Security Overview

General, Technology
OpenVPN cryptographic layer

This is a technical overview of OpenVPN's cryptographic layer, and assumes a prior understanding of modern cryptographic concepts. For additional discussion on OpenVPN security.

OpenVPN has two authentication modes:
Static Key -- Use a pre-shared static key
TLS -- Use SSL/TLS + certificates for authentication and key exchange

In static key mode, a pre-shared key is generated and shared between both OpenVPN peers before the tunnel is started. This static key contains 4 independent keys: HMAC send, HMAC receive, encrypt, and decrypt. By default in static key mode, both hosts will use the same HMAC key and the same encrypt/decrypt key. However, using the direction parameter to --secret, it is possible to use all 4 keys independently. In SSL/TLS mode, an SSL session is established with bidirectional…

Circuit Network Components

E3, General, Research, Technology
In the context of RFC 2547bis, our PCC is a collection of policies, and these policies control connectivity among a set of sites. A customer site becomes a node connected to our backbone and their private communication circuit ports, where we provide each port with a VPN routing table. In RFC 2547bis terms, the VPN is then dynamically defined to support forwarding and the PCC.

RFC 2547 – BGP/MPLS VPN Fundamentals

Research, RFC, Technology
*** Obsoleted by: 4364 ****

RFC 2547bis: BGP/MPLS VPN Fundamentals

BGP/MPLS VPN Overview

RFC 2547bis defines a mechanism that allows service providers to use their IP backbone to provide VPN services to their customers. RFC 2547bis VPNs are also known as BGP/MPLS VPNs because BGP is used to distribute VPN routing information across the provider's backbone and because MPLS is used to forward VPN traffic from one VPN site to another. The primary objectives of this approach are as follows.
Make the service very simple for customers to use even if they lack experience in IP routing.
Make the service very scalable and flexible to facilitate large-scale deployment.
Allow the policies that are used to create a VPN to be implemented by the service provider alone, or by the…

Hardened Security

General, Technology
One of the often-repeated maxims of network communication security is that one should never place so much trust in a single security component that its failure causes a catastrophic security breach. We use several mechanisms to add additional security layers to hedge against such an outcome.

The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. It can protect against:
DoS attacks or port flooding on the OpenVPN UDP port.
Port scanning to determine which server UDP ports are in a listening state.
Buffer overflow vulnerabilities in the SSL/TLS implementation.
SSL/TLS handshake…