April 1, 1999
VPN security using IPSec
The strongest security is found in solutions that use IPSec, because encryption and key
management are part of its specifications. The weakest link in the whole encryption
procedure is the exchange of keys between the sender and the receiver, which is handled by
key exchange procedures. The most common of these are the Diffie-Hellman key exchange and
the RSA (Rivest, Shamir, Adleman) procedure. Both rest on mathematical problems (discrete
logarithms and integer factoring respectively) that are computationally infeasible to solve
at the key sizes in use, although neither is provably unbreakable.

To strengthen the procedure further, the parties exchanging these keys are authenticated
with digital certificates from commercially available certificate authorities, so that a
key cannot be quietly substituted by someone sitting in the middle. User authentication is
also handled through the usual method of passwords. Once authenticated, a user is allowed
only as much access as the VPN administrator sees fit.
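The two paragraphs above make a claim worth seeing in code: a Diffie-Hellman exchange gives both ends the same key, but unless the exchanged values are authenticated, an attacker in the path can hold one key with each side. The following is an added example, not code from the original article or from any IPSec product. It uses the 1024-bit Oakley group 2 parameters from RFC 2409 as transcribed here, derives the session key with a plain SHA-256 hash rather than IKE's own PRF construction, and, to stay self-contained, authenticates the exchange with an HMAC keyed by a pre-shared secret (which IKE also supports) instead of the certificates the text describes; only the responder's tag is checked, whereas a real exchange authenticates both ends.

```python
"""Diffie-Hellman key agreement, the man-in-the-middle attack on an
unauthenticated exchange, and an authenticated exchange that defeats it.

Added example, not code from the original article.  Assumptions: Oakley
group 2 (RFC 2409) parameters transcribed below; SHA-256 stands in for
IKE's PRF; a pre-shared secret stands in for certificate-based signing.
"""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime and generator of Oakley group 2 (RFC 2409), transcribed.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
PUB_LEN = (P.bit_length() + 7) // 8  # 128 bytes per public value


def dh_keypair():
    """Private exponent x in [2, p-2] and public value g^x mod p."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    """Shared secret peer_pub^priv mod p.  Rejects the degenerate values
    0, 1 and p-1, which would force a secret an attacker already knows."""
    if not 2 <= peer_pub <= P - 2:
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, P)


def session_key(shared):
    return hashlib.sha256(shared.to_bytes(PUB_LEN, "big")).digest()


def unauthenticated_exchange():
    """Honest exchange: initiator and responder derive the same key."""
    x, gx = dh_keypair()
    y, gy = dh_keypair()
    return session_key(dh_shared(x, gy)), session_key(dh_shared(y, gx))


def mitm_exchange():
    """Mallory swaps each public value for one of her own.  Returns the keys
    held by (initiator, Mallory toward initiator, Mallory toward responder,
    responder): each end agrees with Mallory, not with the other end."""
    x, gx = dh_keypair()
    y, gy = dh_keypair()
    m1, gm1 = dh_keypair()
    m2, gm2 = dh_keypair()
    k_i = session_key(dh_shared(x, gm1))   # initiator got g^m1 instead of g^y
    k_mi = session_key(dh_shared(m1, gx))
    k_mr = session_key(dh_shared(m2, gy))
    k_r = session_key(dh_shared(y, gm2))   # responder got g^m2 instead of g^x
    return k_i, k_mi, k_mr, k_r


def auth_tag(psk, pub_i, pub_r, identity):
    """Binds both public values and the sender's identity to a secret the
    attacker does not hold, so any substituted value fails verification."""
    msg = pub_i.to_bytes(PUB_LEN, "big") + pub_r.to_bytes(PUB_LEN, "big") + identity
    return hmac.new(psk, msg, hashlib.sha256).digest()


def authenticated_exchange(psk, attacker_in_path=False):
    """Initiator sends g^x; responder replies g^y plus a tag over (g^x, g^y).
    With Mallory in the path the responder saw a substituted g^x, so its tag
    does not match the one the initiator computes over the value it really
    sent.  Returns whether the initiator accepts the exchange."""
    x, gx = dh_keypair()
    seen_by_responder = gx
    if attacker_in_path:
        _, seen_by_responder = dh_keypair()  # Mallory's substitute for g^x
    y, gy = dh_keypair()
    tag_r = auth_tag(psk, seen_by_responder, gy, b"responder")
    return hmac.compare_digest(tag_r, auth_tag(psk, gx, gy, b"responder"))
```

Because the tag covers both public values, Mallory cannot substitute either g^x or g^y without knowing the pre-shared secret; with certificates, the same binding is achieved by having each side sign its public value with a key the certificate vouches for.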

So the question is, are VPNs secure with IPSec? Given the levels of
security and the lengths to which IPSec takes it, IPSec-based VPNs are a very secure affair.
Security itself is a broad area of activity. The only solace is that most encryption and
authentication mechanisms are tough enough to deter the most determined crackers.

Today
there are a number of remote access solutions available for companies to interconnect
their networks. One option that is being widely used across the globe, and is likely to
catch on in India, is virtual private networking. This technology uses the Internet as the
backbone for a WAN link. Companies can reach their network resources from anywhere in the
world just by connecting to a local ISP. The biggest advantage of VPNs is that they can be
used to interconnect multiple networks. They can also give mobile users access to the
company network from anywhere. Once a user is logged into the company network through a
VPN, he can access its resources as if he were directly connected to it. Connection speed
is limited only by the bandwidth available.

VPN software creates a channel over the Internet between the VPN client
(or, in the client-transparent model described below, the ISP's access server) and the VPN
server, a process more commonly known as tunneling. The tunnel is created using one of
several tunneling protocols, each of which wraps the data in its own encapsulation format.

VPN models

There are two broad models of tunneling: client-initiated and
client-transparent. In both the models, the basic requirement for setting up a VPN
solution is a VPN server and a VPN client. There are a number of companies offering these
solutions.

In client-initiated tunneling, the client dials into his local ISP and
then uses his VPN client to connect to the VPN server. At this point, he is required to go
through an authentication process that depends on the tunneling protocol being used.
We'll talk about these protocols a bit later.

In client-transparent tunneling, the ISP has a server dedicated to
VPN connectivity, known as a tunnel-enabled server. This server has dedicated
connectivity to the VPN servers of various companies. The clients connect to the local ISP
and reach this server, which after authentication directs them to their respective VPN
servers. The clients then face their company's security gateway and log in.

The provision of such dedicated access servers entails an added cost
for the ISP, but it also means higher throughput and dependability for the client's
data. The same ISP may not be available at a remote location, but inter-ISP tie-ups could
widen the reach of client-transparent services. At present MTNL is the only ISP in India to
offer VPN services, and only in Delhi.

VPNs can send data in two ways: plain encapsulation or encrypted
encapsulation. Encapsulation is simply bundling one protocol inside another. Since the
Internet runs on TCP/IP, VPN data is encapsulated in IP packets. But encapsulation by
itself does not secure the data: anyone on the path can read the inner packet, which is why
this method is not widely used. The other method, which is more widely accepted, encrypts
the encapsulated data before sending it over the Internet.

Protocols used

VPN Protocols

Tunneling protocol                          Authentication methods supported
PPTP (Point-to-Point Tunneling Protocol)    PAP, CHAP, NDS
L2TP (Layer 2 Tunneling Protocol)           PAP, CHAP, EAP, RADIUS
L2F (Layer 2 Forwarding)                    EAP, PAP, CHAP
IPSec (IP Security)                         RADIUS, SSL, CHAP
SOCKS                                       CHAP, RADIUS, SSL

VPN solutions differ in
the tunneling protocols they use. The protocols themselves differ in the type of user
authentication protocols they support. The tunneling protocols used by VPNs and the
authentication methods each supports are given in the table “VPN Protocols”.

Out of these, the first three, PPTP, L2TP, and L2F, are more suitable
for connecting mobile users to their networks than for inter-network connectivity. IPSec
is mostly used for inter-network connectivity and is currently the only one of these
protocols to include encryption and key management in its specification. This makes it
more secure than the rest.

Among the authentication protocols, PAP (Password Authentication
Protocol), CHAP (Challenge Handshake Authentication Protocol), and EAP (Extensible
Authentication Protocol) are part of the PPP suite, which is mostly used in dial-up
connections.
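The difference between the first two of these methods is easiest to see on the wire. The following added example (not code from the original article) plays both the client and the server side of PAP and of CHAP over a dial-up link, with a Python list standing in for what a wiretap on the path would capture. The user name and shared secret are constructed for the example; the CHAP response is computed as RFC 1994 specifies, MD5 over the identifier byte, the secret and the challenge.

```python
"""PAP versus CHAP: what an eavesdropper on the PPP link sees.

Added example, not code from the original article.  The 'wire' is a list
of captured frames; USER and SECRET are constructed for the example.
"""
import hashlib
import hmac
import os

USER = b"alice"                        # constructed
SECRET = b"s3cret-dialup-password"     # constructed shared secret


def pap_authenticate(wire, name, password, server_secret=SECRET):
    """PAP: the client sends name and password in the clear and the server
    compares them.  Anyone capturing the link learns the password."""
    wire.append(b"PAP Authenticate-Request " + name + b" " + password)
    return hmac.compare_digest(password, server_secret)


def chap_response(identifier, secret, challenge):
    """RFC 1994 response: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_authenticate(wire, name, client_secret, server_secret=SECRET,
                      replayed_response=None):
    """CHAP: the server sends a fresh random challenge, the client answers
    with a hash that depends on the secret and the challenge.  The secret
    itself never crosses the wire, and an answer captured in an earlier
    session (replayed_response) does not match a new challenge."""
    identifier = 1
    challenge = os.urandom(16)
    wire.append(b"CHAP Challenge " + bytes([identifier]) + challenge)
    response = replayed_response or chap_response(identifier, client_secret, challenge)
    wire.append(b"CHAP Response " + bytes([identifier]) + name + response)
    expected = chap_response(identifier, server_secret, challenge)
    return hmac.compare_digest(response, expected)


def secret_on_wire(wire, secret=SECRET):
    """Would a passive eavesdropper recover the secret from the capture?"""
    return any(secret in frame for frame in wire)


def replay_attack():
    """Eavesdropper records a valid CHAP response, then replays it in a new
    session without knowing the secret.  Returns whether the server accepts."""
    wire = []
    if not chap_authenticate(wire, USER, SECRET):
        raise RuntimeError("legitimate login should succeed")
    offset = len(b"CHAP Response ") + 1 + len(USER)
    captured = wire[-1][offset:]
    return chap_authenticate([], USER, b"", replayed_response=captured)
```

CHAP keeps the password off the wire and defeats simple replay, but it does not make a weak password safe: a captured challenge and response are enough for an offline dictionary attack, and the server must hold the secret in a recoverable form to compute the expected response.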

Security in VPNs

There are two areas of concern in the security arrangements of a
VPN: data security and user authentication. Data security depends on the tunneling
protocol being used, and user authentication depends on the authentication protocol
used.

Out of the various tunneling protocols discussed above, IPSec is the
only one that has data encryption as part of its specification. The others merely
encapsulate the data and transfer it. However, work is under way to let the other
protocols use IPSec for data encryption. For authenticating users, some VPNs use digital
certificates (a detailed discussion of these is covered in a separate article in this
issue).

Currently, there are a number of VPN solutions available. The
simplest VPN can be set up using PPTP between two points. This feature is built into Win
NT, and the client for accessing it can be easily set up on Win 9x.
