Abstract: Virtual Private Network (VPN) usage has grown in the last couple of years due to the increasing need for more private, secure and anonymous connections. VPN providers claim to meet the needs of anonymity, privacy and security, but the question is how well they are living up to that claim. Since VPN services claim to provide secure user access and are less expensive than a dedicated leased line, they have become more attractive to enterprises. However, there are still a lot of concerns regarding VPNs. VPN services are not as secure as they claim to be. They can be unreliable for end users. This paper therefore introduces VPNs and how they work, describes different types of VPN protocols such as Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and OpenVPN, addresses various security issues of VPN services, analyzes their claims of privacy and security, discusses how VPN services suffer from IPv6 leakage, and finally explores possible solutions and alternatives for these vulnerabilities.

Introduction: In brief, a Virtual Private Network (VPN) is a secured, encrypted connection between a user and a service provider, designed to keep communications private. The encryption provides data confidentiality. A VPN uses a tunneling mechanism to encapsulate encrypted data in a secure tunnel.
VPN tunneling involves establishing and maintaining a logical network connection. There are various types of tunneling protocols, which will be discussed later. VPNs also claim to provide data integrity. When we browse the Internet, our computer sends a request for a specific page; that request goes to our ISP’s server, the ISP translates the requested domain name into an IP (Internet Protocol) address, requests the page on our behalf and finally sends the results back to our computer.

What a VPN does is replace our IP address with that of the VPN. However, that is not all, because then it would be no different from a proxy server that simply reroutes traffic, and such proxies are inherently insecure. This insecurity lies in the fact that whatever you send over IPv4 or IPv6, a third party can simply look at it and read it for themselves. Internet traffic is inherently unsafe unless you encrypt it. This is where a VPN differs from a proxy. A VPN creates a so-called secure tunnel between your computer and the VPN server. All your traffic is routed through this tunnel and no one can check what is going on there because of one, or sometimes even several, layers of encryption (read our NordVPN review for one service that takes encryption particularly seriously). Note that this means that the VPN service itself does know what you’re up to, unless it has a “no logs” policy in place. Most decent services will not keep your logs (except maybe for some basic information, known as metadata), though sadly there are plenty of unscrupulous services out there, too.

A Virtual Private Network, abbreviated as VPN, is in its most basic terms the use of various technologies to provide a private network of resources and information over any public network, including the Internet. VPNs provide a means for organizations and individuals to connect their various resources over the Internet (a very public network) without making those resources available to the public, instead making them available only to those that are part of the VPN. VPNs let such users have resources scattered all over the world and still be connected as though they were all in the same building on the same network, with all the ease of use and benefits of being interconnected in such a manner.

Normally, without a VPN, if such a private connection was desired, the company would have to expend considerable resources in finances, time, training, personnel, hardware and software to set up dedicated communication lines. These dedicated connections could use a variety of technologies such as 56k leased lines, dedicated ISDN, dedicated private T1/T3/etc. connections, satellite, microwave and other wireless technologies. Setting up an organization’s private network over these dedicated connections tends to be very expensive. With a VPN, the company can use its existing Internet connections and infrastructure (routers, servers, software, etc.) and basically “tunnel” or “piggyback” its private network inside the public network traffic, and realize considerable savings in resources and costs compared to dedicated connections. A VPN solution is also able to provide more flexible options to remote workers: instead of only dial-up speeds and choices, they can connect from anywhere in the world for just the cost of their Internet connection, at whatever speed their ISP may provide.

There have been many VPN technologies developed in recent years, and many more are on the way. They vary widely: from simple to very difficult to set up and administer, from free to very expensive, from light security to much heavier protection, and from software-based to dedicated hardware solutions, with even some managed service providers (for example www.devtodev.com or www.iss.net) now entering the market to increase the VPN choices available. Most VPNs operate using various forms of “tunneling” combined with many choices for encryption and authentication. In this document “tunneling” is over IP-based networks, though other technologies exist as well (such as ATM-based). This document will focus on technologies that deliver VPN solutions over IP-based networks, refer to them generically as “public” or “Internet” based networks, and only delve into the specific “carrier” protocol when appropriate (IPX, ATM, and other protocols are also used, but as IP has become quite dominant, many are now focused on IP). This document will only cover IPv4, not IPv6. Use of MS PPTP over 802.11b wireless technologies will also be briefly covered.

The data of the “private network” is carried or “tunneled” inside the public network packet; this also allows other protocols, even normally “non-routable” protocols, to become usable across widely dispersed locations. For example, Microsoft’s legacy NetBEUI protocol can be carried inside such a tunnel, so a remote user is able to act as part of the remote LAN, or two small LANs in two very different locations would actually be able to “see” each other and work together over many hops of routers, using a protocol that normally would not route across the Internet, although there are many consequences in trying to stretch such a protocol beyond its intended use. Tunneling in and of itself is not sufficient security. For example, let’s use IP as the carrier public protocol, carrying IPX inside as the private protocol. Anyone sniffing the “public” network’s packets could easily extract the clear text information of the IPX packets carried within the IP packets. This means that sufficient encryption of the carried IPX packets is necessary to protect their data. These two technologies suffice to provide a basic VPN, but it will be weak if a third part is missing or lax (as we will show in various examples throughout this document). This third part would be anything related to authentication, traffic control, and related technologies. If there aren’t sufficient authentication technologies in place, then it is quite simple for an intruder to intercept various VPN connections and “hijack” them with many “man/monkey in the middle” attacks, easily capture all data going back and forth between the VPN nodes, and eventually be able to compromise data, and potentially all networks and their resources, connected by the VPN.
This document is based on research and lab testing performed from March 1st through June 30th, 2002. The setup of the lab will also be briefly detailed to assist others who may wish to go into greater depth with this testing, and to help clarify under what circumstances the lab information was gathered.

Literature review: A recent report [1] suggested that VPNs are not as secure as they claim to be. VPN services claim that they provide privacy and anonymity. The authors studied these claims across various VPN services, analyzing a few of the most popular VPNs and investigating their internals and infrastructures. They tested the VPNs using two kinds of attacks: passive monitoring and DNS hijacking. Passive monitoring is when a user’s unencrypted information is collected by a third party, and DNS hijacking is when the user’s browser is redirected to a controlled web server which pretends to be a popular site like Twitter [2]. What their experiment revealed is very troubling: most of the VPN services suffer from IPv6 traffic leakage, and most of them leaked information, not only about the websites but also about the user. They went on to study various mobile platforms which use VPNs and found that these platforms are much more secure when iOS is used, but vulnerable when Android is used.
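A client-side check for the IPv6 leakage reported above, as an added example that is not code from the paper or the cited report. It assumes the leak arises when a VPN client redirects the IPv4 routing table but leaves the IPv6 table untouched (the page does not describe the mechanism); the route tables, interface names and probe addresses are constructed sample data in the format printed by Linux `ip route` and `ip -6 route`.

```python
import ipaddress

DROP_TYPES = {"unreachable", "blackhole", "prohibit"}  # routes that discard traffic
PROBE_V4 = "198.51.100.7"      # documentation address standing in for "the Internet"
PROBE_V6 = "2001:db8:ffff::7"  # documentation address, same purpose

def parse_routes(text, version):
    """Turn `ip route` / `ip -6 route` text into (network, device) pairs.
    device is None when the route drops traffic instead of forwarding it."""
    default = "0.0.0.0/0" if version == 4 else "::/0"
    routes = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dropped = tokens[0] in DROP_TYPES
        if dropped:
            tokens = tokens[1:]
        dest = default if tokens[0] == "default" else tokens[0]
        try:
            network = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # not a destination prefix, skip the line
        dev = tokens[tokens.index("dev") + 1] if "dev" in tokens else None
        routes.append((network, None if dropped else dev))
    return routes

def egress_device(routes, destination):
    """Longest-prefix match (metrics ignored): which interface carries this address?"""
    addr = ipaddress.ip_address(destination)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None

def check_ipv6_leak(v4_text, v6_text, tunnel_prefixes=("tun", "tap", "wg", "ppp")):
    """Classify the host: does IPv6 bypass a VPN that already carries IPv4?"""
    def is_tunnel(dev):
        return dev is not None and dev.startswith(tunnel_prefixes)
    v4_dev = egress_device(parse_routes(v4_text, 4), PROBE_V4)
    v6_dev = egress_device(parse_routes(v6_text, 6), PROBE_V6)
    if not is_tunnel(v4_dev):
        return "vpn-not-default"   # VPN down, or IPv4 itself is not tunneled
    if v6_dev is None:
        return "ipv6-blocked"      # no usable IPv6 route: nothing can leak
    return "ipv6-tunneled" if is_tunnel(v6_dev) else "ipv6-leak"

# Constructed sample: VPN up, IPv4 redirected with two /1 routes via tun0.
V4_VPN_UP = """
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20 metric 100
"""
# Constructed sample: IPv6 table exactly as the ISP's router advertisement left it.
V6_UNTOUCHED = """
::1 dev lo proto kernel metric 256 pref medium
2001:db8:1::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium
"""
# Two remediations: carry global IPv6 in the tunnel, or drop it on the host.
V6_TUNNELED = V6_UNTOUCHED + "2000::/3 dev tun0 metric 1024 pref medium\n"
V6_BLOCKED = V6_UNTOUCHED + "unreachable 2000::/3 dev lo metric 1024 pref medium\n"

if __name__ == "__main__":
    for name, table in [("untouched", V6_UNTOUCHED), ("tunneled", V6_TUNNELED),
                        ("blocked", V6_BLOCKED)]:
        print(name, "->", check_ipv6_leak(V4_VPN_UP, table))
```

The longest-prefix match matters here because the IPv4 default route via the physical interface is still present; only the two more specific /1 routes send traffic into the tunnel.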
The report also described more sophisticated DNS hijacking attacks that allow all traffic to be transparently captured. To make things worse, most of the VPNs that were part of the experiment used Point-to-Point Tunneling Protocol with MS-CHAPv2 authentication, which according to TechReport makes them vulnerable to brute-force attacks [10].

Akamai argued that VPNs cannot be a wise security solution and that they can be a drawback for third-party remote access. If you have an institution that regularly interacts with third parties who need remote access to enterprise applications hosted in your hybrid cloud, a VPN is in no way a good solution: why would you hand over access to the whole network to a third party when that party only needs access to one specific application? Usually, a third party needs access just to a specific program for a specific amount of time. It takes a lot of time to configure and deploy different subnets for other parties, and on top of that, monitoring users and adding users are also time consuming. So clearly this is a drawback.

VPN services are considered to be a way of transferring private data. They are well known across the world. However, recently the SOX mandates have urged organizations to install end-to-end VPN security, which can only mean one thing: the VPN is no longer enough by itself. Moreover, VPN systems cannot be managed easily, and maintaining the security of the clients is also a complicated process. It requires keeping the clients up to date.

Another piece of research [9] revealed that 90% of SSL VPNs use age-old encryption methods, which puts corporate data at risk. An Internet study of publicly accessible SSL VPN servers was conducted by HTB (High Tech Bridge). From four million randomly selected IPv4 addresses, including popular suppliers such as Cisco, 10,436 randomly selected publicly available SSL VPN servers were scanned, which revealed the following problems:
1. Quite a few VPN services have SSLv2, and approximately 77% of SSL VPN services use the SSLv3 protocol, which is now considered obsolete. Both protocols have various vulnerabilities and both are unsafe.
2. About 76 per cent of SSL VPNs use an untrusted SSL certificate, which might result in man-in-the-middle attacks.
3. A similar 74 per cent of certificates have an insecure SHA-1 signature, while five per cent make use of even older MD5 technology. By 1 January 2017, the majority of web browsers plan to deprecate and stop accepting SHA-1 signed certificates, since the ageing technology is no longer strong enough to withstand potential attacks.
4. Around 41 per cent of SSL VPNs use insecure 1024-bit keys for their RSA certificates. The RSA certificate is used for authentication and encryption key exchange. RSA key lengths below 2048 bits are considered insecure because they open the door to attacks, some based on advances in code breaking and cryptanalysis.
5. 1% of SSL VPNs that use OpenSSL are vulnerable to Heartbleed. This vulnerability was found in 2014. Heartbleed affected all products that use OpenSSL. It allowed hackers to retrieve personal data like encryption keys.
6. 97% of examined SSL VPNs do not fulfil the PCI DSS requirements, and none of them were compliant with NIST guidelines.
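An audit of one's own SSL VPN gateway against items 1 to 4 of the list above, as an added example that is not the scanner used in the cited study. It assumes the certificate has been dumped with `openssl x509 -noout -text` and that the list of accepted protocol versions comes from a separate scan; both certificate dumps below are constructed and abbreviated, the finding names are hypothetical, and the self-signed test covers only one of the ways a certificate can be untrusted.

```python
import re

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}  # item 1: obsolete protocol versions
MIN_RSA_BITS = 2048                    # item 4: shorter RSA keys are insecure

def parse_cert_text(text):
    """Extract the audited fields from `openssl x509 -noout -text` output."""
    def field(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else None
    bits = field(r"Public-Key:\s*\((\d+) bit\)")
    return {
        "sig_alg": field(r"Signature Algorithm:\s*(\S+)"),
        "key_alg": field(r"Public Key Algorithm:\s*(\S+)"),
        "key_bits": int(bits) if bits else None,
        "issuer": field(r"^\s*Issuer:\s*(.+)$"),
        "subject": field(r"^\s*Subject:\s*(.+)$"),
    }

def audit_ssl_vpn(cert_text, accepted_protocols):
    """Return the findings for one gateway, in the order of the list above."""
    cert = parse_cert_text(cert_text)
    findings = []
    for proto in sorted(LEGACY_PROTOCOLS & set(accepted_protocols)):
        findings.append("legacy-protocol:" + proto)
    # Item 2: issuer equal to subject means self-signed, one untrusted case.
    if cert["issuer"] and cert["issuer"] == cert["subject"]:
        findings.append("self-signed")
    # Item 3: SHA-1 or MD5 in the signature algorithm name.
    weak = re.search(r"md5|sha1", (cert["sig_alg"] or "").lower())
    if weak:
        findings.append("weak-signature:" + weak.group(0))
    if (cert["key_alg"] == "rsaEncryption" and cert["key_bits"] is not None
            and cert["key_bits"] < MIN_RSA_BITS):
        findings.append("weak-rsa-key:%d" % cert["key_bits"])
    return findings

# Constructed, abbreviated dump of a certificate with every audited weakness.
WEAK_CERT = """
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = vpn.example.test
        Subject: CN = vpn.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
"""
# Constructed, abbreviated dump of a certificate that passes all four checks.
GOOD_CERT = """
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Test CA
        Subject: CN = vpn.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""

if __name__ == "__main__":
    print(audit_ssl_vpn(WEAK_CERT, ["SSLv3", "TLSv1.0"]))
    print(audit_ssl_vpn(GOOD_CERT, ["TLSv1.2"]))
```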
VPNs can be broadly categorized as follows:
1. A firewall-based VPN is one that is equipped with both firewall and VPN capabilities. This type of VPN makes use of the security mechanisms in firewalls to restrict access to an internal network. The features it provides include address translation, user authentication, real-time alarms and extensive logging.
2. A hardware-based VPN offers high network throughput, better performance and more reliability, since there is no processor overhead. However, it is also more expensive.
3. A software-based VPN provides the most flexibility in how traffic is managed. This type is suitable when VPN endpoints are not controlled by the same party, and where different firewalls and routers are used. It can be used with hardware encryption accelerators to enhance performance.
4. An SSL VPN [3] allows users to connect to VPN devices using a web browser. The SSL (Secure Sockets Layer) protocol or TLS (Transport Layer Security) protocol is used to encrypt traffic between the web browser and the SSL VPN device. One advantage of SSL VPNs is ease of use: because all standard web browsers support the SSL protocol, users do not need to do any software installation or configuration.

VPN Tunneling
There are two types of tunneling in common use: 1. voluntary and 2. compulsory. In voluntary tunneling, the VPN client manages connection setup. The client first makes a connection to the carrier network provider (an ISP in the case of Internet VPNs). Then, the VPN client application creates the tunnel to a VPN server over this live connection.

In compulsory tunneling, the carrier network provider manages VPN connection setup. When the client first makes an ordinary connection to the carrier, the carrier in turn immediately brokers a VPN connection between that client and a VPN server. From the client point of view, VPN connections are set up in just one step compared to the two-step procedure required for voluntary tunnels. Compulsory VPN tunneling authenticates clients and associates them with specific VPN servers using logic built into the broker device. This network device is sometimes called the VPN Front End Processor (FEP), Network Access Server (NAS) or Point of Presence Server (POS) [9].

Tunneling Protocols
Several computer network protocols have been implemented specifically for use with VPN tunnels. The three most popular VPN tunneling protocols listed below [9] continue to compete with each other for acceptance in the industry. These protocols are generally incompatible with each other.

Point-to-Point Tunneling Protocol (PPTP)
Several corporations worked together to create the PPTP specification. People generally associate PPTP with Microsoft because nearly all flavors of Windows include built-in client support for this protocol. The initial releases of PPTP for Windows by Microsoft contained security features that some experts claimed were too weak for serious use. Microsoft continues to improve its PPTP support, though.

Layer Two Tunneling Protocol (L2TP)
The original competitor to PPTP for VPN tunneling was L2F, a protocol implemented primarily in Cisco products. In an attempt to improve on L2F, the best features of it and PPTP were combined to create a new standard called L2TP. Like PPTP, L2TP exists at the data link layer (Layer Two) in the OSI model, thus the origin of its name.

Internet Protocol Security (IPsec)
IPsec is actually a collection of multiple related protocols. It can be used as a complete VPN protocol solution or simply as the encryption scheme within L2TP or PPTP.

Security concerns of VPN: Tunneling in and of itself is not sufficient security. For example, let’s use IP as the carrier public protocol, carrying IPX inside as the private protocol. Anyone sniffing the “public” network’s packets could easily extract the clear text information of the IPX packets carried within the IP packets. This means that sufficient encryption of the carried IPX packets is necessary to protect their data. These two technologies suffice to provide a basic VPN, but it will be weak if a third part is missing or lax (as we will show in various examples throughout this document). This third part would be anything related to authentication, traffic control, and related technologies.
If there aren’t sufficient authentication technologies in place, then it is quite simple for an intruder to intercept various VPN connections and “hijack” them with many “man/monkey in the middle” attacks, easily capture all data going back and forth between the VPN nodes, and eventually be able to compromise data, and potentially all networks and their resources, connected by the VPN. This document is based on research and lab testing performed from March 1st through June 30th, 2002. The setup of the lab will also be briefly detailed to assist others who may wish to go into greater depth with this testing, and to help clarify under what circumstances the lab information was gathered [7]. Following are the 5

HACKING ATTACKS
A client machine may become a target of attack, or a staging point for an attack, from within the connecting network. An intruder could exploit bugs or misconfiguration in a client machine, or use other types of hacking tools to launch an attack. These can include VPN hijacking or man-in-the-middle attacks:
1. VPN hijacking is the unauthorized take-over of an established VPN connection from a remote client, and impersonating that client on the connecting network.
2. Man-in-the-middle attacks affect traffic being sent between communicating parties, and can include interception, insertion, deletion, and modification of messages, reflecting messages back at the sender, replaying old messages and redirecting messages.

USER AUTHENTICATION
By default, a VPN does not provide or enforce strong user authentication. A VPN connection should only be established by an authenticated user. If the authentication is not strong enough to restrict unauthorized access, an unauthorized party could access the connected network and its resources. Most VPN implementations provide limited authentication methods. For example, PAP, used in PPTP, transports both user name and password in clear text. A third party could capture this information and use it to gain subsequent access to the network.

CLIENT SIDE RISKS
The VPN client machines of, say, home users may be connected to the Internet via a standard broadband connection while at the same time holding a VPN connection to a private network, using split tunneling. This may pose a risk to the private network being connected to. A client machine may also be shared with other parties who are not fully aware of the security implications. In addition, a laptop used by a mobile user may be connected to the Internet, a wireless LAN at a hotel or airport, or other foreign networks. However, the security protection at most of these public connection points is inadequate for VPN access. If the VPN client machine is compromised, either before or during the connection, this poses a risk to the connecting network.

VIRUS / MALWARE INFECTIONS
A connecting network can be compromised if the client side is infected with a virus. If a virus or spyware infects a client machine, there is a chance that the password for the VPN connection might be leaked to an attacker. In the case of an intranet or extranet VPN connection, if one network is infected by a virus or worm, that virus / worm can spread quickly to other networks if anti-virus protection systems are ineffective.

INCORRECT NETWORK ACCESS RIGHTS
Some client and/or connecting networks may have been granted more access rights than are actually needed.

INTEROPERABILITY
Interoperability is also a concern. For example, IPsec compliant software from two different vendors may not always be able to work together.

Conclusion: As we find ourselves relying more and more on cloud services and multiple devices all connected to the Internet, it is vital that we stay informed and take steps to ensure our privacy online. VPN provides a means of accessing a secure, private, internal network over insecure public networks such as the Internet. A number of VPN technologies have been outlined, among which IPsec and SSL VPN are the most common.
Although a secure communication channel can be opened and tunneled through an insecure network via VPN, client side security should not be overlooked. The following are security features to look for when choosing a VPN product: support for strong authentication, support for anti-virus software and intrusion detection, and industry-proven strong encryption algorithms. However, careful consideration must be given to the risk involved.

GENERAL VPN SECURITY CONSIDERATIONS
The following is general security advice for VPN deployment:
1. VPN connections can be strengthened by the use of firewalls.
2. An IDS / IPS (Intrusion Detection / Prevention System) is recommended in order to monitor attacks more effectively.
3. Anti-virus software should be installed on remote clients and network servers to prevent the spread of any virus / worm if either end is infected.
4. Unsecured or unmanaged systems with simple or no authentication should not be allowed to make VPN connections to the internal network.
5. Logging and auditing functions should be provided to record network connections, especially any unauthorised attempts at access. The log should be reviewed regularly.
6. Training should be given to network/security administrators and supporting staff, as well as to remote users, to ensure that they follow security best practices and policies during the implementation and ongoing use of the VPN.
7. Security policies and guidelines on the appropriate use of VPN and network support should be distributed to responsible parties to control and govern their use of the VPN.
8. Placing the VPN entry point in a Demilitarized Zone (DMZ) is recommended in order to protect the internal network.
9. It is advisable not to use split tunnelling to access the Internet or any other insecure network simultaneously during a VPN connection. If split tunneling is

References:
1. G. Tyson, “A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients”. 17-Feb.
2. Noyes, “Beware, VPN users: You may not be as safe as you think you are.” 1 July, 2015. Online. Available: https://www.pcworld.com/article/2943472/vpn-users-beware-you-may-not-be-as-safe-as-you-think-you-are.html.
3. Crace, James. “VPN Security: What You Need to Know.” Cloudwards, 25 Sept, 2017. Online. Available: www.cloudwards.net/vpn-security-what-you-need-to-know/.
4. O’Sullivan, Fergus. Beginners Guide: What Is a VPN? 3 Dec. 2017, www.cloudwards.net/what-is-a-vpn/
5. R. Harrell, “VPN security: Where are the vulnerabilities?” October 2005
6. J. Leyden, “90% of SSL VPNs are ‘hopelessly insecure’, say researchers”
7. H. Robinson, “Microsoft PPTP VPN Vulnerabilities Exploits in Action.” August 22nd 2002
8. The Government of the Hong Kong Special Administrative Region, VPN SECURITY. February, 2008
9. B. Mitchell, “VPN Tunnels Tutorial”. July 21, 2017. Online. Available: https://www.lifewire.com/vpn-tunneling-explained-818174.
10. J. Martindale, “Many big VPNs have glaring security problems.”
Australian Bureau of Statistics, Engineering Construction Activity (cat. no. 8762.0). Canberra: ABS, 2010. Online. Available from AusStats, http://www.abs.gov.au/ausstats. Accessed: Sept. 7, 2010.