Which public-private key security system was developed independently of industry standards

Data residing in a static form on a storage device is fairly simple to secure. As long as physical access control is maintained and reasonable logical access controls are implemented, stored files remain confidential, retain their integrity, and are available to authorized users. However, once data is used by an application or transferred over a network connection, the process of securing it becomes much more difficult.

Communications security covers a wide range of issues related to the transportation of electronic information from one place to another. That transportation may be between systems on opposite sides of the planet or between systems on the same business network. Data becomes vulnerable to a plethora of threats to its confidentiality, integrity, and availability once it is involved in any means of transportation. Fortunately, many of these threats can be reduced or eliminated with the appropriate countermeasures. Communications security is designed to detect, prevent, and even correct data transportation errors (i.e., integrity protection). This is done to sustain the security of networks while supporting the need to exchange and share data. This chapter takes a look at the many forms of communications security, vulnerabilities, and countermeasures.

The Telecommunications and Network Security domain for the CISSP certification exam deals with topics of communications security and vulnerability countermeasures. This domain is discussed in this chapter and in the preceding chapter (Chapter 3). Be sure to read and study the materials from both chapters to ensure complete coverage of the essential material for the CISSP certification exam.

Virtual Private Network (VPN)

A virtual private network (VPN) is simply a communication tunnel that provides point-to-point transmission of both authentication and data traffic over an intermediary network. Most VPNs use encryption to protect the encapsulated traffic, but encryption is not necessary for the connection to be considered a VPN. VPNs are most commonly associated with establishing secure communication paths through the Internet between two distant networks. However, VPNs can exist anywhere, including within private networks or between end-user systems connected to an ISP. VPNs provide confidentiality and integrity over insecure or untrusted intermediary networks. VPNs do not provide or guarantee availability.

Tunneling

Before you can truly understand VPNs, you must first understand tunneling. Tunneling is the network communications process that protects the contents of protocol packets by encapsulating them in packets of another protocol. The encapsulation is what creates the logical illusion of a communications tunnel over the untrusted intermediary network. This virtual path exists between the encapsulation and the deencapsulation entities located at the ends of the communication.

In fact, sending a letter to your grandmother involves the use of a tunneling system. You create the personal letter (the primary content protocol packet) and place it in an envelope (the tunneling protocol). The envelope is delivered through the postal service (the untrusted intermediary network) to its intended recipient.

The Need for Tunneling

Tunneling can be used in many situations, such as when you’re bypassing firewalls, gateways, proxies, or other traffic control devices. The bypass is achieved by encapsulating the restricted content inside packets that are authorized for transmission. The tunneling process prevents the traffic control devices from blocking or dropping the communication because such devices don’t know what the packets actually contain.

Tunneling is often used to enable communications between otherwise disconnected systems. If two systems are separated by a lack of network connectivity, a communication link can be established by a modem dial-up link or other remote access or wide area network (WAN) networking service. The actual LAN traffic is encapsulated in whatever communication protocol is used by the temporary connection, such as Point-to-Point Protocol (PPP) in the case of modem dial-up. If two networks are connected by a network employing a different protocol, the protocol of the separated networks can often be encapsulated within the intermediary network’s protocol to provide a communication pathway.

Regardless of the actual situation, tunneling protects the contents of the inner protocol and traffic packets by encasing, or wrapping, them in an authorized protocol used by the intermediary network or connection. Tunneling can be used if the primary protocol is not routable and to keep the total number of protocols supported on the network to a minimum. If the act of encapsulating a protocol involves encryption, tunneling can provide a means to transport sensitive data across untrusted intermediary networks without fear of losing confidentiality and integrity.

Tunneling Drawbacks

Tunneling is not without its problems. It is generally an inefficient means of communicating because all protocols include their own error detection, error handling, acknowledgment, and session management features, so using more than one protocol at a time compounds the overhead required to communicate a single message. Furthermore, tunneling creates either larger packets or more numerous packets that in turn consume additional network bandwidth. Tunneling can quickly saturate a network if sufficient bandwidth is not available. In addition, tunneling is a point-to-point communication mechanism and is not designed to handle broadcast traffic.

How VPNs Work

Now that you understand the basics of tunneling, let’s discuss the details of VPNs. A VPN link can be established over any other network communication connection. This could be a typical LAN cable connection, a wireless LAN connection, a remote access dial-up connection, a WAN link, or even a client using an Internet connection for access to an office LAN. A VPN link acts just like a typical direct LAN cable connection; the only possible difference would be speed, based on the intermediary network and on the connection types between the client system and the server system. Over a VPN link, a client can perform the exact same activities and access the same resources they could if they were directly connected via a LAN cable.

VPNs can be used to connect two individual systems or two entire networks. The only difference is that the transmitted data is protected only while it is within the VPN tunnel. Remote access servers or firewalls on the network’s border act as the start points and endpoints for VPNs. Thus, traffic is unprotected within the source LAN, protected between the border VPN servers, and then unprotected again once it reaches the destination LAN.

VPN links through the Internet for connecting to distant networks are often inexpensive alternatives to direct links or leased lines. The cost of two high-speed Internet links to local ISPs to support a VPN is often significantly less than the cost of any other connection means available.

Implementing VPNs

VPNs can be implemented using software or hardware solutions. In either case, there are four common VPN protocols: PPTP, L2F, L2TP, and IPSec. PPTP, L2F, and L2TP operate at the Data Link layer (layer 2) of the OSI model. PPTP and IPSec are limited for use on IP networks, whereas L2F and L2TP can be used to encapsulate any LAN protocol.

Point-to-Point Tunneling Protocol (PPTP) is an encapsulation protocol developed from the dial-up protocol Point-to-Point Protocol (PPP). PPTP creates a point-to-point tunnel between two systems and encapsulates PPP packets. PPTP offers protection for authentication traffic through the same authentication protocols supported by PPP; namely, Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), Challenge Handshake Authentication Protocol (CHAP), Password Authentication Protocol (PAP), Extensible Authentication Protocol (EAP), and Shiva Password Authentication Protocol (SPAP). The initial tunnel negotiation process used by PPTP is not encrypted. Thus, the session establishment packets that include the IP address of the sender and receiver—and can include usernames and hashed passwords—could be intercepted by a third party.

Cisco developed its own VPN protocol called Layer 2 Forwarding (L2F), which is a mutual authentication tunneling mechanism. However, L2F does not offer encryption. L2F was not widely deployed and was soon replaced by L2TP.

Layer 2 Tunneling Protocol (L2TP) was derived by combining elements from both PPTP and L2F. L2TP creates a point-to-point tunnel between communication endpoints. It lacks a built-in encryption scheme, but it typically relies upon IPSec as its security mechanism. L2TP also supports TACACS+ and RADIUS, whereas PPTP does not. The most commonly used VPN protocol is now IPSec.

IP Security (IPSec) is both a stand-alone VPN protocol and the security mechanism for L2TP, and it can only be used for IP traffic.
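The encapsulation and deencapsulation steps from the Tunneling section and the PPTP data channel just described, as an added example that is not from the book: PPTP carries each PPP frame inside an enhanced GRE header (RFC 2637), and the far end strips that header off again. The sample PPP frame, call ID, sequence and acknowledgment values are constructed, and the overhead figure assumes an outer IPv4 header without options.

```python
import struct

GRE_PROTO_PPP = 0x880B   # protocol type for PPP carried in enhanced GRE (RFC 2637)
IPV4_HEADER_LEN = 20     # outer IPv4 header without options (assumed for the overhead figure)

def encapsulate_pptp(ppp_frame: bytes, call_id: int, seq=None, ack=None) -> bytes:
    """Wrap one PPP frame in a PPTP enhanced GRE header (the tunnel's data channel)."""
    flags = 0x2000 | 0x0001          # K=1: key field present; Ver=1: enhanced GRE
    if seq is not None:
        flags |= 0x1000              # S=1: a 32-bit sequence number follows the key
    if ack is not None:
        flags |= 0x0080              # A=1: a 32-bit acknowledgment number follows
    hdr = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(ppp_frame), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + ppp_frame           # the inner PPP frame rides along unchanged

def _u32(buf: bytes, off: int) -> int:
    if len(buf) < off + 4:
        raise ValueError("truncated GRE header")
    return struct.unpack("!I", buf[off:off + 4])[0]

def decapsulate_pptp(gre_packet: bytes) -> dict:
    """Strip the enhanced GRE header; return the inner PPP frame and tunnel metadata."""
    if len(gre_packet) < 8:
        raise ValueError("packet shorter than the fixed GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", gre_packet[:8])
    if (flags & 0x0007) != 1 or proto != GRE_PROTO_PPP or not (flags & 0x2000):
        raise ValueError("not a PPTP enhanced GRE packet")
    off, seq, ack = 8, None, None
    if flags & 0x1000:
        seq, off = _u32(gre_packet, off), off + 4
    if flags & 0x0080:
        ack, off = _u32(gre_packet, off), off + 4
    ppp = gre_packet[off:off + payload_len]
    if len(ppp) != payload_len:
        raise ValueError("payload length field disagrees with packet size")
    # overhead: bytes the tunnel adds on top of the PPP frame (GRE header + outer IPv4 header)
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp": ppp,
            "overhead": off + IPV4_HEADER_LEN}

# Constructed sample, not a real capture: PPP address 0xFF, control 0x03, protocol 0x0021 (IPv4), then a placeholder inner datagram
SAMPLE_PPP = b"\xff\x03\x00\x21" + b"inner IP datagram placeholder"
SAMPLE_TUNNELED = encapsulate_pptp(SAMPLE_PPP, call_id=0x1234, seq=7, ack=3)

if __name__ == "__main__":
    print(decapsulate_pptp(SAMPLE_TUNNELED))
```

The placeholder text is readable in SAMPLE_TUNNELED, which illustrates the book's point that encapsulation by itself adds only a header (and the bandwidth cost that comes with it), not confidentiality.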