31-07-2014, 10:56 AM
SECURITY AND COLLABORATIVE ENFORCEMENT OF FIREWALL POLICIES IN VPNS
ABSTRACT
A virtual private network (VPN) is a private network that uses a public network to connect remote sites. It enables a host computer to send and receive data across a shared or public network as if it were an integral part of the private network, with all the functionality, security and management policies of the private network. To access an organization's network resources, an encrypted VPN tunnel is formed between the home network and the foreign network. Although VPN technology is very useful, it introduces security threats on the remote network, because its firewall does not know what traffic is flowing inside the VPN tunnel. To address this problem, VGuard was proposed: a framework that allows a home network and a foreign network to collaboratively determine whether a request satisfies the policy, without the home network knowing the request and without the foreign network knowing the policy. In this paper we study a protocol called Xhash, which allows two parties, each holding a key, to compare whether they have the same key without disclosing their keys to each other. The VGuard framework uses Xhash as its basic building block. To improve on the existing approach, this paper presents a DES-192 algorithm which uses a 24-byte key input. This algorithm is used to increase the security between the Policy Owner and the Request Owner, which makes the encryption algorithm more robust against attackers.
INTRODUCTION
VPN is a globally used technology that helps provide secure private network traffic over an unsecured network, such as the Internet. VPN provides a secure mechanism for encrypting and encapsulating private network traffic and moving it through an intermediate network. Data is encrypted for confidentiality, so packets that might be intercepted on a shared or public network are unreadable without the correct encryption keys. Data is also encapsulated, or wrapped, with an IP header containing routing information.
The two major concerns in supporting roaming users across administrative domains are security and privacy. As we all know, VPN [4] is deployed in many organizations to protect their users when they roam into foreign networks. When a roaming user establishes a VPN tunnel with his home network, he can access not only the private resources within the home network, but also redirect his Internet traffic through the VPN tunnel, which is typically encrypted to protect the privacy of user traffic. While roaming users enjoy the security protection offered by VPNs, little consideration has been given to the impact of such encrypted tunnels on the foreign network. In particular, the foreign network's firewall cannot effectively regulate such tunnelled traffic, because it is unable to examine the encrypted connection properties, such as destination IP address and ports. As a result, certain connections that are normally prohibited by the foreign network, for either security or policy reasons, can now evade firewall regulation. The existence of such unregulated tunnels not only weakens the security protection for roaming users, but more importantly leaves the foreign network wide open to various security threats from the public Internet. A typical VPN deployment is shown in Figure 1.
DESCRIPTION OF XHASH PROTOCOL
In this module we study the simple and efficient Xhash protocol, which achieves oblivious comparison [3]. The Xhash protocol works as follows. First, the Policy Owner sends N1⊕K1 to the Request Owner; the Request Owner then computes HMAC_k(N1⊕K1⊕K2) and sends the result to the Policy Owner. Second, the Request Owner sends N2⊕K2 to the Policy Owner. Third, the Policy Owner computes HMAC_k(N2⊕K2⊕K1) and compares it with the HMAC_k(N1⊕K1⊕K2) received from the Request Owner. Finally, the condition N1 = N2 holds if and only if HMAC_k(N2⊕K2⊕K1) = HMAC_k(N1⊕K1⊕K2).
The function HMAC above is a keyed-Hash Message Authentication Code, such as HMAC-MD5 or HMAC-SHA1, which satisfies the one-wayness property (i.e. given HMAC_k(x), it is impracticable to compute x and k) and the collision resistance property (i.e. it is computationally infeasible to find two distinct numbers x and y such that HMAC_k(x) = HMAC_k(y)). Note that the key k is shared between the Policy Owner and the Request Owner. Although hash collisions for HMAC exist in theory, the probability of a collision is negligibly small in practice. Furthermore, by properly choosing the shared key k, one can safely assume that HMAC has no collisions.
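The three-step exchange above, written out as an added example (this is not code from the VGuard paper). It assumes both parties share the HMAC key k, that each draws a fresh random mask K for every comparison, and that HMAC-SHA256 stands in for the HMAC-MD5/HMAC-SHA1 named in the text; the `Party` and `xhash_compare` names are this example's own.

```python
import hashlib
import hmac
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


class Party:
    """One side of Xhash: holds the value N to compare, a fresh random mask K
    (a one-time pad for N), and the HMAC key k shared with the other party."""

    def __init__(self, value: bytes, shared_key: bytes):
        self.value = value
        self.mask = secrets.token_bytes(len(value))  # K1 or K2, fresh per run
        self.shared_key = shared_key                 # k, shared by both parties

    def masked_value(self) -> bytes:
        """Message sent on the wire: N ⊕ K."""
        return xor_bytes(self.value, self.mask)

    def tag(self, peer_masked: bytes) -> bytes:
        """HMAC_k(peer's N ⊕ K ⊕ own K); only the tag, never the mask, leaves this party."""
        return hmac.new(self.shared_key, xor_bytes(peer_masked, self.mask), hashlib.sha256).digest()


def xhash_compare(policy_owner: Party, request_owner: Party) -> bool:
    """Run the three-step Xhash exchange and return the Policy Owner's verdict."""
    # Step 1: Policy Owner -> Request Owner: N1 ⊕ K1.
    #         Request Owner -> Policy Owner: HMAC_k(N1 ⊕ K1 ⊕ K2).
    m1 = policy_owner.masked_value()
    tag_from_ro = request_owner.tag(m1)
    # Step 2: Request Owner -> Policy Owner: N2 ⊕ K2.
    m2 = request_owner.masked_value()
    # Step 3: Policy Owner computes HMAC_k(N2 ⊕ K2 ⊕ K1) and compares.
    # The two HMAC inputs coincide exactly when N1 = N2, since K1 ⊕ K2 is in both.
    tag_at_po = policy_owner.tag(m2)
    return hmac.compare_digest(tag_at_po, tag_from_ro)


def compare_values(n1: bytes, n2: bytes, shared_key: bytes) -> bool:
    """Convenience wrapper: build both parties and run one comparison."""
    return xhash_compare(Party(n1, shared_key), Party(n2, shared_key))
```

Because every run draws new masks, the wire messages N⊕K change from run to run while the verdict depends only on whether N1 and N2 are equal.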
AODV ROUTING PROTOCOL AND ITS OPERATION
3.1 AODV Protocol Overview
The AODV (Ad Hoc On Demand Distance Vector) routing protocol is a reactive routing protocol, hence routes are determined only when needed. Figure 3 shows how the messages are exchanged in the AODV protocol [11, 12].
Hello messages are used to detect and monitor links to neighbours. Each active node periodically broadcasts a Hello message to all its neighbours. A link break is detected when a node fails to receive several Hello messages from a neighbour.
When a source wants to transmit data to an unknown destination, it broadcasts a Route Request (RREQ) for that destination. When the RREQ is received at an intermediate node, a route back to the source is created. If the receiving node has not received this RREQ before, is not the destination, and does not have a current route to the destination, it rebroadcasts the RREQ. If the receiving node is the destination or has a current route to the destination, it generates a Route Reply (RREP). The RREP is unicast hop by hop back to the source. As the RREP propagates, each intermediate node creates a route to the destination. When the source receives the RREP, it records the route to the destination and can begin sending data. If multiple RREPs are received by the source, the route with the shortest hop count is chosen.
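An added simulation of the route discovery just described (RREQ flood with duplicate suppression, reverse routes, RREP unicast back, shortest hop count chosen at the source); it is not code from any AODV implementation. The topology is constructed for illustration, nodes are processed in hop order as a synchronous stand-in for link delays, and replies from intermediate nodes holding a cached route are not modelled.

```python
from collections import deque

# Constructed topology: undirected links, S is the source and T the destination.
# Two routes exist, S-A-T (2 hops) and S-B-C-T (3 hops).
TOPOLOGY = {
    "S": ["A", "B"],
    "A": ["S", "T"],
    "B": ["S", "C"],
    "C": ["B", "T"],
    "T": ["A", "C"],
}


def aodv_route_discovery(topology, source, dest):
    """Flood one RREQ from source; return (chosen_route, rreps, forward_routes).

    Each intermediate node rebroadcasts the RREQ only on first receipt and records a
    reverse route to the source. The destination answers every RREQ copy it hears
    with an RREP that is unicast back hop by hop, installing forward routes.
    Intermediate nodes with a cached route to dest are not modelled."""
    seen = {source}          # nodes that have already processed this RREQ
    reverse_route = {}       # node -> next hop toward the source
    forward_route = {}       # node -> next hop toward the destination (set by RREP)
    rreps = []               # (hop_count, route) pairs as received at the source
    queue = deque((nbr, source, 1) for nbr in topology[source])
    while queue:
        node, prev_hop, hops = queue.popleft()
        if node == dest:
            # Generate an RREP and unicast it along the reverse routes to the source.
            route, cur = [dest], prev_hop
            while cur != source:
                forward_route[cur] = route[-1]   # intermediate node learns the route
                route.append(cur)
                cur = reverse_route[cur]
            route.append(source)
            rreps.append((hops, route[::-1]))
            continue
        if node in seen:
            continue                              # duplicate RREQ: drop it
        seen.add(node)
        reverse_route[node] = prev_hop
        for nbr in topology[node]:
            if nbr != prev_hop:
                queue.append((nbr, node, hops + 1))
    if not rreps:
        return None, rreps, forward_route         # no route to the destination
    best_hops, best_route = min(rreps, key=lambda r: r[0])
    forward_route[source] = best_route[1]         # source keeps the shortest route
    return best_route, rreps, forward_route
```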
CONCLUSION
We implemented the proposed algorithm using the NS 2.34 network simulator. We carried out our experiments on a Fedora/Linux operating system with 4 GB of memory and an Intel Core i3 processor. Our results show that the proposed algorithm provides security between the Policy Owner and the Request Owner that is robust against attackers.
In this paper, we present a DES-192 algorithm, which is an enhancement to the VGuard technique. VGuard is more secure for two main reasons. First, VGuard converts an existing firewall policy from an ordered list of overlapping rules to an equivalent non-ordered set of non-overlapping rules. Second, VGuard obscures rule decisions, which prevents the Policy Owner from knowing the decision for a given packet.
Our proposed algorithm has the following advantages:
1. The VGuard framework along with the DES-192 algorithm helps to preserve the privacy of communication in a VPN.
2. The proposed algorithm focuses not only on privacy preservation but also on robustness against attackers.
Future work intends to improve the security between the third party and the Policy Owner. For that, time-based firewall policies will be used to find the appropriate time to transfer packets between the third party and the Policy Owner.