Makoto Kayashima <kayashi@sdl.hitachi.co.jp>
Minoru Koizumi <m-koizu@sdl.hitachi.co.jp>
Tatsuya Fujiyama <fujiyama@sdl.hitachi.co.jp>
Masato Terada <terada@sdl.hitachi.co.jp>
Kazunari Hirayama <hiraya-k@soft.hitachi.co.jp>
Hitachi Ltd.
Japan
But currently, VPN architecture does not consider multiple firewalls, which creates some problems. We propose a "Seamless VPN," a new VPN construction method for a multiple-firewall environment. It consists of a transport layer gateway program on each firewall and a socket library for end-point clients. Each gateway has a user-based access control function, a relay circuit setup function, a user authentication function, and an end-to-end data encryption function. Using these functions, the Seamless VPN is able to construct a VPN in a multiple-firewall environment.
Keywords: VPN, Internet, intranet, information integrity, system availability, firewall, IP security, seamless.
Technologies such as IPSec (IP Security)[1] are now being developed to provide secure communication on the Internet. Using this technology, we can build a VPN over the Internet, and at the same time increase the security of traffic on that network. A VPN can provide a good infrastructure for a low-cost corporate network (known as an intranet) (figure 1).
Figure 1. VPN environment.
If we want to share secret information and important servers, we must maintain confidentiality using encryption and also address information integrity and system availability. The firewalls that prevent IP forwarding between corporate networks and the Internet and that control access must therefore also provide VPN security.
VPNs are currently being used for corporate networks, but we think there is a need to provide private VPNs for distributed departments in organizations. If we provide a VPN for a department within a corporate VPN, the corporate network will be constructed using multiple firewalls. But currently VPN architecture does not take multiple firewalls into consideration, which brings about some problems. In this paper, we propose a "Seamless VPN" for IP-unreachable networks and a multiple-firewall environment.
VPN entities with the same functions are installed in the gateways to the Internet; they encrypt/decrypt data and authenticate each other (figure 2). Usually, the VPN entities are installed in the firewall server or router. Group VPNs are used to connect whole domains closely to each other.
Figure 2. Group VPN.
The VPN entities are the two ends of a client-server system (figure 3). The combinations of VPN entities are a PC client with a firewall server, or a dial-up server (which substitutes for the PC client) with a firewall server. Personal VPNs are often used for mobile clients.
Figure 3. Personal VPN.
The data encryption function is applied by encapsulating IP packets (figure 4). Mutual authentication between entities is executed either at the start of a session or by an authentication header added to each packet. Network layer VPNs can carry any protocol that runs over IP.
Figure 4. Principle of encapsulation.
Transport layer VPNs use a special protocol that has a data encryption/decryption function and an authentication function. Usually, authentication between entities is executed at the start of a session.
| Group VPN | Personal VPN |
Network Layer VPN | IPSec[1] | IPSec[1], PPTP[2] |
Transport Layer VPN | - | SSL[3], Socks V5[4], Seamless VPN |
To construct private VPNs for distributed departments in organizations, we must establish firewalls to protect subnetworks. (We call these firewalls "internal firewalls.") These internal firewalls are not IP reachable from the Internet, because another firewall partitions the private network from the Internet (figure 5). (We call this firewall the "external firewall.") Network layer VPNs rely on IP reachability to deliver packets, so a VPN cannot be constructed in this environment.
Figure 5. Problem of IP unreachability.
If we want to construct a VPN between subnetworks in a corporate VPN, packets must be encapsulated repeatedly, as shown in figure 6. (1) Multiple encapsulation of packets causes a loss of efficiency: larger packets and additional encryption processing for every layer. (2) The data encryption/decryption process is computationally expensive; if it is executed at a traffic concentration point such as the external firewall, the performance of the external firewall will decline.
Figure 6. Problem of performance.
Figure 7. Seamless VPN environment.
In order to provide secure and transparent access in a VPN, the Seamless VPN has a user-authentication-based access control mechanism, a data encryption mechanism based on per-user key management, and a communication routing control mechanism. The transport layer gateway program, called hs-gw, and a socket library module with security functions for client applications, called secure socket, provide secure access to all TCP-based network services.
There may be multiple hs-gws on the route between client and server. The hs-gw that is directly connected to the server is called the "terminal hs-gw."
Using these parameters, hs-gw provides IP address-based access control, service-based access control, and user-based access control.
Destination | Service Name | GW Address | Port |
Destination is the domain name to which the connection is made; it may be prefixed with the negation operator "~".
Service Name is specified in file /etc/services. "*" is a wild card.
GW Address is the IP address of hs-gw.
Port is the port number of hs-gw.
Figure 10. Network example.
The proxy file for client (supper.food.com) is shown below.
vegetable.food.com | * | potato.vegetable.food.com | * |
fruit.food.com | * | lemon.fruit.food.com | * |
~food.com | * | dinner.food.com | * |
Table 2 shows the relay gateways selected for the target server using the above definition.
Target server | Relay gateway |
In the fruit.food.com domain (banana, kiwi) | lemon |
In the vegetable.food.com domain (carrot) | potato |
Not in the food.com domain | dinner |
Using this function, the Seamless VPN can set up a relay circuit in a multiple-firewall environment.
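The relay-gateway selection described by the proxy file above, and the hop-by-hop relay circuit setup through multiple hs-gws, as an added example. This is not the paper's hs-gw or secure socket code, and it assumes semantics the paper does not spell out: lines are tried top to bottom and the first match wins; a Destination domain matches a target host that equals it or ends with "." followed by it; a leading "~" negates that test; "*" matches any Service Name or Port; and a hop with no matching line connects directly, which makes it the terminal hs-gw. The proxy files for dinner, lemon, potato and the partner firewall plate.dessert.example are constructed for the illustration and go beyond the paper's single-hop table.

```python
"""Relay-gateway selection and relay-circuit resolution for Seamless VPN proxy files.

Added example; not the paper's hs-gw code. Matching semantics are assumptions
(first match wins, label-boundary suffix match, "~" negates, "*" wildcards).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    destination: str   # domain, optionally prefixed with "~"
    service: str       # /etc/services name or "*"
    gw_address: str    # hs-gw to relay through
    port: str          # hs-gw port or "*"

    def matches(self, host: str, service: str) -> bool:
        dest = self.destination
        negate = dest.startswith("~")
        if negate:
            dest = dest[1:]
        # Suffix match on label boundaries, so "notfood.com" is outside "food.com".
        in_domain = host == dest or host.endswith("." + dest)
        domain_ok = (not in_domain) if negate else in_domain
        service_ok = self.service == "*" or self.service == service
        return domain_ok and service_ok


def parse_proxy_file(text: str) -> List[Rule]:
    """Parse whitespace-separated proxy lines; '#' starts a comment (assumed)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"malformed proxy line: {raw!r}")
        rules.append(Rule(*fields))
    return rules


def select_gateway(rules: List[Rule], host: str, service: str) -> Optional[Tuple[str, str]]:
    """Return (gw_address, port) of the next hs-gw, or None for a direct connection."""
    for rule in rules:
        if rule.matches(host, service):
            return (rule.gw_address, rule.port)
    return None


def resolve_route(proxy_files: Dict[str, List[Rule]], client: str,
                  host: str, service: str) -> List[Tuple[str, str]]:
    """Walk the relay circuit hop by hop: each hs-gw consults its own proxy
    file for the next hop until a hop has no rule for the target, which makes
    that hop the terminal hs-gw. A loop between misconfigured gateways is
    rejected instead of spinning forever."""
    route: List[Tuple[str, str]] = []
    here, seen = client, {client}
    while True:
        nxt = select_gateway(proxy_files.get(here, []), host, service)
        if nxt is None:
            return route
        if nxt[0] in seen:
            raise RuntimeError(f"relay loop through {nxt[0]}")
        seen.add(nxt[0])
        route.append(nxt)
        here = nxt[0]


# Proxy file of client supper.food.com, transcribed from the paper's example.
SUPPER_PROXY = """
vegetable.food.com  *  potato.vegetable.food.com  *
fruit.food.com      *  lemon.fruit.food.com       *
~food.com           *  dinner.food.com            *
"""

# Constructed proxy files for the gateways themselves (not from the paper): the
# external firewall dinner relays traffic for a partner domain through the
# partner's firewall plate; lemon, potato and plate have no onward rules and so
# act as terminal hs-gws for their subnetworks.
DINNER_PROXY = "dessert.example  *  plate.dessert.example  1080\n"

PROXY_FILES: Dict[str, List[Rule]] = {
    "supper.food.com": parse_proxy_file(SUPPER_PROXY),
    "dinner.food.com": parse_proxy_file(DINNER_PROXY),
    "lemon.fruit.food.com": [],
    "potato.vegetable.food.com": [],
    "plate.dessert.example": [],
}

if __name__ == "__main__":
    for target in ("banana.fruit.food.com", "carrot.vegetable.food.com",
                   "spoon.food.com", "cake.dessert.example"):
        print(target, "->", resolve_route(PROXY_FILES, "supper.food.com", target, "telnet"))
```

Note the two edge cases the negated rule produces: a host such as spoon.food.com that is inside food.com but in neither listed subdomain matches no line and is connected directly, while notfood.com is correctly treated as outside food.com because the match is on a label boundary rather than a bare string suffix.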
Figure 11. Authentication sequence.
Figure 12. End-to-end data encryption.
The client and the terminal hs-gw generate the session key using information shared in the authentication process. Using this function, the Seamless VPN is able to limit packet data size.
Using the routing control function of hs-gw, a secure path can be created in an IP-unreachable network environment.
In the Seamless VPN, the data encryption/decryption process is executed only by the client and the terminal hs-gw; thus there is no loss of efficiency (packet data size does not increase). Moreover, the hs-gw on the external firewall does not execute the encryption/decryption process, so the performance of the external firewall does not decline.