Banks are currently one of the primary targets of criminals: quick access to cash or to personal bank account information is a lucrative haul. Automated teller machines (ATMs) are a security weak point. Machines located at bank branches usually have cameras and other security measures in place, but off-site ATMs installed independently do not have the same infrastructure. There are plenty of articles on the Internet about ATM skimming, in which a thief attaches an external device to an ATM to capture the card's electronic data (the contents of its magnetic stripe) and, with a hidden camera or a keypad overlay, the PIN, in order to produce an exact copy of the card. See this link to read an article from the North American press on ATM skimming.
Current technology allows security mechanisms to be activated in the various network communication devices, so as to guarantee the confidentiality and integrity of the transmitted data and the availability of that information.
IP-connected devices are by now more than just hype. The Internet of Things (IoT) will connect about 5 billion terminals and devices this year, and the trend is rising: by 2020 about 25 billion intelligent objects are expected to be connected to the Internet, roughly three times the world's current population.
The requirements for connecting branches or company subsidiaries are not only a technical issue; they are also substantially driven by cost. To keep up in a global environment, operators have to keep costs low and ensure lean, fast processes. In practice this means that branches and subsidiaries have to be managed and administered centrally. An essential part of that is the IT infrastructure connecting all users within the network securely, economically and without great effort.
In essence a Virtual Private Network (VPN) consists in using a normally public IP network at a level of abstraction where that network serves only as a transport mechanism between two ends, over which a private network has been constructed. Using a public network inherently requires security, to the point where the two concepts, VPN and security, become one, regardless of whether the core network providing connectivity is public or private. The connections between the end points are therefore often called "tunnels", since they conceal the private traffic transported over the public network.
Since security is a key element in these communications, it is essential to know the different VPN techniques and to understand which is best to apply in each scenario. The problem arises when handling the number of acronyms associated with VPNs, which on occasion seem as cryptic as the protocols they refer to (GRE, L2TP, IPsec, DMVPN, GDOI, SSL VPN, WebVPN, etc.).
VPN at the network layer
This consists of implementing the VPN at OSI layer 3, which means that the devices and applications at either end of the "tunnel" see each other (at layer 3) just as they would over a direct connection; consequently this type of VPN is transparent to any protocol and application:
- GRE (Generic Routing Encapsulation) and L2TP (Layer 2 Tunneling Protocol) are simple protocols that allow VPNs to be built at the network layer. Although both are proven, interoperable and standardized, neither provides confidentiality, integrity or authentication of the tunneled traffic on its own, so they are not widely used except as an auxiliary protocol for VPN interconnection (typically combined with IPsec).
- IPsec (Internet Protocol Security) is an alternative standardized, fully interoperable protocol suite for VPNs that provides a suitable security level (authentication, integrity and encryption of the tunneled packets); it is the de facto standard security protocol for VPNs and is widely used in the routers at the edge of the network.
- DMVPN (Dynamic Multipoint Virtual Private Network) is a VPN architecture based on the simultaneous use of GRE and IPsec: GRE is used for connectivity and IPsec for security. The advantage of using GRE for connectivity is that it carries routing protocol traffic, so the tunnel end points in the private networks exchange routes with each other, which reduces the configuration effort of building VPNs for a large number of sites. DMVPN is based on a central point (hub) to which all the remote points (spokes) connect and which distributes the routing information among them; spokes can then build tunnels directly to each other. DMVPN relies on the NBMA Next Hop Resolution Protocol (NHRP), RFC 2332, to resolve the addresses of the tunnel end points.
- GETVPN (Group Encrypted Transport VPN), based on GDOI (Group Domain Of Interpretation, RFC 6407), is an additional mechanism for IPsec that simplifies key management. Also standardized and interoperable, it relies on a central key server that generates and distributes keys to all the group members. GETVPN does not build "tunnels": the original IP header is preserved on the encrypted packet, so it only works where the host addresses are routable end to end across the transport network (a private WAN such as MPLS, or public addressing over the Internet).
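As an added illustration (not Teldat's code, nor any router vendor's), the following C program builds a GRE encapsulation (RFC 2784, with the key extension of RFC 2890) around a constructed IPv4 packet and parses it back with the bounds checks a receiver needs. It makes the point behind DMVPN visible: GRE supplies the framing that lets routing traffic flow between tunnel end points, but the inner packet is copied verbatim, so anything on the path can read it, which is why IPsec is layered on top. The packet contents, the addresses and the key value are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* GRE header flag bits (first 16-bit word); the low 3 bits are the version. */
#define GRE_FLAG_C 0x8000u          /* checksum present (RFC 2784) */
#define GRE_FLAG_K 0x2000u          /* key present (RFC 2890) */
#define GRE_FLAG_S 0x1000u          /* sequence number present (RFC 2890) */
#define GRE_PROTO_IPV4 0x0800u

/* Wrap an inner packet in a GRE header, optionally carrying a 32-bit key
 * (DMVPN uses the key to tell tunnels apart). Returns bytes written, 0 if
 * the output buffer is too small. */
size_t gre_encapsulate(const uint8_t *inner, size_t inner_len, int use_key,
                       uint32_t key, uint8_t *out, size_t out_cap)
{
    uint16_t flags = use_key ? GRE_FLAG_K : 0;     /* version bits stay 0 */
    size_t hdr = 4 + (use_key ? 4 : 0);
    if (out_cap < hdr + inner_len) return 0;
    out[0] = (uint8_t)(flags >> 8);           out[1] = (uint8_t)flags;
    out[2] = (uint8_t)(GRE_PROTO_IPV4 >> 8);  out[3] = (uint8_t)GRE_PROTO_IPV4;
    if (use_key) {
        out[4] = (uint8_t)(key >> 24); out[5] = (uint8_t)(key >> 16);
        out[6] = (uint8_t)(key >> 8);  out[7] = (uint8_t)key;
    }
    memcpy(out + hdr, inner, inner_len);   /* inner packet copied as-is: no encryption */
    return hdr + inner_len;
}

/* Parse a GRE packet. On success returns the protocol type (e.g. 0x0800) and
 * sets *inner/*inner_len to the encapsulated packet and *key to the key (0 if
 * absent). Returns -1 for a malformed or truncated header. */
int gre_decapsulate(const uint8_t *pkt, size_t len, const uint8_t **inner,
                    size_t *inner_len, uint32_t *key)
{
    if (len < 4) return -1;
    uint16_t flags = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if ((flags & 0x0007u) != 0) return -1;        /* only GRE version 0 is handled */
    if (flags & GRE_FLAG_C) return -1;            /* checksum option not implemented here */
    size_t hdr = 4;
    if (flags & GRE_FLAG_K) hdr += 4;
    if (flags & GRE_FLAG_S) hdr += 4;
    if (len < hdr) return -1;                     /* header announces fields the packet lacks */
    *key = 0;
    if (flags & GRE_FLAG_K)
        *key = ((uint32_t)pkt[4] << 24) | ((uint32_t)pkt[5] << 16) |
               ((uint32_t)pkt[6] << 8)  | pkt[7];
    *inner = pkt + hdr;
    *inner_len = len - hdr;
    return (pkt[2] << 8) | pkt[3];
}

/* Constructed inner packet: a minimal IPv4 header from 10.0.0.1 to 10.0.0.2
 * carrying a made-up routing-update text as payload. Returns total length. */
static const char ROUTE_MSG[] = "ROUTE 10.1.0.0/16 via 10.0.0.2";

size_t build_inner_packet(uint8_t *buf, size_t cap)
{
    size_t payload = strlen(ROUTE_MSG), total = 20 + payload;
    if (cap < total) return 0;
    memset(buf, 0, 20);
    buf[0] = 0x45;                                   /* IPv4, 20-byte header */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[8] = 64; buf[9] = 89;                        /* TTL; protocol 89 (OSPF) as a stand-in */
    memcpy(buf + 12, "\x0a\x00\x00\x01", 4);         /* src 10.0.0.1 */
    memcpy(buf + 16, "\x0a\x00\x00\x02", 4);         /* dst 10.0.0.2 */
    memcpy(buf + 20, ROUTE_MSG, payload);
    return total;
}

/* What an observer on the public path sees: 1 if the routing text is readable
 * in the GRE packet as transmitted, i.e. the tunnel hides nothing. */
int gre_payload_visible(const uint8_t *pkt, size_t len)
{
    size_t n = strlen(ROUTE_MSG);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(pkt + i, ROUTE_MSG, n) == 0) return 1;
    return 0;
}

int main(void)
{
    uint8_t inner[128], gre[160];
    size_t ilen = build_inner_packet(inner, sizeof inner);
    size_t glen = gre_encapsulate(inner, ilen, 1, 100, gre, sizeof gre);
    const uint8_t *in2; size_t in2len; uint32_t key;
    int proto = gre_decapsulate(gre, glen, &in2, &in2len, &key);
    int visible = gre_payload_visible(gre, glen);
    printf("GRE: %zu bytes, proto 0x%04x, key %u, inner %zu bytes, payload visible: %d\n",
           glen, proto, key, in2len, visible);
    return 0;
}
```

Running it shows the 8-byte GRE header followed by the unchanged inner packet, with the routing text readable by anyone capturing on the transport network; the parser rejects a version other than 0 and a packet whose flags announce a key or sequence field that is not actually present.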
Branch office routers establish VPNs at the network layer, which are transparent to the local network devices, although implementations (typically IPsec and L2TP) can also be found in hosts, either as part of the operating system (Windows, Linux, Android, iOS) or as additional network services developed by third parties.
VPN at the application layer
This consists of establishing the VPN without the intermediate routers or the host's network stack intervening. The basis is the SSL (Secure Sockets Layer) protocol within an HTTP session. In the most basic version (clientless), the SSL server maintains a secure session with the HTTP browser across the public network and presents resources from the internal network (applications, file servers, etc.) to the client in web format; this is known as an HTTP reverse proxy.
A more advanced version (full network access) downloads an applet or agent to the client that creates virtual interfaces to intercept the private traffic exchanged between the client and the private network, effectively establishing a VPN between the host and the private network behind the server.
SSL was originally a Netscape implementation; the IETF standardized a revision of version 3.0 as TLS (Transport Layer Security) 1.0. However, only the security protocol is standardized; the reverse HTTP proxy features and the applets are proprietary. Note that SSL 2.0 and 3.0 themselves are now considered insecure and should be disabled on servers, leaving only the TLS versions enabled.
Which VPN is the best?
That depends on one's needs. Application-layer VPNs are the solution for individually connecting a device from any point on the public network outside the branches, for example mobile users connecting their portable devices (PCs, tablets, phones, etc.) from the Internet, or even from public PCs. Application-layer VPN servers are usually found at head offices and not in the access routers.
To establish VPNs between different company branches, the solution is network-layer VPNs from the access routers in each branch office, with IPsec as the de facto standard.
Teldat is a world-class leader in interoperable VPN technology for networks (L2TP, GRE, DMVPN, GETVPN), with ample references from large corporations and clients. We offer you all the advice you need about VPN networks, because the best way to earn your trust is to offer you the best service.
Our daily data traffic on the Internet has reached dimensions that can hardly be put into numbers. For example, in June 2014 an average of 1.7 Tbit/s of data was transmitted through the German DE-CIX (the largest Internet exchange point worldwide, situated in Frankfurt). Numerous transactions relating to critical applications such as financial or personal data are conducted over it. Whether stock market transactions, online shopping or home banking, anyone who carries out such transactions implicitly counts on security, integrity and authenticity being guaranteed at all times.
For years, such processes and methods have been well established on the basis of deploying technologies that appropriately encrypt and secure data transmissions. Here, the use of SSL/TLS has become a quasi-standard.
However, it has also turned out that web servers, NAS devices, gateways and routers are vulnerable due to an implementation error (the "Heartbleed" bug in OpenSSL, CVE-2014-0160): sensitive data can be retrieved without the victim being able to recognize the theft as an attack, since exploitation leaves no trace in ordinary server logs. Particularly worrying is that a wide variety of services that protect their data via SSL/TLS are affected. This includes e-mail (POP3S, IMAPS, SMTP with STARTTLS).
Anatomy of a “heart defect“
By looking closely at the problem, one realizes that the actual error is comparatively simple. To keep a connection alive, so-called heartbeats are sent between the communicating peers (the TLS/DTLS Heartbeat Extension, RFC 6520). The sender transmits some data (the payload) together with a field stating its length, and the receiver echoes the same data back.
The problem results from the fact that the receiver does not verify how much data has actually been sent. So if the sender "lies", actually sending only a single byte but claiming in the length field to have sent up to 64 Kbytes (the field is 16 bits wide), the receiver willingly replies with that many bytes taken from its process memory: the one real byte plus whatever happens to lie next to it on the heap. The result is a buffer over-read that lets the attacker fish through the memory of the remote station, up to 64 Kbytes per heartbeat request, repeated as often as desired.
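As an added example (modelled on the structure of the faulty handler, but not OpenSSL's code), the following C program reproduces the over-read on a constructed buffer. The heartbeat message layout follows RFC 6520: a one-byte type, a two-byte payload length, the payload, and at least 16 bytes of padding. The record is placed at the start of a larger memory block with a constructed "private key" string behind it, standing in for whatever the process heap happens to hold. The vulnerable handler trusts the claimed length and returns the secret; the corrected handler applies the check the fix introduced (claimed payload plus header and padding must fit inside the bytes actually received) and discards the message.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16          /* minimum padding RFC 6520 requires */

/* Decode the 16-bit big-endian payload_length field. */
static uint16_t n2s(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Shared response construction: allocate type + length + payload + padding
 * and copy `payload` bytes following the record header into the response.
 * The caller is responsible for having checked that `payload` fits inside
 * the record; this is exactly the check the vulnerable handler omits. */
static int build_response(const uint8_t *rec, uint16_t payload,
                          uint8_t **out, size_t *out_len)
{
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    uint8_t *bp = malloc(resp_len);
    if (bp == NULL) return -1;
    bp[0] = HB_RESPONSE;
    bp[1] = rec[1]; bp[2] = rec[2];              /* echo the claimed length */
    memcpy(bp + 3, rec + 3, payload);            /* reads `payload` bytes after the header */
    memset(bp + 3 + payload, 0, HB_PADDING);
    *out = bp; *out_len = resp_len;
    return 0;
}

/* Vulnerable: the length of the record actually received is never consulted. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                         uint8_t **out, size_t *out_len)
{
    (void)rec_len;                               /* the bug: rec_len is ignored */
    if (rec[0] != HB_REQUEST) return -1;
    return build_response(rec, n2s(rec + 1), out, out_len);
}

/* Fixed: reject a record too short to be a heartbeat, and a claimed payload
 * that does not fit in the bytes actually received (discard silently). */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                    uint8_t **out, size_t *out_len)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = n2s(rec + 1);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;
    return build_response(rec, payload, out, out_len);
}

/* Constructed memory layout for the demonstration: a 4096-byte block holding
 * the received record at offset 0 and a stand-in secret 200 bytes further on. */
#define ARENA_SIZE    4096
#define SECRET_OFFSET 200
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY----- (constructed stand-in)";

/* Run one malicious heartbeat (1 real byte, claimed length 1024) through the
 * chosen handler. Returns 1 if the secret appears in the response, 0 if the
 * message was discarded or the secret is absent; *response_len gets the
 * number of bytes the handler would have sent back (0 if discarded). */
int leak_demo(int use_fixed, size_t *response_len)
{
    static uint8_t arena[ARENA_SIZE];
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = 0x04; arena[2] = 0x00;            /* claims 1024 bytes of payload */
    arena[3] = 'A';                              /* ...but only one byte is present */
    size_t rec_len = 1 + 2 + 1 + HB_PADDING;     /* 20 bytes really arrived */
    memcpy(arena + SECRET_OFFSET, SECRET, sizeof SECRET);

    uint8_t *resp = NULL; size_t resp_len = 0;
    int rc = use_fixed ? heartbeat_fixed(arena, rec_len, &resp, &resp_len)
                       : heartbeat_vulnerable(arena, rec_len, &resp, &resp_len);
    if (response_len) *response_len = (rc == 0) ? resp_len : 0;
    if (rc != 0) return 0;

    size_t slen = strlen(SECRET), found = 0;
    for (size_t i = 0; i + slen <= resp_len; i++)
        if (memcmp(resp + i, SECRET, slen) == 0) { found = 1; break; }
    free(resp);
    return (int)found;
}

int main(void)
{
    size_t n_vuln, n_fixed;
    int leak_vuln = leak_demo(0, &n_vuln);
    int leak_fixed = leak_demo(1, &n_fixed);
    printf("vulnerable handler leaks secret: %d (response %zu bytes)\n", leak_vuln, n_vuln);
    printf("fixed handler leaks secret:      %d (response %zu bytes)\n", leak_fixed, n_fixed);
    return 0;
}
```

The vulnerable handler answers the 20-byte request with a 1043-byte response that contains the stand-in key; the fixed handler sends nothing. The example deliberately keeps the over-read inside its own buffer so it runs without undefined behaviour; on a real server the bytes beyond the record are whatever the allocator last placed there.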
If this procedure is used systematically and repeatedly, large quantities of session cookies, credit card information and passwords can be gathered. Furthermore, it proved possible to reach the innermost part of a server and extract its private key. The consequence is that perfect imitations of the server can be placed on the Internet, and users will not notice because they will not receive any warning about a forged certificate.
Is it possible for your data security to recover from a “heart attack”?
Users and those affected are in a rather uncertain situation. For the systems we have access to, we must find out as soon as possible whether a serious threat exists, which can be done in cooperation with the manufacturer; the decisive check is the OpenSSL version in use, since versions 1.0.1 through 1.0.1f are affected and 1.0.1g and later contain the fix.
If so, appropriate measures have to be taken quickly to update the affected systems. It is also advisable to replace the digital certificates (with newly generated private keys, since the old ones may have been exposed) and to revoke the existing ones, even if this may be "only" a precaution. For services we do not have access to, we have to rely on the respective service provider to restore security as soon as possible. Changing passwords only makes sense after the provider has patched and renewed its certificates; a password changed on a still vulnerable server can simply be stolen again.
Take preventive security measures
The use of open source, and in this case OpenSSL in particular, shows how a fundamental and critical piece of Internet infrastructure can crumble overnight.
When you look behind the scenes and see how few software engineers actually work full-time on its maintenance and development, it is indeed thought-provoking.
As a manufacturer, we also ask ourselves which is the correct way forward.
None of Teldat's products deploy the software components mentioned above. Nevertheless, we see it as part of our responsibility towards our partners and clients to keep developing our products continually and even more intensively.
AUTHOR: Bernd Büttner