Virtual Private Networks
Volume Number: 21 (2005)
Issue Number: 3
Column Tag: Programming
Virtual Private Networks
by Brad Belyeu
How to securely get to the office on the information super-highway
Let's say your working on a big project at the office. Of course, the project is saved on the fileserver for security and accessibility reasons. The big deadline is Friday at five, and you or one of your team-members becomes deathly ill a couple days before. Or what if there was a blizzard? How in the world are you going to work on this project for your biggest client when you can't make it to the office? Create a virtual office! Using a virtual private network, you could access the network file, application, & print servers just as if you were there. When you connect to a VPN, it appears as though your computer sits right on the local network. Access is not as fast as physically being on the LAN, but when you can't be there it's the next best thing.
VPNs (or Virtual Private Networks) come in many shapes and sizes. It has been a buzzword that is fairly ambiguous and has taken on different meanings over time. VPNs provide secure remote access to internal (private) networks over public networks, usually the Internet. The problem in defining VPNs has to do with its ambiguity. Virtually all networks are virtual in some sense of the word. I don't have a direct cable connection to all the Internet resources I use on a daily basis. But I get to those resources through a public network, and they are often located on someone else's private network. Besides, what one person considers private is often not private enough for someone else. VPNs can't be defined by any specific software protocols because there are several different common protocols that work effectively.
Virtual private networks can be hardware or software based. Using Mac OS X Server or a software application like VPN Tracker Server allows you to create a software VPN server, but most VPN servers are pieces of hardware external to your computer. VPN hardware is often included inside a firewall or router. For example, I use the Linksys WRV54G, which is an Internet connection-sharing router, wireless access point, VPN endpoint, & firewall all wrapped up in a single box. Cisco makes some very powerful VPN hardware for large networks. Most software servers are created for a one to one connection using client-server based technology.
There are two main types of VPNs and I will define them by the endpoints they connect. The first is the client to LAN (local area network) connection. A local area network is your private internal network. You normally use this connection for remote users to connect to a single office from anywhere with Internet access. This is useful for telecommuting. If you have employees that work in the field but need access to office databases, this is the type of VPN that you need. The other VPN type is LAN to LAN. This VPN type is usually used to connect the resources at two office locations so they look like a single LAN. This is often used when a company has a corporate location and other locations that need access to the corporate resources, or when resources are distributed across a couple of locations.
When companies wanted to connect different office locations together before the Internet was widespread, they normally had to lease lines from a cable company to connect the locations. This kind of a network is referred to as a trusted VPN. This was a secure way to build a network since no one outside the buildings had access to the network as long as the cable company protected their switches, but it was also a very expensive way to share resources. With the advancement of the Internet, it became clear that using public lines instead of privately leased lines could connect offices much less expensively. But could a network over public lines be trusted for private (secure) communication? Because of the need to protect data, secure VPNs were developed. Secure VPNs use network protocols to encrypt data as it leaves the originating network and then decrypt it when it arrives at its destination. If you are using a combination of both trusted and secure VPN technology, it is referred to as a hybrid VPN.
PPP (point-to-point protocol) is a protocol that allows users to dial-up a connection to access the Internet. This connection is basically a VPN. You're using public telephone lines to access the Internet, but the access is insecure. Point-to-point tunneling protocol (PPTP) is a protocol developed by several companies but usually associated with Microsoft. Microsoft added it into every OS release since Windows 98. PPTP was built on PPP technology to create a "tunnel" allowing secure passage of information. PPP is the parent technology of PPTP, and PPTP couldn't exist without PPP. PPTP sends data in encapsulated PPP packets, which are then encapsulated within IP packets. Encapsulation allows you to send different protocols over IP. That means you can send more than just IP packets over the VPN. It's like wrapping presents. You normally use different kinds of wrapping paper for different occasions, Christmas paper, birthday paper, etc. PPTP can only deliver IP packets over the Internet, which would be like demanding a present be wrapped in Christmas paper to be delivered. But if it's really a birthday present, PPTP allows you to wrap the present in birthday paper, then wrap it in Christmas paper for delivery. After the packet is delivered, the packet header knows that it is really a birthday present and takes off the Christmas wrapping paper at its final destination. That is how you can send IPX or NetBEUI packets over IP with PPTP. The trick of PPTP being able to send other packets over IP lies in the fact that it runs at the OSI (open systems interconnection) layer 2, or link layer. PPTP relies on PPP for its authentication and encryption methods. PPTP can be used to create a 'tunnel' between two locations using TCP port 1723. Once the TCP connection is established, both control messages and data packets are sent from one endpoint to the other. These control messages do everything from initializing the VPN, to keeping it alive, and closing the VPN session. Control messages also serve other maintenance functions for the VPN. The weaknesses of PPTP are that it does not provide strong encryption for protecting data nor does it support any token-based methods of authenticating users.
L2TP (layer 2 tunneling protocol) combines the best features of PPTP and L2F from Cisco Systems into one protocol. The Internet Engineering Task Force (IETF) standardized L2TP for tunneling PPP across a public network. The main two components of L2TP are the Access Controller (LAC) and the Network Server (LNS). L2TP is similar to PPTP and runs over the OSI layer 2 so it can also route other protocols through IP packets. Data is forwarded from the LAC, which can be your own computer or your ISPs, to the LNS. If you're inside a private network, L2TP may be fine by itself. Because L2TP can't prevent packets from being changed, stolen, or faked, it is usually combined with IPSec when used across the Internet.
IPSec is the most secure way to connect to a VPN network. There are two components to IPSec: the authentication header (AH) and the Encapsulating Security Payload (ESP). The AH creates a special hashing algorithm and a specific key known only to the source and destination, which is used to check for packet integrity. A security association is setup between the devices and the AH stores the output of the special computation. Then the receiving device does the same computations, it checks the AH to make sure the computations are the same. This verifies that the packet has not been altered from its original state. It is a checksum type of authentication. The AH provides authentication but not privacy; the ESP does that by encrypting the data. The ESP encryption algorithm is a key known only to the source and destination so no one in-between can decrypt the transmitted data.
IPSec can run in two different modes. These modes relate to how IPSec is set up. If two routers are creating a VPN connection, it uses tunnel mode; but if the VPN is host to host, it uses transport mode. In transport mode, only the data portion of the packet is encrypted. To obtain maximum security, one should use tunneling mode where the entire IP packet is encrypted and authenticated. The only downfall of IPSec is that it runs on OSI layer 3 and only supports IP packets. There is a way to overcome this however. Bundling L2TP with IPSec allows a VPN with maximum security and multiple protocols. Because IPSec by itself has no way of tunneling, it is normally only used with L2TP. L2TP creates the tunnel and IPSec allows it to be secure. This is the most secure way to create a private network and is being adopted as the best standard. RFC 3193 describes the standard for bundling L2TP & IPSec. (http://www.faqs.org/rfcs/rfc3193.html)
OS 10.3 & VPNS
OS 10.3 Panther has built in VPN client support through the Internet Connect application (see figure 1). It currently allows for two different kinds of VPN connections: PPTP or L2TP over IPSec in transport mode.
Figure 1. VPN Connections
Apple doesn't allow for plain IPSec connections because, "Pure IPSec only provides user authentication or configuration of the client machine through protocols which are either proprietary or defined by the long-expired IETF drafts, which are not standards. Using PPP/L2TP over IPSec is the only "standard" way of doing remote access with user authentication and IP address assignment over IPSec at this time." (http://docs.info.apple.com/article.html?artnum=108088) What Apple means by "Pure IPSec" is using IPSec without the internal encapsulation. The built-in functionality of the VPN client for OS X is very limited, but there are good applications for expanding that functionality. VPN Tracker (http://www.apple.com/downloads/macosx/networking_security/vpntracker.html) is an excellent application for customizing your VPN connection. VPN Tracker is one of many products developed by equinux for VPNs. VPN Tracker allows you to customize every option of the connection (see figure 2). It also has built in support for a large number of VPNs from major vendors. If you choose the option for that specific VPN server, it will automatically set all the necessary options for you.
Figure 2. VPN Tracker
Equinux also makes a VPN Tracker Server in case you want to setup a VPN connection to a specific computer on your network. If you decide to setup a software VPN and you are behind a NAT (Network Address Translation) router, you need to make sure it has VPN pass-through enabled or the proper TCP/UDP ports are being forwarded.
Setting up a VPN can be complicated; but with the proper hardware & software, the average Macintosh user can do it. With all the different protocols, setup needs to be thought out before hand. If you choose a hardware router/VPN, research the manufacturers products first to see which protocols they work with. I've had no problem with my Linksys router, and I've setup other common brands that have worked as well (D-Link, Netgear, etc.) I would suggest viewing equinux's website at http://www.equinux.com/us/products/vpntracker/interoperability.html for a list of products that work with VPN Tracker. If you're going to use Internet Connect, it is very compatible with a large range of products; but doesn't offer near as much customization as VPN Tracker. I strongly suggest downloading and trying out equinux's VPN Tracker to keep those private networks secure!
Brad Belyeu is the President of ABConsulting based out of Oklahoma City, OK. He is an Apple
Certified Technician and a member of the Apple Consultant Network.