Question

Secure VPN Configuration and Management & Wireless Network Defense

Give me two pages of easy about the topic.

Answer 1

Secure VPN Configuration and Management

A virtual private network (VPN) extends a private network across a public network, such as the Internet. A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunnelling protocols, or traffic encryption.[1]

It enables users to send and receive data across shared or public networks as if they were directly connected to the private network, and thus are benefiting from the functionality, security and management policies of the private network.

Traditional VPNs are characterized by a point-to-point topology, and they do not tend to support or connect broadcast domains. Therefore, communication, software, and networking, which are based on OSI layer 2 and broadcast packets, such as NetBIOS used in Windows networking, may not be fully supported or work exactly as they would on a local area network (LAN). VPN variants, such as Virtual Private LAN Service (VPLS), and layer 2 tunnelling protocols, are designed to overcome this limitation.

A virtual private network (VPN) extends a private network across a public network, such as the Internet. A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunnelling protocols, or traffic encryption.[1]

It enables users to send and receive data across shared or public networks as if they were directly connected to the private network, and thus are benefiting from the functionality, security and management policies of the private network.

Traditional VPNs are characterized by a point-to-point topology, and they do not tend to support or connect broadcast domains. Therefore, communication, software, and networking, which are based on OSI layer 2 and broadcast packets, such as NetBIOS used in Windows networking, may not be fully supported or work exactly as they would on a local area network (LAN). VPN variants, such as Virtual Private LAN Service (VPLS), and layer 2 tunnelling protocols, are designed to overcome this limitation.

Types of Virtual Private Network and Protocols

There are 2 types of VPN:

a) Site-to-site VPN

It consists of intranet and extranet based VPN. The encryption and decryption is done by the routers on both ends.

The intranet VPN connects 2 office LANs securely and transparently across the internet. Where as the extranet allows different offices of a company in various parts of the world to connect securely to share data across internet.

b) Remote access VPN

The remote access VPN allows users to create a secure connection using a remote computer network. Those users can securely access the resources on that network as if they were directly plugged into the network’s servers. Another name for this type of VPN is Virtual Private Dial-up Network (VPDN).

Different types of VPN protocols available currently. The most commonly used VPN protocols are:

PPTP VPN

PPTP is short for Point-to-Point Tunnelling protocol. PPTP is the most common and widely used VPN protocol in the internet. PPTP uses a control channel over TCP and GRE tunnel to encapsulate PPP packets. It enables authorized remote users to connect to the VPN network using their existing internet connection and then log on to the VPN using password authentication. One of the down sides of PPTP is that it does not provide encryption and it relies on the PPP (Point-to-Point Protocol) to implement security measures for data packets.

As PPTP is the most commonly used protocol in the internet it has become a subject to serious security vulnerabilities. Since PPTP relies on PPP for encryption it is the biggest security issue.

L2TP VPN

L2TP or Layer to Tunnelling Protocol was developed by Microsoft and Cisco in the year 1999 as a standard RFC 2661. L2TP is developed from the older protocol versions of PPTP and L2F. L2TP also does not provide encryption and confidentiality and it relies on PPP protocol to do this. Unlike PPTP which provides only data confidentiality, L2TP provides data confidentiality and also data integrity.

According to RFC 3931 published in 2005 a newer version of L2TPv3 is released which provides the same as L2TP with additional security and better data encapsulation.

IPSec

Internet Protocol Security was initially developed by the Internet Engineering Task Force (IETF) for IPv6 in the year December,1993, the software encryption protocol also known as swIPe was researched at Columbia University and AT&T Bell Labs by John Ioannidis and others. IPSec is a trusted protocol which uses cryptographic security services over networks and communicates by encrypting and authenticating each IP data packet of the current session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). A major disadvantage of IPSec is that it requires expensive and time consuming client installations.

IPSec uses the following protocols to perform its functions.

Authentication Headers: provide connectionless integrity and data origin authentication for IP datagrams and provides protection against replays.

Encapsulating Security Payloads (ESP) provide confidentiality, data-origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic-flow confidentiality.[RFC 2406 ]

Security Associations (SA) provide the bundle of algorithms and data that provide the parameters necessary for AH and/or ESP operations. The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for authentication and key exchange,[10] with actual authenticated keying material provided either by manual configuration with pre-shared keys, Internet Key Exchange (IKE and IKEv2), Kerberized Internet Negotiation of Keys (KINK), or IPSECKEY DNS records.

SSTP

Secure Socket Tunnelling Protocol (SSTP) is a type of VPN tunnel that provides mechanisms to transport PPP or L2TP traffic through SSL 3.0 channel. SSTP servers must first be authenticated by SSL before entering into the network. There may be cases where SSTP will originally built for remote client access.

.

SSL

Secure Socket Layer is a VPN accessible via https over web browser. SSL uses a cryptographic protocols when inside a network. SSL creates a secure session from your PC browser to the application server you’re accessing. SSL provides transport-level security with key-negotiation, encryption and traffic integrity checking. SSL allows SSTP to virtually pass through all firewalls and proxy servers except for authenticated web proxies. SSL 3.0 is the current version in use. It is an improved version over SSL 2.0, where the server is never able to complete a successful handshake as mentioned by firefox web browser. SSL 3.0 has newly added SHA-1 ciphers to encrypt and decrypt data.

Wireless Network Defense

The majority of work to develop and mature military wireless networks to date has focused on efficiency and stability in benign conditions. Insufficient attention has been paid to identifying and mitigating vulnerabilities arising from the new features being added to make these networks more efficient. Unfortunately, because of the focus on efficiency, the protocols that have been developed implicitly trust all information shared about the state of the nodes and the larger network. Consequently, when the information that is shared among these nodes is bad, the network quickly becomes unusable.

In particular, the protocols that have been developed for military wireless networks require the nodes in the network to coordinate among themselves to manage their resources (e.g., spectrum, time, and power) and also to organize themselves in order to provide the functionality necessary to deliver data efficiently. To meet that objective, the nodes must share information about their state and the state of the world around them, and do so in a way that is not wasteful of the precious network capacity intended for user data. With the shared information, the network nodes make decisions about configuration details such as which frequencies to use, which node gets to transmit when, and to which node(s) to forward data when a direct path to the destination does not exist. These are protocols that determine how the physical channels are used in order to provide a useful network to the devices and people using the wireless network.

As the use of wireless systems expands, the likelihood of network compromise (whether maliciously or by unwitting misconfiguration) will increase. Beyond the conventional node-by-node security in use today, a set of network-based checks are needed to ensure that misinformation inserted into the control protocols does not disable the network functionality. While this concern is particularly important to the class of emerging wireless mesh networks, it is also relevant to other topologies, such as hub-spoke, which are evolving to include self-organizing network technologies.

Acknowledging that the network can be compromised, the Wireless Network Defense program will develop and demonstrate new technology for robustly controlling wireless networks. This program will not create a new communications waveform nor develop a new tactical radio. Instead, the technology will be developed in such a way as to enable improvement in the robustness of the class of wireless networks that are being procured and fielded in the near future, and also to provide a reliable foundation on which to build the subsequent generation of wireless systems.