WLAN:VPN Security

Date posted: 20-Feb-2017
Uploaded by: zenafaris91

Transcript
Page 1: WLAN:VPN Security

WLAN:VPN SECURITY

Zena Mohammed

Page 2:

What is VPN?

o A VPN is a closed (private) network provided on shared infrastructure.

o A Virtual Private Network (VPN) connects the components and resources of a private network over a public network.

o VPNs can be provided over both packet-switched and circuit-switched public networks.

o The shared infrastructure can be the Internet, a Frame Relay or ATM network, or the public switched telephone network (PSTN).

Page 3:

Objectives of VPN

From the user’s perspective, the VPN is a point-to-point connection between the user’s computer and a corporate server.

VPNs allow telecommuters, remote employees, or even branch offices to connect in a secure fashion.

Page 4:

Is VPN a Solution to All Online Security Threats?

The network manager faces a fundamental requirement: security. Use of a public network exposes corporate traffic to eavesdropping and provides an entry point for unauthorized users. To counter this problem, a VPN is needed. In essence, a VPN uses encryption and authentication in the lower protocol layers to provide a secure connection through an otherwise insecure network, typically the Internet. VPNs are generally cheaper than real private networks using private lines, but they rely on having the same encryption and authentication system at both ends. The encryption may be performed by firewall software or possibly by routers. The most common protocol mechanism used for this purpose operates at the IP level and is known as IPsec. Note that this protects traffic only while it is in transit between the two VPN endpoints; a VPN does nothing against a compromised client or against threats already inside the private network.

Page 5:

Brief Overview of How it Works

o Two connections – one is made to the Internet (via the ISP) and the second, the VPN tunnel, is made over it to the VPN gateway.

o Datagrams – each contains data plus destination and source information.

o Firewalls – VPNs allow authorized users to pass through the firewalls.

o Protocols – tunneling protocols create the VPN tunnels.

Page 6:

Page 7:

Four Critical Functions

Authentication – validates that the data really came from the claimed sender.

Access control – limits unauthorized users from accessing the network.

Confidentiality – prevents the data from being read or copied while it is being transported.

Data Integrity – ensures that the data has not been altered in transit.

Page 8:

Encryption

o Encryption – a method of “scrambling” data before transmitting it onto the Internet, so that only the holder of the key can read it.

o Public key encryption technique – a key pair: the public key encrypts, the private key decrypts.

o Digital signature – for authentication (signed with the sender's private key, verified with the sender's public key).

Page 9:

Network Isolation:VPN

Idea: create a collection of hosts that operate in a coordinated way, e.g. a virtual security perimeter over the physical network, so that the hosts work as if they were isolated from malicious hosts.

Solution: Virtual Private Networks. Create a virtual network topology over the physical network and use communications-security protocol suites to secure the virtual links (“tunneling”); the networks can then be managed as if they were physically separate.

Hosts can still route traffic to regular networks directly, bypassing the tunnel (split tunneling).
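The split-tunneling point deserves a concrete check, because it decides which of a host's traffic actually enjoys the virtual perimeter. The following is an added example, not part of the original slides: a small model of a VPN client's routing table under full-tunnel and split-tunnel policy, with longest-prefix-match route selection, so that one can list exactly which destinations leave the host unprotected. The corporate prefixes, the local LAN prefix and the interface names `tun0`/`wlan0` are assumptions for the demo.

```python
# Added example (not from the slides): a model of a VPN client's routing
# table under full-tunnel and split-tunnel policy. Prefixes, interface
# names and the "corporate" ranges are assumed for the demo.
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (destination prefix, egress interface)

CORP_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12"]   # assumed: routes pushed by the VPN gateway
LOCAL_LAN = "192.168.1.0/24"                        # assumed: the (untrusted) WLAN the host sits on


def build_routes(split_tunnel: bool) -> List[Route]:
    """Routing table a client ends up with after the tunnel comes up."""
    routes: List[Route] = [(ipaddress.ip_network(p), "tun0") for p in CORP_PREFIXES]
    routes.append((ipaddress.ip_network(LOCAL_LAN), "wlan0"))        # directly connected LAN
    default_if = "wlan0" if split_tunnel else "tun0"                  # where the default route points
    routes.append((ipaddress.ip_network("0.0.0.0/0"), default_if))
    return routes


def select_egress(routes: List[Route], dst: str) -> str:
    """Longest-prefix match, the same rule a kernel forwarding table applies."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def unprotected_destinations(routes: List[Route], dsts: List[str]) -> List[str]:
    """Destinations whose traffic leaves the host in the clear, i.e. not via the tunnel."""
    return [d for d in dsts if select_egress(routes, d) != "tun0"]


if __name__ == "__main__":
    probes = ["10.1.2.3", "172.20.0.1", "8.8.8.8", "192.168.1.10"]
    print("split :", unprotected_destinations(build_routes(True), probes))    # ['8.8.8.8', '192.168.1.10']
    print("full  :", unprotected_destinations(build_routes(False), probes))   # ['192.168.1.10']
```

In the split-tunnel table the default route points at the physical interface, so anything not covered by a corporate prefix, including DNS lookups and ordinary web traffic from an untrusted WLAN, bypasses the tunnel and the corporate firewall. In the full-tunnel table only the directly connected LAN prefix bypasses it, which is why some clients additionally block local LAN access.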

Page 10:

Tunneling

A virtual point-to-point connection made through a public network. It transports encapsulated datagrams.

Figure: Data Encapsulation [from Comer]. The original datagram is encrypted to become the inner datagram, which is carried in the data area of an outer datagram that has its own datagram header; only the outer header is visible on the public network.

Two types of end points:

Remote Access and Site-to-Site

Page 11:

Remote Access Virtual Private Network

Remote User Access over the Internet
• To connect remote users to a corporate intranet using an Internet Service Provider (ISP) network.
• The VPN software creates a secure connection between the dial-up user and the corporate intranet over the Internet.

Page 12:

Site-to-Site VPNs

Page 13:

Figure 19.7b shows how tunnel mode operation can be used to setup a virtual private network.

Case 2. Security is provided only between gateways (routers, firewalls, etc.) and no hosts implement IPsec. This case illustrates simple virtual private network support. The security architecture document specifies that only a single tunnel SA is needed for this case. The tunnel could support AH, ESP, or ESP with the authentication option. Nested tunnels are not required, because the IPsec services apply to the entire inner packet.
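The gateway-to-gateway tunnel of Case 2 is where the four functions of page 7 (authentication, access control via the SA, confidentiality, integrity) and the encapsulation figure of page 10 come together in one packet format. The following is an added example, not code from the slides or from any IPsec implementation: ESP in tunnel mode between two gateways, built and then decapsulated in Python. It assumes constructed keys, gateway addresses and an SPI, and uses a toy HMAC-based keystream in place of AES because the Python standard library has no AES; the packet layout (SPI, sequence number, IV, padding, pad length, next header 4 for IP-in-IP, 128-bit truncated ICV, outer IP protocol 50) follows RFC 4303, and the receiver checks the ICV before anything else, then the anti-replay window, then decrypts.

```python
# Added example (not from the slides): IPsec ESP in tunnel mode between two
# gateways, the "Case 2" single tunnel SA. Layout follows RFC 4303. The
# cipher is a toy HMAC-based keystream standing in for AES (the standard
# library has no AES); keys, addresses and the SPI are made up for the demo.
import hashlib
import hmac
import os
import struct

ESP_PROTO, IPIP_NEXT, ICV_LEN = 50, 4, 16   # protocol 50, next header 4 (IP-in-IP), 128-bit ICV
ENC_KEY = b"k" * 32                          # constructed SA keys; a real SA gets them from IKE
AUTH_KEY = b"a" * 32


def ip_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum over a header whose checksum field is zero."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) in front of payload."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, addr(src), addr(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def keystream(iv: bytes, n: int) -> bytes:
    """Toy counter-mode keystream HMAC(key, iv || counter); stand-in for AES-CTR, not a real cipher."""
    blocks = (hmac.new(ENC_KEY, iv + struct.pack("!I", i), hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(inner: bytes, spi: int, seq: int, gw_src: str, gw_dst: str) -> bytes:
    """Sending gateway: whole inner datagram -> ESP payload -> new outer IP header."""
    pad_len = (-(len(inner) + 2)) % 4                     # pad so pad-length/next-header end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPIP_NEXT])
    iv = os.urandom(8)                                    # fresh per packet, sent in the clear
    ciphertext = iv + xor(inner + trailer, keystream(iv, len(inner) + len(trailer)))
    esp_hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(AUTH_KEY, esp_hdr + ciphertext, hashlib.sha256).digest()[:ICV_LEN]   # HMAC-SHA-256-128
    return ipv4(gw_src, gw_dst, ESP_PROTO, esp_hdr + ciphertext + icv)


class ReplayWindow:
    """Sliding anti-replay window (RFC 4303 section 3.4.3): reject old or repeated sequence numbers."""
    def __init__(self, width: int = 64):
        self.width, self.top, self.seen = width, 0, set()

    def check_and_update(self, seq: int) -> bool:
        if seq <= self.top - self.width or seq in self.seen:
            return False
        self.seen.add(seq)
        self.top = max(self.top, seq)
        self.seen = {s for s in self.seen if s > self.top - self.width}
        return True


def esp_decapsulate(packet: bytes, spi: int, window: ReplayWindow):
    """Receiving gateway: verify ICV, then replay check, then decrypt; None on any failure."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ESP_PROTO:
        return None
    body = packet[ihl:]
    esp_hdr, ciphertext, icv = body[:8], body[8:-ICV_LEN], body[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, esp_hdr + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):          # integrity + data-origin authentication
        return None
    rx_spi, seq = struct.unpack("!II", esp_hdr)
    if rx_spi != spi or not window.check_and_update(seq):
        return None                                      # wrong SA or replayed packet
    iv, ct = ciphertext[:8], ciphertext[8:]
    plain = xor(ct, keystream(iv, len(ct)))
    pad_len, next_hdr = plain[-2], plain[-1]
    if next_hdr != IPIP_NEXT:
        return None
    return plain[:-(pad_len + 2)]                        # the original inner datagram, routed on the private side


if __name__ == "__main__":
    inner = ipv4("10.1.0.5", "10.2.0.7", 17, b"hello")   # constructed inner datagram (payload is arbitrary)
    pkt = esp_encapsulate(inner, 0x1234, 1, "203.0.113.1", "198.51.100.2")
    win = ReplayWindow()
    print(esp_decapsulate(pkt, 0x1234, win) == inner)    # True
    print(esp_decapsulate(pkt, 0x1234, win))             # None: replay
```

Everything between the outer IP header and the ICV, including the inner source and destination addresses, is opaque to the public network, which is what the encapsulation figure shows. The order of checks on the receiving side matters: verifying the ICV before decrypting means a forged or corrupted packet is dropped without ever touching the cipher, and the replay window ensures a captured packet cannot be fed back into the private network later.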

Page 14:

Four Protocols used in VPN

PPTP : Point-to-Point Tunneling Protocol

L2TP : Layer 2 Tunneling Protocol

IPsec : Internet Protocol Security

SOCKS : a session-layer proxy protocol; not used as much as the ones above

Page 15:

PPTP VPN

The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP uses a control channel over TCP (port 1723) and a GRE tunnel to encapsulate PPP packets.

It is a tunneling protocol only, and relies on the PPP authentication method (and the MPPE encryption keyed from it) to provide security.

Pros
• Client built in to just about all platforms
• Very easy to set up
• Fast

Cons
• Not at all secure: the vulnerable MS-CHAPv2 authentication is still the most common in use, and its handshake can be cracked offline with the effort of a single 56-bit DES key regardless of password strength
• Definitely compromised by the NSA

Page 16:

L2TP

Layer 2 Tunneling Protocol is a VPN protocol that on its own does not provide any encryption or confidentiality to the traffic that passes through it. For this reason it is usually implemented together with the IPsec protocol suite (L2TP/IPsec), which supplies the encryption and integrity protection.

Pros
• Usually considered very secure
• Easy to set up
• Available on all modern platforms
• Faster than OpenVPN

Cons
• May be compromised by the NSA (unproven)
• Likely deliberately weakened by the NSA (unproven)
• Can struggle with restrictive firewalls (needs UDP 500, UDP 4500 and/or IP protocol 50 to pass)
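The weaknesses listed on the PPTP and L2TP slides are visible on the wire, which is exactly what an eavesdropper on a WLAN, or a network monitor, sees. The following added example (not from the slides) classifies captured packets by the standard protocol and port numbers (TCP 1723 for PPTP control, IP protocol 47 GRE with protocol type 0x880B for PPTP data, UDP 1701 for L2TP, UDP 500 and 4500 for IKE and NAT-T, IP protocol 50 for ESP), walks the enhanced GRE header to read the PPP protocol number inside a PPTP data packet, and attaches a policy verdict. The sample frames, the helper names and the verdict strings are constructed for this demo.

```python
# Added example (not from the slides): tell VPN protocols apart on the wire
# and flag the ones the slides call weak. Protocol and port numbers are the
# standard assignments; the sample frames and the verdict text are constructed.
import struct

GRE, ESP, TCP, UDP = 47, 50, 6, 17
PPP_IN_GRE = 0x880B                                          # GRE protocol type for PPP (PPTP data, RFC 2637)
PPP_PROTO = {0x0021: "ip", 0xC223: "chap", 0x00FD: "mppe"}   # plain IP / CHAP auth / MPPE-encrypted


def ipv4_hdr(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 header (checksum left zero) for the test frames."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, addr(src), addr(dst)) + payload


def pptp_gre(payload_len: int, call_id: int, seq: int, ppp: bytes) -> bytes:
    """Constructed enhanced GRE frame: K and S bits set, version 1, then the PPP frame."""
    return struct.pack("!BBHHHI", 0x30, 0x01, PPP_IN_GRE, payload_len, call_id, seq) + ppp


def ppp_protocol(gre: bytes) -> int:
    """Walk the enhanced GRE header and return the PPP protocol number it carries."""
    flags0, flags1 = gre[0], gre[1]
    off = 4 + (4 if flags0 & 0x20 else 0) + (4 if flags0 & 0x10 else 0) + (4 if flags1 & 0x80 else 0)  # key, seq, ack
    ppp = gre[off:]
    if ppp[:2] == b"\xff\x03":                               # optional HDLC address/control bytes
        ppp = ppp[2:]
    return ppp[0] if ppp[0] & 1 else struct.unpack("!H", ppp[:2])[0]   # protocol-field compression


def classify(pkt: bytes) -> str:
    """Classify one IPv4 packet by the headers a passive observer can read."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, l4 = pkt[9], pkt[ihl:]
    if proto == ESP:
        return "ipsec-esp"
    if proto == GRE:
        if struct.unpack("!H", l4[2:4])[0] != PPP_IN_GRE:
            return "gre-other"
        return "pptp-data/" + PPP_PROTO.get(ppp_protocol(l4), "ppp-other")
    if proto in (TCP, UDP):
        ports = set(struct.unpack("!HH", l4[:4]))
        if proto == TCP and 1723 in ports:
            return "pptp-control"
        if proto == UDP and 1701 in ports:
            return "l2tp-plain"
        if proto == UDP and 500 in ports:
            return "ike"
        if proto == UDP and 4500 in ports:
            return "ipsec-nat-t"
    return "other"


# What an eavesdropper on the WLAN gets from each class (this example's policy text).
RISK = {
    "pptp-control": "PPTP session setup in the clear",
    "pptp-data/chap": "MS-CHAPv2 challenge/response exposed; NT hash recoverable offline",
    "pptp-data/ip": "PPP carrying plain IP: user traffic not encrypted at all",
    "pptp-data/mppe": "MPPE-encrypted, but keyed from the same weak MS-CHAPv2 exchange",
    "l2tp-plain": "L2TP without IPsec: no confidentiality or integrity",
}


def audit(packets):
    """Return a (class, verdict) pair per packet, as a monitor would log."""
    return [(c, RISK.get(c, "ok")) for c in map(classify, packets)]
```

The useful distinction is inside the GRE payload: a PPTP data packet whose PPP protocol is CHAP (0xC223) is the MS-CHAPv2 exchange itself travelling in the clear, which is what an attacker needs to capture; one carrying plain IP (0x0021) means MPPE was never negotiated. Bare L2TP on UDP 1701 is likewise a sign that the IPsec layer is missing, since L2TP/IPsec hides port 1701 inside ESP.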

Page 17:

IPSec and SOCKS VPN

Page 18:

Device Types: Hardware

Usually a VPN type of router

Pros
o Highest network throughput
o Plug and play
o Dual-purpose

Cons
o Cost
o Lack of flexibility

Page 19:

Device Types: Firewall

Pros
• “Hardened” operating system
• Tri-purpose
• Cost-effective

Cons
• Still relatively costly

Page 20:

Device Types: Software

o Ideal for two end points not in the same organization
o Great when different firewalls are implemented

Pros
o Flexible
o Low relative cost

Cons
• Lack of efficiency
• More labor training required
• Lower productivity; higher labor costs

Page 21:

Advantages:

Cost savings
• Reducing the long-distance telephone charges for remote access
• Transferring the support burden to the service providers
• Lower operational costs

Scalability
• Flexibility of growth
• Efficiency with broadband technology

Page 22:

Disadvantages

Page 23:

Requirements for Internet-Based VPNs

Security Requirements: User Authentication – the user’s identity must be verified, and VPN access must be restricted to authorized users.

Address Management and Privacy: Clients’ addresses on the private network must be kept private and managed securely.

Data Encryption and Integrity: Data carried on the public network must be rendered unreadable to unauthorized parties and must be protected against undetected modification.

Security can be implemented in hardware or software.

Page 24:

Q.1 VPN stands for…

a) Virtual Public Network b) Virtual Private Network

c) Virtual Protocol Network d) Virtual Perimeter Network

A.1 b) Virtual Private Network

VPN stands for "Virtual Private Network" or "Virtual Private Networking." A VPN is a private network in the sense that it carries controlled information, protected by various security mechanisms, between known parties. VPNs are only "virtually" private, however, because this data actually travels over shared public networks instead of fully dedicated private connections.

Page 25:

Q.2 What are the acronyms for the 3 most common VPN protocols?

A.2 PPTP, L2TP, IPsec

PPTP, IPsec, and L2TP are three of today's most popular VPN tunneling protocols. Each of them can carry a VPN connection, but only IPsec (on its own or under L2TP) should be relied on for security; as noted on the PPTP slide, PPTP's MS-CHAPv2 authentication is broken.

Page 26:

Q.3 What is the main benefit of VPNs compared to dedicated networks utilizing frame relay, leased lines, and traditional dial-up?

a) better network performance b) less downtime on average c) reduced cost d) improved security

A.3 c) reduced cost

The main benefit of a VPN is the potential for significant cost savings compared to traditional leased lines or dial-up networking. These savings come with a certain amount of risk, however, particularly when using the public Internet as the delivery mechanism for VPN data.

Page 27:

Q.4 In VPNs, the term "tunneling" refers to…

a) an optional feature that increases network performance if it is turned on

b) the encapsulation of packets inside packets of a different protocol to create and maintain the virtual circuit

c) the method a system administrator uses to detect hackers on the network

d) a marketing strategy that involves selling VPN products for very low prices in return for expensive service contracts

A.4 b) the encapsulation of packets inside packets of a different protocol to create and maintain the virtual circuit

