Abstract: Virtual Private Network (VPN) usage has grown in the last couple of
years due to the increasing need for more private, secure and anonymous
connections. VPN providers claim to meet the needs of anonymity, privacy and
security, but the question is how well they live up to that claim. Since VPN
services claim to provide secure user access and are less expensive than a
dedicated leased line, they have become more attractive to enterprises. However,
there are still many concerns regarding VPNs. VPN services are not as secure as
they claim to be, and they can be unreliable for end users. This paper therefore
introduces VPN, how it works, and different types of VPN protocols such as
Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and
OpenVPN; tries to address various security issues of VPN services; analyzes their
claims of privacy and security; discusses how VPN services suffer from IPv6
leakage; and finally explores possible solutions and alternatives for these
vulnerabilities.
1.0 Introduction: In brief, a Virtual Private Network (VPN) is a secured,
encrypted connection between a user and a service provider designed to keep the
communications private. The encryption provides data confidentiality. VPN uses a
tunneling mechanism to encapsulate encrypted data into a secure tunnel. VPN
tunneling requires establishing a network connection and maintaining that
connection. There are various types of tunneling protocols, which will be
discussed later. VPN also claims to provide data integrity. When we browse the
Internet, our computer sends a request for a specific page; that request goes to
our ISP's server, the ISP translates the requested domain name into an IP
(Internet Protocol) address and requests the page on our behalf, and finally
sends the results back to our computer. What a VPN does is replace our IP
address with that of the VPN 1. However, a VPN does more than that; otherwise it
wouldn't be any different from a proxy server, which is very insecure because
whatever is sent through a proxy can simply be read by anyone who wants to. The
reason is that a proxy doesn't use any encryption. This is what makes a VPN
different from a proxy server: it builds a supposedly secure tunnel between our
computer and the VPN server. All our traffic is routed through this tunnel and
no one can check what's going on there because it is protected by one or several
layers of encryption, which means that the VPN service itself cannot know what we
are up to, since they are supposed to have a "no logs" policy in place. Most
decent services will not keep your logs (except maybe for some basic information,
known as metadata), though sadly enough there are plenty of unscrupulous
services out there, too 2.
As explained in 3, VPNs provide a means for organizations and individuals to
connect their various resources over the Internet (a very public network)
without making those resources available to the public, instead making them
available only to those that are part of the VPN. VPNs let such users have
resources scattered all over the world and still be connected as though they
were all in the same building on the same network, with all the ease of use and
benefits of being interconnected in such a manner. Normally, without a VPN, if
such a private connection were desired, the company would have to expend
considerable resources in finances, time, training, personnel, hardware and
software to set up dedicated communication lines. These dedicated connections
could use a variety of technologies such as 56k leased lines, dedicated ISDN,
dedicated private T1/T3 connections and so on, satellite, microwave and other
wireless technologies. Setting up an organization's private network over these
dedicated connections tends to be very expensive. With a VPN, the company can
use its existing Internet connections and infrastructure (routers, servers,
software, etc.) and basically "tunnel" or "piggyback" its private network inside
the public network traffic, realizing considerable savings in resources and
costs compared to dedicated connections. A VPN solution is also able to provide
more flexible options to remote workers: instead of only dial-up speeds and
choices, they can connect from anywhere in the world for just the cost of their
Internet connection, at whatever speed their ISP provides.

Many VPN technologies have been developed in recent years, and many more are on
the way. They vary widely from simple to very difficult to set up and
administer, from free to very expensive, from light security to much heavier
protection, from software based to dedicated hardware solutions, and even some
managed service providers (for example www.devtodev.com or www.iss.net) are now
entering the market to increase the VPN choices available. Most VPNs operate
using various forms of "tunneling" combined with many choices for encryption and
authentication. In this document "tunneling" is over IP based networks, though
other technologies exist as well (such as ATM based). This document will focus
on technologies that deliver VPN solutions over IP based networks, refer to them
generically as "public" or "Internet" based networks, and only delve into the
specific "carrier" protocol when appropriate (IPX, ATM and other protocols are
also used, but as IP has become quite dominant, many are now focused on IP).
This document will only cover IPv4, not IPv6. Use of MS PPTP over 802.11b
wireless technologies will also be briefly covered.

The data of the "private network" is carried or "tunneled" inside the public
network packet; this also allows other protocols, even normally "non-routable"
protocols, to become usable across widely dispersed locations. For example,
Microsoft's legacy NetBEUI protocol can be carried inside such a tunnel, and
thus a remote user is able to act as part of the remote LAN, or two small LANs
in two very different locations would actually be able to "see" each other and
work together over many hops of routers, and still function, with a protocol
that normally would not route across the Internet, although there are many
consequences in trying to stretch such a protocol beyond its intended use.

Tunneling in and of itself is not sufficient security. For example, let's use
IP as the carrier public protocol, carrying IPX inside as the private protocol.
Anyone sniffing the "public" network's packets could easily extract the clear
text information of the IPX packets carried within the IP packets. This means
that sufficient encryption of the carried IPX packets is necessary to protect
their data. These two technologies suffice to provide a basic VPN, but it will
be weak if a third component is missing or lax (as we will show in various
examples throughout this document). This third component would be anything
related to authentication, traffic control and related technologies. If there
aren't sufficient authentication technologies in place, then it is quite simple
for an intruder to intercept various VPN connections and "hijack" them with
"man/monkey in the middle attacks", easily capturing all data going back and
forth between the VPN nodes, and eventually being able to compromise data, and
potentially all networks and their resources, connected by the VPN. This
document is based on research and lab testing performed from March 1st through
June 30th, 2002. The setup of the lab will also be briefly detailed to assist
others who may wish to go into greater depth with this testing, and to help
clarify under what circumstances the lab information was gathered.
2.0 Literature review: A recent report 4 suggested that VPNs are not as secure
as they claim to be. VPN services claim that they provide privacy and anonymity.
The authors studied these claims in a number of the most popular VPN services,
investigating their internals and infrastructure. They tested the VPNs using two
kinds of attacks: passive monitoring and DNS hijacking. Passive monitoring is
when a user's unencrypted information is collected by a third party, and DNS
hijacking is when the user's browser is redirected to a web server under the
attacker's control which pretends to be a popular site like Twitter 5. What
their experiment revealed is alarming: most of the VPN services suffer from IPv6
traffic leakage, and most of them leaked information, not only about the
websites visited but also about the user. They went on to study mobile platforms
that use VPNs and found that these platforms are much more secure when iOS is
used, but were vulnerable when Android is used. They also described more
sophisticated DNS hijacking attacks that allow all traffic to be transparently
captured. To make things worse, most of the VPNs that were part of the
experiment used Point-to-Point Tunneling Protocol with MS-CHAPv2 authentication,
which, according to TechReport, makes them vulnerable to brute-force attacks 6.
Akamai argued that VPNs are not a wise security solution and that they can be a
drawback for third-party remote access. If an institution regularly interacts
with third parties who need remote access to enterprise applications hosted in
its hybrid cloud, a VPN is not a good solution: why hand over access to the
whole network to a third party when that party only needs access to a specific
application? Usually, a third party needs access only to a specific program for
a specific amount of time. Configuring and deploying separate subnets for other
parties takes a lot of time, and on top of that, monitoring users and adding
users are all time consuming. So clearly this is a drawback.
VPN services are considered a way of transferring private data, and they are
well known across the world. However, recently 7 the SOX mandates have urged
organizations to install end-to-end VPN security, which can only mean one thing:
the VPN is no longer enough by itself. Moreover, VPN systems cannot be managed
easily, and maintaining the security of the clients is also a complicated
process, since it requires keeping the clients up to date.
Another report 8 revealed that 90% of SSL VPNs use age-old encryption methods,
which will eventually put corporate data at risk. An Internet-wide survey of
publicly accessible SSL VPN servers was conducted by HTB (High Tech Bridge).
From four million randomly selected IPv4 addresses, including popular suppliers
such as Cisco, 10,436 randomly selected publicly available SSL VPN servers were
scanned, which revealed the following:
1. A few SSL VPN services still offer SSLv2, and approximately 77% of SSL VPN
services use the SSLv3 protocol, which is now considered obsolete. Both of these
protocols have various vulnerabilities and both are unsafe.
2. 76 per cent of SSL VPNs use an untrusted SSL certificate, which might result
in man-in-the-middle attacks.
3. Similarly, 74 per cent of certificates have an insecure SHA-1 signature,
while five per cent make use of even older MD5 technology. By 1 January 2017,
the majority of web browsers plan to deprecate and stop accepting SHA-1 signed
certificates, since the ageing technology is not strong enough to withstand
4. 41 per cent of SSL VPNs use insecure 1024-bit keys for their RSA
certificates. The RSA certificate is used for authentication and encryption key
exchange. RSA key lengths below 2048 bits are considered insecure because they
open the door to attacks, some based on advances in code breaking and
cryptanalysis.
5. 1% of SSL VPNs that use OpenSSL are vulnerable to Heartbleed. This
vulnerability was found in 2014 and affected all products that use OpenSSL. It
allowed hackers to retrieve personal data like encryption keys.
6. 97% of the examined SSL VPNs do not fulfil the PCI DSS requirements, and
none of them were compliant with
3.0 VPN categories:
VPNs can be categorized as follows:
1. A firewall-based VPN is one that is equipped with both firewall and
VPN capabilities. This type of VPN makes use of the security mechanisms in
firewalls to restrict access to an internal network. The features it provides
include address translation, user authentication, real time alarms and
2. A hardware-based VPN offers high network throughput, better
performance and more reliability, since there is no processor overhead.
However, it is also more expensive.
3. A software-based VPN provides the most flexibility in how traffic is
managed. This type is suitable when VPN endpoints are not controlled by the
same party, and where different firewalls and routers are used. It can be used
with hardware encryption accelerators to enhance performance.
4. An SSL VPN 3 allows users to connect to VPN devices using a web
browser. The SSL (Secure Sockets Layer) protocol or TLS (Transport Layer
Security) protocol is used to encrypt traffic between the web browser and the
SSL VPN device. One advantage of using SSL VPNs is ease of use, because all
standard web browsers support the SSL protocol, therefore users do not need to
do any software installation or configuration.
3.1.0 VPN Tunneling:
There are two types of tunneling that are commonly used:
In voluntary tunneling, the VPN client manages connection setup. The client
first makes a connection to the carrier network provider (an ISP in the case of
Internet VPNs). Then, the VPN client application creates the tunnel to a VPN
server over this live connection.
In compulsory tunneling, the carrier network provider manages VPN connection
setup. When the client first makes an ordinary connection to the carrier, the
carrier in turn immediately brokers a VPN connection between that client and a
VPN server. From the client's point of view, VPN connections are set up in just
one step, compared to the two-step procedure required for voluntary tunnels.
VPN tunneling authenticates clients and associates them with specific VPN
servers using logic built into the broker device. This network device is
sometimes called the VPN Front End Processor (FEP), Network Access Server (NAS)
or Point of Presence Server (POS) 9.
3.2.0 Tunneling Protocols:
Several computer network protocols have been implemented specifically for use
with VPN tunnels. There are a few tunneling protocols, but the three most popular
VPN tunneling protocols listed below 9 continue to compete with each other for
acceptance in the industry. These protocols are generally incompatible with
3.2.1 Point-to-Point Tunneling Protocol (PPTP):
Several corporations worked together to create the PPTP specification. People
generally associate PPTP with Microsoft because nearly all flavors of Windows
include built-in client support for this protocol. The initial releases of PPTP
for Windows by Microsoft contained security features that some experts claimed
were too weak for serious use. Microsoft continues to improve its PPTP support,
though.
3.2.2 Layer Two Tunneling Protocol (L2TP):
The original competitor to PPTP for VPN tunneling was L2F, a protocol
implemented primarily in Cisco products. In an attempt to improve on L2F, the
best features of it and PPTP were combined to create a new standard called L2TP.
Like PPTP, L2TP exists at the data link layer (Layer Two) in the OSI model,
hence the origin of its name.
3.2.3 Internet Protocol Security (IPsec):
IPsec is actually a collection of multiple related protocols. It can be used as
a complete VPN protocol solution or simply as the encryption scheme within L2TP.
3.3.0 Concerns of VPN:
The following are the potential risks of VPN 10:
3.3.1 Hacking Attack: A client machine may become a target of attack, or a
staging point for an attack, from within the connecting network. An intruder
could exploit bugs or misconfiguration in a client machine, or use other types
of hacking tools to launch an attack. These can include VPN hijacking or
man-in-the-middle attacks:
1. VPN hijacking is the unauthorized take-over of an established VPN connection
from a remote client, and impersonating that client on the connecting network.
2. Man-in-the-middle attacks affect traffic being sent between communicating
parties, and can include interception, insertion, deletion and modification of
messages, reflecting messages back at the sender, replaying old messages and
redirecting messages.
USER AUTHENTICATION: By default a VPN does not provide or enforce strong user
authentication. A VPN connection should only be established by an authenticated
user. If the authentication is not strong enough to restrict unauthorized
access, an unauthorized party could access the connected network and its
resources. Most VPN implementations provide limited authentication methods. For
example, PAP, used in PPTP, transports both user name and password in clear
text. A third party could capture this information and use it to gain subsequent
access to the network.
3.3.2 CLIENT SIDE RISKS: The VPN client machines of, say, home users may be
connected to the Internet via a standard broadband connection while at the same
time holding a VPN connection to a private network, using split tunneling. This
may pose a risk to the private network being connected to. A client machine may
also be shared with other parties who are not fully aware of the security
implications. In addition, a laptop used by a mobile user may be connected to
the Internet via a wireless LAN at a hotel, an airport or other foreign
networks. However, the security protection in most of these public connection
points is inadequate for VPN access. If the VPN client machine is compromised,
either before or during the connection, this poses a risk to the connecting
network.
NETWORK ACCESS: Granting more access rights than needed to clients or networks
INFECTIONS: If any client is malware infected, the connecting network might get
compromised as well unless it is protected with an effective anti-virus
INTEROPERABILITY: IPsec compliant software from two different vendors may not
always be able to work together, so interoperability is also a concern.
As we find ourselves relying more and more on cloud services and multiple
devices all connected to the Internet, it is vital that we stay informed and
take steps to ensure our privacy online. VPN services claim to offer a private,
secure network. There are a few VPN technologies, among which IPsec and SSL VPN
are the most popular. However, there are many vulnerabilities that need to be
addressed. A report suggested that the NSA had the ability to remotely extract
confidential keys from Cisco VPNs for over a decade, Mustafa Al-Bassam, a
security researcher at payments processing firm Secure Trading, told Ars 11.
"This explains how they were able to decrypt thousands of VPN connections per
minute as shown in documents previously published by Der Spiegel." So, careful
consideration must be given to the risk involved. Security features such as
support for strong authentication, support for anti-virus software and
intrusion detection, industry-proven strong encryption algorithms and so on
need to be considered if we decide to go for a VPN product.
5.0 Future work:
The following can be implemented when deploying a VPN for more secure and
1. Installing an intrusion detection system.
2. Using a firewall.
3. Installing anti-virus software on both clients and servers, in case either
end is infected with a virus.
4. VPN connections should have secured and managed
5. Network connections should be recorded.
6. The logs should be reviewed regularly.
7. Network administrators and supporting staff should be trained so that they
can implement VPNs properly.
8. To protect the internal network, the VPN entry point should be placed in a
Demilitarized Zone (DMZ).
9. During a VPN connection, split tunneling should be avoided when
simultaneously accessing the Internet or any other network that is not secure.
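The IPv6 leakage and DNS hijacking findings reviewed earlier, and the split
tunneling risk in item 9 above, can be checked on a client machine from its own
routing tables. The following is an added example and not code from this paper
or from any VPN product: it parses the text output of Linux `ip -4 route show`
and `ip -6 route show`, assumes the tunnel interface is named tun0, and runs on
constructed route tables and a constructed resolver address.

```python
# Added example (not from the paper or any VPN product): reads Linux `ip route show`
# text; tun0 is the assumed tunnel interface; all route tables below are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    dst: object    # ipaddress.IPv4Network or IPv6Network
    dev: object    # egress interface name, or None
    onlink: bool   # "scope link": directly attached subnet, no gateway


def parse_routes(text, family):
    """Parse `ip route show` lines; 'default' becomes the zero-length prefix."""
    routes = []
    for parts in (line.split() for line in text.strip().splitlines() if line.strip()):
        dst = parts[0]
        if dst == "default":
            dst = "0.0.0.0/0" if family == 4 else "::/0"
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        onlink = "scope" in parts and parts[parts.index("scope") + 1] == "link"
        routes.append(Route(ipaddress.ip_network(dst, strict=False), dev, onlink))
    return routes


def tunnel_carries_default(routes, vpn_dev, family):
    """True if all traffic of this family enters the tunnel: a default route via the
    tunnel, or the two /1 halves OpenVPN-style clients install, which shadow the
    provider's default route by longest-prefix match without deleting it."""
    whole = ipaddress.ip_network("0.0.0.0/0" if family == 4 else "::/0")
    via_vpn = {r.dst for r in routes if r.dev == vpn_dev}
    return whole in via_vpn or set(whole.subnets(prefixlen_diff=1)) <= via_vpn


def egress_dev(routes, ip):
    """Longest-prefix match: the interface a packet to `ip` leaves through."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if r.dst.version == addr.version and addr in r.dst]
    return max(hits, key=lambda r: r.dst.prefixlen).dev if hits else None


def audit(v4_table, v6_table, nameservers, vpn_dev="tun0"):
    """Return finding codes for the client's routing and resolver state (empty = clean)."""
    v4, v6 = parse_routes(v4_table, 4), parse_routes(v6_table, 6)
    findings = []
    if not tunnel_carries_default(v4, vpn_dev, 4):
        findings.append("ipv4-not-tunnelled")
    # IPv6 leak: an IPv6 default route exists but bypasses the tunnel, so every site
    # with an AAAA record is reached directly. No IPv6 default route means no leak.
    if any(r.dst.prefixlen == 0 for r in v6) and not tunnel_carries_default(v6, vpn_dev, 6):
        findings.append("ipv6-leak")
    # Split tunnel: a non-default IPv4 prefix routed out of a physical interface.
    # Attached subnets and the /32 host route to the VPN server itself are expected.
    findings += [f"split-tunnel:{r.dst}" for r in v4
                 if r.dev != vpn_dev and not r.onlink and 0 < r.dst.prefixlen < 32]
    # Resolver reached outside the tunnel: its queries cross the access network in
    # the clear, which is the position from which DNS hijacking is carried out.
    findings += [f"dns-outside-tunnel:{ns}" for ns in nameservers
                 if egress_dev(v4 if ipaddress.ip_address(ns).version == 4 else v6, ns) != vpn_dev]
    return findings


# Constructed sample: IPv4 is tunnelled OpenVPN-style, but the router-advertised
# IPv6 default route and the DHCP-supplied resolver 192.168.1.1 still use Wi-Fi.
LEAKY_V4 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.0.2.10 via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
LEAKY_V6 = """\
fe80::/64 dev wlan0 proto kernel metric 256
default via fe80::1 dev wlan0 proto ra metric 600
"""
```

Running `audit(LEAKY_V4, LEAKY_V6, ["192.168.1.1"])` on the constructed sample reports the IPv6 leak and the resolver reached outside the tunnel, while a table whose IPv6 default route also points at tun0 reports nothing.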
1. J. Crace. "VPN Security: What You Need to Know." Cloudwards, 25 Sept, 2017.
Online. Available: www.cloudwards.net/vpn-security-what-you-need-to-know/.
2. O'Sullivan. "Beginners Guide: What Is a VPN?" 3 Dec, 2017.
3. H. Robinson. "Microsoft PPTP VPN Vulnerabilities Exploits in Action."
August 22nd 2002.
4. G. Tyson. "A Glance through the VPN Looking Glass: IPv6 Leakage and DNS
Hijacking in Commercial VPN clients."
5. K. Noyes. "Beware, VPN users: You may not be as safe as you think you are."
1 July, 2015. Online. Available:
https://www.pcworld.com/article/2943472/vpn-users-beware-you-may-not-be-as-safe-as-you-think-you-are.html.
6. J. Martindale. "Many big VPNs have glaring security problems." July 1, 2015.
Online. Available: https://www.digitaltrends.com/computing/commercial-vpn-huge-security-flaws/.
7. R. Harrell. "VPN security: Where are the vulnerabilities?" October, 2005.
Online. Available: http://searchenterprisewan.techtarget.com/tip/VPN-security-Where-are-the-vulnerabilities.
8. J. Leyden. "90% of SSL VPNs are 'hopelessly insecure', say researchers."
26 February, 2016. Online.
9. B. Mitchell. "VPN Tunnels Tutorial." July 21, 2017. Online. Available:
10. The Government of the Hong Kong Special Administrative Region. VPN SECURITY.
February, 2008.
11. D. Goodin. "How the NSA snooped on encrypted Internet traffic for a decade."
August 20, 2016. Online. Available:
https://arstechnica.com/information-technology/2016/08/cisco-firewall-exploit-shows-how-nsa-decrypted-vpn-traffic/.