VIRTUAL PRIVATE NETWORKS

 

“VIRTUAL PRIVATE NETWORKS (VPN)”

Introduction

            I.      UNDERSTANDING VPN AND THE NEED FOR SECURITY IN VPN    

1.    Purpose Of VPN Security                 

2.    Motivation For Using VPNS           

3.    Concerns                                       

         II.      POTENTIAL VULNERABILITIES OF VPNS           

1.    Explaining Network Vulnerabilities                  

2.    Common Network Vulnerabilities And Flaws  

     III.      SECURITY MECHANISMS IN VPNS                   

1.    Basic Security Measures                             

2.    Advanced Security Measures                     

Conclusion           

Introduction

Data communication via networks increased to such an extent that we are now in the “Information Age”. As a result, information has become the raw material of our society. In this game, networks security continually attracts the attention of the entire world due to the high sensitivity of information. Thus the most daunting challenge is to keep data safe and secure while being available anytime-anywhere for remote users. Hence the adoption of mechanisms such as Virtual Private Networks: a secure point-to-point connection between two private networks or between two networks devices that uses a public networks instead of a private communication channel as a backbone for data transmission. However many security threats and breaches are still observed. Then the issue of “Security in VPNs” rises. Does VPN offer a complete end-to-end security? In fact, first, what are the securities flaws undermining VPNs? Second, what are the measures susceptible to mitigate the risks? Better what are the security mechanisms used to enforce security in VPNs? Before all, we shall understand the need for security in VPNs.

            I.      Understanding the need for security in vpn

1.     Purpose of vpn security.

 When you attempt to access information from outside the corporate firewall, there is a security exposure that does not exist when you log on from inside. That is where VPNs come in play. In fact VPNs are implemented to allow computers or networks to talk to each other over a transport media that is not secure. To achieve this goal VPNs use a computer at each of the two or more points on the various ends of the transport media such as the internet. Each point at the end of the transport media (internet) is called a Point Of Presence (POP). Therefore the firewall will be configured to allow only certain type of remote access.

Of course instead of a dedicated, physical, leased-line connection, VPNs indeed use public networks such as the internet, using virtual connections. Actually these virtual connections are called tunnels. Tunneling is the method used to route data. In this mode of transmission data packets are encrypted and then encapsulated with the IP address of the device that interfaces with the public network, usually a firewall.

1.     Motivation for using vpn.

Attractions of VPNs to organizations include:

• Due to shared facilities, may be cheaper, especially in Capital Expense (CAPEX) than traditional routed networks over dedicated facilities.
• Can rapidly link enterprise offices, as well as small-and-home-office and mobile workers.
• Allow customization of security and quality of service as needed for specific applications
• Especially when provider-provisioned on shared infrastructure, can scale to meet sudden demands.
• Reduce Operational Expense (OPEX) by outsourcing support and facilities.

Taking into account these advantages, virtual connection is widely adopted to carry out all kind of data. That is why VPN is an attractive target to hack. 

1.     concerns

Security issue is then the main concern in implementing VPNs. In fact VPNs must be designed and operated under well-thought-out security policies. Organizations using them must have clear and appropriate security rules. When access goes beyond traditional office facilities, where there may be no professional administrators, security must be maintained as transparently as possible to end users.

In sum, VPN is a tunnel designed to securely route data via publics networks allowing anytime-anywhere access. Due to the high sensitivity of the information carried they become a privileged target to hacker.  

         II.      Potential vulnerabilities of VPN.

1.     Explaining networks vulnerabilities.

Network vulnerabilities define how exposed an organization’s network and data are to security threats. For instance, an employee might disclose a user name or password over the phone or through e-mail to an imposter pretending to be one of the organization network security technicians. A network technician might forget to update a virus definition, leaving the network expose and open to an infiltration. A denial of service attack might crash a server, leaving all the information on the computer inaccessible.  Unauthorized employees might install rogue program that collect user names and password with the intent to disclose confidential information. At the very least, attackers, hackers, and unauthorized information seekers target organization’s information to leave their Personal Mark; that is called the “graffiti of the 21^st century”. In the most diabolical of security breaches valuable information is copied stolen, or severely damaged, leaving the information’s owners to undertake expensive and time-consuming recovery measures as well as implement reinforced security. At the worst, your valuable information can be sold to others entities, including corporations and persons, potentially negating its value to you causing you great expense to recover.
Although the following vulnerabilities are by no means comprehensive, they provide a good start toward building a list of some of the common flaws that can affect the security planning of an organization.

2.     Common network vulnerabilities and security flaws.
 

Ø  Social Engineering                                                                                   a method of exploiting the people components of a security equation rather than the hardware or software components to gain access to computer networks and valuable data. Example includes a phone call from individuals who pretend to be fellow employee while urgently and politely request your assistance. The request could be something like a user name and password to get login.

Ø   Eavesdropping And Data Interception                                                  Eavesdropping is the act to secretly listening in on voice and data communications channels. While Data Interception involves recording eavesdropped data without modifying the data in any way. One simplest method of eavesdropping is watching someone enter his user name and password. Remembering it is Data Interception. Currently eavesdropping method involved Keystrokes Loggers; programs that are delivered through e-mail viruses to track all user’s keystrokes and mouse movements. Spyware can be used as data-recording service.

Ø  Denial of Service Attack
an attack in which hackers disrupt the normal flow of the network and business activity by bombarding an organization’s network with specific patterns or types of traffic design to harm or halt network and business functions or data flow. Common DoS attacks are: Ping Storms (flood a service-providing computer with a barrage of ping commands. The volume of incoming pings prevents the computer from responding to other legitimate requests) then, Spoofing (attempts to gain unauthorized access by utilizing one of the legitimate IP addresses on the network to trick other computer on your network into allowing access to network resources and information’s) and E-Mail Cluster Bomb(attackers flood a victim computer with e-mail messages so as to consume a computer resource)

Ø  Malicious Programs
In fact Malicious Programs such as worms represent another important security threats that can devastate your organization’s operations. They come in different forms and can be introduced through many different media. Internet is the pivotal channel in the spreading of Malicious Programs.

To resume, the capability of sending data is via network specially VPNs is easy. But taking into account all those vulnerabilities, efficient security measures are required to make VPN a much more complex subject to hack. By the way, in addition to tunneling technology, encryption and encapsulation VPN needs to provide some basics network security measures.

            I.      Security mechanisms in VPNs.

1.     Basic security measures.

·   The first measure to take is to protect the users systems and the server with software capable of eliminating hacking tools and eliminate all potential viruses.

·   The second measure is Authentication. This process identifies a user when he accesses the network (network resources). Then the identity of a user is verified. So making sure the data is from where it is supposed to be from.

·   The third measure is Access Control. After the authentication, this process limits users’ right and privileges on network resources. So that only authorized users can gain access to some specifics resource.

·   The fourth measure is Users Education. By the way users should be trained on how to use efficiently and securely the VPNs. They are indeed the operators so they shall not disclose certain tremendous information susceptible to affect the network.

2.     Advanced security measures.

Typical VPNs utilizes encryption and encapsulation method to create a secure communication channel between two networks (or networking devices) in a mode of transmission known as tunneling. In tunnels, data packets are encrypted and then encapsulated with the IP address of the device that interfaces with the public network, generally a firewall. The encapsulation hides the IP address of the true source from any would-be internet snooping sleuths (this is the tunnel), while encryption scramble the data so that only the intended receiving device can decrypt and read the sender’s information. In another mode known as Transport Mode, only the data portion of each packet is encrypted; the source and destination IP address remain intact.  
This is an overview of encryption and tunneling technologies.                                                                                      

·   Encryption is the process of turning Plaintext or Cleartext, that is to say data in its original and readable character and numeric format, into scrambled information known as Ciphertext (encrypted cleartext). It is accomplished through software or hardware by applying an Encryption Key to an Encryption Algorithm (also known as cipher is the sequence of mathematical instruction that perform the encryption). In this context the more bits is the encryption key, the stronger is the encryption. The reverse of this process is Decryption.
There are Secret Key Encryption(symmetric encryption) using a single shared key along with an encryption algorithm at both ends of the communication channel to encrypt or decrypt data transmissions on the one hand, and Public Key Encryption (asymmetric encryption) using two encryption keys, a public key and a private key. The following are some encryption protocols: CIPE, SSL, IPSec
 

·   Recall that tunneling is a method of using an internetwork infrastructure to transfer data for one network over another network. Instead of sending packets (frames) as it is produced by the originating node, the tunneling protocols encapsulates the frames in an additional header that provides routing information so that the encapsulated transfer traverse the intermediate internetwork. For a tunnel to be established, both the tunnel client and the tunnel server must be using the same tunneling protocol. Tunneling technology can be based on (with windows 2003) either a Layer 2 or a Layer 3 tunneling protocol. These layers correspond to the Open Systems Interconnection (OSI) Reference Model. Layer 2 protocols correspond to the data-link layer and use frames as their unit of exchange. PPTP and L2TP are Layer 2 tunneling protocols; both encapsulate the payload in a PPP frame to be sent across an internetwork. Layer 3 protocols correspond to the Network layer, and use packets. IPSec tunnel mode is an example of a Layer 3 tunneling protocol and encapsulates IP packets with an additional IP header before sending them across an IP internetwork.

To mitigate the security vulnerabilities, mentioned earlier, these are the security mechanisms used.

 

Conclusion

Network security, VPN or not is a major concern. In fact security in VPNs is pre-eminent to its usage as alternative to wan. If it is true organizations think VPN is a secure network, actually there many reports or alerts that disclose loopholes in VPNs.

Then it is wisest to mention that complete end-to-end security is not guarantee. Thus system patches, antivirus software with firewall, additional encryption of data between user application and server application and vigilance on the part of the administrator is needed.