Techniques for addressing the security concerns of an organization's IPsec-based VPN architecture


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.


1. Introduction:

A Virtual Private Network (VPN) can be described as an emulation of a private communication channel built over a shared one. It is carried over the public Internet or an ISP backbone network. A VPN is an economically feasible solution for corporate applications that need private internal transport between geographically dispersed locations.

A wide variety of techniques have been proposed for implementing VPNs over public IP network infrastructure, and more may appear in the future. This thesis sets out a set of criteria for evaluating such techniques. The criteria may be used by the IETF to evaluate a VPN proposal before advancing it on the standards track, or by VPN service providers and corporate network administrators to select which techniques to use in building the VPN networks they need.

The criteria set out here address the implementation of Virtual Private Networks over the Internet Protocol (IP), as distinct from non-IP VPNs such as those built on ATM or Frame Relay connections.

1.1 Basic criteria:

The two defining properties of a VPN are that it is virtual and private. Virtual means that the network has no physical network of its own; it is an emulation of network infrastructure running over a real public network. Private means that access to the network is restricted to a defined set of entities, and that data transmitted across the VPN cannot be read from outside the network.

To qualify as a VPN implementation technique, a technique must be able to build VPNs that satisfy both of these basic criteria.

1.2 Other criteria for evaluating VPN implementation techniques:

The essential components of a VPN implementation technique are the mechanisms that handle a) membership information: its verification, distribution and classification; b) route discovery and routing communication within the VPN and between the VPN and its underlying networks; and c) forwarding. Beyond these fundamental elements, a VPN implementation technique can be evaluated on aspects such as security, architecture, manageability, scalability and feature support.

Note that the security requirements of different VPNs may vary considerably. The specific requirements of the VPN under consideration must therefore be taken into account when an evaluation is carried out.

1.2.1 Security:

A VPN implementation technique must take the necessary steps to secure the data it carries and to secure the network itself.

1.2.2 Data Security:

Data security can be described in terms of integrity, confidentiality and authentication.

1.2.3 Integrity:

The first security concern that comes to mind for data communicated over the Internet is that it can be manipulated or corrupted in transit. A VPN implementation technique must therefore ensure that the integrity of the data is preserved.

1.2.4 Confidentiality:

A VPN must take precautions so that no unauthorised party can read or copy VPN data while it is transmitted across the public network. Data encryption is one example of such a precaution.

1.2.5 Authentication:

A VPN technique must be able to verify whether data really originated from the claimed source, so that the origin of the data can be trusted.

1.2.5 Network Security:

VPN network security must ensure that routing information and data are delivered only to authorised recipients.

1.2.6 Site authorisation and authentication:

A VPN is compromised if an unauthorised site is able to join it. The VPN implementation technique must therefore ensure that only authorised sites are admitted, both during the initial construction of the VPN and during any later reconfiguration. To achieve this, a site must be authenticated before a connection to it is established.

1.2.7 Access Control:

Access control is the procedure that grants or denies a particular subject the right to access a VPN. A VPN implementation technique must therefore provide access control so that unauthorised entities are kept out of the VPN, thereby preserving its privacy.

1.2.7 Routing Security:

Routing security in a VPN is achieved by preventing the VPN's routers from exchanging routing information with unauthorised entities, by preventing the locations of the VPN's routers from being disclosed to entities that do not need them, and by protecting the VPN routing database from corruption by rejecting routing information it should not accept.

1.2.8 VPN Isolation:

A trustworthy VPN implementation technique can maintain several VPNs on a shared set of devices (for example the edge routers of a network). Mechanisms such as a separate forwarding table per VPN on each device must be handled carefully so that traffic from one VPN cannot accidentally leak into another, preserving the privacy and security of each VPN.

1.3 Remote Access Features:

1.3.1 Secure Application Manager:

Windows version (WSAM): the Windows version of the Secure Application Manager is a Windows-based solution that secures traffic to individual client/server applications and application servers. Java version (JSAM): the Java version of the Secure Application Manager supports static-TCP-port client/server applications, including enhanced support for Microsoft MAPI, Lotus Notes and Citrix NFuse. JSAM also provides NetBIOS support, which lets users map drives to specified protected resources. [2,8]

1.3.2 File rewriting:

This feature gives remote users access to NFS- and SMB-based file server shares. Mount points are displayed as links on the user's home page, and all file system operations are performed with the security credentials of the authenticated user, so existing file system ACLs can be used without modification.

1.3.3 Web rewriting:

This feature uses the VPN to intermediate traffic to Web-based applications and Web pages, giving remote users access to institutional web resources that are otherwise not reachable from off-network clients.

1.3.4 Secure Meeting:

The IVE Secure Meeting application makes it easy for users to schedule and hold meetings online, with participants who may be institutional or non-institutional users.

During a meeting, users can work on their own systems and on remote desktops, and can share data and applications with each other over a secure VPN connection; every participant transfers data over the secured connection. When an online presentation is in progress, participants can exchange text chat without disturbing the session.

1.4 Network Connect:

With this option, network-level remote access (based on SSL) to every enterprise application resource can be secured, because the IVE is used over port 443. When Network Connect runs, the client machine becomes invisible on the user's local LAN and visible on the corporate (remote) LAN; the IVE appliance knows nothing about the user's local LAN and acts as the DNS gateway for that client.

This type of VPN is analogous to more traditional VPN services such as PPTP and IPsec tunnels, and is what most people picture when they think of a VPN.


2. Components of IPsec-based VPNs:

VPNs can generally be divided into two main categories based on their architecture. Site-to-site VPNs are of two types, intranet VPNs and extranet VPNs. An intranet VPN connects fixed locations: this LAN-to-LAN VPN joins several remote locations into a single private network. An extranet VPN connects different companies, such as business partners (a seller and a customer).

The second category is remote access VPNs, a user-to-network connection in which a home or mobile user connects to the corporate network from a remote location. In this user-to-LAN connection the two main components are the VPN client software and the VPN gateway.

The VPN client software runs on the remote user's machine, and the VPN gateway is the access point into the organisation's private network from the Internet. We consider layer-3 IPsec VPNs, which use a thick VPN client, as opposed to SSL-based VPNs, which need only a browser for connectivity to internal file and mail servers. IPsec is based on symmetric-key encryption and comprises the following main security components.

  1. Authentication Header (AH): a cryptographic checksum (integrity check value) computed over the message and attached to each packet, so that its integrity and authenticity can be verified as it travels over the Internet.
  2. Encapsulating Security Payload (ESP): the encryption mechanism used to protect the confidentiality of the data while it travels over the channel.
  3. Internet Key Exchange (IKE): the protocol that exchanges the secret keys securely; these keys are vital for the operation of AH and ESP over the communication channel. Secret keys can be exchanged manually, but that is not adequate: keys should be changed at regular intervals to increase resistance to attack.

IKE has two key-exchange modes, Main Mode and Aggressive Mode. In Main Mode a shared key is created between client and server using the Diffie-Hellman key exchange. Aggressive Mode differs in that it does not protect the authentication data with a Diffie-Hellman exchange: the authentication data is exposed on the wire, where it can be captured with a sniffer and cracked offline.
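The following is an added example, not taken from the essay or from any IPsec implementation. It shows in miniature what the Main Mode exchange described above achieves: each side contributes a Diffie-Hellman value, both derive the same secret, and a key derived from that secret is then used for an AH-style integrity check over a packet, so that a modified packet is rejected. The group parameters, nonces and packet are constructed toy values (real IKE uses large standard MODP groups and its own SKEYID derivation, which is simplified here).

```python
"""Toy Diffie-Hellman agreement plus an AH-style integrity check (added example)."""
import hashlib
import hmac
import secrets

# Constructed toy group: a 64-bit prime with generator 2. This is far too small
# to be secure and exists only to keep the example readable; real IKE
# negotiates standard groups of 1024 bits and more.
TOY_P = 0xFFFFFFFFFFFFFFC5
TOY_G = 2


def dh_private_key() -> int:
    """Pick a random private exponent in the range 1 .. p-2."""
    return secrets.randbelow(TOY_P - 2) + 1


def dh_public_value(private: int) -> int:
    """Public value g^x mod p sent to the peer in the clear."""
    return pow(TOY_G, private, TOY_P)


def dh_shared_secret(private: int, peer_public: int) -> int:
    """g^(xy) mod p; reject degenerate peer values that would collapse it."""
    if peer_public <= 1 or peer_public >= TOY_P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, TOY_P)


def derive_key(shared_secret: int, nonce_i: bytes, nonce_r: bytes, label: bytes) -> bytes:
    """Simplified PRF-style key derivation over the shared secret and both nonces.

    IKE's real SKEYID derivation differs in detail; the point is that the key
    depends on a secret only the two peers know, not on anything a sniffer saw.
    """
    g_xy = shared_secret.to_bytes((TOY_P.bit_length() + 7) // 8, "big")
    return hmac.new(nonce_i + nonce_r, g_xy + label, hashlib.sha256).digest()


def compute_icv(key: bytes, packet: bytes) -> bytes:
    """AH-style integrity check value: keyed hash over the packet, truncated to 96 bits."""
    return hmac.new(key, packet, hashlib.sha256).digest()[:12]


def verify_icv(key: bytes, packet: bytes, icv: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak timing."""
    return hmac.compare_digest(compute_icv(key, packet), icv)


def demo():
    """Run one exchange and return (keys match, clean packet ok, tampered packet ok)."""
    a, b = dh_private_key(), dh_private_key()
    pub_a, pub_b = dh_public_value(a), dh_public_value(b)       # exchanged in the clear
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    key_a = derive_key(dh_shared_secret(a, pub_b), nonce_i, nonce_r, b"auth")
    key_b = derive_key(dh_shared_secret(b, pub_a), nonce_i, nonce_r, b"auth")
    packet = b"constructed payload: routing update for vpn-red"  # constructed sample
    icv = compute_icv(key_a, packet)
    tampered = bytearray(packet)
    tampered[0] ^= 0x01                                          # flip one bit in transit
    return key_a == key_b, verify_icv(key_b, packet, icv), verify_icv(key_b, bytes(tampered), icv)


if __name__ == "__main__":
    print(demo())  # expected: (True, True, False)
```

Because a passive observer sees only the public values and nonces, it cannot compute the derived key and therefore cannot recompute a valid ICV; that is the property Aggressive Mode gives up for the authentication data when it sends the hash without Diffie-Hellman protection.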

2.2 Penetration test:

The aim of the penetration test is to find any flaws to which the VPN implementation may be prone while communicating over the channel. It is a planned zero-knowledge test in which only the IP address of the VPN server is known. The test proceeds in three steps:

  1. Survey: find open ports and perform VPN fingerprinting
  2. Assess the PSK mode of the protocol
  3. Exploit any default user accounts

2.2.1 Survey:

The purpose of this step is to determine the type of VPN implementation (IPsec, PPTP or SSL), the VPN vendor and the related version numbers. This information is essential for mounting a purposeful attack against the target VPN.

The first step in the survey is a port scan of the VPN server to make a well-founded estimate of the type of VPN implementation. The following table maps open default ports to VPN type:


Type of VPN     Default port
IPsec           UDP 500
PPTP            TCP 1723
SSL             TCP 443

Table. Default ports and VPN type.

A port scan can produce false negatives. This is especially likely when the scan is run against a combined firewall-VPN device: packets sent to it may be dropped by the firewall, producing negative results.

The next step is to establish what we are up against by finding out the vendor and the version of the VPN server. Nmap's operating system detection gives a reasonably good picture here. For IPsec VPNs, ike-scan can produce a fairly precise fingerprint of the VPN server vendor and version number. The tool fingerprints by examining certain parameters of the IKE packets exchanged and matching them against its signature database.
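The following is an added example, not part of the essay, showing how the port-to-VPN-type mapping above and the firewall caveat are applied to scan output. It parses the "PORT STATE SERVICE" lines of Nmap-style normal output (the sample lines are constructed) and classifies each VPN type as likely, inconclusive or unlikely. It goes slightly beyond the table by also treating UDP 4500 (IPsec NAT traversal) as an IPsec indicator, and it treats a filtered port as inconclusive rather than as a negative result, which is the point the essay makes about firewall-VPN devices.

```python
"""Classify VPN type from Nmap-style scan lines (added example)."""
import re
from typing import Dict, List, Tuple

# Default ports per VPN type: the essay's table plus UDP 4500 for IPsec NAT-T.
VPN_PORTS = {
    (500, "udp"): "IPsec",
    (4500, "udp"): "IPsec",
    (1723, "tcp"): "PPTP",
    (443, "tcp"): "SSL",
}

# Matches lines such as "500/udp  open  isakmp" in Nmap normal output.
LINE_RE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

# Constructed sample output; not a real scan result.
SAMPLE_SCAN = """\
PORT     STATE         SERVICE
500/udp  open          isakmp
4500/udp open|filtered nat-t-ike
1723/tcp filtered      pptp
443/tcp  closed        https
"""


def parse_scan(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (port, protocol, state, service) for every port line found."""
    results = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            results.append((int(match.group(1)), match.group(2), match.group(3), match.group(4)))
    return results


def classify(results: List[Tuple[int, str, str, str]]) -> Dict[str, str]:
    """Map each VPN type to 'likely', 'inconclusive' or 'unlikely'."""
    verdict = {vpn: "unlikely" for vpn in set(VPN_PORTS.values())}
    for port, proto, state, _service in results:
        vpn = VPN_PORTS.get((port, proto))
        if vpn is None:
            continue
        if state == "open":
            verdict[vpn] = "likely"
        elif "filtered" in state and verdict[vpn] != "likely":
            # 'filtered' or 'open|filtered': a firewall may be dropping probes,
            # so a negative result cannot be trusted (the essay's caveat).
            verdict[vpn] = "inconclusive"
    return verdict


def classify_scan_text(text: str) -> Dict[str, str]:
    return classify(parse_scan(text))


if __name__ == "__main__":
    print(classify_scan_text(SAMPLE_SCAN))
```

On the constructed sample this reports IPsec as likely (UDP 500 open), PPTP as inconclusive (TCP 1723 filtered) and SSL as unlikely (TCP 443 closed); the inconclusive verdict is what should prompt a follow-up with a protocol-specific probe rather than being recorded as "no PPTP".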

2.3 Configuration and architecture review

To carry out a systematic VPN assessment it is important to review the network architecture and the configuration of the VPN. Some of the issues that need to be evaluated are:

  1. The kind of access granted to legitimate VPN users, and whether it has been limited to specific servers and ports within the internal network.
  2. Whether two-factor authentication, such as RSA SecurID, is being used. If it is not, there should be a business case explaining why.
  3. That the VPN server has been configured securely to refuse aggressive mode authentication combined with pre-shared keys (PSK). If aggressive mode is essential, digital certificates or some other form of two-factor authentication must be used to strengthen authentication.
  4. Whether only the necessary accounts have been created, and whether the permission level of every user is correct. Shared accounts must not be used; every user has a single, distinct account.
  5. Whether split tunnelling is disabled on the VPN clients. With split tunnelling, only traffic for the corporate network path goes through the tunnel, while all other traffic goes directly out of the local PC's interface.

Disabling this feature prevents a random Internet-based attacker from compromising the VPN client machine while it is connected to the corporate network over the Internet.

  6. Lastly, make sure that the necessary patches have been applied.
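The following is an added example, not part of the essay, that turns the six review items above into an automated check. The configuration format is a constructed, hypothetical INI layout (the section and key names are assumptions of this example, not any vendor's format); a weak configuration and its corrected counterpart are embedded so the checker can be run offline.

```python
"""Check a VPN configuration against the six review items (added example)."""
import configparser
from typing import List, Tuple

Finding = Tuple[str, str]  # (checklist item number, message)

# Constructed weak configuration; every value is made up for this example.
WEAK_CONFIG = """
[access]
internal_targets = any

[ike]
mode = aggressive
auth = psk
two_factor = none

[client]
split_tunnel = yes

[accounts]
alice = alice
bob = bob
helpdesk = tom, ann

[patching]
installed = 4.2.1
latest = 4.2.3
"""

# The same configuration with each weakness corrected.
HARDENED_CONFIG = """
[access]
internal_targets = 10.0.1.10:443, 10.0.1.20:993

[ike]
mode = main
auth = certificate
two_factor = rsa_securid

[client]
split_tunnel = no

[accounts]
alice = alice
bob = bob
tom = tom
ann = ann

[patching]
installed = 4.2.3
latest = 4.2.3
"""


def _version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.strip().split("."))


def review_config(text: str) -> List[Finding]:
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings: List[Finding] = []

    # 1. Access should be limited to specific internal servers and ports.
    if cfg.get("access", "internal_targets", fallback="any").strip() == "any":
        findings.append(("1", "VPN users can reach any internal server and port"))

    # 2. Two-factor authentication should be in use (or a business case documented).
    if cfg.get("ike", "two_factor", fallback="none").strip() == "none":
        findings.append(("2", "no two-factor authentication configured"))

    # 3. Aggressive mode combined with pre-shared keys must be refused.
    mode = cfg.get("ike", "mode", fallback="main").strip()
    auth = cfg.get("ike", "auth", fallback="certificate").strip()
    if mode == "aggressive" and auth == "psk":
        findings.append(("3", "aggressive mode with PSK exposes the authentication hash"))

    # 4. No shared accounts: an account listing more than one owner is shared.
    for account, owners in cfg.items("accounts"):
        if len([o for o in owners.split(",") if o.strip()]) > 1:
            findings.append(("4", f"account '{account}' is shared by several users"))

    # 5. Split tunnelling should be disabled on the clients.
    if cfg.getboolean("client", "split_tunnel", fallback=False):
        findings.append(("5", "split tunnelling is enabled on VPN clients"))

    # 6. The server should be at the latest patched version.
    if _version(cfg.get("patching", "installed")) < _version(cfg.get("patching", "latest")):
        findings.append(("6", "VPN server is not at the latest patched version"))

    return findings


if __name__ == "__main__":
    for item, message in review_config(WEAK_CONFIG):
        print(f"item {item}: {message}")
    print("hardened config findings:", review_config(HARDENED_CONFIG))
```

Item 4 is checked mechanically only for sharing (more than one owner on one account); whether each remaining account is actually necessary still needs a human reviewer, as the essay implies.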

2.4 Exploitation of default user accounts:

One common mistake in the deployment of any system is the presence of default system accounts with default passwords, and VPN systems are no exception. Default account names and passwords can be found from several sources. Besides the usual guesses such as the vendor name, setup, vpn, client, user, contivity, fw1, netscreen and admin, the assessor should also try the names of the places where remote offices are located.

In addition to blind penetration testing (without a valid user account), testing the VPN with a valid user account adds further value. It generally turns up a larger number of serious misconfigurations than the blind testing phase, because it exercises the additional VPN functionality available to an authenticated user, which a zero-knowledge attacker cannot reach. The main focus here is to check that, in line with the predetermined corporate policies, the level of access granted to VPN users is limited.


3. Architecture:

3.1 Flexible Topology

The set of virtual links belonging to a VPN makes up the topology of the VPN. A virtual link can be realised by constructing a tunnel, as in the IPsec VPN technique [2], or by building direct routes with BGP4 or MPLS VPN technology [1].

Depending on its needs, an organisation may choose a full-mesh, partial-mesh or hub-and-spoke topology for its VPN. A VPN implementation technique should be flexible enough to build whichever topology the situation requires.

3.2 Hierarchy:

Different architectures lead to different scaling behaviour of the resulting VPN. For example, a network-based VPN architecture may let a provider edge router serve several Customer Premises Equipment (CPE) routers at a given location, with the topology mesh built only between the provider edge routers. This scales better than a CPE-based VPN, where the tunnel mesh is built between the CPE routers, which are numerous in a large VPN. With such a hierarchy, the configuration and management complexity is moved to a smaller set of provider edge routers instead of a large number of CPE devices. It is therefore advantageous for a VPN implementation technique to make use of hierarchy.

3.3 Independence:

A VPN is generally built on top of a public network infrastructure. Even so, the VPN should be kept as independent of its underlying network as possible, which brings the greatest benefits: fault isolation and operational transparency, which in turn improve the stability of both the VPN and the underlying networks.

3.3.1 Backbone technology independence:

An organisation's VPN may span several ISP network domains. Two VPNs built over different ISP networks may need to be combined into a single VPN, for example when organisations merge. To cope with such situations it is advantageous for a VPN implementation technique to be independent of its underlying networks and backbone technology.

For VPNs that use a single ISP network, this criterion is of the lowest priority.

3.3.2 Addressing independence:

A VPN technique should not require the VPN's IP address space to be tied to that of the underlying IP network. In other words, the IP addresses allocated to a VPN should be separate from, and independent of, the IP addresses allocated to the underlying IP network or backbone.

When the VPN uses IP addresses separate from those of its backbone network, the VPN administrator can manage the VPN's addresses independently, adding, modifying or deleting addresses without coordinating with the administrator of the backbone IP network. Using separate addresses also lets the VPN move to a different underlying network without any change to its IP addresses, making such a migration easy.

Using IP addresses separate from those of its backbone network also lets a VPN use private IP address space, which conserves public address space. It further lets VPNs that have no sites in common reuse the same address space, giving each of them more room.
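The following is an added example, not part of the essay, serving both the VPN Isolation point in section 1.2 (a separate forwarding table per VPN on a shared device) and the addressing independence just described. A shared edge router holds one forwarding table per VPN; two VPNs reuse the same private prefix without interfering, the backbone's own table uses a disjoint public prefix, and a lookup for an unknown VPN never falls back to another VPN's table. All names, prefixes and next hops are constructed.

```python
"""Per-VPN forwarding tables on a shared edge router (added example)."""
import ipaddress
from typing import Dict, Optional


class VpnForwardingTable:
    """Forwarding table for one VPN, resolved by longest-prefix match."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.routes: Dict[ipaddress.IPv4Network, str] = {}

    def add_route(self, prefix: str, next_hop: str) -> None:
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, destination: str) -> Optional[str]:
        addr = ipaddress.ip_address(destination)
        best = None
        for net, next_hop in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best[1] if best else None


class EdgeRouter:
    """Shared device keeping the tables of several VPNs strictly apart."""

    def __init__(self) -> None:
        self.tables: Dict[str, VpnForwardingTable] = {}

    def table(self, vpn: str) -> VpnForwardingTable:
        return self.tables.setdefault(vpn, VpnForwardingTable(vpn))

    def forward(self, vpn: str, destination: str) -> Optional[str]:
        table = self.tables.get(vpn)
        if table is None:
            # Unknown VPN: drop rather than consult another VPN's table, so a
            # mislabelled packet can never leak across VPNs.
            return None
        return table.lookup(destination)


def build_demo_router() -> EdgeRouter:
    """Constructed topology: two customer VPNs that reuse 10.1.0.0/16, plus the backbone."""
    router = EdgeRouter()
    router.table("vpn-red").add_route("10.1.0.0/16", "tunnel-red-siteA")
    router.table("vpn-red").add_route("10.1.5.0/24", "tunnel-red-siteB")   # more specific
    router.table("vpn-blue").add_route("10.1.0.0/16", "tunnel-blue-siteA")  # same prefix, other VPN
    router.table("backbone").add_route("203.0.113.0/24", "core-link-1")     # backbone's own space
    return router


if __name__ == "__main__":
    r = build_demo_router()
    for vpn in ("vpn-red", "vpn-blue", "backbone", "vpn-green"):
        print(vpn, "->", r.forward(vpn, "10.1.5.7"))
```

The same destination address resolves to a different tunnel depending on which VPN's table is consulted, and the backbone table returns nothing for it: that is what lets the VPN administrator allocate addresses without coordinating with the backbone administrator.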

3.3.3 Routing independence:

VPN routing can be seen as composed of two parts:

a) transporting routing information for the private destinations

b) receiving routing information for VPN entities reachable through the underlying public networks.

For part b) the VPN routers must participate in the routing of the underlying network; for part a) they need not. This means that the routing mechanism used to achieve reachability within the VPN can be completely independent of that of the underlying network.

An independent routing mechanism improves the security of the VPN and reduces VPN outages caused by failures in the routing of the underlying network, and vice versa. Errors in the VPN's routing, whether caused by misconfiguration or by misbehaving routing software, have no effect on the routing or stability of the underlying network. In addition, VPN prefixes need not be advertised into the routing of the underlying public network; keeping VPN prefixes out of the underlying network improves the security of the VPN and reduces the number of routes in the underlying network, which in turn improves the routing scalability of the public network. [2,3]

A VPN implementation technique should separate VPN routing from the routing of the underlying network as far as it can.

3.3.4 Extensibility:

A VPN technique should make it easy to extend a VPN while preserving the same level of privacy and security.

Extension to multiple domains:

When extending a VPN across domains, the technique should take into account that the underlying network infrastructures need not share any technology; the only technology that can be assumed in common is IP.

Extension to remote dial-up users:

Remote dial-up access is a major requirement for organisations, and they look to VPN technology over the Internet to provide it. The VPN implementation technique should therefore support it.

Interconnecting VPNs:

There are situations where VPNs need to be interconnected, for example when two organisations merge. A VPN implementation technique must handle such situations. It is also advantageous to use the same technique for inter-VPN and intra-VPN connections, to reduce complexity of use and management.

3.3.5 Redundancy:

A VPN implementation technique should be self-contained: it should not depend on a central system for routing or management. A technique that depends on a central system introduces a single point of failure, with a consequent loss of performance and capacity.

3.3.6 Operational transparency

Although the VPN relies on the underlying networks for its communication, the two are different networks. A VPN implementation technique must minimise the interaction and dependence between them to improve performance.

For this reason it is advantageous for the VPN to be operationally transparent to the underlying network. As described in section 3.3, increasing independence is a means of achieving operational transparency.

Operational transparency has the following features:

Ø Software changes made in one network have minimal impact on the other network.

Ø The VPN administrator must be able to configure the VPN without the help of the administrator of the underlying network.

One class of VPN service keeps the administrators of the underlying network unaware of the operation of the VPN they support, because the service management is outsourced.

3.4 Manageability:

Managing a VPN typically involves membership, policy and security management. Reducing the complexity of management and of manual configuration reduces network outages caused by configuration errors and mismanagement. It is therefore advantageous for a VPN implementation technique to support the manageability of VPNs. The management issues are discussed under the following headings.

3.4.1 Membership management:

The construction of a VPN rests on its ability to identify and distinguish the members of the VPN. Only then can connections be formed between the members to establish a private communication network, or the VPN be reconfigured after its formation. The required data must be identified and configured on the VPN routers.

This can be done by configuring the relevant data on the routers manually, by holding all of it at a central point and distributing it to the VPN routers automatically, or by piggybacking it on routing protocols as discussed in [2].

Whatever approach is chosen, it must keep manual management of this data to the minimum possible, both when constructing the VPN and when maintaining it by adding or removing sites.

3.4.2 Access management:

Since VPNs are private by nature, access to them must be restricted and controlled. Access policies are built on the routers and must then be maintained properly. Here too it is advantageous to keep manual management of the policy data needed for a VPN implementation to a minimum.

3.4.3 Key management

VPNs that require a high degree of security and privacy need security keys for authentication and encryption. Key management is therefore one of the important parts of VPN management; it includes the addition, modification and replacement of keys. A VPN implementation should use techniques that provide the necessary security and are also manageable.

3.4.4 Management boundaries:

It is advantageous for a network to be able to identify problems quickly; otherwise enterprises find it hard to trust it with mission-critical tasks. It is therefore very beneficial for administrative and management boundaries to be precisely defined. Building VPNs that are as independent as possible, as described in section 3.3, helps achieve this goal.

3.5 Scalability:

A VPN can grow to hundreds of sites. The VPN implementation technique must be able to build such a large VPN, and the difficulty of setup, maintenance and management should not grow when a VPN built with the technique needs to expand.

3.5.1 Architecture scalability:

Architecture has a large impact on the scalability of VPNs. For example, a network-based VPN architecture scales much better than a CPE-based architecture, because hierarchy moves configuration and management away from a large number of routers, as described in section 3.2 of this thesis.

Allowing the same set of devices to support several VPNs is a scalable way to offer a VPN service. When evaluating a VPN implementation technique, one must keep in mind that the technique must allow VPNs to be implemented with architectures that scale well.

3.5.2 Management scalability:

The key to scaling VPN management is reducing the manual work involved in configuring and maintaining membership and policy data. A VPN implementation technique must reduce manual tasks to the minimum possible.

3.5.3 Routing scalability

A large VPN has the same routing complexity as a regular network of the same size. Routing scalability constraints that apply to large non-virtual networks, as described in [5], therefore apply to large VPNs as well. A VPN implementation technique must not be an obstacle to routing in a VPN that is growing.

It is advantageous for VPN prefixes not to be advertised into the public network infrastructure, not only for security reasons but also to keep the public routing table manageable as it grows. A VPN implementation technique must not rely on the public network's routing system to transport VPN prefixes.

3.5.5 Feature support:

A VPN technique should fit into an organisation's network without objection. The relevant features are QoS, multicast and multi-protocol support. Apart from privacy and security, the independence of a VPN from its underlying network infrastructure is also a key feature when evaluating VPN techniques. In fact, the more independent a VPN is, the more manageable it becomes, which is a further advantage.

3.5.6 Security considerations:

Security is a high-priority part of any VPN implementation technique. The sections in this part describe its security robustness.


4 Literature Review:

4.1 About Aventail:

Aventail is a leader in SSL VPN technology and in secure application access. Aventail introduced the first SSL VPN solution in 1997 and now serves the secure access needs of at least two million end users worldwide. The Aventail family of Smart SSL VPN appliances increases the effectiveness of end users and IT organisations while reducing cost and increasing security. Aventail SSL VPNs lead the industry in end point control, policy management and transparent, easy-to-use access options for delivering a range of applications.

Aventail is the SSL VPN chosen by leading enterprises and service providers, including AT&T, Dupont, IBM Global Services, MCI, Netifice, Office Depot, Sanyo and TNT. (This is a source of .

4.2 Client-side security considerations for SSL VPNs

Organisations that have undertaken VPN client software deployments are moving strongly toward "clientless" solutions such as SSL VPNs. However, even browser-based "clientless" VPNs still need client-side acceptability assessment and hardening. (Lisa Phifer, Vice President, Core Competence Inc)

The advantages of SSL VPNs according to the report include:

* Only a browser is needed to start a VPN session.

* Access can be set up very quickly, for example when an urgent need arises.

* Applets and ActiveX components can be downloaded for security and authentication.

* A fixed IP address is not mandatory for authentication.

* Broken, intermittent and unreliable connections will not cause the VPN to fail.

* An SSL session can "roam" between IP addresses and carriers.

* Access can be restricted to a menu, or IPsec-style LAN access can be given.

The overall benefit of SSL VPNs compared with IPsec solutions is an added bonus: the Aventail SSL VPN can use its patent-pending Smart Tunnelling mechanism. According to Aventail, Smart Tunnelling is a layer-3 tunnel with layer-4 and above policy controls, giving a complete IP network tunnel over SSL. Smart Tunnelling combines the strengths of SSL, namely NAT and firewall traversal and granular policy control, with the performance and application reach of IPsec, including demanding applications such as VoIP.

4.2.1 The attraction of SSL VPNs:

According to Frost and Sullivan, the SSL VPN market saw a boom in 1992, with a compound annual growth rate of 49% through 2010. The big draw is that SSL VPNs use the browsers already present on every desktop and avoid installing software. Security policy can be largely governed by the VPN gateway, reducing remote configuration. Removing these IT constraints lowers the cost of remote access. Browser-based VPNs support remote access from a wider range of locations: a browser can be used on public PCs in business centres and cyber cafes, and teleworkers can use home PCs without IT involvement.

Business people can use PCs managed by other organisations. Allowing remote access from a wide range of places increases ease of use, accessibility and efficiency. But there is a catch: loss of IT control over the hosts used for remote access.

4.3 Leave nothing behind:

Most public PCs hold traces of previous use: Outlook inboxes packed with private emails, browser caches holding webmail text and password cookies, and attachments saved to temp directories. Data left on public PCs in this way poses a great potential risk. We cannot rely on asking the user to clear the cache: many do not know how, and some do not even know that data is stored in the computer's cache.

To counter these risks, most SSL VPNs take measures to clean up automatically after a remote access session. The properties to note when evaluating SSL VPN products are listed below:

* Secure logout: forced session closing and browser window shutdown, typically based on centrally set session inactivity or session timeouts.

* Credential scrubbing: removing cached credentials at session close, or preventing them from being cached in the first place.

* Temp file clean-up: removing files used during the session or preventing their creation, including cached items, offline content and downloaded programs.

* Cookie blocking: deleting cookies at session close, or not allowing any cookies to be reused during the session.

* Auto-form completion blocking: information the user enters into private web page forms is not stored, so that subsequent users cannot view it.

* Personal data profile removal: preventing access to and use of user data commonly supplied to the browser by default, such as Outlook address book entries.

* Browser history clearing: preventing VPN URLs from being used as a starting point for general web server attacks.

4.5 Emulated properties of a private network:

How can one tell whether a data network (or packet-switched network) is private? A network can be said to be completely private when the organisation using it has complete authority over (i.e. owns) all the elements of the network infrastructure it uses: cables, channel-making equipment, switches, routers and other communication equipment.

However, a network can also be called private where the organisation leases, rather than owns, all the channels that connect its sites. This is because the technical properties of a transmission channel do not change whether it is owned or leased.

As we know, during traffic transmission these channels have a fixed or expected bandwidth. When an organisation uses a public data network to connect its sites, traffic propagates through shared public channels and gets an unknown share of the channel's bandwidth. Along with the known channel bandwidth, a private network is distinguished from a public network by its segregation from other networks, i.e. a private network can only connect sites within the organisation.

A truly private network has the following advantages for its users.

4.5.1 Improved Security:

It has only internal connections, so, as there are no outside connections to the network, the chance of an attack from an outside network is reduced, since only authorized users are connected to it. It also reduces the chance of traffic being intercepted.

4.5.2 Predictable Performance:

As it owns the communication links of the network, there are no drops in bandwidth, so network performance is predictable, and it chooses the network transport technology itself for connecting the site networks. The options are limited only by the choice of provider or manufacturer: an organisation can use Ethernet, Frame Relay, IP, IPX or any other networking transport technology to connect its sites.[3]

Self-determining IP address space. In a private network it is possible to choose any address.

For example, to a large extent all VPN services support the use of private IP addresses such as or , which cannot be routed through public networks. These properties are advantageous for trusted users, though the needs of one and another may differ. The exposed nature and lower performance of the Internet or public IP networks make improved security and predictable performance the properties that most need to be rebuilt on a private network.

The self-determining network transport technology property and the self-determining IP address property are nowadays of lower priority: the first because of the predominant use of a single technology (Ethernet at layer 2 and IP at layer 3), and the second because IPv6 is now in use, which no longer needs the defects of IPv4 to be carried over, and improves security.

On the whole, a private data network is not an economically feasible solution for using its own channels with known bandwidth to connect LANs at different sites. A VPN data service enhances a standard data service by implementing some of the properties of a private data network while using a shared packet-switched infrastructure such as JANET, a commercial provider's network or the Internet as a whole. The main goal of a VPN of any type is to make communication between all network sites accessible in a way that emulates, as closely as required, their connection by dedicated physical channels.

4.6 Different VPN Services:

There are several types of VPN and the properties of each vary. We classify them on the basis of three important filters.

1. Which properties of a private network does a VPN service emulate, and to what degree?

For example, some VPNs need to transmit data with high security for data privacy but do not care about performance, whereas others need performance enhancement with only a basic level of security. The VPN survey showed how different VPN features are valued by users.

The priority list is as follows:

· Site security from unauthorized access

· High secrecy based on data encryption

· Traffic secured from non-VPN users, possibly by encrypting it

· Enhanced performance

· Increased bandwidth guarantees

· Self-determining addressing

· Non-standard addressing between sites

4.7 Location of VPN Equipment:

Network-based VPNs use equipment placed within a provider network and are provider-provisioned (i.e. where the VPN equipment is placed within a provider network, it is provisioned by the provider). Customer-based VPNs use equipment placed within a customer network or on a user's computer. Usually, network-based VPNs (i.e. where the VPN equipment is within a provider network) are provider-provisioned and customer-based VPNs are customer-provisioned.[3,5]

Along with these customer-related properties (i.e. properties important for VPN users), VPNs also have provider-related properties. Some of the most important ones are described here.

4.7.1 Scalability:

It is the property by which a VPN service is able to support a large number of VPNs and sites within each VPN.

4.7.2 Manageability:

It is the effort needed to set up and support a VPN. Provider-provisioned VPNs use more resources in the network equipment and add to the difficulty of the setup effort, with a probable threat to the manageability of the VPN, as it must be able to work across a multi-domain network.

As expected, security issues are at the top of the priority list; the placing of improved performance and guaranteed bandwidth at the next level shows there is growing demand for VPNs that support QoS (Quality of Service).


5. Research Methodology: VPN Architecture

5.1 VPN Graphical Representation:

Source: [8]

5.2 Empirical Review of VPN Concepts:

Virtual private networking (VPN), in order to protect data traffic, basically uses TCP/IP protocols. Therefore, to understand how a VPN connection works, one should be familiar with the protocols and concepts involved, and with how OS/400(R) VPN uses these protocols and techniques to build a better-secured network:

IP Security (IPsec) protocols:

These protocols provide a stable and long-lasting base for offering security at the network layer.

5.3 Key organization:

A dynamic VPN provides additional security for communications: for key management it uses the Internet Key Exchange (IKE) protocol. The most important aspect of IKE is that it allows the VPN servers to generate and negotiate the keys at each end of the relationship at specified regular intervals.

After every successful negotiation the VPN servers regenerate new keys to provide a secure connection, so it is very complex for an attacker to trace the transmitted data during a particular session. In addition, it is very difficult for attackers to guess future keys even if they have data about previously generated keys.

The VPN key manager is IBM(TM)'s implementation of the Internet Key Exchange (IKE) protocol; it automatically negotiates security associations (SAs) and is also used to refresh cryptographic keys as well as to generate them routinely.

5.3.1 Security association (SA):

A security association contains the data needed to use the IPsec protocols. To clarify, every security association identifies the algorithms, key lengths and lifetimes, as well as the encapsulation style and the participating parties.

Cryptographic keys, as the name explains, protect (lock) the data so that it reaches the specified destination safely and securely. [8]

5.3.2 Network address translation for VPN (VPN NAT):

OS/400 VPN provides a method of carrying out network address translation called VPN NAT. VPN NAT differs from conventional NAT in that it translates addresses before the IKE and IPsec protocols are applied.[7]

5.3.3 UDP encapsulation:

UDP encapsulation allows IPsec traffic to pass through a conventional NAT device. This topic should be studied carefully for more information on what it is and why you should use it for VPN connections.

5.3.4 IP compression (IP comp):

IPComp reduces the size of IP datagrams by compressing them, to enhance communication performance between the two VPN partners.

5.3.5 VPN and IP filtering:

IP filtering and VPN are closely related. In general, many VPN connections require filter rules to work properly. This section gives data about which filters VPN requires, as well as other filtering concepts related to VPN.[7]

5.3.6 VPN and IP filtering Using IKE:

Several VPN connections require filter rules to work properly. The filter rules required depend on the type of VPN connection you are configuring as well as the type of traffic you intend to control. In general, each connection will have a policy filter. The policy filter describes which addresses, protocols and ports can use the VPN. Along with this, connections that support the Internet Key Exchange (IKE) protocol typically have rules written specifically to allow IKE processing over the connection.[4,9]

Beginning with V5R1 of the operating system, VPN can produce these rules automatically whenever possible; VPN should be allowed to create policy filters for you. This not only helps avoid errors, it also saves you from setting up the rules as a separate step using the packet rules editor in iSeries Navigator.

There are different sets of rules; check these topics to learn more about the other, less common VPN and filtering concepts and techniques that may relate to this particular study.

5.7 Concise outline of the research methodology I plan to use:

The main idea of this research project is to show the network traffic, generally using IKEProbe, in a VPN:

* Providing filters to the data.

* IP address resolving.

* Statistical data on the packets sent.

5.8 Phases of key organisation

The VPN key manager uses two distinct phases.

5.8.1 Phase1:

Phase 1 creates a master secret from which the remaining cryptographic keys used to secure data traffic are derived. This is true even when no security yet exists between the two endpoints. VPN uses either RSA signature mode or pre-shared keys for phase 1 negotiations, as well as to protect the keys that secure the IKE messages exchanged during the next level, the phase 2 negotiations.

A pre-shared key is a string with a maximum length of 128 characters. Both ends of a connection must agree on the pre-shared key. The benefit of pre-shared keys lies in their simplicity; the drawback is that the shared secret must be communicated out-of-band, for example over the phone or by registered mail, before IKE negotiation. Treat a pre-shared key like a password.

RSA signature authentication provides more security than pre-shared keys because it uses digital certificates for authentication. You must configure your digital certificates using Digital Certificate Manager (5722-SS1 option 34). In addition, some VPN solutions require RSA signatures for interoperation between networks. For example, Windows(R) 2000 VPN uses RSA signatures as its basic authentication method. Lastly, RSA signatures provide more scalability than pre-shared keys.

5.8.2 Phase 2:

Phase 2, however, negotiates the security associations and keys that secure the actual application data transfers. Note that until this point no application data has actually been transferred. Phase 1 protects the phase 2 IKE negotiation.

If the phase 2 negotiation is successful, your VPN builds a secure, dynamic connection over the network between the endpoints you defined for the connection. All data that flows across the VPN is delivered with the degree of security and efficiency agreed by the key servers during the phase 1 and phase 2 negotiations.

In general, phase 1 is negotiated once a day, while phase 2 is renegotiated every 60 minutes, or sometimes even every five minutes. Refreshing more often increases data security, but it also has drawbacks, such as a decrease in system performance. For securing the most private data, use short key lifetimes.
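The two-phase scheme and the lifetimes described above can be made concrete in a small model. The following is an added example, not code from the essay or from IBM's OS/400 VPN implementation; it assumes a simplified design in which a phase 1 master secret is derived from an agreed shared secret (a Diffie-Hellman result or pre-shared key) plus nonces, and phase 2 traffic keys are derived from that secret with fresh nonces on every rekey. Key derivation uses HKDF (RFC 5869) built from the standard `hmac` and `hashlib` modules; the lifetimes, the `KeyManager` class and the `deterministic_rng` helper are the example's own constructs.

```python
"""Two-phase IKE-style key management with SA lifetimes (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

PHASE1_LIFETIME = 24 * 3600   # essay: phase 1 is negotiated about once a day
PHASE2_LIFETIME = 60 * 60     # essay: phase 2 every 60 minutes (or as low as five)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: turn input keying material into a pseudorandom key."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: stretch the pseudorandom key into `length` bytes bound to `info`."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


@dataclass
class SecurityAssociation:
    """The data IPsec needs for one SA: identifier, keys, and its lifetime."""
    spi: int
    encryption_key: bytes
    auth_key: bytes
    created_at: float
    lifetime_seconds: int

    def is_expired(self, now: float) -> bool:
        return now - self.created_at >= self.lifetime_seconds


def deterministic_rng(seed: bytes):
    """Hypothetical helper so both ends (and tests) draw the same nonces.
    A real implementation uses os.urandom; this exists only to make the
    example repeatable."""
    counter = 0

    def rng(n: int) -> bytes:
        nonlocal counter
        counter += 1
        return hkdf_expand(seed, counter.to_bytes(4, "big"), n)
    return rng


class KeyManager:
    """Hypothetical key manager: phase 1 makes the master secret, phase 2 makes SAs."""

    def __init__(self, rng=os.urandom):
        self.rng = rng
        self.phase1_secret = None
        self.phase1_created = None
        self.phase2_sa = None
        self.phase1_runs = 0
        self.phase2_runs = 0

    def phase1(self, shared_secret: bytes, now: float) -> None:
        """Derive the master secret from the agreed secret and two fresh nonces."""
        nonce_i, nonce_r = self.rng(16), self.rng(16)
        self.phase1_secret = hkdf_extract(nonce_i + nonce_r, shared_secret)
        self.phase1_created = now
        self.phase2_sa = None          # old child SAs are not reused under a new phase 1
        self.phase1_runs += 1

    def phase2(self, now: float) -> SecurityAssociation:
        """Derive fresh traffic keys under the phase 1 secret (a new SA)."""
        if self.phase1_secret is None:
            raise RuntimeError("phase 1 must complete before phase 2")
        nonce = self.rng(16)
        material = hkdf_expand(self.phase1_secret, b"phase2" + nonce, 64)
        spi = int.from_bytes(self.rng(4), "big")
        self.phase2_sa = SecurityAssociation(spi, material[:32], material[32:], now, PHASE2_LIFETIME)
        self.phase2_runs += 1
        return self.phase2_sa

    def current_sa(self, shared_secret: bytes, now: float) -> SecurityAssociation:
        """Return a live SA, re-running phase 1 or phase 2 when a lifetime has expired."""
        if self.phase1_secret is None or now - self.phase1_created >= PHASE1_LIFETIME:
            self.phase1(shared_secret, now)
        if self.phase2_sa is None or self.phase2_sa.is_expired(now):
            self.phase2(now)
        return self.phase2_sa


def rekey_timeline(seed: bytes = b"constructed-seed") -> dict:
    """Walk one day of traffic and report which negotiations happened."""
    km = KeyManager(rng=deterministic_rng(seed))
    shared = b"constructed shared secret"          # stands in for a DH result or PSK
    first = km.current_sa(shared, 0)
    same = km.current_sa(shared, 1800) is first    # still inside the 60 minute lifetime
    after_hour = km.current_sa(shared, 3600)       # phase 2 lifetime reached: rekey
    km.current_sa(shared, 24 * 3600)               # phase 1 lifetime reached: full renegotiation
    return {"same_within_lifetime": same,
            "rekeyed_after_hour": after_hour is not first
            and after_hour.encryption_key != first.encryption_key,
            "phase1_runs": km.phase1_runs, "phase2_runs": km.phase2_runs}
```

Note on the "future keys" claim above: in this model an attacker who learns one phase 2 key learns nothing about the next one, but anyone holding the phase 1 secret can derive every child key, so the phase 1 material must be protected for its whole lifetime. Real IKE can additionally run a fresh Diffie-Hellman exchange in each phase 2 (perfect forward secrecy) so that compromise of the phase 1 secret does not expose past traffic keys.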

5.9 Layer 2 Tunnelling Protocol (L2TP):

If you are thinking of using a VPN connection to secure the connection between your network and remote clients, you should have a good understanding of L2TP.

5.9.1 Migrate policy filters to the current release:

In V4R4 and V4R5 of the operating system, you had to set up the VPN packet rules as a separate step. They were not generated automatically as part of your VPN setup. This topic gives specific steps for migrating V4R4 and V4R5 policy filters to the present release and a detailed summary of how to do it.[9,10]

In V4R4 and V4R5 of the operating system, you had to set up the VPN packet rules as a separate step in the packet rules interface of iSeries(TM) Navigator. These were not generated automatically as part of VPN setup. From V5R1 of the operating system, the VPN GUI can produce these packet rules automatically.[9]

There are several things to consider if you produced policy filter rules (where ACTION=IPSEC) in V4R4 or V4R5 and you want to keep using those same rules: they will produce your policy filter rules, but you must add other rules that permit other IP traffic, for example Telnet, across the connection. Review these considerations to help you avoid potential configuration mistakes.

To clarify: when this study refers to customer rules files, it means any rules files that you produced using the packet rules editor in iSeries Navigator. Compare this with the VPNPOLICYFILTERS.I3P rules file, the rules file that VPN automatically produces as part of VPN setup.

If you have VPN connections from V4R4 or V4R5 and you do not plan to set up other VPN connections in the present release, you can activate your filter rules and start the connections as usual.

If you have VPN connections from V4R4 or V4R5 and you plan to set up new VPN connections in the present release, use the Migrate Policy Filters wizard. This wizard separates the policy filters from the packet rules files that you produced and adds equivalent policy filters into VPNPOLICYFILTERS.I3P, which VPN produces. To access the wizard, follow these steps:

* In iSeries Navigator, expand your server > Network > IP Policies.

* Right-click VPN and select Migrate Policy Filters.

If VPN produces your policy filter rules and you also need to insert some non-VPN filter rules, you must set up those rules using the packet rules editor in iSeries Navigator.

If any of these non-VPN filter rules need to come before the VPN filters, start their set names with PREIPsec, for example PREIPsec MY RULES. This lets the system determine the order in which it will execute your filter rules. The set names of all other non-VPN rules should not have the PREIPsec prefix.

Always allow VPN to produce your policy filter rules. However, your non-VPN filters must be placed in your user rules file. Remember, if any of these non-VPN filters should be placed in front of the policy filters in the VPNPOLICYFILTERS.I3P rules file, you must add PREIPsec before the set name. This ensures that your user rules file and the VPN rules work together as you require. For example, VPN produced your policy filter rules (VPN sets), but you then added more rules (your sets) to allow other IP traffic across the connection.

When you activate the rules on your system, they will be ordered as follows.

* Your sets with names starting with PREIPsec

* VPN sets with names starting with PREIPsec

* VPN sets specifying ACTION=IPSEC (policy filters)

* Your sets specifying ACTION=IPSEC (policy filters)

* Your sets with anything else

* VPN sets with anything else

Check the EXPANDED.OUT file to see the ordering of the combined result file. EXPANDED.OUT is written to the directory where your customer rules file is located. Using iSeries Navigator, you can choose to activate only the VPN-produced rules file, VPNPOLICYFILTERS.I3P, or only your customer rules file, which then includes both the VPN-produced rules and your own rules.

Activate your filter rules on all interfaces rather than on an individual interface. This ensures that the filters become active and also produces the correct ordering of the policy filters.

Always verify your filter rules when you try to activate them. If the verify runs without errors, check EXPANDED.OUT to be confident that the rules are ordered as you require.
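The ordering rules in section 5.9.1 and the policy filter / IKE rule relationship from section 5.3.6 are easier to reason about with a small first-match evaluator. The following is an added example, not the iSeries packet rules engine or any of its files; it assumes that rule sets are evaluated in the order the essay lists (PREIPsec sets first, then policy filter sets, then everything else), that the first matching rule decides, and that IKE on UDP port 500 is implicitly permitted when no rule mentions it. Set names, rule fields and the sample addresses are constructed for the example.

```python
"""Policy-filter ordering and first-match evaluation (added example, hypothetical model)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

IKE_PORT = 500


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str          # "udp", "tcp", "esp", ...
    dst_port: int = 0


@dataclass
class Rule:
    action: str            # "PERMIT", "DENY" or "IPSEC" (a policy filter rule)
    protocol: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.protocol in ("*", pkt.protocol)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


@dataclass
class RuleSet:
    name: str
    owner: str             # "user" (your sets) or "vpn" (VPN-produced sets)
    rules: List[Rule]

    def is_policy_filter(self) -> bool:
        return any(r.action == "IPSEC" for r in self.rules)


def order_sets(sets: List[RuleSet]) -> List[RuleSet]:
    """Arrange sets the way the essay says the system orders them on activation."""
    def rank(s: RuleSet) -> int:
        if s.name.upper().startswith("PREIPSEC"):
            return 0 if s.owner == "user" else 1
        if s.is_policy_filter():
            return 2 if s.owner == "vpn" else 3
        return 4 if s.owner == "user" else 5
    return sorted(sets, key=rank)       # sorted() is stable: ties keep file order


def evaluate(sets: List[RuleSet], pkt: Packet) -> str:
    """First matching rule wins; IKE with no rule written for it is implicitly permitted."""
    for rs in order_sets(sets):
        for rule in rs.rules:
            if rule.matches(pkt):
                return rule.action
    if pkt.protocol == "udp" and pkt.dst_port == IKE_PORT:
        return "PERMIT"
    return "DENY"


# Constructed sample: a user Telnet set, a VPN-produced policy filter set, and a
# user set that must run before IPsec (so its name carries the PREIPsec prefix).
EXAMPLE_SETS = [
    RuleSet("MYTELNET", "user", [Rule("PERMIT", "tcp", dst="10.1.1.0/24", dst_port=23)]),
    RuleSet("VPNSET1", "vpn", [Rule("IPSEC", "*", "10.1.1.0/24", "10.2.2.0/24")]),
    RuleSet("PREIPSECBLOCK", "user", [Rule("DENY", "*", src="192.0.2.0/24")]),
]


def activation_order(sets: List[RuleSet] = EXAMPLE_SETS) -> List[str]:
    """Names in the order they would appear in the expanded output."""
    return [s.name for s in order_sets(sets)]
```

With these sets, traffic from 10.1.1.0/24 to 10.2.2.0/24 is selected for IPsec, an IKE packet from the blocked 192.0.2.0/24 range is dropped because the PREIPsec set is evaluated first, and an IKE packet from any other peer falls through to the implicit permit described in the essay.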

5.10 VPN connection with no policy filters:

If the connection endpoints of your VPN are single, specific IP addresses and you want to start the VPN without writing or activating filter rules on the systems, you can set up a dynamic policy filter. This part of the study explains why one might consider this and gives a brief summary of how it can be achieved.

A policy filter rule defines which addresses, protocols and ports can use a VPN and directs the appropriate traffic through the connection. In some cases you may want to set up a connection that does not require a policy filter rule. For example, you may already have non-VPN packet rules loaded on the interface that your VPN connection will use and, rather than deactivating the active rules on that interface, you decide to set up the VPN so that your system manages all filters dynamically for the connection. The policy filter for this kind of connection is called a dynamic policy filter. Before you can use a dynamic policy filter for your VPN connection, all of the following must be true:

"The connection must only be initiated by the local server"

The data endpoints of the connection must be single systems. That is, they cannot be a subnet or a range of addresses.

"No policy filter rule can be loaded for the connection"

If your connection satisfies these conditions, you can set up the connection so that it does not require a policy filter. When the connection starts, traffic between the data endpoints will flow regardless of what other packet rules are loaded on your system. For step-by-step instructions on how to set up a connection so that it does not require a policy filter, use the online help for VPN.


6.1 Testing My Proposed VPN:

6.1.1 VPN security: testing, troubleshooting and deploying

Virtual Private Networks (VPNs) give remote employees access to their company's network. As a large number of VPNs communicate over the Internet, several security concerns arise. Does the client need extra security? Does the network need to implement extra security measures? Is it easy to break into the network during an employee's VPN connection?

Generally a VPN comes with general security measures of its own, which does not mean the VPN is free of further risks. Here are some tips on how to give a VPN a penetration test, along with some of the best quick VPN tips. Using the tips below, select one of the best VPN technologies for your organisation and learn how to maintain the VPN once it is deployed.

6.2 Pre-deployment education and decision making:

IPsec VPNs that connect individual hosts or entire networks extend your network's security perimeter. Keeping unauthorized entities off the network starts with authenticating the identity of those VPN tunnel endpoints. Using the wrong authentication technique may lead to interoperability problems or commercial network failure. This tip covers the IPsec VPN features and authentication options provided by the Internet Key Exchange (IKE) standard, as well as common vendor extensions like Extended Authentication (XAUTH).[6]

6.3 Testing the security of VPN deployment:

A VPN provides an entrance into your network for your organisation's employees, telecommuters and other remote users. It is also an entrance for outsiders searching the Internet for ways into your network. This tip explains why it is necessary to include the VPN in the initial stages of the testing process, and reviews techniques and plans for testing both IPsec and SSL VPNs.[4,7]

6.4 Troubleshooting and maintaining our VPN:

Have you ever imagined a situation where your users have problems getting into their own VPN? Networking security scholar Wes Noonan suggests that "our VPN settings are to be authenticated on the routers to confirm that you are using MS-CHAP for making sure and that the encrypt command is also configured with the right stage of encryption which is auto, 40 bit or 120 bit for having more details about configuration of IOS based VPNs".

If VPN communication is blocked, open Security Center and choose the "Windows Firewall" option under "Manage security settings"; on the "Exceptions" page of the Windows Firewall window there is an option called "Add port". The port numbers are not constant; they differ according to the kind of VPN in use. IPsec VPNs generally use UDP port 500 and PPTP VPNs use TCP port 3389, so we can create exceptions for them. If we do not have the proper information, we must ask our network administrator for the details.

Optional solutions for VPN:

Windows has two fundamental techniques for giving remote users access: the Virtual Private Network (VPN) and Remote Desktop.

6.5 Remote Desktop:

Unlike a VPN, Remote Desktop in Windows 2000 or XP Professional allows a user to run a functionally identical copy of another computer's desktop, giving them access to all programs, resources and permissions on that computer.

When should one method be used over the other?

VPNs have some drawbacks which Remote Desktop does not have. When a user establishes a VPN connection, all the network traffic on their computer is sent over the VPN. It is very hard to force a particular application to use a different network interface.

A Remote Desktop connection does not take over the system's networking; it runs as a stand-alone network application. Remote Desktop connections, when encrypted on the administrator's side, do not create security concerns. In some situations it is advantageous to select one or the other, VPN or Remote Desktop, according to your needs, as they are integrated and used in quite different ways and at quite different endpoints.

6.6 Pen testing our VPN:

Your VPN is a primary entry into your company's network for employees, telecommuters and other remote users. This particular tip explains why it is so important to add it to the existing list of things to test.

A Virtual Private Network (VPN) is like a sign reading "Sensitive Data Here": attackers know that where a VPN has been set up there is likely something valuable behind it, as VPNs are generally used to protect private data. Therefore, like any other network connection, it must be tested thoroughly for vulnerabilities that could compromise the network. Generally, when VPNs are included in a network penetration test it is easy to be misled into thinking they are the most secure components. That is not a correct approach, as they are not as secure as assumed, and attackers' eyes are always on these VPNs.

Pen testing a VPN is a fairly simple process that uses a few basic steps. It is not very different from other pen testing routines and should be part of them.

VPNs are divided into two types: IPsec and SSL. Plan the pen test according to the VPN you are running. There are three basic steps to pen testing a VPN, to be followed for every type of VPN:

6.7 Scout the terrain and plan the attack:

Test for default user accounts, then shut them down.

The development phase of the test has to follow one of two paths. Testing an IPsec VPN is quite different from testing an SSL VPN, because an IPsec VPN is network-based whereas an SSL VPN is web-based.

6.8 IPsec VPN's:

For IPsec VPNs there is a tool which can fingerprint several VPN vendors and models: ike-scan from NTA Monitor. Based on the data obtained this way, attackers can search the web for information on particular vendors. Such information has been posted for Cisco, Nortel, Check Point and WatchGuard equipment. The tool can not only fingerprint the VPN model, it can also reveal the type of authentication used by the VPN, which is significant information for attackers.

Other tools, such as IKECrack and IKEProbe, take advantage of weaknesses in the pre-shared key (PSK) authentication used in IPsec VPNs. The hashes collected by these tools can be run through routine password crackers such as Cain and Abel to recover passwords for unauthorized access to the VPN, and of course to the organisation's network.

Lastly, IPsec VPNs have default user accounts like any other firewall or network device. These accounts are used during the initial setup of the VPN and are later left behind although they are no longer needed. To secure them, remove these accounts or rename them wherever convenient. The same should be done for the company's accounts used for regular protection: change default passwords wherever possible.

6.9 SSL-VPN's:

For SSL VPNs, the same tools can be used as for testing a web application. Web threats like cross-site scripting (XSS), SQL injection, buffer overflows, weak authorisation and standard parameter manipulation can be checked with tools like WebInspect or Watchfire; to verify authentication, the scan results can be followed up by a regular or manual testing process.

6.10 Network adapters that are supported by WinPcap:

The WinPcap drivers are developed first and foremost to operate with Ethernet (10/100/1000) adapters. During development, support was added for other MACs, although Ethernet remains the best tested. A list of supported adapters is maintained by the AirSnare team at:

You can use that page to record the results of your experience with WinPcap. Note that this inventory is generated by WinPcap users, so it cannot be considered official or 100% reliable. On wireless adapters WinPcap is not able to see the original wireless packets: the 802.11 frames are converted into fake Ethernet frames before being captured, and control frames are not captured. Refer to: to find out whether your adapter works. If it does not work, the techniques given in the video can be used to capture its traffic.

For real wireless capture, CACE Technologies has launched the AirPcap adapter, which is designed specifically to capture 802.11 traffic, including control frames, management frames and power information. At present, AirPcap is the only solution for capturing 802.11 traffic with WinPcap.

6.11 LibPcap:

LibPcap is a self-contained library which defines the de facto standard for user-level packet capture. "LibPcap provides a portable framework for low-level network monitoring. Applications include network statistics collection, security monitoring and network debugging, etc." Basically, this is the underlying system that allows tcpdump, Snort, Ethereal etc. to work without the authors of those applications having to start from scratch coding the same functionality that LibPcap provides.
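The traffic-analysis tasks listed in section 5.7 (filtering the data down to IKE, resolving the IP addresses involved, and gathering statistics on the packets sent) can be carried out directly on libpcap-format captures such as those tcpdump writes. The following is an added example, not code from the essay or from the libpcap/WinPcap projects; it builds a small constructed capture in the classic pcap file format, then parses the Ethernet, IPv4, UDP and ISAKMP headers with the standard library to count IKE messages per source address and exchange type. The addresses, SPIs and packets are constructed sample data, checksums are left at zero and not verified, and `build_sample_pcap` and the other function names are the example's own.

```python
"""Filter a pcap capture down to IKE (UDP/500) and summarise it (added example)."""
import struct
from collections import Counter
from typing import Iterator, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4       # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
IKE_PORT = 500
# ISAKMP exchange types from RFC 2408 / the IPsec DOI
EXCHANGE_TYPES = {2: "identity-protection (main mode)", 4: "aggressive",
                  5: "informational", 32: "quick mode"}


def build_udp_frame(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame around `payload` (checksums zero)."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, IPPROTO_UDP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp


def build_isakmp(exchange_type: int, initiator_spi: bytes) -> bytes:
    """Constructed 28-byte ISAKMP header: first message, responder SPI still zero."""
    return struct.pack("!8s8sBBBBII", initiator_spi, b"\x00" * 8, 1, 0x10, exchange_type, 0, 0, 28)


def build_pcap(frames) -> bytes:
    """Write frames into a pcap byte string (global header + per-record headers)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (timestamp_seconds, frame) for each record in a pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        yield ts_sec, data[offset:offset + incl_len]
        offset += incl_len


def parse_ike(frame: bytes) -> Optional[dict]:
    """Return the addresses and ISAKMP header fields for a UDP/500 frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    if frame[14 + 9] != IPPROTO_UDP:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    udp_off = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, udp_off)
    if IKE_PORT not in (sport, dport):      # the filter: keep only IKE traffic
        return None
    header = frame[udp_off + 8:udp_off + 8 + 28]
    if len(header) < 28:
        return None
    _i_spi, r_spi, _next, version, xchg, _flags, _msg_id, _length = struct.unpack("!8s8sBBBBII", header)
    return {"src": src, "dst": dst, "exchange": EXCHANGE_TYPES.get(xchg, f"type {xchg}"),
            "version": f"{version >> 4}.{version & 0x0F}", "responder_spi_set": any(r_spi)}


def summarize(pcap_bytes: bytes) -> Counter:
    """Statistics: IKE messages per (source address, exchange type)."""
    counts = Counter()
    for _ts, frame in iter_records(pcap_bytes):
        record = parse_ike(frame)
        if record is not None:
            counts[(record["src"], record["exchange"])] += 1
    return counts


def build_sample_pcap() -> bytes:
    """Constructed capture: two main-mode starts from one host, one aggressive-mode
    start from another, and one DNS query that the IKE filter must drop."""
    gateway = "198.51.100.1"
    frames = [
        build_udp_frame("192.0.2.10", gateway, 500, 500, build_isakmp(2, b"\x11" * 8)),
        build_udp_frame("192.0.2.10", gateway, 500, 500, build_isakmp(2, b"\x12" * 8)),
        build_udp_frame("192.0.2.77", gateway, 500, 500, build_isakmp(4, b"\x13" * 8)),
        build_udp_frame("192.0.2.10", "198.51.100.53", 40000, 53, b"\x00" * 12),
    ]
    return build_pcap(frames)
```

Run against a real capture, `summarize` gives a defender a quick view of which peers are opening IKE negotiations against the gateway and in which mode; a peer that repeatedly starts aggressive-mode exchanges, which the essay's section 6.8 notes is where pre-shared-key weaknesses are exposed, stands out immediately.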


For the IKE negotiation to take place for your VPN, you must allow UDP datagrams over port 500 for this kind of IP traffic. However, if there are no filter rules on the system specifically written to allow IKE traffic, the system will implicitly allow IKE traffic to flow. Study this case for more information on how this works on iSeries.

To start a connection, most VPNs need Internet Key Exchange (IKE) negotiation to happen before IPsec processing can take place. IKE uses the well-known port 500, so for IKE to work correctly you must allow UDP datagrams over port 500 for this kind of IP traffic.

If there is no filter rule on the system specifically written to allow IKE traffic, IKE traffic is unrestricted. However, rules written specifically for UDP port 500 traffic are maintained in the activ