
Survey on Information Assurance 

 
 

TEL 581  

 
 

Presented by
Viswesh Prabhu Subramanian
Gregory Michel
Lincoln Jean Louis
 Contents:
◦ What is a VPN?
◦ VPN Types
◦ VPN Security
◦ VPN gateways
◦ Introduction to VPN protocols
◦ Pros and cons of VPN
◦ Tunneling protocols
 What is tunneling
 IPSec
 PPP
 Point-to-Point Tunneling Protocol (PPTP)
 Layer 2 Tunneling Protocol (L2TP)
 Layer 2 Forwarding (L2F)
◦ Authentication Protocols
 Password Authentication Protocol (PAP)
 Challenge Handshake Authentication Protocol (CHAP)
 PAP vs CHAP
 Extensible Authentication Protocol (EAP)
◦ Summary
◦ Access Guidelines
Short video about VPN from Teracom Training Institute:
http://www.yousearchblog.com/video/1Q6wKa1IaIA/Acronyms%20and%20Abbreviations
What is a VPN?

A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. (http://lylebeckportfolio.com/vpn.htm)
Public networks are used to move information between trusted network segments over shared facilities such as Frame Relay or ATM.
A VIRTUAL private network replaces those facilities with tunnels across the public Internet. Performance and availability then depend on your ISP and on the Internet itself.
(http://www.uniforum.chi.il.us/slides/baker-vpn/vpn.ppt)
VPN Security

http://lylebeckportfolio.com/vpn.htm
VPN gateways
• VPN gateways can be categorized as standalone or integrated.
• Standalone VPNs use purpose-built devices placed between the data source and the WAN link, or between the modem and the data source in a remote office.
• Integrated implementations add VPN functionality to existing devices such as routers and firewalls.
• Router-based VPNs – adding encryption support to existing routers keeps the upgrade cost of a VPN low.
• Firewall-based VPNs – a workable solution for small networks with low traffic volume.
• Software-based VPNs – a good way to learn how a VPN works; the software runs on existing servers and shares resources with them.
Introduction to VPN protocols
2 main VPN architectures:
• Products are based either on IPSec or on Point-to-Point Tunneling Protocol (PPTP) / Layer 2 Tunneling Protocol (L2TP).
• Although IPSec has become the de facto standard for LAN-to-LAN VPNs, PPTP and L2TP are heavily used for single-client-to-LAN connections.
• Therefore, many VPN products support IPSec, PPTP and L2TP.
Advantages of VPN
• Lower costs – remote access costs have been reduced by 80 percent, while LAN-to-LAN connectivity costs have been reduced by 20-40 percent.
• VPNs provide a low-cost alternative to backbone equipment, in-house terminal equipment and access modems.
• Connectivity improvements – VPN-based links are an easy and inexpensive way to meet changing business demands.
• Anywhere, anytime access – the ubiquitous public Internet offers transparent access to central corporate systems such as email, directories, and internal and external web sites.
VPN technology is improving rapidly and promises a bright future for data communication; its cost-effectiveness and high return on investment will outweigh any skittishness about investing in new technology.
Disadvantages of VPN
• The availability and performance of VPN networks are difficult to control.
• VPN speeds are much slower than those experienced with a traditional (dedicated) connection.
• VPN products from different vendors may interoperate poorly. This may improve with time; for now, however, it can cause frustration when implementing a VPN.
• One of a VPN's weakest links is its users.

Tunneling protocols
◦ What is tunneling
◦ IPSec
◦ PPP
◦ Point-to-Point Tunneling Protocol (PPTP)
◦ Layer 2 Tunneling Protocol (L2TP)
◦ Layer 2 Forwarding (L2F)
What is tunneling
o A tunnel is a virtual path across a network that delivers packets that are encapsulated and possibly encrypted.
o A packet based on one protocol is wrapped, or encapsulated, in a second packet based on a different protocol.
 Examples of situations where tunneling is used:
◦ An Ethernet network is connected to an FDDI backbone, and the FDDI network does not understand the Ethernet frame format.
◦ Two networks use IPX and need to communicate across the Internet.
http://www.novell.com/documentation/nias41/iptuneun/graphics/rtc_021a.gif
• Tunneling is the main ingredient of a VPN; a VPN uses tunneling to create its connection.
 Three main tunneling protocols are used in VPN connections:
 PPTP
 L2TP
 IPSec
IPSec
 Provides a method of setting up a secure channel for protected data exchange between two devices.
 More flexible and less expensive than end-to-end and link encryption methods.
 Employed to establish virtual private networks (VPNs) among networks across the Internet.
 IPSec uses two basic security protocols:
◦ Authentication Header (AH): provides data-origin authentication and integrity for the packet (with optional anti-replay protection), but no confidentiality.
◦ Encapsulating Security Payload (ESP): provides confidentiality by encrypting the payload and, optionally, source authentication and message integrity.
 IPSec can work in one of two modes:
◦ Transport mode, in which only the payload of the packet is protected; the original IP header stays in the clear.
◦ Tunnel mode, in which the entire original packet, payload and IP header included, is protected and a new outer IP header is added for the tunnel endpoints.
CISSP Certification All in One Exam Guide pg 610
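The encapsulation described under tunneling and the transport/tunnel mode distinction above, written out as an added example; it is not code from the slides or from the cited sources. It builds minimal IPv4 headers, shows plain IP-in-IP encapsulation (one packet carried as the payload of another), and then wraps a packet in an ESP-format header in both modes so the difference in what a sniffer sees is concrete. Assumptions not in the original: the cipher is a keystream drawn from HMAC-SHA256 in counter mode standing in for ESP's AES (so the code runs on the standard library alone), the ICV is HMAC-SHA256 truncated to 128 bits, headers carry no options, and the sample TCP segment, addresses and keys are constructed.

```python
"""IPsec ESP in transport vs. tunnel mode (added illustration; not code from the slides).

Assumptions not taken from the original page:
  - a keystream from HMAC-SHA256 in counter mode stands in for ESP's AES cipher;
  - the ICV is HMAC-SHA256 truncated to 128 bits (ESP layout per RFC 4303);
  - IPv4 headers are minimal 20-byte headers without options;
  - addresses, keys and the sample TCP segment below are constructed.
"""
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50
IPV4_FMT = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst


def ipv4_checksum(hdr):
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a 20-byte IPv4 header carrying `payload_len` bytes of protocol `proto`."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt):
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": pkt[ihl:total]}


# --- Tunneling without security: IP-in-IP (RFC 2003). The whole original packet,
#     header included, becomes the payload of a new packet between the tunnel endpoints.
def ipip_encap(inner, outer_src, outer_dst):
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner)) + inner


# --- ESP: SPI | Seq | ciphertext(payload | pad | pad-len | next-header) | ICV
def _keystream(key, spi, seq, n):
    out = b""
    for ctr in range((n + 31) // 32):           # one 32-byte block per counter value
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
    return out[:n]


def esp_encap(spi, seq, payload, next_header, enc_key, auth_key):
    pad_len = (-(len(payload) + 2)) % 4          # align the trailer to 4 bytes
    plain = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, spi, seq, len(plain))))
    hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, hdr + ct, hashlib.sha256).digest()[:16]
    return hdr + ct + icv


def esp_decap(esp, enc_key, auth_key):
    hdr, ct, icv = esp[:8], esp[8:-16], esp[-16:]
    expect = hmac.new(auth_key, hdr + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expect):
        raise ValueError("ESP ICV mismatch")      # verify first; decrypt only if authentic
    spi, seq = struct.unpack("!II", hdr)
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, spi, seq, len(ct))))
    pad_len, next_header = plain[-2], plain[-1]
    return next_header, plain[:len(plain) - 2 - pad_len]


def esp_transport(pkt, spi, seq, ek, ak):
    """Transport mode: the original IP header stays outside; only its payload is protected."""
    p = parse_ipv4(pkt)
    esp = esp_encap(spi, seq, p["payload"], p["proto"], ek, ak)
    return ipv4_header(p["src"], p["dst"], IPPROTO_ESP, len(esp)) + esp


def esp_tunnel(pkt, gw_src, gw_dst, spi, seq, ek, ak):
    """Tunnel mode: the whole original packet is protected; a new header names the gateways."""
    esp = esp_encap(spi, seq, pkt, IPPROTO_IPIP, ek, ak)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def on_the_wire(wire):
    """What a sniffer between the endpoints sees without the keys."""
    p = parse_ipv4(wire)
    return p["src"], p["dst"], p["proto"]


def esp_receive(wire, ek, ak):
    """Undo either mode and return the original packet, or raise on a bad ICV."""
    p = parse_ipv4(wire)
    nh, inner = esp_decap(p["payload"], ek, ak)
    if nh == IPPROTO_IPIP:                        # tunnel mode: the inner data is a full packet
        return inner
    return ipv4_header(p["src"], p["dst"], nh, len(inner)) + inner  # transport: reattach header


def accepted(wire, ek, ak):
    try:
        esp_receive(wire, ek, ak)
        return True
    except ValueError:
        return False


# Constructed sample: a TCP segment from a branch host to a head-office host.
SAMPLE = ipv4_header("10.1.1.5", "10.2.2.9", IPPROTO_TCP, 12) + b"hello, HQ!!!"
EK, AK = b"constructed-enc-key", b"constructed-auth-key"

if __name__ == "__main__":
    t = esp_transport(SAMPLE, 0x1000, 1, EK, AK)
    u = esp_tunnel(SAMPLE, "203.0.113.1", "198.51.100.1", 0x1000, 1, EK, AK)
    print("transport mode on the wire:", on_the_wire(t))
    print("tunnel mode on the wire:   ", on_the_wire(u))
```

Running the module shows the point of the two modes: in transport mode the real endpoint addresses 10.1.1.5 and 10.2.2.9 travel in the clear and only the TCP segment is hidden, while in tunnel mode the wire carries only the gateway addresses 203.0.113.1 and 198.51.100.1. The receiver checks the ICV before touching the ciphertext, so a packet with a flipped byte is rejected rather than decrypted; and because the keystream is keyed by SPI and sequence number, the example also shows why an ESP sequence number must never repeat within one security association.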
Point-to-Point Tunneling Protocol (PPTP)
 PPTP is a Microsoft protocol which allows remote users to set up a PPP connection to a local ISP and then create a secure VPN to their destination.
CISSP Certification All in One Exam Guide pg 612
 In PPTP, the PPP payload is encrypted with Microsoft Point-to-Point Encryption (MPPE); the user is authenticated with MS-CHAP or EAP-TLS.
 The keys used to encrypt this data are derived during the authentication process between the user and the authentication server, so the strength of the encryption depends on the strength of that authentication.
CISSP Certification All in One Exam Guide pg 613
 One limitation of PPTP is that it works only over IP networks; other protocols must be used to move data over Frame Relay, X.25, and ATM links.
Layer 2 Tunneling Protocol (L2TP)
 L2TP provides the functionality of PPTP, but it can work over networks other than just IP.
 L2TP itself does not provide any encryption or authentication services.
 It needs to be combined with IPSec (L2TP/IPSec) if encryption and authentication services are required.
 The processes that L2TP uses for encapsulation are similar to those used by PPTP.
PPTP vs L2TP
 PPTP can run only within IP networks.
 L2TP, on the other hand, can run within other protocols such as Frame Relay, X.25, and ATM.
 PPTP includes encryption (MPPE); L2TP does not, and relies on IPSec for it.
 L2TP supports TACACS+ and RADIUS, while PPTP does not.
Summary
 Point-to-Point Tunneling Protocol (PPTP):
◦ Designed for client/server connectivity
◦ Sets up a single point-to-point connection between two computers
◦ Works at the data link layer
◦ Transmits over IP networks only
 Layer 2 Tunneling Protocol (L2TP):
◦ Sets up a single point-to-point connection between two computers
◦ Works at the data link layer
◦ Transmits over multiple types of networks, not just IP
◦ Combined with IPSec for security
 IPSec:
◦ Handles multiple connections at the same time
◦ Provides secure authentication and encryption
◦ Supports only IP networks
Authentication Protocols
• Password Authentication Protocol (PAP)
• Challenge Handshake Authentication Protocol (CHAP)
• PAP vs CHAP
• Extensible Authentication Protocol (EAP)
Authentication
How does one get authenticated?
By validation of a username/password, a token, etc.
 If valid, the user is granted access.
 If not valid, no access is provided.
Password Authentication Protocol (PAP)
 Used by remote users to authenticate over PPP lines.
 The user enters a username and password before authentication begins.
 The username and password are sent over the network to the authentication server.
 The username and password are compared with the database stored on the authentication server.
 If the username and password match, access is granted; otherwise access is denied.
PAP Authentication process
Problem!!!!
◦ PAP is very insecure.
 Credentials are sent in cleartext, so anyone able to run a sniffer on the path obtains your username and password directly.
Challenge Handshake Authentication Protocol (CHAP)
 Uses a challenge/response mechanism to authenticate the user instead of sending the password.
 The challenge is a random value; the response is a one-way hash (MD5) of the challenge combined with the predefined password, so the password itself never crosses the network.
 The authentication process:
◦ The host computer sends the authentication server a logon request.
◦ The server sends the user a random challenge value.
◦ The user's host hashes the challenge (together with the message identifier) using the predefined password, and returns the resulting response value to the server.
 The authentication process (con't):
◦ The authentication server, which also holds the predefined password, computes the same hash over the challenge it sent.
◦ The server compares the received value with the one it computed.
◦ If the values are the same, the server authenticates the user and grants access; otherwise access is denied.
◦ Because the server must recompute the hash, it has to keep the password (or an equivalent secret) in recoverable form, not merely a salted hash of it.
Challenge Handshake Process
PAP vs CHAP
 PAP
 Sends credentials in cleartext during transmission.
 Use has decreased because it does not provide a high level of security.
 Supported by most network access servers (NASs).
 CHAP
 Used in the same situations as PAP but provides a higher degree of security.
 Authenticates using a challenge/response method; the password never crosses the network.
 Used by remote users, routers, and NASs to provide authentication before providing connectivity.
 Caveat: a captured challenge/response pair still lets an attacker test password guesses offline, so CHAP protects only passwords that are hard to guess.
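The PAP exchange and the CHAP challenge/response computation described in the preceding sections, written out as an added example; it is not code from the slides or the cited sources. Message layouts follow RFC 1334 (PAP) and RFC 1994 (CHAP with MD5). The server-side credential store, the peer names and secrets, the fixed challenges used in the checks, and the candidate-password list used to show offline guessing are constructed assumptions.

```python
"""PAP (RFC 1334) and CHAP (RFC 1994) over PPP, added illustration; not the slides' code.

Assumptions not from the original page: the credential store USERS, the peer names
and secrets, the fixed challenges used in the demo, and the candidate-password list
used to show offline guessing are all constructed.
"""
import hashlib
import hmac
import os

# Server-side store. CHAP needs the secret itself (or an equivalent), not a salted
# hash of it, because the server must recompute MD5(identifier | secret | challenge).
USERS = {"alice": "s3cret-pw"}


# --- PAP: Authenticate-Request = Code(1) Identifier(1) Length(2) PeerIdLen PeerId PwLen Password
def pap_request(peer_id, password, ident=1):
    pid, pw = peer_id.encode(), password.encode()
    body = bytes([len(pid)]) + pid + bytes([len(pw)]) + pw
    return bytes([1, ident]) + (4 + len(body)).to_bytes(2, "big") + body


def pap_fields(pkt):
    """Parse a PAP Authenticate-Request; anyone on the path can do exactly this."""
    if pkt[0] != 1 or int.from_bytes(pkt[2:4], "big") != len(pkt):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    n = pkt[4]
    peer_id = pkt[5:5 + n].decode()
    m = pkt[5 + n]
    return peer_id, pkt[6 + n:6 + n + m].decode()


def pap_server_check(pkt):
    peer_id, password = pap_fields(pkt)
    return hmac.compare_digest(password.encode(), USERS.get(peer_id, "").encode())


# --- CHAP: Response value = MD5(Identifier || secret || Challenge). This is a one-way
#     hash, so the server recomputes it rather than "decrypting" anything.
def chap_response(ident, secret, challenge):
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def chap_server_verify(peer_name, ident, challenge, response):
    secret = USERS.get(peer_name)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def chap_exchange(peer_name, peer_secret, ident=7, challenge=None):
    """One Challenge -> Response -> Success/Failure round trip.
    Returns (challenge, response, authenticated)."""
    challenge = challenge if challenge is not None else os.urandom(16)  # server picks it fresh
    response = chap_response(ident, peer_secret, challenge)             # peer proves the secret
    return challenge, response, chap_server_verify(peer_name, ident, challenge, response)


# --- What a sniffer still gets from CHAP: a (challenge, response) pair it can
#     test password guesses against offline, without talking to the server.
def chap_offline_guess(ident, challenge, response, candidates):
    for guess in candidates:
        if chap_response(ident, guess, challenge) == response:
            return guess
    return None
```

Comparing `pap_fields(req)` with `chap_offline_guess(...)` shows the real difference between the two: PAP hands a passive sniffer the password itself, while CHAP hands it only a hash it must brute-force, and a response captured for one challenge is useless against the next challenge the server issues. Both, however, require the server to hold the secret in recoverable form.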
Extensible Authentication Protocol (EAP)
 An authentication protocol (framework) which supports multiple authentication mechanisms.
 Used for PPP and IEEE 802.1X connections.
 EAP supports authentication schemes such as:
◦ Generic Token Card (an example is RSA SecurID)
◦ One-Time Password (OTP)
◦ Message Digest 5 (MD5)-Challenge
◦ Transport Layer Security (TLS) for smart card and digital certificate-based authentication
 Authentication process:
◦ Peers negotiate to perform EAP during the connection authentication phase.
◦ When the connection authentication phase is reached, the peers negotiate the use of a specific EAP authentication type.
(https://www.microsoft.com/technet/network/eap/eap.mspx)
◦ After negotiation, the client and server exchange messages between themselves.
 Authentication messages consist of requests and responses.
EAP Authentication Process
(https://www.microsoft.com/technet/network/eap/eap.mspx)
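The request/response exchange outlined above, as an added example built around the MD5-Challenge method listed earlier; it is not code from the slides or from Microsoft's EAP documentation. Packet layout and codes follow RFC 3748 (Code, Identifier, Length, Type, Type-Data). The user store, the peer name and secret, and the fixed challenge used to make a run reproducible are constructed.

```python
"""EAP (RFC 3748) request/response exchange using EAP-MD5-Challenge (added illustration;
not code from the slides or from Microsoft's EAP documentation).

EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data].
Codes: 1 Request, 2 Response, 3 Success, 4 Failure. Types: 1 Identity, 4 MD5-Challenge.
Assumptions not from the original page: the USERS store, the peer name and secret,
and the fixed challenge used for a reproducible run are constructed.
"""
import hashlib
import hmac
import os
import struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, MD5_CHALLENGE = 1, 4
USERS = {"bob": "long-shared-secret"}


def eap_packet(code, ident, type_=None, data=b""):
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eap_parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:]


def md5_challenge_value(ident, secret, challenge):
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class Authenticator:
    """Server side (NAS or its RADIUS back end): Identity, then MD5-Challenge, then a verdict."""

    def __init__(self, challenge=None):
        self.challenge = challenge if challenge is not None else os.urandom(16)
        self.ident, self.peer, self.result = 1, None, None

    def first_request(self):
        return eap_packet(REQUEST, self.ident, IDENTITY)

    def handle(self, pkt):
        code, ident, type_, data = eap_parse(pkt)
        if code != RESPONSE or ident != self.ident:   # identifier ties a Response to its Request
            return self._finish(False, ident)
        if type_ == IDENTITY:
            self.peer = data.decode()
            self.ident += 1
            payload = bytes([len(self.challenge)]) + self.challenge + b"nas1"
            return eap_packet(REQUEST, self.ident, MD5_CHALLENGE, payload)
        if type_ == MD5_CHALLENGE and self.peer in USERS:
            got = data[1:1 + data[0]]
            expected = md5_challenge_value(ident, USERS[self.peer], self.challenge)
            return self._finish(hmac.compare_digest(expected, got), ident)
        return self._finish(False, ident)

    def _finish(self, ok, ident):
        self.result = "success" if ok else "failure"
        return eap_packet(SUCCESS if ok else FAILURE, ident)


class Peer:
    """Client side: answers Identity and MD5-Challenge requests."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def handle(self, pkt):
        code, ident, type_, data = eap_parse(pkt)
        if code != REQUEST:
            raise ValueError("peer only answers Requests")
        if type_ == IDENTITY:
            return eap_packet(RESPONSE, ident, IDENTITY, self.name.encode())
        if type_ == MD5_CHALLENGE:
            challenge = data[1:1 + data[0]]
            value = md5_challenge_value(ident, self.secret, challenge)
            return eap_packet(RESPONSE, ident, MD5_CHALLENGE,
                              bytes([len(value)]) + value + self.name.encode())
        raise ValueError("unsupported EAP type %r" % type_)


def run_eap(peer, auth):
    """Shuttle packets between the two sides; returns (trace of (direction, code, type), verdict)."""
    trace, pkt = [], auth.first_request()
    while True:
        code, _, type_, _ = eap_parse(pkt)
        trace.append(("auth->peer", code, type_))
        if code in (SUCCESS, FAILURE):
            return trace, auth.result
        pkt = peer.handle(pkt)
        code, _, type_, _ = eap_parse(pkt)
        trace.append(("peer->auth", code, type_))
        pkt = auth.handle(pkt)
```

`run_eap(Peer("bob", "long-shared-secret"), Authenticator())` produces the five-message sequence the slides describe: Identity request and response, MD5-Challenge request and response, then Success. The method-specific work is confined to the Type-Data bytes, which is what lets the same framing carry token-card, OTP or TLS methods instead of MD5-Challenge.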
Access Guidelines
 Users should be identified and authenticated.
 Utilize a strong level of security for authentication/authorization.
 Users' activities should be audited to ensure no malicious activity is taking place.
 Users' privileges should be reviewed periodically.
 Security policies should be presented and made available to all remote users.
References
1. http://www.uniforum.chi.il.us/slides/baker-vpn/vpn.ppt
2. https://www.microsoft.com/technet/network/eap/eap.mspx
3. CISSP Certification All in One Exam Guide.
4. http://lylebeckportfolio.com/vpn.htm
