Virtual Private Network (VPN) usage has grown in the last couple of years due to the increasing need for more private, secure and anonymous connections. VPN providers claim to meet the needs of anonymity, privacy and security, but the question is how well they live up to their claims. Since VPN services claim to provide secure user access and are less expensive than a dedicated leased line, they have become more attractive to enterprises. However, there are still many concerns regarding VPNs: VPN services are not as secure as they claim to be, and they can be unreliable for end users. So, this paper introduces VPN, how it works, and different types of VPN protocols such as Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and OpenVPN; tries to address various security issues of VPN services; analyzes their claims of privacy and security; discusses how VPN services suffer from IPv6 leakage; and finally explores possible solutions and alternatives for these vulnerabilities.
1.0 Introduction: In brief, a Virtual Private Network (VPN) is a secured, encrypted connection between a user and a service provider designed to keep the communications private. The encryption provides data confidentiality. A VPN uses a tunneling mechanism to encapsulate encrypted data into a secure tunnel. VPN tunneling requires establishing a network connection and maintaining that connection. There are various types of tunneling protocols, which will be discussed later. A VPN also claims to provide data integrity. When we browse the Internet, our computer sends a request for a specific page to our ISP’s server; the ISP translates the requested domain name into an IP (Internet Protocol) address, requests the page on our behalf and finally sends the results back to our computer. What a VPN does is replace our IP address with that of the VPN [1]. However, a VPN does more than that; otherwise it wouldn’t be any different from a proxy server, which is very insecure because a proxy doesn’t use any encryption, so anyone able to intercept traffic sent through a proxy can simply read it. This is what makes a VPN different from a proxy server. A VPN creates a so-called secure tunnel between your computer and the VPN server. All your traffic is routed through this tunnel and no one can check what’s going on there because of one, or sometimes even several, layers of encryption. Note that this means that the VPN service itself does know what you’re up to, unless it has a “no logs” policy in place. Most decent services will not keep your logs (except maybe for some basic information, known as metadata), though sadly there are plenty of unscrupulous services out there, too [2].
The author of [3] (2002) explained how VPNs provide a means for organizations and individuals to connect their various resources over the Internet (a very public network) without making the resources available to the public, instead making them available only to those that are part of the VPN. VPNs provide a means for such users to have resources scattered all over the world and still be connected as though they were all in the same building on the same network, with all the ease of use and benefits of being interconnected in such a manner. Normally, without a VPN, if such a private connection was desired, the company would have to expend considerable resources in finances, time, training, personnel, hardware and software to set up dedicated communication lines. These dedicated connections could be a variety of technologies such as 56k leased lines, dedicated ISDN, dedicated private T1/T3 and similar connections, satellite, microwave and other wireless technologies. Setting up an organization’s private network over these dedicated connections tends to be very expensive. With a VPN, the company can use its existing Internet connections and infrastructure (routers, servers, software, etc.) and basically “tunnel” or “piggyback” its private network inside the public network traffic, realizing considerable savings in resources and costs compared to dedicated connections. A VPN solution is also able to provide more flexible options to remote workers: instead of only dial-up speeds and choices, they can connect from anywhere in the world for just the cost of their Internet connection, at whatever speed their ISP may provide.
Many VPN technologies have been developed in recent years, and many more are on the way. They vary widely from simple to very difficult to set up and administer, from free to very expensive, from light security to much heavier protection, from software-based to dedicated hardware solutions, and even some managed service providers (for example www.devtodev.com or www.iss.net) are now entering the market to increase the VPN choices available. Most VPNs operate using various forms of “tunneling” combined with many choices for encryption and authentication. In that document, “tunneling” is over IP-based networks, though other technologies exist as well (such as ATM-based). The document focuses on technologies that deliver VPN solutions over IP-based networks, refers to them generically as “public” or “Internet” based networks, and only delves into the specific “carrier” protocol when appropriate (IPX, ATM and other protocols are also used, but as IP has become quite dominant, many are now focused on IP). It covers only IPv4, not IPv6. Use of MS PPTP over 802.11b wireless technologies is also briefly covered.
The data of the “private network” is carried or “tunneled” inside the public network packet; this also allows other protocols, even normally “non-routable” protocols, to become usable across widely dispersed locations. For example, Microsoft’s legacy NetBEUI protocol can be carried inside such a tunnel, and thus a remote user is able to act as part of the remote LAN, or two small LANs in two very different locations are able to “see” each other and work together over many hops of routers, with a protocol that normally would not route across the Internet, although there are many consequences in trying to stretch such a protocol beyond its intended use.
Tunneling in and of itself is not sufficient security. For example, let’s use IP as the carrier public protocol, carrying IPX inside as the private protocol. Anyone sniffing the “public” network’s packets could easily extract the clear-text information of the IPX packets carried within the IP packets. This means that sufficient encryption of the carried IPX packets is necessary to protect their data. These two technologies suffice to provide a basic VPN, but it will be weak if a third part is missing or lax (as that document shows in various examples). This third part would be anything related to authentication, traffic control and related technologies. If there aren’t sufficient authentication technologies in place, then it is quite simple for an intruder to intercept VPN connections and “hijack” them with “man/monkey in the middle attacks”, easily capture all data going back and forth between the VPN nodes, and eventually compromise data and potentially all networks and their resources connected by the VPN. That document is based on research and lab testing performed from March 1st through June 30th, 2002; the setup of the lab is also briefly detailed to assist others who may wish to go into greater depth with this testing, and to help clarify under what circumstances the lab information was gathered.
2.0 Literature review: A recent report [4] suggested that VPNs are not as secure as they claim to be. VPN services claim that they provide privacy and anonymity. The authors studied these claims in various VPN services, analyzed a few of the most popular VPNs and investigated their internals and infrastructures. They tested the VPNs using two kinds of attacks: passive monitoring and DNS hijacking. Passive monitoring is when a user’s unencrypted information is collected by a third party, and DNS hijacking is when the user’s browser is redirected to a web server under the attacker’s control which pretends to be a popular site like Twitter [5]. What their experiment revealed is very disturbing: most of the VPN services suffer from IPv6 traffic leakage, and most of them leaked information, not only about the websites visited but also about the user. They went on to study mobile platforms which use VPNs and found that these platforms are much more secure when iOS is used, but were vulnerable when an Android platform is used. They also talked about more sophisticated DNS hijacking attacks that allow all traffic to be transparently captured. To make things worse, most of the VPNs that were part of the experiment used Point-to-Point Tunneling Protocol with MS-CHAPv2 authentication, which, according to TechReport, makes them vulnerable to brute-force attacks [6].
Akamai argued that a VPN is not a wise security solution and that it can be a drawback for third-party remote access. If you have an institution that regularly interacts with third parties who need remote access to enterprise applications hosted in your hybrid cloud, a VPN is not a good solution, because why would you hand over access to the whole network to a third party when that party only needs access to a specific application? Usually, a third party needs access to just a specific program for a specific amount of time. It takes a lot of time to configure and deploy different subnets for other parties, and on top of that, monitoring users and adding users are all time-consuming. So clearly this is a drawback.
VPN services are considered to be a way to transfer private data, and they are well known across the world. However, recently [7] the SOX mandates have urged organizations to install end-to-end VPN security, which can only mean one thing: the VPN is no longer enough by itself. Moreover, VPN systems cannot be managed easily, and maintaining the security of the clients is also a complicated process, since it requires keeping the clients up to date.
Another study [8] revealed that 90% of SSL VPNs use outdated encryption methods, which will eventually put corporate data at risk. High-Tech Bridge (HTB) conducted an Internet-wide survey of publicly accessible SSL VPN servers: from four million randomly selected IPv4 addresses, 10,436 randomly selected publicly available SSL VPN servers, including those of popular vendors such as Cisco, were scanned, which revealed the following:
1. Quite a few SSL VPN servers still support SSLv2, and approximately 77% of SSL VPN servers use the SSLv3 protocol, which is now considered obsolete. Both of these protocols have various vulnerabilities and both are unsafe.
2. About 76 per cent of SSL VPNs use an untrusted SSL certificate, which might result in man-in-the-middle attacks.
3. A similar 74 per cent of certificates have an insecure SHA-1 signature, while five per cent make use of even older MD5 technology. By 1 January 2017, the majority of web browsers plan to deprecate and stop accepting SHA-1 signed certificates, since the ageing technology is not strong enough to withstand potential attacks.
4. Around 41 per cent of SSL VPNs use insecure 1024-bit keys for their RSA certificates. The RSA certificate is used for authentication and encryption key exchange. RSA key lengths below 2048 bits are considered insecure because they open the door to attacks, some based on advances in code breaking and cryptanalysis.
5. 1% of the SSL VPNs that use OpenSSL are vulnerable to Heartbleed. This vulnerability was found in 2014. Heartbleed affected all products that use OpenSSL. It allowed attackers to retrieve sensitive data such as encryption keys.
6. 97% of the examined SSL VPNs do not fulfil the PCI DSS requirements, and none of them were compliant with NIST guidelines.
VPNs can be categorized as follows:
1. A firewall-based VPN is one that is equipped with both firewall and VPN capabilities. This type of VPN makes use of the security mechanisms in firewalls to restrict access to an internal network. The features it provides include address translation, user authentication, real-time alarms and extensive logging.
2. A hardware-based VPN offers high network throughput, better performance and more reliability, since there is no processor overhead. However, it is also more expensive.
3. A software-based VPN provides the most flexibility in how traffic is managed. This type is suitable when VPN endpoints are not controlled by the same party, and where different firewalls and routers are used. It can also be used with hardware encryption accelerators.
4. An SSL VPN [3] allows users to connect to VPN devices using a web browser. The SSL (Secure Sockets Layer) protocol or TLS (Transport Layer Security) protocol is used to encrypt traffic between the web browser and the SSL VPN device. One advantage of using SSL VPNs is ease of use, because all standard web browsers support the SSL protocol; therefore users do not need to do any software installation or configuration.
There are two types of tunneling that are commonly used:
In voluntary tunneling, the VPN client manages connection setup. The client first makes a connection to the carrier network provider (an ISP in the case of Internet VPNs). Then, the VPN client application creates the tunnel to a VPN server over this live connection.
In compulsory tunneling, the carrier network provider manages VPN connection setup. When the client first makes an ordinary connection to the carrier, the carrier in turn immediately brokers a VPN connection between that client and a VPN server. From the client’s point of view, VPN connections are set up in just one step compared to the two-step procedure required for voluntary tunnels. VPN tunneling authenticates clients and associates them with specific VPN servers using logic built into the broker device. This network device is sometimes called the VPN Front End Processor (FEP), Network Access Server (NAS) or Point of Presence Server (POS) [9].
Several computer network protocols have been implemented specifically for use with VPN tunnels. There are a few tunneling protocols, but the three most popular VPN tunneling protocols listed below [9] continue to compete with each other for acceptance in the industry. These protocols are generally incompatible with each other.
Point-to-Point Tunneling Protocol (PPTP)
Several corporations worked together to create the PPTP specification. People generally associate PPTP with Microsoft because nearly all flavors of Windows include built-in client support for this protocol. The initial releases of PPTP for Windows by Microsoft contained security features that some experts claimed were too weak for serious use. Microsoft continues to improve its PPTP support, though.
Layer Two Tunneling Protocol (L2TP)
The original competitor to PPTP for VPN tunneling was L2F, a protocol implemented primarily in Cisco products. In an attempt to improve on L2F, the best features of it and PPTP were combined to create a new standard called L2TP. Like PPTP, L2TP exists at the data link layer (Layer Two) in the OSI model, which is the origin of its name.
Internet Protocol Security (IPsec)
IPsec is actually a collection of multiple related protocols. It can be used as a complete VPN protocol solution or simply as the encryption scheme within L2TP.
3.3.0 Security concerns of VPN:
The following are the potential risks of VPN [10]:
3.3.1 Hacking Attack: A client machine may become a target of attack, or a staging point for an attack, from within the connecting network. An intruder could exploit bugs or misconfiguration in a client machine, or use other types of hacking tools to launch an attack. These can include VPN hijacking or man-in-the-middle attacks:
1. VPN hijacking is the unauthorized take-over of an established VPN connection from a remote client, and impersonating that client on the connecting network.
2. Man-in-the-middle attacks affect traffic being sent between communicating parties, and can include interception, insertion, deletion and modification of messages, reflecting messages back at the sender, replaying old messages and redirecting messages.
User Authentication: By default, a VPN does not provide or enforce strong user authentication. A VPN connection should only be established by an authenticated user. If the authentication is not strong enough to restrict unauthorized access, an unauthorized party could access the connected network and its resources. Most VPN implementations provide limited authentication methods. For example, PAP, used in PPTP, transports both user name and password in clear text. A third party could capture this information and use it to gain subsequent access to the network.
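Added example, not from the paper or the sources it cites: a monitor-side check for the PAP and MS-CHAPv2 weaknesses described above. PPTP carries PPP frames over GRE, and PPP negotiates the login method through the LCP Authentication-Protocol option, so a sensor that decodes that option can raise an alert as soon as a tunnel settles on PAP (clear-text credentials) or MS-CHAPv2. The frames are constructed and the severity labels are assumptions of this example.

```python
import struct
from collections import namedtuple

PPP_LCP = 0xC021                     # PPP protocol number of the Link Control Protocol
LCP_CONF_REQ, LCP_CONF_ACK = 1, 2    # LCP codes that carry configuration options
OPT_AUTH_PROTOCOL = 3                # LCP option type: Authentication-Protocol
AUTH_PAP, AUTH_CHAP, AUTH_EAP = 0xC023, 0xC223, 0xC227
CHAP_ALGORITHMS = {0x05: "CHAP-MD5", 0x80: "MS-CHAPv1", 0x81: "MS-CHAPv2"}

# Severity labels are this example's assumptions, following the text above.
RISK = {
    "PAP": "HIGH: user name and password cross the wire in clear text",
    "MS-CHAPv2": "MEDIUM: challenge/response can be brute-forced offline",
    "MS-CHAPv1": "HIGH: obsolete predecessor of MS-CHAPv2",
    "CHAP-MD5": "MEDIUM: captured exchanges allow offline dictionary attacks",
    "EAP": "LOW: strength depends on the EAP method negotiated next",
}

AuthNegotiation = namedtuple("AuthNegotiation", "lcp_code method risk")


def parse_lcp_options(data: bytes):
    """Yield (type, value) for each TLV option; reject malformed lengths."""
    off = 0
    while off + 2 <= len(data):
        opt_type, opt_len = data[off], data[off + 1]
        if opt_len < 2 or off + opt_len > len(data):
            raise ValueError(f"malformed LCP option at offset {off}")
        yield opt_type, data[off + 2:off + opt_len]
        off += opt_len


def auth_method(value: bytes) -> str:
    """Decode an Authentication-Protocol option payload into a method name."""
    if len(value) < 2:
        raise ValueError("Authentication-Protocol option too short")
    proto = struct.unpack("!H", value[:2])[0]
    if proto == AUTH_CHAP:                   # CHAP carries an extra algorithm byte
        if len(value) < 3:
            raise ValueError("CHAP option lacks its algorithm byte")
        return CHAP_ALGORITHMS.get(value[2], f"CHAP-0x{value[2]:02x}")
    return {AUTH_PAP: "PAP", AUTH_EAP: "EAP"}.get(proto, f"unknown-0x{proto:04x}")


def inspect_ppp_frame(frame: bytes):
    """AuthNegotiation for an LCP Configure-Request/Ack carrying an
    Authentication-Protocol option; None for any other PPP frame."""
    if frame[:2] == b"\xff\x03":         # optional PPP address/control bytes
        frame = frame[2:]
    if len(frame) < 6 or struct.unpack("!H", frame[:2])[0] != PPP_LCP:
        return None
    code, _ident, length = struct.unpack("!BBH", frame[2:6])
    if code not in (LCP_CONF_REQ, LCP_CONF_ACK):
        return None
    for opt_type, value in parse_lcp_options(frame[6:2 + length]):
        if opt_type == OPT_AUTH_PROTOCOL:
            method = auth_method(value)
            return AuthNegotiation(code, method, RISK.get(method, "UNKNOWN"))
    return None


# Constructed frames (not captured traffic): PPP protocol 0xC021, then an LCP
# Configure-Request whose only option is Authentication-Protocol.
SAMPLE_PAP = bytes.fromhex("c021 01 01 0008 03 04 c023")
SAMPLE_MSCHAPV2 = bytes.fromhex("c021 01 02 0009 03 05 c223 81")
SAMPLE_EAP = bytes.fromhex("c021 01 03 0008 03 04 c227")

if __name__ == "__main__":
    for frame in (SAMPLE_PAP, SAMPLE_MSCHAPV2, SAMPLE_EAP):
        found = inspect_ppp_frame(frame)
        print(f"{found.method:10s} {found.risk}")
```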
3.3.2 Client Side Risks: The VPN client machines of, say, home users may be connected to the Internet via a standard broadband connection while at the same time holding a VPN connection to a private network, using split tunneling. This may pose a risk to the private network being connected to. A client machine may also be shared with other parties who are not fully aware of the security implications. In addition, a laptop used by a mobile user may be connected to the Internet through a wireless LAN at a hotel, an airport or other foreign networks. However, the security protection at most of these public connection points is inadequate for VPN access. If the VPN client machine is compromised, either before or during the connection, this poses a risk to the connecting network.
3.3.3 Incorrect Network Access: Granting more access rights than needed to clients or networks.
3.3.4 Malware Infections: If any client is infected with malware, the connecting network might get compromised as well unless it is protected with an effective anti-virus system.
3.3.5 Interoperability: IPsec-compliant software from two different vendors may not always be able to work together, so interoperability is also a concern.
4.0 Conclusion: As we find ourselves relying more and more on cloud services and multiple devices all connected to the Internet, it is vital that we stay informed and take steps to ensure our privacy online. VPN services claim to offer a private, secure network. There are a few VPN technologies, amongst which IPsec and SSL VPN are the most popular. However, there are a lot of vulnerabilities that need to be addressed. A report suggested that the NSA had the ability to remotely extract confidential keys from Cisco VPNs for over a decade, Mustafa Al-Bassam, a security researcher at payments processing firm Secure Trading, told Ars. “This explains how they were able to decrypt thousands of VPN connections per minute as shown in documents previously published by Der Spiegel.” So, careful consideration must be given to the risks involved. Security features such as support for strong authentication, support for anti-virus software, intrusion detection, industry-proven strong encryption algorithms and so on need to be considered if we decide to go for a VPN product.
5.0 Future work: The following can be implemented to make a VPN deployment more secure and private:
1. Installing an intrusion detection system.
2. Using a firewall.
3. Installing anti-virus software on both clients and servers, in case either end is infected with a virus.
4. VPN connections should have secured and managed authentication.
5. Network connections should be recorded.
6. The logs should be reviewed regularly.
7. Network administrators and supporting staff should be trained so that they can implement VPNs in a proper way.
8. To protect the internal network, the VPN entry point should be placed in a demilitarized zone (DMZ).
9. During a VPN connection, split tunneling should be avoided when simultaneously accessing the Internet or any other network that is not secure.
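Added example, not part of the paper: a client-side check that ties the IPv6 leakage finding from the literature review to recommendation 9 above. The VPN clients studied there rewrote only the IPv4 routing table, so the IPv6 default route kept pointing at the physical interface. The script parses constructed Linux `ip route` and `ip -6 route` output, performs the same longest-prefix-match lookup the kernel does for a public IPv4 and IPv6 probe address, and reports whether each would leave through the tunnel interface (assumed here to be tun0) or bypass it. The route lines and the probe addresses (RFC 5737 and RFC 3849 documentation ranges) are constructed.

```python
import ipaddress
from collections import namedtuple

DROP_TYPES = ("unreachable", "blackhole", "prohibit")  # iproute2 drop routes
Route = namedtuple("Route", "network dev metric")       # dev: interface or drop type


def parse_ip_route(text: str, family: int) -> list:
    """Parse Linux `ip route` (family=4) or `ip -6 route` (family=6) output."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        dev = "?"
        if tok[0] in DROP_TYPES:                 # e.g. "unreachable ::/0 metric 1"
            dev, tok = tok[0], tok[1:]
        elif "dev" in tok:
            dev = tok[tok.index("dev") + 1]
        dest = tok[0]
        if dest == "default":
            dest = "0.0.0.0/0" if family == 4 else "::/0"
        if "/" not in dest:                      # host route, e.g. to the VPN server
            dest += "/32" if family == 4 else "/128"
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append(Route(ipaddress.ip_network(dest, strict=False), dev, metric))
    return routes


def egress_device(routes, addr: str):
    """Kernel-style lookup: longest prefix wins, then the lowest metric."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if r.network.version == ip.version and ip in r.network]
    if not hits:
        return None
    return max(hits, key=lambda r: (r.network.prefixlen, -r.metric)).dev


def leak_report(routes4, routes6, tunnel_dev, probe4, probe6) -> dict:
    """Where would packets to a public IPv4 and IPv6 destination leave the host?"""
    via4, via6 = egress_device(routes4, probe4), egress_device(routes6, probe6)
    return {
        "ipv4_via": via4,
        "ipv6_via": via6,
        "split_tunnel": via4 != tunnel_dev,                   # IPv4 bypasses the VPN
        "ipv6_leak": via6 not in (None, tunnel_dev) + DROP_TYPES,
    }


# Constructed tables: laptop on wlan0, OpenVPN-style full tunnel on tun0 that
# overrides the default route with 0.0.0.0/1 + 128.0.0.0/1 and keeps a host
# route to the VPN server (198.51.100.5) on the physical interface.
ROUTES4 = parse_ip_route("""
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
198.51.100.5 via 192.168.1.1 dev wlan0
""", 4)
# The client never touched the IPv6 table, so the RA-learned default still wins.
ROUTES6_LEAKY = parse_ip_route("""
default via fe80::1 dev wlan0 proto ra metric 600
2001:db8:1::/64 dev wlan0 proto ra metric 600
""", 6)
# Mitigated: global unicast (2000::/3) is sent through the tunnel as well.
ROUTES6_FIXED = ROUTES6_LEAKY + parse_ip_route("2000::/3 dev tun0 metric 1", 6)

if __name__ == "__main__":
    for label, r6 in (("leaky", ROUTES6_LEAKY), ("fixed", ROUTES6_FIXED)):
        print(label, leak_report(ROUTES4, r6, "tun0", "203.0.113.7", "2001:db8::1"))
```

A drop route such as `unreachable ::/0` is also accepted as a fix, for providers that offer no IPv6 inside the tunnel.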
1. J. Crace. “VPN Security: What You Need to Know.” Cloudwards, 25 Sept. 2017.
2. F. O’Sullivan. “Beginners Guide: What Is a VPN?” 3 Dec. 2017. Online. Available: www.cloudwards.net/what-is-a-vpn/.
3. H. Robinson. “Microsoft PPTP VPN Vulnerabilities Exploits in Action.” August 22, 2002.
4. G. Tyson. “A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients.”
5. K. Noyes. “Beware, VPN users: You may not be as safe as you think you are.” 1 July 2015. Online. Available: https://www.pcworld.com/article/2943472/vpn-users-beware-you-may-not-be-as-safe-as-you-think-you-are.html.
6. J. Martindale. “Many big VPNs have glaring security problems.” 1 July 2015. Online. Available: https://www.digitaltrends.com/computing/commercial-vpn-huge-security-flaws/.
7. R. Harrell. “VPN security: Where are the vulnerabilities?” October 2005. Online. Available: http://searchenterprisewan.techtarget.com/tip/VPN-security-Where-are-the-vulnerabilities.
8. J. Leyden. “90% of SSL VPNs are ‘hopelessly insecure’, say researchers.” 26 February 2016. Online.
9. B. Mitchell. “VPN Tunnels Tutorial.” July 21, 2017. Online.
10. Government of the Hong Kong Special Administrative Region. VPN Security. February.
11. D. Goodin. “How the NSA snooped on encrypted Internet traffic for a decade.” August 20, 2016. Online. Available: https://arstechnica.com/information-technology/2016/08/cisco-firewall-exploit-shows-how-nsa-decrypted-vpn-traffic/.