CBSN4103 Answer


Page 1: CBSN4103 Answer

1.0 The Introduction to Virtual Private Network (VPN)

According to Lewis, Mark (2006), a virtual private network (VPN) can be described as a private network, together with the resources in that network, extended across public networks such as the Internet. Implementing a VPN allows a host computer to send and receive data across shared or public networks. It can emulate the properties of the private network, such as file shares, server access and printers, by establishing and maintaining the security and management policies of the organization's private network. A VPN is built by establishing a point-to-point connection, using either a dedicated connection, encryption, or a combination of both methods.

According to R. Morris and K. Thompson (1979), VPN systems can be classified according to:

- The protocols used to tunnel the traffic
- The tunnel's termination point
- Whether they offer site-to-site or remote-access connectivity
- The levels of security provided
- The OSI layer they present to the connected network

Diagram 1.0: An example of an Internet Virtual Private Network (VPN)


2.0 Evaluation of the Encryption Methods and Security Issues

According to H. Krawczyk, M. Bellare and R. Canetti (1997), encryption is an important method to use in a virtual private network (VPN). It ensures that the VPN is secure and limits user access, so that the data is protected and can only be accessed by an authenticated person. A VPN uses a cryptosystem to scramble the data into ciphertext, which is then decrypted back into readable text by the recipient. Two types of cryptosystem are used in VPNs, namely symmetric and asymmetric. Overall, symmetric cryptography is much faster to deploy and use in a VPN. It is commonly used to exchange large packets of data between two parties who know each other and use the same private key to access the data. The asymmetric systems used to encrypt data sent between the VPN server and client are far more complex, because users require a pair of mathematically related keys, one public and one private, in order to decrypt. This method is often used for smaller, more sensitive packets of data, or during the authentication process in the VPN.

D. Harkins and D. Carrel (1998) explained that the longer the encryption key, the stronger the encryption is. This is because the key's bit length determines the amount of effort required to crack the system using a "brute force" attack, where computers are combined to calculate all possible key permutations. Users are therefore advised to use longer encryption keys so that the data transmitted between the VPN server and clients is safe.

However, VPN data encryption does not provide end-to-end data encryption. According to R. Pereira and S. Beaulieu (1999), end-to-end encryption is encryption of the data between the client application and the server hosting the resources or services accessed by that client application.
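Encryption on its own only hides the data; it does not tell the receiver whether a packet was altered or forged in transit, which is why VPN protocols pair it with the RFC 2104 HMAC construction that this section cites. The following Python example is added here for illustration and is not part of the original assignment: it builds a constructed toy tunnel packet (a sequence number, a payload and an HMAC-SHA256 tag, not any real VPN protocol's format) and shows the receiver rejecting a tampered packet, a replayed packet and a packet tagged under the wrong key.

```python
import hmac
import hashlib
import secrets
import struct

# Constructed toy packet format for this example:
#   seq (4 bytes, big-endian) || payload || HMAC-SHA256(key, seq || payload)
# The shared symmetric key plays the role of the VPN session key.
TAG_LEN = 32  # full HMAC-SHA256 output


def make_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: append a keyed tag over the sequence number and payload."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_packet(key: bytes, packet: bytes, last_seq: int):
    """Receiver side: return (seq, payload) if the tag is valid and the
    sequence number is fresh, otherwise None."""
    if len(packet) < 4 + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # compare_digest runs in constant time, so the comparison does not leak
    # how many leading tag bytes matched
    if not hmac.compare_digest(tag, expected):
        return None
    seq = struct.unpack(">I", body[:4])[0]
    if seq <= last_seq:
        return None  # replayed or out-of-order packet
    return seq, body[4:]


def demo():
    """Constructed scenario: one genuine packet, then three bad deliveries."""
    key = secrets.token_bytes(32)
    pkt = make_packet(key, 1, b"GET /payroll HTTP/1.1")
    accepted = verify_packet(key, pkt, last_seq=0)
    # flip one bit of the payload, as a man-in-the-middle might
    tampered = bytearray(pkt)
    tampered[6] ^= 0x01
    rejected_tamper = verify_packet(key, bytes(tampered), last_seq=0)
    # deliver the same genuine packet a second time
    rejected_replay = verify_packet(key, pkt, last_seq=1)
    # receiver holding a different key (e.g. a wrong peer)
    rejected_key = verify_packet(secrets.token_bytes(32), pkt, last_seq=0)
    return (accepted is not None, rejected_tamper is None,
            rejected_replay is None, rejected_key is None)


if __name__ == "__main__":
    print(demo())  # (True, True, True, True)
```

Real protocols such as IPSec ESP use the same idea (a per-session key, a sequence number for anti-replay, and a truncated HMAC tag) but with encryption applied to the payload as well; the point here is that the tag, not the cipher, is what detects modification.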


On the other hand, D. Harkins and D. Carrel (1998) explained that many secure VPN protocols are used to transfer data from the VPN server to the clients. Among the VPN protocols in use are:

- IPSec (Internet Protocol Security)
- Transport Layer Security (SSL)
- Datagram Transport Layer Security
- Microsoft Point-to-Point Encryption
- Secure Socket Tunneling Protocol
- MPVPN
- Secure Shell

However, many security-related issues still occur in VPNs. Each of these security issues is discussed below, with relevant examples provided to support the discussion.

(A) Many Authentication Methods are too Weak to Provide Adequate Security for Most Organizations

As explained by H. Krawczyk, M. Bellare and R. Canetti (1997), the first security issue in VPNs is that the authentication methods used are too weak and are easily broken by an unauthorized person. Many organizations use authentication methods that expose their network to a variety of security attacks. The most secure method of authentication is Extensible Authentication Protocol-Transport Level Security (EAP-TLS) when used in conjunction with smart cards. However, EAP-TLS and smart cards require a public key infrastructure (PKI), which can be complicated to deploy. Therefore, weak authentication becomes a serious threat to VPN users in the office.

(B) Remote Access Account Lockout can Deny Network Access to Authorized Users

According to R. Morris and K. Thompson (1979), authorized users might be blocked from accessing the network: if a malicious user attempts a dictionary attack with the logon name of an authorized user, both the malicious user and the authorized user are locked out of the account until the account lockout threshold is reached. This is very inconvenient for authorized users, especially when they wish to access the VPN to get data or resources. It is therefore a security-related issue in VPNs.
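The lockout problem described above is a policy design issue: a counter keyed only by account name lets anyone who knows a username lock its owner out. The following Python simulation is added here as an illustration and is not part of the original assignment. It compares two constructed policies on the same sequence of login attempts: a naive per-account lockout, and a throttle keyed by (account, source address) with exponential back-off, so that guessing from one address slows only that address down. The addresses, account name and time values are made up for the example.

```python
from collections import defaultdict


class AccountLockout:
    """Naive policy: N failures on an account lock that account for everyone,
    regardless of where the failures came from."""

    def __init__(self, threshold=5, lock_seconds=900):
        self.threshold, self.lock_seconds = threshold, lock_seconds
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def attempt(self, user, source, ok, now):
        if self.is_locked(user, now):
            return "locked"
        if ok:
            self.failures[user] = 0
            return "success"
        self.failures[user] += 1
        if self.failures[user] >= self.threshold:
            self.locked_until[user] = now + self.lock_seconds
            self.failures[user] = 0
        return "failure"


class SourceThrottle:
    """Mitigation: exponential back-off keyed by (user, source). Failures from
    the guesser's address delay only that address; the legitimate user at a
    different address is unaffected."""

    def __init__(self, base_seconds=2, max_seconds=3600):
        self.base, self.max = base_seconds, max_seconds
        self.failures = defaultdict(int)
        self.next_allowed = defaultdict(float)

    def attempt(self, user, source, ok, now):
        key = (user, source)
        if now < self.next_allowed[key]:
            return "throttled"
        if ok:
            self.failures[key] = 0
            self.next_allowed[key] = 0.0
            return "success"
        self.failures[key] += 1
        delay = min(self.base * 2 ** (self.failures[key] - 1), self.max)
        self.next_allowed[key] = now + delay
        return "failure"


def simulate(policy):
    """Constructed scenario: a guesser at 203.0.113.7 submits five wrong
    passwords for 'alice' one second apart; alice then logs in with the
    correct password from 198.51.100.5. Returns alice's outcome."""
    for i in range(5):
        policy.attempt("alice", "203.0.113.7", ok=False, now=100 + i)
    return policy.attempt("alice", "198.51.100.5", ok=True, now=110)


if __name__ == "__main__":
    print("per-account lockout:", simulate(AccountLockout()))   # locked
    print("per-source throttle:", simulate(SourceThrottle()))   # success
```

Per-source throttling does not by itself stop guessing spread across many addresses, which is why the stronger answer remains the certificate or smart-card based authentication the text recommends under (A); the throttle removes the easy denial-of-service without weakening the password check.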

(C) Man-in-the-Middle Attacks

The third security issue in VPNs is the man-in-the-middle attack. H. Krawczyk, M. Bellare and R. Canetti (1997) explained that this issue arises when the VPN server uses IKE Aggressive Mode: if it is possible to determine a valid username and password, an ISAKMP SA can be established to the VPN server. Even if the VPN server enforces a second level of authentication, this often relies on the security of that ISAKMP SA. In this case, if an ISAKMP SA can be established, the second level of authentication does not provide complete protection, because it is vulnerable to a man-in-the-middle attack. The data sent via the VPN could therefore be tapped by third parties or unauthorized people. This is an important and critical security issue in VPNs.

3.0 Suggestion about the Appropriate Authentication Mechanism

As discussed in section 2.0, many security flaws and issues occur while data is transferred between the VPN server and clients. Better and more appropriate authentication mechanisms are therefore suggested and discussed in detail in this section, in order to solve these problems in the future. Appropriate examples are given to support the discussion.

As we know, simple encryption methods such as symmetric and asymmetric encryption are far from enough to guarantee the security of a VPN. Thus, additional secure VPN protocols are proposed for transferring data from the VPN server to the clients.

According to H. Krawczyk, M. Bellare and R. Canetti (1997), the strength of VPN security lies in making eavesdropping on and interception of the connection between the server and clients harder. Thus, a few VPN-related security protocols are suggested to improve and enhance the security of communication between the server and clients in the VPN. Among the VPN protocols in use are:

- IPSec (Internet Protocol Security)
  o According to International Engineering Consortium (2001), IPSec is an Internet Protocol security standard developed by the Internet Engineering Task Force (IETF). This standards-based security protocol provides authentication, integrity and confidentiality for data transferred in the VPN. It encrypts and encapsulates an IP packet inside an IPSec packet; de-encapsulation then takes place at the end of the tunnel, where the original IP packet is decrypted and forwarded to its destination. Thus, data transferred in the VPN is more secure.

- Transport Layer Security (SSL)
  o It is the tunnel through which the entire VPN sends and receives data between the VPN server and clients. R. Morris and K. Thompson (1979) explained that with SSL, the VPN can connect from locations where IPSec runs into trouble with Network Address Translation and firewall rules. SSL/TLS provides a number of cryptographic features, including confidentiality, integrity and digital signatures. Once SSL is used in the VPN, the SSL VPN gateway can authenticate itself to the web user using an SSL server certificate signed by a trusted Certification Authority (CA). This CA is very important for verifying that users are talking to a trusted server via their browser. In practice, certain SSL VPNs use a self-signed digital certificate that is not normally trusted by most web browsers. Users then need to add the SSL VPN's self-signed certificate to their own list of trusted certificates before the browser can be used.
- Datagram Transport Layer Security
  o Normally, Datagram Transport Layer Security is used in the Cisco AnyConnect VPN to solve the issues that Secure Socket Layer (SSL) has with tunnelling over the User Datagram Protocol (UDP).

- Microsoft Point-to-Point Encryption
  o H. Krawczyk, M. Bellare and R. Canetti (1997) explained that this mechanism works with the Point-to-Point Tunneling Protocol and in several compatible implementations on other platforms. It is an OSI layer two protocol built on top of the Point-to-Point Protocol. The authentication mechanisms used in a PPP connection are supported in a PPTP-based VPN connection; EAP (Extensible Authentication Protocol), MS-CHAP (Microsoft Challenge-Handshake Authentication Protocol), CHAP, SPAP (Shiva Password Authentication Protocol) and PAP (Password Authentication Protocol) are used.
- Microsoft's Secure Socket Tunneling Protocol
  o This security mechanism works in Windows Vista Service Pack 1, where SSTP tunnels Point-to-Point Protocol (PPP) or Layer 2 Tunneling Protocol traffic through an SSL 3.0 channel that can be implemented in the VPN.
- Secure Shell VPN
  o OpenSSH provides VPN tunneling to secure remote connections to the network or inter-network links. In this method, OpenSSH provides a limited number of concurrent tunnels, and it lets the VPN be configured so that personal authentication is not supported.

Apart from that, SOCKS5 is another new security mechanism that can be implemented in a VPN to improve security while data is transmitted between the VPN server and clients. H. Krawczyk, M. Bellare and R. Canetti (1997) explained that SOCKS5 is a circuit-level proxy protocol that was initially designed to facilitate authenticated firewall traversal. SOCKS 5 offers a secure proxy architecture with extremely granular access control, making it an excellent choice for extranet configurations. SOCKS v5 is able to support a broad range of authentication, encryption, tunnelling and key management schemes. At the same time, SOCKS v5 can also provide some security features that are impossible with IPSec, PPTP or other VPN technologies. Firstly, SOCKS v5 offers an extensible architecture that allows developers to build system plug-ins, such as content filtering (for example, denying access to Java applets or ActiveX controls) and extensive logging and auditing of users. Therefore, SOCKS 5 is able to offer the VPN more complete and intensive security features compared to any other technology in the market, such as IPSec, PPTP or other VPN technologies.

On the other hand, R. Morris and K. Thompson (1979) explained that VPN users can integrate both IPSec and SOCKS so that the overall security features and mechanisms of the VPN become even stronger than before. In such a configuration, IPSec could be used to secure the underlying network transport, while SOCKS could be used to enforce user-level and application-level access control. Therefore, the security level of the VPN will be improved in the future.

4.0 Conclusion

In conclusion, a Virtual Private Network (VPN) is a useful network that allows a host computer to send and receive data across shared or public networks. It can emulate the properties of the private network, such as file shares, server access and printers, by establishing and maintaining the security and management policies of the organization's private network. However, there are many security flaws and issues because of which the VPN is not trusted by users, since it can easily allow interception or eavesdropping while data is sent and received between the server and clients in the VPN. Thus, a few new security mechanisms have been proposed to improve and enhance the security features of the VPN. Among the suggested security mechanisms are implementing VPN protocols such as IPSec (Internet Protocol Security), Transport Layer Security (SSL/TLS), Datagram Transport Layer Security, Point-to-Point Encryption Protocol, Secure Socket Tunneling Protocol and Secure Shell VPN. Besides that, SOCKS version 5 is another ideal security mechanism that can be used to improve the security levels in the VPN.

5.0 Reference


D. Harkins and D. Carrel. (1998). RFC 2409, "The Internet Key Exchange (IKE)".

International Engineering Consortium. (2001). Digital Subscriber Line 2001. Intl. Engineering Consortium, 2001, p. 40.

Lewis, Mark. (2006). Comparing, Designing, and Deploying VPNs. Cisco Press, p. 5.

R. Hills. (2003). "NTA Monitor UDP Backoff Pattern Fingerprinting White Paper", http://www.nta-monitor.com/ike-scan/whitepaper.pdf

R. Morris and K. Thompson. (1979). "Password Security: A Case History", Communications of the ACM, Vol. 22, No. 11, November 1979, pp. 594-597.

H. Krawczyk, M. Bellare and R. Canetti. (1997). RFC 2104, "HMAC: Keyed-Hashing for Message Authentication".

R. Pereira and S. Beaulieu. (1999). "Extended Authentication within ISAKMP/Oakley (XAUTH)".

R. Hill. (2002). "SecuRemote usernames can be guessed or sniffed using IKE exchange", Bugtraq Mailing List.