Virtual Private Network

VPN (Virtual Private Network)

A virtual private network (VPN) extends a private network across a public network, such as the Internet. It enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network, and thus are benefiting from the functionality, security and management policies of the private network. A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunneling protocols, or traffic encryption.

A VPN spanning the Internet is similar to a wide area network (WAN). From a user perspective, the extended network resources are accessed in the same way as resources available within the private network. Traditional VPNs are characterized by a point-to-point topology, and they do not tend to support or connect broadcast domains. Therefore, communication, software, and networking, which are based on OSI layer 2 and broadcast packets, such as NetBIOS used in Windows networking, may not be fully supported or work exactly as they would on a local area network (LAN). VPN variants, such as Virtual Private LAN Service (VPLS), and layer 2 tunneling protocols, are designed to overcome this limitation.

VPNs allow employees to securely access the corporate intranet while traveling outside the office. Similarly, VPNs securely connect geographically separated offices of an organization, creating one cohesive network. VPN technology is also used by individual Internet users to secure their wireless transactions, to circumvent geo-restrictions and censorship, and to connect to proxy servers for the purpose of protecting personal identity and location.

Why Use a VPN? What is the most frequent use case of a VPN?

Imagine you check in to a hotel in China. The hotel may provide a Wi-Fi service. The traffic from your phone or laptop may easily be eavesdropped on by other “fellow” tourists or by a criminal who might have embedded a sniffing tool within the hotel premises. Over and above this scenario, the hotel may itself present a proxy server or gateway through which all Internet traffic from the hotel rooms has to pass before being routed to the public Internet. This proxy server is able to inspect all your unencrypted traffic. Furthermore, some hotels might also perform a man-in-the-middle attack on your SSL sessions (you are presented with an SSL certificate issued by the hotel’s proxy server when you try to visit https://www.google.com/, for example). This would leave the proxy server able to intercept and read all your SSL traffic.

The only safe way to protect yourself in such a scenario is to use a VPN service. All the traffic originating from your mobile or laptop will be encrypted and sent to a secure remote proxy server for decryption and release onto the public Internet, protected from the prying eyes and ears in the hotel environment.

OpenVPN

OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It is published under the GNU General Public License (GPL).

OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or a username and password. When used in a multi-client server configuration, it allows the server to issue an authentication certificate for every client, using signatures and a certificate authority. It uses the OpenSSL encryption library extensively and contains many security and control features.

VPN Services

There are many VPN service providers to choose from.

An example: Private Tunnel is a commercial VPN service based on the OpenVPN platform. They provide a free VPN service for up to 500 MB. Their charging model is based on the amount of data transferred rather than monthly recurring charges. This business model of paying per GB could be a very useful option for those who only need intermittent secure Internet connections.

References:

https://en.wikipedia.org/wiki/Virtual_private_network

https://en.wikipedia.org/wiki/OpenVPN

https://openvpn.net/index.php/open-source/333-what-is-openvpn.html

http://lifehacker.com/5940565/why-you-should-start-using-a-vpn-and-how-to-choose-the-best-one-for-your-needs

http://www.techradar.com/news/networking/wi-fi/why-you-should-avoid-hotel-wi-fi-like-the-plague-1292555/2

Patch SSL Vulnerabilities in your Browser and Server

Use SSL Labs to test your browser and server for SSL vulnerabilities. The most common vulnerabilities, and how to patch them, are listed below:

1) The certificate uses a weak hashing algorithm (for example MD5 or SHA-1).

Get new SSL certificates issued with a current hashing algorithm (for example SHA-2 or SHA-3).

2) SSLv2 / SSLv3, which are vulnerable versions of SSL, are supported by the browser or server.

Update your browser to the latest version.

To mitigate server-side SSL vulnerabilities, refer to https://wiki.mozilla.org/Security/Server_Side_TLS to learn about the best SSL configuration for common server platforms.

3) Forward Secrecy is not enabled.

The ordering of the cipher suite list is very important in deciding which algorithms are selected with priority. The recommendation in the Mozilla link above prioritises algorithms that provide perfect forward secrecy.

4) Weak cipher suites are enabled.

Refer to the recommendations in the Mozilla link above for common servers.

5) Vulnerable to the SSL fallback attack.

Upgrade to a version of OpenSSL that implements TLS_FALLBACK_SCSV, which prevents an SSL protocol downgrade attack.

Note: For IBM HTTP Server, refer to this link to learn how to configure SSL. Its directives are not covered in the Mozilla link above, but the idea is to learn from the Mozilla link and implement the same configuration using the IBM proprietary directives mentioned in the IBM link.
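As an added example (not part of the original post, and not SSL Labs' or Mozilla's own tooling), the following Python script checks an Apache mod_ssl configuration fragment offline against items 2 to 5 above: SSLv2/SSLv3 still enabled, weak or over-broad cipher tokens, forward secrecy not placed first (and the server not enforcing its own order with SSLHonorCipherOrder), and whether the OpenSSL build behind Python's ssl module is from a release that implements TLS_FALLBACK_SCSV. Item 1 lives in the certificate itself rather than the server configuration, so it is not checked here. The two sample configurations are constructed for the example; the hardened one is written in the spirit of the Mozilla guidance, not copied from it. The weak-token list, the expansion of `all`, and the OpenSSL version thresholds (1.0.0o and 1.0.1j as the minimum releases) are assumptions stated in the comments.

```python
import re
import ssl

# Constructed sample of a weak Apache mod_ssl configuration (the "before").
WEAK_CONF = """\
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!aNULL:RC4-SHA:DES-CBC3-SHA
SSLHonorCipherOrder off
"""

# Constructed sample of a hardened configuration, written in the spirit of the
# Mozilla Server Side TLS guidance (not copied from it).
HARDENED_CONF = """\
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5:!RC4
SSLHonorCipherOrder on
"""

# Assumed expansion of the SSLProtocol keyword "all"; the exact set depends on
# the httpd and OpenSSL build (older builds included SSLv2), so the full set is
# modelled here to stay on the conservative side.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

# Assumed list of OpenSSL cipher-string tokens that mark weak or over-broad
# selections when they appear without a "!" or "-" prefix.
WEAK_CIPHER_MARKERS = re.compile(
    r"^(RC4|DES|3DES|MD5|NULL|aNULL|eNULL|EXP|EXPORT|ADH|AECDH|LOW|MEDIUM|ALL|DEFAULT)",
    re.IGNORECASE,
)


def parse_directives(conf):
    """Return {directive_name_lower: value} for SSL* directives; later lines win."""
    directives = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower().startswith("ssl"):
            directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def enabled_protocols(sslprotocol):
    """Evaluate an SSLProtocol value such as 'all -SSLv2 -SSLv3' or '+TLSv1.2'."""
    enabled = set()
    for token in sslprotocol.split():
        if token.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled


def lint_ssl_config(conf):
    """Return a list of findings, each keyed to the numbered item in the post."""
    d = parse_directives(conf)
    findings = []

    # Item 2: vulnerable protocol versions still enabled.
    legacy = enabled_protocols(d.get("sslprotocol", "all")) & {"SSLv2", "SSLv3"}
    if legacy:
        findings.append("2) SSLv2/SSLv3 enabled: " + ", ".join(sorted(legacy)))

    # Item 4: weak or over-broad cipher tokens selected (negated tokens are fine).
    tokens = [t for t in d.get("sslciphersuite", "DEFAULT").split(":") if t]
    positive = [t for t in tokens if not t.startswith(("!", "-"))]
    weak = [t for t in positive if WEAK_CIPHER_MARKERS.match(t)]
    if weak:
        findings.append("4) weak or over-broad cipher tokens: " + ", ".join(weak))

    # Item 3: forward secrecy only wins if (EC)DHE suites come first AND the
    # server enforces its own order; otherwise the client's preference decides.
    if not positive or not positive[0].upper().startswith(("ECDHE-", "DHE-")):
        first = positive[0] if positive else None
        findings.append("3) forward secrecy not prioritised: first suite is %r" % (first,))
    if d.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("3) SSLHonorCipherOrder is not 'on'; client preference decides the suite")
    return findings


def supports_tls_fallback_scsv(version_info):
    """Item 5: True if an OpenSSL version tuple (major, minor, fix, patch, status),
    as ssl.OPENSSL_VERSION_INFO reports it, is from a release that implements
    TLS_FALLBACK_SCSV.  Assumes 1.0.0o and 1.0.1j as the minimum releases and
    treats anything older (including the 0.9.8 branch) as needing an upgrade."""
    major, minor, fix, patch = version_info[:4]
    if (major, minor, fix) > (1, 0, 1):
        return True
    if (major, minor, fix) == (1, 0, 1):
        return patch >= 10  # patch letter 'j'
    if (major, minor, fix) == (1, 0, 0):
        return patch >= 15  # patch letter 'o'
    return False


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label + ":", lint_ssl_config(conf) or ["no findings"])
    print("this Python's OpenSSL implements TLS_FALLBACK_SCSV:",
          supports_tls_fallback_scsv(ssl.OPENSSL_VERSION_INFO))
```

Run it against the two samples and the weak fragment produces one finding per item while the hardened fragment produces none; point `lint_ssl_config` at the contents of your own httpd SSL configuration to get the same report. The checker deliberately treats cipher-string aliases such as `ALL` and `DEFAULT` as findings, because what they expand to depends on the OpenSSL build and can silently include suites the Mozilla recommendation excludes.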

References

http://unix.stackexchange.com/questions/162478/how-to-disable-sslv3-in-apache

http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566

http://stackoverflow.com/questions/26406586/how-to-enable-tls-fallback-scsv-on-apache

https://www-01.ibm.com/support/knowledgecenter/linuxonibm/liaag/wascrypt/l0wscry00_configihssslsupport.htm

http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.ihs.doc/ihs/rihs_ssldirs.html

https://developer.ibm.com/answers/questions/210626/does-ibm-http-server-support-apache-directive-sslh.html