A Security Pattern for a Virtual Private Network
Ajoy Kumar and Eduardo B. Fernandez
Dept. of Computer Science and Eng., Florida Atlantic University, Boca Raton, FL, USA
Figure 1. Virtual Private Network [For04]. R1 – Router at Site A. R2 – Router at Site B.
Abstract pattern diagram for the VPN and the protocols in the security layers.
Sequence diagram for end user authentication using an identity base.
Types of VPN • Virtual Private Networks can be established at the application layer, the IP layer or the TCP layer. XML VPNs are established at the application layer, IP VPNs at the IP layer and TLS VPNs at the TCP layer.
IPsec VPN pattern • Example • We need a network where we can establish and maintain control over all entry and exit points of the protected network, which helps to ensure its integrity. We need to ensure that all IPsec endpoints (gateways and hosts) are secured and maintained properly, which reduces the risk of IPsec compromise or misuse, and we must be able to revise organizational policies as needed to incorporate appropriate usage of the IPsec solution.
Forces • All forms of communication (servers, client hosts, network, etc.) should be protected, and each type of communication needs encryption, integrity protection and peer authentication at the IP layer. • An IPsec architecture model is chosen from the available models: gateway-to-gateway, host-to-gateway, host-to-host, etc. • Performance should be good at normal and peak loads.
Solution • Designing the architecture of the IPsec implementation includes ideal host placement (for host-to-host architectures) and/or gateway placement (for host-to-gateway and gateway-to-gateway architectures). • A reliable authentication method is selected for the IPsec implementation, such as pre-shared key or digital signature. • The algorithms for encryption and integrity protection are selected, as well as the key strength for algorithms that support multiple key lengths. • The packet filter determines which types of traffic are permitted and denied, and what protection and compression measures (if any) are applied to each type of permitted traffic.
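The packet-filter step above is what RFC 4301 calls the Security Policy Database (SPD): an ordered list of traffic selectors, each carrying a PROTECT, BYPASS or DISCARD decision and, for PROTECT, the chosen mode, algorithms and peer-authentication method. The following is an added example (not the paper's own code) of a simplified SPD lookup for the gateway-to-gateway case of Figure 1; the site subnets, algorithm names and rule set are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class SpdEntry:
    """One selector row of the Security Policy Database (simplified)."""
    src: str                       # source selector (CIDR)
    dst: str                       # destination selector (CIDR)
    proto: str                     # "any", "tcp", "udp" or "icmp"
    dst_port: Optional[int]        # None = any destination port
    action: str                    # "PROTECT", "BYPASS" or "DISCARD"
    mode: Optional[str] = None     # "tunnel" or "transport" for PROTECT
    cipher: Optional[str] = None   # encryption + integrity algorithm chosen
    auth: Optional[str] = None     # IKE peer authentication: "psk" or "rsa-sig"

def lookup(spd: List[SpdEntry], src_ip: str, dst_ip: str,
           proto: str, dst_port: Optional[int] = None) -> SpdEntry:
    """First match wins, so specific rows precede general ones; the SPD must end with a catch-all row."""
    for e in spd:
        if ip_address(src_ip) not in ip_network(e.src):
            continue
        if ip_address(dst_ip) not in ip_network(e.dst):
            continue
        if e.proto != "any" and e.proto != proto:
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e
    raise ValueError("SPD has no catch-all entry")

# Constructed gateway-to-gateway policy: Site A (10.1.0.0/16, behind R1)
# reaches Site B (10.2.0.0/16, behind R2). The subnets are assumptions.
SITE_A, SITE_B, ANY = "10.1.0.0/16", "10.2.0.0/16", "0.0.0.0/0"
SPD = [
    # Deny a cleartext legacy protocol outright, tunnel or not.
    SpdEntry(SITE_A, ANY, "tcp", 23, "DISCARD"),
    # All site-to-site traffic is tunnelled between R1 and R2.
    SpdEntry(SITE_A, SITE_B, "any", None, "PROTECT",
             mode="tunnel", cipher="aes256gcm16", auth="rsa-sig"),
    # Intra-site traffic never leaves the LAN: no IPsec applied.
    SpdEntry(SITE_A, SITE_A, "any", None, "BYPASS"),
    # Catch-all: anything not explicitly permitted is dropped.
    SpdEntry(ANY, ANY, "any", None, "DISCARD"),
]

def decide(src_ip, dst_ip, proto, dst_port=None):
    """Return (action, mode) for one outbound packet from Site A."""
    e = lookup(SPD, src_ip, dst_ip, proto, dst_port)
    return e.action, e.mode
```

Because the lookup is first-match, rule order is part of the policy: moving the DISCARD row below the PROTECT row would silently tunnel the traffic it was meant to block.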
Consequences: Advantages This pattern has the following advantages: • Already supported by most operating systems • Can provide strong encryption and integrity protection • Transparent to clients in gateway-to-gateway architecture • Can use a variety of authentication protocols
Consequences: Disadvantages • Can only protect TCP-based communications • Requires client software to be configured (and installed on hosts without a built-in client) for host-to-gateway and host-to-host architectures • Does not protect communications between the clients and the IPsec gateway in gateway-to-gateway architectures
TLS VPN Pattern • Example • We need a network where a web-based application on a server has to be accessed; the server must be authenticated to the client, but both endpoints do not need to be authenticated.
Forces • All forms of communication (servers, client hosts, network, etc.) should be protected, and each type of communication needs encryption and integrity protection. The server must be authenticated to the client. • The server hosts a web-based application that needs to be accessed. • Performance should be good at normal and peak loads.
Solution • The solution is the use of TLS reverse proxy servers (commonly referred to as SSL proxy servers) to provide a more robust VPN solution for remote users. A remote user who needs to use some of the organization’s applications enters the main Uniform Resource Locator (URL) for the proxy server in a Web browser and connects to it through TLS-protected HTTP. The user then provides authentication to the proxy server. Once authenticated, the user can then access designated applications, as specified in the proxy server’s access controls.
Solution (Contd…) • The user does not access the applications directly; the user’s system has a TLS-protected HTTP connection with the proxy server. The proxy server then establishes another connection between itself and the application server; this connection is protected or unprotected as appropriate.
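The two solution steps above boil down to a decision the proxy makes per request: authenticate the user first, consult its own access controls, and only then open the second connection to the application, which is TLS-protected or not depending on the upstream. The following is an added example (not the paper's code) modelling that decision; the published applications, upstream hosts, roles and session store are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Application:
    """An application published behind the proxy (constructed)."""
    name: str
    upstream: str                  # target of the proxy's second connection
    allowed_roles: FrozenSet[str]  # who may reach it (the proxy's access control)

# Constructed proxy configuration; host names and roles are assumptions.
APPS: Dict[str, Application] = {
    "/hr/": Application("hr-portal", "https://hr.internal.example:8443",
                        frozenset({"hr", "admin"})),
    "/wiki/": Application("wiki", "http://wiki.internal.example:8080",
                          frozenset({"staff", "hr", "admin"})),
}

# Constructed session store: session id -> (user, roles). A real proxy
# fills this only after the user authenticated against the identity base.
SESSIONS = {
    "sess-alice": ("alice", frozenset({"hr", "staff"})),
    "sess-bob": ("bob", frozenset({"staff"})),
}

def second_hop_protected(upstream: str) -> bool:
    """True when the proxy-to-application leg is itself TLS-protected."""
    return urlsplit(upstream).scheme == "https"

def route(path: str, session_id: Optional[str]) -> Tuple[int, Optional[str]]:
    """Decide what the proxy does with one TLS-protected HTTP request.
    Returns (status, upstream_url): 302 = redirect to the proxy login,
    403 = authenticated but not authorised, 404 = no such application."""
    if session_id not in SESSIONS:
        # Unauthenticated users learn nothing about what is served.
        return 302, None
    _user, roles = SESSIONS[session_id]
    for prefix, app in APPS.items():
        if path.startswith(prefix):
            if roles & app.allowed_roles:
                # Forward; the rest of the path is appended to the upstream.
                return 200, app.upstream + path[len(prefix) - 1:]
            return 403, None
    return 404, None
```

The unauthenticated branch returns the same answer for every path, which is what makes the "users see only what they are allowed to" advantage hold; an unprotected second hop is a choice the proxy operator should make consciously per application.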
Consequences: Advantages • If access is needed to only Web-based applications, the solution is very convenient for users and easier to deploy and maintain than remote access solutions that involve client installation or configuration. • The proxy server can authenticate users before they can gain any access to applications, as opposed to allowing users to connect to individual applications’ login screens. This adds another layer of security by only allowing authenticated users to see what applications are being served. • Users cannot directly connect to the application servers; this provides better protection for the application servers against reconnaissance and attacks. • Since the client systems connect above the network layer, they are not on the network in the same manner that IPsec client systems would be. This severely reduces their ability to attack or misuse systems on the organization’s networks.
Consequences: Disadvantages • Non-web-based applications and applications that are more challenging to proxy (e.g., those that use multiple dynamic ports) typically require additional software and services, such as terminal servers and special client software. This makes the solution more resource-intensive to deploy and less convenient to use. • Transport layer controls cannot provide any protection for network layer information, such as IP addresses. • A compromise of the proxy server could allow an attacker to intercept data and authentication credentials for many different applications at once.
Conclusion • A virtual private network is a basic component of network architectures. We presented an abstract pattern for its architecture, as well as patterns for the IPsec VPN and the TLS-based VPN. Future work will integrate these patterns with other patterns.