Security and xDSL
Connections
Part IV: Virtual Private Networking
by Dave
Piscitello
In my previous three
columns on security and xDSL
connections, I discussed the technology of DSL and the vulnerabilities and
issues that DSL connections present. I suggested policies and technologies
administrators can use to control desktops, and explained the importance
of firewalls in home and remote offices having broadband local access
connections. Having accepted the risks and implemented the security
solutions, and now that your remote workers are connecting via DSL, you
will want to secure broadband local access communications using Virtual
Private Networking (VPN). This last column in the series describes several
VPN approaches.
What Is Virtual Private Networking?
A traditional private
network is composed of dedicated or leased lines that interconnect
routers. In a virtual network, tunnels replace
dedicated lines, interconnecting sites and remote users over the public
Internet logically. A virtual private network (VPN) adds
authentication (trust), access control, confidentiality, and message
integrity among the hosts participating in a virtual network so that the
communications are as secure as the private network it replaces (or if
implemented properly, more secure).
When and Why You Need VPNs
Organizations have successfully used ATM or Frame Relay to create
virtual networks instead of building a mesh of expensive dedicated lines
between its sites. Today, Internet access is commonplace, so why not use
the Internet for virtual networking? Virtual networking over the Internet
is straightforward, and is accomplished by using tunneling or encapsulation.
Satisfying the private aspect of a Virtual
Private Network is harder. The public Internet runs on IP, using the same
technologies large enterprises use, and is generally understood to have
the same vulnerabilities, especially with respect to interception of
unprotected traffic. To maintain confidentiality over the public Internet,
you must add encryption.
Technology
Choices for VPNs
VPNs
come in many flavors, and can be used for secure remote access (Remote
User VPN) or site-to-site (Branch Office VPN) connectivity. I’ll briefly
describe the following alternatives:
-
Layer 2
-
Layer 3
-
Secure Shell (SSH)
-
Secure Socket Layer (SSL)
-
Transport Layer Security (TLS)
(I’ve posted a chart
summarizing the key features of all these VPN technologies at my Web site.) And in
conclusion, I’ll list a few deployment scenarios and recommend which
flavor of VPN may best suit each one.
Layer 2
VPNs
The
Point-to-Point Protocol (PPP) supports dial-up Internet access and
enterprise remote access between two endpoints, e.g., a mobile worker’s
laptop and an organization’s remote access server. Layer 2 VPN protocols like the
Layer 2 Tunneling Protocol (L2TP) move PPP packets between two endpoints
over an IP-based internet (private or public) by creating a virtual "modem
link" from a tele-worker’s PC to the corporate LAN.
In one common L2TP scenario, a
user dials up an ISP and establishes a connection. Based on his
authentication credentials (e.g., Caller ID, user@domain name), the ISP recognizes this
customer as being one who requires a
tunnel to a corporate L2TP server. An L2TP access concentrator operated by
the ISP handles authentication on behalf of the corporation. If
authentication succeeds, the L2TP access concentrator passes or “proxies”
the packets between the remote user L2TP client and the L2TP server at the
corporate network. This scenario is referred to as compulsory tunneling. L2TP can
also be used to support voluntary tunnels, similar to Microsoft’s
Point-to-Point Tunneling Protocol (PPTP) a common implementation of a
Layer 2 VPN.
L2TP uses traditional dial
authentication protocols (CHAP, PAP, etc.). It allows a tunnel server to
enforce access controls at the point where the dial-up session connects to
the corporate network. L2TP can encapsulate IP and non-IP protocols within
PPP. Remember, L2TP only tunnels; it does not encrypt. L2TP can be carried
over a Layer 3 VPN when message confidentiality and integrity are
required.
Layer
3 (IPsec) VPNs
Layer 3
VPNs provide virtual connections using Internet standard IP Security
extensions (IPsec). IP packets can be exchanged between IPsec-enabled
tunnel endpoints—host computers, firewalls, security appliances, routers,
or servers—over any IP network. The “security association” connecting
IPsec endpoints is typically created using the Internet Key Exchange (IKE)
protocol. Each IPsec endpoint authenticates the far end of the tunnel,
negotiates protocols, encryption and authentication algorithms, and
generates shared secret keys—essentially providing everything needed to
enforce the security policy for the virtual connection. WatchGuard
customers can use Mobile User VPN for secure remote access and IPsec
Branch Office VPN for secure site-to-site communications.
The most common form of IPsec
is tunnel-mode, using the Encapsulating Security Payload (ESP). In this
method, each original IP packet is encapsulated
within another IP packet containing the addresses of the two tunnel
endpoints. An ESP header is added to convey the IPsec parameters. The inner packet may be encrypted to ensure that the
entire original IP packet’s content, even its source and destination,
remain private as the packet traverses a public network. This prevents
eavesdropping, and makes it more difficult to perform traffic analysis or
denial of service attacks by sniffing IP packets. An ESP trailer is
appended to the original (now encrypted) IP packet, for packet
authentication (message integrity).
There are other flavors of
IPsec—for example, an Authentication Header (AH) that provides message
integrity without encryption; and “transport-mode” IPsec, which protects
packet payload end-to-end between hosts, without encapsulation. But these
are deployed far less often than the tunnel-mode ESP I've described
here.
When
using tunnel-mode IPsec, you can apply security policies to any IP packet
entering or leaving a corporate network, much as you would apply packet
filters at a firewall. Initial standards support IKE authentication via
preshared secret, raw public key, or digital certificate — methods
well-suited for site-to-site VPNs, but not easily applied to large remote
access VPNs.
Secure
Application Streams
The
VPNs I’ve described thus far create a secure path for every application
protocol, but their use might not be feasible in some circumstances. If
all you need is to exchange e-mail or perform remote administrative
functions securely, or if your business and e-business needs can be
satisfied by securing all browser-accessible applications, you may be able
to solve your privacy issues by securing individual application streams.
Secure Shell, Secure Sockets Layer, and Transport Layer Security do just
this.
Secure Shell (SSH) is used to
secure application streams, and is commonly seen in UNIX environments. You
use an SSH client to initiate a TCP connection to an SSH server that sits
at the edge of the protected network, serving as a gatekeeper between the
untrusted and trusted networks. The SSH client and server create an
encrypted session on top of TCP that can be used for host or user
authentication. Once authenticated, additional application sessions (for
example, POP3) can be
multiplexed over the SSH connection. A POP3 stream would be encrypted over
the public (untrusted) Internet; then, once it reaches the SSH server
gateway, can be forwarded as clear text to a private enterprise mail
server located behind the SSH server.
Secure Sockets Layer (SSL) is
commonly used to secure Web traffic (HTTP). When you use a Web browser to
secure a transaction, the browser's SSL client initiates an encrypted
session on top of TCP. One of the many things you can do over an SSL
connection is perform sub-authentication, where the
client authenticates to the server. SSL sub-authentication at a proxy host
is commonly used for single sign-on environments and for Web-based
extranets. Since the SSL session itself is encrypted, anything else that
you pass over the connection (e.g., user
IDs, authentications to an ftp server) can be safely passed in clear,
unencrypted text.
The Transport Layer Security (TLS)
protocol is another Internet standard like IPsec, but is based on SSL. As
with SSH, you can use TLS to secure non-Web application protocols (POP3,
SMTP, IMAP, Telnet). There are two ways you can use TLS to secure
application streams. The first way is to assign a new port number used by
TLS connections for each client/server application, e.g., mail. The
existing "well known" port is used for unencrypted traffic, and encrypted
traffic is sent through the new port. An alternative is to modify both the
client and server software of an application so that they negotiate or upgrade to communicate using a
secure TLS channel.
SSH, SSL, and TLS operate end-to-end (client/server) or as proxies on firewalls or security appliances. They are useful alternatives when:
-
changes to client desktop software cannot be imposed unilaterally across multiple enterprises;
-
when a legacy authentication method is not supported by IPsec;
-
or when an IPsec site-to-site VPN doesn’t provide the ability to create affinity groups composed of trusted individuals from more than one enterprise.
Deployment
Scenarios at the Teleworker’s Small Office
A VPN
is the final element of securing DSL connections. In cases where your
traffic travels over the public Internet, you should consider some form of
VPN between a teleworker and the corporate network.
If you are connecting a remote
user’s single PC to the
corporate network, consider using a remote user IPsec (Layer 3) VPN to a
Firebox firewall, or an IPsec capable router. However, if your teleworker
requires multi-protocol support (that is, other than TCP or UDP IP), run
L2TP over IPsec. Where your remote user shares a household (e.g., user has
a roommate or spouse that works for a competitor), add additional security
to the connection by requiring your user to authenticate. (Requiring
authentication for a remote user in a shared household should also be
applied with Branch Office VPNs.)
If you take the IPsec route on
Windows 2000 PCs, be sure to check for interoperability between your
security gateway and the Windows 2000 IPsec/L2TP implementation .
If your employees are using Windows 95/98, you will need either a third party or vendor-provided IPsec adapter
(such as WatchGuard’s Mobile User VPN). One caveat: some clients can be
troublesome to install on certain PCs and laptops, and are not compatible
with all NIC and modem cards.
If your remote user’s PC only
requires browser access to corporate servers, you can take the current
path of least resistance and use SSL. This (or a TLS-protected application
like e-mail) may also be attractive if you must tackle both the problem of
securing e-business transactions, and the problem of securing branch
office remote access.
Teleworker and small offices
that employ SOHO firewall appliances, such as the WatchGuard SOHO, can
operate IPsec site-to-site. I believe site-to-site (from teleworker
firewall to a corporate firewall) is the simplest, most secure deployment
you could ask for. Look for a teleworker firewall that supports IPsec and
can be centrally administered through the same management interface as
your corporate, IPsec-capable firewall. In this scenario, you can assert
security policy uniformly and transparently across all teleworker DSL
connections, and you avoid help desk issues for desktops in teleworker
residences.
Central administration of your VPN topology
will quickly become a top priority when choosing a corporate VPN server.
Look for products that provide effective means to administer pre-shared
keys today, and that have a viable approach for managing digital
certificates and any legacy authentication method you may have already
implemented across your enterprise (e.g., 2-factor, token-based
authentication).
Closing Remarks on This Series
Broadband local access forces IT administrators to consider on a
much grander scale than before the security of systems, information, and
communication outside an organization’s core networking environment. It
also forces administrators to reconsider some existing security policies
and practices for remote access in general. These are Good Things. You may
wonder whether it’s necessary to implement all the suggested practices
I’ve mentioned in this series. You may also wonder which of these
solutions is best for your organization. The only way to answer these
questions is to consider policy first, understand the risks broadband
local access introduces, and assess which risks you can mitigate or reduce
most effectively given available budget and expertise.