1.5 Strong Security Features


    Combined revision comparison

    Comparing version 18:49, 3 Mar 2013 by genya with version 18:15, 18 Jan 2014 by yamame.

    Offering sufficient security is one of the most important matters for SoftEther VPN software, which is designed and developed to support backbone communication on company networks and the like. Compared with older VPN solutions, SoftEther VPN software has new, advanced security functions and offers sufficient security for VPN construction, from small-scale VPNs up to use on the backbone of a business. This section describes the security functions offered by SoftEther VPN.

    ...

    The types of user authentication available when SoftEther VPN Client or SoftEther VPN Bridge connects to SoftEther VPN Server include several methods in addition to the simple password database. All types of user authentication and their parameters can be set in detail for each user. Because the user database is managed separately for each Virtual Hub, Virtual Hubs are independent of each other.

    The user authentication methods that can be used include the following. For details see 2.2 User Authentication.

    • Anonymous authentication
      Anonymous authentication allows a connection as long as the user name is known; it is used when establishing a widely offered Virtual Hub service and the like, and is not usually used by businesses.
    • Password Authentication
      Standard password authentication identifies the user by user name and password, and is the method whose security is most easily maintained. Users can also change their own password using VPN Client. The password is hashed when it is typed in, and because password confirmation is conducted by challenge and response at authentication time, neither the password nor its hash flows over the network.
    • RADIUS server authentication
      Method of user authentication using a RADIUS authentication server already owned by the company, etc.
    • NT domain and Active Directory authentication
      Method of user authentication using a Windows NT domain controller or the Active Directory user database of Windows Server already owned by the company, etc.
    • Certificate authentication (PKI authentication)
      Method of user authentication in which those connecting to the VPN are identified by mathematically verifying, from the client certificate they present to VPN Server, whether they possess the corresponding private key. Because no fixed character string such as a password is used, we believe this is the most secure method of user authentication.
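    The challenge-and-response password authentication described in the list above, shown as an added example that is not SoftEther's own code: the server stores only a hash of the password, issues a random single-use challenge, and the client answers with an HMAC keyed by that hash, so the transcript carries neither the password nor the stored hash. The hashing scheme, the HMAC construction, the session ids and the user "alice" are assumptions for illustration; SoftEther's actual hash and wire format are not documented on this page.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// passwordVerifier is what the server stores per user: a hash of the
// password, never the password itself. The scheme (SHA-256 over
// "username:password") is an assumption for this example, not SoftEther's.
func passwordVerifier(username, password string) []byte {
	h := sha256.Sum256([]byte(strings.ToLower(username) + ":" + password))
	return h[:]
}

// Server holds the verifier table and the challenge outstanding for each
// session. Every challenge is single-use, so a captured response cannot be
// replayed against a later connection.
type Server struct {
	verifiers map[string][]byte
	pending   map[string][]byte // session id -> outstanding challenge
}

func NewServer() *Server {
	return &Server{verifiers: map[string][]byte{}, pending: map[string][]byte{}}
}

func (s *Server) Register(username, password string) {
	s.verifiers[username] = passwordVerifier(username, password)
}

// Challenge issues a fresh 32-byte random challenge for a session.
func (s *Server) Challenge(session string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[session] = c
	return c, nil
}

// Respond is the client side: it derives the verifier locally from what the
// user typed and proves knowledge of it with an HMAC over the challenge.
func Respond(username, password string, challenge []byte) []byte {
	mac := hmac.New(sha256.New, passwordVerifier(username, password))
	mac.Write(challenge)
	return mac.Sum(nil)
}

// Verify checks the response against the stored verifier and consumes the
// challenge. Unknown users get the same error as a wrong password, and a
// dummy verifier is used so the timing does not reveal which names exist.
func (s *Server) Verify(session, username string, response []byte) error {
	challenge, ok := s.pending[session]
	if !ok {
		return errors.New("no outstanding challenge for session")
	}
	delete(s.pending, session) // single use, even when verification fails
	v, ok := s.verifiers[username]
	if !ok {
		v = make([]byte, sha256.Size)
	}
	mac := hmac.New(sha256.New, v)
	mac.Write(challenge)
	if !ok || subtle.ConstantTimeCompare(mac.Sum(nil), response) != 1 {
		return errors.New("authentication failed")
	}
	return nil
}

// Authenticate runs one full exchange and returns whether it succeeded plus
// the bytes that crossed the wire, so a caller can confirm that neither the
// password nor the stored verifier appears in the transcript.
func Authenticate(s *Server, session, username, password string) (bool, string) {
	challenge, err := s.Challenge(session)
	if err != nil {
		return false, ""
	}
	response := Respond(username, password, challenge)
	transcript := "C->S: " + username + "\nS->C: " + hex.EncodeToString(challenge) +
		"\nC->S: " + hex.EncodeToString(response)
	return s.Verify(session, username, response) == nil, transcript
}

func main() {
	srv := NewServer()
	srv.Register("alice", "correct horse battery staple") // constructed sample user
	ok, transcript := Authenticate(srv, "sess-1", "alice", "correct horse battery staple")
	fmt.Println(ok)
	fmt.Println(transcript)
}
```

    One caveat the page does not spell out: because the stored hash is the key of the HMAC, a copy of the server's user database is as good as the passwords themselves for this kind of scheme, so the Virtual Hub user database needs the same protection as a password file.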

    ...

    There are several versions of SSL, but the only one compatible with SoftEther VPN is SSL Version 3, which is considered to be the most secure; older versions of the SSL protocol that have weaknesses are not used at all.

    ...

    Many older VPN protocols have a user authentication function to identify and authenticate the connection-source users that connect to the VPN server. Conversely, the majority of VPN clients have no function to confirm whether the VPN server they are about to connect to is authentic.

    If you are constructing a VPN over a public IP network such as the Internet, however, there is the possibility that a malicious cracker lurking somewhere on the line sets up a false VPN server, relays the VPN communication from the client, and reads or tampers with the packets flowing through the VPN in a "man-in-the-middle" (MITM) attack.

    Commonly used protocols such as HTTPS and SSH check the certificate of the destination web server or SSH server and connect only if the certificate is authentic. If the certificate is not authentic, the connection is interrupted and a warning is displayed. VPN communication likewise requires a way to authenticate the destination server to guard against masquerading and MITM attacks.

    SoftEther VPN checks that the server certificate presented by the destination server can be trusted, and confirms by mathematical calculation that the server holds the RSA private key corresponding to that certificate. If the destination VPN Server presents a suspicious certificate, the VPN connection to the server is interrupted and a warning is displayed. SoftEther VPN keeps a list of certificates that can be trusted; certificates not signed by a trusted certification authority are regarded as untrustworthy (the user can maintain this list of certificates).

    Server certificate verification is conducted on the connection-source software side, such as a VPN Server or VPN Bridge making a cascade connection, or a VPN Client connecting to a remote VPN Server in the usual way. For details on server certificate verification, see 4.4 Making Connection to VPN Server, etc.
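    Server certificate verification as the preceding paragraphs describe it (a client-side list of trusted certificates plus proof that the server holds the matching RSA private key), written in Go as an added example; it is not SoftEther's implementation. It builds a throw-away CA, a genuine server, a rogue CA and an impostor for the same host name, all constructed for the example with names under example.test, and checks each case from the client's side with the standard library's x509 and rsa packages. The nonce-signing step stands in for the key confirmation the real SSL handshake provides. One caveat on the SSL remark above: it reflects the page's date; RFC 7568 deprecated SSL 3.0 in 2015, and current deployments should negotiate TLS.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates an RSA key and a certificate for cn, signed by parent/parentKey
// (self-signed when parent is nil). Names and keys are constructed for this example.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              []string{cn},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyServer is the client-side check: the presented certificate must chain
// to a CA in the client's trusted list for the expected host name, and the
// server must prove it holds the matching RSA private key by signing a fresh
// nonce chosen by the client.
func VerifyServer(trusted *x509.CertPool, serverCert *x509.Certificate, host string, nonce, signature []byte) error {
	if _, err := serverCert.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host}); err != nil {
		return fmt.Errorf("untrusted server certificate: %w", err)
	}
	pub, ok := serverCert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("server certificate does not carry an RSA key")
	}
	digest := sha256.Sum256(nonce)
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature) != nil {
		return errors.New("server failed to prove possession of its private key")
	}
	return nil
}

// Outcome collects the three cases a client can face.
type Outcome struct {
	LegitOK     bool  // genuine server: trusted chain and valid proof of possession
	ImpostorErr error // server whose certificate chains to an unknown CA
	WrongKeyErr error // copied certificate, but the presenter lacks the private key
}

// Scenario builds a trusted CA with a genuine server and a rogue CA with an
// impostor for the same host name, then runs VerifyServer for each case.
func Scenario() (Outcome, error) {
	var out Outcome
	ca, caKey, err := issue("vpn-ca.example.test", true, nil, nil)
	if err != nil { return out, err }
	server, serverKey, err := issue("vpn.example.test", false, ca, caKey)
	if err != nil { return out, err }
	rogueCA, rogueKey, err := issue("rogue-ca.example.test", true, nil, nil)
	if err != nil { return out, err }
	impostor, impostorKey, err := issue("vpn.example.test", false, rogueCA, rogueKey)
	if err != nil { return out, err }
	trusted := x509.NewCertPool() // the client's list of trusted certificates
	trusted.AddCert(ca)
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil { return out, err }
	digest := sha256.Sum256(nonce)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, serverKey, crypto.SHA256, digest[:])
	out.LegitOK = VerifyServer(trusted, server, "vpn.example.test", nonce, sig) == nil
	rogueSig, _ := rsa.SignPKCS1v15(rand.Reader, impostorKey, crypto.SHA256, digest[:])
	out.ImpostorErr = VerifyServer(trusted, impostor, "vpn.example.test", nonce, rogueSig)
	out.WrongKeyErr = VerifyServer(trusted, server, "vpn.example.test", nonce, rogueSig)
	return out, nil
}

func main() {
	out, err := Scenario()
	fmt.Printf("genuine=%v impostor=%v copied-cert=%v err=%v\n", out.LegitOK, out.ImpostorErr, out.WrongKeyErr, err)
}
```

    The third case is the one worth keeping in mind when maintaining the trusted list: a certificate is public data, so trusting it only helps because the check also demands a signature that only the holder of the private key can produce.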

    ...

    When conducting user authentication for a VPN connection to VPN Server, password authentication or conventional certificate authentication maintains a certain degree of security, but the following problems also exist.

    • If password authentication is used and the password is not long or complicated enough, there is a danger of the password being guessed and used for unauthorized access. If a third party obtains the password from someone who observes it being typed in, there is likewise a danger of unauthorized access by that third party.
    • Certificate authentication is more secure than password authentication, but under ordinary circumstances the certificate's private key data is kept on the computer's hard disk. If the hard disk is stolen by a malicious third party, or only the certificate data is extracted, the third party can masquerade as the user with the certificate's private key and connect to the VPN server.

    With SoftEther VPN, if certificate authentication is used when VPN Client connects to VPN Server, the certificate and private key data can be written to a smart card or other hardware security token device instead of being saved on the computer's hard disk, and user authentication is then carried out by presenting the token each time the client connects to VPN Server.

    Smart cards and other hardware security token devices have a built-in chip that performs RSA calculations, so an electronic signature can be produced with the certificate and private key in the smart card's memory without exposing the private key externally. With SoftEther VPN, existing certificate and private key objects already stored in a smart card can also be specified and used for user authentication.

    Smart cards and other hardware security token devices are designed so that once private key data is written inside, it cannot be extracted. The data in the smart card is protected by a PIN code of several digits, and the card itself halts access if the PIN code does not match. Because of this protection, the private key can be loaded into the smart card, and by conducting user authentication with that key when connecting to VPN Server, a malicious third party is prevented from masquerading as the user even if the computer itself or the smart card is lost or stolen.
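    A software model of the smart-card behaviour described in the last three paragraphs, added here as an example; it is not SoftEther's code and not a driver for any real card. The private key is generated inside the token and is never returned, the only exposed operation is signing, and the token locks itself after a fixed number of wrong PINs. The VPN Server side keeps only the user's public key (what it would take from the registered client certificate) and authenticates by asking the token to sign a random challenge. The PIN value, the user name "alice" and the retry limit are assumptions for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// maxPinTries is an assumed lockout threshold; real cards set their own.
const maxPinTries = 3

var (
	ErrBadPIN = errors.New("PIN mismatch")
	ErrLocked = errors.New("token locked after too many PIN failures")
)

// Token models a smart card: the private key lives in an unexported field,
// the only operation exposed is Sign, and a PIN counter locks the card.
type Token struct {
	key    *rsa.PrivateKey
	pin    string
	failed int
	locked bool
}

// Provision generates the key pair on the card. Only the public key leaves
// the token; it is what would go into the user's client certificate.
func Provision(pin string) (*Token, *rsa.PublicKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &Token{key: key, pin: pin}, &key.PublicKey, nil
}

// Sign produces a PKCS#1 v1.5 signature over SHA-256(data) if the PIN is
// correct. A wrong PIN counts toward the lockout; the key never leaves here.
func (t *Token) Sign(pin string, data []byte) ([]byte, error) {
	if t.locked {
		return nil, ErrLocked
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(t.pin)) != 1 {
		t.failed++
		if t.failed >= maxPinTries {
			t.locked = true
		}
		return nil, ErrBadPIN
	}
	t.failed = 0
	digest := sha256.Sum256(data)
	return rsa.SignPKCS1v15(rand.Reader, t.key, crypto.SHA256, digest[:])
}

// UserDirectory is the server side: registered public keys per user name.
type UserDirectory map[string]*rsa.PublicKey

// Authenticate accepts the user only if the signature over the challenge
// verifies under that user's registered public key.
func (d UserDirectory) Authenticate(user string, challenge, signature []byte) bool {
	pub, ok := d[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature) == nil
}

// Login runs one connection attempt with the given PIN: the server picks a
// random challenge, the token signs it, the server verifies. The error tells
// a caller apart whether the PIN was wrong or the card is already locked.
func Login(dir UserDirectory, user string, tok *Token, pin string) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	sig, err := tok.Sign(pin, challenge)
	if err != nil {
		return false, err
	}
	return dir.Authenticate(user, challenge, sig), nil
}

func main() {
	tok, pub, err := Provision("4821") // constructed PIN for the example
	if err != nil {
		panic(err)
	}
	dir := UserDirectory{"alice": pub}
	ok, err := Login(dir, "alice", tok, "4821")
	fmt.Println("login with correct PIN:", ok, err)
	_, err = Login(dir, "alice", tok, "0000")
	fmt.Println("login with wrong PIN:", err)
}
```

    The lost-card case in the text maps directly onto this model: whoever holds the token but not the PIN gets at most maxPinTries attempts before the card stops signing, and at no point can the key material be read back out.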

    ...

    Version from 18:49, 3 Mar 2013

    This revision modified by genya

    Offering sufficient security is one of the most important matters for SoftEther VPN software, which is designed and developed to support backbone communication on company networks and the like. Compared with older VPN solutions, SoftEther VPN software has new, advanced security functions and offers sufficient security for VPN construction, from small-scale VPNs up to use on the backbone of a business. This section describes the security functions offered by SoftEther VPN.

    ...

    The types of user authentication when connecting SoftEther VPN Client or SoftEther VPN Bridge by VPN to SoftEther VPN Server include all sorts of methods as well as simple password database. All types of user authentication and parameters can be set in detail for each user. Because the user database is managed separately for each Virtual Hub, Virtual Hubs are independent of each other.

    ...

    • Anonymous authentication
      Anonymous authentication allows connection as long as at least the user name is known, and is used when establishing widely offered Virtual Hub service, etc. It is not usually used for businesses, etc.
    • Password Authentication
      Standard password authentication is the method of conducting user authentication by user name and password and is the method for which security can be most easily maintained. Users can also change the password themselves using VPN Client. The password is hashed when typed in and because password confirmation is conducted by challenge and response when authenticating, the password and hash data do not flow on the network.
    • RADIUS server authentication
      Method of user authentication using a RADIUS authentication server already owned by the company, etc.
    • NT domain and Active Directory authentication
      Method of user authentication using a Windows NT domain controller or the Active Directory user database of Windows Server already owned by the company, etc.
    • Certificate authentication (PKI authentication)
      Method of user authentication whereby those connected to VPN are identified by mathematically calculating whether or not those connected have a private key by having those connected to VPN present a client certificate to VPN Server. Because a fixed character string such as password is not used, it is the most secure method of user authentication.

    ...

    There are several versions of SSL, but the only one that is compatible with SoftEther VPN is SSL Version 3, which is considered to be the most secure; older versions of SSL protocol that have weaknesses are not used at all.

    ...

    Many older VPN protocols have a user authentication function to identify and authenticate the connection-source users that connect to the VPN server. Conversely, the majority of VPN clients have no function to confirm whether the VPN server they are about to connect to is authentic.

    ...

    Commonly used protocols such as HTTPS and SSH check the certificate of the connection destination web server and SSH server and connect only if the certificate is authentic. If the certificate is not authentic, the connection is interrupted and a warning is displayed. VPN communications requires a way to authenticate the connection destination server to guard against masquerading or MITM attack.

    SoftEther VPN checks that the server certificate presented by the destination server can be trusted, and confirms by mathematical calculation that the server holds the RSA private key corresponding to that certificate. If the destination VPN Server presents a suspicious certificate, the VPN connection to the server is interrupted and a warning is displayed. SoftEther VPN keeps a list of certificates that can be trusted; certificates not signed by a trusted certification authority are regarded as untrustworthy (the user can maintain this list of certificates).

    ...

    When conducting user authentication for VPN connection to VPN Server, if password authentication or conventional certificate authentication is used, a certain degree of security can be maintained, but the following problems also exist.

    • If password authentication is used and the password is not long or complicated enough, there is a danger of the password being guessed and used for unauthorized access. If a third party obtains the password from someone who observes it being typed in, there is likewise a danger of unauthorized access by that third party.
    • Certificate authentication provides a method of authentication that is more secure than password protection, but under ordinary circumstances, private key data of the certificate is kept in the hard disk of the computer. If the computer's hard disk is stolen by a malicious third party or only the certificate data is extracted, the third party can masquerade as the user using the private key data of the certificate and connect to the VPN server.

    With SoftEther VPN, if certificate authentication is used to authenticate users when VPN Client connects to the VPN Server, the certificate and private key data are written in a smart card or other hardware security token device instead of saving on the computer hard disk, and user authentication can be carried out by inputting each time the client connects to VPN Server.

    ...

    Smart cards and other hardware security token devices are designed so that once private key data is written inside, it cannot be extracted. The data in smart cards is protected by a PIN code consisting of several digits. Smart cards are designed so that the smart card itself halts access if the PIN code doesn't match. Because of this protection, the private key can be loaded into the smart card, and by conducting user authentication using the private key in the smart card when connecting to the VPN Server, even if the computer itself or smart card is lost or stolen, a malicious third party can be prevented from access by masquerading.

    ...

    Version as of 18:15, 18 Jan 2014

    This revision modified by yamame

    Offering sufficient security is one of the most important matters for SoftEther VPN software, which is designed and developed to support backbone communication on company networks and the like. Compared with older VPN solutions, SoftEther VPN software has new, advanced security functions and offers sufficient security for VPN construction, from small-scale VPNs up to use on the backbone of a business. This section describes the security functions offered by SoftEther VPN.

    ...

    The types of user authentication available when SoftEther VPN Client or SoftEther VPN Bridge connects to SoftEther VPN Server include several methods in addition to the simple password database. All types of user authentication and their parameters can be set in detail for each user. Because the user database is managed separately for each Virtual Hub, Virtual Hubs are independent of each other.

    The user authentication methods that can be used include the following. For details see 2.2 User Authentication.

    • Anonymous authentication
      Anonymous authentication allows a connection as long as the user name is known; it is used when establishing a widely offered Virtual Hub service and the like, and is not usually used by businesses.
    • Password Authentication
      Standard password authentication identifies the user by user name and password, and is the method whose security is most easily maintained. Users can also change their own password using VPN Client. The password is hashed when it is typed in, and because password confirmation is conducted by challenge and response at authentication time, neither the password nor its hash flows over the network.
    • RADIUS server authentication
      Method of user authentication using a RADIUS authentication server already owned by the company, etc.
    • NT domain and Active Directory authentication
      Method of user authentication using a Windows NT domain controller or the Active Directory user database of Windows Server already owned by the company, etc.
    • Certificate authentication (PKI authentication)
      Method of user authentication in which those connecting to the VPN are identified by mathematically verifying, from the client certificate they present to VPN Server, whether they possess the corresponding private key. Because no fixed character string such as a password is used, we believe this is the most secure method of user authentication.

    ...

    There are several versions of SSL, but the only one compatible with SoftEther VPN is SSL Version 3, which is considered to be the most secure; older versions of the SSL protocol that have weaknesses are not used at all.

    ...

    Many older VPN protocols have a user authentication function to identify and authenticate the connection-source users that connect to the VPN server. Conversely, the majority of VPN clients have no function to confirm whether the VPN server they are about to connect to is authentic.

    If you are constructing a VPN over a public IP network such as the Internet, however, there is the possibility that a malicious cracker lurking somewhere on the line sets up a false VPN server, relays the VPN communication from the client, and reads or tampers with the packets flowing through the VPN in a "man-in-the-middle" (MITM) attack.

    Commonly used protocols such as HTTPS and SSH check the certificate of the destination web server or SSH server and connect only if the certificate is authentic. If the certificate is not authentic, the connection is interrupted and a warning is displayed. VPN communication likewise requires a way to authenticate the destination server to guard against masquerading and MITM attacks.

    SoftEther VPN checks that the server certificate presented by the destination server can be trusted, and confirms by mathematical calculation that the server holds the RSA private key corresponding to that certificate. If the destination VPN Server presents a suspicious certificate, the VPN connection to the server is interrupted and a warning is displayed. SoftEther VPN keeps a list of certificates that can be trusted; certificates not signed by a trusted certification authority are regarded as untrustworthy (the user can maintain this list of certificates).

    Server certificate verification is conducted on the connection-source software side, such as a VPN Server or VPN Bridge making a cascade connection, or a VPN Client connecting to a remote VPN Server in the usual way. For details on server certificate verification, see 4.4 Making Connection to VPN Server, etc.

    ...

    When conducting user authentication for a VPN connection to VPN Server, password authentication or conventional certificate authentication maintains a certain degree of security, but the following problems also exist.

    • If password authentication is used and the password is not long or complicated enough, there is a danger of the password being guessed and used for unauthorized access. If a third party obtains the password from someone who observes it being typed in, there is likewise a danger of unauthorized access by that third party.
    • Certificate authentication is more secure than password authentication, but under ordinary circumstances the certificate's private key data is kept on the computer's hard disk. If the hard disk is stolen by a malicious third party, or only the certificate data is extracted, the third party can masquerade as the user with the certificate's private key and connect to the VPN server.

    With SoftEther VPN, if certificate authentication is used when VPN Client connects to VPN Server, the certificate and private key data can be written to a smart card or other hardware security token device instead of being saved on the computer's hard disk, and user authentication is then carried out by presenting the token each time the client connects to VPN Server.

    Smart cards and other hardware security token devices have a built-in chip that performs RSA calculations, so an electronic signature can be produced with the certificate and private key in the smart card's memory without exposing the private key externally. With SoftEther VPN, existing certificate and private key objects already stored in a smart card can also be specified and used for user authentication.

    Smart cards and other hardware security token devices are designed so that once private key data is written inside, it cannot be extracted. The data in the smart card is protected by a PIN code of several digits, and the card itself halts access if the PIN code does not match. Because of this protection, the private key can be loaded into the smart card, and by conducting user authentication with that key when connecting to VPN Server, a malicious third party is prevented from masquerading as the user even if the computer itself or the smart card is lost or stolen.

    ...