Security DevCenter


VPNs and Public Key Infrastructure

by Scott Brumbaugh

The virtual private network (VPN) is increasingly becoming an invaluable part of every business network. With broadband available in more and more places, small- and medium-size businesses are taking advantage of VPN technology and leveraging the investment they've made in their internal private networks, expanding services available to customers, partners, and staff. This article focuses on VPN tunneling. Because it is also necessary to understand the basic principles of data encryption, this article will also summarize the set of technologies that form a Public Key Infrastructure (PKI). We will see how to ensure privacy in a virtual private network.

A successfully deployed VPN will do two things for you. First, it will allow only known users to access your network. Second, it will encrypt all network traffic over the VPN, ensuring private communications. Certainly you have used the public Internet to access data or services dispersed across the globe. You are reading this article with a web browser located on your desktop, and the images and text have traveled perhaps thousands of miles from the web servers. The data has traveled as a sequence of digital packets; think of it as a stream. The stream has probably passed through at least a dozen network routing devices along the way. Due to the redundancy designed into the Internet, it is practically impossible to predict the path that a data stream will take. A motivated party can look at or change parts of this stream anywhere on the path. This lack of privacy doesn't matter much, given the nature of this web page, but for more sensitive information pertaining to your business or personal information, greater security is important. Using a VPN tunnel is a good way to ensure that.

A VPN can also extend your LAN. When working at the office, you likely take advantage of many computing services provided at your site. You can access files shared by your coworkers and read and send email using your business account. Your office network probably has specialized maintainers, allowing you to depend on applications to work, stay up to date, and remain findable.


Travel away from the office and try to do work that requires access to your office network. If you've done this, you know it can be frustrating. A typical non-VPN solution for smaller businesses is some type of dial-up access. That works on a limited scale and suffers from unreliability and cost. Modem banks are expensive. You need some safe, reliable way to extend the reach of your small-office network out to people who need access--you, your staff, your business partners, and your customers. Be it a remote affiliate site or a home office, a VPN will let you reach out and touch your local network resources from practically anywhere in the world.

VPN Technologies

A VPN tunnel connects two locations. In this case, it's your site and a remote site that needs network access. When an outsider wants to connect to your local network through a VPN, he must first communicate with a known service running on your local network by authenticating to it. That is the process by which a remote user proves his identity to the VPN service running on your network. This way you control who accesses your network.

After successful authentication, the VPN service establishes a direct communications channel to a compatible VPN service running at the remote site. This channel will provide the tunnel through the Internet between the two networks. From now on, until the outsider disconnects, any network message that needs to travel between the two networks will pass through this tunnel. The VPN services at the end points encrypt and decrypt all messages that pass into the tunnel.

At the nuts-and-bolts level, many different techniques are available for actually implementing the tunnel, each with advantages and disadvantages. Two of the most often used techniques for constructing the VPN tunnel are Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol encrypted with IPSec (L2TP/IPSec). Current Microsoft Windows Server operating systems provide everything necessary to set up VPN tunnels using one of these two techniques. However, this article covers a third method, implemented by James Yonan's OpenVPN.

Why not use Microsoft's built-in PPTP or L2TP/IPSec packages? In many cases you can, but be aware of their limitations. First, PPTP was initially a proprietary Microsoft protocol with notoriously weak security. Later revisions of the authentication protocol fixed the problems, but interoperability with non-Microsoft platforms remains difficult to this day. A more subtle potential problem with PPTP has to do with the construction of the VPN tunnel. The PPTP tunnel packet uses the Generic Routing Encapsulation (GRE) protocol. Sometimes routers between the two end points block this protocol. In a typical VPN scenario, you don't have control over the channel between the two end points, so this can be a real problem. This situation is hard to diagnose and harder to fix, since you may not be able to convince a third party to allow your GRE packets to pass. OpenVPN will use either UDP or TCP for constructing its tunneling packets, so there is more assurance that the VPN will work everywhere.

Considering L2TP by itself, it does not provide security but is simply an encapsulation protocol. So, in the VPN scenario, IPSec is used to add encryption and authentication. IPSec is an industry standard and as such is extremely robust and reliable when implemented correctly. Fortunately, most platforms have good implementations available.

The L2TP/IPSec VPN suffers from one major problem: it cannot operate over basic Network Address Translation (NAT) routers. Small networks often connect to the Internet using NAT; most small office/home office (SOHO) routers implement NAT by default. Some newer SOHO DSL routers provide Universal Plug and Play (UPnP) NAT Traversal, which allows IPSec to operate--but again, you want the VPN to work everywhere.

The complexity of L2TP/IPSec is another, minor disadvantage. It's more difficult to troubleshoot and maintain relative to other protocols. This is partly because IPSec is part of the underlying network operating system and is difficult to separate from it. Contrast this tight binding to the lower levels of the network stack with PPTP, which operates at a higher level. With PPTP it is easier to isolate problems either to the VPN protocol or to the underlying network. This final disadvantage is minor because we assume that a business network will employ specialists who, given time, can work through these technical difficulties. Major disadvantages involve third-party equipment that your network staff will not have access to, such as routers at some unknown off-site location. Here, OpenVPN's use of the ubiquitous UDP and TCP protocols is clearly advantageous.

As mentioned previously, OpenVPN provides a third, widely portable alternative: the software runs on all widely used computer platforms. It uses either UDP or TCP for reliability and ease of maintenance, and employs the Secure Sockets Layer (SSL) protocol developed by Netscape to secure e-commerce applications. More often, you may hear of this protocol by the acronym TLS (Transport Layer Security). In fact, the Internet Engineering Task Force renamed SSL as TLS in 1999. The rest of this article uses the terms SSL and TLS interchangeably. SSL/TLS enforces security using X.509 certificate technology.

Earlier releases of OpenVPN lacked a couple of key features unrelated to security, but the latest beta releases of OpenVPN-2.0 have added them. Specifically, the first new feature is support for validating client certificates against a Certificate Revocation List (CRL) during client authentication. This leads to easier maintenance and greater security. The second new feature is that the OpenVPN service now runs as a single server instance. Previously, each VPN tunnel connected to a different server port and needed a separate OpenVPN service to manage it. This new feature greatly simplifies configuration work. The second part of this series will cover both features.
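As an added illustration (not part of the original article), here is a minimal OpenVPN server and client configuration that puts the points above together: UDP transport on one listening port for every client, X.509 certificate authentication, and a CRL check on each connecting client. Directive names are those of OpenVPN 2.1 and later; the file names, the 10.8.0.0/24 tunnel subnet, the group name and the hostname vpn.example.com are placeholders.

```conf
# ---- server.conf (assumed file name) ----
# One listening port serves every client (OpenVPN 2.0 multi-client mode).
port 1194
# UDP crosses NAT and most filtering routers; GRE (PPTP) and ESP (IPsec) often do not.
proto udp
dev tun
# X.509 material: CA cert to verify clients, plus the server's own cert and key.
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# Hand out tunnel addresses from this pool; replaces one daemon per client.
server 10.8.0.0 255.255.255.0
# Reject any client whose certificate is listed on the CRL.
crl-verify crl.pem
# Pre-shared HMAC key: packets without a valid HMAC are dropped before the TLS handshake.
tls-auth ta.key 0
keepalive 10 120
# Drop privileges once the tunnel is up (group name is platform dependent).
user nobody
group nogroup
persist-key
persist-tun
verb 3

# ---- client.conf (assumed file name) ----
client
dev tun
proto udp
# Placeholder hostname for the office VPN endpoint.
remote vpn.example.com 1194
nobind
ca ca.crt
cert client1.crt
key client1.key
# Refuse a peer whose certificate is not marked as a server certificate.
remote-cert-tls server
# Same HMAC key, opposite key direction.
tls-auth ta.key 1
persist-key
persist-tun
verb 3
```

Revoking a client is then a matter of reissuing crl.pem from the CA; the server rejects that client's certificate at its next connection attempt without any change to the server configuration.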
