Introducing OpenVPN

One of the most commonly used open source SSL VPNs is OpenVPN, which uses the TAP and TUN virtual network drivers. TUN (network TUNnel) simulates a network layer device and operates on layer 3 packets such as IP packets. TAP (network tap) simulates a link layer device and operates on layer 2 frames such as Ethernet frames. TUN is used with routing, while TAP is used for creating a network bridge. On Linux kernel 2.4 or later, these drivers are already bundled with the kernel. OpenVPN tunnels traffic over UDP port 5000. OpenVPN can use either the TUN driver to carry IP traffic or the TAP driver to carry Ethernet traffic. OpenVPN requires its settings to be placed in configuration files. OpenVPN has two secure modes. The first mode is based on SSL/TLS security using public keys such as RSA, and the second is based on symmetric keys or pre-shared secrets. The RSA certificates and keys for the first mode can be generated with the openssl command. Details about these certificates and the private keys are stored in our *.cnf files in order to establish the VPN connection.

The .crt extension will denote the certificate file, and .key will be used to denote private keys. The SSL-VPN connection will be established between two entities, one of which will be a client, which can be your laptop, and the other will be a server running at your office or lab. Both these computers will have .conf files, which define the parameters required to establish an SSL-VPN connection.
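As an added illustration (not from the original post), the two OpenVPN modes described above expressed as configuration files: a certificate-based server.conf and its client.conf for the TLS mode, followed by the static pre-shared-key variant. All file names (ca.crt, server.crt, server.key, dh.pem, ta.key, static.key), the host name vpn.example.com and the address pools are assumed placeholders; the port is the UDP port named on this page.

```conf
# Added example (not from the original post): server.conf for the first
# OpenVPN mode, TLS with RSA certificates, over a routed TUN device.
# File names (ca.crt, server.crt, server.key, dh.pem, ta.key) are assumed.
dev tun
proto udp
port 5000
# Use "dev tap" plus "server-bridge" instead of "server" for a layer-2 bridge.
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# HMAC on the control channel: unauthenticated packets are dropped before
# the TLS handshake even starts, which limits exposure of the listener.
tls-auth ta.key 0
# Refuse a peer whose certificate is not marked as a client certificate.
remote-cert-tls client
cipher AES-256-GCM
keepalive 10 120
persist-key
persist-tun
# Drop root privileges once the tunnel interface is up.
user nobody
group nogroup
verb 3

# client.conf: the matching client side (vpn.example.com is a placeholder).
client
dev tun
proto udp
remote vpn.example.com 5000
nobind
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-GCM
persist-key
persist-tun

# Second OpenVPN mode, pre-shared static key: both ends share static.key,
# addresses are fixed with ifconfig, and no certificates are involved.
# (Generate the key once with "openvpn --genkey --secret static.key".)
dev tun
proto udp
port 5000
ifconfig 10.9.0.1 10.9.0.2
secret static.key
```

The static-key mode is simpler to set up but every peer holds the same secret, so a single compromised client exposes all tunnels; the TLS mode lets an individual client certificate be revoked instead.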

Open VPN: The Pros and Cons of SSL VPN

SSL VPN is one way to transfer the information since a web browser can be used to establish an SSL VPN connection. Since SSL VPN is clientless, it will result in cost savings and can be configured to allow access from corporate laptops, home desktops, or any computer in an Internet cafe. SSL VPNs also provide support for authentication methods and protocols, some of which include:

  • Active Directory (AD)
  • Lightweight Directory Access Protocol (LDAP)
  • Windows NT LAN Manager (NTLM)
  • Remote Authentication Dial-In User Service (RADIUS)
  • RSA Security’s RSA ACE/Server and RSA SecurID

Many SSL VPNs also provide support for single sign-on (SSO) capability. More sophisticated SSL VPN gateways provide additional network access through downloadable ActiveX components, Java applets, and installable Win32 applications. These add-ons help remote users access a wide range of applications, including:

  • Citrix MetaFrame
  • Microsoft Outlook
  • NFS
  • Remote Desktop
  • Secure Shell (SSH)
  • Telnet

However, not all SSL VPN products support all applications.

SSL VPN can also block traffic at the application level, stopping worms and viruses at the gateway. SSL VPN is also not bound to a specific IP address; hence, unlike IPsec VPN, connections can be maintained as the client moves. SSL VPN further differs from IPsec VPN in that it provides fine-grained access control. With SSL VPN, each resource can be defined in a very granular manner, even down to a single URL. This feature enables remote workers to access internal web sites, applications, and file servers. This differs from IPsec VPN, where the entire corporate network can be defined in a single statement. SSL-based VPN uses Secure HTTP on TCP port 443. Many corporate firewall policies allow outbound access on port 443 from any computer in the corporate network. In addition, since HTTPS traffic is encrypted, there will be limited restrictive firewall rules for SSL VPN.

As you know, SSL-based VPN offers a greater choice of client platforms and is easy to use. However, an organization that wants to be sure its communication channel is encrypted and well secured will never assume that a computer in an Internet cafe is trusted. This in turn requires a trust association with an untrusted client connection. To address the concern of an untrusted client, whenever a client from an untrusted platform connects to the VPN, a small Java applet is downloaded to the client that searches for malicious files, processes, or ports. Based on its analysis of the computer, the applet can also restrict the types of clients that can connect. This may sound theoretically feasible, but doing it in practice requires mapping the policies of one anti-virus and anti-spyware tool into the endpoint security tool used by the VPN. In addition, these applets are prone to evasion and can be bypassed. Note carefully that you also need administrative access to perform many of these operations, such as deleting temporary files, deleting cookies, clearing the cache, and so forth. If you have administrative rights in an Internet cafe, you can assume that the system will be infected with keystroke loggers and sophisticated malicious remote access tools. [A good example would be Back Orifice.]

By using SSL VPN, a user can download sensitive files or confidential, proprietary corporate data. This sensitive data has to be deleted from the local computer when the SSL VPN session is terminated. To ensure the safety of confidential data, a sandbox is proposed and used. The sandbox stores any data downloaded from the corporate network via SSL VPN. After the SSL VPN session is terminated, the data in the sandbox is securely deleted. After a session is terminated, all logon credentials require deletion as well. You know that an SSL VPN can be established even from a cyber cafe. It might happen that a user leaves the system unattended. To prevent such issues, periodic re-authentication is required in some systems. As SSL VPN works on the boundary of Layers 4 and 5, each application has to support its use. In IPsec VPN, a large number of static IP addresses can be assigned to remote clients using RADIUS. This in turn provides the flexibility to filter and control traffic based on source IP address. In the case of SSL VPN, the traffic is normally proxied from a single address, and all client sessions originate from this single IP. Thus, a network administrator is unable to allocate privileges using a source IP address. SSL-based VPN allows more firewall configurations as compared to IPsec VPN to control access to internal resources. Another cause of concern with SSL-based VPN is packet drop performance. IPsec will drop a malformed packet at the IP layer, whereas SSL will carry it up the OSI layers before dropping it. Hence, a packet has to be processed more before it is dropped. This behavior of SSL-based VPN can be misused to execute DoS attacks and, if exploited, can result in a high capacity usage scenario.

External Links:

The official OpenVPN site

OpenVPN on Wikipedia

TUN/TAP on Wikipedia


© 2013 David Zientara. All rights reserved.