VPN technology allows secure transmission of data over unsecured networks like the Internet. It works by encapsulating and encrypting data. VPNs allow remote users to securely connect to a corporate server as if they were on a private, dedicated connection. VPNs also enable secure connections between corporate branches and other companies over public networks like the Internet. The motivation for this project was to create a more secure and reliable way for banks in Bangladesh to conduct transactions between branches than the existing phone line system. The objective is to integrate VPN technology into an existing banking infrastructure to facilitate secure communication between bank branches located in different locations.
Chapter-01

Introduction

1.1 Overview

A Virtual Private Network (VPN) is a means to transmit data securely and privately over
an unsecured, shared network infrastructure. A VPN secures the data transmitted across
this common infrastructure by encapsulating the data, encrypting the data, or both
(encapsulating the data and then encrypting it).
VPN connections allow users working at home or on the road to connect securely to a
remote corporate server using the routing infrastructure provided by a public
internetwork (such as the Internet). From the user's perspective, the VPN connection
is a point-to-point connection between the user's computer and a corporate server. The
nature of the intermediate internetwork is irrelevant to the user, because it appears
as if the data were being sent over a dedicated private link.

VPN technology also allows a corporation to connect to branch offices or to other
companies over a public internetwork (such as the Internet) while maintaining secure
communications. The VPN connection across the Internet logically operates as a wide
area network (WAN) link between the sites.

1.2 Motivation
In a typical banking structure in Bangladesh, transactions between different branches
take place over conventional telephone lines. These transactions may be unreliable and
less secure, and they are time consuming for banking personnel. This project
introduces a network infrastructure through which transactions between branches become
convenient and secure. The network also supports a centralized banking system, which
is important from the banking point of view.
1.3 Objective
The primary development objective of this project is to create a system that helps
banking personnel contact their branch offices located in different locations. This
project covers the effort to integrate VPN technology into an existing banking
infrastructure.

1.4 Method
To understand the requirements of a VPN and the security aspects of the models in use,
a thorough description is given as a theoretical basis for the configuration, with
clearly defined security services and mechanisms. Throughout the thesis this theory is
used when analyzing the configuration in more detail, and it serves as a comparison
framework when evaluating whether the method provides the adequate security services
on the Cisco router and firewall. The configuration methods are also evaluated with
respect to the security requirements expressed by the Common Criteria, that is,
whether the method can achieve an adequate level of security [1].

Chapter-02

VPN History

2.1 Overview

Virtual Private Networks (VPNs) were originally defined and first applied in voice
communications. For years, phone companies delivered voice services using what they
called "Virtual Private Networks", despite the fact that there wasn't, and still isn't,
much that is "virtual" about them. In fact, even today just about any software-defined
user group provisioned over any physical medium is considered a VPN by the phone
companies. The term is still in use even though the public switched telephone network
(PSTN) facilities are owned by the phone companies, which makes the technology
essentially a private network used for offering user group services.

With the rise of data communication, the term VPN was adopted by the data networking
industry and given a new, more accurate meaning. VPNs were initially created with
dedicated link layer networking technologies such as Frame Relay PVCs (Permanent
Virtual Circuits) or ATM VCs (ATM stands for Asynchronous Transfer Mode) established
between individual hosts or networks. In roughly the 10 years following the advent of
these technologies, data VPNs were typically implemented in this fashion, with the
main goal of replacing less efficient private networks based on dedicated end-to-end
leased facilities.

Internet Protocol (IP) networks quickly gained public interest and market acceptance,
and a new generation of VPN services based on network layer technologies was
introduced to the market. Like traditional VPNs, IP VPNs use shared facilities to
emulate private networks and deliver reliable, secure services to end users. During the
initial IP VPN technology trials, equipment manufacturers and standards organizations
such as the IETF came up with a number of encapsulation and encryption techniques in
an effort to deliver the promised cost advantages and complexity reduction without
compromising the security requirements of many potential VPN customers. Proprietary
mechanisms such as Layer Two Forwarding (L2F), devised by Cisco, and the
Point-to-Point Tunneling Protocol (PPTP), introduced by Microsoft, are early examples.
Ultimately the industry settled on standards-based technologies such as IPsec, L2TP,
Generic Routing Encapsulation (GRE) and Multi-Protocol Label Switching (MPLS), among
others. Common authentication and accounting methods, largely based on the RADIUS
protocol previously defined to satisfy the demand for centralized subscriber
management in the remote dial-up industry, were also selected and standardized for use
with IP VPNs. Mobile wireless VPNs are the latest members of this group.

A Virtual Private Network (VPN) involves transmitting private data over public
networks. It is not a new term in data communications. The term VPN initially came
from a specific carrier design, in which a part of the carrier's network (referred to
as a cloud) is separated from the other parts and leased by an enterprise for voice,
data and video communications. Today a VPN is more like a wire-in-the-cloud type of
connection. Understanding VPNs and their complexities is more challenging than for
most other technologies on the market because of the many complex mathematical
algorithms involved and the wide range and types of both deployed and emerging
solutions.

This chapter covers service provider-based VPNs and enterprise VPNs, with their
classifications and categories. The focus is on remote access solutions, so
information on service provider VPNs is provided solely for the purpose of
discussion. The chapter gives a concise description of the following topics: service
provider VPNs; enterprise VPNs on the data link layer and on the network layer of the
Open Systems Interconnection (OSI) model; IPsec modes and protocols; and key
exchange, hashing and encryption in IPsec.

The world without VPNs: in the 1960s and 70s, when the use of computers was still a
novelty to most people, a network meant little more than a connection between two
routers over a telephone line, operated from the command line.

Figure 2.1: Network with two routers

As time and technology advanced, networks of several computers (called terminals or
workstations), servers and other resources (printers, scanners, etc.) were formed in
organizations. This kind of network (called a LAN nowadays) is set up to share data
and resources among the computers within the network (Figure 2.1). At that time most
networks were physically separated from each other and no equipment was set up to
connect to external networks, as shown in Figure 2.2.

Figure 2.2: Early LAN with 4 workstations and a hub

In the late 1980s, when the term "internet" was becoming popular with computer users
and organizations, routers were installed in LANs to connect the internal network with
the Internet. Figure 2.3 shows a simple network with a router, a web server and a mail
server connected to the LAN and to the Internet through the router.

Figure 2.3: Typical LAN with router for Internet access

During the 1990s the Internet became so popular that everyone, and every business, was
talking about advertising on it. But the concern about Internet security also became
acute. Firewalls were therefore installed in many networks to provide some degree of
security.

Figure 2.4: LAN with router and firewall to control external access

Every computer in the LAN can access resources in the network freely, while computers
outside the LAN have only limited access, through gateways, to LAN resources such as
the mail service and the HTTP service. This poses no problem while the organization is
small and the demand for external access is low (Figure 2.4) [1].

2.2 Advantage of VPN

The main advantage of a VPN is the cost saving on leased lines for remote users, who
use the public network instead. This is especially important when many members of an
organization need to connect from outside: a VPN lets remote users connect securely at
high speed over a public network. Nowadays VPNs are used widely in different fields
around the world. Some of these areas include banking (especially e-banking services),
some public services of the government, commerce (e-commerce, e-shopping, etc.) and
education. There is also no workload for monitoring the direct-access data links of
remote users.

IP security fundamentals are covered in this section, since security is tightly
coupled with the tunneling technologies used in VPN provisioning; in fact one of the
IP Security (IPsec) options, IPsec tunnel mode, is a tunneling mechanism frequently
used in IP VPN service provisioning. This leads to the following section, which helps
in understanding the importance of authentication, authorization and accounting (AAA)
for implementing access control, a fundamental prerequisite for the ability to meet
service levels and to charge for services, as described below [2].

2.3 Tunneling and Labeling Technologies

Mobile VPNs require technologies that leverage the publicly available infrastructure
operated by service providers to provide virtually private connectivity between
customer network sites and the mobile stations logically belonging to them, known as
mobile VPN members or subscribers. Such technologies are based on the encapsulation of
the customer network's data packets into other packets delivered using the networking
technology of the shared network. This allows the use of the addressing scheme and
technology of the shared network while delivering customer data belonging to networks
that may use different addressing schemes and different network or link layer
protocols.

This encapsulation (tunneling, as it is more often called in the data networking
world) not only provides the ability to deliver data to and from mobile stations but
sometimes also adds integrity and confidentiality protection. Also, when the operator
wants to support QoS, these technologies facilitate the delivery of predictable network
transit, for instance via traffic-engineered paths identified by a sequence of labels
as in Multi-Protocol Label Switching (MPLS). MPLS also provides the means to maintain
the connectivity among multiple sites of a customer network in a fairly automatic way.
Sometimes the service offered by a carrier may simply be the forwarding of data from a
wireless access gateway to the customer network site via a tunnel or a fixed access
line. Other times the service may extend to a managed multi-site VPN service in which
the wireless access gateway becomes simply one of the customer network sites. Tunnels
are also used to support mobility by keeping one endpoint fixed and having the other
"follow" the mobile data node at its point of attachment to the network (where
normally the link layer of the access network is terminated). Mobile IP and the GPRS
Tunneling Protocol (GTP), covered in this chapter, are good examples of the latter.

The data may be transferred at the network layer or at the link layer using a protocol
such as the Point-to-Point Protocol (PPP). In the latter case the wireless network
simply terminates the wireless access protocols and relays the PPP or other link layer
protocol to a network access server in the customer network. This is almost always the
case with circuit-switched data-based MVPNs, but it is also frequently encountered in
packet-based wireless data services, where it might be favored because of the wide use
of PPP-based remote access by enterprises on wireline access media. The approach
involving PPP is normally based on a tunneling protocol called L2TP [3].

2.4 Layer Two Tunneling Protocol

The Layer Two Tunneling Protocol (L2TP) is an IETF protocol that provides a standard
approach to tunneling PPP frames over IP. Cisco and Microsoft had originally developed
proprietary ways to accomplish this (Layer Two Forwarding, or L2F, and the
Point-to-Point Tunneling Protocol, or PPTP, respectively), but the industry recognized
the need for a standards-based approach. As a result the IETF PPP Extensions (PPPEXT)
Working Group was chartered with the task of defining such a standard. The outcome was
a tunneling protocol that could potentially be transported on any cell, frame or
packet-based transport network. In particular, the widely used UDP/IP transport was
chosen as the preferred protocol (UDP stands for User Datagram Protocol).

L2TP defines two network entities with distinct roles as the peers of this protocol.
The L2TP Access Concentrator (LAC) is located at the point of termination of the
access network protocol and can establish tunnels toward the appropriate L2TP Network
Server (LNS) (Figure 2.5). The LNS terminates tunnels from LACs and also offers
network access services such as user authentication and address assignment.

Figure 2.5: L2TP tunnel

A LAC client running on a laptop or any other suitable computing device can also be
used to initiate L2TP tunnels toward an LNS. LAC client-based usage of L2TP
constitutes a technology-independent way to access remote networks. L2TP defines a
reliable control channel, over which a tunnel between the LAC and the LNS is
established. The tunnel establishment phase normally includes authentication via the
L2TP exchange of a secret shared between the LAC and LNS (the L2TP tunnel password).
Authenticating the party attempting to set up a tunnel is important, since it is not
desirable for an LNS to accept L2TP commands coming from an unknown LAC that is not
authorized to send them. However, since L2TP itself provides neither data origin
authentication nor confidentiality, L2TP cannot be considered a secure protocol: it is
still possible for an attacker to send packets to an LNS or a LAC and impersonate the
node's peer. Securing L2TP requires another IETF protocol suite, defined for the
support of IP security: IPsec. IPsec and its modes are described later in this
chapter, with more information on how to secure L2TP tunnels.

Figure 2.6: The L2TP message header

Once a tunnel is established between the LAC and LNS, it is possible to set up and
tear down PPP sessions and to forward the associated frames between the two nodes
using the L2TP encapsulation format over the L2TP data channel. The L2TP header
(Figure 2.6) includes the Tunnel ID and Session ID fields to enable two levels of
multiplexing. The Tunnel ID identifies a tunnel between two peers and therefore
implicitly identifies the peer node at the receiving end. The Session ID identifies a
particular PPP session within the tunnel. Because the Session ID can be exchanged only
after the tunnel between the LAC and LNS is in place, PPP call setup latency can be
reduced if the L2TP tunnel is already set up when a PPP session needs to be handled;
carrier-class deployments often establish L2TP tunnels up front. User authentication
within PPP sessions normally takes place transparently to the LAC: the LAC merely
decides to which LNS the L2TP session has to be set up and then forwards the incoming
PPP frames to it. The selection of the LNS can be based on information such as the
destination number called or, when used in a GPRS network, on the identifier of the
network the PPP user is requesting access to. Forwarding PPP frames to the correct LNS
lets the PPP authentication phase occur between the LNS and the PPP client on the
remote device. The LAC can also perform proxy authentication by collecting
authentication data from the incoming call and relaying it to the LNS using L2TP
signaling; this requires mutual trust relationships between the LAC and LNS operators.
The LNS, after receiving the proxy authentication data from the LAC, may optionally
authenticate the user again at the PPP level by initiating a new PPP authentication
phase before moving to the configuration of the network layer.
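The two-level multiplexing described above, as an added example that is not part of the original thesis: a Python parser for the L2TPv2 header (RFC 2661 layout) and a demultiplexer that uses the Tunnel ID and Session ID to pick the PPP session a data message belongs to. The session table, the PPP bytes and the malformed control message are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Flag bits of the first 16-bit word of the L2TPv2 header (RFC 2661 layout).
T_BIT = 0x8000   # 1 = control message, 0 = data message (carries a PPP frame)
L_BIT = 0x4000   # Length field present
S_BIT = 0x0800   # Ns/Nr sequence fields present
O_BIT = 0x0200   # Offset Size field present
VER_MASK = 0x000F

@dataclass
class L2TPHeader:
    is_control: bool
    length: Optional[int]
    tunnel_id: int
    session_id: int
    ns: Optional[int]
    nr: Optional[int]
    payload: bytes

def parse_l2tp(datagram: bytes) -> L2TPHeader:
    """Decode the L2TP header carried in one UDP payload."""
    if len(datagram) < 2:
        raise ValueError("truncated L2TP header")
    flags = struct.unpack("!H", datagram[:2])[0]
    if flags & VER_MASK != 2:
        raise ValueError("unsupported L2TP version %d" % (flags & VER_MASK))
    is_control = bool(flags & T_BIT)
    has_len, has_seq, has_off = bool(flags & L_BIT), bool(flags & S_BIT), bool(flags & O_BIT)
    # Control messages must carry Length and Ns/Nr and must not carry an Offset.
    if is_control and (not has_len or not has_seq or has_off):
        raise ValueError("malformed control message flags")
    need = 6 + (2 if has_len else 0) + (4 if has_seq else 0) + (2 if has_off else 0)
    if len(datagram) < need:
        raise ValueError("truncated L2TP header")
    pos, length = 2, None
    if has_len:
        length = struct.unpack("!H", datagram[pos:pos + 2])[0]
        pos += 2
        if length > len(datagram):
            raise ValueError("Length field exceeds datagram size")
    tunnel_id, session_id = struct.unpack("!HH", datagram[pos:pos + 4])
    pos += 4
    ns = nr = None
    if has_seq:
        ns, nr = struct.unpack("!HH", datagram[pos:pos + 4])
        pos += 4
    if has_off:
        pos += 2 + struct.unpack("!H", datagram[pos:pos + 2])[0]  # skip field and padding
    end = length if length is not None else len(datagram)
    if pos > end:
        raise ValueError("header overruns datagram")
    return L2TPHeader(is_control, length, tunnel_id, session_id, ns, nr, datagram[pos:end])

def build_l2tp(tunnel_id: int, session_id: int, payload: bytes, control: bool = False,
               ns: Optional[int] = None, nr: Optional[int] = None) -> bytes:
    """Encode an L2TPv2 datagram; control messages always get Length and Ns/Nr."""
    flags = 2  # version
    has_seq = control or ns is not None
    if control:
        flags |= T_BIT | L_BIT
    if has_seq:
        flags |= S_BIT
    tail = struct.pack("!HH", tunnel_id, session_id)
    if has_seq:
        tail += struct.pack("!HH", ns or 0, nr or 0)
    tail += payload
    if control:
        return struct.pack("!HH", flags, 4 + len(tail)) + tail  # 2 flag + 2 length bytes
    return struct.pack("!H", flags) + tail

def demux(datagram: bytes, sessions: Dict[Tuple[int, int], str]) -> str:
    """Route one datagram: control channel, a known PPP session, or drop."""
    try:
        h = parse_l2tp(datagram)
    except ValueError:
        return "drop:malformed"
    if h.is_control:
        # Tunnel ID 0 is only legal while a tunnel is being established (e.g. SCCRQ);
        # afterwards control messages carry the assigned Tunnel ID and Session ID 0.
        return "control:new-tunnel" if h.tunnel_id == 0 else "control:tunnel-%d" % h.tunnel_id
    owner = sessions.get((h.tunnel_id, h.session_id))
    return "ppp:%s" % owner if owner else "drop:unknown-session"

# Constructed session table (Tunnel ID, Session ID) -> subscriber, a constructed PPP
# frame start (HDLC address/control 0xff03, LCP 0xc021) and a constructed bad header.
SESSIONS = {(7, 3): "jdoe@corpnet", (7, 9): "asmith@corpnet"}
PPP_LCP = bytes.fromhex("ff03c02101010004")
BAD_CONTROL = bytes.fromhex("800200000000")  # T bit set but no Length/Ns/Nr

def example() -> Tuple[str, str, str, str]:
    data = build_l2tp(7, 3, PPP_LCP)                         # data message for session 3
    sccrq = build_l2tp(0, 0, b"", control=True, ns=0, nr=0)  # tunnel setup control message
    unknown = build_l2tp(7, 42, PPP_LCP)                     # session never negotiated
    return (demux(data, SESSIONS), demux(sccrq, SESSIONS),
            demux(unknown, SESSIONS), demux(BAD_CONTROL, SESSIONS))
```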

The LAC may determine the LNS IP address dynamically based on the received username
and password, which may contain the Network Access Identifier (NAI). In this case the
LAC can conduct a first pass of user authentication with the AAA infrastructure, which
determines the user's home AAA server from the domain component of the NAI. When the
user is granted access, the AAA infrastructure can return L2TP tunnel information such
as the LNS IP address and the L2TP password. In fact, the LAC may decide whether the
user requires an L2TP tunnel to an LNS or simply access to a directly attached network
based on the domain component of the username (formatted as domain\user); in this
respect it works like a regular network access server (NAS). For instance, user JDoe
may want to access the Internet using the username access\JDoe, and the corporate
network via L2TP using the username Corpnet-access\JDoe. L2TP can handle both calls
coming from the access network to the LAC, called "incoming calls", and requests from
the LNS to call a specific terminal on the access network, called "outgoing calls" [5].

Given its flexibility and rich set of options, L2TP has become widely used to "divorce"
the location of access termination from the location of PPP termination, with large
deployments in global remote access facilities for large corporations. It became a de
facto standard for services such as remote access outsourcing, where an enterprise
relies on a service provider to handle its remote workers' PPP sessions at the
provider's facilities (POPs equipped with remote access servers) and then relay them to
the corporate data center for authentication and IP address assignment. Given the
current popularity of L2TP with corporations, it is not surprising that both the
GPRS/UMTS and CDMA2000 standards allow its use as a way to support compulsory access
to corporate networks, thus providing an easy way to integrate wireless and wireline
access methods. Further information on L2TP can be obtained from [4].

2.5 IP in IP Tunneling

IP in IP, also referred to as IPIP, is the most basic tunneling service: it
encapsulates an IP packet in another IP packet. This encapsulation method is specified
in a separate RFC that was developed as a companion document. In IPIP the outer IP
header identifies the addresses of the tunnel endpoints: the source address is the
address of the encapsulator and the destination address is the address of the
decapsulator.

Figure 2.7: The minimal encapsulation for IP

In recognition of the fact that encapsulating an IP packet in another IP packet may
sometimes lead to excessive overhead, especially when small IP packets are tunneled,
it was necessary to define a way to compress the information associated with the inner
IP packet header (Figure 2.7). The minimal IP in IP encapsulation defines an
encapsulation header inserted between the outer IP header and the inner packet
payload, from which the decapsulator can reconstruct the inner IP packet header. This
can save 8 to 12 bytes per packet [5].

2.6 GRE Protocol

Generic Routing Encapsulation (GRE) is an IETF standard defining a multi-protocol
encapsulation format suitable for tunneling any network layer protocol over any
network layer protocol. The concept was originally specified in an informational RFC.
When the original protocol was moved to the standards track, the decision was made to
replace it with two separate documents: one describing the basic GRE header and a
second defining an extension of it. The extension was found necessary because the
basic header does not lend itself to the encapsulation of PPP frames, since it has no
sequence number in the GRE encapsulation format. This limitation was removed by adding
a sequence number extension to the basic GRE header. The basic header also does not
allow tunneled packets belonging to different administrative entities, possibly using
overlapping private address spaces, to be multiplexed onto the same GRE tunnel (a very
useful feature for the provision of Virtual Private Networks). This limitation was
also removed by adding a Key field, a numeric value used to uniquely identify a
logically correlated flow of packets within the GRE tunnel, as an extension of the
basic GRE header. These extensions to basic GRE were especially useful in wireless
data communications; for example, they allowed in-sequence delivery of PPP frames over
the R-P interface in CDMA2000 and the provisioning of compulsory MVPN services.

GRE, as defined by these documents, is normally used in two classes of applications:
the transport of different protocols between IP networks, and the provision of VPN
services for networks configured with potentially overlapping private address spaces.
The GRE header Key field can be used to discriminate the identity of the customer
network where the encapsulated packets originate. In this way it provides a means to
offer many virtual interfaces to customer networks on a single GRE tunnel endpoint.
This feature allows for policy-based routing (that is, routing decisions based not only
on the destination IP address but on the combination of a virtual interface identifier
and the destination IP address) and relatively easy per-user network accounting. The
GRE header also identifies the type of protocol being carried over the GRE tunnel,
allowing IP networks to serve as a bearer service onto which a virtual multi-protocol
network can be defined and implemented [6].
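Key-based demultiplexing of overlapping customer address spaces on one GRE tunnel endpoint, as an added Python example that is not taken from the thesis: a parser for the GRE header with the Key and Sequence Number extensions (RFC 2784/2890 layout), and a per-key routing table that implements the policy-based routing described above (virtual interface identifier plus destination address) and discards out-of-order sequence numbers. The customer tables, virtual interface names and packets are constructed.

```python
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

# GRE header flag bits: base header (RFC 2784) plus Key/Sequence extensions (RFC 2890).
C_BIT = 0x8000       # Checksum present
K_BIT = 0x2000       # Key present
S_BIT = 0x1000       # Sequence Number present
ETHERTYPE_IPV4 = 0x0800

def parse_gre(pkt: bytes) -> Tuple[int, Optional[int], Optional[int], bytes]:
    """Return (protocol type, key, sequence number, payload) from a GRE packet."""
    if len(pkt) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", pkt[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    need = 4 + (4 if flags & C_BIT else 0) + (4 if flags & K_BIT else 0) + (4 if flags & S_BIT else 0)
    if len(pkt) < need:
        raise ValueError("truncated GRE header")
    pos = 4
    if flags & C_BIT:
        pos += 4  # Checksum + Reserved1 (checksum is not verified in this example)
    key = seq = None
    if flags & K_BIT:
        key = struct.unpack("!I", pkt[pos:pos + 4])[0]
        pos += 4
    if flags & S_BIT:
        seq = struct.unpack("!I", pkt[pos:pos + 4])[0]
        pos += 4
    return proto, key, seq, pkt[pos:]

def build_gre(proto: int, payload: bytes, key: Optional[int] = None, seq: Optional[int] = None) -> bytes:
    """Encode a GRE packet with optional Key and Sequence Number extensions."""
    flags, ext = 0, b""
    if key is not None:
        flags |= K_BIT
        ext += struct.pack("!I", key)
    if seq is not None:
        flags |= S_BIT
        ext += struct.pack("!I", seq)
    return struct.pack("!HH", flags, proto) + ext + payload

def build_ipv4(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed minimal IPv4 header (UDP, TTL 64; checksum left zero, not validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload

def inner_dst(ip_pkt: bytes) -> ipaddress.IPv4Address:
    if len(ip_pkt) < 20 or ip_pkt[0] >> 4 != 4:
        raise ValueError("tunneled payload is not IPv4")
    return ipaddress.IPv4Address(ip_pkt[16:20])

class GreDemux:
    """One GRE tunnel endpoint offering a virtual interface per customer Key."""

    def __init__(self, tables: Dict[int, List[Tuple[str, str]]]):
        # Key -> [(prefix, virtual interface)]; prefixes may overlap between keys.
        self.tables = {k: [(ipaddress.ip_network(p), vif) for p, vif in t] for k, t in tables.items()}
        self.last_seq: Dict[int, int] = {}

    def deliver(self, pkt: bytes) -> str:
        proto, key, seq, inner = parse_gre(pkt)
        if proto != ETHERTYPE_IPV4:
            return "drop:protocol-%#06x" % proto
        if key is None or key not in self.tables:
            return "drop:unknown-key"  # no customer context: never route on the inner address alone
        if seq is not None:
            # RFC 2890 lets the receiver discard packets whose Sequence Number is not newer.
            if key in self.last_seq and seq <= self.last_seq[key]:
                return "drop:out-of-order"
            self.last_seq[key] = seq
        dst = inner_dst(inner)
        # Policy-based routing: longest prefix match inside the table chosen by the Key.
        best = None
        for net, vif in self.tables[key]:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, vif)
        return "forward:%s" % best[1] if best else "drop:no-route"

# Constructed customer tables: both banks use 10.0.0.0/8 internally, told apart only by Key.
CUSTOMERS = {
    100: [("10.0.0.0/8", "vif-bankA"), ("10.1.0.0/16", "vif-bankA-branch")],
    200: [("10.0.0.0/8", "vif-bankB")],
}

def example() -> Tuple[str, str, str, str]:
    endpoint = GreDemux(CUSTOMERS)
    inner = build_ipv4("10.9.9.9", "10.1.2.3", b"\x00")  # same inner packet for both customers
    return (endpoint.deliver(build_gre(ETHERTYPE_IPV4, inner, key=100, seq=1)),
            endpoint.deliver(build_gre(ETHERTYPE_IPV4, inner, key=200, seq=1)),
            endpoint.deliver(build_gre(ETHERTYPE_IPV4, inner, key=100, seq=1)),  # replayed seq
            endpoint.deliver(build_gre(ETHERTYPE_IPV4, inner, key=300)))          # no such customer
```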

2.7 IPsec

The IPsec architecture defines the components necessary to provide secure
communication between IP protocol peer entities, along with the related terminology.
IPsec extends the IP protocol with two extension headers: the Encapsulating Security
Payload (ESP) header and the Authentication Header (AH). ESP is used to provide data
confidentiality, payload integrity and authentication, whereas AH offers payload data
integrity and also guarantees the integrity of the non-mutable fields of the IP
header. Both headers can be used either to encapsulate an IP packet in another IP
packet (IPsec tunnel mode) or to encapsulate only the payload of an IP packet (IPsec
transport mode) (Figure 2.8). AH is typically used in IPsec transport mode and ESP in
IPsec tunnel mode, but a combination of AH and ESP is also possible according to the
standards.

Figure 2.8: IPsec tunnel mode and transport mode with ESP and AH

Although interoperable implementations of AH exist in the VPN industry, the ESP tunnel
and transport modes are the most commonly used approaches. This is because AH provides
only a subset of the ESP capabilities, and because the data origin authentication
provided by AH, which includes all the non-mutable IP header fields in the
authentication algorithm, can also be obtained by using IPsec tunnel mode with ESP:
with the encryption service offered by ESP tunnel mode, the inner IP packet, IP header
and payload are implicitly protected from alteration along the route from the tunnel
ingress point to the tunnel egress point. AH is nevertheless used by some protocols,
such as Mobile IP, which requires control messages to be protected via AH transport
mode (their encryption is optional). These security mechanisms, however, are general
and do not force the use of a predefined encryption or authentication algorithm, so
implementations can add encryption algorithms as they become available without
changing the architectural model. The most commonly used encryption protocol is the
Triple Data Encryption Standard (3DES), and the most commonly used authentication
protocols are based on hash functions such as SHA-1 and MD5 (SHA stands for Secure
Hash Algorithm, MD for Message Digest).

Fundamental components in the IPsec architecture are the Security Policy Database
(SPD) and the Security Association Database (SAD). Every IP interface on which IPsec
is enabled must be equipped with a database of security classification rules and
security actions; each individual rule and action pair is known as a security policy.
A security association (SA) defines a unidirectional packet treatment in terms of
security policy enforcement actions: which IPsec headers are applied, which encryption
or authentication algorithms are used, and which keys are used to execute these
algorithms. For each IP interface there is a pair of such databases, one for inbound
traffic and one for outbound traffic. If a packet does not match any rule, the
interface may be configured to discard it.

To better understand these concepts, here is an example of an entry in an outbound
IPsec SPD and SAD. A possible security policy can be defined by the following entry in
the SPD of an IP interface: for all packets bound for destination IP address
192.43.56.82 and port number 8080, apply security association ALFA.

Security association ALFA is an entry in the SAD of the same IP interface, defined as
based on IPsec tunnel mode with ESP, the 3DES encryption algorithm and an encryption
key manually exchanged and provisioned at the endpoints. In the literature this SA is
known as a symmetric-key-based SA. Security keys can be symmetric or asymmetric.
Symmetric (secret) keys are distributed to both parties involved in a secure
communication. Asymmetric keys are based on the public key cryptography paradigm
patented by RSA Data Security Inc. and widely used in the industry to perform both
encryption and authentication. In this setup, a party that wishes to engage in secure
communications with others makes a public key available for retrieval at a well-known
public key repository. The approach is known as asymmetric-key-based because it uses a
pair of keys: one that is public and widely distributed and another that is kept
secret and never disclosed. Material encrypted using a public key can be decrypted
only with the associated private key; conversely, only the public key can be used to
decrypt material encrypted with the private key. An asymmetric key system can be used
to exchange the secret key needed to run a symmetric-key-based encryption algorithm:
if a party knows the public key of an entity, it can send it a secret key encrypted
with that public key, and the entity can decrypt it with its private key and then use
it for symmetric-key-based encrypted communication. To communicate with a peer using a
public key it is necessary to trust the source of that key. It is therefore necessary
that the repositories of such information can be trusted (for instance, their public
key is known and they digitally sign the public keys they hand out using their private
key). These repositories are known as certificate authorities (CAs), and they form the
base of the PKI. CAs and the PKI are discussed in greater detail in the next section.
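A model of the SPD/SAD lookup and of the resulting header stack for tunnel versus transport mode, as an added Python example that is not part of the thesis: it encodes the SPD entry above (destination 192.43.56.82, port 8080, apply SA ALFA) and an outbound SA ALFA using ESP tunnel mode with 3DES and manual keying. The gateway addresses, SPI values, inbound SA and the extra BYPASS rule are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", ...
    dport: Optional[int]

@dataclass(frozen=True)
class SecurityAssociation:
    """One SAD entry. An SA is unidirectional: direction is 'out' or 'in'."""
    name: str
    direction: str
    protocol: str          # "ESP" or "AH"
    mode: str              # "tunnel" or "transport"
    cipher: Optional[str]  # e.g. "3DES"; None for AH, which does not encrypt
    auth: str              # e.g. "HMAC-SHA-1"
    spi: int
    local: str             # tunnel endpoints, used for the outer IP header in tunnel mode
    remote: str
    key_source: str        # "manual" or "IKE"

@dataclass(frozen=True)
class Policy:
    """One SPD entry: selectors plus an action. The SPD is ordered; first match wins."""
    dst_net: str
    dport: Optional[int]   # None = any port
    action: str            # "PROTECT", "BYPASS" or "DISCARD"
    sa_name: Optional[str] = None

def matches(rule: Policy, pkt: Packet) -> bool:
    in_net = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst_net)
    return in_net and (rule.dport is None or rule.dport == pkt.dport)

def header_stack(sa: SecurityAssociation, pkt: Packet) -> List[str]:
    """Header order on the wire for tunnel vs transport mode (ESP trailer omitted)."""
    inner = ["IP(%s->%s)" % (pkt.src, pkt.dst), pkt.proto.upper()]
    sec = "%s(spi=%#x,%s %s)" % (sa.protocol, sa.spi, " %s," % sa.cipher if sa.cipher else "", sa.auth)
    if sa.mode == "tunnel":
        # New outer IP header between the gateways; the whole original packet sits inside.
        return ["IP(%s->%s)" % (sa.local, sa.remote), sec] + inner
    # Transport mode keeps the original IP header and protects only the payload.
    return [inner[0], sec, inner[1]]

def outbound_decision(spd: List[Policy], sad: List[SecurityAssociation],
                      pkt: Packet) -> Tuple[str, List[str]]:
    """Classify an outbound packet against the SPD and resolve its SA in the SAD.
    A packet matching no rule is discarded, as the interface may be configured to do."""
    for rule in spd:
        if not matches(rule, pkt):
            continue
        if rule.action != "PROTECT":
            return rule.action, ["IP(%s->%s)" % (pkt.src, pkt.dst), pkt.proto.upper()]
        sa = next((s for s in sad if s.name == rule.sa_name and s.direction == "out"), None)
        if sa is None:
            # Policy demands protection but no outbound SA exists: with manual keying this
            # is a configuration error; with IKE it would trigger an SA negotiation.
            return "DISCARD(no SA)", []
        return "PROTECT", header_stack(sa, pkt)
    return "DISCARD(no match)", []

# Constructed tables reproducing the text's example: traffic to 192.43.56.82:8080 -> SA ALFA.
# Gateway addresses, SPIs, the inbound SA and the BYPASS rule are assumptions for the example.
SPD = [
    Policy("192.43.56.82/32", 8080, "PROTECT", "ALFA"),
    Policy("192.43.56.0/24", None, "BYPASS"),
]
SAD = [
    SecurityAssociation("ALFA", "out", "ESP", "tunnel", "3DES", "HMAC-SHA-1", 0x1001,
                        "203.0.113.10", "198.51.100.20", "manual"),
    # Return traffic needs its own SA; this inbound one is never selected for outbound packets.
    SecurityAssociation("ALFA-in", "in", "ESP", "tunnel", "3DES", "HMAC-SHA-1", 0x2001,
                        "203.0.113.10", "198.51.100.20", "manual"),
]

def example() -> List[Tuple[str, List[str]]]:
    web = Packet("10.0.0.5", "192.43.56.82", "tcp", 8080)       # hits the ALFA policy
    other = Packet("10.0.0.5", "192.43.56.82", "tcp", 443)      # wrong port: falls to BYPASS
    elsewhere = Packet("10.0.0.5", "198.51.100.7", "udp", 53)   # no rule: discarded
    return [outbound_decision(SPD, SAD, p) for p in (web, other, elsewhere)]
```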

An SA can be manually provisioned or dynamically managed, together with the security
keys necessary to run the encryption or authentication protocols. The protocol for
doing this is known as the SA and Key Management Protocol, and the current IETF
standard for it is the Internet Key Exchange (IKE). Over time, IKE has drawn
criticism of some of the engineering choices in its design. The IPsec Working Group in
the IETF is currently mulling its evolution and expects, with some likelihood, an
IKEv2 at some time to come.

The IPsec protocol can be deployed in host-to-host, host-to-router or router-to-router
form. A router implementing IPsec and applying security policies to IP traffic is
often referred to as an IPsec gateway.

The following figure (Figure2.9) describes the host-to-router and router-to-router
cases, which are of special interest for VPN service provisioning [7].

Figure 2.9: IPsec deployment models illustrated with a network

Chapter-03
Proposed Model

3.1 Topology
First of all, in order to understand the proposed topology, some assumptions were made
about the establishment of a VPN, both for site-to-site and remote access VPNs. The
supported technology is IPsec, securing the communications over the insecure public
network (e.g. the Internet). Further, the authentication methods and the type of
digital certificates (if required) to be used are agreed upon by each remote private
network. Also, the encryption algorithms in the IPsec architecture are predefined in
the IPsec policy, and the cryptographic keys are exchanged in a secure manner on every
VPN gateway. Under these assumptions there are no conflicting rules or misconceptions
in the IPsec policies of the VPN gateways; each VPN gateway is thereby assumed to be
properly configured.

In the proposed VPN topology the VPN tunnels extend from the local VPN appliance to
each remote VPN appliance and no further. At the tunnel endpoints all the traffic is
encrypted and decrypted by the devices that implement IPsec; IPsec is implemented in
the VPN appliance on each corporate network. That is, the appliances in the figure are
the VPN gateways that conform to the assumptions stated above.

Performance is not the only advantage of this topology; security is also increased, since the topology offers multilayered security, where different appliances provide different security mechanisms. Although there is still a single point of failure at the edge router, the remaining services can still be provided as long as the edge router is up and running. For example, if the VPN appliance has crashed, non-VPN traffic can still flow into the network through the firewall and non-VPN services can still be accessed. The same applies to the firewall: assuming it is down, VPN traffic can still enter the corporate network, but only if the traffic comes from another corporate network; consequently the remote users will not be able to access the corporate network [8].

3.2 Proposed VPN Design

In the current business environment organizations are under pressure to reduce costs, increase efficiency and maximize the performance of their existing infrastructure. The growth of the Internet, together with new global business opportunities, makes it imperative that organizations provide secure 24x7 network access to employees and locations around the world. Two scenarios in which remote access is typically used are:

Remote client access. Remote clients are usually single computers, such as the home computers or laptops of employees who need to access enterprise resources while working at home or travelling.

Site-to-site access. Site-to-site access is used between branch offices and the centralized facilities of the organization to reach resources and data at different logical and physical locations.

Both of these key remote access requirements of an enterprise organization can be provided using a VPN. Figure 3.1 shows the topology of the network that was used for analysis.

Figure 3.1: Remote VPN and site-to-site VPN topology. The figure is reproduced here as the address plan it showed:

Branch (BR) router, Cisco 1841: outside interface 192.168.101.11/24 (Internet side); inside interface 192.168.99.41/29
Head-office (HO) core router, Cisco 3845: outside interface 192.168.101.5/24 (Internet side); inside interface 192.168.20.253
HO VPN firewall, Cisco ASA 5505: outside interface 202.84.36.41 (public Internet address); inside interface 192.168.20.10/24; remote clients receive addresses from 10.1.1.0/24 when their tunnels terminate on the ASA
BR firewall, Cisco ASA 5505: outside interface 192.168.99.42/29; inside interface 172.30.8.10/24
HO core switch, with the Partnerauth/DNS/WINS server and the HO printer at 192.168.20.220/24 and 192.168.20.100/24
BR switch, with Branch Client 1 at 172.30.8.11/24 and Branch Client 2 at 172.30.8.12
Remote client, connected over the Internet

3.3 Working Process
The proposed design assumes a tunnel VPN with network security for a multinational company; this section describes how it works and which security mechanisms (authentication and encryption) are used. Two routers are configured with a GRE tunnel protected by IPsec, establishing a site-to-site VPN. The IKE policy specifies 3DES for encryption, MD5 as the hash algorithm and a pre-shared key for authentication, and a Diffie-Hellman group and a lifetime are specified for the IKE policy and the IKE SA. (3DES and MD5 are legacy choices; a current deployment would prefer AES and a SHA-2 hash.) A VPN tunnel is first established between the two routers, HQ and Branch Office, which are a Cisco 3845 and a Cisco 1841 respectively. The outside interface of the HO router is 192.168.101.5/24 and the outside interface of the branch router is 192.168.101.11. Once the tunnel is established, HQ and Branch Office users can communicate with each other whenever required. No ACL is defined for the outside and inside users; instead a default route between the two routers is defined so that either side reaches the other through the tunnel, and any traffic is admitted into the tunnel from outside to inside and from inside to outside.

Outside the local LAN of the head office an ASA firewall is used as the security device for remote users. It is configured for Xauth, IKE Mode Config, authorization with RADIUS and a wildcard pre-shared key. The ASA outside interface carries the public Internet address 202.84.36.41/30, which is the address a remote/Internet user connects to. Remote users who are granted access to the local network receive an address from the IP pool 10.1.1.0/24 defined for them on the ASA. ACLs define which traffic such a remote user may send into the LANs: telnet, FTP and HTTP are allowed into the head-office LAN, and only HTTP is allowed into the branch-office LAN, 172.30.8.0/24. The configuration states these permitted traffic types in detail.

The first part of the configuration work establishes the VPN tunnel between the two routers. Branch-office and head-office users can then connect to each other and use services such as file sharing and printer sharing whenever required, as stated in the configuration. Authentication, encryption and user accessibility are specified there, but no ACL is defined for the outside and inside users of the local LANs, so all traffic between the two sites is allowed and every user on either side can share resources freely.

The second part concerns remote Internet users, who connect to the local LAN with a VPN client to the ASA firewall, whose outside interface is configured with a public IP address for this purpose. A Cisco ASA 5505 firewall is configured to protect this access and to specify which kinds of traffic are allowed into the inside LAN from the outside or Internet. In this topology the ASA inside interface has the address 192.168.20.10/24 on the inside LAN VLAN, and its outside interface carries a public Internet IP. The process followed when a remote user logs on is described below.

1st step: When a remote Internet user tries to connect to the local network for the first time, the VPN client sends the initial IKE packet to the public address of the ASA firewall; both are connected to the Internet. The ASA checks whether the connection is permitted and, if so, runs the IKE exchange with the client. The pre-shared key itself is never sent over the network: both sides prove knowledge of it, and with Xauth the user additionally authenticates (here against RADIUS). When the exchange succeeds a security association is established between the remote client and the ASA, and through IKE Mode Config the firewall assigns the client an address from the 10.1.1.0/24 pool, so that the client appears to the LAN with an address the firewall rules recognise. Thus an authenticated remote client connects to the ASA firewall over the Internet from outside the network and, once permitted by the ASA to enter the head-office LAN, can reach the other LAN devices of the head office that are connected through the core switch.

2nd step: The remote user now has access to the head-office LAN, 192.168.20.0/24. The inside interface of the head-office router is 192.168.20.253 and serves as the LAN gateway, so the remote user reaches the router, and all devices of the head-office LAN connected to the switch are accessible to the remote user to the extent configured in the firewall.

3rd step: The head-office router and the branch-office router are connected over the Internet by the VPN tunnel. A remote user who is permitted to reach the head-office router can therefore also reach the branch router through the tunnel.

4th step: The inside interface of the branch router is 192.168.99.41/29 and is directly connected to the branch ASA firewall, whose outside interface is 192.168.99.42/29. Since the branch router and the branch ASA are directly connected, the remote user reaches the branch firewall.

5th step: The inside interface of the branch ASA firewall is 172.30.8.10/24 on the branch LAN VLAN and serves as the gateway of the branch LAN. The ASA is directly connected to the branch switch, through which the other branch devices are attached, so the remote user can reach any device of the branch LAN that the firewall permits.

After being granted access, a remote user can reach the other devices of the local networks to the extent permitted by the router, the ASA firewalls and the tunnel. In the branch-office LAN all traffic from remote outside users is denied except HTTP, so a remote user with a VPN client can access the 172.30.8.0/24 network only over HTTP, subject to the permissions granted by the network devices [9][23].
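The access policy described above can be sanity-checked before it is pushed to the devices. The following Python is an added example, not the report's configuration and not Cisco code: it parses IOS-style extended ACL entries (wildcard masks, host, any, eq port) and evaluates flows the way IOS does, first match wins with an implicit deny at the end. The ACL text is constructed to express the policy stated in this section; the ACL number, the extra printer entry and the addresses used in the checks are assumptions.

```python
"""IOS-style extended ACL evaluator for the remote-access policy of section 3.3 (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample ACL (not the report's configuration). It encodes the stated policy:
# remote clients in 10.1.1.0/24 may use telnet, FTP and HTTP into the head-office LAN and
# HTTP only into the branch LAN; everything else is denied. The ACL number is arbitrary and
# the host-to-printer entry is an extra, assumed line that exercises the single-host forms.
SAMPLE_ACL = """
access-list 110 permit tcp 10.1.1.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 23
access-list 110 permit tcp 10.1.1.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 21
access-list 110 permit tcp 10.1.1.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 80
access-list 110 permit tcp 10.1.1.0 0.0.0.255 172.30.8.0 0.0.0.255 eq 80
access-list 110 permit tcp host 10.1.1.7 192.168.20.100 0.0.0.0 eq 9100
access-list 110 deny ip any any log
"""


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' (IOS wildcard mask) at tokens[i];
    returns the network and the index of the next unread token."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    if wildcard == "0.0.0.0":
        # ipaddress reads an all-zero mask as /0, but in IOS a 0.0.0.0 wildcard means one host.
        return ipaddress.IPv4Network(addr + "/32"), i + 2
    # ipaddress accepts a hostmask (inverse netmask) after the slash, which is exactly what an
    # IOS wildcard is. Non-contiguous wildcards such as 0.0.255.0 raise and are not supported.
    return ipaddress.IPv4Network(f"{addr}/{wildcard}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    aces: List[Ace] = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """Return 'permit' or 'deny' for one flow: the first matching entry wins, and IOS ends
    every access list with an implicit 'deny ip any any'."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def check_policy() -> Dict[str, str]:
    """Flows a practitioner would test before deploying the section 3.3 policy."""
    aces = parse_acl(SAMPLE_ACL)
    return {
        "remote telnet to HO host": evaluate(aces, "tcp", "10.1.1.7", "192.168.20.220", 23),
        "remote http to branch client": evaluate(aces, "tcp", "10.1.1.7", "172.30.8.11", 80),
        "remote telnet to branch client": evaluate(aces, "tcp", "10.1.1.7", "172.30.8.11", 23),
        "remote dns to HO server": evaluate(aces, "udp", "10.1.1.7", "192.168.20.220", 53),
        "non-pool source to HO": evaluate(aces, "tcp", "192.168.101.11", "192.168.20.220", 80),
        "single host to printer": evaluate(aces, "tcp", "10.1.1.7", "192.168.20.100", 9100),
        "other host to printer": evaluate(aces, "tcp", "10.1.1.8", "192.168.20.100", 9100),
    }


if __name__ == "__main__":
    for flow, verdict in check_policy().items():
        print(f"{verdict:6s} {flow}")
```

Two things this surfaces that the prose does not: the stated policy permits no UDP, so a remote client cannot query the head-office DNS/WINS server across the tunnel unless a further entry is added, and a 0.0.0.0 wildcard has to be special-cased because ipaddress would otherwise read it as /0 rather than as the single host IOS means.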

Chapter-04

Security

4.1 Encryption

In the field of networking, network security consists of the provisions and policies adopted by the network administrator to prevent and monitor unauthorized access, misuse, modification or denial of the computer network and network-accessible resources. Network security is the authorization of access to data in a network, controlled by the network administrator. Users are assigned an ID and password that allows them access to information and programs within their authority. Network security covers a variety of computer networks, both public and private, that are used in everyday jobs for conducting transactions and communications among businesses, government agencies and individuals. Once a user is authenticated, a firewall enforces access policies such as which services the network users are allowed to access. Communication between two hosts over a network can be encrypted to maintain privacy. Security management differs between situations: a home or small office requires only basic security, while large businesses require high maintenance and advanced software and hardware to prevent malicious attacks such as hacking and spamming. Encryption is the conversion of data into a form, called ciphertext, that cannot be easily understood by unauthorized people. Decryption is the process of converting encrypted data back into its original form so that it can be understood.

The use of encryption and decryption is as old as the art of communication. In wartime a cipher, often incorrectly called a code, can be employed to keep the enemy from obtaining the contents of transmissions. (Technically, a code is a means of representing a signal without the intent of keeping it secret; examples are Morse code and ASCII.) Simple ciphers include the substitution of letters for numbers, the rotation of letters in the alphabet and the "scrambling" of voice signals by inverting the sideband frequencies. More complex ciphers work according to sophisticated computer algorithms that rearrange the data bits in digital signals.

To recover the contents of an encrypted signal the correct decryption key is required. The key is the secret parameter that, together with the decryption algorithm, undoes the work of the encryption algorithm. Alternatively a computer can be used in an attempt to break the cipher; the stronger the encryption algorithm, the more difficult it becomes to eavesdrop on the communications without access to the key.

Encryption and decryption are especially important in wireless communications, because wireless circuits are easier to tap than their hard-wired counterparts. Nevertheless, encryption is a good idea when carrying out any kind of sensitive transaction, such as a credit-card purchase online or the discussion of a company secret between different departments of an organization. The stronger the cipher, that is, the harder it is for unauthorized people to break it, the better in general; however, as the strength of encryption increases, so does its cost.

In recent years a controversy has arisen over strong encryption, meaning ciphers that are essentially unbreakable without the decryption keys. While most companies and their customers view it as a means of keeping secrets and minimizing fraud, some governments view strong encryption as a potential vehicle by which terrorists might evade the authorities. These governments, including that of the United States, have wanted to set up a key-escrow arrangement, under which everyone who uses a cipher would be required to provide the government with a copy of the key. Decryption keys would be stored in a supposedly secure place, used only by the authorities and only if backed by a court order. Opponents of this scheme argue that criminals could break into the key-escrow database and obtain, steal or alter the keys. Supporters claim that, while this is a possibility, implementing key escrow would be better than doing nothing to prevent criminals from freely using encryption [10].

4.2 Cisco's Implementation of Network Data Encryption with Router Authentication

To safeguard network data, Cisco provides network data encryption and router authentication services. Network data encryption is provided at the IP packet level. IP packet encryption prevents eavesdroppers from reading the data being transmitted: the IP packets can be seen during transmission, but their contents (payload) cannot be read. Specifically, the IP header and the upper-layer protocol (TCP or UDP) headers are not encrypted, but all payload data within the TCP or UDP packet is encrypted and therefore unreadable in transit. (This differs from IPsec ESP, which also encrypts the transport-layer header.) The actual encryption and decryption of IP packets occurs only at the routers configured for network data encryption with router authentication. Such routers are considered peer encrypting routers (or simply peer routers); intermediate hops do not participate in encryption or decryption.

Typically, when an IP packet is initially generated at a host, it is unencrypted; this occurs on a secured (internal) portion of the network. When the transmitted IP packet passes through an encrypting router, the router determines whether the packet should be encrypted. If so, the encrypted packet travels through the unsecured portion of the network (usually an external network such as the Internet) until it reaches the remote peer encrypting router. At that point the encrypted IP packet is decrypted and forwarded to the destination host as clear text. Router authentication enables peer encrypting routers to positively identify the source of incoming encrypted data, so that attackers cannot forge transmitted data or tamper with it without detection. Router authentication occurs between peer routers each time a new encrypted session is established. An encrypted session is established each time an encrypting router receives an IP packet that should be encrypted, unless an encrypted session is already in progress at that time.

To provide IP packet encryption with router authentication, Cisco implements the following standards: the Digital Signature Standard (DSS), the Diffie-Hellman (DH) public-key algorithm and the Data Encryption Standard (DES). DSS is used for router authentication; the DH algorithm and DES are used to initiate and conduct encrypted communication sessions between participating routers [11].

4.3 Various Algorithms

There is, of course, a wide range of cryptographic algorithms in use. The following are amongst the best known:

DES
The Data Encryption Standard. A block cipher that operates on 64-bit blocks of data using a 56-bit key. It is a symmetric ('private key') system.

RSA
RSA is a public-key system designed by Rivest, Shamir and Adleman.

HASH
A hash algorithm computes a condensed, fixed-length representation of a message or file of arbitrary length. The result is sometimes known as a 'message digest' or a 'fingerprint'.

MD5
MD5 is a 128-bit message digest function developed by Ron Rivest.

AES
The Advanced Encryption Standard (using the Rijndael block cipher) approved by NIST.

SHA-1
SHA-1 is a hashing algorithm similar in structure to MD5 but producing a digest of 160 bits (20 bytes). Because of the larger digest size it is less likely that two different messages will have the same SHA-1 digest, for which reason SHA-1 was recommended in preference to MD5. (SHA-1 has since also been shown to be vulnerable to collision attacks, and the SHA-2 family is now preferred.)

HMAC
HMAC is a keyed hashing method that uses a secret key in conjunction with a hash algorithm such as MD5 or SHA-1; thus one refers to HMAC-MD5 and HMAC-SHA1 [12].

4.4 3DES Encryption Algorithm
The purpose of encrypting packets exchanged between two PPP implementations is to ensure the privacy of the communication conducted between them. A large variety of encryption algorithms exists, one of which is DES. The DES encryption algorithm is well studied, well understood and widely implemented. Triple-DES means that the DES algorithm is applied three times to the data before it is sent over the line. The variant used is DES-EDE3-CBC, which is described in more detail below; it is also the variant adopted for IPsec. This section shows how packets encrypted with Triple-DES are sent over a point-to-point link, in the context of the generic PPP Encryption Control Protocol (ECP). Because of the CBC mode, a sequence number is provided to ensure the right order of transmitted packets, so that lost packets can be detected. The padding section reflects the result of the discussion of this topic on the PPP mailing list. In this section the key words MUST, SHOULD and recommended are to be interpreted as described in [14].

4.4.1 Algorithm
The DES-EDE3-CBC algorithm is a simple variant of the DES-CBC algorithm. In DES-EDE3-CBC an Initialization Vector (IV) is XORed with the first 64-bit (8-octet) plaintext block (P1). The keyed DES function is iterated three times, an encryption (E) followed by a decryption (D) followed by an encryption (E), and generates the ciphertext (C1) for the block. Each iteration uses an independent key. For successive blocks, the previous ciphertext block is XORed with the current 8-octet plaintext block (Pi), and the keyed DES-EDE3 encryption function generates the ciphertext (Ci) for that block (Figure 4.1).

        P1               P2               Pi
        |                |                |
IV---->(X)      +------>(X)      +------>(X)
        |       |        |       |        |
        v       |        v       |        v
     +-----+    |     +-----+    |     +-----+
 k1->|  E  |    | k1->|  E  |    | k1->|  E  |
     +-----+    |     +-----+    |     +-----+
        |       |        |       |        |
        v       |        v       |        v
     +-----+    ^     +-----+    ^     +-----+
 k2->|  D  |    | k2->|  D  |    | k2->|  D  |
     +-----+    |     +-----+    |     +-----+
        |       |        |       |        |
        v       |        v       |        v
     +-----+    |     +-----+    |     +-----+
 k3->|  E  |    | k3->|  E  |    | k3->|  E  |
     +-----+    |     +-----+    |     +-----+
        |       |        |       |        |
        +------>+        +------>+        +---->
        |                |                |
        C1               C2               Ci

Figure 4.1: The DES-EDE3-CBC (Triple-DES) algorithm

To decrypt, the order of the functions is reversed: decrypt with k3, encrypt with k2, decrypt with k1, and XOR with the previous ciphertext block. When all three keys (k1, k2 and k3) are the same, DES-EDE3-CBC is equivalent to DES-CBC [13].

4.4.2 Keys
The secret DES-EDE3 key shared between the communicating parties is effectively 168 bits long. It consists of three independent 56-bit quantities used by the DES algorithm. Each of the three 56-bit sub-keys is stored as a 64-bit (8-octet) quantity, with the least significant bit of each octet used as a parity bit. When configuring keys for 3DESE, keys with incorrect parity and the so-called weak keys SHOULD be rejected [15].
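The checks this section calls for are easy to get wrong in practice, so the following Python shows them worked out. It is an added example, not code from the report or from RFC 2420, and it contains no DES primitive: it validates the per-octet odd parity, rejects the published DES weak and semi-weak keys, and rejects keying material whose sub-keys repeat, since K1 = K2 or K2 = K3 collapses E-D-E to single DES (section 4.4.1) and K1 = K3 is the two-key variant rather than the three independent keys described here. The key-generation routine and the sample keys are assumptions for illustration.

```python
"""DES-EDE3 key hygiene checks for the 3DESE keys described in section 4.4.2 (added example)."""
import os
from typing import List

# The four DES weak keys: encryption and decryption are the same function under them.
DES_WEAK_KEYS = {bytes.fromhex(k) for k in (
    "0101010101010101", "FEFEFEFEFEFEFEFE", "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E")}
# The six semi-weak key pairs: encryption under one undoes encryption under the other.
DES_SEMI_WEAK_KEYS = {bytes.fromhex(k) for k in (
    "01FE01FE01FE01FE", "FE01FE01FE01FE01", "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "01E001E001F101F1", "E001E001F101F101", "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "011F011F010E010E", "1F011F010E010E01", "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1")}


def has_odd_parity(subkey: bytes) -> bool:
    """Each of the 8 octets carries 7 key bits plus a low parity bit making its popcount odd."""
    return len(subkey) == 8 and all(bin(b).count("1") % 2 == 1 for b in subkey)


def fix_parity(subkey: bytes) -> bytes:
    """Rewrite the low bit of every octet so the octet has odd parity; the key bits are unchanged."""
    out = bytearray()
    for b in subkey:
        keybits = b & 0xFE
        out.append(keybits | (0 if bin(keybits).count("1") % 2 else 1))
    return bytes(out)


def split_subkeys(key: bytes) -> List[bytes]:
    if len(key) != 24:
        raise ValueError("a DES-EDE3 key is 24 octets: three 64-bit sub-keys including parity")
    return [key[0:8], key[8:16], key[16:24]]


def validate_ede3_key(key: bytes) -> List[str]:
    """Return the reasons a key SHOULD be rejected; an empty list means it is acceptable."""
    problems: List[str] = []
    subkeys = split_subkeys(key)
    for n, k in enumerate(subkeys, 1):
        if not has_odd_parity(k):
            problems.append(f"K{n}: incorrect parity")
        if k in DES_WEAK_KEYS:
            problems.append(f"K{n}: DES weak key")
        if k in DES_SEMI_WEAK_KEYS:
            problems.append(f"K{n}: DES semi-weak key")
    # Parity bits do not influence the cipher, so compare only the 56 effective key bits.
    k1, k2, k3 = (bytes(b & 0xFE for b in k) for k in subkeys)
    if k1 == k2 or k2 == k3:
        problems.append("adjacent sub-keys equal: E-D-E cancels and degenerates to single DES")
    elif k1 == k3:
        problems.append("K1 == K3: two-key 3DES, not the three independent keys the text requires")
    return problems


def generate_ede3_key() -> bytes:
    """Draw three random 56-bit quantities, set parity, and retry in the (negligible) weak case."""
    while True:
        key = b"".join(fix_parity(os.urandom(8)) for _ in range(3))
        if not validate_ede3_key(key):
            return key


if __name__ == "__main__":
    # Assumed sample keys: an all-0x01 key (weak, and all three sub-keys equal) and a fresh one.
    print(validate_ede3_key(b"\x01" * 24))
    print(generate_ede3_key().hex(), validate_ede3_key(generate_ede3_key()))
```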

4.4.3 3DESE Configuration Option for ECP

The ECP 3DESE Configuration Option indicates that the issuing implementation is offering to employ this specification for decrypting communications on the link, and may be thought of as a request for its peer to encrypt packets in this manner. The ECP 3DESE Configuration Option has the following fields, which are transmitted from left to right (Figure 4.2):

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |         Initial Nonce ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 4.2: ECP 3DESE Configuration Option

Type: 2, to indicate the 3DESE protocol.
Length: 10.
Initial Nonce: an eight-octet quantity used by the peer implementation to encrypt the first packet transmitted after the sender reaches the Opened state. To guard against replay attacks, the implementation should offer a different value during each ECP negotiation [16].

4.4.4 Padding

Since the 3DES algorithm operates on blocks of 8 octets, plaintext packets whose length is not a multiple of 8 octets must be padded prior to encryption. If this padding is not removed after decryption, it can be injurious to the interpretation of some protocols that do not contain an explicit length field in their headers. Therefore all packets not already a multiple of eight octets in length MUST be padded prior to encryption using the unambiguous technique of Self-Describing Padding with a Maximum Pad Value (MPV) of 8. This means that the plaintext is padded with the sequence of octets 1, 2, 3, ... up to 7, until its length is a multiple of 8 octets. Negotiation of SDP is not needed; the LCP Self-Describing Padding option may be negotiated independently to solve an orthogonal problem. Plaintext whose length is already a multiple of 8 octets may require padding with a further 8 octets (1, 2, 3, ... 8): these additional octets MUST be appended only if the last octet of the plaintext has a value of 8 or less, since otherwise the receiver could not distinguish padding from data. When using Multilink and encrypting on individual links, it is recommended that all non-terminating fragments have a length divisible by 8, so that no additional padding is needed on those fragments.

After the peer has decrypted the ciphertext, it strips off the Self-Describing Padding octets to recreate the original plaintext. The peer SHOULD discard the frame if the octets forming the padding do not match the Self-Describing Padding scheme just described. Note that after decryption only the content of the last octet needs to be examined to determine the presence or absence of a Self-Describing Pad [17].
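The padding rule above has two edge cases that are easy to miss (a plaintext already a multiple of 8 whose last octet is 8 or less, and a malformed pad on receipt), so both directions are worked out below. This Python is an added example, not code from the report or from RFC 2420; the sample inputs are constructed.

```python
"""Self-Describing Padding with MPV = 8 for 3DESE, as described in section 4.4.4 (added example)."""

BLOCK = 8  # 3DES block size in octets, which is also the Maximum Pad Value (MPV)


def sdp_pad(plaintext: bytes, mpv: int = BLOCK) -> bytes:
    """Append the octets 1, 2, ..., n so that the result is a multiple of mpv.

    n = 0 (no padding at all) is only allowed when the last plaintext octet is greater than
    mpv; otherwise the receiver could not tell that no padding is present, so a full block
    1..mpv is appended instead."""
    n = (-len(plaintext)) % mpv
    if n == 0 and (not plaintext or plaintext[-1] <= mpv):
        n = mpv
    return plaintext + bytes(range(1, n + 1))


def sdp_unpad(padded: bytes, mpv: int = BLOCK) -> bytes:
    """Inverse of sdp_pad. Only the last octet needs to be read to find the pad length;
    raises ValueError when the trailing octets are not 1..n (the peer SHOULD discard the frame)."""
    if not padded or len(padded) % mpv != 0:
        raise ValueError("decrypted frame is empty or not a multiple of the block size")
    n = padded[-1]
    if n > mpv:
        return padded  # a last octet above the MPV means no padding was added
    if n == 0 or padded[-n:] != bytes(range(1, n + 1)):
        raise ValueError("malformed Self-Describing Padding")
    return padded[:-n]


def is_well_formed(padded: bytes, mpv: int = BLOCK) -> bool:
    """Receiver-side accept/discard decision for a decrypted frame."""
    try:
        sdp_unpad(padded, mpv)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples: a short packet, an aligned packet ending in a small octet (needs a
    # full pad block), and an aligned packet ending above the MPV (needs none).
    for sample in (b"hello", b"\x05" * 8, b"\x09" * 8):
        padded = sdp_pad(sample)
        print(sample.hex(), "->", padded.hex(), "->", sdp_unpad(padded).hex())
```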

4.4.5 Packet Format for 3DESE

The 3DESE packets that carry the encrypted payload have the following fields (Figure 4.3).

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Address    |    Control    |     0000      |  Protocol ID  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Seq. No. High         |         Seq. No. Low          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Ciphertext ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 4.3: 3DESE packet format (the Address and Control fields are shown uncompressed; they may be omitted when ACFC is negotiated)

Protocol ID: the value of this field is 0x53 or 0x55; the latter indicates the use of the Individual Link Encryption Control Protocol and that the ciphertext contains a Multilink fragment. Protocol Field Compression MAY be applied to the leading zero octet if negotiated.

Sequence Number: these 16-bit numbers are assigned by the encryptor sequentially, starting with 0 for the first packet transmitted once ECP has reached the Opened state.

Ciphertext: the generation of this data is described next.

Encryption:
Once ECP has reached the Opened state, the sender must not apply the encryption procedure to LCP packets or ECP packets. If the async control character map option has been negotiated on the link, the sender applies the mapping after the encryption algorithm has been run. The encryption algorithm is, in general, to pad the Protocol and Information fields of a PPP packet to a multiple of 8 octets and to apply 3DES as described in section 4.4.1 with the three 56-bit keys k1, k2 and k3. The encryption procedure is applied only to the portion of the packet excluding the Address and Control fields. When encrypting the first packet after ECP has entered the Opened state, the Initial Nonce is encrypted with the 3DES algorithm before its use [16].

4.5 MD5 Algorithm

MD5 is a hashing algorithm that takes a message of up to 2^64 bits and reduces it to a digest of 128 bits (16 bytes). The algorithm is a development of the MD4 algorithm, invented by Ronald Rivest and announced in 1990. MD4 was found to be flawed, so Rivest made some revisions, and the resulting algorithm was christened MD5. Any hashing (or digest) algorithm should be such that, given a digest and the corresponding message from which it was derived, it is computationally infeasible to construct a different message with the same digest. In cryptography MD5 (Message-Digest algorithm 5) is a widely used cryptographic hash function with a 128-bit (16-byte) hash value. MD5 has been employed in a wide variety of security applications and is also commonly used to check the integrity of files. However, it has been shown that MD5 is not collision resistant; as such, MD5 is not suitable for applications like SSL certificates or digital signatures that rely on this property. An MD5 hash is typically expressed as a 32-digit hexadecimal number. MD5 was designed by Ronald Rivest in 1991 to replace the earlier hash function MD4. In 1996 a flaw was found in the design of MD5; while it was not a clearly fatal weakness, cryptographers began recommending the use of other algorithms such as SHA-1 (which has since also been found to be vulnerable). In 2004 more serious flaws were discovered, making further use of the algorithm for security purposes questionable: specifically, a group of researchers described how to create a pair of files that share the same MD5 checksum. Further advances were made in breaking MD5 in 2005, 2006 and 2007. In an attack on MD5 published in December 2008, a group of researchers used this technique to forge the validity of an SSL certificate. US-CERT of the U.S. Department of Homeland Security said that MD5 "should be considered cryptographically broken and unsuitable for further use", and most U.S. government applications now require the SHA-2 family of hash functions.

MD5 processes a variable-length message into a fixed-length output of 128 bits. The input message is broken up into 512-bit blocks (sixteen 32-bit little-endian integers); the message is padded so that its length is divisible by 512. The padding works as follows: first a single 1 bit is appended to the end of the message. This is followed by as many zero bits as are required to bring the length of the message up to 64 bits fewer than a multiple of 512. The remaining bits are filled with a 64-bit integer representing the length of the original message in bits. The main MD5 algorithm operates on a 128-bit state divided into four 32-bit words, denoted A, B, C and D, which are initialized to certain fixed constants. The main algorithm then operates on each 512-bit message block in turn, each block modifying the state. The processing of a message block consists of four similar stages, termed rounds; each round is composed of 16 similar operations based on a non-linear function, modular addition and left rotation [18].
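The description above, and the HMAC construction mentioned in section 4.3, are concrete enough to implement. The following Python is an added example, not code from the report: it carries out the padding rule exactly as stated (a 1 bit, zeros to 64 bits short of a multiple of 512, then the 64-bit length), runs the four rounds of 16 operations over the A, B, C, D state, and wraps the result in HMAC with the standard 0x36/0x5C inner and outer pads. It is cross-checked against the standard library and is an illustration only; hashlib should be used in real code, and the collision weaknesses discussed above apply to this implementation as much as to any other.

```python
"""MD5 and HMAC-MD5 from scratch, following sections 4.3 and 4.5 (added example, not production code)."""
import hashlib
import hmac
import math
import struct

# Per-operation left-rotation amounts, 16 per round.
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
# Additive constants K[i] = floor(2^32 * |sin(i + 1)|), as in the MD5 specification.
_K = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]
_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md5_pad(message: bytes) -> bytes:
    """Append 0x80 (a single 1 bit), zero octets until the length is 56 mod 64, then the
    original bit length as a 64-bit little-endian integer."""
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % 64)
    return padded + struct.pack("<Q", bit_len)


def md5(message: bytes) -> bytes:
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476  # initial A, B, C, D
    data = md5_pad(message)
    for off in range(0, len(data), 64):
        m = struct.unpack("<16I", data[off:off + 64])  # sixteen little-endian 32-bit words
        a, b, c, d = a0, b0, c0, d0
        for i in range(64):
            if i < 16:             # round 1, function F, message word i
                f, g = (b & c) | (~b & d), i
            elif i < 32:           # round 2, function G
                f, g = (b & d) | (c & ~d), (5 * i + 1) % 16
            elif i < 48:           # round 3, function H
                f, g = b ^ c ^ d, (3 * i + 5) % 16
            else:                  # round 4, function I
                f, g = c ^ (b | ~d), (7 * i) % 16
            f = (f + a + _K[i] + m[g]) & _MASK
            a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & _MASK
        a0, b0, c0, d0 = ((a0 + a) & _MASK, (b0 + b) & _MASK,
                          (c0 + c) & _MASK, (d0 + d) & _MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def hmac_md5(key: bytes, message: bytes) -> bytes:
    """HMAC as in RFC 2104: H((K ^ opad) || H((K ^ ipad) || message)), block size 64 for MD5."""
    if len(key) > 64:
        key = md5(key)             # long keys are hashed down first
    key = key.ljust(64, b"\x00")
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    return md5(opad + md5(ipad + message))


def matches_stdlib(message: bytes, key: bytes) -> bool:
    """Cross-check both functions against hashlib and hmac for one message/key pair."""
    return (md5(message) == hashlib.md5(message).digest()
            and hmac_md5(key, message) == hmac.new(key, message, hashlib.md5).digest())


if __name__ == "__main__":
    # Constructed sample input; the expected digests are the well-known test values.
    print(md5(b"abc").hex())
    print(hmac_md5(b"key", b"The quick brown fox jumps over the lazy dog").hex())
```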

4.5.1 Configuration of MD5 Hashing of a Clear-Text Password

First enter a clear-text password, which will be hashed with the MD5 algorithm (Cisco documentation calls this type 5 "encryption"; it is a salted, one-way hash):

ciscorouter(config)# username ciscoadmin secret ciscopass

where ciscoadmin is the user and "ciscopass" is the clear-text password, which is then stored as an MD5 hash. This is equivalent to

ciscorouter(config)# username ciscoadmin secret 0 ciscopass

where "0" (the default) indicates that the password that follows is entered in clear text; the secret keyword causes it to be stored as a type 5 MD5 hash [19].

4.5.2 MD5 Hash Entered as Password

Alternatively, an MD5 hash can be entered instead of a clear-text password:

ciscorouter(config)# username ciscoadmin secret 5 $1$feb0$a104Qd9UZ./Ak00KTggPD0

where "5" indicates that the entered string is already a type 5 MD5 hash [20].

4.5.3 To verify the login with MD5 hashing of a clear-text password:

ciscorouter# show running-config

version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ciscorouter
!
logging rate-limit console 10 except errors
no logging console
enable secret 5 $1$53Ew$Dp8.E4JGpg7rKxQa49BF9/
!
username ciscoadmin secret 5 $1$fBYK$rH5/OChyx/
!
4.5.4 MD5 hash entered as password

ciscorouter# show running-config

!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ciscorouter
!
logging rate-limit console 10 except errors
no logging console
enable secret 5 $1$feb0$a104Qd9UZ./Ak00KTggPD0
username ciscoadmin secret 5
!
ip subnet-zero

In both cases the running configuration holds only the type 5 hash; the clear-text password is never displayed and cannot be recovered from it. Enhanced password security in Cisco IOS, introduced in 12.0(18)S, allows an administrator to configure MD5 hashing for user passwords. Prior to this feature, type 7 passwords used a weak, reversible encoding that can be decoded trivially, and clear-text (type 0) passwords are, as anyone would know, completely insecure: anyone who can gain access to privileged mode can view or decode these passwords. To configure enhanced password security, create a user with MD5 password hashing as shown above from global configuration mode [20].
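The claim that type 7 passwords "can be cracked easily" is literally true, and an auditor reviewing a configuration like the ones above should be able to show it. The following Python is an added example, not code from the report or from any Cisco tool: it decodes type 7 strings (an XOR against a fixed, publicly known key), round-trips an encoder for test purposes, and classifies every password line in a configuration by type. The sample configuration is constructed; its type 5 hash is copied from the listing above purely as an opaque string whose clear-text value is not known here, and the type 7 string and the type 0 line are assumptions.

```python
"""Audit IOS password lines: type 0 (clear), type 7 (reversible), type 5 (salted MD5 hash). Added example."""
import re
from typing import Dict, List, Optional

# The fixed key behind Cisco's type 7 "encryption". It is public knowledge, which is why
# type 7 is obfuscation rather than protection.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed sample configuration (the type 5 hash is taken from the listing above as an
# opaque value; the type 7 string encodes the well-known test word "cisco").
SAMPLE_CONFIG = """
hostname ciscorouter
enable secret 5 $1$feb0$a104Qd9UZ./Ak00KTggPD0
username ciscoadmin secret 5 $1$feb0$a104Qd9UZ./Ak00KTggPD0
username backup password 7 094F471A1A0A
username legacy password 0 ciscopass
"""


def type7_decode(encoded: str) -> str:
    """The first two characters are the decimal offset into the key; each following hex pair
    is one clear-text octet XORed with successive key octets from that offset."""
    if len(encoded) < 4 or len(encoded) % 2 != 0:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(body)).decode()


def type7_encode(clear: str, seed: int = 9) -> str:
    """Inverse of type7_decode; IOS itself uses offsets 0..15."""
    data = clear.encode()
    out = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{out.hex().upper()}"


# IOS always writes the type digit in the running configuration, so it is required here.
_LINE = re.compile(r"^\s*(enable secret|enable password|username \S+ (?:secret|password))\s+(\d)\s+(\S+)")


def audit_passwords(config: str) -> List[Dict[str, Optional[str]]]:
    """Classify each password line and recover the clear text wherever the type allows it."""
    findings: List[Dict[str, Optional[str]]] = []
    for line in config.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        kind, ptype, value = m.group(1), m.group(2), m.group(3)
        if ptype == "0":
            findings.append({"line": kind, "type": "0", "risk": "clear text", "clear": value})
        elif ptype == "7":
            findings.append({"line": kind, "type": "7", "risk": "reversible encoding",
                             "clear": type7_decode(value)})
        elif ptype == "5" and value.startswith("$1$"):
            findings.append({"line": kind, "type": "5", "risk": "salted MD5 hash, one-way",
                             "clear": None})
        else:
            findings.append({"line": kind, "type": ptype, "risk": "unrecognised type", "clear": None})
    return findings


if __name__ == "__main__":
    for f in audit_passwords(SAMPLE_CONFIG):
        print(f"type {f['type']:>2} {f['risk']:<28} {f['line']:<32} {f['clear'] or '-'}")
```

In the sample, both secret lines resist this audit while the type 7 line falls instantly and the type 0 line needs no work at all; that is the practical argument for the secret keyword made in the text. Type 5 is still only salted MD5 and can be brute-forced offline if the configuration leaks, so protecting access to the configuration itself remains necessary.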

4.6 Security Considerations

The 3DESE proposal is concerned with providing confidentiality only. It does not describe any mechanism for integrity, authentication or non-repudiation. It does not guarantee that a received message has not been modified in transit through replay, cut-and-paste or active tampering, it does not authenticate the source of any received packet, and it does not protect against the sender of a packet denying its authorship. Security issues are the primary subject of this specification. The proposal relies on exterior and unspecified methods for the retrieval of shared secrets. It proposes no new technology for privacy, but merely describes a convention for applying the 3DES cipher to data transmission between PPP implementations. Any methodology for the protection and retrieval of shared secrets, and any limitations of the 3DES cipher, are relevant to the use described here.

Chapter-05

Analysis
5.1 Overview
This section provides an evaluation of how the different models secure the application. The previous chapter gave an assessment of how an adequate level of security can be achieved with respect to the application. Security can be provided to applications in a network environment in various ways, ranging from securing the network perimeter with no modifications to the application software to building the security into the software itself. This section emphasizes the different security issues associated with each.

5.2 Virtual Private Networks


This model makes the application more secure by protecting it from external attacks with the aid of well-established security protocols that already incorporate thoroughly defined defence mechanisms. A satisfactory level of security can be assured for the whole network, not only for the applications, assuming of course that no misinterpretations or misconfigurations of the security policies are present. The obvious advantage of a VPN is that security is applied at the network perimeter, by which every application within the internal network is secured and is not visible to the external network, thanks to the encapsulation mechanisms offered by IPsec. This means that applications can be added without any modification, or at most with minor configuration changes in terms of IP addresses, access lists, etc. Furthermore, our proposed VPN design uses multi-layered defences, where each appliance offers a barrier that a potential adversary must cross. Note that the applications themselves do not necessarily need to incorporate any security services; they are nevertheless secured (in terms of network security) by the security services implemented in the appliances. Virtual Private Networks ought to be the primary security model for any larger organization or company that consists of several remote corporate sites and wishes to exchange confidential and valuable information across the untrusted public network.

5.3 Application-proxy
Just as with a VPN, an application-proxy is situated away from the application but
still within the same private network; here the similarities end. Application-proxies
offer security to applications by addressing the analyzed weaknesses and
vulnerabilities in the underlying protocol used by the application in question. Any
vulnerability that could be exploited by internal or external attacks can thus be
inhibited through inspection of packets all the way up to the application layer. This
inspection also helps keep malicious content from entering through, or bypassing, this
single point of defense. Furthermore, application-proxies that implement the access
control service allow only authorized users to gain access to resources. When an
application is configured to communicate only with the application-proxy, there is no
other way to contact the application besides through the proxy, which shields it from
direct attacks. Application-proxies are implemented specifically for each application
as proxy services, which can be regarded as a major drawback: each application needs a
careful protocol examination before any security can be offered to it, so different
implementations and designs require time, effort and money. Furthermore, one protocol
does not resemble another, so reusability is not an option for this model. Finally,
this model does not offer what are, in our opinion, probably the most important
security services, namely confidentiality and integrity. For those, packets leaving
the network would have to be encrypted and signed and the reverse (decrypt and verify)
performed at the other end, which is not part of a general application-proxy
deployment.
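The inspection and access-control behaviour described above, as an added example that is not code from the original project: a small HTTP/1.1 application-proxy front end that parses each request up to the application layer, rejects malformed requests, disallowed methods and path-traversal attempts, authenticates the caller with HTTP Basic credentials and enforces a per-user path allow-list. The user table, the host name core.bank.example and the sample requests are constructed for the example. Note what the proxy does not do: nothing here encrypts or signs the traffic, which is exactly the confidentiality and integrity gap the text points out.

```python
"""Application-proxy inspection for an HTTP/1.1 front end (added example).
Parses each request up to the application layer, rejects anything malformed
or outside policy, authenticates the caller and applies a per-user path
allow-list before the back-end sees a byte.  Users and requests are constructed.
"""
import base64
import hashlib
import hmac
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "POST"}

def _pw_hash(salt, password):
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

# Constructed users: name -> (salt, sha256(salt + password), allowed path prefixes)
USERS = {
    "teller1": (b"s1", _pw_hash(b"s1", "correct horse"), ("/accounts/", "/transfer/")),
    "auditor": (b"s2", _pw_hash(b"s2", "ledger only"), ("/reports/",)),
}

class ProxyReject(Exception):
    """Raised with a reason whenever the proxy refuses to forward a request."""

def parse_request(raw):
    """Strict parse of request line and headers: (method, target, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ProxyReject("incomplete header block")
    lines = head.split(b"\r\n")
    try:
        method, target, version = lines[0].decode("ascii").split(" ")
    except ValueError:
        raise ProxyReject("malformed request line")
    if version != "HTTP/1.1" or len(lines) > 51:
        raise ProxyReject("unsupported version or too many headers")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon or not name or name != name.strip():
            raise ProxyReject("malformed header")
        headers[name.lower()] = value.strip()
    return method, target, headers, body

def authenticate(headers):
    """Check HTTP Basic credentials against USERS; return (user, allowed prefixes)."""
    scheme, _, cred = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not cred:
        raise ProxyReject("authentication required")
    try:
        user, _, password = base64.b64decode(cred, validate=True).decode().partition(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        raise ProxyReject("bad credential encoding")
    salt, digest, prefixes = USERS.get(user, (b"", "0" * 64, ()))
    # constant-time compare; unknown user and wrong password get the same answer
    if user not in USERS or not hmac.compare_digest(_pw_hash(salt, password), digest):
        raise ProxyReject("invalid credentials")
    return user, prefixes

def inspect(raw):
    """Return ('forward', summary) or ('reject', reason) for one raw request."""
    try:
        method, target, headers, body = parse_request(raw)
        if method not in ALLOWED_METHODS:
            raise ProxyReject(f"method {method} not allowed")
        if not target.startswith("/") or len(target) > 2048:
            raise ProxyReject("bad request-target")
        path = unquote(target.split("?", 1)[0])  # decode before the traversal check
        if ".." in path.split("/"):
            raise ProxyReject("path traversal attempt")
        if "host" not in headers:
            raise ProxyReject("missing Host header")
        length = headers.get("content-length")
        if length is not None and (not length.isdigit() or int(length) != len(body)):
            raise ProxyReject("content-length mismatch")
        user, prefixes = authenticate(headers)
        if not any(path.startswith(p) for p in prefixes):
            raise ProxyReject(f"user {user} not authorized for {path}")
        return "forward", f"{user} {method} {path}"
    except ProxyReject as exc:
        return "reject", str(exc)

def basic_auth(user, password):
    return b"Authorization: Basic " + base64.b64encode(f"{user}:{password}".encode()) + b"\r\n"

HOST = b"Host: core.bank.example\r\n"
SAMPLES = {  # constructed requests
    "ok": b"GET /accounts/1234 HTTP/1.1\r\n" + HOST + basic_auth("teller1", "correct horse") + b"\r\n",
    "traversal": (b"GET /accounts/%2e%2e/admin/keys HTTP/1.1\r\n" + HOST
                  + basic_auth("teller1", "correct horse") + b"\r\n"),
    "unauthorized": (b"POST /transfer/now HTTP/1.1\r\n" + HOST + b"Content-Length: 4\r\n"
                     + basic_auth("auditor", "ledger only") + b"\r\nto=1"),
    "bad_method": b"DELETE /accounts/1234 HTTP/1.1\r\n" + HOST + b"\r\n",
    "malformed": b"GET /accounts/1234 HTTP/1.1\r\nHost core.bank.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12s} -> {inspect(raw)}")
```

The order of checks matters: the request is fully parsed and the path decoded before any policy decision, traversal is caught before authentication so an attacker cannot probe paths with stolen credentials, and authentication failures return one reason so user names cannot be enumerated.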

5.4 Filter
This model is well suited to implementing the abstract security services described in
X.800: all outgoing and incoming TCP traffic is secured, hence security is provided to
any application in question. The filters communicate with each other, not
application-to-application, so the specified security policies can be implemented
within the filter and no changes to the application are required. Furthermore, this
daemon process (the filter) is transparent to the application, which makes it possible
to reuse the design and implementation of a filter. It is also important that
communicating filters agree on a byte order if they run on different platforms. In
other words, if one filter runs on a big-endian platform and the other on a
little-endian platform, the filters have to convert the bytes transferred over the
network to a common (network) byte order. In Java the endianness handling is performed
behind the scenes by the Java Virtual Machine, whose standard I/O classes use a fixed
big-endian byte order regardless of the host platform. With respect to this, byte-order
rearrangements were not considered when we implemented our filter [21][25].
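The project's filter was written in Java, where the JVM fixes the byte order; the following is an added Python example, not the project's code, showing the same filter-to-filter framing with the byte order made explicit (struct's "!" prefix is the counterpart of Java's fixed big-endian I/O) together with the integrity service the filter is meant to provide: an HMAC-SHA256 tag that the receiving filter verifies before trusting any field, and a sequence number that rejects replayed frames. The shared key and payloads are constructed; confidentiality would need a cipher on top of this framing and is not shown.

```python
"""Filter-to-filter framing with explicit network byte order (added example).
Frame layout: version (1) | sequence (8) | length (4) | payload | HMAC-SHA256 (32).
The header is packed with struct's '!' prefix so both filters read the same
bytes whatever the host byte order.  The receiver verifies the tag before it
trusts any field and rejects replayed or reordered frames.  Key and payloads
are constructed for this example.
"""
import hashlib
import hmac
import struct
import sys

HEADER = struct.Struct("!BQI")  # network order: version, sequence, payload length
VERSION = 1
TAG_LEN = 32
MAX_PAYLOAD = 1 << 20
HOST_IS_BIG_ENDIAN = sys.byteorder == "big"


class FilterError(ValueError):
    """Raised when a received frame fails a check; the frame is dropped."""


def seal(key, seq, payload):
    """Sending filter: frame the payload and append an integrity tag."""
    if len(payload) > MAX_PAYLOAD:
        raise FilterError("payload too large")
    header = HEADER.pack(VERSION, seq, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Receiving filter: verifies integrity and sequence, returns the payload."""

    def __init__(self, key):
        self.key = key
        self.last_seq = 0

    def open(self, frame):
        if len(frame) < HEADER.size + TAG_LEN:
            raise FilterError("truncated frame")
        version, seq, length = HEADER.unpack_from(frame, 0)
        if version != VERSION:
            raise FilterError("unknown frame version")
        if length > MAX_PAYLOAD or len(frame) != HEADER.size + length + TAG_LEN:
            raise FilterError("length mismatch")
        body, tag = frame[:HEADER.size + length], frame[HEADER.size + length:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise FilterError("integrity check failed")
        if seq <= self.last_seq:  # sequence is only trusted after the tag verified
            raise FilterError("replayed or out-of-order frame")
        self.last_seq = seq
        return body[HEADER.size:]


def header_bytes(seq, length, native=False):
    """The same header in network order ('!') versus host order ('=')."""
    return struct.pack("=BQI" if native else "!BQI", VERSION, seq, length)


def run_scenarios(key=b"constructed-shared-key"):
    """Exercise the receiver: good frame, tampered frame, replayed frame."""
    results = {}
    rx = Receiver(key)
    frame = seal(key, 1, b"TRANSFER branch1->branch2 100.00")
    results["roundtrip"] = rx.open(frame)
    # same length, one digit changed, original tag kept
    tampered = frame[:HEADER.size] + b"TRANSFER branch1->branch2 900.00" + frame[-TAG_LEN:]
    try:
        rx.open(tampered)
        results["tamper"] = "accepted"
    except FilterError as exc:
        results["tamper"] = str(exc)
    try:
        rx.open(frame)  # the original, valid frame delivered a second time
        results["replay"] = "accepted"
    except FilterError as exc:
        results["replay"] = str(exc)
    results["same_on_this_host"] = header_bytes(1, 5, native=True) == header_bytes(1, 5)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value!r}")
    print("host byte order:", sys.byteorder)
```

On a little-endian host header_bytes(1, 5, native=True) differs from the network-order form, which is exactly the mismatch two filters on different platforms would hit if either packed its header in host order; the tamper and replay scenarios show why the tag is checked before the sequence number is believed.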

5.5 Plug-in

Plug-ins are a very common way of adding functionality that developers have forgotten
or intentionally left out of an application. In terms of security, the application can
be offered security features if the original application provides developers with an
API. As mentioned previously, the application using (executing) the plug-in is not
changed whatsoever; it must have been designed and implemented originally to offer an
API with the intention of being extended in the future. Plug-in development is a
language- and platform-dependent task. It requires a deep knowledge and understanding
of the language and the offered interfaces, and it is therefore a great challenge for
an inexperienced developer to familiarize themselves with the environment the
application executes in [22].
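The mechanism described above, as an added example that is not from the original project or from any real application: a hypothetical service whose only extension point is a pre-dispatch hook API, and a security plug-in that registers through that API to add per-client rate limiting and a deny-list. The application's own request handling is not modified; the plug-in's names, limits and client addresses are constructed for the example.

```python
"""Security added through an application's plug-in API (added example).
The application exposes one extension point, register_hook(), and knows
nothing about security itself.  The plug-in registers through that API and
adds per-client rate limiting and a deny-list; the application's own request
handling is untouched.  All names, limits and addresses are constructed.
"""
import time


class Application:
    """Hypothetical service whose only plug-in API is a pre-dispatch hook list."""

    def __init__(self):
        self._hooks = []  # callables (client, path) -> None or a deny reason

    def register_hook(self, hook):
        self._hooks.append(hook)

    def handle(self, client, path):
        for hook in self._hooks:  # the first hook that objects wins
            reason = hook(client, path)
            if reason:
                return 403, reason
        return 200, f"served {path}"  # unchanged core behaviour


class RateLimitPlugin:
    """Token bucket per client plus a static deny-list, installed via the hook API."""

    def __init__(self, capacity, refill_per_sec, denied=(), clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.denied = set(denied)
        self.clock = clock
        self._buckets = {}  # client -> (tokens, time of last refill)

    def install(self, app):
        app.register_hook(self.check)

    def check(self, client, path):
        if client in self.denied:
            return f"{client} is on the deny-list"
        now = self.clock()
        tokens, last = self._buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens < 1:
            self._buckets[client] = (tokens, now)
            return f"rate limit exceeded for {client}"
        self._buckets[client] = (tokens - 1, now)
        return None


class FakeClock:
    """Deterministic clock so the scenario below is reproducible."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Responses seen with no plug-in, during a burst, after refill, and when denied."""
    results = {}
    bare = Application()
    results["no_plugin"] = bare.handle("10.10.0.7", "/accounts/1")
    app, clock = Application(), FakeClock()
    RateLimitPlugin(3, 1.0, denied={"10.10.0.99"}, clock=clock).install(app)
    results["burst"] = [app.handle("10.10.0.7", "/accounts/1")[0] for _ in range(4)]
    clock.advance(1.0)
    results["after_refill"] = app.handle("10.10.0.7", "/accounts/1")[0]
    results["denied"] = app.handle("10.10.0.99", "/accounts/1")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the example is the dependency direction: the plug-in depends on the application's API, never the other way round, which is why the control can be added after the fact but only if that API was designed in from the start.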

5.6 Built-in to the Software

This model introduces security into the software by unifying software engineering and
security engineering within the same software development life-cycle. This approach
holds that traditional software design principles are not adequate to produce nearly
defect-free software; practices for developing secure software, for example the Team
Software Process (TSP), are therefore needed. This forces organizations and companies
to change their software development processes and improve them incrementally. There
is evidence that, when trying to build security into applications, this approach is
the best way, because the methodology leads to low defect densities (defects per
KLOC), and high security goes hand in hand with low defect densities: reducing errors
in the design and the implementation consequently reduces vulnerabilities as well [23].

Chapter-06

Conclusion

The development work conducted during this project has shown a number of
interesting facts related to security policies in general and to policies in the VPN
context in particular. While the form of a security policy might be as simple as a
text document an employee is required to sign, its implications can be, and normally
are, manifold. This project has shown that complete and all-embracing policy
enforcement is not feasible in the context assumed during this work. When providing
a secure communication line to a remote location, clients cannot be forced to comply
with every regulation dictated by a central body. However, the degree of compliance
with such a policy document can be investigated to a certain extent. The arbitrary
complexity to which the systems could be subjected hinders a thorough compliance check
at all levels. Feasible compliance analysis tools consist of a set of small building
blocks that help an engineer or security officer gain an improved view of the entire
situation. We developed a number of these tools, which support technical staff in
running these compliance investigations and help them identify a set of policy
violations.

Another important conclusion drawn from this project concerns the business
implications of such a security policy. It has been shown that it is vital for an
organization to understand the importance and impact of a vertical security policy
affecting all employees in the same way. As mentioned in the introduction of this
work, a thorough understanding of one's assets is required in order to devise an
in-depth defense strategy against threats that are becoming ever more sophisticated.
In addition, the human factor is of critical importance: employees who are not aware
of the repercussions of a successful social engineering attack will not be able to
thwart such an attack efficiently. With the security policy becoming a more central
element in an employee's working day, awareness can be greatly raised. A third
conclusion resulting from this project is the added security provided by clearly
identified structures and procedures. Implementing a security policy across the
organization forces the responsible managers to rethink and assess their information
system infrastructure properly and to review it regularly.

References
[1] http://www.veylan.net/vpn_history.htm

[2] http://homepages.uel.ac.uk/u0117002/networks.com/aa010701c.htm

[3] http://pubs.acs.org/doi/abs/10.1021/nl1011323

[4] http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/l2tpT.html#wp5939

[5] http://lartc.org/howto/lartc.tunnel.ip-ip.html

[6] http://mplsinfo.org/gre-protocol.html

[7] http://www.freebsd.org/doc/handbook/ipsec.html

[8] http://www.math.admu.edu.ph/~fpmuga/proceedings/proposed_topology.pdf

[9] http://www.ciscopress.com/bookstore/product.asp?isbn=1587051117

[10] http://computer.howstuffworks.com/vpn7.htm

[11] http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/scencryp.html

[12] http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/scencryp.html

[13] http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/scencryp.html

[14] http://en.wikipedia.org/wiki/Algorithm#Why_algorithms_are_necessary:_an_informal_definition

[15] http://moneyover55.about.com/od/socialsecuritybenefits/tp/securityretirementbenefits.html

[16] http://rfc-ref.org/RFC-TEXTS/2420/chapter2.html

[17] http://softwaretopic.informer.com/hp-touch-pad-cisco-vpn/

[18] http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ft_md5.html

[19] http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ft_md5.html

[20] http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=%2Frzatj%2Fappprox.htm

[21] http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=%2Frzatj%2Fappprox.htm

[22] http://www.velocityreviews.com/forums/t161620-how-do-i-filter-vpn-traffic.html

[23] http://www.stanford.edu/group/macosxsig/blog/2009/08/using_cisco_vpnwith_snow_leop.html

[24] Richard A. Deal, 2006, The Complete Cisco VPN Configuration Guide (illustrated):
computer networks, network security, etc.

[25] Jazib Frahim and Omar Santos, 2010, VPN Adaptive Security Appliance: VPN security
with the Cisco ASA, etc.