Issues on Blocking VPN Access from Networks

People love using VPNs for a variety of reasons, but if you’re the administrator of any network they can be a real problem. Of course, the primary function of a VPN is security, and if users simply used the VPN to encrypt and secure their data then that would be fine. However, in reality what you’ll find is users connecting through a VPN in order to bypass blocks or access sites normally restricted by your network rules. Using a VPN service to watch UK TV is a common issue on our US/European network.

The problem is that these sites and activities are blocked for a reason. Having twenty people streaming the latest episode of ‘Strictly’ over the company’s network uses the same bandwidth as about 100 ordinary users simply working. It doesn’t matter that the traffic is being carried over the VPN; it still uses our own bandwidth to deliver it to the client. So it’s hardly surprising that we need to restrict the use of these VPN clients and the issues they cause. Here’s an example of what people can use these VPN services to do and the problems we can have in blocking them –

As you can see in this particular VPN service, called Identity Cloaker, there are lots of configuration options which can be used to hide the use of the service. Most of the recommended measures rely on blocking the standard footprints of a VPN service, but when the user is able to switch outgoing ports and create a non-standard configuration it becomes much harder.

There is little in the data you can pick up on, so content filters are pretty much useless. The problem here is that most VPN traffic is encrypted, so that even the destination address is hidden (although obviously not the outer IP address of the VPN server). It’s simple to block web-based proxies and VPN services by restricting access to their URLs, but these clients are much more difficult.

As you can see, most services offer the option to switch between hundreds of different IP addresses, even doing so automatically. Another way to identify a simple proxy or VPN is to look for consistent traffic patterns and single IP addresses. Filtering access to a VPN service which automatically switches server and IP address every few minutes is extremely difficult. Unless they do something with a distinct pattern and very heavy usage, like anonymous torrenting, any footprint is almost impossible to detect.

Most administrators adopt an attitude of blocking the simplest VPN access and leaving it at that. The reality is that a technical user running a sophisticated VPN service like Identity Cloaker is going to be very difficult to stop. You should rely on enforcing user policies within the network and stressing the penalties if people are found using such services.

One other method to consider is ensuring that most users are not able to install or configure VPN clients on their local laptops or computers. This can normally be enforced very easily, particularly in Windows environments: configure local user policy and apply restrictive Group Policy settings to remove admin access from users. Unfortunately programs like Identity Cloaker also come with a ‘lite’ version which doesn’t need installing and can be run directly from a single executable. It can even be run from a memory stick and still interact with the network stack on the local computer.
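As an added example (not from the original post), here is a defender-side heuristic over flow records for the pattern described above: long-lived, high-volume flows to non-web ports, often to a rotating set of peers. The internal ranges, thresholds and flow records are constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address ranges treated as "inside" the network (an assumption for the example).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_PORTS = {80, 443}  # a tunnel configured to use these ports is not caught by this rule


@dataclass
class Flow:
    src: str      # client address
    dst: str      # peer address
    dport: int    # destination port
    proto: str    # "tcp" or "udp"
    bytes: int    # bytes sent by src
    seconds: int  # flow duration


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def tunnel_profile(flows, min_seconds=120, min_bytes=5_000_000):
    """For each internal client return (share, peers): share is the fraction of its
    outbound bytes carried by long-lived, high-volume flows to non-web ports, and
    peers is the set of external addresses those flows went to. Several peers on
    the same port with similar volume is the 'server switching' pattern."""
    total, tunnel, peers = defaultdict(int), defaultdict(int), defaultdict(set)
    for f in flows:
        if not is_internal(f.src) or is_internal(f.dst):
            continue  # only outbound internal -> external traffic is of interest
        total[f.src] += f.bytes
        if f.seconds >= min_seconds and f.bytes >= min_bytes and f.dport not in WEB_PORTS:
            tunnel[f.src] += f.bytes
            peers[f.src].add(f.dst)
    return {c: ((tunnel[c] / total[c]) if total[c] else 0.0, frozenset(peers[c]))
            for c in total}


def suspects(flows, min_share=0.7):
    """Clients whose traffic is dominated by tunnel-like flows. A human still has
    to rule out sanctioned VPNs, long SSH sessions and backup jobs."""
    return sorted(c for c, (share, _) in tunnel_profile(flows).items() if share >= min_share)


# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 5555, "udp", 60_000_000, 300),
    Flow("10.0.0.5", "203.0.113.22", 5555, "udp", 55_000_000, 300),
    Flow("10.0.0.5", "198.51.100.7", 1194, "udp", 70_000_000, 290),
    Flow("10.0.0.5", "93.184.216.34", 443, "tcp", 2_000_000, 30),
    Flow("10.0.0.5", "10.0.0.1", 53, "udp", 1_000, 1),               # internal DNS, ignored
    Flow("10.0.0.7", "93.184.216.34", 443, "tcp", 900_000, 12),
    Flow("10.0.0.7", "203.0.113.50", 80, "tcp", 400_000, 5),
    Flow("10.0.0.7", "203.0.113.51", 443, "tcp", 30_000_000, 600),   # plain HTTPS stream
    Flow("10.0.0.9", "198.51.100.9", 22, "tcp", 800_000, 3600),      # small, long SSH session
]

if __name__ == "__main__":
    for client, (share, peers) in sorted(tunnel_profile(SAMPLE_FLOWS).items()):
        print(f"{client}: {share:.0%} tunnel-like bytes to {sorted(peers)}")
    print("suspects:", suspects(SAMPLE_FLOWS))
```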

Network Layer Switches

Network switches play a critical role in the performance of local area networks. They may be used in private networks like an intranet or extranet, segmenting the network into more manageable sections. The resulting networks are known as HFC; please see the glossary for definitions. Setting up a sizable computer network can be an intimidating undertaking, and one needs an in-depth understanding of the role of every networking device to construct an efficient network. Thus, it is responsible for setting up the essential network for transferring data from one user to another. In truth, it is the largest SDH-based transport network on earth. It establishes a connection to the device by choosing the essential service or application.

Packet routing is an essential task in order to prevent congestion. When a data packet needs to reach a specific destination, it must traverse these networks. The file transfer protocol supplies a way to move data efficiently from one machine to another. Routing protocols transmit information concerning the network. Most routing protocols do not include the layer two information that’s necessary to set up a VCC connection. It’s an unreliable, connectionless protocol for applications which do not want TCP’s sequencing or flow control and want to provide their own. In large, complex networks servers need access to this sort of throughput; imagine the strain on something like Netflix IP servers broadcasting video to millions.

Every computer on the internet or a local network is assigned a unique address, commonly called an Internet Protocol address or simply an IP address. It is not just a vast array of computers connected to each other. You may also browse the internet for articles, discussions and suggestions. Optical communication links and networks are crucial for the internet backbone as well as for the interconnects used in data centres and high-performance computing systems.

While doing this, it must manage problems like network congestion, switching issues, etc. It can help you comprehend the working of a network in an easy and quick way. Often, when an application needs to communicate with a different application, there must be communication between the associated processes. The working of the web is based on a collection of protocols. To get that massive network to work and have our LANs act jointly, there has to be a routing protocol that enables it. It uses TCP at the transport layer again to ensure reliability.

If you have a relatively new mobile handset, it’s most likely to be equipped with an integrated web browser. It selects a device and executes a service discovery to look for available services or applications. Bluetooth devices operate in a range of about ten metres. It functions as an intermediary between the wireless and wired devices which are part of a network. Aside from the computers themselves, there are numerous intermediary devices which make data transfer possible. It can also allow a network to detect, reroute or simply block specific types of transport; presumably this is how the BBC has blocked VPNs, as this story details.

Window flow control mechanisms weren’t modelled, so as to extend the reach of the study to congestion collapse regions. After you prepare the export feature, NetFlow information is exported whenever a flow expires. The principal use of the router is to ascertain the best network path in a complicated network. The third main purpose of LAN switches is layer two loop avoidance. Besides this, the gateway functionality has to be enabled. Each P-NET module also has to have a service channel that can identify unknown participants.

Computer Security: Phishing

Out of all the weapons available to a cyber criminal, phishing is probably one of the most widely used. It is generally described as a random, untargeted attack with the intention of tricking someone into revealing confidential information by replying to an email, clicking a link or filling in a bogus web page. Most of the popular phishing attacks rely on an element of social engineering. That is, deceiving people in order to gain access rather than directly hacking into a target system.

Usually the main delivery mechanism is email, and using modern mailing systems attackers can target millions of email addresses at one time. There are many variations of phishing attacks, ranging from installing keyloggers to duplicate websites or similar. The intent is always to steal personal information such as usernames, passwords and account numbers.

It is fairly common for these phishing emails to include attachments or links that can install various types of malware onto the victim’s computer in order to steal their information too.

Quick Summary of Phishing Attacks

There are, as explained, lots of different types of phishing attacks, and their popularity changes quite regularly.

Email Phishing – is probably the most well known and centres around mass distribution of emails; they are very random and usually rely on volume to succeed.

Spear Phishing – is a more targeted form of phishing which follows the same basic premise. However these attacks are usually more sophisticated and tailored towards a certain type of user or organisation.

Man in the Middle (MiTM) attacks involve the attacker positioning themselves between a legitimate website or company and the end user; the goal is to record any information sent. It’s normally one of the most difficult to operate but also to detect, as the transactions are normally legitimate but simply intercepted.

There are many other methods available to capture information, with things like keyloggers and screen capture programs popular too; the idea is always simply to gain passwords or other personal information.

Some other variants include pharming, which is even less targeted than phishing: malicious code is installed onto servers to redirect any user to fake websites. There are various methods of doing this, including several involving DNS, like modifying a user’s hosts file to redirect them without their knowledge. A particularly sinister version of pharming is known as DNS (Domain Name System) poisoning, where users are directed to fraudulent websites without the need to corrupt the personal hosts file. Others use legitimate, or at least semi-legitimate, services to trick people into using them. One of the more popular methods was to put free proxy servers out on the internet for people to bypass region blocks; these were then used to steal people’s credentials as they used them. This explains the method of region lock bypass using a proxy to watch the BBC, although the example used in the post was a commercial service.

Malware Phishing – is the process of downloading malware onto a user’s device, either through an attachment in an email, a downloadable web file or by exploiting software vulnerabilities.
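As a defender’s check for the hosts-file pharming described above, here is an added example (not from the original post) that parses hosts-file text and flags the kind of entry such an attack adds. The watchlist names, internal ranges and sample file are constructed for the demonstration.

```python
from ipaddress import ip_address, ip_network

# Assumptions for the example: sites that must only ever be reached via real DNS,
# names that legitimately live in every hosts file, and the site's internal ranges.
WATCHLIST = {"example-bank.test", "mail.example.test"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text; comments are ignored."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower().rstrip(".")


def is_expected(addr):
    """Loopback and internal addresses are what an administrator normally pins."""
    return addr.is_loopback or any(addr in net for net in INTERNAL_NETS)


def audit_hosts(text, watchlist=WATCHLIST):
    """Return [(name, address, reason)] for entries a pharming attack would add."""
    findings = []
    for raw, name in parse_hosts(text):
        try:
            addr = ip_address(raw)
        except ValueError:
            findings.append((name, raw, "unparseable address"))
            continue
        if name in LOCAL_NAMES:
            continue
        if name in watchlist or any(name.endswith("." + w) for w in watchlist):
            findings.append((name, raw, "watchlist name pinned in hosts file"))
        elif not is_expected(addr):
            findings.append((name, raw, "name pinned to an address outside loopback/internal ranges"))
    return findings


# Constructed hosts-file content for the demonstration (not from a real system).
SAMPLE_HOSTS = """\
127.0.0.1      localhost
::1            localhost ip6-localhost
10.0.0.20      intranet.corp.test                          # legitimate admin entry
198.51.100.23  example-bank.test www.example-bank.test     # pharming-style entry
203.0.113.9    cdn.example.org                             # public address pinned
"""

if __name__ == "__main__":
    for name, addr, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{name} -> {addr}: {reason}")
```

Reading the real file needs the platform path (for example /etc/hosts or the Windows drivers\etc\hosts file) and usually elevated rights.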

Further Reading – Security Information and UK VPN trial

What Is VPN?

The remote server would accept the request, then authenticate the client through something like a username and password. The tunnel would then be established and used to transfer data between the client and server.

If you want to emulate a point-to-point link, the data must be wrapped with a header; this is normally called encapsulation. This header provides the essential routing information which enables the data to traverse the public network and reach its intended endpoint. In order to keep the link private on this open network, all the data would normally be encrypted. Without this routing information the data would never reach its intended destination. The encryption ensures that all data is kept confidential: packets that are intercepted on the shared or public network are indecipherable without the encryption keys. The link in which the private data is encapsulated and encrypted is known as a VPN connection.

One of the most important uses of remote access VPN connections is that they allow workers to connect back to their office or home using the shared infrastructure of a public network such as the internet. From the user’s point of view, the VPN establishes an invisible connection between the client and the organisation’s servers. There is normally no need to specify any aspects of the shared network as long as it is capable of transporting the traffic; the VPN tunnel controls all other aspects. This does mean it’s very difficult to block these VPN connections, as the BBC is discovering.

Site-to-site VPN connections are also known as router-to-router connections and are established between two fixed points. They are normally set up between distinct offices, again using the public internet. The link will operate in a similar way to a dedicated wide area network link, but at a fraction of the cost of a dedicated line. Many companies increasingly use these to establish fixed connections without the expense of WAN links. It should be noted that these VPN connections operate over the data link layer of the OSI model.

One of the problems many network administrators find is that users on their networks can set up their own VPN connections. These can be very difficult to detect and allow direct tunnels into a corporate network, especially as they are often used for trivial purposes such as obtaining an IP address for Netflix. Needless to say, having users stream encrypted video to their desktops is not good for network performance or security.

Remember, a site-to-site connection will establish a link between two distinct private networks. The VPN server will ensure that a reliable route is always available between the two VPN endpoints. One of the routers will take the role of the VPN client by requesting the connection. The second server will authenticate and then reciprocate the request so that the tunnel is authenticated at each end. In these site-to-site connections, the packets sent across the routers will typically not be created on the routers but on clients connected to the respective devices.


OSI (Open Systems Interconnection) Model

In the early 1980s the International Organization for Standardization started work on a set of protocols designed to promote open network environments. These were essential to allow multi-vendor computer systems to talk to each other using internationally accepted communication protocols. These standards and protocols eventually developed into the OSI reference model.

The protocols defined in each layer of the model have different responsibilities but generally these fall into two specific categories.

  • Communicating with the same level protocol layer on another computer.
  • Providing services to one layer above it.

This peer-level communication offers a method by which each layer can exchange messages or other forms of data. The model is the same whether you’re routing through a US IP address to Netflix or over a secure communication link to an application server. For instance, the transport protocol on the receiving computer is able to send a transmission requesting a pause to its peer transport layer on the sending computer. It does this not by using a direct connection but by placing a message in a packet which is then managed by the layer below. All lower layers must provide this service to the layer above them, taking messages and passing them down to the lowest level of the protocol stack. At this point they can be transmitted across the physical link to the remote destination.
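To illustrate the layering just described, and the encapsulation behind the VPN connection earlier on this page, here is an added example (not the article’s own code): each layer adds only its own header, the peer layer strips only its own, and a tunnel wraps a whole packet inside a new one addressed to the VPN server. The header layouts, protocol numbers, and the SHA-256 keystream plus HMAC standing in for a real VPN cipher are all simplified assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import struct

# Simplified header layouts (constructed for illustration, not real wire formats).
LINK_FMT = "!6s6s"       # dst MAC, src MAC
NET_FMT = "!4s4sB"       # dst IP, src IP, protocol number
TRANSPORT_FMT = "!HHB"   # dst port, src port, flags
PROTO_TRANSPORT, PROTO_TUNNEL = 6, 99   # constructed protocol numbers
FLAG_PAUSE = 1           # transport-layer "please pause sending" request to the peer


def ip(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def wrap(fmt, fields, payload):
    """A layer adds only its own header; the payload from above stays opaque."""
    return struct.pack(fmt, *fields) + payload


def unwrap(fmt, data):
    """The peer layer strips only its own header and hands the rest upwards."""
    n = struct.calcsize(fmt)
    return struct.unpack(fmt, data[:n]), data[n:]


def build_packet(src_ip, dst_ip, sport, dport, app_data, pause=False):
    """Transport layer first, then network layer: walking down the stack."""
    segment = wrap(TRANSPORT_FMT, (dport, sport, FLAG_PAUSE if pause else 0), app_data)
    return wrap(NET_FMT, (ip(dst_ip), ip(src_ip), PROTO_TRANSPORT), segment)


def build_frame(src_mac, dst_mac, packet):
    return wrap(LINK_FMT, (dst_mac, src_mac), packet)


def receive_frame(frame):
    """Walk up the stack on the receiver; each layer reads only its own header."""
    (dst_mac, _), packet = unwrap(LINK_FMT, frame)
    (dst_ip, src_ip, proto), segment = unwrap(NET_FMT, packet)
    if proto != PROTO_TRANSPORT:
        raise ValueError("unexpected protocol")
    (dport, sport, flags), data = unwrap(TRANSPORT_FMT, segment)
    return {"dst_mac": dst_mac, "src_ip": ip_str(src_ip), "dst_ip": ip_str(dst_ip),
            "dport": dport, "pause": bool(flags & FLAG_PAUSE), "data": data}


# --- VPN tunnel: the whole network-layer packet becomes the encrypted payload of a
# new packet addressed to the VPN server. Encryption is a SHA-256 keystream with an
# HMAC tag (encrypt-then-MAC, separate keys), a stand-in for the ciphers real VPNs use.
def _keys(key):
    return hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest()


def _keystream(enc_key, nonce, n):
    blocks = (hashlib.sha256(enc_key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def tunnel_encapsulate(key, inner_packet, client_ip, server_ip):
    enc_key, mac_key = _keys(key)
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(inner_packet, _keystream(enc_key, nonce, len(inner_packet))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return wrap(NET_FMT, (ip(server_ip), ip(client_ip), PROTO_TUNNEL), nonce + ct + tag)


def tunnel_decapsulate(key, outer_packet):
    enc_key, mac_key = _keys(key)
    (_, _, proto), body = unwrap(NET_FMT, outer_packet)
    if proto != PROTO_TUNNEL:
        raise ValueError("not a tunnel packet")
    nonce, ct, tag = body[:12], body[12:-32], body[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tunnel packet failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def observer_view(outer_packet):
    """What a device on the public network can read: only the outer header."""
    (dst_ip, src_ip, proto), _ = unwrap(NET_FMT, outer_packet)
    return {"src_ip": ip_str(src_ip), "dst_ip": ip_str(dst_ip), "proto": proto}
```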

It is important to remember that the OSI is merely a reference model, in that it provides a general description of what services should be provided at which layer. The OSI model itself does not specify the standard protocols. In fact you’ll often find the OSI model used to describe all sorts of other protocol suites, including TCP/IP for example. The Internet Protocol is often described as a network layer protocol purely because it performs the same functions that are defined in the network layer of the OSI reference model.

The ISO did create some protocols that followed the OSI model; however these were never widely adopted and you’ll be lucky to find them in use anywhere. The main reason for this was the popularity of a rival communication suite, TCP/IP.

Further Reading:

BBC Block VPN services – http://www.iplayerabroad.com/2016/07/20/bbc-vpn-block-real/


PPP (Point to Point Protocol)

For those of us who grew up with a selection of cables, leads and analogue modems, PPP was quite a common protocol. It was developed across the internet community to both encapsulate and transmit IP data across all sorts of links, but initially serial point-to-point ones. The other popular scheme, which to some extent was interchangeable, was SLIP (Serial Line Internet Protocol). Although SLIP was the original of these two protocols, there is little doubt that PPP was more common, mainly because it offered the ability to interconnect with other protocols. The main advantage of this was the ability to work with IPX, which enabled it to function in Novell networks for example.

PPP is extremely adaptable and allowed connections between routers and hosts. In its earliest guise, though, it was most commonly used to enable internet connections over telephone dial-up lines. Most modem software would offer the user the choice to connect via either SLIP or PPP; however, the latter was normally the default.

Using PPP, the home user would dial into a server run by their ISP over the telephone line. After the modem has established the connection, the PPP session would authenticate the user to check the account. This part of the process would also assign an IP address to the user’s computer. This address is essential to communicate across the internet and to access anything on it. In fact all web-based activities, from browsing a page to watching UK TV in the USA, need a valid IP address assigned to your computer or device.

When this exchange has taken place, the user’s computer is effectively an extension of the ISP’s IP network, in the same way as it might be connected using an ethernet cable plugged into a port. The serial port and modem have exactly the same functionality as any other network card plugged into the network.

In order to encapsulate higher-level protocol data and transmit it, PPP uses a simple framing method. Using this method PPP can support data transmission over a physical cable in asynchronous and synchronous modes. This obviously operates over the physical layer and needs serial communication protocols to transmit too. The data link layer uses the same frame structure as HDLC, and PPP uses a Link Control Protocol (LCP) to establish and manage the links. This is also responsible for negotiating encapsulation methods and packet sizes, as well as the compression methods that might be available.

The other important function is of course user authentication, primarily using simple usernames and passwords. LCP is able to verify or reject packets based on any of these criteria and can manage the configuration options. A Network Control Protocol is used to further manage the type of protocol configuration and the data being transferred between the two hosts. Remember there is no client/server model: both ends of the connection are considered equal, and the protocol is responsible for managing the connection, not either of the two endpoints.
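The HDLC-style framing described above, as an added example (not from the original post): the address/control/protocol header, the FCS-16 trailer and the byte stuffing used on asynchronous serial links, following the RFC 1661/1662 layout. The sample protocol numbers and payloads are constructed for the demonstration.

```python
FLAG, ESC, ADDR, CTRL = 0x7E, 0x7D, 0xFF, 0x03
PROTO_IP, PROTO_LCP = 0x0021, 0xC021   # PPP protocol field values for IP and LCP
GOOD_FCS = 0xF0B8                      # running FCS over body + its own trailer ends here


def fcs16(data, fcs=0xFFFF):
    """PPP FCS-16 (RFC 1662): CRC-16 with reflected polynomial 0x8408, init 0xFFFF."""
    for b in data:
        fcs ^= b
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def stuff(raw, accm=0xFFFFFFFF):
    """Async-mode byte stuffing: the flag, the escape byte and every control
    character selected by the ACCM are sent as ESC followed by the byte XOR 0x20."""
    out = bytearray()
    for b in raw:
        if b in (FLAG, ESC) or (b < 0x20 and accm & (1 << b)):
            out += bytes((ESC, b ^ 0x20))
        else:
            out.append(b)
    return bytes(out)


def unstuff(stuffed):
    out, escaped = bytearray(), False
    for b in stuffed:
        if escaped:
            out.append(b ^ 0x20)
            escaped = False
        elif b == ESC:
            escaped = True
        else:
            out.append(b)
    if escaped:
        raise ValueError("frame ends inside an escape sequence")
    return bytes(out)


def ppp_frame(protocol, info, async_mode=True):
    """FLAG | address 0xFF | control 0x03 | protocol (2) | info | FCS (2, LSB first) | FLAG"""
    body = bytes((ADDR, CTRL)) + protocol.to_bytes(2, "big") + info
    trailer = (fcs16(body) ^ 0xFFFF).to_bytes(2, "little")
    payload = body + trailer
    if async_mode:
        payload = stuff(payload)   # bit-synchronous links rely on HDLC bit stuffing instead
    return bytes((FLAG,)) + payload + bytes((FLAG,))


def ppp_unframe(frame, async_mode=True):
    """Return (protocol, info); raise ValueError on framing or FCS errors."""
    if len(frame) < 8 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing flag bytes")
    payload = frame[1:-1]
    if async_mode:
        payload = unstuff(payload)
    if fcs16(payload) != GOOD_FCS:
        raise ValueError("FCS check failed")
    body = payload[:-2]
    if body[:2] != bytes((ADDR, CTRL)):
        raise ValueError("unexpected address/control field")
    return int.from_bytes(body[2:4], "big"), body[4:]


if __name__ == "__main__":
    # Constructed payload containing the bytes that must be escaped on an async link.
    frame = ppp_frame(PROTO_IP, bytes((0x45, 0x00, 0x7E, 0x7D, 0x03)))
    print(frame.hex(" "))
    print(ppp_unframe(frame))
```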


BBC Blocking VPNs – http://www.iplayerabroad.com/2017/04/07/bbc-iplayer-blocking-vpn-2017/


What’s a Virtual Circuit?

In simple terms a virtual circuit is a dedicated communication path between two end points, usually on a packet-switched or cell relay network. A common use is to provide a temporary or dedicated link through a router- or switch-connected network. Any devices along the circuit will be programmed with the specific circuit number so that when packets arrive the switch has the correct information to forward them. This saves the potentially lengthy process of examining the packet header in detail.


Using a predefined path like this can improve performance substantially and also reduces the size of frames and packets, specifically by ensuring the headers are much smaller. The underlying physical routes of these connections may change in a standard packet-switching network; however the two end stations will retain a connection and update paths as appropriate. Typically this could happen when the network is experiencing congestion or perhaps some sort of physical problem such as a downed line.

There are two main types of virtual circuits which can be described as follows:

PVC (Permanent Virtual Circuit) – a connection between end points defined in advance, often with a predetermined bandwidth and speed allowance. In commercial public switched carrier networks (like ATM or frame relay) the customers will be allocated the endpoints of the PVC in advance. In internal networks the administrators create the PVCs to direct applications or certain traffic to specific parts of the network. For example a common use would be to reserve bandwidth and define a network path for video-enabled applications such as video conferencing. Video needs a specific quality of service to operate correctly, so it makes sense to define specific routes, although this could also be done to block access to external video applications like Netflix.

SVC (Switched Virtual Circuit) – an on-demand connection between two stations which is normally temporary. An easy way to visualise an SVC is something like a phone call: a temporary connection created to transfer voice. Connections on an SVC will only last as long as necessary to complete the transaction; they are then taken down. Many carriers let customers establish these ‘on the fly’, or a carrier may set up a number of defined SVCs which can be used when required. Perhaps these could be useful for establishing internal secure channels such as a VPN or IP Cloaker application.

It’s best to remember that PVCs are most effective when a large amount of specific data is anticipated between two locations on a regular basis. Using an SVC is much more suitable for temporary or recurring connections, for example unscheduled video or voice conferences. Most commercial carriers prefer to set up PVCs because it is easier to manage bandwidth requirements in advance than with SVCs. It is very common for PVCs to have monthly costs, rates or bandwidth allowances assigned to them, making it easier to allocate costs and budgets against them.


Using Reverse Proxies in your Environment

Many IT administrators use proxies extensively in their networks; however the concept of reverse proxying is slightly less common. So what is a reverse proxy? Well, it refers to a setup where a proxy server is run in such a way that it appears to clients just like a normal web server.

Specifically, the client will connect directly to the proxy, considering it to be the final destination, i.e. the web server itself; they will not be aware that the requests could be relayed further to another server. It is possible that this will even be an additional proxy server. These ‘reverse proxy servers’ are also often referred to as gateways, although this term can have different meanings too. To avoid confusion we’ll avoid that description in this article.

In reality the word ‘reverse’ refers to the reversed role of the proxy server. In a standard proxy, the server acts as a proxy for the client: any request by the proxy is made on behalf of the received client request. This is not the case in the ‘reverse’ scenario, because there it acts as a proxy for the web server and not the client. This distinction can look quite confusing, as in effect the proxy will forward and receive requests to both the client and server; however the distinction is important. You can read RFC 3040 for further information on this branch of internet replication and caching.

A standard proxy is pretty much dedicated to the client’s needs: all configured clients will forward all their requests for web pages to the proxy server. In a standard network architecture they will normally sit fairly close to the clients in order to reduce latency and network traffic. These proxies are also normally run by the organisations themselves, although some ISPs will offer the service to larger clients.

In the situation of a reverse proxy, it represents one or a small number of origin servers. You cannot normally access random servers through a reverse proxy because it has to be configured to access specific web servers. Often these servers will need to be highly available and the caching aspect is important; a large organisation like Netflix would probably have specific IP addresses pointing at reverse proxies. The list of servers that are accessible should always be available from the reverse proxy server itself. A reverse proxy will normally be used by ‘all clients’ to access certain web resources; indeed access may be completely blocked by any other route.

Obviously in this scenario it is usual for the reverse proxy to be both controlled and administered by the owner of the origin web server. This is because these servers are used for two primary purposes: to replicate content across a wide geographic area, and to replicate content for load balancing. In some scenarios it’s also used to add an extra layer of security and authentication in front of a secure web server.


Do I Need a Residential or Datacenter IP Address

For many people there is a very strong requirement to mask their true identity and location online. It might be for privacy reasons, perhaps to keep safe, or you simply don’t want anyone to log everything you do online. There are other reasons: using multiple accounts on websites, IP bans for whatever reason or simple region locking (no, you can’t watch Hulu on your holidays in Europe). The solution usually now revolves around hiding your IP address using a VPN or proxy as a minimum.

Yet the choice doesn’t end there; proxies are pretty much useless now for privacy and security. They’re easily detected when you log on and, to be honest, of very little use anymore. VPN services are much better, yet even here it’s becoming more complicated to access media sites, for example. The problem is that it’s not the technology that is now the issue but the originating IP address. These are actually classified into two distinct groups, residential and commercial, which can both be detected by most websites.


A residential IP address is one that appears to come from a domestic account assigned by an ISP. It’s by far the most discreet and secure address to use if you want to keep completely private. Unfortunately these IP addresses are difficult to obtain in any numbers and also tend to be very expensive. The bottom line is that the majority of people who hide their true IP address, for whatever reason, do so using commercial addresses and not residential ones.

Most security systems can easily detect whether you are using a commercial or residential VPN service provider; how they use that information is a little less certain. So at the bottom of the pile for security and privacy are the datacentre proxy servers, which add no encryption layer and are tagged with commercial IP addresses.

Do I really need a residential VPN IP address? Well, that depends on what you are trying to achieve: for running multiple accounts on things like Craigslist and iTunes, residential is best. If you want to try to access the US version of Netflix, then you’ll definitely need a residential address. Netflix last year filtered out all commercial addresses, which means that very few of the VPNs work anymore, and you can’t watch Netflix at work either.

If you just want to mask your real IP address then a commercial VPN is normally enough. The security is fine and no one can detect your true location, although they can determine you’re not a home user if they check. People who need to switch IPs for multiple accounts using dedicated tools will probably be best advised to investigate the residential IP options.

On-Demand Caching for Proxies

Arguably the most important function of a web proxy, at least as far as performance is concerned, is on-demand caching. That is, documents or web pages are cached upon request by a client or application. It’s important to remember that a document can only be cached if it has actually been requested by a user. Without a request it will not be cached, and indeed the proxy server will not even be aware of its existence.

This is a different method from the replication model which is typically used to distribute data and updates. Replication is more often used on larger, busier networks where data can be copied onto specific servers; this method is also known as mirroring and is also useful for sharing over the internet. One of the most common examples of mirroring is when a large software package is being distributed: instead of a single server being responsible, multiple duplicates are replicated onto different servers.

One of the best ways to facilitate performance increases is to use a method called round-robin DNS. This involves mapping a single host name to multiple physical servers. These servers must be assigned separate IP and physical addresses, and their addresses are distributed evenly among the clients requesting the software. When using the DNS method, the clients will be unaware of the existence of multiple servers because they will appear as a single logical server.

Most of the caching solutions used by proxies are centred around removing load from a specific server. However, when a proxy caches resources locally without mirroring or replication, it’s still the single origin server which is responsible. The physical load doesn’t decrease; however it does reduce the number of network requests that the server has to handle. This also reduces the number of name requests that the server makes, which can otherwise introduce some latency.

Having caching enabled can improve server response times significantly. However this does depend largely on the sort of requests that are made; imagine a proxy used specifically to obtain a Czech IP address and directly download a specific resource. Caching that resource locally would improve the speed significantly as long as the content didn’t change much; however this would be different for sites which stream audio or video and contain large amounts of multimedia content.
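Here is an added example (not the article’s own code) that ties together the reverse proxy described earlier, which relays only to the origin servers it was configured for, with the on-demand caching and round-robin DNS described in this section: a document enters the cache only after a client asks for it, and stays only for the origin’s max-age. The origin servers, clock and host names are constructed stand-ins so the example runs offline.

```python
import time


class RoundRobinDNS:
    """One name, several server addresses handed out in turn, so clients see a
    single logical server (the round-robin DNS scheme described above)."""

    def __init__(self, records):
        self.records = {host: list(ips) for host, ips in records.items()}
        self.next = {host: 0 for host in self.records}

    def resolve(self, host):
        ips = self.records[host]
        i = self.next[host]
        self.next[host] = (i + 1) % len(ips)
        return ips[i]


def max_age(cache_control):
    """Seconds a 200 response may be served from cache; 0 means do not store."""
    ttl = 0
    for directive in cache_control.lower().split(","):
        directive = directive.strip()
        if directive in ("no-store", "private"):
            return 0
        if directive.startswith("max-age="):
            try:
                ttl = int(directive[len("max-age="):])
            except ValueError:
                return 0
    return max(ttl, 0)


class ReverseProxy:
    """Serves a fixed allowlist of origins. `origins` maps a public host name to a
    callable(path) -> (status, headers, body) standing in for the real upstream."""
    HIT, MISS, REJECT = "HIT", "MISS", "REJECT"

    def __init__(self, origins, clock=time.time):
        self.origins = dict(origins)
        self.cache = {}           # (host, path) -> (expires_at, status, body)
        self.clock = clock
        self.origin_requests = 0  # how many times an upstream actually had to answer

    def handle(self, host, path):
        """Return (status, body, cache_state) for a client request."""
        if host not in self.origins:
            # Not one of "our" origin servers: refuse rather than relay anywhere.
            return 421, b"host not served by this proxy", self.REJECT
        key, now = (host, path), self.clock()
        cached = self.cache.get(key)
        if cached and cached[0] > now:
            return cached[1], cached[2], self.HIT
        self.origin_requests += 1
        status, headers, body = self.origins[host](path)
        ttl = max_age(headers.get("Cache-Control", ""))
        if status == 200 and ttl > 0:
            self.cache[key] = (now + ttl, status, body)  # cached only because it was asked for
        return status, body, self.MISS


def make_origin(cache_control):
    """Constructed origin server: echoes the path and advertises a caching policy."""
    def origin(path):
        return 200, {"Cache-Control": cache_control}, b"content of " + path.encode()
    return origin


if __name__ == "__main__":
    proxy = ReverseProxy({"www.example.test": make_origin("max-age=60")}, clock=lambda: 1000.0)
    print(proxy.handle("www.example.test", "/index.html"))   # MISS: fetched from origin
    print(proxy.handle("www.example.test", "/index.html"))   # HIT: origin not contacted
    print(proxy.handle("other.example.test", "/"))           # REJECT: not an allowed origin
    print("origin requests:", proxy.origin_requests)
```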

Further Reading