There are several technologies that VPNs use to protect data travelling across the Internet. The most important concepts are firewalls, authentication, encryption, and tunneling. Here we will give them a cursory rundown, then go into more detail in Chapter 2.
An Internet firewall serves the same purpose as firewalls in buildings and cars: to protect a certain area from the spread of fire and a potentially catastrophic explosion. The spread of a fire from one part of a building is controlled by putting up retaining walls, which help to contain the damage and minimize the overall loss and exposure. An Internet firewall is no different. It uses such techniques as examining Internet addresses on packets or ports requested on incoming connections to decide what traffic is allowed into a network.
Although most VPN packages themselves don’t implement firewalls directly, they are an integral part of a VPN. The idea is to use the firewall to keep unwanted visitors from entering your network, while allowing VPN users through. If you don’t have a firewall protecting your network, don’t bother with a VPN until you get one—you’re already exposing yourself to considerable risk.
The most common firewall is a packet filtration firewall, which will block specified IP services (run on specific port numbers) from crossing the gateway router. Many routers that support VPN technologies, such as the Cisco Private Internet Exchange (PIX) and the 3Com/U.S. Robotics Total Control, also support packet filtration. Proxies are also a common method of protecting a network while allowing VPN services to enter. Proxy servers are typically a software solution run on top of a network operating system, such as Unix, Windows NT, or Novell Netware.
Authentication techniques are essential to VPNs, as they ensure the communicating parties that they are exchanging data with the correct user or host. Authentication is analogous to “logging in” to a system with a username and password. VPNs, however, require more stringent authentication methods to validate identities. Most VPN authentication systems are based on a shared key system. The keys are run through a hashing algorithm, which generates a hash value. The other party holding the keys will generate its own hash value and compare it to the one it received from the other end. The hash value sent across the Internet is meaningless to an observer, so someone sniffing the network wouldn’t be able to glean a password. The Challenge Handshake Authentication Protocol (CHAP) is a good example of an authentication method that uses this scheme. Another common authentication system is RSA.
Authentication is typically performed at the beginning of a session, and then at random during the course of a session to ensure that an impostor didn’t “slip into” the conversation. Authentication can also be used to ensure data integrity. The data itself can be sent through a hashing algorithm to derive a value that is included as a checksum on the message. Any deviation in the checksum sent from one peer to the next means the data was corrupted during transmission, or intercepted and modified along the way.
All VPNs support some type of encryption technology, which essentially packages data into a secure envelope. Encryption is often considered as essential as authentication, for it protects the transported data from packet sniffing. There are two popular encryption techniques employed in VPNs: secret (or private) key encryption and public key encryption.
In secret key encryption, there is a shared secret password or passphrase known to all parties that need access to the encrypted information. This single key is used to both encrypt and decrypt the information. The data encryption standard (DES), which the Unix crypt system call uses to encrypt passwords, is an example of a private key encryption method.
One problem with using secret key encryption for shared data is that all parties needing access to the encrypted data must know the secret key. While this is fine for a small workgroup of people, it can become unmanageable for a large network. What if one of the people leaves the company? Then you’re going to have to revoke the old shared key, institute a new one, and somehow securely notify all the users that it has changed.
Public key encryption involves a public key and a private key. You publish your public key to everyone, while only you know your private key. If you want to send someone sensitive data, you encrypt it with a combination of your private key and their public key. When they receive it, they’ll decrypt it using your public key and their private key. Depending on the software, public and private keys can be large—too large for anyone to remember. Therefore, they’re often stored on the machine of the person using the encryption scheme. Because of this, private keys are typically stored using a secret key encryption method, such as DES, and a password or passphrase you can remember, so that even if someone gets on your system, they won’t be able to see what your private key looks like. Pretty Good Privacy (PGP) is a well-known data security program that uses public key encryption; RSA is another public key system that is particularly popular in commercial products. The main disadvantage of public key encryption is that, for an equal amount of data, the encryption process is typically slower than with secret key encryption.
VPNs, however, need to encrypt data in real time, rather than storing the data as a file like you would with PGP. Because of this, encrypted streams over a network, such as VPNs, are encrypted using secret key encryption with a key that’s good only for that streaming session. The session secret itself (typically smaller than the data) is encrypted using public key encryption and is sent over the link. The secret keys are often negotiated using a key management protocol.
The next step for VPNs is secure IP, or IPSec. IPSec is a series of proposals from the IETF outlining a secure IP protocol for IPv4 and IPv6. These extensions would provide encryption at the IP level, rather than at the higher levels that SSL and most VPN packages provide.
IPSec creates an open standard for VPNs. Currently, some of the primary VPN contenders use proprietary encryption, or open standards that only a few vendors adhere to. Rather than seeing IPSec as a threat to their current products, most vendors see it as a way to augment their own security, essentially adding another interoperable level to their current tunneling and encryption methods.
We’ll go into detail about the power, politics, and use of various encryption techniques in Chapter 2.
Many VPN packages use tunneling to create a private network, including several that we review in this book: the AltaVista Tunnel, the Point-to-Point Tunneling Protocol (PPTP), the Layer 2 Forwarding Protocol, and IPSec’s tunnel mode. VPNs allow you to connect to a remote network over the Internet, which is an IP network. The fact is, though, that many corporate LANs don’t exclusively use IP (although the trend is moving in that direction). Networks with Windows NT servers, for instance, might use NetBEUI, while Novell servers use IPX. Tunneling allows you to encapsulate a packet within a packet to accommodate incompatible protocols. The packet within the packet could be of the same protocol or of a completely foreign one. For example, tunneling can be used to send IPX packets over the Internet so that a user can connect to an IPX-only Novell server remotely.
With tunneling you can also encapsulate an IP packet within another IP packet. This means you can send packets with arbitrary source and destination addresses across the Internet within a packet that has Internet-routable source and destination addresses. The practical upshot of this is that you can use the reserved (not Internet-routable) IP address space set aside by the Internet Assigned Numbers Authority (IANA) for private networks on your LAN, and still access your hosts across the Internet. We will look at how and why you would do this in later chapters.
Other standards that many VPN devices use are X.509 certificates, the Lightweight Directory Access Protocol (LDAP), and RADIUS for authentication.