People love using VPNs for a variety of reasons, but if you’re the administrator of any network they can be a real problem. Of course, the primary function of a VPN is security, and if users simply used the VPN to encrypt and secure their data that would be fine. In reality, though, what you’ll find is users connecting through a VPN in order to bypass blocks or access sites normally restricted by your network rules. Using a VPN service to watch UK TV is a common issue on our US/European network.
The problem is that these sites and activities are blocked for a reason. Having twenty people streaming the latest episode of ‘Strictly’ over the company’s network uses the same bandwidth as about 100 ordinary users simply working. It doesn’t matter that the traffic is carried over the VPN; it still consumes our own bandwidth to deliver it to the client. So it’s hardly surprising that we need to restrict the use of these VPN clients and the issues they cause. Here’s an example of what people can use these VPN services to do, and the problems we can have in blocking them.
As you can see, this particular VPN service, called Identity Cloaker, has lots of configuration options which can be used to hide the use of the service. Most of the recommended countermeasures rely on blocking the standard footprints of a VPN service, but when the client is able to switch outgoing ports and create a non-standard configuration it becomes much harder.
There is little in the data you can pick up on, so content filters are pretty much useless. The problem is that most VPN traffic is encrypted, so that even the destination of the inner request is hidden (although obviously not the IP address of the VPN server itself). It’s simple to block web-based proxies and VPN services by restricting access to their URLs, but these clients are much more difficult.
As you can see, most services offer the option to switch between hundreds of different IP addresses, and can even do so automatically. Looking for consistent traffic patterns and single IP addresses is another way to identify a simple proxy or VPN, but filtering access to a VPN service which automatically switches server and IP address every few minutes is extremely difficult. Unless users do something with a distinct pattern and very heavy usage, such as anonymous torrenting, any footprint is almost impossible to detect.
Most administrators adopt an attitude of blocking the simplest VPN access and leaving it at that. The reality is that a technical user who is using a sophisticated VPN service like Identity Cloaker is going to be very difficult to stop. You should instead rely on enforcing user policies within the network and stressing the penalties if people are found using such services.
One other method to consider is ensuring that most users are not able to install or configure VPN clients on their local laptops or computers. This can normally be enforced very easily, particularly in Windows environments: simply configure local user policy and apply restrictive Group Policy settings to remove admin access from users. Unfortunately, programs like Identity Cloaker also come with a ‘lite’ version which doesn’t need installing and can be run directly from a single executable. It can even be run from a memory stick and still interact with the network stack on the local computer.
The remote server would accept the request, then authenticate it through something like a username and password. The tunnel would then be established and used to transfer data between the client and server.
If you want to emulate a point-to-point link, the data must be wrapped with a header; this is normally called encapsulation. This header provides the essential routing information which enables the data to traverse the public network and reach its intended endpoint; without this route information the data would never reach its destination. In order to keep the link private on this open network, all the data would normally be encrypted. The encryption ensures that all data is kept confidential: packets that are intercepted on the shared or public network are indecipherable without the encryption keys. The link in which the private data is encapsulated and encrypted is known as a VPN connection.
One of the most important uses of remote access VPN connections is that they allow workers to connect back to their office or home using the shared infrastructure of a public network such as the internet. From the user’s point of view, the VPN establishes an invisible connection between the client and the organisation’s servers. There is normally no need to specify any aspects of the shared network as long as it is capable of transporting traffic; the VPN tunnel controls all other aspects. This does mean it’s very difficult to block these VPN connections, as the BBC is discovering.
These connections are also known as router-to-router connections, which are established between two fixed points. They are normally set up between distinct offices, again using the public network of the internet. The link operates in a similar way to a dedicated wide area network link, but at a fraction of the cost of a dedicated line. Many companies increasingly use these to establish fixed connections without the expense of WAN connections. It should be noted that these VPN connections operate over the data link layer of the OSI model.
One of the problems many network administrators find is that users on their networks can set up their own VPN connections. These can be very difficult to detect and allow direct tunnels into a corporate network, especially as they are often used for trivial purposes such as obtaining an IP address for Netflix. Needless to say, having users stream encrypted video to their desktops is not good for network performance or security.
Remember that a site-to-site connection establishes a link between two distinct private networks. The VPN server ensures that a reliable route is always available between the two VPN endpoints. One of the routers takes the role of the VPN client by requesting the connection; the second authenticates and then reciprocates the request so that the tunnel is authenticated at each end. In these site-to-site connections, the packets sent across the routers will typically not be created on the routers themselves but by clients connected to the respective devices.
For those of us who grew up with a selection of cables, leads and analogue modems, PPP was quite a common protocol. It was developed across the internet community to both encapsulate and transmit IP data across all sorts of links, but initially serial point-to-point ones. The other popular scheme, which to some extent was interchangeable with it, was SLIP (Serial Line Internet Protocol). Although SLIP was the older of the two protocols, there is little doubt that PPP was more common, mainly because it offered the ability to interconnect with other protocols. The main advantage of this was the ability to work with IPX, which enabled it to function in Novell networks, for example.
PPP is extremely adaptable and allows connections between routers and hosts. In its earliest guise, though, it was most commonly used to enable internet connections over telephone dial-up lines. Most modem software would offer the user the choice to connect via either SLIP or PPP, but the latter was normally the default.
Using PPP, the home user would dial into a server run by their ISP over the telephone line. After the modem had established the connection, the PPP session would allow user authentication to check the account. This part of the process would also assign an IP address to the user’s computer. This address is essential for communicating across the internet and for accessing anything on it; in fact, all web-based activities, from browsing a page to watching UK TV in the USA, need a valid IP address assigned to your computer or device.
When this exchange has taken place the user’s computer is effectively an extension of the ISP’s IP network in the same way as it might be connected using an ethernet cable plugged into a port. The serial port and modem have exactly the same functionality as any other network card plugged into the network.
In order to encapsulate higher-level protocol data and transmit it, PPP uses a simple framing method. Using this method PPP can support data transmission over a physical cable in asynchronous and synchronous modes. This obviously operates over the physical layer and needs serial communication protocols to transmit too. The data link layer is managed on the same frame structure using HDLC, and PPP uses a Link Control Protocol (LCP) to establish and manage the links once they are up. LCP is also responsible for negotiating encapsulation methods and packet sizes, as well as the compression methods that might be available.
The other important function is of course user authentication, primarily using simple usernames and passwords. LCP is able to verify or reject packets based on any of these criteria and can manage the configuration options. A Network Control Protocol (NCP) is used to further manage the type of protocol configuration and the data being transferred between the two hosts. Remember, there is no client/server model: both ends of the connection are considered equal, and it is the protocol, not either of the two endpoints, that is responsible for managing the connection.
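To make the framing concrete, here is an added example (not code from the original article) that builds and parses a PPP frame in the HDLC-like framing of RFC 1662: flag 0x7E, address 0xFF, control 0x03, a two-byte protocol field, the information field and the 16-bit FCS, with the asynchronous byte stuffing used on dial-up links. The protocol-name table and the sample LCP payload are illustrative assumptions.

```python
FLAG, ESC, ADDR, CTRL = 0x7E, 0x7D, 0xFF, 0x03
GOOD_FCS = 0xF0B8   # FCS register value after running over a frame plus its own FCS (RFC 1662)

# A few PPP protocol field values for readability (assumed subset, not exhaustive).
PROTOCOLS = {0x0021: "IP", 0x8021: "IPCP", 0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP"}

def _make_fcs_table():
    """Reflected CRC-16 table (polynomial 0x8408), as used by PPP's FCS-16."""
    table = []
    for byte in range(256):
        v = byte
        for _ in range(8):
            v = (v >> 1) ^ 0x8408 if v & 1 else v >> 1
        table.append(v)
    return table

FCS_TABLE = _make_fcs_table()

def fcs16(data: bytes, fcs: int = 0xFFFF) -> int:
    """Run the FCS register over data, starting from the PPP initial value 0xFFFF."""
    for b in data:
        fcs = (fcs >> 8) ^ FCS_TABLE[(fcs ^ b) & 0xFF]
    return fcs

def build_frame(protocol: int, info: bytes) -> bytes:
    """Encapsulate info under the given protocol and apply async byte stuffing."""
    body = bytes([ADDR, CTRL]) + protocol.to_bytes(2, "big") + info
    fcs = fcs16(body) ^ 0xFFFF                 # ones complement, transmitted low byte first
    body += bytes([fcs & 0xFF, fcs >> 8])
    out = bytearray([FLAG])
    for b in body:
        if b in (FLAG, ESC) or b < 0x20:       # escape flag, escape and control characters
            out += bytes([ESC, b ^ 0x20])
        else:
            out.append(b)
    out.append(FLAG)
    return bytes(out)

def parse_frame(raw: bytes) -> dict:
    """Unstuff, check address/control and FCS, then return the protocol and information field."""
    if len(raw) < 2 or raw[0] != FLAG or raw[-1] != FLAG:
        raise ValueError("frame not delimited by flag bytes")
    body = bytearray()
    i = 1
    while i < len(raw) - 1:
        b = raw[i]
        if b == ESC:                           # the sender XORed the next byte with 0x20
            i += 1
            b = raw[i] ^ 0x20
        body.append(b)
        i += 1
    if len(body) < 6 or body[0] != ADDR or body[1] != CTRL:
        raise ValueError("bad address/control field")
    if fcs16(bytes(body)) != GOOD_FCS:         # covers address, control, protocol, info and FCS
        raise ValueError("FCS mismatch: frame corrupted")
    proto = int.from_bytes(body[2:4], "big")
    return {"protocol": proto, "name": PROTOCOLS.get(proto, hex(proto)), "info": bytes(body[4:-2])}

if __name__ == "__main__":
    # Constructed LCP Configure-Request: code 1, identifier 1, length 4, no options.
    frame = build_frame(0xC021, b"\x01\x01\x00\x04")
    print(frame.hex(" "))
    print(parse_frame(frame))
```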
For many people there is a very strong requirement to mask their true identity and location online. It might be for privacy reasons, perhaps to keep safe, or simply because you don’t want anyone logging everything you do online. There are other reasons too: using multiple accounts on websites, IP bans for whatever reason, or simple region locking (no, you can’t watch Hulu on your holidays in Europe). The solution now usually revolves around hiding your IP address using a VPN or proxy as a minimum.
Yet the choice doesn’t end there; proxies are pretty much useless now for privacy and security. They’re easily detected when you log on and, to be honest, of very little use anymore. VPN services are much better, yet even here it’s becoming more complicated to access media sites, for example. The problem is that it’s no longer the technology that is the issue but the originating IP address. These are classified into two distinct groups, residential and commercial, and both can be detected by most websites.
A residential IP address is one that appears to come from a domestic account assigned by an ISP. It’s by far the most discreet and secure address to use if you want to keep completely private. Unfortunately these IP addresses are difficult to obtain in any numbers and also tend to be very expensive. The bottom line is that the majority of people hiding their true IP address, for whatever reason, do so using commercial addresses and not residential ones.
Most security systems can easily detect whether you are using a commercial or residential VPN service provider; how they use that information is less clear. At the bottom of the pile for security and privacy are the datacentre proxy servers, which add no encryption layer and are tagged with commercial IP addresses.
Do I really need a residential VPN IP address? Well, that depends on what you are trying to achieve: for running multiple accounts on things like Craigslist and iTunes, residential is best. If you want to access the US version of Netflix like this, then you’ll definitely need a residential address. Netflix last year filtered out all commercial addresses, which means that very few of the VPNs work anymore, and you can’t watch Netflix at work either.
If you just want to mask your real IP address then a commercial VPN is normally enough. The security is fine and no one can detect your true location, although they can determine you’re not a home user if they check. People who need to switch IPs for multiple accounts and who use dedicated tools will probably be best advised to investigate the residential IP options.
Most networks of any size need some sort of system for storing and managing their log files. Most network devices produce logs, and many of them contain lots of useful information. However, without a way of analysing and reporting on this data, it can simply become another system administration chore with little or no benefit.
One of the oldest methods of centralising these system messages and logs is to use a syslog server. Syslog messaging was originally used on UNIX systems for the logs produced by network devices, applications and operating systems. Most modern network devices can be configured to generate syslog messages which can be picked up by a server. These messages are normally generated and then transmitted using UDP to a server running a syslog daemon that accepts them.
Over the years more and more devices have been created which can support and generate syslog messages. Despite it being fairly old technology, many firms have started to move away from specialised tools towards simply using a central syslog server to receive, store and archive the messages generated by network devices. These servers can also be used to create automatic notifications if specific critical events are generated, for example if an important default gateway becomes unresponsive. This means that IT support personnel can be made aware of potential issues quickly, often before they affect users directly, or at least minimise downtime.
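As an added example (not from the original post), here is a small Python collector-side routine that decodes classic BSD-style syslog datagrams as a syslog daemon would receive them over UDP, splits the PRI value into facility and severity, and raises the kind of notification described above: anything crit or worse from any device, or err or worse from a gateway on an assumed critical-host list. The host names and sample datagrams are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# Classic BSD-style (RFC 3164) shape: <PRI>Mmm dd hh:mm:ss HOST MESSAGE
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.+)$")

# Devices whose errors should page someone straight away (constructed names).
CRITICAL_HOSTS = {"gw-core-1", "gw-core-2"}

@dataclass
class SyslogMessage:
    facility: str
    severity: str
    timestamp: str
    host: str
    message: str

def parse_syslog(line: str) -> Optional[SyslogMessage]:
    """Decode one datagram payload; PRI = facility * 8 + severity. None if malformed."""
    m = _SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                    # 24 facilities * 8 severities - 1
        return None
    return SyslogMessage(FACILITIES[pri // 8], SEVERITIES[pri % 8],
                         m.group("ts"), m.group("host"), m.group("msg"))

def should_notify(msg: SyslogMessage) -> Optional[str]:
    """Notification text for crit-or-worse anywhere, or err-or-worse on a critical device."""
    rank = SEVERITIES.index(msg.severity)          # lower rank = more severe
    critical_device_error = msg.host in CRITICAL_HOSTS and rank <= SEVERITIES.index("err")
    if rank <= SEVERITIES.index("crit") or critical_device_error:
        return f"{msg.host} {msg.facility}.{msg.severity}: {msg.message}"
    return None

def triage(lines: Iterable[str]) -> List[str]:
    """Parse a batch of raw payloads and return the notifications they would raise."""
    alerts = []
    for line in lines:
        msg = parse_syslog(line)
        if msg is None:
            continue                 # malformed; a real collector would count and keep these
        text = should_notify(msg)
        if text:
            alerts.append(text)
    return alerts

# Constructed sample datagrams, as a router, a workstation and a firewall might send them.
SAMPLE = [
    "<187>Oct 11 22:14:15 gw-core-1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<13>Oct 11 22:14:16 ws-042 sshd[1023]: Accepted password for bob from 10.0.0.9",
    "<2>Oct 11 22:14:17 fw-edge kernel: Out of memory: Kill process 812 (httpd)",
    "this is not a syslog line",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print("NOTIFY:", alert)
```

Binding a UDP socket on port 514 and feeding each received payload to `triage` turns this into a minimal collector; the parsing and alert logic is the part worth adapting to your own device list.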
Although there are many other methods of sending and receiving system messages across a network, using syslog has many advantages. For a start, it works directly with many reporting technologies, and almost all network devices support the syslog message format. This is very important, because as soon as you have multiple logging formats you’re faced with the prospect of installing multiple log servers. This creates a hierarchy which can be difficult to support, especially for network support staff who need access to all the logs in order to troubleshoot issues.
For example, if you have a RAS (Remote Access Server) which is configured to use a different messaging system from the other devices in your network, you could miss vital pieces of information. In addition, problems on these servers can be missed, and so important devices can suffer longer periods of downtime. Many remote users rely on having access through a good VPN service when travelling in order to connect back from remote networks.
If you do have devices which don’t support the syslog standard and you aren’t able to get rid of them, there are other options. You can use software like Microsoft’s Log Parser, which can convert many formats into a log message that syslog can understand.
There is little excuse for not installing an IDS (Intrusion Detection System) on your network; even the usual culprit of budget doesn’t apply. In fact one of the leading IDS systems, Snort, is available completely free of charge and is sufficient for all but the most complex network infrastructures. It is virtually impossible to effectively monitor and control your network, particularly if it’s connected to the internet, without some sort of IDS in place.
There are certain questions about the day-to-day operation of your network that you should be able to answer. Questions like the following will help you determine if you really have control over your network and its hardware:
Can you tag and determine how much traffic on your network is associated with malware or unauthorised software?
Are you able to determine which of your clients do not have the latest client build?
Can you determine which websites are most frequently requested? Are these requests from legitimate users or the result of malware activity?
Can you determine which users are the top web surfers (and whether it is justified)?
How much mail are your SMTP servers processing?
It is surprising how many network professionals simply wouldn’t have a clue how to obtain this information from their network; however, it’s impossible to ensure that the network is efficient without it. For example, a few intensive web users can create much more traffic than the majority of ordinary business users. Imagine two or three users in a small department who used a working BBC VPN to stream TV to their computers 8 hours a day. The traffic that would generate would be huge and could easily swamp an important network segment.
All security professionals should ensure that they have the tools and reporting capacity to answer simple questions like these about network usage. Knowing the answers will help you control and adapt your network to meet its users’ needs. Of course a simple IDS won’t provide the complete solution, but it will help keep control of your network. Malware can sit and operate for many weeks in a network which is not monitored properly; this heavily impacts performance and can enable it to spread to other devices and eventually other networks. In network environments where performance is important, being aware of these sorts of situations can make a huge difference.
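As an added example (not part of the original post), here is a small Python report over constructed proxy log lines that answers three of the questions above: who the heaviest web users are, which sites are requested most, and a simple heuristic for traffic that looks automated rather than human, namely a client contacting one host at near-constant intervals, the pattern that malware beacons and automatic update checks share. The log format, addresses, host names and thresholds are all constructed assumptions.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed proxy log: epoch_seconds client_ip bytes_transferred host
SAMPLE_LOG = """\
1000 10.0.0.5 512 update.example-cdn.net
1060 10.0.0.5 511 update.example-cdn.net
1120 10.0.0.5 513 update.example-cdn.net
1180 10.0.0.5 512 update.example-cdn.net
1240 10.0.0.5 512 update.example-cdn.net
1300 10.0.0.5 512 update.example-cdn.net
1003 10.0.0.7 250000 video.example-tv.co.uk
1009 10.0.0.7 410000 video.example-tv.co.uk
1047 10.0.0.7 380000 video.example-tv.co.uk
1130 10.0.0.7 120000 news.example.com
1188 10.0.0.7 300000 video.example-tv.co.uk
1015 10.0.0.9 30000 mail.example.com
"""

Entry = Tuple[int, str, int, str]   # (timestamp, client, bytes, host)

def parse_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, nbytes, host = line.split()
        entries.append((int(ts), client, int(nbytes), host))
    return entries

def top_clients_by_bytes(entries: List[Entry]) -> List[Tuple[str, int]]:
    """Who are the heaviest web users? Sorted descending by bytes transferred."""
    totals: Dict[str, int] = defaultdict(int)
    for _, client, nbytes, _ in entries:
        totals[client] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def top_hosts_by_requests(entries: List[Entry]) -> List[Tuple[str, int]]:
    """Which sites are requested most often? Sorted descending by request count."""
    counts: Dict[str, int] = defaultdict(int)
    for _, _, _, host in entries:
        counts[host] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)

def regular_talkers(entries: List[Entry], min_hits: int = 5, max_cv: float = 0.1) -> List[Tuple[str, str, float]]:
    """(client, host, mean_gap) pairs whose request spacing is too regular for a person browsing.
    A coefficient of variation of the inter-request gaps below max_cv means near-constant timing;
    min_hits and max_cv are assumed starting points to tune against your own traffic."""
    times: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for ts, client, _, host in entries:
        times[(client, host)].append(ts)
    flagged = []
    for (client, host), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            flagged.append((client, host, float(mean)))
    return flagged

if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("top users:", top_clients_by_bytes(log)[:3])
    print("top sites:", top_hosts_by_requests(log)[:3])
    print("regular talkers:", regular_talkers(log))
```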
For many people travel is becoming much easier, and as a species our geographical horizons are perhaps wider than ever. Inexpensive air travel and soft borders like those of the European Union mean that instead of just looking to work in another city or town, another country is just as viable. The internet of course enables this somewhat: many corporations have installed infrastructure to allow remote or home working, which means many people can work from wherever they wish. Instead of sitting in cubicles in vast, expensive office space, the reality is that people can work together just as easily over high speed internet connections from home.
Unfortunately there are some issues with this digital utopia, most of which are self-inflicted. Instead of being a vast, unfettered global communications medium, the internet in some senses has begun to shrink somewhat; not so much in size, but rather through an increasing number of restrictions, filters and blocks being applied to web servers across the planet. For instance, the company I work for has two main bases, one in the UK and the other in Poland, which means there is quite a bit of travel between the two countries. Not surprisingly, employees who are working away from home for some time use the internet to keep in touch with their home life, yet this can be frustrating.
A common issue is the fact that many websites are not really accessible globally; they are locked to specific regions. Take for example the main Polish TV channel, TVN: it has a fantastic website and a media player through which you can watch all their shows. However, a Polish citizen who tries to watch the local news from Warsaw from a hotel in the UK will find themselves blocked; the content is only available to those physically located in Poland. It’s no one-off either: this behaviour is shared by pretty much every large media company on the web, who block access depending on your location.
There is a solution, and for our employees it’s actually quite simple: all they need to do is fire up their VPN client and remotely connect back to their home server in Poland. The instant they do this, their connection looks like it’s based in Poland and all the Polish TV channels work perfectly. There’s a post about something similar here, using a Polish proxy to watch TVN and some other channels, although that one is through a commercial service designed to hide your location. It’s a practice that is becoming increasingly necessary: the more we travel, the more we find our online access is determined by our physical location.
The use of proxies and, more recently, VPNs allows you to break out of these artificial intranets which companies are creating by blocking access from other countries. The idea is that if you have the ability to switch to various VPNs across the world you can effectively take back control and access whatever website you need. Your physical location becomes unimportant again; by taking control of your virtual location you have a huge advantage over other internet users, since you choose the location you wish to appear from. There are even some other options now: take a look at this UK DNS proxy, which does something fairly similar and can be used to watch the BBC and Netflix from outside the UK.
The technology sector is at the moment somewhat confused about what a VPN actually is. The confusion is understandable, however, as the VPN has continually evolved over the last few years into a somewhat different networking technology. In the past, a VPN could be described as a private network able to carry voice and data, usually built on top of existing carrier services.
This is not how a VPN is commonly defined today; it’s probably best to split it into the following definitions.
Voice VPN: a single carrier which handles all the voice call switching. The ‘virtual’ in VPN here implies that a virtual voice switching network has been created within the switching equipment. This is probably the most dated definition, under the concept of traditional carrier-based voice VPNs.
Carrier-based data VPN: traditional packet, cell switching and frame networks normally carry data in discrete bundles which are then routed through a complex mesh of networks and switches to their destination. These networks would be shared between many owners and users. A VPN would be a web of individual virtual circuits which form a virtual private network over another carrier’s packet-switched network.
Internet VPN: this is probably the definition which is most relevant today, and is similar to the previous carrier-based data network. Here an IP network is the underlying transport, and the common medium is the shared hardware of the internet.
An internet VPN like this is the most common today, probably because it is by far the easiest and cheapest to set up. There may not be the same bandwidth and data quality guarantees as with a traditional virtual circuit; however, the availability of a simple VPN client and server accessible from anywhere in the world is a powerful tool for many reasons.
What’s more, an internet VPN can be created and used by almost anyone. Companies, for instance, will often install generic VPN client software on their laptops so any employee can dial in to the corporate servers using any internet connection safely and securely. This means that employees can work remotely from almost any location; all they need is a simple internet connection and an account on the VPN server.
A decade ago these were used over simple dial-up modems, but now most countries have a fairly large internet access infrastructure allowing high speed access from most public places and from home internet connections. The other advantage is that an internet VPN requires no real investment in hardware apart from the central server. Users can leverage the internet connection of their ISP or even a hotel wifi access point, a fairly insecure setup, but if you connect through a virtual private network then all your data is securely encrypted and protected from prying eyes.