
TOPIC:

“SECURITY IN VPNS”

Developed by:

Name : REMORAKING

Remora. COMPUTERSHARK.BLOGSPOT.com REMORAKING Page 1


Acknowledgement
I am grateful to the many individuals whose efforts and
contributions were helpful to the development of this ISAS report.



CONTENTS
“SECURITY IN VIRTUAL PRIVATE NETWORKS (VPN)”

Introduction
I. UNDERSTANDING VPN AND THE NEED FOR SECURITY IN VPN (4)
   1. Purpose Of VPN Security (4)
   2. Motivation For Using VPNs (5)
   3. Concerns (5)
II. POTENTIAL VULNERABILITIES OF VPNS (6)
   1. Explaining Network Vulnerabilities (6)
   2. Common Network Vulnerabilities And Flaws (6)
III. SECURITY MECHANISMS IN VPNS (8)
   1. Basic Security Measures (8)
   2. Advanced Security Measures (8)
Conclusion (10)
Annex (11)



Introduction
Data communication via networks has increased to such an extent that we now live in the
“Information Age”. As a result, information has become the raw material of our society.
In this context, network security continually attracts the attention of the entire world
because of the high sensitivity of information. The most daunting challenge is thus to keep
data safe and secure while keeping it available anytime and anywhere for remote users.
Hence the adoption of mechanisms such as Virtual Private Networks: a secure point-to-point
connection between two private networks, or between two network devices, that uses a
public network instead of a private communication channel as the backbone for data
transmission. However, many security threats and breaches are still observed, and so the
issue of “Security in VPNs” arises. Does a VPN offer complete end-to-end security? First,
what are the security flaws undermining VPNs? Second, what measures can mitigate the
risks? More precisely, what security mechanisms are used to enforce security in VPNs?
Before all, we must understand the need for security in VPNs.

I. Understanding the need for security in VPNs

1. Purpose of VPN security.

When you access information from outside the corporate firewall, there is a security
exposure that does not exist when you log on from inside. That is where VPNs come into
play. VPNs are implemented to allow computers or networks to talk to each other over a
transport medium that is not secure. To achieve this goal, a VPN uses a computer at each
of the two or more ends of the transport medium, such as the Internet. Each end point of
the transport medium (the Internet) is called a Point Of Presence (POP). The firewall is
then configured to allow only certain types of remote access.



Instead of a dedicated, physical leased-line connection, VPNs use public networks such
as the Internet by means of virtual connections. These virtual connections are called
tunnels, and tunneling is the method used to route the data. In this mode of transmission,
data packets are encrypted and then encapsulated with the IP address of the device that
interfaces with the public network, usually a firewall.

2. Motivation for using VPNs.

Attractions of VPNs to organizations include:

- Due to shared facilities, they may be cheaper, especially in Capital Expense (CAPEX),
  than traditional routed networks over dedicated facilities.
- They can rapidly link enterprise offices, as well as small-office/home-office and
  mobile workers.
- They allow customization of security and quality of service as needed for specific
  applications.
- Especially when provider-provisioned on shared infrastructure, they can scale to meet
  sudden demands.
- They reduce Operational Expense (OPEX) by outsourcing support and facilities.

Given these advantages, virtual connections are widely adopted to carry all kinds of
data. That is why VPNs are an attractive target for attackers.

3. Concerns.
Security is therefore the main concern in implementing VPNs. VPNs must be designed and
operated under well-thought-out security policies, and the organizations using them must
have clear and appropriate security rules. When access extends beyond traditional office
facilities, where there may be no professional administrators, security must be
maintained as transparently as possible for end users.

In sum, a VPN is a tunnel designed to securely route data via public networks, allowing
anytime-anywhere access. Because of the high sensitivity of the information carried, VPNs
are a privileged target for hackers.

II. Potential vulnerabilities of VPNs.

1. Explaining network vulnerabilities.

Network vulnerabilities define how exposed an organization’s network and data are to
security threats. For instance, an employee might disclose a user name or password over
the phone or through e-mail to an impostor pretending to be one of the organization’s
network security technicians. A network technician might forget to update a virus
definition, leaving the network exposed and open to infiltration. A denial of service
attack might crash a server, leaving all the information on that computer inaccessible.
Unauthorized employees might install rogue programs that collect user names and
passwords with the intent of disclosing confidential information. At the very least,
attackers, hackers, and unauthorized information seekers target an organization’s
information to leave their personal mark; this is called the “graffiti of the 21st
century”. In the most diabolical security breaches, valuable information is copied,
stolen, or severely damaged, leaving the information’s owners to undertake expensive and
time-consuming recovery measures as well as to implement reinforced security. At worst,
your valuable information can be sold to other entities, including corporations and
persons, potentially negating its value to you and causing you great expense to recover it.
Although the following list of vulnerabilities is by no means comprehensive, it provides
a good start toward building a list of the common flaws that can affect the security
planning of an organization.

2. Common network vulnerabilities and security flaws.

- Social Engineering: a method of exploiting the human component of the security
  equation, rather than the hardware or software components, to gain access to computer
  networks and valuable data. An example is a phone call from an individual who pretends
  to be a fellow employee and urgently but politely requests your assistance; the request
  could be for something like a user name and password to log in.
- Eavesdropping and Data Interception: eavesdropping is the act of secretly listening in
  on voice and data communication channels, while data interception involves recording
  eavesdropped data without modifying it in any way. The simplest method of eavesdropping
  is watching someone enter his user name and password; remembering it is data
  interception. Current eavesdropping methods involve keystroke loggers, programs that
  are delivered through e-mail viruses to track all of a user’s keystrokes and mouse
  movements. Spyware can be used as a data-recording service.
- Denial of Service Attack: an attack in which hackers disrupt the normal flow of network
  and business activity by bombarding an organization’s network with specific patterns or
  types of traffic designed to harm or halt network and business functions or data flow.
  Common DoS attacks are: Ping Storms (flooding a service-providing computer with a
  barrage of ping commands; the volume of incoming pings prevents the computer from
  responding to other, legitimate requests), Spoofing (attempting to gain unauthorized
  access by using one of the legitimate IP addresses on the network to trick other
  computers on your network into allowing access to network resources and information),
  and E-Mail Cluster Bombs (attackers flood a victim computer with e-mail messages so as
  to consume the computer’s resources).
- Malicious Programs: malicious programs such as worms represent another important
  security threat that can devastate your organization’s operations. They come in
  different forms and can be introduced through many different media. The Internet is
  the pivotal channel in the spreading of malicious programs.

The following illustrates some attacks threatening VPNs:



To sum up, sending data via networks, and especially via VPNs, is easy. But taking into
account all these vulnerabilities, efficient security measures are required to make a VPN
a much harder target to hack. In addition to tunneling technology, encryption and
encapsulation, a VPN therefore needs to provide some basic network security measures.

III. Security mechanisms in VPNs.

1. Basic security measures.

- The first measure is to protect the user systems and the server with software capable
  of eliminating hacking tools and all potential viruses.
- The second measure is Authentication. This process identifies a user when he accesses
  the network (network resources), and then verifies the user’s identity, thereby making
  sure the data comes from where it is supposed to come from.
- The third measure is Access Control. After authentication, this process limits users’
  rights and privileges on network resources, so that only authorized users can gain
  access to specific resources.
- The fourth measure is User Education. Users should be trained on how to use VPNs
  efficiently and securely. They are the operators, so they must not disclose sensitive
  information that could compromise the network.

2. Advanced security measures.

Typical VPNs use encryption and encapsulation to create a secure communication channel
between two networks (or networking devices) in a mode of transmission known as
tunneling. In a tunnel, data packets are encrypted and then encapsulated with the IP
address of the device that interfaces with the public network, generally a firewall. The
encapsulation hides the IP address of the true source from any would-be Internet snooper
(this is the tunnel), while encryption scrambles the data so that only the intended
receiving device can decrypt and read the sender’s information. In another mode, known
as Transport Mode, only the data portion of each packet is encrypted; the source and
destination IP addresses remain intact.
The following is an overview of encryption and tunneling technologies.

- Encryption is the process of turning Plaintext or Cleartext, that is to say data in its
  original, readable character and numeric format, into scrambled information known as
  Ciphertext (encrypted cleartext). It is accomplished through software or hardware by
  applying an Encryption Key to an Encryption Algorithm (also known as a cipher: the
  sequence of mathematical instructions that performs the encryption). In this context,
  the more bits the encryption key has, the stronger the encryption. The reverse of this
  process is Decryption.
  There are two families: Secret Key Encryption (symmetric encryption), which uses a
  single shared key together with an encryption algorithm at both ends of the
  communication channel to encrypt and decrypt data transmissions, and Public Key
  Encryption (asymmetric encryption), which uses two keys, a public key and a private
  key. Some encryption protocols are: CIPE, SSL, IPSec.

- Recall that tunneling is a method of using an internetwork infrastructure to transfer
  data for one network over another network. Instead of sending packets (frames) as they
  are produced by the originating node, the tunneling protocol encapsulates them in an
  additional header that provides routing information, so that the encapsulated transfer
  can traverse the intermediate internetwork. For a tunnel to be established, both the
  tunnel client and the tunnel server must use the same tunneling protocol. Tunneling
  technology can be based (with Windows 2003) on either a Layer 2 or a Layer 3 tunneling
  protocol. These layers correspond to the Open Systems Interconnection (OSI) Reference
  Model. Layer 2 protocols correspond to the data-link layer and use frames as their unit
  of exchange; PPTP and L2TP are Layer 2 tunneling protocols, and both encapsulate the
  payload in a PPP frame to be sent across an internetwork. Layer 3 protocols correspond
  to the Network layer and use packets; IPSec tunnel mode is an example of a Layer 3
  tunneling protocol and encapsulates IP packets with an additional IP header before
  sending them across an IP internetwork.
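As an added example (not code from the original report), the following Python sketch models the two modes described above, IPSec tunnel mode and transport mode, so that the difference between "encapsulate with an additional IP header" and "encrypt only the data portion" can be seen byte by byte. It uses a simplified 12-byte header, an HMAC-SHA256 keystream as a constructed stand-in for a real cipher, and constructed sample addresses, key and payload; it checks what an observer on the public network can read in each mode.

```python
import hashlib
import hmac
import ipaddress
import struct

ESP = 50  # IANA protocol number for IPsec ESP

def keystream_xor(key, nonce, data):
    """Toy stream cipher (stand-in for AES): XOR data with an HMAC-SHA256 keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def ip_header(src, dst, proto, length):
    """Simplified 12-byte IPv4-style header: src, dst, protocol, payload length."""
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack(">HH", proto, length))

def parse_header(pkt):
    addrs = (str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in (0, 4))
    return tuple(addrs) + struct.unpack(">HH", pkt[8:12])

def transport_mode(inner, key, nonce):
    """Transport mode: original header stays in the clear; only the payload is encrypted."""
    src, dst, _, _ = parse_header(inner)
    enc = keystream_xor(key, nonce, inner[12:])
    return ip_header(src, dst, ESP, len(enc)) + nonce + enc

def tunnel_mode(inner, key, nonce, gw_src, gw_dst):
    """Tunnel mode: whole inner packet (header included) is encrypted behind a new outer header."""
    enc = keystream_xor(key, nonce, inner)
    return ip_header(gw_src, gw_dst, ESP, len(enc)) + nonce + enc

def visible_addresses(pkt):
    return parse_header(pkt)[:2]  # what an on-path observer can read from the outer header

def decapsulate(pkt, key):
    """Receiver: strip the outer header and decrypt (payload in transport mode, inner packet in tunnel mode)."""
    nonce, enc = pkt[12:20], pkt[20:]
    return keystream_xor(key, nonce, enc)

# Constructed sample: a host behind gateway 203.0.113.1 sends to a host behind 198.51.100.2.
KEY = b"constructed-shared-secret"
NONCE = b"\x00" * 7 + b"\x01"
PAYLOAD = b"GET /payroll HTTP/1.1"
INNER = ip_header("10.0.0.5", "10.1.0.7", 6, len(PAYLOAD)) + PAYLOAD
TRANSPORT = transport_mode(INNER, KEY, NONCE)
TUNNEL = tunnel_mode(INNER, KEY, NONCE, "203.0.113.1", "198.51.100.2")
```

A real ESP packet also carries a sequence number and an integrity check value, which this sketch omits to keep the mode difference in focus.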

To mitigate the security vulnerabilities mentioned earlier, these are the security
mechanisms used:



Conclusion
Network security, VPN or not, is a major concern. Security in VPNs is pre-eminent to
their use as an alternative to a WAN. While organizations tend to think a VPN is a secure
network, there are in fact many reports and alerts that disclose loopholes in VPNs.
It is therefore wisest to state that complete end-to-end security is not guaranteed. Thus
system patches, antivirus software together with a firewall, additional encryption of
data between the user application and the server application, and vigilance on the part
of the administrator are needed.



Additional information on VPN protocols:

Point-To-Point Protocol (PPP) transports IP-based data packets across point-to-point
links. The protocol encapsulates data before transporting it over the link. PPP uses a
two-way connection, also referred to as a duplex connection.

Point-To-Point Tunneling Protocol (PPTP): an extension of PPP which allows the use of
Public Switched Telephone Networks (PSTNs) to transmit data.

Layer 2 Forwarding (L2F) protocol: used for remote access technology. It means a remote
user can access a private network using a single dial-up connection. Its main asset is
that it supports multiple simultaneous sessions within the tunnel.

Layer 2 Tunneling Protocol (L2TP): a combination of the PPTP and L2F protocols, so it
provides the features of both: scalable and low-cost remote access like L2F, and a
point-to-point connection similar to PPTP.

IP Security Protocol (IPSec) is an Internet security protocol, developed by the IETF and
implemented at layer 3. It is a collection of security measures that address data
privacy, integrity, authentication, and key management, in addition to tunneling. It
does not cover key management.

CIPE stands for Crypto IP Encapsulation. It is used as an encryption protocol.

Secure Sockets Layer (SSL): an industry-standard public-key encryption technique,
developed by Netscape Communications, that is used to secure web-based communication
and transactions. It is activated in your web browser when you create a digital
certificate with a certificate authority.

Kerberos is a secret-key encryption system used in client/server environments for
secure authentication between computers. Common implementations of Kerberos include
encrypted communication between clients and servers for applications like telnet and
ftp, which would otherwise be unsecured. It also distributes the shared secret key
between computers.

For more articles, join us on:
http://computershark.blogspot.com
