
Abstract: Virtual Private Network (VPN) usage has grown in the last couple of years due to the
increasing need for more private, secure and anonymous connections. VPN providers claim to meet the
needs of anonymity, privacy and security, but the question is how well they are
living up to that claim. Since VPN services claim to provide secure user
access and are less expensive than a dedicated leased line, they have
become more attractive to enterprises. However, there are still a lot of
concerns regarding VPNs. VPN services are not as secure as they claim to be.
They can be unreliable for end users. So, this paper introduces VPN, how it
works, and different types of VPN protocols like Point-to-Point Tunneling Protocol
(PPTP), Layer 2 Tunneling Protocol (L2TP) and OpenVPN; tries to address
various security issues of VPN services; analyzes their claims of privacy and
security; discusses how VPN services suffer from IPv6 leakage; and finally explores
possible solutions and alternatives for these vulnerabilities.

 

 

Introduction: In brief, a Virtual Private Network (VPN) is a secured, encrypted connection between
a user and a service provider designed to keep the communications private. The
encryption provides data confidentiality. VPN uses a tunneling mechanism
to encapsulate encrypted data into a secure tunnel. VPN tunneling requires
establishing a network connection and maintaining the connection. There are
various types of tunneling protocols, which will be discussed later. VPN also
claims to provide data integrity. When we browse the Internet, our
computer sends a request for a specific page; that request goes to our ISP’s
server, the ISP translates the requested domain name into an IP (Internet
Protocol) address, requests the page on our behalf and finally sends the results back to our
computer.


 

 

What a VPN does is replace our IP address with that
of the VPN. However, a VPN does more than that; otherwise it wouldn’t be any different from a proxy
server, which is very insecure because whatever is sent using a proxy, a hacker
can just read if he or she wants. The reason is that a proxy doesn’t use any encryption.
This is what makes a VPN different from a proxy server. A VPN creates a so-called
secure tunnel between your computer and the VPN server. All your traffic is
routed through this tunnel and no one can check what’s going on there because
of one, or sometimes even several, layers of encryption. Note that this means
that the VPN service itself does know what you’re up to, unless they have a “no
logs” policy in place. Most decent services will not keep your logs (except
maybe for some basic information, known as metadata), though sadly enough
there are plenty of unscrupulous services out there, too.

 

VPNs provide a means for organizations and individuals to
connect their various resources over the Internet (a very public network) without
making the resources available to the public, instead making them available only
to those that are part of the VPN. VPNs provide a means for such users to have
resources scattered all over the world and still be connected as though they
were all in the same building on the same network together, with all the ease
of use and benefits of being interconnected in such a manner.

Normally, without a VPN, if such a private connection was desired, the company would have to
expend considerable resources in finances, time, training, personnel, hardware
and software to set up dedicated communication lines. These dedicated
connections could be a variety of technologies such as 56k leased lines,
dedicated ISDN, dedicated private T1/T3/etc. connections, satellite, microwave
and other wireless technologies. Setting up an organization’s private network
over these dedicated connections tends to be very expensive. With a VPN, the
company can use their existing Internet connections and infrastructure
(routers, servers, software, etc.) and basically “tunnel” or “piggyback” their
private network inside the public network traffic, and realize a considerable
savings in resources and costs compared to dedicated connections. A VPN
solution is also able to provide more flexible options to remote workers:
instead of only dial-up speeds and choices, they can connect from anywhere in
the world for just the cost of their Internet connection, at whatever speed
their ISP services may provide.

There have been many VPN technologies developed
in recent years, and many more are on the way. They vary widely from simple to very
difficult to set up and administer, from free to very expensive, from light
security to much heavier protection, and from software based to dedicated hardware
solutions, and even some managed services providers (for example
www.devtodev.com or www.iss.net) are now entering the market to increase the
VPN choices available.

Most VPNs operate using various forms of “tunneling”
combined with many choices for encryption and authentication. In this document
“tunneling” is over IP based networks, though other technologies exist as well
(such as ATM based). This document will focus on technologies that deliver VPN
solutions over IP based networks, and refer to them generically as “public” or
“Internet” based networks, and only delve into the specific “carrier” protocol
when appropriate (IPX, ATM, and other protocols are also used, but as IP has
become quite dominant, many are now focused on IP). This document will only
cover IPv4, not IPv6. Use of MS PPTP over 802.11b wireless technologies will
also be briefly covered.

The data of the “private network” is carried or
“tunneled” inside the public network packet. This also allows other protocols,
even normally “non-routable” protocols, to become usable across widely dispersed
locations. For example, Microsoft’s legacy NetBEUI protocol can be carried
inside such a tunnel, and thus a remote user is able to act as part of the
remote LAN, or two small LANs in two very different locations would actually
be able to “see” each other and work together over many hops of routers, and
still function, with a protocol that normally would not route across the
Internet, although there are many consequences in trying to stretch such a
protocol beyond its intended use.

Tunneling in and of itself is not sufficient
security. For example, let’s use IP as the carrier public protocol, carrying
IPX inside as the private protocol. Anyone sniffing the “public” network’s
packets could easily extract the clear text information of the IPX packets
carried within the IP packets. This means that sufficient encryption of the
carried IPX packets is necessary to protect their data. These two technologies
suffice to provide a basic VPN, but will be weak if a third part is missing or
lax (as we will show in various examples throughout this document). This third
part would be anything related to authentication, traffic control, and related
technologies. If there aren’t sufficient authentication technologies in place
then it is quite simple for an intruder to intercept various VPN connections
and “hijack” them with many “man/monkey in the middle attacks” and easily
capture all data going back and forth between the VPN nodes, and eventually be
able to compromise data, and potentially all networks and their resources,
connected by the VPN.

This document is based on research and lab testing
performed from March 1st through June 30th, 2002. The setup of the lab will
also be briefly detailed to assist others who may wish to go into greater depth
with this testing, and to help clarify under what circumstances the lab information
was gathered.

 

Literature review: A recent
report [1] suggested that VPNs are not as secure as they claim to be. VPN
services claim that they provide privacy and anonymity. The authors studied these
claims in various VPN services. They analyzed a few of the most popular VPNs and
investigated their internals and infrastructure. They tested the VPNs using two kinds of attacks: passive monitoring and DNS hijacking. Passive monitoring is
when a user’s unencrypted information is collected by a third party, and DNS
hijacking is when the user’s browser is redirected to a controlled web server
which pretends to be a popular site like Twitter [2]. What their
experiment revealed is troubling: most of the VPN services suffer from
IPv6 traffic leakage, and most of the VPN services leaked information, not
only information about the websites but also the user’s. They went on to study
various mobile platforms which use VPNs and found that these platforms are much
more secure when iOS is being used, but vulnerable when Android
is being used. They also talked
about more sophisticated DNS hijacking attacks that allow all traffic to be transparently
captured. To make things
worse, most of the VPNs that were part of the experiment used Point-to-Point Tunneling
Protocol with MS-CHAPv2 authentication, which according to TechReport makes
them vulnerable to brute-force hacks [10].

Akamai argued that VPNs are not a wise security solution and that they can
be a drawback for third-party remote access. If you have an institution
that regularly interacts with third parties who need remote
access to enterprise applications hosted in your hybrid cloud, a VPN is in no way
a good solution: why would you hand over access to the whole
network to a third party when that party only needs access to a specific
application? Usually, a third party needs access just to a specific program
for a specific amount of time. It takes a lot of time to configure and
deploy different subnets for other parties,
and on top of that, monitoring users and adding users are also time-consuming.
So clearly this is a drawback.

VPN services are considered to be a way of transferring private
data. They are well known across the world. However, the SOX mandates
have recently urged organizations to install end-to-end VPN security, which can only
mean one thing: the VPN is no longer enough by itself. Moreover, VPN
systems cannot be managed easily, and maintaining the security of the clients is
also a complicated process. It requires keeping the clients up to date.

Another study [9] revealed
that 90% of SSL VPNs use age-old encryption methods, and eventually this will put
corporate data at risk. The Internet research on publicly accessible SSL VPN
servers was conducted by HTB (High Tech Bridge). Out of four million randomly selected IPv4
addresses, including popular suppliers such as Cisco, 10,436 randomly selected
publicly available SSL VPN servers were scanned, which revealed the following
problems:

1. Quite a few VPN services have
SSLv2, and approximately 77% of SSL VPN services use the SSLv3 protocol, which is
now considered obsolete. Both these protocols have various vulnerabilities
and both are unsafe.

2. About 76 per cent of SSL VPNs
use an untrusted SSL certificate, which might result in man-in-the-middle attacks.

3. A similar 74 per cent of
certificates have an insecure SHA-1 signature, while five per cent make use of
even older MD5 technology. By 1 January 2017, the majority of web browsers plan
to deprecate and stop accepting SHA-1 signed certificates, since the ageing
technology is not strong enough to withstand potential attacks.

4. Around 41 per cent of SSL
VPNs use insecure 1024-bit keys for their RSA certificates. The RSA certificate is
used for authentication and encryption key exchange. RSA key lengths below 2048
are considered insecure because they open the door to attacks, some based on advances
in code breaking and cryptanalysis.

5. 1% of SSL VPNs that use OpenSSL are vulnerable to Heartbleed.
This vulnerability was found in 2014. Heartbleed
affected all products that use OpenSSL. It allowed hackers to retrieve personal
data like encryption keys.

6. 97% of examined SSL VPNs do not fulfil the PCI DSS
requirements, and none of them were compliant with NIST guidelines.
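The certificate and protocol findings above (items 1 to 4) can be checked mechanically. The following is an added example, not code from the cited study: it parses a text dump in the layout printed by `openssl x509 -noout -text` and applies the same thresholds. The function names, the scan-record shape and the sample certificates are constructed for illustration.

```python
import re

# Thresholds taken from the scan findings listed above.
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3"}
MIN_RSA_BITS = 2048

# Constructed excerpts in the layout printed by `openssl x509 -noout -text`.
WEAK_CERT = """\
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = vpn.example.test
        Subject: CN = vpn.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
"""
GOOD_CERT = """\
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Test CA
        Subject: CN = vpn2.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""


def audit_certificate_text(text):
    """Return a list of findings for one certificate text dump."""
    findings = []
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    if sig:
        # Matches md5..., sha1... and ...-SHA1 names, but not sha256/sha512.
        weak = re.search(r"(md5|sha-?1)(?!\d)", sig.group(1).lower())
        if weak:
            findings.append("weak-signature:" + weak.group(1))
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    if alg and bits and alg.group(1) == "rsaEncryption":
        if int(bits.group(1)) < MIN_RSA_BITS:
            findings.append("short-rsa-key:" + bits.group(1))
    # Issuer == Subject means self-signed, one common reason a certificate is
    # untrusted. Full chain validation is outside this example.
    issuer = re.search(r"^\s*Issuer:\s*(.+)$", text, re.M)
    subject = re.search(r"^\s*Subject:\s*(.+)$", text, re.M)
    if issuer and subject and issuer.group(1).strip() == subject.group(1).strip():
        findings.append("self-signed")
    return findings


def audit_server(record):
    """Audit one scan record {'host', 'protocols', 'cert_text'} (hypothetical shape)."""
    findings = ["obsolete-protocol:" + p
                for p in sorted(record["protocols"]) if p in OBSOLETE_PROTOCOLS]
    return findings + audit_certificate_text(record["cert_text"])


if __name__ == "__main__":
    scan = [  # constructed sample records
        {"host": "vpn.example.test", "protocols": ["TLSv1.0", "SSLv3"],
         "cert_text": WEAK_CERT},
        {"host": "vpn2.example.test", "protocols": ["TLSv1.2"],
         "cert_text": GOOD_CERT},
    ]
    for rec in scan:
        print(rec["host"], audit_server(rec) or "no findings")
```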

 

 

 

VPNs can be broadly categorized
as follows:

1. A firewall-based VPN is one
that is equipped with both firewall and VPN capabilities. This type of VPN
makes use of the security mechanisms in firewalls to restrict access to an
internal network. The features it provides include address translation, user
authentication, real time alarms and extensive logging.

2. A hardware-based VPN offers
high network throughput, better performance and more reliability, since there
is no processor overhead. However, it is also more expensive.

3. A software-based VPN provides
the most flexibility in how traffic is managed. This type is suitable when VPN
endpoints are not controlled by the same party, and where different firewalls
and routers are used. It can be used with hardware encryption accelerators to
enhance performance.

4. An SSL VPN [3] allows users to
connect to VPN devices using a web browser. The SSL (Secure Sockets Layer)
protocol or TLS (Transport Layer Security) protocol is used to encrypt traffic
between the web browser and the SSL VPN device. One advantage of using SSL VPNs
is ease of use, because all standard web browsers support the SSL protocol,
therefore users do not need to do any software installation or configuration.

VPN Tunneling

There are two types of tunneling that are commonly used:

1. Voluntary and

2. Compulsory.

In voluntary tunneling, the VPN client manages connection setup. The client first
makes a connection to the carrier network provider (an ISP in the case of
Internet VPNs). Then, the VPN client application creates the tunnel to a VPN server
over this live connection.

In compulsory tunneling, the carrier network provider manages VPN connection
setup. When the client first makes an ordinary connection to the carrier, the
carrier in turn immediately brokers a VPN connection between that client and a
VPN server. From the client point of view, VPN connections are set up in just
one step compared to the two-step procedure required for voluntary tunnels.

Compulsory VPN tunneling authenticates clients and associates them with specific VPN servers
using logic built into the broker device. This network device is sometimes
called the VPN Front End Processor (FEP), Network Access Server (NAS) or Point
of Presence Server (POS) [9].

Tunneling Protocols

Several computer network protocols have been implemented specifically for use with VPN
tunnels. The three most popular VPN tunneling protocols listed below [9]
continue to compete with each other for acceptance in the industry. These
protocols are generally incompatible with each other.

Point-to-Point Tunneling Protocol (PPTP)

Several corporations worked together to create the PPTP specification. People generally
associate PPTP with Microsoft because nearly all flavors of Windows include
built-in client support for this protocol. The initial releases of PPTP for
Windows by Microsoft contained security features that some experts claimed were
too weak for serious use. Microsoft continues to improve its PPTP support,
though.

Layer Two Tunneling Protocol (L2TP)

The original competitor to PPTP for VPN tunneling was L2F, a protocol implemented
primarily in Cisco products. In an attempt to improve on L2F, the best features
of it and PPTP were combined to create a new standard called L2TP. Like PPTP,
L2TP exists at the data link layer (Layer Two) in the OSI model, thus the
origin of its name.

Internet Protocol Security (IPsec)

IPsec is actually a collection of multiple related protocols. It can be used as a
complete VPN protocol solution or simply as the encryption scheme within L2TP
or PPTP.

 

Security concerns of VPN:

Tunneling in and of itself is not sufficient security. For example,
let’s use IP as the carrier public protocol, carrying IPX inside as the private
protocol. Anyone sniffing the “public” network’s packets could easily extract
the clear text information of the IPX packets carried within the IP packets.
This means that sufficient encryption of the carried IPX packets is necessary
to protect their data. These two technologies suffice to provide a basic VPN,
but will be weak if a third part is missing or lax (as we will show in various
examples throughout this document). This third part would be anything related
to authentication, traffic control, and related technologies. If there aren’t
sufficient authentication technologies in place then it is quite simple for an
intruder to intercept various VPN connections and “hijack” them with many
“man/monkey in the middle attacks” and easily capture all data going back and
forth between the VPN nodes, and eventually be able to compromise data, and
potentially all networks and their resources, connected by the VPN. This
document is based on research and lab testing performed from March 1st through
June 30th, 2002. The setup of the lab will also be briefly detailed to assist
others who may wish to go into greater depth with this testing, and to help
clarify under what circumstances the lab information was gathered [7].
Following are the 5

HACKING ATTACKS A client machine may
become a target of attack, or a staging point for an attack, from within the
connecting network. An intruder could exploit bugs or misconfiguration in a
client machine, or use other types of hacking tools to launch an attack. These
can include VPN hijacking or man-in-the-middle attacks:

1. VPN hijacking is the
unauthorized take-over of an established VPN connection from a remote client,
and impersonating that client on the connecting network.

2. Man-in-the-middle
attacks affect traffic being sent between communicating parties, and can
include interception, insertion, deletion, and modification of messages,
reflecting messages back at the sender, replaying old messages and redirecting
messages.

USER AUTHENTICATION By default VPN does not provide / enforce strong
user authentication. A VPN connection should only be established by an
authenticated user. If the authentication is not strong enough to restrict unauthorized
access, an unauthorized party could access the connected network and its
resources. Most VPN implementations provide limited authentication methods. For
example, PAP, used in PPTP, transports both user name and password in clear
text. A third party could capture this information and use it to gain
subsequent access to the network.
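A gateway or monitoring point can tell which authentication method a PPP session (as carried by PPTP) is about to use, because the peers negotiate it in the LCP Authentication-Protocol option (RFC 1661) before any credentials are sent. The following is an added example, not code from the cited sources: it parses an LCP Configure-Request and flags PAP and MS-CHAPv2, the two methods this paper singles out. The function names and the sample packets are constructed, and the input is assumed to be the LCP payload that follows the PPP protocol field 0xC021.

```python
import struct

LCP_CONFIGURE_REQUEST = 1      # LCP code (RFC 1661)
OPT_AUTH_PROTOCOL = 3          # LCP option type: Authentication-Protocol
PAP, CHAP = 0xC023, 0xC223     # PPP protocol numbers
CHAP_ALGORITHMS = {0x05: "CHAP-MD5", 0x80: "MS-CHAP", 0x81: "MS-CHAPv2"}

# Verdicts limited to what the text above states about each method.
VERDICTS = {
    "PAP": "reject: user name and password cross the link in clear text",
    "MS-CHAPv2": "flag: reported vulnerable to brute force",
    None: "flag: no authentication requested",
}

# Constructed sample packets: code, identifier, length, then options.
PAP_REQ = bytes.fromhex("0101000c010405dc0304c023")   # MRU + auth=PAP
MSCHAPV2_REQ = bytes.fromhex("010200090305c22381")    # auth=CHAP, alg 0x81
NO_AUTH_REQ = bytes.fromhex("01030008010405dc")       # MRU only


def requested_auth(lcp_packet):
    """Return the auth method named in an LCP Configure-Request, or None."""
    if len(lcp_packet) < 4:
        raise ValueError("truncated LCP header")
    code, _ident, length = struct.unpack("!BBH", lcp_packet[:4])
    if code != LCP_CONFIGURE_REQUEST:
        return None
    if length < 4 or length > len(lcp_packet):
        raise ValueError("bad LCP length")
    options = lcp_packet[4:length]
    pos = 0
    while pos < len(options):
        if pos + 2 > len(options):
            raise ValueError("truncated option header")
        opt_type, opt_len = options[pos], options[pos + 1]
        if opt_len < 2 or pos + opt_len > len(options):
            raise ValueError("bad option length")
        data = options[pos + 2:pos + opt_len]
        if opt_type == OPT_AUTH_PROTOCOL:
            if len(data) < 2:
                raise ValueError("short Authentication-Protocol option")
            proto = struct.unpack("!H", data[:2])[0]
            if proto == PAP:
                return "PAP"
            if proto == CHAP and len(data) >= 3:
                return CHAP_ALGORITHMS.get(data[2], "CHAP-unknown")
            return "unknown-0x%04x" % proto
        pos += opt_len
    return None


def verdict(lcp_packet):
    """Map a Configure-Request to a policy decision for the session."""
    return VERDICTS.get(requested_auth(lcp_packet), "review")


if __name__ == "__main__":
    for name, pkt in (("pap", PAP_REQ), ("mschapv2", MSCHAPV2_REQ),
                      ("none", NO_AUTH_REQ)):
        print(name, requested_auth(pkt), "->", verdict(pkt))
```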

CLIENT SIDE RISKS The VPN
client machines of, say, home users may be connected to the Internet via a
standard broadband connection while at the same time holding a VPN connection
to a private network, using split tunneling. This may pose a risk to the
private network being connected to. A client machine may also be shared with
other parties who are not fully aware of the security implications. In
addition, a laptop used by a mobile user may be connected to the Internet, a
wireless LAN at a hotel, airport or on other foreign networks. However, the
security protection in most of these public connection points is inadequate for
VPN access. If the VPN client machine is compromised, either before or during
the connection, this poses a risk to the connecting network.

VIRUS / MALWARE INFECTIONS A
connecting network can be compromised if the client side is infected with a
virus. If a virus or spyware infects a client machine, there is a chance that the
password for the VPN connection might be leaked to an attacker. In the case of
an intranet or extranet VPN connection, if one network is infected by a virus
or worm, that virus / worm can spread quickly to other networks if
anti-virus protection systems are ineffective.

INCORRECT NETWORK ACCESS RIGHTS
Some client and/or connecting networks may have been granted more access rights
than are actually needed.

 

INTEROPERABILITY Interoperability
is also a concern. For example, IPsec compliant software from two different
vendors may not always be able to work together.

 

Conclusion: As we find ourselves relying more and
more on cloud services and multiple devices all connected to the Internet, it
is vital that we stay informed and take steps to ensure our privacy online.
VPN services claim to offer a private, secure network. There are a few
VPN technologies, amongst which IPsec and SSL VPN are most popular. However,
there are a lot of vulnerabilities that need to be addressed. A report
suggested that the NSA had the ability to remotely extract confidential keys from
Cisco VPNs for over a decade. Mustafa Al-Bassam, a security researcher at
payments processing firm Secure Trading, told Ars: “This explains how they
were able to decrypt thousands of VPN connections per minute as shown in
documents previously published by Der Spiegel.” So, careful consideration
must be given to the risk involved. Security features such as support for
strong authentication, support for anti-virus software, intrusion detection,
industry-proven strong encryption algorithms and so on need to be considered
if we decide to go for a VPN product.

 

GENERAL VPN SECURITY CONSIDERATIONS
The following is general security advice for VPN deployment:

1. VPN connections can be strengthened by the use of firewalls.

2. An IDS / IPS (Intrusion Detection / Prevention System) is recommended in order to monitor attacks more
effectively.

3. Anti-virus software should be installed on remote clients and
network servers to prevent the spread of any virus / worm if either end is
infected.

4. Unsecured or unmanaged systems with simple or no authentication
should not be allowed to make VPN connections to the internal network.

5. Logging and auditing functions should be provided to record network
connections, especially any unauthorised attempts at access. The log should be
reviewed regularly.

6. Training should be given to network/security administrators
and supporting staff, as well as to remote users, to ensure that they follow
security best practices and policies during the implementation and ongoing use
of the VPN.

7. Security policies and guidelines on the appropriate use of VPN
and network support should be distributed to responsible parties to control and
govern their use of the VPN.

8. Placing the VPN entry point in a Demilitarized
Zone (DMZ) is recommended in order to protect the internal network.

9. It is advisable not to use split tunnelling to access the Internet or any other
insecure network simultaneously during a VPN connection. If split tunneling is

 

 

References:

1. G. Tyson, “A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients.” 17 Feb. 2015.

2. K. Noyes, “Beware, VPN users: You may not be as safe as you think you are.” 1 July 2015. Online. Available: https://www.pcworld.com/article/2943472/vpn-users-beware-you-may-not-be-as-safe-as-you-think-you-are.html.

3. J. Crace, “VPN Security: What You Need to Know.” Cloudwards, 25 Sept. 2017. Online. Available: www.cloudwards.net/vpn-security-what-you-need-to-know/.

4. F. O’Sullivan, “Beginners Guide: What Is a VPN?” 3 Dec. 2017. Online. Available: www.cloudwards.net/what-is-a-vpn/

5. R. Harrell, “VPN security: Where are the vulnerabilities?” October 2005.

6. J. Leyden, “90% of SSL VPNs are ‘hopelessly insecure’, say researchers.”

7. H. Robinson, “Microsoft PPTP VPN Vulnerabilities Exploits in Action.” 22 August 2002.

8. The Government of the Hong Kong Special Administrative Region, “VPN Security.” February 2008.

9. B. Mitchell, “VPN Tunnels Tutorial.” 21 July 2017. Online. Available: https://www.lifewire.com/vpn-tunneling-explained-818174.

10. J. Martindale, “Many big VPNs have glaring security problems.”

 

 
