VPN Types

Although there are many types of VPNs (including remote access, extranets, branch offices, SOHO, and wireless), there are only two types of connections: remote access and router-to-router. This section provides an overview of how VPN technology is used with WLANs. When VPN technology is used in a wireless environment, the client must have VPN software loaded, whether that client is a computer or a router acting as a client.

The VPN server can provide upstream network access to the client or to just those network resources the VPN has available locally. A connection to a VPN server is created when a client initiates a remote-access VPN. A remote-access VPN is a point-to-point connection where packets are transmitted through the tunnel originating from the client and are sent to the server or from the server to the client. For added security, VPNs can be configured for mutual authentication of client and server; however, in most cases, such as dial-up Remote Access Server (RAS), authentication is not mutual, and only the server authenticates the client.

A VPN connection over a wireless medium leaves the access point open to attack. Access points are Layer 2 devices that can be managed at Layer 3. Because they are Layer 2 devices, they do not care what kind of traffic is traversing the wireless medium and will simply forward all traffic from the wireless side to the wired side without regard for security; however, if the VPN server is implemented directly inside the access point, it acts more like a wireless router than a plain access point. Combined with secured management features such as HTTPS, a VPN provides a very secure solution, but at a processing cost. Because wireless access points are generally inexpensive devices lacking powerful CPUs, the added overhead of VPN management features, access point features, routing functions, high encryption overhead, and overall VPN setup and tear-down will degrade the performance of these units very quickly.

Secure VPN redirection occurs when an access point is configured to allow incoming VPN traffic to be sent to a single VPN server host. This should be considered when only one VPN server is being used. Each wireless router is redirecting the VPN traffic to a specified IP address.

EWGs (Enterprise Wireless Gateways) are the most common implementation of VPNs in WLAN environments. EWGs typically offer VPN features, remote management, firewall features, RBAC, throughput management, and many other useful features.

Some VPNs can be configured for mutual authentication of client and server for added security. In many cases, such as dial-up RAS, authentication is not mutual, and only the server authenticates the client. A remote-access VPN is created when a client initiates a connection to a VPN server. The VPN server can provide upstream network access to the client or to network resources the VPN has available locally. Because a remote-access VPN is a point-to-point connection, packets are transmitted through the tunnel originating from the client and are sent to the server.

PPTP, L2TP, IPSec, and SSH2 are some of the many VPN protocols used in conjunction with WLANs. All of these protocols rely on tunneling of some form and usually employ encryption. The encryption method and strength deployed with each VPN type varies greatly. VPN encryption can take place through either a software- or hardware-based solution. Software-based encryption/decryption typically increases latency and decreases throughput. In contrast, hardware encryption/decryption accelerators decrease latency and increase throughput.

Accelerators, also called off-load processors, are often included in access points and VPN servers for speeding up the encryption/decryption processes used in WEP. In some cases, the VPN server is implemented as part of a PC server, where a PCI card and accompanying software serve as the accelerator. The accelerator is often another chip on the motherboard when implemented in a VPN appliance such as an EWG. Newer EWGs may have gigabit Ethernet interfaces. These units normally don't push more than 100 Mbps of heavily encrypted (e.g., IPSec using 3DES or AES) traffic and only have Gigabit interfaces for use when encryption is not desired. It is common to see EWG units push traffic at around 300 Mbps, even when encryption is not used.

PPTP

Point-to-Point Tunneling Protocol (PPTP) is a simple, low-cost, easy-to-implement wireless security VPN solution based on the client/server architecture. It supports multiple encapsulated protocols, authentication, and encryption based on the Point-to-Point Protocol (PPP) [17]. Most of Microsoft's desktop and server operating systems have native PPTP [18] support.

Microsoft Point-to-Point Encryption (MPPE) is supported by PPTP using the RC4 algorithm with a 128-bit key. Most local and external authentication using RADIUS is supported through PPTP on VPN servers. A software product called POPTOP has been implemented on Linux servers to provide PPTP support and is fully compatible with Microsoft PPTP client software. The destination IP address, encryption parameters, username, and password are the only pieces of information needed to form a PPTP connection, making it very popular for use over wireless networks.

PPTP forms a tunnel between the client and server. DHCP can be used for both subnets inside and outside the tunnel, eliminating most of the administrative overhead. PPTP is often implemented as an IP-in-IP tunnel (http://faqs.org/rfcs/rfc1853.html), where the client/server connection has an IP subnet and the tunnel has a different subnet, with the tunnel IP addresses typically allocated by the PPTP VPN server.

On wireless networks, IP-in-IP is by far the most common protocol used for encapsulating data transported with PPTP. The PPTP client connects with the server by "dialing" the server over the IP network. The server authenticates the user and establishes a tunnel address to begin passing traffic to and from the client.

Typical authentication methods used by PPTP are PAP, MS-CHAP, and MS-CHAPv2. Because of the security requirements placed on WLAN implementations by most organizations, MS-CHAPv2 authentication against a RADIUS or LDAP-compliant database with MPPE encryption is commonly used for security. The 128-bit MPPE provides adequate security protection for most SOHO networks or networks that do not have high-value/sensitive data or systems to protect. When keeping administrative and network overhead costs down is a higher priority than security controls, encrypting data with 128-bit MPPE inside a tunnel provides enough protection to stop the casual or unskilled war driver while maintaining due diligence in protecting noncritical corporate data.

L2TP/IPSEC

L2TP combines the best of Cisco's Layer 2 Forwarding (L2F) protocol and Microsoft's PPTP. It is a key building block for VPNs in the dial access space [19]. Cisco and other network industry leaders support L2TP. Large implementations of call terminations in the Telco and ISP space commonly use L2TP. L2TP Access Concentrator (LAC) and the L2TP Network Server (LNS) are the two distinct components of an L2TP network. A client's physical connection, such as a dial-up connection to the Internet, is terminated by the LAC, and the upstream LNS terminates the PPP session. This solution is highly scalable for Telcos and ISPs because LACs can route PPP sessions to various service providers or locations. L2TP is often combined with IPSec for security because it does not define any encryption standard.

Mutual authentication can be achieved through IPSec using shared keys or certificates and strong encryption. Although L2TP's current use in wireless networks is rare, it will likely gain popularity as L2TP support is included in EWGs. As a result of the rapid increase of hotspot users throughout the world, Wireless ISPs (WISPs) will gain market share, and L2TP/IPSec will find an appropriate use in the marketplace. Both the Microsoft Windows 2000 and Windows XP operating systems support L2TP/IPSec VPN technology.

L2TP/IPSec and PPTP are similar in that they both provide a logical transport mechanism to send PPP frames; provide tunneling and encapsulation, so that PPP frames based on any protocol can be sent across an IP network; and rely on the PPP connection process to perform user authentication, typically using a username, password, and protocol configuration. They do, however, have some significant differences. With PPTP, data encryption begins after the PPP connection process and authentication are completed, so the user authentication process is not encrypted. With L2TP/IPSec, data encryption begins before the PPP connection process, so the user authentication process is encrypted. PPTP connections use MPPE, which is based on the Rivest-Shamir-Adleman (RSA) RC4 encryption algorithm with 40-, 56-, or 128-bit encryption keys. L2TP/IPSec connections use the Data Encryption Standard (DES) algorithm, with either a 56-bit key for DES or three 56-bit keys for Triple DES (3DES). The Microsoft L2TP/IPSec VPN client supports only DES encryption.

PPTP connections require only user-level authentication through a PPP-based authentication protocol. L2TP/IPSec connections require two levels of authentication. To protect the L2TP-encapsulated data, an L2TP/IPSec client must perform a computer-level authentication with a certificate or a preshared key to create the IPSec Security Associations (SAs). After the IPSec SAs are successfully created, the L2TP portion of the connection performs the same user-level authentication as PPTP.

PPTP only provides per-packet data confidentiality, whereas IPSec provides per-packet data origin authentication. This function is significant because it will help comply with new regulatory requirements by providing transactional nonrepudiation with proof the data was sent, accessed, or viewed by the authorized user. Data integrity is provided because there is proof the data was not modified in transit. PPTP also provides replay protection by preventing the resend of a stream of captured packets. Data confidentiality is achieved by preventing the captured packets from being interpreted without the encryption key.

Two steps necessary to complete the authentication process are used by L2TP/IPSec connections to create stronger authentication: (1) using certificates or preshared keys as a computer-level authentication for the IPSec session, and (2) using a PPP authentication protocol for the L2TP tunnel as user-level authentication. If captured as plaintext, the PPP authentication exchange for some types of PPP authentication protocols can be used to perform offline dictionary attacks and determine user passwords. By encrypting the PPP authentication exchange using L2TP/IPSec, offline dictionary attacks are only possible after the encrypted packets have been successfully decrypted. PPP frames exchanged during user-level authentication are never sent in cleartext because the PPP portion of the exchange occurs after the IPSec SAs are established.

One of the problems with L2TP/IPSec is that the Internet Key Exchange (IKE), the protocol used to negotiate SAs, and IPSec-protected traffic are not NAT-translatable. This prevents IPSec peers from being placed behind a Network Address Translator (NAT). A new set of Internet standards describes IPSec NAT traversal, allowing L2TP/IPSec connections to be created through NAT. The new standard addresses client and server computers that support IPSec NAT traversal and are located behind one or more NAT segments: IKE messages and processing are modified, and IPSec-protected packets are encapsulated as User Datagram Protocol (UDP) messages.

L2TP/IPSec could only be used with Windows XP and Windows 2000 until the release of the Microsoft L2TP/IPSec VPN client because only those VPN clients supported the L2TP protocol and IPSec. The release of the Microsoft L2TP/IPSec VPN client has made it possible for computers running all versions of Windows 98, Windows Millennium Edition, and Windows NT Workstation 4.0 to also create L2TP/IPSec remote-access VPN connections.

IPSEC/IKE

IPSec/IKE supports a wide variety of encryption algorithms, including DES, 3DES, AES, and RC4, as well as data integrity mechanisms such as MD5 and SHA-1. IPSec/IKE actually refers to a collection of IETF standards that include specifics on key management protocols and encrypted packet protocols. There are two forms of IPSec data integrity: 128-bit strength Message Digest 5 (MD5)-HMAC or 160-bit strength Secure Hash Algorithm (SHA)-HMAC. The bit strength of SHA is greater and is considered more secure, and it is recommended for use because the increased security outweighs the slight increase in overhead costs.

IPSec is a network layer VPN technology, which means that it operates independently of the applications that use it. The IPSec/IKE standard also supports preshared secrets (e.g., passwords and passphrases) and X.509 digital certificates used for authenticating VPN peers. IPSec encapsulates the original IP data packet with its own packet, hiding all application protocol information when using Tunnel Mode IPSec. The IPSec tunnel is negotiated via IKE. After the successful negotiation and creation of an IPSec tunnel, one-to-many connections of various types (e.g., Web, e-mail, file transfer, VoIP) can flow over it, with each connection destined for different servers behind the VPN gateway.

The U.S. government is promoting strong authentication and encryption, helping to promote IPSec as the leading VPN security solution. IPSec has also gained widespread acceptance in wireless environments because of its support for EWGs, Mobile IP solutions, VPN appliances, and VPN server software packages. IPSec still has a high barrier to entry because of its high administrative overhead costs (resulting from configuration and troubleshooting complexities) when used in VPN solutions.

Even though IPSec has significant implementation drawbacks, it has a rich set of security features that are useful to prevent eavesdropping, data modification, forgery, replay, man-in-the-middle, and denial-of-service attacks. By encrypting headers and data, only the receiver can understand the data transmitted, thus preventing the risk of eavesdropping. IPSec prevents unauthorized data modification by guaranteeing that packets transmitted are not intercepted and altered in any way, through the use of cryptographically generated keys available only to the sending and receiving computers. A checksum is included in each packet, and any alteration by an attacker would alter the checksum. The keying of data and the encryption of identities prevent an attacker from conducting forgery attacks by inserting spoofed packets into the transmission. IPSec traffic is sequenced, so data cannot be captured by an attacker and resent at a later time as a replay attack. Mutual authentication and shared keys used in IPSec prevent an intruder from claiming to be a valid client or server as part of a man-in-the-middle attack. The packet filtering features of IPSec can be configured to block communications that do not originate from a valid IP address range, do not use an authorized protocol, or are not sent from a specific port, eliminating the risk of denial-of-service attacks.

The Authentication Header (AH) [20] and Encapsulating Security Payload (ESP) are the two main protocols used with IPSec. Authentication and integrity are achieved by applying a keyed one-way hash function to the datagram. The AH uses this to create a message digest for each datagram passed between two systems. If any part of the datagram is changed during transit, the receiver will detect the change when it performs the identical one-way hash function on the datagram and compares the result with the message digest the sender supplied. The one-way hash also involves the use of a shared secret between the two systems, meaning that authenticity can be guaranteed. The AH may also enforce antireplay protection by requiring a receiving host to set the replay bit in the header to verify the packet has been seen. This prevents an attacker from performing multiple resends of a packet that may have been compromised.

Except for mutable IP header fields such as Time To Live (TTL), which are modified by routers along the transmission path, the AH function is applied to the entire datagram. The hashing function is simply the process of taking a snapshot of what is there and recording it for later use in authentication, and it should not be confused with an encryption process. The AH process starts with the IP header and data payload being hashed for integrity. The hash is then used to build a new AH header, which is appended to the original packet, and the new packet is transmitted to the IPSec peer router, which hashes the IP header and data payload, extracts the transmitted hash from the AH header, and compares the two hashes. The hashes must match exactly. If even one bit is changed in the transmitted packet, the hashed output on the received packet will change and the AH header will not match.
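The AH exchange just described, worked through as an added example (not code from the page): the sender hashes the immutable parts of the IPv4 header plus the payload with the shared secret, carries the result in an AH header, and the receiver recomputes the hash and also enforces an antireplay window on the sequence number. It assumes HMAC-SHA1-96 as the keyed one-way hash, a 20-byte IPv4 header without options, and a shared secret already agreed (as IKE would do); the key and addresses are constructed sample values.

```python
import hashlib
import hmac
import struct

# Added illustration of the AH integrity and antireplay checks; not the page's code.
# Assumptions: HMAC-SHA1-96 as the keyed hash, a 20-byte IPv4 header, a pre-agreed key.
SHARED_SECRET = b"constructed-demo-secret"   # constructed sample key
ICV_LEN = 12                                 # HMAC-SHA1-96: digest truncated to 96 bits
AH_FIXED_LEN = 12                            # next header, payload len, reserved, SPI, seq


def ipv4_header(src: str, dst: str, ttl: int = 64, proto: int = 51) -> bytes:
    """Minimal IPv4 header; protocol 51 is AH. Header checksum left zero for the demo."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, ttl, proto, 0, addr(src), addr(dst))


def zero_mutable(ip_hdr: bytes) -> bytes:
    """Zero the fields routers change in transit (RFC 4302: DSCP/ECN, flags,
    fragment offset, TTL, header checksum) so the hash survives forwarding."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS (DSCP/ECN)
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def compute_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    # The ICV field itself counts as zero while the hash is computed.
    data = zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(ip_hdr, payload, spi, seq, next_header=17, key=SHARED_SECRET):
    """Sender side: hash header + payload, build the AH header, insert it after the IP header."""
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2      # AH length in 32-bit words, minus 2
    ah_fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    return ip_hdr + ah_fixed + compute_icv(key, ip_hdr, ah_fixed, payload) + payload


class AhReceiver:
    """Receiver side: preliminary antireplay check, ICV comparison, then window update."""

    def __init__(self, key=SHARED_SECRET, window=64):
        self.key, self.window, self.highest, self.seen = key, window, 0, set()

    def verify(self, pkt: bytes) -> str:
        ip_hdr, ah_fixed = pkt[:20], pkt[20:20 + AH_FIXED_LEN]
        recv_icv = pkt[20 + AH_FIXED_LEN:20 + AH_FIXED_LEN + ICV_LEN]
        payload = pkt[20 + AH_FIXED_LEN + ICV_LEN:]
        seq = struct.unpack("!BBHII", ah_fixed)[4]
        if seq in self.seen or seq + self.window <= self.highest:
            return "replay"                              # duplicate or fell behind the window
        if not hmac.compare_digest(recv_icv, compute_icv(self.key, ip_hdr, ah_fixed, payload)):
            return "bad_icv"                             # even a one-bit change lands here
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        return "ok"


def run_demo():
    """Original packet, the same packet after a router hop (TTL decremented), a one-bit
    payload flip, and a replay of the original. Returns ['ok', 'ok', 'bad_icv', 'replay']."""
    pkt = build_ah_packet(ipv4_header("10.0.0.5", "10.0.0.1"), b"hello over WLAN", spi=0x100, seq=1)
    rx = AhReceiver()
    results = [rx.verify(pkt)]
    forwarded = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]    # TTL change is excluded from the hash
    results.append(AhReceiver().verify(forwarded))
    flipped = bytearray(pkt)
    flipped[-1] ^= 0x01                                    # one bit of payload altered in transit
    results.append(AhReceiver().verify(bytes(flipped)))
    results.append(rx.verify(pkt))                         # seq 1 resent to the same receiver
    return results


if __name__ == "__main__":
    print(run_demo())
```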

Encapsulating Security Payload (ESP) is a security protocol that provides confidentiality by performing encryption at the IP layer. ESP provides confidentiality through encryption, data origin authentication, integrity, an optional antireplay service, and limited traffic-flow confidentiality by defeating traffic-flow analysis [21]. A variety of symmetric encryption algorithms is supported by ESP. The default algorithm for IPSec is the 56-bit DES algorithm, which is required by the standard to be implemented to guarantee interoperability among IPSec products.

Two modes, transport and tunnel, are supported by IPSec. Only the data portion, also known as the payload of each packet, is encrypted by transport mode, leaving the header unencrypted. Both the header and the payload are encrypted in the secure tunnel mode. Although the data portion of the packet is encrypted in transport mode, the originating machine address behind the VPN gateway is transmitted in the clear and is available to anyone watching traffic on an insecure or public network. The entire packet is encapsulated by the IPSec gateway, and a new header is wrapped around the packet using tunnel mode. All data is encrypted, and only the publicly available gateway address is visible.

The rules for deciding when to use AH or ESP are simple. The AH protocol is used when you want to make sure data from an authenticated source is transferred with integrity and does not need confidentiality. ESP is used when you need to keep data private and confidential. The upper-layer protocols (in transport mode) and the entire original IP datagram (in tunnel mode) are encrypted by ESP, rendering them unreadable from a wireless medium. If the gateway were being treated as a host, the transport mode would be used between endstations or between an endstation and a gateway. When the gateway is acting as a proxy for the hosts behind it, the tunnel mode is commonly used between gateways or at an endstation to a gateway. Obtaining addresses by eavesdropping for information transported via the transport mode could give an attacker the opportunity to perform a spoofing attack to gain unauthorized network access. For this reason, transport mode is rarely used for enterprise VPNs.

Because no dial-up session is established, the use of IPSec/IKE in a wireless remote-access scenario differs from the use of PPTP. Encapsulation or special headers between two endpoints are all that is needed for the IP session connection. The client machine IPSec configuration is often done through client software. Authentication and encryption policy rules are sent as part of the client configuration when the client machine is connecting to an IPSec host or gateway. Once the traffic is sent to a remote destination, the connection is authenticated and encrypted, and traffic is allowed to proceed across the connection. If the client software has been properly configured, this process will be transparent to the user.

The configuration of policies on client and server devices is a part of IPSec administration and addresses what authentication and encryption connection parameters will be used for a particular connection. The configuration policies may include whether to secure a single connection or all connections, connection type and ID such as a secure gateway tunnel and IP address, the mode (e.g., transport or tunnel), ID type such as a digital certificate or preshared key, negotiation mode (e.g., main or aggressive); Perfect Forward Secrecy (PFS, PFS Key Group [Diffie-Hellman type]) enabled or disabled; and replay detection enabled or disabled.

The Phase I proposal includes the encryption algorithm, hash algorithm, SA life, and key group, while the Phase II proposal includes SA life, compression, and ESP/AH. Only IP unicast traffic is supported by the IPSec standard. If multiple protocols or IP multicast tunneling is needed, another tunneling protocol is required. Support for tunneling packets other than IP unicast types is provided by either PPTP or L2TP. It is important to understand the advantages and disadvantages of certificate use in IPSec authentication versus preshared keys when making decisions as to which method to deploy. Certificates are advantageous in the IPSec environment because all IP types and services are supported. Other advantages include the following:

IPSec can be troublesome because it typically requires a client software installation, and not all required client operating systems may be supported. Interoperability between IPSec clients and IPSec servers/gateways is weak because of configuration issues. Client configuration is required before the tunnel is established. The firewall policy may not allow IKE or IPSec, which will result in connectivity being adversely affected by firewalls between the client and gateway. Connectivity can be adversely affected by NAT or proxy devices between the client and gateway. A VPN gateway client that has a tunnel into an organization without personal firewalls and/or access controls can become a target for hackers. In such situations, the client device can effectively be turned into a router, which provides an unauthorized entry path into the organization.

SSH2

SSH is an open standard defined by the IETF [22]. A cryptographically secure TCP/IP tunnel between two authenticated computers is provided through the implementation of the Secure Shell v2 (SSH2) [23] protocol. Authentication is implemented within the application, and encryption occurs at a special SSH transport layer. A client/server model is used by SSH2, and such implementations require special client/server software to communicate because the client must initiate the request for a secure connection. A client's username and password, a public key, or both authentication methods in sequence can be used as an added level of security. SSH2 mitigates eavesdropping, man-in-the-middle, insertion, and replay attacks that are common to wireless networks through the use of a secure command shell, secure file transfer, and port forwarding.
