Abstract: VirtualPrivate Network (VPN) usage has grown in the last couple of years due to theincreasing need of more private, secure and anonymous connection. VPN providers claim to provide theneeds of anonymity, privacy and security, but, the question is how well arethey living up to their claim? Since VPN services claim to provide secure useraccess and they are less expensive than a dedicated leased line, they havebecome more attractive to enterprises. However, there are still a lot ofconcerns regarding VPNs.
VPN services are not as secure as they claim to be.They can be unreliable for end users. So, this paper introduces VPN, how itworks, different types of VPN protocols like Point-to-Point Tunneling Protocol(PPTP), Layer 2 Tunneling Protocol (L2TP) and Open VPN, tries to addressvarious security issues of VPN services, analyze their claims of privacy andsecurity, discuss how do the VPN services suffer from ipv6 leakage and finally explorepossible solutions and alternatives for these vulnerabilities. 1.0 Introduction: Inbrief, Virtual Private Network (VPN) is a secured, encrypted connection betweena user and a service provider designed to keep the communications private. Theencryption is to provide data confidentiality. VPN uses the tunneling mechanismto encapsulate encrypted data into a secure tunnel.
VPN tunneling requiresestablishing a network connection and maintaining the connection. There arevarious types of tunneling protocols which will be discussed later. VPN alsoclaims to provide data integrity.
When we browse through the Internet, ourcomputer a request for a specific page then that request goes to our ISP’sserver, then the ISP translate the requested domain name into an IP(InternetProtocol) address and requests the page on our behalf and finally sends the results back to ourcomputer. What VPN does is that it replaces our IPaddress with that of the VPN 1. However, VPN does more than that otherwise itwouldn’t be any different from a proxy server which are very insecure becausewhatever is send using a proxy, a hacker can just read it if he or she wants. Thereason is proxy doesn’t use any encryption. This is what makes VPN differentfrom a proxy server. A VPN creates a so-called secure tunnel between yourcomputer and the VPN server. All your traffic is routed through this tunnel andno one can check what’s going on there because of one, or sometimes evenseveral, layers of encryption.
Note that this means that the VPN service itselfdoes know what you’re up to, unless they have a “no logs” policy in place. Mostdecent services will not keep your logs (except maybe for some basicinformation, known as metadata), though sorrowfully enough there are plenty ofunscrupulous services out there, too 2. Robinson(2002) explained 3 how VPNs provide a means for organizations andindividuals to connect their various resources over the Internet (a very publicnetwork), but not make the resources available to the public, instead onlymaking them available to those that are part of the VPN. VPNs provide a meansfor such users to have resources scattered all over the world, and still beconnected as though they were all in the same building on the same network together,with all the ease of use and benefits of being interconnected in such a manner.Normally, without a VPN, if such a private connection was desired, the companywould have to expend considerable resources in finances, time, training,personnel, hardware and software to setup dedicated communication lines. Thesededicated connections could be a variety of technologies such as 56k leasedlines, dedicated ISDN, dedicated private T1/T3/ and so on, connections,satellite, microwave and other wireless technologies. Setting up anorganization’s private network over these dedicated connections tends to bevery expensive.
With a VPN, the company can use their existing Internetconnections and infrastructure (routers, servers, software, etc.) and basically”tunnel” or “piggyback” their private network inside the public networktraffic, and realize a considerable savings in resources and costs compared todedicated connections. A VPN solution is also able to provide more flexibleoptions to remote workers instead of only dial-up speeds and choices, they canconnect from anywhere in the world for just the cost of their Internetconnection, at whatever speed their ISP services may provide. There have beenmany VPN technologies developed in recent years, and many more on the way. Theyvary widely from simple, to very difficult to setup and administrate, from freeto very expensive, from light security to much heavier protection, fromsoftware based to dedicated hardware solutions, and even some managed servicesproviders (for example www.
devtodev.com or www.iss.
net ) now entering into themarket to increase the VPN choices available. Most VPNs operate using variousforms of “tunneling” combined with many choices for encryption andauthentication. In this document “tunneling” is over IP based networks, thoughother technologies exist as well (such as ATM based). This document will focuson technologies that deliver VPN solutions over IP based networks, and refer tothem generically as “public” or “Internet” based networks, and only delve intothe specific “carrier” protocol when appropriate (IPX, ATM, and other protocolsare also used, but as IP has become quite dominant, many are now focused onIP). This document will only cover IPv4 not IPv6.
Use of MS PPTP over 802.11b wirelesstechnologies will also be briefly covered. The data of the “private network” iscarried or “tunneled” inside the public network packet, this also allows otherprotocols, even normally “non-routable” protocols to become usable acrosswidely dispersed locations. For example, Microsoft’s legacy NetBEUI protocolcan be carried inside such a tunnel, and thus a remote user is able to act aspart of the remote LAN or two small LANS, in two very different locations,would actually be able to “see” each other, and work together, over many hopsof routers, and still function, with a protocol that normally would not routeacross the Internet, although there are many consequences in trying to stretchsuch a protocol beyond it’s intended use. Tunneling in and of itself is notsufficient security. For example, let’s use IP as the carrier public protocol,carrying IPX inside as the private protocol.
Anyone sniffing the “public”network’s packets could easily extract the clear text information of the IPXpackets carried within the IP packets. This means that sufficient encryption ofthe carried IPX packets is necessary to protect their data. These twotechnologies suffice to provide a basic VPN, but will be weak if a third partis missing or lax (as we will show in various examples throughout thisdocument). This third part would be anything related to authentication, trafficcontrol, and related technologies.
If there aren’t sufficient authenticationtechnologies in place then it is quite simple for an intruder to interceptvarious VPN connections and “hijack” them with many “man/monkey in the middleattacks” and easily capture all data going back and forth between the VPNnodes, and eventually be able to compromise data, and potentially all networksand their resources, connected by the VPN. This document is based on researchand lab testing performed from March 1st through June 30th, 2002. The setup ofthe lab will also be briefly detailed to assist others who may wish to go intogreater depth with this testing, and to help clarify under what circumstancesthe lab information was gathered. 2.
0 Literature review: A Recentreport 4 suggested that VPNs are not as secure as they claim to be. VPNservices claim that they provide privacy and anonymity. They studied these claimsin various VPN services. They analyzed a few of the most popular VPNs. Theydecided to investigate the internals and the infrastructures. They tested the VPNs using two kinds of attacks: passive monitoring, and DNS hijacking. Passive monitoring is whena user’s unencrypted information is collected by a third party, and DNShijacking is when the user’s browser is being redirected to a controlled Webserver which pretends to be a popular site like Twitter5.
What theirexperiment revealed is very agitating, that most of the VPN services sufferfrom IPv6 traf?c leakage and most of the VPN services leaked information andnot only the information of the websites but also the user’s. They went on tostudy various mobile platforms which use VPNs and found that these platformsare much secure when an iOS is being used, however, were vulnerable when anAndroid platform is being used. Theyalso talked about more sophisticated DNS hijacking attacks that allow all traf?cto be transparently captured. Tomake things worse, most of the VPNs that were part of the experiment usedPoint-to-Point Tunneling Protocol with MS-CHAPv2 authentications, whichaccording to TechReport, makes them vulnerable to brute force hacks 6.
Akamai argued that VPNs cannot be a wise Security Solution and that it canbe a drawback for remote access for third party. If you have an institutionthat requires interacting with third parties in a regular basis who need remoteaccess to enterprise applications hosted in your hybrid cloud, a VPN is no waya good solution because, why would you hand over the access of the wholenetwork to a third party when that party only needs access to a specificapplication only. Usually, a third party needs access just to a specificprogram for a specific amount of time.
It will take a lot of time to configureand deploy different subnets for other parties and on top of that monitoringusers, adding users, they are all time consuming. So clearly this is a drawback.VPN services are considered to be a way of transfer privatedata. They are well known across the world. However, recently7 the SOXmandates have urged organizations to install end-to-end VPN security, which canonly mean one thing that the VPN is no longer enough by itself. Moreover, VPNsystems cannot be managed easily and maintaining the security of the clients isalso a complicated process. It will require keeping the clients up to date. Another research 8revealed that 90% SSL VPNs use age-old encryption method and eventually it willput corporate data at risk.
An Internet research publicly-accessible SSL VPNservers was conducted by HTB (High Tech Bridge). From of four million randomly selected IPv4addresses including popular suppliers such as Cisco, 10,436 randomly selectedpublicly available SSL VPN servers were scanned which revealed the followingproblems 8:1. Quite a few VPN services haveSSLv2 and approximately 77% of SSL VPN services use SSLv3 protocol which isbeing considered obsolete now. Both these protocols have various vulnerabilitiesand both are unsafe. 2. About 76 per cent of SSL VPNSuse an untrusted SSL certificate, which might result in a man-in-the-middle attacks.
3. A similar 74 per cent ofcertificates have an insecure SHA-1 signature, while five per cent make use ofeven older MD5 technology. By 1 January 2017, the majority of web browsers planto deprecate and stop accepting SHA-1 signed certificates, since the ageingtechnology is no strong enough to withstand potential attacks.
4. Around 41 per cent of SSLVPNs use insecure 1024-bit keys for their RSA certificates. RSA certificate isused for authentication and encryption key exchange. RSA key lengths below 2048are considered insecure because they open the door to attacks, some based onadvances in code breaking and crypto-analysis.
5. 1% of SSL VPNs that use OpenSSL are vulnerable toHeartbleed. This vulnerability was found in 2014. Heartbleed affected all products that use OpenSSL.It allowed hackers to retrieve personal data like encryption keys 6.
97% of examined SSL VPNs are not fulfilling the PCI DSSrequirements, and all of them were not in compliant with NIST guidelines. 3.0VPN categories: VPNs can be categorized asfollows: 1. A firewall-based VPN is onethat is equipped with both firewall and VPN capabilities. This type of VPNmakes use of the security mechanisms in firewalls to restrict access to aninternal network. The features it provides include address translation, userauthentication, real time alarms and extensive logging. 2.
A hardware-based VPN offershigh network throughput, better performance and more reliability, since thereis no processor overhead. However, it is also more expensive. 3. A software-based VPN providesthe most flexibility in how traffic is managed. This type is suitable when VPNendpoints are not controlled by the same party, and where different firewallsand routers are used.
It can be used with hardware encryption accelerators toenhance performance. 4. An SSL VPN3 allows users toconnect to VPN devices using a web browser. The SSL (Secure Sockets Layer)protocol or TLS (Transport Layer Security) protocol is used to encrypt trafficbetween the web browser and the SSL VPN device. One advantage of using SSL VPNsis ease of use, because all standard web browsers support the SSL protocol,therefore users do not need to do any software installation or configuration.3.
1.0VPN Tunneling:Thereare two types of tunneling that are being commonly used-1.Voluntary and 2.Compulsory. Involuntary tunneling, the VPN client manages connection setup. The client firstmakes a connection to the carrier network provider (an ISP in the case ofInternet VPNs).
Then, the VPN client application creates the tunnel to a VPNserver over this live connection.Incompulsory tunneling, the carrier network provider manages VPN connectionsetup. When the client first makes an ordinary connection to the carrier, thecarrier in turn immediately brokers a VPN connection between that client and aVPN server. From the client point of view, VPN connections are set up in justone step compared to the two-step procedure required for voluntary tunnels.CompulsoryVPN tunneling authenticates clients and associates them with specific VPNservers using logic built into the broker device. This network device issometimes called the VPN Front End Processor (FEP), Network Access Server (NAS)or Point of Presence Server (POS) 9.
3.2.0Tunneling Protocols:Severalcomputer network protocols have been implemented specifically for use with VPNtunnels.
There are a few tunneling protocols but the three most popular VPNtunneling protocols listed below 9 continue to compete with each other foracceptance in the industry. These protocols are generally incompatible witheach other.3.2.1Point-to-Point Tunneling Protocol (PPTP)Severalcorporations worked together to create the PPTP specification. People generallyassociate PPTP with Microsoft because nearly all flavors of Windows include built-inclient support for this protocol.
The initial releases of PPTP for Windows byMicrosoft contained security features that some experts claimed were too weakfor serious use. Microsoft continues to improve its PPTP support, though.3.
2.2Layer Two Tunneling Protocol (L2TP)Theoriginal competitor to PPTP for VPN tunneling was L2F, a protocol implementedprimarily in Cisco products. In an attempt to improve on L2F, the best featuresof it and PPTP were combined to create a new standard called L2TP. Like PPTP,L2TP exists at the data link layer (Layer Two) in the OSI model — thus theorigin of its name.3.
2.3Internet Protocol Security (IPsec)IPsecis actually a collection of multiple related protocols. It can be used as acomplete VPN protocol solution or simply as the encryption scheme within L2TPor PPTP. 3.3.
0 Security concerns OF VPN:Tunneling in and of itself is not sufficient security. For example,let’s use IP as the carrier public protocol, carrying IPX inside as the privateprotocol. Anyone sniffing the “public” network’s packets could easily extractthe clear text information of the IPX packets carried within the IP packets.
This means that sufficient encryption of the carried IPX packets is necessaryto protect their data. These two technologies suffice to provide a basic VPN,but will be weak if a third part is missing or lax (as we will show in variousexamples throughout this document). This third part would be anything relatedto authentication, traffic control, and related technologies.
If there aren’tsufficient authentication technologies in place then it is quite simple for anintruder to intercept various VPN connections and “hijack” them with many”man/monkey in the middle attacks” and easily capture all data going back andforth between the VPN nodes, and eventually be able to compromise data, andpotentially all networks and their resources, connected by the VPN. Thisdocument is based on research and lab testing performed from March 1st throughJune 30th, 2002. The setup of the lab will also be briefly detailed to assistothers who may wish to go into greater depth with this testing, and to helpclarify under what circumstances the lab information was gathered 3.Followings are the potential risks of VPN 10-3.3.1 Hacking Attack: A clientmachine may become a target of attack, or a staging point for an attack, fromwithin the connecting network. An intruder could exploit bugs ormis-configuration in a client machine, or use other types of hacking tools tolaunch an attack. These can include VPN hijacking or man-in-the-middle attacks:1.
VPN hijacking is the unauthorized take-over of an established VPN connectionfrom a remote client, and impersonating that client on the connecting network.2. Man-in-the-middle attacks affect traffic being sent between communicatingparties, and can include interception, insertion, deletion, and modification ofmessages, reflecting messages back at the sender, replaying old messages andredirecting messages. USER AUTHENTICATION By default VPN does not provide /enforce strong user authentication. A VPN connection should only be establishedby an authenticated user. If the authentication is not strong enough torestrict unauthorized access, an unauthorized party could access the connectednetwork and its resources.
Most VPN implementations provide limitedauthentication methods. For example, PAP, used in PPTP, transports both username and password in clear text. A third party could capture this informationand use it to gain subsequent access to the network.3.3.
2 CLIENT SIDE RISKS TheVPN client machines of, say, home users may be connected to the Internet via astandard broadband connection while at the same time holding a VPN connectionto a private network, using split tunneling. This may pose a risk to theprivate network being connected to. A client machine may also be shared withother parties who are not fully aware of the security implications. Inaddition, a laptop used by a mobile user may be connected to the Internet, awireless LAN at a hotel, airport or on other foreign networks. However, thesecurity protection in most of these public connection points is inadequate forVPN access.
If the VPN client machine is compromised, either before or duringthe connection, this poses a risk to the connecting network.3.3.3 INCORRECT NETWORK ACCESS: Granting more access rights than needed toclients or networks3.3.4 MALWARE INFECTIONS: If anyclient is malware infected, the connecting network might get compromised aswell unless it’s protected with an effective anti-virus system. 3.3.
5 INTEROPERABILITY: IPsec compliant software from twodifferent vendors may not always be able to work together, so, Interoperabilityis also a concern 4.0 Conclusion: As we find ourselves relying more andmore on cloud services and multiple devices all connected to the Internet, itis vital that we stay informed and take steps to ensure our privacy online. VPNservices claim to offer a private, secure network. There are a few VPNtechnologies amongst which IPsec and SSL VPN are most popular. However, thereare a lot of vulnerabilities that needs to be addressed. A report suggestedthat NSA had the ability to remotely extract confidential keys from Cisco VPNsfor over a decade, Mustafa Al-Bassam, a security researcher at paymentsprocessing firm Secure Trading, told Ars. “This explains how they wereable to decrypt thousands of VPN connections per minute as shown in documentspreviously published by Der Spiegel.” So, careful consideration must begiven to the risk involved.
Security features such as support for strongauthentication, support for anti-virus software, and intrusion detection, industry-provenstrong encryption algorithms and so on are need to considered if we decide togo for a VPN product. 5.0 Future work: Thefollowing can be implemented when deploying a VPN for more secure and privateconnection: 1. Installing an Intrusion Detection system.2. Using firewall.
3. Installing anti-virus software on both clients and servers in thecase if either end is infected with virus.4. VPN connections should have secured and managed authenticationsystem.5.
Network connections should be recorded.6. The log should be reviewed regularly. 7. Network administrators and supporting staff should be trained so thatthey can implement VPNs in a proper way8. TO protect the internal network, VPN entry point should be placed ina Demilitarized Zone (DMZ) 9.
During a VPN connection, split tunneling should be avoided whenaccessing the Internet or any other network that is not secure simultaneously 6.0 References:3.1. J. Crace.”VPN Security: What You Need to Know.” Cloudwards, 25 Sept, 2017.
Online.Available: www.cloudwards.net/vpn-security-what-you-need-to-know/.4.2. F. O’Sullivan.
“Beginners Guide: What Is a VPN?” 3Dec, 2017. Online.Available: www.
cloudwards.net/what-is-a-vpn/.7.3.
H. Robinson.”Microsoft PPTP VPN Vulnerabilities Exploits in Action.” August 22nd 2002.1.4. G.
Tyson. “A Glance through the VPNLooking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients”.17-Feb.-2015.2.5. K. Noyes.
“Beware, VPN users: You may not be as safe as you think youare.” 1 July, 2015. Online. Available: https://www.pcworld.com/article/2943472/vpn-users-beware-you-may-not-be-as-safe-as-you-think-you-are.html.10.
6. J. Martindale, “Manybig VPNs have glaring security problems.” July1, 2015. Online. Available: https://www.digitaltrends.
com/computing/commercial-vpn-huge-security-flaws/. 5.7.
R. Harrell. “VPN security: Where are thevulnerabilities?” October, 2005.Online. Available: http://searchenterprisewan.techtarget.com/tip/VPN-security-Where-are-the-vulnerabilities. 6.
8 J. Leyden. “90% of SSL VPNs are’hopelessly insecure’, say researchers.” 26 February, 2016. Online.Available: https://www.theregister.co.
uk/2016/02/26/ssl_vpns_survey/. 9.7.
B. Mitchell. “VPN Tunnels Tutorial”.
July 21, 2017. Online.Available:https://www.lifewire.com/vpn-tunneling-explained-818174.
10. TheGovernment of the Hong Kong Special Administrative Region, VPN SECURITY. February,2008. 11. D. Goodin. “How the NSA snooped on encrypted Internet traffic for adecade.
” August 20, 2016. Online. Available: https://arstechnica.com/information-technology/2016/08/cisco-firewall-exploit-shows-how-nsa-decrypted-vpn-traffic/.
Australian Bureau of Statistics, Engineering Construction Activity (cat.no. 8762.0). Canberra: ABS, 2010. Online.
Available from AusStats, http://www.abs.gov.au/ausstats. Accessed: Sept. 7, 2010.