Abstract: Virtual Private Network (VPN) usage has grown in the last couple of
years due to the increasing need for more private, secure and anonymous
connections. VPN providers claim to meet the needs of anonymity, privacy and
security, but the question is how well they live up to that claim. Since VPN
services claim to provide secure user access and are less expensive than a
dedicated leased line, they have become more attractive to enterprises.
However, there are still many concerns regarding VPNs. VPN services are not as
secure as they claim to be, and they can be unreliable for end users. This
paper introduces VPNs and how they work, describes different types of VPN
protocols such as Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling
Protocol (L2TP) and OpenVPN, addresses various security issues of VPN
services, analyzes their claims of privacy and security, discusses how VPN
services suffer from IPv6 leakage, and finally explores possible solutions and
alternatives for these vulnerabilities.

 

 

Introduction: In brief, a Virtual Private Network (VPN) is a secured, encrypted
connection between a user and a service provider, designed to keep
communications private. The encryption provides data confidentiality. A VPN
uses a tunneling mechanism to encapsulate encrypted data in a secure tunnel.
VPN tunneling involves establishing and maintaining a logical network
connection. There are various types of tunneling protocols, which are discussed
later. VPNs also claim to provide data integrity. When we browse the Internet,
our computer sends a request for a specific page; that request goes to our
ISP’s server, the ISP translates the requested domain name into an IP (Internet
Protocol) address, requests the page on our behalf, and finally sends the
results back to our computer.

 

 

What a VPN does is replace our IP address with that of the VPN. However, that
is not all, because then it would be no different from a proxy server that
simply reroutes traffic, which is inherently insecure. This insecurity lies in
the fact that whatever you send over IPv4 or IPv6, a third party can simply
look at it and read it for themselves. Internet traffic is inherently unsafe
unless you encrypt it. This is where a VPN differs from a proxy. A VPN creates
a so-called secure tunnel between your computer and the VPN server. All your
traffic is routed through this tunnel and no one can check what is going on
there because of one, or sometimes even several, layers of encryption. Note
that this means that the VPN service itself does know what you’re up to, unless
it has a “no logs” policy in place. Most decent services will not keep your
logs (except maybe for some basic information, known as metadata), though
unfortunately there are plenty of unscrupulous services out there, too.

 

A Virtual Private Network, abbreviated as VPN, in its most
basic terms, is the use of various technologies to provide a private network of
resources and information over any public network, including the Internet. VPNs
provide a means for organizations and individuals to connect their various
resources over the Internet (a very public network), but not make the resources
available to the public, instead only making them available to those that are
part of the VPN. VPNs provide a means for such users to have resources
scattered all over the world, and still be connected as though they were all in
the same building on the same network together, with all the ease of use and
benefits of being interconnected in such a manner. Normally, without a VPN, if
such a private connection was desired, the company would have to expend
considerable resources in finances, time, training, personnel, hardware and
software to set up dedicated communication lines. These dedicated connections
could be a variety of technologies such as 56k leased lines, dedicated ISDN,
dedicated private T1/T3/etc. connections, satellite, microwave and other
wireless technologies. Setting up an organization’s private network over these
dedicated connections tends to be very expensive. With a VPN, the company can
use their existing Internet connections and infrastructure (routers, servers,
software, etc.) and basically “tunnel” or “piggyback” their private network
inside the public network traffic, and realize a considerable savings in
resources and costs compared to dedicated connections. A VPN solution is also
able to provide more flexible options to remote workers: instead of only dial-up
speeds and choices, they can connect from anywhere in the world for just the
cost of their Internet connection, at whatever speed their ISP services may
provide. There have been many VPN technologies developed in recent years, and
many more are on the way. They vary widely from simple to very difficult to set
up and administer, from free to very expensive, from light security to much
heavier protection, from software-based to dedicated hardware solutions, and
even some managed service providers (for example www.devtodev.com or
www.iss.net) are now entering the market to increase the VPN choices
available. Most VPNs operate using various forms of “tunneling” combined with
many choices for encryption and authentication. In this document “tunneling” is
over IP based networks, though other technologies exist as well (such as ATM
based). This document will focus on technologies that deliver VPN solutions
over IP based networks, and refer to them generically as “public” or “Internet”
based networks, and only delve into the specific “carrier” protocol when
appropriate (IPX, ATM, and other protocols are also used, but as IP has become
quite dominant, many are now focused on IP). This document will only cover IPv4
not IPv6. Use of MS PPTP over 802.11b wireless technologies will also be
briefly covered. The data of the “private network” is carried or “tunneled”
inside the public network packet; this also allows other protocols, even
normally “non-routable” protocols, to become usable across widely dispersed
locations. For example, Microsoft’s legacy NetBEUI protocol can be carried
inside such a tunnel, and thus a remote user is able to act as part of the
remote LAN, or two small LANs in two very different locations would actually
be able to “see” each other and work together over many hops of routers, and
still function, with a protocol that normally would not route across the
Internet, although there are many consequences in trying to stretch such a
protocol beyond its intended use.

 

Literature review: A recent report [1] suggested that VPNs are not as secure as
they claim to be. VPN services claim that they provide privacy and anonymity.
The authors studied these claims across various VPN services, analyzing a few
of the most popular VPNs and investigating their internals and infrastructure.
They tested the VPNs using two kinds of attacks: passive monitoring and DNS
hijacking. Passive monitoring is when a user’s unencrypted information is
collected by a third party, and DNS hijacking is when the user’s browser is
redirected to a controlled web server that pretends to be a popular site such
as Twitter [2]. What their experiment revealed is very troubling: most of the
VPN services suffer from IPv6 traffic leakage, and most of them leaked
information, not only the information of the websites but also that of the
user. They went on to study various mobile platforms that use VPNs and found
that these platforms are much more secure when iOS is used but vulnerable when
Android is used. They also discussed more sophisticated DNS hijacking attacks
that allow all traffic to be transparently captured. To make things worse, most
of the VPNs that were part of the experiment used Point-to-Point Tunneling
Protocol with MS-CHAPv2 authentication, which, according to TechReport, makes
them vulnerable to brute-force attacks [10].

Akamai argued that VPNs are not a wise security solution and that they can be a
drawback for third-party remote access. If your institution regularly interacts
with third parties who need remote access to enterprise applications hosted in
your hybrid cloud, a VPN is in no way a good solution: why hand over access to
the whole network to a third party that only needs access to a specific
application? Usually, a third party needs access only to a specific program for
a specific amount of time. Configuring and deploying different subnets for
other parties takes a lot of time, and on top of that, monitoring and adding
users are also time consuming. So clearly this is a drawback.

VPN services are considered a way to transfer private data. They are well known
across the world. However, recently the SOX mandates have urged organizations
to install end-to-end VPN security, which can only mean one thing: the VPN is
no longer enough by itself. Moreover, VPN systems cannot be managed easily, and
maintaining the security of the clients is also a complicated process, since it
requires keeping the clients up to date.

Another study [9] revealed that 90% of SSL VPNs use age-old encryption methods,
which will eventually put corporate data at risk. An Internet study of publicly
accessible SSL VPN servers was conducted by HTB (High Tech Bridge). Out of four
million randomly selected IPv4 addresses, including those of popular suppliers
such as Cisco, 10,436 randomly selected publicly available SSL VPN servers were
scanned, which revealed the following problems:

1. Quite a few VPN services have SSLv2, and approximately 77% of SSL VPN
services use the SSLv3 protocol, which is now considered obsolete. Both
protocols have various vulnerabilities and both are unsafe.

2. About 76 per cent of SSL VPNs use an untrusted SSL certificate, which might
result in man-in-the-middle attacks.

3. A similar 74 per cent of certificates have an insecure SHA-1 signature,
while five per cent make use of even older MD5 technology. By 1 January 2017,
the majority of web browsers plan to deprecate and stop accepting SHA-1 signed
certificates, since the ageing technology is not strong enough to withstand
potential attacks.

4. Around 41 per cent of SSL VPNs use insecure 1024-bit keys for their RSA
certificates. The RSA certificate is used for authentication and encryption key
exchange. RSA key lengths below 2048 bits are considered insecure because they
open the door to attacks, some based on advances in code breaking and
cryptanalysis.

5. 1% of SSL VPNs that use OpenSSL are vulnerable to Heartbleed. This
vulnerability was found in 2014. Heartbleed affected all products that use
OpenSSL. It allowed hackers to retrieve personal data such as encryption keys.

6. 97% of examined SSL VPNs do not fulfil the PCI DSS requirements, and none
of them were compliant with NIST guidelines.
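An administrator can check their own SSL VPN endpoint against items 1 to 4 of this list. The script below is an added example, not code from the cited study: it assumes the certificate has been dumped with `openssl x509 -text -noout`, that the list of offered protocol versions comes from a separate scan, and it treats a self-signed certificate as one common case of "untrusted". Both sample certificates are constructed.

```python
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}   # item 1: obsolete protocol versions
MIN_RSA_BITS = 2048                   # item 4: RSA keys below 2048 bits

# Constructed samples, laid out like `openssl x509 -text -noout` output.
WEAK_CERT = """\
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = vpn.example.test
        Validity
            Not Before: Jan  1 00:00:00 2015 GMT
        Subject: CN = vpn.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""

STRONG_CERT = """\
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Test CA
        Subject: CN = vpn.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""


def _field(name, text):
    """Return the value of the first 'name: value' line, or None."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


def audit_ssl_vpn(cert_text, offered_protocols):
    """Return finding codes for one endpoint, in the order of the list above."""
    findings = [f"obsolete-protocol:{p}"
                for p in sorted(WEAK_PROTOCOLS & set(offered_protocols))]

    issuer, subject = _field("Issuer", cert_text), _field("Subject", cert_text)
    if issuer is not None and issuer == subject:
        # Item 2: self-signed is one common reason a certificate is untrusted.
        findings.append("untrusted:self-signed")

    sig = _field("Signature Algorithm", cert_text)
    if sig and re.search(r"md5|sha1", sig, re.IGNORECASE):
        findings.append(f"weak-signature:{sig}")          # item 3

    # Matches both "Public-Key:" and the older "RSA Public-Key:" spelling.
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", cert_text)
    if (_field("Public Key Algorithm", cert_text) == "rsaEncryption"
            and bits and int(bits.group(1)) < MIN_RSA_BITS):
        findings.append(f"weak-rsa-key:{bits.group(1)}")  # item 4
    return findings


if __name__ == "__main__":
    print(audit_ssl_vpn(WEAK_CERT, ["SSLv3", "TLSv1.0"]))
    print(audit_ssl_vpn(STRONG_CERT, ["TLSv1.2"]))
```

Heartbleed exposure and PCI DSS / NIST compliance (items 5 and 6) depend on the server software version and the full configuration, so they are outside what a certificate dump can show.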

 

 

 

VPNs can be broadly categorized
as follows:

1. A firewall-based VPN is one
that is equipped with both firewall and VPN capabilities. This type of VPN
makes use of the security mechanisms in firewalls to restrict access to an
internal network. The features it provides include address translation, user
authentication, real time alarms and extensive logging.

2. A hardware-based VPN offers
high network throughput, better performance and more reliability, since there
is no processor overhead. However, it is also more expensive.

3. A software-based VPN provides
the most flexibility in how traffic is managed. This type is suitable when VPN
endpoints are not controlled by the same party, and where different firewalls
and routers are used. It can be used with hardware encryption accelerators to
enhance performance.

4. An SSL VPN [3] allows users to
connect to VPN devices using a web browser. The SSL (Secure Sockets Layer)
protocol or TLS (Transport Layer Security) protocol is used to encrypt traffic
between the web browser and the SSL VPN device. One advantage of using SSL VPNs
is ease of use, because all standard web browsers support the SSL protocol,
therefore users do not need to do any software installation or configuration.

VPN Tunneling

There are two types of tunneling in common use:

1. Voluntary and

2. Compulsory.

In voluntary tunneling, the VPN client manages connection setup. The client
first makes a connection to the carrier network provider (an ISP in the case of
Internet VPNs). Then, the VPN client application creates the tunnel to a VPN
server over this live connection.

In compulsory tunneling, the carrier network provider manages VPN connection
setup. When the client first makes an ordinary connection to the carrier, the
carrier in turn immediately brokers a VPN connection between that client and a
VPN server. From the client point of view, VPN connections are set up in just
one step compared to the two-step procedure required for voluntary tunnels.

Compulsory VPN tunneling authenticates clients and associates them with
specific VPN servers using logic built into the broker device. This network
device is sometimes called the VPN Front End Processor (FEP), Network Access
Server (NAS) or Point of Presence Server (POS) [9].

Tunneling Protocols

Several computer network protocols have been implemented specifically for use
with VPN tunnels. The three most popular VPN tunneling protocols listed below
[9] continue to compete with each other for acceptance in the industry. These
protocols are generally incompatible with each other.

Point-to-Point Tunneling Protocol (PPTP)

Several corporations worked together to create the PPTP specification. People
generally associate PPTP with Microsoft because nearly all flavors of Windows
include built-in client support for this protocol. The initial releases of PPTP
for Windows by Microsoft contained security features that some experts claimed
were too weak for serious use. Microsoft continues to improve its PPTP support,
though.

Layer Two Tunneling Protocol (L2TP)

The original competitor to PPTP for VPN tunneling was L2F, a protocol
implemented primarily in Cisco products. In an attempt to improve on L2F, the
best features of it and PPTP were combined to create a new standard called
L2TP. Like PPTP, L2TP exists at the data link layer (Layer Two) in the OSI
model — thus the origin of its name.

Internet Protocol Security (IPsec)

IPsec is actually a collection of multiple related protocols. It can be used as
a complete VPN protocol solution or simply as the encryption scheme within L2TP
or PPTP.

 

Security concerns of VPN:

Tunneling in and of itself is not sufficient security. For example,
let’s use IP as the carrier public protocol, carrying IPX inside as the private
protocol. Anyone sniffing the “public” network’s packets could easily extract
the clear text information of the IPX packets carried within the IP packets.
This means that sufficient encryption of the carried IPX packets is necessary
to protect their data. These two technologies suffice to provide a basic VPN,
but will be weak if a third part is missing or lax (as we will show in various
examples throughout this document). This third part would be anything related
to authentication, traffic control, and related technologies. If there aren’t
sufficient authentication technologies in place then it is quite simple for an
intruder to intercept various VPN connections and “hijack” them with many
“man/monkey in the middle attacks” and easily capture all data going back and
forth between the VPN nodes, and eventually be able to compromise data, and
potentially all networks and their resources, connected by the VPN. This
document is based on research and lab testing performed from March 1st through
June 30th, 2002. The setup of the lab will also be briefly detailed to assist
others who may wish to go into greater depth with this testing, and to help
clarify under what circumstances the lab information was gathered [7].
Following are the 5

HACKING ATTACKS A client machine may become a target of attack, or a staging
point for an attack, from within the connecting network. An intruder could
exploit bugs or mis-configuration in a client machine, or use other types of
hacking tools to launch an attack. These can include VPN hijacking or
man-in-the-middle attacks:

1. VPN hijacking is the unauthorized take-over of an established VPN connection
from a remote client, and impersonating that client on the connecting network.

2. Man-in-the-middle attacks affect traffic being sent between communicating
parties, and can include interception, insertion, deletion, and modification of
messages, reflecting messages back at the sender, replaying old messages and
redirecting messages.

USER AUTHENTICATION By default VPN does not provide / enforce strong user
authentication. A VPN connection should only be established by an authenticated
user. If the authentication is not strong enough to restrict unauthorized
access, an unauthorized party could access the connected network and its
resources. Most VPN implementations provide limited authentication methods. For
example, PAP, used in PPTP, transports both user name and password in clear
text. A third party could capture this information and use it to gain
subsequent access to the network.
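To find VPN clients still negotiating PAP, a monitoring sensor can flag PAP Authenticate-Request packets in decapsulated PPP traffic. The detector below is an added example, not code from the cited sources: it follows the PAP packet layout of RFC 1334, assumes the PPP frames have already been extracted from the tunnel, reports the user name and password length but never the password, and runs on constructed frames with made-up credentials.

```python
import struct

PPP_PAP = 0xC023          # PPP protocol number for PAP (RFC 1334)
PPP_CHAP = 0xC223         # PPP protocol number for CHAP, used for contrast
PAP_AUTH_REQUEST = 1      # PAP code: Authenticate-Request


def inspect_ppp_frame(frame):
    """Return a finding dict for a PAP Authenticate-Request, else None."""
    if frame[:2] == b"\xff\x03":          # optional HDLC address/control bytes
        frame = frame[2:]
    if len(frame) < 6:
        return None
    proto, code, ident, length = struct.unpack("!HBBH", frame[:6])
    if proto != PPP_PAP or code != PAP_AUTH_REQUEST:
        return None
    malformed = {"identifier": ident, "malformed": True}
    # Length covers code, identifier, length and data; bytes past it are padding.
    data = frame[6:2 + length]
    if length < 6 or len(data) != length - 4:
        return malformed
    id_len = data[0]
    if 1 + id_len >= len(data):           # no room for the password length byte
        return malformed
    pw_len = data[1 + id_len]
    if 2 + id_len + pw_len > len(data):   # password would run past the packet
        return malformed
    return {
        "identifier": ident,
        "peer_id": data[1:1 + id_len].decode("latin-1"),
        "password_length": pw_len,        # the password itself is not kept
        "malformed": False,
    }


def find_cleartext_auth(frames):
    """Return one finding per PAP Authenticate-Request in the capture."""
    return [f for f in map(inspect_ppp_frame, frames) if f is not None]


def _pap_request(ident, peer_id, password):
    """Build a constructed PAP Authenticate-Request frame for the sample."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    header = struct.pack("!HBBH", PPP_PAP, PAP_AUTH_REQUEST, ident, 4 + len(data))
    return b"\xff\x03" + header + data


# Constructed capture: one PAP login, one CHAP challenge, one truncated PAP login.
_chap_data = b"\x10" + bytes(16) + b"vpn-gw"
SAMPLE_FRAMES = [
    _pap_request(1, b"alice", b"hunter2"),
    b"\xff\x03" + struct.pack("!HBBH", PPP_CHAP, 1, 1, 4 + len(_chap_data)) + _chap_data,
    _pap_request(2, b"bob", b"secret")[:-3],
]

if __name__ == "__main__":
    for finding in find_cleartext_auth(SAMPLE_FRAMES):
        print(finding)
```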

CLIENT SIDE RISKS The VPN
client machines of, say, home users may be connected to the Internet via a
standard broadband connection while at the same time holding a VPN connection
to a private network, using split tunneling. This may pose a risk to the
private network being connected to. A client machine may also be shared with
other parties who are not fully aware of the security implications. In
addition, a laptop used by a mobile user may be connected to the Internet, a
wireless LAN at a hotel, airport or on other foreign networks. However, the
security protection in most of these public connection points is inadequate for
VPN access. If the VPN client machine is compromised, either before or during
the connection, this poses a risk to the connecting network.
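The IPv6 leakage reported in [1] and the split tunneling risk described above both show up as traffic that leaves on a route outside the tunnel, which a client can check from its own routing table. The check below is an added example, not code from the cited sources: it assumes Linux `ip route show` / `ip -6 route show` text output and a tunnel interface named `tun0`, and uses constructed routing tables with documentation-range probe addresses.

```python
import ipaddress

# Constructed routing tables in the text format printed by `ip route show`
# and `ip -6 route show`. tun0 is the assumed tunnel interface.
IPV4_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
"""
IPV6_UNPROTECTED = """\
2001:db8:1::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium
"""
IPV6_TUNNELLED = IPV6_UNPROTECTED + """\
::/1 dev tun0 metric 50 pref medium
8000::/1 dev tun0 metric 50 pref medium
"""
PROBES = ["198.51.100.7", "2001:db8:ffff::1"]   # documentation-range addresses


def parse_routes(text, version):
    """Parse `ip route` lines into (network, device, metric) tuples."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or "dev" not in tok[:-1]:
            continue
        dest = tok[0]
        if dest == "default":
            dest = "0.0.0.0/0" if version == 4 else "::/0"
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue            # route types such as "unreachable" or "blackhole"
        dev = tok[tok.index("dev") + 1]
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok[:-1] else 0
        routes.append((net, dev, metric))
    return routes


def egress_device(routes, destination):
    """Pick the interface by longest prefix match, then lowest metric."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes
               if r[0].version == addr.version and addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))[1]


def find_leaks(routes, tunnel_dev, probes):
    """Map each probe that would bypass the tunnel to the interface it uses."""
    leaks = {}
    for dst in probes:
        dev = egress_device(routes, dst)
        if dev is not None and dev != tunnel_dev:
            leaks[dst] = dev
    return leaks


if __name__ == "__main__":
    v4 = parse_routes(IPV4_ROUTES, 4)
    print(find_leaks(v4 + parse_routes(IPV6_UNPROTECTED, 6), "tun0", PROBES))
    print(find_leaks(v4 + parse_routes(IPV6_TUNNELLED, 6), "tun0", PROBES))
```

In the first table only IPv4 is redirected into the tunnel, so the IPv6 probe is reported as leaving on `eth0`; in the second, both address families go through `tun0` and nothing is reported.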

VIRUS / MALWARE INFECTIONS A
connecting network can be compromised if the client side is infected with a
virus. If a virus or spyware infects a client machine, there is a chance that the
password for the VPN connection might be leaked to an attacker. In the case of
an intranet or extranet VPN connection, if one network is infected by a virus
or worm, that virus / worm can be spread quickly to other networks if
anti-virus protection systems are ineffective.

INCORRECT NETWORK ACCESS RIGHTS
Some client and/or connecting networks may have been granted more access rights
than are actually needed.

 

INTEROPERABILITY Interoperability
is also a concern. For example, IPsec compliant software from two different
vendors may not always be able to work together.

 

Conclusion: As we find ourselves relying more and more on
cloud services and multiple devices all connected to the Internet, it is vital
that we stay informed and take steps to ensure our privacy online.

VPN provides a means of accessing a secure, private, internal network
over insecure public networks such as the Internet. A number of VPN
technologies have been outlined, among which IPsec and SSL VPN are the most
common. Although a secure communication channel can be opened and tunneled
through an insecure network via VPN, client side security should not be
overlooked.

The following are security features to look for when choosing a VPN product:
support for strong authentication; support for anti-virus software and
intrusion detection; and industry-proven strong encryption algorithms.

However, careful consideration must be given to the risk involved.

GENERAL VPN SECURITY CONSIDERATIONS
The following is general security advice for VPN deployment:

1. VPN connections can be strengthened by the use of firewalls.

2. An IDS / IPS (Intrusion Detection / Prevention System) is recommended in
order to monitor attacks more effectively.

3. Anti-virus software should be installed on remote clients and network
servers to prevent the spread of any virus / worm if either end is infected.

4. Unsecured or unmanaged systems with simple or no authentication should not
be allowed to make VPN connections to the internal network.

5. Logging and auditing functions should be provided to record network
connections, especially any unauthorised attempts at access. The log should be
reviewed regularly.

6. Training should be given to network/security administrators and supporting
staff, as well as to remote users, to ensure that they follow security best
practices and policies during the implementation and ongoing use of the VPN.

7. Security policies and guidelines on the appropriate use of VPN and network
support should be distributed to responsible parties to control and govern
their use of the VPN.

8. Placing the VPN entry point in a Demilitarized Zone (DMZ) is recommended in
order to protect the internal network.

9. It is advisable not to use split tunnelling to access the Internet or any
other insecure network simultaneously during a VPN connection. If split
tunneling is

 

 

References:


1. G. Tyson, “A Glance through the VPN Looking Glass: IPv6 Leakage and DNS
Hijacking in Commercial VPN clients,” 17 Feb. 2015.

2. K. Noyes, “Beware, VPN users: You may not be as safe as you think you are,”
1 July 2015. Online. Available: https://www.pcworld.com/article/2943472/vpn-users-beware-you-may-not-be-as-safe-as-you-think-you-are.html.

3. J. Crace, “VPN Security: What You Need to Know,” Cloudwards, 25 Sept. 2017.
Online. Available: www.cloudwards.net/vpn-security-what-you-need-to-know/.

4. F. O’Sullivan, “Beginners Guide: What Is a VPN?” 3 Dec. 2017. Online.
Available: www.cloudwards.net/what-is-a-vpn/.

5. R. Harrell, “VPN security: Where are the vulnerabilities?” October 2005.

6. J. Leyden, “90% of SSL VPNs are ‘hopelessly insecure’, say researchers.”

7. H. Robinson, “Microsoft PPTP VPN Vulnerabilities Exploits in Action,”
August 22nd 2002.

8. The Government of the Hong Kong Special Administrative Region, “VPN
SECURITY,” February 2008.

9. B. Mitchell, “VPN Tunnels Tutorial,” July 21, 2017. Online. Available:
https://www.lifewire.com/vpn-tunneling-explained-818174.

10. J. Martindale, “Many big VPNs have glaring security problems.”

 
