PacketiX VPN 2.0

Security

1. Strong Encryption
2. User authentication options
3. Server Certificate Verfication
4. Authentication by smart card
5. Further Information

Security is one of the strong points of the PacketiX VPN software. Compared to conventional VPN solutions, PacketiX VPN includes advanced security functions to offer safety from small-scale VPNs to company-wide implementations that shoulder the main share of data communication.

PacketiX VPN uses the encrypted TCP/IP packets (SSL / HTTPS) for data transfer. The encryption and hash algorithm can be chosen by the system administrator, with RC4 and MD5 as default choices.

Furthermore, PacketiX VPN offers authentication for both clients and servers. For server authentication, electronic signature certificates based on X.509 and RSA are used. For user/client authentication, a number of methods are available to meet the security demands of the customer. To integrate the user authentication in the existing network of an organization, PacketiX VPN can access the user database of a RADIUS, NT Domain or Active Directory Server. For especially sensible networks, PacketiX supports user authentication by smart card.

User authentication by PacketiX VPN protocol

Strong encryption

The PacketiX protocol encrypts all transmitted content via SSL (Secure Socket Layer). SSL is the standard security protocol of the Internet, and is generally used for secure communication between HTTP servers and Web browsers. But PacketiX uses only SSL 3, the current, most secure version. To avoid security risks, PacketiX VPN does not support older SSL versions.

Robust VPN session encryption by various encryption algorithms

SSL offers three functions: encryption, electronic signature and certified authentication. PacketiX VPN employs all three of them to create a secure environment for its VPN connections.

The SSL encryption algorithm and digital signature method employed by PacketiX VPN is not fixed, instead an appropriate algorithm can be chosen by the server administrator. The default algorithms are RC4 128 bit for encryption and MD5 as hash algorithm. Apart from these, DES and AES (encryption), SHA-1 (hash) and other algorithms are available at different bit lengths.

Supported Algorithms and Protocols

• Transfer protocol: SSL 3.0
• Encryption algorithms: RC4 128bit, AES 128bit, AES 256bit, DES 656bit, Triple-DES 168bit
• Hash algorithms: MD5 128bit, SHA-1 160bit
• PKI client/server authentication: X.509 certificate authentication + RSA 1024bit

Broad range of user authentication options

While of course PacketiX VPN offers the standard user authentication by password, various other options for user authentication are available.

• Anonymous Authentication
  Anonymous authentication allows anyone with a valid user name to login to the VPN. While this method is not recommended for company VPNs, it can be used for VPN services offered to the public.
• Normal password authentication
  Normal password authentication means that users identify themselves with a password. This is the most simple way to maintain security. On the server, passwords are stored as hashes. For the challenge-response authentication between client and server, nothing is exchanged on the network except for the password and its hash value .
  Users can change their passwords in the Client at any time.
• Authentication by RADIUS Server
  With this method, the virtual hub refers to an existing RADIUS server (hardware or software) to retrieve user authentication information. The administrator can set this as a general rule, or let the hub look up only selected users.
• NT Domain and Active Directory Authentication
  The PacketiX VPN virtual hub can also refer to the user database of an existing Windows NT Domain controller or a Windows 2000 / Windows 2003 Server Active Directory. This allows users to log onto the VPN with their Windows Domain password. The unified password database means less work for the administrator.

Referring to a NT Domain Controller or Active Directory Server for user authentication
• Authentication using Public Key Infrastructure (PKI)
  With this authentication method, the user presents a certificate that was signed with a private encryption key to the server. The server determines the authenticity of the certificate by a mathematical operation. This method is the more secure than passwords, because a private key cannot be guessed or peeked while it is typed. To increase security further, PacketiX VPN offers support for smart cards to store the private key and user certificates.

All parameters and settings related to user authentication can be adjusted in detail by the system administrator. The user database is administered on the level of the individual virtual hub, and virtual hubs are independent from each other. This allows for different authentication methods to be used on one VPN.

Server Certificate Verfication

When constructing a VPN over a public IP network like the Internet, protection against a number of different attacks is necessary. While most older VPN protocols did have an authentication function to determine the identity of the client that wanted to connect to the server, a majority of them had no function for the client to ensure that the server they connect to is the real one. This is a serious security risk, as attackers could use a fake server to intercept or change packets of the transmission, or steal passwords and sensible data.

With PacketiX VPN, as with HTTPS, SSH and other secure protocols, a certificate with an electronic signature of the Web Server is checked, and a connection is only opened if the certificate is valid.

Verifying the server certificate presented by the VPN Server

The certificate is decrypted by using the server's public key to check whether the server is in possession of the corresponding private RSA key. In case of a server that cannot be trusted, the connection is cancelled and a warning message is displayed.

Authentication by smart card

While passwords are the usual method to authenticate the user for a VPN connection, there are a number of problems. If the password is too short or not complex enough, there is the danger that it can be guessed or cracked. If a third person gets a glance at the password while it is entered, that person can gain unwanted access. And even though there are more secure ways to store password data, most software stores it on the computer harddisk. If attackers gain access to the harddisk, such as through a trojan horse program or a stolen laptop, the password data can be stolen.

Where sensible data are handled, a more secure user authentication method than passwords is necessary. Smart cards and hardware security tokens offer a way to safely store user authentication data (private key and certificate) on a separate, secure device. With PacketiX VPN these devices can be used for VPN user authentication. It supports a broad range of of existing systems, so it is not necessary to introduce new hardware if a company or organization already employs such devices.

Authentication by smart card

For the electronic signature, smart cards and other security tokens carry a special chip to do the necessary mathematical operations. This way an electronic signature can be given while the private key is kept safe within the device and never handed out.

To safeguard against lost or stolen smart cards / security tokens, a PIN must be entered every time the device is used, and internal security measures protect the key and other data within the device from being read by attackers.

Further Information

PacketiX VPN 2.0 Online Manual

• Chapter 1.5: Bolstering Security
• Chapter 3.5: Virtual HUB Security
• Chapter 11.4: Additional Security Information
• Chapter 12.4: PacketiX VPN Protocol Specifications