
VPN Technology

What is VPN?

VPN (Virtual Private Network) is a generic term for a communication network that uses any combination of technologies to secure a connection tunnelled through an otherwise unsecured or untrusted network. Instead of using a dedicated connection, such as a leased line, a "virtual" connection is made between geographically dispersed users and networks over a shared or public network, like the Internet. Data is transmitted as if it were passing through private connections.


VPN transmits data by means of tunnelling. Before a packet is transmitted, it is encapsulated (wrapped) in a new packet with a new header. This header provides the routing information needed to traverse a shared or public network until the packet reaches its tunnel endpoint. The logical path that encapsulated packets travel through is called a tunnel. When each packet reaches the tunnel endpoint, it is "decapsulated" and forwarded to its final destination. Both tunnel endpoints need to support the same tunnelling protocol. Tunnelling protocols operate at either OSI (Open System Interconnection) layer two (data-link layer) or layer three (network layer). The most commonly used tunnelling protocols are IPsec, L2TP, PPTP and SSL. A packet with a private, non-routable IP address can be sent inside a packet with a globally unique IP address, thereby extending a private network over the Internet.

VPN Security?

VPN uses encryption to provide data confidentiality. Once connected, the VPN makes use of the tunnelling mechanism described above to encapsulate encrypted data into a secure tunnel, with openly readable headers that can cross a public network. Packets passed over a public network in this way are unreadable without the proper decryption keys, thus ensuring that data is not disclosed or changed in any way during transmission.

VPN can also provide a data integrity check. This is typically performed using a message digest to ensure that the data has not been tampered with during transmission.
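As an added example (not code from the original post), the encapsulation described in the tunnelling section and the message-digest integrity check above, in Python: an inner packet with private addresses is wrapped in an outer IPv4 header (protocol 4, IP-in-IP) that stays readable for routing across the public network, while an HMAC-SHA256 tag over the inner packet lets the tunnel endpoint detect tampering. The shared key, addresses and payload are constructed for the demonstration; encryption of the inner packet is left out to stay within the standard library.

```python
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP = 4  # outer-header protocol number for IP-in-IP tunnelling

def ip_checksum(data: bytes) -> int:
    """One's-complement IPv4 header checksum (even length); 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def encapsulate(inner: bytes, key: bytes, tun_src: str, tun_dst: str) -> bytes:
    """Tunnel entry: append a digest over the private packet, then wrap it in a
    public outer header that stays readable so Internet routers can forward it."""
    body = inner + hmac.new(key, inner, hashlib.sha256).digest()
    return ipv4_header(tun_src, tun_dst, IPPROTO_IPIP, len(body)) + body

def decapsulate(outer: bytes, key: bytes) -> bytes:
    """Tunnel exit: validate the outer header, verify the digest, unwrap."""
    if ip_checksum(outer[:20]) != 0:
        raise ValueError("outer header checksum mismatch")
    if outer[9] != IPPROTO_IPIP:
        raise ValueError("not a tunnel packet")
    body = outer[(outer[0] & 0x0F) * 4:]          # skip outer header (IHL * 4 bytes)
    inner, tag = body[:-32], body[-32:]           # 32-byte SHA-256 digest at the end
    if not hmac.compare_digest(tag, hmac.new(key, inner, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: packet modified in transit")
    return inner

def demo() -> bool:
    key = b"constructed-demo-key"  # constructed for the example, not a real key
    inner = ipv4_header("10.0.1.5", "10.0.2.9", 17, 8) + b"payload!"
    outer = encapsulate(inner, key, "203.0.113.10", "198.51.100.20")
    if decapsulate(outer, key) != inner:
        return False
    tampered = outer[:40] + bytes([outer[40] ^ 0x01]) + outer[41:]  # flip a bit in the inner packet
    try:
        decapsulate(tampered, key)
        return False           # modification went unnoticed
    except ValueError:
        return True            # digest check caught it
```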

By default, VPN does not provide or enforce strong user authentication. Users can enter a simple username and password to gain access to an internal private network from home or via other insecure networks. Nevertheless, VPN does support add-on authentication mechanisms, such as smart cards, tokens and RADIUS.

Business Considerations

VPN is mainly employed by organisations and enterprises in the following ways:
  1. Remote access VPN: This is a user-to-network connection for a home or mobile user wishing to connect to a corporate private network from a remote location. This kind of VPN permits secure, encrypted connections between a corporate private network and remote users.
  2. Intranet VPN: Here, a VPN is used to make connections among fixed locations such as branch offices. This kind of LAN-to-LAN VPN connection joins multiple remote locations into a single private network.
  3. Extranet VPN: This is where a VPN is used to connect business partners, such as suppliers and customers, together so as to allow the various parties to work with secure data in a shared environment.
  4. WAN replacement: Here, VPN offers an alternative to WANs (Wide Area Networks). Maintaining a WAN can become expensive, especially when networks are geographically dispersed. VPN often requires less cost and administration overhead, and offers greater scalability than traditional private networks using leased lines. However, network reliability and performance might be a problem, in particular when data and connections are tunnelled through the Internet.

Types of VPN Product

VPNs can be broadly categorised as follows:
  1. A firewall-based VPN is one that is equipped with both firewall and VPN capabilities. This type of VPN makes use of the security mechanisms in firewalls to restrict access to an internal network. The features it provides include address translation, user authentication, real-time alarms and extensive logging.
  2. A hardware-based VPN offers high network throughput, better performance and more reliability, since there is no processor overhead. However, it is also more expensive.
  3. A software-based VPN provides the most flexibility in how traffic is managed. This type is suitable when VPN endpoints are not controlled by the same party, and where different firewalls and routers are used. It can be used with hardware encryption accelerators to enhance performance.
  4. An SSL VPN allows users to connect to VPN devices using a web browser. The SSL (Secure Sockets Layer) protocol or TLS (Transport Layer Security) protocol is used to encrypt traffic between the web browser and the SSL VPN device. One advantage of using SSL VPNs is ease of use: because all standard web browsers support the SSL protocol, users do not need to do any software installation or configuration.

Risks and Limitations of VPN

Hacking Attacks

A client machine may become a target of attack, or a staging point for an attack, from within the connecting network. An intruder could exploit bugs or misconfiguration in a client machine, or use other types of hacking tools to launch an attack. These can include VPN hijacking or man-in-the-middle attacks:
  1. VPN hijacking is the unauthorised take-over of an established VPN connection from a remote client, and impersonating that client on the connecting network.
  2. Man-in-the-middle attacks affect traffic being sent between communicating parties, and can include interception, insertion, deletion and modification of messages, reflecting messages back at the sender, replaying old messages and redirecting messages.

User Authentication

By default, VPN does not provide or enforce strong user authentication. A VPN connection should only be established by an authenticated user. If the authentication is not strong enough to restrict unauthorised access, an unauthorised party could access the connected network and its resources. Most VPN implementations provide limited authentication methods. For example, PAP, used in PPTP, transports both user name and password in clear text. A third party could capture this information and use it to gain subsequent access to the network.

Client Side Risks

The VPN client machines of, say, home users may be connected to the Internet via a standard broadband connection while at the same time holding a VPN connection to a private network, using split tunnelling. This may pose a risk to the private network being connected to.

A client machine may also be shared with other parties who are not fully aware of the security implications. In addition, a laptop used by a mobile user may be connected to the Internet via a wireless LAN at a hotel or airport, or via other foreign networks. However, the security protection at most of these public connection points is inadequate for VPN access. If the VPN client machine is compromised, either before or during the connection, this poses a risk to the connecting network.

Virus/Malware Infections

A connecting network can be compromised if the client side is infected with a virus. If a virus or spyware infects a client machine, there is a chance that the password for the VPN connection might be leaked to an attacker. In the case of an intranet or extranet VPN connection, if one network is infected by a virus or worm, that virus or worm can spread quickly to other networks if anti-virus protection systems are ineffective.

Incorrect Network Access Rights

Some client and/or connecting networks may have been granted more access rights than is actually needed.

Interoperability

Interoperability is also a concern. For example, IPsec compliant software from two different vendors may not always be able to work together.

Security Considerations

General VPN Security Considerations

The following is general security advice for VPN deployment:
  1. VPN connections can be strengthened by the use of firewalls.
  2. An IDS / IPS (Intrusion Detection / Prevention System) is recommended in order to monitor attacks more effectively.
  3. Anti-virus software should be installed on remote clients and network servers to prevent the spread of any virus or worm if either end is infected.
  4. Unsecured or unmanaged systems with simple or no authentication should not be allowed to make VPN connections to the internal network.
  5. Logging and auditing functions should be provided to record network connections, especially any unauthorised attempts at access. The log should be reviewed regularly.
  6. Training should be given to network/security administrators and supporting staff, as well as to remote users, to ensure that they follow security best practices and policies during the implementation and ongoing use of the VPN.
  7. Security policies and guidelines on the appropriate use of VPN and network support should be distributed to responsible parties to control and govern their use of the VPN.
  8. Placing the VPN entry point in a Demilitarised Zone (DMZ) is recommended in order to protect the internal network.
  9. It is advisable not to use split tunnelling to access the Internet or any other insecure network simultaneously during a VPN connection. If split tunnelling is used, a firewall and IDS should be used to detect and prevent any potential attack coming from insecure networks.
  10. Unnecessary access to internal networks should be restricted and controlled.

Common Security Features in VPN Products

The following are security features to look for when choosing a VPN product:
  1. Support for strong authentication, e.g. TACACS+, RADIUS, smart cards / tokens.
  2. Industry-proven strong encryption algorithms, with support for long keys, to protect data confidentiality during transmission.
  3. Support for anti-virus software, and intrusion detection / prevention features.
  4. Strong default security for all administration / maintenance ports.
  5. Digital certificate support, such as using certificates for site-to-site authentication.
  6. Address management support, such as the capability to assign a client an address on the private network and to ensure that all addresses are kept private.

Conclusion

VPN provides a means of accessing a secure, private, internal network over insecure public networks such as the Internet. A number of VPN technologies have been outlined, among which IPsec and SSL VPN are the most common. Although a secure communication channel can be opened and tunnelled through an insecure network via VPN, client-side security should not be overlooked.

