ECI TruSecc PCC-VPN

Our PCC (Private Communication Circuit) framework is built on OpenVPN’s security model and on RealVNC’s RFB protocol for VNC remote desktop access. OpenVPN’s model can be summarized as follows: use an IPsec ESP-style format for tunnel packet security, but drop IKE in favor of SSL/TLS for session authentication. This allows for a lightweight, portable VPN implementation that draws on IPsec’s strengths without introducing the complexity of IKE.

PCC stands for Private Communication Circuit. A PCC benefits a company in the following ways:

  • Extends Geographic Connectivity: a PCC connects remote workers to central resources, making it easier to set up global operations.
  • Boosts Employee Productivity: a PCC enables telecommuters to boost their productivity by 22% – 45% (Gallup Organization and Opinion Research) by eliminating time-consuming commutes and by creating uninterrupted time for focused work.
  • Improves Internet Security: an always-on broadband connection to the Internet makes a network vulnerable to hacker attacks. Our PCC solutions include additional security measures to counteract the different types of network security threats.
  • Scales Easily: a PCC lets companies use the Internet as their remote-access infrastructure, so they can add a virtually unlimited amount of capacity without adding significant infrastructure of their own.

First, traffic between locations is encrypted in hardware by our router nodes, which connect every site over the Internet while using their own private IP address space. Once this network is established, host-based VPNs add a second layer of encryption and further obfuscate the network. This second tunnel segregates users and applications from one another, reducing exposure and eliminating target illumination.

A low level of “squitter” traffic is generated on the hardware-encrypted network to maintain network quality and performance. This constant background traffic also obscures the volume and timing metadata that would otherwise be visible to external observers.

While it is impossible to guarantee that no weaknesses exist, ECI’s TruSecc layers multiple controls so that a single flaw cannot cause a catastrophic security breach. For example, by running the VPN daemon under an unprivileged account (such as nobody) you can ensure that even if a remote buffer overflow exploit were discovered, the exploit would be unable to elevate its privilege to root. Another example is SSL/TLS authentication with --tls-auth. With --tls-auth, every control-channel packet carries an HMAC computed with a pre-shared key, and packets with an incorrect HMAC are dropped before they reach the TLS code. This ensures that even if a remote buffer overflow were discovered and exploited in the SSL/TLS authentication code of the OpenSSL library, it could not be used to attack an OpenVPN session protected with a --tls-auth key, because the attacker cannot produce a valid HMAC. In addition, SSL/TLS authentication gives you “perfect forward secrecy”: session keys are negotiated with an ephemeral key exchange, so compromise of the long-term certificate key does not expose past sessions.
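The settings described above correspond to specific OpenVPN server directives. The following script, added here as an example and not ECI’s or the OpenVPN project’s own code, audits a server configuration for them. The directive names are real OpenVPN options; the two configurations embedded in it are constructed samples, not deployed configurations.

```python
"""Audit an OpenVPN server configuration for the defence-in-depth settings
discussed above: privilege drop, --tls-auth on the control channel, and the
persist/chroot options that make the privilege drop workable.

Added example for this page; it is not ECI's or the OpenVPN project's own code.
The directive names are real OpenVPN options, but both configs below are
constructed samples, not deployed configurations."""

# Constructed sample: a working server config with none of the hardening.
WEAK_CONFIG = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
"""

# Constructed sample: the same server with the hardening directives added.
HARDENED_CONFIG = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
# HMAC every control-channel packet with a pre-shared key (direction 0 on the
# server, 1 on clients); packets with a bad HMAC never reach the TLS code.
tls-auth ta.key 0
# Drop root after the tunnel is up, so an exploited daemon is not root.
user nobody
group nogroup
# Without these, the unprivileged process cannot re-read keys or reopen the
# tun device on a SIGUSR1 restart.
persist-key
persist-tun
# Confine the daemon's view of the filesystem.
chroot /var/empty
"""


def parse_directives(text):
    """Map each directive to its argument list, skipping blank and comment lines
    (OpenVPN treats lines starting with '#' or ';' as comments)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives[name] = args
    return directives


def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(config_text)
    findings = []
    user = (d.get("user") or [None])[0]
    if user in (None, "root"):
        findings.append("runs as root: add 'user nobody' so an exploit cannot keep root")
    if "group" not in d:
        findings.append("no 'group' directive: add 'group nogroup'")
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("control channel unauthenticated: add 'tls-auth ta.key 0' "
                        "(or 'tls-crypt') to drop forged packets before TLS parsing")
    if user not in (None, "root") and not ("persist-key" in d and "persist-tun" in d):
        findings.append("privilege drop without persist-key/persist-tun: "
                        "restarts will fail once root is gone")
    if "chroot" not in d:
        findings.append("no chroot: add 'chroot /var/empty' to confine the daemon")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['OK']}")
```

The persist-key/persist-tun check is the one most often missed in practice: dropping to nobody without them leaves a daemon that works until its first restart, at which point it can no longer open the tun device or re-read its key material.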

Overkill? Maybe, but why not be “DeepSec” with “TruSecc” if you can?

Virtual.
Virtual means not real, or existing in a different state of being. In a VPN, private communication between two or more devices is achieved through a public network, the Internet. The private link is therefore virtually, but not physically, there.

Private.
Private means kept secret from the general public. Although the two devices communicate over a public network, the VPN is designed so that no third party can read or tamper with the data exchanged between them.

Network.
A network consists of two or more devices that can freely and electronically communicate with each other over cables, wires or radio links. A VPN is a network: it can transmit information over long distances effectively and efficiently.

Secure Sockets Layer (SSL) is a cryptographic protocol that enables secure communications over the Internet. SSL was originally developed by Netscape and released as SSL 2.0 in 1995. A much improved SSL 3.0 was released in 1996. Current browsers support neither SSL 2.0 nor SSL 3.0; both have been formally deprecated (RFC 6176 and RFC 7568 respectively).

Transport Layer Security (TLS) is the successor to SSL. TLS 1.0 was defined in RFC 2246 in January 1999. The differences between TLS 1.0 and SSL 3.0 were significant enough that the two did not interoperate, although a TLS 1.0 implementation could negotiate down to SSL 3.0 with an older peer. TLS 1.1 (RFC 4346, April 2006), TLS 1.2 (RFC 5246, August 2008) and TLS 1.3 (RFC 8446, August 2018) are the later editions in the TLS family. TLS 1.0 and 1.1 were formally deprecated by RFC 8996 in March 2021; current browsers enable only TLS 1.2 and 1.3 by default.
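The version negotiation described above is visible in the first message of every handshake: a client advertises the versions it will accept, and a server that accepts an obsolete one is the downgrade risk. The script below, added here as an example and not part of the original page, builds ClientHello messages in the wire format of RFC 5246 and the supported_versions extension of RFC 8446, then parses them to report which deprecated versions a client offers. The hellos it constructs are samples built in the script, not captured traffic.

```python
"""Build and parse TLS ClientHello messages to see which protocol versions a
client offers. Added example for this page, not the page's or any project's
own code. Wire formats follow RFC 5246 (ClientHello) and RFC 8446
(supported_versions extension); all hellos here are constructed samples."""
import struct

VERSION_NAMES = {
    0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
DEPRECATED = {0x0300, 0x0301, 0x0302}     # RFC 7568 (SSL 3.0) and RFC 8996 (TLS 1.0/1.1)
SUPPORTED_VERSIONS_EXT = 0x002B           # RFC 8446 section 4.2.1


def build_client_hello(legacy_version, supported_versions=None):
    """Return a record-layer-framed ClientHello. Only the version fields matter
    for this example; random and cipher suites are constructed placeholders."""
    body = struct.pack(">H", legacy_version)
    body += b"\x00" * 32                                # random (placeholder)
    body += b"\x00"                                     # empty session_id
    body += struct.pack(">H", 2) + b"\x13\x01"          # one suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                                 # compression_methods: null only
    exts = b""
    if supported_versions:
        data = bytes([2 * len(supported_versions)])
        data += b"".join(struct.pack(">H", v) for v in supported_versions)
        exts += struct.pack(">HH", SUPPORTED_VERSIONS_EXT, len(data)) + data
    body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + struct.pack(">HH", 0x0301, len(handshake)) + handshake


def offered_versions(record):
    """Return the versions a ClientHello offers, highest first. A TLS 1.3 client
    lists them in supported_versions; an older client only states its highest
    version in client_version and will accept anything the server picks below it
    (which is how a TLS 1.0 peer could be talked down to SSL 3.0)."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                                             # handshake type + 3-byte length
    legacy_version = struct.unpack(">H", hs[pos:pos + 2])[0]
    pos += 2 + 32                                       # client_version, random
    pos += 1 + hs[pos]                                  # session_id
    pos += 2 + struct.unpack(">H", hs[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hs[pos]                                  # compression_methods
    if pos >= len(hs):                                  # no extensions block at all
        return [legacy_version]
    end = pos + 2 + struct.unpack(">H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack(">HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == SUPPORTED_VERSIONS_EXT:
            count = hs[pos]
            return [struct.unpack(">H", hs[pos + 1 + i:pos + 3 + i])[0]
                    for i in range(0, count, 2)]
        pos += ext_len
    return [legacy_version]


def deprecated_offered(record):
    """Names of deprecated versions the client is willing to negotiate."""
    return sorted(VERSION_NAMES.get(v, hex(v))
                  for v in offered_versions(record) if v in DEPRECATED)


if __name__ == "__main__":
    modern = build_client_hello(0x0303, [0x0304, 0x0303])
    legacy = build_client_hello(0x0301)
    print("modern client offers:", [VERSION_NAMES[v] for v in offered_versions(modern)])
    print("legacy client deprecated versions:", deprecated_offered(legacy))
```

Run against real traffic, the same parser applied to the first record of each inbound connection gives a quick inventory of clients that would still accept TLS 1.0 or 1.1, which is the population that must be fixed before a server disables those versions.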

Hypertext Transfer Protocol Secure (HTTPS), or “HTTP Secure,” is an application-specific use of SSL/TLS: ordinary HTTP carried inside an SSL/TLS connection. HTTPS provides encrypted communication with, and authenticated identification of, a Web server. Beyond HTTPS, SSL/TLS can secure other application protocols such as FTP, SMTP, NNTP and XMPP.

Virtual Network Computing (VNC) lets a system’s desktop not only be viewed but also controlled in an interactive session. Such a tool gives a system administrator the ability to administer and troubleshoot a system remotely: a target system on the next floor, in the next building or at an employee’s home is within reach. Note that the base RFB protocol encrypts neither its password challenge-response nor the screen data, which is why VNC should only be exposed inside a VPN tunnel. Other methods of establishing this type of remote access exist; the obvious example is Symantec’s pcAnywhere (http://www.symantec.com/pcanywhere/Consumer/).

A VPN – Virtual Private Network – is one solution for establishing long-distance and/or secured network connections. VPNs are normally implemented (deployed) by businesses or organizations rather than by individuals, but they can be reached from inside a home network. Compared to other technologies, VPNs offer several advantages, particularly for wireless local area networking.

For an organization looking to provide a secure network infrastructure for its client base, a VPN offers two main advantages over alternative technologies: cost savings, and network scalability. To the clients accessing these networks, VPNs also bring some benefits of ease of use.

A VPN supplies network connectivity over a possibly long physical distance. In this respect, a VPN is a form of Wide Area Network (WAN).

The key feature of a VPN, however, is its ability to use public networks like the Internet rather than rely on private leased lines. VPN technologies implement restricted-access networks that utilize the same cabling and routers as a public network, and they do so without sacrificing features or basic security.

A VPN supports at least three different modes of use:

  • Remote access client connections
  • LAN-to-LAN internetworking
  • Controlled access within an intranet

Virtual private networks (VPNs) are generally considered to have very strong protection for data communications. What are the key VPN security technologies? So-called secure VPNs provide both network authentication and encryption. Secure VPNs are most commonly implemented using IPsec or SSL.

Using IPsec for VPN Security

IPsec has been the traditional choice for implementing VPN security on corporate networks.

Enterprise-class network appliances from companies like Cisco and Juniper implement the essential VPN server functions in hardware. Corresponding VPN client software is then used to log on to the network. IPsec operates at layer 3 (the Network layer) of the OSI model.

Using SSL for VPN Security

SSL VPNs are an alternative to IPsec. Browser-based (“clientless”) SSL VPNs rely on a Web browser instead of custom VPN clients to log on to the private network; full-tunnel SSL/TLS VPNs such as OpenVPN, on which PCC is built, still use a client but avoid IKE. By utilizing the SSL/TLS protocols built into standard Web browsers and Web servers, SSL VPNs are intended to be cheaper to set up and maintain than IPsec VPNs. Additionally, SSL operates at a higher layer than IPsec, giving administrators more options to control access to individual network resources. However, configuring SSL VPNs to interface with resources not normally accessed from a Web browser can be difficult.

Limitations of a VPN

Despite their popularity, VPNs are not perfect, and limitations exist as is true for any technology. Organizations should consider issues like the following when deploying and using virtual private networks in their operations:

1. VPNs require a detailed understanding of network security issues and careful installation and configuration to ensure sufficient protection on a public network like the Internet.

2. The reliability and performance of an Internet-based VPN are not under the organization’s direct control. Instead, the solution relies on an ISP and its quality of service.

3. Historically, VPN products and solutions from different vendors have not always been compatible due to differing interpretations of VPN technology standards. Attempting to mix and match equipment may cause technical problems, and standardizing on a single provider’s equipment may reduce the expected cost savings.

The term “VPN,” or Virtual Private Network, has become almost as recklessly used in the networking industry as “QoS” (Quality of Service) to describe a broad set of problems and “solutions,” when the objectives themselves have not been properly articulated. This confusion has resulted in a situation where the popular trade press, industry pundits, and vendors and consumers of networking technologies alike generally use the term “VPN” as an offhand reference for a set of different technologies. This paper attempts to provide a common-sense definition of a VPN and an overview of different approaches to building them.