Abstract: Virtual Private Network (VPN) usage has grown in the last couple of years due to the increasing need for more private, secure and anonymous connections. VPN providers claim to meet the needs of anonymity, privacy and security, but the question is how well they are living up to that claim. Since VPN services claim to provide secure user access and are less expensive than a dedicated leased line, they have become more attractive to enterprises. However, there are still a lot of concerns regarding VPNs. VPN services are not as secure as they claim to be. They can be unreliable for end users. So, this paper introduces VPN and how it works, describes different types of VPN protocols such as Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and OpenVPN, tries to address various security issues of VPN services, analyzes their claims of privacy and security, discusses how VPN services suffer from IPv6 leakage and finally explores possible solutions and alternatives for these vulnerabilities.

Introduction: In brief, a Virtual Private Network (VPN) is a secured, encrypted connection between a user and a service provider designed to keep the communications private. The encryption is to provide data confidentiality.
VPN uses a tunneling mechanism to encapsulate encrypted data into a secure tunnel. VPN tunneling requires establishing a network connection and maintaining the connection. There are various types of tunneling protocols, which will be discussed later. VPN also claims to provide data integrity. When we browse the Internet, our computer sends a request for a specific page; that request goes to our ISP’s server, the ISP translates the requested domain name into an IP (Internet Protocol) address, requests the page on our behalf and finally sends the results back to our computer. What a VPN does is replace our IP address with that of the VPN. However, a VPN does more than that; otherwise it wouldn’t be any different from a proxy server, which is very insecure because whatever is sent using a proxy, a hacker can just read it if he or she wants. The reason is that a proxy doesn’t use any encryption.
This is what makes a VPN different from a proxy server. A VPN creates a so-called secure tunnel between your computer and the VPN server. All your traffic is routed through this tunnel and no one can check what’s going on there because of one, or sometimes even several, layers of encryption.
Note that this means that the VPN service itself does know what you’re up to, unless they have a “no logs” policy in place. Most decent services will not keep your logs (except maybe for some basic information, known as metadata), though sadly there are plenty of unscrupulous services out there, too.

VPNs provide a means for organizations and individuals to connect their various resources over the Internet (a very public network) without making the resources available to the public, instead only making them available to those that are part of the VPN.
VPNs provide a means for such users to have resources scattered all over the world, and still be connected as though they were all in the same building on the same network together, with all the ease of use and benefits of being interconnected in such a manner. Normally, without a VPN, if such a private connection was desired, the company would have to expend considerable resources in finances, time, training, personnel, hardware and software to set up dedicated communication lines. These dedicated connections could be a variety of technologies such as 56k leased lines, dedicated ISDN, dedicated private T1/T3/etc. connections, satellite, microwave and other wireless technologies. Setting up an organization’s private network over these dedicated connections tends to be very expensive. With a VPN, the company can use their existing Internet connections and infrastructure (routers, servers, software, etc.) and basically “tunnel” or “piggyback” their private network inside the public network traffic, and realize a considerable savings in resources and costs compared to dedicated connections.
A VPN solution is also able to provide more flexible options to remote workers: instead of only dial-up speeds and choices, they can connect from anywhere in the world for just the cost of their Internet connection, at whatever speed their ISP services may provide. There have been many VPN technologies developed in recent years, and many more are on the way. They vary widely from simple to very difficult to set up and administer, from free to very expensive, from light security to much heavier protection, from software based to dedicated hardware solutions, and even some managed services providers (for example www.devtodev.com or www.iss.net) are now entering the market to increase the VPN choices available.
Most VPNs operate using various forms of “tunneling” combined with many choices for encryption and authentication. In this document “tunneling” is over IP based networks, though other technologies exist as well (such as ATM based). This document will focus on technologies that deliver VPN solutions over IP based networks, and refer to them generically as “public” or “Internet” based networks, and only delve into the specific “carrier” protocol when appropriate (IPX, ATM, and other protocols are also used, but as IP has become quite dominant, many are now focused on IP). This document will only cover IPv4 not IPv6. Use of MS PPTP over 802.11b wireless technologies will also be briefly covered.
The data of the “private network” is carried or “tunneled” inside the public network packet. This also allows other protocols, even normally “non-routable” protocols, to become usable across widely dispersed locations. For example, Microsoft’s legacy NetBEUI protocol can be carried inside such a tunnel, and thus a remote user is able to act as part of the remote LAN, or two small LANs in two very different locations would actually be able to “see” each other and work together over many hops of routers, and still function with a protocol that normally would not route across the Internet, although there are many consequences in trying to stretch such a protocol beyond its intended use. Tunneling in and of itself is not sufficient security.
For example, let’s use IP as the carrier public protocol, carrying IPX inside as the private protocol. Anyone sniffing the “public” network’s packets could easily extract the clear text information of the IPX packets carried within the IP packets. This means that sufficient encryption of the carried IPX packets is necessary to protect their data. These two technologies suffice to provide a basic VPN, but will be weak if a third part is missing or lax (as we will show in various examples throughout this document). This third part would be anything related to authentication, traffic control, and related technologies. If there aren’t sufficient authentication technologies in place then it is quite simple for an intruder to intercept various VPN connections and “hijack” them with many “man/monkey in the middle attacks” and easily capture all data going back and forth between the VPN nodes, and eventually be able to compromise data, and potentially all networks and their resources, connected by the VPN.
This document is based on research and lab testing performed from March 1st through June 30th, 2002. The setup of the lab will also be briefly detailed to assist others who may wish to go into greater depth with this testing, and to help clarify under what circumstances the lab information was gathered.

Literature review: A recent report [1] suggested that VPNs are not as secure as they claim to be. VPN services claim that they provide privacy and anonymity. The authors studied these claims in various VPN services.
They analyzed a few of the most popular VPNs. They decided to investigate the internals and the infrastructures. They tested the VPNs using two kinds of attacks: passive monitoring and DNS hijacking. Passive monitoring is when a user’s unencrypted information is collected by a third party, and DNS hijacking is when the user’s browser is redirected to a controlled Web server which pretends to be a popular site like Twitter [2]. What their experiment revealed is very troubling: most of the VPN services suffer from IPv6 traffic leakage, and most of the VPN services leaked information, not only about the websites but also about the users. They went on to study various mobile platforms which use VPNs and found that these platforms are much more secure when iOS is used, but vulnerable when Android is used. They also talked about more sophisticated DNS hijacking attacks that allow all traffic to be transparently captured. To make things worse, most of the VPNs that were part of the experiment used Point-to-Point Tunneling Protocol with MS-CHAPv2 authentication, which according to TechReport makes them vulnerable to brute force hacks [10].
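A self-check for the IPv6 leakage finding above, as an added example that is not code from the cited report or from any VPN vendor. It assumes a leak shows up as IPv6 traffic still routed out of the physical interface while IPv4 goes through the tunnel; the route tables are constructed `ip route` / `ip -6 route` output, and the interface names `tun0` and `wlan0` and the probe addresses are assumptions. The same longest-prefix lookup also exposes IPv4 split tunnelling.

```python
import ipaddress

# Constructed `ip route` output: the tunnel covers all of IPv4 with two /1
# routes instead of replacing the default route (interface names assumed).
SAMPLE_V4 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Constructed `ip -6 route` output: the VPN client never touched this table.
SAMPLE_V6 = """\
2001:db8:1::/64 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""


def parse_routes(text, version):
    """Turn `ip route` style lines into (network, device) pairs."""
    default = "0.0.0.0/0" if version == 4 else "::/0"
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields[:-1]:
            continue  # blank line, or a route without an output device
        dest = default if fields[0] == "default" else fields[0]
        try:
            network = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # e.g. "unreachable" or "blackhole" entries
        routes.append((network, fields[fields.index("dev") + 1]))
    return routes


def egress_interface(routes, destination):
    """Longest-prefix match: which device would carry traffic to destination?"""
    addr = ipaddress.ip_address(destination)
    matches = [
        (net.prefixlen, dev)
        for net, dev in routes
        if net.version == addr.version and addr in net
    ]
    return max(matches, key=lambda m: m[0])[1] if matches else None


def audit(v4_text, v6_text, tunnel_dev,
          probes=("198.51.100.7", "2001:db8:ffff::7")):
    """Report, per address family, whether Internet-bound traffic is tunnelled."""
    routes = parse_routes(v4_text, 4) + parse_routes(v6_text, 6)
    findings = {}
    for probe in probes:
        family = "ipv%d" % ipaddress.ip_address(probe).version
        dev = egress_interface(routes, probe)
        if dev is None:
            findings[family] = "no route"
        elif dev == tunnel_dev:
            findings[family] = "tunnelled"
        else:
            findings[family] = "leaks via " + dev
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_V4, SAMPLE_V6, "tun0"))
```

An "ipv6: no route" result means IPv6 is effectively disabled on the host, which is the other way a client can avoid the leak.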
Akamai argued that VPNs cannot be a wise security solution and that they can be a drawback for third-party remote access. If you have an institution that must interact on a regular basis with third parties who need remote access to enterprise applications hosted in your hybrid cloud, a VPN is in no way a good solution: why would you hand over access to the whole network to a third party when that party only needs access to a specific application? Usually, a third party needs access just to a specific program for a specific amount of time. It will take a lot of time to configure and deploy different subnets for other parties, and on top of that, monitoring users and adding users are all time consuming. So clearly this is a drawback.
VPN services are considered to be a way of transferring private data. They are well known across the world. However, recently the SOX mandates have urged organizations to install end-to-end VPN security, which can only mean one thing: the VPN is no longer enough by itself. Moreover, VPN systems cannot be managed easily, and maintaining the security of the clients is also a complicated process.
It will require keeping the clients up to date.

Another piece of research [9] revealed that 90% of SSL VPNs use age-old encryption methods, which will eventually put corporate data at risk. An Internet study of publicly accessible SSL VPN servers was conducted by HTB (High Tech Bridge). Out of four million randomly selected IPv4 addresses, including popular suppliers such as Cisco, 10,436 randomly selected publicly available SSL VPN servers were scanned, which revealed the following problems:

1. Quite a few VPN services have SSLv2, and approximately 77% of SSL VPN services use the SSLv3 protocol, which is now considered obsolete. Both these protocols have various vulnerabilities and both are unsafe.
2. About 76 per cent of SSL VPNs use an untrusted SSL certificate, which might result in man-in-the-middle attacks.
3. A similar 74 per cent of certificates have an insecure SHA-1 signature, while five per cent make use of even older MD5 technology. By 1 January 2017, the majority of web browsers plan to deprecate and stop accepting SHA-1 signed certificates, since the ageing technology is not strong enough to withstand potential attacks.
4. Around 41 per cent of SSL VPNs use insecure 1024-bit keys for their RSA certificates. The RSA certificate is used for authentication and encryption key exchange. RSA key lengths below 2048 are considered insecure because they open the door to attacks, some based on advances in code breaking and cryptanalysis.
5. 1% of SSL VPNs that use OpenSSL are vulnerable to Heartbleed. This vulnerability was found in 2014. Heartbleed affected all products that use OpenSSL. It allowed hackers to retrieve personal data like encryption keys.
6. 97% of examined SSL VPNs do not fulfil the PCI DSS requirements, and none of them were compliant with NIST guidelines.

VPNs can be broadly categorized as follows:

1. A firewall-based VPN is one that is equipped with both firewall and VPN capabilities. This type of VPN makes use of the security mechanisms in firewalls to restrict access to an internal network. The features it provides include address translation, user authentication, real time alarms and extensive logging.
2. A hardware-based VPN offers high network throughput, better performance and more reliability, since there is no processor overhead. However, it is also more expensive.
3. A software-based VPN provides the most flexibility in how traffic is managed. This type is suitable when VPN endpoints are not controlled by the same party, and where different firewalls and routers are used. It can be used with hardware encryption accelerators to enhance performance.
4. An SSL VPN [3] allows users to connect to VPN devices using a web browser. The SSL (Secure Sockets Layer) protocol or TLS (Transport Layer Security) protocol is used to encrypt traffic between the web browser and the SSL VPN device. One advantage of using SSL VPNs is ease of use, because all standard web browsers support the SSL protocol, therefore users do not need to do any software installation or configuration.

VPN Tunneling
There are two types of tunneling in common use: 1. voluntary and 2. compulsory. In voluntary tunneling, the VPN client manages connection setup.
The client first makes a connection to the carrier network provider (an ISP in the case of Internet VPNs). Then, the VPN client application creates the tunnel to a VPN server over this live connection. In compulsory tunneling, the carrier network provider manages VPN connection setup. When the client first makes an ordinary connection to the carrier, the carrier in turn immediately brokers a VPN connection between that client and a VPN server. From the client point of view, VPN connections are set up in just one step compared to the two-step procedure required for voluntary tunnels. Compulsory VPN tunneling authenticates clients and associates them with specific VPN servers using logic built into the broker device.
This network device is sometimes called the VPN Front End Processor (FEP), Network Access Server (NAS) or Point of Presence Server (POS) [9].

Tunneling Protocols
Several computer network protocols have been implemented specifically for use with VPN tunnels. The three most popular VPN tunneling protocols listed below [9] continue to compete with each other for acceptance in the industry. These protocols are generally incompatible with each other.

Point-to-Point Tunneling Protocol (PPTP)
Several corporations worked together to create the PPTP specification. People generally associate PPTP with Microsoft because nearly all flavors of Windows include built-in client support for this protocol. The initial releases of PPTP for Windows by Microsoft contained security features that some experts claimed were too weak for serious use. Microsoft continues to improve its PPTP support, though.

Layer Two Tunneling Protocol (L2TP)
The original competitor to PPTP for VPN tunneling was L2F, a protocol implemented primarily in Cisco products. In an attempt to improve on L2F, the best features of it and PPTP were combined to create a new standard called L2TP. Like PPTP, L2TP exists at the data link layer (Layer Two) in the OSI model, thus the origin of its name.

Internet Protocol Security (IPsec)
IPsec is actually a collection of multiple related protocols. It can be used as a complete VPN protocol solution or simply as the encryption scheme within L2TP or PPTP.

Security concerns of VPN: Tunneling in and of itself is not sufficient security. For example, let’s use IP as the carrier public protocol, carrying IPX inside as the private protocol. Anyone sniffing the “public” network’s packets could easily extract the clear text information of the IPX packets carried within the IP packets. This means that sufficient encryption of the carried IPX packets is necessary to protect their data.
These two technologies suffice to provide a basic VPN, but will be weak if a third part is missing or lax (as we will show in various examples throughout this document). This third part would be anything related to authentication, traffic control, and related technologies. If there aren’t sufficient authentication technologies in place then it is quite simple for an intruder to intercept various VPN connections and “hijack” them with many “man/monkey in the middle attacks” and easily capture all data going back and forth between the VPN nodes, and eventually be able to compromise data, and potentially all networks and their resources, connected by the VPN. This document is based on research and lab testing performed from March 1st through June 30th, 2002. The setup of the lab will also be briefly detailed to assist others who may wish to go into greater depth with this testing, and to help clarify under what circumstances the lab information was gathered [7].

Following are the 5

HACKING ATTACKS
A client machine may become a target of attack, or a staging point for an attack, from within the connecting network. An intruder could exploit bugs or misconfiguration in a client machine, or use other types of hacking tools to launch an attack.
These can include VPN hijacking or man-in-the-middle attacks:
1. VPN hijacking is the unauthorized take-over of an established VPN connection from a remote client, and impersonating that client on the connecting network.
2. Man-in-the-middle attacks affect traffic being sent between communicating parties, and can include interception, insertion, deletion, and modification of messages, reflecting messages back at the sender, replaying old messages and redirecting messages.

USER AUTHENTICATION
By default, a VPN does not provide or enforce strong user authentication. A VPN connection should only be established by an authenticated user.
If the authentication is not strong enough to restrict unauthorized access, an unauthorized party could access the connected network and its resources. Most VPN implementations provide limited authentication methods. For example, PAP, used in PPTP, transports both user name and password in clear text. A third party could capture this information and use it to gain subsequent access to the network.

CLIENT SIDE RISKS
The VPN client machines of, say, home users may be connected to the Internet via a standard broadband connection while at the same time holding a VPN connection to a private network, using split tunneling. This may pose a risk to the private network being connected to.
A client machine may also be shared with other parties who are not fully aware of the security implications. In addition, a laptop used by a mobile user may be connected to the Internet, a wireless LAN at a hotel, airport or on other foreign networks. However, the security protection in most of these public connection points is inadequate for VPN access.
If the VPN client machine is compromised, either before or during the connection, this poses a risk to the connecting network.

VIRUS / MALWARE INFECTIONS
A connecting network can be compromised if the client side is infected with a virus. If a virus or spyware infects a client machine, there is a chance that the password for the VPN connection might be leaked to an attacker. In the case of an intranet or extranet VPN connection, if one network is infected by a virus or worm, that virus / worm can spread quickly to other networks if anti-virus protection systems are ineffective.
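The USER AUTHENTICATION point above, as an added example that is not part of the original paper: a small auditor that reads which authentication protocol a PPP peer requests during LCP negotiation, and shows that a PAP Authenticate-Request carries both fields unencrypted. Packet layouts follow RFC 1661 and RFC 1334; the sample packets are constructed, and the policy wording in `verdict` is an assumption of this example.

```python
import struct

AUTH_PROTOCOL_OPTION = 3  # LCP option type: Authentication-Protocol
AUTH_PROTOCOLS = {0xC023: "PAP", 0xC223: "CHAP", 0xC227: "EAP"}
CHAP_ALGORITHMS = {0x05: "MD5", 0x80: "MS-CHAP", 0x81: "MS-CHAPv2"}

# Constructed sample packets (PPP payloads, framing already removed).
LCP_PAP = bytes.fromhex("01010012" "010405dc" "0304c023" "050612345678")
LCP_MSCHAPV2 = bytes.fromhex("0102000f" "0305c22381" "050612345678")
PAP_REQUEST = struct.pack("!BBH", 1, 3, 23) + b"\x05alice" + b"\x0cnot-a-secret"


def requested_auth(lcp_packet):
    """Name the authentication protocol asked for in an LCP Configure-Request."""
    if len(lcp_packet) < 4:
        raise ValueError("truncated LCP header")
    code, _ident, length = struct.unpack("!BBH", lcp_packet[:4])
    if code != 1 or not 4 <= length <= len(lcp_packet):
        raise ValueError("not a well-formed Configure-Request")
    pos = 4
    while pos + 2 <= length:
        opt_type, opt_len = lcp_packet[pos], lcp_packet[pos + 1]
        if opt_len < 2 or pos + opt_len > length:
            raise ValueError("malformed option at offset %d" % pos)
        data = lcp_packet[pos + 2:pos + opt_len]
        if opt_type == AUTH_PROTOCOL_OPTION and len(data) >= 2:
            proto = struct.unpack("!H", data[:2])[0]
            name = AUTH_PROTOCOLS.get(proto, "unknown-0x%04x" % proto)
            if name == "CHAP" and len(data) >= 3:
                name += "/" + CHAP_ALGORITHMS.get(data[2], "alg-0x%02x" % data[2])
            return name
        pos += opt_len
    return None  # the peer did not ask for authentication at all


def pap_request_fields(pap_packet):
    """Split a PAP Authenticate-Request into (peer-id, password)."""
    if len(pap_packet) < 6:
        raise ValueError("truncated PAP packet")
    code, _ident, length = struct.unpack("!BBH", pap_packet[:4])
    if code != 1 or not 6 <= length <= len(pap_packet):
        raise ValueError("not a well-formed Authenticate-Request")
    body = pap_packet[4:length]
    id_len = body[0]
    if 1 + id_len >= len(body):
        raise ValueError("peer-id length overruns the packet")
    pw_len = body[1 + id_len]
    password = body[2 + id_len:2 + id_len + pw_len]
    if len(password) != pw_len:
        raise ValueError("password length overruns the packet")
    # No key is involved anywhere: both fields are plain bytes on the wire.
    return (body[1:1 + id_len].decode("ascii", "replace"),
            password.decode("ascii", "replace"))


def verdict(auth_name):
    """Policy for a VPN gateway audit (wording is this example's assumption)."""
    if auth_name is None:
        return "reject: no authentication requested"
    if auth_name == "PAP":
        return "reject: user name and password cross the link in clear text"
    if auth_name.startswith("CHAP"):
        return "weak: captured challenge/response can be guessed offline"
    return "review: strength depends on the method in use"


if __name__ == "__main__":
    for pkt in (LCP_PAP, LCP_MSCHAPV2):
        name = requested_auth(pkt)
        print(name, "->", verdict(name))
```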

INCORRECT NETWORK ACCESS RIGHTS
Some client and/or connecting networks may have been granted more access rights than are actually needed.

INTEROPERABILITY
Interoperability is also a concern. For example, IPsec compliant software from two different vendors may not always be able to work together.

Conclusion: As we find ourselves relying more and more on cloud services and multiple devices all connected to the Internet, it is vital that we stay informed and take steps to ensure our privacy online. VPN services claim to offer a private, secure network.
There are a few VPN technologies, amongst which IPsec and SSL VPN are the most popular. However, there are a lot of vulnerabilities that need to be addressed. A report suggested that NSA had the ability to remotely extract confidential keys from Cisco VPNs for over a decade, Mustafa Al-Bassam, a security researcher at payments processing firm Secure Trading, told Ars.
“This explains how they were able to decrypt thousands of VPN connections per minute as shown in documents previously published by Der Spiegel.” So, careful consideration must be given to the risk involved. Security features such as support for strong authentication, support for anti-virus software, intrusion detection, industry-proven strong encryption algorithms and so on need to be considered if we decide to go for a VPN product.

GENERAL VPN SECURITY CONSIDERATIONS
The following is general security advice for VPN deployment:

1. VPN connections can be strengthened by the use of firewalls.
2. An IDS / IPS (Intrusion Detection / Prevention System) is recommended in order to monitor attacks more effectively.
3. Anti-virus software should be installed on remote clients and network servers to prevent the spread of any virus / worm if either end is infected.
4. Unsecured or unmanaged systems with simple or no authentication should not be allowed to make VPN connections to the internal network.
5. Logging and auditing functions should be provided to record network connections, especially any unauthorised attempts at access. The log should be reviewed regularly.
6. Training should be given to network/security administrators and supporting staff, as well as to remote users, to ensure that they follow security best practices and policies during the implementation and ongoing use of the VPN.
7. Security policies and guidelines on the appropriate use of VPN and network support should be distributed to responsible parties to control and govern their use of the VPN.
8. Placing the VPN entry point in a Demilitarized Zone (DMZ) is recommended in order to protect the internal network.
9. It is advisable not to use split tunnelling to access the Internet or any other insecure network simultaneously during a VPN connection. If split tunneling is

References:
[1] G. Tyson, “A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients,” 17 Feb. 2015.
[2] K. Noyes, “Beware, VPN users: You may not be as safe as you think you are,” 1 July 2015. Online. Available: https://www.pcworld.com/article/2943472/vpn-users-beware-you-may-not-be-as-safe-as-you-think-you-are.html
[3] J. Crace, “VPN Security: What You Need to Know,” Cloudwards, 25 Sept. 2017. Online. Available: www.cloudwards.net/vpn-security-what-you-need-to-know/
[4] F. O’Sullivan, “Beginners Guide: What Is a VPN?” 3 Dec. 2017. Online. Available: www.cloudwards.net/what-is-a-vpn/
[5] R. Harrell, “VPN security: Where are the vulnerabilities?” October 2005.
[6] J. Leyden, “90% of SSL VPNs are ‘hopelessly insecure’, say researchers.”
[7] H. Robinson, “Microsoft PPTP VPN Vulnerabilities Exploits in Action,” August 22nd 2002.
[8] The Government of the Hong Kong Special Administrative Region, “VPN Security,” February 2008.
[9] B. Mitchell, “VPN Tunnels Tutorial,” July 21, 2017. Online. Available: https://www.lifewire.com/vpn-tunneling-explained-818174
[10] J. Martindale, “Many big VPNs have glaring security problems.”
Australian Bureau of Statistics, Engineering Construction Activity (cat. no. 8762.0). Canberra: ABS, 2010. Online. Available from AusStats, http://www.abs.gov.au/ausstats. Accessed: Sept.