VPNs: CSH 6 Chapter 32, Virtual Private Networks

  • Slides: 49

Slide 1: VPNs. CSH 6 Chapter 32, “Virtual Private Networks & Secure Remote Access”, Justin Opatrny & Carl Ness
Copyright © 2020 M. E. Kabay. All rights reserved.

Slide 2: Topics
  • Introduction
  • Remote-Access VPNs
  • Site-to-Site VPNs
  • Extranets
  (OH NO! 49 SLIDES!!! MUST TALK LIKE SOMEONE ON LOTS OF COFFEE)

Slide 3: Introduction
  • Borders Dissolving
  • Secure Remote Access
  • Virtual Private Networks
  • VPN Technology Concepts

Slide 4: Borders Dissolving (1)
  • Before Internet access, security → internal networks
  • After ~1993, explosion in Internet connections
  • Perimeter firewall reduced access by digital predators
  • How to maintain network security for employees using mobile technology?
    - Laptop computers, cell phones
    - Home, traveling
  • How to define extranets for business partners?

Slide 5: Borders Dissolving (2)
  • Competitive advantage requires
    - Employee network & information access
    - From outside workplace
    - Coping with inclement weather, disruptions
    - Geographic dispersion of workforce
  • B2B requirements growing
    - Vendors, suppliers, partners
    - Outsourcing
    - Support
  • B2C demands
    - Growing expectations from consumers

Slide 6: Secure Remote Access
  • Requires extensive planning & review
    - Must not jeopardize safety of critical information & information systems
  • Primary tools
    - Virtual Private Networks (VPNs)
      * Secured connection
      * Encrypted tunnel
    - Extranets
      * Encrypted connection to Web application server outside internal NW
      * Usually need connections from server to internal NW for data exchange

Slide 7: Virtual Private Networks
  • Basic idea
    - Create stream of encrypted data through firewall
    - “Encrypted tunnel”
  • Goals
    - Securely extend internal network
    - Protect data during transmission
    - Maintain security of system
  • Two categories
    - Remote-Access VPNs
    - Site-to-Site VPNs

Slide 8: VPN Technology Concepts
  • See other chapters in CSH 6 for background concepts, terminology, details & readings
    - Chapter 5: Data Communications & Information Security
    - Chapter 6: Network Topologies, Protocols & Design
    - Chapter 7: Encryption
    - Chapter 26: Gateway Security Devices
    - Chapter 37: PKI & Certificate Authorities

Slide 9: Remote-Access VPNs
  • IPSec
  • Transport-Layer Security
  • User-Authentication Methods
  • Infrastructure Requirements
  • Network-Access Requirements

Slide 10: IPSec
  • Basics
    - Suite of Internet Protocol (IP) layer protocols
    - Establish & protect VPN transmissions
    - Usually uses client-resident application
    - Create encrypted VPN tunnel into internal network
  • Topics
    - Key Exchange & Management
    - Authentication Header vs Encapsulating Security Payload
    - Transport vs Tunnel Mode

Slide 11: IPSec: Key Exchange & Management
  • Must establish and manage Security Association (SA) between client & server
  • IPSec uses Internet Key Exchange (IKE)
    - Good reference: NIST Guide to IPsec VPNs (SP 800-77)
  • 2 phases in establishing SA
    - Phase 1 creates initial IKE SA
      * Can use 2 modes: Main mode, Aggressive mode
    - Phase 2 establishes IPSec SA
  More details on following slides

Slide 12: IKE Phase 1 Main Mode
  • Most commonly used
  • 3 pairs of packets
    - 1st pair negotiates 4-parameter protection suite
      * Encryption algorithm (e.g., 3DES, AES)
      * Integrity protection algorithm (e.g., HMAC-SHA-1)
      * Authentication method (e.g., shared key, PKI certificate)
      * Diffie-Hellman group* (category of key length & type of encryption algorithm)
    - 2nd pair exchanges encryption keys using D-H
    - 3rd pair authenticates each side of the connection to the other
  *See SP 800-77 pp. 3-11 & 3-12
  HMAC: hashed message authentication code

Slide 13: IKE Phase 1 Aggressive Mode
  • 3 packets (not pairs of packets)
    - 1st & 2nd packets
      * Negotiate all IKE SA parameters
      * Perform key exchange
    - 2nd & 3rd packets
      * Authenticate end-points to each other

Slide 14: IKE Phase 2
  • Quick mode to establish IPSec SAs
  • Each side maintains IPSec SA in SAD (Security Association Database)
  • Initiating device creates & sends SA proposal to VPN server
  • VPN server replies with SA selection & hash to authenticate connection
  • Initiating device replies with hash generated from prompt received from server
  • If server matches received hash with sent hash, server adds SA to SAD & connection proceeds
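The three message pairs of Phase 1 main mode and pre-shared-key authentication from slides 12 to 14, as an added Python model (not code from the slides or from any IKE implementation). The toy DH group, the shortened HASH_I/HASH_R field list, the identities and the suite lists are assumptions; the model also shows the slide 30 point that a gateway whose policy omits weak suites refuses a client offering only those.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Sequence, Tuple

# A protection suite as negotiated in pair 1: (encryption, integrity, auth method, DH group id).
Suite = Tuple[str, str, str, int]

# Toy Diffie-Hellman parameters. Assumption: a 127-bit Mersenne prime stands in for the
# real MODP group named by the suite; it keeps the demo fast and is not secure.
P, G = 2**127 - 1, 3


def negotiate_suite(proposals: Sequence[Suite], policy: Sequence[Suite]) -> Optional[Suite]:
    """Pair 1: the initiator offers suites in preference order; the responder picks the
    first one its policy allows. None means no acceptable suite, so no IKE SA."""
    return next((s for s in proposals if s in policy), None)


def dh_keypair() -> Tuple[int, int]:
    """Pair 2: each side draws a private exponent x and sends g^x mod p plus a nonce."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def skeyid(psk: bytes, n_i: bytes, n_r: bytes) -> bytes:
    """Pre-shared-key authentication: the base key is prf(psk, Ni | Nr), so only a
    party holding the PSK can derive it."""
    return hmac.new(psk, n_i + n_r, hashlib.sha256).digest()


def auth_hash(key: bytes, pub_own: int, pub_peer: int, n_i: bytes, n_r: bytes,
              suite: Suite, ident: bytes) -> bytes:
    """Pair 3: HASH_I / HASH_R bind the DH values, nonces, chosen suite and identity to
    the PSK-derived key (simplified field list; real IKEv1 also covers cookies and SA body)."""
    data = (pub_own.to_bytes(16, "big") + pub_peer.to_bytes(16, "big")
            + n_i + n_r + repr(suite).encode() + ident)
    return hmac.new(key, data, hashlib.sha256).digest()


def phase1_main_mode(proposals: Sequence[Suite], responder_policy: Sequence[Suite],
                     psk_i: bytes, psk_r: bytes) -> Tuple[Optional[Suite], bool]:
    """Run the three message pairs between initiator (i) and responder (r).
    Returns (negotiated suite or None, True only if both sides authenticated)."""
    suite = negotiate_suite(proposals, responder_policy)          # pair 1
    if suite is None:
        return None, False
    x_i, pub_i = dh_keypair()                                      # pair 2
    x_r, pub_r = dh_keypair()
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)
    assert pow(pub_r, x_i, P) == pow(pub_i, x_r, P)                # both now hold g^xy
    key_i, key_r = skeyid(psk_i, n_i, n_r), skeyid(psk_r, n_i, n_r)
    id_i, id_r = b"client", b"vpn-gateway"                         # constructed identities
    # pair 3: each side sends its hash; the peer recomputes it with its own key and compares
    hash_i = auth_hash(key_i, pub_i, pub_r, n_i, n_r, suite, id_i)
    ok_r = hmac.compare_digest(hash_i, auth_hash(key_r, pub_i, pub_r, n_i, n_r, suite, id_i))
    hash_r = auth_hash(key_r, pub_r, pub_i, n_i, n_r, suite, id_r)
    ok_i = hmac.compare_digest(hash_r, auth_hash(key_i, pub_r, pub_i, n_i, n_r, suite, id_r))
    return suite, ok_i and ok_r


# Constructed suites: group 2 = 1024-bit MODP, group 14 = 2048-bit MODP (IKE group ids).
WEAK = ("3DES", "HMAC-SHA1", "psk", 2)
STRONG = ("AES-256", "HMAC-SHA256", "psk", 14)
GATEWAY_POLICY = [STRONG]   # weak suite removed from the gateway's offer (slide 30)

if __name__ == "__main__":
    print(phase1_main_mode([WEAK, STRONG], GATEWAY_POLICY, b"s3cret", b"s3cret"))  # (STRONG, True)
    print(phase1_main_mode([WEAK], GATEWAY_POLICY, b"s3cret", b"s3cret"))          # (None, False)
    print(phase1_main_mode([STRONG], GATEWAY_POLICY, b"s3cret", b"wr0ng"))         # (STRONG, False)
```

The third call shows why the slide 14 hash comparison matters: a peer with the wrong pre-shared key completes negotiation and key exchange but fails authentication, so no SA is added.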

Slide 15: IPSec: AH vs ESP
  • Authentication Header (AH)
    - Protects integrity of packet header & payload
    - Uses cryptographic hashing
  • Encapsulating Security Payload (ESP)
    - More common implementation today
    - Encrypts entire packet
    - Creates new IP header
    - Protects both integrity & confidentiality

Slide 16: IPSec: Transport vs Tunnel Mode
  • Transport mode
    - Preserves original IP header
    - Provides confidentiality & integrity protection for payload
    - Incompatible with Network Address Translation (NAT)
      * TCP integrity checks fail
      * NAT alters IP address during transmission, therefore IPSec hash will be incorrect
  • Tunnel mode
    - Protects both header and payload
    - Primary method today for host-to-gateway & gateway-to-gateway VPNs
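The NAT problem on this slide, as an added example (not from the slides or from any IPsec stack): a toy packet model with an AH-style HMAC-SHA256 integrity check over the addresses and payload. Transport mode fails once NAT rewrites a covered address; tunnel mode survives because the rewritten outer header lies outside the protected inner packet. Addresses, key and payloads are constructed, and encryption is left out so only the integrity point is shown.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed per-SA integrity key; in practice it comes out of the IKE exchange.
KEY = b"constructed-sa-integrity-key"


@dataclass(frozen=True)
class Packet:
    """Toy IP packet: only the header fields that matter here, plus the payload."""
    src: str
    dst: str
    payload: bytes
    icv: bytes = b""   # integrity check value (AH-style); empty when unprotected


def covered_bytes(pkt: Packet) -> bytes:
    """Fields covered by the ICV: both addresses and the payload (not the icv field itself)."""
    return f"{pkt.src}>{pkt.dst}|".encode() + pkt.payload


def protect_transport(pkt: Packet, key: bytes = KEY) -> Packet:
    """Transport mode: original header kept, ICV computed over header + payload."""
    return replace(pkt, icv=hmac.new(key, covered_bytes(pkt), hashlib.sha256).digest())


def verify(pkt: Packet, key: bytes = KEY) -> bool:
    """Receiver recomputes the ICV over what actually arrived and compares."""
    expected = hmac.new(key, covered_bytes(pkt), hashlib.sha256).digest()
    return hmac.compare_digest(pkt.icv, expected)


def serialize(pkt: Packet) -> bytes:
    return "|".join([pkt.src, pkt.dst, pkt.payload.hex(), pkt.icv.hex()]).encode()


def deserialize(data: bytes) -> Packet:
    src, dst, payload, icv = data.decode().split("|")
    return Packet(src, dst, bytes.fromhex(payload), bytes.fromhex(icv))


def protect_tunnel(pkt: Packet, gw_src: str, gw_dst: str, key: bytes = KEY) -> Packet:
    """Tunnel mode (ESP-style): the whole protected inner packet becomes the payload of a
    new outer packet between the gateways; the outer header is not covered by the ICV."""
    return Packet(gw_src, gw_dst, serialize(protect_transport(pkt, key)))


def nat_rewrite_source(pkt: Packet, public_ip: str) -> Packet:
    """What a NAT device does on the way out: rewrite the (outer) source address."""
    return replace(pkt, src=public_ip)


def transport_through_nat() -> bool:
    """Host 10.0.0.5 sends a transport-mode packet through NAT; the receiver's check fails
    because a covered field (the source address) changed in flight."""
    pkt = protect_transport(Packet("10.0.0.5", "203.0.113.9", b"GET / HTTP/1.1"))
    return verify(nat_rewrite_source(pkt, "198.51.100.1"))       # False


def tunnel_through_nat() -> bool:
    """Same inner packet in tunnel mode between gateways 192.0.2.1 and 203.0.113.9; NAT
    only touches the outer header, so the decapsulated inner packet still verifies."""
    outer = protect_tunnel(Packet("10.0.0.5", "10.1.0.7", b"GET / HTTP/1.1"),
                           "192.0.2.1", "203.0.113.9")
    outer = nat_rewrite_source(outer, "198.51.100.1")
    return verify(deserialize(outer.payload))                     # True
```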

Slide 17: Transport-Layer Security (TLS)
  • TLS provides protection of client/server links
  • Most common implementation: SSL (Secure Sockets Layer) → HTTPS
  • Basics
    - 128-bit encryption
    - Widely available on browsers & servers
    - Client provides SSL-related parameters for establishing HTTPS connection to server
    - Server responds with its SSL parameters + digital certificate
    - Client authenticates server

Slide 18: User-Authentication Methods
  • Simplest method: user name & password
  • Other methods
    - RADIUS: Remote Authentication Dial-In User Service
    - LDAP: Lightweight Directory Access Protocol
    - Kerberos: access control system
      * Developed at MIT in 1980s
      * Accepted by IETF in 2003
      * See http://www.ietf.org/rfc1510.txt
      * Diagram from CDE on next slide

Slide 19: Kerberos
  • Login: user PW encrypted & sent to KDC
  • KDC
    - Authenticates PW
    - Sends master ticket (a kind of session key) to user
  • User sends master ticket to KDC when requesting service
  [Diagram] Used by kind permission of the author. Copyright © 2010 Computer Language Corporation, http://www.computerlanguage.com. All rights reserved.

Slide 20: Infrastructure Requirements
  • VPN should be outside firewall
  • Connection to internal networks protected by firewall
    - Restrict all external connections to internal network
    - Allow encrypted connections to VPN server to be relayed through firewall

Slide 21: Network-Access Requirements
  • IPSec
    - Can use split tunneling for better throughput
    - Enforce encryption on inbound traffic
    - Allow outbound traffic to Internet to be treated normally (not through encrypted tunnel)
    - But lose ability to inspect outbound traffic
  • TLS/SSL
    - Dashboard allows administrator to control settings
    - Current implementations similar to IPSec in flexibility

Slide 22: Site-to-Site VPNs
  • VPNs mostly used for client remote access
  • But also used for secure internal communications
    - Can create equivalent of secure WAN (Wide Area Network)
    - Reduce complexity of physically-wired WAN
  • Topics in next slides relating to Trusted VPNs
    - MPLS
    - Site-to-Site VPNs
    - Information Assurance Considerations

Slide 23: MPLS: Multiprotocol Label Switching (1)
  • Not traditional encrypted VPN
  • Similar service
  • Complex issues in deployment
  • Service providers differ in offerings
  • Topics on next slides:
    - Purpose
    - Requirements

Slide 24: MPLS (2): Purpose
  • Typical WAN topologies = star, ring or mesh (or combinations)
  • MPLS creates meshed, routed virtual network at service provider level
  • MPLS free to route packets from 1 WAN endpoint to another in virtual network
  • Eliminates hub as single point of failure
  • Can provide multiple QoS (quality of service) levels
    - Prioritize traffic
    - Allow specific protocols more bandwidth at times

Slide 25: Site-to-Site (S2S) VPNs
  • Purpose
    - Extend WAN concepts to areas where traditional direct connections (T1, frame relay…) are too expensive
    - Leased lines may be too slow
  • Alternative WAN
    - Use / share Internet connection
    - Higher bandwidth, lower cost
  • Backup
    - Redundancy at relatively low cost
  • Requirements
    - Internet, VPN end-points (routers)
    - Possibly VPN-enabled gateway security device (firewall)

Slide 26: IA Considerations (outline)
  • Remote-access VPN Considerations
  • Fidelity of Mobile Device
  • VPN Client Management
  • Protection of VPN Device
  • Cryptographic Options
  • Traffic Inspection
  • Processing Power
  • Interception
  • Site-to-Site VPN Considerations
  • Implications of Elusive VPNs
  • Impact of IPv6

Slide 27: IA Considerations
  • Remote-access VPN Considerations
    - By nature of VPN, assume a hostile environment for data transmission
  • Fidelity of Mobile Device
    - Essential to protect laptops, phones…
    - Firewall, antivirus, patches, encryption
    - Status may change during connection
    - Network Access Control (NAC)
      * Interrogate connecting device at login
      * Verify security status
      * Complex management issue

Slide 28: VPN Client Management
  • IPSec requires client-side app or OS-embedded support
  • Need to maintain up-to-date configuration
  • Avoid user involvement
    - Push updates rather than pulling
  • TLS/SSL VPN less complex to administer
    - Automatic downloads of small Java applets or ActiveX controls
    - Code can remain resident, avoiding delay at re-initiation of sessions

Slide 29: Protection of VPN Device
  • Configure firewall to stop access to all unused ports
  • Remove unacceptable cryptographic modes
  • Limit access to network management protocols such as ICMP & SNMP using ACLs
  • Don’t allow insecure protocols such as FTP or HTTP for administration
  • Use strong I&A (e.g., token-based, two-factor)

Slide 30: Cryptographic Options
  • Selection of cryptographic protocol
    - During IKE negotiation
  • Cipher suite determines what is available
    - Remove unacceptably weak protocols from cipher suite
    - Prevents incompatible clients from connecting

Slide 31: Traffic Inspection
  • Encrypted traffic on VPN interferes with content inspection
  • Limit inspection to post-decryption packets inside network, after VPN device processes data stream
  • Some VPN systems do provide administrative dynamic decryption of packets for content inspection

Slide 32: Processing Power
  • VPN can easily become a bottleneck
  • Monitor processing power required to maintain bandwidth
  • Increase dedicated VPN devices as number of connections increases
  • Can sometimes add hardware encryption accelerators

Slide 33: Interception (1)
  • Possible to capture packets
    - Datagram protocol spreads packets over multiple routes
    - Thus end-point interception only practical approach
    - Massively parallel computational power can crack encryption
  • Person-in-the-middle (PITM) attack
    - While VPN session being established
    - Address Resolution Protocol (ARP) poisoning to redirect traffic to attacker’s system

Slide 34: Interception (2)
  • IPsec MITM vector: preshared key
    - Group name & password
    - Authenticate IPsec connection
    - Fiked emulates VPN termination & collects user credentials
    - Can defend using client or computer certificate for IPsec authentication
  • SSLStrip (2009)
    - ARP-poisoning to intercept client request for TLS/SSL
    - Establishes valid TLS/SSL session with server
    - Creates HTTP session with user but puts fake lock icon into browser window
    - Can reduce risk by forcing use of direct TLS/SSL connections, not redirection from HTTP to HTTPS

Slide 35: Site-to-Site VPN Connections
  • Infrastructure Design
  • Cost
  • Availability

Slide 36: Site-to-Site VPNs: Infrastructure Design
  • Multiprotocol Label Switching (MPLS) changes WAN administration
    - Can provide any-to-any connectivity
    - More difficult to troubleshoot than hub/spoke topology
  • Increased number of security devices
  • Maintain Border Gateway Protocol (BGP) routing security
    - Both sides must authenticate before being added to routing table
  • VPN naturally puts Internet in contact with internal networks
    - Implement gateway security devices (GSD)

Slide 37: Site-to-Site VPNs: Cost
  • New / converted circuits
  • QoS (quality of service) monitoring
  • Support for MPLS and routing
  • Time for redesigning network routing infrastructure
  • Site-to-site (S2S) VPNs require high processing power
    - May need code upgrades ($$)
  • Higher administrative costs for managing increased number of devices

Slide 38: Site-to-Site VPNs: Availability
  • VPNs quickly become a necessity
  • Mobile workforce may be severely impaired if VPNs go down
  • Can load-balance across redundant systems
  • Ideally, connections in process will not be dropped
  • Must have redundant (independent) infrastructure elements
    - Internet links
    - Power
    - Other network components

Slide 39: Implications of Elusive VPNs
  • More VPNs in use than administrators may be aware of
    - GoToMyPC
    - Malicious VPNs such as botnet control channels
    - Laplink™ software could allow unauthorized access to work PC
  • Bypass normal administrative controls
  • Peer-to-peer (P2P) networks use VPN-like features
  • Skype can encrypt voice calls and file transfers
  • Must plan for these in defining policies

Slide 40: Impact of IPv6
  • We are running out of IPv4 address space (or have already)
  • Yet migration to IPv6 still not evident in real world
  • Verify that VPN infrastructure is IPv6 compliant
  • Expect to have to translate IPv6 into IPv4 for the foreseeable future
  • IPv6 does provide support for IPSec automatically

Slide 41: Extranets
  • Information Assurance Goals
  • Extranet Concepts
  • Types of Extranet Access
  • Information Assurance Considerations

Slide 42: Extranets: Information Assurance Goals
  • Protecting shared information assets
    - Increased security issues with external accessors
    - Competitive advantage, regulatory requirements
  • Preventing information exposure
    - Principle of least privilege
    - Identity management
    - Access management
  • Minimizing ancillary risks
    - Restrict outsiders’ access to non-essential services

Slide 43: Extranet Concepts
  • Service NW vs DMZ
    - Don’t count on DMZ (weak security) for extranet services
    - Define specific firewall architecture with particular settings for extranet servers
  • N-Tier Architecture
    - Distribute functions across multiple servers
    - E.g., separate front-end user server from back-end database server
  • SSL Encryption
    - Enforce HTTPS (Secure Sockets Layer) traffic
    - Verify that padlock icon is implemented correctly

Slide 44: Types of Extranet Access
  • Vendor/Partner Information Sharing
    - ERP (enterprise resource planning)
    - SCM (supply chain management)
  • E-Commerce
    - EDI (electronic data interchange)
    - CRM (customer relationship management)
    - B2B (business to business)
    - B2C (business to client)
  • Employee Self-Service
    - E-mail
    - Benefits systems
    - Access to intranet systems
  Norwich University extranet examples: OWA for e-mail, my.norwich.edu, BannerWeb

Slide 45: Extranets: Information Assurance Considerations (1)
  • Technical Security
    - Cannot secure using only a single point
    - Need security at multiple layers
  • Traffic Inspection
    - Difficult between nodes
    - May have to inspect traffic on extranet server before encryption
      * Increases processing load on server CPU
    - Or may terminate SSL upstream and send cleartext data to extranet server
      * Relieves extranet server of need for decryption / encryption processing

Slide 46: Extranet IA Considerations (2)
  • Internal Network Exposure
    - Compromise of extranet server must not allow breach of inside resources
      * Ensure appropriate firewalls to shield internal networks from extranet
  • Server
    - Harden servers by removing vulnerable unused services
      * Configure for minimum functionality required
    - Close attention to patches
    - Intrusion prevention/detection devices
    - Virtualization has additional complexities

Slide 47: Extranet IA Considerations (3)
  • Application
    - Many systems susceptible to common attacks
      * Buffer overflows
      * SQL injection
      * Cross-site scripting (XSS)
    - Developers must keep security in mind throughout
      * Use best practices
      * Stay current on threat landscape
  Definitions (slide side notes):
    BO: failure to prevent data outside the bounds of a buffer from being accepted in input and then used.
    SQLI: DB query software process doesn’t test query statement for correctness.
    XSS: browser executes hostile script; e.g., hiding code in bogus URL for non-existent page.

Slide 48: Extranet IA Considerations (4)
  • Policies
    - Provide written policies about requirements for access & use
    - Establish expectations
    - Useful for legal proceedings
  • Access & Identity Management
    - I&A support access controls
    - But passwords a poor authentication method
    - Better: issuing digital certificates
  • Availability: critical issue, plan for it!
  • Impact of IPv6: infrastructure support issues

Slide 49: Now go and study