Securing Virtual Private Networks (VPN)
This article introduces Virtual Private Networks (VPNs), why today's growing networks demand them, and the threats to their security. It covers the following topics:
- What Is VPN?
- Security Threats to Public Networks
- How Intruders Break Into the Network System
- Symmetric Encryption
- Asymmetric Encryption
- Typical Example of the Use of Encryption
- IPSec Security Services
- Internet Key Exchange
- Initiating a New VPN Connection
- Modes of Configuring Encryption on a VPN
- Making Secure VPNs Through IDS and Firewalls
- SSH, SSL, and PPTP Technology in VPN
The widespread reach of networks and the inexpensive availability of Web access to the public give rise to security hazards that prevent some important corporate, business, and military transactions from being carried out on public data networks. A few very large organizations can afford to buy a complete data link and dedicate it to their private and secret data transfers; but what about the others, who cannot afford such a dedicated link? This is where Virtual Private Networks come to the rescue, safeguarding the private and secret data of these organizations.
A VPN transfers data over a shared network such as a public data network, for example an ATM (Asynchronous Transfer Mode), Frame Relay, or IP (Internet Protocol) network. The data is delivered securely by applying security measures to the data packets and to the machines on the path: the hosts (source and destination computers), the routers (such as gateway routers and peer routers), and the bridges.
The threats that most endanger secure and stable packet delivery on a network are as follows:
- Loss of Privacy
- Loss of Integrity
- Denial of Service
Virtual Private Networks apply solutions to the security threats described above so that the network is no longer vulnerable to them:
- Confidentiality, to avoid loss of privacy, through the use of encryption (the art of cryptography).
- Authenticity of the source, to avoid impersonation.
- Integrity of the data.
- Satisfactory service at a reasonable cost.
Generally, an intruder follows these steps to break into a network or a computer:
Gather public information:
The intruder begins by finding public information or by appearing as a normal user. At this stage, it is difficult to detect them. The intruder might walk through your DNS tables to find the names of your machines, or search news articles and press releases about your company.
Scan for information:
The intruder scans for information, but still doesn't do anything harmful. If required, they walk through all your Web pages and look for CGI scripts (CGI scripts are often a weak point).
Exploit the system:
The intruder starts exploiting possible holes in the target machines. The intruder might attempt to exploit well-known buffer-overrun holes by sending large amounts of data. The intruder may start checking for login accounts with easily guessable (or empty) passwords.
Get hold of the system:
At this stage, the hacker has successfully gained a foothold in your network by hacking into a machine. The intruder's main goal is to hide evidence of the attacks (doctoring the audit trail and log files) and make sure they can get back in again. They may install 'toolkits' that give them access, replace existing services with their own Trojan horses that have backdoor passwords, or create their own user accounts.
Gain advantage of the attack:
The intruder takes advantage of their status to steal confidential data, misuse system resources (i.e. stage attacks at other sites from your site), or deface Web pages.
Encryption is a method by which data is encoded, using an encryption algorithm, into another (unreadable) form at the source computer before transmission; at the destination it is decoded by applying the reverse, decryption, algorithm.
There are two types of encryption:
- Symmetric encryption, also known as conventional encryption.
- Asymmetric encryption, also known as Public Key encryption.
The symmetric encryption scheme consists of the following components:

| Component | Description |
|---|---|
| Plain text | Our data that has to be sent securely over the network. |
| Encryption algorithm | Any technique for hiding the original data and making it unreadable to others. |
| Secret key | Used because an encryption algorithm that is known to anyone could be reversed by anyone on the network. If a key, like a hidden password, is used to lock the data, an intruder cannot unlock it even after learning the algorithm by some means; only the recipient who holds the key can unlock it. |
| Cipher text (encoded) | The encrypted text, encoded in another form and unreadable to others. |
| Decryption algorithm | The reverse algorithm, applied at the destination to decrypt or decode the encrypted data and make it readable again. |