Encryption

I think it would be beneficial to have an overview of how an IPsec VPN is built so we can at least see the “big picture” before delving into the specifics.  There are essentially five main phases.  They are as follows:

1.  “Interesting Traffic” initiates the VPN process on the security appliance.

There are usually many different data streams flowing through your devices and not all of them will be part of the VPN tunnel.  Some may be HTTP traffic, SMTP connections etc.  There needs to be a way of the appliance distinguishing what traffic should be tunnelled and what shouldn’t.  The most common method is to use an Access Control List (ACL) or rulebase.

2.  IKE Phase 1.  IKE (Internet Key Management protocol)

IKE Phase 1 is the process that occurs when the two endpoints first establish connectivity.  The purpose of which is to create a secure connection between VPN peers that will facilitate the IKE Phase 2 security parameters agreement.

3.  IKE Phase 2

Once a temporary secure connection has been formed between the two VPN peers, IKE Phase 2 will negotiate the security parameters that will be used between the two endpoints for the VPN tunnel and then periodically renegotiate them throughout the lifetime of the tunnel to ensure maximum security in the event of an attack.

4.  IPsec VPN Tunnel Established

Once IKE Phase 2 has completed both peers may now send data to each other.  As data is sent and received through the tunnel it will be encrypted and decrypted by the VPN peers using the security parameters agreed upon in IKE Phase 2.

5.  IPsec VPN Tunnel Terminated

IPsec VPN tunnels will be torn down after a specified period or by manually stopping the IPsec.  The tunnel can be re-established before the timeout is reached if new security parameters can be agreed again using IKE Phase 2.  This ensure a stable connection and no interuption of data flow should the timeout expire during communications.

I intend for this to be the first of a number of articles explaining VPN technologies.  The articles that follow on from this one will provide a more in-depth discussion of Virtual Private Networks.  VPNs have become increasingly popular due to the flexibility they offer and the cost of site-to-site circuits.  The demand for unified communications and mobility means that companies must ensure their networks facilitate inter-site communications while keeping costs reasonable.  VPN technology enables us to safely transmit data streams over a public network (the internet) without fear of it being compromised.

There are many different vendors producing appliances responsible for terminating VPN tunnels and it is because of this that VPNs must conform to open standards for interoperability.  The IPsec protocol suite was developed to provide a means of securing data transfer between two points and it can provide data encryption, authentication and anti-replay mechanisms.

IPsec works at layer 3 in the OSI stack and can therefore be used independently of application encryption.  As this article is intended as a guide please remember that this is a brief overview of IPsec.

Amongst others discussed later, IPsec uses two protocols to provide these services, both of which offer different security parameters.  They are:

Authentication Header (AH)

and

Encapsulating Security Payload (ESP)

Nowadays, AH is used when the data being sent and received is not deemed confidential and therefore does not require to be encrypted.  AH offers connectionless integrity and data origin authentication and also optionally provides an anti-replay mechanism using sequence numbers.  This function is enabled by default but it is optional to the receiver if they perform anti-replay checking on it.  AH provides authentication by appending a hash value to the packet.

ESP provides data origin authentication, integrity and confidentiality.  The latter being the reason ESP is far more popular than AH.  ESP uses an encryption algorithm to scramble data that only the receiver can unscramble at the other end.  This means that as well as ensuring you are connected to the correct person and the data hasn’t been modified, you can relax knowing that in the event someone is sniffing data along the path they cannot decipher what has been sent.  ESP can use different forms of encryption algorithms to provide confidentiality - more on this in later articles.

Well, that is a a very brief overview of IPsec VPNs.  My next article will discuss the process of a VPN being established, used and then torn down and articles from there on in will discuss individual areas of an IPS VPN.  Once I have bored you all to tears with IPsec I’ll do a few articles about GRE tunnels.

Stay tuned and please remember before commenting that this a brief overview and I’ll focus on the other areas as each article progresses.

Ian

How many USB keys are lost or stolen every year?  Lots.

How many of those keys have confidential corporate information on them?  Lots.

How many of those data keys are encrypted?  Not many.

USB Data Keys..  A great little gadget that allows users to store up to 320GBs of data in their pocket that’s accessible simply by plugging it into a USB slot on a PC.

or

USB Data Keys..  An Information Security nightmare!  Taking data security away from secured systems and putting it in the trust of a user.

Anyone who knows a little about IT security can appreciate the risks involved with using USB data keys.  Don’t get me wrong, I think they’re great little tools and I have one myself, in fact, I rely quite heavily upon it!  I use it for storing programs, files, data sheets, expense claims and even my Linux distribution that boots from it.  It’s a brilliant little thing.

But what happens when we lose it?  And let’s face it; they are easy to lose.  Why do companies present themselves with and accept this huge risk?  Everything and anything can be stored on these keys by your users – users that can’t remember passwords for more than one week let alone secure a small, easily lost data key filled with sensitive information!

There are two solutions:

1)    Disable the use of USB data keys through a group policy or PC build configuration.

2)    Secure the data on the USB key so that if it is lost it cannot be read or recovered.

The first one is an instant no-go.  Getting that signed off under the IT security policy would be extremely difficult given the convenience of mobile data to users.

Securing the data is where we really need to focus our attention when looking for a solution to our problem and there are two ways of doing so.

1)    Use a date key with built in hardware encryption.

2)    Use third party software to encrypt the USB drive/data.

Option 1 – I’m sure there are a few vendors out there who manufacture USB keys with built in encryption but the leader by far in this area is a company called IronKey.  Their USB keys appear to be very easy to use for the end user (I said appear as I’ve never used one - send me one for review IronKey! ).  Basically, it is a USB key with a encryption chip between the USB interface and the memory chip that encrypts and decrypts data as it is passed to and fro the USB memory chip.  When the USB key is inserted the user is prompted for a password and that is used as the key to encrypting/decrypting the data on the fly.  Don’r worry about brute force attacks on the password either, 10 strikes and you’re out!  Dangerous, but secure - I like it.  Reports indicate that the data transfer speeds are very quick due to the high quality memory being used internally.  So, we have a very secure, fast and easy to operate USB memory key with IronKey, the only drawback is the price.  IronKeys are a fair bit more expensive than traditional USB memory keys with prices starting at $79 for the 1GB Basic version right up to $299 for the 8GB Basic version but hey, you get what you pay for right?

Option 2 – If something like an IronKey is out of your price range or you would simply rather not pay for the convenience that they offer then the alternative is to use third party encryption software (as I do) such as TrueCrypt.  TrueCrypt allows you to either encrypt the whole USB stick or create a secure “container” on it and encrypt that.  The container is then mounted using the TrueCrypt application and is seen as another volume.  The only drawback is that you have to use the application to mount the volume however this can be stored on an unencrypted area of the disk for use on any PC.  TrueCrypt will run on Windows, Linux, OS X and is free to use for personal and enterprise use.

Hope that helps!

Ian