Table of contents

1.5 Strong Security Features

    Table of contents
    You are currently comparing two old versions - only when you are comparing against the latest version can you revert. Return to version archive.

    Version from 00:36, 3 Mar 2013

    This revision modified by yagi (Ban)

    Offering sufficient security is one of the most important matters for SoftEther VPN software designed and developed for the purpose of supporting backbone communication by company network, etc. Compared with older VPN solutions, SoftEther VPN software has new advanced security functions and offers sufficient security for VPN construction that can withstand use for backbone work of businesses from small scale VPN. This section contains a description of the security functions offered by SoftEther VPN.

    1.5.1 Abundant User Authentication Options

    The types of user authentication when connecting SoftEther VPN Client or SoftEther VPN Bridge by VPN to SoftEther VPN Server include all sorts of methods as well as simple password database. All types of user authentication and parameters can be set in detail for each user. Because the user database is managed separately for each Virtual Hub, Virtual Hubs are independent of each other.

    User authentication methods that can be used include the following. For details see 2.2 User Authentication.

    • Anonymous authentication
      Anonymous authentication allows connection as long as at least the user name is known, and is used when establishing widely offered Virtual Hub service, etc. It is not usually used for businesses, etc.
    • Password Authentication
      Standard password authentication is the method of conducting user authentication by user name and password and is the method for which security can be most easily maintained. Users can also change the password themselves using VPN Client. The password is hashed when typed in and because password confirmation is conducted by challenge and response when authenticating, the password and hash data do not flow on the network.
    • RADIUS server authentication
      Method of user authentication using RADIUS authentication server already owned by company, etc.
    • NT domain and Active Directory authentication
      Method of user authentication using Windows NT main controller or Active Directory of user database of Windows Server already owned by company, etc.
    • Certificate authentication (PKI authentication)
      Method of user authentication whereby those connected to VPN are identified by mathematically calculating whether or not those connected have a private key by having those connected to VPN present a client certificate to VPN Server. Because a fixed character string such as password is not used, it is the most secure method of user authentication.

    1.5.2 Robust Encryption

    With SoftEther VPN protocol, all communication contents and data related to user authentication is encrypted by Secure Socket Layer (SSL) encryption. SSL is currently the standard security protocol for the Internet, and is used for communication between HTTP server and web browser (called "HTTPS protocol").

    There are several versions of SSL, but the only one that is compatible with SoftEther VPN is SSL Version 3, which is considered to be the most secure; older versions of SSL protocol that have weaknesses are not used at all.

    SSL primarily offers three functions: encryption, electronic signature, and certificate authentication. All three of these functions are utilized for SoftEther VPN to maintain security of VPN sessions between SoftEther VPN Server and VPN connection source.

    With the SSL implemented for SoftEther VPN algorithms used for encryption and those used for electronic signature are not fixed; the VPN Server administrator can choose the algorithm. The RC4 128 bit encryption algorithm and MD5 hash algorithm are selected by default, but algorithms such as DES, AES, or SHA-1 can be selected by specifying the number of bits.

    1-5-1.png

    Robust VPN session encryption by various encryption algorithms.

     

    1.5.3 Server Certificate Verification

    Many older VPN protocols have a user authentication function to identify and authenticate connection source users that have connected to the VPN server. Oppositely the majority of VPN clients have no function to confirm whether or not the VPN server they are about to connect to is authentic.

    If constructing VPN using a public IP network such as the Internet, however, there is the possibility of a malicious cracker, etc., lurking somewhere in the line setting up a false VPN server and relaying VPN communication from the client, reading or tampering with the packets flowing through the VPN by "man-in-the-middle" (MITM) attack.

    Commonly used protocols such as HTTPS and SSH check the certificate of the connection destination web server and SSH server and connect only if the certificate is authentic. If the certificate is not authentic, the connection is interrupted and a warning is displayed. VPN communications requires a way to authenticate the connection destination server to guard against masquerading or MITM attack.

    The server certificate presented by the connection destination server can be trusted, and SoftEther VPN can make sure the server has the RSA private key for the secret by mathematical calculation. If the connection destination VPN Server presents a suspicious certificate, VPN connection to the server is interrupted and a warning is displayed. SoftEther VPN keeps a list of certificates that can be trusted. Certificates not signed by a reliable certification institution are regarded as untrustworthy (the user can keep a list of certificates).

    Server certificate verification is conducted by the connection source software side such as cascade connected VPN Server or VPN Bridge or VPN Client connected to remote VPN Server by usual method. For details on server certificate verification, see 4.4 Making Connection to VPN Server, etc.

    1-5-2.png

    Verifying server certificate presented by VPN Server.

    1.5.4 Use with Smart Cards

    When conducting user authentication for VPN connection to VPN Server, if password authentication or conventional certificate authentication is used, a certain degree of security can be maintained, but the following problems also exist.

    • If using password authentication, if the password in not long or complicated enough, there is danger of the password being guessed for unauthorized access. If a third party obtains a password from a second party that observes the password being input, there is danger of unauthorized access by the third party.
    • Certificate authentication provides a method of authentication that is more secure than password protection, but under ordinary circumstances, private key data of the certificate is kept in the hard disk of the computer. If the computer's hard disk is stolen by a malicious third party or only the certificate data is extracted, the third party can masquerade as the user using the private key data of the certificate and connect to the VPN server.

    With SoftEther VPN, if certificate authentication is used to authenticate users when VPN Client connects to the VPN Server, the certificate and private key data are written in a smart card or other hardware security token device instead of saving on the computer hard disk, and user authentication can be carried out by inputting each time the client connects to VPN Server.

    Smart cards or other hardware security token devices have a built-in chip that performs RSA calculation, and electronic signature can be accomplished using certificate and private key from the memory of the smart card without exposing the private key externally. Also with SoftEther VPN, existing certificates and private key objects stored in smart cards can be specified and used for user authentication.

    Smart cards and other hardware security token devices are designed so that once private key data is written inside, it cannot be extracted. The data in smart cards is protected by a PIN code consisting of several digits. Smart cards are designed so that the smart card itself halts access if the PIN code doesn't match. Because of this protection, the private key can be loaded into the smart card, and by conducting user authentication using the private key in the smart card when connecting to the VPN Server, even if the computer itself or smart card is lost or stolen, a malicious third party can be prevented from access by masquerading.

    For information on how to use the user authentication function using a smart card, see 4.6 Using and Managing Smart Cards.

    1-5-3.png

    Smart card authentication.

    Version as of 18:49, 3 Mar 2013

    This revision modified by genya (Ban)

    Offering sufficient security is one of the most important matters for SoftEther VPN software designed and developed for the purpose of supporting backbone communication by company network, etc. Compared with older VPN solutions, SoftEther VPN software has new advanced security functions and offers sufficient security for VPN construction that can withstand use for backbone work of businesses from small scale VPN. This section contains a description of the security functions offered by SoftEther VPN.

    1.5.1 Abundant User Authentication Options

    The types of user authentication when connecting SoftEther VPN Client or SoftEther VPN Bridge by VPN to SoftEther VPN Server include all sorts of methods as well as simple password database. All types of user authentication and parameters can be set in detail for each user. Because the user database is managed separately for each Virtual Hub, Virtual Hubs are independent of each other.

    User authentication methods that can be used include the following. For details see 2.2 User Authentication.

    • Anonymous authentication
      Anonymous authentication allows connection as long as at least the user name is known, and is used when establishing widely offered Virtual Hub service, etc. It is not usually used for businesses, etc.
    • Password Authentication
      Standard password authentication is the method of conducting user authentication by user name and password and is the method for which security can be most easily maintained. Users can also change the password themselves using VPN Client. The password is hashed when typed in and because password confirmation is conducted by challenge and response when authenticating, the password and hash data do not flow on the network.
    • RADIUS server authentication
      Method of user authentication using RADIUS authentication server already owned by company, etc.
    • NT domain and Active Directory authentication
      Method of user authentication using Windows NT main controller or Active Directory of user database of Windows Server already owned by company, etc.
    • Certificate authentication (PKI authentication)
      Method of user authentication whereby those connected to VPN are identified by mathematically calculating whether or not those connected have a private key by having those connected to VPN present a client certificate to VPN Server. Because a fixed character string such as password is not used, it is the most secure method of user authentication.

    1.5.2 Robust Encryption

    With SoftEther VPN protocol, all communication contents and data related to user authentication is encrypted by Secure Socket Layer (SSL) encryption. SSL is currently the standard security protocol for the Internet, and is used for communication between HTTP server and web browser (called "HTTPS protocol").

    There are several versions of SSL, but the only one that is compatible with SoftEther VPN is SSL Version 3, which is considered to be the most secure; older versions of SSL protocol that have weaknesses are not used at all.

    SSL primarily offers three functions: encryption, electronic signature, and certificate authentication. All three of these functions are utilized for SoftEther VPN to maintain security of VPN sessions between SoftEther VPN Server and VPN connection source.

    With the SSL implemented for SoftEther VPN algorithms used for encryption and those used for electronic signature are not fixed; the VPN Server administrator can choose the algorithm. The RC4 128 bit encryption algorithm and MD5 hash algorithm are selected by default, but algorithms such as DES, AES, or SHA-1 can be selected by specifying the number of bits.

    1-5-1.png

    Robust VPN session encryption by various encryption algorithms.

     

    1.5.3 Server Certificate Verification

    Many older VPN protocols have a user authentication function to identify and authenticate connection source users that have connected to the VPN server. Oppositely the majority of VPN clients have no function to confirm whether or not the VPN server they are about to connect to is authentic.

    If constructing VPN using a public IP network such as the Internet, however, there is the possibility of a malicious cracker, etc., lurking somewhere in the line setting up a false VPN server and relaying VPN communication from the client, reading or tampering with the packets flowing through the VPN by "man-in-the-middle" (MITM) attack.

    Commonly used protocols such as HTTPS and SSH check the certificate of the connection destination web server and SSH server and connect only if the certificate is authentic. If the certificate is not authentic, the connection is interrupted and a warning is displayed. VPN communications requires a way to authenticate the connection destination server to guard against masquerading or MITM attack.

    The server certificate presented by the connection destination server can be trusted, and SoftEther VPN can make sure the server has the RSA private key for the secret by mathematical calculation. If the connection destination VPN Server presents a suspicious certificate, VPN connection to the server is interrupted and a warning is displayed. SoftEther VPN keeps a list of certificates that can be trusted. Certificates not signed by a reliable certification institution are regarded as untrustworthy (the user can keep a list of certificates).

    Server certificate verification is conducted by the connection source software side such as cascade connected VPN Server or VPN Bridge or VPN Client connected to remote VPN Server by usual method. For details on server certificate verification, see 4.4 Making Connection to VPN Server, etc.

    1-5-2.png

    Verifying server certificate presented by VPN Server.

    1.5.4 Use with Smart Cards

    When conducting user authentication for VPN connection to VPN Server, if password authentication or conventional certificate authentication is used, a certain degree of security can be maintained, but the following problems also exist.

    • If using password authentication, if the password in not long or complicated enough, there is danger of the password being guessed for unauthorized access. If a third party obtains a password from a second party that observes the password being input, there is danger of unauthorized access by the third party.
    • Certificate authentication provides a method of authentication that is more secure than password protection, but under ordinary circumstances, private key data of the certificate is kept in the hard disk of the computer. If the computer's hard disk is stolen by a malicious third party or only the certificate data is extracted, the third party can masquerade as the user using the private key data of the certificate and connect to the VPN server.

    With SoftEther VPN, if certificate authentication is used to authenticate users when VPN Client connects to the VPN Server, the certificate and private key data are written in a smart card or other hardware security token device instead of saving on the computer hard disk, and user authentication can be carried out by inputting each time the client connects to VPN Server.

    Smart cards or other hardware security token devices have a built-in chip that performs RSA calculation, and electronic signature can be accomplished using certificate and private key from the memory of the smart card without exposing the private key externally. Also with SoftEther VPN, existing certificates and private key objects stored in smart cards can be specified and used for user authentication.

    Smart cards and other hardware security token devices are designed so that once private key data is written inside, it cannot be extracted. The data in smart cards is protected by a PIN code consisting of several digits. Smart cards are designed so that the smart card itself halts access if the PIN code doesn't match. Because of this protection, the private key can be loaded into the smart card, and by conducting user authentication using the private key in the smart card when connecting to the VPN Server, even if the computer itself or smart card is lost or stolen, a malicious third party can be prevented from access by masquerading.

    For information on how to use the user authentication function using a smart card, see 4.6 Using and Managing Smart Cards.

    1-5-3.png

    Smart card authentication.