Chapter 7 - 07 - Discuss Fundamentals of VPN and its importance in Network Security
Certified Cybersecurity Technician Exam 212-82 Network Security Controls — Technical Controls

Module Flow (slide)
- Discuss Essential Network Security Protocols
- Discuss Fundamentals of VPN and its importance in Network Security
- Understand Different Types of Firewalls and their Role
- Understand Different Types of IDS/IPS and their Role
- Understand Different Types of Honeypots
- Understand Different Types of Proxy Servers and their Benefits
- Discuss Security Benefits of Network Segmentation
- Discuss Other Network Security Controls
- Discuss Importance of Load Balancing in Network Security
- Understand Various Antivirus/Anti-malware Software

Discuss Fundamentals of VPN and its importance in Network Security

VPN technology helps organizations protect the communication between their corporate private networks spread across the public Internet. It provides privacy and secures the communication between these networks through encrypted tunnels that transmit data between a remote user and the corporate network. This section explains the fundamentals of VPN and its importance in securing networks.

Module 07 Page 904 Certified Cybersecurity Technician Copyright © by EC-Council

What is a VPN?
- VPNs are used to securely communicate with different computers over insecure channels.
- A VPN uses the Internet and ensures secure communication to distant offices or users within the enterprise's network.
[Slide figure: VPN topology with a broadband modem, a VPN concentrator, traveling personnel, a cloud and home users]

Most organizations have offices at different locations around the world. Consequently, there is a need to establish remote connections between these offices. Previously, remote access was established through leased lines with the help of dial-up telephone links such as ISDN, DSL, cable modem, satellite, and mobile broadband.
However, establishing remote connections with these leased lines is quite expensive, and the costs increase as the distance between the offices increases. To overcome the drawbacks of conventional remote access technologies, organizations are adopting virtual private networks (VPNs) to provide remote access to their employees and distant offices.

A VPN offers an attractive solution for security professionals to connect their organization's network securely over the Internet. A VPN is used to connect distant offices or individual users to their organization's network over a secure channel. A VPN uses a tunneling process to transport encrypted data over the Internet. IPsec is the most common protocol used in VPNs at the IP level. A VPN ensures data integrity by using a message digest and protects data transmission from being tampered with. A VPN guarantees quality of service (QoS) through service-level agreements (SLAs) with the service provider.

Figure 7.102: VPN architecture (head office router with VPN module, branch office router with VPN module, telecommuter/travelling personnel laptop with VPN client, PC with VPN client, 3G/CDMA/HSDPA mobile broadband, broadband modem and VPN concentrator, all connected over the Internet)

Typical Features of VPN
- A VPN establishes a connection between a remote system and a LAN across an intermediary network such as the Internet.
- VPNs allow cheap long-distance connections over the Internet because both end points require only a local Internet link, which serves as a free long-distance carrier.
- A VPN uses tunneling or encapsulation protocols.
- VPNs use encryption to provide a secure connection to a remote network over the Internet and protect the communication.
- VPNs provide virtual access to the physical network, and the experience is similar to the case where the user is physically located in the office.

Advantages of VPNs
- VPNs are inexpensive.
- They provide a framework for corporate intranets and extranets.
- A VPN ensures secured data transfer.
- A VPN allows the user to access both web applications and websites in complete anonymity.

Disadvantages of VPNs
- Designing and implementing a VPN is a complex task that requires experts for configuration.
- Reliability depends on the chosen service provider.

VPN Architecture
A certain set of protocols and standards must be followed while establishing a VPN architecture. Security professionals should decide the scope, implementation, and deployment of the VPN and perform continuous network monitoring to ensure the security of the VPN. They should be continuously aware of the overall architecture and scope of the VPN.

Protocols Used in Deploying a VPN
To deploy VPNs, there are two primary options: IPsec and SSL. Each protocol has its own unique advantages and is used depending on the requirements of the user or the organization's IT processes.

IPsec VPN
IPsec-based VPN is the deployment solution most commonly used by organizations. IPsec is a set of protocols and standards developed by the Internet Engineering Task Force (IETF) for secure communication at the IP layer. It ensures the security of each packet in the communication by encrypting and authenticating it. IPsec connections are established using pre-installed VPN client software, which mainly focuses on company-managed desktops.

Advantages
- IPsec VPNs can support all IP-based applications through an IPsec VPN product.
- They offer tremendous versatility and customizability through the modification of the VPN client software.
- Organizations can control the VPN client functions by using the APIs in the IPsec client software.
- They ensure the secure exchange of IP packets between remote networks or hosts and an IPsec gateway located at the edge of the organization's private network.

The three basic applications of IPsec VPNs (associated with business requirements) are as follows.
- Remote-access VPNs: These allow individual users, such as telecommuters, to connect to a corporate network. This application creates an L2TP/PPTP session protected by IPsec encryption.
- Intranet VPNs: These help in connecting branch offices to the corporate headquarters, creating a transparent intranet.
- Extranet VPNs: These allow companies to connect with their business partners (for example, suppliers, customers, and joint ventures).

SSL VPN (Web-based)
SSL-based VPNs provide remote-access connectivity using a web browser and its native SSL encryption, irrespective of the location. SSL does not require any special client software to be pre-installed and is capable of any type of connectivity. The connectivity ranges from company-managed desktops to non-company-managed desktops, such as employee-owned PCs, contractor-owned PCs, or business partner desktops. It helps in reducing desktop software maintenance as it downloads software dynamically whenever needed.

Advantages
- It offers additional features such as easy connectivity from non-company-managed desktops and requires little or no desktop software maintenance.
- It provides accessibility to the SSL library and access to TCP port 443.
- It works wherever the user can gain access to HTTPS websites such as Internet banking, secure webmail, or intranet sites.
How VPN Works
- A VPN uses authorization and encryption to connect an external host securely.

A VPN enables a secured connection over the Internet from a public network to a private network placed at a distant site. All the network traffic in a VPN is encrypted and passes through a virtual secure tunnel placed between the client and the VPN server. All the packets passing through a VPN are encrypted or decrypted depending on whether the traffic is outbound or inbound: the packets are encrypted at the client side and decrypted at the VPN server.

A client willing to connect to a company's network initially connects to the Internet. Then, the client initiates a VPN connection with the company's server. Before establishing a connection, end points must be authenticated through passwords, biometrics, personal data, or any combination of these. Once the connection is established, the client can securely access the company's network.

For example, when a client with a VPN connection enabled browses Youtube.com, the outbound traffic is encrypted at the client side. The encrypted data are then sent to the nearest VPN server, which passes the data to the gateway server. At the gateway server, the data are decrypted and sent to the server hosting Youtube.com. When Youtube.com sends a reply, the VPN server performs the reverse process on the reply traffic. A VPN closely monitors any insecure networks.
It creates a new IP address for an encrypted packet, concealing the real IP address; this prevents attackers from finding the real IP address from which the packets were sent.

Figure 7.103: Working of VPN (an unauthorized host and an authorized host with VPN client software, which handles authorization and encryption, connecting through a firewall with a VPN option to the internal network)

Why Establish VPN?
A well-designed VPN provides the following benefits:
- Extend geographic connectivity
- Reduce operational costs versus traditional WANs
- Reduce transit times and traveling costs for remote users
- Improve productivity
- Simplify network topology
- Provide global networking opportunities

The easy accessibility of sensitive data over the Internet poses a serious security threat to organizations. Attackers easily exploit and gain access to sensitive information sent over an unsecured public network such as the Internet. A VPN ensures reliable communication through an encrypted tunnel, preventing attackers from gaining access to the organization's information. A well-designed and well-implemented VPN can provide the following benefits:
- It enables a secured connection across multiple geographical locations.
- It saves time and expenditure for employees as it allows the sharing of information between a corporate office and regional offices.
- It enhances the level of output for remote users.
- It improves the security of data by concealing the IP address from attackers.
- It handles multiple connections simultaneously and provides the same quality of service for each connection.
- It has the ability to provide a secure connection to large enterprises.
- The implementation of a VPN increases the bandwidth and efficiency of the network.
- Maintenance costs are low.
- It reduces transit times and traveling costs for remote users.
- It improves productivity and simplifies network topology.
- It provides global networking opportunities and telecommuter support.
- It has a faster return on investment (ROI) than a conventional WAN.

This encrypted traffic proves beneficial when a user connects their system to Wi-Fi networks in public places. The encryption makes it difficult for eavesdroppers in the network to identify the encrypted data. A VPN allows users to access servers across the world, making it easy for them to access all types of content. With a VPN, users need not face restrictions such as geo-blocking while browsing. A VPN allows the user to stay anonymous without sharing their device information in the network. By hiding such data, a VPN prevents websites from spying on or monitoring the user. To avoid excessive monitoring from third-party websites or attackers, users should install a VPN for safe browsing.

VPN Components
- VPN client
- Network access server (NAS)
- Tunnel terminating device (or VPN server)
- VPN protocol
The VPN architecture consists of four main components.
- VPN client: A computer that initiates a secure remote connection to a VPN server.
- Network access server (NAS): Also called a media gateway or a remote-access server (RAS), the NAS is responsible for setting up and maintaining each tunnel in a remote-access VPN. Users need to connect to the NAS to use a VPN.
- Tunnel terminating device (or VPN server): A computer that accepts VPN connections from VPN clients.
- VPN protocol: VPN-specific protocols used to manage tunnels and encapsulate private data. These include the PPTP and L2TP protocols, along with IPsec.

The following diagram shows the use of various VPN components in a remote-access VPN:

Figure 7.104: VPN components in a remote-access VPN (a VPN client on a remote network connects through the ISP's network access server and a PSTN link to the VPN server in front of the corporate network; the VPN client protocol and the Layer 3 protocol run end to end)

A typical remote-access VPN connection is established as follows:
- The remote user initiates a PPP connection with an ISP's NAS through a PSTN.
- After the user is authenticated, the packets sent by the user are sent into the tunnel connecting the NAS and the VPN server.
- Each packet is encrypted before it is placed in the tunnel.
- The location of the VPN server depends on the model used for the VPN implementation.
- The VPN server accepts the packet from the tunnel, decrypts it, and sends it to its final destination.
VPN Concentrators
- A VPN concentrator acts as a VPN router, which is generally used to create a remote-access or site-to-site VPN.
- It uses tunneling protocols to negotiate tunnel parameters, create and manage tunnels, encapsulate, transmit, or receive packets through the tunnel, and de-encapsulate them.

VPN concentrators normally enhance the security of the connections made through a VPN. They are generally used when a single device needs to handle a large number of VPN tunnels. They are best used for developing a remote-access VPN and a site-to-site VPN. VPN concentrators implement the security of tunnels using tunneling protocols. These protocols manage the following:
- Flow of packets through the tunnel
- Encryption and decryption of packets
- Creation of tunnels

A VPN concentrator works in two ways:
- It receives plain packets at one end, encrypts them at the other end, and forwards the packet to its final destination.
- It receives encrypted packets at one end, decrypts them at the other end, and forwards the packet to its final destination.
Figure 7.105: VPN concentrator (a low-speed and a high-speed remote user reach the VPN through a router on the public segment (untrusted); a Cisco VPN 3000 concentrator sits on the firewall segment in parallel with the firewall, in front of the private segment (trusted) holding the FTP, file, mail, intranet, and authentication servers)

In the figure, the VPN concentrator is placed in parallel with the firewall, supporting two remote users who have a slow and a fast Internet connection, respectively. If the VPN is placed behind the firewall, the implementation requires additional configuration changes and is vendor-dependent. VPN concentrators provide a high level of security for SSL and IPsec VPN architectures. A normal VPN tunnel requires IPsec to be implemented on the network layer of the OSI model. A major benefit of using a VPN concentrator is that the client is considered to be present outside the network and can access the network as if it were directly connected.

Functions of a VPN Concentrator
A VPN concentrator functions as a bi-directional tunnel endpoint. Its functions are:
- Encrypts and decrypts data
- Manages security keys
- Authenticates users
- Establishes tunnels
- Manages data transfer across the tunnel
- Assigns user addresses
- Manages inbound and outbound data transfers as a tunnel endpoint or router
- Negotiates tunnel parameters

A VPN concentrator adds more security controls to the router, improving the security of the communication. The functions of a VPN concentrator are as follows.

Data encryption: The VPN concentrator encrypts the data. Being bi-directional, it initially encrypts the plain packets it receives and later decrypts them at the end of the tunnel, before sending them to the destination. It manages security keys.
Managing tunnels: By adding the features of advanced data and network security, a VPN concentrator has the ability to create and manage large VPN tunnels. These tunnels ensure data integrity among systems. It negotiates tunnel parameters.

User authentication: A VPN concentrator authenticates users at either the computer level or the user level. Authentication at the computer level is performed using the Layer 2 Tunneling Protocol (L2TP), whereas authentication at the user level is performed using the Point-to-Point Tunneling Protocol (PPTP).

Traffic handler: A VPN concentrator routes the tunneled and non-tunneled traffic depending on the server configuration. It simultaneously handles traffic of a corporate network as well as Internet resources. It manages inbound and outbound data transfers as a tunnel end point or router. It assigns user addresses.

VPN Types and Categories
This sub-section explains different types of VPN and their categories.

Client-to-Site (Remote-access) VPNs
- Remote-access VPNs allow individual hosts or clients, such as telecommuters and mobile users, to establish secure connections to a company's network over the Internet.
- Each host contains VPN client software or uses a web-based client.
- The VPN encrypts the data packets that are forwarded over the Internet to the VPN gateway at the edge of the target network, with the software installed on the client's machine.
- A VPN gateway receives the packets and then closes the connection to the VPN after the transfer is complete.

Remote-access VPNs allow individual hosts or clients such as telecommuters and mobile users to establish secure connections to a company's network over the Internet. This allows the users to access the information provided in the private network. An older name for a remote-access VPN is a virtual private dial-network (VPDN), in which a dial-up configuration is required for the connection to a server. This type of VPN, also known as a split tunnel, provides remote access using a native IP configuration and DNS servers. Every host using a remote-access VPN must have the VPN client software installed; this software wraps and encrypts the data before the host sends any traffic over the Internet to a VPN gateway. After reaching the gateway, the data are unwrapped, decrypted, and passed over to the final destination in the private network. The gateway performs the reverse process to send data packets back to the user.
Figure 7.106: Remote-access VPN (head office router with VPN module, branch office router with VPN module, telecommuter/travelling personnel laptop with VPN client, PC with VPN client, 3G/CDMA/HSDPA mobile broadband and broadband modem, all connected over the Internet)

A remote-access VPN consists of two types of components.
- Network access server (NAS) or remote-access server (RAS): A NAS is required while users are accessing a VPN. A separate authentication process is involved while authenticating users accessing the VPN.
- Client software: Users accessing a VPN from their own network need to install software that helps create and manage the VPN connection.

VPN client software and a VPN gateway are required for the hosts supporting a remote-access VPN. Most VPN gateways support only IPsec while maintaining VPN services.

Advantages
- Remote-access VPNs minimize the connection cost for the users.
- The encryption of data packets provides an added security layer. This hides the IP address of the packets and prevents attackers from accessing the packets.
- Remote-access VPNs can handle a large number of users. The VPN provides the same service even if more users are added to the VPN network.
- Remote-access VPNs allow the sharing of files from a remote location.

Disadvantages
- Computers without any antivirus installed pose a threat to the VPN connection.
- Implementing many VPN connections simultaneously may affect the bandwidth of the network.
- It is time-consuming to access files and applications over the Internet.
Site-to-Site VPNs
- A site-to-site VPN extends the company's network and allows access to an organization's network resources from different locations.
- It connects a branch or remote office network to the company's headquarters network.
- Also known as LAN-to-LAN or L2L VPNs.
- Site-to-site VPNs are classified into two types:
  o Intranet-based: VPN connectivity is between sites of a single organization.
  o Extranet-based: VPN connectivity is between different organizations such as business partners, or a business and its clients.

A site-to-site VPN helps connect all the networks together. For example, the branch offices of an organization can be connected to the main campus through a site-to-site VPN. The main difference between a remote-access and a site-to-site VPN is that site-to-site VPNs do not require any client software. The entire traffic is sent through a VPN gateway that encrypts the data packets passing through it. Such VPNs are also known as full tunnels. They alter the IP address and DNS server options of every data packet entering and leaving the tunnel. In a site-to-site VPN, the outbound traffic is passed through a tunnel to the VPN gateway. The data packets in the outbound traffic are encrypted at the gateway and are passed into the tunnel over the Internet. The traffic is sent to the gateway nearest to the target location. That gateway decrypts the data packets, and they are then forwarded to the final destination.
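The split tunnel described for remote-access VPNs, the full tunnel described for site-to-site VPNs, and the extranet restriction that follows differ only in the routing policy the tunnel endpoint applies. The following is an added example of such a policy evaluator (constructed here, not EC-Council code or any vendor's implementation); the corporate prefixes, the gateway 203.0.113.10 and the partner host 192.0.2.20 are placeholders.

```python
"""Tunnel policy evaluation for the split tunnel (remote access), full tunnel
(site-to-site) and extranet cases; an added, constructed example, not
EC-Council code. Assumptions: the corporate prefixes, the gateway
203.0.113.10 and the partner host 192.0.2.20 are placeholders."""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

CORPORATE_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12"]   # constructed intranet ranges


class TunnelPolicy:
    """Decides per destination whether traffic is tunneled, sent direct or denied.

    Rules are resolved by longest prefix match, so a /32 exception beats a
    /0 default just as it would in a routing table."""

    def __init__(self, rules: Iterable[Tuple[str, str]], default: str = "direct"):
        self.rules = [(ipaddress.ip_network(prefix), action) for prefix, action in rules]
        self.default = default

    def decide(self, dst: str) -> str:
        addr = ipaddress.ip_address(dst)
        best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
        for net, action in self.rules:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, action)
        return best[1] if best else self.default


def split_tunnel_policy() -> TunnelPolicy:
    """Remote-access split tunnel: only corporate prefixes enter the tunnel;
    everything else uses the host's native IP configuration."""
    return TunnelPolicy([(p, "tunnel") for p in CORPORATE_PREFIXES], default="direct")


def full_tunnel_policy(gateway: str = "203.0.113.10") -> TunnelPolicy:
    """Site-to-site style full tunnel: everything is tunneled except the
    encapsulated traffic to the gateway itself, which must leave in the clear."""
    return TunnelPolicy([("0.0.0.0/0", "tunnel"), (gateway + "/32", "direct")])


def extranet_policy(partner_hosts: Iterable[str]) -> TunnelPolicy:
    """Extranet tunnel: partners reach only the published hosts; the intranet
    prefixes are denied explicitly so the extranet cannot reach the intranet."""
    rules = [(p, "deny") for p in CORPORATE_PREFIXES]
    rules += [(h + "/32", "tunnel") for h in partner_hosts]
    return TunnelPolicy(rules, default="deny")


def classify(policy: TunnelPolicy, destinations: Iterable[str]) -> Dict[str, str]:
    return {dst: policy.decide(dst) for dst in destinations}


def exposed(policy: TunnelPolicy, destinations: Iterable[str]) -> List[str]:
    """Destinations that bypass the tunnel, i.e. what an eavesdropper on
    public Wi-Fi could still observe under this policy."""
    return [dst for dst in destinations if policy.decide(dst) == "direct"]


if __name__ == "__main__":
    sample = ["10.0.50.3", "172.16.40.10", "93.184.216.34", "203.0.113.10"]  # constructed
    for name, pol in [("split", split_tunnel_policy()), ("full", full_tunnel_policy())]:
        print(name, classify(pol, sample), "exposed:", exposed(pol, sample))
```

Running `exposed()` against a split-tunnel policy is a quick way to see which destinations of a remote user are not protected by the VPN at all.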
Figure 7.107: Site-to-site VPN (a main office connected through the Internet, via a NAS, to several branch offices over site-to-site connections)

There are two types of site-to-site VPNs.
- Intranet-based: In this type, VPN connectivity is between the sites of a single organization. It creates an intranet VPN to connect each individual LAN to a single WAN.
- Extranet-based: In this type, VPN connectivity is between different organizations such as business partners, businesses, and clients. An extranet VPN connects every single LAN of an organization. The extranet VPN configuration prevents any access to an intranet VPN.

Hardware VPNs
- A dedicated hardware VPN appliance is used to connect routers and gateways to ensure communication over an insecure channel.
- It is designed to serve as a VPN endpoint and can connect to multiple LANs.

Hardware-based VPNs are separate devices that consist of individual processors and hardware firewalls. They easily manage the authentication and encryption of data packets. The main advantage of using a hardware-based VPN is that it provides more protection than the software variant.

Figure 7.108: Hardware VPN (a VPN appliance at LAN 1 and a VPN appliance at LAN 2 joined by an encrypted VPN tunnel; VPN appliances create a secure connection between two or more LANs)

Advantages
- A hardware VPN provides load balancing, especially for large client loads.
Disadvantages
- It is more expensive than a software VPN.
- It is more useful for large business organizations than for smaller ones.
- It has low scalability.

Hardware VPN Products
Manufacturer | Product Name | Web Site
Cisco Systems | VPN 3000 series concentrators, VPN 3002 Hardware Clients, 7600 series routers, and Web VPN Services Module | https://www.cisco.com
SonicWALL | SonicWALL PRO 5060, 4060, 3060, 2040, 1260 | https://www.sonicwall.com
Juniper Networks | NetScreen 5000, 500, 200, and ISG series | https://www.juniper.net
WatchGuard | WatchGuard Firebox X series | https://www.watchguard.com
Table 7.5: Hardware VPN products

Software VPNs
- VPN software is installed and configured on routers, servers, and firewalls or as a gateway that functions as a VPN.
- Advantages: No extra devices need to be installed; it is an easy and low-cost way to deploy a VPN and does not change the target network.
- Disadvantages: Extra processing burden on the devices on which it is installed; it is less secure and prone to attacks.

VPN software is installed and configured on routers, servers, and firewalls or as a gateway that functions as a VPN.
Software-based VPNs are best suited for network traffic management and for cases where the same party does not manage the VPN end points. Traffic management is performed using a tunneling process depending on the protocol and address of the traffic. Hardware encryption accelerators are used to improve the performance of the network.

Advantages
- A software VPN minimizes the cost of additional hardware purchases.
- It is easy and inexpensive to deploy and does not change the target network.
- It has high scalability.

Disadvantages
- It causes increased processing tasks for the devices implementing the VPN.
- Security is an issue; a software VPN is prone to attacks as it needs to share the server with other servers and OSes.

Software VPN Products
Manufacturer | Product Name | Web Site
CheckPoint | VPN-1 VSX, VPN-1 Pro, VPN-1 Edge, Firewall-1 | https://www.checkpoint.com
NETGEAR | ProSafe VPN | https://www.netgear.com
Cisco Systems | Cisco AnyConnect Secure Mobility Client | https://www.cisco.com
Table 7.6: Software VPN products

Selecting an Appropriate VPN
- Choose the best possible VPN solution for your enterprise.
- Choose the type of VPN solution based on the following factors.
Selecting an Appropriate VPN
The selection of an appropriate VPN depends on many factors such as cost, protocols, and technical issues. The following are a few factors to consider while selecting a VPN.
- Compatibility: The organization should consider the compatibility of the selected VPN within the organization's network and determine whether it is possible to adopt the selected VPN. Selecting and implementing a VPN that is not compatible will add extra expenditure and cause security issues.
- Scalability: Increasing the number of employees working for an organization is a common trend. As the number of employees increases, the configured VPN needs to accommodate the new employees. The inability to handle an increasing number of users adversely affects the performance of the network. The organization must select a VPN that can handle any number of users at any time without affecting the performance of the network.
- Security: Security is an important factor while selecting a VPN. The following are the two major criteria in selecting a VPN.
  o Authentication: Organizations need to select an appropriate authentication method depending on the type of network on which the VPN is implemented.
  o Encryption: Organizations should be highly alert regarding the encryption process for the selected VPN. Some VPNs do not provide direct encryption, allowing attackers to gain information from the network.
- Capacity: Organizations need to foresee the number of users joining in the future and then select the VPN accordingly.
- Cost: An organization should consider cost as a factor while selecting VPNs.
- Need: The need for a VPN depends on the requirements of an organization. Requirements such as the need for remote employees to access the network or encrypted traffic rules must be considered. Each organization is different, and these differences will decide the appropriate VPN choice.
- Vendor support: The following are the two factors to consider in vendor support.
  o The first factor is the number of servers and their location. The VPN should be selected according to the location of the vendor server and the activities performed.
  o Does the vendor limit connections, use bandwidth throttling, or restrict service? VPNs that control bandwidth, reduce Internet speeds, or limit them in any way should not be used in an organization.

Moreover, care should be taken while dealing with the protocols and services running in the network. The organization must decide whether the existing services and protocols running are actually required.

VPN Core Functionality: Encapsulation
The most common VPN encapsulation protocols:
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol (L2TP)
- Secure Shell (SSH)
- Socket Secure (SOCKS)

[Figure: VPN encapsulation. The originating computer 10.0.50.3 sends the original packet (source IP 10.0.50.3); the VPN router 192.168.50.1 encapsulates it so that the packet on the Internet carries the router's address (source IP 192.168.50.1), concealing the source and destination information; the encapsulated packet is encrypted.]

Encapsulation is the method through which protocols have separate functions to communicate among each other by hiding the data.
Data vulnerability increases if the data do not pass through a secure channel. When data are transmitted using VPN tunneling, the data are encapsulated to ensure security. Encapsulation relies on various technologies and protocols such as GRE, IPsec, L2F, PPTP, and L2TP. The packets sent over a VPN are enclosed within another packet (encapsulation), which has a different IP source and destination. Concealing the source and destination of the packets protects the integrity of the data sent.

The VPN tunnel acts as a path between the source and destination. To send the encapsulated data securely, it is necessary to establish a tunnel. All the data packets travelling through the tunnel are encapsulated at the source point and de-encapsulated at the destination point. To send the data to the destination point, a tunnel data protocol is created. The information in the data packet is called a payload. The tunnel data protocol encapsulates the payload within the header containing the routing information. Once the server receives the payload, it discards the header, de-encapsulates the payload, and sends it to the destination.

All data packets transmitted through a VPN network are encapsulated using a VPN base or a carrier protocol. The encapsulated data packet is then sent through the tunnel and later de-encapsulated at the receiver's end. For example, a TCP/IP packet encapsulated with an ATM frame is hidden within the ATM frame. Upon receiving the ATM frame, the encapsulated packet is de-encapsulated to extract the TCP/IP packet.
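The encapsulate/de-encapsulate step above, worked through in code: an added example (not from the EC-Council text) that wraps a packet from the originating computer 10.0.50.3 in an outer IP-in-IP packet carrying the VPN router's address 192.168.50.1, then strips the outer header at the far end. The far tunnel endpoint, far LAN host and payload are constructed values; encryption of the inner packet is left out.

```python
"""IP-in-IP encapsulation (RFC 2003, IP protocol 4) for the tunnel described above.
Added example, not code from the EC-Council text. Host 10.0.50.3 sends a packet;
the VPN router 192.168.50.1 wraps it in an outer packet so only the router's address
shows on the Internet. The far tunnel end 203.0.113.10, far LAN host 10.0.60.7 and
the payload are constructed. Encapsulation alone does not encrypt; a real VPN also
encrypts the inner packet (e.g. IPsec ESP), which is outside this example."""
import socket
import struct

IPPROTO_IPIP = 4  # carrier protocol number: "IP in IP"

def checksum(data: bytes) -> int:
    """One's-complement Internet checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Build a 20-byte IPv4 header (no options, TTL 64) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def parse_ipv4(pkt: bytes) -> dict:
    """Parse one packet; raises ValueError on a damaged or non-IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:          # an intact header checksums to zero
        raise ValueError("bad header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "payload": pkt[ihl:total_len]}

def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """VPN router side: the entire inner packet becomes the outer packet's payload."""
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner)) + inner

def decapsulate(outer: bytes) -> bytes:
    """Far tunnel end: validate and discard the outer header, return the original packet."""
    hdr = parse_ipv4(outer)
    if hdr["proto"] != IPPROTO_IPIP:
        raise ValueError("outer packet is not an IP-in-IP tunnel packet")
    return hdr["payload"]

def header_ok(pkt: bytes) -> bool:
    """True if the header parses with a valid checksum (a cheap tamper/damage check)."""
    try:
        parse_ipv4(pkt)
        return True
    except ValueError:
        return False

# Constructed sample: 10.0.50.3 sends a UDP (proto 17) datagram to 10.0.60.7 on the far LAN.
INNER = ipv4_header("10.0.50.3", "10.0.60.7", 17, 12) + b"hello, LAN!!"
OUTER = encapsulate(INNER, "192.168.50.1", "203.0.113.10")

if __name__ == "__main__":
    o, i = parse_ipv4(OUTER), parse_ipv4(decapsulate(OUTER))
    print("on the Internet:", o["src"], "->", o["dst"], "proto", o["proto"])
    print("after de-encapsulation:", i["src"], "->", i["dst"], i["payload"])
```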
VPN Core Functionality: Encryption
A VPN uses encryption to provide an additional layer of security to data transmitted over the VPN. Encryption plays an important role when sensitive data in an organization are transferred over the Internet. All data that enter the VPN tunnel are encrypted, and decryption is performed as soon as the data reach the end of the tunnel. An encryption key is used in the process of encryption and decryption. Encryption disables monitoring, logging, or tampering of the data in an organization.

Encryption helps secure the data passing through the network. The sender encrypts the data passing through the network, and the receiver decrypts the data. No encryption is required on the communication link between a dial-up client and the internal service provider, as the process of encryption occurs between the VPN client and VPN server.

Figure 7.110: VPN encryption (a certificate authority (CA) issues certificates, managed by a certificate server, to the main office, branch office, and home office; the key is sent to the VPN user to decrypt the data)

In VPN encryption, both the sender and the receiver must have a common encryption key that is sent along with the data. If a packet traveling through the VPN connection does not have the keys associated with it, then it is of no use to the computer. There are many mechanisms to determine the length of the encryption key. The encryption of messages using the same key enables the easy interpretation of the encrypted data. The administrator can always select the encryption keys used for a connection.

In end-to-end encryption, the encryption occurs between the client application and server. IPsec is used with an end-to-end connection once a remote-access connection is established. IPsec works as follows:
- A packet is encrypted using an encryption key. The key is known only to the sender and the receiver.
- An encapsulation header, a sub-protocol, conceals the sensitive information of the packets, including the sender's identity.

VPN Encryption Technologies
- Triple DES algorithm: 3DES operates on 64-bit blocks of data, processing each block three times with a 56-bit key. 3DES eliminates the chances of breaking the encryption key.
- Secure Socket Layer (SSL): SSL is a secure technology that enables communication between a server and client. SSL technology enables the secure transmission of credit card numbers, login credentials, etc. over the Internet.
- OpenVPN: OpenVPN is an open-source VPN instance that works with the SSL/TLS protocol. OpenVPN can be used as both software and a VPN protocol that utilizes VPN techniques to protect site-to-site and point-to-point network connections. It creates a secure tunnel between a VPN client and server.
  Using the OpenSSL library, OpenVPN handles both encryption and authentication. OpenVPN can also use TCP or UDP for data transmission.

VPN Core Functionality: Authentication
Common user authentication techniques for a VPN:
- IPsec
- MS-CHAP
- Kerberos

[Figure: VPN authentication between VPN router 200.15.150.3 and VPN router 203.12.205.40 over the Internet. 1. Packet (unencrypted); 2. Packet (encrypted and encapsulated); 3. Authorization; 4. Database check determines whether authentication was successful. If not successful, the packet is refused and an error message is returned to the sender.]

Authentication is an integral part of VPN technology, as the hosts receiving VPN communication must ensure the authenticity of the hosts initiating and sending the VPN connections. Users must be authenticated to access the VPN and its resources, and authentication uses digital certificates. A VPN employs the following three types of authentication.
- User authentication: In this type of authentication, the VPN employs the mutual authentication concept. The VPN server authenticates the VPN client to check whether the client has the permission to connect. Moreover, the VPN client can authenticate a VPN server for proper permissions.
- Computer authentication with L2TP/IPsec: Remote-access computers are authenticated for proper permissions using IPsec and L2TP/IPsec.
- Data authentication and integrity: All L2TP/IPsec packets sent are included with a cryptographic checksum based on the encryption key.
  Only the sender and the receiver know this checksum. This ensures that the data sent are not manipulated during transit.

Authentication Techniques Used in VPN
- IPsec Family
  o Internet Protocol Security (IPsec): All application traffic is secured using the IP network. IPsec conducts session authentication and data packet authentication for any two securely connected entities. IPsec ensures a secure connection between two networks or from remote networks to the main network.
  o Layer 2 Tunneling Protocol (L2TP): This protocol initiates a connection between two L2TP connections. L2TP is always combined with IPsec to confirm security.
- Kerberos: Kerberos consists of a record of clients and their private keys. Only the client and Kerberos know the details of the private key, and Kerberos generates session keys that encrypt the messages between two clients.
- Password Authentication Protocol (PAP): PAP uses a cleartext authentication mechanism for authenticating users. It sends a username and password as per the NAS request. The NAS receives the username and password in cleartext, i.e., in an unencrypted form. This makes it easy for attackers to establish a connection with the NAS to acquire all the information.
- Shiva Password Authentication Protocol (SPAP): SPAP is a reversible encryption mechanism that is more secure than PAP. SPAP plays its role when a Shiva client attempts to access a server. However, this authentication mechanism is less secure than the Challenge Handshake Authentication Protocol (CHAP) or Microsoft CHAP (MS-CHAP).
- Challenge Handshake Authentication Protocol (CHAP): CHAP is more secure than PAP and uses an encryption authentication technique, which transmits a password representation instead of the actual password during the authentication process. The server sends a challenge message to the client to authenticate users. Users respond with a hash value created using a hash algorithm. The server then compares this hash value with its own calculation of the hash. If they match, then authentication is acknowledged. The remote client creates a hash of the session ID, challenge, and password. It uses the MD5 one-way hashing algorithm.
- Microsoft CHAP (MS-CHAP): MS-CHAP uses a remote-access server to send a session identifier and a challenge string to the remote-access client. The client, in turn, sends an encrypted form of the identifier and challenge string to the server. This encrypted form is irreversible.
- Extensible Authentication Protocol (EAP): With EAP, the data for authentication are compared against an authentication database server. The EAP authentication protocol allows new plug-ins to be added at the client and server.
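The CHAP exchange described above (challenge, hashed response, server-side comparison), as an added example that is not part of the EC-Council text. It follows RFC 1994, where the client hashes the identifier (the "session ID" above), the shared secret and the challenge with MD5; the user name, secret and challenge length are constructed for the example, and the PAP line at the end only illustrates what a cleartext protocol would have put on the wire.

```python
"""CHAP challenge/response (RFC 1994, MD5) for the exchange described above.

Added example, not code from the EC-Council text. The client hashes the
identifier (the "session ID" above), the shared secret and the challenge, so the
secret itself never crosses the link. The user name, secret and challenge size
are constructed for this example."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994, section 4.1: Response = MD5(Identifier || Secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Remote-access server (NAS or VPN server) holding each user's secret."""

    def __init__(self, secrets: dict):
        self._secrets = secrets          # name -> secret
        self._pending = {}               # identifier -> outstanding challenge
        self._next_id = 0

    def challenge(self) -> tuple:
        """Step 1: issue a fresh identifier and a random 16-byte challenge."""
        ident = self._next_id
        self._next_id = (ident + 1) % 256
        chal = os.urandom(16)
        self._pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        """Step 3: recompute the hash and compare; each challenge is valid once."""
        chal = self._pending.pop(ident, None)    # consumed even on failure
        secret = self._secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time compare


def chap_login(server: ChapServer, name: str, secret: bytes) -> tuple:
    """Run one exchange; returns (authenticated, bytes the client sent on the wire)."""
    ident, chal = server.challenge()
    response = chap_response(ident, secret, chal)     # step 2, done by the client
    return server.verify(ident, name, response), response


# Constructed sample credential (not a real account).
SERVER = ChapServer({"alice": b"correct horse battery staple"})

if __name__ == "__main__":
    ok, on_wire = chap_login(SERVER, "alice", b"correct horse battery staple")
    print("CHAP authenticated:", ok)
    print("on the wire (16-byte MD5, not the password):", on_wire.hex())
    print("PAP would instead send:", b"alice:" + b"correct horse battery staple")
```

Because the server discards each challenge after one use, a captured response cannot be replayed against a later challenge, which is the property that distinguishes CHAP from PAP's cleartext username and password.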
[Slide: Examples of a VPN, with screenshots of OpenVPN (https://openvpn.net) and SoftEther (https://www.softether.org)]

Examples of a VPN
- OpenVPN
  Source: https://openvpn.net
  OpenVPN provides flexible VPN solutions to secure data communications for Internet privacy, remote access for employees, securing IoT, or for networking cloud data centers. It is a VPN server software solution that can be deployed on premises using standard servers or virtual appliances; it can also be deployed on the cloud.

  [Screenshot: OpenVPN GUI connection window ("Current State: Connecting") showing the connection log: TCP connection established, MANAGEMENT state changes (TCP_CONNECT, WAIT, AUTH), certificate chain verification (VERIFY OK at depth 2, 1 and 0), the TLSv1.2 control channel cipher, and "Peer Connection Initiated"]