
Virtual Private Networks

CS-480b Dick Steflik

Virtual Private Networks (VPNs)

- Used to connect two private networks together via the Internet
- Used to connect remote users to a private network via the Internet
- This could be done by opening your firewall to the LAN networking protocols (NetBIOS, NFS, NetWare, AppleTalk)
  - But it would also make those protocols available to anyone on the Internet, and they could come into your LAN at will
  - Effectively makes the whole Internet your LAN
  - Exposes all of your data
  - Anyone can easily take advantage of vulnerabilities in your internal hosts
  - No privacy
- Better solution is to use a VPN in conjunction with your firewall

VPNs

- Since we all understand that IP is used to transport information between LANs, if we add some security (authentication and encryption) to IP then this transport can be made more secure
- Can be done two ways:
  - At the network level using IPSec
    - Currently the most widely used method
    - But requires special client installation on each workstation (more IT $)
  - At the transport level using SSL
    - Quickly gaining popularity because there are no special software installation requirements for end-user workstations
    - All that's required is a browser with SSL support (Mozilla, Internet Explorer, Netscape, Opera)

IP Based VPNs

- Fundamental components
  - IP encapsulation
  - Cryptographic-based authentication
  - Secret key encryption
    - Single shared secret key for encrypt and decrypt
  - Public key encryption
    - Unidirectional keys: encrypt or decrypt (not both)
  - Data payload encryption
    - Encrypt payload but not header (method depends on OEM/vendor solution)

IP/IP Encapsulation

- Makes remotely located LANs appear to be adjacent
- Makes non-routable addresses (10.a.b.c and 192.168.c.d) routable
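The encapsulation idea on this slide, worked through as an added example (not code from the slides): an inner IPv4 packet carrying RFC 1918 private addresses is wrapped in an outer IPv4 header whose addresses are the two VPN gateways, using IP protocol number 4 (IP-in-IP). The receiving gateway verifies the outer header checksum and, as a defensive check, only unwraps packets whose outer source is a known peer. Gateway addresses, the inner hosts and the payload are constructed sample values; no encryption is applied here, so this models only the tunnelling half of a VPN.

```python
# Added example: IP-in-IP encapsulation/decapsulation with header validation.
# Sample addresses are constructed (documentation ranges for the gateways,
# RFC 1918 ranges for the inner hosts).
import ipaddress
import struct

IPPROTO_IPIP = 4    # outer "protocol" field value for IP-in-IP (RFC 2003)
IPPROTO_UDP = 17
HDR_FMT = "!BBHHHBBH4s4s"   # minimal 20-byte IPv4 header, no options

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_address(addr: str) -> bool:
    """True for the non-routable (RFC 1918) ranges the slide refers to."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, as used in the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header (checksum filled in) followed by payload."""
    header = struct.pack(HDR_FMT,
                         0x45,                # version 4, IHL 5 (20 bytes)
                         0,                   # DSCP/ECN
                         20 + len(payload),   # total length
                         0,                   # identification
                         0x4000,              # flags: don't fragment
                         ttl, proto,
                         0,                   # checksum placeholder
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse and validate an IPv4 header; return fields and the payload."""
    vihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(HDR_FMT, packet[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len > len(packet):
        raise ValueError("not a well-formed IPv4 packet")
    # A valid header sums to zero once the checksum field is included.
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def encapsulate(inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Sending gateway: wrap the private packet in a public outer header."""
    return build_ipv4(gw_src, gw_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes, known_peers: set) -> bytes:
    """Receiving gateway: accept tunnel packets only from known peers, then unwrap."""
    hdr = parse_ipv4(outer)
    if hdr["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    if hdr["src"] not in known_peers:
        raise PermissionError("tunnel packet from unknown host %s dropped" % hdr["src"])
    inner = hdr["payload"]
    parse_ipv4(inner)   # validate the inner header as well before forwarding it
    return inner


if __name__ == "__main__":
    inner = build_ipv4("10.1.1.5", "192.168.2.9", IPPROTO_UDP, b"hello")
    outer = encapsulate(inner, "198.51.100.1", "203.0.113.7")
    print("outer header:", parse_ipv4(outer)["src"], "->", parse_ipv4(outer)["dst"], "proto", IPPROTO_IPIP)
    print("inner header:", parse_ipv4(inner)["src"], "->", parse_ipv4(inner)["dst"])
    print("private inner source:", is_private_address(parse_ipv4(inner)["src"]))
    print("unwrapped matches original:", decapsulate(outer, {"198.51.100.1"}) == inner)
```

The outer header is what Internet routers act on; the inner private addresses only become visible again after the peer gateway strips the 20-byte wrapper. A real VPN would also authenticate and encrypt the inner packet before it leaves the gateway.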

VPN Characteristics

- Cheaper than WANs
  - dedicated leased lines are very expensive
- Easier to establish than WANs
  - ISPs will usually help make the initial IP connection
  - hours for VPNs vs. weeks for WANs
- Slower than LANs
  - encryption/decryption takes time
  - typical LANs are 10-100 Mbps
  - endpoints connected by VPN may go through many router hops
    - minimize by using the same ISP for everything
  - dial-in users are typically going to be at 56 Kbps
- Less reliable than WANs
  - with WANs, routers are under your control and performance is negotiated with the provider; not so with a VPN, where you only control the initial IP connection
- Less secure than isolated LANs or WANs
  - because the Internet is used, hackers can find you
  - the VPN protocol is one more thing to be attacked

Types of VPNs

- Server based
- Firewall based
- Router based (including VPN appliances)

Server based

- Windows
  - Routing and Remote Access Service (RRAS)
  - NT supports only PPTP; Windows 2000 supports PPTP, L2TP and IPSec
  - comes with everything needed to establish a VPN
- Linux
  - Blowfish, FreeS/WAN, PPP over SSL, PPTP, L2TP with IP masquerading/IP Chains and additional open source software can be used to create a very robust VPN
- UNIX
  - many incorporating IPSec into their TCP/IP stacks
- Be aware that VPN traffic leaving your LAN traverses the LAN twice: once to the RRAS service as regular LAN traffic, once encapsulated to the firewall

Firewall based VPNs

- Since firewalls already do all kinds of packet analysis, adding IP tunneling is relatively easy
- Rapid acceptance of IPSec and IKE is making VPNing at the firewall more common
  - not all vendors' versions of IPSec+IKE work together
  - make sure that remote clients' software works with your firewall VPN

Router based VPNs

- Typically used on big networks
- specialized devices to isolate internal LAN traffic and quickly convey inter-LAN traffic
  - IBM 2210
  - Cisco routers running IOS
  - Ascend's MAX switches

VPN Architectures

- Mesh
  - each participant has a direct security relationship with every other user
- Hub and spoke
  - each participant has a single security association with a single VPN router that has a security association with every VPN device
- Hybrid
  - combination of both
  - mesh of hubs, star of hubs

Implementations

- IPSec Tunnel Mode (RFC 2401)
- Point-to-Point Tunneling Protocol (PPTP) (RFC 2637)
- Layer 2 Tunneling Protocol (L2TP) (RFC 2661)
- Point-to-Point Protocol over Secure Sockets Layer (PPP/SSL) or Point-to-Point Protocol over Secure Shell (PPP/SSH)
  - considered to be hacks, not standards

VPN Best Practices

- Use a real firewall
- Secure the base operating system
- Use a single ISP
  - minimize routing hops and ensure cooperation
- Use packet filtering to reject unknown hosts
- Use public-key encryption and secure authentication
- Compress before you encrypt
  - stream compression will help overall performance
- Secure remote hosts
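Why the order "compress, then encrypt" matters for the performance point above, as an added example that is not from the slides: good ciphertext looks like random bytes and does not compress, so compressing after encryption wastes CPU and gains nothing. zlib stands in for the VPN's stream compression, and the cipher is a toy XOR stream with a one-time keystream from os.urandom, used only to produce incompressible output (it is not a production cipher; a real VPN uses its negotiated cipher). One caveat a practitioner should keep in mind: the length of compressed-then-encrypted data depends on the plaintext, so compression should not be applied across a stream that mixes secret data with data an outsider can influence.

```python
# Added example: compress-then-encrypt vs encrypt-then-compress, measured on a
# constructed repetitive payload (the kind of text a VPN often carries).
import os
import zlib

# Constructed sample payload: 40 repeated HTTP request lines (2000 bytes).
SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n" * 40


def toy_encrypt(data: bytes, keystream: bytes) -> bytes:
    """XOR stream 'cipher' with a one-time keystream; decryption is the same call.
    Stand-in for the VPN's real cipher: it only needs to yield random-looking bytes."""
    if len(keystream) < len(data):
        raise ValueError("keystream too short")
    return bytes(a ^ b for a, b in zip(data, keystream))


def compress_then_encrypt(data: bytes, keystream: bytes) -> bytes:
    """The recommended order: shrink the plaintext, then encrypt the result."""
    return toy_encrypt(zlib.compress(data, 9), keystream)


def encrypt_then_compress(data: bytes, keystream: bytes) -> bytes:
    """The wrong order: the compressor sees random-looking ciphertext."""
    return zlib.compress(toy_encrypt(data, keystream), 9)


def decrypt_then_decompress(blob: bytes, keystream: bytes) -> bytes:
    """Receiver side for compress_then_encrypt: undo the steps in reverse."""
    return zlib.decompress(toy_encrypt(blob, keystream))


def compare(data: bytes) -> dict:
    """Return the byte counts on the wire for both orders (plus the plaintext size)."""
    keystream = os.urandom(len(data))
    return {
        "plain": len(data),
        "compress_then_encrypt": len(compress_then_encrypt(data, keystream)),
        "encrypt_then_compress": len(encrypt_then_compress(data, keystream)),
    }


if __name__ == "__main__":
    sizes = compare(SAMPLE)
    for name, n in sizes.items():
        print("%-22s %5d bytes" % (name, n))
    ks = os.urandom(len(SAMPLE))
    print("round trip ok:", decrypt_then_decompress(compress_then_encrypt(SAMPLE, ks), ks) == SAMPLE)
```

On the sample payload, compress-then-encrypt sends a small fraction of the plaintext size, while encrypt-then-compress sends slightly more than the plaintext (zlib adds framing but cannot shrink random-looking bytes).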

NIAP

National Information Assurance Partnership (NIAP)
- U.S. Government initiative originated to meet the security testing needs of both information technology (IT) consumers and producers.
- NIAP is a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) in fulfilling their respective responsibilities under PL 100-235 (Computer Security Act of 1987).
- Combines the extensive IT security experience of both agencies to promote the development of technically sound security requirements for IT products and systems and appropriate measures for evaluating those products and systems.

NIAP Goals

The long-term goal of NIAP is to help increase the level of trust consumers have in their information systems and networks through the use of cost-effective security testing, evaluation, and validation programs. In meeting this goal, NIAP seeks to:
- Promote the development and use of evaluated IT products and systems;
- Champion the development and use of national and international standards for IT security;
- Foster research and development in IT security requirements definition, test methods, tools, techniques, and assurance metrics;
- Support a framework for international recognition and acceptance of IT security testing and evaluation results; and
- Facilitate the development and growth of a commercial security testing industry within the U.S.

CCEVS

Common Criteria Evaluation and Validation Scheme
- jointly managed activity of NIST and NSA (NIAP)
- the validation body
- focus of the CCEVS is to establish a national program for the evaluation of information technology products for conformance to the International Common Criteria for Information Technology Security Evaluation
- Common Criteria Testing Laboratory (CCTL): an approved testing laboratory
- Validation body reviews products tested by a CCTL, awards certification (or not), and maintains a list of validated products (VPL)

Evaluation Assurance Levels

- EAL1: Functionally tested
- EAL2: Structurally tested
- EAL3: Methodically tested and checked
- EAL4: Methodically designed, tested and reviewed
- EAL5: Semiformally designed and tested
- EAL6: Semiformally verified design and tested
- EAL7: Formally verified design and tested

SSL Based VPNs

- Browser based
  - PositivePRO (Positive Networks); Connectra (Checkpoint Software)
  - No special client needed
    - can be used on any web-enabled device that supports SSL (PDA, cell phones...)
    - OS independent
  - Can't access desktop applications
- Netifice
  - Browser based, Java agent based SSL Windows client for desktop access
- SSL-Explorer (Open Source)

SSL Based VPNs

- Non-browser based
  - OpenVPN
    - requires client software to be installed for each user
    - Open Source (free)
    - very good track record (since 2002)
    - Runs on most OSs
    - compatible with: SSL/TLS, RSA certificates, X.509 PKI, NAT, DHCP, TUN/TAP virtual devices
