Before you start
Objectives: learn what a VPN is, why we use it, and which tunneling and authentication protocols are used with VPN technology.
Prerequisites: no prerequisites.
Key terms: VPN, tunneling, security, protocols, authentication.
What is a VPN
Typically, private networks are not accessible from the Internet or other public networks, because firewalls block all unrequested traffic. To remotely access a private network over the Internet, we need a technology like a Virtual Private Network (VPN). A VPN uses a tunneling protocol to encrypt the data sent over public networks. Before VPNs, we could dial in directly to a server on our private network using dial-up networking protocols. The problem with dial-up is that long-distance charges quickly add up. Alternatively, a dedicated WAN link could be used to connect two remote locations. However, now that the Internet is widely available, we can go through the Internet (via our Internet Service Provider (ISP)) using a VPN to enable secure communication between our devices. This way we don’t have to maintain two separate networks (WAN and Internet), but only use a VPN through the Internet.
A VPN uses a tunneling protocol to encrypt the content of regular packets and then encapsulate them in new packets. The information in the header of these new packets is used to route them through the Internet. On the destination device, the outer wrapping of the packets is removed, as well as the encryption, so that the data is back in its original format. Devices on the Internet that may intercept these packets won’t be able to read the packet contents. Only authorized devices can remove the tunneling information and restore the packets to their original form. This means that with a VPN we create a secure virtual communication channel. Routers use the unencrypted outer packet headers to deliver the packets to the destination device.
VPN protocols are designed to secure our data over public (unsafe) networks. Security is ensured using:
- Data Confidentiality – data is encrypted which makes it unreadable to those on the public network.
- Data Integrity – data is digitally signed, so that the recipient can recognize whether the data has been changed during transmission. This doesn’t encrypt the data, but uses a hash value of the data to determine if the content was altered. The hash value of any data stays the same as long as the content of the data is not changed.
- Replay Protection – ensures that the same data can’t be sent more than once. In a replay attack, an attacker captures and then resends the data, such as our login information, in an attempt to access the server. Through the use of sequencing, VPN protocols make sure that the data is not replayed.
- Data Origin Authentication – uses authentication techniques to ensure the origin of the transmitted and received data. It makes sure that both the transmitter and the receiver are trusted.
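As an added example (not part of the original article), the four properties above modelled in Python as a toy ESP-style tunnel: a clear outer header carrying an SPI and sequence number, the inner packet encrypted with a constructed HMAC-based keystream that stands in for a real cipher, and an integrity check value over both. The keys are constructed demo values and the design is simplified for illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo keys; a real IPsec security association gets its keys from IKE.
ENC_KEY = b"demo-encryption-key-32-bytes-xx!"
AUTH_KEY = b"demo-authentication-key-32-byte!"
ICV_LEN = 16  # truncated HMAC-SHA256 integrity check value

def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (illustration, not a real
    cipher), keyed by the sequence number so equal payloads never encrypt alike."""
    out = b""
    for block in range((length + 31) // 32):
        out += hmac.new(key, struct.pack(">IQ", seq, block), hashlib.sha256).digest()
    return out[:length]

def encapsulate(spi: int, seq: int, inner_packet: bytes) -> bytes:
    """ESP-style wrapping: clear outer header (SPI, sequence number) for routing,
    the encrypted inner packet, then an integrity check value over both."""
    header = struct.pack(">II", spi, seq)
    keystream = _keystream(ENC_KEY, seq, len(inner_packet))
    ciphertext = bytes(p ^ k for p, k in zip(inner_packet, keystream))
    icv = hmac.new(AUTH_KEY, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv

class TunnelReceiver:
    """Destination end of the tunnel for one SPI."""

    def __init__(self, spi: int):
        self.spi = spi
        self.seen = set()  # sequence numbers already accepted

    def decapsulate(self, packet: bytes) -> bytes:
        header, ciphertext, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack(">II", header)
        if spi != self.spi:
            raise ValueError("unknown SPI")
        # Integrity + origin authentication: only a holder of AUTH_KEY can make a valid ICV.
        expected = hmac.new(AUTH_KEY, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("integrity check failed")
        # Replay protection: each sequence number is accepted only once.
        if seq in self.seen:
            raise ValueError("replayed packet")
        self.seen.add(seq)
        # Confidentiality: strip the wrapping to recover the original inner packet.
        keystream = _keystream(ENC_KEY, seq, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, keystream))
```

A tampered ICV, a resent packet, or a packet for an unknown SPI is rejected before any plaintext is produced, which is the order of checks a receiver wants.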
VPN Configuration Types
A VPN can be configured as a host-to-host connection, a site-to-site connection, or a remote access VPN.
A host-to-host connection allows an individual host connected to the Internet to establish a VPN connection to another host on the other end. With a host-to-host VPN connection, both devices need to be able to establish and understand the VPN protocol that’s used. Both devices need to have the software for encrypting and encapsulating the packets before sending them through the Internet. The device on the other end must use the same protocol to remove the encapsulation information and decrypt the packets.
With a site-to-site VPN we have a collection of computers at different locations. Any computer at any location can communicate securely with any other computer at a different location. Rather than requiring VPN configuration on every single computer, we install a single device at each location which acts as a gateway server. This VPN server accepts unencrypted packets from the private network at its location, and encrypts and encapsulates them for sending over the Internet to the destination VPN server. At the other location the VPN server removes the encryption and forwards the data into the private network at that end. So, with this configuration only the VPN servers need to be configured for the VPN protocol.
Remote access VPN takes the place of the dial-up Remote Access Server. In this case, any client can establish a VPN connection to the remote site. The client computer must be able to establish the VPN connection with the server that sits on the edge of the private network. That server is often called a VPN concentrator, and its job is to accept multiple VPN connections through the Internet from multiple clients. Each client is configured with software that allows it to encrypt packets, and the VPN concentrator is configured to allow or reject connections from users, and then to remove the encryption before forwarding packets to the private network.
Users connected through a VPN can access resources on the LAN, like shared folders and printers, all while using their computer outside of the private network (for example at home). VPNs are like tunnels which authorize users on the Internet to access the private network resources without those resources being directly available to other people on the Internet.
VPN Tunneling Protocols
The tunneling protocol, or VPN protocol, defines the methods that the devices use to establish the VPN connection and encrypt the data. Clients running Windows OS can use 4 different VPN protocols. These protocols differ in the type of encryption and data protection they offer. Those protocols are:
- PPTP (Point-to-Point Tunneling Protocol) – a Microsoft VPN technology and one of the original VPN protocols. It is the least secure of all the VPN protocols. It doesn’t require a Public Key Infrastructure (PKI), which uses certificates. On the other hand, it is easy to configure. A PPTP connection uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data (PPTP doesn’t provide encryption by itself). PPTP connections provide data confidentiality, but do not provide data integrity or data origin authentication. PPTP uses TCP port 1723. It only supports the TCP/IP protocol. It uses the CHAP or PAP authentication protocol (discussed later).
- L2TP / IPSec (Layer 2 Tunneling Protocol / IP Security) – an open standard protocol. It provides the highest level of security by using digital certificates, and therefore requires access to a certificate service infrastructure. It uses IPSec for encryption. It uses TCP port 1701 and UDP port 500. Most third-party VPN solutions support L2TP / IPSec. The endpoints can’t be behind a NAT device unless the client and server support IPSec NAT traversal.
- IPSec (Internet Protocol Security) – provides authentication and encryption. It can be used with L2TP or by itself as a VPN solution. It can encrypt any traffic supported by the IP protocol. It can use digital certificates or pre-shared keys. It can be used to secure host-to-host communication within a LAN, to secure VPN communication through the Internet, and to secure any IP traffic like e-mail, telnet, file transfer, and others. IPSec includes two different protocols: AH, which stands for Authentication Header, and ESP, which stands for Encapsulating Security Payload. ESP is used for encryption and also provides some authentication. AH is used for authentication. When implementing IPSec, we have the choice of implementing either of these protocols by itself. For example, if we only implement AH, we will have authentication but no encryption. So, in most cases, we will want to make sure that our IPSec VPN solution includes ESP.
- SSTP (Secure Socket Tunneling Protocol) – uses the SSL protocol. It can pass almost all firewalls that allow Internet access, which is not true of the other VPN protocols. SSTP works by encapsulating PPP (Point-to-Point Protocol) traffic over the SSL channel of the HTTPS protocol. Encryption is provided through SSL. As we know, SSL has long been used in combination with other protocols; for example, it is used with HTTP to secure HTTP traffic. Because SSL already provides encryption, it has been extended to provide a form of VPN connection. SSL requires certificates for proof of identity, as well as for encryption. SSL uses port 443. SSTP supports data origin authentication, data integrity, replay protection and data confidentiality, in a similar form to L2TP. We can’t use SSTP through a web proxy that requires authentication. SSTP is Microsoft’s implementation of SSL VPN; Cisco, for example, has its own implementation of SSL VPN.
- IKEv2 (Internet Key Exchange version 2) – available starting with Windows 7. It supports IPv6, the new VPN Reconnect feature, and smart card certificate authentication. IKEv2 supports data origin authentication, data integrity, replay protection, and data confidentiality. IKEv2 uses UDP ports 500 and 4500, and IP protocol 50 for ESP traffic.
We can use Windows 7 to accept incoming VPN connections using PPTP. By default, Windows 7 attempts to make an IKEv2 connection after we configure a new VPN connection. When implementing a VPN, we have to make sure to select a protocol that is supported by all devices that need to encrypt or encapsulate packets. When using a VPN through a firewall, we must open the necessary ports to allow the VPN traffic. For this reason, SSL is quickly becoming an accepted VPN protocol, because the firewall ports are typically already open for other types of secure traffic, such as HTTPS. When using a VPN through a NAT device, we have to make sure that the device supports VPN connections.
To provide the best security, Windows first tries to use the most secure authentication protocol that is enabled, and then falls back to less secure protocols if they are available. Windows supports several different authentication protocols, which fall into two categories: the first is password based, and the second is certificate based. The supported authentication protocols are:
- PAP (Password Authentication Protocol) – uses unencrypted (plain text) passwords for authentication. It is not enabled by default. It is usually used to connect older, third-party VPN clients which don’t support more secure authentication protocols.
- CHAP (Challenge Handshake Authentication Protocol) – a password based authentication protocol. It allows connecting to third-party VPN servers that don’t support more secure authentication protocols.
- MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2) – a password based authentication protocol that can be configured to use the credentials of the currently logged-on user for authentication.
- PEAP / PEAP-TLS (Protected Extensible Authentication Protocol – Transport Layer Security) – a certificate based authentication protocol. Users authenticate using certificates. It requires the installation of a computer certificate on the VPN server, as well as a Certificate Authority (CA) to issue these certificates.
- EAP-MS-CHAPv2 – the most secure password based authentication protocol. It also requires the installation of a computer certificate on the VPN server.
- Smart Cards or Certificates – can be used for VPN authentication.
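As an added illustration, not from the original article, here is the CHAP exchange from the list above in Python following RFC 1994 (the response is an MD5 digest of the identifier, the shared secret and the server's random challenge), showing why a captured response cannot be reused the way a captured PAP password can. Peer names and secrets are constructed.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    Only this digest crosses the link; the secret itself never does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class ChapAuthenticator:
    """VPN-server side of CHAP. It must hold each peer's secret in plaintext
    (or an equivalent), which is an inherent limitation of the protocol."""

    def __init__(self, secrets: dict):
        self.secrets = secrets  # peer name -> shared secret (constructed values)
        self.pending = {}       # peer name -> (identifier, challenge) awaiting a response
        self.last_id = 0

    def challenge(self, peer: str) -> tuple:
        """Issue a fresh random challenge with a new identifier for this attempt."""
        self.last_id = (self.last_id + 1) & 0xFF
        chal = os.urandom(16)
        self.pending[peer] = (self.last_id, chal)
        return self.last_id, chal

    def verify(self, peer: str, identifier: int, response: bytes) -> bool:
        """Check the response against the outstanding challenge, then retire the
        challenge so a captured response is useless for a later replay."""
        outstanding = self.pending.pop(peer, None)
        secret = self.secrets.get(peer)
        if outstanding is None or secret is None or outstanding[0] != identifier:
            return False
        expected = chap_response(identifier, secret, outstanding[1])
        return hmac.compare_digest(expected, response)
```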
With traditional VPN connections, users had to manually reconnect after they lost VPN connectivity. All operations across the dropped VPN connection were lost and had to be started over once the VPN connection was re-established. The VPN Reconnect feature allows Windows clients to automatically reconnect disconnected VPN sessions, even after a disconnection of up to 8 hours; if the outage is longer than that, the user must reconnect manually. VPN Reconnect uses the IKEv2 protocol to connect to a Windows VPN server. It eliminates the need for mobile clients who roam from one network to another to re-establish the VPN connection after moving to a different network.
A VPN requires a valid connection to the Internet, whether through dial-up, broadband or another connection type. When we attempt to make the VPN connection, the connection to the Internet is established first, then the VPN tunnel between the two computers. By default, all traffic is sent over the VPN connection. In the advanced TCP/IP settings, clear the "Use default gateway on remote network" option if Internet traffic should not be routed through the VPN connection.