A Virtual Private Network Breakdown
Author: Shai Hulud (shai_hulud@fatelabs.com) www.fatelabs.com
What is a VPN
A Virtual Private Network (VPN) provides secure, encrypted communication between a network and a remote host or another remote network over the public Internet. VPNs allow two separate locations to establish 3DES-encrypted tunnels between nodes in order to protect against man-in-the-middle (MITM) attacks and other security weaknesses found in the IP protocol.
The VPN Difference
Virtual Private Networks differ from a regular Internet connection in the way the connection is protected.
Encryption
By default, the software client for the VPN server uses 56-bit DES encryption. This, however, is not the strongest encryption available through Virtual Private Networks. Although United States export restrictions prevent shipping devices with encryption stronger than single DES to other countries, all VPNs deployed within the borders of the US are encouraged to use Triple DES (3DES). VPNs use a combination of cryptographic mechanisms to address the inherent problems found in the IP protocol. Those used in the VPN transactions are ESP (Encapsulating Security Payload), SHA (Secure Hash Algorithm), and Diffie-Hellman 1024-bit Group 2 key exchange.
IP SECURITY
Rapid advances in communication technology have accentuated the need for
security in the Internet. The IP Security Protocol Working Group (IPSEC) has
developed mechanisms to protect client protocols of IP. A security protocol in
the network layer will be developed to provide cryptographic security
services that will flexibly support combinations of authentication, integrity,
access control, and confidentiality.
The protocol formats for the IP Authentication Header (AH) and IP Encapsulating Security Payload (ESP) will be independent of the cryptographic algorithm. The preliminary goals will specifically pursue host-to-host security followed by subnet-to-subnet and host-to-subnet topologies. IPSEC focuses on the security that can be provided by the IP layer of the network. It does not concern itself with application-level security such as PGP. We can divide the security requirements into two distinct parts:
Confidentiality is the property of communicating such that the intended recipients know what was being sent, but unintended parties cannot determine it. A mechanism commonly used for providing confidentiality is called encryption. IPSEC provides confidentiality services through Encapsulating Security Payload (ESP). ESP can also provide data origin authentication, connectionless integrity, and anti-replay service (a form of partial sequence integrity). Confidentiality can be selected independent of all other services.
There are two modes for providing confidentiality using ESP. One is transport mode, and the other is tunnel mode. Tunnel mode encapsulates an entire IP datagram within the ESP header. Transport mode encapsulates the transport layer frame inside ESP (the term 'transport mode' should not be misconstrued as restricting its use to TCP and UDP). When incorporating the ESP into the IP system (IPv4, IPv6, or Extension), the protocol header immediately preceding the ESP header will contain the value 50 in its Protocol (IPv4) or Next Header (IPv6) field.
In order to use the security mechanisms, we must agree on how they are going to be used. A Security Association (SA) is a set of security information relating to a given network connection or set of connections. The concept of an SA is fundamental to both the IP ESP and the IP AH. The combination of a given Security Parameter Index (SPI) and destination address uniquely identifies a particular SA. This model is required of IPSEC implementations, which may also support other options. An SA normally includes the following parameters:
Required
- Authentication algorithm and algorithm mode being used with the IP AH.
- Key(s) used with the authentication algorithm in use with the AH.
- Encryption algorithm, algorithm mode, and transform being used with the IP ESP.
- Key(s) used with encryption algorithm in use with the ESP.
- Presence/absence and size of a cryptographic synchronization or initialization vector field for the encryption algorithm.
Recommended
- Authentication algorithm and mode used with the ESP transform (if any in use).
- Authentication key(s) used with the authentication algorithm that is part of the ESP transform (if any).
- Lifetime of the key or time when key change should occur.
- Source address(es) of the SA; this might be a wild-card address if more than one sending system shares the same SA with the destination.
- Sensitivity level (for example: Secret or Unclassified) of the protected data [required for all systems claiming to provide multi-level security, recommended for all other systems].
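
The following Python sketch is an added example, not part of the original article. It shows how a receiver recognizes ESP by the value 50 in the IPv4 Protocol field and selects the SA by the (SPI, destination address) pair. The `SecurityAssociation` fields, the `SAD` table, the algorithm labels, and all addresses and keys are constructed for illustration.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

ESP_PROTOCOL = 50  # IPv4 Protocol field value when an ESP header follows

@dataclass
class SecurityAssociation:
    """Hypothetical record with a subset of the SA parameters listed above."""
    esp_cipher: str                   # encryption algorithm and mode (label only)
    esp_key: bytes                    # key used with the encryption algorithm
    iv_size: int                      # size of the IV field, 0 if absent
    esp_auth: Optional[str] = None    # recommended: authentication algorithm
    lifetime_s: Optional[int] = None  # recommended: key lifetime in seconds

# Constructed SA database. The same SPI appears twice: only the pair
# (SPI, destination address) identifies an SA.
SAD = {
    (0x1000, "192.0.2.10"): SecurityAssociation("3des-cbc", bytes(24), 8, "hmac-sha1", 3600),
    (0x1000, "192.0.2.20"): SecurityAssociation("des-cbc", bytes(8), 8),
}

def build_ipv4_esp(dst: str, spi: int, proto: int = ESP_PROTOCOL) -> bytes:
    """Constructed sample packet: 20-byte IPv4 header, SPI, opaque payload."""
    body = struct.pack("!I", spi) + bytes(16)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto,
                         0,  # checksum left at 0; this sketch does not verify it
                         socket.inet_aton("198.51.100.1"), socket.inet_aton(dst))
    return header + body

def lookup_sa(packet: bytes):
    """Return (spi, dst, sa) for an IPv4 ESP packet; sa is None when no SA matches.
    Return None when the packet is not well-formed IPv4 carrying ESP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # header length, options included
    if ihl < 20 or len(packet) < ihl + 4 or packet[9] != ESP_PROTOCOL:
        return None
    dst = socket.inet_ntoa(packet[16:20])
    (spi,) = struct.unpack("!I", packet[ihl:ihl + 4])  # SPI leads the ESP header
    return spi, dst, SAD.get((spi, dst))  # a receiver drops packets with no SA

if __name__ == "__main__":
    for dst, spi in [("192.0.2.10", 0x1000), ("192.0.2.20", 0x1000), ("192.0.2.10", 0x2000)]:
        print(lookup_sa(build_ipv4_esp(dst, spi)))
```
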