Abstract: Virtual Private Network (VPN) usage has grown in the last couple of years due to the increasing need for more private, secure and anonymous connections. VPN providers claim to meet the needs of anonymity, privacy and security, but the question is how well they are living up to their claims. Since VPN services claim to provide secure user access and are less expensive than a dedicated leased line, they have become more attractive to enterprises. However, there are still a lot of concerns regarding VPNs. VPN services are not as secure as they claim to be. They can be unreliable for end users. So, this paper introduces VPN and how it works, describes different types of VPN protocols such as Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and OpenVPN, tries to address various security issues of VPN services, analyzes their claims of privacy and security, discusses how VPN services suffer from IPv6 leakage and finally explores possible solutions and alternatives for these vulnerabilities.

1.0 Introduction:
In brief, a Virtual Private Network (VPN) is a secured, encrypted connection between a user and a service provider designed to keep communications private. The encryption provides data confidentiality. A VPN uses the tunneling mechanism to encapsulate encrypted data into a secure tunnel.
VPN tunneling requires establishing a network connection and maintaining that connection. There are various types of tunneling protocols, which will be discussed later. VPN also claims to provide data integrity. When we browse the Internet, our computer sends a request for a specific page; that request goes to our ISP’s server, the ISP translates the requested domain name into an IP (Internet Protocol) address, requests the page on our behalf and finally sends the results back to our computer. What a VPN does is replace our IP address with that of the VPN [1].
However, a VPN does more than that; otherwise it wouldn’t be any different from a proxy server, which is very insecure because whatever is sent using a proxy, a hacker can just read it if he or she wants. The reason is that a proxy doesn’t use any encryption. This is what makes a VPN different from a proxy server. It builds a supposedly secure tunnel between our computer and the VPN server. All our traffic is routed through this tunnel and no one can check what’s going on there because it is protected by one or several layers of encryption, which means that the VPN service itself cannot know what we are up to, since they are supposed to have a “no logs” policy in place.
Most decent services will not keep your logs (except maybe for some basic information, known as metadata), though sorrowfully enough there are plenty of unscrupulous services out there, too [2].
Robinson (2002) explained [3] how VPNs provide a means for organizations and individuals to connect their various resources over the Internet (a very public network) without making the resources available to the public, instead only making them available to those that are part of the VPN. VPNs provide a means for such users to have resources scattered all over the world, and still be connected as though they were all in the same building on the same network together, with all the ease of use and benefits of being interconnected in such a manner. Normally, without a VPN, if such a private connection was desired, the company would have to expend considerable resources in finances, time, training, personnel, hardware and software to set up dedicated communication lines. These dedicated connections could be a variety of technologies such as 56k leased lines, dedicated ISDN, dedicated private T1/T3 and so on, satellite, microwave and other wireless technologies. Setting up an organization’s private network over these dedicated connections tends to be very expensive. With a VPN, the company can use its existing Internet connections and infrastructure (routers, servers, software, etc.) and basically “tunnel” or “piggyback” its private network inside the public network traffic, and realize considerable savings in resources and costs compared to dedicated connections.
A VPN solution is also able to provide more flexible options to remote workers: instead of only dial-up speeds and choices, they can connect from anywhere in the world for just the cost of their Internet connection, at whatever speed their ISP services may provide. There have been many VPN technologies developed in recent years, and many more are on the way. They vary widely from simple to very difficult to set up and administer, from free to very expensive, from light security to much heavier protection, from software based to dedicated hardware solutions, and even some managed services providers (for example www.devtodev.com or www.iss.net) are now entering the market to increase the VPN choices available. Most VPNs operate using various forms of “tunneling” combined with many choices for encryption and authentication. In this document “tunneling” is over IP based networks, though other technologies exist as well (such as ATM based). This document will focus on technologies that deliver VPN solutions over IP based networks, and refer to them generically as “public” or “Internet” based networks, and only delve into the specific “carrier” protocol when appropriate (IPX, ATM, and other protocols are also used, but as IP has become quite dominant, many are now focused on IP). This document will only cover IPv4, not IPv6. Use of MS PPTP over 802.11b wireless technologies will also be briefly covered.
The data of the “private network” is carried or “tunneled” inside the public network packet. This also allows other protocols, even normally “non-routable” protocols, to become usable across widely dispersed locations. For example, Microsoft’s legacy NetBEUI protocol can be carried inside such a tunnel, and thus a remote user is able to act as part of the remote LAN, or two small LANs in two very different locations would actually be able to “see” each other and work together over many hops of routers, and still function, with a protocol that normally would not route across the Internet, although there are many consequences in trying to stretch such a protocol beyond its intended use.
Tunneling in and of itself is not sufficient security. For example, let’s use IP as the carrier public protocol, carrying IPX inside as the private protocol. Anyone sniffing the “public” network’s packets could easily extract the clear text information of the IPX packets carried within the IP packets. This means that sufficient encryption of the carried IPX packets is necessary to protect their data. These two technologies suffice to provide a basic VPN, but will be weak if a third part is missing or lax (as we will show in various examples throughout this document). This third part would be anything related to authentication, traffic control, and related technologies. If there aren’t sufficient authentication technologies in place, then it is quite simple for an intruder to intercept various VPN connections and “hijack” them with many “man/monkey in the middle attacks” and easily capture all data going back and forth between the VPN nodes, and eventually be able to compromise data, and potentially all networks and their resources, connected by the VPN.
This document is based on research and lab testing performed from March 1st through June 30th, 2002. The setup of the lab will also be briefly detailed to assist others who may wish to go into greater depth with this testing, and to help clarify under what circumstances the lab information was gathered.

2.0 Literature review:
A recent report [4] suggested that VPNs are not as secure as they claim to be. VPN services claim that they provide privacy and anonymity.
They studied these claims in various VPN services. They analyzed a few of the most popular VPNs. They decided to investigate the internals and the infrastructures. They tested the VPNs using two kinds of attacks: passive monitoring and DNS hijacking. Passive monitoring is when a user’s unencrypted information is collected by a third party, and DNS hijacking is when the user’s browser is redirected to a controlled Web server which pretends to be a popular site like Twitter [5]. What their experiment revealed is very worrying: most of the VPN services suffer from IPv6 traffic leakage, and most of the VPN services leaked information, not only about the websites but also about the user. They went on to study various mobile platforms which use VPNs and found that these platforms are much more secure when iOS is used but are vulnerable when Android is used. They also talked about more sophisticated DNS hijacking attacks that allow all traffic to be transparently captured. To make things worse, most of the VPNs that were part of the experiment used Point-to-Point Tunneling Protocol with MS-CHAPv2 authentication, which, according to TechReport, makes them vulnerable to brute force hacks [6].
Akamai argued that VPNs cannot be a wise security solution and that they can be a drawback for third-party remote access. If you have an institution that needs to interact on a regular basis with third parties who need remote access to enterprise applications hosted in your hybrid cloud, a VPN is in no way a good solution, because why would you hand over access to the whole network to a third party when that party only needs access to a specific application? Usually, a third party needs access just to a specific program for a specific amount of time. It will take a lot of time to configure and deploy different subnets for other parties, and on top of that, monitoring users and adding users are both time consuming. So clearly this is a drawback.
VPN services are considered to be a way to transfer private data.
They are well known across the world. However, recently [7] the SOX mandates have urged organizations to install end-to-end VPN security, which can only mean one thing: the VPN is no longer enough by itself. Moreover, VPN systems cannot be managed easily, and maintaining the security of the clients is also a complicated process. It will require keeping the clients up to date.
Another research study [8] revealed that 90% of SSL VPNs use age-old encryption methods, which will eventually put corporate data at risk. An Internet research study of publicly accessible SSL VPN servers was conducted by HTB (High Tech Bridge). From four million randomly selected IPv4 addresses, including popular suppliers such as Cisco, 10,436 randomly selected publicly available SSL VPN servers were scanned, which revealed the following problems [8]:
1. Quite a few VPN services have SSLv2, and approximately 77% of SSL VPN services use the SSLv3 protocol, which is now considered obsolete. Both these protocols have various vulnerabilities and both are unsafe.
2. About 76 per cent of SSL VPNs use an untrusted SSL certificate, which might result in man-in-the-middle attacks.
3. A similar 74 per cent of certificates have an insecure SHA-1 signature, while five per cent make use of even older MD5 technology. By 1 January 2017, the majority of web browsers plan to deprecate and stop accepting SHA-1 signed certificates, since the ageing technology is not strong enough to withstand potential attacks.
4. Around 41 per cent of SSL VPNs use insecure 1024-bit keys for their RSA certificates. The RSA certificate is used for authentication and encryption key exchange. RSA key lengths below 2048 are considered insecure because they open the door to attacks, some based on advances in code breaking and cryptanalysis.
5. 1% of SSL VPNs that use OpenSSL are vulnerable to Heartbleed. This vulnerability was found in 2014. Heartbleed affected all products that use OpenSSL. It allowed hackers to retrieve personal data like encryption keys.
6. 97% of examined SSL VPNs do not fulfil the PCI DSS requirements, and none of them were compliant with NIST guidelines.

3.0 VPN categories:
VPNs can be categorized as follows:
1. A firewall-based VPN is one that is equipped with both firewall and VPN capabilities. This type of VPN makes use of the security mechanisms in firewalls to restrict access to an internal network. The features it provides include address translation, user authentication, real time alarms and extensive logging.
2. A hardware-based VPN offers high network throughput, better performance and more reliability, since there is no processor overhead. However, it is also more expensive.
3. A software-based VPN provides the most flexibility in how traffic is managed. This type is suitable when VPN endpoints are not controlled by the same party, and where different firewalls and routers are used. It can be used with hardware encryption accelerators to enhance performance.
4. An SSL VPN [3] allows users to connect to VPN devices using a web browser. The SSL (Secure Sockets Layer) protocol or TLS (Transport Layer Security) protocol is used to encrypt traffic between the web browser and the SSL VPN device. One advantage of using SSL VPNs is ease of use: because all standard web browsers support the SSL protocol, users do not need to do any software installation or configuration.
3.1.0 VPN Tunneling:
There are two types of tunneling in common use: 1. voluntary and 2. compulsory. In voluntary tunneling, the VPN client manages connection setup. The client first makes a connection to the carrier network provider (an ISP in the case of Internet VPNs). Then, the VPN client application creates the tunnel to a VPN server over this live connection.
In compulsory tunneling, the carrier network provider manages VPN connection setup. When the client first makes an ordinary connection to the carrier, the carrier in turn immediately brokers a VPN connection between that client and a VPN server. From the client’s point of view, VPN connections are set up in just one step compared to the two-step procedure required for voluntary tunnels. Compulsory VPN tunneling authenticates clients and associates them with specific VPN servers using logic built into the broker device. This network device is sometimes called the VPN Front End Processor (FEP), Network Access Server (NAS) or Point of Presence Server (POS) [9].

3.2.0 Tunneling Protocols:
Several computer network protocols have been implemented specifically for use with VPN tunnels. There are a few tunneling protocols, but the three most popular VPN tunneling protocols listed below [9] continue to compete with each other for acceptance in the industry. These protocols are generally incompatible with each other.

3.2.1 Point-to-Point Tunneling Protocol (PPTP)
Several corporations worked together to create the PPTP specification. People generally associate PPTP with Microsoft because nearly all flavors of Windows include built-in client support for this protocol. The initial releases of PPTP for Windows by Microsoft contained security features that some experts claimed were too weak for serious use.
Microsoft continues to improve its PPTP support, though.

3.2.2 Layer Two Tunneling Protocol (L2TP)
The original competitor to PPTP for VPN tunneling was L2F, a protocol implemented primarily in Cisco products. In an attempt to improve on L2F, the best features of it and PPTP were combined to create a new standard called L2TP. Like PPTP, L2TP exists at the data link layer (Layer Two) in the OSI model, thus the origin of its name.

3.2.3 Internet Protocol Security (IPsec)
IPsec is actually a collection of multiple related protocols. It can be used as a complete VPN protocol solution or simply as the encryption scheme within L2TP or PPTP.

3.3.0 Security concerns of VPN:
Tunneling in and of itself is not sufficient security. For example, let’s use IP as the carrier public protocol, carrying IPX inside as the private protocol. Anyone sniffing the “public” network’s packets could easily extract the clear text information of the IPX packets carried within the IP packets.
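The point above, that a tunnel without encryption hides nothing, shown as an added Python example (not from the original paper or its lab): a constructed IPX packet is carried in IPv4 under protocol number 111, and the same passive observer is run against it with and without encryption. The addresses, payload, key and the `toy_encrypt` keystream are assumptions; the keystream only stands in for a real VPN cipher.

```python
import hashlib
import ipaddress
import struct

IPPROTO_IPX_IN_IP = 111   # IANA protocol number for IPX carried inside IPv4
IPX_HDR_LEN = 30          # checksum, length, control, type, dst and src address

def ipx_packet(data):
    """Inner private packet: IPX header + data (constructed addresses)."""
    dst = struct.pack("!I6sH", 0x10, bytes.fromhex("00a0c9112233"), 0x0451)
    src = struct.pack("!I6sH", 0x20, bytes.fromhex("00a0c9445566"), 0x4003)
    head = struct.pack("!HHBB", 0xFFFF, IPX_HDR_LEN + len(data), 0, 17)
    return head + dst + src + data

def toy_encrypt(buf, key):
    """Stand-in for the VPN cipher: XOR with a SHA-256 counter keystream.
    Illustration only, not a real or recommended construction."""
    stream = b""
    counter = 0
    while len(stream) < len(buf):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(buf, stream))

def tunnel(data, key=None):
    """Outer public IPv4 packet carrying the IPX packet, optionally encrypted."""
    inner = ipx_packet(data)
    if key is not None:
        inner = toy_encrypt(inner, key)
    outer = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64,
        IPPROTO_IPX_IN_IP, 0,  # header checksum left at 0 in this demo
        ipaddress.IPv4Address("198.51.100.7").packed,
        ipaddress.IPv4Address("203.0.113.9").packed)
    return outer + inner

def observe(frame):
    """What a passive observer on the public network recovers from one packet."""
    fields = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    ver_ihl, total_len, proto = fields[0], fields[2], fields[6]
    inner = frame[(ver_ihl & 0x0F) * 4:total_len]
    seen = {"outer_src": str(ipaddress.IPv4Address(fields[8])),
            "outer_dst": str(ipaddress.IPv4Address(fields[9])),
            "ipx_parsed": False, "data": None}
    if proto == IPPROTO_IPX_IN_IP and len(inner) >= IPX_HDR_LEN:
        checksum, ipx_len = struct.unpack("!HH", inner[:4])
        # A valid IPX header has checksum 0xFFFF and a matching length field.
        if checksum == 0xFFFF and ipx_len == len(inner):
            seen["ipx_parsed"] = True
            seen["data"] = inner[IPX_HDR_LEN:]
    return seen

if __name__ == "__main__":
    secret = b"PAYROLL: acct 0042 transfer"   # constructed sample data
    print(observe(tunnel(secret)))
    print(observe(tunnel(secret, key=b"constructed-demo-key")))
```

Even in the encrypted run the outer source and destination addresses stay visible, so encryption protects the carried data but not the fact that the two endpoints are talking.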
This means that sufficient encryption of the carried IPX packets is necessary to protect their data. These two technologies suffice to provide a basic VPN, but will be weak if a third part is missing or lax (as we will show in various examples throughout this document). This third part would be anything related to authentication, traffic control, and related technologies. If there aren’t sufficient authentication technologies in place, then it is quite simple for an intruder to intercept various VPN connections and “hijack” them with many “man/monkey in the middle attacks” and easily capture all data going back and forth between the VPN nodes, and eventually be able to compromise data, and potentially all networks and their resources, connected by the VPN. This document is based on research and lab testing performed from March 1st through June 30th, 2002. The setup of the lab will also be briefly detailed to assist others who may wish to go into greater depth with this testing, and to help clarify under what circumstances the lab information was gathered [3]. The following are the potential risks of VPN [10]:

3.3.1 Hacking Attack:
A client machine may become a target of attack, or a staging point for an attack, from within the connecting network. An intruder could exploit bugs or misconfiguration in a client machine, or use other types of hacking tools to launch an attack. These can include VPN hijacking or man-in-the-middle attacks:
1. VPN hijacking is the unauthorized take-over of an established VPN connection from a remote client, and impersonating that client on the connecting network.
2. Man-in-the-middle attacks affect traffic being sent between communicating parties, and can include interception, insertion, deletion, and modification of messages, reflecting messages back at the sender, replaying old messages and redirecting messages.

USER AUTHENTICATION:
By default VPN does not provide / enforce strong user authentication. A VPN connection should only be established by an authenticated user. If the authentication is not strong enough to restrict unauthorized access, an unauthorized party could access the connected network and its resources. Most VPN implementations provide limited authentication methods. For example, PAP, used in PPTP, transports both user name and password in clear text.
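A defender-side check for the PAP weakness just described, as an added Python example that is not part of the original paper: it classifies PPP authentication frames and flags every PAP Authenticate-Request, because its user name and password sit readable on the wire, while a CHAP response carries only a hash value. The frames, user names and passwords are constructed samples, and the function names are hypothetical.

```python
import struct

PPP_LCP, PPP_PAP, PPP_CHAP = 0xC021, 0xC023, 0xC223   # PPP protocol numbers

def pap_request(ident, peer_id, password):
    """PAP Authenticate-Request (code 1): both fields travel as plain bytes."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!HBBH", PPP_PAP, 1, ident, 4 + len(body)) + body

def chap_response(ident, value, name):
    """CHAP Response (code 2): carries a hash value, never the password."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!HBBH", PPP_CHAP, 2, ident, 4 + len(body)) + body

def audit_frame(frame):
    """Classify one PPP frame (protocol field + packet); None if not relevant."""
    if len(frame) < 6:
        return None
    proto, code, ident, length = struct.unpack("!HBBH", frame[:6])
    if proto not in (PPP_PAP, PPP_CHAP):
        return None
    name = "PAP" if proto == PPP_PAP else "CHAP"
    malformed = {"protocol": name, "id": ident, "issue": "malformed"}
    # The length field counts code, identifier, length and data.
    if length < 4 or 2 + length > len(frame):
        return malformed
    body = frame[6:2 + length]
    if proto == PPP_CHAP:
        return {"protocol": name, "id": ident, "password_exposed": False}
    if code != 1:
        return None                      # Ack/Nak replies carry no credentials
    # Data layout: peer-id length, peer-id, password length, password.
    if len(body) < 2 or len(body) < 2 + body[0]:
        return malformed
    id_len = body[0]
    pw_len = body[1 + id_len]
    if len(body) < 2 + id_len + pw_len:
        return malformed
    return {"protocol": name, "id": ident, "password_exposed": True,
            "peer_id": body[1:1 + id_len].decode("ascii", "replace"),
            "password_len": pw_len}      # report the length, never the secret

def audit_capture(frames):
    """Findings for every authentication frame in a capture, in order."""
    return [f for f in map(audit_frame, frames) if f is not None]

# Constructed sample capture: LCP, PAP, CHAP, and a truncated PAP frame.
SAMPLE_FRAMES = [
    struct.pack("!HBBH", PPP_LCP, 1, 1, 4),
    pap_request(7, b"alice", b"Winter2002!"),
    chap_response(8, bytes(16), b"bob"),
    pap_request(9, b"carol", b"secret")[:-3],
]

if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_FRAMES):
        print(finding)
```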
A third party could capture this information and use it to gain subsequent access to the network.

3.3.2 CLIENT SIDE RISKS
The VPN client machines of, say, home users may be connected to the Internet via a standard broadband connection while at the same time holding a VPN connection to a private network, using split tunneling. This may pose a risk to the private network being connected to. A client machine may also be shared with other parties who are not fully aware of the security implications. In addition, a laptop used by a mobile user may be connected to the Internet, a wireless LAN at a hotel or airport, or other foreign networks. However, the security protection in most of these public connection points is inadequate for VPN access. If the VPN client machine is compromised, either before or during the connection, this poses a risk to the connecting network.

3.3.3 INCORRECT NETWORK ACCESS:
Granting more access rights than needed to clients or networks.

3.3.4 MALWARE INFECTIONS:
If any client is infected with malware, the connecting network might get compromised as well unless it is protected with an effective anti-virus system.

3.3.5 INTEROPERABILITY:
IPsec compliant software from two different vendors may not always be able to work together, so interoperability is also a concern.

4.0 Conclusion:
As we find ourselves relying more and more on cloud services and multiple devices all connected to the Internet, it is vital that we stay informed and take steps to ensure our privacy online. VPN services claim to offer a private, secure network. There are a few VPN technologies, amongst which IPsec and SSL VPN are the most popular. However, there are a lot of vulnerabilities that need to be addressed.
A report suggested that NSA had the ability to remotely extract confidential keys from Cisco VPNs for over a decade, Mustafa Al-Bassam, a security researcher at payments processing firm Secure Trading, told Ars. “This explains how they were able to decrypt thousands of VPN connections per minute as shown in documents previously published by Der Spiegel.” So, careful consideration must be given to the risk involved. Security features such as support for strong authentication, support for anti-virus software and intrusion detection, industry-proven strong encryption algorithms and so on need to be considered if we decide to go for a VPN product.

5.0 Future work:
The following can be implemented when deploying a VPN for a more secure and private connection:
1. Installing an Intrusion Detection system.
2. Using a firewall.
3. Installing anti-virus software on both clients and servers in case either end is infected with a virus.
4. VPN connections should have a secured and managed authentication system.
5. Network connections should be recorded.
6. The log should be reviewed regularly.
7. Network administrators and supporting staff should be trained so that they can implement VPNs in a proper way.
8. To protect the internal network, the VPN entry point should be placed in a Demilitarized Zone (DMZ).
9. During a VPN connection, split tunneling should be avoided when simultaneously accessing the Internet or any other network that is not secure.

6.0 References:
1. J. Crace. “VPN Security: What You Need to Know.” Cloudwards, 25 Sept, 2017. Online.
2. F. O’Sullivan. “Beginners Guide: What Is a VPN?” 3 Dec, 2017. Online. Available: www.cloudwards.net/what-is-a-vpn/.
3. H. Robinson. “Microsoft PPTP VPN Vulnerabilities Exploits in Action.” August 22nd 2002.
4. G. Tyson. “A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients”. 17-Feb.
5. Noyes. “Beware, VPN users: You may not be as safe as you think you are.” 1 July, 2015. Online. Available: https://www.pcworld.com/article/2943472/vpn-users-beware-you-may-not-be-as-safe-as-you-think-you-are.html.
6. J. Martindale, “Many big VPNs have glaring security problems.” July 1, 2015. Online. Available: https://www.digitaltrends.com/computing/commercial-vpn-huge-security-flaws/.
7. R. Harrell. “VPN security: Where are the vulnerabilities?” October, 2005. Online. Available: http://searchenterprisewan.techtarget.com/tip/VPN-security-Where-are-the-vulnerabilities.
8. J. Leyden. “90% of SSL VPNs are ‘hopelessly insecure’, say researchers.” 26 February, 2016. Online. Available: https://www.theregister.co.uk/2016/02/26/ssl_vpns_survey/.
9. B. Mitchell. “VPN Tunnels Tutorial”. July 21, 2017.
10. The Government of the Hong Kong Special Administrative Region, VPN SECURITY. February, 2008.
11. D. Goodin. “How the NSA snooped on encrypted Internet traffic for a decade.” August 20, 2016. Online. Available: https://arstechnica.