ViPNet Technology

From Wikipedia, the free encyclopedia

ViPNet Technology is the name of a VPN technology implemented in products developed and produced by the Infotecs Company. It is an alternative to existing VPN technologies such as IPsec and SSL/TLS. ViPNet technology was designed to address the common VPN requirements: access control, data integrity verification, authentication and validation, protection from packet forgery, and security generally. It also has several distinguishing features:

•ViPNet uses both symmetric keys, generated and distributed by the administration program, and asymmetric keys, distributed among the users of the PKI system periodically;

•ViPNet allows a user to choose among encryption algorithms (GOST, DES, 3DES, AES); note that single DES, with its 56-bit key, is no longer considered secure and should not be selected where the other algorithms are available;

•ViPNet uses a proprietary packet encapsulation protocol: ViPNet modules encapsulate a standard IP packet inside another standard IP packet, which remains transparent to network appliances and conforms to international standards (either a UDP packet or an IP packet with protocol number 241; protocol 241 is a ViPNet-specific IP protocol identifier chosen by Infotecs);

•Software products using ViPNet technology are integrated with a firewall, an IDS (Intrusion Detection System), and a function to monitor both registered and unregistered applications;

•ViPNet uses a proprietary technique for assigning virtual IP addresses: each node itself assigns the virtual addresses under which it sees the other ViPNet computers;

•ViPNet technology allows peer-to-peer communication between clients without involving a ViPNet server. ViPNet technology encrypts all client-server, server-server, and client-client connections.

ViPNet VPN products currently consist of three software modules: ViPNet Manager, ViPNet Coordinator and ViPNet Client. The ViPNet Manager is administrative software used to create the ViPNet network structure, and to generate all key and password information for ViPNet nodes. A computer with a ViPNet Coordinator module installed on it is a communication center of the ViPNet network, providing services to other ViPNet nodes. It is required for the network to function properly. The ViPNet Client is an end-user software suite that connects computers to the ViPNet network. ViPNet Client protects traffic exchanged with other ViPNet nodes. It includes a personal firewall protecting the computer from network attacks. ViPNet modules also provide several other services such as protected instant messaging (ViPNet Chat), protected data exchange (ViPNet FileExchange), protected email client (ViPNet Business Mail), a plug-in for MS Outlook (ViPNet CryptoExtension), etc. The three primary software modules, and additional applications, are usually supplied in VPN software packages named ViPNet OFFICE or ViPNet TUNNEL.


ViPNet Routing and Encapsulation Technology

The following discussion illustrates how a ViPNet VPN implementation organizes secure communication between computers in IP networks, and why no modification of the existing network structure is needed.

Common Principles of Node Interaction inside a ViPNet Network

Network nodes (ViPNet Client workstations and Coordinators) may be deployed anywhere in the global Internet, or in private networks behind firewalls or other devices that isolate them from the open Internet (i.e., concealed by network address translation (NAT)). The working mode of the ViPNet module is selected according to how the node is connected to the network.

Workstations are notified about the status of other network nodes (i.e., their availability and IP address) by their IP address server, a function handled by Coordinators.

The functions responsible for establishing tunnelled VPN connections and for traffic filtering reside in the low-level driver of the ViPNet module. This driver interacts directly with the operating system's network interface drivers (real or virtual/emulated), regardless of how the computer is connected to the network; the TCP transport layer is supported automatically. Two types of IP protocol are used to establish tunnelled VPN connections between network nodes, into which all other IP packets are packed: IP packets with protocol number 241, and UDP packets using the default port 55777 (the port assignment can be changed by the user). The more economical IP/241 protocol, which omits the 8-byte UDP header, is used when two workstations can connect to each other directly (i.e., with no NAT translation in their way); the same protocol is used between network nodes inside the same LAN. Traffic between nodes that cannot interact directly using their real network addresses (i.e., with NAT translation between them, possibly including a Coordinator) is automatically packed into UDP, so that it can pass through a firewall or NAT device.
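The two outer transports described above, shown as an added example rather than code from Infotecs or the ViPNet products: an inner (assumed already encrypted) IP packet is wrapped either in a plain IPv4 header with protocol number 241, when the peers can reach each other directly, or in IPv4+UDP to port 55777 when a NAT device sits between them. The page documents only the protocol number and the port; the outer headers here are ordinary IPv4/UDP with no ViPNet-specific fields, which is an assumption, and the addresses and inner payload are constructed.

```python
"""Illustrative ViPNet-style encapsulation (added example, not ViPNet code).

Outer transport is IP/241 for directly reachable peers and UDP/55777 when
NAT is in the way.  Only the protocol number and port come from the page;
the header layout beyond that is plain IPv4/UDP (an assumption)."""
import socket
import struct

VIPNET_IP_PROTO = 241      # proprietary IP protocol number used by ViPNet
VIPNET_UDP_PORT = 55777    # default UDP port (changeable in the product)
UDP_HEADER_LEN = 8         # bytes: src port, dst port, length, checksum


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    total_len = 20 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def encapsulate(inner: bytes, src: str, dst: str, nat_between: bool,
                port: int = VIPNET_UDP_PORT) -> bytes:
    """Wrap `inner` (assumed to be an already-encrypted inner IP packet) in
    the outer transport ViPNet would pick: IP/241 when the peers can reach
    each other directly, UDP otherwise so NAT devices will forward it."""
    if not nat_between:
        return ipv4_header(src, dst, VIPNET_IP_PROTO, len(inner)) + inner
    # UDP checksum 0 means "none" for IPv4, which keeps the example short.
    udp = struct.pack("!HHHH", port, port, UDP_HEADER_LEN + len(inner), 0)
    return ipv4_header(src, dst, socket.IPPROTO_UDP,
                       len(udp) + len(inner)) + udp + inner


def decapsulate(packet: bytes, port: int = VIPNET_UDP_PORT) -> tuple:
    """Return (transport, inner) with transport 'ip241' or 'udp'.
    Anything that is not one of the two tunnel transports, or whose IPv4
    header checksum does not verify, is rejected with ValueError."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    proto = packet[9]
    total_len = struct.unpack("!H", packet[2:4])[0]
    body = packet[ihl:total_len]
    if proto == VIPNET_IP_PROTO:
        return "ip241", body
    if proto == socket.IPPROTO_UDP:
        _sport, dport, ulen, _csum = struct.unpack("!HHHH", body[:UDP_HEADER_LEN])
        if dport != port or ulen != len(body):
            raise ValueError("UDP packet is not ViPNet tunnel traffic")
        return "udp", body[UDP_HEADER_LEN:]
    raise ValueError("unknown outer protocol %d" % proto)


def overhead(nat_between: bool) -> int:
    """Outer bytes added per packet: 20 for IP/241, 28 for IP+UDP."""
    return 20 + (UDP_HEADER_LEN if nat_between else 0)


if __name__ == "__main__":
    inner = b"\x45" + bytes(59)   # constructed stand-in for an encrypted inner IP packet
    for nat in (False, True):
        pkt = encapsulate(inner, "192.0.2.10", "198.51.100.20", nat)
        print("nat_between=%s transport=%s overhead=%d bytes"
              % (nat, decapsulate(pkt)[0], len(pkt) - len(inner)))
```

The 8-byte difference between the two transports is the whole reason the page calls IP/241 "more economical"; the decapsulation side also shows the check a receiver needs, since any UDP datagram on 55777 is not automatically tunnel traffic.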

To ensure the ability to communicate with Clients located anywhere on the network, ViPNet modules use four connection types:

a) Independent work (not concealed behind a NAT device)

b) Connection through a Coordinator (i.e., Firewall Type "ViPNet Coordinator")

c) Connection through a firewall/NAT device whose static routing rules can be modified (i.e., Firewall Type "With static NAT")

d) Connection through a firewall/NAT device whose settings cannot be modified (i.e., Firewall Type "With dynamic NAT")

ViPNet's broadcast and node status/location auto-registration technology is based on two steps:

  • at startup, each network node sends its IP address, and the additional information needed to reach it, to the node's IP address server or to other Coordinators (if the node is itself a Coordinator);
  • at startup, and periodically thereafter, each network node receives from its IP address server (or from other Coordinators, if it is a Coordinator) the IP addresses of the other nodes it is linked with, along with the additional information needed to reach them.

If the IP address bound to a network node is reachable by ordinary routing from the other nodes that node will interact with (a public Internet address, or a routable corporate network address), it is sufficient to announce only that IP address to the other nodes, and mode a) is selected. If the address is not reachable by ordinary routing, i.e., a firewall or NAT device intervenes, the node must announce much more information: the Client's own IP address together with the current external IP address and access port of the NAT device it sits behind. In this case, one of the other three connection types must be used.

Mode b) is used if a Coordinator is located in the local network; that Coordinator may itself be behind other NAT devices.
Mode c) is selected when no Coordinator is available on the local network, but there is a firewall or NAT device whose routing rules can be modified to forward UDP traffic on the specified port (default: 55777) to a specific internal address.
Mode d) is used when there is no ViPNet Coordinator on the local network and Internet access is provided by a NAT device or firewall whose rules cannot be modified (e.g., xDSL routers, wireless services, GPRS, etc.).

A node connecting to another node that is reachable by broadcast packets (i.e., in the same broadcast domain) connects directly, using the announced IP address of that node.

Nodes working independently (in this case the Use Firewall option is disabled)

This mode is used if a network node has at least one IP address bound to it that can be reached directly from all other Clients (i.e., a public IP address). Nodes using this mode always communicate with each other directly over the available address, so traffic between such workstations is encapsulated in IP protocol 241 packets. Traffic with other nodes, located behind a Coordinator or behind other types of firewall or NAT, is always packed into IP/UDP.

If a network node with such a setup is located inside a LAN with private IP addresses and reaches the Internet via a firewall/NAT device, it cannot communicate with network nodes outside the LAN: the private address it announces is not routable from there.

If a Coordinator using this connection type sits on the boundary between two network segments, it provides NAT services for all ViPNet connections in both directions: all tunnelled packets (IP packets packed into UDP) passing through the Coordinator are forwarded from the address of the corresponding network adapter of the Coordinator. Furthermore, the Coordinator acts as a tunnel server: it encrypts open (unencrypted) traffic from the local network, packs it into UDP packets and sends it to other ViPNet network nodes, or to unprotected nodes behind another Coordinator.

Traffic from and to devices located on either side of a network interface can be tunnelled. In that case, protected traffic is forwarded from the IP address of the Coordinator interface it leaves through (i.e., NAT is carried out). If a ViPNet node interacts with a computer tunnelled by a Coordinator, and that computer is in a subnet configured as local for the ViPNet node, the ViPNet node communicates with it directly, without encrypting the traffic. Decrypted packets for tunnelled computers are always sent onto the network with the source address (real or virtual) of the computer that sent the packet.

Nodes with the Firewall Type set to "ViPNet Coordinator"

If the Coordinator functions as the gateway of a LAN, other Clients may connect to the network from behind the Coordinator, i.e., using the Coordinator as the node through which, and in whose name, traffic between network nodes in different networks flows. In this case the Firewall Type is "ViPNet Coordinator". If a node is set up to connect through a Coordinator, its inbound and outbound traffic to other network nodes that are not reachable by broadcast packets and that either
  • are located on the far side of a different network interface of the Coordinator, or
  • are not set up behind this Coordinator
is automatically routed to the address of its Coordinator (the IP and MAC addresses are replaced in the process), which, after replacing the addresses, forwards the packets further from its own address. Inbound traffic is handled in the same way.

Nodes with Firewall Type set to "With static NAT"

Whenever a firewall of another vendor, acting as a NAT device, is deployed on the border of a LAN and traffic to the external network has to pass through it (whether because of a security policy or because of a lack of additional IP addresses), any ViPNet node may be set up behind such a device with the Firewall Type "With static NAT", provided the device supports modification of its static routing and forwarding rules.

If several ViPNet nodes are needed in such a network, a Coordinator with one or more network adapters can be used. One of these adapters must be set to "With static NAT", and the default gateway of the system the Coordinator is installed on should point to the firewall (or a routing table for the remote subnets should be defined). All workstations then set themselves up behind this Coordinator automatically, i.e., their Firewall Type is set to "ViPNet Coordinator" with this Coordinator. In this case all IP packets from the workstations to the external firewall are routed through the Coordinator using the Coordinator's IP address.

If the nodes in the local network have no access to a Coordinator, the Firewall Type of these Clients must be set to "With static NAT" and the operating system's default gateway switched to the address of the firewall/NAT device. It is also necessary to define a unique access port on each workstation, because behind one public address the NAT device can tell the workstations apart only by port.

To pass the encrypted ViPNet traffic correctly, the following static rules should be set on the firewall:

  • Pass outgoing UDP packets, replacing the sender's address and port with its own, from:
    • the Coordinator, if one exists (default port 55777, although this setting may have been changed);
    • all standalone workstations, if no Coordinator exists on the network.
  • Forward all incoming UDP packets to the local address of the node that owns the destination port or, if a Coordinator exists, to the Coordinator's port (default: 55777).
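The rule set just described, generated as iptables commands by an added example (not from the Infotecs documentation, which does not name any particular firewall): with a Coordinator only its port is mapped, without one every standalone workstation gets its own mapping and the generator refuses duplicate ports, since two hosts behind the same public address cannot share one. The interface name, addresses and the choice of iptables are assumptions.

```python
"""Static NAT rules for ViPNet tunnel traffic (added example, not product code).

Emits iptables commands for the "With static NAT" connection type.  The
firewall type, interface names and addresses are assumptions; the page only
fixes which UDP port/address pairs must be passed and forwarded."""

DEFAULT_PORT = 55777


def static_nat_rules(wan_if, public_ip, coordinator=None, workstations=()):
    """Return a list of iptables command lines.

    coordinator : (lan_ip, port) of the Coordinator, if one exists; the
                  workstations then sit behind it and only its port is mapped.
    workstations: iterable of (lan_ip, port) when there is no Coordinator;
                  each standalone node must use its own unique UDP port.
    """
    if coordinator is not None:
        targets = [coordinator]
    else:
        targets = list(workstations)
        ports = [port for _ip, port in targets]
        if len(ports) != len(set(ports)):
            raise ValueError("standalone workstations behind one public "
                             "address must use unique UDP ports")
    if not targets:
        raise ValueError("nothing to forward: give a coordinator or workstations")

    rules = []
    for lan_ip, port in targets:
        # Outgoing tunnel packets leave with the firewall's own address and
        # the node's port, so the far side can answer to public_ip:port.
        rules.append(
            f"iptables -t nat -A POSTROUTING -o {wan_if} -p udp "
            f"-s {lan_ip} --sport {port} -j SNAT --to-source {public_ip}:{port}")
        # Incoming packets for that port are rewritten to the node's LAN address.
        rules.append(
            f"iptables -t nat -A PREROUTING -i {wan_if} -p udp "
            f"-d {public_ip} --dport {port} -j DNAT --to-destination {lan_ip}:{port}")
        # And allowed through the FORWARD chain (filter table).
        rules.append(
            f"iptables -A FORWARD -i {wan_if} -p udp -d {lan_ip} --dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    # Constructed sample topology: one Coordinator behind a third-party NAT.
    for line in static_nat_rules("eth0", "203.0.113.1",
                                 coordinator=("10.0.0.2", DEFAULT_PORT)):
        print(line)
    print("# --- no Coordinator: two standalone workstations ---")
    for line in static_nat_rules("eth0", "203.0.113.1",
                                 workstations=[("10.0.0.11", 55777),
                                               ("10.0.0.12", 55778)]):
        print(line)
```

Review the generated lines before applying them; on a real firewall they belong after any existing DROP policy on FORWARD has been taken into account.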

Nodes with Firewall Type set to "With dynamic NAT"

This connection type is universal and can be used in most cases. Its main goal is to allow connections to network nodes located behind a NAT device or firewall whose rules cannot be modified. This situation is typical for "simple" network devices such as DSL or wireless routers.

All NAT devices pass UDP traffic thanks to so-called dynamic NAT rules: every outgoing packet is passed and its address and port information is recorded, creating a dynamic rule that allows the corresponding incoming traffic to pass. Incoming packets are then passed for some time, as long as their parameters match one of the dynamic rules. A preset time after the last outgoing packet, the dynamic rule is deleted and incoming packets are blocked again. This means that an external source cannot initiate a connection to a network node behind such a NAT device without first receiving traffic from that node, and will be blocked again unless the node sends traffic from time to time.

To establish a secure connection, the Firewall Type of the node behind the NAT device must be set to "With dynamic NAT". Furthermore, a Coordinator with a permanent public IP address must exist on the external network, and it must be selected as the IP address server of all such workstations. Such a node sends "keep-alive" UDP packets to its IP address server periodically (default: every 25 seconds), which keeps the NAT rule toward the Coordinator open. This allows the node behind a strict NAT device to receive packets from any external network node, sent through the workstation's Coordinator. After the node answers (a node behind NAT always sends outgoing packets directly, without detouring via the IP address server), the external node can communicate with the node behind NAT directly. This technique keeps a node behind a strict NAT device continuously reachable and at the same time increases the speed of traffic exchange between such nodes. The keep-alive interval must be shorter than the NAT device's idle timeout for the dynamic rule, otherwise packets relayed by the Coordinator will be dropped.
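The exchange described in this section, simulated as an added example (constructed model, not ViPNet code): a port-restricted NAT with an idle timeout, a Client behind it sending keep-alives every 25 seconds to a public Coordinator, an external node whose first packet is relayed by the Coordinator, and the direct path that opens once the Client has answered. The NAT's 60-second idle timeout, the addresses and the packet contents are assumptions; the second scenario shows what happens when the keep-alives stop.

```python
"""Simulation of the "With dynamic NAT" connection type (added example).

Constructed model: a port-restricted NAT whose dynamic rules expire after an
idle timeout, a Coordinator with a public address acting as IP address
server and relay, and a Client behind the NAT.  Timeout value, addresses
and payloads are assumptions; only the 25 s keep-alive and the relay-then-
direct behaviour come from the page."""
from dataclasses import dataclass

KEEPALIVE_S = 25     # page: default keep-alive interval
NAT_IDLE_S = 60      # assumed idle timeout of the NAT's dynamic rule
PORT = 55777


@dataclass
class Packet:
    src: tuple            # (ip, port)
    dst: tuple
    payload: str
    via: str = "direct"   # 'direct' or 'relay' (set by the Coordinator)


class DynamicNat:
    """Port-restricted NAT: an outbound packet creates or refreshes the rule
    (inside_addr, remote_addr) -> expiry; an inbound packet passes only if a
    matching unexpired rule exists.  Inside ports are kept 1:1 with outside
    ports for readability (an assumption)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.rules = {}

    def outbound(self, pkt, now):
        self.rules[(pkt.src, pkt.dst)] = now + NAT_IDLE_S
        return Packet((self.public_ip, pkt.src[1]), pkt.dst, pkt.payload, pkt.via)

    def inbound(self, pkt, now):
        for (inside, remote), expiry in list(self.rules.items()):
            if expiry <= now:                 # idle rule: delete and block
                del self.rules[(inside, remote)]
                continue
            if remote == pkt.src and (self.public_ip, inside[1]) == pkt.dst:
                return Packet(pkt.src, inside, pkt.payload, pkt.via)
        return None                           # dropped: no dynamic rule


class Coordinator:
    """IP address server with a permanent public IP; records where each node
    is seen from and relays a first packet to it from its own address."""

    def __init__(self, addr):
        self.addr = addr
        self.registered = {}   # node id -> public (ip, port) seen in keep-alives

    def keepalive(self, pkt, node_id):
        self.registered[node_id] = pkt.src

    def relay(self, pkt, node_id):
        return Packet(self.addr, self.registered[node_id], pkt.payload, via="relay")


def run_scenario(stop_keepalive_after=None, contact_at=100):
    """Return (relay_ok, direct_ok) for an external node contacting the
    Client at `contact_at` seconds.  If keep-alives stop after
    `stop_keepalive_after` seconds, the NAT rule toward the Coordinator
    expires and the relayed packet is dropped."""
    client = ("10.0.0.5", PORT)
    nat = DynamicNat("203.0.113.1")
    coord = Coordinator(("198.51.100.1", PORT))
    ext = ("192.0.2.7", PORT)

    now = 0
    while now < contact_at:
        if stop_keepalive_after is None or now <= stop_keepalive_after:
            ka = nat.outbound(Packet(client, coord.addr, "keepalive"), now)
            coord.keepalive(ka, "client")
        now += KEEPALIVE_S
    now = contact_at

    # External node -> Coordinator -> NAT -> Client (relayed first packet;
    # the payload is assumed to carry the external node's address).
    delivered = nat.inbound(coord.relay(Packet(ext, coord.addr, "hello"), "client"), now)
    relay_ok = delivered is not None
    direct_ok = False
    if relay_ok:
        # Client answers the external node directly, opening a rule for it.
        reply = nat.outbound(Packet(client, ext, "hello-ack"), now)
        # External node now sends straight to the NAT's public address.
        direct = nat.inbound(Packet(ext, reply.src, "data"), now + 1)
        direct_ok = direct is not None and direct.dst == client
    return relay_ok, direct_ok


if __name__ == "__main__":
    print("keep-alives running:", run_scenario())
    print("keep-alives stopped at 20 s:", run_scenario(stop_keepalive_after=20))
```

With the constructed timeout the 25-second default leaves a comfortable margin; on a NAT device with a shorter UDP idle timeout the interval would need to be reduced, which is the practical check to make when nodes behind such devices become unreachable.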
