Virtual Private Networks

Virtual Private Networks. Survey on Information Assurance, TEL 581. Presented by Viswesh Prabhu Subramanian, Gregory Michel and Lincoln Jean Louis.

Virtual Private Networks. Contents:
- What is a VPN?
- VPN types
- VPN security
- VPN gateways
- Introduction to VPN protocols
- Pros and cons of VPN
- Tunneling protocols: what is tunneling, IPSec, PPP, Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), Layer 2 Forwarding (L2F)
- Authentication protocols: Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), PAP vs CHAP, Extensible Authentication Protocol (EAP)
- Summary
- Remote access guidelines

What is a VPN?

What is a VPN? Short video about VPN from Teracom Training Institute. http://www.yousearchblog.com/video/1Q6wKa1IaIA/Acronyms%20and%20Abbreviations

What is a VPN? A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. (http://lylebeckportfolio.com/vpn.htm)

What is a VPN? http://www.3linkserver.com/images/themes/3link/vpn_image.gif

What is a VPN? Before VPNs, organizations moved information between trusted network segments over carrier facilities shared with other customers, such as Frame Relay or ATM virtual circuits: a public infrastructure, but with traffic separation provided by the carrier rather than by cryptography. http://www.uniforum.chi.il.us/slides/baker-vpn/vpn.ppt

What is a VPN? A VIRTUAL private network replaces all of the above with the public Internet. Performance and availability then depend on your ISP and on the Internet path between the sites rather than on a carrier contract. http://www.uniforum.chi.il.us/slides/baker-vpn/vpn.ppt

Why?

VPN Types

VPN works via Crypto/Encapsulation http://www.uniforum.chi.il.us/slides/baker-vpn/vpn.ppt

VPN Security http://lylebeckportfolio.com/vpn.htm

VPN Gateways. VPN gateways can be categorized as standalone or integrated. A standalone VPN is a purpose-built device placed between the data source and the WAN link (or, in a remote office, between the modem and the local network). An integrated implementation adds VPN functionality to an existing device such as a router or firewall.

Gateway Solutions. Router-based VPNs: adding encryption support to existing routers keeps the upgrade cost of a VPN low. Firewall-based VPNs: a workable solution for small networks with low traffic volume, since the firewall already sits at the perimeter where the tunnel terminates. Software-based VPNs: a good way to understand how a VPN works; the software runs on existing servers and shares resources with them.

Two main VPN architectures. Products are based either on IPSec or on a PPP tunneling protocol, PPTP or L2TP. IPSec has become the de facto standard for LAN-to-LAN VPNs, while PPTP and L2TP are heavily used for single-client-to-LAN (remote access) connections, so many VPN products support all three. A caveat for today's reader: PPTP is now considered obsolete because its MS-CHAPv2 authentication and the MPPE keys derived from it are cryptographically broken, and current remote-access deployments pair L2TP with IPSec or use IPSec directly.

Benefits of using VPN. Lower costs: remote-access costs are reported to fall by about 80 percent and LAN-to-LAN connectivity costs by 20 to 40 percent. A VPN provides a low-cost alternative to backbone equipment, in-house terminal equipment and access modem pools. Connectivity improvements: VPN-based links are an easy and inexpensive way to meet changing business demands.

Benefits of VPN. Anywhere, anytime access: the ubiquitous public Internet offers transparent access to central corporate systems such as e-mail, directories and internal and external web sites. VPN technology is improving rapidly; it is cost-effective, and the return on investment outweighs any hesitation about adopting a new technology.

Disadvantages of VPN
- The availability and performance of a VPN are difficult to control, because they depend on the public network in between.
- VPN throughput is lower than that of a dedicated connection: encapsulation overhead, encryption cost and Internet path quality all take their share.
- VPN implementations from different vendors may interoperate poorly. This is improving over time, but for now it can cause frustration when implementing a VPN.
- One of the VPN's weakest links is its users. When a telecommuter or employee connects to the corporate office over a VPN from a laptop or home computer, the corporate network inherits the security posture of that machine. The same computer is used for many other applications, so a weakness on the employee's personal computer becomes a tunnel straight into the corporate network.

Tunneling Protocols

Tunneling Protocols What is tunneling IPSec PPP Point-to-Point Tunneling Protocol (PPTP) Layer 2 Tunneling Protocol (L2TP) Layer 2 Forwarding (L2F)

Tunneling Protocols. A tunnel is a virtual path across a network that delivers packets which are encapsulated and possibly encrypted: a packet of one protocol is wrapped, or encapsulated, inside a packet of a different protocol. Encapsulation by itself provides no security; confidentiality and integrity come only from the encryption and authentication applied to the inner packet.

What is tunneling? Examples of situations where tunneling is used: an Ethernet network is attached to an FDDI backbone, and the FDDI network does not understand the Ethernet frame format, so Ethernet frames are carried inside FDDI frames; two networks speak IPX and need to communicate across the IP-only Internet, so IPX packets are carried inside IP packets.

What is tunneling? http://www.novell.com/documentation/nias41/iptuneun/graphics/rtc_021a.gif

What is tunneling? Tunneling is the main ingredient of a VPN: the VPN uses a tunnel to create its connection. Three main tunneling protocols are used in VPN connections: PPTP, L2TP and IPSec.

IPSec (Internet Protocol Security) provides a method of setting up a secure channel for protected data exchange between two devices. It is more flexible and less expensive than end-to-end and link encryption methods, and it is the protocol most commonly employed to establish virtual private networks (VPNs) between networks across the Internet.

IPSec (Internet Protocol Security). IPSec uses two basic security protocols. Authentication Header (AH) provides integrity, data-origin authentication and optional anti-replay protection, but no confidentiality; its integrity check also covers the immutable parts of the IP header, including both addresses, which is why AH does not survive NAT. Encapsulating Security Payload (ESP) provides confidentiality and, optionally, integrity and source authentication of the encapsulated payload; ESP with integrity enabled is what most deployments use.

IPSec (Internet Protocol Security). IPSec can work in one of two modes. In transport mode only the payload of the IP packet is protected; the original IP header stays in place and is used for routing. In tunnel mode the entire original packet, header and payload, is protected and becomes the payload of a new outer IP packet whose header carries the addresses of the two VPN gateways; this is the mode used for gateway-to-gateway VPNs.

IPSec (Internet Protocol Security) CISSP Certification All in One Exam Guide pg 610
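The encapsulation and the two IPSec modes described above, as an added example that is not part of the original presentation. It builds IPv4 headers by hand and computes an AH-style integrity check value over the immutable view of the header plus the payload (HMAC-SHA-256 truncated to 128 bits), first in transport mode and then in tunnel mode, where the whole original packet is wrapped in an outer header addressed between two gateways. The key, addresses and payload are constructed for the demonstration, and the AH header fields (SPI, sequence number) are omitted for brevity, so this is the AH idea rather than a wire-compatible implementation.

```python
import hashlib
import hmac
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options
PROTO_UDP = 17
PROTO_AH = 51


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header. The checksum is left at zero; it is mutable and excluded from AH anyway."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ip_bytes(src), ip_bytes(dst))


def zero_mutable_fields(header: bytes) -> bytes:
    """The header as AH sees it (RFC 4302, 3.3.3.1): ToS, flags/fragment offset,
    TTL and checksum change in transit and are zeroed before the ICV is computed.
    Everything else, the two addresses included, is covered."""
    ver_ihl, _tos, total_len, ident, _flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, header)
    return struct.pack(IPV4_FMT, ver_ihl, 0, total_len, ident, 0, 0, proto, 0, src, dst)


def ah_icv(key: bytes, header: bytes, payload: bytes) -> bytes:
    """AH-style integrity check value: HMAC-SHA-256 truncated to 128 bits over the
    immutable view of the header plus the payload. Simplification: real AH also
    covers its own header (SPI, sequence number) with the ICV field zeroed."""
    return hmac.new(key, zero_mutable_fields(header) + payload, hashlib.sha256).digest()[:16]


def ah_verify(key: bytes, header: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(key, header, payload), icv)


def tunnel_encapsulate(inner_packet: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the whole original packet becomes the payload of a new outer
    header addressed between the two gateways. The inner header is then ordinary
    payload and is covered in full, TTL included."""
    return ipv4_header(gw_src, gw_dst, PROTO_AH, len(inner_packet))


def with_byte(data: bytes, offset: int, value: int) -> bytes:
    return data[:offset] + bytes([value]) + data[offset + 1:]


def demo() -> dict:
    key = b"constructed demo key, not a real SA"      # shared by both endpoints (constructed)
    payload = b"constructed UDP datagram"
    hdr = ipv4_header("10.1.1.5", "10.2.2.9", PROTO_UDP, len(payload))

    # Transport mode: ICV over the host's own header (mutable fields zeroed) + payload
    icv = ah_icv(key, hdr, payload)
    ttl_decremented = with_byte(hdr, 8, hdr[8] - 1)              # a router hop
    natted = hdr[:12] + ip_bytes("203.0.113.7") + hdr[16:]       # NAT rewrites the source

    # Tunnel mode: a gateway wraps the whole packet and authenticates the outer header
    inner = hdr + payload
    outer = tunnel_encapsulate(inner, "192.0.2.1", "198.51.100.1")
    t_icv = ah_icv(key, outer, inner)
    inner_tampered = with_byte(inner, 8, inner[8] - 1)           # inner TTL altered in transit

    return {
        "transport_ttl_decrement_ok": ah_verify(key, ttl_decremented, payload, icv),
        "transport_nat_rewrite_ok": ah_verify(key, natted, payload, icv),
        "tunnel_outer_ttl_decrement_ok": ah_verify(key, with_byte(outer, 8, outer[8] - 1), inner, t_icv),
        "tunnel_inner_change_ok": ah_verify(key, outer, inner_tampered, t_icv),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Running it shows the practical consequence of what AH covers: a TTL decrement by a router is accepted in both modes, a NAT rewrite of an address is rejected, and in tunnel mode any change to the inner header is rejected as well because it has become part of the authenticated payload.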

Point-to-Point Tunneling Protocol (PPTP). PPTP is a protocol developed by a Microsoft-led vendor consortium (RFC 2637) which allows a remote user to set up a PPP connection to a local ISP and then create a VPN tunnel across the Internet to their destination.

Point-to-Point Tunneling Protocol (PPTP) CISSP Certification All in One Exam Guide pg 612

Point-to-Point Tunneling Protocol (PPTP). In PPTP, the PPP payload is encrypted with Microsoft Point-to-Point Encryption (MPPE), which requires MS-CHAP or EAP-TLS authentication. The keys used to encrypt the data are derived during the authentication exchange between the user and the authentication server. This coupling is PPTP's weak point: with MS-CHAPv2, an attacker who captures the handshake can recover the user's NT password hash with a single 2^56 DES key search and derive the MPPE session keys from it, so PPTP gives no real confidentiality against a capable adversary.

Point-to-Point Tunneling Protocol (PPTP) CISSP Certification All in One Exam Guide pg 613

Point-to-Point Tunneling Protocol (PPTP). One limitation of PPTP is that it works only over IP networks; other protocols must be used to move data over Frame Relay, X.25 and ATM links.

Layer 2 Tunneling Protocol (L2TP). L2TP provides the functionality of PPTP, but it can run over networks other than IP. L2TP itself encrypts nothing and does not authenticate individual packets; it relies on the PPP authentication it carries (PAP, CHAP or EAP) for user authentication, and must be combined with IPSec (L2TP/IPSec) when encryption and authentication of the tunnel are required.

Layer 2 Tunneling Protocol (L2TP). The encapsulation process L2TP uses is similar to that of PPTP: the PPP frame is wrapped in an L2TP header and carried over UDP, whereas PPTP carries the PPP frame in GRE.

PPTP vs L2TP. PPTP can run only within IP networks; L2TP, on the other hand, can run over other transports such as Frame Relay, X.25 and ATM. PPTP includes encryption (MPPE); L2TP does not. L2TP supports TACACS+ and RADIUS, while PPTP does not.

Summary of tunneling. Point-to-Point Tunneling Protocol (PPTP):
- Designed for client/server connectivity
- Sets up a single point-to-point connection between two computers
- Works at the data link layer
- Transmits over IP networks only

Summary of tunneling. Layer 2 Tunneling Protocol (L2TP):
- Sets up a single point-to-point connection between two computers
- Works at the data link layer
- Transmits over multiple types of networks, not just IP
- Combined with IPSec for security

Summary of tunneling. IPSec:
- Handles multiple connections at the same time
- Provides secure authentication and encryption
- Supports only IP networks

Authentication Protocols

Authentication Protocols Password Authentication Protocol (PAP) Challenge Handshake Protocol (Chap) PAP vs Chap Extensible Authentication Protocol (EAP)

Authentication. What is authentication? The process of determining that you are who you say you are. "It provides identification and authentication of the user who is attempting to access a network from a remote system." (CISSP Certification All-in-One Exam Guide, pg. 614)

Authentication. How does one get authenticated? By validation of a username and password, a token, or similar credentials. If the credentials are valid, the user is granted access; if not, no access is provided.

Password Authentication Protocol (PAP). Used by remote users to authenticate over PPP lines:
- The user enters a username and password before authentication.
- The username and password are sent over the network to the authentication server.
- The server compares them with the database stored on the authentication server.
- If the username and password match, access is granted; otherwise access is denied.

Password Authentication Protocol (PAP) PAP Authentication process

Password Authentication Protocol (PAP). Problem: PAP is very insecure. Credentials are sent in cleartext, so anyone running sniffer software on the path can obtain your credentials.

Challenge Handshake Authentication Protocol (CHAP). Uses a challenge/response mechanism to authenticate the user instead of sending the password. A challenge is a random value; the user proves knowledge of the shared secret (the predefined password) by returning a one-way hash computed over the challenge and that secret (MD5 in RFC 1994), so the secret itself never crosses the link.

Challenge Handshake Authentication Protocol (CHAP). The authentication process:
- The host computer sends the authentication server a logon request.
- The server sends the user a random challenge value.
- The user's host hashes the challenge together with the predefined password.
- The resulting response value is returned to the server.

Challenge Handshake Authentication Protocol (CHAP). The authentication process (cont'd):
- The authentication server, which also holds the predefined password, computes the same hash over the challenge it issued.
- The server compares the received response with the value it computed.
- If they match, the server authenticates the user and grants access; otherwise access is denied.
Because each challenge is fresh and random, a captured response cannot be replayed. The protection is only as strong as the secret, though: an eavesdropper who records the challenge and response can run an offline dictionary attack against the password.

Challenge Handshake Authentication Protocol (CHAP) Challenge Handshake Process
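The three-way handshake above with both sides implemented, as an added example that is not part of the original presentation. The response is computed exactly as RFC 1994 specifies, MD5 over the identifier, the secret and the challenge, and a minimal PAP request is built alongside it so the difference on the wire is visible. The peer name, secret and the tracking of outstanding challenges are constructed for the demonstration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994, section 2.1: Response Value = MD5(Identifier || secret || Challenge Value).
    The secret never crosses the link; only a one-way hash that depends on it does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def pap_on_wire(name: str, password: bytes) -> bytes:
    """What PAP puts on the link (RFC 1334 Authenticate-Request, simplified):
    the peer ID and the password itself, in the clear."""
    return bytes([len(name)]) + name.encode() + bytes([len(password)]) + password


class ChapAuthenticator:
    """Server side. CHAP needs the secret itself (not a salted hash of it) to
    recompute the response, so the authenticator's secret store must be guarded."""

    def __init__(self, secrets: dict):
        self._secrets = dict(secrets)       # peer name -> shared secret (constructed)
        self._outstanding = {}              # identifier -> challenge awaiting a response
        self._identifier = 0

    def challenge(self) -> tuple:
        """Issue a fresh random challenge; its one-time use is what stops replay."""
        self._identifier = (self._identifier + 1) & 0xFF
        value = os.urandom(16)
        self._outstanding[self._identifier] = value
        return self._identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self._outstanding.pop(identifier, None)
        if challenge is None:
            return False                    # unknown, expired or already consumed challenge
        secret = self._secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def chap_login(server: ChapAuthenticator, name: str, secret: bytes) -> tuple:
    """Peer side of the handshake; returns (identifier, response, accepted)."""
    identifier, challenge = server.challenge()                        # 1. Challenge
    response = chap_response(identifier, secret, challenge)           # 2. Response
    return identifier, response, server.verify(identifier, name, response)  # 3. Success/Failure


def demo() -> dict:
    secret = b"constructed-shared-secret"
    server = ChapAuthenticator({"alice": secret})

    ident, response, accepted = chap_login(server, "alice", secret)
    replayed = server.verify(ident, "alice", response)   # a sniffer replays the captured response
    _, _, wrong = chap_login(server, "alice", b"guess")

    return {
        "chap_correct_secret": accepted,
        "chap_wrong_secret": wrong,
        "chap_replay_rejected": not replayed,
        "pap_secret_visible_on_wire": secret in pap_on_wire("alice", secret),
        "chap_secret_visible_on_wire": secret in response,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The replay check is the part worth noticing: the server forgets a challenge the moment it is answered, so a response captured by a sniffer is useless a second time, whereas the PAP request carries the password itself and can be reused directly.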

PAP vs CHAP. PAP:
- Sends credentials in cleartext during transmission
- Its use has decreased because it does not provide a high level of security
- Supported by most network access servers (NASs)
CHAP:
- Used in the same situations as PAP but provides a higher degree of security
- Authenticates using a challenge/response method
- Used by remote users, routers and NASs to provide authentication before connectivity is granted

Extensible Authentication Protocol (EAP). An authentication framework which supports multiple authentication mechanisms. Used for PPP and IEEE 802.1X connections.

Extensible Authentication Protocol (EAP). EAP supports authentication schemes such as:
- Generic Token Card; an example is SecurID, a hardware token card product (or software emulation thereof) produced by RSA Security and used for end-user authentication.
- One-Time Password (OTP).
- MD5-Challenge, which uses MD5 (Message-Digest algorithm 5), a widely used but insecure cryptographic hash function with a 128-bit output.
- Transport Layer Security (TLS) for smart card and digital certificate-based authentication.

Extensible Authentication Protocol (EAP). Authentication process: the peers negotiate to perform EAP during the connection authentication phase. When that phase is reached, the peers negotiate the use of a specific EAP method. (https://www.microsoft.com/technet/network/eap/eap.mspx) After negotiation, the client and server exchange authentication messages, which consist of requests and responses, until the server signals success or failure.

Extensible Authentication Protocol (EAP) EAP Authentication Process (https://www.microsoft.com/technet/network/eap/eap.mspx)

Conclusion

Remote Access Guidelines
- Users should be identified and authenticated.
- Utilize a strong level of security for authentication and authorization.
- Users' activities should be audited to ensure no malicious activity is taking place.
- Users' privileges should be reviewed periodically.
- Security policies should be presented and available to all remote users.

References
- http://www.uniforum.chi.il.us/slides/baker-vpn/vpn.ppt
- https://www.microsoft.com/technet/network/eap/eap.mspx
- CISSP Certification All-in-One Exam Guide.
- http://lylebeckportfolio.com/vpn.htm