Securing Network Communications

(OBJ 3.2)

Virtual Private Networks (VPNs)

• Extend private networks across public networks

• Allow remote users to securely connect to an organization's network as if their computing devices were directly connected to your organization's own private network.

• Can be configured as site-to-site, client-to-site, or clientless VPNs

  • Site-to-Site VPN
    • Connects two sites cost-effectively
    • Replaces expensive leased lines
    • Utilizes a VPN tunnel over the public internet
    • Encrypts and secures data between sites
    • Slower, but more secure
      • Secures traffic, but may slow down users due to extra data transfer
    • "Funneling everything through a HQ network"
  • Client-to-Site VPN
    • Connects a single host (e.g., laptop) to the central office
    • Ideal for remote user access to the central network
    • Options for full tunnel and split tunnel configurations
      • See Split Tunneling vs. Full Tunneling
    • Windows Client-to-Site VPN creation:
      • Go to Open Network and sharing center
      • select "Set Up a Connection or Network"
      • select "Connect to a workplace"
      • You can now select between using Over the Internet or a Direct Dial
      • Give it our IP address and a name for the VPN
      • Put username and password, and hit connect!
      • You are now connected to the VPN
  • Clientless VPN
    • Uses a web browser to establish secure, remote-access VPN
    • No need for dedicated software or hardware client
    • Utilizes HTTPS and TLS protocols for secure connections to websites
    • Daily used by browser without you even knowing

• In addition to site-to-site and client-to-site VPNs, we have to decide whether we are going to use a full tunnel or split tunnel VPN configuration

  • Full Tunnel VPN
    • Encrypts and routes all network requests through the VPN
    • Provides high security, clients fully part of central network
    • Limits access to local resources
    • Suitable for remote access to central resources
  • Split Tunnel VPN
    • Divides traffic, routing some through the VPN, some directly to the internet
    • Enhances performance by bypassing VPN for non-central traffic
    • Less secure; potential exposure to attackers
    • Recommended for better performance but requires caution on untrusted networks
    • Split tunnel basically combines encrypted VPN path to headquarters with a direct, unencrypted Internet path for everything else
    • If you are connecting through an untrusted network you should always opt to use a full tunnel VPN

Transport Layer Security (TLS)

• A protocol that provides cryptographic security for secure connections and is used for secure web browsing and data transfer
• Provides encryption and security for data in transit
• Used for secure connections in web browsers (HTTPS)
  • Little lock on your web browser
• Uses Transmission Control Protocol (TCP) for secure connections between a client and a server
  • may slow down the connection because TCP has a lot more overhead than a UDP connection does.
• Datagram Transport Layer Security (DTLS)
  • A faster User Datagram Protocol-based (UDP-based) alternative
  • Operates faster than using TCP while providing the same security level
  • Ensures end-user security and protects against eavesdropping in clientless VPN connections
  • Ensures confidentiality, integrity, and authentication of data

Internet Protocol Security (IPSec)

• A secure protocol suite for IP communication

  • Secure communication through authentication and data encryption in IP networks

• Provides confidentiality, integrity, authentication, and anti-replay protection (checking the sequence of numbers of all the packets before they are sent, prevent transmission of any duplicate packets)

• Used for both site-to-site and client-to-site VPNs

• Five key steps in establishing an IPSec VPN

  • Request to start the Internet Key Exchange (IKE)
    • PC1 initiates traffic to PC2, triggering IPSec tunnel creation by RTR1
  • Authentication - IKE Phase 1
    • RTR1 and RTR2 negotiate security associations for the IPSec IKE Phase 1 (ISAKMP) tunnel
  • Negotiation - IKE Phase 2
    • IKE Phase 2 establishes a tunnel within the tunnel
  • Data transfer
    • Data transfer between PC1 and PC2 takes place securely
    • Occur over the secure tunnel using the IPsec parameters and keys that we stored from the security associations that were negotiated back in step 3.
  • Tunnel termination
    • Tunnel torn down including the deletion of IPSec security associations
    • Either through mutual agreement and deletion or due to the timing out of the tunnel because one party became non-responsive.

• IPSec Tunneling Modes (Data transfer)

  • Transport Mode
    • Uses original IP header
    • Suitable for client-to-site VPNs
    • Avoids potential fragmentation issues from MTU constraints
      • MTU (Maximum Transmission Unit)
        • set by default at 1500 bytes and may cause fragmentation and other VPN problems
    • Does not increase packet size
  • Tunneling Mode
    • Adds a new header to encapsulate the entire packet
    • Ideal for site-to-site VPNs
    • May increase packet size and require jumbo frames
      • Exceeding the 1500-byte default max MTU size.
      • Or Lower the inner router's MTU to ~1400 bytes if jumbo frames cannot be utilized
        • This way you have an extra 100 bytes of room to be able to add that extra encapsulation and the new packet header.
      • Adjusting the MTU to 9000 bytes is feasible in Local Area Networks but not recommended for Internet use due to potential issues.
    • Provides confidentiality for both payload and header
    • At the destination site, the VPN concentrator removes the outer header, decrypts the content, and routes it internally

• Authentication Header (AH)

  • Offers connectionless data integrity and data origin authentication for IP datagrams using cryptographic hashes as identification information
  • Provides protection against replay attacks
  • The AH does not provide any kind of confidentiality of the data itself, instead, the authentication header contains a cryptographic hash of the data and this will simply act as identification information to provide the integrity between the sender and the receiver of each packet that's being transmitted.

• Encapsulating Security Payload (ESP)

  • Provides confidentiality, integrity, and encryption
  • Provides replay protection
  • Encrypts the packet’s payload
    • Rewrites the payload of the packet inside of an encrypted format
  • ESP is only protecting the confidentiality of the payload that's contained within the packet, not the headers themself.
  • If you are using Transport Mode, such as in a Client-to-site VPN, you can use AH to provide integrity for your TCO header, and then you can add ESP to be able to encrypt the TCP header and the data inside the payload.
    • This does not encrypt the end-to-end header so people outside your organization though will be able to see where the data's coming from and where it's going to, but they won't be able to read the data inside.
  • If you are using a Tunneling Mode, employ both the AH and the ESP to provide integrity and encryption of the payload, including the end-to-end header.
    • This covers the hops to the other end of the secure connection.

Considerations

• Balance between security and performance when choosing VPN tunnel type
• Use full tunnel VPNs for higher security but reduced local access
• Use split tunnel VPNs for better performance but potentially lower security
• Ensure proper MTU settings when using tunneling mode in site-to-site VPNs
• AH for integrity and ESP for encryption in IPSec, but both can be used together for comprehensive security