Vpn – Remote Access Solutions
VPN stands for Virtual Private Network. The term refers to any device capable of creating a semi-permanent encrypted tunnel over a public network between two private machines or networks, carrying arbitrary (non-protocol-specific) traffic. Because the tunnel carries every form of traffic between the two endpoints, it encrypts on a link basis rather than on a per-application basis. VPNs are useful where an entity is paying for dedicated leased lines because of security concerns, or because it needs to provide layer two communications over a WAN link via transparent bridging, WINS servers, or other broadcast repeaters (Snyder, 2004).
The VPN allows the endpoints to connect to the Internet and have this same functionality without the need for expensive leased lines. The other common use for VPNs is to provide dial-up access or network extension for remote employees. Instead of making expensive calls and maintaining access servers with modem banks, a remote user can dial up and connect to the Internet locally, then use the VPN to access the main site securely over the Internet. This reduces phone bills and eliminates expensive, hard-to-secure modem banks and access servers.

One of the key elements of VPNs is encryption. To protect sensitive or non-routable data as it passes over the public Internet, we need to create a virtual private tunnel (Snyder, 2004). This tunnel is built by encrypting the packets or frames and then encapsulating them in regular IP traffic between the two hosts or networks. The protection and encapsulation of these packets is vital to the function of a VPN and one of the most complex pieces to get right (Schneier and Ferguson, 2006).

VPNs work by creating a virtual tunnel over the public Internet. To create this tunnel, symmetric encryption is used: both sides of the tunnel share common encryption and decryption keys and use them to encrypt all traffic in both directions. Symmetric encryption is very fast, and there are many solid algorithms available to implement it (Blowfish, AES, 3DES) (Dumon, 2006). Symmetric encryption has two problems. The first is getting the common keys to both sides of the tunnel, which is called key exchange or key agreement. The second is knowing that we are exchanging keys with the correct entity, which is called authentication (Dumon, 2006). There are many ways to exchange keys. One is to call the administrator on the other end of the tunnel and read them the key over the phone. Another is to send them the key in an email, using Pretty Good Privacy (PGP) to encrypt the exchange.

Both of these methods work, but neither is very practical. To overcome this cumbersome key exchange issue, VPNs often use certificates. Certificates use public key cryptography, meaning a host generates a public/private key pair whose two halves are mathematically related to one another. Any data encrypted with the public key can only be decrypted with the private key, and vice versa. Each end system has its own public/private key pair. The public key is given out to the world to encrypt traffic bound for the system, and the private key is kept secret to decrypt this traffic. The private key can also be used to prove that data was actually sent by a specific entity, which is called non-repudiation.
User-space SSL VPNs use the highly mature and widespread SSL/TLS protocol to handle the tunnel creation and cryptographic elements necessary to create a VPN. There are other commercial products available to create SSL VPNs, but most if not all of them miss the mark on creating a usable site-to-site VPN (Yonan, 2004). For a detailed explanation of this, see the section below on other SSL VPNs.

OpenVPN is a user-space VPN that uses the well-tested and mature SSL/TLS infrastructure to create the same site-to-site connection functionality found in IPSec VPNs. OpenVPN is referred to as a user-space VPN because it does not require sophisticated intertwining with the OS's kernel to function (Yonan, 2004). Usually, to do link encryption, an application must be intertwined with the kernel to gain low-level access to the interface where the link is found. User-space VPNs instead use a "virtual interface" that they control and access without this kernel dependence. This gives user-space VPNs a more secure starting point than standard IPSec devices, and it also provides more flexibility in porting to other operating systems and greater ease of installation and maintenance. The flexibility of this architecture even allows it to coexist on the same box with IPSec VPNs. You can install OpenVPN on Windows machines without any conflict between it and the Windows IPSec client, which, as anyone who has tried to install a third-party IPSec client on Windows knows, is a pretty big plus (Schneier and Ferguson, 2006). You can run an IPSec VPN from your Windows machine and still have an SSL/TLS-based VPN running at the same time.

SSL/TLS is a standard protocol for encrypting Internet traffic (Schneier and Ferguson, 2006). It has been widely implemented and tested for vulnerabilities. As long as no one figures out how to factor large composite numbers in a hurry, SSL/TLS appears to be in good shape to provide security for quite some time to come (Snyder, 2004).
SSL/TLS is much easier to implement than IPSec and provides a platform that is solid, simple, and well-tested (Rescorla). It is important to note that SSL/TLS-based VPNs are able to encrypt link traffic for site-to-site connectivity just like IPSec VPNs. The RSA (or DH) handshake plays exactly the role that IKE plays in IPSec, and the SSL crypto library is then used to secure the symmetric tunnel, again using encryption techniques similar to those protecting IPSec tunnels (RSA Laboratories, 2004). This tunnel can pass arbitrary traffic, just like an IPSec VPN.
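The symmetric tunnel described earlier (shared keys on both sides, all traffic encrypted in both directions, packets encapsulated in regular IP traffic) and the handshake-then-tunnel sequence just described can be modelled in a few dozen lines. The following is an added example, not code from the essay or from OpenVPN or any other product. It assumes the shared secret has already arrived out of band (the phone call or PGP mail the essay mentions, or the output of a TLS or IKE handshake) and shows the part that follows: deriving one key pair per direction, encrypting each inner frame, authenticating it with a MAC, and wrapping it in an outer packet. It uses only the Python standard library, so the stream cipher is an HMAC-SHA256 keystream stand-in for AES; the PSK, labels and sample frame are constructed values.

```python
"""Toy model of a VPN's symmetric tunnel: per-direction keys, encrypt-then-MAC,
encapsulation, and the checks the receiver must perform before trusting a packet.
Added example; standard library only, not production cryptography."""
import hashlib
import hmac
import struct

# Constructed pre-shared secret.  In a real VPN this would come from the
# out-of-band key exchange or from the TLS/IKE handshake.
PSK = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")


def hkdf_sha256(ikm: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    """RFC 5869 HKDF (extract, then expand) with SHA-256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def direction_keys(psk: bytes, label: bytes):
    """Encryption key and MAC key for one direction of the tunnel."""
    km = hkdf_sha256(psk, b"vpn-example " + label, 64)
    return km[:32], km[32:]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream cipher: block i of keystream = HMAC(key, nonce || i).
    Stand-in for AES-CTR; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class TunnelEnd:
    """One endpoint.  The two ends instantiate with send/recv labels swapped,
    so each direction of the tunnel gets its own keys."""

    def __init__(self, psk: bytes, send_label: bytes, recv_label: bytes):
        self.enc_out, self.mac_out = direction_keys(psk, send_label)
        self.enc_in, self.mac_in = direction_keys(psk, recv_label)
        self.seq_out = 0
        self.highest_seen = -1  # simplest anti-replay rule: sequence must increase

    def encapsulate(self, inner_frame: bytes) -> bytes:
        """Outer packet = seq(8) || ciphertext || tag(32).  The outer packet is what
        travels as ordinary IP traffic; the inner frame can be any protocol."""
        seq = struct.pack(">Q", self.seq_out)
        self.seq_out += 1
        ct = keystream_xor(self.enc_out, seq, inner_frame)
        tag = hmac.new(self.mac_out, seq + ct, hashlib.sha256).digest()
        return seq + ct + tag

    def decapsulate(self, packet: bytes) -> bytes:
        """Check the tag before using the ciphertext (encrypt-then-MAC), reject
        replays, then recover the inner frame.  Raises ValueError on failure."""
        if len(packet) < 40:
            raise ValueError("truncated packet")
        seq, ct, tag = packet[:8], packet[8:-32], packet[-32:]
        expected = hmac.new(self.mac_in, seq + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad MAC: packet altered or wrong key")
        n = struct.unpack(">Q", seq)[0]
        if n <= self.highest_seen:
            raise ValueError("replayed packet")
        self.highest_seen = n
        return keystream_xor(self.enc_in, seq, ct)


def demo() -> dict:
    """Round-trip a constructed frame, then show that a tampered copy and a
    replayed copy are both rejected by the receiving end."""
    site_a = TunnelEnd(PSK, b"a->b", b"b->a")
    site_b = TunnelEnd(PSK, b"b->a", b"a->b")
    frame = b"\x45\x00\x00\x28" + b"constructed inner IP packet"
    pkt = site_a.encapsulate(frame)
    results = {"roundtrip": site_b.decapsulate(pkt) == frame,
               "plaintext_hidden": frame not in pkt}
    tampered = pkt[:12] + bytes([pkt[12] ^ 0x01]) + pkt[13:]  # flip one ciphertext bit
    try:
        site_b.decapsulate(tampered)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    try:
        site_b.decapsulate(pkt)  # same packet again
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks in `decapsulate` is the point the essay's "most complex pieces to get right" remark alludes to: the receiver verifies the MAC over the sequence number and ciphertext before decrypting anything, and drops repeated sequence numbers, so an altered or replayed outer packet never reaches the inner network. A real implementation would use an authenticated cipher such as AES-GCM in place of the toy keystream and a sliding replay window rather than a strictly increasing counter, so that reordered packets are not discarded.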
IPSec is a standard set of protocols and rules for their use that allow the creation of VPNs. The theory was if vendors implement IPSec to create their