OpenVPN and the SSL VPN Revolution
True SSL VPNs are beginning to appear in the market. One of the best, and definitely the least expensive, is the open source SSL VPN, OpenVPN.
IPSec VPNs are either too expensive or too difficult to use securely. IPSec is dense and contains too many options to be configured and administered securely by non-expert personnel. It also operates in kernel space providing the opportunity for catastrophic failure. OpenVPN rejects the complexity of IPSec by using the battle tested SSL/TLS protocol and cryptographic libraries to provide equal or better function in a simpler package. OpenVPN also operates in user-space increasing security and stability.
Many of the products that claim to be SSL VPNs are actually just SSL gateways operating under the guise of a true VPN. Many of these products open the unsuspecting user to serious security issues. OpenVPN is the first real SSL VPN to provide the same function and security as its IPSec predecessors.
Introduction
“IPSec VPNs protect IP packets exchanged between remote networks or hosts and an IPSec gateway located at the edge of your private network. SSL VPN products protect application streams from remote users to an SSL gateway. In other words, IPSec connects hosts to entire private networks, while SSL VPNs connect users to services and applications inside those networks.”
The above statement is totally wrong. The myth that Secure Socket Layer (SSL) Virtual Private Network devices (VPNs) are used to connect applications together is not true. The commercial SSL VPN market has falsely labored under this misdirected paradigm, but it is a mishandling of terms and represents an untrue statement. This document covers the emerging trend of SSL based VPNs. It is important to be absolutely clear that when this document refers to a VPN, it is not referring to an application level access to a remote network’s application. A VPN is a site-to-site tunnel. Let me say that one more time, a VPN is a site-to-site tunnel. There is a terrible misunderstanding in the industry right now that pigeon-holes SSL VPNs in to the same category with SSL enabled web servers and proxy servers. People hear SSL and immediately think of a protocol that encrypts traffic for an application, or for several applications, one at a time via proxying, application translation, or port forwarding. This is NOT a VPN. It is an application level gateway, a firewall, or an SSL gateway, but it is not a VPN. A VPN, or Virtual Private Network, refers to simulating a private network over the public Internet by encrypting communications between the two private end-points. This provides the same connectivity and privacy you would find on a typical local private network. A VPN device is used to create an encrypted, non-application oriented tunnel between two machines that allows these machines or the networks they service to exchange a wide range of traffic regardless of application or protocol. This exchange is not done on an application by application basis. It is done on the entire link between the two machines or networks and arbitrary traffic may be passed over it. See the section on other SSL VPNs at the bottom of this document for more information on this issue.
In the past, the method for creating such a site-to-site tunnel was to use the Internet Protocol Security (IPSec) standard. IPSec was not chosen due to its great strength as a protocol. It was chosen because it was the only game in town. IPSec has received much criticism for its unnecessary complexity and tight coupling with the OS kernel [SF99], but due to its monopoly on function, it has enjoyed widespread implementation.
Enter OpenVPN. OpenVPN is a user-space SSL-based VPN that illustrates the ease of use and simplicity of SSL VPNs while providing protection and function equivalent, and in some cases superior, to IPSec. OpenVPN does away with the complexities of IPSec from an installation, configuration, and management perspective. Security’s worst enemy is complexity and OpenVPN defeats this enemy. Unlike IPSec, OpenVPN holds true to the secure OS Ring Architecture philosophy of non-interference with kernel space or keeping applications out of Ring 0, which we will discuss more shortly. Adherence to this philosophy gives OpenVPN the ability to operate more safely today and provide greater protection against unknown attacks of tomorrow.
Note: The IETF has taken over development and management duties for SSL and have renamed it Transport Layer Security (TLS). For the rest of this document you may see it referred to as SSL, TLS, or SSL/TLS. Unless other wise noted, all of these refer to the latest version of TLS.
SSL/TLS is the most widely deployed security protocol in the world [Res01]. As such, it has undergone extensive scrutiny and has yet to be degraded by any known weakness. This does not mean it is guaranteed secure for the future, but it does mean that many of the brightest minds in cryptography and mathematics have been unable to find any holes in its cryptographic armor. In the past, SSL/TLS was a general protocol that would be tightly coupled with specific applications, thus the extreme confusion about what an SSL VPN really is. It would be used to secure session communication between two hosts using a single application or protocol at a time. The most well known use of SSL is in the HTTPS protocol to enable secure web-based ecommerce. SSL is the default security solution for application to application needs, but it has never been implemented to handle arbitrary multiple protocols at the same time, until now. Before jumping into OpenVPN, we need to cover a couple general issues on Cryptography, VPNs and IPSec.
Quick Intro to Cryptography
In order to talk about VPNs we must know a little bit about cryptography. VPNs rely heavily on cryptography to maintain a tunnel between end points and to securely build this tunnel. Cryptography is very complex and easy to do wrong, so its a good thing there are products like OpenVPN that have it already implemented for us.
There are four cryptographic primitives that relate to our discussion on VPNs: symmetric ciphers, asymmetric ciphers, message digests, and digital signatures. There are also four goals we have with information security: Confidentiality, Integrity, Authentication and Non-repudiation. The trick is to assemble our four primitives to achieve our four goals.
Symmetric Ciphers – Confidentiality
In order to keep our data secure from prying eyes, we must encrypt it. Symmetric encryption uses a very fast block level algorithm to encrypt and decrypt data and is the primary primitive used to protect data confidentiality. Both sides of the tunnel will use the same encrypt/decrypt key which presents us with the primary weakness of symmetric ciphers, key distribution. Common symmetric ciphers are DES, 3DES, Blowfish, AES (Rijndael), RC5, RC6, Serpent, and IDEA.
Message Digests – Integrity
With VPNs we are sending our sensitive dat a over the public Internet. This uncontrolled network subjects our data to all sorts of malicious and accidental tampering and modification. We want to make sure what we send is the same as what the other side receives, and vice versa. To maintain this integrity, we use message digests. A message digest is an irreversible mathematical function that takes a message of any size and encodes it as a fixed length block of cipher text. This fixed length cipher is called the digest. It is essentially a cryptographic “summary” of the message. Every mess age has only one digest and ideally, no two messages should ever create the same digest. If even one letter of our message is changed, the entire message digest will be different.
Before we send our message, we run it through a message digest function and get our fixed length block of cipher text. We then send this cipher text along with the message. When the other side of our communication receives our message, they will run the same message digest function on the text of our data and compare the result to our attached message digest. If they are the same, the receiver knows the message has not been changed since we sent it. If we add a key to our message before running the message digest we get even better protection. We will discuss this later under the HMAC section below. Commonly used message digest algorithms are MD5 and SHA-1.
Asymmetric Ciphers – Everything Else
We have two goals left to cover, authenticity and non-repudiation. We want to guarantee that the entity we are talking to is the entity we think we are talking to. To authenticate this fact we use asymmetric encryption, or public key cryptography. This involves the creation of a key pair. These two keys are mathematically related is a very useful way. Data encrypted with one key can only be decrypted with the other key in the pair, and vice versa. One key is labeled the public key and it is distributed to the world. The other key is the private key and it is kept secret. We can use this system to authenticate the entity by checking that it has something that no other entity should have, its private key. In order to check this, we have the entity send us message encrypted with this private key. Since the entities public key is available to the world, we can use it to decrypt the message. If this works, we know the entity is who they claim to be. This gets a bit more complex below.
We also want to make sure that every one is held accountable. In order to hold entities accountable we need to make it impossible for someone to send traffic and later claim that they did not, non-repudiation. Again, since the only person who knows an entity’s private key is the entity itself, we can use this to gain non-repudiation. Just as in the above case, if an entity encrypts its message with its private key, we can decrypt the message using the public key and assure that the sender is the only entity that could have sent the message, meaning they cannot later claim that someone else forged it.
In actual practice, we use digital signatures. When an entity needs to send a message, they will run a message digest for it. They will then digitally sign the message digest by encrypting it with their private key. The whole package is bundled up and run through symmetric encryption for confidentiality. This gets sent to the other end of our communication tunnel where the symmetric encryption is decrypted. The receiver then decrypts the message digest using the sender’s public key. If it works, we have authentication and non-repudiation. The receiver then runs a message digest and compares it to the one it received. If they match, the receiver knows the data has not been altered, thus we have integrity. The most commonly used asymmetric algorithm is RSA.
We will talk about each of the above primitives in much greater detail as we go.
VPN in a Nutshell
VPN stands for Virtual Private Network. VPN is the term used to refer to any device that is capable of creating a semi-permanent encrypted tunnel over the public network between two private machines or networks to pass non-protocol specific, or arbitrary, traffic. This tunnel can carry all forms of traffic between these two machines meaning it is encrypting on a link basis, not on a per application basis. VPNs are useful in situations where an entity is paying for dedicated leased lines due to security concerns or the need to provide layer two communications over a WAN link via transparent bridging, WINS servers, or other broadcast repeaters. The VPN allows the end points to connect to the Internet and have this same functionality without the need for expensive leased lines. The other common use for VPNs is to provide dial-up access or network extension for remote employees. Instead of making expensive calls and maintaining access servers with modem banks, a remote user can dial up and connect to the Internet locally, then use the VPN to access the main site securely over the Internet. This allows for reduction in phone bills and elimination of expensive and hard to secure modem banks and access servers.
One of the key elements of VPNs is encryption. To protect sensitive or non-routable data as it passes over the public Internet, we need to create a virtual private tunnel. This tunnel is built by encrypting the packets or frames and then encapsulating these in regular IP traffic between the two hosts or networks. The protection and encapsulation of these packets is vital to the function of a VPN and one of the most complex pieces to get right.
What the heck is IPSec?
In November of 1998 the Internet Engineering Task Force (IETF) came out with a series of Request for Comments (RFC’s) defining the protocols necessary to create VPNs. Specifically, RFC 2401-2412 represent the backbone of the technologies that have come to be known collectively as IPSec. IPSec is a standard set of protocols and rules for their use that allow the creation of VPNs. The theory was if vendors implement IPSec to create their VPN products, they would interoperate with other vendor’s products. This has had varying success as IPSec allows for significant latitude in design choices and often leads to IPSec compliant products from different vendors that do not interoperate. Some of the highlights of this series of RFC’s are: RFC 2401 (IPSec), RFC 2402 (Authentication Header), RFC 2406 (Encapsulating Security Payload), RFC 2408 (ISAKAMP), and RFC 2409 (IKE). For a comprehensive collection of IPSec related RFC’s see Pete Loshin’s book Big Book of IPSec RFC’s.
IPSec creates a secure tunnel by first using a handshake protocol called Internet Key Exchange (IKE). IKE authenticates the end points of the tunnel to each other, and then follows a secure procedure to exchange the necessary information to create a more permanent tunnel using symmetric encryption. Once this tunnel is in place, any arbitrary traffic sent between these two end points will be passed through the protected tunnel. This tunnel can be used by any application or protocol and is semi-permanent, meaning it will stay up indefinitely provided both end points continue to desire its existence.
IPSec was created by a committee and some believe this process added more functionality, bloat, and complexity than is needed or reasonable. The committee approach has received criticism as a viable way to develop security standards. The preferred method is to use contests like the one used to choose the new Advanced Encryption Standard or AES. As Bruce Schneier and Niels Ferguson put it, “IPSec is too complex to be secure” [SF99]. Be that as it may, IPSec is used to create a majority of the VPN products found today. Checkpoint VPN-1, Cisco PIX, and the open source FreeS/WAN are all examples of commonly used VPN solutions that implement IPSec. So in the past, if you wanted a VPN, you suffered with the complexity of IPSec.
Note: The FreeS/WAN project is now dead. Its original charter was to secure the Internet using ubiquitous Opportunistic Encryption [Free04]. Failing to make progress in that direction, they closed their doors. The excellent code base they left behind has continued to develop in the form of OpenS/WAN and StrongS/WAN.
In addition to configuration complexity, IPSec has strayed from the secure OS Ring Architecture design principle of non-interference with kernel space. This principle breaks out the OS into rings of privilege. Ring0 is reserved for the kernel and other essential processes. Ring1 for other system processes that need low level access to hardware. As you move outward in rings, the privilege of the process is decreased. Ring3 is where most user processes are found. The architecture rules state that processes in higher numbered rings can not interfere with processes in lower numbered rings. This provides greatly enhanced stability and security in our applications and allows for multi-user, multithreaded systems.
“The part of the OS that needs to access the hardware and provides the basic metaphors of processes, memory and devices, run in ring0, some system tasks run in ring 1 etc… The normal user processes run in the ring with the lowest privileges. This means a process running in a certain ring cannot harm the processes in a ring with more privilege. Multics was the OS that brought this idea to us, and formed the base for all later operating systems up to now. This architecture offers… a lot more stability and security than the earlier architectures, and is able to provide multitasking and multi-user facilities.”
To reduce the impact of application failure on the stability and security of the system, non-essential processes should not interfere with the kernel. In order to gain the level of control needed to secure traffic over the interface link, IPSec needs to be tightly integrated into the OS kernel, in Ring0. This violates our design principle and puts the entire operating system at risk. This violation also makes installation difficult and puts up road blocks to developing client and server applications for other platforms.
Anyone who has installed FreeS/WAN on Linux understands the degree of coupling necessary under IPSec. Having to install touchy, kernel specific code hacks can definitely be discouraging, especially for security conscious administrators who upgrade their kernels on a regular basis. Additionally, even though IPSec is touted to be interoperable between vendors; the reality is if you have a vendor’s VPN product on one side of the tunnel, you often need to use the same vendor’s client or server on the other end. This reduces the flexibility of many products as they don’t make clients for Windows or have a hard time installing with the existing Windows IPSec VPN client. This issue of variation in implementation results in many headaches that eliminate the benefit of using an open standard in the first place.
So how do these things work?
VPNs work by creating a virtual tunnel over the public Internet. In order to create this tunnel, symmetric encryption is used. Both sides of the tunnel share common encryption and decryption keys and use them to encrypt all traffic in both directions. Symmetric encryption is very fast and there are many solid algorithms available to implement this (Blowfish, AES, 3DES). There are two problems with symmetric encryption. First, how do we get these common keys to both sides of the tunnel? This is called key exchange or key agreement. Second, how do we know we are exchanging keys with the correct entity? This is called authentication.
There are many ways to exchange keys, some elegant and some barbaric. One way to exchange keys is to call the administrator on the other end of the tunnel and read them the key over the phone. Another way is to send them the key in an email using Pretty Good Privacy (PGP) to encrypt the exchange. Both of these methods will work, but they are not very effective. This is referred to as a pre-shared secret and it does not scale well or provide us with perfect forward secrecy, which we will talk more about in a minute.
A foundation of solid cryptography is that you change your encryption keys on a “regular” basis. The definition of “regular” is pretty broad. I have seen philosophies that say the lifespan of a key should be less than the time it takes to break that key. The literal interpretation of this strikes me as kind of silly. Imagine an attacker had a system that could break a DES key in 1 hour (not that far from reality). If you change your DES key every hour, all this means is your attacker needs to archive your traffic and get to work breaking it. They will begin seeing unencrypted traffic one hour after that traffic is sent, so all you’ve really done is add a one hour delay to the compromise of your data. I feel the true spirit of this philosophy is to change your keys as often as you can without putting an unreasonable resource load on your system or administrators. This frequent change also provides what is called Perfect Forward Secrecy meaning if your key is broken for one series of transactions, it does not compromise any future series.
If you want to change your keys once an hour, or even once a day, you can see how the phone call or PGP method is not really practical. Especially if you have 80 VPN users with whom you need to exchange keys.
To overcome this cumbersome key exchange issue, VPNs often use certificates. Certificates use Public Key Cryptography, meaning a host generates a public and private key pair that are mathematically related to one another. Any data encrypted with the public key can only be decrypted with the private key, and vice versa. Each end system has its own public/private key pair. The public key is given out to the world to encrypt traffic bound for the system, and the private key is kept secret to decrypt this traffic. The private key can also be used to prove that data was actually sent by a specific entity, which is called non-repudiation. If I encrypt something with my private key you can confirm it is really me by decrypting it with my public key. The problem with this is I will need a copy of every host’s public key that I want to connect with. If I have 100 hosts I’m keeping VPN connections with, this again becomes a scalability problem.
The solution is to use a certificate authority (CA). A certificate authority looks over an entity’s credentials and certifies that they are who they say they are. Once an entity is certified, the certificate authority will sign the entity’s public key with the CA’s private key. Now, in order to prove that your entity is really the entity you want to talk to, you just need to prove that they have been approved by your CA. We essentially are saying “We trust the CA and anyone the CA trusts we will trust too”. To prove that our CA trusts this entity all we need is the CA’s public key. When you get a certificate from the entity, it should have a signature created by the CA’s private key. You use the CA’s public key to decrypt this signature to make sure the certificate is valid. Now you can have 100 hosts who have all been preapproved by your CA. You can authenticate these hosts by checking the CA signature on their certificates with the CA’s public key, and only need to keep one key on your system, the CA’s public key. This solves our scalability problem.
SSL/TLS to the Rescue
The new kid in town is the user-space SSL/TLS based VPN. SSL has been in existence since the early 90’s. SSL was initially developed by Netscape and was eventually joined by another similar code branch created by Microsoft. In the late 90’s the IETF created TLS is an attempt to consolidate the different SSL branches into a common, open standard. TLS is essentially SSLv3 with some minor fixes and enhancements.
User-space SSL VPNs use the highly mature and widespread SSL/TLS protocol to handle the tunnel creation and cryptographic elements necessary to create a VPN. We are going to focus mostly on an open source SSL VPN, OpenVPN. There are other commercial products available to create SSL VPNs, but most if not all of them miss the mark on creating a usable site-to-site VPN. For adetailed explanation of this see the section below on other SSL VPNs.
OpenVPN is a user-space VPN that uses the well tested and mature SSL/TLS infrastructure to create the same site-to-site connection functionality found in IPSec VPNs. OpenVPN is referred to as a user-space VPN because it does not require sophisticated intertwining with the OS’s kernel to function. It operates in Ring3 of our secure OS Ring Architecture, which is right where we want it. Usually, in order to do link encryption, an application must be intertwined with the kernel to provide low level access to the interface where the link is found. User-space VPNs use a “virtual interface” they control and access without this kernel dependence. This gives user-space VPNs a more secure starting point than standard IPSec devices, as well as provided more flexibility in porting to other operating systems and ease of installation and maintenance. The flexibility of this architecture even allows it to exist on the same box with IPSec VPNs. You can install OpenVPN on Windows machines without any conflicts between it and the Windows IPSec client which, as anyone who has tried to install a third party IPSec client on Windows knows is a pretty big plus. In fact, you can run an IPSec VPN from your Windows machine, and still have an SSL/TLS based VPN running at the same time.
SSL/TLS is a standard protocol for encrypting Internet traffic. It is very mature and has been widely implemented and tested for vulnerabilities. As long as no one figures out how to factor large pseudo-prime numbers in a hurry, SSL/TLS appears to be in good shape to provide security for quite some time to come. SSL/TLS is much easier to implement than IPSec and provides a platform that is solid, simple, and well-tested. It is important to note that SSL/TLS based VPNs are able to encrypt link traffic for site-to-site connectivity just like IPSec VPNs. The RSA handshake (or DH) is used exactly as IKE in IPSec, and the SSL crypto library is used to secure the symmetric tunnel after that, again using similar encryption techniques to those protecting IPSec tunnels. This tunnel can pass arbitrary traffic, just like an IPSec VPN. No restrictions, no tricks.
Note: One downside to SSL/TLS is in packet drop performance. IPSec will inspect and drop a packet at a lower level in the protocol stack than SSL/TLS which will take it higher and process it more before rejecting it. This could be an issue with DoS attacks and some very high capacity usage scenarios. In most cases this is not a problem.
Other SSL VPNs
The current state of commercial SSL VPNs is disturbing at best. The term “SSL VPN” is in my opinion being badly distorted by almost all the vendors claiming to offer the product. What they are really offering is an SSL gateway which is quite a different product. Again the definition of a VPN is a device that provides a site-to-site encrypted tunnel between two end point hosts or networks that allows arbitrary traffic to pass between them. For the most part, the SSL VPN products on the market fall short of this mark while claiming they meet it.
The term VPN carries with it an expectation of the highest level of security. When someone looks at a product labeled a VPN, they believe that the protections we have been discussing thus far are in place to some degree. Many commercial SSL VPNs are carrying this label without including the above protections. The architectures they are suggesting have serious security problems.
The Four Horsemen of SSL VPNs
SSL gateways provide access to corporate applications on an application by application basis, which violates are definition of a VPN right from the start. They use four methods to do this: proxying, application translation, port forwarding, and network extension. Network extension is the only one of these methods that actually creates a VPN. Few of the SSL VPNs provide this feature, and fewer still provide a working version of it.
The business push on commercial SSL VPNs is their ability to function without a client. This is confusing at best and irresponsibly deceptive at worst. What these vendors are really claiming is that you can access corporate applications using the universal client, the Web browser. They are trying to sell simplicity and flexibility, eliminating client installation for remote users, or (gasp) allowing mobile users to “VPN” to the corporate network from public machines like kiosks. What they aren’t in a hurry to tell you is that Web browsers only work on the first two levels of access, proxying and application translation. In order to do port forwarding, and particularly network extension, you need a client, which often requires administrative access to the machine you are using. So much for clientless VPN and so much for using public kiosks.
Proxying
Proxying is simply providing an intermediary between an external and internal application. This intermediary usually pretends to be the end point for both sides of the connection and accepts the client request, rewrites it and sends it to the server. Return traffic is handled the same way. Application Level Gateway (ALG) is a common name for devices that do this, or in simpler situations, just a Web Proxy. Many ALG’s make sure the client request is well formed before they forward traffic to ensure proper resource usage. Regardless, the applicationrequest is completed and sent back to the client over the SSL connection. This method of mediating traffic is slightly slower than normal as the gateway must decode/encode the packets an extra time as well as inspect the contents. It works well with Web based protocols but struggles beyond that. A common use would be to couple the proxy with authentication and allow access to a private intranet website for remote users. It also requires a special proxy for each and every protocol. This system does not provide site-to-site connectivity for arbitrary traffic and requires new coding for any addition protocols that come up.
Application Translation
Some applications, like FTP and other file sharing services, can adapt to translation. This means the internal protocol is translated to HTTP and HTML for delivery to the client’s Web browser. This works in some circumstances, but is hard to get right with some protocols, like the black magic that is Windows file sharing. It also destroys the look and feel of applications as they are limited to the display capabilities of HTML. This translation needs to be done on a protocol by protocol basis and can not handle many services. It requires a special translator for each and every protocol. This system does not provide site-to-site connectivity for arbitrary traffic and requires new coding and analysis for any addition protocol that come up.
Port Forwarding
Port forwarding is what firewalls do. Traffic to a port on one IP address (usually your gateway) is simply redirected to the same (or sometimes different) port on another machine. If the packet qualifies, the gateway simply passes the traffic without inspecting its contents. This works well for so me common services that use predictable ports. However, many protocols do not use a fixed port, instead using a range of ports or random ephemeral ports. It also requires individual forwarding for each service or port, one at a time. This system does not provide site-to-site connectivity for arbitrary traffic and requires new coding for any addition protocols that come up. It also requires that software be installed on the client machine; if you think that sounds like a “client” you are correct! For this client to work correctly, it requires administrative access on the box. Again, so much for clientless VPN, and so much for public kiosks.
Network Extension
Of The Four Horsemen of the SSL VPNs, the only one that provides true VPN service is network extension. As with traditional IPSec VPNs, the devices that handle network extension create a site-to-site tunnel that can handle arbitrary traffic. No surprise, this configuration requires a client in all cases. On top of that, it requires administrative access to the host or gateway machine, which you are not going to get on public machine (I hope). This is going to sound like a broken record, but so much for clientless VPNs and so much for public kiosks. Few of the commercial devices claim to do network extension and of those that claim to do it, few actually do it correctly. For those select few (Checkpoint, NetScreen, OpenVPN), we reserve the name SSL VPN.
Hybrids
Some of the devices listed as SSL VPNs actually just provide SSL access to web based applications, and then use IPSec access for network extension (Cisco). I would suggest that labeling this device an SSL VPN is a misnomer at best.
Security Issues
For all the rest of the commercial SSL VPN market, shame on you. I don’t know if this phrase is already claimed, but if it isn’t, I’m labeling it Hosner’s Lament:
“The one thing worse than bad security is bad security that creates the illusion of good security”
VPNs are an extension of your network. Hence the term network extension above. They represent your LAN at a location outside your company. Most of the commercial SSL VPN products focus heavily on “clientless VPN” as an obvious marketing feature. The following quote is taken directly from the marketing material of one of these vendors:
“The biggest difference between SSL VPNs and traditional IP Security remote access VPNs is that the IPSec standard requires installation of client code on the end user’s system, while SSL VPNs focus on making applications available through any Web browser.”
This is not only deceptive, it is dangerous. Either these companies lack an understanding of security and VPNs, or they are unethically presenting a product to unknowing users that gives them the impression of safety with the well know label of VPN without the security features that are traditionally associated with this label. Here is another marketing snippet that affirms this strategy:
“We ruled out changes to client systems as unacceptable and not in the spirit of SSL VPNs’ goal of security with ease of use.”
That philosophy would be fine if it were true. The real situation is security is being compromised for the sake of ease of use. Imagine this, one of these SSL VPNs allows “clientless access” from public kiosk machines. Your user goes to one of these kiosks where a 14 year old has installed a keystroke logger. Your user connects to your “VPN”, authenticates to your network with their username and password, and accesses a bunch of material. Your 14 year old now knows your users username and password plus a large amount of data about your internal applications. Or worse yet a trojan on the kiosk starts a worm attack on your network through the SSL tunnel. Now you have a worm hammering the soft underbelly of your network through a trusted tunnel. Public clients are by definition untrusted clients. VPNs work on the foundation that both sides of the connection are trusted. If you are providing an application gateway, maybe this is acceptable, but if you are using a VPN, you must have trusted and authenticated hosts on both ends of the connection. The following quote says it all.
“Your VPN–IPSec or SSL–is only as secure as the laptops, PCs or PDAs connected to it.”
How about cookies, temporary files, browser history, and session information? Many of these vendors claim to have programs that clean these areas up after use. Unfortunately, to use these features, you need to have administrative rights on the machine. If a kiosk lets you have admin access to it, you can bet it is already infected with a keystroke logger, remote control software and enough bugs and viruses to make the Amazon jungle jealous. This feature is most important on public machines, which are the most unlikely to provide the permissions necessary to allow this sort of scrubbing.
Ever heard of a man in the middle attack? How do these so called SSL VPNs defend against that? Do the users remember a 1024-bit certificate that they type into the password box at authentication challenge? How do we know the server is really the machine we want to connect to and not some hostile intermediary? What we have here is a cotton shirt claiming to be suit of armor. Both devices provide access to internal corporate resources. The difference is only devices that deal with trusted and authenticated end points using installed client software are actually capable of creating a VPN. All other current claimants are charlatans and very dangerous ones at that. These companies put their name and the label of VPN on these products which give the unknowing IT manager a sense of security. This sense will stay until a terribly damaging breach occurs that could wipe out the company, and definitely the IT manager’s career. Will these “SSL VPN” corporations bear this responsibility? Of course not. I imagine if you look at their user license agreement you will find text absolving them of any responsibility for compromise related to their product. Use commercial SSL VPN solutions with extreme care!!! Just to give you a taste of the lack of security knowledge some of these vendors have, here is a quote that represents their level of understanding, again taken directly from marketing material. Company name removed to protect the guilty.
“The XXX Server is protected against any kind of web server, password or other hacking attempts.”
Anyone who has spent more than 5 minutes in the computer security field knows the above statement is ridiculous and a common indicator that we are dealing with an entity with little experience in security. For anyone interested in more information on these products plus some excellent comparisons and product information please see the reference at the end of this document.
Conclusion
IPSec VPNs are unnecessarily complex. The IPSec protocol is dense and confusing providing many opportunities to compromise its security by implementing it incorrectly. As Bruce Schneier says:
“We strongly discourage the use of IPSec in its current form for protection of any kind of valuable information …… however, we …. recommend IPSec when the alternative is an insecure network.”
Vendor IPSec packages are expensive and most open source variations are hard to install and configure. But now we have a choice. OpenVPN is an SSL/TLS-based user-space VPN that provides industry tested security with tremendous ease of use. It is available on most modern operating systems and gives you the flexibility to work in a variety of modes that are easy to understand and hard to make insecure.
Glossary
Application Level Gateway – (ALG) Usually a component of a firewall, an ALG acts as an intermediary between an external client and an internal service.
Asymmetric Encryption – System for encrypting/decrypting and digitally signing messages. Uses different keys (public/private) on either side of the connection. Does not perform well for bulk encryption when compared to symmetric encryption.
Authentication – Determining an entity’s identity and possibly the level of access they are allowed to have.
Authentication Header – (AH) A component of IPSec that allows masking and protection of the original source address of packets. Its value is questioned as ESP and NAT do most of its functions with the exception of source address verification, which has limited use.
Broadcast repeater – A networking device that regenerates OSI level 2 broadcasts onto a different network segment.
Certificate – An electronic data structure that contains identification information on an entity as well as that entity’s public key. This public key is usually signed by a certificate authority.
Certificate authority – (CA) An entity that does physical validation of other entities and then signs these other entity’s keys to prove they are who they claim to be.
Cipher Block Chaining – (CBC) A method of randomizing cipher text to reduce the amount of available cipher text encrypted using a common key.
Confidentiality – Keeping information private between only those who need to know it.
Cryptographic Primitive – Refers to the basic building blocks of a crypto system. Symmetric ciphers, Asymmetric ciphers, message digests and digital signatures are all primitives.
Digital Signature – Using a private key to sign a cryptographic hash of a message to guarantee authorship and integrity of the message.
Ebuild – Package management system used by Gentoo Linux for distributing and installing applications.
Encapsulating Security Payload – (ESP) A component of IPSec that enables the encryption and protection of a message.
Hosner’s Lament – The one thing worse than bad security is bad security that creates the illusion of good security.
Initialization Vector – (IV) Random or hard to predict string of characters used to modify the first block of a Cipher Block Chaining mode encryption session or any other encryption requiring pseudo-random seeding.
Integrity – A guarantee that the in formation sent is the same as the information received.
Internet Engineering Task Force – (IETF) Group organized to design and disseminate technical standards for the Internet. The keepers of the fabled RFC’s.
Internet Key Exchange – (IKE) Handshake protocol used by IPSec. Uses a 6 message format to authenticate tunnel end points and exchange session keys to build and maintain an IPSec VPN tunnel.
IPSec – Internet Protocol Security. IPSec is a standard for creating VPNs. Primarily defined by RFC’s 2401-2412. IPSec has received much criticism for its
complexity.
Key Agreement – A process by which two entities can calculate the same key over a public network without eavesdroppers also being able to calculate the key. The oldest and most wide spread algorithm for key agreement is Diffie-Hellmann.
Key Distribution – System for moving cryptographic key material between entities over a secure medium.
Key Exchange – System for transferring cryptographic key material between entities, usually over an insecure medium. RSA and Diffie-Hellmann are examples.
Message Digest – A cryptographic summary of a message. If any character in a message is changed, all of the message digest will change.
Network Address Translation – (NAT) Usually a component of a firewall. NAT allows multiple internal clients to share external addresses. NAT (actually PAT) maps private internal addresses to ports on an external address allowing public address space conservation and source address masking.
Network Extension – This refers to extending the boundary of the corporate network to include remote machines that are connected over the public Internet. This is the primary purpose of VPNs.
Non-repudiation – The inability of the sender to later deny they sent the message. Achieved using digital signatures.
OS Ring Architecture – Operating system design philosophy that breaks the OS into rings of privilege starting with Ring0. Kernel processes and all essential system components run at Ring0 or Ring1. User applications run at Ring3. The philosophy states that processes at higher rings can not interfere with processes at lower rings thus creating a more secure, stable, multi-user environment.
Perfect Forward Secrecy – This philosophy states that if a key is compromised for one section of an encrypted communication, it will only allow access to that section. Future sections of the communication are protected differently (different key) and will not be compromised.
Polynomial Time – Means the function can be computed in a reasonable time. This is in comparison to exponential time meaning as the function adds complexity, the time to crack it increases exponentially, quickly surpassing the reasonable time measure.
Pretty Good Privacy – (PGP) A system for protecting information. Uses the IDEA cipher to encrypt data and incorporates public key cryptography using a web of trust. Common system for protecting email communications between trusted entities.
Public Key Cryptography – System of using public and private key pairs to protect data and authenticate entities. Includes certificate authorities.
Redhat Package Management – (RPM) Package management system used by Redhat Linux for distributing and installing applications.
Request For Comment – (RFC) Standard system for communicating technical standards for the Internet. RFC’s are created and maintained by the IETF.
Secure Socket Layer – (SSL) Protocol and crypto libraries used to protect communication over the Internet. Used primarily in e-commerce, SSL is making headway into link encryption environments like VPNs. Originally developed by Netscape in the early 1990’s.
Symmetric Encryption – System for encrypting/decrypting traffic using the same key on both sides of the connection. Very fast when compared to asymmetric encryption.
TAP Virtual Driver – A driver interface that allows Ethernet bridging. The TAP interface communicates with the actual physical interface eliminating some complexity and rigidity.
Transparent Bridging – Using a device that connects two different subnets together and allows traffic to pass between them without routing. Stores MAC addresses of each network in a table and uses this data to bridge networks.
Transport Layer Security – (TLS) To condense the code trees of SSL and centralize management and development of the protocol, the IETF developed TLS. TLS is essentially the latest version of SSL and is really just SSLv3 with some minor improvements. Often abbreviated SSL/TLS.
TUN Virtual Driver – A driver interface used for IP traffic. The TUN interface communicates with the actual physical interface eliminating some complexity and rigidity.
Virtual Private Network – (VPN) A device that is capable of creating a semi-permanent encrypted tunnel over the public network between two private machines or networks to pass non-protocol specific, or arbitrary, traffic.
Windows Internet Name Service Server – (WINS) Device that maps NetBIOS names to IP addresses allowing machines on different subnets to still use services like Windows file sharing. Samba is able to act as a WINS Server.
Source: Sans