With the rise of technology, security has become a major and extremely common concern. Businesses as well as individuals want their information to stay secure. An evolving technology known as a VPN, or Virtual Private Network, is one way to provide that security. In recent years many businesses have had their data leaked or outright stolen by outside parties. A VPN is what its name implies: a private network carried over a shared, virtual medium. “A VPN enables you to send data between two computers across a shared or public internetwork in a manner that emulates the properties of a point-to-point private link” (Microsoft). Employees are able to securely connect to their work network from anywhere with an internet connection. This provides huge benefits not only for the business but for the employee as well. The key point of the whole implementation is security. Businesses need to keep their networks secure, as well as the data of all of their employees and customers. VPNs help ensure that while providing other services as well.
There are different ways of implementing VPNs. The two most popular types are remote-access and site-to-site. Remote-access is the most commonly used; in business it lets an employee go home and still connect to the business’s private network. Site-to-site is used especially when companies merge or when a company has several sites that need to be connected to the same network. With the arrival of smartphones, businesses also need those devices to connect securely. A smartphone connected to a VPN has much the same functionality as a personal computer, which makes sense given that smartphones are practically miniature computers to begin with. You are able to connect them to VPNs much like any other client. Connecting your smartphone to your business’s network through a VPN adds another layer of security to the network.
Image adapted from http://static.ddmcdn.com/gif/vpn-2.gif
The above diagram is an example of a site-to-site VPN. This is the less commonly used type, but it is still very important for businesses all around the world. When dealing with company mergers, for example, site-to-site VPNs are extremely important. A business will want its partner company to be able to connect to its intranet, but it needs to be able to do this securely. A VPN provides a secure tunnel between networks over the internet, allowing exactly this. Remote-access works the same way, except that instead of a partner company the far end is usually an employee. Imagine one of those branch offices is an employee’s home: they would be able to work from home by connecting to the network at their business through a VPN.
However, this is not an end-all solution to the issues of security. VPNs have flaws of their own, including security threats. Depending on the VPN you use, be it software or hardware, each has its limitations. There are also security issues with the operating systems that run these VPNs, which cause problems depending on compatibility. There are other differences between VPNs because there are many different kinds. These kinds are distinct from the implementation types (remote-access and site-to-site) described above; the kinds described here are the different functional types of VPNs. There are both software and hardware VPNs made by a myriad of different companies. Hardware VPNs are seen as the most secure because they run on a proprietary piece of hardware. However, as technology develops, so does the software, so software VPNs are becoming more viable in businesses around the world.
History of VPNs
To understand VPNs, it first must be explained how they came to exist. Businesses didn’t always have access to the internet; they used to have to keep all of their information and data in file cabinets. With the introduction of computers, companies were able to be a lot more flexible with their information. Many companies created their own intranets to transfer data within the organization, using enormous computers the size of rooms for processing and storing data. The whole idea of virtual private networks stems from these private networks that companies used to have. VPNs have to be a lot more secure, though, because they run over the internet. Companies never had to worry much about the internet a few decades ago: most either didn’t use it that much or didn’t worry about it, and the internet has become a lot more malicious over the years.
In the modern day and age, companies from all across the globe can connect to each other, so it becomes difficult to maintain data security and integrity. Ever since the introduction of the internet, businesses have been trying to integrate it seamlessly with their own operations. It is an extremely useful resource that provides many different features, but security is always an issue. Cisco put it nicely in saying that “As the popularity of the Internet has grown, businesses have turned to it as a means of extending their own networks. First came intranets, which are sites designed for use only by company employees. Now, many companies create their own Virtual Private Networks (VPNs) to accommodate the needs of remote employees and distant offices” (Cisco). Many jobs now are purely technological or digital. This allows a lot of flexibility when it comes to working at your business or, in many people’s cases, from their own home. So clearly businesses want to stay secure when allowing people to work from home.
That is the main reason that VPNs were created in the first place. Microsoft defines a VPN as an “extension of a private network that encompasses links across shared or public networks like the Internet. A VPN enables you to send data between two computers across a shared or public internetwork in a manner that emulates the properties of a point-to-point private link. The act of configuring and creating a virtual private network is known as virtual private networking” (Microsoft). Figuratively speaking, companies have always had their own “private networks”; they aren’t limited to the use of digital media. Companies have always been focused on business within themselves. However, with the introduction of the internet, commerce is becoming more of a global dilemma. As companies’ digital presence grows, their physical presence grows as well. That is why VPNs are so vital to the growth and prosperity of a business: businesses need to be able to communicate with themselves across different physical sites.
VPN Technical Aspects
To understand exactly how VPNs work, it’s best to start from their origin. It’s hard to say exactly where VPNs originated because the definition is very broad: a VPN can consist of thousands of computers or only a couple. Still, it’s important to know how VPNs function as well as how they came to fruition. Like most technologies relating to the internet, VPNs started with a protocol, the Point-to-Point Tunneling Protocol (PPTP). Galen Gruman of Computerworld.com defines PPTP as follows: “Point-to-Point Tunneling Protocol is a way to encode information for transmission across networks that use the Internet Protocol. Originally designed to let remote users dial in to a network, it’s also used to connect one local network to another via the Internet in a system known as a virtual private network” (Gruman). Its predecessor, the Point-to-Point Protocol (PPP), was designed to let users remote into their own network over a direct connection to its server. PPP was the basis for the protocol that most VPNs use today, PPTP. PPTP’s major difference from PPP is that it uses “the Internet as the connection medium, rather than requiring a direct connection between the user and the network” (Gruman). That means PPTP is able to cover a lot more area by utilizing an internet connection. It also provides a lot more flexibility than having to connect to your own network through a dedicated server.
PPTP
There are two ways of describing how PPTP works. Gruman provides a good definition for laymen: “The process of routing one protocol through another is called tunneling — it’s a bit like having an astronaut wear a spacesuit to go from one spacecraft to another. The suit maintains the air the astronaut needs. Think of the protocol — for example, Novell Inc.’s IPX or Apple Computer Inc.’s AppleTalk — as the suit he wears as he travels through a vacuum, or IP in the case of PPTP” (Gruman). This is extremely important to security professionals, because you always want your data to be as secure as possible. Most people know that you can’t completely prevent security issues; you have to do your best to mitigate them. Using PPTP is a good way to do this. It provides a tunnel to direct your network traffic through, so you can think of the “astronaut suit” as protection for all of the data that you’ll be sending through the public space known as the Internet. The following image, courtesy of Microsoft, is to help with the more technical description of a PPTP connection.
Gruman gives a good three-step process for using PPTP within a VPN. First, “The remote client makes a point-to-point connection to the front-end processor via a modem” (Gruman). This is most commonly done by the user logging into the dedicated VPN software or program that their business provided after setting up its VPN. Next, they use that connection to “establish a secure “tunnel” connection”, which “then functions as the network backbone” (Gruman). So the user connects to the VPN server at their business through PPTP, and they now have a secure tunnel connection. Lastly, “The remote access server handles the account management and supports data encryption through IP, IPX or NetBEUI protocols” (Gruman). Once you’ve made the connection over the internet to the business’s VPN server, the server has to make sure that you are who you say you are. Using Internet Protocol (IP) and Internetwork Packet Exchange (IPX), the VPN server is able to identify the user and then allow them into the network. These protocols also help to support encryption within the network. When dealing with your company’s network and users connecting remotely over public space, you want all of those exchanges to be encrypted.
However, PPTP is not the only way to make a secure connection over the internet to a VPN. Two more recent protocols were designed with security in mind: Internet Protocol Security (IPsec) and the Layer Two Tunneling Protocol (L2TP). As their names suggest, these are improvements over PPTP in the security department.
L2TP
L2TP is a protocol that combines two existing protocols, PPTP and Layer 2 Forwarding (L2F). Layer 2 Forwarding was developed by Cisco to provide virtual private network connections over the internet (Cisco). One of its biggest flaws was that it provided no encryption; its security approach rested on the fact that you were using a tunnel within the internet. In a modern application this would not be very useful, as someone would only have to get onto the network or look at the packets traveling within the tunnel.
L2TP takes the already established L2F protocol and adds in PPTP as well, so what the VPN is left with is a more secure way to handle traffic. However, L2TP isn’t usually used on its own; it’s most commonly used in conjunction with IPsec. The picture below helps to show a common L2TP connection. On its own it’s still very insecure, because L2TP relies on authentication as its main source of security. The user creates a PPP connection through their ISP, over the internet, to their company’s network. The ISP provides part of the authentication before the traffic goes over the internet. Then the company’s L2TP server confirms the authentication and terminates the PPP session. After this happens, the L2TP server hands the packets that were just transferred to the company’s LAN, creating a connection to the remote user.
IPsec
IPsec is a protocol developed to protect the information contained within IP packets. Microsoft states that IPsec uses cryptographic security to protect networks, and it does so at the third layer of the OSI model, the network layer. IPsec provides “peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection” (Microsoft). So how exactly is this used within a VPN environment? Sending packets through a secure tunnel doesn’t mean that the information is entirely secure; the packets themselves need to be secured as well. IPsec helps ensure this in conjunction with other protocols. As stated before, this is most common with L2TP: when people describe an L2TP VPN, they very rarely mean a VPN without IPsec, and the two protocols are found together quite often. This diagram from Microsoft helps explain exactly what is going on in an L2TP / IPsec VPN connection.
This is a common IP packet that is utilizing L2TP and IPsec. As explained before, L2TP utilizes PPP to transfer data, so for L2TP to transfer the IP packet through a tunnel it wraps the packet within a PPP payload. This is what is shown in the brown area. The light green section is where IPsec comes into play. A protocol within IPsec is ESP, the Encapsulating Security Payload. In short, ESP is designed for encryption and authentication. This is a client-side authentication that is required on both clients being connected; it works like a certificate for added security when traveling through a VPN. That is why L2TP and IPsec work so well with each other: one handles the transportation of the packets, and the other handles the securing of the information contained within.
Authentication
As mentioned earlier, security is one of the most important issues when dealing with VPNs. There are security measures you want to uphold when setting up a VPN, but you also need to keep in mind the functionality of the VPN. Microsoft says that “The solution must allow roaming or remote clients to connect to LAN resources, and the solution must allow remote offices to connect to each other to share resources and information (router-to-router connections)” (Microsoft). So when you have people connecting in from different locations, security becomes a big issue. You don’t want the wrong people connecting to your network, and you also don’t want the wrong information being transferred throughout the network. One measure that can be taken is to use authentication. Setting up a VPN and allowing anyone to connect to it defeats the purpose of the VPN in the first place. You want measures in place that force users to authenticate, so you know they are who they say they are. Another issue is data encryption. When dealing with a VPN in a business, the user is usually handling important information relating to the business, but using it outside the business. So you want to make sure that all the data that user is transferring is encrypted, especially when traveling over public spaces like the Internet.
Authentication is a large part of many technological processes, and VPNs are no exception. Different VPNs use different forms of authentication, but almost all of them recommend having it. One industry-standard protocol that’s popular for authentication is RADIUS, or Remote Authentication Dial-In User Service. Microsoft gives a good explanation of how exactly RADIUS works: “When the RADIUS server receives the request, it first validates the RADIUS client. If the RADIUS client cannot be validated, the RADIUS server does not respond, not even to reject the connection request. After validating the RADIUS client, the RADIUS server then checks a user database to match the user making the request. The RADIUS server returns a response in the form of Access-Accept or Access-Deny to the client” (Microsoft). The first part of this is interesting because if the user fails to authenticate, the RADIUS server won’t even tell them that they weren’t validated. This also applies when a user doesn’t have authorization to the server. That leads to the next part, about the RADIUS server checking the user database to make sure it is indeed the correct user. It’s also checking that user’s permissions to make sure they are supposed to have access to what they are trying to log in to.
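To make the quoted RADIUS behaviour concrete, here is an added Python model (not code from the page’s sources) of the exchange between a VPN server acting as the RADIUS client and a RADIUS server, following RFC 2865: a request from an unknown client gets no answer at all, the User-Password attribute is hidden with the shared secret and the Request Authenticator, and the Response Authenticator lets the VPN server reject a forged Access-Accept (RFC 2865 calls the deny Access-Reject). The client address, shared secret and user record are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed sample data for this example: the VPN server address from the log
# later in this report acts as the RADIUS client (NAS); secret and user are made up.
RADIUS_CLIENTS = {"192.168.70.39": b"constructed-nas-shared-secret"}
USER_DB = {"student": b"correct horse battery"}

def _xor_chain(data: bytes, secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    """XOR each 16-byte block with MD5(secret + previous hidden block); the first
    'previous block' is the Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(b ^ m for b, m in zip(block, mask))
        out += result
        prev = result if hiding else block  # chaining always uses the hidden block
    return out

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: NUL-pad to 16-byte blocks, then apply the chained XOR."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, request_auth, hiding=True)

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; only a holder of the shared secret can do this."""
    return _xor_chain(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")

def encode_attrs(attrs) -> bytes:
    """Each attribute is Type(1) Length(1, counting these two bytes) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        length = data[i + 1] if i + 1 < len(data) else 0
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + length]))
        i += length
    return attrs

def build_access_request(ident: int, username: str, password: str, secret: bytes) -> bytes:
    """What the NAS sends: Code, Identifier, Length, a random 16-byte Request
    Authenticator, then the attributes."""
    request_auth = os.urandom(16)
    body = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def build_response(code: int, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret):
    it binds the answer to this request and proves the responder knows the secret."""
    header = struct.pack("!BBH", code, ident, 20)  # no attributes in this reply
    return header + hashlib.md5(header + request_auth + secret).digest()

def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check: an Access-Accept whose authenticator does not verify is ignored."""
    if len(response) < 20:
        return False
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(resp_auth, expected)

def handle_request(packet: bytes, src_ip: str):
    """Server side, as in the Microsoft description: validate the RADIUS client first
    and silently drop (return None) if unknown, then check the user database."""
    secret = RADIUS_CLIENTS.get(src_ip)
    if secret is None or len(packet) < 20:
        return None  # no reply at all, not even a reject
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    request_auth = packet[4:20]
    try:
        attrs = dict(decode_attrs(packet[20:]))  # enough here; real attributes may repeat
    except ValueError:
        return None
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    hidden, stored = attrs.get(ATTR_USER_PASSWORD), USER_DB.get(username)
    ok = hidden is not None and stored is not None and hmac.compare_digest(
        reveal_password(hidden, secret, request_auth), stored)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)
```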
Another form of authentication is computer-level authentication, of which there are two types: computer certificates and pre-shared keys. Computer certificates are the recommended form; Microsoft even says that pre-shared keys are best suited to a lab environment and not to an actual implementation of VPNs. The computer certificate method requires a public key infrastructure, or PKI. This PKI is used in conjunction with L2TP and IPsec within a VPN connection. It provides a public key authentication method for users that increases the security of the network, because it establishes trust between the two computers communicating. That way the server is able to tell that the user is who they say they are. It also adds a layer of security to uphold data integrity.
Vulnerabilities
VPNs are an excellent tool for securing traffic traveling in and out of your network. But like many tools used to mitigate threats, VPNs have vulnerabilities of their own. A VPN is only as strong as the network it’s being used within. A VPN is not a tool that secures entire network connections; it is a tool that creates secured tunnels from one point to another. The biggest threat to VPNs, though, is the users themselves. There are other vulnerabilities as well, like software and hardware flaws, but those are a lot harder to control.
User Threats
The main vulnerability of a VPN is the handling of the secured and encrypted information about that VPN. Roy Hills of NTA Monitor wrote a paper outlining some VPN security flaws; although it was written in 2005, some of the ideas pointed out in the paper still hold true today. One large issue is the insecure storage of the authentication credentials of VPN clients. Some examples he included were “storing the username unencrypted in a file or the registry, storing the password in a scrambled form, storing the plain-text password in memory, etc.” (Hills 7). The biggest threat to technology is always the user. So if a networking team doesn’t correctly configure their VPN, they might not realize where their authentication information is being stored. There’s no need for a malicious attacker to work around a VPN if they are able to easily get certificates or authentication information. If that happens, they can easily impersonate a client within the VPN and get in with no problem.
Another issue created by unknowledgeable users is the creation of configuration files and proper documentation. This issue is so common in networking that it’s amazing it still happens. VPNs, whether software or hardware, usually ship with a default configuration. Hills stated that “The end-users generally assume that the default configuration is secure because they trust the vendor to choose sensible defaults” (Hills 14). A large mistake that most people make is complacency: people don’t bother changing the configuration because they feel it should be secure enough out of the box. For example, software like OpenVPN may come with default configuration files, but it’s recommended to change them to fit the infrastructure of your network. Every network is different, and configurations that work for some won’t work for others.
Hardware and Software Threats
Another threat to VPNs is the inevitable issue of software and hardware bugs. With hardware, there is always a chance that a part will fail over time: something may short-circuit, or another part might simply cease functioning. With software, there is the issue that a certain release will contain a new vulnerability that was not present in prior releases. Either way, these vulnerabilities are hard to prevent, as you usually have to treat them on a case-by-case basis.
Take Cisco, for example. A lot of businesses use them for all of their networking needs; they’re a very trusted company. However, Cisco would be lying if they said that the hardware they provide is flawless. A recent example is a VPN denial-of-service vulnerability that they found on January 22, 2013. This information is gathered from one of the many vulnerability notices Cisco posts about its hardware and software. Cisco stated that “The vulnerability is due to the improper interaction between the VPN driver and the operation system kernel on a device running the software” (Cisco). This vulnerability allows a VPN client to cause a denial of service within the system.
Project
Background
I’ve always been interested in VPNs. I never got to work on them much during my four years of college at Champlain. I got some experience with them in my routers class, but other than that my knowledge was not that extensive. The break before the start of this semester, I had a talk with my father about his company’s (AT&T) VPN that really piqued my interest. He talked about how his company is developing their VPN to allow the use of mobile devices as well as personal computers. The growing smartphone market, in combination with my interest in VPNs, made it clear what project I wanted to do. I wanted to set up various VPNs and test their capabilities. This mostly involved the security advantages of different VPNs as well as bandwidth testing of the VPNs. I was interested in seeing if all the encryption that VPNs do leaves an impact on the bandwidth of your network.
Materials
The main materials of this project were in the hardware department. I needed something to run the server and clients from for the VPNs that I was going to create. I also needed network devices that I was able to monitor bandwidth on. So I used my personal computer, which has an i7-2600 CPU @3.40GHz, 12 GB of RAM and a normal Ethernet adapter. I also used my laptop with a dual-core CPU T9550 @2.66GHz, 4 GB of RAM, and a normal Ethernet adapter as well as a wireless NIC. I also used a Linksys wireless router, model no. WRT54GL. I used this as a switch to route VPN traffic through because the router in my room at my dormitory blocks a lot of ports. Lastly, I used my Samsung Galaxy S3 smartphone as the mobile device that I used for the mobile VPN client. So I was unable to properly set up a VPN within my network without the Linksys router. The different software that I used was Hamachi and OpenVPN. These are two open source VPN programs that allow you to set up VPN servers and clients. They are both used very commonly and highly recommended. I wanted to work with hardware VPNs but was unable to allocate time properly to perform this.
Planning
The first thing I had to do was create an infrastructure for both of the VPNs that I was using. Hamachi was easier because I had worked with it before. Hamachi provides a lot of different features. They allow you to remote to other computers through their VPN service within a webpage. They also allow you to set up your own VPNs and then connect clients to them. However, when connecting to them over the internet, you’re still connecting through Hamachi’s servers as well. Because Hamachi is so easy to use, this didn’t take long. Their VPNs come pre-configured, and for the free version that I was using there are not many other options. You can pay money in a subscription form to unlock more features that Hamachi provides. With this project, I just looked at the free version. They allow you to easily set up a VPN network in a few clicks, and then the encryption and certificates are handled automatically.
OpenVPN was more of a challenge for me. I had never worked with it before this point, so I had to kind of teach myself how to set it up. OpenVPN provides a lot more customizability than Hamachi simply because it provides everything for free. It provides it in the sense that you have to create configuration files that utilize its features. They had sample server and client configuration files that helped a lot in setting up my VPN. However, I still had to set up the certificate server within the VPN. You have to create security keys for the server and client so they can authenticate in the first place. You then have to create certificates for each and every client manually and distribute these keys. These certificates act as tokens to prove to the server that the client is who they say they are. The biggest bonus that I saw with OpenVPN is the ability to provide mobile VPN functionality. This turned out to be a lot easier than I originally thought.
Implementation and Testing
I started my testing with Hamachi. I felt most comfortable with Hamachi, and I felt as if it would provide the easiest results to obtain. I started by downloading and installing their software, which is free. The software for their client and server is the same. The only difference is the creation of a network through their wizard that you go through on the server. This wizard is very easy to do; you really just input common information and then create it: things like the name of the network, the type of topology, its size, etc. There’s no real configuration that goes on during this aspect. Once you have the server connected, it gives it an IP and creates a network adapter on the machine. The network adapter is a virtual networking adapter that Hamachi uses. A VPN is essentially another network, so it makes sense that it would require another adapter. After that is set up, you simply go onto the client and connect to the server using the IP that was provided to you.
After this was completed, I had an up and running VPN server that I could do tests on. The nice thing about Hamachi was that I was able to do bandwidth tests over the internet because it rerouted the traffic to their servers. So I did a lot of bandwidth testing with the use of a tool called NetStress. What this tool does is create traffic artificially. It will throttle that traffic through the network address that you specify. So I specified that I wanted it to go from the Hamachi server to the Hamachi client. What I was doing with NetStress was to test the traffic when Hamachi had encryption turned on and when it had it turned off. Hamachi uses 256-bit AES encryption, which is a very common encryption method. You can go into the preferences to turn off the encryption, and that’s what I did.
These are examples of some of the bandwidth tests that I did within Hamachi. The top image is when it was encrypted and the bottom is when it was unencrypted. There is a difference in bandwidth, however not as much as I would have hoped. It appears I underestimated just how efficient our encryption algorithms have gotten over the last few decades. Hamachi can utilize encryption without losing much bandwidth performance, which is a very large positive.
The majority of my project was done with OpenVPN, and I’m glad about that. I wanted to learn more about this tool because I had never really used it before. I didn’t know what I was getting myself into, so I started on their website and downloaded the software needed. They also have a service similar to Hamachi where I’m able to remote into their VPN servers and tunnel my traffic through them. However, I didn’t do that because I wanted to be able to set up my own functioning VPN server and clients. OpenVPN is packaged with a lot of different files with its default configuration. The first thing I did was download their default configuration files for both server and client. I used my desktop as a client and I used my laptop as a server. So the laptop is where I did most of the initial work. The initial configuration files have about 250 lines of text. However, for this simple installation, I only needed about 20 or 30 of them. The first thing I did was create the key used for authentication. This was labeled as static.key. You create it using files that OpenVPN provides for you. You then give this key to both the server and the client. That is proof that they are both on the private network legitimately. Then I had to set up the certificate authority to provide certificates for each of the clients within the network. The first image below is the generation of the certificate for the server. It requires simple information like country, state, etc. You input this and it creates a certificate for the server. The second image is the same type of configuration but for the client. Again, the same type of information was required.
These certificates are required both on the server and the client. They are used to authenticate that the client connecting is in fact who they say they are. You have to create a client certificate for each different client on your network. Using the same certificate twice results in issues that I will talk about later on when I implemented mobile clients.
The other areas of the configuration of the client and server were fairly simple. I had to direct which IP they were heading to. Because I was using a switch and the two virtual adapters were on the same LAN, this was fairly simple. I just gave each computer IP addresses like 10.8.0.1 and 10.8.0.2. However, because of technical difficulties with my router, I was never able to properly direct traffic through my router. It had ports closed, and I assume it had port 1194 closed, which is where OpenVPN was trying to send traffic through. I was able to set up encryption successfully though. OpenVPN provides many more encryption methods than Hamachi does. For the free version, Hamachi only provides AES-256. OpenVPN provides any encryption method that’s contained within the OpenSSL libraries. This gives it about 15-20 different encryption options. In the sense of equality, however, I went with AES-256 again. Below is part of the log file after I made successful connections to my VPN server through my client.
Sun Apr 14 08:37:17 2013 VERIFY OK: depth=1, C=US, ST=VT, L=Burlington, O=Champlain, OU=changeme, CN=Student, name=Student, [email protected]
Sun Apr 14 08:37:17 2013 VERIFY OK: depth=0, C=US, ST=VT, L=Burlington, O=Champlain, OU=changeme, CN=StudentServer, name=Student, [email protected]
Sun Apr 14 08:37:17 2013 Data Channel Encrypt: Cipher ‘AES-256-CBC’ initialized with 256 bit key
Sun Apr 14 08:37:17 2013 Data Channel Encrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
Sun Apr 14 08:37:17 2013 Data Channel Decrypt: Cipher ‘AES-256-CBC’ initialized with 256 bit key
Sun Apr 14 08:37:17 2013 Data Channel Decrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
Sun Apr 14 08:37:17 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sun Apr 14 08:37:17 2013 [StudentServer] Peer Connection Initiated with [AF_INET]192.168.70.39:1194
What’s happening here is the certificate authentication and encryption initialization. The first two lines show that the Student client has the CN (Certificate Name) of Student. It is connecting to the certificate server with a CN of StudentServer. They are exchanging certificate information to ensure that the certificate for the client was one that was created by my certificate server. The next five lines of text have to do with the encryption of the VPN. The encryption that I specified in the configuration file was AES-256, and it’s being initialized here. The other encryption that was in the configuration by default was SHA1 for HMAC authentication. Then the last line of text shows that I successfully created a connection with my server. The server is replying saying that the connection is es
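As an added example (not code from this project or from OpenVPN), here is a Python checker that reads the kind of client log shown above and reports what the handshake actually negotiated against an assumed policy: it confirms the certificate chain was verified at both depths and that the server’s CN (the X.509 Common Name) is the one expected, as the PKI trust described under Authentication requires, then flags the TLSv1 control channel and the 1024-bit RSA key visible in this log. The sample lines are constructed from the log above (email field dropped), and the thresholds are the example’s own choices, not OpenVPN defaults.

```python
import re

# Constructed sample modeled on the OpenVPN client log shown above (the
# email field is dropped); not a capture from a real system.
SAMPLE_LOG = """\
Sun Apr 14 08:37:17 2013 VERIFY OK: depth=1, C=US, ST=VT, L=Burlington, O=Champlain, OU=changeme, CN=Student, name=Student
Sun Apr 14 08:37:17 2013 VERIFY OK: depth=0, C=US, ST=VT, L=Burlington, O=Champlain, OU=changeme, CN=StudentServer, name=Student
Sun Apr 14 08:37:17 2013 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Apr 14 08:37:17 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 14 08:37:17 2013 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Apr 14 08:37:17 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 14 08:37:17 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sun Apr 14 08:37:17 2013 [StudentServer] Peer Connection Initiated with [AF_INET]192.168.70.39:1194
""".splitlines()

# Patterns for the line types the audit needs (curly quotes accepted because
# copy-pasted logs, like the one in this report, often carry them).
VERIFY_RE = re.compile(r"VERIFY OK: depth=(\d+), (.*)$")
CIPHER_RE = re.compile(r"Data Channel Encrypt: Cipher ['‘](\S+)['’] initialized with (\d+) bit key")
HMAC_RE = re.compile(r"Data Channel Encrypt: Using \d+ bit message hash ['‘](\S+)['’] for HMAC")
CONTROL_RE = re.compile(r"Control Channel: TLSv([\d.]+), cipher \S+ (\S+), (\d+) bit RSA")
PEER_RE = re.compile(r"\[(\S+)\] Peer Connection Initiated with \[AF_INET\]([\d.]+:\d+)")

# Policy thresholds: assumed values for this example, not OpenVPN defaults.
MIN_TLS_VERSION = 1.2
MIN_RSA_BITS = 2048
ALLOWED_DATA_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305", "AES-256-CBC"}


def parse_subject(text: str) -> dict:
    """Turn 'C=US, ST=VT, ..., CN=Student' into a dict of X.509 name fields."""
    fields = {}
    for part in text.split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def audit_log(lines, expected_server_cn: str) -> dict:
    """Extract what the handshake actually negotiated and compare it to policy.
    Returns the parsed facts plus a list of (severity, message) findings."""
    r = {"chain": {}, "peer_cn": None, "cipher": None, "hmac": None,
         "tls_version": None, "rsa_bits": None, "peer_addr": None, "findings": []}
    for line in lines:
        if m := VERIFY_RE.search(line):
            r["chain"][int(m.group(1))] = parse_subject(m.group(2))
        elif m := CIPHER_RE.search(line):
            r["cipher"] = m.group(1)
        elif m := HMAC_RE.search(line):
            r["hmac"] = m.group(1)
        elif m := CONTROL_RE.search(line):
            r["tls_version"], r["rsa_bits"] = float(m.group(1)), int(m.group(3))
        elif m := PEER_RE.search(line):
            r["peer_addr"] = m.group(2)
    f = r["findings"]
    # Chain: depth=1 is the issuing CA, depth=0 the peer certificate itself.
    ca, peer = r["chain"].get(1), r["chain"].get(0)
    r["chain_ok"] = ca is not None and peer is not None
    if not r["chain_ok"]:
        f.append(("high", "certificate chain not fully verified (need VERIFY OK at depth=1 and depth=0)"))
    else:
        r["peer_cn"] = peer.get("CN")
        if r["peer_cn"] != expected_server_cn:
            f.append(("high", f"server CN '{r['peer_cn']}' is not the expected '{expected_server_cn}' "
                              "(a client pinned with verify-x509-name would refuse this)"))
    if r["tls_version"] is not None and r["tls_version"] < MIN_TLS_VERSION:
        f.append(("high", f"control channel TLSv{r['tls_version']:g}: set tls-version-min {MIN_TLS_VERSION}"))
    if r["rsa_bits"] is not None and r["rsa_bits"] < MIN_RSA_BITS:
        f.append(("high", f"{r['rsa_bits']} bit RSA certificate key is below {MIN_RSA_BITS}; "
                          "re-issue the CA and peer certificates"))
    if r["cipher"] is not None and r["cipher"] not in ALLOWED_DATA_CIPHERS:
        f.append(("high", f"data channel cipher {r['cipher']} is not on the allowed list"))
    if r["hmac"] in ("MD5", "SHA1"):
        f.append(("low" if r["hmac"] == "SHA1" else "high",
                  f"HMAC uses {r['hmac']}; auth SHA256, or an AEAD cipher such as AES-256-GCM, is the stronger choice"))
    return r


if __name__ == "__main__":
    report = audit_log(SAMPLE_LOG, "StudentServer")
    for severity, message in report["findings"]:
        print(f"[{severity}] {message}")
```

Run against the sample, the checker accepts the chain and the AES-256-CBC cipher but raises two high findings (TLSv1 control channel, 1024-bit RSA) and a low one for the SHA1 HMAC.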