Telecommunications Engineering - VPN
Dedicated to students and researchers in the telecommunication sciences

Virtual Private Networks

VPN technology is a rapidly growing technology that provides secure data transmission across public network infrastructures. VPNs have in recent years allowed corporations to harness the power of the Internet for remote access. Today, VPNs are typically used in three different scenarios: for remote user access, for LAN-to-LAN (site-to-site) connectivity, and for extranets. VPNs employ cryptographic techniques to protect IP information as it passes from one network to the next or from one location to the next. Data that is inside the VPN “tunnel”—the encapsulation of one protocol packet inside another—is encrypted and isolated from other network traffic. A VPN for site-to-site connectivity is illustrated in

Most VPNs in use today make use of the IPsec protocol suite. IPsec, developed by the Internet Engineering Task Force (IETF), is a framework of open standards for ensuring private communications over IP networks. It provides the following types of robust protection:

• Confidentiality
• Integrity
• Data origin authentication
• Traffic analysis protection.

Connectionless integrity guarantees that a received message has not changed from the original message. Data origin authentication guarantees that the received message was sent by the originator and not by a person masquerading as the originator. Replay protection provides assurance that the same message is not delivered multiple times and that messages are not out of order when delivered. Confidentiality ensures that others cannot read the information in the message. Traffic analysis protection provides assurance that an eavesdropper cannot determine who is communicating or the frequency or volume of communications. The Encapsulating Security Payload (ESP) header provides privacy and protects against malicious modification, and the Authentication Header (AH) protects against modification without providing privacy. The Internet Key Exchange (IKE) protocol allows for secret keys and other protection-related parameters to be exchanged prior to a communication without the intervention of a user.[33] IKEv1 is in the process of being replaced by IKEv2.[34]

The use of IPsec with WLANs is depicted in Figure 3-11. As shown, the IPsec tunnel is provided from the wireless client through the AP to the VPN device on the enterprise network edge. With IPsec, security services are provided at the network layer of the protocol stack. This means all applications and protocols operating above that layer (i.e., above layer 3) are IPsec protected. The IPsec security services are independent of the security that is occurring at layer 2, the WEP security. As a defense-in-depth strategy, if a VPN is in place, an agency can consider having both IPsec and WEP applied. With a configuration as

Figure 3-12 illustrates another example of a wireless network with the “VPN overlay.” As shown, with wireless devices with VPNs, clients can connect securely to the enterprise network through a VPN gateway on the enterprise edge. Wireless clients establish IPsec connections to the wireless VPN gateway—in addition to or instead of WEP. Note that the wireless client does not need special hardware; it just needs to be provided with IPsec/VPN client software. The VPN gateway can use preshared cryptographic keys or digital (public-key based) certificates for wireless client device authentication. The reader should recognize that an organization that uses preshared keys for a VPN solution will encounter the same scalability and key distribution problems present in WEP. Additionally, user authentication to the VPN gateway can occur using remote authentication dial-in user service (RADIUS) or one-time passwords (OTP). The VPN gateway may or may not have an integral firewall to restrict traffic to certain locations within the enterprise network. Today, most VPN devices have integrated firewalls that work together to protect both the network from unauthorized access and the user data going over the network. Integrated VPNs and firewalls save costs and reduce administrative burden. Additionally, the VPN gateway may or may not have the ability to create an audit journal of all activities. An audit trail is a chronological record of system activities that is sufficient to enable the reconstruction and examination of the sequence of environments and activities. A security manager may be able to use an audit trail on the VPN gateway to monitor compliance with security policy and to gain an understanding of whether only authorized persons have gained access to the wireless network.

[33] For more information on IPsec protocol security—including discussion of the IPsec authentication header, Encapsulating Security Payload (ESP) header, and Internet Key Exchange (IKE)—refer to the NIST ITL Bulletin “An Introduction to IPsec (Internet Protocol Security),” March 2001.
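One way a security manager could review a VPN gateway audit trail as described above, given as an added example that is not from the NIST text or from any VPN product. The record layout, user names, addresses and failure threshold are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

AUTHORIZED = {"alice", "bob"}  # constructed list of persons allowed on the VPN
FAIL_LIMIT = 3                 # failed logins per source before flagging (assumed)

# Constructed audit records: timestamp, event, user, client address.
AUDIT_LOG = """\
2007-02-14T08:01:12 AUTH_OK alice 10.20.0.15
2007-02-14T08:03:40 AUTH_FAIL bob 10.20.0.31
2007-02-14T08:03:44 AUTH_FAIL bob 10.20.0.31
2007-02-14T08:03:49 AUTH_FAIL bob 10.20.0.31
2007-02-14T08:10:05 AUTH_OK mallory 10.20.0.77
2007-02-14T08:09:58 AUTH_OK bob 10.20.0.16
not a record
"""

def parse(line):
    """Return (time, event, user, source), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return when, parts[1], parts[2], parts[3]

def review(log_text, authorized=AUTHORIZED):
    """Return (line number, finding) pairs for records that need attention."""
    findings, failures, latest = [], Counter(), None
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse(line)
        if rec is None:
            findings.append((n, "unparseable record"))
            continue
        when, event, user, src = rec
        # An audit trail must be chronological to reconstruct the sequence.
        if latest is not None and when < latest:
            findings.append((n, "out of chronological order"))
        latest = when if latest is None else max(latest, when)
        if event == "AUTH_OK" and user not in authorized:
            findings.append((n, f"access by unlisted user {user}"))
        if event == "AUTH_FAIL":
            failures[src] += 1
            if failures[src] == FAIL_LIMIT:
                findings.append((n, f"{FAIL_LIMIT} failed logins from {src}"))
    return findings
```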

 

 

Ref.: NIST Wireless Handbook 802.11

Posted on Wed 14 Feb 2007 at 10 PM by Kaveh Khatami
 