February 27, 2021

Securing Virtual Private Networks (VPN)

  • By Fatima Ahmed

Initiating a New VPN Connection

The IKE SA is established in "main mode," where our own generated key is provided. The IPSec SA is established in "quick mode," where self-generating keys (for example, session keys) are generated. The session keys are valid for a certain time limit and are generated automatically by IPSec for more security. There are multiple quick modes for one main mode.

Pre-share means that the authentication keys are known before the data transfer. They can be shared in different ways, such as telling the other party personally by telephone, e-mail, or face-to-face.


Modes of Configuring Encryption on VPN Networks

There are basically two modes for setting up an encryption policy for VPN:

  1. Tunnel mode
  2. Transport mode

Tunnel mode is the default mode. In tunnel mode, the encryption process is done by routers or gateways, whereas in transport mode, source computers do the encryption; in other words, the data source encrypts the data itself.

In tunnel mode, the router also encrypts the original IP header and adds its own header, with the IP address of its own interface as the source address and the IP address of its peer router on the traffic path as the destination address. This makes tunnel mode more secure than transport mode.
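What an on-path observer can read in each mode, as an added example that is not part of the original article. It assumes ESP as the IPSec protocol, uses a SHAKE-256 XOR keystream as a labelled stand-in for the negotiated cipher (no integrity check value), and all addresses, keys, and function names are constructed for illustration.

```python
import hashlib, socket, struct

ESP, IPIP, TCP = 50, 4, 6  # IP protocol numbers

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left at 0 to keep the example short.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def standin_cipher(key, seq, data):
    # Stand-in for the negotiated ESP cipher: XOR with a SHAKE-256 keystream.
    # Assumption for illustration only; real ESP uses e.g. AES and adds an ICV.
    stream = hashlib.shake_256(key + struct.pack("!I", seq)).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def esp(spi, seq, key, payload, next_header):
    # The ESP trailer (padding, pad length, next header) is encrypted with the payload.
    pad = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad + 1)) + bytes([pad, next_header])
    return struct.pack("!II", spi, seq) + standin_cipher(key, seq, payload + trailer)

def transport_mode(src, dst, l4, spi, seq, key):
    # The source host protects only the upper-layer data; its own IP header stays.
    body = esp(spi, seq, key, l4, TCP)
    return ipv4_header(src, dst, ESP, len(body)) + body

def tunnel_mode(inner_packet, gw_src, gw_dst, spi, seq, key):
    # The gateway protects the whole inner packet, header included, and prepends
    # a new header addressed from its own interface to the peer gateway.
    body = esp(spi, seq, key, inner_packet, IPIP)
    return ipv4_header(gw_src, gw_dst, ESP, len(body)) + body

def observer_view(packet):
    # What anyone on the path can read without the key: outer addresses, protocol.
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), packet[9])

# Constructed sample values (private and documentation address ranges).
KEY, SPI = b"constructed-session-key", 0x1001
L4 = b"constructed TCP segment bytes"
INNER = ipv4_header("10.1.0.5", "10.2.0.9", TCP, len(L4)) + L4
TRANSPORT = transport_mode("10.1.0.5", "10.2.0.9", L4, SPI, 1, KEY)
TUNNEL = tunnel_mode(INNER, "192.0.2.1", "198.51.100.1", SPI, 1, KEY)

if __name__ == "__main__":
    print("transport:", observer_view(TRANSPORT))
    print("tunnel:   ", observer_view(TUNNEL))
```

In transport mode the observer still sees the two end hosts; in tunnel mode only the two gateway addresses appear, and the inner host addresses travel inside the encrypted part.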

Making Secure VPNs Through IDS and Firewalls

IDS (Intrusion Detection System) is a device or application used to inspect all network traffic and alert the user or administrator when there have been unauthorized attempts or access. The two primary methods of monitoring are signature-based and anomaly-based. Depending on the device or application used, the IDS can either simply alert the user or administrator or it could be set up to block specific traffic or automatically respond in some way.

Signature-based detection relies on comparison of traffic to a database containing signatures of known attack methods. Anomaly-based detection compares current network traffic to a known-good baseline to look for anything out of the ordinary. The IDS can be placed strategically on the network as a NIDS (network-based intrusion detection) that will inspect all network traffic, or it can be installed on each individual system as a HIDS (host-based intrusion detection) that inspects traffic to and from that specific device only.

A firewall is simply a device that shuts off everything, and then turns back on only a few well-chosen items. The reason we have firewalls is precisely because security holes are left open accidentally. We are all dependent on firewalls and other perimeter protection systems to protect our sites. It is virtually impossible to secure all the systems in a facility and keep them secured, so we turn to perimeter defenses.


SSH, SSL, and PPTP Technology in VPN

SSH (Secure Shell) is a program for logging into a remote machine and for executing commands on a remote machine. It provides secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports also can be forwarded over the secure channel. It is intended as a replacement for rlogin, rsh, and rcp, and can be used to provide rdist and rsync with a secure communication channel.

SSL (Secure Socket Layer): The traditional VPN requires a special client installed on each computer, or can use a built-in VPN client in many operating systems. A VPN server/firewall terminates the connection on the enterprise side and allows access across the VPN encrypted tunnel to internal resources. The SSL/TLS VPN uses a browser as the front end, and delivers applications inside the browser terminating the connection behind a firewall at an SSL/TLS server which relays application data to appropriate internal resources.

VPN includes a technology called PPTP (PPP over TCP) built into operating systems. This gives a machine two IP addresses: one on the Internet, and a virtual one on the corporate network. IPSec enhances the traditional IP protocol with security. While VPN vendors claim their products "enhance security," the reality is that they decrease corporate security. While the pipe itself is secure (authenticated, encrypted), either end of the pipe is wide open.

The fundamentals of tunneling with SSH, SSL, IPSec, and PPTP are out of the scope of this article. This article gives you an understanding of what VPN encryption and authentication are and how they work. I hope it's helpful for the readers.


This article was originally published on June 25, 2004
