Ncs 3

The document provides an overview of Virtual Private Networks (VPNs), detailing various types such as Remote Access, Site-to-Site, and Extranet-based VPNs, along with their purposes and use cases. It also discusses tunneling protocols, including PPTP, L2TP/IPsec, and OpenVPN, as well as the IPsec protocol suite which encompasses Authentication Header (AH) and Encapsulating Security Payload (ESP) for securing IP communications. Additionally, it covers the implementation methods for VPNs, highlighting the roles of VPN client software, gateways, and various encryption protocols.

Uploaded by ficajo8878

NCS

Mr. Santosh, Assistant Professor


Cyber Security
Unit - 3

Proxy & VPNs


VPN
A Virtual Private Network (VPN) is a technology that
allows users to create a secure and encrypted
connection to a private network over the internet. VPNs
are commonly used to protect online privacy, secure
data transmission, and access restricted content.
VPN types
Remote Access VPN:
Purpose: Provides a secure connection for remote users to
access a private network over the internet.
Use Case: Employees working from home or traveling can
connect to their company's internal network securely.
Site-to-Site VPN:
Purpose: Connects entire networks together, allowing
multiple offices or branches of a company to share data
securely.
Use Case: Companies with multiple locations can use
site-to-site VPNs to connect their local networks securely
over the internet.
Intranet-based VPN:
Purpose: Connects different branches or remote offices of
the same organization to create a secure communication
network.
Use Case: Large organizations with geographically dispersed
offices can use intranet-based VPNs for secure internal
communication.
Extranet-based VPN:
Purpose: Allows different organizations to establish a secure
communication channel over the internet.
Use Case: Partner companies or organizations can share data
securely while maintaining privacy and security.
SSL/TLS VPN:
Purpose: Uses SSL/TLS protocols to provide a secure
connection over the web browser, often used for secure
remote access.
Use Case: Securely accessing corporate applications or data
through a web browser without requiring additional
software.
IPsec VPN:
Purpose: Uses Internet Protocol Security (IPsec) to provide a
secure connection between networks or devices.
Use Case: Commonly used for site-to-site VPNs and remote
access VPNs, offering a high level of security.
PPTP VPN:
Purpose: Point-to-Point Tunneling Protocol (PPTP) was one of
the earliest VPN protocols but is now considered less secure
due to vulnerabilities.
Use Case: Legacy systems that still support PPTP, though it's
not recommended for use due to security concerns.
L2TP/IPsec VPN:
Purpose: Layer 2 Tunneling Protocol (L2TP) combined with
IPsec to provide a more secure and robust VPN connection.
Use Case: Offers a higher level of security than PPTP and is
commonly used for remote access VPNs.
Tunnelling Protocols
Tunneling protocols are a crucial aspect of Virtual Private
Networks (VPNs) as they are responsible for encapsulating
and encrypting data for secure transmission over the
internet.
Tunneling protocols:
Point-to-Point Tunneling Protocol (PPTP):
Purpose: Provides a basic level of encryption and is easy to
set up.
Security: Considered less secure due to vulnerabilities and is
not recommended for sensitive data.
Layer 2 Tunneling Protocol (L2TP):
Purpose: Often used in combination with IPsec for improved
security.
Security: L2TP alone doesn't provide encryption, but when
used with IPsec, it becomes more secure.
Internet Protocol Security (IPsec):
Purpose: Adds a layer of security by authenticating and
encrypting each IP packet.
Security: Widely used for site-to-site VPNs and remote access
VPNs due to its strong security features.
Secure Socket Tunneling Protocol (SSTP):
Purpose: Developed by Microsoft and operates over the
SSL/TLS protocol.
Security: Offers a high level of security and is commonly used
for remote access VPNs on Windows platforms.

OpenVPN:
Purpose: An open-source protocol that uses SSL/TLS for key
exchange and offers flexibility and security.
Security: Considered highly secure and is widely used for
both remote access and site-to-site VPNs.
WireGuard:
Purpose: A modern, open-source VPN protocol designed for
simplicity and efficiency.
Security: Known for its speed and security, with a smaller
codebase compared to some other protocols.
IKEv2/IPsec:
Purpose: A combination of Internet Key Exchange version 2
(IKEv2) and IPsec for strong security and quick reconnection
after a network interruption.
Security: Provides robust security and is suitable for mobile
devices due to its ability to handle changes in network
connectivity seamlessly.
Tunnel and Transport Mode
In the context of Virtual Private Networks (VPNs) and IPsec
(Internet Protocol Security), "Tunnel mode" and "Transport
mode" refer to two different ways in which IPsec can be
applied to secure communication between two devices or
networks.
Tunnel Mode:
Purpose: Tunnel mode is typically used to create VPNs between networks.
Encapsulation: In tunnel mode, the entire original IP packet (including the original IP header) is encapsulated within a new IP packet.
Header Modification: The original IP header is usually modified, with the new header containing information related to the secure communication between the two endpoints.
Use Case: Commonly used in site-to-site VPNs, where entire networks are connected securely over the internet.
Transport Mode:
Purpose: Transport mode is typically used for end-to-end communication between two devices.
Encapsulation: In transport mode, only the payload (data) of the original IP packet is encrypted and/or authenticated, leaving the original IP header intact.
Header Modification: The original IP header is not modified; instead, additional headers are added to the packet to provide security services.
Use Case: Often used for securing communication between individual devices, such as in remote access VPNs or point-to-point communication.
Authentication Header
The Authentication Header (AH) is one of the two main
protocols used in IPsec (Internet Protocol Security) to provide
security services for IP packets. The other protocol is the
Encapsulating Security Payload (ESP). Both AH and ESP can be
used in conjunction, but they serve different purposes.
Purpose of Authentication Header (AH):
Authentication:
Integrity: AH provides data integrity by ensuring that the
contents of the IP packet have not been altered in transit. It
achieves this by calculating a cryptographic hash of the
packet's contents and including it in the AH header.
Authentication: This cryptographic hash, also known as the
Integrity Check Value (ICV), is used to verify the authenticity
of the packet. If the packet has been tampered with during
transmission, the hash will not match, and the packet will be
rejected.
Anti-Replay Protection:
AH includes a sequence number field to protect against
replay attacks. This field is used to order incoming packets
and identify if any packets are duplicates or out of order.
No Confidentiality:
Unlike ESP, AH does not provide encryption. It only focuses
on ensuring the integrity and authenticity of the transmitted
data.
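The sequence-number check described above is, on the receiving side, a sliding window: the receiver remembers the highest sequence number it has accepted and which of the recent numbers below it have already arrived. The following Python is an added example, not code from these slides or from any IPsec implementation. It models the receiver window of RFC 4302 section 3.4.3 (default size 64 packets; the trace uses 8 so the behaviour is visible in a short run) and feeds it a constructed sequence of packets, each paired with a flag standing in for the outcome of the ICV verification, so that the window is only advanced by packets whose integrity check passed.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ReplayWindow:
    """Receiver-side anti-replay window for one inbound AH (or ESP) security association.

    Follows the sliding-window scheme of RFC 4302 section 3.4.3 with 32-bit sequence
    numbers. `highest` is the largest sequence number accepted so far; bit i of
    `bitmap` records whether packet (highest - i) has already been accepted.
    """
    size: int = 64      # RFC 4302: at least 32 must be supported, 64 is the default
    highest: int = 0
    bitmap: int = 0

    def check(self, seq: int) -> Tuple[bool, str]:
        """Cheap test done before the ICV is verified; it never changes state."""
        if seq == 0:
            return False, "reject: sequence number 0 is not used on a fresh SA"
        if seq > self.highest:
            return True, "accept: newer than anything seen"
        if self.highest - seq >= self.size:
            return False, "reject: older than the window"
        if (self.bitmap >> (self.highest - seq)) & 1:
            return False, "reject: replay of an accepted packet"
        return True, "accept: inside window, not seen before"

    def update(self, seq: int) -> None:
        """Record `seq` as accepted. Only called after the ICV verified."""
        if seq > self.highest:
            shift = seq - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, seq: int, icv_valid: bool) -> Tuple[bool, str]:
        ok, why = self.check(seq)
        if not ok:
            return False, why
        if not icv_valid:
            # A packet that fails integrity must not move the window: otherwise a
            # forged high sequence number could make later genuine packets "too old".
            return False, "reject: ICV failed, window unchanged"
        self.update(seq)
        return True, why


# Constructed trace of (sequence number, did the ICV verify) pairs.
SAMPLE_EVENTS = [(1, True), (2, True), (3, True), (2, True), (20, True),
                 (12, True), (13, True), (13, True), (21, False), (21, True)]


def run_trace(size: int, events: List[Tuple[int, bool]]) -> List[Tuple[int, bool, str]]:
    """Feed `events` through one window and return (seq, accepted, reason) per packet."""
    window = ReplayWindow(size=size)
    return [(seq, *window.receive(seq, ok)) for seq, ok in events]


if __name__ == "__main__":
    for seq, accepted, reason in run_trace(8, SAMPLE_EVENTS):
        print(f"seq={seq:>3}  {'ACCEPT' if accepted else 'DROP  '}  {reason}")
```

In the trace, the second copy of packet 2 is dropped as a replay, packet 20 jumps the window forward so that packet 12 is now too old even though it was never seen, and the forged packet 21 (bad ICV) leaves the window untouched so the genuine 21 that follows is still accepted.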
Structure of Authentication Header:
The AH is inserted between the original IP header and the
upper-layer protocol (e.g., TCP or UDP). The structure of the
Authentication Header includes several fields, but the most
important ones are:

Next Header: Identifies the type of the next header, indicating the upper-layer protocol (e.g., TCP, UDP) following the AH header.
Payload Length: Specifies the length of the AH header and the payload it covers.
Reserved: Reserved for future use.
Security Parameters Index (SPI): A unique identifier for a specific security association.
Sequence Number: Prevents replay attacks by assigning a unique number to each packet.
Authentication Data (ICV): The Integrity Check Value, containing the cryptographic hash used for data integrity and authentication.
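To make the AH field layout and the tunnel/transport distinction from the earlier section concrete, the following Python is an added example; it is not code from these slides or from any IPsec implementation. It builds a small IPv4 packet, protects it with AH in transport mode (AH inserted between the original IP header and the UDP payload, Next Header = 17) and in tunnel mode (new outer IP header, AH, then the whole original packet, Next Header = 4), computes the ICV as HMAC-SHA-256-96 (RFC 4868) over the packet with the mutable IPv4 fields zeroed, and verifies it. It then shows that a TTL decrement by a router does not break verification while a single flipped payload byte does. The key, addresses and payload are constructed values, and the Payload Len field is filled as RFC 4302 defines it: the AH length in 32-bit words minus two.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AH_PROTO = 51          # IP protocol number of the Authentication Header (RFC 4302)
IPIP_PROTO = 4         # Next Header value for an encapsulated IPv4 packet (tunnel mode)
ICV_LEN = 12           # HMAC-SHA-256-96 (RFC 4868): HMAC output truncated to 96 bits
AH_LEN = 12 + ICV_LEN  # Next Header, Payload Len, Reserved, SPI, Seq (12 bytes) + ICV
KEY = b"constructed demo key; a real SA key is delivered by IKE"  # constructed, not real

def ip_checksum(hdr: bytes) -> int:
    """IPv4 header checksum; the checksum field itself is treated as zero."""
    total = sum(struct.unpack("!10H", hdr[:10] + b"\x00\x00" + hdr[12:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def _icv(packet: bytes, ah_len: int, key: bytes) -> bytes:
    """HMAC over the packet with the fields RFC 4302 treats as mutable zeroed:
    TOS, flags/fragment offset, TTL, header checksum, and the ICV field itself."""
    p = bytearray(packet)
    p[1] = 0
    p[6:8] = b"\x00\x00"
    p[8] = 0
    p[10:12] = b"\x00\x00"
    p[32:20 + ah_len] = bytes(ah_len - 12)
    return hmac.new(key, bytes(p), hashlib.sha256).digest()[:ICV_LEN]

def ah_packet(src: str, dst: str, next_header: int, inner: bytes, spi: int, seq: int,
              key: bytes = KEY) -> bytes:
    """IPv4 header (protocol 51) + AH + `inner`, with the ICV filled in.
    Payload Len is the AH length in 32-bit words minus 2, as RFC 4302 defines it."""
    ah = struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    packet = ipv4_header(src, dst, AH_PROTO, len(ah) + len(inner)) + ah + inner
    return packet[:32] + _icv(packet, AH_LEN, key) + packet[32 + ICV_LEN:]

def ah_transport(original: bytes, spi: int, seq: int, key: bytes = KEY) -> bytes:
    """Transport mode: the original addresses stay in the IP header and AH is slid in
    between that header and the upper-layer payload; Next Header = original protocol."""
    src, dst = str(IPv4Address(original[12:16])), str(IPv4Address(original[16:20]))
    return ah_packet(src, dst, original[9], original[20:], spi, seq, key)

def ah_tunnel(original: bytes, outer_src: str, outer_dst: str, spi: int, seq: int,
              key: bytes = KEY) -> bytes:
    """Tunnel mode: the whole original packet, IP header included, becomes the AH
    payload behind a new outer header addressed to the two tunnel endpoints."""
    return ah_packet(outer_src, outer_dst, IPIP_PROTO, original, spi, seq, key)

def ah_verify(packet: bytes, key: bytes = KEY):
    """Return (next_header, spi, seq, inner); raise ValueError if the ICV does not match."""
    if packet[9] != AH_PROTO:
        raise ValueError("not an AH packet")
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", packet[20:32])
    ah_len = (payload_len + 2) * 4
    if not hmac.compare_digest(packet[32:20 + ah_len], _icv(packet, ah_len, key)):
        raise ValueError("ICV mismatch: packet altered in transit or wrong key")
    return next_header, spi, seq, packet[20 + ah_len:]

def verifies(packet: bytes, key: bytes = KEY) -> bool:
    try:
        ah_verify(packet, key)
        return True
    except ValueError:
        return False

def demo() -> dict:
    payload = b"constructed UDP datagram"                                       # constructed
    original = ipv4_header("10.0.1.5", "10.0.2.9", 17, len(payload)) + payload  # 17 = UDP
    transport = ah_transport(original, spi=0x1000, seq=1)
    tunnel = ah_tunnel(original, "203.0.113.1", "198.51.100.1", spi=0x2000, seq=1)
    # A router decrements TTL and rewrites the checksum: both are mutable fields,
    # excluded from the ICV, so the packet still verifies at the far end.
    aged = bytearray(tunnel)
    aged[8] -= 1
    aged[10:12] = struct.pack("!H", ip_checksum(bytes(aged[:20])))
    # One flipped payload byte changes the HMAC input and is rejected.
    tampered = bytearray(transport)
    tampered[-1] ^= 0x01
    t_next, _, _, t_inner = ah_verify(transport)
    u_next, _, _, u_inner = ah_verify(tunnel)
    return {
        "transport_len": len(transport),      # 20 IP + 24 AH + 24 payload = 68
        "tunnel_len": len(tunnel),            # 20 outer IP + 24 AH + 44 original = 88
        "transport_next_header": t_next,      # 17: AH is followed by UDP
        "tunnel_next_header": u_next,         # 4: AH is followed by a whole IPv4 packet
        "transport_inner_is_payload": t_inner == payload,
        "tunnel_inner_is_original": u_inner == original,
        "aged_verifies": verifies(bytes(aged)),
        "tamper_detected": not verifies(bytes(tampered)),
    }
```

The tunnel-mode packet is 20 bytes longer than the transport-mode one because it carries the original IP header as part of the authenticated payload; an attacker on the path can change TTL, TOS or fragmentation fields without being detected, which is exactly why AH excludes them, but cannot change the addresses, the protocol, or the data.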
IPSEC Protocol Suite
The IPsec (Internet Protocol Security) protocol suite is a
comprehensive set of protocols and standards designed to
secure Internet Protocol (IP) communications. IPsec provides
a range of security services such as authentication, integrity,
confidentiality, and replay protection for IP packets. It is
widely used to establish Virtual Private Networks (VPNs) and
to secure communication over IP networks. The IPsec suite
consists of several protocols, with the two main components
being the Authentication Header (AH) and the Encapsulating
Security Payload (ESP). Additionally, key management
protocols are used to establish and manage cryptographic
keys for secure communication.
Components:
Authentication Header (AH):
Purpose: Provides authentication and integrity services for IP packets.
Authentication: Verifies the authenticity of the transmitted data.
Integrity: Ensures that the contents of the IP packet have not been altered during transmission.
Anti-Replay Protection: Guards against replay attacks using sequence numbers.
Encapsulating Security Payload (ESP):
Purpose: Provides confidentiality, authentication, and integrity services for IP packets.
Confidentiality: Encrypts the payload of the IP packet to keep it confidential.
Authentication: Similar to AH, ESP also provides authentication and integrity services.
Optional Anti-Replay Protection: ESP can include measures for protection against replay attacks.
Security Associations (SA):
Purpose: Defines a one-way logical connection between two entities (such as two devices or networks) for secure communication.
Attributes: Each SA has specific attributes, including the security protocol (AH or ESP), cryptographic algorithms, and keys.
Establishment: SAs are established through a process known as negotiation, typically involving the Internet Key Exchange (IKE) protocol.
Internet Key Exchange (IKE):
Purpose: Used to automate the negotiation and management of security associations (SAs) between devices.
Authentication: Authenticated key exchange protocols are used to establish a secure communication channel.
Key Management: Handles the exchange of cryptographic keys for secure communication.
Phase 1 and Phase 2: IKE negotiation consists of two phases, with Phase 1 establishing a secure channel for further negotiation in Phase 2.
Key Management:
Purpose: Involves the generation, distribution, and management of cryptographic keys used by IPsec.
Manual or Automated: Keys can be configured manually or established through automated protocols like IKE.
Lifetime Management: Defines how long a set of cryptographic keys is valid before being refreshed or renegotiated.
Tunnel Mode and Transport Mode:
Tunnel Mode: Used for VPNs, where entire IP packets, including the original IP header, are encapsulated and encrypted for secure transmission.
Transport Mode: Used for end-to-end communication, where only the payload of the IP packet is encrypted, leaving the original IP header intact.
IKE PHASE 1
Internet Key Exchange (IKE) is a key management protocol
that is a part of the IPsec (Internet Protocol Security) suite.
IKE is used to establish a secure and authenticated
communication channel by negotiating and exchanging
cryptographic keys between two devices, such as VPN
gateways or hosts. IKE operates in two phases: Phase 1 and
Phase 2.
IKE Phase 1
Objective: Establish a secure, authenticated communication
channel and negotiate a shared secret key for further use in
securing communication (Phase 2).
Key Aspects:
Authentication:
Purpose: Ensure the identities of the communicating parties
and prevent unauthorized access.
Methods: IKE Phase 1 supports various authentication
methods, such as pre-shared keys (PSK), digital certificates,
or a combination of both.

Encryption Algorithm Negotiation:
Purpose: Determine the encryption algorithm to be used for protecting the confidentiality of the IKE communication.
Options: Negotiation includes selecting an encryption algorithm, such as DES, 3DES, AES, etc.
Lifetime Negotiation:
Purpose: Define the duration for which the negotiated keys
and security associations will be valid before re-negotiation is
required.
Lifetime Parameters: Typically expressed in seconds and/or
kilobytes.

Main Mode or Aggressive Mode:
Main Mode: A three-message negotiation process that is more secure but requires more messages.
Aggressive Mode: A quicker negotiation process using fewer messages but with slightly less security due to some information being exchanged in the clear.
IKE Phase 1 Process:
Main Mode or Aggressive Mode:
Main Mode: A three-message negotiation process that is more secure but requires more messages.
Aggressive Mode: A quicker negotiation process using fewer messages but with slightly less security due to some information being exchanged in the clear.
Authentication:
The parties authenticate each other using the agreed-upon
method (e.g., pre-shared keys, digital certificates).

Establishment of IKE SA (Security Association):
A secure IKE SA is established, and the negotiated parameters are used to derive the keying material for further use in Phase 2.
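The lifetime negotiated in Phase 1 and the "Lifetime Management" item under Key Management are the same mechanism seen from two sides: once the negotiated keys are in use, each endpoint has to watch both how old the security association is and how much traffic it has protected, in seconds and in kilobytes as the slides say. The following Python is an added example, not code from these slides or from any IKE implementation. It keeps a small security association database keyed the way IPsec identifies an SA (SPI, destination, protocol), tracks a soft and a hard limit for each unit (the soft limit asks for a rekey while the SA is still usable; the hard limit retires it), and runs a constructed trace of outbound traffic. The limits, SPIs and addresses are made-up values.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Lifetime:
    """Limits in both units mentioned on the slides: seconds and kilobytes.
    Reaching a soft limit starts re-negotiation early; a hard limit retires the SA."""
    soft_seconds: int
    hard_seconds: int
    soft_kbytes: int
    hard_kbytes: int


@dataclass
class SecurityAssociation:
    spi: int
    dst: str
    protocol: str          # "AH" or "ESP"
    lifetime: Lifetime
    created_at: float      # clock reading (seconds) when IKE installed the SA
    bytes_used: int = 0
    rekey_requested: bool = False

    def state(self, now: float) -> str:
        age = now - self.created_at
        kbytes = self.bytes_used / 1024
        if age >= self.lifetime.hard_seconds or kbytes >= self.lifetime.hard_kbytes:
            return "expired"
        if age >= self.lifetime.soft_seconds or kbytes >= self.lifetime.soft_kbytes:
            return "rekey"
        return "ok"


class SADatabase:
    """Outbound SA lookup keyed by (SPI, destination, protocol)."""

    def __init__(self) -> None:
        self.sas: Dict[Tuple[int, str, str], SecurityAssociation] = {}

    def install(self, sa: SecurityAssociation) -> None:
        self.sas[(sa.spi, sa.dst, sa.protocol)] = sa

    def send(self, key: Tuple[int, str, str], nbytes: int, now: float) -> str:
        sa = self.sas.get(key)
        if sa is None:
            return "drop: no SA"
        if sa.state(now) == "expired":
            del self.sas[key]          # hard lifetime reached: the SA is gone for good
            return "drop: SA expired"
        sa.bytes_used += nbytes
        if sa.state(now) == "rekey" and not sa.rekey_requested:
            sa.rekey_requested = True  # this is where IKE would be asked for a replacement SA
            return "sent; rekey requested"
        return "sent"


def simulate() -> List[str]:
    """Constructed trace: one traffic-bound SA and one time-bound SA."""
    sad = SADatabase()
    limits = Lifetime(soft_seconds=60, hard_seconds=90, soft_kbytes=64, hard_kbytes=96)
    busy = (0x1001, "198.51.100.1", "ESP")
    idle = (0x1002, "198.51.100.2", "ESP")
    sad.install(SecurityAssociation(*busy, limits, created_at=0.0))
    sad.install(SecurityAssociation(*idle, limits, created_at=0.0))
    kb = 1024
    return [
        sad.send(busy, 10 * kb, now=1.0),   # 10 KB protected   -> sent
        sad.send(busy, 60 * kb, now=2.0),   # 70 KB >= soft     -> sent; rekey requested
        sad.send(busy, 10 * kb, now=3.0),   # 80 KB, rekey already under way -> sent
        sad.send(busy, 20 * kb, now=4.0),   # 100 KB: sent, but the hard limit is now reached
        sad.send(busy, 1 * kb, now=5.0),    # drop: SA expired
        sad.send(idle, 1 * kb, now=30.0),   # 30 s old, little traffic -> sent
        sad.send(idle, 1 * kb, now=61.0),   # 61 s >= soft_seconds -> sent; rekey requested
        sad.send(idle, 1 * kb, now=95.0),   # 95 s >= hard_seconds -> drop: SA expired
        sad.send((0x1003, "198.51.100.3", "AH"), 1 * kb, now=95.0),  # drop: no SA
    ]
```

The point of the soft/hard split is operational: if the only limit were the hard one, every expiry would interrupt traffic until Phase 2 finished negotiating a replacement, whereas the soft limit lets the new SA be installed while the old one is still accepted.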
Implementation of VPNs
The implementation of Virtual Private Networks (VPNs)
involves setting up a secure and encrypted communication
channel over an existing network, typically the internet.
There are several methods and technologies for
implementing VPNs, each with its own advantages and use
cases.
VPN implementations:
Remote Access VPNs:
Purpose: Provides secure access to a private network for individual users or remote devices.
Implementation:
VPN Client Software: Users install VPN client software on their devices.
Authentication: Users typically authenticate using credentials, such as a username and password.
Encryption: The client establishes a secure connection to a VPN server using protocols like PPTP, L2TP/IPsec, IKEv2/IPsec, or SSL/TLS.
Examples: SSL VPNs (web-based VPNs), IPsec-based client VPNs.
Site-to-Site VPNs:
Purpose: Connects multiple networks or sites securely, allowing communication as if they were on the same physical network.
Implementation:
VPN Gateway/Firewall: Each site has a VPN gateway or firewall that manages the secure connection.
Authentication: VPN gateways authenticate each other using pre-shared keys or digital certificates.
Encryption: IPsec is commonly used for encryption and tunneling between sites.
Examples: IPsec-based VPNs, MPLS (Multiprotocol Label Switching) VPNs.
SSL/TLS VPNs:
Purpose: Provides secure remote access through a web browser without requiring client software.
Implementation:
Web Browser Interface: Users connect to a secure web portal.
Authentication: Users log in using credentials, often with two-factor authentication.
Encryption: SSL/TLS protocols secure the communication between the client and the VPN server.
Examples: Cisco AnyConnect, OpenVPN with SSL/TLS, and other SSL-based VPN solutions.
Clientless VPNs:
Purpose: Allows secure access to resources without requiring the installation of client software.
Implementation:
Web Browser Interface: Users connect to a web portal using a standard web browser.
Authentication: Users log in using credentials through the web interface.
Access: Users can access resources through a web-based interface.
Examples: Cisco SSL VPN, Juniper Networks Secure Access.
OpenVPN:
Purpose: Open-source VPN solution providing flexibility and security.
Implementation:
OpenVPN Software: OpenVPN software is installed on both the client and server.
Authentication: Various methods, including username/password or certificates.
Encryption: Uses SSL/TLS protocols for secure communication.
Examples: OpenVPN is commonly used in various configurations, including site-to-site and remote access VPNs.
WireGuard:
Purpose: Modern and lightweight open-source VPN protocol.
Implementation:
WireGuard Software: WireGuard software is used on client and server devices.
Authentication: Public and private keys are used for authentication.
Encryption: Utilizes modern cryptography for secure communication.
Examples: Growing in popularity due to its simplicity and performance.
