NVS1

Virtual Private Networks

THIS DOCUMENT DESCRIBES HOW VIRTUAL PRIVATE NETWORKS (VPNS) WORK. THE RESULTING BENEFITS AND IMPORTANT POINTS ARE ALSO MENTIONED.
DOMINIK HERKEL

STERREICH | WIEN | 1050 | Spengergasse 20

Virtual Private Networks

30.10.2012

Dominik Herkel 4AHIF

Table of Contents
Virtual Private Networks ............................................................................................................ 2 General ................................................................................................................................... 2 History .................................................................................................................................... 2 Benefits for Business .............................................................................................................. 2 Implementation ...................................................................................................................... 3 Generic Routing Encapsulation (GRE) ................................................................................ 3 General ........................................................................................................................... 3 Process............................................................................................................................ 3 Advantages ..................................................................................................................... 4 Disadvantages ................................................................................................................ 4 Internet Protocol Security (IPsec) ...................................................................................... 4 General ........................................................................................................................... 4 Process............................................................................................................................ 6 Advantages ..................................................................................................................... 6 Disadvantages ................................................................................................................ 6 GRE over IPsec .................................................................................................................... 7 SSL/TLS................................................................................................................................ 7 General ........................................................................................................................... 7 Process............................................................................................................................ 7 Advantages ..................................................................................................................... 7 Disadvantages ................................................................................................................ 8 Cisco VPN Solutions ................................................................................................................ 8 Access Network Resources..................................................................................................... 8 Configuration .......................................................................................................................... 8 Bibliography.............................................................................................................................. 10

Page 1 / 11

Virtual Private Networks

30.10.2012

Dominik Herkel 4AHIF

Virtual Private Networks

General
In the simplest sense, a Virtual Private Network (VPN) is used to create an end-to-end private network connection, or rather a tunnel over third party networks, such as the internet. Depending on the type of VPN used, the connection is less or more secure and its users have either full, or restricted access to internal network resources.

History
The term VPN has been associated with remote connectivity services such as the public telephone network and Frame Relay Permanent Virtual Circuits (PVCs). Nowadays its a synonym for IP-based data networking. (AnexGATE) Before modern VPNs came up, a company had to lease a dedicated link which connected the main business campus with its branch Offices to build a comprehensive Intranet. Companies which couldnt afford such high amount of resources and expertise were left ou t. Modern VPNs solve this problem. These days there is no longer the need to buy expensive infrastructure or lease dedicated lines. No, the solution is built up on existing infrastructure, which almost any company already has. Instead of using private circuits, the public internet serves as a medium to connect places in different locations. Now some people would say that this is questionable solution in relation to data security. Maybe it was in the past, but nowadays this counterargument is addressed with rise of the Internet Protocol Security (short IPsec) framework, or Secure Sockets Layer (short SSL) services. This new technologies paved the way for the shift to telecommuting. So its a fact that even some people say that they arent affected by such technical nonsense, they cant ignore the capabilities which progress offers.

Benefits for Business

When companies use VPNs they can benefit in the following points: Cost efficiency: In most cases the companies doesnt have to lease dedicated WAN links anymore. Even if the leased lines provided a reliable and fast solution, it would be a lot better for the companies to spend their money on high-bandwidth internet connection technologies. So all of the transmissions are fast and not only between the sites anymore. Security: When modern VPN technologies are used, the sent data is protected with the confidentiality and integrity during transit. This is realized through advanced encryption and authentication protocols. Scalability: Infrastructure which is already in place can be used to connect an office through a VPN connection. In most cases there are no additional costs, because either way the majority of companies have a high-bandwidth internet connection. (Cisco)

Page 2 / 11

Virtual Private Networks

30.10.2012

Dominik Herkel 4AHIF

Compatibility: With VPNs branch offices, as well as remote home offices and mobile workers can connect to the corporate network. This type of access is compatible with broadband technologies among others. So flexibility and efficiency is provided, which are two of the most important points in todays business.

Implementation
A VPN connection can be made at either Layer 2, 3, or the upper layers of the OSI model. Common examples of methods to form a Virtual Private Network are Generic Routing Encapsulation (GRE), Internet Protocol Security (IPsec) and Secure Sockets Layer (SSL) to mention but a few.

Generic Routing Encapsulation (GRE)

General This protocol was originally developed by Cisco and later standardized as Request for Comments (RFC) 1701. GRE tunnels are stateless, just like the User Datagram Protocol (UDP). This means that each tunnel endpoint doesnt keep any information about the availability of the other endpoint. Due to its advantages it is still widely in use. Process GRE encapsulates the entire original IP packet with a tunneling IP header and a GRE header.
VPN Method Decision - Dominik Herkel

GRE packet - Dominik Herkel

Flags: Optional header fields. Protocol Types: Type of payload (0x800 is used for IP). Page 3 / 11

Virtual Private Networks (Cisco)

30.10.2012

Dominik Herkel 4AHIF

This results in an additional overhead of 24 bytes. Advantages GRE comes up with the following advantages: Multiprotocol support: GRE supports multiprotocol tunneling, this means that it isnt only narrowed to IP networks, but also to IPX or AppleTalk. Certainly it is a fact that IP networks are the most common nowadays. Routing protocol support: Another advantage of GRE as opposed to other VPN protocols is its routing protocol support. In a GRE tunnel, routers can advertise their Open Shortest Path First (OSPF), Routing Information Protocol (RIP) and Enhanced Interior Gateway Routing Protocol (EIGRP) routes to mention but a few. Multicast and Broadcast support: GRE doesnt only support unicasts, instead it can also handle multicasts and broadcasts.

Disadvantages Even if GRE has great advantages, it is also affected by some big disadvantages: Security: In general traffic which traverses through a GRE tunnel isnt protected by encryption or other security measurements. This is because when GRE was developed security wasnt a big concern. It can easily be altered or eavesdropped. Overhead: The GRE header together with the tunneling IP header, creates at least 24 bytes of additional overhead for tunneled packets. (Cisco)

Internet Protocol Security (IPsec)

General This protocol is standardized in RFC 2401. One of the main characteristics of IPsec is that it isnt bound to any specific security technologies. Instead it is a framework of open standards that defines the rules for a secure communication process. Therefore IPsec itself doesnt come up with any new encryption algorithms to provide confidentiality of data. It uses already existing security standards. Furthermore IPsec operates at the network layer and in theory operates with all data link layer protocols, such like Ethernet or Token Ring of the OSI model. Although I couldnt find any real implementation of IPsec over Token Ring. The IPsec process and the security measurements are described below: Protocol: When using IPsec one of the protocols below must be selected. Both solutions can work either in transport, or tunnel mode.

Page 4 / 11

Virtual Private Networks

30.10.2012

Dominik Herkel 4AHIF

Tunnel mode: Security for the complete original IP packet is provided. The original IP packet is encrypted and then encapsulated in another IP packet. This is known as IPin-IP encryption. The outside IP packet is used for routing it through the Internet. Transport mode: Different to tunnel mode, the original IP address is left in plaintext. Security is only provided for the rest of the packet. o Authentication Header (AH): It is the appropriate protocol when confidentiality is not required. Therefore it only provides authentication and integrity. Confidentiality through encryption isnt part of this method, consequently all data is sent in plaintext. o Encapsulating Security Payload (ESP): Just like AH, this protocol also supports authentication and integrity, with the big difference that data encryption is also provided. Confidentiality: To achieve this feature, the traffic IPsec Framework - Dominik Herkel is encrypted by symmetric algorithms. For example: Data Encryptions Standard (DES), Triple Data Encryption Standard (3DES) and Advanced Encryption Standard (AES) are used. Integrity: Keyed-Hash Message Authentication Code (HMAC) are used to proof integrity and authentication of data. Instead of only calculating a hash value out of the data, an additional shared secret key is added to the data before. Then the HMAC is calculated out of the key-data combination with a hash algorithm like MessageDigest Algorithm 5 (MD5) or Secure Hash Algorithm (SHA-1, SHA-2 and SHA-3). Authentication: In a conversation it is necessary that both participating parties authenticate each other. To achieve this either pre-shared secret keys or RivestShamir-Adleman (RSA) signatures are used. Secure Key Exchange: In a symmetric key system it is important to ensure that all participating parties know the secret key prior to encrypt or decrypt data. Therefore the Diffie-Hellman (DH) key exchange method was developed. It is a mathematical algorithm that allows two parties to generate an identical shared secret, without having ever communicated before. The new shared key is never actually exchanged between the sender and receiver, but both parties now it. DH defines several groups, from number 1 to 24, which differ relating to strength of encryption.

Page 5 / 11

Virtual Private Networks Process

30.10.2012

Dominik Herkel 4AHIF

The operation of IPsec VPNs can be broken down into five steps: 1. Initiation: Interesting traffic which match the configured security policy starts the Internet Key Exchange process. 2. IKE phase 1: IPsec peers are authenticated and Security Associations (SAs) are negotiated. A secure channel is set up. 3. IKE phase 2: IPsec SA parameters are negotiated and matching IPsec SAs are set up. 4. Data transfer: Data can be securely transmitted between the IPsec peers. 5. IPsec tunnel termination: The tunnel is terminated, because it timed out, or manually terminated. A detailed description of these steps is beyond the scope of this presentation, because they require a comprehensive understanding of security in general, IPsec and the Internet Key Exchange (IKE). For further information use the internet or attend to a CCNA Security certification class. Advantages Security: Authentication, Confidentiality and Integrity is provided by IPsec VPNs. In fact security is the biggest concern. Based on existing algorithms: One of the biggest advantages of the IPsec suite is that it doesnt try to reinvent to wheel. Instead it is based on existing algorithms. Therefore even new inventions can be added to IPsec and used in the process.

Disadvantages Solely IP support: No other Layer 3 protocol are supported. So when AppleTalk or IPX should be used, the VPN couldnt be based on IPsec. Only unicasts: Multicasts and Broadcasts arent supported. Therefore only unicasts can be sent. Routing protocols not supported: Routing protocols like OSPF, RIP and EIGRP are not supported. In IPsec VPNs only static routes can be used.

VPN Method Decision - Dominik Herkel

(Cisco) Page 6 / 11

Virtual Private Networks

30.10.2012

Dominik Herkel 4AHIF

GRE over IPsec

As time passed the idea came up to use both GRE as well as IPsec together. So often there is no need to decide between the two tunnel technologies anymore. This method combines the benefits of GRE and IPsec into one solution. The security of the data is provided by the IPsec framework with the flexibility of GRE. Therefore GREs multiprotocol support, routing updates, multicasts and broadcasts can be sent encrypted and secured over the tunnel.

SSL/TLS
General The Secure Sockets Layer (SSL) protocol is the predecessor of the modern Transport Layer Security (TLS) protocol. Both work at the presentation layer of the OSI model, whereas the term SSL is often used for TLS too. SSL/TLS use asymmetric cryptography for their key exchange, HMACs for authentication and integrity and symmetric algorithms for bulk encryption. To authenticate the provider participant in the communication process, certificates delivered by third party Certification Authorities (CA), such as VeriSign are involved. One of SSL/TLS major operational area is Hypertext Transfer Protocol Secure (HTTPS). Process To ease this presentation the process of SSL/TLS is described in the YouTube video below: http://www.youtube.com/watch?v=SJJmoDZ3il8 Advantages Security: The communication process over a SSL/TLS VPN is secured by authentication, confidentiality and integrity. Almost everywhere available: One of the biggest advantages of SSL/TLS over other VPN technologies is that for most implementations only a generic modern web browser is needed. So no client software, like Cisco AnyConnect is needed.

Page 7 / 11

Virtual Private Networks Third party regulation: Entities which provide SSL/TLS VPNs, for example for secure shopping, are regulate and verified by third party organizations.

30.10.2012

Dominik Herkel 4AHIF

Disadvantages Faked SSL/TLS certificates: Users are lulled into a false sense of security with certificates from CAs. Its not uncommon that malicious attackers tamper VPNs - Dominik Herkel SSL/TLS certificates. Denial of Service (DoS) attacks: Its a fact that establishing a SSL/TLS VPN connection requires much more resources on the server than on the client computer. This fact can be exploited in a DoS attack.

Cisco VPN Solutions

Cisco provides a broad and comprehensive selection of VPN solutions: Cisco Integrated Services Router (ISR) with enabled VPN Cisco Private Internet eXchange (PIX) end of life (EOL), end of sale (EOS) Cisco Adaptive Security Appliance (ASA) 5500 Series Cisco VPN 3000 Series Concentrator end of life (EOL), end of sale (EOS) Small and Home Office (SOHO) Routers

Access Network Resources

There are several ways provided by Cisco to access network resources through VPNs: Site to Site Configuration Cisco VPN Client Cisco AnyConnect VPN Client

Configuration
To give only a short overview over the complexity of IPsec tunnel configuration, an excerpt of the commands which are needed to perform this type of VPN on a Cissco IOs Router:

Page 8 / 11

Virtual Private Networks

30.10.2012

Dominik Herkel 4AHIF

R1

R3

R1(config)#access-list 110 permit ip R3(config)#access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 R1(config)#crypto isakmp policy 10 R1(config-isakmp)#encryption aes R1(config-isakmp)#hash sha R1(config-isakmp)#authentication preshare R1(config-isakmp)#group 2 R1(config-isakmp)#lifetime 86400 R1(config-isakmp)#exit R1(config)#crypto isakmp key vpnpa55 address 10.2.2.2 0.0.0.0 R1(config)#crypto ipsec transform-set VPNSET esp-3des esp-sha-hmac R1(config)#crypto map VPN-MAP 10 ipsecisakmp R1(config-crypto-map)#match address 110 R1(config-crypto-map)#set peer 10.2.2.2 R1(config-crypto-map)#set transform-set VPN-SET R1(config-crypto-map)#exit R1(config)#interface se0/0/0 R1(config-if)#crypto map VPN-MAP R3(config)#crypto isakmp policy 10 R3(config-isakmp)#encryption aes R3(config-isakmp)#hash sha R3(config-isakmp)#authentication preshare R3(config-isakmp)#group 2 R3(config-isakmp)#lifetime 86400 R3(config-isakmp)#exit R3(config)#crypto isakmp key vpnpa55 address 10.1.1.2 0.0.0.0 R3(config)#crypto ipsec transform-set VPNSET esp-3des esp-sha-hmac R3(config)#crypto map VPN-MAP 10 ipsecisakmp R3(config-crypto-map)#match address 110 R3(config-crypto-map)#set peer 10.1.1.2 R3(config-crypto-map)#set transform-set VPN-SET R3(config-crypto-map)#exit R3(config)#interface se0/0/1 R3(config-if)#crypto map VPN-MAP

Page 9 / 11

Virtual Private Networks

30.10.2012

Dominik Herkel 4AHIF

Bibliography
AnexGATE. (n.d.). AnexGATE. Retrieved from http://www.anexgate.com/downloads/whitepapers/vpnprimer.pdf AnexGATE. (n.d.). AnexGATE. Retrieved from http://www.anexgate.com/downloads/whitepapers/vpnprimer.pdf Cisco. (n.d.). Cisco. Retrieved from http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_exampl e09186a008009438e.shtml Cisco. (n.d.). Cisco Netacademy. Retrieved from http://www.cisco.com/web/learning/netacad/index.html Cisco. (n.d.). Cisco Netacademy. Retrieved from http://www.cisco.com/web/learning/netacad/index.html Covenant. (n.d.). DSLreports. Retrieved from http://www.dslreports.com/faq/8228 Edwards, J. (n.d.). ITsecurity. Retrieved from http://www.itsecurity.com/features/vpnpopularity-021108/ Itif. (n.d.). Itif. Retrieved from http://www.itif.org/files/Telecommuting.pdf Kilpatrick, I. (n.d.). IT Pro Portal. Retrieved from http://www.itproportal.com/2007/05/18/benefits-and-disadvantages-of-ssl-vpns/ Mason, A. (n.d.). CiscoPress. Retrieved from http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7 Pearson. (n.d.). Pearsoncmg. Retrieved from http://ptgmedia.pearsoncmg.com/images/9781587201509/samplechapter/1587201 50X_CH14.pdf Rager, A. T. (n.d.). SourceForge. Retrieved from http://ikecrack.sourceforge.net/ SANS Institute. (n.d.). GoogleDocs. Retrieved from https://docs.google.com/viewer?a=v&q=cache:LcJ_BIRpFl4J:www.sans.org/reading_r oom/whitepapers/vpns/vulnerabilitys-ipsec-discussion-weaknesses-ipsecimplementationpro_760+ipsec+vulnerabilities&hl=de&gl=at&pid=bl&srcid=ADGEESjc5VtF9axW6pM9 jnZscnGxhS2U9roAq Suida, D. (n.d.). WordPress. Retrieved from http://waynetwork.wordpress.com/2011/07/02/video-tutorial-ipsec-over-a-gretunnel/ Unknown. (n.d.). ETutorials. Retrieved from http://etutorials.org/Networking/network+security+assessment/Chapter+11.+Assess ing+IP+VPN+Services/11.2+Attacking+IPsec+VPNs/ Unknown. (n.d.). Journey2CCIE. Retrieved from http://journey2ccie.blogspot.co.at

Page 10 / 11

Virtual Private Networks

30.10.2012

Dominik Herkel 4AHIF

Unknown. (n.d.). Teleworkers Research Network. Retrieved from http://www.teleworkresearchnetwork.com/telecommuting-statistics Unknown. (n.d.). The Hackers Choice. Retrieved from http://thehackerschoice.wordpress.com/2011/10/24/thc-ssl-dos/ Wikipedia. (n.d.). Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Telecommuting#Telecommuting_and_telework_statisti cs Wikipedia. (n.d.). Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Transport_Layer_Security Zandi, S. (n.d.). Cisco LearningNetwork. Retrieved from https://learningnetwork.cisco.com/docs/DOC-2457

Page 11 / 11