PacketiX VPN 2.0 Manual Chapter 12 PacketiX VPN Software Specification 12.4 PacketiX VPN Protocol Specification


12.4 PacketiX VPN Protocol Specification

This section contains information about the VPN communication protocol used by all PacketiX VPN 2.0 software, the PacketiX VPN Protocol.

12.4.1 Protocol Specs

The specs for the PacketiX VPN Protocol are given below.

Communication Protocol (Upper Layer):
    SSL version 3.0 (Secure Socket Layer)
Communication Protocol (Lower Layer):
    TCP/IP
Port:
    TCP default ports 443, 992 and 8888 (the administrator can change these freely)
Supported encryption and digital signature algorithms (SSL cipher suites, OpenSSL naming):
    RC4-MD5, RC4-SHA, AES128-SHA, AES256-SHA, DES-CBC-SHA, DES-CBC3-SHA
Data Compression:
    Streamed data compression
Session Key Length:
    128 bits
Base Protocol:
    SSL / HTTP over SSL (HTTPS) extension
High Speed Communication:
    Between 1 and 32 TCP/IP connections can be established for load balancing and/or timing control
Automatic Reconnection:
    Specified number of attempts or infinite retries
Connection Methods:
    1. Direct TCP/IP connection
    2. Connection via HTTP proxy server
    3. Connection via SOCKS proxy server
User Authentication (Client Authentication) Methods:
    1. Anonymous authentication
    2. Standard password authentication
    3. RADIUS server authentication
    4. NT domain controller or Active Directory authentication
    5. X.509 certificate / RSA private key file authentication
    6. Smart card (with certificate) authentication
Server Authentication Method:
    X.509 certificate / RSA private key file authentication (SSL server certificate authentication)
Protocol for encapsulation and packet classification:
    Ethernet (IEEE 802.3) frames

12.4.2 Packets Sendable Over a VPN

The packets that can be encapsulated and tunneled by the PacketiX VPN Protocol are standard Ethernet (IEEE 802.3) frames consisting of a MAC header and a payload. The MAC header and payload together must not exceed 1,514 bytes in length (a 14-byte MAC header plus a 1,500-byte maximum payload).
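The frame check described above, written out as an added example (this is not SoftEther's code, and the MAC addresses and frames below are constructed test data): it parses the 14-byte MAC header into destination MAC, source MAC and EtherType, and rejects anything outside the 14 to 1,514-byte range before it would be handed to the tunnel.

```python
"""Validate and parse an Ethernet frame against the PacketiX VPN size limit.

Added example, not SoftEther's code. Enforces the 1,514-byte limit from the
text (14-byte MAC header + 1,500-byte maximum payload) and splits the header
into its three fields. The sample frames are constructed for illustration.
"""
import struct

MAC_HEADER_LEN = 14      # 6-byte dst MAC + 6-byte src MAC + 2-byte EtherType
MAX_FRAME_LEN = 1514     # MAC header + payload, per the spec


def parse_frame(frame: bytes):
    """Return a dict describing a tunnelable frame, or None if it is not.

    A frame shorter than the MAC header cannot be classified at all; a frame
    longer than 1,514 bytes exceeds what the protocol encapsulates.
    """
    if not (MAC_HEADER_LEN <= len(frame) <= MAX_FRAME_LEN):
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:MAC_HEADER_LEN])
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "ethertype": ethertype,
        "payload_len": len(frame) - MAC_HEADER_LEN,
    }


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Assemble a raw frame from colon-separated MACs, EtherType and payload."""
    return (
        bytes.fromhex(dst.replace(":", ""))
        + bytes.fromhex(src.replace(":", ""))
        + struct.pack("!H", ethertype)
        + payload
    )


# Constructed sample frames (addresses are locally administered/test values).
ARP_LIKE = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 0x0806, b"\x00" * 28)
MAX_IPV4 = build_frame("02:00:00:00:00:02", "02:00:00:00:00:01", 0x0800,
                       b"\x45" + b"\x00" * 1499)   # exactly 1,514 bytes
OVERSIZED = MAX_IPV4 + b"\x00"                    # 1,515 bytes: rejected

if __name__ == "__main__":
    for name, frame in (("ARP_LIKE", ARP_LIKE), ("MAX_IPV4", MAX_IPV4), ("OVERSIZED", OVERSIZED)):
        print(name, len(frame), parse_frame(frame))
```

A full-size IPv4 frame is exactly 1,514 bytes, so it passes; the same payload with four extra bytes (for instance an 802.1Q VLAN tag in the header) would be 1,518 bytes and fall outside the limit stated here.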

12.4.3 How to Detect the PacketiX VPN Protocol

Detecting the PacketiX VPN Protocol

At SoftEther we have taken the network administrators of large corporate networks into consideration and designed our software so that, when PacketiX VPN Client connects to PacketiX VPN Server, it sends the server a TCP/IP packet containing the string "PX-VPN2-PROTOCOL". This makes it easy for network administrators to detect any usage of the PacketiX VPN Protocol quickly.

If you want to detect whether employees on your corporate network are using the PacketiX VPN software to connect to a PacketiX VPN Server on the Internet, or to block this activity entirely, you can check for this PacketiX VPN Protocol connection packet.

By detecting the ASCII string "PX-VPN2-PROTOCOL" (16 bytes) within a TCP/IP data stream, you can detect any usage of the PacketiX VPN Protocol.

If you are using Snort, you could write the following type of signature (the rule options must follow the header in parentheses, and Snort requires every rule to carry a unique sid; 1000001 is a placeholder in the local-rule range, so pick one that is free in your own rule set):

        alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PacketiX VPN 2.0 Connection"; flow:to_server,established; content:"PX-VPN2-PROTOCOL"; sid:1000001; rev:1;)

The flow option restricts the match to client-to-server payload on an established connection, which is the direction in which the connection packet is sent.

Important Points

  1. We do not guarantee that the signature given above will always function properly.
  2. We do not guarantee that the "PX-VPN2-PROTOCOL" packet will always be sent in every network environment.
  3. The method given above can produce false positives. For example, if a document or e-mail sent across the network contains the phrase "PX-VPN2-PROTOCOL", it will be mistakenly picked up as a PacketiX VPN Protocol connection packet.
  4. The above information applies only to the PacketiX VPN 2.0 build number/version referred to in this manual. It may not apply to other versions of the software.
  5. The Snort signature given above can detect PacketiX VPN 2.0 communication but cannot block (filter) it. After you have used the above method to detect a packet containing the string "PX-VPN2-PROTOCOL", you can take that packet's source IP address, destination IP address and destination TCP port and filter matching packets to the Internet to block the VPN communication. This type of filtering is generally not possible with an intrusion detection system (IDS) such as Snort by itself; you may have to take the results given by Snort (or another IDS) and write a script that automatically adds that data to your firewall's packet filtering rules. (Because each IDS and firewall system is different, consult the administrators in charge of those systems or contact the vendor for details on how to perform these operations.)
  6. If the VPN client must go through a proxy server to perform a VPN connection (for example, within a company that requires all traffic to the Internet to be routed through a proxy server), apply the filtering rule described above between the client and the proxy server.
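The detect-then-filter procedure of points 3 and 5, as an added example that is neither SoftEther's nor Snort's code: it scans TCP payload for the 16-byte marker, reports the flow tuple (source IP, destination IP, destination TCP port) and renders each hit as a firewall rule. Two details a packet-by-packet grep misses are shown: the marker can straddle two TCP segments, so payload is reassembled per flow, and an optional destination-port filter trades the false positive from point 3 against missing a server that listens on a non-default port. The sample segments, the IP addresses and the iptables rule form are constructed assumptions.

```python
"""Stream-level detection of the PacketiX VPN 2.0 connection marker.

Added example, not SoftEther's or Snort's code. Reassembles per-flow TCP
payload so a marker split across segments is still found, reports the flow,
and emits firewall rules of the kind point 5 describes. The segment records
and the iptables rule form are constructed for illustration.
"""
from collections import defaultdict

MARKER = b"PX-VPN2-PROTOCOL"            # 16-byte ASCII marker sent by the client
DEFAULT_PORTS = {443, 992, 8888}        # default server ports from the spec table

# Constructed sample segments: (src_ip, src_port, dst_ip, dst_port, payload).
SAMPLE_SEGMENTS = [
    # a connection attempt whose marker is split across two TCP segments
    ("10.0.0.5", 50111, "203.0.113.10", 443, b"PX-VPN2-"),
    ("10.0.0.5", 50111, "203.0.113.10", 443, b"PROTOCOL\x00\x00"),
    # an e-mail that merely mentions the marker (the false positive of point 3)
    ("10.0.0.7", 50222, "203.0.113.20", 25, b"Subject: what is PX-VPN2-PROTOCOL?\r\n"),
    # ordinary HTTP to one of the default ports, no marker
    ("10.0.0.9", 50333, "203.0.113.30", 8888, b"GET / HTTP/1.1\r\n"),
]


def detect(segments, ports=None):
    """Return one hit per flow whose reassembled payload contains MARKER.

    ports: optional set of destination ports to restrict the scan to. None
    scans every port, the safer default because the server port is
    user-configurable; restricting to DEFAULT_PORTS drops the e-mail false
    positive above but would also miss a server on an unusual port.
    """
    tails = defaultdict(bytes)   # per-flow carry-over of the last 15 bytes
    flagged = set()
    hits = []
    for src, sport, dst, dport, payload in segments:
        if ports is not None and dport not in ports:
            continue
        key = (src, sport, dst, dport)
        data = tails[key] + payload
        if MARKER in data and key not in flagged:
            flagged.add(key)
            hits.append({"src": src, "dst": dst, "dport": dport})
        # keep len(MARKER)-1 bytes so a marker straddling segments is caught
        tails[key] = data[-(len(MARKER) - 1):]
    return hits


def firewall_rules(hits, chain="FORWARD"):
    """Render hits as iptables DROP rules (assumed rule form; see point 5)."""
    return [
        f"iptables -I {chain} -p tcp -s {h['src']} -d {h['dst']} "
        f"--dport {h['dport']} -j DROP"
        for h in hits
    ]


if __name__ == "__main__":
    for rule in firewall_rules(detect(SAMPLE_SEGMENTS)):
        print(rule)
```

Snort's stream reassembly preprocessor performs the same per-flow reassembly before content matching. When clients reach the Internet only through a proxy (point 6), the sensor and the generated rules belong on the segment between the clients and the proxy, where the source address still identifies the client.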

Other VPN Protocol Detection Methods

Using the above method you can easily detect any usage of the PacketiX VPN Protocol. However, if you want to prevent employees on your corporate network from making any type of VPN connection, not just with PacketiX VPN, you will need to detect and/or intercept every kind of VPN protocol connection.

Internal users can still connect to an external VPN server and exchange information through other VPN protocols such as PPTP, IPsec, SSH, SOCKS, SSL-VPN and many more. SSL-VPN products in particular have been gaining popularity in recent years. Most of them use packets that are indistinguishable from ordinary HTTPS packets, so you have to be very careful in order to detect them.



PacketiX VPN 2.0 Online Manual 2.20.5320
Copyright © 2004-2007 SoftEther Corporation. All Rights Reserved.