1.5 Bolstering Security
Offering sufficient security is one of the most important matters for
PacketiX VPN software designed and developed for the purpose of
supporting backbone communication by company network, etc. Compared with
older VPN solutions, PacketiX VPN software has new advanced security
functions and offers sufficient security for VPN construction that can
withstand use for backbone work of businesses from small scale VPN. This
section contains a description of the security functions offered by
PacketiX VPN.
1.5.1 Abundant User Authentication Options
The types of user authentication when connecting PacketiX VPN Client
or PacketiX VPN Bridge by VPN to PacketiX VPN Server include all sorts
of methods as well as simple password database. All types of user
authentication and parameters can be set in detail for each user.
Because the user database is managed separately for each Virtual HUB,
Virtual HUBs are independent of each other.
User authentication methods that can be used include the following.
For details see 「2.2 User Authentication」.
- Anonymous authentication
Anonymous authentication
allows connection as long as at least the user name is known, and is
used when establishing widely offered Virtual HUB service, etc. It
is not usually used for businesses, etc.
- Password Authentication
Standard password
authentication is the method of conducting user authentication by
user name and password and is the method for which security can be
most easily maintained. Users can also change the password
themselves using VPN Client. The password is hashed when typed in
and because password confirmation is conducted by challenge and
response when authenticating, the password and hash data do not flow
on the network.
- RADIUS server authentication
Method of user
authentication using RADIUS authentication server already owned by
company, etc.
- NT domain and Active Directory authentication
Method
of user authentication using Windows NT main controller or Active
Directory of user database of Windows 2000 / Server 2003 already
owned by company, etc.
- Certificate authentication (PKI authentication)
Method
of user authentication whereby those connected to VPN are identified
by mathematically calculating whether or not those connected have a
private key by having those connected to VPN present a client
certificate to VPN Server. Because a fixed character string such as
password is not used, it is the most secure method of user
authentication.
1.5.2 Robust Encryption
With PacketiX VPN protocol, all communication contents and data
related to user authentication is encrypted by Secure Socket Layer (SSL)
encryption. SSL is currently the standard security protocol for the
Internet, and is used for communication between HTTP server and web
browser (called "HTTPS protocol").
There are several versions of SSL, but the only one that is
compatible with PacketiX VPN is SSL Version 3, which is considered to be
the most secure; older versions of SSL protocol that have weaknesses are
not used at all.
SSL primarily offers three functions: encryption, electronic
signature, and certificate authentication. All three of these functions
are utilized for PacketiX VPN to maintain security of VPN sessions
between PacketiX VPN Server and VPN connection source.
With the SSL implemented for PacketiX VPN algorithms used for
encryption and those used for electronic signature are not fixed; the
VPN Server administrator can choose the algorithm. The RC4 128 bit
encryption algorithm and MD5 hash algorithm are selected by default, but
algorithms such as DES, AES, or SHA-1 can be selected by specifying the
number of bits.
Fig. 1-5-1 Robust VPN session encryption by various
encryption algorithms |
1.5.3 Server Certificate Verification
Many older VPN protocols have a user authentication function to
identify and authenticate connection source users that have connected to
the VPN server. Oppositely the majority of VPN clients have no function
to confirm whether or not the VPN server they are about to connect to is
authentic.
If constructing VPN using a public IP network such as the Internet,
however, there is the possibility of a malicious cracker, etc., lurking
somewhere in the line setting up a false VPN server and relaying VPN
communication from the client, reading or tampering with the packets
flowing through the VPN by "man-in-the-middle" (MITM) attack.
Commonly used protocols such as HTTPS and SSH check the certificate
of the connection destination web server and SSH server and connect only
if the certificate is authentic. If the certificate is not authentic,
the connection is interrupted and a warning is displayed. VPN
communications requires a way to authenticate the connection destination
server to guard against masquerading or MITM attack.
The server certificate presented by the connection destination server
can be trusted, and PacketiX VPN can make sure the server has the RSA
private key for the secret by mathematical calculation. If the
connection destination VPN Server presents a suspicious certificate, VPN
connection to the server is interrupted and a warning is displayed.
PacketiX VPN keeps a list of certificates that can be trusted.
Certificates not signed by a reliable certification institution are
regarded as untrustworthy (the user can keep a list of certificates).
Server certificate verification is conducted by the connection source
software side such as cascade connected VPN Server or VPN Bridge or VPN
Client connected to remote VPN Server by usual method. For details on
server certificate verification, see 「4.4.5 Server-Certificate Verification」, etc.
Fig. 1-5-2 Verifying server certificate presented by VPN
Server |
1.5.4 Use with Smart Cards
When conducting user authentication for VPN connection to VPN Server,
if password authentication or conventional certificate authentication is
used, a certain degree of security can be maintained, but the following
problems also exist.
-
If using password authentication, if the password in not long or
complicated enough, there is danger of the password being guessed
for unauthorized access. If a third party obtains a password from a
second party that observes the password being input, there is danger
of unauthorized access by the third party.
-
Certificate authentication provides a method of authentication that
is more secure than password protection, but under ordinary
circumstances, private key data of the certificate is kept in the
hard disk of the computer. If the computer's hard disk is stolen by
a malicious third party or only the certificate data is extracted,
the third party can masquerade as the user using the private key
data of the certificate and connect to the VPN server.
With PacketiX VPN, if certificate authentication is used to
authenticate users when VPN Client connects to the VPN Server, the
certificate and private key data are written in a smart card or other
hardware security token device instead of saving on the computer hard
disk, and user authentication can be carried out by inputting each time
the client connects to VPN Server.
Smart cards or other hardware security token devices have a built-in
chip that performs RSA calculation, and electronic signature can be
accomplished using certificate and private key from the memory of the
smart card without exposing the private key externally. Also with
PacketiX VPN, existing certificates and private key objects stored in
smart cards can be specified and used for user authentication.
Smart cards and other hardware security token devices are designed so
that once private key data is written inside, it cannot be extracted.
The data in smart cards is protected by a PIN code consisting of several
digits. Smart cards are designed so that the smart card itself halts
access if the PIN code doesn't match. Because of this protection, the
private key can be loaded into the smart card, and by conducting user
authentication using the private key in the smart card when connecting
to the VPN Server, even if the computer itself or smart card is lost or
stolen, a malicious third party can be prevented from access by
masquerading.
For information on how to use the user authentication function using
a smart card, see 「4.6 Using and Managing Smart Cards」.
Fig. 1-5-3 Smart card authentication |
|