
IPsec, SSL/TLS Standards, and VPN Security

Classify the three different types of Private Networks (VPNs).

VPNs are a type of private network with two main types: the Commercial VPN and the Non-Commercial VPN. The commercial VPN is usually used by businesses in order to provide secure communication between their company’s personnel and remote locations (Almomani, 2022). These are also often used for remote workers who need to access certain files or applications on a regular basis, as well as employees who want to connect with co-workers outside of the office. This type of VPN is used to access applications and files through the private network.

The Non-Commercial VPN is usually used by privacy activists and individuals who need to preserve their anonymity while they are online, as they require access to the Internet while keeping their communications confidential. This type of VPN is used to access the Internet anonymously, with the added benefit of being able to connect through a private network.

Distinguish the characteristics of each type in terms of configuration (e.g., host-to-host), transmission technology (e.g., multiplexing), and ease of implementation

There are three types of communication networks:
The host-to-host network is so called because it is used for connection between two hosts only. The server connects one client to the other and does not communicate with any third party (other than its own host).
The host-to-network network can be used for connection between hosts within a single large entity, but it can also be connected to the outside world (Almomani, 2022). The Internet is an example of this type of network.

The host-to-host and host-to-network are sometimes connected with a router, which is a device that forwards data from one network to another. A router may connect both types of networks or only one of them; in any case, it has two connections with the outside world and can route information to other networks at its destination.

Another common device that can be used to connect different types of networks is the bridge. It forwards data between two or more networks, but it also connects them in such a way that they have the same topology as one large network (Almomani, 2022). From an outside point of view, it appears as if the two connected networks were one entity under a common administration, though their geographical locations can be different. A wired or wireless network consists of one or more networks connected by routers. A special case of this type is a telephone network, which can be seen as a special kind of network consisting of links between switches and hosts that are routers for other devices on their sides.

The signal sent over links is called traffic and each link can have multiple traffic streams that are carried independently from other traffic. The host-to-host network uses a client/server relationship. This means that there is one host (the server) that always remains online and to which clients are connected, and the clients can be disconnected at any time when they are not using the service from the server (Almomani, 2022). The server also has multiple clients in most cases. The clients and servers may use different operating systems (OS). A router connects two or more networks with each other, but it is possible to connect more than two networks to the same router if necessary.

Compare the two different Internet security standards of IPsec and SSL/TLS in terms of features they provide for security, strengths, and weaknesses.

IPsec is a standards-based and open protocol suite, designed to provide integral security services at the IP layer. IPsec has two different modes of operation – transport and tunnel. Transport mode only provides data integrity, data origin authentication, and anti-replay protection for the upper layer protocols (e.g., TCP). Tunnel mode additionally provides confidentiality for these upper layer protocols by encrypting their traffic within an IPsec tunnel.

In Transport mode (for non-tunnel use), IPsec uses Hash-based Message Authentication Code (HMAC) to provide integrity checking of upper-level protocol traffic, and uses sequence numbers and time stamps to provide data origin authentication. In Tunnel mode, the IP header is replaced with a header that carries the actual IPsec payload (Liagkou et al., 2019). This design ensures that the two sides of an IPsec tunnel exchange traffic in a way that cannot be used to facilitate an attack on the lower-layer protocols.

In addition to providing security, IPsec also integrates other network services into the IP layer. The Encapsulating Security Payload (ESP) protects the confidentiality of encapsulated (tunneled) data by encrypting it using an encryption algorithm and an encryption key. ESP can operate in two modes: transport mode and tunnel mode. In transport mode, ESP protects the upper layer protocols from modification or forgery (Liagkou et al., 2019). In tunnel mode, ESP encrypts both the inner and outer IP headers so that attackers in the network cannot forge or modify packets. ESP provides data integrity by using HMAC to check whether an encrypted packet has been altered in transit.

Like IPsec, the Secure Sockets Layer (SSL) Protocol provides confidentiality and data integrity services. SSL was designed to be application-independent, and it is commonly used for securing Web traffic. SSL provides the transport layer services of integrity, authentication, and confidentiality for TCP-based services such as HTTP.

Like IPsec, SSL also provides data origin authentication and anti-replay protection by using HMAC. For example, the server generates a message digest (HMAC) of the client’s message and compares it with the digest that the client returns. SSL also uses sequence numbers to provide data integrity (Liagkou et al., 2019). The client generates a sequence number and sends it to the server. The server acknowledges the sequence number and returns it to the client. It then verifies that the message received is the same as what was sent by checking if the sequence number received is one greater than previously received (in other words, out of sync).

However, unlike IPsec, SSL does not provide confidentiality. Instead, SSL provides encryption only in tunnel mode. In transport mode, the server encrypts the entire TCP/UDP conversation between itself and the client. The client can use a separate key to decrypt the messages in transport mode.

SSL/TLS has been designed to provide security services at both layers of the TCP Application Layer: Internet Protocol transport and User Datagram Protocol (UDP) access. Both TLS and SSL work together in harmony to provide security (Liagkou et al., 2019). The Secure Sockets Layer (SSL) Protocol performs a similar role to IPsec. It provides confidentiality, data integrity, and authentication services for TCP-based applications such as HTTP. SSL was designed to be application-independent, and it is commonly used for securing Web traffic.

The key difference between IPsec and SSL is that SSL/TLS provides services at both layers of the TCP Application Layer: Internet Protocol transport and User Datagram Protocol (UDP) access. Both TLS and SSL work together in harmony to provide security. So, while IPsec provides only the Layer 3 or 4 service, both IPsec and SSL/TLS provide Layer 3 through 6 services.

In terms of features, the two technologies share the same set of features, which include: data origin authentication and anti-replay protection, data integrity checking through message digesting, confidentiality in tunnel mode, and encryption capabilities in transport mode (Liagkou et al., 2019). However, the key difference is that IPsec supports tunneling of upper layer protocols (the transport layer), which is not possible with SSL/TLS.

Both IPsec and SSL/TLS provide data origin authentication through hash-based message authentication code (HMAC). This provides data integrity to ensure that a packet has not been tampered with after it has been processed by the upper layer protocol.
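To make the HMAC integrity check and the sequence-number anti-replay protection described above concrete, here is an added Python example (not code from the essay or its cited papers) of an ESP-style receiver: each packet carries a 32-bit sequence number and an HMAC-SHA256 tag, and the receiver verifies the tag first and only then applies the RFC 4303 sliding-window replay check. The key, the packet layout and the 64-packet window are assumptions made for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed demo key; in IPsec the integrity key comes from the SA negotiated by IKE/ISAKMP.
INTEGRITY_KEY = b"demo-integrity-key-not-for-production"
WINDOW_SIZE = 64  # RFC 4303 minimum anti-replay window size
TAG_LEN = 32      # HMAC-SHA256 output length


def protect(seq: int, payload: bytes, key: bytes = INTEGRITY_KEY) -> bytes:
    """Sender side: seq (4 bytes, big-endian) || payload || HMAC tag over seq+payload."""
    body = struct.pack("!I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class ReplayWindow:
    """Receiver state for one Security Association: highest seq seen plus a bitmap
    of already-accepted sequence numbers (bit i set means seq highest-i was accepted)."""

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False  # sequence number 0 is never valid in ESP
        if seq > self.highest:  # newer than anything seen: slide the window forward
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False  # older than the window: drop
        if self.bitmap & (1 << diff):
            return False  # already accepted: replay
        self.bitmap |= 1 << diff  # late but in-window packet, accept once
        return True


def receive(packet: bytes, window: ReplayWindow, key: bytes = INTEGRITY_KEY):
    """Return the payload if integrity and anti-replay checks pass, otherwise None."""
    if len(packet) < 4 + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or modified: reject before touching replay state
    seq = struct.unpack("!I", body[:4])[0]
    if not window.check_and_update(seq):
        return None
    return body[4:]
```

Verifying the tag before updating the window matters: a forged packet with a high sequence number must not be allowed to slide the window and cause genuine packets to be dropped.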

Evaluate the IPsec and SSL/TLS standards for implementing security in the three different types of VPNs.

Logical Link Layer (LLP) or Layer 2 VPNs, the Point-to-Point Tunneling Protocol (PPTP), and Strong Authentication via a Public Key Infrastructure (SAPKI) are vulnerable to a variety of attacks. These three protocols have their strengths and weaknesses, with cooperation from their peers in the IPsec standard. In order to protect your virtual private network from these attacks, it is necessary to understand what each type is vulnerable to in the first place.

Logical Link Layer (LLP) or Layer 2 VPNs were created to address the problems faced by connectionless technologies when used for secure network communication. These protocols are vulnerable to a variety of attacks. They can be used to encrypt data transmitted over a network in order to provide security features and prevent unauthorized access or interception of data sent across IP networks. RFC 2547 describes the general model as “a virtual circuit based on the point-to-point protocol (PPP)”. Layer 2 VPNs are designed to pass data dependent on the type of traffic they carry. They use PPP to offer virtual circuits that multiplex several logical connections into one physical connection.

Point-to-Point Tunneling Protocol (PPTP), Windows 2000 Server VPN, was released as part of Microsoft’s Point-to-Point Encryption (MPPE). PPTP provides encryption for virtual private networks and is based upon Microsoft’s Data Encryption Standard (DES) algorithm. DES uses 128-bit keys and it is believed that this algorithm can be easily broken.

In a typical VPN, you have separate virtual IP networks (VIP) which are each connected to a logical (main) network. By using the routing features of an IPsec VPN, the restrictions of physical connectivity can be overcome. The main idea is that the security appliance provides a secure tunnel between two secured networks rather than having the client connect over a less secure connection such as Ethernet (Rybin et al., 2018). The security appliance automatically, or by user configuration, creates a separate logical network, called the “split tunnel” VPN. The net effect is that the main network is split into a secure (non-routable) VIP and a less secure (routable) non-VIP.

Strong Authentication with a Public Key Infrastructure (SAPKI) provides authentication in IPsec VPNs as well as providing secure tunneling between VPN connections at remote sites. This aids in managing security between separate remote sites. SAPKI allows for the creation of server certificates for use by remote VPN connections, proxy connections and Extranet connections (Rybin et al., 2018). These certificates can be issued automatically by an enterprise certificate authority (CA) upon receiving a request from a VPN host. This way, there is no intervention on the part of a human administrator.

An Extranet is a secure connection between an enterprise and its customers or partners over the public Internet. Extranets allow business partners to conduct secure financial transactions and share proprietary data. An Extranet VPN connection is established using a router’s SAPKI capabilities while using a private network connection such as Frame Relay or Asynchronous Transfer Mode (ATM) (Rybin et al., 2018). The Extranet VPN connection also uses an encryption algorithm to protect private information between the enterprise and its partner over the public Internet on a private network.

IPsec provides security services for both in-bound and out-bound connections. IPsec is a framework that allows multiple security services to be implemented with IP addresses, so that the same address space can be used for multiple security functions (Rybin et al., 2018). IPsec provides data integrity, access control and confidentiality by using the Internet Security Association and Key Management Protocol (ISAKMP) to negotiate individual security services. ISAKMP also establishes a virtual tunnel interface that creates an encrypted communication path between two endpoints.

References

Almomani, A. (2022). Classification of Virtual Private networks encrypted traffic using ensemble learning algorithms. Egyptian Informatics Journal. https://www.sciencedirect.com/science/article/pii/S1110866522000482

Liagkou, V., Kavvadas, V., Chronopoulos, S. K., Tafiadis, D., Christofilakis, V., & Peppas, K. P. (2019). Attack detection for healthcare monitoring systems using mechanical learning in virtual private networks over optical transport layer architecture. Computation, 7(2), 24. https://www.mdpi.com/2079-3197/7/2/24

Rybin, D., Piliugina, K., & Piliugin, P. (2018, January). Investigation of the applicability of SSL/TLS protocol for VPN in APCS. In 2018 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering (EIConRus) (pp. 1318-1321). IEEE. https://ieeexplore.ieee.org/abstract/document/8317339

Last Updated on April 25, 2023
