VPN tutorial 612v class v1

A Virtual Private Network (VPN) provides secure connections between endpoints, facilitating resource sharing between organizations or enabling remote access for users. There are two main types of VPNs: Site-to-Site VPN, which connects multiple locations securely over the internet, and Remote Access VPN, allowing individual users to access corporate resources from anywhere. VPNs utilize various protocols like IPsec and SSL to ensure data security and integrity, offering a cost-effective solution for organizations with multiple offices or remote employees.

Uploaded by pettagsco

VPN - Tutorial - 612

A Virtual Private Network (VPN) is a secure connection between two or
more endpoints. It can also be seen as an extension of a private network.
A VPN is commonly used to provide secure connectivity to a site in order
to share resources between two organisations or departments, or to
provide remote users with their corporate services as if they were
sitting at their desk in the office. There are two key scenarios where you
would deploy VPN technology, known as Site-to-Site VPN and Remote Access
VPN.

Site-to-Site VPN
In a site-to-site VPN, data is encrypted from one VPN gateway to another
VPN gateway, providing a secure link between two sites, organisations or
departments over the internet. This enables both sites to share resources
such as documents and other types of data over the secure VPN link. The
following figure illustrates a site-to-site VPN deployment, where an
organisation has two offices and would like to provide a secure VPN link
between the two offices to share resources.

Remote Access VPN
In a remote access VPN scenario, which is sometimes known as mobile VPN, a
secure connection is made from an individual computer to a VPN gateway
device situated at the organisation's data centre. This VPN device enables
a user to access their e-mail, files and other resources at work from
anywhere in the world, provided they have an internet connection. There
are two common frameworks or technologies used for remote access VPN,
known as IPsec and SSL, which are covered further within this article. The
following figure illustrates a remote access user VPN deployment.

VPN Use Case

A site-to-site VPN is a cost-effective solution which provides a secure
connection that enables sharing of IT resources between multiple
organisations or offices. This saves companies from renting expensive
dedicated leased lines, and can save companies from investing in
additional IT infrastructure services, because all of the services at the
head office can be accessed over a VPN connection.

Remote access VPN technology provides the ability for users to work
remotely, as if they were in the office sitting at their desks. This saves
companies from investing in larger offices to accommodate employees, and
from the cost of various office supplies.

In many real world scenarios, organisations grow and introduce additional
working environments. For example, a company may be situated in the US,
with its head office there, and due to growth open a new branch office
within the UK. The US office will already have a complete IT
infrastructure, including network, storage and all the other
infrastructure hardware and software, providing services such as Active
Directory, email and so on. The UK branch office may only consist of a
small number of users, let's say ten employees. To make this particular
scenario cost effective, a VPN connection between the US and UK offices
would be the best solution. Implementing a VPN tunnel between the UK and
US offices would save the cost of installing IT infrastructure within the
UK, as employees can utilise the existing infrastructure within the US
over the VPN tunnel.

Another cost saving use case, and a perfectly valid extension of the
example above, would be to allow employees based within the UK to work
from remote locations, such as their home offices. This can be achieved by
implementing a remote access VPN solution at the corporate head office
within the US. The UK based employees would only require an internet
connection and configured VPN client software, enabling them to securely
connect to their corporate network within the US. Additionally, if only
very specific access to a few resources is required, these can be made
available to the UK based employees through web based VPN portals, which
are accessed over a web browser. This means they would not even require a
configured client side VPN software application: they would browse to a
URL, log in with their credentials, and then find links to corporate
resources such as the intranet and their email.

VPN technology provides a superb and cost-effective solution for companies
with several branch offices, partners and remote users, enabling them to
share data and connect to corporate network resources in a secure and
private manner.

When data is sent via a VPN tunnel, the VPN client software encapsulates
all data packets, providing a high level of security. If VPN traffic were
sniffed by a potential hacker over the internet, the packets would be
unreadable, and if they were modified, this would also be detected by the
VPN gateway solution.

VPN Networking Protocols
VPN tunnels use one of four main networking protocols, which provide a
sufficient level of security, as detailed below.

1. Point to Point Tunnelling Protocol (PPTP)

PPTP is a protocol or technology that supports the use of VPN technology.
Using PPTP, remote users can access their corporate networks securely
using the Microsoft Windows platforms and other PPP (Point-to-Point
Protocol) enabled systems. This is achieved with remote users dialling
into their local internet service providers to connect securely to their
networks via the internet.

PPTP has its issues and is considered a weak security protocol according to
many experts, although Microsoft continues to improve the use of PPTP and
claims the issues within PPTP have now been corrected. Although PPTP is
easier to use and configure than IPsec, IPsec outweighs PPTP in other
areas, such as being a more secure and robust protocol.

2. Layer 2 Tunnelling Protocol (L2TP)

L2TP is an extension of the Point to Point Tunnelling Protocol (PPTP), and
is used by internet service providers to provide VPN services over the
internet. L2TP combines the functionality of PPTP and Layer 2 Forwarding
protocol (L2F) with some additional functions that use some of the IPsec
functionality. L2TP can be used in conjunction with IPsec to provide
encryption, authentication and integrity. IPsec is considered better than
the layer 2 VPN protocols such as PPTP and L2TP, and this is why security
vendors have integrated the IPsec framework into their technologies.

3. IPsec (IP Security)

IPsec operates at layer 3 of the OSI model and for this reason can protect
any protocol that runs on top of IP. IPsec is a framework consisting of
various protocols and algorithms, and new ones can be added to the
framework. IPsec provides flexibility and strength in depth, and is an
almost perfect solution for securing VPN tunnels. The only drawback to
IPsec is that it requires setting up on the corporate network and on the
client side devices, and it is a complex framework to work with. IPsec is
used for both site-to-site and remote user VPN connectivity.

4. Secure Socket Layer (SSL) VPN

SSL VPN provides excellent ease of use, flexibility and security for remote
access users. SSL is already heavily used, such as when you shop online or
access your bank account online; you will notice an SSL protected page
when you see “https” in your browser URL bar.

When it comes to remote access VPN technology, one of the main
differences between using SSL VPN and IPsec is that with IPsec a remote
user would require preconfigured fat client software, which would need
installing and configuring. There have been known issues around the use
of fat pre-configured clients, and limited support through certain
firewalls and public internet services, i.e. wireless hot spots. IPsec VPN
requires a number of protocols to work, and therefore multiple firewall
rules need to be opened. With SSL, however, it is optional whether you
download and install a client, and SSL uses a single port, 443. SSL VPN
can be configured with a web portal with user defined resources. The
portal is a GUI interface that is accessed via a web browser and contains
tools and utilities in order to access applications on the network, for
example RDP and Outlook. SSL can also imitate the way IPsec works by
providing a secure tunnel, either by installing lightweight client
software or by clicking connect directly from the web VPN portal. If a
user requires SSL client software, it can be installed with very little
effort via a browser, which simplifies the process of securely accessing
the corporate network.

Using SSL VPN makes simple work of provisioning thousands of end users,
who would be able to access the corporate network resources with very
little effort. The end user would need to know the web page address of the
SSL VPN portal and the login credentials, and that's pretty much it. SSL
VPN being a browser based technology, web portals can be created with
links to corporate resources defined within the portals, and this is
another advantage of SSL VPN technology: users do not have to rely on
configured client side VPN software and are able to connect from any
client side device with a web browser.

Advantages and Disadvantages of using Site-to-Site VPN Technology

Advantages

VPNs eliminate the need for expensive leased lines. Historically T1 lines
have been used to connect office locations together in a secure manner.
If the office locations are far apart, the cost of renting these leased
lines can be unbearable. A VPN, though, only requires you to have a
broadband internet connection, and so avoids paying a hefty sum of
monthly rental on dedicated leased lines. VPNs are also a replacement for
remote access servers and dial up network connections, although these are
rarely used anymore.

Through the use of link balancing and link bonding, VPNs can use two or
more internet connections, so that if one connection experiences a
failure, VPN traffic automatically traverses the remaining connections.
Once the failed connection is back online, VPN traffic automatically
returns to the original connection.

Disadvantages

You have to remember that having a VPN tunnel means relying on the
Internet, and relying on your ISP (Internet Service Provider) being
reliable, although this problem can be reduced by having two or more ISPs
and using the second connection in a VPN failover scenario.

Also, VPNs require careful configuration, and possibly some
troubleshooting, and the terminology can be overwhelming for
administrators not familiar with the technology.

Setting up an IPsec Site-to-Site VPN Tunnel

Below is a basic overview of the typical way a site-to-site VPN is
configured using IPsec. IPsec is the most commonly used framework for
creating VPN tunnels and is known to be a solid, robust and secure VPN
technology framework.

If you are new to VPN technology and the IPsec framework, a lot of the
terminology can be overwhelming at the beginning; however, clicking on
the links in this VPN article will give you a good understanding of the
different terminology used within the guide below.

Setting up a site-to-site VPN with IPsec

The information below covers what is required to set up a VPN connection
on a VPN gateway device using IPsec. It is not really aimed at any
specific vendor and is fairly generic.

To start with, you would need to decide how you are going to authenticate
both VPN peer devices to each other. You need to either agree upon a
pre-shared key or install digital certificates. This is used for
authentication and to ensure the VPN gateway devices are authorised,
proving their identities to each other. Both gateways must use the same
type of credentials, so either both sides use pre-shared keys or both
sides use digital certificates. Also, if you are using pre-shared keys,
then both keys must match.

VPN Authentication - IPsec VPN cont….

Authentication is used to prove a user or entity is allowed access, and so
provides a form of access control. For example, when you are logging on
to your Windows desktop and you specify a username and password at the
logon screen, you are authenticating yourself. You are telling Windows
you're a valid and authenticated user, and you prove this by providing a
username and password.

Generally speaking, there are two types of authentication methods used
within site-to-site VPN gateways, and these are either pre-shared keys or
digital signatures. By using a pre-shared key, two organisations who want
to set up a VPN tunnel between each other would configure and share the
same key on their VPN devices to be able to authenticate to each other.
Although this is not a scalable option in large networks, the majority of
VPN requirements are simple site-to-site VPN deployments between two
parties, and therefore a pre-shared key is more than sufficient and
simple to set up. A pre-shared key, by the way, is like a password, made
up of multiple random characters, that is shared between the parties who
are creating a VPN tunnel between their VPN devices; the more complex and
longer the key is, the more secure it is.

Using digital certificates is a scalable option; however, the digital
certificates would have to be purchased from a CA (Certification
Authority) such as Verisign, GoDaddy and others. With that being said,
it's also possible to use an internal public key infrastructure (PKI).
This is a very common scenario where the head office has multiple VPN
connections set up to remote branch offices, and all firewalls obtain
certificates from the organisation's enterprise internal certificate
authority server. A third option is to set up one of the firewalls as an
internal certificate authority, which is able to generate certificates for
both ends of the VPN connection.

IPsec VPN Traffic

IPsec works at the network layer of the OSI model and is a framework
consisting of protocols and algorithms for protecting data across an
untrusted network such as the internet. IPsec provides data security in
various ways, such as encrypting and authenticating data and protecting
against masquerading and manipulation. IPsec is a complex framework
consisting of many settings, which is why it provides a powerful and
flexible set of security features.

IPsec is a collection of different protocols and algorithms and can be
configured using over 30 different settings. IPsec is used to secure
traffic between site-to-site VPN gateway devices or between remote access
users and VPN gateway devices. As the world of IT and network security is
constantly changing, this fits in well with IPsec, simply because IPsec is
a framework which allows you to add new and better algorithms as they are
developed and released, keeping pace with other IT developments and
security standards.

When a VPN tunnel is to be created between two IPsec VPN gateway devices,
the devices negotiate various settings and parameters and must agree on
the parameters used, for example the type of authentication and
encryption that will be used within the VPN tunnel. Both sides must use
the exact same algorithms, otherwise it doesn't work. This is generally
called VPN negotiation.

IPsec typically uses the following algorithms, as detailed below:

- Encryption: 3DES, AES-128, AES-192, AES-256 for encryption of data.

- Authentication: MD5, SHA-1, SHA-256, SHA-384, SHA-512 are common
authentication algorithms used.

- Peer Authentication or Internet Key Exchange algorithms:

-- RSA is one common algorithm used for internet key exchange during the
peer authentication phase, to ensure the other side is authentic and who
they say they are.

-- Diffie-Hellman is another commonly used algorithm; the higher the
Diffie-Hellman group, the more secure it is, but it also has an impact on
performance. Some VPN devices provide the option to support a wide range
of groups, such as the ones detailed below.

Diffie-Hellman groups: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29,
30, 31, 32

Four key functions or services of IPsec are as follows:

1 Confidentiality – encrypting the data, scrambling it to make it
unreadable.

2 Data Integrity – to ensure data has not been changed whilst in transit.

3 Data Authentication – to ensure both sides trust the other end of the
VPN tunnel, proving both sender and receiver are who they say they are.

4 Anti-replay – to verify each packet is unique, and has not been
duplicated or intercepted.

There are five phases of IPsec negotiation, as detailed below:

1 Define interesting traffic - the IP subnets that have been identified
as traffic to be encrypted within the tunnel

2 IKE phase 1 – this is the IPsec key exchange phase

3 IKE phase 2 – IPsec policy and transform sets are processed and agreed

4 Transfer data – after the tunnel has been established, data can be
transferred between the hosts defined within the interesting traffic

5 Tear down the tunnel - after the transfer of data, the tunnel is removed
(unless it is a permanent tunnel)
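The following is an added example, not part of the original tutorial, that models in Python the rules stated above for pre-shared key authentication, VPN negotiation and interesting traffic: both gateways must use the same credential type, the pre-shared keys must match, every algorithm class must have a common entry, and only packets between the defined subnets enter the tunnel. The proposals, keys and subnets are constructed for illustration and are not taken from any vendor's configuration.

```python
"""Toy model of IPsec site-to-site negotiation (constructed example, not a
vendor implementation): authentication type, PSK and algorithms must match on
both gateways, and only "interesting traffic" is sent through the tunnel."""
import hashlib
import hmac
import ipaddress
import secrets

# Each gateway's proposal, algorithms listed in order of preference
# (constructed sample data, not taken from any real device).
PROPOSAL_A = {
    "auth_type": "psk",
    "encryption": ["AES256", "AES128", "3DES"],
    "integrity": ["SHA256", "SHA1"],
    "dh_group": [14, 5, 2],
}
PROPOSAL_B = {
    "auth_type": "psk",
    "encryption": ["AES128", "AES256"],
    "integrity": ["SHA256"],
    "dh_group": [14, 19],
}

def negotiate(initiator, responder):
    """Return the agreed parameters, or None if anything cannot be matched.
    Both sides must use the same credential type (both PSK or both
    certificates); for each algorithm class the responder takes the
    initiator's most preferred entry that it also supports."""
    if initiator["auth_type"] != responder["auth_type"]:
        return None
    agreed = {"auth_type": initiator["auth_type"]}
    for key in ("encryption", "integrity", "dh_group"):
        common = [alg for alg in initiator[key] if alg in responder[key]]
        if not common:
            return None  # no shared algorithm: the tunnel never comes up
        agreed[key] = common[0]
    return agreed

def prove_psk(psk, nonce):
    """A peer proves it holds the PSK by returning an HMAC over a fresh
    nonce, so the key itself is never sent across the internet."""
    return hmac.new(psk, nonce, hashlib.sha256).digest()

def psk_auth(local_psk, remote_psk):
    """Mutual PSK check: each side challenges the other with a nonce and
    verifies the returned proof under its own key. Succeeds only when both
    gateways were configured with the identical key."""
    nonce_a, nonce_b = secrets.token_bytes(16), secrets.token_bytes(16)
    proof_from_remote = prove_psk(remote_psk, nonce_a)
    proof_from_local = prove_psk(local_psk, nonce_b)
    return (hmac.compare_digest(proof_from_remote, prove_psk(local_psk, nonce_a))
            and hmac.compare_digest(proof_from_local, prove_psk(remote_psk, nonce_b)))

def is_interesting(src_ip, dst_ip, local_net, remote_net):
    """Phase 1 of the five phases: only packets between the defined subnets
    are encrypted into the tunnel; everything else is routed in the clear."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(local_net)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(remote_net))

if __name__ == "__main__":
    print("agreed:", negotiate(PROPOSAL_A, PROPOSAL_B))
    print("psk ok:", psk_auth(b"constructed-key", b"constructed-key"))
    print("tunnel:", is_interesting("10.1.0.5", "10.2.0.9",
                                    "10.1.0.0/16", "10.2.0.0/16"))
```

Changing either side's auth_type, removing the only shared integrity algorithm, or configuring different keys makes the respective function return None or False, which is the failure an administrator sees as a tunnel that never establishes.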

IPsec uses two different protocols to encapsulate the data over a VPN
tunnel:

Encapsulation Security Payload (ESP): IP Protocol 50

Authentication Header (AH): IP Protocol 51

ESP is more secure as it provides data encryption. AH provides
authentication only.
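Added example, not from the original tutorial: classifying captured packets by the IP protocol numbers just listed (ESP 50, AH 51) and applying the anti-replay service from the four IPsec functions above, using a per-SA sliding window over sequence numbers. The addresses, SPIs and packets are constructed; RFC 4303 is named only as the source of the default window size.

```python
"""Classify IPsec packets by IP protocol number (ESP = 50, AH = 51) and run
an anti-replay window over sequence numbers. Constructed example with
hand-built packets; it models the checks, it is not a kernel IPsec stack."""
import struct

ESP, AH = 50, 51
WINDOW = 64  # anti-replay window size (the default in RFC 4303 is 64)

def build_ipv4(src, dst, proto, payload):
    """Constructed 20-byte IPv4 header (checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload

def esp_packet(src, dst, spi, seq, ciphertext=b"\x00" * 8):
    """ESP header is SPI then sequence number, followed by encrypted data."""
    return build_ipv4(src, dst, ESP, struct.pack("!II", spi, seq) + ciphertext)

def ah_packet(src, dst, spi, seq, icv=b"\x00" * 12):
    """AH header: next header, payload length, reserved, SPI, sequence, ICV."""
    return build_ipv4(src, dst, AH, struct.pack("!BBHII", 4, 4, 0, spi, seq) + icv)

def classify(packet):
    """Return ("ESP", spi, seq), ("AH", spi, seq) or ("other", proto, None),
    reading the protocol byte at offset 9 and the IPsec header after the IHL."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto == ESP:
        return ("ESP",) + struct.unpack("!II", packet[ihl:ihl + 8])
    if proto == AH:
        return ("AH",) + struct.unpack("!II", packet[ihl + 4:ihl + 12])
    return ("other", proto, None)

class ReplayWindow:
    """Sliding window for one security association: a packet is accepted if
    its sequence number is newer than any seen, or falls inside the window
    and has not been seen before. Duplicates and stale packets are dropped."""
    def __init__(self):
        self.highest = 0
        self.seen = set()

    def accept(self, seq):
        if seq == 0:
            return False  # sequence numbers start at 1
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - WINDOW}
            self.seen.add(seq)
            return True
        if seq <= self.highest - WINDOW or seq in self.seen:
            return False  # outside the window, or a replayed packet
        self.seen.add(seq)
        return True

def filter_stream(packets):
    """Gateway-side check over a captured stream: one window per (protocol,
    SPI) pair, returning (kind, spi, accepted) per packet."""
    windows, results = {}, []
    for pkt in packets:
        kind, spi, seq = classify(pkt)
        if kind == "other":
            results.append((kind, spi, False))  # not IPsec traffic
            continue
        win = windows.setdefault((kind, spi), ReplayWindow())
        results.append((kind, spi, win.accept(seq)))
    return results
```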

L2TP (Layer 2 Tunneling Protocol)

L2TP is an extension of PPTP (Point to Point Tunnelling Protocol), used
by Internet service providers to provide VPN services over the internet.
L2TP combines the functionality of PPTP and L2F (Layer 2 Forwarding
protocol) with some additional functions that use some of the IPsec
functionality. L2TP uses the authentication methods of PPP, namely PAP
(Password Authentication Protocol) and CHAP (Challenge Handshake
Authentication Protocol), and uses NCP (Network Control Protocol) to
negotiate IP address assignment.

L2TP is seen as the replacement for PPTP and L2F. L2TP's other main
advantage is that it is routable over other networks as well as IP; PPTP
is only routable over IP. Also, L2TP can be used in conjunction with IPsec
to provide encryption, authentication and integrity. Ultimately IPsec is
the way forward and is considered better than the layer 2 VPNs such as
PPTP and L2TP.

Secure Socket Layer (SSL) VPN Web Portal

The Secure Socket Layer (SSL) application layer protocol is commonly used
in conjunction with VPN connectivity. SSL provides excellent security for
remote access users as well as ease of use.

The SSL protocol is already heavily used by many online web services, such
as when you shop online or access your bank account online; when doing so
you will notice an SSL protected web page, as indicated by the “https”
characters in the browser URL. The difference between SSL and IPsec VPNs
is that when using IPsec, a remote user would require client software
installed on his/her device, which would need to be configured before use.
Once configured, the end user would be able to connect via the client and
have access to his/her network resources. With SSL VPN technology,
however, you do not have to install any client software, as you log into a
web portal; you just need the public facing IP address or the URL and a
web browser to access the portal. The portal is a web GUI that is accessed
via a web browser and contains tools and utilities in order to access
applications on the network, such as RDP and Outlook.

SSL VPN can imitate the way IPsec works via a lightweight software client
that can be configured and installed directly from the same portal you log
into, without much effort.

Key points between IPsec and SSL VPNs

The term 'SSL VPN' refers to a user connecting to a web portal via a
public facing IP address or domain name; after a secure https connection
has been established between the client and the VPN gateway device, the
user is able to log into the web portal. Once logged into the portal, a
user would be able to access the configured enterprise applications, or
download the VPN client software. Using an IPsec client, on the other
hand, the client would need to be installed and configured on the end
user device before being able to use it to connect to resources on the
corporate network.

Here are some comparisons between the IPsec client and the SSL VPN
portal:

- The IPsec protocol is sometimes blocked in public places such as hotels
and cafes, whereas SSL tends to be open.

- IPsec software has to be installed and configured on all client systems.
With the use of an SSL VPN portal, the remote user only requires a web
browser such as Internet Explorer or Mozilla Firefox.

- The IPsec VPN client provides access at the IP level to all network
resources without much control at the application layer, whereas with the
SSL VPN portal you are able to provide access to certain applications,
provide posture checking services such as ensuring remote clients are
compliant before allowing them access, and include other tools such as
virtual desktop functionality for very secure environments.

- IPsec can be used for site-to-site or remote access VPN connectivity,
whereas SSL VPN is mainly used for remote access only.

This document was compiled with reference to the following link.

Reference:

http://www.internet-computer-security.com/VPN-Guide/VPN-Tutorial-Guide.html
