Virtual Private Network (VPN)


By: Hisham M Mahmoud

What is a VPN?


A VPN is a connection that has the appearance and many of the advantages of a dedicated link but occurs over a shared network. Using a technique called “tunneling” data packets are transmitted across a public routed network, such as the Internet or other commercially available network, in a private “tunnel” that simulates a point-to-point connection. This approach enables network from many sources to travel via separate tunnels across the same infrastructure. It allows network protocols to traverse incompatible infrastructures.

Concept behind a VPN


·         Let us say that you have a small office with 4 computers in the production department. You would network these 4 computers with Ethernet cards so you can share printers and disk drives. You use IP protocols, as you might want to expand some day.

·         A few months later you install 4 more computers for the accounting dept. You decide to differentiate between your two departments by segmenting them. You assign 192.168.10.X to one side and 192.168.20.X to the other.

·         According to the laws of IP, if these 2 networks want to speak to each other then you must introduce a Gateway between them to route the packets from one subnet to the other. This gateway is called a router and is the basis of connecting networks together to form the Internet.

·         A VPN acts exactly like this router. Imagine that 192.168.10.X and 192.168.20.X are in different locations. Split the router box in half. By doing so you would split the functionality of the single router into two separate routers, then link these two halves through a public network containing public routable IP’s (such as the Internet). Both your network segments would still be able to talk to each other through a virtual tunnel even if they are separated by a great distances. Provided you have made the tunnel secure, you now have a VPN.

Why use a VPN?


The Internet as it stands is a fairly hostile place. In order to keep your information safe, your VPN must be able to insure the following:

·         Confidentiality – Make sure it is hard to anyone but the receiver to understand what data has been communicated. You do not want anyone to see your passwords when logging into a remote machine over the Internet.

·         Integrity – Guarantee that the data does not get changed on the way to the receiver.

·         Authenticity – sign your data so that others can see that it is really you that sent it

·         Replay protection – You need a way to ensure a transaction can only be carried out once and there is an authorization to repeat it.

A popular method of fulfilling the above requirements is to create a VPN with IPSec tunnels.

The security components that make a VPN possible


Authentication is used to prevent unauthorized users from gaining access to the secured network. There are two main security obstacles to overcome with authentication, the "Replay" attack and "Remote Client Impersonation." A "Replay" attack is when another computer taps into the conversation between the client and server computers, and captures the packets sent for authentication. Then, the third party computer can "replay" those packets to the server, mimicking the original computer, and gain access. "Remote Client Impersonation" is when an outside computer taps into the authentication process. Then when the authentication process is complete, severs the original client's connection and finishes the link establishment itself, becoming just as secure as the original computer would have been, but without having to authenticate. Password authentication Protocol, PAP provides no protection against replay or remote client impersonation attacks, and passes the username and password where it can be intercepted. An improvement to this is the Challenge-Handshake Authentication Protocol, CHAP, which uses a session ID and arbitrary challenge string to authenticate the user. The newest authentication protocol is EAP, Extensible Authentication Protocol, which allows for vendor specific plug-in modules providing continuous upgrade ability. Most of these protocols deal only with the client being authenticated by the server, but what happens if the server is impersonated? An addition to EAP, call Transaction-Level Security (EAP-TLS) handles this situation by presenting the client with a certificate to authenticate the server.

Encryption. There are two basic types of encryption, Symmetric and Asymmetric. Symmetric, sometimes called "private key" encryption, uses a shared secret key to do both the encrypting and decrypting of the message. This secret key must be decided upon and exchanged between both computers prior to secure communications. Algorithm that used currently are the Data Encryption Standard (DES) and RSA, developed by Data Security Inc. RSA is much faster than DES and has become a de-facto standard for High-speed data encryption. Asymmetric encryption, or "public key" encryption, provides an added level of security. Each person is assigned a Public key and a Private key. The algorithm to encrypt and decrypt messages is asymmetric, meaning that it only works one way. When you want to send a message to a specific person, you can encrypt the message using their public key, and their private key can only decrypt the message. To distribute these public keys, a certificate is used. A Certificate Authority distributes a certificate containing a person's public key and information about that key. The certificate is encrypted with the Certificate Authority's private key and can be decrypted with it's public key to verify that the certificate, and therein the public key of the individual, is authentic.

Tunneling allows data to be transferred from one network over another. For tunneling to work, both endpoints of the tunnel need to be using the same tunneling protocols. With a VPN the internetwork is the Internet. There is two main ways tunnels can be created: Voluntary tunnels, and Compulsory tunnels. A voluntary tunnel uses the user’s computer as the tunnel client, making it an endpoint in the tunnel. With a Compulsory tunnel the user’s computer is not an endpoint, a remote access server acts as the tunnel endpoint.

Tunneling Protocols


PPTP (Point to Point Tunneling Protocol): PPTP is a Data Link Layer protocol. PPTP uses a TCP connection, where it encapsulates data in PPP frames and IP datagrams to transverse an IP network. This data can be encrypted and/or compressed.

L2F (Layer 2 Forwarding): L2F is a Data Link Layer protocol. L2F also uses PPP in encapsulation but different than PPTP in that it supports more than one connection. L2F functions in compulsory tunnels only.

L2TP (Layer 2 Tunneling Protocol): L2TP is a Data Link Layer. L2TP is a combination of L2F and PPTP. Its designers structured it so that the best features from each of these protocols would be incorporated in to one superior tunneling protocol. L2TP encapsulates the data in PPP frames. They can be sent over IP, X.25, Frame Relay, or ATM networks. In addition to the security features of PPTP and L2F, L2TP has incorporated IPSec encryption methods, creating a more secure tunnel.

IPSec (Internet Protocol Security): IPSec is a Network Layer Protocol that encrypts IP packets, and then encapsulates them within another IP header. Unfortunately IPSec only supports IP traffic. However IPSec is perhaps the most secure of the protocols listed here. It is controlled by a security policy, which is a set of filter-matching rules. This policy determines the encryption, tunneling, and authentication methods in order of preference. When there is traffic over the tunnel, the two endpoints of the tunnel perform mutual authentication, and then negotiate the security options, such as encryption. Then all traffic through the tunnel is encrypted and encapsulated as specified.

How does the VPN work?


The main element of the VPN concept lays at the gateways between the private networks and the public network. Be it software oriented, hardware oriented or a combination of the two -this intermediate device acts on behalf of the private network that it protects. When one of the local hosts sends data to another host in a remote network, the data must first pass from the private network through the protecting gateway device, travel through the public network, and then pass through the gateway device that is protecting the host in the remote network at the receiving end. A VPN safeguards the data by automatically encrypting it (thus, making it comprehensible to a third party) before it is sent from one private network to another, encapsulating it into an IP packet, and then automatically decrypting the data at the receiving end. The gateway device can also double as a Firewall for the local network, denying harmful or malicious data access to the network, and managing the outgoing data to the public network (whether it is encrypted or not).
How the VPN keeps data secure?

Certification - every gateway device that wishes to join the VPN must be certified by a Certification Authority. The certification is usually twofold and includes an electronic token and a PIN (Personal Identification Number). In this manner, the user must have something in his possession and something he memorizes. This drastically reduces the probability of someone impersonating a user because he needs both elements to access the system.
Encryption - Once in the VPN, each gateway device sends its public key to all of his peers in the VPN.
With the use of the public and private keys the data is encrypted in such a way that it's mathematically impossible to decode without knowledge of the keys. Once the encryption key is selected and implemented, it is necessary to ensure that the keys are protected through a key management system. Key management is the process of distributing the keys, refreshing them at specific intervals and revoking them when necessary. A balance has to be made between the key exchange intervals and the amount of data that is exchanged. An interval that is too short overburdens the VPN servers with key generation. On the other hand, a key exchange interval that is too long compromises the key and the data it encrypts.

Typical VPN Implementations

·         Intranet VPNs between internal corporate departments and branch offices

·         Remote Access VPNs between a corporate network and remote or mobile employee

·         Extranet VPNs between a corporation and its strategic partners, customers, and suppliers

Areas in which VPN technology would be beneficial to an organization:

·         Remote user access

·         Extranet applications

·         International sites

·         Diverse geographical user base

·         The need to support a diverse geographical customer base

·         Inexpensive marketplace expansion

·         Modest bandwidth requirements

·         Need for low cost global reach

Areas in which VPN technology may not be beneficial:

·         Where performance is premium

·         Where latency is unacceptable

·         Where nonstandard protocols that cannot be encapsulated with the IP protocol