussed earlier, IPSec is a collection of several related protocols. It can be used on its own or can work with other tunnel protocols to provide an encryption scheme within them. IPSec operates at Layer 3 of the OSI Reference Model. It is capable of protecting both UDP and TCP traffic. IPSec is designed to provide for key exchange and for securing the flow of packets. Securing packet flow is accomplished by using an Authentication Header (AH) and Encapsulating Security Payload (ESP). Currently, key exchanges are handled with the Internet Key Exchange (IKE) protocol.

Layer 2 Tunneling Protocols
Layer 2 Tunneling Protocol (L2TP) combines the features found in both the L2F and PPTP tunneling protocols. It may be implemented as either a provider-based service that requires a Layer 2 Access Controller (LAC), or through the use of client software utilizing a client/server relationship between the user PC and the VPN device to establish the tunnel. Figure illustrates both
implementations. In Figure, two users are accessing an ISP that provides both RAS and L2TP capabilities. One user is using dialup services to connect to the ISP forming a PPP connection utilizing the L2TP services that the ISP is providing to access services, and servers that are located on the central site private network.

Point-to-Point Tunneling Protocol
The Point-to-Point Tunneling Protocol (PPTP) was developed to allow PPP to be tunneled through an IP network. It does not modify any part of the PPP protocol, but provides a transport for that traffic. It is based on client/server architecture and, thus, eliminates the need for an NAS, which L2F relies on. PPTP allows for the direct connection to VPN devices to gain access to the private network. Figure shows the client/server relationship with a user utilizing a PPTP-based client to gain access to the private network. For a user to create a VPN tunnel to a central office utilizing PPTP requires that PPTP client software be loaded on the computer being used. PPTP clients are available for all Microsoft Windows operating systems and various versions of Linux, as well as Mac OS X. The user ̳s PPTP client negotiates a connection with the VPN device.

PPTP client authentication is accomplished with Microsoft Challenge Handshake Protocol (MS-CHAP). Once a PPTP tunnel has been negotiated and established, the user is able to communicate with services and servers available on the central site office ̳s private network.

With the appropriate hardware and licensing, VPN Router software will support the SSL standard. SSL is a cryptographic protocol that provides secure communications over the Internet.

User/Client Tunnel User or Client Tunnels may be originated directly from a user PC or a VPN enabled device acting as a client. If originating from a user ̳s PC, software will be required to allow for a secure tunnel connection to the VPN Router. Following are the most widely used secure connection types:

  • Layer 2 Tunneling Protocol (L2TP)
  • Point-to-Point Tunnel Protocol (PPTP)
  • Layer 2 Forwarding protocol (L2F)
  • IP Security (IPSec)
  • PC-Based VPN Tunnels

PCs running VPN tunneling software can make secure connections directly to VPN Routers. These users must be authorized for use of that VPN Router by being on the approved access list of the device or the network to which they are attempting to attach. A user is either permitted or denied access to resources on the network behind the VPN Router by the level of permissions that has been granted to the user directly or by inherited rights from a group association that the user is a member of. Users can be restricted in what resources are available to them utilizing the authentication process to set their permission level upon access.