Thursday, July 24, 2008

Virtual Private Networking ( VPN )

What is VPN?
an insight for Linksys and Cisco

VPN stands for Virtual Private Network. A VPN connects the components of one LAN to another LAN. VPN accomplishes this by allowing the user to tunnel through the Internet or another public network using encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.

VPN is also the extension of a private network that encompasses encapsulated, encrypted, and authenticated links across shared or public networks. VPN connections can provide remote access and routed connections to private networks over the Internet.

A number of different protocols exist that each satisfy the key characteristics of a VPN. The most commonly recognized protocols are SOCKS, SSL, PPTP, IPSEC (often written as IPSec), and L2TP. For general VPN use the most important are IPSec, PPTP, and L2TP.

Internet Protocol Security (IPsec)

IPSec is the de facto standard for Virtual Private Networks and is a TCP/IP-based protocol.
IPSec is a way to authenticate and optionally encrypt IP packets. IPSec transport mode allows for authenticated and encrypted sessions between two nodes and can carry any kind of IP traffic (except multicast).
Most vendors have gone along with the inevitable and have moved towards emphasizing IPSec.

Introducing IPSec

IPSec is the long-term direction for secure networking. It provides a key line of defense against private network and Internet attacks, balancing security with ease of use.

IPSec has two goals:

1. To protect the contents of IP packets.
2. To provide a defense against network attacks through packet filtering and the enforcement of trusted communication.

Both goals are met through the use of cryptography-based protection services, security protocols, and dynamic key management. This foundation provides both the strength and flexibility to protect communications between private network computers, domains, sites, remote sites, extranets, and dial-up clients. It can even be used to block receipt or transmission of specific traffic types.

IPSec is based on an end-to-end security model, establishing trust and security from a source IP to a destination IP address. The IP address itself does not necessarily have to be considered an identity; rather, the system behind the IP address has an identity that is validated through an authentication process. The only computers that must know about the traffic being secured are the sending and receiving computers. Each computer handles security at its respective end, with the assumption that the medium over which the communication takes place is not secure. Any computers that only route data from source to destination are not required to support IPSec, unless firewall-type packet filtering or network address translation is being done between the two computers. This model allows IPSec to be successfully deployed for the following enterprise scenarios:

Local area network (LAN): client/server and peer-to-peer
Wide area network (WAN): router-to-router and gateway-to-gateway
Remote access: dial-up clients and Internet access from private networks

Typically both sides require IPSec configuration (called an IPSec policy), to set options and security settings that will allow two systems to agree on how to secure traffic between them.

Common use of the protocols:

PPTP - road warrior or remote workers, remote connection to your home, telecommuting

IPSec - office to office communication, branch office to head office communication

Point-to-Point Tunneling Protocol (PPTP)

You can access a private network through the Internet or other public network by using a virtual private network (VPN) connection with the Point-to-Point Tunneling Protocol (PPTP).

PPTP enables the secure transfer of data from a remote computer to a private server by creating a VPN across TCP/IP-based data networks. PPTP supports on-demand, multiprotocol, virtual private networking over public networks, such as the Internet.

Developed as an extension of the Point-to-Point Protocol (PPP), PPTP adds a new level of enhanced security and multiprotocol communications over the Internet. Specifically, by using the new Extensible Authentication Protocol (EAP), data transfer through a PPTP-enabled VPN is as secure as within a single LAN at a corporate site.

PPTP tunnels, or encapsulates, IP or IPX protocols inside of PPP datagrams. This means that you can remotely run programs that are dependent upon particular network protocols. The tunnel server performs all security checks and validations, and enables data encryption, which makes it much safer to send information over non-secure networks. You can also use PPTP in private LAN-to-LAN networking.

PPTP does not require a dial-up connection. It does, however, require IP connectivity between your computer and the server. If you are directly attached to an IP LAN and can reach a server, then you can establish a PPTP tunnel across the LAN. However, if you are creating a tunnel over the Internet, and your normal Internet access is a dial-up connection to an ISP, you must dial up your Internet connection before you can establish the tunnel.

PPTP (Point to Point Tunneling Protocol) is compatible with most network protocols and is characterized by being generally easy to set up. PPTP clients are built into many operating systems, with an abundance of third-party clients available.
PPTP uses GRE, generic routing encapsulation. PPTP wraps IP packets in GRE packets before sending them down the tunnel.
PPTP is Point to Point Tunneling Protocol, an invention by a consortium including Microsoft. PPTP is a popular protocol because it is well-supported and documented, provides a good level of security, and generally is included with Microsoft operating systems, so there is no need to purchase third-party client software.

PPTP has been considered to be not very secure, but since version 2 many of the security issues have been addressed. PPTP is "good enough" for most purposes as long as a sensible password is chosen - one not easily guessed. IPSec is generally considered to be more secure and is the protocol of choice for particularly sensitive information. Many "road warriors" or remote workers are quite happy with PPTP because it is a lighter-weight protocol that is very simple to set up and use.

Layer Two Tunneling Protocol (L2TP)

You can access a private network through the Internet or other public network by using a virtual private network (VPN) connection with the Layer Two Tunneling Protocol (L2TP). L2TP is an industry-standard Internet tunneling protocol with roughly the same functionality as the Point-to-Point Tunneling Protocol (PPTP). The Windows XP implementation of L2TP is designed to run natively over IP networks. This implementation of L2TP does not support native tunneling over X.25, Frame Relay, or ATM networks.

Based on the Layer Two Forwarding (L2F) and Point-to-Point Tunneling Protocol (PPTP) specifications, you can use L2TP to set up tunnels across intervening networks. Like PPTP, L2TP encapsulates Point-to-Point Protocol (PPP) frames, which then encapsulate IP or IPX protocols, allowing users to remotely run programs that are dependent on specific network protocols.

With L2TP, the computer running Windows 2000 Server that you are logging on to performs all security checks and validations. It also enables data encryption, which makes it much safer to send information over non-secure networks. By using the new Internet Protocol security (IPSec) authentication and encryption protocol, data transfer through an L2TP-enabled VPN is as secure as within a single LAN at a corporate site.

Secure Sockets Layer (SSL)

SSL is a proposed open standard for establishing a secure communications channel to prevent the interception of critical information, such as credit card numbers. Primarily, it enables secure electronic financial transactions on the World Wide Web, although it is designed to work on other Internet services as well.

SSL, working only with TCP/IP protocols, is the primary protocol for secure connections from web browsers to web servers, usually for secure credit card connections or for sensitive data. SSL requires a valid site certificate issued from an authorized certificate authority.

SOCKS

SOCKS is a VPN protocol that operates at a higher network layer than the others, which typically operate at layer two or three. Functioning at a higher level allows network administrators to limit VPN traffic to certain applications, but it is generally considered to be a market failure due to the requirement to be specially compiled into systems and applications. Suitable for Unix/Linux use but out of popular favour for common desktop systems.

Protocol numbers and ports

IP protocol 50 - IPsec
IP protocol 47 - PPTP GRE packets
Port 1723 - ISAKMP

Port 1701 - L2TP/IPsec
Port 4500 - L2TP/IPsec
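The numbers above are what a firewall administrator sees in logs, so a practical use of them is to spot which VPN protocols are actually crossing a perimeter. The script below is an added example, not part of the original post: it classifies constructed firewall log lines (the key=value format is an assumption for this example) by IP protocol number or destination port. It uses the IANA assignments as I know them, so it maps TCP 1723 to the PPTP control channel and ISAKMP/IKE to UDP 500, and treats UDP 4500 as IPsec NAT traversal, which is what carries L2TP/IPsec through NAT.

```python
import re
from collections import Counter

# Constructed sample firewall log lines (not from the page); the
# "ts action proto=... src=... dst=..." layout is an assumption for this example.
SAMPLE_LOG = """\
2008-07-24 09:12:01 ALLOW proto=50 src=198.51.100.7 dst=203.0.113.5
2008-07-24 09:12:01 ALLOW proto=udp src=198.51.100.7:500 dst=203.0.113.5:500
2008-07-24 09:12:03 ALLOW proto=udp src=198.51.100.7:4500 dst=203.0.113.5:4500
2008-07-24 09:15:40 ALLOW proto=udp src=192.0.2.9:1701 dst=203.0.113.5:1701
2008-07-24 09:20:12 ALLOW proto=tcp src=192.0.2.33:49152 dst=203.0.113.6:1723
2008-07-24 09:20:13 ALLOW proto=47 src=192.0.2.33 dst=203.0.113.6
2008-07-24 09:21:00 DENY proto=tcp src=192.0.2.33:49153 dst=203.0.113.6:443
"""

# IP protocol numbers carried in the IP header (these are not ports).
IP_PROTOCOLS = {
    50: "IPsec ESP",
    47: "GRE (PPTP data)",
}

# Transport ports. TCP 1723 is the PPTP control channel; ISAKMP/IKE runs on
# UDP 500 (the list above labels 1723 as ISAKMP). UDP 4500 is IPsec NAT-T.
PORTS = {
    ("udp", 500): "ISAKMP/IKE",
    ("udp", 4500): "IPsec NAT-T (L2TP/IPsec)",
    ("udp", 1701): "L2TP",
    ("tcp", 1723): "PPTP control",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"dst=(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def classify_line(line: str):
    """Return the VPN protocol a log line belongs to, or None if it is not VPN traffic."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto = m.group("proto").lower()
    if proto.isdigit():                      # raw IP protocol number (ESP, GRE)
        return IP_PROTOCOLS.get(int(proto))
    dport = m.group("dport")
    if dport is None:
        return None
    return PORTS.get((proto, int(dport)))    # TCP/UDP: look at the destination port


def summarize(log_text: str) -> Counter:
    """Count VPN-related lines per protocol; non-VPN lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        label = classify_line(line)
        if label:
            counts[label] += 1
    return counts


if __name__ == "__main__":
    for label, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {label}")
```

Run against a real export, the summary tells you quickly whether, say, PPTP control sessions are still being accepted after a policy said they should not be.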

Hash
A fixed-size result that is obtained by applying a one-way mathematical function (sometimes called a hash algorithm) to an arbitrary amount of data. If there is a change in the input data, the hash changes. The hash can be used in many operations, including authentication and digital signing. A hash is also called a message digest.

Hash Algorithm
An algorithm used to produce a hash value of some piece of data, such as a message or session key. A good hash algorithm has the property that changes in the input data can change every bit in the resulting hash value; for this reason, hashes are useful in detecting any modification in a large data object, such as a message. Furthermore, a good hash algorithm makes it computationally infeasible to construct two independent inputs that have the same hash. Typical hash algorithms include MD2, MD4, MD5, and SHA-1. A hash algorithm is also called a hash function.
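The "every bit can change" property is easy to see in practice. The following is an added example (not from the original post) that flips a single bit of an input and counts how many bits of the MD5 and SHA-1 digests change; the input string and the digest sizes come from Python's hashlib, and for a good hash roughly half the output bits flip.

```python
import hashlib


def digest_bits(algorithm: str, data: bytes) -> int:
    """Digest of `data` as an integer so its bits can be compared."""
    return int.from_bytes(hashlib.new(algorithm, data).digest(), "big")


def digest_size_bits(algorithm: str) -> int:
    """Output size in bits: 128 for MD5, 160 for SHA-1."""
    return hashlib.new(algorithm).digest_size * 8


def flip_one_bit(data: bytes, bit_index: int = 0) -> bytes:
    """Return a copy of `data` with exactly one bit flipped (bit 0 of byte 0 by default)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def bits_changed(algorithm: str, data: bytes) -> int:
    """How many digest bits differ after a one-bit change to the input."""
    before = digest_bits(algorithm, data)
    after = digest_bits(algorithm, flip_one_bit(data))
    return bin(before ^ after).count("1")


def avalanche_report(data: bytes = b"The quick brown fox") -> dict:
    """Fraction of digest bits changed by a one-bit input change, per algorithm."""
    return {alg: bits_changed(alg, data) / digest_size_bits(alg)
            for alg in ("md5", "sha1")}


if __name__ == "__main__":
    for alg, frac in avalanche_report().items():
        print(f"{alg}: {frac:.0%} of digest bits changed after flipping one input bit")
```

Because the fraction sits near 50% regardless of how small the change is, a modified message cannot be tuned to leave its digest untouched, which is what makes the digest useful as an integrity check.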

Message Digest-5 (MD5)
A hashing scheme is a method for transforming data (for example, a password) in such a way that the result is unique and cannot be changed back to its original form. The CHAP authentication protocol uses challenge-response with one-way MD5 (128-bit hashing scheme) hashing on the response. In this way, you can prove to the server that you know your password without actually sending the password over the network.
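The CHAP exchange described above can be written out end to end. This is an added example, not code from the original post: the server issues a random challenge, the client answers with MD5(identifier || secret || challenge) as RFC 1994 specifies, and the server recomputes the same value from its own copy of the secret. The shared secret and the user name are constructed sample values; the secret itself never crosses the wire, and each challenge is accepted only once, so a captured response cannot simply be replayed.

```python
import hashlib
import hmac
import os

# Constructed sample secret shared by both peers (not a real credential).
SECRET = b"correct horse battery staple"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: response = MD5(identifier || secret || challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side: issues fresh challenges and verifies responses."""

    def __init__(self, secrets: dict):
        self._secrets = secrets      # user name -> shared secret
        self._pending = {}           # identifier -> outstanding challenge
        self._next_id = 0

    def challenge(self, size: int = 16) -> tuple:
        """Start an exchange: return (identifier, random challenge value)."""
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256
        value = os.urandom(size)     # unpredictable, so old responses are useless
        self._pending[ident] = value
        return ident, value

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        """Check a response; the challenge is consumed whether or not it matches."""
        chal = self._pending.pop(ident, None)
        secret = self._secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time compare


def run_exchange(server: ChapServer, name: str, client_secret: bytes) -> bool:
    """Client side of one exchange: receive (id, challenge), send (id, name, hash)."""
    ident, chal = server.challenge()
    response = chap_response(ident, client_secret, chal)
    return server.verify(ident, name, response)


if __name__ == "__main__":
    server = ChapServer({"alice": SECRET})
    print("correct secret:", run_exchange(server, "alice", SECRET))
    print("wrong secret:  ", run_exchange(server, "alice", b"guess"))
```

Note what the server stores: the plaintext secret, because MD5 over the concatenation needs it. That is the trade-off CHAP makes to keep the password off the wire.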

Secure Hash Algorithm (SHA-1)
A message digest hash algorithm that generates a 160-bit hash value. SHA-1 is used with the Digital Signature Algorithm (DSA) in the Digital Signature Standard (DSS), among other places.

Data Encryption Standard (DES)
IPSec uses the Data Encryption Standard (DES) to provide confidentiality (data encryption). IPSec enables the ability to frequently regenerate keys during a communication. This prevents the entire data set from being compromised if one DES key is broken.

DES is a block cipher that uses a 56-bit key. A block cipher is an encryption algorithm that operates on a fixed size block of data. DES encrypts data in 64-bit blocks using a 64-bit key. The key appears to be a 64-bit key, but one bit in each of the 8 bytes is used for error checking, resulting in 56 bits of usable key.
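The parity bits are concrete enough to show in code. The block below is an added example, not from the original post: it checks and sets the odd-parity bit in each byte of an 8-byte DES key and extracts the 56 bits the cipher actually uses, so two keys that differ only in their parity bits come out as the same effective key. The two sample keys are constructed for the example.

```python
def _popcount(b: int) -> int:
    return bin(b).count("1")


def has_odd_parity(key: bytes) -> bool:
    """True if every byte of an 8-byte DES key has an odd number of 1 bits."""
    return len(key) == 8 and all(_popcount(b) % 2 == 1 for b in key)


def set_odd_parity(key: bytes) -> bytes:
    """Adjust the low bit of each byte so that every byte has odd parity."""
    if len(key) != 8:
        raise ValueError("DES key must be 8 bytes")
    out = bytearray()
    for b in key:
        if _popcount(b) % 2 == 0:
            b ^= 1              # the least significant bit is the parity bit
        out.append(b)
    return bytes(out)


def effective_key(key: bytes) -> int:
    """The 56 key bits DES really uses: the high 7 bits of each of the 8 bytes."""
    if len(key) != 8:
        raise ValueError("DES key must be 8 bytes")
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value


# Constructed example keys: KEY_B is KEY_A with every parity bit cleared.
KEY_A = bytes.fromhex("0123456789abcdef")
KEY_B = bytes.fromhex("0022446688aaccee")


if __name__ == "__main__":
    print("KEY_A parity ok:", has_odd_parity(KEY_A))
    print("KEY_B parity ok:", has_odd_parity(KEY_B))
    print("same 56-bit key:", effective_key(KEY_A) == effective_key(KEY_B))
```

An implementation that rejects bad parity (as some do) will refuse KEY_B while accepting KEY_A, even though they drive the cipher identically; an implementation that ignores parity will treat them as one key. Either way, the key space is 2^56, not 2^64.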

Cipher block chaining (CBC) is also used to hide patterns of identical blocks of data within a packet. An initialization vector (an initial random number) is used as the first random block to encrypt and decrypt a block of data. Different random blocks are used in conjunction with the secret key to encrypt each successive block. This ensures that identical sets of unsecured data (plaintext) result in unique, encrypted data blocks. DES is used when the high security and overhead of 3DES are not necessary.

Triple Data Encryption Standard (3DES)
Used when high security is required. 3DES processes each block three times, using a unique 56-bit key each time:
Encryption on the block with key 1
Decryption on the block with key 2
Encryption on the block with key 3
This process is reversed if the computer is decrypting a packet.
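The two ideas in the DES and 3DES paragraphs above (CBC chaining hiding repeated blocks, and the encrypt-decrypt-encrypt order with three keys being undone in reverse) are shown together in the added example below, which is not code from the original post. Python's standard library has no DES, so the 64-bit block cipher here is a stand-in: a small keyed Feistel network whose round function is HMAC-SHA256, which is a bijection on 8-byte blocks but is not DES and must not be used as a real cipher. The keys, IV and plaintext are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 8            # 64-bit blocks, the DES block size
HALF = BLOCK // 2
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed round function standing in for DES's f(): HMAC-SHA256, truncated to a half block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 64-bit Feistel cipher (a stand-in for DES, not DES itself)."""
    l, r = block[:HALF], block[HALF:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round_fn(key, r, i))
    return r + l                                 # final swap makes decryption symmetric


def decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for i in reversed(range(ROUNDS)):            # same rounds, reversed order
        l, r = r, _xor(l, _round_fn(key, r, i))
    return r + l


def ede_encrypt_block(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    """3DES-style EDE: encrypt with key 1, decrypt with key 2, encrypt with key 3."""
    return encrypt_block(k3, decrypt_block(k2, encrypt_block(k1, block)))


def ede_decrypt_block(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    """The reverse: decrypt with key 3, encrypt with key 2, decrypt with key 1."""
    return decrypt_block(k1, encrypt_block(k2, decrypt_block(k3, block)))


def _blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of 64-bit blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(enc, plaintext: bytes) -> bytes:
    """No chaining: identical plaintext blocks give identical ciphertext blocks."""
    return b"".join(enc(p) for p in _blocks(plaintext))


def cbc_encrypt(enc, iv: bytes, plaintext: bytes) -> bytes:
    """Each plaintext block is XORed with the previous ciphertext block (the IV first)."""
    prev, out = iv, []
    for p in _blocks(plaintext):
        prev = enc(_xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(dec, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, []
    for c in _blocks(ciphertext):
        out.append(_xor(dec(c), prev))
        prev = c
    return b"".join(out)


def distinct_blocks(data: bytes) -> int:
    return len(set(_blocks(data)))


# Constructed keys, IV and plaintext (fixed so the run is repeatable; use random ones in practice).
K1, K2, K3 = b"key-one-", b"key-two-", b"key-three"
IV = bytes(range(BLOCK))
PLAINTEXT = b"ATTACK!!" * 4          # four identical 64-bit blocks


def enc3(block: bytes) -> bytes:
    return ede_encrypt_block(K1, K2, K3, block)


def dec3(block: bytes) -> bytes:
    return ede_decrypt_block(K1, K2, K3, block)


def demo() -> dict:
    ecb = ecb_encrypt(enc3, PLAINTEXT)
    cbc = cbc_encrypt(enc3, IV, PLAINTEXT)
    return {
        "ecb_distinct": distinct_blocks(ecb),    # 1: the repetition leaks through
        "cbc_distinct": distinct_blocks(cbc),    # 4: chaining hides it
        "cbc_roundtrip": cbc_decrypt(dec3, IV, cbc) == PLAINTEXT,
    }


if __name__ == "__main__":
    print(demo())
```

With ECB the four identical plaintext blocks produce one repeated ciphertext block, so an observer sees the structure without breaking the cipher; with CBC each block is mixed with the previous ciphertext and all four differ. Swapping the inner decrypt for an encrypt would make the triple construction just as valid, but EDE with k1 = k2 = k3 collapses to a single DES, which is why the EDE order was chosen for compatibility.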


sherliez said...

This is so tech-ee! This article is really helpful :)

voodoomox said...

Thanks sherliez, expect more tech-ee stuff to come; I will include my blog during Cisco review.