3. Security and Reliability


    Combined revision comparison

    Comparing version 18:27, 22 Feb 2013 by yagi with version 01:08, 2 Mar 2013 by yagi.

    ...

    Inside of Hardware VPN Products

    ...

    Encryption algorithms setting screen.

    ...

    SSL server verification detects and prevents man-in-the-middle attacks.

    ...

    A security alert pops up when the destination VPN Server presents an untrusted SSL certificate.

    ...

    SoftEther VPN supports user authentication against external servers.

    ...

    The simplest method is plain password authentication. A Virtual Hub on the VPN Server keeps its own user database, holding many users and their passwords. Passwords are stored as SHA hashes rather than in clear text, so the stored credentials are protected if the configuration file is disclosed. An administrator can create as many users as needed, each with its own password, and nobody who does not know a correct combination of user ID and password can connect to the Virtual Hub.

    ...

    Plain password authentication is simple and adequate for some purposes. But if a company has a very large number of employees who all need to connect to the VPN Server, defining each user on the Virtual Hub by hand is inconvenient, and such a company already has an external user-authentication database: a UNIX shop has a RADIUS authentication server, a Windows shop has Active Directory or an NT Domain Controller. SoftEther VPN Server can be configured to relay the authentication process to such an external database. With this method the administrator no longer has to create a user object for every employee on the Virtual Hub, which removes a lot of tedious work. There is a further benefit: when a user changes his or her password, the password required to connect to the VPN Server changes with it. The organization's existing password policy therefore applies to VPN logins as well, which helps resist password-guessing attacks from outside.

    ...

    RADIUS and Active Directory are supported for external user-authentication.

    ...

    RSA Certificate Authentication is easy to use.

    ...

    Any smart card or USB token that is PKCS#11-compatible is supported.

    ...

    All user objects that the administrator defines on a Virtual Hub can be grouped. Groups can be created and a group can hold multiple users, which makes it convenient to apply a security policy or packet filtering policy to a set of users at once.

    ...

    You can set up packet filter rules on a Virtual Hub of the VPN Server; up to 4096 rules can be defined per hub. The packet filter function is also called "Access Lists".

    ...

    Access Lists are easily configured in the GUI Management Tool of VPN Server.

    ...

    Matching conditions can be defined on IP, TCP, UDP and other packet-header fields, down to individual field values.
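    As an added example (not code from the SoftEther project), the following Python models how such an access list is evaluated: rules ordered by priority, the first match decides, and header fields are matched the way the vpncmd AccessAdd options name them. The subnets, ports and rule memos are constructed for the example, and the default-pass behaviour for a packet that matches no rule is an assumption.

```python
# Added example, not SoftEther's own code: a model of a Virtual Hub access
# list. Rule fields mirror the options of the vpncmd "AccessAdd" command; the
# first matching rule in priority order decides, and a packet matching no rule
# is passed, which is the access-list default assumed here.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

MAX_RULES = 4096   # per-hub limit stated in the text


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str              # "tcp", "udp", "icmp", ...
    src_port: int = 0
    dst_port: int = 0
    established: bool = False  # tcp only: False for the connection-opening SYN


@dataclass
class Rule:
    action: str                                 # "pass" or "discard"
    priority: int                               # smaller value is checked first
    memo: str = ""
    src_ip: Optional[str] = None                # CIDR, e.g. "192.168.3.0/24"
    dst_ip: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[Tuple[int, int]] = None  # inclusive port range
    tcp_state: Optional[str] = None             # "established" / "unestablished"

    def matches(self, p: Packet) -> bool:
        if self.src_ip and ip_address(p.src_ip) not in ip_network(self.src_ip):
            return False
        if self.dst_ip and ip_address(p.dst_ip) not in ip_network(self.dst_ip):
            return False
        if self.protocol and self.protocol != p.protocol:
            return False
        if self.dst_port and not self.dst_port[0] <= p.dst_port <= self.dst_port[1]:
            return False
        if self.tcp_state:
            if p.protocol != "tcp":
                return False
            if (self.tcp_state == "established") != p.established:
                return False
        return True

    def vpncmd_args(self) -> List[str]:
        """Arguments for 'vpncmd ... /CMD AccessAdd' that create this rule."""
        args = ["AccessAdd", self.action, f"/MEMO:{self.memo}",
                f"/PRIORITY:{self.priority}"]
        for opt, cidr in (("/SRCIP:", self.src_ip), ("/DESTIP:", self.dst_ip)):
            if cidr:
                net = ip_network(cidr)
                args.append(f"{opt}{net.network_address}/{net.netmask}")
        if self.protocol:
            args.append(f"/PROTOCOL:{self.protocol}")
        if self.dst_port:
            args.append(f"/DESTPORT:{self.dst_port[0]}-{self.dst_port[1]}")
        if self.tcp_state:
            args.append(f"/TCPSTATE:{self.tcp_state}")
        return args


class AccessList:
    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> None:
        if len(self.rules) >= MAX_RULES:
            raise ValueError("access list full (%d rules)" % MAX_RULES)
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.priority)   # evaluation order

    def decide(self, p: Packet) -> Tuple[str, Optional[str]]:
        """Return (action, memo of the deciding rule); no match means pass."""
        for r in self.rules:
            if r.matches(p):
                return r.action, r.memo
        return "pass", None


def example_acl() -> AccessList:
    """Constructed policy: VPN clients on 192.168.3.0/24 may reach only the file
    server (TCP 445) and the DNS server (UDP 53) in the server net 10.0.0.0/24,
    and hosts in the server net may never open TCP connections to clients."""
    acl = AccessList()
    acl.add(Rule("pass", 100, "smb-to-fileserver", "192.168.3.0/24", "10.0.0.10/32",
                 "tcp", (445, 445)))
    acl.add(Rule("pass", 110, "dns", "192.168.3.0/24", "10.0.0.53/32", "udp", (53, 53)))
    acl.add(Rule("discard", 200, "no-other-server-access", "192.168.3.0/24", "10.0.0.0/24"))
    acl.add(Rule("discard", 210, "no-server-initiated-tcp", "10.0.0.0/24",
                 "192.168.3.0/24", "tcp", tcp_state="unestablished"))
    return acl
```

    Note that a packet to a destination outside both networks (an Internet address, say) matches no rule in this set and is passed; if you want default-deny on the hub, add a final low-priority discard rule with no match fields. The TCPSTATE condition is what lets the rule set permit replies from the file server while refusing connections the server initiates.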

    ...

    A security policy can be set on either a user object or a group object.

    ...

    Filtering Harmful DHCP Packets

    By default, any user can inject DHCP packets into the Ethernet segment through the VPN tunnel. If a user sends a forged DHCP response into a network where another user is waiting for a DHCP response to obtain an IP address, the requesting user ends up with a wrong address, which disrupts the whole network. A security policy can therefore restrict the types of DHCP packets a user is allowed to send.

    DHCP Spoofing and IP Addressing Enforcement

    Some Ethernet switches on the market implement DHCP snooping (often marketed as DHCP spoofing prevention), which forces a client computer to use only the IP address the DHCP server assigned to it. SoftEther VPN's Virtual Hub implements exactly the same feature.

    Prohibiting any Behavior as Bridges and Routers on VPN User's Side

    Because a SoftEther VPN tunnel is a fully virtualized layer-2 Ethernet cable, a remote-access VPN user can set up a router or a bridge on his or her own side; for a skilled user at home this is easy. It is undesirable for a mischievous home user to be able to bridge or route other networks into the company LAN through the VPN session, so a security policy can prohibit any bridging or routing behavior on the VPN Client side.

    Prohibiting any Packets with Overlapped MAC Address and IP Address

    If one user has an IP address (for example, 192.168.3.2) and another user uses the same IP address on the same Ethernet segment, the result is trouble. It is also a security risk, because the wrong user can take over an address and send packets impersonating the legitimate holder. This behavior must therefore be forbidden, and this security policy does so for MAC addresses as well as IP addresses.

    Reducing Broadcast Packets

    If several hundred computers are connected to a single Ethernet segment via VPN, the volume of broadcast traffic grows accordingly. In that case, turn on this policy to block all broadcast packets except ARP, DHCP and ICMPv6.

    Privacy Filter Mode

    A user to whom this policy applies cannot communicate with any other user to whom it also applies. This is convenient when the administrator wants users to reach only the central servers, but not each other, for security reasons.

    Preventing MAC and IP Address Table Flooding Attacks

    A Virtual Hub on the VPN Server keeps an FDB (forwarding database) of MAC addresses and also an IP address table. A malicious VPN client could send packets with random source MAC or IP addresses as a denial-of-service attack, consuming the VPN Server's resources, especially RAM. Use this security policy to limit the maximum number of MAC addresses and IP addresses that a user's VPN session may register.

    Bandwidth Limitation

    A bandwidth limit can be applied to a VPN session in bps (bits per second) to conserve the overall Internet bandwidth. Upload (client-to-server) and download (server-to-client) limits can be set separately.

    Limitation of Concurrent Multiple Logins of a User

    By default, a user can hold multiple concurrent VPN sessions to the VPN Server. This security policy restricts the maximum number of concurrent logins per user.

    IPv6 Security Policy

    You can also restrict the behavior of a user who sends IPv6 packets over the VPN. IPv6 introduces several concepts that IPv4 lacks (address autoconfiguration driven by router advertisements, for instance), so a dedicated IPv6 security policy is necessary. SoftEther VPN Server fully supports IPv6 security enforcement.
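    The following Python is an added example, not SoftEther code, modelling how a Virtual Hub can enforce several of the policies above on frames arriving from individual sessions: DHCPNoServer, DHCPForce, CheckMac, CheckIP, MaxMac and ArpDhcpOnly (the names vpncmd's PolicyList uses for them). The frame layout, the order of the checks and the traffic are all constructed for the example.

```python
# Added example, not SoftEther's own code: a model of how a Virtual Hub can
# enforce per-session security policies on the layer-2 frames a VPN session
# sends. Policy names are those listed by vpncmd's PolicyList; the frame
# representation and the exact order of checks are simplifications for this
# example, and the traffic in scenario() is constructed.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
BROADCAST_OK = {"arp", "dhcp_request", "dhcp_offer", "dhcp_ack", "icmpv6"}
DHCP_SERVER_MSGS = {"dhcp_offer", "dhcp_ack"}


@dataclass(frozen=True)
class Frame:
    session: str         # VPN session the frame arrived on
    src_mac: str
    dst_mac: str
    kind: str            # "data", "arp", "icmpv6", "dhcp_request", "dhcp_offer", "dhcp_ack"
    src_ip: str = ""     # empty for non-IP frames and for DHCP discover/request
    lease_mac: str = ""  # dhcp_ack only: client hardware address
    lease_ip: str = ""   # dhcp_ack only: address handed out (yiaddr)


class VirtualHub:
    def __init__(self, policies: Dict[str, Dict[str, int]]) -> None:
        self.policies = policies              # session -> {policy name: value}
        self.mac_table: Dict[str, str] = {}   # MAC -> owning session (the FDB)
        self.ip_table: Dict[str, str] = {}    # IP -> owning session
        self.leases: Dict[str, str] = {}      # client MAC -> DHCP-assigned IP

    def pol(self, session: str, name: str) -> int:
        # a session with no policy object (e.g. the LAN bridge) has every policy off
        return self.policies.get(session, {}).get(name, 0)

    def forward(self, f: Frame) -> Tuple[str, Optional[str]]:
        """Return ("pass", None) or ("drop", reason) for a frame entering the hub."""
        s = f.session
        if f.kind in DHCP_SERVER_MSGS and self.pol(s, "DHCPNoServer"):
            return "drop", "dhcp-server-message-from-client"
        if f.dst_mac == BROADCAST and self.pol(s, "ArpDhcpOnly") and f.kind not in BROADCAST_OK:
            return "drop", "broadcast-not-arp-dhcp-icmpv6"
        owner = self.mac_table.get(f.src_mac)
        if owner not in (None, s):
            if self.pol(s, "CheckMac"):
                return "drop", "mac-registered-to-other-session"
        elif owner is None:
            limit = self.pol(s, "MaxMac")
            if limit and sum(1 for o in self.mac_table.values() if o == s) >= limit:
                return "drop", "mac-table-limit"
        self.mac_table[f.src_mac] = s        # learn (or move) like a switch FDB
        if f.src_ip:
            if self.pol(s, "DHCPForce") and self.leases.get(f.src_mac) != f.src_ip:
                return "drop", "ip-not-assigned-by-dhcp"
            ip_owner = self.ip_table.get(f.src_ip)
            if ip_owner not in (None, s) and self.pol(s, "CheckIP"):
                return "drop", "ip-registered-to-other-session"
            self.ip_table[f.src_ip] = s
        if f.kind == "dhcp_ack":             # remember what the real server handed out
            self.leases[f.lease_mac] = f.lease_ip
        return "pass", None


def scenario() -> Dict[str, Tuple[str, Optional[str]]]:
    """Constructed traffic: 'lan' is the bridge session carrying the real DHCP
    server, 'alice' and 'mallory' are remote users under a strict policy, and
    'bob' is a static-address user with only the duplicate-IP check."""
    strict = {"DHCPNoServer": 1, "DHCPForce": 1, "CheckMac": 1, "CheckIP": 1,
              "MaxMac": 2, "ArpDhcpOnly": 1}
    hub = VirtualHub({"alice": strict, "mallory": strict, "bob": {"CheckIP": 1}})
    alice, mallory, bob = "00:ac:01:00:00:01", "00:ac:01:00:00:02", "00:ac:01:00:00:03"
    server = "00:ac:01:00:ff:01"
    out = {}
    out["alice-discover"] = hub.forward(Frame("alice", alice, BROADCAST, "dhcp_request"))
    out["rogue-offer"] = hub.forward(Frame("mallory", mallory, alice, "dhcp_offer", "192.168.3.250"))
    out["real-ack-alice"] = hub.forward(Frame("lan", server, alice, "dhcp_ack", "192.168.3.1", alice, "192.168.3.2"))
    out["real-ack-mallory"] = hub.forward(Frame("lan", server, mallory, "dhcp_ack", "192.168.3.1", mallory, "192.168.3.3"))
    out["alice-data"] = hub.forward(Frame("alice", alice, server, "data", "192.168.3.2"))
    out["mallory-own-ip"] = hub.forward(Frame("mallory", mallory, server, "data", "192.168.3.3"))
    out["mallory-spoofs-alice-ip"] = hub.forward(Frame("mallory", mallory, server, "data", "192.168.3.2"))
    out["mallory-spoofs-alice-mac"] = hub.forward(Frame("mallory", alice, server, "data", "192.168.3.2"))
    out["mallory-broadcast-data"] = hub.forward(Frame("mallory", mallory, BROADCAST, "data", "192.168.3.3"))
    out["alice-arp"] = hub.forward(Frame("alice", alice, BROADCAST, "arp"))
    out["mallory-2nd-mac"] = hub.forward(Frame("mallory", "00:ac:01:00:00:a2", server, "arp"))
    out["mallory-3rd-mac"] = hub.forward(Frame("mallory", "00:ac:01:00:00:a3", server, "arp"))
    out["bob-static-dup-ip"] = hub.forward(Frame("bob", bob, server, "data", "192.168.3.2"))
    return out
```

    The scenario shows why the policies are layered: DHCPNoServer stops the rogue offer before it reaches alice, DHCPForce rejects mallory's use of alice's address even though the address is not yet in the hub's IP table from mallory's side, CheckMac rejects the cloned MAC, and CheckIP alone (bob's case) still catches a statically configured duplicate. The MaxMac limit is what keeps a flood of random source MACs from growing the FDB without bound.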

    ...

    The monitoring function is a tap on all packets flowing through a Virtual Hub. It is intended for the network administrators of the VPN network, so it is disabled by default; an administrator can enable it when needed.

    The monitoring function is used from VPN Client together with packet-capture software such as Wireshark (formerly Ethereal) or tcpdump, or with an IDS such as Snort.

    For Troubleshooting Purpose

    You can use the monitoring function for troubleshooting, because it lets you capture and analyze every packet flowing through the VPN Server.

    For IDS Purpose

    You can use any IDS (Intrusion Detection System) to detect potential security breaches on the network by attaching the IDS software to the VPN Server's Virtual Hub through the monitoring function.

    ...

    Use Wireshark, tcpdump, Snort or other analyzers to monitor all packets passing through the Virtual Hub.

    ...

    All packets passing through a Virtual Hub on the VPN Server can be written to a log file on the VPN Server's disk. Logging every packet in full would fill the disk quickly, so SoftEther VPN Server has a filter that determines which kinds of packets are logged, and you can choose whether entire payloads are recorded or only the important headers. Because logging is done in software on the forwarding path, no packets are missed.

    This function is useful not only for troubleshooting but also as evidence if a user takes illegal action against the company. Enabling logging lets you monitor all communications from employees via VPN to, for example, the file server and the database server.

    ...

    Packet Logging settings screen.

    ...

    HTTP traffic is deep-analyzed at the HTTP header level: the target URL of each HTTP request is written to the packet log in plaintext, so the system administrator can keep HTTP access logs of the employees using the VPN Server in order to audit its usage. This applies to plain HTTP; the URL of an HTTPS request is inside the TLS payload and is not extracted.

    ...

    An example packet log, showing Ethernet, IP and TCP/UDP header values and HTTP request headers.

    3.12. Virtual Hub Admin Delegation

    A VPN Server can host many Virtual Hubs, and the administrator of the whole VPN Server can appoint someone as the administrator of one Virtual Hub and delegate that role.

    To do so, the VPN Server administrator sets an administration password dedicated to that particular Virtual Hub and gives it to the delegate. The delegate can then access and manage that Virtual Hub, but still cannot manage any other Virtual Hub on the same server: security settings and databases such as user objects and packet filter rules are completely separated between Virtual Hubs.
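    As an added example, not part of SoftEther, here is a Python driver for the vpncmd command-line tool that scripts the settings this section describes: a policy-bearing group for remote users, RADIUS relay of password checks, header-only packet logging, and a hub-only administrator password for delegation. The server name, passwords, user names and RADIUS secret are placeholders; the command names and options are vpncmd's as the author of this example knows them, and should be confirmed against vpncmd's Help and PolicyList output on your version.

```python
# Added example, not part of the SoftEther project: a Python driver for the
# vpncmd utility that applies the settings discussed in this section. Server
# address, passwords and the RADIUS secret are placeholders. Command names and
# options are vpncmd's as known to the author of this example; confirm them
# with "vpncmd <server> /SERVER /CMD Help" and "PolicyList" on your version.
import subprocess
from typing import Dict, List, Sequence

VPNCMD = "vpncmd"   # assumed to be on PATH

# Policies (names from vpncmd's PolicyList) for ordinary remote-access users.
STRICT_POLICY: Dict[str, str] = {
    "DHCPNoServer": "yes",   # may not act as a DHCP server
    "DHCPForce": "yes",      # may only use the IP address DHCP assigned
    "CheckMac": "yes",       # may not reuse a MAC registered to another session
    "CheckIP": "yes",        # same for IP addresses
    "ArpDhcpOnly": "yes",    # broadcasts limited to ARP/DHCP/ICMPv6
    "NoBridge": "yes",       # no bridging behind the client
    "NoRouting": "yes",      # no routing behind the client
    "MaxMac": "2",           # MAC/IP table entries per session (anti-flooding)
    "MaxIP": "2",
    "MultiLogins": "1",      # one concurrent session per user
}


def vpncmd_argv(server: str, password: str, hub: str, command: Sequence[str],
                hub_admin: bool = False) -> List[str]:
    """One non-interactive vpncmd invocation.

    hub_admin=False: log in as the server administrator and pre-select the hub
    (/ADMINHUB). hub_admin=True: log in as the delegated administrator of that
    one hub with the hub's own password (/HUB); other hubs stay out of reach."""
    scope = f"/HUB:{hub}" if hub_admin else f"/ADMINHUB:{hub}"
    return [VPNCMD, server, "/SERVER", scope, f"/PASSWORD:{password}", "/CMD", *command]


def run(argv: Sequence[str], dry_run: bool = True) -> str:
    """Return the command line in dry-run mode, otherwise execute it and return its output."""
    if dry_run:
        return " ".join(argv)
    return subprocess.run(list(argv), check=True, capture_output=True, text=True).stdout


def plan_hub_setup(server: str, admin_pw: str, hub: str, radius: str,
                   radius_secret: str, hub_admin_pw: str,
                   users: Sequence[str]) -> List[List[str]]:
    """vpncmd invocations that: put remote users in a group carrying
    STRICT_POLICY; relay their password checks to RADIUS; log TCP connections
    and packet headers (not payloads), rotating daily; and set a hub-only
    administrator password so hub administration can be delegated."""
    cmds: List[List[str]] = [["GroupCreate", "remote-users", "/REALNAME:none", "/NOTE:none"]]
    for name, value in STRICT_POLICY.items():
        cmds.append(["GroupPolicySet", "remote-users", f"/NAME:{name}", f"/VALUE:{value}"])
    cmds.append(["RadiusServerSet", radius, f"/SECRET:{radius_secret}", "/RETRY_INTERVAL:500"])
    for u in users:
        cmds.append(["UserCreate", u, "/GROUP:remote-users", "/REALNAME:none", "/NOTE:none"])
        cmds.append(["UserRadiusSet", u, "/ALIAS:none"])   # RADIUS user name = VPN user name
    cmds += [
        ["LogEnable", "packet"],
        ["LogPacketSaveType", "/TYPE:tcpconn", "/SAVE:header"],
        ["LogPacketSaveType", "/TYPE:tcpdata", "/SAVE:header"],
        ["LogSwitchSet", "packet", "/SWITCH:day"],
        ["SetHubPassword", hub_admin_pw],
    ]
    return [vpncmd_argv(server, admin_pw, hub, c) for c in cmds]


def commands_of(plan: Sequence[Sequence[str]]) -> List[List[str]]:
    """The vpncmd command part (after /CMD) of each planned invocation."""
    return [list(argv[argv.index("/CMD") + 1:]) for argv in plan]


if __name__ == "__main__":
    plan = plan_hub_setup("vpn.example.internal:443", "ServerAdminPw", "CORP",
                          "radius.example.internal:1812", "RadiusSecret",
                          "HubAdminPw", ["alice", "bob"])
    for argv in plan:
        print(run(argv, dry_run=True))
    # What the delegated hub administrator later runs with only the hub password:
    print(run(vpncmd_argv("vpn.example.internal:443", "HubAdminPw", "CORP",
                          ["UserList"], hub_admin=True)))
```

    Two practical points. First, a password given as /PASSWORD: on the command line is visible to other local users in the process list; for anything beyond a one-off, omit it so vpncmd prompts, or feed commands from a file with restricted permissions via /IN:. Second, note the difference between the two login scopes in vpncmd_argv: the server administrator selects a hub with /ADMINHUB: and could just as well select any other, whereas the delegate logs in with /HUB: and the hub password and cannot reach any other hub, which is the separation the text describes.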

    ...

    SoftEther VPN Server is designed to run continuously, 24 hours a day and 365 days a year, once the VPN Server process has been started. Great care has been taken in developing the SoftEther VPN Server code, especially to prevent memory leaks and crashes, and the currently released SoftEther VPN Server programs are believed to contain no critical bugs.

    However, if a problem does occur in the SoftEther VPN Server process, it is restarted automatically. To prevent loss of configuration data, all configuration data and VPN session statistics are saved to disk automatically at regular intervals. If the process stops unexpectedly, a recovery task is invoked automatically and restores the last saved state as far as possible.
