Virtual Private Networks (VPN)
Last week I've been in the north of Spain (Oviedo) working with VPNs and this is the reason why I've been reviewing and studying deeply all kind of VPNs like IPSec, SSL, GRE, L2TP/PPTP and MPLS, and I've also been working with cryptographic algorithms like Diffie Hellman, ciphers like 3DES and AES, authentication mode like PSK and RSA, Aggressive Mode VPNs, Main Mode VPNs, etc, etc.
Speaking about IPsec, we have to begin with the framework where we can see protocols and algorithms which give us confidentiality, integrity and authentication over an untrusted network like Internet.
When we have to configure an IPsec VPN, we have to choose a set of these protocols and algorithms which are needed to make a Security Association (SA). It is important to choose strong algorithms like AES and SHA, and a strong group of Diffie Hellman as well, which I recommend at least 2048 bits or the 14 group.
The authentication mode could be PSK (Pre Shared Key) or RSA. Obviously, PSK is easier to configure but easier to crack when it is compared with RSA because the asymmetric algorithm RSA is composed by public key and private key, which is stronger than just having a key. The RSA algorithm is easy to understand if we think about padlocks because they are opened (Public key) to everybody who wants to write a confidential message, which is only able to be opened (read) by the private key. On the other hand, we shouldn't confuse RSA with Diffie Hellman (DH), even though DH is an asymmetric cryptographic protocol, because DH is used to exchange keys between two peers who don't know each other. DH uses a large prime number and a base group along with the private key and public key to agree a secret key between peers, once it is done, peers exchange messages encrypted by the secret key with a symmetric algorithm.
If we are going to configure an IPsec VPN, we should know how it works because if something goes wrong we have to know what we are doing. Therefore, we should know that the first phase is going to propose algorithms and protocols to the remote peer to make a security association. In the first phase we can choose between two mode, Aggressive Mode which has three steps or packets and Main Mode which has six steps or packets and it is more secure than Aggressive Mode. While in the second phase, peers are going to negotiate networks to share in the VPN and algorithms to cipher data as well.
I've been working with FortiGate appliances to analyze and understand IPsec and SSL VPN protocols, and Cisco emulators for IPsec and GRE VPN and this has been the best way to consolidate my knowledge about Virtual Private Networks. In fact, this has been the reason why I wrote about VPN Security last week, and these are the slides about that speech:
Speaking about tendencies, although it seems that VPN as a services is the trend due to the fact that there are many free VPN services, we should be careful about what we are using because sometimes we can be paying with confidential data or personal data if we send this information through the free VPN.
Last, but not less important, I have to say … that while I've been in Oviedo, I've been drinking cider in Tierra Astur, eating the typical food like Cachopo and of course taking pictures with Woody Allen.
Regards my friend and remember, drop me a line with the first thing you're thinking.