Cyber Security III

Security for VPN and Next Generation Technologies

Dr. Smita Kachole


• Security for VPN and Next Generation Technologies
• 1. VPN Security
• 2. Security in Multimedia Networks
• 3. Various Computing Platforms: HPC, Cluster and Computing Grids
• 4. Virtualization and Cloud Technology and Security
VPN-Virtual Private Network
• As the popularity of the Internet has grown,
businesses have turned to it as a means of
extending their own networks. First came
intranets, which are sites designed for use
only by company employees. Now, many
companies create their own Virtual Private
Networks (VPNs) to accommodate the
needs of remote employees and distant
offices.
VPN-Virtual Private Network
• A VPN is a private network that uses a
public network (usually the Internet) to
connect remote sites or users together.
Instead of using a dedicated, real-world
connection, such as a leased line, a VPN uses
"virtual" connections routed through the
Internet from the company's private
network to the remote site or employee.
Types
• Remote-Access: A Virtual Private Dial-up Network (VPDN) is
a user-to-LAN connection used by a company that has
employees who need to connect to the private network
from various remote locations. The corporation provides
Internet dial-up accounts to its users through an Internet
service provider (ISP).
• The telecommuters can then dial a 1-800 number to reach
the Internet and use their VPN client software to access
the corporate network.
• An example is a large firm with hundreds of sales people in
the field. Remote-access VPNs permit secure, encrypted
connections between a company's private network and
remote users through a third-party service provider.
Types
• Site-to-Site: Through the use of dedicated equipment
and large-scale encryption, a company can connect
multiple fixed sites over a public network such as the
Internet.
• Each site needs only a local connection to the same
public network, thereby saving money on long private
leased lines. Site-to-site VPNs can be further
categorized into intranets or extranets.
• A site-to-site VPN built between offices of the same
company is said to be an intranet VPN, while a VPN
built to connect the company to its partner or customer
is referred to as an extranet VPN.
Benefits
• Extend geographic connectivity
• Reduce operational costs versus traditional WANs
• Reduce transit times and traveling costs for remote
users
• Improve productivity
• Simplify network topology
• Provide global networking opportunities
• Provide telecommuter support
• Provide faster Return On Investment (ROI) than
traditional WAN
VPN-Virtual Private Network
• A well-designed VPN should incorporate the
following:
• Security
• Reliability
• Scalability
• Network Management
• Policy Management
VPN-Virtual Private Network
• A well-designed VPN uses several methods in
order to keep your connection and data secure.
• Data Confidentiality - This is perhaps the most
important service provided by any VPN
implementation. Since your private data travels
over a public network, data confidentiality is vital
and can be attained by encrypting the data. This
is the process of taking all the data that one
computer is sending to another and encoding it
into a form that only the other computer will be
able to decode.
VPN-Virtual Private Network
• Data Integrity - While it is important that your
data is encrypted over a public network, it is just
as important to verify that it has not been
changed while in transit. For example, IPsec has a
mechanism to ensure that the encrypted portion
of the packet, or the entire header and data
portion of the packet, has not been tampered
with. If tampering is detected, the packet is
dropped. Data integrity can also involve
authenticating the remote peer.
VPN-Virtual Private Network
• Data Origin Authentication - It is extremely
important to verify the identity of the
source of the data that is sent. This is
necessary to guard against a number of
attacks that depend on spoofing the
identity of the sender.
• Anti-Replay - This is the ability to detect and
reject replayed packets, and it helps prevent
spoofing.
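The anti-replay check mentioned above is normally implemented as a sliding window over the packet sequence number, as IPsec ESP does (RFC 4303, section 3.4.3). The following is an added illustration written for these notes, not code from the course or from any IPsec implementation; the window size of 64 and the sample sequence numbers are constructed for the demonstration.

```python
class AntiReplayWindow:
    """Sliding-window replay detection in the style of IPsec ESP (RFC 4303, section 3.4.3).

    The receiver remembers the highest sequence number accepted so far and a bitmap of
    which of the `size` most recent sequence numbers have already been seen. A packet is
    rejected if it is a duplicate, or if it is older than the window (too old to judge).
    Real ESP receivers run this check only after the packet's integrity check has passed,
    so a forged sequence number cannot advance the window.
    """

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.highest = 0          # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0           # bit i set => sequence number (highest - i) was received

    def check_and_update(self, seq: int) -> bool:
        """Return True and record the packet if `seq` is fresh; False if it must be dropped."""
        if seq <= 0:
            return False                       # ESP sequence numbers start at 1
        if seq > self.highest:
            # New high-water mark: slide the window forward, discarding bits that fall off.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                       # older than the window: cannot prove freshness
        if self.bitmap & (1 << offset):
            return False                       # already received: this is a replay
        self.bitmap |= 1 << offset             # late but fresh (reordered) packet
        return True


def replay_trace(seqs, size: int = 64):
    """Feed a constructed sequence of observed sequence numbers through one window.

    Returns the accept/drop decision for each packet, in order.
    """
    win = AntiReplayWindow(size)
    return [win.check_and_update(s) for s in seqs]
```

Running `replay_trace([1, 2, 5, 3, 2, 5, 70, 4, 7])` accepts the reordered packet 3, drops the replays of 2 and 5, and after the jump to 70 drops packet 4 as too old while still accepting 7, which lies inside the 64-packet window.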
VPN-Virtual Private Network
• Data Tunnelling / Traffic Flow Confidentiality -
Tunnelling is the process of encapsulating an
entire packet within another packet and
sending it over a network. Data tunneling is
helpful in cases where it is desirable to hide the
identity of the device originating the traffic. For
example, a single device that uses IPsec
encapsulates traffic that belongs to a number of
hosts behind it and adds its own header on top
of the existing packets.
VPN-Virtual Private Network
• By encrypting the original packet and header
(and routing the packet based on the
additional layer 3 header added on top), the
tunneling device effectively hides the actual
source of the packet. Only the trusted peer is
able to determine the true source, after it
strips away the additional header and
decrypts the original header.
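The tunnelling and integrity services described in the last few slides can be shown together in one small model of a tunnel-mode gateway. This is an added example written for these notes, not code from the course or from any VPN product: the gateway addresses, keys, inner packet and fixed IV are all constructed, and the HMAC-SHA256 counter-mode keystream is a stand-in for the AES cipher a real IPsec peer would use.

```python
import hmac
import hashlib
import struct
from typing import Optional

# Constructed keys for this demonstration only; a real IPsec peer derives them via IKE.
K_ENC = b"\x11" * 32
K_MAC = b"\x22" * 32
GW_A = bytes([203, 0, 113, 1])    # tunnel endpoint A (constructed, documentation range)
GW_B = bytes([198, 51, 100, 7])   # tunnel endpoint B (constructed)
# Constructed inner packet: 4-byte src, 4-byte dst, then payload (stand-in for an IP header).
INNER_PACKET = bytes([10, 0, 1, 5]) + bytes([10, 0, 2, 9]) + b"GET /payroll HTTP/1.1"
IV = b"\x00" * 16                 # fixed here for reproducibility; real peers use a fresh IV per packet

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF (toy stand-in for AES-CTR)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def encapsulate(inner: bytes, gw_src: bytes, gw_dst: bytes, iv: bytes = IV) -> bytes:
    """Tunnel-mode style: outer header || iv || encrypted inner packet || MAC tag.
    The inner header (real src/dst) sits inside the encrypted body, so only the gateways show."""
    outer = gw_src + gw_dst
    body = _xor(inner, _keystream(K_ENC, iv, len(inner)))
    tag = hmac.new(K_MAC, outer + iv + body, hashlib.sha256).digest()[:16]
    return outer + iv + body + tag

def decapsulate(wire: bytes) -> Optional[bytes]:
    """Receiving gateway: check integrity first (encrypt-then-MAC); any tampering -> drop (None).
    Only after the tag verifies is the outer header stripped and the inner packet decrypted."""
    if len(wire) < 8 + 16 + 16:
        return None
    outer, iv, body, tag = wire[:8], wire[8:24], wire[24:-16], wire[-16:]
    expected = hmac.new(K_MAC, outer + iv + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(body, _keystream(K_ENC, iv, len(body)))

def tamper(wire: bytes, index: int) -> bytes:
    """Flip one bit of a byte on the wire, to exercise the integrity check at the receiver."""
    return wire[:index] + bytes([wire[index] ^ 0x01]) + wire[index + 1:]
```

After `wire = encapsulate(INNER_PACKET, GW_A, GW_B)`, the inner source address never appears in `wire`, `decapsulate(wire)` returns the original packet, and `decapsulate(tamper(wire, 30))` returns `None`, which is the "packet is dropped" behaviour described for IPsec above.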
VPN-Virtual Private Network
• AAA (Authentication, Authorization, and Accounting) - AAA is
used for more secure access in a remote-access VPN
environment. Without user authentication, anyone who
sits at a laptop/PC with pre-configured VPN client
software can establish a secure connection into the
remote network.
• With user authentication, however, a valid username and
password also have to be entered before the connection is
completed. Usernames and passwords can be stored on
the VPN termination device itself, or on an external AAA
server, which can provide authentication to numerous
other databases such as Windows NT, Novell, LDAP, and
so on.
VPN-Virtual Private Network
• Non-repudiation - In certain data transfers,
especially those related to financial transactions,
non-repudiation is a highly desirable feature.
• This is helpful in preventing situations where one
end denies having taken part in a transaction.
Much like a bank requires your signature before
honouring your check, non-repudiation works by
attaching a digital signature to the sent message,
thus precluding
VPN-Virtual Private Network
• Based on the type of VPN (remote-access or
site-to-site), you need to put in place certain
components to build your VPN. These might include:
• Desktop software client for each remote user
• Dedicated hardware such as a Cisco VPN
Concentrator or a Cisco Secure PIX Firewall
• Dedicated VPN server for dial-up services
• Network Access Server (NAS) used by the service
provider for remote user VPN access
• Private network and policy management center
TYPES OF VPN PRODUCT
• A firewall-based VPN is one that is equipped
type of VPN makes use of the security
mechanisms in firewalls to restrict access to
an internal network. The features it provides
include address translation, user
authentication, real time alarms and
extensive logging.
TYPES OF VPN PRODUCT
• A hardware-based VPN offers high network
reliability, since there is no processor
overhead. However, it is also more expensive.
• A software-based VPN provides the most
flexibility in how traffic is managed. This type
is suitable when VPN endpoints are not
controlled by the same party, and where
different firewalls and routers are used. It can
be used with hardware encryption
accelerators to enhance performance.
TYPES OF VPN PRODUCT
• An SSL VPN allows users to connect to VPN
Sockets Layer) protocol or TLS (Transport Layer
Security) protocol is used to encrypt traffic
between the web browser and the SSL VPN
device. One advantage of using SSL VPNs is
ease of use: because all standard web
browsers support the SSL/TLS protocol,
users do not need to do any software
installation or configuration.
RISKS & LIMITATIONS OF VPN
• HACKING ATTACKS - A client machine may
become a target of attack, or a staging point
for an attack, from within the connecting
network. An intruder could exploit bugs or
mis-configuration in a client machine, or use
other types of hacking tools to launch an
attack. These can include VPN hijacking or
man-in-the-middle attacks:
RISKS & LIMITATIONS OF VPN
1. VPN hijacking is the unauthorised take-over of an
and impersonating that client on the connecting
network.
2. Man-in-the-middle attacks affect traffic being sent
between communicating parties, and can include
interception, insertion, deletion, and modification
of messages, reflecting messages back at the
sender, replaying old messages and redirecting
messages.
RISKS & LIMITATIONS OF VPN
• USER AUTHENTICATION - By default a VPN does
not provide / enforce strong user
authentication. A VPN connection should only
be established by an authenticated user. If the
authentication is not strong enough to restrict
unauthorised access, an unauthorised party
could access the connected network and its
resources. Most VPN implementations provide
limited authentication methods.
RISKS & LIMITATIONS OF VPN
• CLIENT SIDE RISKS - The VPN client machines
of, say, home users may be connected to the
Internet via a standard broadband connection
while at the same time holding a VPN
connection to a private network, using split
tunnelling. This may pose a risk to the private
network being connected to.
• The client machine may also be shared with other
parties.
RISKS & LIMITATIONS OF VPN
• CLIENT SIDE RISKS - A laptop used by a mobile
user may be connected to the Internet via a
wireless LAN at a hotel or airport, or via other
foreign networks. However, the security
protection at most of these public connection
points is inadequate for VPN access.
• A compromised VPN client machine poses a risk
to the connecting network.
RISKS & LIMITATIONS OF VPN
• VIRUS / MALWARE INFECTIONS - A connecting
network can be compromised if the client side is
infected with a virus. If a virus or spyware infects a
client machine, there is a chance that the password
for the VPN connection might be leaked to an
attacker. In the case of an intranet or extranet VPN
connection, if one network is infected by a virus or
worm, that virus / worm can be spread quickly to
other networks if anti-virus protection systems are
ineffective.
RISKS & LIMITATIONS OF VPN
• INCORRECT NETWORK ACCESS RIGHTS - Some
client and/or connecting networks may have
been granted more access rights than are
actually needed.
• INTEROPERABILITY / COMPATIBILITY -
Software from different vendors may not be
interoperable.
GENERAL VPN SECURITY CONSIDERATIONS
• VPN connections can be strengthened by the
use of firewalls.
• An IDS / IPS (Intrusion Detection / Prevention
System) is recommended in order to monitor
attacks more effectively.
• Anti-virus software should be installed on
remote clients and network servers to prevent
the spread of any virus / worm if either end is
infected.
GENERAL VPN SECURITY CONSIDERATIONS
• Unsecured or unmanaged systems with simple or no
authentication should not be allowed to make VPN
connections to the internal network.
• Logging and auditing functions should be provided to
record network connections, especially any
unauthorised attempts at access. The log should be
reviewed regularly.
• Training should be given to network/security
administrators and supporting staff, as well as to remote
users, to ensure that they follow security best practices
and policies during the implementation and ongoing use
of the VPN.
GENERAL VPN SECURITY CONSIDERATIONS
• Security policies and guidelines on the
appropriate use of VPN and network support
should be distributed to responsible parties to
control and govern their use of the VPN.
• Placing the VPN entry point in a Demilitarised
Zone (DMZ) is recommended in order to protect
the internal network.
• It is advisable not to use split tunnelling to access
the Internet or any other insecure network
simultaneously during a VPN connection.
GENERAL VPN SECURITY CONSIDERATIONS
• If split tunnelling is used, a firewall and IDS
should be used to detect and prevent any
potential attack coming from insecure
networks.
• Unnecessary access to internal networks
should be restricted and controlled.
EXTRANET VPN SECURITY CONSIDERATIONS
The following are additional security considerations for
extranet VPN deployment:
1. Strong user authentication mechanisms should be
enforced.
2. The VPN entry point should be placed inside a DMZ to
prevent partners from accessing the internal network.
3. Access rights should be granted on an as-needed
basis. Only necessary resources should be available to
external partners. Owners of these resources should
review access permissions regularly.
CLIENT SIDE VPN SECURITY CONSIDERATIONS
• Strong authentication is required:
• By means of certificates and/or smart cards, or
tokens.
• A smart card is used to store a user profile,
encryption keys and algorithms. A PIN is
usually required to invoke the smart card. A token
card provides a one-time password. When the user
authenticates correctly on the token by entering
the correct PIN, the card will display a
one-time passcode that will allow access to the
network.
CLIENT SIDE VPN SECURITY CONSIDERATIONS
• By means of an add-on authentication system,
like TACACS+ or RADIUS.
• This kind of central authentication system
contains a profile of all VPN users, controlling
access to the private network.
CLIENT SIDE VPN SECURITY CONSIDERATIONS
• Personal firewalls should be installed and configured
unauthorised access to the client, ensuring it is safe
from attack. Many of the more recent remote access
VPN clients include personal firewalls.
• Some may also include other configuration checks,
such as the client not being able to connect to the
network if anti-virus software is not running, or if virus
signatures are out of date.
CLIENT SIDE VPN SECURITY CONSIDERATIONS
• The client machine should have anti-virus software
prevent virus infections.
• The user should remain aware of the physical security
of the machine, in particular when authentication
information is stored on the machine.
• All users should be educated on good Internet security
practices. Access from home should be considered an
insecure channel, as traffic is routed over the Internet.