Protecting a Corporate Network with ViPNet. Best Practices in Configuring the Appropriate Security Level in Your ViPNet Network


Introduction

Scope

ViPNet technology protects information systems by means of encryption and traffic filtering. As a corporate or private user, you can integrate ViPNet tools for secure peer-to-peer data exchange into your pre-existing information system, whatever its topology. ViPNet default settings ensure the standard security level for your information system; beyond that, you can adjust the security level exactly to your needs. This document collects the best practices and how-tos for ensuring the proper level of security for your information system by using the ViPNet technology.

Key Questions

How does ViPNet provide confidential data exchange?
How do virtual IP addresses eliminate IP address conflicts in VPN connections?
How does the integrated ViPNet firewall ensure a high security level for a protected system?
How to configure ViPNet software for concurrent operation with third-party firewalls?
What to do next if you want to provide an even higher level of security on your ViPNet hosts?

Audience

Network security specialists, including leads and staff of IT security, integration, and technical support departments.

Terms and Definitions

Coordinator: a server in a protected ViPNet network that performs service functions ensuring secure communication of ViPNet hosts. As a cryptographic gateway, a coordinator tunnels the IP traffic of LAN computers that do not have any ViPNet software installed.

Protected IP traffic: the flow of IP packets encrypted by ViPNet technology and transferred over the protected channels of a ViPNet network. Traffic between ViPNet hosts can go protected.

Tunneled host: a computer or device in a LAN protected by a coordinator (functioning as a cryptographic gateway).

Unencrypted IP traffic: the flow of IP packets sent or received by a ViPNet host without encryption or decryption. Data exchange with public services and with unprotected resources in a LAN is unencrypted.

ViPNet client software: software that protects computers or devices and the traffic they exchange. The client software connects a computer or device to a ViPNet network.

ViPNet firewall: a firewall based on ViPNet technology. As opposed to third-party firewalls, the ViPNet firewall allows you to configure filtering rules separately for protected and unencrypted traffic.

ViPNet host (protected host): a host connected to a ViPNet network. ViPNet hosts have ViPNet software installed on them.

ViPNet network: a computer network protected by ViPNet technology. Data exchange within a ViPNet network is secure because VPN connections are encrypted by ViPNet technology. Each host within a ViPNet network is protected by a ViPNet firewall, which filters the traffic. Tunneled resources are protected by the firewall of their cryptographic gateway (a coordinator). Other ViPNet components provide additional security features and software for management and monitoring of a ViPNet network, including software for centralized configuration of firewall filtering on ViPNet hosts (ViPNet Policy Manager).

Virtual IP addresses (in ViPNet technology): IP addresses that each ViPNet host assigns to all other remote ViPNet hosts and tunneled resources instead of their real IP addresses. Virtual IP address technology prevents conflicts of real IP addresses when address ranges in different local networks overlap.

Visibility IP address of another ViPNet host on your host: an IP address (either virtual or real) used by your ViPNet host for secure communication with another ViPNet host. Traffic sent to the visibility IP address is encrypted.

VPN (virtual private network): a general term for technologies that allow deploying a protected logical network over a pre-existing network with a low level of trust. Communication of hosts within a VPN is protected by IP packet encryption.

Overview of ViPNet Technology

ViPNet tools for cryptographic protection and traffic filtering provide comprehensive protection of information systems. These tools are adapted for seamless integration into existing systems with an already mature infrastructure. When ViPNet is implemented, the hosts (computers and devices) of your network are connected into a ViPNet network.

There are two ways a computer can be protected by means of the ViPNet technology. The first is to deploy a ViPNet client on the computer. The other is to place the computer within a LAN protected by a coordinator (a ViPNet cryptographic gateway). The computer is then considered a tunneled host, and its coordinator tunnels its traffic as it passes through a public network.

A ViPNet network provides the following security factors:

ViPNet hosts (clients, coordinators) communicate over encrypted VPN channels (encryption algorithm: AES; the cryptographic module is validated according to FIPS 140-2 #2282). VPN channels are established immediately, without prior handshaking, and can start processing any type of IP traffic at any time.
The ViPNet technology automatically chooses the shortest path for the encrypted traffic. The topology (as well as the location of hosts inside or outside a LAN) imposes no restrictions on ViPNet network connectivity.
When ViPNet hosts communicate, there are no intermediate VPN gateways that would decrypt the data these hosts exchange (peer-to-peer connection). ViPNet hosts encrypt and decrypt the traffic themselves. As a result, the data remains encrypted along the entire path of its transmission, including LANs, so unauthorized access to the data in transit is prevented.
When tunneling is performed, the traffic is encrypted only on its way from the tunneling coordinator to the other ViPNet hosts. On the way from the tunneled host to its coordinator (that is, within the LAN) the traffic is not encrypted. For this reason we recommend using tunneling only within LANs that you trust.
The integrated firewall protects clients and coordinators. Its distinctive feature is that it allows you to configure filtering rules separately for unencrypted traffic and for traffic transferred over VPN channels. Thanks to this, your staff can securely access your corporate resources over a protected VPN channel and browse the Internet at the same time.
Administrative ViPNet software enables you to manage a ViPNet network (its topology, ViPNet firewall settings, and so on) and monitor it centrally.
The ViPNet product line also includes additional security tools that you can use when necessary.

How to Protect Your Corporate Network with ViPNet

By installing ViPNet software with default settings on the computers of your system, you ensure the standard security level for your corporate network. Still, you can increase the security of your corporate network even further if you configure your ViPNet software with regard to your usual workflow and take additional security measures.

Ensure support for virtual IP addresses within your corporate network

The virtual IP address technology eliminates IP address conflicts; they are resolved automatically. For virtual IP addresses to function properly, you need either to protect your DNS server and other name servers with ViPNet software, or to configure the use of DNS names centrally in the administrative ViPNet software. On configuring virtual IP addresses, see Virtual IP Addresses in a ViPNet Network.

Configure the ViPNet firewall

To align security rules with the security requirements of your corporate network, you can perform advanced customization of traffic filtering on ViPNet hosts. If you need external hosts to access protected local resources, grant access only to trusted hosts (for example, to certain hosts of your LAN). See General Principles of Traffic Filtering in a ViPNet Network.

Configure two firewalls to work concurrently

If a third-party firewall is installed on a ViPNet host (in addition to the integrated ViPNet firewall), we strongly recommend that you either disable it or configure it properly in order to avoid conflicts with the ViPNet software. See How do Third-Party Firewalls Operate in a ViPNet Network.

Install and configure antivirus software on your ViPNet hosts

To protect ViPNet hosts against spyware and other malware (for example, Trojans), install antivirus software on them. This is especially important for hosts that are allowed to access the Internet. On using antivirus software together with the ViPNet software, see Using Antivirus Software in a ViPNet Network.

Virtual IP Addresses in a ViPNet Network

Support for virtual IP addresses makes a ViPNet network highly scalable and provides automatic configuration and flexible establishment of peer-to-peer connections between any ViPNet hosts. The correct use of virtual IP addresses provides comfortable and safe work in a ViPNet network.

The challenge of IP address intersection in VPNs

In common VPN solutions, whether an outgoing IP packet is encrypted depends on its destination IP address. Remote hosts with which you exchange traffic that needs protection normally have private IP addresses, because they are located in corporate LANs or access the Internet via their providers. As a result, some remote hosts may turn out to have identical IP addresses, or the IP address of a remote host may coincide with that of a host within your own subnetwork. Configuring VPN connections therefore requires resolving the IP address conflicts that keep arising.

The common solution is the following. When a remote VPN client accesses corporate LAN resources, the LAN's main gateway allocates a virtual IP address to this VPN client. This virtual address belongs to the address range the given gateway uses for assigning virtual addresses. The remote client operates on the VPN using this IP address. Normally, the virtual IP address is assigned to a virtual adapter created on the client computer.

Such an approach eliminates IP address conflicts if hosts obtain their virtual IP addresses from the same VPN gateway. But when addresses are allocated by different VPN gateways, it does not work without address negotiation between the LANs involved. This happens when:

two VPN clients obtain their virtual addresses from different VPN gateways that use the same address space for assigning virtual addresses;
a VPN client connects to several subnetworks served by different VPN gateways that use the same address space for assigning virtual addresses;
the virtual address assigned to a VPN client falls into the address space of the client's own subnetwork.

In this case, configuring communication with partner networks becomes extremely complicated. So does configuring communication between segments of your own corporate network when its topology is complex enough.

Solution of the IP address intersection in a ViPNet network

On each ViPNet host, the real IP address of every other ViPNet host or tunneled resource is automatically mapped to a special virtual IP address. Unlike in common VPN solutions, a host in a ViPNet network knows nothing about the virtual IP addresses allocated to it on other ViPNet hosts. Virtual addresses do not conflict with one another: when a new virtual address is created, it is checked for conflicts within the virtual address pool of the given host, so its uniqueness is guaranteed. Virtual addresses are never transferred to other hosts and therefore cannot cause conflicts on the other side. This technology completely resolves IP address conflicts for any type of communication between ViPNet hosts or the resources they tunnel.

When the use of virtual IP addresses is enabled

On your ViPNet host, you can explicitly define whether every other ViPNet host is accessed (in other words, visible from your host) by its real or its virtual IP address. This address is called the visibility IP address. By default, for each other host, automatic selection of its visibility address is enabled:

real IP addresses are used for connections with ViPNet hosts in the same subnetwork as your host;
virtual IP addresses are used for connections with hosts located outside your host's subnetwork.

You can explicitly enable visibility of a certain host by its virtual or its real IP address. Traffic directed to another host's visibility address is encrypted. When you assign a visibility address, it is automatically checked for conflicts (for example, you are guaranteed not to accidentally enable communication by real IP address with two hosts that have identical IP addresses).

Advantages of virtual IP addresses

Your users and network administrators do not need to cope with intersections of real and virtual IP addresses of VPN clients. Configuration is performed automatically and independently on each VPN host. There is no need to negotiate the use of virtual IP addresses, so a network administrator saves effort when configuring partner network connections.

How to enable the use of virtual IP addresses in services and applications installed on a ViPNet host

If, on your ViPNet host, the visibility of the remote host X is set to its virtual IP address, all your applications that exchange traffic with this remote host must use exactly that virtual IP address. Applications work with a virtual IP address just as they do with a real one.

Applications obtain information on other hosts' IP addresses via standard name services. If you want a name service to provide the proper visibility address (virtual or real) to applications, install ViPNet software on it or have it tunneled by a coordinator. In this case, the following rules apply to the applications installed on a ViPNet host or a tunneled resource:

When an application requests an IP address from a name service, it receives the visibility address of the remote ViPNet host.
When an application receives an IP packet from a remote ViPNet host, the packet carries the visibility address of the remote host as its source address.

The ViPNet software components support receiving correct visibility addresses from all common name services: DNS, WINS, and multimedia services (using SIP, H.323 and other multimedia service protocols).

You can also provide access to corporate resources by their DNS names by using a public DNS server that has no ViPNet software installed. For this, the DNS names of corporate ViPNet resources need to be specified in the ViPNet software on the network hosts (either centrally or locally on the hosts themselves). When a host sends a DNS request and receives a response from the DNS server, the ViPNet software substitutes the IP address in the response with the visibility address that corresponds to the DNS name of the corporate resource in the request.

The ViPNet solution also includes proprietary tools for communication between ViPNet network users (among others, instant messaging, file exchange, a secure email client, and tools for remote access to other ViPNet hosts and their resources). These ViPNet services do not require a name server, because they automatically address remote hosts by their visibility addresses. Virtual IP addresses of other ViPNet hosts are available in the ViPNet software interface.

How to use virtual addresses correctly

When your host sends data to a remote host X by its visibility address (either virtual or real), the traffic is transferred encrypted. For example, if host X has its virtual address as the visibility address, then only the traffic addressed to this virtual address is encrypted. The real IP address of host X is not considered as belonging to it, because this address can just as well belong to an unprotected host in your own LAN or to remote hosts in other LANs. Consequently, when the remote host X is visible by a virtual address:

traffic sent to its real IP address is not encrypted;
an unencrypted packet received from host X with the host's real IP address as the packet's source is considered to be received from some unprotected host in your LAN.

Therefore, if on your ViPNet host a virtual IP address is defined as the visibility address of host X, prevent your applications from addressing host X by its real IP address.

If applications in your network need to access a certain resource by its real IP address (for example, hosts cannot address the resource by its DNS name), you can force other hosts to see this resource by its real IP address. In this case, all IP traffic directed from the ViPNet hosts to the real IP address of the resource is encrypted.
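The following Python model is added here and is not part of the ViPNet documentation or software; it illustrates the behaviour described in this and the preceding sections: each host allocates virtual addresses from its own local pool, picks a visibility address by subnet, refuses a real-address visibility that would collide with another peer, encrypts only traffic sent to a visibility address, and rewrites public DNS answers for known corporate names. The host identifiers, the pool 11.0.0.0/16 and all sample addresses are constructed assumptions.

```python
"""Per-host virtual IP addresses and visibility addresses, modelled after the
scheme described above (added example, not ViPNet code).  Host identifiers,
the virtual pool and all sample addresses are constructed for this example."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RemoteHost:
    host_id: str          # ViPNet host identifier (constructed)
    real_ip: str
    dns_name: str = ""    # corporate DNS name registered for the host, if any


@dataclass
class ViPNetHost:
    own_subnet: str                       # e.g. "10.1.0.0/24"
    virtual_pool: str = "11.0.0.0/16"     # local pool, never sent to peers
    _peers: dict = field(default_factory=dict)     # host_id -> RemoteHost
    _virtual: dict = field(default_factory=dict)   # host_id -> virtual IP
    _override: dict = field(default_factory=dict)  # host_id -> "real" | "virtual"

    def __post_init__(self):
        self._free = ipaddress.ip_network(self.virtual_pool).hosts()

    def add_peer(self, peer):
        """Register a remote host and give it a virtual IP that is unique within
        this host's own pool; the mapping exists only on this host."""
        self._peers[peer.host_id] = peer
        if peer.host_id not in self._virtual:
            cand = str(next(self._free))
            assert cand not in self._virtual.values()   # uniqueness check
            self._virtual[peer.host_id] = cand
        return self._virtual[peer.host_id]

    def visibility_address(self, host_id):
        """Default rule: real IP inside our own subnet, virtual IP outside it,
        unless an explicit choice was made with set_visibility()."""
        peer = self._peers[host_id]
        mode = self._override.get(host_id)
        if mode is None:
            inside = ipaddress.ip_address(peer.real_ip) in ipaddress.ip_network(self.own_subnet)
            mode = "real" if inside else "virtual"
        return peer.real_ip if mode == "real" else self._virtual[host_id]

    def set_visibility(self, host_id, mode):
        """Explicitly choose real or virtual visibility.  Real visibility is
        refused when another peer is already reachable by the same real IP."""
        if mode == "real":
            real_ip = self._peers[host_id].real_ip
            for other_id, other in self._peers.items():
                if (other_id != host_id and other.real_ip == real_ip
                        and self.visibility_address(other_id) == real_ip):
                    raise ValueError(f"{host_id}: real IP {real_ip} already used by {other_id}")
        self._override[host_id] = mode

    def is_encrypted(self, dst_ip):
        """Outgoing traffic is encrypted only when the destination equals some
        peer's visibility address; a peer's real IP is otherwise treated as
        belonging to an unprotected host."""
        return any(self.visibility_address(h) == dst_ip for h in self._peers)

    def rewrite_dns_answer(self, dns_name, answered_ip):
        """Public DNS server case: if the name belongs to a known corporate
        resource, substitute its visibility address for the answered IP."""
        for host_id, peer in self._peers.items():
            if peer.dns_name == dns_name:
                return self.visibility_address(host_id)
        return answered_ip


def build_demo_host():
    """Constructed scenario: one peer in our own LAN and two partner-LAN hosts
    whose private real IPs collide with each other."""
    me = ViPNetHost(own_subnet="10.1.0.0/24")
    me.add_peer(RemoteHost("A-LOCAL", "10.1.0.20"))
    me.add_peer(RemoteHost("B-PARTNER", "192.168.1.10", "crm.corp.example"))
    me.add_peer(RemoteHost("C-PARTNER", "192.168.1.10"))
    return me


if __name__ == "__main__":
    me = build_demo_host()
    for h in ("A-LOCAL", "B-PARTNER", "C-PARTNER"):
        print(h, "visible as", me.visibility_address(h))
    print("encrypt to 192.168.1.10:", me.is_encrypted("192.168.1.10"))
    print("DNS answer for crm.corp.example:",
          me.rewrite_dns_answer("crm.corp.example", "192.168.1.10"))
```

Switching B-PARTNER to real visibility succeeds, after which the same request for C-PARTNER is refused, which is the conflict check the section describes.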

General Principles of Traffic Filtering in a ViPNet Network

Separate processing of different kinds of traffic

A ViPNet network creates a trusted environment within the underlying untrusted network. In addition to what common VPN solutions provide (transmission of confidential data over protected channels), a ViPNet network allows for differentiated access by protocol even within the trusted environment. Thanks to this, you can take into account the level of trust towards each user who works within your trusted environment.

The ViPNet firewall enables you to configure different filters for encrypted and unencrypted traffic. This is possible because the ViPNet firewall processes the traffic at the moment the ViPNet software encrypts or decrypts it. Filters for encrypted traffic are bound to ViPNet host identifiers and are independent of hosts' IP addresses. Therefore, a third party cannot bypass the filters by substituting IP addresses and operating under permissions defined for other hosts: any traffic transmitted from one host to another is identified unambiguously.

With the ViPNet firewall, you can securely communicate with trusted hosts over VPN connections, limit the data exchange within the VPN to certain protocols for partners that you do not fully trust, and prohibit unused protocols for unencrypted traffic.

On ViPNet hosts, we recommend using only the ViPNet firewall and disabling any third-party firewalls. The ViPNet firewall is a fully functional traffic filtering solution, which alone is enough to ensure reliable protection of your host. So there is no need to use it together with any additional third-party firewall, including the Windows firewall. Nevertheless, if for whatever reason you need to use a third-party firewall, see How do Third-Party Firewalls Operate in a ViPNet Network.

How to configure a ViPNet firewall on ViPNet hosts

Traffic filtering on ViPNet hosts is configured by the ViPNet network administrator, either directly on each host (after logging on with administrator's credentials) or centrally by using the ViPNet Policy Manager software.

What to consider when allowing inbound unencrypted traffic

By default, the ViPNet client software is pre-configured to allow any encrypted connections, outgoing connections initiated by the host, and connections over certain protocols necessary for your computer to function properly in the network (DHCP, NetBIOS, and WINS traffic).

A ViPNet host may receive public (unencrypted) traffic when someone attempts to access it from the public network. Allowing such connections may put the security of your corporate network at risk, because a third party can use the host as an entry point for accessing corporate resources. That is why we recommend allowing access from public hosts to ViPNet hosts only when necessary, over certain protocols, and for the users of your LAN.

Coordinators

By default, the ViPNet firewall on a coordinator is pre-configured to do the following:

block connections with public resources;
block public forward traffic (unencrypted traffic passing through the coordinator from one host to another); you should configure filters for this traffic according to the needs of your company;
allow encrypted forward traffic between ViPNet hosts;
allow traffic between hosts tunneled by the coordinator and remote ViPNet hosts (this traffic is unencrypted within the LAN on its way from the tunneled host to the coordinator and encrypted in the public network).

Coordinators protect the LAN on whose edge they are located. Their proper configuration and performance is important for your network security. That is why we recommend that you allow access to coordinators (and, among other things, to their settings and controls) only from ViPNet hosts and block it for unprotected hosts. Whether or not to allow data exchange via a coordinator between remote unprotected computers and your LAN depends on the security requirements of your corporate network.

ViPNet clients

By default, the ViPNet firewall on a client is pre-configured to do the following:

allow outgoing connections, initiated by the client, with public hosts;
allow any encrypted connections with ViPNet hosts (provided that communication with these hosts is also allowed by the ViPNet administrative software).

If you do not consider this level of protection reliable enough, you are free to block the host's connections with public hosts, partly or entirely. If you do not fully trust certain hosts within your ViPNet network, you can limit their allowed connections; for example, you can restrict their access to the hosts of utmost importance.

What to consider when deploying server applications on ViPNet hosts

When server applications are installed on your ViPNet client or coordinator, we do not recommend allowing the corresponding unencrypted traffic between these applications and their users. Instead, we recommend that you ensure this traffic is encrypted; to do this, install the ViPNet Client software on the computers of the server users. If you trust the computers of your internal network, you may allow the corresponding server-client traffic to go unencrypted. However, bear in mind that, according to statistics, most successful attacks come from the internal network.

How do Third-Party Firewalls Operate in a ViPNet Network

A third-party firewall and ViPNet traffic

Third-party firewalls do not configure filtering of unencrypted and encrypted traffic separately. ViPNet host traffic is encrypted and decrypted between the network layer and the data-link layer of the ISO/OSI network protocol stack model. The effect of a third-party firewall on ViPNet traffic depends on the layer of the protocol stack on which the firewall operates: above or below the encryption phase.

If the third-party firewall operates above the layer of encryption

This section applies to the Windows firewall. In this case, the third-party firewall makes no difference between unencrypted and ViPNet-encrypted traffic. Therefore, the firewall applies its filtering rules to all traffic, encrypted or not:

if you block certain protocols for unencrypted traffic in order to secure your computer, this traffic is blocked within secure VPN connections as well;
on the other hand, if you allow access over certain protocols within the VPN, the same access is allowed for public connections too.

If the third-party firewall operates on the same layer as the encryption

In this case, the third-party firewall conflicts with the ViPNet software and puts your computer at risk of a crash.

If the third-party firewall operates below the layer of encryption

In this case, the encrypted ViPNet traffic passes through the third-party firewall only in the form of UDP- or TCP-encapsulated packets. All information about the inner packets (protocols, ports, addresses) is unavailable to the firewall, except for the source and destination addresses of the encapsulating packet. Such a third-party firewall cannot filter encrypted traffic by its inner properties.

May I use the ViPNet firewall together with a third-party firewall?

When necessary, you can use the Windows firewall together with the ViPNet components. However, this complicates configuring the filtering rules. As for other third-party firewalls, we recommend disabling them in order to avoid possible conflicts with the ViPNet software (including serious failures of the entire system). If you decide to use the ViPNet firewall together with a third-party firewall, bear in mind the following:

the way a third-party firewall processes ViPNet traffic depends on the layer of the network protocol stack on which it operates;
only those packets are allowed that are allowed by both firewalls; a packet is blocked when at least one of the firewalls blocks it.

May I use a third-party firewall instead of the ViPNet firewall?

When a third-party firewall does not conflict with the ViPNet firewall, it is technically possible to disable the blocking rules of the ViPNet firewall and enable the third-party one. However, with third-party firewalls you cannot configure filtering rules for unencrypted and encrypted traffic separately, which means you are unable to ensure reliable protection of a host.
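The following Python simulation is added here and is not ViPNet code; it models the three cases described in this section and the filtering principles above: the integrated firewall matching encrypted traffic by host identifier and public traffic by IP, a host firewall above the encryption layer that applies one rule set to both kinds of traffic, and a firewall below that layer that sees only the UDP encapsulation, with the rule that a packet passes only if both firewalls allow it. The rule sets, host identifiers, addresses and the outer port 55777 are constructed assumptions.

```python
"""How a ViPNet-style firewall combines with a third-party firewall, modelled
after the three cases described above (added example, not ViPNet code).  Rule
sets, host identifiers, addresses and packets are constructed for this example."""
from dataclasses import dataclass
from typing import Optional

ALLOW, BLOCK = "allow", "block"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp", "udp", "icmp"
    dst_port: Optional[int]
    host_id: Optional[str] = None   # sender's ViPNet host id, known only after decryption
    encap_port: int = 55777         # outer UDP port of the encapsulated VPN packet (constructed)

    @property
    def encrypted(self):
        return self.host_id is not None


def _match(rule_proto, rule_port, proto, port):
    return rule_proto in ("*", proto) and rule_port in (None, port)


class ViPNetFirewall:
    """Two separate rule sets: encrypted traffic is matched by host id, public
    traffic by source IP, so an unprotected host using a ViPNet host's IP
    never inherits the permissions granted to that ViPNet host."""
    def __init__(self, encrypted_rules, public_rules, default=BLOCK):
        self.encrypted_rules = encrypted_rules  # (host_id|"*", proto, port|None, action)
        self.public_rules = public_rules        # (src_ip|"*", proto, port|None, action)
        self.default = default

    def decide(self, pkt):
        rules = self.encrypted_rules if pkt.encrypted else self.public_rules
        subject = pkt.host_id if pkt.encrypted else pkt.src_ip
        for subj, proto, port, action in rules:
            if subj in ("*", subject) and _match(proto, port, pkt.proto, pkt.dst_port):
                return action
        return self.default


class AboveLayerFirewall:
    """Host firewall above the encryption layer (e.g. Windows Firewall): sees
    decrypted packets and cannot tell VPN traffic from public traffic."""
    def __init__(self, rules, default=ALLOW):
        self.rules, self.default = rules, default   # (proto, port|None, action)

    def decide(self, pkt):
        for proto, port, action in self.rules:
            if _match(proto, port, pkt.proto, pkt.dst_port):
                return action
        return self.default


class BelowLayerFirewall(AboveLayerFirewall):
    """Firewall below the encryption layer: for VPN packets it only sees the
    outer UDP encapsulation, never the inner protocol and port."""
    def decide(self, pkt):
        seen = Packet(pkt.src_ip, pkt.dst_ip, "udp", pkt.encap_port) if pkt.encrypted else pkt
        return super().decide(seen)


def combined(vipnet_fw, third_party_fw, pkt):
    """A packet passes only if both firewalls allow it."""
    if vipnet_fw.decide(pkt) == ALLOW and third_party_fw.decide(pkt) == ALLOW:
        return ALLOW
    return BLOCK


# Case 1: filters for encrypted traffic are bound to host ids, not to IPs.
def host_id_binding():
    fw = ViPNetFirewall(encrypted_rules=[("HQ-FILESRV", "tcp", 445, ALLOW)],
                        public_rules=[("*", "udp", 67, ALLOW)])   # DHCP only
    genuine = Packet("192.168.1.10", "10.1.0.5", "tcp", 445, host_id="HQ-FILESRV")
    no_channel = Packet("192.168.1.10", "10.1.0.5", "tcp", 445)  # same IP, no VPN channel
    return fw.decide(genuine), fw.decide(no_channel)


# Case 2: a firewall above the encryption layer applies one rule set to both kinds.
def above_layer_rdp():
    vip = ViPNetFirewall([("*", "*", None, ALLOW)], [("*", "*", None, BLOCK)])
    win = AboveLayerFirewall([("tcp", 3389, BLOCK)])
    vpn_rdp = Packet("11.0.0.2", "10.1.0.5", "tcp", 3389, host_id="HQ-ADMIN")
    return combined(vip, win, vpn_rdp)


# Case 3: a firewall below the encryption layer cannot filter VPN traffic by inner port.
def below_layer_rdp():
    vip = ViPNetFirewall([("*", "*", None, ALLOW)], [("*", "*", None, BLOCK)])
    edge = BelowLayerFirewall([("tcp", 3389, BLOCK)])
    vpn_rdp = Packet("11.0.0.2", "10.1.0.5", "tcp", 3389, host_id="HQ-ADMIN")
    public_rdp = Packet("203.0.113.7", "10.1.0.5", "tcp", 3389)
    return combined(vip, edge, vpn_rdp), combined(vip, edge, public_rdp)
```

In case 2 the encrypted RDP session is blocked even though the ViPNet firewall allows it; in case 3 the same session passes because the lower firewall only sees a UDP datagram on the encapsulation port.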

Using Antivirus Software in a ViPNet Network

We recommend using antivirus software on ViPNet hosts in order to protect them against malware. To avoid possible conflicts with the ViPNet software, either disable the firewall integrated into the antivirus software, or configure this firewall to operate correctly with the ViPNet firewall (see How do Third-Party Firewalls Operate in a ViPNet Network). The following antivirus software is tested and guaranteed to work correctly with ViPNet software:

AVG Antivirus 2014
Avira Antivirus Pro
BitDefender Antivirus
BullGuard Antivirus
Dr.Web Antivirus for Windows
ESET NOD32
F-Secure Antivirus
G DATA Antivirus Business
Kaspersky Antivirus 2014
McAfee Antivirus Plus 2014
Norton Antivirus 2013
Sophos Antivirus Business
Trend Micro Titanium Antivirus+ 2014

Disclaimer

This document describes the given issues as of the date of its creation. The vendor, InfoTeCS JSC, is continuously improving its technology in response to the changing requirements of the market. Therefore, the recommendations provided here may not be regarded as final and unequivocal. Our recommendations and references are intended to help you get familiar with the ViPNet technology and to develop the security practices most suitable for your business, taking into account the specific features of your corporate network. Full responsibility for the safety and reliability of a customer's information system lies with those responsible for the implementation and support of the ViPNet security solution in the customer's network.

Copyright InfoTeCS JSC, 1991-2014. All rights reserved. No part of this publication may be reproduced, published, stored in an electronic database, or transmitted, in any form or by any means (electronic, mechanical, recording, or otherwise) for any purpose without the prior written consent of Infotecs. ViPNet is a registered trademark of Infotecs. All brands and product names that are trademarks or registered trademarks are the property of their owners.

Infotecs Americas Inc., 41 Madison Avenue, New York, NY, 10010
Tel: +1 (646) 589-8571 (sales), +1 (646) 589-8570 (support)
Email: support@infotecs.us
Web: http://www.infotecs.us
00131-01 101 01 ENU