chp9 3

A Virtual Private Network (VPN) allows organizations to securely connect remote branches over a public network like the Internet, using encryption and authentication to simulate a private network. VPN architecture involves establishing a secure tunnel between firewalls at each network location, facilitating private communication. Intrusion detection is crucial for network security, employing methods like audit records and honeypots to identify and deter unauthorized access.

Uploaded by subhavideos09

VIRTUAL PRIVATE NETWORKS (VPN)

A private network is made up of computers owned by a single organization, which share
information with each other.

Let us assume that an organization wants to connect two of its branch networks to each other. The
trouble is that these branches are located quite a distance apart. One branch is in Delhi and the
other branch is in Mumbai. Two of the available solutions seem logical:

• Connect the two branches using a private network of your own, i.e. lay cables between the two
offices yourself or obtain a leased line between the two branches.
• Connect the two branches with the help of a public network, such as the Internet.

A VPN is a mechanism that employs encryption, authentication and integrity protection so that we
can use a public network (such as the Internet) as if it were a private network (such as a physical
network created and controlled by you). A VPN offers a high degree of security and yet does not
require any special cabling on the part of the organization that wants to use it. Thus, a VPN combines
the advantages of a public network (cheap and easily available) with those of a private network
(secure and reliable).

A VPN is thus a mechanism to simulate a private network over a public network, such as the
Internet. The term virtual signifies that it depends on the use of virtual connections. These
connections are temporary and do not have any physical presence. They are made up of packets.

VPN Architecture

Suppose an organization has two networks, Network 1 and Network 2, which are physically apart
from each other and we want to connect them using the VPN approach. In such a case, we set up
two firewalls, Firewall 1 and Firewall 2.

Network Setup:

• Two networks, Network 1 and Network 2, are connected to the Internet via their respective
firewalls: Firewall 1 and Firewall 2.
• A VPN tunnel is established between these two firewalls to securely transfer data over the
Internet.

Purpose of the VPN Tunnel:

• It creates a secure, encrypted path between the two firewalls, allowing private
communication across a public network like the Internet.

Data Flow Example (Host X to Host Y):

• Step 1: Host X on Network 1 creates a data packet with:
  o Source IP: IP of Host X
  o Destination IP: IP of Host Y
  Figure: Original packet

• Step 2: The packet reaches Firewall 1, which:
  o Wraps the original packet inside a new outer packet, so that on the Internet the source IP is
    its own (e.g., F1) and the destination IP is Firewall 2's (e.g., F2); the original addresses
    travel hidden inside the tunnel
  o Encrypts and authenticates the packet
  o Sends the packet through the VPN tunnel over the Internet
  Figure: Firewall 1 changes the packet contents

• Step 3: The packet reaches Firewall 2, which:
  o Removes the VPN header
  o Decrypts and verifies the packet
  o Recognizes the original destination as Host Y and forwards the packet to it
  Figure: Firewall 2 retrieves the original packet contents
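The three steps above can be walked through in code. The following Python program is an added example, not part of these notes: it simulates Host X, Firewall 1, the Internet and Firewall 2 in one process. All addresses are made up, the packet "header" is a plain text string rather than a real IP header, and the cipher is an HMAC-based keystream used as a stand-in for the AES-based ciphers a real tunnel (IPSec ESP) would use. The security points it shows are the ones the notes make: an observer on the Internet sees only F1 and F2, the original packet comes out unchanged at Firewall 2, and a packet modified in transit fails authentication and is dropped.

```python
import hashlib
import hmac
import os
import struct

# Constructed addresses for the scenario in the notes: Host X behind
# Firewall 1 (F1), Host Y behind Firewall 2 (F2). Values are made up.
HOST_X, HOST_Y = "10.1.0.5", "10.2.0.9"
FW1, FW2 = "203.0.113.1", "198.51.100.1"
TAG_LEN, NONCE_LEN = 32, 12

# Shared tunnel keys. A real VPN negotiates these (IPSec uses IKE);
# here both firewalls simply hold the same random keys.
ENC_KEY = os.urandom(32)
MAC_KEY = os.urandom(32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-in-counter-mode keystream built from HMAC-SHA256.

    Teaching stand-in for the AES-based ciphers real tunnels use; it is
    only safe if a nonce is never reused under the same key."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">I", counter),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def build_inner_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Step 1: Host X builds the original packet (a text header plus payload)."""
    return f"{src}>{dst}|".encode() + payload


def firewall1_encapsulate(inner: bytes) -> bytes:
    """Step 2: Firewall 1 wraps the whole original packet in an outer packet
    addressed F1 -> F2, encrypts it and appends an authentication tag."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = xor(inner, keystream(ENC_KEY, nonce, len(inner)))
    body = f"{FW1}>{FW2}|".encode() + nonce + ciphertext
    tag = hmac.new(MAC_KEY, body, hashlib.sha256).digest()  # encrypt-then-MAC
    return body + tag


def firewall2_decapsulate(outer: bytes):
    """Step 3: Firewall 2 verifies the tag, decrypts, strips the tunnel header
    and returns (destination host, original packet).
    Returns None if authentication fails, so a tampered packet never reaches Host Y."""
    body, tag = outer[:-TAG_LEN], outer[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    header_len = body.index(b"|") + 1
    nonce = body[header_len:header_len + NONCE_LEN]
    ciphertext = body[header_len + NONCE_LEN:]
    inner = xor(ciphertext, keystream(ENC_KEY, nonce, len(ciphertext)))
    addresses, _, _payload = inner.partition(b"|")
    destination = addresses.decode().split(">")[1]
    return destination, inner


def outer_addresses(outer: bytes) -> tuple:
    """What an observer on the Internet sees: only the two firewall addresses."""
    header = outer[:outer.index(b"|")].decode()
    src, dst = header.split(">")
    return src, dst


def deliver(payload: bytes):
    """Full path Host X -> Firewall 1 -> Internet -> Firewall 2 -> Host Y."""
    inner = build_inner_packet(HOST_X, HOST_Y, payload)
    on_the_wire = firewall1_encapsulate(inner)
    return firewall2_decapsulate(on_the_wire)


def tampered_is_rejected(payload: bytes) -> bool:
    """Flip one ciphertext bit in transit; Firewall 2 must drop the packet."""
    wire = bytearray(firewall1_encapsulate(build_inner_packet(HOST_X, HOST_Y, payload)))
    wire[len(f"{FW1}>{FW2}|") + NONCE_LEN] ^= 0x01   # first ciphertext byte
    return firewall2_decapsulate(bytes(wire)) is None


if __name__ == "__main__":
    print(deliver(b"hello from X"))
    print(tampered_is_rejected(b"hello from X"))
```

The order of operations in firewall2_decapsulate matters: the tag is checked before anything is decrypted or parsed, so a forged or corrupted packet is discarded without Firewall 2 ever acting on its contents.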


VPN Protocols (Brief Overview)

1. PPTP (Point-to-Point Tunneling Protocol)
   o Designed for user-to-LAN VPNs
   o Mostly used on older Windows NT systems

2. L2TP (Layer 2 Tunneling Protocol)
   o Developed by the IETF
   o Supports both user-to-LAN and LAN-to-LAN
   o Often used with IPSec for stronger security

3. IPSec (Internet Protocol Security)
   o Provides encryption and authentication at the network layer
   o Can be used alone or with other protocols like L2TP

INTRUSION

No system is fully secure; intruders will always attempt to break in. They target both private (LAN)
and public (Internet) networks. Intruders and viruses are among the most common security threats.

(a) Masquerader: A user who does not have the authority to use a computer, but penetrates a
system to access a legitimate user's account, is called a masquerader. It is generally an external
user.

(b) Misfeasor: There are two possible cases in which an internal user is called a misfeasor:

• A legitimate user who does not have access to some applications, data or resources accesses
them anyway.
• A legitimate user who has access to some applications, data or resources misuses those
privileges.

(c) Clandestine User: An internal or external user who tries to work using the privileges of a
supervisor user, so as to avoid auditing information being captured and recorded, is called a
clandestine user.

How do intruders try to attack? A simple example may be considered, where the attackers try to
obtain the passwords of legitimate users, so as to impersonate them. Some well-known password
guessing methods are as follows:

1. Try all possible short password combinations (2-3 characters).
2. Collect information about users, such as their full name, names of family members, their
hobbies, etc.
3. Try default passwords that are provided by the supplier of a software product (e.g. Oracle
comes with scott as the user name and tiger as the password).
4. Try words that people choose as passwords most often. Hacker bulletin boards maintain
these lists. Also, try words from a dictionary.
5. Try using phone numbers, dates of birth, social security numbers, bank account numbers,
etc.
6. Tap the communication line between a user and the host network.
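The list above describes the guessing methods from the attacker's side. The defender's counterpart to methods 1 to 5 is a password policy that refuses any password those methods would find before it is ever set. The following Python checker is an added example, not part of these notes: the default-credential pair scott/tiger comes from the notes, while the other word lists, the minimum length of 12, and the personal-information fields are constructed for the example (a real policy would load full dictionary and breached-password lists). Method 6, line tapping, is not a password-choice problem and is what the VPN section addresses.

```python
import re

# Constructed word lists; scott/tiger is the default credential the notes mention,
# everything else is made up for the example.
DEFAULT_CREDENTIALS = {("scott", "tiger"), ("admin", "admin")}
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
DICTIONARY_WORDS = {"sunshine", "dragon", "monkey", "football"}
MIN_LENGTH = 12
# Undo the usual letter-for-symbol substitutions so "Dr4g0n" is still "dragon".
LEET = str.maketrans("@$01345", "asoieas")


def _alnum(s: str) -> str:
    """Lowercase and keep only letters and digits, so '1990-04-12' and '19900412' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def password_weaknesses(username: str, password: str, personal_info: dict) -> list:
    """Return which of the guessing methods in the notes would find this password.

    personal_info maps a field name ('name', 'family', 'hobbies', 'phone', 'dob', ...)
    to a string or a list of strings known about the user. An empty list means
    the password passed every check."""
    found = []
    compact = _alnum(password)                    # for personal-info and digit checks
    deleet = _alnum(password.translate(LEET))     # for word-list checks
    if len(password) < MIN_LENGTH:                # method 1: short passwords are enumerable
        found.append("short: exhaustive search of short combinations")
    if (username.lower(), password.lower()) in DEFAULT_CREDENTIALS:   # method 3
        found.append("vendor default credential")
    if deleet in COMMON_PASSWORDS | DICTIONARY_WORDS:                 # method 4
        found.append("common or dictionary word")
    for field, values in personal_info.items():                       # method 2
        for value in ([values] if isinstance(values, str) else values):
            if len(_alnum(value)) >= 4 and _alnum(value) in compact:
                found.append(f"contains personal info ({field})")
                break
    if compact.isdigit():                                             # method 5
        found.append("digits only: phone number, date or account number pattern")
    return found


if __name__ == "__main__":
    print(password_weaknesses("scott", "tiger", {}))
    print(password_weaknesses("carol", "Rover19900412",
                              {"family": ["Rover"], "dob": "1990-04-12"}))
    print(password_weaknesses("alice", "correct-horse-battery-staple-42",
                              {"name": "Alice Smith", "dob": "1990-04-12"}))
```

Personal information is matched only when the fragment is at least four characters long, so that a two-letter initial does not reject every password containing those letters.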

Audit Records:

One of the most important tools in intrusion detection is the use of audit records, also called
audit logs. Audit records record information about the actions of users. Traces of illegitimate user
actions can be found in these records, so that intrusions can be detected and appropriate action
taken.

Audit records can be classified into two categories: Native audit records and Detection-specific audit
records.

(a) Native Audit Records: All multi-user operating systems have accounting software built in, and
the records it already keeps can be used for intrusion detection.
(b) Detection-specific Audit Records: This type of audit facility collects only information that is
specific to intrusion detection.

Intrusion Detection

Intrusion prevention is almost impossible to achieve at all times. Hence, more focus is on intrusion
detection. The following factors motivate efforts on intrusion detection:

(a) The sooner we are able to detect an intrusion, the quicker we can act. The hope of recovering
from attacks and losses is directly proportional to how quickly we are able to detect an intrusion.

(b) Intrusion detection can help collect more information about intrusions, strengthening the
intrusion prevention methods.

(c) Intrusion detection systems can act as good deterrents to intruders.


Intrusion detection mechanisms, also known as Intrusion Detection Systems (IDS), are classified into
two categories: Statistical anomaly detection and Rule-based detection.

(a) Statistical Anomaly Detection:
  a. Threshold Detection: Thresholds are defined for all the users as a group, and the frequency
     of various events is measured against these thresholds.
  b. Profile-based Detection: Profiles for individual users are created and matched against the
     collected statistics to see if any irregular patterns emerge.

(b) Rule-based Detection: A set of rules is applied to see if a given behavior is suspicious enough
to be classified as an attempt to intrude.
  a. Anomaly Detection: Usage patterns are collected, and deviation from these usage patterns is
     analyzed with the help of certain rules.
  b. Penetration Identification: An expert system that looks for illegitimate behavior.

Honeypots

Modern intrusion detection systems make use of a novel idea called honeypots.

A honeypot is a trap that attracts potential attackers. A honeypot is designed to do the following:

• Divert the attention of a potential intruder from critical systems.
• Collect information about the intruder's actions.
• Encourage the intruder to stay on for some time, allowing the administrators to detect the
intrusion and act on it swiftly.

Honeypots are designed with two important goals in mind:

(a) Make them look like real-life systems. Put as much real-looking (but fabricated) information
into them as possible.

(b) Do not allow legitimate users to know about or access them.

Naturally, anyone trying to access a honeypot is a potential intruder. Honeypots are armed with
sensors and loggers, which alert the administrators to any user actions.
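The detection techniques from the last three sections (audit records, threshold detection, profile-based detection, rule-based detection and the honeypot sensor) can be seen working together on one small set of records. The Python below is an added example, not part of these notes. The audit records, users, hosts, baseline counts and the decoy host name files-backup-02 are all constructed; the group threshold of 5 failed logins per hour and the 3-standard-deviation profile limit are example settings, not values from the notes.

```python
import statistics
from collections import Counter

# Constructed detection-specific audit records, one dict per event.
HONEYPOT_HOST = "files-backup-02"    # decoy; no legitimate user is told it exists
ADMINS = {"alice"}
GROUP_FAILED_LOGIN_LIMIT = 5         # threshold detection: all users as a group, per hour
PROFILE_Z_LIMIT = 3.0                # profile-based detection: std deviations from baseline


def rec(ts, user, event, host):
    return {"ts": ts, "user": user, "event": event, "host": host}


AUDIT = (
    # A burst of failed logins spread over several accounts and hosts at 02:00.
    [rec(f"2024-05-01T02:{m:02d}:00", u, "login_fail", h)
     for m, u, h in [(1, "alice", "app-01"), (3, "bob", "app-01"), (4, "carol", "db-01"),
                     (7, "alice", "db-01"), (9, "dave", "app-02"), (12, "bob", "app-02")]]
    # Normal working hours: a couple of typos, then ordinary file activity.
    + [rec("2024-05-01T09:00:00", "alice", "login_fail", "app-01"),
       rec("2024-05-01T09:00:30", "alice", "login_ok", "app-01"),
       rec("2024-05-01T09:05:00", "bob", "login_fail", "app-01"),
       rec("2024-05-01T09:05:20", "bob", "login_ok", "app-01")]
    + [rec(f"2024-05-01T10:{m:02d}:00", "alice", "file_read", "fs-01") for m in range(21)]
    # Bob reads far more files than his profile predicts and uses sudo without being an admin.
    + [rec(f"2024-05-01T11:{m:02d}:00", "bob", "file_read", "fs-01") for m in range(30)]
    + [rec("2024-05-01T11:45:00", "bob", "sudo", "app-01")]
    # Someone logs in to the decoy host.
    + [rec("2024-05-01T13:00:00", "carol", "login_ok", HONEYPOT_HOST)]
)

# Per-user baseline: file_read counts on five previous days (constructed).
PROFILE_HISTORY = {"alice": [20, 22, 19, 21, 23], "bob": [5, 6, 4, 5, 5]}


def threshold_alerts(records, limit=GROUP_FAILED_LOGIN_LIMIT):
    """Threshold detection: failed logins per hour, counted over all users together."""
    per_hour = Counter(r["ts"][:13] for r in records if r["event"] == "login_fail")
    return sorted((hour, n) for hour, n in per_hour.items() if n > limit)


def build_profiles(history):
    """Profile-based detection, step 1: mean and spread of each user's normal activity.
    The spread is floored at 1.0 so a very regular user is not flagged by tiny changes."""
    return {u: (statistics.mean(c), max(statistics.stdev(c), 1.0)) for u, c in history.items()}


def profile_alerts(records, profiles, z_limit=PROFILE_Z_LIMIT):
    """Profile-based detection, step 2: compare today's per-user counts with the profile."""
    today = Counter(r["user"] for r in records if r["event"] == "file_read")
    alerts = []
    for user, (mean, sd) in profiles.items():
        z = (today[user] - mean) / sd
        if z > z_limit:
            alerts.append((user, round(z, 1)))
    return alerts


# Rule-based detection: each rule is (name, predicate over one record).
# The honeypot rule is the sensor the notes describe: any access at all is an alert.
RULES = [
    ("honeypot access", lambda r: r["host"] == HONEYPOT_HOST),
    ("privilege use by non-admin", lambda r: r["event"] == "sudo" and r["user"] not in ADMINS),
]


def rule_alerts(records, rules=RULES):
    return [(name, r["user"], r["host"]) for r in records for name, test in rules if test(r)]


if __name__ == "__main__":
    print("threshold:", threshold_alerts(AUDIT))
    print("profile:  ", profile_alerts(AUDIT, build_profiles(PROFILE_HISTORY)))
    print("rules:    ", rule_alerts(AUDIT))
```

Each technique catches something the others miss on this data: the 02:00 burst is below any single user's limit but over the group threshold, Bob's file reads are only unusual relative to his own profile, and the honeypot login and the sudo call are single events no statistic would notice but a rule matches directly.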
