Virtual Private Network (VPN)

School of Computer Sciences Universiti Sains Malaysia Pulau Pinang

Information Security & Assurance

Assignment 2 White Paper Virtual Private Network (VPN)

By Lim Teck Boon (107593)

Page | 1

Virtual Private Network (VPN)

Table of Content
Introduction What is Virtual Private Network (VPN) Why VPN Categories of VPN VPN Topology Type of VPN Internet Protocol Security (IPsec) Two Modes in IPsec Risk and Limitation of VPN Conclusion References 3 3 4 5 7 8 12 15 17 18 18

Page | 2

Virtual Private Network (VPN)

Introduction
In this new high technology digital world, the usage of internet is increase rapidly. A lot of data or information may obtain from the internet. However, there is a problem for the usage of internet. That is the privacy. Data or information may be stealing or attacked by hacker in the process of transmission. There are various ways to protect our data. One of the examples is by using Virtual Private Network (VPN). VPN is a secure and private network connection between the system that use the data communication capability of an unsecured and public network.

What is Virtual Private Network (VPN)

Virtual mean in a different state of being or mean not real. In a VPN, private communication between two devices is achieved through a public network but the communication is virtually. Private mean that to keep the information or the communication between two users in secret. Network is a medium which consist of two or more devices which can communicate with each other via cable or wire. Therefore, a VPN is a secure and private network connection between the system that use the data communication capability of an unsecured and public network. In other word, VPN is a communications environment where the access is controlled to perform peer connections only within a trusted network and is constructed through some of the common underlying communication medium with the aim to maintaining privacy through the use of tunneling protocol and security procedures. [1]

Page | 3

Virtual Private Network (VPN)

VPN are commonly used to extend the intranets worldwide to disseminate information and news to a wide user base. There are three types of VPN which are Trusted VPN, Secure VPN and Hybrid VPN. Besides that, there are two mode of VPN which are Tunnel Mode and the Transport Mode.

Why VPN?
When we talk about Virtual Private Network (VPN), the key word private is the main issues. VPN is the best technology in the recent time to protect our data as it completely secures our data through military grade encryption in the transmission of important data. It creates a tunnel for the transmission and therefore not outsiders are allowed to view the data except the receiver. Hence, it is secure and privacy is protected. Besides that, VPN services will conceal the real IP and replace it with one of the IP of the services provider. In doing so, the connection or internet activity is anonymous and therefore prevent the attack from attacker or hacker to tracking your IP address. In addition, information transfer through public Wi-Fi is unsecure. There are a sentences that saying using Public Wi-Fi is like you are walking naked on the road but you dont want anyone to see you naked. The uses of VPN will ensure the public Wi-Fi connection in a secure mode. VPN will form tunnel around the connection that cannot be intercepted by any hacker or attacker. [2]

Page | 4

Virtual Private Network (VPN)

Categories of VPN
There are three main categories of VPN which are Trusted VPN, Secure VPN and Hybrid VPN.

Trusted VPN
Trusted VPN uses leased circuit from services provider and conducts packet switching over there leased circuit. The privacy afforded by Trusted VPN or also known as legacy VPN was only the communications provider assured the customer that no one else would use the same circuit. This allows customer who use it to have its own IP addressing and their own security policies. In addition, the VPN customer trusted the VPN services provider to maintain the integrity of the circuits and to use the best available business practices to avoid snooping of the network traffic. [1][5]

Secure VPN
Secure VPN are the network or the communication environment is constructed using encryption. It use security protocol and encrypt traffic transmitted across the communication network. Secure VPN will encrypt the traffic or data at the edge of one network or the sender and moved over the internet like any other data. Data will decrypt when it reached the receiver. This encrypt traffic will act like a secure

Page | 5

Virtual Private Network (VPN)

tunnel between the two network (sender and receiver). Even if there are any attacker can see the traffic, they cannot read it or change the direction of the traffic. Hence the communication is secure. [1][5]

Hybrid VPN
A Secure VPN can be run as a part of a Trusted VPN as well and this created the third type of VPN in the market which is Hybrid VPN. Hybrid VPN is the VPN that combine the characteristic of the two VPN discussed before which are Trusted VPN and Secure VPN. It provides the encrypted traffic or transmissions as in the Secure VPN over the entire Trusted VPN network. The secure part of the Hybrid VPN might be controlled by the customer or by the VPN services provider that provide Trusted VPN. [1][5]

Page | 6

Virtual Private Network (VPN)

VPN Topology
In this section, we will discuss about how a VPN work. To begin using VPN, first we may need an internet connection which can be leashed from an Internet Services Provider (ISP). Then a specially designed router or switch is needed for each Internet access circuit to provide access from the origin network to the VPN. A virtual circuit that resembles a leashed line is created through tunnels which allow the sender to encrypt their data in an IP packet that hide the underlying routing and switching infrastructure of the internet from both the senders and receiver is created. This circuit is known as Permanent Virtual Circuit (PVCs). The sender devices will then take the outgoing packet and encapsulates it to move through the VPN tunnel across the Internet to the receiver. This transmission of packet form the sender to the receiver is transparent to both of the sender and the receiver and even transparent to the ISP and the whole internet user. When it reached to the receiver, the receiver will strip off the VPN frame and deliver the original packet to the destination network. [3] Figure 1 show the two networks connected over an intranet.

Figure 1 VPN of two networks connected over an intranet.

[3]

Page | 7

Virtual Private Network (VPN)

Types of VPN
VPN are traditionally used for the three main purposes: Intranets, Remote Access and Extranets.

Intranet VPN
Intranets are used for the connection within an organization. The connection normally is created between the headquarters offices and its branch office. VPN is created within this location to protect the information of the organization from being stolen or attacked by any outsider. The connection within this organization is often used for some e-mail or file sharing. Intranet provides a virtual circuit between the organizations over the Internet. Figure 2 show the intranet VPN within organizations. The advantage of using Intranet VPN is it will reduce the WAN bandwidth cost of the organization. Intranet VPN allow the organization to use the WAN bandwidth efficiency and hence congestion avoidance with the use of bandwidth management traffic shaping. [3][5]

Page | 8

Virtual Private Network (VPN)

Figure 2 Intranet VPN

[3]

Remote Access VPN

Remote Access through VPN enables telecommuters and mobile workers to access email and business application. Although a dial-up connection enable the user to do so, but the cost for the dial-up connection is much higher than the Remote Access VPN. Remote Access VPN enable the mobile worker to connect to the local internet connection and the set up a secure IPsec-based BPN communication to their organization. The user connect to a local ISP that support VPN using plain old line (DSL) or etc. the VPN devices at the ISP accept the users login and then will establishes the tunnel to the VPN device at the organizations office. Then the tunnel will beginning forward packet over the Internet. The advantage of using Remote Access VPN is it will reduce the capital cost associated with connection if using dial-up connection as discuss before. Besides that, these techniques allow the organization to add new user easily and have a
Page | 9

Virtual Private Network (VPN)

greater scalability. Figure 3 show the Remote Access VPN implemented in an organization. [3][5]

Figure 3 Remote Accesses VPN[3]

There are two types of Access VPS which are Client-Initiated VPN and NAS-Initiated Access VPN. In the Client-Initiated VPN, the business operation initiate the VPN task by manage the client software to initiate the tunnel. This also ensures end-to-end security between the client and the host. Besides that, the client software will also be installed at the remote site which can terminate into a firewall for termination into the corporate network. The biggest advantage of this type of VPN is the service provider access network used for dialing to the point of presence is much more secured. In a NAS-Initiated VPN, the client software element is eliminated. The remote access user starts the connection by dialing to the services provider and obtains the
Page | 10

Virtual Private Network (VPN)

authentication from the services provider and in turn, initiates a secure, encrypted tunnel to the corporate network. This will then eliminated the client software issue and hence reduce the client management burden associated with the remote access VPN. In the other word, there is no end user client software for the corporate to maintain.

Extranet VPN
Extranet are secure connection between two or more organization. Due to the connection cost, time delays and access availability, IPsec-based VPN are ideal for extranet connection that connects two organizations. The concept of setting up an extranet VPN is similar to the intranet VPN. The only different is the user which is within an organization and one is between two or more organization. Figure 4 show the implementation of an Extranet VPN. [3][5]

Figure 4 Extranet VPN[3]

Page | 11

Virtual Private Network (VPN)

Internet Protocol Security (IPsec)

IPsec is a set of protocol developed by the IETF to support the exchange of secure packet or to protect the communication at the IP layer. It is also a standard suite of protocol that provides data integrity, confidentiality and authentication along the transmission of data between the communication points in the IP network. IPsec is then deployed widely and contribute in the implementation of VPN. [5] There are three main components in IPsec which are Encapsulating Security Payload (ESP), Authentication Header (AH) and Internet Key Exchange (IKE).

Encapsulating Security Payload (ESP)

Encapsulating Security Payload (ESP) provide the authentication, integrity and confidentiality of data. It protects the data and provides message content protection. Besides that, ESP also provides the encryption services in IPsec. First, ESP will translate the message into some secret code or unreadable message with the aim that to hide the content of the message. This will prevent the unauthorized user from viewing the content of the message. ESP will also provide ESP authentication which will provide authentication for the payload and not the IP header. The ESP header is inserted into the package. Due to the encryption done by ESP, the payload changed. [5]
Page | 12

Virtual Private Network (VPN)

Figure 5 show the example of a packet of ESP.

Figure 5 Packet with IPsec Encapsulated Security Payload[5]

Authentication Header (AH)

Authentication Header (AH) provides the same authentication and integrity like ESP. Besides that, AH also provides optional anti-replay protection which is a services that protect against the retransmission of packet of unauthorized user. However, AH does not protect the data confidentiality. This means that the identity of the sender and the receiver can be known and the content of the message can be viewed. Therefore, to increase the security of data, both ESP and AH can be used at the same time. Figure 6 show the example of packet of AH. [5]

Page | 13

Virtual Private Network (VPN)

Figure 6 Packets with IPsec Authentication Header [5]

Internet Key Exchange (IKE)

Internet Key Exchange (IKE) provides the key management and the Security Association (SA). IPsec introduce the concept of SA which is a connection between two devices. An SA provides a data protection for the traffic between two devices. In addition, SA also enables an enterprise to control the usage of resources that may communicate securely. Hence, multiple SA is set up to enable multiple secure VPN. [5]

Page | 14

Virtual Private Network (VPN)

Two Modes in IPsec

There are two modes in IPsec which are the Transport Mode and the Tunnel Mode.

Transport Mode
In transport mode, the data is encrypted except the header information. Therefore, the IP packet can directly to be transmitting to the remote host by create a secure link between the sender and the receiver. The content of the packet is encrypted and protected. Transport mode VPN eliminates the need for special servers and tunneling software. Since the header of the packet is not encrypted in Transport mode, the destination of the packet may be known. Figure 7 show the package in Transport Mode. [1][6]

Figure 7 Packets in Transport Mode

[6]

Transport Mode is normally to be used in the end-to-end transport of encrypted data. Figure 8 show the Transport Mode VPN

Page | 15

Virtual Private Network (VPN)

Figure 8 Transport Mode VPN

[1]

Tunnel Mode
In Tunnel Mode, the entire packet is encrypted and protected. The original IP packet with its header or destination address is inserted into a new IP packet. ESP and AH are then applied to the new packet. It will then establish two perimeter tunnel server and the new IP header is pointed to the end point of the tunnel. Once the packet reach the destination point, the end point of the tunnel will then decrypt the packet. The advantage of using tunnel mode is the entire packet is protected and secure. The sender and the receiver location are not viewed by attacker. Figure 9 show the packet in Tunnel Mode. [1][6]

Figure 9 Packets in Tunnel Mode[6]

Figure 10 show the Tunnel Mode VPN

Page | 16

Virtual Private Network (VPN)

Figure 10 Tunnel Mode VPN

[1]

Risk and Limitation of VPN

Although there are lot of benefit in using VPN to provide a secure connection between the sender and the receiver, there are some limitation and risk for using VPN. The first limitation and risk is the general attack from hacker. The client of VPN may become the target of an attack. Those attacks are like VPN hijacking or man-inthe-middle attack. Besides that, if the authentication of the VPN is not strong enough to restrict those unauthorized user, this could be vulnerable to the unauthorized third party to access to the connection between the VPN users. This is due to the default VPN setting like PAP used in PPTP which transport both of the user name and password in a clear text without any encryption. The third party then could capture this information and use it to gain access to the connected network. In addition, a client machine in VPN network sometime will also be shared with some third party users which are not aware of the security implementation. They may use the machine to connect to other network like wireless LAN in hotel or restaurant.
Page | 17

Virtual Private Network (VPN)

This will then explore the vulnerability of the machine. If the client machine is compromised without the knowledge of the owner, and the owner connect his machine to the secure VPN network, finally this will poses a risk to the connecting network.

Conclusion
VPN is an emerging technology that has come a long way. VPNs technology is still developing, and this is a great advantage to businesses, which need to have technology that is able to scale and grow along with them. With VPN businesses now have alternative benefits to offer to their employees, employees can work from home, take care of children while still doing productive, and have access work related information at any time. In conclusion, VPN did contribute to the security field and protect the communication between two networks.

Page | 18

Virtual Private Network (VPN)

References
1. Michael E. Whitman, Herbert J. Mattord: Principles of Information Security, 2nd Edition, Thomson Course Technology, 2005 2. 5 reason VPN is a must taken from http://www.bestvpnservice.com/blog/5reasons-why-use-a-vpn 3. Virtual Private Network by Germaine Bacon, Lizzi Beduya, Jun Mitsuka, Betty Huang, Juliet Polintan in November 19, 2002 4. Virtual Private Network Architecture by T. Braun, M. Gnter, M. Kasumi, I. Khalil

5. 1Introduction to VPN VPN Concepts, Tips, and Techniques Version 1.0, July 2003
6. VPN SECURITY February 2008 by The Government of the Hong Kong

Special Administrative Region

7. What is a VPN? by Paul Ferguson, Geoff Huston published on April 1998

Page | 19