VPN: Virtual Private Network
A virtual private network (VPN) provides a connection between two or more private networks across a public network, i.e. the Internet.
Using a VPN, computers can send and receive data across a shared or public network as if they were directly connected, while still applying the security and management policies of the private network.
- Virtual point-to-point connections are established using dedicated connections and encryption.
- Access to resources is the same as on an internal or private network; the user notices no difference.
- A VPN uses encryption so that IP traffic can travel securely over a TCP/IP network.
- A VPN uses a tunneling protocol to encrypt packet contents and wrap them in an unencrypted outer packet.
- The devices at the endpoints of the tunnel encrypt and decrypt packets; these endpoints form the two ends of a secure communication channel.
- Decryption and unwrapping can only be done by the destination tunnel endpoint.
Benefits of VPN
There are several benefits of using a VPN on your network and allowing remote users to access its services seamlessly.
- Security: Because a public network is used for connecting and communicating, security is a major concern, but VPNs handle it well through advanced encryption and authentication protocols. This protects your network from unauthorized access.
- Saving costs: Creating VPN tunnels for communication with remote offices is much cheaper than using leased lines.
- Scalability: For users who travel and are mostly mobile, VPNs are a very good option for staying connected while travelling.
Under the security benefits of VPN we have:
Confidentiality: Keeps data confidential, i.e. it protects information or data from being available to unauthorized users.
Authentication: Ensures that the sender of a VPN packet is a genuine, legitimate device or source and not a device controlled by an attacker.
Integrity: Ensures that the data has not been changed in transit from source to destination; protects against any alteration during transmission.
Anti-replay: Lets a receiver reject old or duplicate packets, protecting it against replay attacks.
Non-repudiation: A third party can prove that some communication took place between two other parties. Non-repudiation is desirable when you want communications to be traceable and provable.
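The anti-replay service above is usually implemented as a sliding window over the packet sequence number, which is how IPsec ESP and AH do it. The following Python is an added example written for these notes (not code from the notes or from any IPsec implementation); the window size of 64 and the sequence numbers fed to it are constructed for illustration.

```python
"""Sliding-window anti-replay check in the style of IPsec ESP/AH.

Added example, not part of the original notes. A receiver keeps the highest
sequence number accepted so far plus a bitmap of which of the previous
`size` numbers it has already seen; anything older than the window or already
marked in the bitmap is rejected as a replay.
"""


class AntiReplayWindow:
    """Track received sequence numbers with a fixed-width bitmap."""

    def __init__(self, size: int = 64):
        self.size = size      # window width in packets (64 is a common default)
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence (highest - i) was seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window."""
        if seq <= 0:
            return False      # ESP never uses sequence number 0
        mask = (1 << self.size) - 1
        if seq > self.highest:
            # Slide the window forward; bits that fall off the left are forgotten.
            shift = min(seq - self.highest, self.size)
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False      # too old: left of the window
        if self.bitmap & (1 << offset):
            return False      # already received: replay
        self.bitmap |= 1 << offset
        return True


def filter_packets(seqs, size: int = 64):
    """Run a stream of sequence numbers through one window; return the accepted ones."""
    win = AntiReplayWindow(size)
    return [s for s in seqs if win.check_and_update(s)]


if __name__ == "__main__":
    # Constructed stream: in-order, reordered, duplicated and stale packets.
    stream = [1, 2, 3, 2, 5, 4, 1, 100, 40, 36, 37, 37]
    print(filter_packets(stream))   # -> [1, 2, 3, 5, 4, 100, 40, 37]
```

Packet 4 arriving after 5 is still accepted (reordering inside the window is allowed), while the second copies of 2, 1 and 37 are rejected, and 36 is rejected because after packet 100 it lies outside the 64-packet window.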
Some VPN technologies that are used include:
1. IPsec (Internet Protocol Security)
- This is the most well-known and widely used VPN technology.
- It works with the IP protocol and can encrypt all traffic carried by IP.
- Digital signatures or pre-shared keys are required in this implementation.
2. SSL (Secure Sockets Layer)
- This protocol secures Internet-based client and server interactions.
- Authentication between server and client uses digital certificates and public key cryptography.
- The entire communication session is encrypted. It also protects traffic for HTTP, FTP, email, etc.
3. TLS (Transport Layer Security)
- This is based on SSL, discussed above; digital certificates are required from both client and server.
- It is used to secure traffic at the layers above the transport layer.
4. PPTP (Point-to-Point Tunneling Protocol)
- This is a Microsoft VPN technology that uses standard authentication methods such as CHAP (Challenge Handshake Authentication Protocol) or PAP (Password Authentication Protocol).
- Only TCP/IP is supported by this technology.
- LAN protocols are encapsulated to carry data securely over an IP network.
- Data is not encrypted by this protocol itself; for encryption, another Microsoft-supported encryption mechanism must be used along with PPTP.
5. L2TP (Layer 2 Tunneling Protocol)
- This is an open standard protocol for secure multi-protocol routing.
- IPsec is used for encryption.
- Multiple protocols are supported, not only IP.
- It may not be supported by older versions of operating systems.
Types of VPN
1. Site-to-Site VPNs
- They connect entire networks to each other, e.g. a branch office network to a head office network.
- IPsec is used to encrypt all traffic between sites.
- VPN client software is not needed on the hosts. Traffic is sent and received through a VPN gateway such as Cisco's ASA (Adaptive Security Appliance).
- The VPN gateway is responsible for encapsulating and encrypting the outbound traffic and sending it through a VPN tunnel over the Internet to the remote site's peer VPN gateway.
- Once the encrypted packets are received by the remote (peer) VPN gateway, the outer headers are stripped, the packets are decrypted, and the traffic is forwarded to the target host in the private network.
- This type of VPN is implemented on both intranet (within the same organization) and extranet (between different organizations) networks.
2. Remote Access VPNs
- These connect individual hosts to their private networks, e.g. for staff who travel regularly and need to access their office networks securely.
- IPsec or SSL is used to encrypt the traffic between the host and the target site.
- The host encapsulates and encrypts the outbound traffic and sends it through a VPN tunnel over the Internet to the remote site's VPN gateway.
- Hosts need VPN client software when IPsec is used for encryption.
- Hosts that use SSL only need a web browser that supports SSL.
IPsec VPN
IPsec is a framework of protocols and algorithms used for secure data communication over an IP-based network. IPsec operates at Layer 3 of the OSI model.
IPsec is used to provide encryption for both site-to-site and remote access VPNs.
Authentication Header (AH): Used for authentication in IPsec; it provides integrity and authentication.
A message integrity check is provided with an HMAC (Hash-based Message Authentication Code). In an HMAC, a shared symmetric key is combined with the message before it is hashed. At the recipient's end, the recipient's copy of the symmetric key is combined with the received message in the same way before hashing; a matching value proves the integrity of the message.
AH uses SHA-1 (Secure Hash Algorithm 1) or MD5 (Message Digest 5) for integrity validation.
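To make the HMAC integrity check concrete, here is an added Python example (written for these notes, not code from the notes or from any IPsec implementation) using the standard-library hmac and hashlib modules. The key and the "packet" bytes are constructed for illustration; in IPsec the key would come from the negotiated Security Association. The 96-bit truncation shown is what AH and ESP carry on the wire for HMAC-SHA-1 and HMAC-MD5 (RFC 2404 and RFC 2403).

```python
"""HMAC-based integrity check as used by AH/ESP (added example, not from the notes)."""
import hashlib
import hmac


def make_tag(key: bytes, message: bytes, algo: str = "sha1") -> bytes:
    """Sender side: mix the shared key into the hash computation over the message."""
    return hmac.new(key, message, getattr(hashlib, algo)).digest()


def truncate_for_ipsec(tag: bytes) -> bytes:
    """AH/ESP transmit only the first 96 bits (12 bytes) of the HMAC output."""
    return tag[:12]


def verify_tag(key: bytes, message: bytes, received: bytes, algo: str = "sha1") -> bool:
    """Receiver side: recompute with its own copy of the key and compare.

    compare_digest runs in constant time so timing does not leak how many
    leading bytes of a forged tag were correct.
    """
    expected = truncate_for_ipsec(make_tag(key, message, algo))
    return hmac.compare_digest(expected, received)


def demo() -> dict:
    """Run the check on an intact packet, a tampered one, and a wrong key."""
    key = b"constructed-shared-secret"                        # constructed
    packet = b"src=10.0.0.1 dst=10.0.1.1 payload=hello"        # constructed
    tag = truncate_for_ipsec(make_tag(key, packet))
    tampered = packet.replace(b"hello", b"hellp")             # one byte changed in transit
    return {
        "intact": verify_tag(key, packet, tag),               # True
        "tampered": verify_tag(key, tampered, tag),           # False: hash no longer matches
        "wrong_key": verify_tag(b"other-key", packet, tag),   # False: receiver lacks the key
        "sha1_full_len": len(make_tag(key, packet, "sha1")),  # 20 bytes before truncation
        "md5_full_len": len(make_tag(key, packet, "md5")),    # 16 bytes before truncation
        "wire_len": len(tag),                                 # 12 bytes on the wire
    }


if __name__ == "__main__":
    print(demo())
```

A single flipped byte in the message, or a peer without the correct key, produces a different tag, which is exactly the integrity and origin guarantee AH is meant to give.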
Encapsulating Security Payload (ESP): Provides encryption, integrity, a weaker form of authentication, and anti-replay. The following standards are used with ESP for encryption:
- DES (Data Encryption Standard): has a 56-bit key, which can be compromised easily.
- 3DES (Triple DES): applies DES three times and uses a 168-bit key. It is among the strongest and at the same time the slowest encryption methods in IPsec.
- AES (Advanced Encryption Standard): uses a variable key length of 128, 192 or 256 bits and is capable of handling all known attacks. It is considered computationally more efficient than 3DES.
Internet Key Exchange (IKE): Used to negotiate a connection. When two endpoints communicate through a secure IPsec connection, they must first negotiate how the communication is established; the agreed parameters are called a Security Association (SA). An inbound and an outbound SA are required for each remote peer connection.
The following functions are used with IKE:
- ISAKMP (Internet Security Association and Key Management Protocol), which is the framework for the negotiation.
- Diffie-Hellman key exchange, used for generating the symmetric keys that encrypt the negotiation of the SA.
  - It provides the key but no cryptographic services itself.
  - It works on calculations of discrete logarithms.
  - It is prone to man-in-the-middle attack and therefore requires strong authentication for endpoint validation.
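The following Python is an added example (written for these notes, not code from the notes or from any IKE implementation) that walks through a Diffie-Hellman agreement and shows why the last point above matters: without authentication, a party in the middle that substitutes its own public values ends up sharing a key with each side, and neither side can tell. The group parameters are a constructed 64-bit toy group (2^64 - 59 is prime) so the script runs instantly; IKE uses standardised multi-thousand-bit MODP groups. The pre-shared-key authenticator over the exchanged public values is a simplified illustration of endpoint validation, not IKE's actual message format.

```python
"""Diffie-Hellman key agreement with and without endpoint authentication.

Added example, not part of the original notes. TOY_P/TOY_G are constructed
toy parameters and must not be used for real key agreement.
"""
import hashlib
import hmac
import secrets

TOY_P = 18446744073709551557   # 2^64 - 59, prime (toy size, not a real IKE group)
TOY_G = 2


def dh_keypair(p: int = TOY_P, g: int = TOY_G):
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared_secret(private: int, peer_public: int, p: int = TOY_P) -> int:
    """Raise the peer's public value to our private exponent; both sides get g^(xy)."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value outside the group")  # reject 0, 1, p-1
    return pow(peer_public, private, p)


def _authenticator(psk: bytes, label: bytes, pub_a: int, pub_b: int) -> bytes:
    """Prove knowledge of the pre-shared key over the public values this side observed."""
    transcript = label + pub_a.to_bytes(8, "big") + pub_b.to_bytes(8, "big")
    return hmac.new(psk, transcript, hashlib.sha256).digest()


def run_exchange(psk: bytes, middle_party: bool = False) -> dict:
    """Simulate initiator and responder; optionally a middle party swaps public values."""
    xi, yi = dh_keypair()
    xr, yr = dh_keypair()
    if middle_party:
        _, ym = dh_keypair()                  # middle party has its own key pair
        yi_seen_by_r, yr_seen_by_i = ym, ym   # it substitutes ym in both directions
    else:
        yi_seen_by_r, yr_seen_by_i = yi, yr

    key_i = dh_shared_secret(xi, yr_seen_by_i)
    key_r = dh_shared_secret(xr, yi_seen_by_r)

    # Endpoint validation: the responder MACs the public values *it* saw under the
    # PSK; the initiator recomputes over the values *it* saw. A middle party cannot
    # forge the MAC without the PSK, and relaying it unchanged fails the comparison.
    auth_from_r = _authenticator(psk, b"resp", yi_seen_by_r, yr)
    expected_by_i = _authenticator(psk, b"resp", yi, yr_seen_by_i)

    return {
        "keys_match": key_i == key_r,
        "responder_authenticated": hmac.compare_digest(auth_from_r, expected_by_i),
    }


if __name__ == "__main__":
    print("honest:", run_exchange(b"constructed-psk"))
    print("middle party:", run_exchange(b"constructed-psk", middle_party=True))
```

In the honest run both sides derive the same key and the authenticator checks out; with a middle party the two sides hold different keys and the PSK-based check fails, which is the detection that plain Diffie-Hellman on its own cannot provide.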
IPsec Modes
- Tunnel Mode: Used for site-to-site communications. The entire original packet is encapsulated in a new packet. The new packet has unencrypted Layer 2 and Layer 3 headers that contain the address information and the required AH and ESP information.
- Transport Mode: Used for end-to-end data encryption; the end devices are the tunnel endpoints. Only the data in the packet is encrypted, leaving the headers readable by devices such as routers. Used for encrypting Layer 4 and above.
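The difference between the two modes is easiest to see by building both packet shapes and asking what an on-path router can read from each. The Python below is an added example for these notes (not code from the notes or from any IPsec stack). The 9-byte "IP header" (protocol byte plus two addresses) and the SHA-256 counter-mode keystream are constructed stand-ins for the real IPv4 wire format and for the SA's cipher (AES in practice); the per-packet IV that real ESP carries is omitted, and all addresses and keys are constructed.

```python
"""ESP transport mode vs tunnel mode encapsulation (added example, not from the notes)."""
import hashlib

ESP = 50   # IP protocol number for ESP
TCP = 6    # IP protocol number for TCP


def _keystream(key: bytes, n: int) -> bytes:
    """Constructed stand-in for the SA cipher: SHA-256 in counter mode (no per-packet IV)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def _encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


_decrypt = _encrypt   # XOR with the same keystream reverses it


def ip_header(src: str, dst: str, proto: int) -> bytes:
    """Constructed 9-byte header: proto byte + 4-byte src + 4-byte dst (not real IPv4)."""
    return bytes([proto]) + bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))


def parse_header(h: bytes) -> dict:
    return {"proto": h[0],
            "src": ".".join(map(str, h[1:5])),
            "dst": ".".join(map(str, h[5:9]))}


def esp_transport(key, host_src, host_dst, l4_payload):
    """Transport mode: the host keeps its own IP header in the clear; only Layer 4+ is encrypted."""
    return ip_header(host_src, host_dst, ESP) + _encrypt(key, l4_payload)


def esp_tunnel(key, gw_src, gw_dst, host_src, host_dst, l4_payload):
    """Tunnel mode: the gateway wraps the whole original packet (inner header included)
    inside a new packet addressed gateway-to-gateway."""
    inner = ip_header(host_src, host_dst, TCP) + l4_payload
    return ip_header(gw_src, gw_dst, ESP) + _encrypt(key, inner)


def router_view(packet: bytes) -> dict:
    """What a device without the key can read: the outer header only."""
    return parse_header(packet[:9])


def decrypt_transport(key, packet) -> bytes:
    """Receiving host: the payload is the Layer 4 data itself."""
    return _decrypt(key, packet[9:])


def decapsulate_tunnel(key, packet) -> dict:
    """Peer gateway: strip the outer header, decrypt, and recover the inner packet."""
    inner = _decrypt(key, packet[9:])
    result = parse_header(inner[:9])
    result["payload"] = inner[9:]
    return result


if __name__ == "__main__":
    key = b"constructed-sa-key"
    data = b"GET / HTTP/1.0"
    t = esp_transport(key, "10.0.0.5", "10.0.1.7", data)
    u = esp_tunnel(key, "203.0.113.1", "198.51.100.1", "10.0.0.5", "10.0.1.7", data)
    print("transport, router sees:", router_view(t))   # host addresses visible
    print("tunnel, router sees:   ", router_view(u))   # only gateway addresses visible
    print("tunnel, gateway recovers:", decapsulate_tunnel(key, u))
```

In transport mode the router sees the real host addresses (10.0.0.5 to 10.0.1.7) with protocol 50, while in tunnel mode it sees only the two gateway addresses; the inner hosts are part of the encrypted payload and reappear only after the peer gateway decapsulates, which is why tunnel mode is the natural fit for site-to-site VPNs.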