Lecture #22 - Virtual Private Networks

Firewall Basics

In the context of computer networking, a firewall is a device which filters packets according to some predefined criteria. Given that a router forwards packets between two or more networks, it makes sense for a router to perform packet filtering in addition to routing. A router performing such duties is known as a packet filtering firewall.

A firewall is a critical component in network security, since it allows a network administrator to prevent hostile traffic from entering or leaving a network.

We have already looked at Cisco access lists and have used them to perform filtering on traffic that is entering or leaving an interface. This is the most rudimentary way of implementing a packet filtering firewall.

Stateful Packet Inspection (SPI)

Whilst basic packet filtering is better than no filtering at all, it is rather limited due to its inability to understand the relationship between packets - it is only working at the IP or network level.

A proper firewall will perform Stateful Packet Inspection or SPI. Instead of simply filtering packets at the network level, packets are filtered statefully by monitoring transport level flows. A typical SPI firewall is configured to allow specific packets, such as the TCP SYN segment that initiates a TCP connection, after which other packets associated with this connection are permitted.

This means that packets not associated with a specific connection are not permitted through the firewall. All connections have to be initiated by an internal or external host, as stipulated by the firewall rules.
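The behaviour described above, as an added example written for these notes rather than any vendor's firewall: a small stateful filter that opens a table entry only for a TCP SYN sent from the internal network and then admits the packets belonging to that connection, dropping anything unsolicited. The 192.168.0.0/24 internal range, the external address and the packet trace are constructed values.

```python
from dataclasses import dataclass

INTERNAL_NET = "192.168.0."   # constructed: the protected (inside) network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # TCP flags, e.g. "S" (SYN), "SA" (SYN/ACK), "A", "F", "R"

def inside(ip):
    return ip.startswith(INTERNAL_NET)

class StatefulFirewall:
    """Permit TCP connections opened from inside; from outside admit only packets of a known connection."""
    def __init__(self):
        self.table = {}   # (inside ip, inside port, outside ip, outside port) -> state

    def filter(self, p):
        if inside(p.src) and not inside(p.dst):
            key, outbound = (p.src, p.sport, p.dst, p.dport), True
        elif inside(p.dst) and not inside(p.src):
            key, outbound = (p.dst, p.dport, p.src, p.sport), False
        else:
            return "DROP"          # neither direction crosses the firewall
        state = self.table.get(key)
        if state is None:
            if outbound and p.flags == "S":   # only an inside host's SYN creates state
                self.table[key] = "SYN_SENT"
                return "ACCEPT"
            return "DROP"          # unsolicited packet, e.g. an inbound SYN or a stray ACK
        if state == "SYN_SENT" and not outbound and p.flags == "SA":
            self.table[key] = "ESTABLISHED"
        if "R" in p.flags or (state == "CLOSING" and "F" in p.flags):
            del self.table[key]    # reset, or both sides have sent FIN: forget the connection
        elif "F" in p.flags:
            self.table[key] = "CLOSING"   # half-closed; the peer's FIN is still expected
        return "ACCEPT"

def demo_trace():
    """Constructed packet sequence; returns the firewall's decision for each packet."""
    fw = StatefulFirewall()
    inside_host, outside_host = "192.168.0.10", "203.0.113.5"
    trace = [
        Packet(outside_host, 4444, inside_host, 22, "S"),     # inbound connection attempt: dropped
        Packet(inside_host, 40000, outside_host, 80, "S"),    # inside opens a web connection: creates state
        Packet(outside_host, 80, inside_host, 40000, "SA"),   # reply belongs to that connection
        Packet(inside_host, 40000, outside_host, 80, "A"),
        Packet(outside_host, 80, inside_host, 40001, "A"),    # wrong port: no matching state, dropped
        Packet(outside_host, 80, inside_host, 40000, "R"),    # reset removes the entry
        Packet(outside_host, 80, inside_host, 40000, "A"),    # ...so later packets are unsolicited again
    ]
    return [fw.filter(p) for p in trace]
```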

Firewall Architecture

Whilst there are a large number of firewall architectures possible, most of these revolve around the idea of a De-Militarised Zone or DMZ. This is a network which sits between a corporate network and the external Internet - traffic from the external Internet is not allowed to enter beyond the DMZ and traffic from the corporate network is not allowed to pass beyond the DMZ.

Regardless of the architecture implemented, the most critical firewall is the one which connects the corporate network to either the DMZ or to the Internet. This is effectively the last line of defence against hostile network traffic. Should this firewall become ineffective your network may become completely exposed.

Private Networks

Many businesses have multiple locations and benefit from all sites having access to the same business systems. This may mean that they need to access a single database, or they may make use of a remote access technology. Either way, the sites need to be interconnected via a network.

The "traditional" way of doing this is via the use of private networks - a dedicated connection leased from a telecommunications company. Whilst these were usually highly reliable, they were also very expensive. With the advent of the Internet, dedicated private networks quickly became less popular since it is cheaper and often easier to route traffic over the Internet.

Routing corporate traffic over the Internet introduces a number of challenges, primarily those related to security and reliability. The security aspects are easily addressed through the use of a Virtual Private Network or VPN. It is also worth noting that with the increased deployment of IP networks, many telcos and ISPs are offering "private" IP networks that can be used to connect multiple business premises.

Virtual Private Networks - Basic Ideas

A VPN is a structure which ties together two different private networks in such a way that they appear to have a direct, point-to-point connection between them. Two techniques are fundamental to the success of this approach:

Tunnelling

This is the generic name for any system which encapsulates a data packet in a protocol which is at the same level, or a higher level, in the protocol stack. These protocols can be the same protocol (eg. IP) or different protocols (eg. IP and TCP). For example, we could encapsulate an IP datagram inside another IP datagram, by having the second form the "payload" of the first datagram. Tunnelling allows packets to seemingly disappear from one private network, and pop out in another private network somewhere else, almost as though the two networks had a "wormhole" connecting them...

Encryption

Data packets are observable as they traverse the global Internet. In order for two networks to be interconnected in a secure way, the data must be encrypted before it is sent. There are many encryption mechanisms available, which we will only mention briefly.

Several Internet VPN protocols exist, which implement both tunnelling and encryption. Protocols include Microsoft's Point-to-Point Tunnelling Protocol (PPTP), the IETF Layer 2 Tunnel Protocol (L2TP), the IETF IPsec protocol and OpenVPN.

Introduction to IPsec

IPsec is a protocol suite for securing IP traffic by providing authentication and encryption, allowing for packets to be safely routed over the Internet. IPsec operates at the network layer and can operate in either tunnel mode or transport mode. Transport mode operates by providing end-to-end encryption of the transport layer payload - whilst this can be beneficial it is not especially interesting to us.[3]

In tunnel mode, the entire IP datagram is encrypted before becoming the payload of a new IP datagram. Once the original IP datagram is encrypted, an Encapsulating Security Payload (ESP) header is placed in front of it, and the new IP header is then added ahead of the ESP header. We can visualise this as:

IPsec Tunnelling Encapsulation

An additional Authentication Trailer can be appended to the end of the encrypted payload to verify the source of the encrypted packet. IPsec can also be operated in Authentication Header (AH) mode, which allows for authentication and data integrity but does not provide encryption.
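As an added example for these notes (not code from the lecture or from any IPsec implementation), the following builds the two encapsulations discussed here: the plain IP-in-IP tunnelling from the Tunnelling section above, and the ESP tunnel-mode layout just described, with the ESP header in front of the inner datagram, the padding trailer, and the authentication trailer (ICV) at the end. The addresses, SPI and key are constructed; the encryption of the inner datagram is left out, carrying it as ESP-NULL (RFC 2410) so that the framing runs without a cipher library.

```python
import hmac, hashlib, struct

def ipv4_checksum(hdr):
    # One's-complement sum over 16-bit words; over a whole header it yields 0 when the checksum is valid
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header (no options): version/IHL, TOS, total length, ID, DF flag, TTL, protocol
    def ip(a): return bytes(int(x) for x in a.split("."))
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0, ip(src), ip(dst))
    return h[:10] + struct.pack("!H", ipv4_checksum(h)) + h[12:]

# Constructed inner datagram: a host on one private LAN sending 12 bytes of UDP to a host on the other
INNER = ipv4_header("192.168.0.10", "192.168.1.20", 17, 12) + b"hello-tunnel"

def ipip_encapsulate(inner, outer_src, outer_dst):
    # Plain tunnelling: the whole inner datagram becomes the payload of a new one; protocol 4 = IP-in-IP
    return ipv4_header(outer_src, outer_dst, 4, len(inner)) + inner

def ipip_decapsulate(outer):
    ihl = (outer[0] & 0x0F) * 4
    assert outer[9] == 4 and ipv4_checksum(outer[:ihl]) == 0, "not a valid IP-in-IP datagram"
    return outer[ihl:]

def esp_tunnel_encapsulate(inner, outer_src, outer_dst, spi, seq, auth_key):
    # ESP tunnel-mode layout: new IP header | ESP header (SPI, sequence) |
    #   [inner datagram | padding | pad length | next header] | ICV (the authentication trailer)
    # The bracketed part is what a real SA encrypts; here it is carried as ESP-NULL (RFC 2410)
    pad_len = (-(len(inner) + 2)) % 4             # pad so pad-length/next-header end on a 4-byte boundary
    body = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])   # next header 4: an IP datagram
    esp = struct.pack("!II", spi, seq) + body
    icv = hmac.new(auth_key, esp, hashlib.sha256).digest()[:16]        # HMAC-SHA-256-128 (RFC 4868)
    return ipv4_header(outer_src, outer_dst, 50, len(esp) + 16) + esp + icv   # protocol 50 = ESP

def esp_tunnel_decapsulate(pkt, auth_key):
    # Verify the ICV first, then strip the ESP header and trailer; returns None on failure
    ihl = (pkt[0] & 0x0F) * 4
    esp, icv = pkt[ihl:-16], pkt[-16:]
    if not hmac.compare_digest(hmac.new(auth_key, esp, hashlib.sha256).digest()[:16], icv):
        return None                                # tampered in transit or wrong key: discard
    spi, seq = struct.unpack("!II", esp[:8])
    pad_len, next_hdr = esp[-2], esp[-1]
    return spi, seq, next_hdr, esp[8:len(esp) - 2 - pad_len]
```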

One of the big challenges with IPsec is that of key exchange - either we have to manually configure each VPN router with shared keys, or we need to use a key exchange protocol such as IKE -- the Internet Key Exchange protocol. For IKE we will need to use some form of host authentication, typically using X.509 certificates and keys (or we can use a pre-shared key for authentication only, then perform automated key exchange).

[3] Although it does have implications for packet filtering based on (for example) TCP or UDP service type, ie. port number -- this information is obviously encrypted and so can't be viewed by a packet filter. However, in transport mode the IP header isn't encrypted and can still be filtered.

Implementing VPNs

A simple VPN may be implemented as follows:

Minimal VPN

At least two VPN routers are required. Presumably the two 192.168.0.0 (private IP) networks are physically located some distance apart, however the VPN makes them appear to be directly connected.

Microsoft's PPTP

This protocol is (slightly) interesting. It takes an ordinary IP packet and encapsulates it into a PPP frame. This entire frame is then encrypted and encapsulated in an IP Generic Routing Encapsulation (GRE) packet. A GRE packet has, in a similar way to IPsec's ESP, an additional IP extension header.

In fact, the protocol forms part of Microsoft's Remote Access Server (RAS), which was originally designed to facilitate dial-in access to Windows systems. It was not originally designed for VPN use, although this is the more common use today.

PPTP has an advantage over IPsec in that both NAT and VPN encryption/encapsulation can be done in one step. However, it has several well-known (but ostensibly fixed) security vulnerabilities. It's recommended that it be configured to always use the highest level of security available.

OpenVPN

Unlike most of the other VPN technologies, which operate by encapsulating IP datagrams inside another network level protocol, OpenVPN uses UDP or TCP as the transport between VPN routers or hosts. The control channel (including host identification, authentication and key exchange) is performed over the TLS protocol, using X.509 keys/certificates, or alternatively static pre-shared keys. The data channel provides encryption and data integrity using the EVP interface of the OpenSSL library, with user-selected encryption and MAC algorithms. The encrypted packets are loosely based on IPsec.

If X.509 certificates are in use, often these will be self-signed since we are establishing trust between a number of devices which we configure and maintain.

Rather than having to have support for a protocol such as IPsec or PPTP/GRE within the operating system kernel, OpenVPN operates in userland. IP datagrams are provided to the OpenVPN server or client using a TUN or TAP virtual (pseudo) network adapter. This allows it to secure the datagram, before encapsulating it within a UDP datagram and sending it on its way. The remote host decrypts, authenticates and de-encapsulates the original IP datagram, before injecting it back into a TUN or TAP virtual network adapter.
