SSL VPN : Understanding, evaluating and planning secure, web-based remote access

About this book
Virtual Private Networks (VPNs) provide remote workers with secure access to their company network via the Internet by encrypting all data sent between the company network and the user's machine (the client). Before SSL VPN this typically required the client machine to have special software installed, or at least be specially configured for the purpose. Clientless SSL VPNs avoid the need for client machines to be specially configured: any computer with a web browser can access SSL VPN systems. This has several benefits:

  • Low administration costs, no remote configuration

  • Users can safely access the company network from any machine, be that a public workstation, a palmtop, or a mobile phone

  • Bypass ISP restrictions on custom VPNs by using standard technologies

SSL VPN is usually provided by a hardware appliance that forms part of the company network. These appliances act as gateways, providing internal services such as file shares, email servers, and applications in a web-based format encrypted using SSL. Existing players and new entrants, such as Nokia, Netilla, Symantec, Whale Communications, and NetScreen Technologies, are rushing out SSL VPN products to meet growing demand. This book provides a detailed technical and business introduction to SSL VPN. It explains how SSL VPN devices work along with their benefits and pitfalls. As well as covering SSL VPN technologies, the book also looks at how to authenticate and educate users, a vital element in ensuring that the security of remote locations is not compromised. The book also looks at strategies for making legacy applications accessible via the SSL VPN.
Publication date: March 2005
Publisher: Packt
Pages: 212
ISBN: 9781904811077

 

Chapter 1. Introduction to SSL VPN

History provides us with a map of how technology changes the way we live and work. This technological transformation started with simple tools, expanded to the internal combustion engine, and has now reached computers and networks. One important example of this is transportation. Through a system of physical networks (roads, trains, airplanes, and so on) people can now work and live outside the congestion of large cities. Large parts of the population moved to 'suburb communities' and started the famous daily commute. In spite of high petrol prices, people stayed in their suburbs. Today, with the advent of the Internet, people can work almost anywhere. One of the technologies that allows the ubiquitous access required is known as SSL VPN. This chapter starts you on the road to understanding this technology. Nevertheless, before we get into too much detail, let's first understand how this technology will help you.

Many people work for what is now known as a 'virtual' organization. Workers in a virtual organization will not necessarily need an office, cube, or a parking space. More and more companies are letting staffers work remotely. The term used to describe these types of worker is 'teleworker'. As per the ITAC (International Telework Association and Council), the number of U.S. employees who work remotely has grown every year since 1999. The ITAC commissioned a study conducted by Dieringer Research Group (statistically based on teleworkers working at least one day per month), which shows teleworking has grown by nearly forty percent since 2001. What makes teleworking possible is the ability to connect your computer to the Internet from anywhere, anytime. This process of connecting remotely to the Internet is easy, and now with wireless, access is ubiquitous. Teleworking and remote computing are more than just working from poolside at your ranch house. They include:

  • Drinking coffee while working on a laptop at the local coffee shop (wireless 802.11)

  • Reading your online mail while on a train to a customer

  • On a customer site, using their network to connect to your corporate network

  • Sitting on a flight to Frankfurt—updating your résumé, and posting it to an Internet-based job site

  • Accessing accounting data via the Internet café on 42nd street in New York

  • Playing online games sitting on your deck in the backyard (with your dog)

  • Working from your house with the white picket fence in the suburbs

Note

Wireless Network

A wireless LAN is just that: wireless. Computers and routers connect to each other via a set protocol over a radio-frequency circuit. Much like TV or your cell phone, your home network can connect computers together without wires. The name of the wireless networking protocol is IEEE 802.11. This standard was developed to maximize interoperability between differing brands of wireless LANs (WLANs). The 802.11 technologies can work with standard Ethernet via a bridge or Access Point (AP). Wireless Ethernet uses a Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) scheme, whereas standard Ethernet uses Carrier Sense Multiple Access with Collision Detection (CSMA/CD). One of the biggest advantages of the 802.11 standard is that products from different vendors interoperate: as a user, you can buy a wireless LAN card from one vendor and another from a second vendor, and they can communicate with each other independent of the brand name of the card. Bear in mind that the radio link is a shared medium: anyone within range can receive the frames, so the confidentiality of what you send depends entirely on the encryption used over it.

Now you can be online almost anywhere and anytime. There are very few limits to wireless access in North America, Asia, and Europe, and soon you will be able to Google from anywhere in the world. So, as you can see, all is happy and secure in the world of ubiquitous Internet access. OK, let us stop and review that last statement. We used the words 'anytime' and 'anywhere'; so far, so good. The word 'secure', however, is not always true. In fact, with today's Internet, the traffic is rarely secure. The days of the 9600-baud modem are gone, along with the naive attitude that "all is secure". Access to the Internet is no longer safe by default.

The Internet is the communication backbone for more than just e-commerce; today you can access the Internet for almost everything:

  • Playing online games, posting your résumé, and looking for new loves

  • Supporting your business:

    • B2B (Business to Business)

    • B2C (Business to Consumer)

    • B2E (Business to Employee)

  • Messaging and emailing (with all of that spam…)

The Internet

In order to understand the security issues of the Internet, you first need to understand what the Internet really is. The Internet is not just one network. The Internet includes thousands of individual networks. The communication core of these networks is a pair of protocols known as Transmission Control Protocol and Internet Protocol (TCP/IP). These historic protocols provide connectivity between equipment from many vendors over a variety of networking technologies. The Transmission Control Protocol (TCP) is intended for use as a highly reliable host-to-host protocol in a packet-switched computer communication network. The Internet Protocol (IP) is specifically limited in scope to provide the functions necessary to deliver an envelope of data from one computer system to another. Each computer or device on a network has some type of address that identifies where it is on the network.

Much like computers, the Internet is a new concept for the world of communication. In 1973 Vinton Cerf, then at Stanford after completing his doctorate at UCLA (University of California, Los Angeles), and Robert Kahn of DARPA, the two people most often called the fathers of the Internet, developed a set of protocols to enable different types of computers to exchange data. The protocols they developed are now known as TCP/IP. The base part of the protocol is called IP, or Internet Protocol. While IP transports the packets of data between the various computer systems on the Internet, TCP delivers that data to the right application on each host, using port numbers. HTTP, the protocol of the WWW (World Wide Web), runs on top of TCP. (All of this will be discussed in detail later in this book.) Programs are built on top of this medium, which allows communication between server and client. A network can be connected with cables and/or wireless adapters. Basically the computer is connected via a Network Interface Card (NIC). The NIC's job is to place data onto the network. All network data is crafted into packets, and each packet carries the information needed to find its target computer and to say where it came from.

 


 

Reference Models


The layering that produces data packets is usually described with two reference models: the OSI and DARPA models. The Open Systems Interconnection (OSI) model is a standard reference model for how network data is transmitted between any two points in a computer network. TCP/IP in its most basic form follows the Defense Advanced Research Projects Agency (DARPA) model of internetworking and its network-defined layers. Much like the DARPA model, the OSI model was designed to connect dissimilar computer network systems. The OSI reference model defines seven layers of functions that take place at each end of a network communication:

OSI Reference Model

  • Application (7): This is the layer at which programs are identified; user authentication and privacy are implemented here.

  • Presentation (6): This layer, usually part of an operating system, converts incoming and outgoing data from one presentation format to another.

  • Session (5): This layer sets up, coordinates, and ends the conversations, exchanges, and dialogs between the applications at each end.

  • Transport (4): This layer manages end-to-end control and error checking.

  • Network (3): This layer handles the routing and forwarding of the data.

  • Data link (2): This layer provides error control and synchronization for the physical level.

  • Physical (1): This layer transmits the bit stream through the network at the electrical and mechanical level.

TCP/IP also has a much simpler protocol model called the DARPA model:

DARPA Model

  • Process (4): This is the layer where higher-level protocols such as FTP, SMTP, and HTTP are defined and executed.

  • Host to Host (3): This is where TCP (and UDP) live. This is the mechanism that actually delivers the data to the correct application: TCP and UDP port numbers are defined here.

  • Internet (2): IP addresses are used to direct packets to the correct destination. Routing protocols live here, along with Address Resolution Protocol (ARP) and Internet Control Message Protocol (ICMP).

  • Network Interface (1): This is the physical connection to the network: Ethernet, token ring, and so on. The packets are placed onto the network at this point.

 

Introducing Hacker Bob


Network architecture is discussed in detail in Appendix A. It is important for you to understand network architecture, since hackers understand it! Hacking into computers can include TCP port scanning, fake emails, trojans, and IP address spoofing. The essence of TCP port scanning is to pick out a target computer and explore it to see what ports are open and what a hacker can do with them. If you understand ports, then you can understand what hackers can do to you and your systems. With this knowledge you can understand how to effectively keep your computers and networks secure.

Next is our introduction to Hacker Bob.

The above figure shows how Hacker Bob uses his evil hacker tools (and experience) to monitor your network.

Remember those packets and TCP ports? Hacker Bob can monitor the Internet and copy packets into his evil network. Once he has the copied packets, then he can analyze them and extract your sensitive data as explained below:

Trapping Your Data

Once Hacker Bob has your data then he can use a simple tool to review and analyze it. The following example shows how Hacker Bob could analyze your IP packet:

  1. The user launched a browser and entered the following site: http://www.HR_Data_the_company.xyz.

  2. Hacker Bob was monitoring the Internet with a network packet capture utility.

  3. Bob was able to use a filter to view just port 80 packets (HTTP only).

  4. Bob then viewed the IP packet payload.

In this example below, the data section is 1460 bytes. This payload is transferred in ASCII text using HTML. As a result, it is easy for Hacker Bob to read the data:

</font><b><font color="#424282">@This data is a Secret</font>

Now in the hacker's words "That data is mine."

Basic HTTP Authentication

To make things worse, at some point, during your normal Internet browsing activities, you have likely received one of these types of pop-up windows from your browser:

Typically the username is some name that an administrator (or software utility) has assigned to you or you have assigned yourself. The Web is full of places that require a username. The username is a mechanism that identifies who you are in relation to the program or data you are trying to access; the password is the key that proves that you have the authority to use that username. This is a simple and effective mechanism for controlling access to data. In Basic HTTP Authentication, however, the password is not encrypted at all: the browser joins the username and password as username:password, Base64-encodes the result, and sends it in the Authorization header of every request to that protection space. Base64 is an encoding, not encryption, and anyone watching packet traffic on the network can decode it instantly from a single captured request. Therefore, our friend Hacker Bob could just extract the right packet and he has your username and password. All Hacker Bob had to do was read RFC 2617 (http://www.ietf.org/rfc/rfc2617.txt) for all the information he needed.
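To make the four capture steps above and the Basic Authentication weakness concrete, here is an added example (not the book's code, and not a real capture): it builds three constructed Ethernet/IPv4/TCP frames in memory, applies Bob's 'port 80 only' filter, reads the HTML payload back, and decodes the Base64 credentials from the Authorization header. The IP addresses, the user name alice and the password s3cret are invented for the example.

```python
"""Added example (not the book's code): what Hacker Bob sees on the wire.

Three constructed Ethernet II / IPv4 / TCP frames are built in memory (no real
capture), the text's "TCP port 80 only" filter is applied, and the HTTP payloads
are read back, including the Base64-encoded Basic Authentication credentials.
"""
import base64
import struct


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet II + IPv4 + TCP frame. Checksums are left zero; enough to parse."""
    eth = b"\x00" * 6 + b"\x11" * 6 + struct.pack("!H", 0x0800)          # dst MAC, src MAC, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))                 # IHL 5, TTL 64, proto TCP
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)  # offset 5, PSH|ACK
    return eth + ip + tcp + payload


def parse_frame(frame: bytes):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                   # IP protocol field: 6 = TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_offset:]


def http_sniff(frames, port=80):
    """Bob's filter: keep only TCP segments to or from `port` that carry data."""
    hits = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        if port in (sport, dport) and payload:
            hits.append((src, dst, payload))
    return hits


def extract_basic_credentials(http_payload: bytes):
    """Decode 'Authorization: Basic <base64(user:password)>' (RFC 2617), or return None."""
    for line in http_payload.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            token = line.split(b" ", 2)[2]
            user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
            return user, password
    return None


# Constructed sample traffic (invented addresses and credentials, not a real capture):
# an HTTPS segment, the Basic-auth request from step 1, and the server's HTML reply.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "203.0.113.10", 50000, 443, bytes(range(32))),   # TLS: opaque to Bob
    build_frame("10.0.0.5", "203.0.113.20", 50001, 80,
                b"GET /hr/ HTTP/1.1\r\nHost: www.HR_Data_the_company.xyz\r\n"
                b"Authorization: Basic " + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n"),
    build_frame("203.0.113.20", "10.0.0.5", 80, 50001,
                b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                b'<b><font color="#424282">@This data is a Secret</font>'),
]


def sniff_report(frames=SAMPLE_FRAMES):
    """What Bob learns after the port-80 filter: segment count, credentials, and the page text."""
    report = {"segments": 0, "credentials": None, "secret_seen": False}
    for _src, _dst, payload in http_sniff(frames):
        report["segments"] += 1
        creds = extract_basic_credentials(payload)
        if creds:
            report["credentials"] = creds
        if b"This data is a Secret" in payload:
            report["secret_seen"] = True
    return report


if __name__ == "__main__":
    print(sniff_report())   # the port-443 segment is filtered out and would be unreadable anyway
```

Run it and the port-443 segment never reaches the report: its payload is dropped by the filter and, on a real network, would be encrypted in any case. Everything on port 80, including the Base64 credentials, comes out in the clear; that asymmetry is the whole argument for the rest of the chapter.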

Keeping Hacker Bob Out of Your Data

Here is the scenario: you are the network manager of a large worldwide enterprise company. You know that you must provide secure access from about 50 sites around the world to your corporate network at your headquarters in Dallas. In addition, each site will have a local network with about 10-12 computers. Making your task a bit harder, the CIO of your company has mandated that you must save money and, at the same time, quickly get the network service up and running. How can you do this? One answer to this problem would be to set up direct connect circuits to each site, also known as a private network. However, this can be a really expensive solution. So, the solution to this quagmire is obvious: you can create a Virtual Private Network (VPN).

 

VPNs


You now ask: "So what is a VPN?" The most basic definition of a VPN is "a secure connection between two or more locations over some type of a public network". A more detailed definition of a VPN is a private data network that makes use of the public communication infrastructure. A VPN can provide secure data transmission by tunneling data between two points—that is it uses encryption to ensure that no systems other than those at the endpoints can understand the communications. The following diagram shows a basic example:

Traveling sales people will connect to the Internet via a local provider, which can be AOL, EarthLink, or a local community Internet Service Provider, through the provider's nearest access point (known as a POP, or Point Of Presence). The diagram above shows the concept of the VPN. The VPN now hides, or encrypts, the data, thus keeping Hacker Bob out of your data.

Remember your challenge from the CIO—"secure access from 50 sites around the world into the corporate network and each site having about 10-12 computers?" We have the answer for you. Let's look at two examples:

  • Connecting one computer to the company corporate network

  • Connecting networks together (your answer)

One Computer to the Corporate Network

In the example, below, a traveling user is able to connect securely to the corporate network via the VPN. The user will connect to the VPN via a local Internet service provider, then that traffic will be routed to the corporate network. At this point the VPN traffic from the end user will terminate into a VPN receiving device or server.

As you can see, Hacker Bob cannot read and/or trap your data—he is stopped.

Note

In this example above Hacker Bob may still be able to trap a copy of each packet, but the encrypted data will not be readable.

Remote Office Network Connected to the Main Office

In the example below, a remote office will be able to connect to the computers and servers in another office via the Internet. An end user on the remote network will access one of the corporate network services. The traffic will route from the remote office to a VPN device, travel securely over the Internet, and into the VPN device on the corporate network. Once on the corporate network the end user will have the potential to access any of the corporate services or servers. As shown below, Hacker Bob is thwarted once again and cannot read your sensitive data:

Now your problem is solved; your company is able to provide access to its corporate office computers from anywhere in the world. And the final result—Hacker Bob will be looking elsewhere to launch his evil plan.

 

VPN Examples


Let's look at some of the different protocols for creating secure VPNs over the Internet:

  • L2TP: Layer-2 Tunneling Protocol

  • IPsec: IP Security Protocol

L2TP, the Layer-2 Tunneling Protocol, combines features of Microsoft's Point-to-Point Tunneling Protocol (PPTP) and Cisco's Layer-2 Forwarding (L2F). L2TP is a network protocol that can send encapsulated packets over networks like IP, X.25, Frame Relay, Multiprotocol Label Switching (MPLS), or Asynchronous Transfer Mode (ATM). Note that L2TP on its own only tunnels; it does not encrypt, which is why it is normally run inside IPsec (L2TP/IPsec, RFC 3193).

IPsec encrypts all outgoing data and decrypts all incoming data so that you can use a public network, like the Internet, as a transport medium. IPsec VPNs operate at Layer 3 of the OSI Model. This is achieved by using two different protocols:

  • Authentication Header (AH)

  • Encapsulating Security Payload (ESP)

The Authentication Header provides per-packet integrity and origin authentication (plus anti-replay protection) for the whole IP packet, but no confidentiality. The two-way authentication of the VPN endpoints themselves, which can be implemented in hardware or software, is carried out when the connection is set up (by the key exchange described below) using a pre-shared key or an X.509 certificate; many remote-access implementations add user authentication on top of this via a standard set of credentials, a user ID and password, or a token.

The Encapsulating Security Payload protocol provides the data encryption (and, optionally, its own integrity check). Most implementations support algorithms such as DES (Data Encryption Standard), 3DES (Triple Data Encryption Standard), or AES (Advanced Encryption Standard); single DES, with its 56-bit key, should be regarded as obsolete. In its most basic configuration, IPsec begins with a handshake in which each endpoint authenticates the other, agrees on security policies (the Security Associations), and derives the keys that AH and ESP will use.

IPsec

IPsec can support two encryption modes:

  • Transport: encrypts the data portion of each packet, but leaves the header unencrypted. The original routing information in the packet is not protected from being viewed by unauthorized parties.

  • Tunnel: encrypts both the header and the data. The original routing data is encrypted, and an additional set of routing information is added to the packet to be used for routing between the two endpoints.
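The following added example (not the book's code) shows the practical difference between the two modes from Hacker Bob's seat. It builds a constructed IP packet from a branch host to a head-office server, wraps it in an ESP-style body in transport mode and in tunnel mode, and reports what an observer without the key can read. The addresses, SPI values and key are invented; the cipher is a stand-in keystream (HMAC-SHA256 in counter mode) for the DES/3DES/AES transforms that real ESP uses; the body layout follows ESP (SPI, sequence number, IV, ciphertext, trailer with pad length and next-header) but the IP checksum and the ESP integrity check value are omitted.

```python
"""Added example (not the book's code): what an eavesdropper can read in IPsec
ESP transport mode versus tunnel mode.

A constructed IPv4/TCP packet from a branch host to a head-office server is
wrapped in an ESP-style body (SPI, sequence number, IV, ciphertext, trailer).
The cipher is a stand-in keystream (HMAC-SHA256 in counter mode) for the
DES/3DES/AES transforms real ESP uses; the IP checksum and the ESP integrity
check value are omitted. Addresses, SPIs and the key are invented.
"""
import hashlib
import hmac
import struct

ESP_PROTO = 50          # IP protocol number for ESP
IPIP_PROTO = 4          # next-header value for an encapsulated IPv4 packet (tunnel mode)
TCP_PROTO = 6


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header: IHL 5, TTL 64, checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       _ip_bytes(src), _ip_bytes(dst))


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with HMAC-SHA256(key, iv || counter) blocks.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, iv + struct.pack("!I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def esp_wrap(key: bytes, spi: int, seq: int, next_header: int, plaintext: bytes) -> bytes:
    """ESP-style body: 4-byte SPI, 4-byte sequence number, 8-byte IV, then the
    ciphertext of (plaintext + trailer). Trailer = pad length (0 here) + next-header."""
    iv = hashlib.sha256(struct.pack("!II", spi, seq)).digest()[:8]   # unique per (SPI, seq)
    trailer = bytes([0, next_header])
    return struct.pack("!II", spi, seq) + iv + keystream_xor(key, iv, plaintext + trailer)


def esp_unwrap(key: bytes, body: bytes):
    """Inverse of esp_wrap: returns (next_header, plaintext)."""
    iv = body[8:16]
    plain = keystream_xor(key, iv, body[16:])
    pad_len, next_header = plain[-2], plain[-1]
    return next_header, plain[:len(plain) - 2 - pad_len]


def transport_mode(key: bytes, src: str, dst: str, tcp_segment: bytes) -> bytes:
    """Original IP header stays in the clear (protocol becomes ESP); only the TCP segment is encrypted."""
    body = esp_wrap(key, spi=0x1001, seq=1, next_header=TCP_PROTO, plaintext=tcp_segment)
    return ipv4_header(src, dst, ESP_PROTO, len(body)) + body


def tunnel_mode(key: bytes, gw_src: str, gw_dst: str, inner_packet: bytes) -> bytes:
    """Whole original packet, header included, is encrypted; a new gateway-to-gateway header is added."""
    body = esp_wrap(key, spi=0x2002, seq=1, next_header=IPIP_PROTO, plaintext=inner_packet)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(body)) + body


def gateway_decrypt(key: bytes, packet: bytes):
    """What the receiving VPN device does: strip the outer header and unwrap the ESP body."""
    return esp_unwrap(key, packet[20:])


def observer_view(packet: bytes) -> dict:
    """What Hacker Bob reads without the key: outer addresses, protocol, TCP ports only if exposed."""
    proto = packet[9]
    return {"src": ".".join(str(b) for b in packet[12:16]),
            "dst": ".".join(str(b) for b in packet[16:20]),
            "proto": proto,
            "tcp_ports": struct.unpack("!HH", packet[20:24]) if proto == TCP_PROTO else None,
            "payload_readable": b"payroll" in packet}


# Constructed scenario: branch host -> HQ server, through two VPN gateways.
KEY = b"example-session-key-not-for-real-use"
HOST, SERVER = "192.168.10.7", "10.50.0.25"
GW_A, GW_B = "198.51.100.1", "203.0.113.1"
TCP_SEGMENT = (struct.pack("!HHIIBBHHH", 51234, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
               + b"GET /payroll HTTP/1.1\r\n\r\n")


def compare_modes() -> dict:
    """Observer's view of the same packet sent in the clear, in transport mode, and in tunnel mode."""
    inner = ipv4_header(HOST, SERVER, TCP_PROTO, len(TCP_SEGMENT)) + TCP_SEGMENT
    return {"plain": observer_view(inner),
            "transport": observer_view(transport_mode(KEY, HOST, SERVER, TCP_SEGMENT)),
            "tunnel": observer_view(tunnel_mode(KEY, GW_A, GW_B, inner))}


if __name__ == "__main__":
    for mode, view in compare_modes().items():
        print(f"{mode:9s} {view}")
```

In transport mode the observer still learns that 192.168.10.7 is talking to 10.50.0.25, just not what about (the ports and the request are inside the ciphertext); in tunnel mode all he sees is one gateway address talking to another, which is why site-to-site VPNs between two offices use tunnel mode.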

IPsec keys are negotiated with the Internet Key Exchange (IKE), which is built on the Internet Security Association and Key Management Protocol (ISAKMP) framework and the Oakley key-determination protocol, hence the older name ISAKMP/Oakley. IKE authenticates the two peers (with a pre-shared key, or with digital certificates, in which case each side obtains and verifies the other's public key) and performs a Diffie-Hellman exchange so that both ends derive the same session keys without ever sending a key across the network. Once the keys are in place, the traffic can be encrypted. IPsec is described in many RFCs, including 2401 (architecture), 2406 (ESP), 2407, 2408 (ISAKMP), and 2409 (IKE); these have since been superseded by RFC 4301, RFC 4303 and, for IKEv2, RFC 7296. Also see RFC 3193 for securing L2TP using IPsec.

The downside to a client-based VPN (such as those using IPsec or L2TP) is that you need to configure and/or install some type of software. Yes, there is VPN code built into Windows, but you still need to configure the client. In some cases you may even need to install a client certificate. In addition, personal firewalls, anti-virus software, and other security technologies may be necessary on the client, because once the tunnel is up the remote machine is effectively on your network. The basic configuration for an IPsec VPN is a central site hub device and a remote client computer. Once the connection has been established, a tunnel is created over the network (private or public). This encrypted tunnel secures the communication between the endpoints, and once again our best buddy Hacker Bob is not able to read our communications.

Note

Secure VPNs

VPNC (Virtual Private Network Consortium) supports three protocols for secure VPNs (L2TP, IPsec, and SSL/TLS) and another two for trusted VPNs (MPLS and transport of layer 2 frames over MPLS). For securing L2TP using IPsec, see RFC 3193 (http://www.vpnc.org/rfc3193).

SSL VPN

Another option that is available to secure traffic on the Internet is the Secure Sockets Layer (SSL), now standardized by the IETF under the name Transport Layer Security (TLS). SSL is a protocol that provides encryption for network-based traffic. SSL is a network protocol with responsibility for the management of a secure, encrypted communication channel between a server and a client. SSL is implemented in the major Web browsers such as Internet Explorer, Netscape, and Firefox. One of the most basic functions of SSL is message privacy. SSL can encrypt a session between a client and a server so that applications can exchange and authenticate user names and passwords without exposing them to eavesdroppers. SSL will block Hacker Bob's attempts to read our data by scrambling it.

One of the most powerful features of SSL is the ability for the client and server to prove their identities by exchanging certificates. All traffic between the SSL server and SSL client is encrypted using a shared session key and a negotiated encryption algorithm. This is all arranged during the SSL handshake, which occurs at session initialization. Another feature of the SSL protocol is that SSL will ensure that messages between the sending system and the receiving system have not been tampered with during transmission. The result is that SSL provides a secure channel between a client and a server. SSL was basically designed to make the security process transparent to the end user. Normally a user would follow an https:// URL to a page that connects to an SSL-enabled server (see RFC 1738 for URL syntax: http://ds.internic.net/rfc/rfc1738.txt). The SSL-enabled server accepts connection requests on TCP port 443 (which is the default port for HTTPS). When the client connects to port 443 the handshake process establishes the SSL session.

Several years ago there was a creative advertisement showing one person walking down the street eating chocolate and another person walking down the street eating peanut butter: they run into each other and now we have a product that comprises chocolate and peanut butter together. This is exactly what happened with the SSL VPN.

This combination of SSL and VPN provides us with the following benefits:

  • This combination of SSL encryption and proxy technologies can provide very simple access to Web and corporate applications.

  • The marriage of technologies can provide client and server authentication with data encryption between each party.

  • Overall, it can be easier to set up an SSL VPN than to set up and manage an IPsec VPN.

More benefits of SSL VPN technology will be discussed in the next chapter.

In some respects, the SSL VPN implementation will be similar to that of IPsec. SSL VPNs will also require some type of a hub device. Also the client will require some type of communication software, namely an SSL-enabled web browser. As most computers have an SSL-enabled browser that includes root SSL certificates from certified public Certificate Authorities (CA), by default SSL VPN access is available from the client. Additional client software can be downloaded automatically during SSL VPN sessions (typically this software is in the form of an applet plug-in). The central hub device and the software client will encrypt the data over an IP network. This process of encryption will make the data unreadable to Hacker Bob.

Note

A full discussion of public and private CA can be found in The Internet Security Guidebook: From Planning to Deployment available at: http://www.amazon.com/exec/obidos/tg/detail/-/0122374711/102-0386261-4698507?v=glance.

IPsec vs. SSL VPN

Most IPsec VPNs will use custom software at each of the end points—the hub device and client. If you think about this for a bit then you will see that this process provides a high level of security. Each end point requires some type of setup steps, potentially adding more human intervention into the process.

The SSL VPN normally will not require any special client software. The overall security is the same as that of the IPsec solution. As far as setup goes, if the browser is up-to-date then the process is automatic.

Both IPsec and SSL VPNs can provide enterprise-level secure remote access. Both these technologies support a range of user authentication methods, including X.509 certificates. IPsec overall is more vulnerable to attack, unless certificates are used. SSL Web servers always authenticate with digital certificates, even in the one-way authentication that native SSL uses. SSL will determine if the target server is certified by any of the CAs. SSL provides better flexibility in cases where trust is limited or where it is difficult (or unwise) to install user certificates (for example, on public computers).
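The certificate check described above and in the handshake discussion earlier (the browser deciding whether the server is certified by a CA it trusts, and whether the certificate matches the host in the URL the user followed), as an added Go example that is not part of the book: it generates a self-signed certificate for a constructed hub name, runs the handshake over loopback, and reports whether the client accepted the hub. HubName, NewHubCert and Handshake are names chosen here; the certificate, the trust store and the host names are constructed, and the self-signed certificate stands in for one issued by a public CA.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

const HubName = "sslvpn.example.test" // constructed host name of the stand-in SSL VPN hub

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // key generation and loopback listening are not expected to fail
	}
	return v
}

// NewHubCert returns a self-signed certificate for HubName, standing in for the hub's
// CA-issued server certificate, plus a client trust store that holds it as a trusted root.
func NewHubCert() (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: HubName}, DNSNames: []string{HubName},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(der)))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// Handshake runs one SSL/TLS handshake over loopback with roots as the client's trusted
// CAs and serverName as the host from the URL; nil means the client accepted the hub.
func Handshake(hub tls.Certificate, roots *x509.CertPool, serverName string) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	go func() { // hub side: accept one connection and run its half of the handshake
		c := must(ln.Accept())
		tls.Server(c, &tls.Config{Certificates: []tls.Certificate{hub}}).Handshake()
		c.Close()
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: serverName})
	if err == nil {
		cli.Close() // session established; tear it down again, the handshake was the point
	}
	return err
}
```

Calling Handshake with an empty trust store yields an unknown-authority error and calling it with a host name other than HubName yields a host-name mismatch; only the trusted root together with the matching name produces an established session.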

Trusted Networks

A Trusted Network of a company is a network that the company uses to conduct its internal business. In many cases, the Trusted Network is by default defined in the organization as 'Secure'. The Trusted Network typically supports the backend systems, internal-only intranet web pages, data processing, messaging, and in some cases, internal instant messaging. In many companies, systems on the Trusted Network are allowed to interact with each other directly, without encryption. The problem with the definition above is that many assumptions are being made at these companies. A Trusted Network is not always a secure network. In fact, in many cases the Trusted Network cannot be trusted. The reason is that an internal network comprises many different networks. These include new acquisitions, old acquisitions, international access points, and even several access points to the outside world. A common practice is to define the Trusted Network as the network that internal employees use when at the office or via a secure controlled dial-in mechanism. A single access point is established to the outside world via a mechanism called the Demilitarized Zone (DMZ).

The DMZ

The DMZ is an isolated network placed as a buffer area between a company's Trusted Network and the Non-trusted Network. The Internet is always defined as untrusted. By design, the DMZ prevents outside users from gaining direct access to the Trusted Network. The following figure shows a generic DMZ:

Most DMZs are configured via a set of rules that are controlled by the Policies and then implemented via the Procedures for your organization. One of the most common rules is that a single port number (like 80) cannot traverse the DMZ. So if you are attempting to access an application on a DMZ via HTTP on port 80, then that port cannot terminate into the trusted network via the DMZ. This is what the DMZ does; it keeps untrusted traffic from entering the Trusted Network. It is the job of the DMZ to filter the traffic and limit access to the Trusted Network via filtering and authentication, and even to completely block traffic if needed. Here are a few examples of what the DMZ can do:

  • Block port scans of your Trusted Network

  • Block access to the Trusted Network via a single TCP port

  • Block Denial of Service Attacks (DoS) from your trusted network

  • Scan email messages for virus, content, and size

  • Block passive eavesdropping/packet sniffing

SSL VPN Scenarios

So, how does SSL VPN fit into corporate network infrastructure? Below are a couple of examples of SSL VPN access.

  • SSL VPN access to selected devices via the use of an SSL VPN hub (access from the Internet)

  • SSL VPN access to a special network that uses an SSL VPN hub sitting between the trusted network and the special network

SSL VPN—Hubs

One of the key security elements of a DMZ is the ability to terminate the IP connection at various points in the DMZ and the trusted network. The example below shows a client connection on the Internet (untrusted) to an SSL VPN hub on a trusted network.

The traffic is routed into the DMZ, and then is terminated at the router. The IP address is now translated to a DMZ IP address, for example 10.10.10.10. The DMZ can then provide some authentication and allow the traffic to route to the trusted side of the DMZ. At this point the IP address can be translated to another IP address, like 192.168.10.12. The packets are then routed to the SSL VPN device (hub).

The SSL VPN will execute additional checks on the traffic. If all tests are passed then, based on a set of rules and authentication, the traffic could be routed to the HTTP messaging server. In this example you could have a CxO (CEO, CIO, CTO, etc.) on vacation, checking out the Lion King playing on 42nd street. Before sitting down, the CxO walks into the Internet Café next door and checks his or her email. Now the CxO can feel secure that Hacker Bob will not be able to read those important corporate emails.

Network architectures used to support SSL VPN access from the Internet will be discussed in detail in Chapter 4.

SSL VPN—Private Network

Many large enterprise companies will have private networks. These private networks can span not only just their home country, but can also span the globe. In many cases, these private networks will interconnect via several Internet Service Providers (ISPs). Also some companies will not only have a private network at their local office, but will also have a Point of Presence (POP) to the Internet. This can add additional challenges to keeping the private network secure; each POP is an opportunity for Hacker Bob to enter the network. Additionally, not all corporate employees and contractors are necessarily honest; some may also pose a threat to internal resources. As a result, large companies often regard their trusted private network as untrusted. The risk is that there can be unauthorized access into the private network at several points—not only from the POPs, but also from the ISP. The example below shows where SSL and/or SSL VPNs can be used to provide secure access where the network is NOT trusted:

In the above example, the end user is hosted on the corporate trusted network. The end user may want to access a web page, messaging, or even their file server. Traffic will originate at the end user's computer and will be routed via the trusted network basic address, for example, 192.168.10.22. Packets are terminated in the SSL VPN hub; at this point the data is then routed to each service. Now, a worldwide organization can determine that its data transfers are secure, and not readable by bad old Hacker Bob.

Summary

This chapter served as an introduction to understanding the world of SSL VPN. We discussed TCP/IP networking, the Internet, how VPNs keep communications secure over insecure networks, and looked at different VPN technologies.

The remainder of this book discusses the details of SSL VPN—what it is, how it works, how to secure it, why it makes sense business wise, and more.
