Information security: VPN technology principles and applications.

VPN is a common technology for protecting the security of network communication. The Chinese term for VPN translates as "virtual private network". Its basic principle is to encrypt the packets that must cross a public network and then deliver them to their destination over that public network. VPN technology builds a dedicated secure channel on an untrusted public network, so the data carried by the VPN stays confidential while it crosses the public network. "Virtual" means that the network connection is logical rather than physical: a VPN is a secure network constructed logically on top of a public physical network through cryptographic algorithms, identity authentication, security protocols and related technologies.


Table of contents:

VPN overview:

(1) VPN security functions:

(2) VPN development:

(3) VPN technical risks:

VPN types and implementation technologies:

(1) VPN type:

(2) Cryptographic algorithm:

(3) Key management:

(4) Authentication access control:

(5) IPSec:

(6) SSL:

(7) PPTP:

(8) L2TP:

VPN main products and technical indicators:

(1) VPN main products:

(2) Main technical indicators of VPN products:

VPN technology applications:

(1) Remote secure access:

(2) Build an internal security private network:

(3) External network security interconnection:

VPN overview:

(1) VPN security functions:

◆ There are three main VPN security services:

▶ Confidentiality service: prevents transmitted information from being intercepted;

▶ Integrity service: prevents transmitted information from being modified;

▶ Authentication service: provides access authentication for users and devices to prevent illegal access;

(2) VPN development:

◆ The technical trends of future VPN products have the following characteristics:

▶ The VPN client should be simplified as much as possible, and a “zero client” installation mode will appear;

▶ VPN gateway integration, comprehensive integration of multiple access modes, and integration of multiple security mechanisms and security functions;

▶ VPN products may evolve into trusted network products;

▶ VPN provides a standard security management data interface and can be incorporated into the SOC center for management control;


(3) VPN technical risks:

Security flaws in the implementation of VPN product code:

▶ The implementation of a VPN product involves multiple protocols, cryptographic algorithms and so on. Careless programming easily introduces code security flaws, which in turn cause security problems in the VPN product. For example, the OpenSSL Heartbleed vulnerability allowed a remote attacker to expose sensitive data;

Security flaws in the VPN cryptographic algorithm:

▶ If a VPN product chooses an insecure cryptographic algorithm or weak cryptographic parameters, the VPN system may have security problems and fail to provide protection. For example, the key length may be insufficient;

Security flaws caused by improper VPN management:

▶ Improper VPN management can lead to password leaks, unauthorized access and other issues;

VPN types and implementation technologies:

(1) VPN type:

◆ Link layer: VPN implementations include ATM, Frame Relay and Multi-Protocol Label Switching (MPLS);

◆ Network layer: VPN implementations include controlled route filtering and tunneling technology;

◆ Transport layer: VPN is implemented through SSL;

(2) Cryptographic algorithm:

◆ At present, in addition to foreign cryptographic algorithms such as DES, AES, IDEA and RSA, the domestic commercial cryptographic algorithms, such as the SM1 and SM4 block ciphers and the SM3 hash algorithm, can also be applied to VPNs;

(3) Key management:

◆ There are two methods for key distribution: one is manual configuration; the other is dynamic distribution using a key exchange protocol. Manual configuration is reliable, but keys are updated slowly, so it is generally suitable only for simple networks. A key exchange protocol uses software to negotiate automatically and generate keys dynamically; keys can then be updated quickly, which significantly improves the security of the VPN. Currently, the main key exchange and management standards are SKIP (Simple Key-Management for Internet Protocols) and ISAKMP/Oakley (Internet Security Association and Key Management Protocol).

(4) Authentication access control:

◆ User identity authentication: before the VPN connection is established, the VPN server authenticates the VPN client requesting the connection to check whether it is a legitimate, authorized user;

◆ Data integrity and legitimacy authentication: in addition to user authentication, the VPN must also check whether the transmitted information comes from a trusted source and confirm that it has not been tampered with in transit;


(5) IPSec:

◆ IPSec is the abbreviation for Internet Protocol Security. Because the IP protocol used in TCP/IP networks has security weaknesses such as address forgery and vulnerability to tampering and eavesdropping, the Internet Engineering Task Force (IETF) established an IPSec working group to study and propose security solutions to these problems. Based on the security requirements of IP, the IPSec working group formulated a series of IP security specifications: the Authentication Header (AH), the Encapsulating Security Payload (ESP) and a key exchange protocol;
    

◆ IP AH:

▶ IP AH is a security protocol, also known as the Authentication Header protocol. Its security purpose is to ensure the integrity of IP packets and provide data origin authentication; it provides connectionless integrity, data origin authentication and anti-replay services for IP datagrams.

▶ The basic method is to apply a cryptographic algorithm together with a hash algorithm to part of the IP packet to generate an integrity check value (ICV), and append the ICV to the IP packet;
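As an added illustration (not code from the original post), the following Python computes and verifies an AH-style ICV over a constructed IPv4 packet. It goes slightly beyond the text above: the header fields that routers rewrite in transit (TTL, header checksum) are zeroed before hashing, as AH does, so the check survives forwarding but catches any change to the addresses or payload. The key, addresses and payload are constructed sample values.

```python
import hmac
import hashlib
import struct

def build_ipv4_header(ttl, payload_len, checksum=0):
    # Constructed 20-byte IPv4 header (no options): version/IHL, TOS, total
    # length, identification, flags/fragment offset, TTL, protocol (51 = AH),
    # header checksum, source and destination (hypothetical 10.0.0.1 -> 10.0.0.2).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, 51, checksum, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")

def icv_scope(header, payload):
    # AH computes the ICV over the header with the fields that change in
    # transit (TTL, header checksum) zeroed, followed by the payload, so a
    # router decrementing TTL does not invalidate the check.
    covered = bytearray(header)
    covered[8] = 0            # TTL
    covered[10:12] = b"\0\0"  # header checksum
    return bytes(covered) + payload

def compute_icv(key, header, payload):
    # Keyed hash over the covered bytes, truncated to 96 bits as HMAC-SHA1-96
    # does when used with AH. The key comes from the security association.
    return hmac.new(key, icv_scope(header, payload), hashlib.sha1).digest()[:12]

def ah_protect(key, header, payload):
    # Sender: append the ICV to the packet (a real AH header also carries SPI
    # and sequence-number fields, omitted here).
    return header + payload + compute_icv(key, header, payload)

def ah_verify(key, packet):
    # Receiver: split off the trailing 12-byte ICV and recompute it in
    # constant time; True only if neither header nor payload was altered.
    header, payload, icv = packet[:20], packet[20:-12], packet[-12:]
    return hmac.compare_digest(compute_icv(key, header, payload), icv)
```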


◆ IP ESP:

▶ IP ESP is also a security protocol. Its purpose is to ensure the confidentiality of IP packets, which IP AH cannot provide;

▶ The basic method is to encrypt the IP packet, securely encapsulating either the entire IP packet or only its data field, to generate an IP packet carrying ESP protocol information, and then send the new IP packet to the recipient;

▶ Both IP AH and IP ESP have two working modes, namely transport mode and tunnel mode;

▶ Transport mode protects only the data field of the IP packet;

▶ Tunnel mode protects both the header and the data field of the IP packet;

◆ Key exchange protocol:

▶ IPSec also involves a key management protocol: a security association between the communicating parties must have been established in advance, and it can be established manually or automatically. Manual configuration is relatively simple: the two parties agree on the AH key, the ESP key and other parameters beforehand and write them into the databases on both sides. In automatic configuration, the parameters of the security association are negotiated between the KDC and the communicating parties, and this negotiation must follow a common protocol, which is the key management protocol. Currently, the key management protocols related to IPSec are mainly the Internet Key Exchange protocol (IKE), the Internet Security Association and Key Management Protocol (ISAKMP) and the Oakley key exchange protocol;

(6) SSL:

◆ SSL is a security protocol applied at the transport layer. It is used to build a secure channel between clients and servers, and it consists of the handshake protocol, the change cipher spec protocol, the alert protocol and the record layer protocol;

▶ Handshake protocol: used for identity authentication and negotiation of security parameters;

▶ Change cipher spec protocol: used to notify the peer that the security parameters are changing;

▶ Alert protocol: used for closure notifications and error alerts;

▶ Record layer protocol: used for fragmentation, compression and decompression, encryption and decryption, integrity verification, etc. of the transmitted data;

◆ The SSL protocol is a secure communication protocol that sits between the application layer and the TCP layer;

◆ The SSL protocol provides three secure communication services:

▶ Confidential communication: the handshake protocol generates a secret key before data encryption and decryption begins. Data is encrypted and decrypted with symmetric cryptographic algorithms such as DES and AES;

▶ Point-to-point identity authentication: uses asymmetric cryptographic algorithms such as RSA and DSS;

▶ Reliable communication: an integrity check accompanies the transmitted information; a keyed message authentication code (MAC) is computed with a secure hash function such as SHA or MD5;

◆ Data processing flow of the SSL record protocol:

▶ SSL divides the data into blocks of manageable length;

▶ Optionally compresses the divided data;

▶ Adds a message authentication code (MAC);

▶ Encrypts the data and generates the message to be sent;

▶ The receiving end decrypts, verifies and decompresses the received message, reassembles it and passes it to the higher layer (such as the application layer), completing reception;
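The record-layer flow above, as an added Python example that is not part of the original post: a sender fragments, compresses, MACs and encrypts the data, and a receiver reverses the steps and rejects any record whose integrity check fails. The keys and message are constructed, and the stream cipher is a toy HMAC-counter construction standing in for the negotiated symmetric cipher.

```python
import hmac
import hashlib
import zlib

MAX_FRAGMENT = 16  # SSL permits up to 2**14 bytes; tiny here to force fragmentation

def keystream(key, seq, length):
    # Toy stream cipher (HMAC-SHA256 in counter mode); not an SSL cipher suite.
    out = b""
    for counter in range(0, length, 32):
        block = seq.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
    return out[:length]

def xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))

def send_records(data, mac_key, enc_key, compress=True):
    # Sender: fragment, optionally compress, append a MAC bound to the record
    # sequence number, then encrypt fragment and MAC together.
    records = []
    for seq, start in enumerate(range(0, len(data), MAX_FRAGMENT)):
        fragment = data[start:start + MAX_FRAGMENT]
        if compress:
            fragment = zlib.compress(fragment)
        mac = hmac.new(mac_key, seq.to_bytes(8, "big") + fragment, hashlib.sha256).digest()
        plaintext = fragment + mac
        records.append(xor(plaintext, keystream(enc_key, seq, len(plaintext))))
    return records

def receive_records(records, mac_key, enc_key, compress=True):
    # Receiver: decrypt, verify MAC (sequence number makes reordering fail),
    # decompress and reassemble; raises ValueError on any tampered record.
    data = b""
    for seq, record in enumerate(records):
        plaintext = xor(record, keystream(enc_key, seq, len(record)))
        fragment, mac = plaintext[:-32], plaintext[-32:]
        expected = hmac.new(mac_key, seq.to_bytes(8, "big") + fragment, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            raise ValueError(f"record {seq}: integrity check failed")
        data += zlib.decompress(fragment) if compress else fragment
    return data

def tampering_detected(records, mac_key, enc_key):
    # Convenience check for the receive path: True when any record is rejected.
    try:
        receive_records(records, mac_key, enc_key)
        return False
    except (ValueError, zlib.error):
        return True
```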

(7) PPTP:

◆ PPTP is the Point-to-Point Tunneling Protocol. Its goal is to provide VPN security services to users who reach the Internet over dial-up telephone lines;

(8) L2TP:

◆ L2TP is used to protect the communication between a client and an L2TP-enabled server. The client must have L2TP software installed. L2TP uses a dedicated tunnel protocol that runs on UDP port 1701;

VPN main products and technical indicators:

(1) VPN main products:

◆ IPSec VPN:

▶ Working modes of IPSec VPN products: tunnel mode and transport mode are supported. Tunnel mode is suitable for both host and gateway implementations; transport mode is an optional feature applicable only to host implementations;

◆ SSL VPN:

▶ The working modes of SSL VPN products are of two types: client-server mode and gateway-gateway mode;

(2) Main technical indicators of VPN products:

◆ The State Cryptography Administration promulgated the "IPSec VPN Technical Specifications" and the "SSL VPN Technical Specifications", which set requirements for IPSec VPN and SSL VPN products. Their main contents are as follows:

◆ Cryptographic algorithm requirements:

IPSec VPN uses the asymmetric cryptographic algorithms, symmetric cryptographic algorithms, cryptographic hash algorithms and random number generation algorithms approved by the State Cryptography Administration. The algorithms and their uses are as follows:

▶ Asymmetric cryptographic algorithm: the 1024-bit RSA algorithm or the 256-bit SM2 elliptic curve algorithm, used for entity authentication, digital signatures, digital envelopes, etc.;

▶ Symmetric cryptographic algorithm: the SM1 block cipher with 128-bit blocks, used to encrypt key agreement data and message data; the algorithm works in CBC mode;

▶ Cryptographic hash algorithm: the SHA-1 algorithm or the SM3 cryptographic hash algorithm, used for symmetric key generation and integrity verification; the output of SM3 is 256 bits;

▶ Random number generation algorithm: the generated random numbers must pass the tests specified in the "Randomness Testing Specifications";

The SSL VPN algorithms and their uses are as follows:

▶ Asymmetric cryptographic algorithms: the 256-bit elliptic curve algorithm SM2, the identity-based cryptographic (IBC) algorithm SM9, and RSA with 1024 bits or more;

▶ Block cipher algorithm: the SM1 algorithm, used to encrypt key agreement data and message data; the algorithm works in CBC mode;

▶ Cryptographic hash algorithm: the SM3 algorithm and the SHA-1 algorithm, used for key generation and integrity verification;

◆ VPN product function requirements:

▶ The main functions of an IPSec VPN include: random number generation, key negotiation, secure packet encapsulation, NAT traversal and identity authentication. Identity authentication data should support digital certificates or public/private key pairs, and the IP protocol version should support IPv4 or IPv6;

▶ The main functions of an SSL VPN include: random number generation, key negotiation, secure message transmission, identity authentication, access control, key update and client host security checks;

◆ VPN product performance requirements:

▶ IPSec VPN main performance indicators: (1) encryption and decryption throughput; (2) encryption and decryption delay; (3) encryption and decryption packet loss rate; (4) number of new connections per second;

▶ SSL VPN main performance indicators: (1) maximum number of concurrent users; (2) maximum number of concurrent connections; (3) number of new connections per second; (4) throughput;


VPN technology applications:

VPN application scenarios:

◆ By application type, VPNs can be divided into remote access virtual networks (Access VPN), enterprise internal virtual networks (Intranet VPN) and enterprise extended virtual networks (Extranet VPN);

(1) Remote secure access:

◆ Access VPN mainly solves the security problem of remote users. Remote office users must not only be able to obtain information from the enterprise intranet remotely, but the security of both the users and the intranet must also be ensured. Remote users access the company intranet through dial-up or ISDN using VPN technology. An Access VPN generally consists of two parts: VPN client software for the remote user and VPN access equipment; (individual users)

(2) Build an internal security private network:

◆ The purpose of an Intranet VPN is to securely interconnect the local area networks of corporate offices scattered across different geographic areas through a public network such as the Internet, so as to achieve secure sharing of internal information and corporate office automation; (branches)

(3) External network security interconnection:

◆ An Extranet VPN uses VPN technology to securely connect a partner's network or host to the enterprise intranet over public communication infrastructure (such as the Internet), so as to facilitate the sharing of information and services between the enterprise and its partners. An Extranet VPN solves the access security and communication security problems of organizations external to the enterprise, and also reduces network construction costs; (partners)
Reference: Tutorial for Information Security Engineers.

Origin: blog.csdn.net/weixin_54977781/article/details/132344087