Dipartimento di Scienze Economiche, Matematiche e Statistiche

Università degli Studi di Foggia

An Analysis of Business VPN Case Studies

Crescenzio Gallo, Michele Perilli and Michelangelo De Bonis

Quaderno n. 10/2009

“Copy not for sale, for legal deposit under Law no. 106 of 15 April 2004.” Working paper reproduced by the Dipartimento di Scienze Economiche, Matematiche e Statistiche in July 2009 and deposited as required by law.

The authors alone are responsible for the content of this reprint.

Dipartimento di Scienze Economiche, Matematiche e Statistiche, Largo Papa Giovanni Paolo II, 1, 71100 Foggia (Italy), Phone +39 0881-75.37.30, Fax +39 0881-77.56.16

An Analysis of Business VPN Case Studies

Crescenzio Gallo, Michele Perilli, Michelangelo De Bonis

[email protected], [email protected], [email protected]

Dipartimento di Scienze Economiche, Matematiche e Statistiche, Università di Foggia, Largo Papa Giovanni Paolo II, 1 - 71100 Foggia (Italy), Phone +39-0881-753708, Fax +39-0881-774450

Abstract

A VPN (Virtual Private Network) simulates a secure private network over a shared, public and insecure infrastructure such as the Internet. The VPN protocol provides secure and reliable access from home or the office over any networking technology that transports IP packets. In this article we study the standards for VPN implementation and analyze two case studies: a VPN between two routers and a VPN between two firewalls.

Mathematics Subject Classification (2000). 68-01; 94C99.

Keywords. VPN; Network; Protocol.

1 Introduction

A VPN (Virtual Private Network) simulates a secure private networking environment within a shared, public and insecure infrastructure, like the Internet, through the encapsulation and encryption of all traffic between the client and the remote access VPN server. The VPN protocol provides secure and reliable access from home or the office over any networking technology that transports IP packets. This article identifies the standards for VPN implementation (e.g. using a Layer 2 tunneling protocol to manage a VPN at layer 2 of the ISO/OSI model) and analyzes two case studies, in which a VPN is implemented first between two routers and then between two firewalls.

2 VPN implementation standards

2.1 PPTP

PPTP (Point-to-Point Tunneling Protocol), albeit developed by Microsoft and other vendors, is an open industry standard that supports tunneling of PPP frames, which can encapsulate IP and other networking protocols. Although the L2TP protocol used in conjunction with IPSec (IP Security) provides greater protection, PPTP is easier to set up. PPTP uses PPP authentication, compression and encryption and, if used together with MS-CHAPv2 (Microsoft Challenge-Handshake Authentication Protocol version 2) and a secure password, provides good protection. Companies can use PPTP to outsource their remote-connection needs to an ISP or another operator, reducing cost and complexity.

2.2 L2TP

L2TP (Layer 2 Tunneling Protocol) is an Internet tunneling protocol that is an industry standard with essentially the same functionality as PPTP. The L2TP protocol is designed to run in native mode on IP networks on many platforms. As with PPTP, PPP frames are encapsulated by L2TP; they in turn encapsulate other protocols’ frames, allowing users to remotely run applications that depend on specific network protocols. Figure 1 shows how the connection between a remote computer and a private network works when using the L2TP protocol. The tunnel shown can be configured to run over the Internet or over an intermediate private network.

Figure 1: A connection using L2TP

Use of L2TP in conjunction with IPSec provides data authentication, integrity and encryption, thereby increasing the protection when sending data over unsecured networks.

2.3 IPSec

The need for protection of IP-based networks is almost universal in the commercial environment interconnected by the Internet, intranets, branch offices and remote access. As networks are constantly crossed by confidential information, the task of network administrators and other information system professionals consists in ensuring traffic with the following characteristics:

• protected from any data changes during transfer;

• protected from “sniffing”;

• protected from impersonation by unauthenticated parties;

• protected from capture and later replay to gain access to confidential resources (this, in general, is what permits the use of an encrypted password).

These security services are known as data integrity, data confidentiality, data authentication and protection against replay (reproduction). IP has no default security mechanism, and IP packets are easy to read, modify, replay and forge. This lack of protection exposes public and private networks to control and access by unauthorized users. While internal attacks can result from minimal or nonexistent intranet protection, external risks arise from connections to the Internet and extranets. User access controls based on passwords do not by themselves protect the data transmitted over a network. As a result, IPSec has been designed by the IETF (Internet Engineering Task Force) to support, at the network level, data authentication, data integrity, data confidentiality and protection from replay. IPSec works with the largest number of operating systems and network devices, providing the ideal platform to secure Internet and intranet communications. This type of protection uses encryption algorithms and a complete protection model to secure all TCP/IP communications on both sides of the tunnel over a public network. IP protection is delivered below the , avoiding for network managers the problems and costs of trying to deploy and coordinate security for individual applications.

2.4 IPSec and prevention of network attacks

The absence of protective measures could expose data to attack. Some attacks are passive, in that information is simply read or intercepted. Others, by contrast, are active: information is used or modified in order to damage or destroy data or the network itself. Table 1 lists some of the most relevant kinds of network attack and the related methods of prevention through IPSec.

Table 1: Some relevant kinds of network attack

| Attack type | Description | IPSec prevention method |
|---|---|---|
| Eavesdropping (also known as sniffing or snooping) | Monitoring of plain or unencrypted packets. | Data are encrypted before transmission, preventing access to the original data even when a packet is monitored or intercepted. Only the peers know the encryption key. |
| Data editing | Editing and transmission of changed packets. | Data hashing “attaches” a checksum to each packet, which is verified by the receiving computer to detect the change. |
| Identity spoofing | Use of packets constructed or acquired to falsely assume the identity of a valid address. | Authentication protocols, public key certificates or pre-shared keys allow peers to be authenticated before a secure communication. |
| Denial of service | Valid users are unable to access a network server. One example consists in sending a large amount of traffic to a network or server. | Ports or protocols can be blocked. |
| Man-in-the-middle | Forwarding of IP packets to an extraneous third party, to control and, if possible, change them. | Authentication of peers. |
| Known-key | An acquired key is used to decrypt or modify data. | Encryption keys may be updated periodically, thus reducing the possibility of accessing protected information through an acquired key. |
|  | Directed primarily at the application server, this attack is used to cause errors in the OS or in network applications, or to introduce viruses into the network. | Because IPSec is implemented at the network level, packets that do not meet the security filters at this level are never passed to the applications, thereby protecting applications and OSes. |

IPSec allows you to prevent the attacks described in Table 1 through mechanisms based on cryptography. Thanks to cryptography, information can be transmitted in a secure way through hashing and encryption. To protect information a combination of algorithm and key is used, where

• the algorithm is the mathematical process by which we protect information;

• the key, instead, is the secret code or number needed to read, write, or verify data.
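The four services just listed (confidentiality, integrity, peer authentication and anti-replay) can be seen working together on a single packet in the following added example, which is not part of the paper. It models what ESP does to a payload: a sequence number and IV are prepended, the payload is encrypted, and a truncated HMAC (the 96-bit ICV of esp-md5-hmac, here computed with SHA-256) is appended; the receiver checks the RFC 2401 sliding replay window first, then the ICV, and only then decrypts. The cipher is an assumption: a constructed HMAC-based counter-mode keystream stands in for DES/3DES so the code runs on the Python standard library alone, and the packet layout is likewise constructed rather than the real ESP header.

```python
import hmac
import hashlib
import os
import struct

REPLAY_WINDOW = 64   # RFC 2401 minimum anti-replay window (in packets)
ICV_LEN = 12         # ESP truncates the HMAC to 96 bits, as esp-md5-hmac does
HDR_LEN = 12         # 4-byte sequence number + 8-byte IV (constructed layout)


def _keystream(key, iv, length):
    """Constructed stand-in for a block cipher in counter mode (NOT DES/3DES)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class SecurityAssociation:
    """One SA: the keys shared by the two peers plus the anti-replay state."""

    def __init__(self, enc_key, auth_key):
        self.enc_key, self.auth_key = enc_key, auth_key
        self.next_seq = 1        # sender: next sequence number to emit
        self.highest_seen = 0    # receiver: highest sequence number accepted
        self.window = 0          # receiver: bit i set = (highest_seen - i) already seen

    def protect(self, payload):
        """Sender: seq || IV || encrypted payload || truncated HMAC."""
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        iv = os.urandom(8)
        header = struct.pack(">I", seq) + iv
        ct = _xor(payload, _keystream(self.enc_key, iv, len(payload)))
        icv = hmac.new(self.auth_key, header + ct, hashlib.sha256).digest()[:ICV_LEN]
        return header + ct + icv

    def unprotect(self, packet):
        """Receiver: replay check, then integrity check, then decrypt."""
        if len(packet) < HDR_LEN + ICV_LEN:
            raise ValueError("packet too short")
        header, ct, icv = packet[:HDR_LEN], packet[HDR_LEN:-ICV_LEN], packet[-ICV_LEN:]
        seq = struct.unpack(">I", header[:4])[0]
        if not self.replay_ok(seq):               # cheap check before any crypto work
            raise ValueError("replayed or too-old sequence number %d" % seq)
        want = hmac.new(self.auth_key, header + ct, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(want, icv):    # edited packet, or a peer without the key
            raise ValueError("integrity check failed")
        self.replay_mark(seq)                     # only authenticated packets move the window
        return _xor(ct, _keystream(self.enc_key, header[4:], len(ct)))

    def replay_ok(self, seq):
        if seq == 0:
            return False
        if seq > self.highest_seen:
            return True
        diff = self.highest_seen - seq
        return diff < REPLAY_WINDOW and not (self.window >> diff) & 1

    def replay_mark(self, seq):
        if seq > self.highest_seen:
            shift = seq - self.highest_seen
            self.window = ((self.window << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.highest_seen = seq
        else:
            self.window |= 1 << (self.highest_seen - seq)


def demo():
    """Run the Table 1 scenarios against one SA; every value should be True."""
    k_enc, k_auth = b"constructed-enc-key", b"constructed-auth-key"
    sender, receiver = SecurityAssociation(k_enc, k_auth), SecurityAssociation(k_enc, k_auth)
    pkt = sender.protect(b"GET /payroll HTTP/1.0")
    r = {"eavesdropping_blocked": b"payroll" not in pkt,
         "valid_packet_accepted": receiver.unprotect(pkt) == b"GET /payroll HTTP/1.0"}

    def rejected(p):
        try:
            receiver.unprotect(p)
            return False
        except ValueError:
            return True

    r["replay_blocked"] = rejected(pkt)                       # same packet delivered twice
    edited = bytearray(sender.protect(b"amount=100"))
    edited[HDR_LEN + 7] ^= 0x01                               # flip one ciphertext bit
    r["data_editing_blocked"] = rejected(bytes(edited))
    impostor = SecurityAssociation(b"guessed-enc", b"guessed-auth")
    impostor.next_seq = 100                                   # fresh seq, so only the ICV decides
    r["identity_spoofing_blocked"] = rejected(impostor.protect(b"hello"))
    return r
```

The order inside unprotect matters: the replay check costs nothing and runs first, the ICV is verified before decryption so an edited or forged packet never reaches the cipher, and the window is advanced only after authentication, otherwise an attacker could push the window forward with garbage packets and make legitimate ones look old.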

3 Case studies

Here two case studies of VPN implementation are detailed, one regarding a connection between two routers, the other related to connecting two firewalls through a secure channel.

3.1 Case study #1

The first typical case for the application of L2TP over IPSec is, as shown in Figure 2, the simplest. In this case study the secure VPN connection is obtained via an Internet tunnel directly between two routers. The configuration of a single peer is given below, the other being perfectly symmetrical. It should be pointed out that the processes of tunnel creation (data encryption) and elimination (data decryption) will certainly lead to a slowdown in the router, degrading the performance of the two peers and consequently slowing down the predominant activity of the router itself, which is to “route”. The ideal hardware and software configuration is that of Case study #2, in which a security-dedicated hardware device, such as the Cisco firewall, is used.

Figure 2: VPN tunnel between two routers

Configuration of one router, as displayed by “sh run”, with the paper’s description of each relevant command given as a comment line (prefixed with “!”) after it:

```
Router#sh run
Building configuration...

Current configuration : 2668 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash c837-k9o3y6-mz[1].123-8.T4.bin
! An IOS image with security features is loaded to implement the VPN.
boot-end-marker
!
enable secret 5 $1$afkP$CN96t/NaMBlK1lKVj9zFc/
!
no aaa new-model
ip subnet-zero
ip name-server 195.130.224.18
ip name-server 195.130.225.129
! The addresses of the two DNS servers used in the connection.
ip ips po max-events 100
no ftp-server write-enable
crypto isakmp policy 11
! Here starts the definition of the security policies used: an ISAKMP policy
! with ID = 11 is defined for the IPSec protocol.
 hash md5
 ! Authentication will use the MD5 hash.
 authentication pre-share
 ! The key will be of pre-shared type.
crypto isakmp key 123456789 address 216.58.66.234
! The key is the shared string '123456789', bound to the other router with
! IP address 216.58.66.234.
crypto ipsec transform-set mine esp-des esp-md5-hmac
! A transform set called 'mine' is defined for the Security Association (SA):
! the peers agree to use the ESP protocol with DES encryption and MD5 HMAC.
crypto map nolan 11 ipsec-isakmp
! Here the cryptographic map 'nolan' with sequence number 11 is defined.
 set peer 216.58.66.234
 ! The address of the other end of the tunnel.
 set transform-set mine
 ! The transform set 'mine' is applied to the tunnel just defined.
 match address 120
 ! Access list 120 is referenced; it defines which traffic of the internal
 ! LAN 192.168.100.0 enters the tunnel.
interface Ethernet0
 description internal LAN gateway
 ip address 192.168.100.100 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface ATM0
 description connection to ADSL access
 no ip address
 atm vc-per-v
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 ip address 216.133.132.193 255.255.255.240
 ! Define the tunnel address on the local side.
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ! Apply PPP encapsulation.
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ! Define the parameters for PAP / CHAP authentication.
 ppp chap hostname host1
 ppp chap password 0 net@net
 ppp pap sent-username host1 password 0 net@net
 crypto map nolan
 ! From here on, the traffic selected by the crypto map 'nolan' defined
 ! above is encrypted.
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
! Build a static default route through interface Dialer1.
no ip http server
no ip http secure-server
ip nat pool my-pool 216.133.132.193 216.133.132.193 netmask 255.255.255.240
! Here we define NAT/PAT: declare the public address with which hosts inside
! the LAN will be presented.
ip nat inside source route-map nonat pool my-pool overload
! The packets subject to NAT are selected by the route-map 'nonat' defined
! below (all packets going from our LAN to the other end of the tunnel are
! excluded).
access-list 120 permit ip 192.168.100.0 0.0.0.255 10.1.1.0 0.0.0.255
! Define who can enter the tunnel to reach the LAN at the other end,
! 10.1.1.0.
access-list 130 deny ip 192.168.100.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 permit ip 192.168.100.0 0.0.0.255 any
! This access list excludes all traffic from the local network 192.168.100.0
! to network 10.1.1.0 (the LAN at the other end of the tunnel); all packets
! from the internal network to any other destination are matched.
dialer-list 1 protocol ip permit
! Define dialer list #1 permitting IP traffic.
route-map nonat permit 10
! Defines a route-map called 'nonat' with sequence 10 which, combined with
! access list 130, applies NAT only to packets from the internal network
! 192.168.100.0 that are not destined to 10.1.1.0, leaving untranslated
! the source addresses of packets whose destination network is 10.1.1.0.
 match ip address 130
 ! Access list 130 is associated with the route-map.
control-plane
!
line con 0
 exec-timeout 120 0
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 exec-timeout 120 0
 password 7 045807071C32
 login
 length 0
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
end
```
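The interplay between access list 120 (what the crypto map encrypts), access list 130 and the route-map “nonat” (what the NAT pool translates) is the part of this configuration that is most often got wrong, so the following added example, written for this page and not part of the paper, evaluates those three lines against constructed sample packets. It implements IOS wildcard-mask matching (a 0 bit in the mask means the address bit must match) and first-match semantics with the implicit deny at the end of every list; the classify function and the sample addresses are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry of a numbered IOS IP access list."""
    action: str      # "permit" or "deny"
    src: int         # source network address as an integer
    src_wild: int    # source wildcard mask (0 bit = must match)
    dst: int
    dst_wild: int


def _addr(text):
    return int(ipaddress.IPv4Address(text))


def parse_ios_acl(lines):
    """Parse 'access-list N permit|deny ip SRC WILD DST WILD' lines into
    {number: [Ace, ...]}; 'any' and 'host A.B.C.D' are expanded."""
    acls = {}
    for line in lines:
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue                      # not an extended IP entry (or not an ACL)
        rest, fields = tok[4:], []
        while rest:
            if rest[0] == "any":
                fields.append(("0.0.0.0", "255.255.255.255")); rest = rest[1:]
            elif rest[0] == "host":
                fields.append((rest[1], "0.0.0.0")); rest = rest[2:]
            else:
                fields.append((rest[0], rest[1])); rest = rest[2:]
        (s, sw), (d, dw) = fields
        acls.setdefault(int(tok[1]), []).append(
            Ace(tok[2], _addr(s), _addr(sw), _addr(d), _addr(dw)))
    return acls


def acl_match(aces, src, dst):
    """First matching entry decides; no match means the implicit deny."""
    s, d = _addr(src), _addr(dst)
    for ace in aces:
        if (s | ace.src_wild) == (ace.src | ace.src_wild) and \
           (d | ace.dst_wild) == (ace.dst | ace.dst_wild):
            return ace.action == "permit"
    return False


# The three access-list lines of the Case study #1 configuration above.
CONFIG = """
access-list 120 permit ip 192.168.100.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 deny ip 192.168.100.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 permit ip 192.168.100.0 0.0.0.255 any
""".strip().splitlines()


def classify(src, dst, acls=None):
    """What the router does with a packet from src to dst leaving Dialer1:
    crypto map 'nolan' encrypts what ACL 120 permits, and route-map 'nonat'
    (match ip address 130) selects what pool my-pool translates."""
    acls = acls or parse_ios_acl(CONFIG)
    return {"encrypted": acl_match(acls[120], src, dst),
            "translated": acl_match(acls[130], src, dst)}


if __name__ == "__main__":
    for src, dst in [("192.168.100.10", "10.1.1.50"),    # LAN to LAN through the tunnel
                     ("192.168.100.10", "8.8.8.8"),      # LAN to the Internet
                     ("172.16.0.5", "10.1.1.50")]:       # not from the internal LAN
        print(src, "->", dst, classify(src, dst))
```

The deny entry in access list 130 is essential rather than cosmetic: on IOS, inside-to-outside NAT runs before the crypto map is consulted, so without it a packet for 10.1.1.0/24 would leave with source 216.133.132.193, no longer match access list 120, and be sent in clear instead of through the tunnel. The third sample shows that a packet whose source is not in 192.168.100.0/24 matches neither list: it is neither encrypted nor translated.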

3.2 Case study #2

The most frequent case is the VPN connection between two networks through firewalls rather than, as in the previous case, routers. In this design the router acts as a normal link, without IPSec security. This hardware and software configuration allows the router to dedicate itself completely to routing, leaving the task of creating and monitoring the tunnel to the firewall. This device, as explained below, strengthens the defense barrier through a series of software techniques (such as session-aware, i.e. stateful, packet filtering) which not only allow the two LANs (192.168.100.0/24 and 10.1.1.0/24) to talk in a safe mode, but also protect them from attack by any hacker on the public Internet.

Figure 3: VPN tunnel between two firewalls

Here are the firewalls’ configurations as per Figure 3.

Configuration of one PIX, with the paper’s description of each relevant command given as a comment line (prefixed with “!”) after it:

```
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Sjt95ZFvq6lc8P0 encrypted
passwd 8Sjt95ZFvq6lc8P0 encrypted
hostname firewall
domain-name firewall.it
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
! Defining the characteristics for traffic inspection: all response packets
! will be allowed for sessions that originate from within the LAN and belong
! to this list of protocols with their ports.
names
access-list 101 permit ip 192.168.100.0 255.255.255.0 host 10.1.1.170
access-list 101 permit ip 192.168.100.0 255.255.255.0 host 10.1.1.209
access-list 101 permit ip 192.168.100.0 255.255.255.0 host 10.1.1.219
! This access-list matches IP traffic from the internal LAN 192.168.100.0 to
! the hosts 10.1.1.170, 10.1.1.209 and 10.1.1.219. It will be used to exempt
! traffic from the internal LAN to the three hosts from translation.
access-list outside_cryptomap_20 permit ip 192.168.100.0 255.255.255.0 host 10.1.1.209
access-list outside_cryptomap_20 permit ip 192.168.100.0 255.255.255.0 host 10.1.1.170
access-list outside_cryptomap_20 permit ip 192.168.100.0 255.255.255.0 host 10.1.1.219
! The access-list "outside_cryptomap_20" matches IP traffic from the internal
! LAN to the hosts 10.1.1.170, 10.1.1.209 and 10.1.1.219. It will be used to
! apply encryption to the flows from the internal LAN to the three hosts at
! the other end of the tunnel.
access-list acl_out permit icmp any any
! Defines an access-list "acl_out" which allows ICMP packets from any
! network to any network. It will be applied to inbound traffic on the
! outside interface of the firewall (traffic coming from outside the LAN).
access-list acl_in permit icmp any any
access-list acl_in permit ip any any
! Defines an access-list "acl_in" which allows IP and ICMP packets from any
! network to any network. It will be applied to inbound traffic on the inside
! interface (traffic coming from inside the LAN).
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 217.133.219.76 255.255.255.248
ip address inside 192.168.100.100 255.255.255.0
! The addresses of the inside and outside interfaces are defined.
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
! NAT/PAT on the address of the outside interface is applied to all
! internal addresses.
nat (inside) 0 access-list 101
! All traffic from the internal network to the three hosts 10.1.1.170,
! 10.1.1.209 and 10.1.1.219 is left untranslated.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
! NAT is applied to all the traffic from the internal network to any network.
access-group acl_out in interface outside
! Applies the access-list "acl_out" to inbound traffic on the outside
! interface.
access-group acl_in in interface inside
! Applies the access-list "acl_in" to inbound traffic on the inside
! interface.
route outside 0.0.0.0 0.0.0.0 217.133.219.74 1
! All traffic leaving the outside interface is routed toward the router with
! address 217.133.219.74.
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
! Connection time-outs are defined for certain protocols (connections that
! exceed the time limit are considered at risk and are closed by the firewall).
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
! IPSec traffic is allowed.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
! A transform set named "ESP-3DES-MD5" is created, using protocol ESP with
! 3DES encryption and MD5 HMAC.
crypto map outside_map 20 ipsec-isakmp
! A crypto map entry with ID=20 named "outside_map" is created for IPSec
! traffic, with key management protocol ISAKMP.
crypto map outside_map 20 match address outside_cryptomap_20
! The crypto map "outside_map" with ID=20 is associated with the traffic
! defined by access-list "outside_cryptomap_20", i.e. traffic from the
! internal network to the three hosts 10.1.1.170, 10.1.1.209, 10.1.1.219.
crypto map outside_map 20 set peer 85.46.191.73
! The crypto map is associated with the PIX at address 85.46.191.73 at the
! other end of the tunnel.
crypto map outside_map 20 set transform-set ESP-3DES-MD5
! The crypto map "outside_map" with ID=20 is associated with the previously
! defined transform set "ESP-3DES-MD5".
crypto map outside_map interface outside
! The crypto map is applied to the outside interface: encryption starts
! there.
isakmp enable outside
! Key management protocol ISAKMP is enabled on the outside interface.
isakmp key ******** address 85.46.191.73 netmask 255.255.255.255
! The pre-shared key is bound to the specified host (the other PIX) with
! IP 85.46.191.73.
isakmp policy 1 authentication rsa-sig
! Policy 1 is defined, with authentication by digital signature certified by
! a CA (Certification Authority).
isakmp policy 1 encryption des
! Policy 1 uses DES encryption.
isakmp policy 1 hash sha
! Policy 1 uses the SHA hash.
isakmp policy 1 group 1
! Policy 1 uses (Diffie-Hellman) group 1.
isakmp policy 1 lifetime 86400
! Maximum key lifetime is 24 hours.
isakmp policy 20 authentication pre-share
! Another policy, with ID=20, using a pre-shared key is defined.
isakmp policy 20 encryption 3des
! 3DES encryption is used.
isakmp policy 20 hash md5
! The MD5 hash is used.
isakmp policy 20 group 2
! Policy 20 uses (Diffie-Hellman) group 2.
isakmp policy 20 lifetime 86400
! Maximum key lifetime is 24 hours.
ssh 217.58.66.238 255.255.255.255 outside
ssh 80.23.95.131 255.255.255.255 outside
! SSH sessions to the firewall are allowed on the outside interface only from
! the public addresses 217.58.66.238 and 80.23.95.131.
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
```
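Both case studies define ISAKMP (IKE phase 1) policies, and the two PIX firewalls above carry two of them with different authentication methods, so the following added example, written for this page and not part of the paper, models how the policies of two peers are matched. It parses the PIX-style “isakmp policy N attribute value” lines as listed above and follows Cisco’s documented selection rule: the responder walks its own policies from the lowest number (highest priority) and accepts the first whose encryption, hash, authentication method and Diffie-Hellman group equal one of the initiator’s proposals, with the shorter of the two lifetimes used. Unset attributes take the IOS/PIX defaults (des, sha, rsa-sig, group 1, 86400 s). The remote peer PEER_B and the Policy/negotiate names are assumptions of the example; the router policy of Case study #1 is written out by hand because the IOS form is a sub-mode, not single lines.

```python
from dataclasses import dataclass

# Platform defaults for attributes a policy does not set explicitly.
DEFAULTS = dict(encryption="des", hash="sha", authentication="rsa-sig", group=1, lifetime=86400)


@dataclass(frozen=True)
class Policy:
    priority: int          # lower number = higher priority
    encryption: str
    hash: str
    authentication: str
    group: int             # Diffie-Hellman group
    lifetime: int          # seconds


def parse_isakmp_policies(lines):
    """Parse PIX 'isakmp policy N attr value' lines into Policy objects,
    filling unset attributes with DEFAULTS, sorted by priority."""
    attrs = {}
    for line in lines:
        tok = line.split()
        if len(tok) != 5 or tok[:2] != ["isakmp", "policy"]:
            continue
        n, attr, val = int(tok[2]), tok[3], tok[4]
        attrs.setdefault(n, dict(DEFAULTS))[attr] = int(val) if attr in ("group", "lifetime") else val
    return [Policy(n, **a) for n, a in sorted(attrs.items())]


def negotiate(responder, proposals):
    """Responder-side selection: first own policy (highest priority) that
    exactly matches any proposal. Returns (policy, agreed_lifetime) or None."""
    for mine in responder:
        for theirs in proposals:
            if (mine.encryption, mine.hash, mine.authentication, mine.group) == \
               (theirs.encryption, theirs.hash, theirs.authentication, theirs.group):
                return mine, min(mine.lifetime, theirs.lifetime)
    return None


# The two policies of the PIX configuration above.
PIX_A = parse_isakmp_policies("""
isakmp policy 1 authentication rsa-sig
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
""".splitlines())

# Constructed remote peer: it has no certificate, so it offers only a
# pre-shared-key policy, and it asks for a shorter lifetime.
PEER_B = parse_isakmp_policies("""
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
""".splitlines())

# The router of Case study #1 sets only 'hash md5' and 'authentication
# pre-share' under 'crypto isakmp policy 11'; everything else is a default.
ROUTER = [Policy(11, "des", "md5", "pre-share", 1, 86400)]

if __name__ == "__main__":
    print("PIX_A <- PEER_B :", negotiate(PIX_A, PEER_B))   # policy 20, lifetime 28800
    print("PIX_A <- ROUTER:", negotiate(PIX_A, ROUTER))    # None: no common policy
```

Two things this makes visible. First, policy 1 is never the one used with a peer that only offers pre-shared keys, so the rsa-sig policy adds nothing unless both sides hold certificates; the pre-shared policy 20 is the one that actually carries the tunnel, and its key is bound to the peer address by the “isakmp key ... address 85.46.191.73” line. Second, a router configured as in Case study #1 (DES, MD5, group 1) has no policy in common with this PIX at all, which is the usual cause of a phase 1 that never completes: every attribute, not just the key, has to match on both ends.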

4 Conclusions

In this work we have studied the configuration of a Virtual Private Network and the related tunneling, and its application to a router-to-router and a firewall-to-firewall scenario. The techniques presented are suited to any type of network deploying Cisco IOS routers and PIX OS firewalls.
