Rising Demand for VPNs Globally

CHAPTER 1: INTRODUCTION

Background Studies

Recently, the demand for and use of virtual private networks has risen steadily globally. In countries such as Hong Kong, the surge of the virtual private networks saw more than 150 times in the month of May 2020 over concern of increasingly government censorship and surveillance. As report by Reuters (2020), the installation that saw a jump of up to 520% downloads and installation of VPNs in the country came following report that proposed national security law and, to that an extension, Chinese government would extend its restriction of internet access to Hong Kong. Currently, Hong Kong has unrestricted and uncensored access to such platforms and websites as Google, Twitter, WhatsApp, and Facebook, all restricted by Chinese government in mainland China (Daniel, 2020). According to Google trends data, interest on VPNs by Hong Kong citizens sudden rocketed by more than 1680%.

Using the same note, VPNs have been widely shared as a way of by passing the restricted and censored networks at a country level, institution (university or organization), and by network providers. By using a VPN, a user is able to bypass restrictions set on his/her internet usage, accessing internet content blocked in respective region or system, and hiding his/her location. Moreover, the rise of VPNs usage has been widely attributed to the heightening concern of privacy and cyber security. According to (REF), data collection by unauthorised parties as well as companies has driven more people to consider using VPNs to mask their privacy and uphold their anonymity. People are increasingly realising the need to protect their privacy either from companies commercialising and profiting from people’s data or hackers who exploit weakness in internet network to gain access to personal details or location. The trends on interest in VPNs correlate to internet users seeking privacy. In 2019, there was a sharp download and use of VPNs in the United Kingdom (UK) following the government announcement of a requirement under section 14 (1) of the Digital Economy Act (2019) for porn users and viewer to provide their details for age verification (O'Flaherty, 2019; Martin, 2019). Although the provision aimed to protect children from accessing the adult content, as pointed by Burgess (2019), the fear of privacy, surveillance, and data breaches showed immediate sharp in interest in VPNs in the country. Additionally, increasing internet surveillance particularly in countries with ‘14-eyes’ jurisdiction such as US, UK, Canada, New Zealand, and Canada that allow surveillance agencies to monitor activities of people online has seen increasingly adoption of VPN systems. Although some countries such as China have banned or control VNP use, reports indicate people use VPNs to bypass restrictions as well as making connection anonymous. In global perspective, the projections measured in market share indicate a steady rise in popularity and use between 2016 and 2025 from $15.64 billion to $35.73 billion respectively, an estimate of 12% growth rate (Statista, 2020). These growth in largely attributed to rising cybercrime, data breaches, proliferation of internet services, demand for security and privacy by across business environment and by organizations, and compliance with regulations to implement additional security. Additionally, the grow of Bring Your Own Device (BYOD) in workplace, a practice allowing employees to use personal devices and systems to access and use organisations applications and data has also pushed adoption of the VPNs. As pointed by Utley (2018), myriad threats and vulnerabilities such as malware or tools/ theft associated with mobile device putting emphasis on the mobile application management (MAM) and mobile device management (MDM) driven by need for data protection, privacy, and data loss. The device-centric approach such as implementation of VPNs based on Secure Sockets Layer (SSL) to secure remote access by mobile devices that include smartphones and PCs.

The rise surveillance culture has made adoption of privacy and anonymity techniques that include use of VPNs part of daily life for most people in addition to beating censorship of contents. Currently, internet access is mostly wireless and shared that include those found in coffee shops, cafes, libraries, and public arenas. According to Carter and DeMuro (2018), as internet access shifts from computer to mobile-based devices and inclusive of access via public and shared Wi-Fi and hotspots has increased the vulnerability risks and unsecure leaving the users open to exploitation by hackers and unauthorised persons. VPN has been lauded to bridge this gap. Arežina (2019) reported that 50% of the people using VPN choose so to gain access to restricted content, 34% to access social media and news websites, 30% of the user using while at work, while 18% saying using to avoid government surveillance whereas, 17% of the users indicating using to get access to Tor web browser. Currently, there are several service providers offering VPN services offering censorship, location fencing, anonymity, and traffic encryption by tunnelling the users’ internet traffic through an encrypted path other than internet service providers (Hodge and Gewirtz, 2020). The most popular services VPN providers include; Cyberhhost, ExpressVPN, IPVanish, NordVPN, and PureVPN. One can use a VPN-based tunnelling to bypassing such streamed content as Netflix or YouTube that are geo-blocked. Despite increasing popularity where 26% of the internet users use it, VPNs particularly the services providers have been critics for data breaches and problem related to privacy and rising illegal activities done via the network (Bradley, 2019). Although, the VPNs can mask the packets sent to a device particularly in public insecure Wi-Fi and allowing users to access internet services anonymously, there have been concerns relating to level privacy and anonymity offered by the approach in addition to security at service providers’ level (Brittain and Sette, 2020). As such, this research project is built around addressing issues surrounding VPN that include whether it can be used to conduct illegal activities such as black market and unauthorised access.

Project aim

The project aims to investigate the operations of VPNs outlining the types and security and privacy measures and issues surrounding VPNs. This research project further delved into the issues related to if unauthorised personnel can access the VPNs-based networks and whether the networks has facilitated an illegal activities such as black market.

Project Objectives

To investigate ways in which VPNs are operated

To differentiate different types of VPN and establish the best working VPN type and method

To evaluate whether it is safe to use VPN-based encryption methods

To investigate issues surrounding the use of the VPN covering hacking and its use in facilitating black market

Research Questions

This research project is rooted on the following questions

Broad question

How are virtual private networks operated?

Specific questions

What are the different types and methods of the virtual private networks?

What is the level of security does VPN offer to systems and networks in terms of upholding privacy and prevention against unauthorised access?

Does VPN facilitate illegal activities such as hacking and black market?

Can hackers exploit VPN system, if yes, is there a way to determine source of the unauthorised access?

Structure of the report

This report is outlined into five chapters each modelled in a manner that collectively answer the research questions on operation of virtual private network (VPN). The first chapter is an introductory covering the background studies into rise and current perspective of issues related to VPN that include popularity and broadly, factors pushing for increasing adoption. Moreover, the chapter outline problems, which informed undertaking of this research as well as questions shaping this research direction. Third chapter is literature review. It reviews existing literature on VPN, architecture, operation, VPN types, and related security issues. Chapter 3 is artefact section encompassing the findings and results into the research. The discussion of the findings linking back to the literature review is done in the fourth chapter. Lastly, the conclusion is the sixth chapter that brings together the research problem, objectives, questions, literature, and findings informing inferences drawn.

CHAPTER 2: LITERATURE REVIEW

Overview

Going by the described given by Sobh and Aly (2011), virtual private network (VPN) allows provision of private services overs public network such as the internet. In essence, the technique transforms a publicly shared network that might be exposing the user to unauthorised access, non-secure into a private secure network by using encryption tunnels and other security mechanism. Hence, ideally, packets of data can be sent via internet to the target users without modification, and it modified, it would be detected. Before it invention by Singh-Pall in 1996, Point-to-Point Tunnelling Protocol (PPTP) existed as Point to Point Protocol (PPP). However, the reinvention to incorporate tunnelling allowed data to be passed from point A to B via as many other nodes as required by creating secure tunnels (REF).

Tunnelling

As described by Jahan et al. (2017) in VPN, tunnelling is a process whereby data transferred between devices or network securely over an environment considered non-secure, public internet while ensuring privacy and confidentiality are upheld. Ideally, tunnelling involves protection of data by repackaging it through encryption and encapsulation taking a different format. The encapsulated and encrypted data travel through the same network, public internet, as other data with no physical tunnel (Su et al., 2008; Bhat et al., 2016). The encapsulation insulates the packet of data from the other data while encryption ensures data is unreadable or invisible to unauthorised persons, hackers. According to Aqun et al. (2000), the encapsulation wraps data packets layers of control information aimed at making sure the data is unrecognisable and encryption of the data makes the plaintext readable data unreadable (cipher text) to a person who intercepts it. In addition to enhancing privacy and security, VPN tunnel hides the user IP address preventing identification while using the internet by only showing the VPN server location one is connected to.

Type of VPN tunnelling protocols

Point-to-Point Protocol (PPTP)

Point-to-Point tunnelling protocol is one of the oldest protocols. Narayan et al. (2008) illustrated that the protocol encrypts packets and rout in encapsulated format via the unsecure internet. PPTP is based on point-to-point protocol (PPP) on the data link layer (layer 2) that enables transfer of data via physical quantity between two routers without any host or other networking in between (Jahan et al., 2017; Xu and Radcliffe, 2011; Fall and Stevens, 2011). According to Modarressi et al. (2010), the point-to-point connection allows the user’s computer to access another specific remote system over the internet, in adding the tunnelling enhances the privacy and confidentiality of the data transmitted between the two points. In this case, the PPP is enveloped inside TCP/IP protocol taking an assumption of direct connection between two points in spite being created over the internet. Microsoft engineers originally designed point-to-Point Tunnelling Protocol back in 1996. As such, a device running Microsoft Windows operating systems supports the protocol by default making installation and running tend to be easy (Jaha, and Libya, 2015). Moreover, setting it up does not necessary need installation of computer certifications or public key infrastructure to access and use (Jain, 2011). Therefore, ease of use is relatively high because the data is normally not encrypted using IP security. Compared to other protocols, the PPTP is relative cheap attributed to easy to use and less complexity in setting it up.

Layer 2 Tunnelling Protocol (L2TP)/Internet Protocol Security (IPsec)

L2TP is an extension of the PPTP enabling VPN operations over the internet, used mostly by service providers. Theoretically, the L2TP is used to support through tunnelling the L2 traffic over an IP network (Singh and Gahlawat, 2012). As illustrated by Xu (2009), L2TP connection consists of a session and a tunnel. Hu et al. (2011) explained that the tunnel provides a channel between two L2TP points, L2TP Network Server (L2TP) and L2TP Access Concentrator (LAC), where controlled packets are only transmitted whereas the session is logically contained within the tunnels carrying user data. The bidirectional setup allowing transfer of data between the peers is initiated by either LNS or LAC by establishing of a L2TP session. In L2TP, packets are categorised as either data packets or control packets with no reliability offered for former while control packets provided with reliability features (Fan et al., 2012). It is worth noting that a tunnel is capable to containing multiple sessions, in this case, a session identifier number encapsulating headers of the data is used to separate the users. However, the L2TP by itself lacks security or authentication mechanisms. Therefore, in VPN, it is deployed with Internet Protocol security (IPsec) to offer such features. As pointed by Fan et al. (2012), pairing of L2TP and IPsec ensures the data being transmitted through L2 tunnel is encrypted in addition to being in a controlled channel. In this case, IPsec encapsulate the packets between the endpoints and then hidden by encryption. The encryption include wrapping packets, encoding original source and destination IP address using a 256-bit key. However, the L2TP/IPsec channels has been criticised for difficulty in getting around firewalls because it is based on UDP port 500, and less efficient compared to OpenVPN. In some case, for it to go through firewalls it need additional configuration.

OpenVPN

OpenVPN is an open source VPN protocol allowing users to scrutinise its sources code for vulnerabilities and able to reuse. The protocol relies of SSL/TLS for encryption and authentication, a relatively standard security approach for point-to-point or remote site-to-site connections (Crist, and Keijser, 2015). Coonjah et al. (2015) illustrated that it is relatively new and configurable protocol built around User Datagram Protocol (UDP) and Transmission Control Protocol (TCP). When used in transmission of data, the protocol utilizes UDP and TCP. Using TCP, the error is checked and then, if any, the transmission is dropped (Hall, and Jain, 2008). The dropped packets are then retransmitted increasing reliability at the expense of latency. As illustrated by Hoekstra et al. (2011), every time a packets get transmitted using TCP, the sender has to receive confirmation before sending next packet slowing down the connections and transmission process. Alternatively, User Datagram Protocol enables sending of next packet without any confirmation making it faster in communication between server and user (Coonjah et al., 2011). However, data not received cannot be retransmitted, hence the term ‘stateless’ protocol. Although UDP can be configured to run on any port, transmitting data without acknowledgement or retries make it less reliable compared to TCP.

VPN Architecture

As pointed by Singh & Gupta (2016) and Bhat et al. (2016), most of users use VPN, a software setup that creates a secure encrypted connection between the internet user and source of content (website or organization servers), to protect their privacy particularly when using public networks, Wi-Fi, and securely accessing work systems and network remotely.

As shown by figure 3 above, the VPN consists of four main components as follows. First, VPN client, secondly, VPN protocol, thirdly, VPN server (a tunnel terminating device), and lastly, a Network Access Server (NAS). Typically, the user Notably, as described by Venkateswaran (2001), Braun et al. (1999), and Andersson and Madsen (2005), one can classify VPN systems based on:

The tunnelling protocol: using in tunnelling the traffic

The tunnel termination point locations: on the network-provider edge or customer edge

Topology type: remote access or site-to-site

Level of security provided

OSI layer in connecting network- layer 2 or layer 3 connectivity

Simultaneous connections

Provider provisioned VPNs (PPVPNs) are essentially enterprise-level virtual networks used primarily for business-based allowing secure access of organizations systems and data by the staff. As pointed by Callon and Suzuki (2005), PPVPNs gives a secure access to systems in different location and network by connect physically via the internet. As such, for instance, an organization can build own dedicated VPN system a single integrated network or releases a PPVPNs from a service providers. Fundamentally, PPVPNs utilises virtual tunnels created suing such protocols as L2TP, Ipsec, MPLS, PPTP, and GRE enabling organizations private traffic to transverse the public internet without connecting to it or compromising the data (Carugi, and McDysan, 2005; Augustyn, and Serbest, 2006). Given that VPNs operate through the public internet, the transport protocols play a crucial role in connection security and data. In PPVPNs, Generic Route Encapsulation (GRE) is typically used to capture any protocol into internet protocol (IP) and used together with PPTP in creating VPN tunnels (Rekhter et al., 2007). As illustrated by Malkin (1997) and Knight and Lewis (2004), layer 3 tunnels - (GRE) encapsulate the non-IP traffic for traffic for transport via the Internet without encryption. Early version of the VPNs connecting to remote sites were through dial-up modem and leased line based on virtual circuits such as Frame Relay, X.25, and Asynchronous Transfer Mode (ATM) passively securing the data being transmitted by creating a logical data streams, hence considered not true VPNs (Buckwalter, 2000). Currently, VPNs are based on IP and IP/Multi-protocol Label Switching (MPLS) networks driven by need of increased bandwidth and cost-reductions provided by fibre-optic and digital subscriber line (DSL) networks. Venkateswaran (2001) and Zeng & Ansari (2003) characterised VPNs as either remote access/ host-to-network connecting a single device to a network or site-to-site connecting two or more networks. In a corporate environment, a remote-access network allow employees to access the organization’s system and data from a remote device typically over intranet whereas, a site-to-site VPNs enables establishment of secure connections over the public internet of offices in multiple fixed locations, for instance, in different country.

Other classification of VPNs can take the format of:

Remote access VPN

Site-to-site VPN

Mobile VPN

Hardware VPN

VPN appliance

Dynamic multipoint Virtual private network (DMVPN)

VPN reconnect

Security Levels using a VPN

As pointed by Pavlicek and Sudzina (2018), VPNs by themselves neither make the internet completely anonymous nor offer adequate security but rather increase privacy and security based on the protocol being used. For instance, some transport protocols contain encryption functionality while others do not have. Moreover, typically, data travelling through VPNs are protected between gateway edge devices meaning data traversing between the gateway edge and hosts at each end are not protected, according to Rangarajan et al. (2004) and Jingyao et al. (2019), by allowing only authenticated access using encryption techniques and tunnelling protocols. As such, providing confidentiality such that in the event that unauthorised person manages to access the network compromising it at the packet level, s/he would only access and see encrypted data. Moreover, the VPN security authenticate the sender preventing an unauthorised person from accessing the network and content being transmitted in addition to ensuring data integrity detecting any instances of tampering (Singh, and Gupta, 2016). As explained by Uskov (2012) and Kosta et al. (2010), VPN security requires user to authorise, authenticate, and encrypt data as core functionality of the network. As discussed by Jahan et al. (2017), VPN security is based on tunnelling approach and encryption techniques. Although depending on the protocol, security measures vary but two prominent standards are using Secure Sockets Layer (SSL) and Transport Layer Security (TLS), and Internet Protocol security (IPsec). Both TLS and SSL are primarily used in providing security between the servers and end user. While SSL provide basic confidentiality and authentication through creation of master secret, TLS through pseudo-random functionality has enhanced security features as it involved from SSL. In VPN, TLS/SSL based connection initiated through handshake that establishes cypher suite detailing session and encryption keys. Additionally, the handshake handles authentication by using public key where, normally, the server identifies self to the user proving it actually the server the client wanted (Bhargavan et al., 2014). Notably, public key encryption that uses one-way encryption enables anyone with a private key to unscramble the packet boosting authenticity, but only the user with original key is a position to encrypt and read the data (Harmening, 2017). Moreover, using message authentication code (MAC) that is verifiable by recipient to sign the packet after encryption and authentication ensures integrity of the data is upheld.

CHAPTER 3: ARTEFACTS

Findings

In order to determine the level of security offered by VPN, focusing on whether the assertion that the protocol safely and degree to which it protect users from unauthorised access while upholding individual privacy and confidentiality, this research demonstrated instances where security can be compromised. Similarly, the chapter explores the possibility of conducting illegal activities such as selling and buying illegal items, widely referred to as black market, by VPN users.

Hacking of VPN: PPTP

The criticism levelled against the PPTP is that it offers poor standards of security. According to Jones et al. (2019), the protocol is unreliable particularly in unstable networks. Cracking the initial MS-CHAPv2 authentication can be reduced to difficulty if cracking a single DES 56-bit key. In essence, with a powerful personal computer, a brute-force cracking could take a few minutes to have unauthorised access. Moreover, using a strong password as a security method is considerably irrelevant because one can search the entire 56-bit keyspace within practical timeframe. For instance, an attacker can do a man-in-the-middle (MITM) attack to capture the handshake and any other traffic. Moreover, the attacker can do an offline crack of the handshake deriving the RC4 key the decrypt and analyse the PPTP VPN traffic. The RC4 cipher, although it provides encryption, it does not offer authentication encryption with associated data (AEAD) features hence fails to verify the integrity of data.

PPTP VPN type can be ‘easy’ cracked. Using chap2asleap tool, one can clone the HTTP address by copying and setting up VPN network, in this case a Windows operating system devices. From figure below capture through wireshark, a challenge was sent to then response sent back showing successful connection.

Moreover, once the response is received, one can get the data details that include size, value, and name (vpnbook) although it is encrypted.

However, by using the user name and challenge value and response from challenge packet and respond packet, one can crack user password within considerably short time.

Similarly, in L2TP/IPsec VPN, an authenticated access can be done through root penetration. After accessing the user’s devices, the attacker can access the user details (password and username) stored as plaintext in the system registry and memory. In addition to using tunnel establishment and key, IPsec employs Internet Key Exchange (IKE) protocol for authentication. Using the IKE aggressive mode in creation of new IPsec tunnels compromises security. By using IKECrack tool, one can use brute force to attack pre-shared key (PSK) authentication passwords. Scanning through discovering, fingerprinting, and testing is a use approach in determining vulnerability in IPsec VPN systems. However, in this case,

On the other hand, the security tools employed by OpenVPN that include TCP, UDP, and NAT are not very secure by themselves but protection is enhanced by use of TLS encryption. The compression side-channel attack referred as CRIME in 2012 where attackers were able access the information by calculating the size of compressed packets was done through port 443 of TLS connection. In 2013, the BREACH attack exploited HTTP responses and compression, however shielding the traffic after compression protects the users from the attack. VORACLE attack on OpenVPN in 2018 taking advantage of vulnerabilities exploited by both BREACH and CRIME by attacking the HTTP response (Mitchell, 2019). An attacker can access compressed packet then decompress, decrypting before returning it to the user. Notably, the attacker must first have access to target data, mostly done by redirecting the packet HTTP controlled by the attacker or a third-party HTTP that s/he can manipulate.

Use of the VPN in conducting illegal activities

As noted before, VPN allows users to access website sites and services banned in their geographical locations in addition to enhancing privacy and confidentiality. A VPN user can access more than information and movies blocked within their locations but also e-commerce websites. Different governments put in place different restrictions on selling and buying commodities online as well as limiting the quantity and pricing. Similarly, some products such Huawei products that include mobile phones and telecommunication devices are banned entirely in some countries such as United State (US) and restricted in European Union (EU) regions for myriad reasons ranging from security concerns to other linked to political reasons (Gartenberg, 2020). In some cases, regulatory authorities place huge import levies and taxation on some products making relative expensive in some countries than countries. Recently, such products as European cars and wine have been known to attract heavy import levy in the US and vice versa for some European products in the US structure as such to boost local sector (Duvignau, 2020). However, data show more and more VPN users use the services ability to change the location and hide their identity to purchase airline tickets and prescription drugs (Hindermann, 2018; Sankaranarayanan, 2016). Recently report indicated airlines use geographical locations in modelling their ticket pricings offering different prices on same exact flights based on the country’s GDP. The price discrimination is strategy adopted by most airline offer same product, different price for reasons such as competition, consumer demand, consumer purchasing behaviour, and consumer willingness to pay more. Connecting to a VPN server located in low-income countries such as those in South America, South-East Asia, Africa, and Caribbean, then connect to a VPN server located destination country, for example France, and lastly, choosing a server located in an Airline’s home country, US for United Airlines. For instance, US IP address, one-way economy ticket from Chicago to France by United Airlines cost approximately $3,600. However, by using Bulgarian IP addressing the pricing drop to $3,150 for the same airline, flight ticket, and economy class. There is not international law against taking advantage of pricing discrimination and by pricing it in buying airline tickets via VPN. However, can only be illegal in countries where use of VPN is banned or restricted but not purchasing the tickets. Similarly, North American products such as apparel and shoes tend to be very expensive in such countries as Eastern Europe and Africa. Hence, once can take advantage of the same in purchasing at a lower pricing. Moreover, some organisations have geo-fenced their products such that only consumers from certain locations can access and buy (Chornous, and Iarmolenko, 2018). Some businesses entities such as Netflix have strict restrictions of using VPN to stream movies from its platforms immediately disconnecting if detect a user is using a VPN server. More so, booking accommodation and rental care. In tourism and travelling industry, locals are offered cheaper prices for room or car rental compared to travellers and foreigners. As suc, using VPN, change locations of the servers to that of country travelling to then proceed to book a room at a considerably cheaper prices.

All of the above are legal purchases. However, same as accessing and streaming movies banned by a given government, a VPN user can purchase prescription drugs that are note available in a given country or they are expensive (Greenberg, 2016). For instance, prescription drugs in the US tend to very expensive compared to other countries such as Canada caused by factors associated with health systems and consumer culture. However, the notion that one can sell or buy illegal drugs via VPN platforms is arguably multifaceted. As stated, principally, VPN system is build public internet meaning user accesses websites and content that are in public domain either in user’s end or in VPN servers end. However, such drugs as cannabis are legal in some countries such as Canada and some US states, but banned in most European countries (Chornous and Iarmolenko, 2018). Therefore, a user in the UK and change the IP adopting that of a VPN server in the Canada then buy the drug. Similarly, by changing the IP address a buyer and seller bother in the UK where it is illegal to buy or seller cannabis drug can communicate and conduct transactions while masking as through both reside in Canada (Khalaf, 2018). Using this logic, the VPN can be part of illegal market. In doing online purchasing, it is importance to delete all cookies before connecting to the server to avoid being tracked.

CHAPTER 4: DISCUSSION AND EVALUATION

Security limitation

Exploitation of VPN by Hackers

On investigation of ways hackers gain access network and system via VPN, the findings of this research indicate unauthorised persons can exploit VPN vulnerability and access the network and encrypt the masked data. The recent reports of Iranian hackers exploiting the network vulnerability such as Citrix (CVE-2019-19781), Fortinet FortiOS (CVE-2018-13379), Palo Alto Networks' Global Protect (CVE-2019-1579), and Pulse Secure Connect (CVE-2019-11510). The research disclosed that attackers could exploit the Palo Alto GlobalProtect SSL VPN solution widely adopted by organisations as a security measures. Once the SSL VPN server is compromised, attackers can easily infiltrate the users’ network and even take over the entire SSL VPN server (Narang, 2019). The vulnerability of Palo Alto SSL VPN is a simple bug with no authentication required.

The handshake between the user and server is handled by the sslmgr gateways and during a parameter extraction, scep-profile-name is searched and its values passed as snprintf that in returned used to fill in the buffer. In this format, one can easily crash the service with %n.

In the Pulse Secure Connect (PSC), the attacker would specific created URI to read arbitrarily file vulnerability. Similarly, in 2019, Fortinet reported being affected by traversal and buffer overflow vulnerabilities in implementation of SSL VPN. The CVE-2018-13379, the traversal vulnerability, showing possibility of allowing an attacker to penetrate the system and download file by using a specifically created HTTP resource requests. Whereas, the buffer overflow, CVE-2018-13383 vulnerability showed capability of SSL VPN web service to terminate logged in users that allows remote code execution. In additional to buffer overflow and traversal vulnerabilities, other notable vulnerability associated with FortiSO SSL VPN is ‘magic’ string value created previous at the request of a client to implement change in password but expired. However, the string value tend to be reusable on its own enabling change of password within users’ credentials. As pointed out by Fortinet (2019), the improper authorisation vulnerability enables attackers and unauthorised individuals to change password of SSL VPN platform by creating a specific HTTP requests. On the other hand, the vulnerability affecting Citrix devices referred to as CVE-2019-19781 was discovered, if exploited, could allow an attacker to perform arbitrary code execution (Seguin, 2020). As demonstrated below, one need to send only two request to exploit vulnerability without any authentication.

OpenVPN is arguably the most secure protocols that encrypt the data using AES-256 encryption key with 160-bit SHA1 hash algorithm, and 2048-bit RSA authentication. OpenSSL supports static Key Mode encryption using pre-shared keys (PSK) in addition to public key security based on server and client certifications. As pointed by (REF), the protocol not only built on security measures; it is adaptable through third party software. The protocol is also available for almost every platform (iOS, Android, Solaris, FreeBSD, OpenBSD, Linux, Blackberry, and Windows) making it easy to install and use, hence it popularity. However, scholars have criticised it for slow speed. Unlike secure socket tunnelling protocol (SSTP) that is integrated into Windows operating systems as a proprietary protocol, OpenVPN is not making it more useful in other supporting platforms. In term of extensibility, OpenVPN is extensible allowing more advanced logging, dynamic firewall updates, and boosting authentication (passwords and username), and integration of Remote Authentication Dial-In User Service (RADIUS) by using third party plug-ins or scripts referred to defined entry points. PPTP or L2TP protocols are typically used for remote access VPNs connecting a single user to corporate network via DLS router or wireless LAN whereas IPsec, MPLS, and GRE protocols are typically used for VPNs connecting more two or more site networks. The tunnels operating at layer 2 or 3 of the OSI-defined communication layers are established at both the customer (Customer Edge) and provider (Provider Edge) ends. For PPTP, an attacker can use an ARP poisoning forcing a target (user) to send MSCHAPv2 handshake through the attacker’s network or system. By using packet-capturing tool such as Wireshark, the attacker can then capture the handshake. The captured handshake can be cracked recovering username, hash, password, and encryption keys, that attacker can then decrypt the targets traffic and information. VPN security requires user to authorise, authenticate, and encrypt data as core functionality of the network. As pointed by Fan et al. (2012) and Lakbabi et al. (2012), VPNs by themselves do not offer adequate security but rather depended on the protocol being used. For instance, some transport protocols contain encryption functionality while others do not have. Moreover, typically, data travelling through VPNs are protected between gateway edge devices meaning data traversing between the gateway edge and hosts at each end are not protected. Furthermore, PPTP does not do additional integrity checks such as hash-based message authentication code (HMAC) hence vulnerable to bit-flipping attacks. For instance, an attacker can do modification to the PPTP packets with little possibility of detection. Arguably, numerous attacks such as Royal Holloway attack (2013), Bar-mitzvah attack (2015), and Numerous Occurrence Monitoring Recovery Exploit (NOMORE) attack (2015) have be discovered on RC4 cipher making it a bad choose for securing sensitive, private, and large amount of data. The NOMORE attack against RC4 in both WPA-TKIP (Temporal Key Integrity Protocol) and TLS demonstrated in practice founded that an attack can be completed within an hour and 75 hours respectively allowing attackers to decrypt and inject arbitrary packets.

For a VPN network to be considered secure, it must have protocols that include the following:

Internet Protocol Security (IPsec)

Transport Layer Security (SSL/TLS)- OpenVPN/ SoftEther VPN

Datagram Transport Layer Security (DTLS) used in Openconnect VPN–Anyconenct VPN solving –SSL/TLS issues it has with tunnelling over TCP such as delays/latency and connection aborts

Point-to-Point tunnelling –Microsoft Point-to-Point Encryption (MPPE)

Multi Path Virtual Private Network (MPVPN)

Secure Shell (SSH) VPN

WireGuard

Kang and Balitanas (2009) pointed that security measures embodied in policies to be followed by VPN relies on the such aspects as access rights, access controls rights (IP address source, data packet content, and destination), management responsibilities encompassing authorisation, enforcement, and overseeing the VPN and certification, encryption types and levels. The degree and type of encryption covers such aspects as specific decisions in setting security protocol, management and distribution of private and public security keys, and certification type and length. Other attributes described include virtual private endpoints involving IP tunnelling. However, VPN is not a standalone infrastructure but rather depended on other IT feature as well as relied on organizations security policy for it protect and secure sensitive information. In some countries, government can demand access to VPNs users’ data citing ‘Fourteen Eyes’ provision. The laws in countries such as the US, UK, and Australia where the services providers can be forced to provide access to the respective governments, to some point defeats the need of privacy and avoiding surveillance.

CHAPTER 5: CONCLUSION

Principally, the IP address of the VPN users is masked taking external IP of the server provider. While VPN connections enable safe and secure browsing public internet connections, there have been reports of misuse such conducting illegal activities. As pointed by (REF), using DPI, one track easily the browsing behaviour right do to the user capture the activities done, period, and time. Notably, VPN enhances security, privacy, and confidentiality by using a shared server IP in transmitting the data, hence IP can be traced to the user’s location. Building from the findings, VPN encapsulate and encrypt the data being sent and connection to the internet making tracking or hacking the user hard. Such protocols as PPTP protocol does not provide forward secrecy so vulnerability of one PPTP session puts the other sessions, including previous, at risk of access by attacker using the same credentials. However, OpenVPN and L2TP/IPsec tend to have higher security and privacy measures.

Traditionally, VPNs are more secure offer higher privacy and confidentiality compared remote desktop protocol (RDP). There exist several protocols, security measures, and services providers releasing significant software patches regularly, an approach taken advantage by cybercriminals. Failure to update the software that including security measures, the network become prime targets for ransomware and malicious. For instance, such vulnerabilities as CVE-2019 and CVE-2019 enabling unauthenticated users to compromise the VPN network and performing arbitrary remote access of files. In event where users use the platform to conduct illegal activities such as selling drugs and distribution of banned or restricted content, services providers keep the data and in some jurisdiction, government can force the provider to hand over the data. For instance, increased internet surveillance in countries such countries China, UK, Canada, New Zealand, and USA with ‘14-eyes’ jurisdiction allowing surveillance agencies to monitor activities of people online can sanction the providers for users’ data.

The answer to the question on whether there is a way of tracking and tracing unauthorised access (hacker) is, Yes.

Recommended security measures for organizations to reduce VPN vulnerabilities issues:

Enabling Multi-Factor Authentication (MFA),- Here, the approach ensure the person connected via VPN is the authorised user and not an attacker.

Patch the servers- this is conducted with aim of reducing vulnerability and minimising the possibility of attack

Avoid old PPTP or L2TP/IPSec protocols but rather use only latest versions of OpenVPN protocol--- considered extremely secure

Encryption: make sure VPN providers offer 2048-bit or 256-bit (branded doubleVPN) encryption because they are extremely hard to bypass

REFERENCES

Andersson, L. and Madsen, T., 2005. Provider provisioned virtual private network (VPN) terminology.

Aqun, Z., Yuan, Y., Yi, J. and Guanqun, G., 2000, August. Research on tunneling techniques in virtual private networks. In WCC 2000-ICCT 2000. 2000 International Conference on Communication Technology Proceedings (Cat. No. 00EX420) (Vol. 1, pp. 691-697). IEEE.

Augustyn, W. and Serbest, Y., 2006. Service requirements for layer 2 provider-provisioned virtual private networks. RFC 4665, September.

Bhargavan, K., Lavaud, A.D., Fournet, C., Pironti, A. and Strub, P.Y., 2014, May. Triple handshakes and cookie cutters: Breaking and fixing authentication over TLS. In 2014 IEEE Symposium on Security and Privacy (pp. 98-113). IEEE.

Bhat, A.Z., Al Shuaibi, D.K. and Singh, A.V., 2016, September. Virtual private network as a service—A need for discrete cloud architecture. In 2016 5th International Conference on Reliability, Infocom Technologies and Optimization (Trends and Future Directions)(ICRITO) (pp. 526-532). IEEE.

Braun, T., Günter, M., Kasumi, M. and Khalil, I., 1999. Virtual private network architecture. Charging and Accounting Technology for the Internet (Aug. 1, 1999)(VPNA).

Callon, R. and Suzuki, M., 2005. A framework for layer 3 provider-provisioned virtual private networks (ppvpns). Request for Comments (RFC), 4110.

Chornous, G. and Iarmolenko, I., 2018, May. Recognition of Price Discrimination in the Online Sale of Airline Tickets. In ICTERI (pp. 46-60).

Coonjah, I., Catherine, P.C. and Soyjaudah, K.M.S., 2015, December. Experimental performance comparison between TCP vs UDP tunnel using OpenVPN. In 2015 International Conference on Computing, Communication and Security (ICCCS) (pp. 1-5). IEEE.

Fan, Y.Q., Li, C. and Sun, C., 2012. Secure VPN based on combination of L2TP and IPSec. Journal of Networks, 7(1), p.141.

Hoekstra, B., Musulin, D. and Keijser, J.J., 2011. Comparing TCP performance of tunneled and non-tunneled traffic using OpenVPN. Universiteit Van Amsterdam, System & Network Engineering, Amsterdam, pp.2010-2011.

Hu, M., Zhao, Q., Kuramoto, M., Cho, F. and Zhang, L., 2011, October. Research and implementation of layer two tunneling protocol (L2TP) on carrier network. In 2011 4th IEEE International Conference on Broadband Network and Multimedia Technology (pp. 80-83). IEEE.

Jahan, S., Rahman, M.S. and Saha, S., 2017, January. Application specific tunneling protocol selection for Virtual Private Networks. In 2017 International Conference on Networking, Systems and Security (NSysS) (pp. 39-44). IEEE.

Jahan, S., Rahman, M.S. and Saha, S., 2017, January. Application specific tunneling protocol selection for Virtual Private Networks. In 2017 International Conference on Networking, Systems and Security (NSysS) (pp. 39-44). IEEE.

Jingyao, S., Chandel, S., Yunnan, Y., Jingji, Z. and Zhipeng, Z., 2019, March. Securing a Network: How Effective Using Firewalls and VPNs Are?. In Future of Information and Communication Conference (pp. 1050-1068). Springer, Cham.

Knight, P. and Lewis, C., 2004. Layer 2 and 3 virtual private networks: taxonomy, technology, and standardization efforts. IEEE Communications Magazine, 42(6), pp.124-131.

Lakbabi, A., Orhanou, G. and El Hajji, S., 2012, December. VPN IPSEC & SSL technology Security and management point of view. In 2012 Next Generation Networks and Services (NGNS) (pp. 202-208). IEEE.

Malkin, G.S., 1997, November. Dial-in virtual private networks using layer 3 tunneling. In Proceedings of 22nd Annual Conference on Local Computer Networks (pp. 555-561). IEEE.

Narayan, S., Kolahi, S.S., Brooking, K. and de Vere, S., 2008, December. Performance evaluation of virtual private network protocols in Windows 2003 environment. In 2008 International Conference on Advanced Computer Theory and Engineering (pp. 69-73). IEEE.

Pavlicek, A. and Sudzina, F., 2018, December. Internet Security and Privacy in VPN. In International Conference on Digital Information ManagementInternational Conference on Digital Information Management (Vol. 9, No. 4, pp. 133-139).

Rekhter, Y., Bonica, R. and Rosen, E., 2007. Use of provider edge to provider edge (PE-PE) generic routing encapsulation (GRE) or IP in BGP/MPLS IP virtual private networks. Internet Engineering Task Force.

Singh, A. and Gahlawat, M., 2012. Internet Protocol Security (IPSec). IRACST–International Journal of Computer Networks and Wireless Communications (IJCNWC), ISSN, pp.2250-3501.

Su, Y., Tian, Y., Wong, E., Nadarajah, N. and Chan, C.C., 2008. All‐optical virtual private network in passive optical networks. Laser & Photonics Reviews, 2(6), pp.460-479.

Zeng, J. and Ansari, N., 2003. Toward IP virtual private network quality of service: a service provider perspective. IEEE Communications Magazine, 41(4), pp.113-119.