Seamless VPN

Makoto Kayashima <kayashi@sdl.hitachi.co.jp>
Minoru Koizumi <m-koizu@sdl.hitachi.co.jp>
Tatsuya Fujiyama <fujiyama@sdl.hitachi.co.jp>
Masato Terada <terada@sdl.hitachi.co.jp>
Kazunari Hirayama <hiraya-k@soft.hitachi.co.jp>
Hitachi Ltd.
Japan

Abstract

Internet technologies are being used in various situations. Especially in the business field, the VPN (Virtual Private Network) system, which is one of the construction methods for private networks over the Internet, is gaining prominence. VPNs are currently being used for corporate networks, but we think they will also be applied to private networks for distributed departments in organizations. We think that corporate networks will then be constructed using multiple firewalls.

But currently, VPN architecture does not consider multiple firewalls, which creates some problems. We propose a "Seamless VPN," a new VPN construction method for a multiple-firewall environment. It consists of a transport layer gateway program on each firewall and a socket library for end-point clients. Each gateway has a user-based access control function, a relay circuit setup function, a user authentication function, and an end-to-end data encryption function. Using these functions, the Seamless VPN is able to construct a VPN in a multiple-firewall environment.

Keywords: VPN, Internet, intranet, information integrity, system availability, firewall, IP security, seamless.

Introduction

Technologies such as IPSec (IP Security)[1] are now being developed to provide secure communication on the Internet. Using this technology, we can build a VPN over the Internet, and at the same time increase the security of traffic on that network. A VPN can provide a good infrastructure for a low-cost corporate network (known as an intranet) (figure 1).


Figure 1. VPN environment.

If we want to share secret information and important servers, we must maintain confidentiality using encryption and also address information integrity and system availability. VPN security must therefore be provided at the firewalls, which block IP forwarding between the corporate network and the Internet and control access to it.

VPNs are currently being used for corporate networks, but we think there is a need to provide private VPNs for distributed departments in organizations. If we provide a VPN for a department within a corporate VPN, the corporate network will be constructed using multiple firewalls. But currently VPN architecture does not take multiple firewalls into consideration, which brings about some problems. In this paper, we propose a "Seamless VPN" for IP-unreachable networks and a multiple-firewall environment.

Analysis of VPN Architecture

In this section, we classify VPNs by system architecture and implementation layer.

Classification for System Architecture

We can classify VPNs by the arrangement of entities that have a data encryption/decryption function and an authentication function. We call these entities "VPN entities."
  1. Group VPN

    VPN entities with the same functions are installed in the Internet gateways of each domain; they encrypt/decrypt data and authenticate each other (figure 2). Usually the VPN entities are installed in the firewall server or router. Group VPNs are used for close connections between domains.


    Figure 2. Group VPN.

  2. Personal VPN

    The VPN entities are the two ends of a client-server system (figure 3): either a PC client and a firewall server, or a dial-up server that acts on behalf of the PC client and a firewall server. Personal VPNs are often used for mobile clients.


    Figure 3. Personal VPN.

Classification for Implementation Layer

We can classify VPN systems by the implementation method of the data encryption/decryption function.
  1. Network layer VPN

    Data encryption is applied by encapsulating IP packets (figure 4). Mutual authentication between entities is executed either at the start of a session or by an authentication header added to each packet. Network layer VPNs can carry any protocol that runs over IP.


    Figure 4. Principle of encapsulation.

  2. Transport layer VPN

    Transport layer VPNs use a special protocol that provides data encryption/decryption and authentication. Usually, authentication between entities is executed at the start of a session.

Table 1 classifies systems by system architecture and implementation layer. Most VPN systems are network layer VPNs.

Table 1. System classification

                         Group VPN     Personal VPN
    Network Layer VPN    IPSec[1]      IPSec[1]
                                       PPTP[2]
    Transport Layer VPN  -             SSL[3]
                                       Socks V5[4]
                                       Seamless VPN

Problems with the Multiple-Firewall Environment

VPNs are currently being used for corporate networks, but we think there is a need to provide private VPNs for distributed departments in organizations. We think that the corporate network will then be constructed using multiple firewalls. In this subsection, we explain some problems that occur when current VPNs are used in this environment.
  1. Independence from network topology

    To construct private VPNs for distributed departments in organizations, we must install firewalls to protect the subnetworks. (We call these firewalls "internal firewalls.") These internal firewalls are not IP reachable from the Internet, because another firewall partitions the private network from the Internet (figure 5). (We call this firewall the "external firewall.") Network layer VPNs deliver packets by IP reachability, so a VPN cannot be constructed in this environment.


    Figure 5. Problem of IP unreachability.

  2. Packet transform efficiency

    If we want to construct a VPN between subnetworks inside a corporate VPN, packets must be encapsulated repeatedly, as shown in figure 6. (1) Multiple encapsulation brings a loss of efficiency: the packet data size grows with each layer, and encryption processing is performed more than once. (2) Data encryption/decryption is computationally expensive; if it is executed at a traffic concentration point such as the external firewall, the performance of the external firewall declines.


    Figure 6. Problem of performance.

Seamless VPN

Seamless VPN aims to provide a secure and transparent communication channel over the Internet. Users of the Seamless VPN need not be conscious of multiple firewalls that partition an organization's network.


Figure 7. Seamless VPN environment.

To provide secure and transparent access in a VPN, the Seamless VPN has an access control mechanism based on user authentication, a data encryption mechanism based on per-user key management, and a communication routing control mechanism. A transport layer gateway program, called hs-gw, and a socket library module with security functions for client applications, called secure socket, together provide secure access to all TCP-based network services.

Components

The Seamless VPN system components (figure 8) have the following functions:

  1. User-based access control
  2. Relay circuit setup
  3. User authentication
  4. End-to-end data encryption/decryption

Figure 8. System components.

There may be multiple hs-gws on the route between client and server. The hs-gw that is directly connected to the server is called the "terminal hs-gw."

Function

User-based access control

Hs-gw controls the access of the server by using an access control list (figure 9). The access control list has the following parameters:
  1. The addresses of source and destination
  2. Service name or port number
  3. User ID

Figure 9. Access control method.

Using these parameters, hs-gw provides IP address-based access control, service-based access control, and user-based access control.

Relay circuit setup

With this function, each hs-gw relays the client's connection to the next hs-gw on the route toward the server, so the Seamless VPN can set up a relay circuit across a multiple-firewall environment even where the terminal hs-gw is not IP reachable from the client.

User authentication

To provide user-based access control, the Seamless VPN uses the entity authentication mechanism specified in ISO/IEC 9798[5]. If there are multiple hs-gws on the route between client and server, every hs-gw authenticates the client user and controls access according to the authentication result (figure 11).


Figure 11. Authentication sequence.

End-to-end data encryption

The Seamless VPN encrypts communication data from the client to the terminal hs-gw. The data encryption/decryption process is executed for only the client and the terminal hs-gw (figure 12).


Figure 12. End-to-end data encryption.

The client and the terminal hs-gw each generate the session key from information shared during the authentication process, so no separate key exchange is needed. Because data is encrypted only once, end to end, the packet data size stays bounded regardless of how many firewalls are traversed.
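As an added example (not the paper's hs-gw or secure socket code), the following Python model puts the four functions of this section together: the access control list of figure 9, the hop-by-hop user authentication of figure 11, relay circuit setup through two hs-gws, and end-to-end encryption between the client and the terminal hs-gw. The gateway names, addresses, rules, user keys, the HMAC-based challenge/response and the HMAC-derived keystream cipher are all assumptions made for illustration; the paper specifies ISO/IEC 9798 authentication but none of these primitives.

```python
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass

SERVICES = {"ssh": 22, "http": 80, "https": 443}  # service-name table (constructed)
TAG_LEN = 16  # bytes of authentication tag appended to each sealed record

@dataclass(frozen=True)
class Rule:
    """One hs-gw ACL entry with the parameters of figure 9: addresses, service, user ID."""
    src: str      # IP network in CIDR form, or "any"
    dst: str
    service: str  # service name, port number as a string, or "any"
    user: str     # user ID, or "any"

def rule_permits(rule, src, dst, port, user):
    """Match one rule; the gateway denies anything that no rule permits."""
    def net_ok(pattern, addr):
        return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)
    svc = rule.service
    port_ok = svc == "any" or (int(svc) if svc.isdigit() else SERVICES[svc]) == port
    return net_ok(rule.src, src) and net_ok(rule.dst, dst) and port_ok and rule.user in ("any", user)

def auth_token(user_key, nonce, gw_name):
    # Keyed-MAC challenge/response (ISO/IEC 9798-4 style). Assumption: the paper cites Part 2;
    # its cipher-based token is replaced by an HMAC here so the example needs only the stdlib.
    return hmac.new(user_key, nonce + gw_name.encode(), hashlib.sha256).digest()

def session_key(user_key, nonce):
    # Client and terminal hs-gw both hold the user key and the terminal's nonce, so both derive this.
    return hmac.new(user_key, b"seamless-session" + nonce, hashlib.sha256).digest()

def seal(key, counter, data):
    """Encrypt-then-MAC with an HMAC-derived keystream (illustrative stand-in for a real cipher)."""
    ctr = counter.to_bytes(8, "big")
    stream = b"".join(hmac.new(key, ctr + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return ct + hmac.new(key, ctr + ct, hashlib.sha256).digest()[:TAG_LEN]

def unseal(key, counter, blob):
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, counter.to_bytes(8, "big") + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("bad tag")
    return seal(key, counter, ct)[:-TAG_LEN]  # the XOR keystream is its own inverse

class Client:
    def __init__(self, user, key, addr):
        self.user, self.key, self.addr = user, key, addr

    def respond(self, nonce, gw_name):
        return auth_token(self.key, nonce, gw_name)

class HsGw:
    def __init__(self, name, rules, user_keys, next_hop=None):
        self.name, self.rules, self.user_keys, self.next_hop = name, rules, user_keys, next_hop
        self.last_nonce, self.relayed = {}, []  # relayed: blobs forwarded without decryption

    def admit(self, client, dst, port):
        """Authenticate the user, then apply the ACL; every hs-gw on the route does this."""
        nonce, key = os.urandom(16), self.user_keys.get(client.user)
        if key is None or not hmac.compare_digest(
                auth_token(key, nonce, self.name), client.respond(nonce, self.name)):
            raise PermissionError(f"{self.name}: authentication of {client.user} failed")
        if not any(rule_permits(r, client.addr, dst, port, client.user) for r in self.rules):
            raise PermissionError(f"{self.name}: access denied by ACL")
        self.last_nonce[client.user] = nonce
        return nonce

def open_circuit(client, first_gw, dst, port):
    """Relay circuit setup: admit the user at each hop; return the terminal hs-gw and session key."""
    gw, terminal, nonce = first_gw, None, None
    while gw is not None:
        nonce, terminal, gw = gw.admit(client, dst, port), gw, gw.next_hop
    return terminal, session_key(client.key, nonce)

def demo():
    """Constructed topology: external firewall -> internal (terminal) firewall -> server 10.1.2.3."""
    k_alice, k_bob = os.urandom(32), os.urandom(32)
    users = {"alice": k_alice, "bob": k_bob}
    internal = HsGw("int-fw", [Rule("any", "10.1.2.3", "ssh", "alice")], users)
    external = HsGw("ext-fw", [Rule("any", "10.1.0.0/16", "any", "any")], users, next_hop=internal)
    alice = Client("alice", k_alice, "203.0.113.5")
    terminal, ck = open_circuit(alice, external, "10.1.2.3", 22)
    msg = b"SSH-2.0-client\r\n"
    blob = seal(ck, 0, msg)
    external.relayed.append(blob)  # the external firewall forwards the record without decrypting it
    tk = session_key(terminal.user_keys["alice"], terminal.last_nonce["alice"])  # terminal's copy
    out = {"terminal": terminal.name, "overhead": len(blob) - len(msg), "keys_agree": ck == tk,
           "delivered": unseal(tk, 0, blob), "ext_saw_plaintext": msg in external.relayed[0]}
    for label, who in (("bob", Client("bob", k_bob, "203.0.113.6")),
                       ("impostor", Client("alice", os.urandom(32), "203.0.113.5"))):
        try:
            open_circuit(who, external, "10.1.2.3", 22)
            out[label] = "admitted"
        except PermissionError as e:
            out[label] = str(e)
    return out
```

Running demo() shows the properties the paper claims for this design: the sealed record grows by one authentication tag no matter how many hs-gws it crosses, the external firewall only forwards ciphertext and never derives the session key, and a user who authenticates at the external firewall but is absent from the terminal hs-gw's ACL is refused at that hop, while a client presenting the wrong user key is refused at the first hop.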

Conclusions

The Seamless VPN solves the following problems in a multiple-firewall environment:
  1. Independence from network topology

    Using the routing control function of hs-gw, we can create a secure path in an IP-unreachable network environment.

  2. Packet transform efficiency

    In the Seamless VPN, the data encryption/decryption process is executed only by the client and the terminal hs-gw; thus there is no loss of efficiency (the packet data size does not increase with the number of firewalls traversed). Moreover, the hs-gw on the external firewall does not execute the encryption/decryption process, so the performance of the external firewall does not decline.

References

  1. R. Atkinson. Security Architecture for the Internet Protocol (RFC1825).
  2. Kory Hamzeh et al. Point-to-point Tunneling Protocol --PPTP (draft-ietf-pppext-pptp-00.txt).
  3. Alan O. Freier et al. The SSL Protocol Version 3.0 (draft-freier-ssl-version3-01.txt).
  4. M. Leech et al. SOCKS Protocol Version 5 (RFC1928).
  5. ISO. Information technology - Security techniques - Entity authentication mechanisms - Part 2, 1991.