
1.0 The Introduction to Virtual Private Network (VPN)

According to Lewis, Mark (2006), a virtual private network (VPN) can be described as an extension of a private network, together with the resources in that network, across public networks such as the Internet. The implementation of the Virtual Private Network (VPN) allows a host computer to send and receive data across shared or public networks. It emulates the properties of the private network, such as file shares, server access and printers, by establishing and maintaining the security and management policies of the organization's private network. The VPN is built by establishing a point-to-point connection using either a dedicated connection, encryption, or a combination of both methods. According to the explanation from R. Morris and K. Thompson (1979), a Virtual Private Network system can be classified according to:
- the protocols used to tunnel the traffic
- the tunnel's termination point
- whether it offers site-to-site or remote-access connectivity
- the level of security provided
- the OSI layer it presents to the connected network

Diagram 1.0 The example of Internet Virtual Private Network (VPN)

2.0 Evaluation of the Encryption Methods and Security Issues

According to H. Krawczyk, M. Bellare and R. Canetti (1997), encryption is an important method used in the virtual private network (VPN). It ensures that the VPN is secure and limits user access, so that the data is protected and can only be accessed by authenticated persons. The VPN uses a cryptosystem to scramble the data into ciphertext, which is then decrypted back into readable text by the recipient. There are two types of cryptosystem used in the VPN, namely symmetric and asymmetric. Overall, symmetric cryptography is much faster to deploy and use in the VPN. It is commonly used to exchange large packets of data between two parties who know each other and use the same private key to access the data. Asymmetric systems, used to encrypt the data sent between the VPN server and client, are far more complex, because the users require a pair of mathematically related keys, one public and one private, to perform the decryption. This method is often used for smaller, more sensitive packets of data, or during the authentication process in the VPN. D. Harkins and D. Carrel (1998) explained that the longer the encryption key, the stronger it is, because the bit length of the algorithm determines the amount of effort required to crack the system using a brute-force attack, in which computers are combined to calculate all the possible key permutations. Users are therefore advised to use longer encryption keys so that the data transmitted between the VPN server and clients is safe. However, VPN data encryption does not provide end-to-end data encryption. According to R. Pereira and S. Beaulieu (1999), end-to-end encryption is encryption of the data between the client application and the server hosting the resources or services accessed by the client application.

On the other hand, D. Harkins and D. Carrel (1998) explained that there are many secure VPN protocols used to transfer data from the Virtual Private Network (VPN) server to the clients. Among the VPN protocols in use are:
- IPSec (Internet Protocol Security)
- Transport Layer Security (SSL)
- Datagram Transport Layer Security
- Microsoft Point-to-Point Encryption
- Secure Socket Tunneling Protocol
- MPVPN
- Secure Shell

However, there are still many security-related issues that occur in the Virtual Private Network (VPN). Each of these security issues is discussed below, with relevant examples provided to support the discussion.

(A) Many Authentication Methods are too Weak to Provide Adequate Security for Most Organizations

As explained by H. Krawczyk, M. Bellare and R. Canetti (1997), the first security issue in the Virtual Private Network (VPN) is that the authentication methods used are too weak and are easily broken by an unauthorized person. Many organizations use authentication methods that expose their network to a variety of security attacks. The most secure method of authentication is Extensible Authentication Protocol-Transport Level Security (EAP-TLS) when used in conjunction with smart cards. However, EAP-TLS and smart cards require a public key infrastructure (PKI), which can be complicated to deploy. Therefore, weak authentication becomes a serious threat to the users of the VPN in the office.

(B) Remote Access Account Lockout can Deny Network Access to Authorized Users

According to R. Morris and K. Thompson (1979), authorized users might be blocked from accessing the network: if a malicious user attempts a dictionary attack with the logon name of an authorized user, both the malicious user and the authorized user are locked out of the account until the account lockout threshold is reached. This causes great inconvenience for authorized users, especially when they wish to access the Virtual Private Network (VPN) to obtain data or resources. Therefore, it is a security-related issue in the VPN.

(C) Man-in-the-Middle Attacks

The third security issue in the Virtual Private Network (VPN) is the man-in-the-middle attack. H. Krawczyk, M. Bellare and R. Canetti (1997) explained that this issue arises when the VPN server uses IKE Aggressive Mode: if it is possible to determine a valid username and password, an ISAKMP SA can be established to the VPN server. Even if the VPN server enforces a second level of authentication, this often relies on the security of the ISAKMP SA. If it is possible to establish an ISAKMP SA, the second level of authentication does not provide complete protection, because it is vulnerable to a man-in-the-middle attack. As a result, the data sent via the VPN may be tapped by third parties or unauthorized people. It is therefore an important and critical security issue in the VPN.

3.0 Suggestion about the Appropriate Authentication Mechanism

As discussed in section 2.0, there are many security flaws and issues that occur while data is transferred between the Virtual Private Network (VPN) server and clients. Therefore, better and more appropriate authentication mechanisms are suggested and discussed in detail in this section in order to solve the respective problems in the future, with appropriate examples given to support the discussion. Simple encryption methods such as symmetric and asymmetric encryption are far from enough to guarantee the security of the VPN. Thus, additional secure VPN protocols are proposed for transferring data from the VPN server to the clients. According to H. Krawczyk, M. Bellare and R. Canetti (1997), the strength of VPN security lies in making eavesdropping on and interception of the connection between the server and clients harder. Thus, a few VPN-related security protocols are suggested to improve and enhance the security of the communication between server and clients in the VPN. Among the VPN protocols that can be used are:

IPSec (Internet Protocol Security)
o According to the International Engineering Consortium (2001), IPSec is an Internet Protocol security standard developed by the Internet Engineering Task Force (IETF). In this protocol, the standards-based security protocol provides authentication, integrity and confidentiality for the data transferred in the VPN. It encrypts and encapsulates an IP packet inside an IPSec packet; de-encapsulation happens at the end of the tunnel, where the original IP packet is decrypted and forwarded to its destination. Thus, the data transferred in the VPN is more secure.

Transport Layer Security (SSL)
o It is the tunnel through which the whole virtual private network (VPN) sends and receives data between the VPN server and clients. R. Morris and K. Thompson (1979) explained that with SSL the VPN can connect from locations where IPSec runs into trouble with Network Address Translation and firewall rules. SSL/TLS provides a number of cryptographic features, including confidentiality, integrity and digital signatures. Once SSL is used in the VPN, the SSL VPN gateway can authenticate itself to the web user using an SSL server certificate signed by a trusted Certification Authority (CA). This certification authority is very important for verifying that the users are talking to a trusted server via their browser. In real life, certain SSL VPNs use a self-signed digital certificate that is not normally trusted by most web browsers. Therefore, the users need to add the SSL VPN's self-signed digital certificate to their own list of trusted certificates before the browser can be used.

Datagram Transport Layer Security
o Normally, Datagram Transport Layer Security is used in the Cisco AnyConnect Virtual Private Network (VPN) to solve the issues that Secure Socket Layer (SSL) has with tunnelling over User Datagram Protocol (UDP).

Microsoft Point-to-Point Encryption
o H. Krawczyk, M. Bellare and R. Canetti (1997) explained that this mechanism works with the Point-to-Point Tunneling Protocol and in several compatible implementations on other platforms. It is an OSI layer two protocol built on top of the Point-to-Point Protocol. The authentication mechanisms used in a PPP connection are supported in a PPTP-based Virtual Private Network (VPN) connection. For this connection, EAP (Extensible Authentication Protocol), MS-CHAP (Microsoft Challenge Handshake Authentication Protocol), CHAP, SPAP (Shiva Password Authentication Protocol) and PAP (Password Authentication Protocol) are used.

Microsoft's Secure Socket Tunneling Protocol
o This security mechanism works in Windows Vista Service Pack 1, whereby SSTP tunnels Point-to-Point Protocol (PPP) or Layer 2 Tunneling Protocol traffic through an SSL 3.0 channel that can be implemented in the Virtual Private Network (VPN).

Secure Shell VPN
o OpenSSH provides Virtual Private Network (VPN) tunneling to secure remote connections to a network or inter-network links. In this method, OpenSSH provides a limited number of concurrent tunnels, and it allows the VPN to be configured so that personal authentication is not supported.
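The IPSec item above describes encrypting and encapsulating an IP packet, then decrypting and checking it at the far end of the tunnel. The following added example (not from the original essay or any of its cited sources) sketches that ESP-style flow in Python: constructed keys and SPI, an HMAC-SHA256 integrity check value (the keyed hashing of RFC 2104, which the essay cites), a simplified sequence-number replay check, and a toy counter-mode keystream built from HMAC that stands in for the AES cipher a real implementation would use.

```python
import hashlib
import hmac
import struct

# Constructed keys for the example; in a real tunnel IKE negotiates them.
ENC_KEY = b"\x01" * 32
MAC_KEY = b"\x02" * 32
SPI = 0x1000                    # Security Parameter Index naming the SA
HEADER = struct.Struct("!II")   # SPI, sequence number (ESP-like header)
ICV_LEN = 16                    # truncated HMAC tag appended to each packet

def _keystream(key, spi, seq, length):
    # Toy counter-mode keystream derived with HMAC-SHA256. It stands in for
    # the block cipher (e.g. AES) that a real ESP implementation would use.
    out, block = b"", 0
    while len(out) < length:
        counter = HEADER.pack(spi, seq) + struct.pack("!I", block)
        out += hmac.new(key, counter, hashlib.sha256).digest()
        block += 1
    return out[:length]

def encapsulate(inner_ip_packet, seq):
    """Wrap an inner IP packet as header || encrypted payload || ICV."""
    header = HEADER.pack(SPI, seq)
    ks = _keystream(ENC_KEY, SPI, seq, len(inner_ip_packet))
    ciphertext = bytes(a ^ b for a, b in zip(inner_ip_packet, ks))
    # The ICV covers header and ciphertext (encrypt-then-MAC, as ESP does).
    icv = hmac.new(MAC_KEY, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv

def decapsulate(packet, state):
    """Verify ICV and sequence number, then recover the inner packet."""
    # state maps SPI -> highest accepted seq (simplified; RFC 4303 uses a window)
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = HEADER.unpack(header)
    expected = hmac.new(MAC_KEY, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("integrity check failed: packet modified or forged")
    if seq <= state.get(spi, 0):
        raise ValueError("replayed packet: sequence number not fresh")
    state[spi] = seq
    ks = _keystream(ENC_KEY, spi, seq, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))
```

Decapsulating the same packet twice, or flipping any byte of its ciphertext, makes decapsulate raise ValueError, which is the integrity and anti-replay behaviour the IPSec description relies on.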

Apart from that, SOCKS5 is another security mechanism that can be implemented in the Virtual Private Network (VPN) to improve the security of data transmission between the VPN server and clients. H. Krawczyk, M. Bellare and R. Canetti (1997) explained that SOCKS5 is a circuit-level proxy protocol that was initially designed to facilitate authenticated firewall traversal. SOCKS5 offers a secure proxy architecture with extremely granular access control, which makes it an excellent choice for extranet configurations. SOCKS v5 supports a broad range of authentication, encryption, tunnelling and key-management schemes. At the same time, SOCKS v5 can also be used for some security features that are impossible with IPSec, PPTP or other VPN technologies. Firstly, SOCKS v5 offers an extensible architecture that allows developers to build system plug-ins, such as content filtering (for example, denying access to Java applets or ActiveX controls) as well as extensive logging and auditing of users. Therefore, SOCKS5 is able to offer the VPN more complete and intensive security features than any other technology in the market, such as IPSec, PPTP or other VPN technologies.

On the other hand, R. Morris and K. Thompson (1979) explained that the user of a Virtual Private Network (VPN) can integrate the technologies of both IPSec and SOCKS to make the overall security mechanism of the VPN even stronger than before. In terms of configuration, IPSec can be used to secure the underlying network transport, while SOCKS can be used to enforce user-level and application-level access control. Therefore, the security level of the VPN will be improved in the future.

4.0 Conclusion

In conclusion, the Virtual Private Network (VPN) is a useful network that allows a host computer to send and receive data across shared or public networks. It emulates the properties of the private network, such as file shares, server access and printers, by establishing and maintaining the security and management policies of the organization's private network. However, there are many security flaws and issues that cause the VPN not to be trusted by users, since it can easily allow interception or eavesdropping while data is sent and received between the server and clients in the VPN. Thus, a few new security mechanisms have been proposed to improve and enhance the security features of the VPN. Among the suggested security mechanisms are VPN protocols such as IPSec (Internet Protocol Security), Transport Layer Security (SSL/TLS), Datagram Transport Layer Security, Point-to-Point Encryption Protocol, Secure Socket Tunneling Protocol and Secure Shell VPN. Besides that, SOCKS version 5 is another ideal security mechanism that can be used to improve the security level of the VPN.

5.0 Reference

D. Harkins and D. Carrel. (1998). RFC 2409, The Internet Key Exchange (IKE).
International Engineering Consortium. (2001). Digital Subscriber Line 2001. Intl. Engineering Consortium, 2001, p. 40.
Lewis, Mark. (2006). Comparing, Designing, and Deploying VPNs. Cisco Press, p. 5.
R. Hills. (2003). NTA Monitor UDP Backoff Pattern Fingerprinting White Paper, http://www.nta-monitor.com/ike-scan/whitepaper.pdf
R. Morris and K. Thompson. (1979). Password Security: A Case History, Communications of the ACM, Vol. 22, No. 11, November 1979, pp. 594-597.
H. Krawczyk, M. Bellare and R. Canetti. (1997). RFC 2104, HMAC: Keyed-Hashing for Message Authentication.
R. Pereira and S. Beaulieu. (1999). Extended Authentication within ISAKMP/Oakley (XAUTH).
R. Hill. (2002). SecuRemote usernames can be guessed or sniffed using IKE exchange, Bugtraq Mailing List.
