Sunday, October 27, 2019

Overview of VPN Evolution of Private Networks

Overview of VPN Evolution of Private Networks Before the emergence and popularity virtual private networks have gained as a secure and cheaper medium for sensitive information to be accessed and transmitted between two or more corporate network over a public network such as the internet, other network technologies have been innovated and used to connect within business sites and across to other sites that are miles away from each other. In the sixties, sites were connected together to enable data transfer through the use of analog phone lines and 2,400-bps modems leased from ATT, businesses had no other faster modems they could choose from because the telephone companies were controlled by the government. It was not until the early eighties that businesses were able to connect to sites at higher speed using 9,600-bps modems because other telephone companies emerged as a result of the changes in government control and policy on telephone. During this period, there were not much mobile workers besides the modem links were static not as dynamic as what is available now. The analog phone lines were permanently wired to the sites and were specially selected lines (called conditional lines) that were specifically built for full time use by companies; these lines are different from regular phone lines. This technology ensured full bandwidth and privacy but this came at a great cost, i.e. payment is expected for the full ba ndwidth even if the line was used or not. Another innovation that was used for connecting sites which came out in the mid 1970s was the Digital Data Service (DDS). This was the first digital service with a connection of 56 Kbps and was used for private line. This service later became a major and useful innovation for wide area networks, which grew into other services that are popularly used today such as the T1 service which consists of 24 separate channels and each can carry up to 64 Kbps of either data or voice traffic. In the late 1970s the idea of VPN was initiated with the introduction of an innovation called the X.25. It is a Virtual Connection (VC) form of WAN packet switching which logically separates data streams. With this function, the service provider is able to send as many point-to-point VCs across a switch network infrastructure, depending each endpoints have a device that facilitates communication in the site. Sometime in the early 1980s, X.25 service providers offered VPN services to customers (i.e. businesses) who used network protocols at the time as well as early adopters of TCP/IP. Over years, in the 1990s other networking technologies were deployed for connecting private networks such as the high speed Frame relay and Asynchronous Transfer Mode (ATM) switching. This networking technologies were provided to give virtual connection to businesses at the speed of up to OC3 (155 Mbps). The components for setting up this kind of technologies involved the use of customer IP routers (customer premise equipment, or CPE) interconnected in a partial or full mesh of frame relay or ATM VCs to other CPE devices, in other words less equipments are needed for its set up. – Metz, C. (2003). Based on some definitions and some researchers like Mangan, T. (2001), the frame relay and ATM technology are referred the standard for VPN technology. These technologies gained so much popularity after the leased line in connecting sites and they were also easy to set up. With the increasing speed at which businesses grow and expand globally, thereby allowing staffs to be mobile and work offsite, the frame relay is not the best technology to use for remote access since it is just an overlay technology. In as much as the leased line is a better technology alternative for connecting business sites, it is excessively expensive to be owned. With the advent of the internet and its wide use in everyday transaction, businesses have adopted the technology for transmitting and accessing data across various sites by implementing a VPN connection, which is relatively cheap, flexible and scalable, between both sites in order to secure the data that are sent across the insecure internet from being tampered by unauthorized persons. VPN definition There are various definitions of a Virtual Private Network (VPN) which are given by various vendors which best describes their products. Several books, journals, whitepapers, conference papers and internet sites have various definitions of what the technology is, and these definitions are usually put in different words and sentence structure but mostly they say the same thing. In order to get a good understand of what the technology is all about, definitions given by several people from different sources will be looked at and a concise definition will be formulated from all definitions that will be used throughout this research work. â€Å"A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organizations network.† SearchSecurity.com (2008). â€Å"A VPN is a group of two or more computer systems, typically connected to a private network (a network built and maintained by an organization solely for its own use) with limited public-network access that communicates securely over a public network.† (Calsoft labs whitepaper, 2007) Aoyagi, S. et al. (2005) A Virtual Private Network (VPN) enables a private connection to a LAN through a public network such as the Internet. With a VPN, data is sent between two nodes across a public network in a manner that emulates a dial-link. There are two types of VPN systems, one is used for connecting LANs across the Internet, and the other is used to connect a remote node to a LAN across the Internet. â€Å"A VPN tunnel encapsulates data within IP packets to transport information that requires additional security or does not conform to internet addressing standards. The result is that remote users act as virtual nodes on the network into which they have tunnelled.† – Kaeo, M. (2004) p135. â€Å"A VPN is a virtual network connection that uses the internet to establish a connection that is secure.† Holden, G. (2003), p 286. â€Å"A VPN uses a public network, such as the internet, to facilitate communication; however it adds a layer of security by encrypting the data travelling between companies and authenticating users to ensure that only authorized users can access the VPN connection†. Mackey, D. (2003) p157 Randall, K. et al. (2002), p377 likened a Virtual Private Network (VPN) to a Tunnel Mode, as a means of transmitting data between two security gateways, such as two routers, that encrypts the entire IP packet and appends a new IP header entering the receiving gateways address in the destination address. â€Å"VPNs enable companies to connect geographically dispersed offices and remote workers via secure links to the private company network, using the public Internet as a backbone.† Lee, H. et al (2000) Looking at all these definitions closely from various authors, they all stress on security and connectivity. These are the essential features of VPNs because they are able to create a connection between two private networks over a public network by encapsulation and tunnelling protocols in transmitting data and also provide security by encryption and authentication in order to control access to data and resources on the company’s network. In other words a VPN is a network technology that securely connects two or more private networks over an insecure public network such as the internet, so as to enable internal access to files and resources and data transfer. Types of VPN There are three different VPN connectivity models that can be implemented over a public network: Remote-access VPNs: It provides remote access to an enterprise customer’s intranet or extranet over a shared infrastructure. Deploying a remote-access VPN enables corporations to reduce communications expenses by leveraging the local dial up infrastructures of internet service providers. At the same time VPN allows mobile workers, telecommuters, and day extenders to take advantage of broadband connectivity. Access VPNs impose security over analog, dial, ISDN, digital subscriber line (DSL), Mobile IP, and cable technologies that connect mobile users, telecommuters, and branch offices. Intranet VPNs: It links enterprise customer headquarters, remote offices, and branch offices in an internal network over a shared infrastructure. Remote and branch offices can use VPNs over existing Internet connections, thus providing a secure connection for remote offices. This eliminates costly dedicated connections and reduces WAN costs. Intranet VPNs allow access only to enterprise customer’s employees. Extranet VPNs: It links outside customers, partners, or communities of interest to an enterprise customer’s network over a shared infrastructure. Extranet VPNs differ from intranet VPNs in that they allow access to uses outside the enterprise. VPN configurations There are two main types of VPN configurations for deploying the VPN connection over a public network. These are; Site-to-site VPNs: This is sometimes referred to as secure gateway-to-gateway connections over the internet, private or outsourced networks. This configuration secures information sent across multiple LANS and between two or more office networks and this can be done effectively by routing packets across a secure VPN tunnel over the network between two gateway devices or routers. The secure VPN tunnel enables two private networks (sites) to share data through an insecure network without fear that the data will be intercepted by unauthorized persons outside the sites. The site-to-site VPN establishes a one-to-one peer relationship between two networks via the VPN tunnel Kaeo, M. (2004. Also Holden, G. (2003), describes a site-to-site VPN as a link between two or networks. This is mostly used in Intranet VPNs and sometimes in extranet VPNs. Client-to-Site VPNs: This is a configuration that involves a client at an insecure remote location who wants to access an internal data from outside the organization network’s LAN. Holden, G. (2003) explains a client-to-site VPN as a network made accessible to remote users who need dial-in access. While Kaeo, M. (2004) defined a client-to-site VPN as a collection of many tunnels that terminate on a common shared end point on the LAN side. In this configuration, the user needs to establish a connection to the VPN server in order to gain a secure route into the site’s LAN and this can be done by configuring a VPN client which could either be a computer operating system or hardware VPN – such as a router. By so doing, the connection enables the client to access and use internal network resources. This kind of configuration is also referred to as secure client-to-gateway connection. This is usually used in access VPNs and sometimes in extranet VPNs. VPN Topology VPN Components To create a VPN connection between sites or networks, it involves the use of some components. These components however contain some elements that need to be properly set up in order to aid the transmission of data from one network endpoint to another. These elements include: VPN server: This is either a computer system or router configured to accept connections from the client (i.e. a remote computer) who gains access by dialling in or connecting directly through the internet. This serves as one endpoint of the VPN tunnel. VPN client: This can either be a hardware based system; usually a router that serves as the endpoint of a gateway-to-gateway VPN connection, or a software based system; either an inbuilt or downloaded software program on the computer operating system that can be configured to function as an endpoint in a VPN, such as Windows XP, 2000 or vista or checkpoint client software. Tunnel – this is the link between the VPN server and client endpoints through which the data is sent. VPN protocols – These are set of standardised data transmission technologies the software and hardware systems use to create security rules and policies on data sent along the VPN. Types of VPN Systems The VPN components form the endpoints of the VPN connection from one private network to another through the public network. The choice of what components to use is dependent on various factors such as the size of the organization – is it a small, large or growing organization, the cost involved in implementing a VPN either by using new components or existing components and lastly, the choice of which of the components will is best for the connection. There are three components that can be used to set up a VPN connection, also a combination of any of these components can be used to set up a VPN connection. One way to set up a VPN is to use Hardware device. The hardware device is a VPN component that is designed to connect gateways or multiple LANS together over the public network by using secure protocols to ensure network and data security. There are two devices that are commonly used that perform these functions. One typical hardware based VPN device used is a router, which is used to encrypt and decrypt data that goes in and out of the network gateways. Another device is a VPN appliance, its objective is to terminate VPNs connection and join multiple LANs (Holden, G. 2003). This device creates a connection between multiple users or networks. The VPN hardware devices are more cost effective for fast growing organizations since they are built to handle more network traffic. It is a better choice when considering the network throughput and processing overhead. It is also a good choice when the routers used at each network ends are the same and controlled by the same organization. Another way to set up a VPN is to use a Software based component. The software component is a program, otherwise stored on the operating system of the system, which can be used to set up a VPN connection. It is easy to configure and more flexible and cost effective than the hardware VPN. They are suitable in networks that use different routers and firewalls or are best used between different organizations and network administrators – such as partner companies. The software VPNs allow traffic to be tunnelled based on address or protocols unlike hardware-based products, which generally tunnel all traffic that it handles. But software-based systems are generally harder to manage than hardware based systems. They require familiarity with the host operating system, the application itself, and appropriate security mechanisms. And some software VPN packages require changes to routing tables and network addressing schemes (Calsoft labs whitepaper, 2007). The third component, is the Firewall based VPN; it makes use of the firewall’s mechanisms as well as restricting access to the internal network. This kind of component ensures that the VPN traffic passes through the network gateway of the desired destination and non-VPN traffic is filtered according to the organization’s security policy, this is achieved by it performing address translation, making sure that requirements for strong authentication are in order and serving up real-time alarms and extensive logging. These three components can be combined together to set up a VPN in order add layers of security on the network. This can be a combination of hardware and software VPN or a combination of all three in the same device. There are several Hardware based VPN packages that offer software –only clients for remote installation, and incorporate some of the access control features more traditionally managed by firewalls or other perimeter security devices (Calsoft labs whitepaper, 2007). An example of such device is the Cisco 3000 Series VPN concentrator which gives users the option of operating in two modes: client and network extension mode. In the client mode the device acts as a software client enabling a client-to-host VPN connection while in the extension mode it acts as a hardware system enabling a site-to-site VPN connection. Also a combination of all these components by different vendors can be used to set up a VPN connection, but this comes with some challenges. The solution as proposed by Holden, G (2004) is to use a standard security protocol that is widely used and supported by all products. VPN Security Features The main purpose of VPN is to ensure security and connectivity (tunnel) over a public network and this cannot be done without some key activities being performed and policies set up. For VPNs to provide a cost–effective and better way of securing data over an insecure network it applies some security principles/measures. Data sent over the internet using the TCP/IP rule are called packets. A packet consists of the data and an IP header. The first thing that happens to a data being sent across a VPN is that it gets encrypted at the source endpoint and decrypted at the destination endpoint. Encryption is a method of protecting information from unauthorised persons by coding the information that can only be read by the recipient. The method, encryption, is done by using an algorithm which generates a key that allows information to be coded as unreadable by all and only readable to the recipient. The larger the number of data bits used to generate the key, the stronger the encryption and the harder it can be broken by intruders. Data encryption can be done in two ways; it can either be encrypted by transport mode or tunnel mode. These modes are process of transmitting data securely between two private networks. In transport mode, the data part (otherwise known as the payload) of the IP packet is encrypted and decrypted but not the header by both endpoint hosts. While in the tunnel mode both the data part and header of the IP packet are encrypted and decrypted between the gateways of the source computer and the destination computer. Another security measure implemented by VPN on data is IP Encapsulation. The VPN uses the principle of IP encapsulation to protect packets from being intercepted on the network by intruders by enclosing the actual IP packet in another IP packet having the source and destination address of the VPN gateways, therefore hiding the data being sent and the private networks IP address which â€Å"does not conform to internet addressing standards†. The third security measure is Authentication. This is a method of identifying a user by proving that the user is actually authorized to access and use internal files. Authenticating a, host, user or a computer that uses the VPN depends on the tunneling protocol established and also encryption for added security. The tunneling protocols that are widely used for authentication over a network are IPSec, PPTP, LT2P and SSL but the most commonly used is the IPSec. The hosts using VPN establish a Security Association (SA) and authenticate one another by exchanging keys which are generated by an algorithm (mathematical formula). These keys can either be symmetric key which is a private key that are exactly the same and only known by the hosts to verify the identity of one another or asymmetric key where each hosts has a private key that can be used to generate a public key. The sending host uses the other’s public key to encrypt information that can only be decrypted by the receiving host private key. The Point-to-Point Tunneling Protocol uses the Microsoft Challenge/Response Authentication Protocol (MS-CHAP) to authenticate computers using VPN by exchanging authentication packets to one another. Also the users connecting to VPN can be authenticated by what the user knows- a password (shared secret), what the user has – a smart card and what the user is – biometrics e.g. finger prints. VPN Tunnelling Protocols VPNs create secure connections, called tunnels, through public shared communication infrastructures such as the Internet. These tunnels are not physical entities, but logical constructs, created using encryption, security standards, and protocols Clemente, F. et al (2005). The VPN tunnelling protocol are set of standardised rules and policy that are employed on the transmitted data. There are various standard of protocol technologies used to create a VPN tunnel and each of these protocols is specially built with some unique security features. In this research work the protocols explained in this section are the most widely used. Internet Protocol Security (IPSec) The Internet Protocol Security (IPSec) has proposed in Internet Engineering Task Force (IETF) Request for Comment (RFC) database in RFC (2401), provides data packet integrity, confidentiality and authentication over IP networks. The IPSec policy consists of sets of rules that designate the traffic to be protected, the type of protection, such as authentication or confidentiality, and the required protection parameters, such as the encryption algorithm. (Jason, K. 2003, Hamed, H. et al 2005, Shue, C. et al 2005, Berger, T. 2006, Clemente, F. et al 2005, Liu, L. and Gao, W. 2007). The IPSec protocol provides security at the network layer and offers a collection of methods, protocols, algorithms and techniques to establish a secure VPN connection. There are two basic modes of IPSec connections, Transport mode and Tunnel mode. The transport mode, attaches an IPSec header to the IP header of the packet. The Tunnel mode is more flexible compared to the transport mode; it encapsulates the IP packet into another IP packet, also attaching an IPSec header to the outer IP packet. This mode protects the entire IP packet. The IPSec modes, are determined and agreed on by both corporate networks at each end of the VPN connection, are contained in the Security Association(SA) among other things. The SA is a set of policy and keys used to protect information such as the IPSec modes, symmetric ciphers, and keys which are used during secure data transmission. The IPSec uses two main protocols that are usually used with any of the modes, the Authentication Header (AH), and Encapsulating Security Payload (ESP). The authentication header contains a Security Parameter Index(SPI) and provides data authentication and integrity (MD5 or SHA-1 hash) on the whole IP packet but does not guarantee privacy (confidentiality) on the data. ESP guarantees privacy (confidentiality) on the data in addition to all the features AH provides. The ESP header includes an initialization field, which is used by symmetric block ciphers (Berger, T. 2006). Another essential protocol that IPSec uses in establishing the VPN tunnel is the Internet Key Exchange protocol (IKE). This protocol exchanges encryption keys and shares authentication data (RFC 2409) through UDP packets at port 500, and also relies on the Internet security association and key management protocol(ISAKMP) – this protocol allows both endpoints share a public key and authenticate themselves with digital certificates (RFC 2408). To create a VPN tunnel using the IPSec protocol, two things needs to be done. First, both networks need to agree on the SA for the IKE and this is done by using the Diffie – Hellman key exchange method to authenticate one another. After this is done, both network endpoints need to set the parameters for the VPN tunnel including symmetric cipher keys (and key expiry information), security policy, network routes, and other connection-relevant information. Point-to-Point Tunneling Protocol (PPTP) Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks (Microsoft TechNet, 2008). PPTP operates at Layer 2 of the OSI model. PPTP, as specified in the RFC 2637 document, is a protocol that describes a means for carrying Point-to-Point protocol (PPP) – described in RFC 1661 – over an IP based network. It is created by a vendor consortium known as the PPTP industry forum which includes Microsoft Corporation, Ascend Communications, 3Com/Primary Access, ECI Telematics, US Robotics and Copper Mountain Networks. PPTP is the most commonly used protocol for dial-up access to the internet. Microsoft included PPTP support in Windows NT Server (version 4) and released a Dial-up Networking pack in Windows 95 and since then PPTP is supported in any Microsoft Windows version. The PPTP transfers two different types of packets over a VPN connection. The first is the Generic Routing Encapsulation (GRE) (described in RFC 1701 and RFC 1702) packet. It encapsulates PPP frames as tunneled data by attaching a GRE header to the PPP packet or frame. The PPP frame contains the initial PPP payload which is encrypted and encapsulated with PPP while the GRE header contains various control bits, sequence and tunnel numbers. The function of the GRE is to provide a flow- and congestion-control encapsulated datagram service for carrying PPP packets. The total sum up of the packet consists of a Data link header, IP header, GRE Header, PPP Header, Encrypted PPP payload and Data link trailer. The second type of packet is the PPTP control message or packet. The PPTP control packet includes control information such as connection requests and responses, connection parameters, and error messages and it consists of IP header, TCP header, PPTP control message and a data link traile r. In order to create, maintain and terminate the VPN tunnel, the PPTP uses a control connection between the remote client and the server using the TCP port 1723. This two different packets used by PPTP does not ensure privacy on the packet payload, so in order to enhance security on these packets, the PPTP supports encryption and authentication method same as used in PPP connections (Berger, T, 2006 and vpntools.com, 2006). To authenticate packets that pass through the VPN tunnel, PPTP uses any of the following protocols; Extensible Authentication protocol – Transport Layer Security (EAP-TLS), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), Shiva Password Authentication protocol (SPAP) and Password Authentication Protocol (PAP). For encryption, PPTP uses either the Microsoft Point to Point Encryption (MPPE) to encrypt PPP packets that passes between the remote computer and the remote access server by enhancing the confidentiality of PPP encapsulated packets (as described in RCF 3078) or uses the symmetric RC4 stream cipher to encrypt the GRE payload is encrypted. Layer 2 Tunneling Protocol (L2TP) The L2TP is an IETF standard established as a result of combining the best features of two protocols: Cisco’s Layer 2 Forwarding (L2F) protocol (described in RFC 2341) and Microsoft’s PPTP (Cisco Systems, 2008). L2TP facilitates the tunneling of PPP frames across an intervening network in a way that is as transparent as possible to both end-users and applications (RFC 2661). L2TP encapsulates the PPP packet (whose payload can either be encrypted or compressed or both can be done) into a User Datagram Protocol (UDP) packet at transport layer. The L2TP can be used over the internet as well as over private intranet and also can send PPP packets over X.25, Frame relay or ATM networks. The UDP packet consists of the following in this order: UDP header with source and destination address using port 1701, control bits representing options like version and length of the packet, sequence number and tunnel ID fields which is used to track the packet and identify the tunnel, the l ayer 2 frame which contains the following also: Media Access Code (MAC) addresses and the payload. To ensure security and enhance authenticity of the L2TP packet it is combined with IPSec by attaching an IPSec ESP header, using the IPSec transport mode. After combining IPSec to L2TP, the UDP packet is encrypted and encapsulated with an IPSec ESP header and trailer and ESP authentication trailer. The L2TP packet now consists the following: data link header, IP Header, IPSec ESP Header, UDP header, L2TP frame, IPSec ESP trailer, IPSec ESP Authentication trailer and Data Link trailer, resulting in excessive protocol overhead (Berger, T, 2006 and vpntools.com, 2006). Secure Socket Layer (SSL) Multiprotocol Label Switching Literature Review VPN Protocol Overhead The tunneling protocols also affect the performance of the network by adding processing overhead on the VPN connection. Implementing these secure technologies on any insecure public network like the internet comes with some weaknesses and this can be as a result of either the specific standards are not sophisticated enough to provide secure, stable and fast data links, or interaction with lower levelled protocols causes serious problems (Berger, T., 2006).For example the IPSec technology employs three kinds of protocols namely AH, ESP and IKE; in order to ensure security over the public network, this in turn adds overhead on the packet being sent. The IPSec uses two modes for transferring packets: transport and tunneling mode. The tunneling mode is the widely used because the tunnel can be used to access several resources and it encapsulate and encrypts all part of the IP packet within another IP packet. In a research paper by Shue, C. Et al (2005), an analysis was carried out in ord er to evaluate the performance of the overhead associated with IPSec on VPN servers, and the tunneling mode was used. The tunneling mode uses different technologies to ensure added security on the packet: it uses two different kinds of protocols namely ESP and IKE and various encryption algorithm and cryptographic key sizes, by so doing doubling the size of the packet. It is reported that overheads of the IKE protocol are considerably higher than those incurred by ESP for processing a data packet, also cryptographic operations contribute 32 − 60% of the overheads for IKE and 34 − 55% for ESP, and lastly, digital signature generation and Diffie-Hellman computations are the largest contributor of overheads during the IKE process and only a small amount of the overheads can be attributed to the symmetric key encryption and hashing. Also the layer 2 Tunneling Protocol (L2TP) implemented on the VPN connection originally does not cause any overhead since encryption, authentication and privacy mechanism is not used on the data packet. But when this protocol is combined with IPSec, it adds all the aforementioned mechanism on the packet and makes it very secure but this comes with added problems – protocol overhead, among other things. In this case both the IPSec and L2TP headers are added to the data packet which increases the size of the packet and by so doing, it decreases the VPN performance. (Berger, T., 2006) The Internet, the Problem. There are some articles and journals that clearly argues that VPN does not directly incur processing overhead on the network instead the internet affects the performance. According to an article that was posted on the internet by VPN Consultants in San Francisco Bay Area on FAQ on Security, it was argued that most performance slowdowns will in fact result from inconsistent Internet connections rather than by encryption processing overhead. Also, according to Liu, L. and Gao, W. (2007), explains that IPv4 ( this is an internet protocol that is widely deployed) based networks have inherent deficiencies which have become obstacles to the evolution of networks. They argue that VPNs implemented on the network i.e. the internet automatically inherits some of these problems, such as, big overhead of the net-transport, lack of quality assurance of Service (QoS), NAT traversing problem, and so on. They propose that VPNs implemented on IPv6 (Internet Protocol version 6), which is known as â€Å"the next generation protocol† can solve this problems effectively. Packet Loss A VPN tunnel can sometimes suffer high packet loss and reordering of packets problems. Reordering can cause problems for some bridged protocols, and high pack

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.