WHAT IS A VPN? Virtual Private Network – Before going into the actual solution it is prudent to do a quick tutorial on what a VPN actually is.
There are many definitions of a VPN in the marketplace and each one has its own benefits and/or losses.
So the first and foremost goal is to try to place a model with which the industry can live.
The short version of a VPN is as follows:
A virtual private network (VPN) is an overlay network built on top of the public network through the use of a tunneling protocol, in which the tunnels provide for encryption, authentication and non-repudiation.
So another way of summarizing what a VPN is would be to state it as follows:
1. An extension of a private intranet
2. Used across the public networks (i.e., PSTN or Internet)
3. Providing a secure connection
4. Using a tunnel that makes it a virtual network
5. Normally owned by the carriers – although a private network can also be used
6. Used by an organization as though it is privately owned
7. Intended to eliminate the hassle of private ownership
That summary may well be subject to differences of opinion but it does convey what the industry is looking for in their networking strategies.
The definitions above beg for more of a picture than just text. Shown in Figure 3.1 is a typical end-to-end path for a VPN. Note that a firewall is used at each end, between the public Internet and the intranet.
Using the remote user as an example, perhaps with a soft phone on the laptop computer, a connection is made with an xDSL or cable modem or, in the least likely mode, a dial-up link.
The ISP connection uses the public Internet to provide the path across the public domain, and then passes the connection off to the firewall front-ending the private network (i.e., the LAN or CAN).
This creates an end-to-end connection from the remote host to the corporate intranet.
However, cases have been reported in the past where an imposter redirects the user to a false tunnel and thus to the wrong gateway.
This can apply in a VoIP environment using a phone or a soft phone and a laptop for data access.
When a remote user accesses an unsecured network and particularly an unsecured WiFi network, they expose themselves to a man-in-the-middle (MITM) attack.
Yet many travelers (road warriors) still use unsecured networks if they have a VPN client.
The risk is that a user’s WiFi connection (as in a coffee shop, free airport WiFi access, an Internet cafe, etc.) will be intercepted by an attacker on the network who executes a MITM attack. In Figure 3.2 one can see that a false tunnel is built across the Internet.
Still another risk arises on a wired network (such as a hotel LAN or a remote rental office), where an attacker can spoof ARP.
The attacker’s machine advertises on the wire that it is the default gateway to the Internet and performs a MITM attack, causing a false tunnel to the imposter’s gateway.
Users rarely notice anything amiss. Even if the imposter sets up a different form of user logon, the user will likely be oblivious to the difference.
Once the user logs on to the imposter’s gateway (with the attacker capturing the username and password), they may be knocked off the connection.
On retrying, they connect to the correct tunnel and get through the VPN to the server.
Now the correct logon screen is presented to the user, who logs on as normal.
The user will not recognize that something was different between the two logon screens and thus will not report a possible compromise to the security department.
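The gateway-spoofing scenario above is usually invisible to the user, but it leaves a footprint on the wire that a host or network monitor can catch. The following is an added example, not code from the book: a small defender-side ARP monitor that raises an alert when the default gateway's IP address is claimed by a new MAC, when any IP-to-MAC binding changes, or when one MAC answers for both the gateway and another host. The ARP replies, IP addresses and MAC addresses are constructed sample data; on a real host they would come from a capture tool or the kernel ARP cache.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str

@dataclass
class GatewayMonitor:
    gateway_ip: str
    pinned_mac: Optional[str] = None           # provisioned MAC of the real gateway, if known
    ip_to_mac: Dict[str, str] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def observe(self, reply: ArpReply) -> Optional[str]:
        """Record one ARP reply; return an alert string if it looks like spoofing."""
        mac = reply.sender_mac.lower()
        alert = None
        if reply.sender_ip == self.gateway_ip:
            if self.pinned_mac is None:
                self.pinned_mac = mac          # trust on first use when no MAC was provisioned
            elif mac != self.pinned_mac.lower():
                alert = (f"gateway {self.gateway_ip} now claimed by {mac}, "
                         f"expected {self.pinned_mac}")
        previous = self.ip_to_mac.get(reply.sender_ip)
        if alert is None and previous is not None and previous != mac:
            alert = f"{reply.sender_ip} moved from {previous} to {mac}"
        self.ip_to_mac[reply.sender_ip] = mac
        # one MAC answering for the gateway and another host is the classic MITM footprint
        claimed = {ip for ip, m in self.ip_to_mac.items() if m == mac}
        if alert is None and len(claimed) > 1 and self.gateway_ip in claimed:
            others = sorted(claimed - {self.gateway_ip})
            alert = f"{mac} answers for gateway {self.gateway_ip} and {others}"
        if alert:
            self.alerts.append(alert)
        return alert

def replay(monitor: GatewayMonitor, replies) -> List[str]:
    # feed a sequence of replies and return the alerts raised, in order
    return [a for a in (monitor.observe(r) for r in replies) if a]

# constructed sample traffic: the real gateway answers, then a second MAC
# claims both the gateway address and another host's address
SAMPLE = [
    ArpReply("192.0.2.1", "aa:aa:aa:aa:aa:01"),
    ArpReply("192.0.2.55", "cc:cc:cc:cc:cc:55"),
    ArpReply("192.0.2.1", "ee:ee:ee:ee:ee:99"),   # imposter claims the gateway
    ArpReply("192.0.2.55", "ee:ee:ee:ee:ee:99"),  # same MAC also claims the victim
]
```

Running `replay(GatewayMonitor("192.0.2.1"), SAMPLE)` returns two alerts, one for the gateway takeover and one for the victim's changed binding; provisioning `pinned_mac` from inventory rather than trusting the first reply closes the gap where the imposter is already present when monitoring starts.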
Whenever a user’s VPN credentials are sent in the clear, the attacker can sniff and record them using one of many tools (e.g., Wireshark).
If the connection is Secure Sockets Layer (SSL) encrypted, the attacker can present a bogus certificate to try to intercept the SSL connection.
The attackers’ purpose is to use the credentials to get access to the network or to get free phone service. Moreover, attackers will typically save those stolen credentials and sell them.
Educating the user is a must in this scenario as the user is the front line of defense in a situation like this.
The underlying assumption is that, regardless of some of the risks, we are trying to provide private network access over the public Internet.
And, yes, risks still exist. Another risk is a “tailgater,” who captures a set of credentials and gets onto the network by following the legitimate user onto the network using the same logon connection.
This is particularly easy when dealing with a wireless connection.