Virtual Private Network (VPN)
By: Hisham M Mahmoud

What is a VPN?
A VPN is a connection that has the appearance and many of the advantages of a dedicated link but occurs over a shared network. Using a technique called “tunneling”, data packets are transmitted across a public routed network, such as the Internet or another commercially available network, in a private “tunnel” that simulates a point-to-point connection. This approach enables traffic from many sources to travel via separate tunnels across the same infrastructure. It also allows network protocols to traverse infrastructures that would otherwise be incompatible with them.
· Let us say that you have a small office with 4 computers in the production department. You would network these 4 computers with Ethernet cards so you can share printers and disk drives. You use IP protocols, as you might want to expand some day.
· A few months later you install 4 more computers for the accounting department. You decide to differentiate between your two departments by segmenting them. You assign 192.168.10.X to one side and 192.168.20.X to the other.
· According to the laws of IP, if these 2 networks want to speak to each other then you must introduce a gateway between them to route the packets from one subnet to the other. This gateway is called a router and is the basis of connecting networks together to form the Internet.
· A VPN acts exactly like this router. Imagine that 192.168.10.X and 192.168.20.X are in different locations. Split the router box in half. By doing so you would split the functionality of the single router into two separate routers, then link these two halves through a public network containing public routable IPs (such as the Internet). Both your network segments would still be able to talk to each other through a virtual tunnel even if they are separated by a great distance. Provided you have made the tunnel secure, you now have a VPN.
Why use a VPN?
The Internet as it stands is a fairly hostile place. In order to keep your information safe, your VPN must be able to ensure the following:
· Confidentiality – Make sure it is hard for anyone but the receiver to understand what data has been communicated. You do not want anyone to see your passwords when logging into a remote machine over the Internet.
· Integrity – Guarantee that the data does not get changed on the way to the receiver.
· Authenticity – Sign your data so that others can see that it is really you that sent it.
· Replay protection – You need a way to ensure a transaction can only be carried out once, unless there is an authorization to repeat it.
A popular method of fulfilling the above requirements is to create a VPN with IPSec tunnels.
Authentication is used to prevent unauthorized users from gaining access to the secured network. There are two main security obstacles to overcome with authentication: the "Replay" attack and "Remote Client Impersonation." A "Replay" attack is when another computer taps into the conversation between the client and server computers and captures the packets sent for authentication. The third-party computer can then "replay" those packets to the server, mimicking the original computer, and gain access. "Remote Client Impersonation" is when an outside computer taps into the authentication process; when the authentication process is complete, it severs the original client's connection and finishes the link establishment itself, becoming just as secure as the original computer would have been, but without having had to authenticate.
Password Authentication Protocol (PAP) provides no protection against replay or remote client impersonation attacks, and passes the username and password in a form that can be intercepted. An improvement on this is the Challenge-Handshake Authentication Protocol (CHAP), which uses a session ID and an arbitrary challenge string to authenticate the user. The newest authentication protocol is the Extensible Authentication Protocol (EAP), which allows for vendor-specific plug-in modules, providing continuous upgradeability. Most of these protocols deal only with the client being authenticated by the server, but what happens if the server is impersonated? An addition to EAP, called Transaction-Level Security (EAP-TLS), handles this situation by presenting the client with a certificate to authenticate the server.
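The contrast between PAP and CHAP described above, as an added example that is not part of the original article: PAP puts the credentials themselves on the wire, while CHAP (RFC 1994) answers a fresh random challenge with MD5(Identifier || secret || Challenge), so a captured response is useless against the next challenge. The ChapServer class, the credential store and the user "alice" are constructed for the demonstration; only the response formula comes from the RFC.

```python
import hashlib
import hmac
import secrets

# Constructed demo credential store; a real authenticator keeps secrets elsewhere.
SECRET_DB = {"alice": b"correct horse battery staple"}


def pap_on_the_wire(name, password):
    """What PAP transmits: the credentials themselves, readable by any eavesdropper."""
    return name.encode() + b":" + password


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Minimal CHAP authenticator (demo class). Every attempt gets a fresh random
    challenge, and a challenge can be answered at most once."""

    def __init__(self, secret_db):
        self.secret_db = secret_db
        self.identifier = 0
        self.outstanding = {}  # identifier -> challenge awaiting a response

    def challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF  # 8-bit Identifier field
        chal = secrets.token_bytes(16)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier, name, response):
        chal = self.outstanding.pop(identifier, None)  # consume the challenge
        secret = self.secret_db.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo_chap_vs_replay():
    """One legitimate CHAP login, then two replays of the captured response.
    Returns which attempts the server accepted."""
    server = ChapServer(SECRET_DB)

    # Legitimate client answers the challenge it was given.
    ident, chal = server.challenge()
    resp = chap_response(ident, SECRET_DB["alice"], chal)
    legit = server.verify(ident, "alice", resp)

    # An eavesdropper recorded (ident, resp) and sends it back later.
    # The old challenge was already consumed, and the new one differs,
    # so neither replay matches what the server now expects.
    replay_old = server.verify(ident, "alice", resp)
    ident2, _chal2 = server.challenge()
    replay_new = server.verify(ident2, "alice", resp)

    return {"legit": legit, "replay_old_id": replay_old, "replay_new_id": replay_new}


if __name__ == "__main__":
    print(pap_on_the_wire("alice", SECRET_DB["alice"]))
    print(demo_chap_vs_replay())
```

Note that CHAP still requires the server to hold the cleartext secret, and MD5 is used here only because that is what RFC 1994 specifies; the replay resistance comes from the fresh challenge, not from the hash.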
Encryption. There are two basic types of encryption, symmetric and asymmetric. Symmetric, sometimes called "private key" encryption, uses a shared secret key to do both the encrypting and decrypting of the message. This secret key must be agreed upon and exchanged between both computers prior to secure communications. Algorithms currently in use are the Data Encryption Standard (DES) and RSA, developed by Data Security Inc. RSA is much faster than DES and has become a de facto standard for high-speed data encryption. Asymmetric encryption, or "public key" encryption, provides an added level of security. Each person is assigned a public key and a private key. The algorithm to encrypt and decrypt messages is asymmetric, meaning that it only works one way. When you want to send a message to a specific person, you encrypt the message using their public key, and only their private key can decrypt it. To distribute these public keys, a certificate is used. A Certificate Authority distributes a certificate containing a person's public key and information about that key. The certificate is encrypted with the Certificate Authority's private key and can be decrypted with its public key to verify that the certificate, and therein the public key of the individual, is authentic.
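The public-key and certificate mechanics just described, as an added example that is not part of the original article. It uses textbook RSA with deliberately tiny moduli built from known Mersenne primes so the arithmetic is visible and runs instantly; a real CA uses 2048-bit or larger keys, padding and a standard certificate format. The "encrypt with the CA's private key, decrypt with its public key" step in the text is what the sign and verify functions below implement. All names (the CA, "alice", "mallory", the session key value) are constructed for the demonstration.

```python
import hashlib

# Toy RSA parameters: products of known Mersenne primes give moduli of only
# ~150 bits (CA) and ~50 bits (subject). Far too small for real use; they exist
# so the arithmetic runs instantly. Real certificates use RSA-2048 or larger.
E = 65537
CA_PRIMES = (2**61 - 1, 2**89 - 1)
SUBJECT_PRIMES = (2**31 - 1, 2**19 - 1)


def make_keypair(p, q, e=E):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; needs Python 3.8+
    return (n, e), (n, d)


def digest_as_int(data, n):
    """SHA-256 the data and keep enough leading bytes to stay below the modulus."""
    nbytes = (n.bit_length() - 1) // 8
    return int.from_bytes(hashlib.sha256(data).digest()[:nbytes], "big")


def encrypt(public_key, m):
    """Anyone with the public key can encrypt; m must be an int < n."""
    n, e = public_key
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the private key recovers the message."""
    n, d = private_key
    return pow(c, d, n)


def sign(private_key, data):
    """The signer applies the private exponent to the message digest."""
    n, d = private_key
    return pow(digest_as_int(data, n), d, n)


def verify(public_key, data, signature):
    """Applying the public exponent must reproduce the digest of the data."""
    n, e = public_key
    return pow(signature, e, n) == digest_as_int(data, n)


def issue_certificate(ca_private, subject_name, subject_public):
    """A CA binds a name to a public key by signing the encoded pair."""
    n, e = subject_public
    body = f"{subject_name}|{n}|{e}".encode()
    return {"body": body, "signature": sign(ca_private, body)}


def certificate_public_key(cert):
    """Extract the (n, e) carried in a certificate body."""
    _name, n, e = cert["body"].decode().split("|")
    return int(n), int(e)


def verify_certificate(ca_public, cert):
    return verify(ca_public, cert["body"], cert["signature"])


def demo():
    ca_pub, ca_priv = make_keypair(*CA_PRIMES)
    alice_pub, alice_priv = make_keypair(*SUBJECT_PRIMES)

    # The CA publishes a certificate for Alice; a relying party checks it with the CA's public key.
    cert = issue_certificate(ca_priv, "alice", alice_pub)
    cert_ok = verify_certificate(ca_pub, cert)

    # Any change to the signed body (here, the subject name) breaks the CA's signature.
    forged = {"body": cert["body"].replace(b"alice", b"mallory"), "signature": cert["signature"]}
    forged_ok = verify_certificate(ca_pub, forged)

    # Trusting the certificate, a sender encrypts a session key to the key it carries.
    session_key = 0xC0FFEE1234  # constructed 40-bit value, below Alice's ~50-bit modulus
    ciphertext = encrypt(certificate_public_key(cert), session_key)
    recovered = decrypt(alice_priv, ciphertext)
    return {"cert_valid": cert_ok, "forged_cert_valid": forged_ok,
            "key_recovered": recovered == session_key,
            "ciphertext_differs": ciphertext != session_key}


if __name__ == "__main__":
    print(demo())
```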
Tunneling allows data to be transferred from one network over another. For tunneling to work, both endpoints of the tunnel need to be using the same tunneling protocols. With a VPN the internetwork is the Internet. There are two main ways tunnels can be created: voluntary tunnels and compulsory tunnels. A voluntary tunnel uses the user’s computer as the tunnel client, making it an endpoint in the tunnel. With a compulsory tunnel the user’s computer is not an endpoint; a remote access server acts as the tunnel endpoint.
PPTP (Point to Point Tunneling Protocol): PPTP is a Data Link Layer protocol. PPTP uses a TCP connection, where it encapsulates data in PPP frames and IP datagrams to traverse an IP network. This data can be encrypted and/or compressed.
L2F (Layer 2 Forwarding): L2F is a Data Link Layer protocol. L2F also uses PPP for encapsulation but differs from PPTP in that it supports more than one connection. L2F functions in compulsory tunnels only.
L2TP (Layer 2 Tunneling Protocol): L2TP is a Data Link Layer protocol. L2TP is a combination of L2F and PPTP. Its designers structured it so that the best features from each of these protocols would be incorporated into one superior tunneling protocol. L2TP encapsulates the data in PPP frames. They can be sent over IP, X.25, Frame Relay, or ATM networks. In addition to the security features of PPTP and L2F, L2TP has incorporated IPSec encryption methods, creating a more secure tunnel.
IPSec (Internet Protocol Security): IPSec is a Network Layer protocol that encrypts IP packets, and then encapsulates them within another IP header. Unfortunately IPSec only supports IP traffic. However, IPSec is perhaps the most secure of the protocols listed here. It is controlled by a security policy, which is a set of filter-matching rules. This policy determines the encryption, tunneling, and authentication methods in order of preference. When there is traffic for the tunnel, the two endpoints of the tunnel perform mutual authentication, and then negotiate the security options, such as encryption. Then all traffic through the tunnel is encrypted and encapsulated as specified.
The main element of the VPN concept lies at the gateways between the private networks and the public network. Be it software-oriented, hardware-oriented or a combination of the two, this intermediate device acts on behalf of the private network that it protects. When one of the local hosts sends data to another host in a remote network, the data must first pass from the private network through the protecting gateway device, travel through the public network, and then pass through the gateway device that is protecting the host in the remote network at the receiving end. A VPN safeguards the data by automatically encrypting it (thus making it incomprehensible to a third party) before it is sent from one private network to another, encapsulating it into an IP packet, and then automatically decrypting the data at the receiving end. The gateway device can also double as a firewall for the local network, denying harmful or malicious data access to the network, and managing the outgoing data to the public network (whether it is encrypted or not).
How does the VPN keep data secure?
1) Certification - every gateway device that wishes to join the VPN must be certified by a Certification Authority. The certification is usually twofold and includes an electronic token and a PIN (Personal Identification Number). In this manner, the user must have something in his possession and something he memorizes. This drastically reduces the probability of someone impersonating a user, because he needs both elements to access the system.
2) Encryption - Once in the VPN, each gateway device sends its public key to all of its peers in the VPN.
With the use of the public and private keys the data is encrypted in such a way that it is mathematically impossible to decode without knowledge of the keys. Once the encryption key is selected and implemented, it is necessary to ensure that the keys are protected through a key management system. Key management is the process of distributing the keys, refreshing them at specific intervals and revoking them when necessary. A balance has to be struck between the key exchange interval and the amount of data that is exchanged. An interval that is too short overburdens the VPN servers with key generation. On the other hand, a key exchange interval that is too long compromises the key and the data it encrypts.
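The four requirements listed under "Why use a VPN?" (confidentiality, integrity, authenticity, replay protection), the IPSec behaviour described above (encrypt each packet, encapsulate it behind a new header, check it at the far gateway) and the key-refresh balance in the preceding paragraph, shown together in one added example that is not part of the original article. The packet layout (64-bit sequence number, encrypted body, 16-byte HMAC-SHA256 tag) and the receiver's 32-packet sliding anti-replay window follow the ESP design in RFC 4303, but the code is a demonstration, not an IPSec implementation: the keystream is derived with HMAC as a stand-in for a negotiated block cipher, and the Sender, Receiver and demo names, the keys and the packet contents are all constructed here.

```python
import hashlib
import hmac
import secrets
import struct

WINDOW = 32                   # anti-replay window in packets (RFC 4303 minimum)
HEADER = struct.Struct(">Q")  # 64-bit sequence number in front of every packet
TAG_LEN = 16


def keystream(enc_key, seq, length):
    """Per-packet keystream from HMAC-SHA256(key, counter || seq). A demo stand-in
    for the cipher a real SA would negotiate; what matters is that the keystream is
    bound to the sequence number and therefore never reused under one key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">IQ", counter, seq), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Sender:
    """Outbound side of one security association (SA)."""

    def __init__(self, enc_key, auth_key, rekey_limit=2**32 - 1):
        self.enc_key, self.auth_key = enc_key, auth_key
        self.rekey_limit = rekey_limit  # how much of the sequence space one key may spend
        self.seq = 0

    def protect(self, plaintext):
        if self.seq >= self.rekey_limit:
            # Sequence numbers must never wrap under one key: a fresh SA is required.
            raise RuntimeError("SA exhausted: rekey required")
        self.seq += 1
        header = HEADER.pack(self.seq)
        body = xor(plaintext, keystream(self.enc_key, self.seq, len(plaintext)))
        tag = hmac.new(self.auth_key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        return header + body + tag


class Receiver:
    """Inbound side: integrity check first, then the sliding-window replay check."""

    def __init__(self, enc_key, auth_key):
        self.enc_key, self.auth_key = enc_key, auth_key
        self.highest = 0  # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => packet (highest - i) already accepted

    def _fresh(self, seq):
        if seq == 0:
            return False
        if seq > self.highest:
            return True
        offset = self.highest - seq
        return offset < WINDOW and not (self.bitmap >> offset) & 1

    def _mark(self, seq):
        if seq > self.highest:
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def unprotect(self, packet):
        """Return the plaintext, or None if the packet is replayed, stale or tampered."""
        if len(packet) < HEADER.size + TAG_LEN:
            return None
        header, body, tag = packet[:HEADER.size], packet[HEADER.size:-TAG_LEN], packet[-TAG_LEN:]
        (seq,) = HEADER.unpack(header)
        if not self._fresh(seq):
            return None
        expected = hmac.new(self.auth_key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return None
        self._mark(seq)  # only packets that passed the integrity check advance the window
        return xor(body, keystream(self.enc_key, seq, len(body)))


def demo():
    enc_key, auth_key = secrets.token_bytes(32), secrets.token_bytes(32)
    tx, rx = Sender(enc_key, auth_key, rekey_limit=5), Receiver(enc_key, auth_key)
    r = {}
    p1 = tx.protect(b"user=alice&password=hunter2")   # constructed sample payload
    r["confidential"] = b"hunter2" not in p1          # nothing readable on the wire
    r["delivered"] = rx.unprotect(p1) == b"user=alice&password=hunter2"
    r["replay_rejected"] = rx.unprotect(p1) is None   # same packet captured and resent
    p2, p3 = tx.protect(b"two"), tx.protect(b"three")
    r["reorder_ok"] = rx.unprotect(p3) == b"three" and rx.unprotect(p2) == b"two"
    p4 = tx.protect(b"transfer 100")
    flipped = p4[:HEADER.size] + bytes([p4[HEADER.size] ^ 0x01]) + p4[HEADER.size + 1:]
    r["tamper_rejected"] = rx.unprotect(flipped) is None
    r["original_still_ok"] = rx.unprotect(p4) == b"transfer 100"  # bad copy did not consume seq 4
    tx.protect(b"five")
    try:
        tx.protect(b"six")
        r["rekey_enforced"] = False
    except RuntimeError:
        r["rekey_enforced"] = True
    return r


if __name__ == "__main__":
    print(demo())
```

The ordering inside unprotect matters: the window is updated only after the tag verifies, so a forged or corrupted copy of a packet cannot cause the genuine one to be discarded later as a "replay". The rekey_limit parameter is the code-level form of the interval trade-off in the text: too small and the endpoints spend their time renegotiating, too large and one key protects more traffic than it should.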
· Intranet VPNs between internal corporate departments and branch offices
· Remote Access VPNs between a corporate network and remote or mobile employees
· Extranet VPNs between a corporation and its strategic partners, customers, and suppliers
Areas in which VPN technology would be beneficial to an organization:
· Remote user access
· Extranet applications
· International sites
· Diverse geographical user base
· The need to support a diverse geographical customer base
· Inexpensive marketplace expansion
· Modest bandwidth requirements
· Need for low cost global reach
Areas in which VPN technology may not be beneficial:
· Where performance is premium
· Where latency is unacceptable
· Where nonstandard protocols are used that cannot be encapsulated with the IP protocol