3. Security and Reliability

    Version as of 00:10, 21 May 2024

    3.1. Excellent Security and Reliability, Superior to Hardware

    You may wonder whether SoftEther VPN is really as secure as a hardware VPN product. Some people assume that a software VPN must be inferior to a hardware one. SoftEther VPN is indeed implemented as software, not as a dedicated integrated circuit, but its security is at least equivalent to that of hardware VPN products and, for the reasons given below, arguably better.

    Inside of Hardware VPN Products

    Almost every hardware VPN product on the market today is not pure hardware; in practice it is a software program. If you open the case of a Cisco router, you find components much like those of an ordinary computer, and the main difference is the CPU architecture. To reduce manufacturing cost, Cisco and other VPN vendors use cheaper CPUs than desktop computers do, such as MIPS, ARM and PowerPC. There is no more fundamental difference between a desktop computer and a hardware VPN router. Publicly available information and books describe the internals of Cisco routers: the device runs a software operating system, and on top of it the routing and VPN session management software that processes VPN traffic. Virtually all of the security-relevant work in today's hardware VPN products is done in software, not in hardware. Anyone who works at such a vendor can confirm this.

    No Differences of Encrypting Strength between Hardware ASIC and Software Programs

    Some expensive VPN router products, such as the Cisco VPN Concentrator, do have an ASIC (application-specific integrated circuit) for encrypting and decrypting packets. It is a common misunderstanding that encryption performed by an ASIC is more secure than encryption performed by software. The output of a cipher is exactly the same whether it is computed by an ASIC or by software, because the algorithm is the same in both. For example, Cisco's ASIC encryption unit implements AES-256, a standard cipher published by the U.S. government (FIPS 197); AES-256 implemented in software produces identical results and offers identical cryptographic strength. The one real difference between implementations is their quality, not the medium: a software AES that is not written in constant time can leak key material through timing or cache side channels, and a hardware implementation can leak through power analysis. Neither weakness belongs to the algorithm itself. Please do not assume that an ASIC is more secure than a software module from the standpoint of cryptography.

    SoftEther VPN is Certainly Safer than Legacy Hardware VPN Products

    It is no exaggeration to say that the security of SoftEther VPN can be stronger than that of legacy hardware VPNs. Cisco Systems and other legacy VPN vendors keep the code of both their software and their ASICs secret, so nobody outside the vendor can examine whether the implementation is really safe, or whether a secret backdoor has been built in that would let someone who knows the secret (the vendor itself, or its government) enter a customer's private network without the customer's permission. Such a risk can be neither proved nor ruled out by the customer. Because the code is embedded in the hardware and its firmware, reverse engineering it is far more laborious than reading source. For these reasons a legacy hardware VPN gives customers no way to verify its security.

    In legacy VPN hardware products the operating system layer and the VPN layer are developed by the same vendor, and this is itself a serious security problem. Any code contains undiscovered vulnerabilities. The operating system layer is far larger and more complex than the VPN layer, so more vulnerabilities will be found there than in the VPN layer. That closed, dedicated operating system is entirely in the vendor's hands: unless the vendor decides to fix a vulnerability and distribute a patch to all existing users, every user stays exposed and there is nothing the user can do. This is a dangerous situation.

    Two Reasons Why SoftEther VPN is More Secure than Hardware Vendors' VPNs

    Compared with hardware VPN products, SoftEther VPN can be considered more secure, for two reasons. First, the important parts of SoftEther VPN have been released as open-source software since 2010. The developer therefore cannot hide a backdoor in the software: if one were added, anyone reading the published source would find it, and users can build the binaries they run from that source. This holds only while the code is actually reviewed and while the binaries in use correspond to the published source, but it is a guarantee that closed hardware VPN products cannot offer at all. In terms of the possibility of a backdoor or other malicious code, SoftEther VPN is therefore safer than a closed vendor's hardware VPN.

    Second, SoftEther VPN runs on many operating systems, such as Windows, Linux, FreeBSD, Solaris and Mac OS X. These operating systems are widely used, so when a vulnerability is found in one of them it is analyzed publicly and a fix is published; in the normal case the OS vendor or distribution distributes the patch to everyone, free of charge and as quickly as possible, through Windows Update or the Linux distribution's update system. SoftEther VPN's strength here is that it is completely separate from the operating system layer, so every security problem found in the operating system can be fixed at the operating system layer. A SoftEther VPN user does not run the risk that the developer of the operating system is reluctant to fix security issues; a user of a legacy hardware VPN product does.

    About Opening a TCP/IP Port on the Operating System for SoftEther VPN

    To run SoftEther VPN Server on a server computer, you have to accept incoming VPN connections on a particular TCP port. Usually this is TCP port 443 (the HTTPS port).

    Today's operating systems have capable software firewalls that block inbound packets to every port that has not been explicitly opened, and on Windows and most current Linux distributions the firewall is enabled by default. Exposing the VPN listener therefore does not expose the rest of the host to attackers and malware on the Internet. Open only the minimal set of ports needed to accept VPN sessions on the VPN Server, and nothing else. This is secure, and there is no reason to say that using Windows or Linux for VPN purposes is dangerous.

    3.2. Based on Internet Standard Protocols

    SoftEther VPN uses Internet standard protocols in every aspect of its communication over the Internet.

    Upper Layer of VPN Tunneling Protocol

    The SoftEther VPN tunneling protocol is carried over HTTPS (HTTP over SSL/TLS). HTTP is the most frequently used protocol on the web today, and HTTPS is the extension that secures it; you probably use it every day. HTTPS is among the most widely deployed and most intensively analyzed secure protocols in existence.

    Intermediate Layer of VPN Tunneling Protocol

    Both SSL 3.0 and TLS 1.0 are supported, and the user can choose which to use. SSL is the Secure Sockets Layer protocol; TLS is the Transport Layer Security protocol. Both have been used throughout the Internet for well over a decade and have been subjected to relentless analysis by the cryptographic research community and industry. Note that since this page was written, SSL 3.0 has been deprecated by RFC 7568 and TLS 1.0 and 1.1 by RFC 8996; a deployment should allow only the newest TLS versions that its OpenSSL build supports.

    Lower Layer of VPN Tunneling Protocol

    The lowest layer of the VPN tunneling protocol is TCP/IP (Transmission Control Protocol over Internet Protocol), the Internet's standard transport. SoftEther VPN can use TCP over both IPv4 and IPv6.

    3.3. Supporting Many Cipher Standards

    SoftEther VPN uses cipher algorithms to protect the VPN tunnel from attackers and eavesdroppers on the Internet. The user can choose which cipher algorithm to use. RC4 is faster but weak; AES256 is slower but offers a very large security margin.

    Encryption and Decryption Algorithms

    The following cipher algorithms can be specified in SoftEther VPN. All of them are defined for use in standard SSL/TLS cipher suites.

    • RC4 (128 bits)
    • AES128 (128 bits)
    • AES256 (256 bits)
    • DES (56 bits)
    • Triple-DES (168 bits)

    RC4 is a stream cipher; the others are block ciphers. Of these, only AES128 and AES256 should be used today: RC4 is prohibited in TLS by RFC 7465 because of biases in its keystream, single DES has a 56-bit key that can be searched exhaustively, and Triple-DES has a 64-bit block that makes it vulnerable to birthday attacks on long-lived sessions (the Sweet32 attack).
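    The following Python is an added example by the editor, not code from the SoftEther VPN page or project. It uses the standard ssl module, which is backed by OpenSSL, to build a client context that refuses SSL 3.0, TLS 1.0 and TLS 1.1 (the intermediate-layer choice discussed above) and removes RC4, DES, Triple-DES and MD5 from the offered cipher suites (the cipher list above), then audits what remains. The cipher string and the list of rejected tokens are this example's own choices, not settings taken from SoftEther VPN.

```python
import ssl

# Components of the cipher suites listed above that a current deployment should refuse
# (this example's choice): RC4 is prohibited in TLS by RFC 7465, DES has a 56-bit key,
# 3DES has a 64-bit block, MD5 is broken for collisions; NULL and EXP(ort) suites are
# never acceptable.
WEAK_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXP")


def hardened_client_context():
    """Build a TLS client context that allows only TLS 1.2+ and strong cipher suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # no SSL 3.0 / TLS 1.0 / TLS 1.1
    # OpenSSL cipher-string syntax: start from the HIGH group, then subtract whole families.
    # This keeps AES128/AES256 from the page's list and drops RC4, DES and Triple-DES.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!RC4:!DES:!3DES:!MD5:!EXP")
    return ctx


def allows_legacy_versions(ctx):
    """True if the context would still negotiate anything older than TLS 1.2."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def offered_ciphers(ctx):
    """Names of the TLS 1.2 and TLS 1.3 cipher suites the context will offer."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(names):
    """Subset of cipher-suite names that still contain a rejected component."""
    return [n for n in names if any(tok in n.upper() for tok in WEAK_TOKENS)]


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("minimum TLS version:", ctx.minimum_version.name)
    print("legacy versions allowed:", allows_legacy_versions(ctx))
    names = offered_ciphers(ctx)
    print(f"{len(names)} cipher suites offered, {len(weak_ciphers(names))} weak")
```

    Run the audit against the context your own client actually uses; if weak_ciphers() returns anything or allows_legacy_versions() is true, the OpenSSL build or the cipher string needs changing before the server is exposed.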

    Hashing Algorithms for HMAC

    SoftEther VPN also uses the following hashing algorithms for the HMAC (Hash-based Message Authentication Code) that protects the integrity of each record. All of them are international standards.

    • SHA-1 (160 bits)
    • MD5 (128 bits)

    MD5 and SHA-1 are no longer collision resistant. That does not by itself break HMAC-MD5 or HMAC-SHA1, whose security does not rest on collision resistance, but SHA-2 family hashes should be preferred wherever the peer supports them.
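    An added example by the editor (not SoftEther VPN code) of how an HMAC protects each tunnel record. The key and the record are constructed inline. The sequence number is included in the authenticated data so that a replayed or reordered record is rejected even though its bytes are intact, and the tag comparison is constant-time; 'sha1' is used where the page's algorithms are meant, 'sha256' is the default a current deployment should prefer.

```python
import hashlib
import hmac
import os
import struct


def tag_record(key, seq, payload, algo="sha256"):
    """HMAC over (sequence number || payload). 'sha1' and 'md5' are the page's options;
    'sha256' is what a current deployment should prefer."""
    return hmac.new(key, struct.pack(">Q", seq) + payload, algo).digest()


def verify_record(key, seq, payload, tag, algo="sha256"):
    """Constant-time check; a plain == would leak how many leading bytes matched."""
    return hmac.compare_digest(tag_record(key, seq, payload, algo), tag)


def demo():
    """Constructed key and record; returns which checks pass."""
    key = os.urandom(32)
    seq, payload = 7, b"\x45\x00\x00\x3c\xde\xad" + b"constructed IP packet"
    tag = tag_record(key, seq, payload, "sha1")
    tampered = payload[:-1] + bytes([payload[-1] ^ 0x01])   # flip one bit
    return {
        "intact": verify_record(key, seq, payload, tag, "sha1"),
        "bit_flipped": verify_record(key, seq, tampered, tag, "sha1"),
        "replayed": verify_record(key, seq + 1, payload, tag, "sha1"),
        "wrong_key": verify_record(os.urandom(32), seq, payload, tag, "sha1"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:12s} verified={result}")
```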

    3.4. Built on OpenSSL

    The core engine for encryption, decryption and authentication in SoftEther VPN is OpenSSL. OpenSSL is the best-known and most widely used open-source cryptographic library, relied on wherever security is needed, and it is the most thoroughly reviewed implementation available.

    This is an advantage for SoftEther VPN: OpenSSL is a security implementation that has been tested in public for years, and SoftEther VPN benefits from that. Other legacy VPN vendors write their own cryptographic code and ship it in their products because they do not want to use open source. Cryptographic practice (Kerckhoffs's principle) holds that closed, unreviewed cryptographic implementations are considerably less trustworthy than open ones that have survived public scrutiny. The same openness means that vulnerabilities in OpenSSL itself become public quickly, so the OpenSSL build that SoftEther VPN links against must be kept up to date.

    SoftEther VPN uses OpenSSL without modification, so that the integrity of its security properties is preserved.

    3.5. Prevent Man in the Middle Attacks

    A "person in the middle" attack (better known as a man-in-the-middle attack) is a well-known way to attack an encrypted session over the Internet. It is prevented by having the client validate the server's certificate, and SoftEther VPN has a function for this. Every VPN Server has its own RSA private key and the corresponding RSA public key in an X.509 certificate. Each time the VPN Client connects to the VPN Server it can check the validity of the server's identity, and if anything is wrong the VPN session is terminated immediately, leaving no room for an attacker in the middle. The check must actually be enabled on the client: a client that connects without verifying the certificate gets encryption but no assurance of whom it is talking to.
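    As an added example (editor's code, not SoftEther VPN's), the following Python shows the two client-side settings that decide whether the check described above happens at all, side by side with the weak configuration, plus a certificate-fingerprint pin that a client can keep for its VPN server independently of any CA. The CA file path, host name and pinned fingerprint are placeholders; the bytes used in place of a DER certificate are constructed so that the fingerprint logic runs offline.

```python
import hashlib
import hmac
import socket
import ssl


def verifying_client_context(ca_file=None):
    """The correct setting: chain validation and host-name check are both on.
    PROTOCOL_TLS_CLIENT enables them by default; ca_file (hypothetical path) adds a private CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    return ctx


def unverified_client_context():
    """The weak setting: the tunnel is encrypted, but to whoever answers the connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx):
    """The two properties that decide whether the server's identity is checked."""
    return {"check_hostname": ctx.check_hostname,
            "requires_cert": ctx.verify_mode == ssl.CERT_REQUIRED}


def fingerprint(der_cert):
    """SHA-256 over the DER encoding, the usual form of a certificate pin."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pinned_hex):
    """Constant-time comparison against a pin written with or without colons."""
    expected = pinned_hex.lower().replace(":", "")
    return hmac.compare_digest(fingerprint(der_cert), expected)


def connect_with_pin(host, port, pinned_hex, ca_file=None):
    """Connect, let OpenSSL validate the chain and name, then also enforce the pin.
    Not exercised offline; host, port and pin are placeholders. A mismatch raises,
    which tears the session down before any VPN data is exchanged."""
    ctx = verifying_client_context(ca_file)
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pinned_hex):
                raise ssl.SSLError("server certificate does not match the pinned fingerprint")
            return tls.version()
```

    The pin is a second, independent check: even if a CA in the trust store were compromised, a certificate that chains correctly but has a different fingerprint is still rejected.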

    3.6. User Authentication Methods

    Encryption alone is not enough to ensure security; user authentication is also mandatory to keep unknown parties out. SoftEther VPN offers several user authentication options, suitable for everything from very small deployments to an enterprise with several thousand employees.

    Plain Password Authentication

    The simplest method is plain password authentication. A Virtual HUB on the VPN Server holds its own user database containing users and their passwords; the passwords are stored hashed with a SHA algorithm. An administrator can create many users on the database, each with a different password. Nobody who does not know the correct combination of user ID and password can connect to the Virtual HUB.
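    An added example by the editor (not SoftEther VPN's user database implementation) of how a per-Virtual-HUB password store should be kept. The page says passwords are hashed with SHA; this example goes a step further and uses PBKDF2-HMAC-SHA256 with a random per-user salt, so that two users with the same password get different records and an attacker who steals the database cannot use a precomputed table. The iteration count is this example's choice.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000          # PBKDF2 work factor; chosen for this example
SALT_LEN = 16


class UserDatabase:
    """Users and salted password hashes for one Virtual HUB (in memory, for the example)."""

    def __init__(self):
        self._users = {}      # name -> (salt, derived key)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def add_user(self, name, password):
        salt = os.urandom(SALT_LEN)   # fresh salt per user
        self._users[name] = (salt, self._derive(password, salt))

    def record(self, name):
        """(salt, hash) as stored; the password itself is never kept."""
        return self._users.get(name)

    def verify(self, name, password):
        entry = self._users.get(name)
        if entry is None:
            # Do the same work for an unknown name so response time does not reveal valid names.
            self._derive(password, b"\x00" * SALT_LEN)
            return False
        salt, stored = entry
        return hmac.compare_digest(self._derive(password, salt), stored)

    def change_password(self, name, old, new):
        """Re-salts as well as re-hashes; requires the old password like a VPN user would."""
        if not self.verify(name, old):
            return False
        self.add_user(name, new)
        return True


if __name__ == "__main__":
    db = UserDatabase()
    db.add_user("alice", "correct horse")
    print("right password:", db.verify("alice", "correct horse"))
    print("wrong password:", db.verify("alice", "battery staple"))
```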

    Authentication with RADIUS and Active Directory

    Plain password authentication is simple and suitable for some purposes. But if a company has a very large number of employees who all need to connect to the VPN Server, defining each user on the Virtual HUB is inconvenient, and such a company already has an external user authentication database: a UNIX shop has a RADIUS authentication server, a Windows shop has Active Directory or an NT domain controller. SoftEther VPN Server can be configured to relay the authentication process to such an external database. The administrator then does not have to create a user on the Virtual HUB for each employee, which removes a lot of tedious work. There is another benefit: when a user changes his or her password, the password required to connect to the VPN Server changes with it, so the company can enforce a single password policy and reduce its exposure to password guessing by outside attackers.

    Because SoftEther VPN follows the standard RADIUS protocol, any modern user-authentication mechanism, such as one-time password tokens, can be used as long as its authentication server speaks RADIUS.
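    As an added example (editor's code, not taken from SoftEther VPN), the following Python builds the RADIUS exchange that a VPN server relies on when it relays a password to an external server: an Access-Request whose User-Password attribute is obfuscated as RFC 2865 section 5.2 specifies, the server side decoding it and answering with an Access-Accept or Access-Reject, and the client verifying the Response Authenticator so that a forged reply from the network is rejected. The shared secret, user name and NAS identifier are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, NAS_IDENTIFIER = 1, 2, 18, 32


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encode_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret || previous block),
    where the 'previous block' of the first one is the Request Authenticator."""
    p = password.encode("utf-8")
    if not 1 <= len(p) <= 128:
        raise ValueError("RADIUS passwords are 1..128 bytes")
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        c = _xor(p[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + c, c
    return out


def decode_password(blob, secret, authenticator):
    """Inverse of encode_password; a wrong secret yields garbage, not an error."""
    if not blob or len(blob) % 16:
        raise ValueError("bad User-Password length")
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        c = blob[i:i + 16]
        out, prev = out + _xor(c, hashlib.md5(secret + prev).digest()), c
    return out.rstrip(b"\x00").decode("utf-8")


def _attrs(items):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in items)


def build_access_request(ident, secret, user, password, nas_id):
    authenticator = os.urandom(16)                  # fresh random Request Authenticator
    attrs = _attrs([(USER_NAME, user.encode("utf-8")),
                    (USER_PASSWORD, encode_password(password, secret, authenticator)),
                    (NAS_IDENTIFIER, nas_id)])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(pkt):
    """Return (code, identifier, authenticator, [(type, value), ...]) with length checks."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], attrs


def build_response(code, request, secret, items=()):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    _, ident, req_auth, _ = parse_packet(request)
    attrs = _attrs(items)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def handle_access_request(request, secret, users):
    """Server side: decode the password and answer. `users` maps name -> password."""
    code, _, req_auth, attrs = parse_packet(request)
    fields = dict(attrs)
    if code != ACCESS_REQUEST or USER_NAME not in fields or USER_PASSWORD not in fields:
        return build_response(ACCESS_REJECT, request, secret)
    try:
        user = fields[USER_NAME].decode("utf-8")
        password = decode_password(fields[USER_PASSWORD], secret, req_auth)
    except (UnicodeDecodeError, ValueError):
        return build_response(ACCESS_REJECT, request, secret)  # e.g. secret mismatch
    ok = user in users and hmac.compare_digest(users[user].encode("utf-8"),
                                               password.encode("utf-8"))
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret,
                          [(REPLY_MESSAGE, b"ok" if ok else b"denied")])


def response_is_authentic(response, request, secret):
    """Client side: accept a reply only if its ID matches and its authenticator verifies."""
    code, ident, resp_auth, _ = parse_packet(response)
    _, req_ident, req_auth, _ = parse_packet(request)
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    return ident == req_ident and hmac.compare_digest(expected, resp_auth)
```

    Note what this protocol does and does not give you: the password is hidden only by MD5 keyed with the shared secret, and the request itself carries no integrity check, so the link between the VPN server and the RADIUS server should be on a trusted network or wrapped in its own transport protection.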

    RSA Certificate Authentication as PKI up to 4096 bits

    Password authentication does not provide adequate security for some requirements. Users forget passwords, so some write them on sticky notes or in a notepad, and the risk of password leakage rises accordingly.

    The alternative is PKI (Public Key Infrastructure), which uses RSA (Rivest, Shamir and Adleman) certificates and their private key files. This method is also an international standard.

    A user configured for PKI does not type a password. Instead, the user must possess a private key, which can be held on a hard disk or on a security token.

    Supporting Smart Cards and USB Tokens for PKI

    The safest way to use PKI is with a smart card or USB token. These devices protect the private key from leaking from the user, because they always require a PIN before the internal private key may be used, and the private key cannot be read out of the device at any time; the device will only produce a signature over a random challenge it is given. This protects against extraction of the key, not against malware on an unlocked host that asks the device to sign while the token is plugged in, so the token should be removed when not in use. Adopting this method gives the highest available security. Please note that not all smart cards and tokens are supported by SoftEther VPN; the list of supported devices can be found on the web.

    Grouping Users

    All user objects defined on the Virtual HUB by the administrator can be grouped. A group can hold multiple users, and it is very convenient to apply a security policy or packet filtering policy to a whole group of users at once.

    3.7. Packet Filter

    You can set up packet filter rules on a Virtual HUB of the VPN Server, with up to 4096 entries. The packet filter function is also called "Access Lists".

    Every filter entry has an action field that determines whether a packet matching the rule is discarded or passed. The rest of the entry specifies the matching pattern, for both IPv4 and IPv6 packets. A pattern can match not only IP addresses and masks but also TCP and UDP port number ranges and TCP flags, and it can also name the user or group that is the source or destination of the packet.

    HTTP connection requests transmitted over the Virtual Hub that match an access list rule can be redirected. For example, when an employee tries to reach a web site that is blacklisted on the access list, the Virtual Hub packet filter automatically answers the client's browser with a "counterfeit" HTTP response. The browser treats it as a redirection from the destination server, and the user ends up at the URL specified by the administrator (for example, a warning page with a picture of a horrible angry face).
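    As an added example (editor's code, not the Virtual Hub's access-list implementation), the following Python models an access list as described above: ordered rules with a pass/discard action, IPv4 or IPv6 address/mask matching, port ranges, required TCP flags and a source user or group name, evaluated first-match, plus the redirect response the filter returns to a blocked HTTP request. The rule set, packets and redirect URL are constructed for the example, and the default action when no rule matches is an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                       # "tcp", "udp", "icmp", ...
    src_port: int = 0
    dst_port: int = 0
    tcp_flags: frozenset = frozenset()
    user: str = ""                   # VPN user whose session sent the packet
    group: str = ""
    payload: bytes = b""


@dataclass
class Rule:
    action: str                      # "pass" or "discard"
    src_net: Optional[str] = None    # "10.0.0.0/8", "2001:db8::/32", ...
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    src_ports: Optional[Tuple[int, int]] = None   # inclusive range
    dst_ports: Optional[Tuple[int, int]] = None
    tcp_flags: Optional[frozenset] = None         # all of these must be set
    src_user: Optional[str] = None   # user or group name
    redirect_url: Optional[str] = None            # answer blocked HTTP requests with this


def _in_net(ip, net):
    if net is None:
        return True
    addr, network = ipaddress.ip_address(ip), ipaddress.ip_network(net, strict=False)
    return addr.version == network.version and addr in network   # v4 rule never matches v6


def _in_range(port, rng):
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule, pkt):
    return (_in_net(pkt.src_ip, rule.src_net) and _in_net(pkt.dst_ip, rule.dst_net)
            and (rule.proto is None or rule.proto == pkt.proto)
            and _in_range(pkt.src_port, rule.src_ports)
            and _in_range(pkt.dst_port, rule.dst_ports)
            and (rule.tcp_flags is None
                 or (pkt.proto == "tcp" and rule.tcp_flags <= pkt.tcp_flags))
            and (rule.src_user is None or rule.src_user in (pkt.user, pkt.group)))


def is_http_request(payload):
    first_line = payload.split(b"\r\n", 1)[0]
    return first_line.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD") and b" HTTP/1." in first_line


def http_redirect_response(url):
    """The 'counterfeit' reply the hub sends back in place of the real server's answer."""
    return (b"HTTP/1.1 302 Found\r\nLocation: " + url.encode("ascii")
            + b"\r\nConnection: close\r\nContent-Length: 0\r\n\r\n")


def evaluate(rules, pkt, default="pass"):
    """First matching rule wins. Returns (action, index of the rule or -1, redirect bytes or None).
    `default` applies when nothing matches; pass is this example's assumption."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            redirect = None
            if rule.action == "discard" and rule.redirect_url and is_http_request(pkt.payload):
                redirect = http_redirect_response(rule.redirect_url)
            return rule.action, i, redirect
    return default, -1, None
```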

    3.8. Security Policy

    Many requirements for restricting what users may do can be met by the packet filter. In some cases, though, you need more elaborate rules to drop harmful packets from users or from other sites connected via VPN tunnels.

    For example, remote-access VPN users should be able to send DHCP request packets, but must never send DHCP response packets, for the stability of the Ethernet segment. Another example is that the system administrator wants to detect and drop ARP-poisoning packets for security reasons. Such requirements cannot be met by packet filtering alone, so SoftEther VPN Server provides security policy functions.

    A security policy is a list of settings, each of which determines whether a particular kind of harmful packet is passed or must be discarded. A security policy can be applied to both user objects and group objects on the VPN Server.
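    As an added example (editor's code, not SoftEther VPN's policy engine), the following Python applies the two policies from the paragraph above to raw Ethernet frames arriving from one VPN session: it passes DHCP requests (UDP 68 to 67) but discards DHCP server responses (UDP 67 to 68), and it discards ARP packets whose sender MAC is not the session's own or whose sender IP is already owned by another node on the hub. The frames, MAC addresses and the IP ownership table are constructed for the example; checksums in the constructed frames are left zero because the policy never reads them.

```python
import struct
from ipaddress import IPv4Address

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
PROTO_UDP, DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 17, 67, 68
BROADCAST = b"\xff" * 6


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def parse_frame(frame):
    """Pull out the few Ethernet / ARP / IPv4-UDP fields the policy checks."""
    if len(frame) < 14:
        return None
    info = {"dst_mac": frame[:6], "src_mac": frame[6:12],
            "ethertype": struct.unpack("!H", frame[12:14])[0]}
    p = frame[14:]
    if info["ethertype"] == ETH_ARP and len(p) >= 28:
        info.update(arp_op=struct.unpack("!H", p[6:8])[0], sender_mac=p[8:14],
                    sender_ip=str(IPv4Address(p[14:18])), target_ip=str(IPv4Address(p[24:28])))
    elif info["ethertype"] == ETH_IPV4 and len(p) >= 20:
        ihl = (p[0] & 0x0F) * 4
        info.update(proto=p[9], src_ip=str(IPv4Address(p[12:16])),
                    dst_ip=str(IPv4Address(p[16:20])))
        if p[9] == PROTO_UDP and len(p) >= ihl + 8:
            info["sport"], info["dport"] = struct.unpack("!HH", p[ihl:ihl + 4])
    return info


def apply_policy(session_mac, ip_owner, frame):
    """Per-session policy. session_mac is the MAC of the VPN session that sent the frame;
    ip_owner maps IPv4 address -> MAC learned as its legitimate owner on the hub."""
    info = parse_frame(frame)
    if info is None:
        return "discard", "malformed"
    if info["src_mac"] != session_mac:
        return "discard", "source-mac-not-session"
    if (info["ethertype"] == ETH_IPV4 and info.get("proto") == PROTO_UDP
            and info.get("sport") == DHCP_SERVER_PORT and info.get("dport") == DHCP_CLIENT_PORT):
        return "discard", "dhcp-server-response"     # clients may only send requests (68 -> 67)
    if info["ethertype"] == ETH_ARP:
        if info["sender_mac"] != session_mac:
            return "discard", "arp-sender-mac-spoof"
        owner = ip_owner.get(info["sender_ip"])
        if owner is not None and owner != session_mac:
            return "discard", "arp-poisoning"        # claims an IP that belongs to another node
    return "pass", ""


def build_arp(src_mac, sender_mac, sender_ip, target_ip, oper=2):
    """Constructed ARP frame (oper 1 = request, 2 = reply)."""
    arp = (struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, oper) + sender_mac
           + IPv4Address(sender_ip).packed + b"\x00" * 6 + IPv4Address(target_ip).packed)
    return BROADCAST + src_mac + struct.pack("!H", ETH_ARP) + arp


def build_udp(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed IPv4/UDP frame; IP and UDP checksums are left zero for the example."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, PROTO_UDP, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return dst_mac + src_mac + struct.pack("!H", ETH_IPV4) + ip + udp
```

    The ownership table is what turns a plain filter into a policy: the same ARP reply is legitimate from the node that owns the address and poisoning from any other session, which no per-rule pattern on addresses or ports alone can express.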

    3.9. Packet Monitor on VPN Session

    3.10. Packet Logger

    3.11. HTTP URL Logger

    3.12. Virtual HUB Admin Delegation

    3.13. Highly Available and Stable Background Program