ICND2 OECG Chapter 15 Virtual Private Networks
Posted by Aragoen Celtdra on 27th May 2008
VPN Fundamentals
VPNs try to provide security features similar to what a leased line gives. For instance, a router on one end of a leased line knows with confidence the identity of the device on the other end of the link.
Some of the features they provide are:
- Privacy – preventing anyone on the Internet who captures the transmitted data from reading it.
- Authentication – verifying that the sender of the packet is legitimate and not an impostor.
- Data Integrity – the packet arrives as it was sent and has not been altered in transit.
- Antireplay – prevents someone on the Internet from capturing a legitimate packet and resending it later so that it is accepted as a new, legitimate packet.
VPN tunnel
Two devices near the edge of the Internet are set up to create the VPN connection. These devices add headers to the original packet with fields that allow the VPN devices to perform all of these functions. The VPN devices also encrypt the original IP packet so that its contents are undecipherable to anyone who captures it.
Types of VPN:
- Intranet – Connects two sites of the same organization
- Extranet – Connects two partner sites that are not necessarily the same organization.
- Access – Connects individual users to the enterprise network, typically mobile or home users.
Building a VPN network requires several devices that understand VPN standards and protocols at each site. Devices include software and hardware such as:
- Routers – perform VPN functions in addition to routing. Add-on hardware encryption cards can offload the encryption work for higher throughput.
- Adaptive Security Appliances (ASA) – Cisco appliance that performs many functions, including firewall, VPN tunnel endpoint, etc.
- PIX firewalls – firewall and VPN. Replaced by ASA
- VPN Concentrators – act as endpoint of a VPN tunnel. Replaced by ASA
- VPN client – Client installed on a laptop to perform VPN functions.
IPsec VPN
IPsec is a security architecture, or framework, for IP networks. It is defined in RFC 4301, Security Architecture for the Internet Protocol, and is more generally called IP security, or IPsec. It defines a set of functions such as encryption and authentication.
As an architecture, it allows changes and additions to it over time as improvements in security are made.
The components of IPsec are summarized in the following bullet points:
- IPsec Encryption
- Uses mathematical algorithms to meet certain criteria. These are:
- To hide (encrypt) the data
- Re-create (decrypt) the original data from the encrypted version.
- An encryption key (in effect a password) is needed to decrypt the data. It is also known as the session key, shared key, or shared session key.
- Even if an attacker manages to capture and decrypt one packet, the remaining packets of the flow would still have to be decrypted for the data to make any sense.
- A sample packet: IP Header | VPN Header | Encrypted Data
- Encryption Algorithms:
- Data Encryption Standard (DES) – 56-bit key. Older and less secure than the current options; a 56-bit key can be brute-forced.
- Triple DES (3DES) – Key length is 3 × 56 bits. It applies DES three times in succession with three different 56-bit keys, improving on DES at the cost of three times the work.
- Advanced Encryption Standard (AES) – 128-, 192-, or 256-bit keys. Current best practice: strong encryption with less computation than 3DES.
- IPsec Key Exchange
- For encryption to work between two devices, they must somehow come to share a common key (the shared key value, also called a symmetric key) or password. The inherent problem is how to get the key to both sides without it being intercepted as clear text on the line.
- One solution is Pre-Shared Keys (PSK) – manually configuring the same value on both devices. Typically the engineer at one site phones the engineer at the other and reads out the key, or sends it through the mail. The problem is that a manually configured key is almost never changed afterwards.
- To get a more secure, dynamic key exchange, RFC 4306, Internet Key Exchange (IKEv2; the original IKE was RFC 2409), calls for the Diffie-Hellman (DH) key exchange, named after its inventors. It is an algorithm that lets the two devices agree on a secret key over the public network without ever sending the key itself. That secret is then used to derive the keys that encrypt subsequent data.
- Several DH groups can be configured; they differ in the length of the modulus used. The longer the encryption key that must be protected, the longer the DH group must be:
- DH group 1 uses a 768-bit modulus
- DH group 2 uses a 1024-bit modulus
- DH group 5 uses a 1536-bit modulus
- Groups 1 and 2 are considered too weak for new deployments today; a 2048-bit group (group 14) or larger is the usual minimum now.
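The DH exchange described above, simulated end to end as an added example written for these notes (it is not code from the book or from any Cisco product). It uses the real 1024-bit group 2 modulus from RFC 2409, runs both peers in one process, shows what an eavesdropper on the wire actually sees, and turns the raw DH result into a session key the way IKEv2 does (SKEYSEED = prf(Ni | Nr, g^ir)). The peer names, the nonces, and the choice of HMAC-SHA-256 as the prf are assumptions made for the example.

```python
"""Diffie-Hellman key exchange as used by IKE, simulated end to end."""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime of IKE Diffie-Hellman group 2 (RFC 2409, section 6.2).
DH_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
DH_GROUP2_G = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test; used to sanity-check the modulus."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class DHPeer:
    """One VPN endpoint: holds a private exponent x, publishes g^x mod p."""

    def __init__(self, name, p=DH_GROUP2_P, g=DH_GROUP2_G):
        self.name, self.p, self.g = name, p, g
        # The private value never leaves this object.
        self.private = secrets.randbelow(p - 2) + 1
        self.public = pow(g, self.private, p)

    def shared_secret(self, peer_public):
        """g^(xy) mod p from the peer's public value and our private one."""
        # Reject degenerate public values (0, 1, p-1): they would force the
        # shared secret into a tiny, guessable set.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("peer public value out of range")
        return pow(peer_public, self.private, self.p)


def derive_session_key(shared, nonce_i, nonce_r):
    """Fixed-size key from the raw DH result, the way IKEv2 computes
    SKEYSEED = prf(Ni | Nr, g^ir); HMAC-SHA-256 is assumed as the prf."""
    secret_bytes = shared.to_bytes((shared.bit_length() + 7) // 8, "big")
    return hmac.new(nonce_i + nonce_r, secret_bytes, hashlib.sha256).digest()


def run_exchange():
    """Run one exchange between two peers.  Returns both derived keys and a
    dictionary of everything an eavesdropper could capture on the wire."""
    if not is_probable_prime(DH_GROUP2_P):
        raise RuntimeError("group modulus is not prime")
    site_a, site_b = DHPeer("site-A"), DHPeer("site-B")   # assumed peer names
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    # What crosses the Internet: the group, both public values, both nonces.
    # Neither private exponent nor the shared secret is ever transmitted.
    wire = {"p": site_a.p, "g": site_a.g, "A": site_a.public, "B": site_b.public,
            "Ni": nonce_i, "Nr": nonce_r}
    key_a = derive_session_key(site_a.shared_secret(wire["B"]), nonce_i, nonce_r)
    key_b = derive_session_key(site_b.shared_secret(wire["A"]), nonce_i, nonce_r)
    return key_a, key_b, wire


if __name__ == "__main__":
    ka, kb, seen = run_exchange()
    print("keys match:", ka == kb, "| session key:", ka.hex())
    print("on the wire: p, g, A, B, Ni, Nr only; A =", hex(seen["A"])[:20], "...")
```

Group 2 is used here only because it is the group the notes list and it keeps the run fast in pure Python; the same code works unchanged with a 2048-bit group 14 modulus, which is what a new deployment should use. The range check in `shared_secret` is the one practitioners tend to forget: without it a peer (or an attacker in the middle) can send 1 or p-1 and collapse the shared secret to a handful of values.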
- IPsec Authentication and Message Integrity
- Authentication is the process by which a receiving VPN device confirms that a received packet really was sent by a trusted VPN peer.
- Message integrity confirms that the message received is the original message sent, unaltered.
- Message integrity checks are performed by the AH or ESP header using a shared (symmetric) key. The process resembles encryption, except that it uses a keyed hash function, and the key itself is never sent over the Internet.
- The hash process, called Hash-based Message Authentication Code (HMAC), calculates a hash value over the packet and the key and sends the result in the VPN header.
- The receiver recomputes the hash over the received packet (using the same key as the sender) and compares the result with the value carried in the VPN header; a mismatch means the packet was altered or was not produced by a holder of the key.
- The book's guideline is that the HMAC key should be at least twice as long as the encryption key. For example, HMAC-MD5 with its 128-bit key can support VPNs that use a 56-bit encryption key.
- Peer authentication can instead use a public/private (asymmetric) key pair, a concept from the same family as DH key exchange.
- The idea is that the sender uses its private key to encrypt (sign) a value, typically a hash of the message, and anyone holding the sender's public key can decrypt (verify) it.
- The sender calculates the value with its private key and puts it in the VPN header. The receiver decrypts the transmitted value with the sender's public key; only the holder of the matching private key could have produced it.
- Specific protocols and tools available for IPsec authentication and message integrity
- Message Integrity
- HMAC-MD5 – uses a 128-bit shared key, generating a 128-bit hash value. MD5 is no longer recommended for new deployments.
- HMAC-SHA – HMAC with the Secure Hash Algorithm family, which comes in several digest (and key) sizes (for example, SHA-1 [160 bits], SHA-256 [256 bits], and SHA-512 [512 bits]) to match different encryption key sizes. Considered stronger than MD5, at the cost of more compute time.
- Authentication
- Pre-shared Keys – both VPN devices must be pre-configured with the same secret key
- Digital signatures – aka Rivest, Shamir, and Adleman (RSA) signatures. The sender encrypts (signs) a value with its private key; the receiver decrypts (verifies) it with the sender's public key and compares the result with the value listed by the sender in the header.
The ESP and AH Security Protocols
- There are two types of VPN headers that store the information for the various VPN functions:
- Encapsulating Security Payload (ESP) – defines the rules for performing all four main VPN functions: authentication (considered weaker, because ESP's integrity check covers only the ESP header and payload, not the outer IP header), message integrity, encryption, and antireplay.
- IP Authentication Header (AH) – supports strong authentication and message integrity (its check also covers the outer IP header, apart from fields that legitimately change in transit), but provides no encryption.
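How the HMAC integrity check and the antireplay function (described under VPN Fundamentals, under IPsec Authentication and Message Integrity, and in the ESP bullet above) fit together on the receiving side, as an added example written for these notes rather than code from the book or from any Cisco product. The packet layout (sequence number, payload, truncated HMAC-SHA-256 ICV) and the key are constructed simplifications of ESP: real ESP also carries an SPI and encrypts the payload. The 64-entry sliding window and the order of the checks follow RFC 4303.

```python
"""ESP-style integrity check (HMAC) plus anti-replay window, simulated."""
import hashlib
import hmac
import struct

# HMAC-SHA-256-128: the 256-bit HMAC is truncated to 128 bits, as IPsec does.
ICV_LEN = 16
# Anti-replay window size: RFC 4303 requires at least 32, and 64 is typical.
WINDOW = 64

# Constructed packet layout for this example (real ESP also has an SPI field
# and encrypts the payload):  seq (4 bytes) || payload || ICV (16 bytes)


def build_packet(key, seq, payload):
    """Sender side: compute the ICV over sequence number and payload."""
    body = struct.pack("!I", seq) + payload
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


class ReplayWindow:
    """Sliding window of RFC 4303 section 3.4.3.  Bit i of `bitmap` is set
    when sequence number (top - i) has already been accepted."""

    def __init__(self, size=WINDOW):
        self.size, self.top, self.bitmap = size, 0, 0

    def is_acceptable(self, seq):
        if seq == 0:                      # never valid on a fresh SA
            return False
        if seq > self.top:                # newer than anything seen so far
            return True
        offset = self.top - seq
        if offset >= self.size:           # too old: fell off the left edge
            return False
        return not (self.bitmap >> offset) & 1   # False if already seen

    def mark_received(self, seq):
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


class Receiver:
    """Receiver side: anti-replay check, then ICV check, then window update."""

    def __init__(self, key):
        self.key, self.window = key, ReplayWindow()

    def receive(self, packet):
        """Returns (status, payload); status is 'ok', 'short', 'replay' or 'bad_icv'."""
        if len(packet) < 4 + ICV_LEN:
            return "short", None
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        seq = struct.unpack("!I", body[:4])[0]
        # The cheap window check comes first (RFC 4303 order) so that a flood
        # of replayed packets does not cost one HMAC computation each.
        if not self.window.is_acceptable(seq):
            return "replay", None
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        # Constant-time compare: a plain '==' would leak timing information.
        if not hmac.compare_digest(icv, expected):
            return "bad_icv", None
        self.window.mark_received(seq)    # only a verified packet moves the window
        return "ok", body[4:]


def demo():
    """Feed a constructed sequence of packets through one receiver and return
    the (label, status) pairs, so the effect of each case is visible."""
    key = bytes(range(32))                # constructed 256-bit integrity key
    rx = Receiver(key)
    p3 = build_packet(key, 3, b"POST /transfer")
    forged = bytearray(p3)
    forged[4] ^= 0x01                     # flip a payload byte, keep the ICV
    reseq = bytearray(p3)
    reseq[:4] = struct.pack("!I", 300)    # rewrite the sequence number only
    steps = [
        ("seq 1", build_packet(key, 1, b"a")),
        ("seq 2", build_packet(key, 2, b"b")),
        ("seq 2 replayed", build_packet(key, 2, b"b")),
        ("seq 3, payload tampered", bytes(forged)),
        ("seq 3, seq rewritten to 300", bytes(reseq)),
        ("seq 3 genuine", p3),
        ("seq 10", build_packet(key, 10, b"c")),
        ("seq 5, late but inside window", build_packet(key, 5, b"d")),
        ("seq 5 replayed", build_packet(key, 5, b"d")),
        ("seq 200", build_packet(key, 200, b"e")),
        ("seq 10, now left of window", build_packet(key, 10, b"c")),
    ]
    return [(label, rx.receive(pkt)[0]) for label, pkt in steps]


if __name__ == "__main__":
    for label, status in demo():
        print(f"{label:32s} -> {status}")
```

Two details in the run are worth noticing. The ICV covers the sequence number, so an attacker cannot make an old packet look new by rewriting its counter (the "seq rewritten to 300" case fails the ICV rather than the window). And the window is only advanced after the ICV verifies, so a forged packet with a high sequence number cannot push genuine, still-in-flight packets out of the window.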
IPsec Implementation Consideration
- IPsec VPNs provide a secure connection across the Internet that behaves as if the remote site were connected directly to the enterprise LAN. Site-to-site VPNs let users connect to applications and resources in the company as if they were local.
- Remote-access VPNs let individual users do the same as site-to-site VPN users, but the user needs VPN client software installed on the local machine.
- Cisco Easy VPN makes the installation and configuration of VPNs easier. A Cisco Easy VPN server, for example an ASA, is set up to dynamically push the IPsec VPN configuration to the remote devices. Those devices (routers, or laptops with a VPN client) act as Easy VPN clients, connecting to the Easy VPN server and downloading their configuration settings.
SSL VPNs
- SSL, Secure Sockets Layer, allows a common web browser to send data across the Internet securely. Its standardized successor, Transport Layer Security (TLS), does the same job.
- SSL (HTTPS) uses TCP port 443. The browser and server first negotiate an encrypted session, during which the server is authenticated to the browser by its certificate (the user is usually authenticated afterwards, by the application); HTTP messages are then sent over the SSL connection.
- Web VPN – similar to an IPsec VPN, but typically only allows web traffic rather than general IP traffic to go through.
- To use Web VPN, the user connects with a browser to a Cisco Web VPN server. The Web VPN server acts as a web server; the web page it presents contains a list of the applications available to the user.
- The Web VPN server can be implemented on various devices, for example an ASA. The connection uses SSL.
- The drawback is that with Web VPN each application must be used through the web browser. To get around this limitation, the user can load an SSL-based thin client that connects to the Web VPN, and the Web VPN then simply passes traffic from the PC to the enterprise LAN.
