
VPN Unit - Notes

This document provides an overview of Virtual Private Networks (VPNs), detailing their purpose, components, and types, including site-to-site and client-to-site VPNs. It also differentiates between hardware and software VPNs, explains tunneling protocols like PPTP and L2TP, and discusses encryption standards such as DES, 3DES, and AES. Additionally, it covers hashing algorithms and their importance in securing information shared between parties.

Virtual Private Network (VPN)

Objectives
You should be able to do the following after completing this unit:
1. Describe the purpose of a VPN
2. Differentiate VPN components
3. Differentiate between hardware and software VPNs
4. Differentiate tunneling protocols
5. Distinguish encryption standards used by VPNs

• A Virtual Private Network (VPN) enables computers to
  – Communicate securely over insecure channels
  – Exchange private encrypted messages that others cannot decipher
  – Extend an organization's network

Why Establish a VPN?

• Business incentives driving VPN adoption
  – VPNs are cost-effective
  – VPNs provide a secure connection for remote users
    • Contractors
    • Traveling employees
    • Partners and suppliers

VPN Components
• VPN server or host
  – Configured to accept connections from clients
• VPN client or guest
  – Endpoints connecting to a VPN
• Tunnel
  – Connection through which data is sent
• VPN protocols
  – Sets of standardized communication settings
  – Used to encrypt data sent along the VPN
Types of VPNs
• Site-to-site VPN (gateway-to-gateway VPN): a connection set up between multiple networks. This could be a corporate network where multiple offices work in conjunction with each other, or a branch-office network with a central office and multiple branch locations.
• Client-to-site VPN (remote-access VPN): a temporary connection set up between two or more users and a central location. In most cases, a remote-access VPN is used to give each remote location access to a data center.
Hardware versus Software VPNs
• Hardware-based VPNs are typically physical devices that connect to an end-user device. When coupled with software installed on the server side within the main network, they encrypt communication between the two.
  – Connect one gateway to another
  – Routers at each network gateway encrypt and decrypt packets
  – VPN appliance
    • Designed to serve as a VPN endpoint
    • Joins multiple LANs
  – Benefits
    • Scalable
    • Better security
• Software-based VPNs encrypt data transmitted between the end-user device and the main network.
  – Integrated with firewalls
  – Appropriate when participating networks use different routers and firewalls
  – Benefits
    • More cost-effective
    • Offer maximum flexibility
• Combining VPN hardware with software adds layers of network security
• Points to consider when selecting a VPN
  – Compatibility
  – Scalability
  – Security
  – Cost
  – Vendor support
• Core set of VPN activities
  – Encapsulation
  – Encryption
  – Authentication
• Encapsulation
  – Encloses a packet within another that has a different IP source and destination
  – Protects the integrity of the data
Understanding Tunneling Protocols
A. Point-to-Point Tunneling Protocol (PPTP)
• Encrypts data that passes between the remote computer and the remote access server

B. Layer 2 Tunneling Protocol (L2TP)

L2TP uses IPsec encryption.
Internet Protocol Security (IPsec) is a suite of protocols that secures network communication across IP networks by encrypting all network traffic.
• More secure and widely supported
• Provides better security through IPsec
• IPsec enables L2TP to perform
  – Authentication
  – Encapsulation
  – Encryption
• Characteristics
  – Works at layer 3
  – Can encrypt an entire TCP/IP packet
  – Originally developed for use with IPv6
  – Provides authentication of source and destination computers
• IPsec uses the following protocols to secure IP network traffic:
  – Authentication Header (AH): this protocol provides data origin authentication, data integrity, and replay protection. However, AH does not provide data confidentiality, which means that all of your data is sent in the clear.

The Authentication Header protects data within the IP packet from tampering, that is, from anyone trying to change the contents of the packet sent from the server to the client. IPsec digitally signs the contents of the entire packet (including the payload) using an Authentication Header, thereby providing protection against replay attacks, spoofing, and tampering. While the Authentication Header protects data from tampering, it does not stop anyone from seeing it.

  – Encapsulating Security Payload (ESP): this protocol encrypts the payload of a data packet and provides authentication, replay protection, and integrity checking. It provides confidentiality through encryption of the packet.

  – Internet Key Exchange (IKE): the IKE protocol allows hosts at both ends of a VPN tunnel to encrypt and decrypt data packets using mutually agreed-upon keys/certificates and an agreed method of encryption.

IPsec can usually be configured to operate in one of the following two modes:

• Transport mode: used for end-to-end communication, for example between a host and a server. The data contents (IP payload) are protected, but anyone looking at the network traffic can see the traffic patterns. In transport mode, the sender and receiver themselves are responsible for performing the cryptographic operations such as encryption.
• Tunnel mode: encrypts the entire IP packet. It is usually used to encrypt traffic between two routers/gateways connected over the Internet via IPsec VPN tunnels. In tunnel mode, cryptographic operations such as encryption are handled by the gateways/routers at both ends of the tunnel, in addition to the sender and receiver.
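The practical difference between the two modes is what an on-path observer can read from the outer IP header. The Python sketch below is an added illustration, not part of the notes: it builds a constructed inner IPv4 packet between two made-up hosts and wraps it in transport and tunnel mode. The ESP processing step is a labelled stand-in marker rather than real encryption, and the gateway addresses are constructed.

```python
import socket
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50  # protocol number the outer header carries once ESP is applied

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of the header's 16-bit words (0 when valid)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options, TTL 64) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def observe(pkt: bytes) -> dict:
    """What anyone capturing the packet on the wire can read without a key."""
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "proto": f[6], "payload": pkt[20:]}

def stand_in_protect(data: bytes) -> bytes:
    """Constructed stand-in for ESP processing: a marker, NOT encryption."""
    return b"<ESP-protected:%d bytes>" % len(data)

def transport_mode(pkt: bytes) -> bytes:
    """Keep the original host-to-host header; protect only the IP payload."""
    seen = observe(pkt)
    return build_ipv4(seen["src"], seen["dst"], IPPROTO_ESP,
                      stand_in_protect(seen["payload"]))

def tunnel_mode(pkt: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Protect the whole inner packet, header included, behind a new
    gateway-to-gateway outer header (hides the inner hosts' addresses)."""
    return build_ipv4(gw_src, gw_dst, IPPROTO_ESP, stand_in_protect(pkt))

if __name__ == "__main__":
    # Constructed inner packet from host 10.0.1.7 to host 10.0.2.9.
    inner = build_ipv4("10.0.1.7", "10.0.2.9", IPPROTO_TCP, b"GET / HTTP/1.0\r\n")
    print("transport:", observe(transport_mode(inner)))
    print("tunnel:   ", observe(tunnel_mode(inner, "203.0.113.1", "198.51.100.1")))
```

In transport mode the observer still sees the real endpoints (10.0.1.7 to 10.0.2.9) with protocol 50; in tunnel mode only the two gateway addresses are visible and the inner header is inside the protected payload.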

Authentication Header in Tunnel and Transport Modes

Encapsulating Security Payload (ESP) in Tunnel and Transport Modes
• ESP in tunnel mode
  – Encrypts both the header and the data part of each packet
  – Data cannot pass through a firewall using NAT
• ESP in transport mode
  – Encrypts only the data portion of the packet
  – Data can pass through a firewall
• IPsec should be configured to work with transport mode

Encryption Standards Used by VPNs

1. Data Encryption Standard (DES): accepted as a standard of encryption in the 1970s, DES is no longer considered safe on its own. It encrypts just 56 bits of data at a time, and it was found to be easily broken not long after its introduction.

2. Triple Data Encryption Standard (3DES): the more modern 3DES is a version of the block cipher still used today. As its name implies, instead of using a single 56-bit key it uses three separate 56-bit keys for triple protection.

The drawback to 3DES is that it takes longer to encrypt data. Also, although the short blocks are encrypted three times, they can still be broken.

3. Advanced Encryption Standard (AES): AES is a symmetric-key cipher established in 2001 by the National Institute of Standards and Technology (NIST). It essentially represents the 'gold standard' of the contemporary VPN industry. Because it is the most secure of these encryption types, it is used by governments and security organizations as well as everyday businesses for classified communications.

AES differs from the other encryption types in that it encrypts data in a single block, instead of as individual bits of data. The block sizes determine the name of each kind of AES encryption:
• AES-128 encrypts blocks of 128 bits
• AES-192 encrypts blocks of 192 bits
• AES-256 encrypts blocks of 256 bits
In addition to having different block sizes, each method has a different number of rounds. These rounds are the processes that change a piece of plaintext data into encrypted data, or ciphertext. AES-128, for example, uses 10 rounds, and AES-256 uses 14 rounds.

Hashing Algorithms
Hashing is a one-way process: a hash value cannot be reverse engineered to recover the original plaintext. Hashing is used in encryption to secure the information shared between two parties. Passwords are transformed into hash values so that even if a security breach occurs, the PINs stay protected.
1. Message Digest algorithm, fifth version (MD5): MD5 creates 128-bit outputs. MD5 is considered weak and insecure; an attacker can easily use an MD5 collision to forge valid digital certificates. The most well-known example of this type of attack is when attackers forged a Microsoft Windows code-signing certificate and used it to sign the Flame malware.
2. SHA-1: this is the second version of the Secure Hash Algorithm standard, SHA-0 being the first. SHA-1 creates 160-bit outputs. SHA-1 is one of the main algorithms that began to replace MD5 after vulnerabilities were found, and it gained widespread use and acceptance. SHA-1 was designated a FIPS 140 compliant hashing algorithm.
3. SHA-2: this is actually a suite of hashing algorithms. The suite contains SHA-224, SHA-256, SHA-384, and SHA-512; each algorithm is named for the length of its output. SHA-2 algorithms are more secure than SHA-1, but SHA-2 has not gained widespread use.
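The Authentication Header described in the IPsec section (origin authentication, integrity and replay protection, but no confidentiality) is built from exactly this kind of hash, used as a keyed SHA-256 (HMAC) over the packet. The Python sketch below is an added illustration, not from the notes or from any IPsec implementation: its packet layout is simplified to a 4-byte sequence number, the cleartext payload and a full 32-byte integrity check value, and the shared key and window size are constructed values. The helper `digest_bits` reports the output lengths this section lists for MD5, SHA-1 and SHA-2.

```python
import hashlib
import hmac
import struct

ICV_LEN = 32  # full SHA-256 digest; real AH truncates the ICV (simplified here)

def digest_bits(name: str) -> int:
    """Output length in bits of a hashlib algorithm, e.g. md5 -> 128."""
    return hashlib.new(name).digest_size * 8

def ah_protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: seq + payload stay in the clear; HMAC-SHA256 ICV appended."""
    body = struct.pack("!I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def peek_payload(pkt: bytes) -> bytes:
    """An observer needs no key to read the payload: AH gives no confidentiality."""
    return pkt[4:-ICV_LEN]

class AhReceiver:
    """Receiver: rejects replayed/stale sequence numbers, then checks the ICV."""

    def __init__(self, key: bytes, window: int = 64):
        self.key, self.window = key, window
        self.highest = 0     # highest sequence number accepted so far
        self.seen = set()    # accepted sequence numbers still inside the window

    def accept(self, pkt: bytes):
        """Return (payload, 'ok') or (None, reason) for a rejected packet."""
        if len(pkt) < 4 + ICV_LEN:
            return None, "truncated"
        body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
        seq = struct.unpack("!I", body[:4])[0]
        # Anti-replay: a duplicate, or older than the window below the highest seen.
        if seq in self.seen or seq + self.window <= self.highest:
            return None, "replay"
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(icv, expected):   # constant-time comparison
            return None, "bad ICV"                   # tampered, forged or wrong key
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s + self.window > self.highest}
        return body[4:], "ok"
```

Replaying an accepted packet, changing one payload byte, or sending with a different key are all rejected, while the payload itself remains readable by anyone holding the bytes.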
