More and more enterprises are allowing remote connectivity to their internal networks. This service provides employees and other permitted users the ability to login and use the enterprise's network. This may be particularly useful for telecommuting employees and regular employees who occasionally need to work from their homes or simply need to check their email. Typically, this service is provided by a user logging into the system and creating a VPN (virtual private network). A VPN is a private communications network usually used within a company, or by several different companies or organizations, to communicate over a public network. VPN message traffic is carried on public networking infrastructure (e.g., the Internet) using standard (often insecure) protocols, or over a service provider's network providing VPN service guarded by well defined Service Level Agreement (SLA) between the VPN customer and the VPN service provider.
There are two VPN types, trusted VPNs and secure VPNs. Secure VPNs (SVPNs) use cryptographic tunneling protocols to provide the necessary confidentiality (e.g., to prevent snooping), sender authentication (e.g., to prevent identity spoofing), and message integrity (e.g., to prevent message alteration) to achieve the privacy intended. Secure VPN technologies may also be used to enhance security as a “security overlay” within dedicated networking infrastructures. Secure VPN protocols include the following, IPsec (IP security); SSL (secure socket layer) used either for tunneling the entire network stack; and PPTP (point-to-point tunneling protocol).
Trusted VPNs do not use cryptographic tunneling, and instead rely on the security of a single provider's network to protect the traffic. Multi-protocol label switching (MPLS) is commonly used to build trusted VPNs. Other protocols for trusted VPNs include, L2F (layer 2 Forwarding); L2TP (layer 2 Tunneling Protocol); and L2TPv3 (layer 2 Tunneling Protocol version 3).
Layer 2 (L2) is the data link layer of the seven-layer OSI (Open Systems Interconnection) model. L2 responds to service requests from the network layer, issues service requests to the physical layer, and provides the functional and procedural means to transfer data between network entities and to detect and possibly correct errors that may occur in the physical layer. L3 (layer 3) is the network layer and provides functional and procedural means of transferring variable length data sequences from a source to a destination via one or more networks while maintaining the quality of service requested by the transport layer. The Network layer performs network routing, flow control, segmentation/desegmentation, and error control functions. Routers and switches may operate at this layer, sending data throughout the extended network (e.g., the Internet). A well known example of a L3 protocol is the Internet Protocol (EP).
Returning to VPN solutions, in a L2 trusted VPN solution, the client has an access-router that has an L2 connection, for example a DSL/ATM-PVC connected directly into a headend router in the VPN headend. One of the specific security properties of a layer 2 VPN solution is that it is physically fixed with respect to location due to the explicitly provisioned L2 connection.
When a L2 solution is replaced with a L3 (layer 3) secure VPN, such as an IPsec based VPN, a home router has a “standard” Internet connection and builds an lPsec (communications) tunnel across that Internet connection back to the VPN headend router. In this solution, the physical location of the VPN access router is no longer fixed, but can be essentially located anywhere in the world. However, the fact that the location of the VPN access router in an L3 solution cannot be validated like a L2 solution raises security concerns.
This security concern can be addressed in a L3 solution by requiring the “authentication-proxy” functionality on the VPN access-router. This function inhibits any traffic from a device, such as a CPE (customer premises equipment) device, across the IPsec tunnel initially and redirects any Web/HTTP connections from the device to a server where a web-page is brought up on the CPE-device to authenticate the device/user. Once that authentication is successful, the VPN access router passes further traffic to and from the authenticated device unconstrained across the EPsec tunnel.
However, the “authentication-proxy” based approach is unusable for CPE devices other than locally-operated end-user devices with web-browser capability. If any end-user device has to be operated remotely (e.g., from behind the IPsec tunnel), or if it does not have local-web-server capabilities, or if the usage profile is such that it needs to be available (e.g., after a reboot of the VPN access-router) before a user can authorize, then that device becomes effectively unusable in the context of a changed service offering.