Virtual Private Networks


Page 1: Virtual Private Networks

3. Virtual Private Networks

Selected Topics in Information Security – Bazara Barry

Page 2: Virtual Private Networks

Introduction

A virtual private network (VPN) is a computer network that is implemented on top of an existing larger network for the purpose of creating a private scope of computer communications.

The links between nodes of a virtual private network are formed over logical connections or virtual circuits between hosts of the larger network.

The Link Layer protocols of the virtual network are said to be tunneled through the underlying transport network.


Page 3: Virtual Private Networks

Introduction

[Figure: a travelling employee reaches Company Headquarters through a VPN tunnel across the Internet]

Page 4: Virtual Private Networks

Introduction

Firewalls, gateways, and other such devices can help keep intruders from compromising a network, but firewalls are no defense against an internal hacker.

Another layer of defense is necessary at the protocol level to protect the data itself.

In VoIP, as in data networks, this can be accomplished by encrypting the packets at the IP level using IPsec.


Page 5: Virtual Private Networks

Introduction

The IPsec suite of security protocols and encryption algorithms is the standard method for securing packets against unauthorized viewers over data networks and will be supported by the protocol stack in IPv6.

Hence, it is both logical and practical to extend IPsec to VOIP, encrypting the signal and voice packets on one end and decrypting them only when needed by their intended recipient.


Page 6: Virtual Private Networks

IPSec

IPsec is the preferred form of VPN tunneling across the Internet. There are two basic protocols defined in IPsec: Encapsulating Security Payload (ESP) and Authentication Header (AH).

IPsec also supports two modes of delivery: Transport and Tunnel.


Page 7: Virtual Private Networks

IPSec


Page 8: Virtual Private Networks

IPSec


Security in VoIP is concerned with protecting both what a person says and to whom the person is speaking.

IPsec can be used to achieve both of these goals.

VoIPsec (VoIP using IPsec) helps reduce the threat of man in the middle attacks, packet sniffers, and many types of voice traffic analysis.

Page 9: Virtual Private Networks

Difficulties arising from VoIPSec


There are several issues associated with VOIP that are not applicable to normal data traffic. Of particular interest are Quality of Service (QoS) issues.

In VoIP, packets must arrive at their destination and they must arrive fast.

Although VoIPSec secures the communication, its use could affect various QoS parameters.

Page 10: Virtual Private Networks

Encryption/decryption latency

Many studies revealed that the cryptographic engine was the bottleneck for voice traffic transmitted over IPSec.

Computationally lighter algorithms achieve better throughput than the more expensive ones.

Much of the latency results from the computation time required by the underlying encryption.


Page 11: Virtual Private Networks

Scheduling and Lack of QoS in the Crypto-Engine

The driving force behind the latency associated with the crypto-engine is the scheduling algorithm for packets that enter the encryption/decryption process.

Unlike routers, crypto-engines provide no support for manual manipulation of the scheduling criteria.

The standard FIFO scheduling algorithms employed in today’s crypto-engines create a severe QoS issue.

Scheduling a greater number of packets had a more degrading effect on performance than encrypting/decrypting fewer (but larger) packets.


Page 12: Virtual Private Networks

Expanded packet size


IPsec increases the size of packets in VOIP, which leads to more QoS issues.

The increase in packet size due to IPsec does not result in an increased payload capacity. The increase is actually just an increase in the header size due to the encryption and encapsulation of the old IP header and the introduction of the new IP header and encryption information.

This leads to several complications especially with bandwidth.
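A worked calculation of that header growth, added here as an example and not part of the slides. It assumes IPv4, ESP with AES-CBC (16-byte blocks and IV) and HMAC-SHA1-96 (12-byte ICV), and 20 ms packetization for G.711 (160-byte payload) and G.729 (20-byte payload); it covers both ESP modes, not only the tunnel mode the slide describes.

```python
from dataclasses import dataclass
from typing import Optional

IPV4_HDR, UDP_HDR, RTP_HDR = 20, 8, 12
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1); the padding itself is computed below

@dataclass(frozen=True)
class EspSuite:
    """Assumed suite: AES-CBC-128 (16-byte blocks and IV) with HMAC-SHA1-96 (12-byte ICV)."""
    block_size: int = 16
    iv_len: int = 16
    icv_len: int = 12

def esp_packet_size(inner_len: int, mode: str, suite: EspSuite = EspSuite()) -> int:
    """Wire size of an IPv4 packet of inner_len bytes after ESP protection.

    Tunnel mode encrypts the whole inner packet and prepends a new outer IPv4
    header; transport mode keeps the original header and encrypts only what
    follows it. Either way the payload carried does not grow."""
    if mode == "tunnel":
        plaintext, outer_hdr = inner_len, IPV4_HDR
    elif mode == "transport":
        plaintext, outer_hdr = inner_len - IPV4_HDR, IPV4_HDR
    else:
        raise ValueError(f"unknown mode {mode!r}")
    # CBC needs plaintext + trailer rounded up to a whole number of cipher blocks.
    padded = -(-(plaintext + ESP_TRAILER) // suite.block_size) * suite.block_size
    return outer_hdr + ESP_HDR + suite.iv_len + padded + suite.icv_len

def voip_bandwidth_kbps(payload_bytes: int, ptime_ms: int, mode: Optional[str]) -> float:
    """IP-level bandwidth of one direction of a call (mode=None: no IPsec)."""
    inner = IPV4_HDR + UDP_HDR + RTP_HDR + payload_bytes
    wire = inner if mode is None else esp_packet_size(inner, mode)
    packets_per_second = 1000 / ptime_ms
    return wire * 8 * packets_per_second / 1000

if __name__ == "__main__":
    # Constructed codec parameters: 20 ms frames, G.711 = 160 bytes, G.729 = 20 bytes.
    for codec, payload in (("G.711", 160), ("G.729", 20)):
        plain = voip_bandwidth_kbps(payload, 20, None)
        for mode in ("transport", "tunnel"):
            secured = voip_bandwidth_kbps(payload, 20, mode)
            print(f"{codec} {mode:9s}: {plain:5.1f} -> {secured:5.1f} kbit/s "
                  f"(+{100 * (secured / plain - 1):.0f}%)")
```

For G.711 the tunnel-mode packet grows from 200 to 264 bytes (about 32% more bandwidth); for the small G.729 frames it doubles, which is why the low-bitrate codecs suffer most.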

Page 13: Virtual Private Networks

Incompatibility with NAT


Network Address Translation (NAT) traversal completely invalidates the purpose of AH because the source address of the machine behind the NAT is masked from the outside world. Thus, there is no way to authenticate the true sender of the data.

The same reasoning demonstrates the inoperability of source authentication in ESP.
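The following added example (not from the slides) makes the AH point concrete: it computes an AH integrity check value the way RFC 4302 does, then shows that a router's TTL decrement is tolerated while a NAT's source-address rewrite is not. The key, addresses and payload are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # assumption: a shared AH key, not from the slides
ICV_LEN = 12                    # HMAC-SHA1-96: 20-byte digest truncated to 12 bytes
AH_FIXED = 12                   # next header, payload len, reserved, SPI, sequence number

def ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def ipv4_header(src: str, dst: str, total_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header carrying AH (protocol 51). Checksum left 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, 51, 0,
                       ip4(src), ip4(dst))

def ah_icv(ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """ICV as RFC 4302 defines it: mutable IPv4 fields (ToS, flags/fragment offset,
    TTL, checksum) and the ICV field itself are zeroed; everything else, which
    includes the source and destination addresses, is authenticated."""
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    data = bytes(h) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(src: str, dst: str, payload: bytes, spi: int = 0x100, seq: int = 1) -> bytes:
    # payload len field = AH length in 32-bit words minus 2; next header 17 = UDP (RTP).
    ah_fixed = struct.pack("!BBHII", 17, (AH_FIXED + ICV_LEN) // 4 - 2, 0, spi, seq)
    hdr = ipv4_header(src, dst, 20 + AH_FIXED + ICV_LEN + len(payload))
    return hdr + ah_fixed + ah_icv(hdr, ah_fixed, payload) + payload

def verify_ah(pkt: bytes) -> bool:
    """Receiver-side check: recompute the ICV over what actually arrived."""
    hdr, ah_fixed = pkt[:20], pkt[20:20 + AH_FIXED]
    icv, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(ah_icv(hdr, ah_fixed, payload), icv)

def nat_rewrite_source(pkt: bytes, public_src: str) -> bytes:
    """What a NAT does on egress: replace the private source address (bytes 12-15)."""
    return pkt[:12] + ip4(public_src) + pkt[16:]

def decrement_ttl(pkt: bytes) -> bytes:
    """What every router does: TTL (byte 8) is a mutable field, so AH tolerates it."""
    return pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]

if __name__ == "__main__":
    pkt = build_ah_packet("10.0.0.5", "203.0.113.7", b"constructed RTP payload")
    print("as sent:      ", verify_ah(pkt))                                      # True
    print("after router: ", verify_ah(decrement_ttl(pkt)))                       # True
    print("after NAT:    ", verify_ah(nat_rewrite_source(pkt, "198.51.100.1")))  # False
```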

Page 14: Virtual Private Networks

Solutions to the VoIPSec Issues


• Encryption at the End Points.

• Secure Real Time Protocol (SRTP).

• Better Scheduling Schemes.

• Compression of Packet Size.

• Resolving NAT/IPsec Incompatibilities.

Page 15: Virtual Private Networks

Multiprotocol Label Switching MPLS


MPLS is the convergence of connection-oriented forwarding techniques and the Internet’s routing protocols.

Many claims have been made regarding the role of MPLS, chief among them that it is the Internet’s best long-term solution to efficient, high performance forwarding and traffic differentiation (IP QoS).

MPLS-labeled packets are switched after a Label Lookup instead of a lookup into the IP table.

Page 16: Virtual Private Networks

Multiprotocol Label Switching MPLS

The entry and exit points of an MPLS network are called Label Edge Routers (LERs).

Routers that perform routing based only on the label are called Label Switched Routers (LSR).

Labels are distributed between LERs and LSRs using the “Label Distribution Protocol” (LDP).


Page 17: Virtual Private Networks

Multiprotocol Label Switching MPLS

The MPLS Working Group gives the name forwarding equivalence class (FEC) to each set of packet flows with common cross-core forwarding path requirements.

LDP dynamically establishes a shortest path VC (now known as a label-switched path, or LSP) tree between all the edge LSRs for each identifiable FEC.

The label — virtual path/channel identifier (VPI/VCI) — at each hop is a local key representing the next-hop and QoS requirements for packets belonging to each FEC.
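An added example, not from the slides, of the per-hop label lookup: it parses RFC 3032 label stack entries (assumed encoding: 20-bit label, 3-bit TC, bottom-of-stack bit, 8-bit TTL) and forwards on the top label alone, never reading the IP header beneath. The forwarding table, next-hop names and sample packet are constructed.

```python
import struct
from typing import Dict, List, Tuple

# Constructed forwarding table for one LSR (assumption, not from the slides):
# incoming label -> (action, outgoing label, next hop). A "swap" rewrites the
# top label; a "pop" removes it, as at the penultimate hop before the egress LER.
FIB: Dict[int, Tuple[str, int, str]] = {
    1001: ("swap", 2047, "lsr-b"),   # FEC: voice traffic towards site A
    1002: ("swap", 2048, "lsr-c"),   # FEC: data traffic towards site B
    3000: ("pop", 0, "ler-egress"),
}

def decode_entry(word: int) -> dict:
    """RFC 3032 entry: 20-bit label, 3-bit TC, 1-bit S (bottom of stack), 8-bit TTL."""
    return {"label": word >> 12, "tc": (word >> 9) & 0x7, "s": (word >> 8) & 1, "ttl": word & 0xFF}

def encode_entry(e: dict) -> bytes:
    return struct.pack("!I", (e["label"] << 12) | (e["tc"] << 9) | (e["s"] << 8) | e["ttl"])

def parse_label_stack(pkt: bytes) -> Tuple[List[dict], bytes]:
    """Read entries top-first until the S bit is set; the rest is the opaque IP packet."""
    entries, off = [], 0
    while True:
        entries.append(decode_entry(struct.unpack_from("!I", pkt, off)[0]))
        off += 4
        if entries[-1]["s"]:
            return entries, pkt[off:]

def lsr_forward(pkt: bytes, fib: Dict[int, Tuple[str, int, str]] = FIB) -> Tuple[str, bytes]:
    """Forward on the top label only; the IP header under the stack is never consulted."""
    entries, ip_packet = parse_label_stack(pkt)
    top, rest = entries[0], entries[1:]
    if top["ttl"] <= 1 or top["label"] not in fib:
        raise ValueError("drop: TTL expired or no label binding")
    action, out_label, next_hop = fib[top["label"]]
    if action == "swap":
        rest.insert(0, {**top, "label": out_label, "ttl": top["ttl"] - 1})
    elif rest:   # pop: carry the decremented TTL into the newly exposed entry
        rest[0]["ttl"] = top["ttl"] - 1
    return next_hop, b"".join(encode_entry(e) for e in rest) + ip_packet

# Constructed packet: two-entry stack (outer transport label, inner VPN label) over a dummy IP packet.
SAMPLE = (encode_entry({"label": 1001, "tc": 5, "s": 0, "ttl": 64}) +
          encode_entry({"label": 77, "tc": 5, "s": 1, "ttl": 64}) + b"<ip packet>")

if __name__ == "__main__":
    hop, out = lsr_forward(SAMPLE)
    print(hop, parse_label_stack(out)[0])   # lsr-b, top label now 2047 with ttl 63
```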


Page 18: Virtual Private Networks

NIF Node Forwarding Engine


Page 19: Virtual Private Networks

LSR Forwarding Engine


Page 20: Virtual Private Networks

MPLS label stack encoding for packet-oriented transport


Page 21: Virtual Private Networks

MPLS for Virtual Private Networks


VPNs share a single physical infrastructure of routers and/or switches between multiple independent networks.

An MPLS-based VPN uses LSPs to provide tunnel-like topological isolation, and temporal isolation if the LSPs have associated QoS guarantees.

Page 22: Virtual Private Networks

MPLS for Virtual Private Networks


Page 23: Virtual Private Networks

Segregation of Network Traffic


Packetized voice is indistinguishable from any other packet data at Layers 2 and 3, and thus is subject to the same networking and security risks that plague data-only networks.

The general idea that motivates the logical separation of data from voice is the expectation that network events such as broadcast storms and congestion, and security-related phenomena such as worms and DoS attacks, that affect one network will not impact the other.

Page 24: Virtual Private Networks

VLANs


Logical separation of voice and data traffic via VLANs is recommended in order to prevent data network problems from affecting voice traffic and vice versa.

In a switched network environment, VLANs create a logical segmentation of broadcast or collision domains that can span multiple physical network segments.

The predominant VLAN flavor is IEEE 802.1q, as defined by the IEEE. VLANs can be configured in various ways—by protocol (IP or IPX, for example) or based on MAC address, subnet, or physical port.

Page 25: Virtual Private Networks

Location-based VLANs


Page 26: Virtual Private Networks

Function-based VLANs


Page 27: Virtual Private Networks

VLANs: benefits

Creating a separate VLAN for voice reduces the amount of broadcast traffic (and unicast traffic on a shared LAN) the telephone will receive.

Separate VLANs can result in more effective bandwidth utilization, and reduce the processor burden on IP telephones and PCs.

Management traffic can be segregated on a management VLAN so that SNMP and syslog traffic do not interfere with data, which has the added benefit of putting a layer of security around the management network.

