Tag: VPNs

Google to participate in setting standards for mobile app security

Articles – From the horse’s mouth

Google

A standard and certification program now exists for mobile application security

A New Standard for Mobile App Security (Google Security Blog post)

Internet Of Secure Things Alliance (ioXT)

ioXt Alliance Expands Certification Program for Mobile and VPN Security (Press Release)

Mobile Application Profile (Reference Standard Document – PDF)

My Comments

There is a constant data-security and user-privacy risk associated with mobile computing.

And this is being underscored heavily as a significant number of mobile apps are part of “app-cessory” ecosystems for various Internet-of-Things devices. That is where a mobile app is serving as a control surface for one of these devices. Let’s not forget that VPNs are coming to the fore as a data-security and user-privacy aid for our personal-computing lives.

Internet of Secure Things ioXT logo courtesy of Internet of Secure Things Alliance

Expect this to appear alongside mobile-platform apps to signify they are designed for security

But how can we be sure that an app that we install on our smartphones or tablets is written to best security practices? What is being identified is a need for an industry standard supported by a trademarked logo that allows us to know that this kind of software is written for security.

A group called the Internet of Secure Things Alliance, known as ioXT, has started to define basic standards for secure Internet-of-Things ecosystems. It has defined various device profiles for different Internet-of-Things device types and determined minimum and recommended requirements for a device to be certified as being “secure” by them. This then allows the vendor to show a distinct ioXT-secure logo on the product or associated material.

Now Google and others have worked with ioXT to define a Mobile Application Profile that sets out minimum security standards for mobile-platform software in order to be deemed secure by them. At the moment, this is focused towards app-cessory software that works with connected devices along with consumer-facing privacy-focused VPN endpoint software. For that matter, Google is behind a “white-label” user-privacy VPN solution that can be offered under different brand names.

This application profile has been written in an “open form” to cater towards other mobile app classes that need to have specific data-security and user-privacy requirements. This will come about as ioXT revises the Mobile Application Profile.

Conclusion

The ioXT Internet-of-Secure-Things platform could be extended to certifying more classes of native mobile-platform and desktop-platform software that works with the Internet of Everything. The VPN aspect of the Mobile Application Profile can also apply to native desktop VPN-management clients or native and Web software intended to manage router-based VPN setups.

At least a non-perpetual certification program with a trademarked logo now exists for the Internet of Everything and mobile apps to assure customers that the hardware and software is secure by design and default.

Make VPN, VLAN and VoIP applications easy to set up in your network

Draytek Vigor 2860N VDSL2 business VPN-endpoint router press image courtesy of Draytek UK

Routers like the Draytek Vigor 2860N which support VPN endpoint and IP-PBX functionality could benefit from simplified configuration processes for these functions

Increasingly, the virtual private network, virtual local-area network and IP-based voice and video telephony setups are becoming more common as part of ordinary computing.

The VPN is being seen as a tool to protect our personal privacy or to avoid content-blocking regimes imposed by nations or other entities. Some people even use this as a way to gain access to video content available in other territories that wouldn’t be normally available in their home territory. But VPNs are also seen by business users and advanced computer users as a way to achieve a tie-line between two or more networks.

The VLAN is becoming of interest to householders as they sign up to multiple-play Internet services with at least TV, telephony and Internet service. Some of the telcos and ISPs are using the VLAN as a way to assure end-users of high quality-of-service for voice or video-based calls and TV content made available through these services.

AVM FRITZ!Box 3490 - Press photo courtesy AVM

… as could the AVM Fritz!Box routers with DECT base station functionality

It may also have some appeal with some multiple-premises developments as a tool to provide the premises occupiers access to development-wide network resources through the occupiers’ own networks. It will also appeal to public-access-network applications which share the same physical infrastructure as private networks such as FON-type community networks including what Telstra and BT are running.

VoIP and similar IP-based telecommunications technologies will become very common for home and small-business applications. This is driven by incumbent and competing telecommunications providers moving towards IP-based setups thanks to factors like IP-driven infrastructure or a very low cost of entry. It also includes the desire to integrate entryphone systems that are part of multi-premises buildings into IP-based telecommunications setups, including voice-driven home assistants or IP-PBX business-telephony setups.

Amazon Echo on kitchen bench press photo courtesy of Amazon USA

A device like the Amazon Echo could be made into a VoIP telephone through an easy-to-configure Alexa Skill

In the same context, an operating-system or other software developer may want to design a “softphone” for IP-based telephony in order to have it run on a common computing platform.

What is frustrating these technologies?

One key point that makes these technologies awkward to implement is the configuration interface associated with the various devices that benefit from these technologies like VPN endpoint routers or IP-based telephony equipment. The same situation also applies if you intend to implement the setup with multiple devices especially where different platforms or user interfaces are involved.

This kind of configuration also increases the chance of user error taking place during the process which then leads to the setup failing with the user wasting time on troubleshooting procedures to get it to work. It also makes the setup process very daunting for people who don’t have much in the way of IT skills.

For example, you have to complete many steps to enrol the typical VPN endpoint router with a consumer-facing privacy-focused VPN in order to assure network-wide access to these VPNs. This involves transcribing configuration details for one of these VPNs to the router’s Web-based management interface. The same thing also applies if you want to create a VPN-based data tie-line between networks installed at two different premises.

Similarly, IP-based telephony is very difficult to configure, with customers opting for pre-configured IP telephone equipment. This frustrates the idea of allowing a customer to purchase equipment or software from different resellers because of the difficult configuration process. Even small businesses face this same difficulty whether it is to add, move or remove extensions, create inter-premises tie-lines or add extra trunk lines to increase call capacity or provide “local-number” access.

This limits various forms of innovation in this space such as integrating a building’s entryphone system into one’s own telephone setup or allowing Skype, Facebook Messenger, WhatsApp or Viber to permit a business to have a virtual telephone link to their IP-telephony platforms.

It also limits the wide availability to consumers and small businesses of “open” network hardware that can answer these functions. This is more so with VPN-endpoint routers or routers that have IP-based telecommunications functionality which would benefit from this kind of simplified configuration process.

What can be done?

A core requirement to enable simplified provisioning of these technologies is to make use of an XML-based standard configuration file that contains all of the necessary configuration information.

It can be transferred through a download from a known URL link or a file that is uploaded from your computing device’s local file system. The latter approach can also apply to using removable storage to transfer the file between devices if they have an SD-card slot or USB port.

Where security is important or the application depends on encryption for its operation, the necessary binary public-key files and certificates could be in a standard form with the ability to have them available through a URL link or local file transfer. It also extends to using technologies based around these public keys to protect and authenticate the configuration data in transit or apply a digital signature or watermark on the configuration files to assert their provenance.

I would also see it as important that this XML-based configuration file approach work with polished provisioning interfaces. These graphically-rich user interfaces, typically associated with consumer-facing service providers, implement subscription and provisioning through the one workflow and are designed to be user-friendly. It also applies to achieving a “plug-and-play” onboarding routine for new devices where there is a requirement for very little user interaction during the configuration and provisioning phase.

This can be facilitated through the use of device-discovery and management protocols like UPnP or WSD with the ability to facilitate the upload of configuration files to the correct devices. Or it could allow the creation and storage of the necessary XML files on the user’s computer’s local storage for the user to upload to the devices they want to configure.
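The following is an added example, not code from the original article or from any vendor, of how the signed-configuration-file idea above could work at the router end: the hub builds an XML profile with a machine-generated network password, signs the exact bytes that will be transferred, and the router refuses to even parse the file until the signature checks out, then validates each field. The element names (vpnProfile, site, hub, protocol, lanSubnet, psk) are a made-up schema, and the detached HMAC-SHA256 signature under a shared key stands in for the public-key signature the article has in mind; a production scheme would sign with the vendor’s private key so routers hold only the public key.

```python
"""Added example, not code from the original article: build, sign and
verify an XML provisioning file for a VPN endpoint router.

Assumptions for illustration: the element names are a made-up schema and
the detached signature is HMAC-SHA256 under a shared signing key.  A real
scheme would use a public-key signature so routers hold only a public key.
"""
import hashlib
import hmac
import ipaddress
import secrets
import xml.etree.ElementTree as ET

# Constructed demo signing key; in practice this would be the provisioning
# server's private key and would never be shipped to the router.
SIGNING_KEY = b"demo-provisioning-signing-key"

# Protocols the router is willing to accept; PPTP is deliberately absent.
ALLOWED_PROTOCOLS = {"openvpn", "ipsec", "wireguard"}


def build_profile(site, hub_host, protocol, lan_subnet):
    """Return the profile as an XML string with a machine-generated PSK."""
    root = ET.Element("vpnProfile", version="1")
    ET.SubElement(root, "site").text = site
    ET.SubElement(root, "hub").text = hub_host
    ET.SubElement(root, "protocol").text = protocol
    ET.SubElement(root, "lanSubnet").text = lan_subnet
    # 256-bit random network password generated by the hub, not typed by the user
    ET.SubElement(root, "psk").text = secrets.token_urlsafe(32)
    return ET.tostring(root, encoding="unicode")


def sign(profile_xml):
    """Detached signature over the exact bytes that will be transferred."""
    return hmac.new(SIGNING_KEY, profile_xml.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_and_load(profile_xml, signature):
    """Check the signature first, then parse and validate the fields.

    Raises ValueError on any failure so the router refuses the profile.
    """
    if not hmac.compare_digest(sign(profile_xml), signature):
        raise ValueError("signature mismatch: profile not accepted")
    # Only now is it safe to hand the document to the XML parser.
    root = ET.fromstring(profile_xml)
    if root.tag != "vpnProfile" or root.get("version") != "1":
        raise ValueError("unknown profile type or version")
    fields = {child.tag: (child.text or "") for child in root}
    missing = {"site", "hub", "protocol", "lanSubnet", "psk"} - fields.keys()
    if missing:
        raise ValueError(f"profile missing fields: {sorted(missing)}")
    if fields["protocol"] not in ALLOWED_PROTOCOLS:
        raise ValueError(f"protocol {fields['protocol']!r} not allowed")
    # strict=True rejects a prefix with host bits set, e.g. 192.168.1.1/24
    fields["lanSubnet"] = ipaddress.ip_network(fields["lanSubnet"], strict=True)
    if not fields["lanSubnet"].is_private:
        raise ValueError("LAN subnet must be a private range")
    if len(fields["psk"]) < 32:
        raise ValueError("network password too short")
    return fields


if __name__ == "__main__":
    xml_doc = build_profile("shopfront", "hub.example.net", "openvpn", "192.168.10.0/24")
    sig = sign(xml_doc)
    print(verify_and_load(xml_doc, sig)["lanSubnet"])
    try:  # an in-transit tamper that downgrades the protocol is caught before parsing
        verify_and_load(xml_doc.replace("openvpn", "pptp"), sig)
    except ValueError as err:
        print("rejected:", err)
```

The order of operations is the point: a router that parses first and checks the signature afterwards has already exposed its XML parser to untrusted input, and a profile that arrives with a valid signature but an unacceptable protocol or a public-range LAN subnet is still rejected rather than applied.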

Another factor is to identify how a device should react under certain situations like a VPN endpoint router being configured for two or more VPNs that are expected to run concurrently. It also includes allowing a device to support special functions, something common in the IP-based telecommunications space where it is desirable to map particular buttons, keypad shortcodes or voice commands to dial particular numbers or activate particular functions like door-release or emergency hotline access.

Similarly, the use of “friendly” naming as part of the setup process for VLANs, VPNs and devices or lines in an IP-telephony system could make the setup and configuration easier. This is important when it comes to revising a configuration to suit newer needs or simply understanding the setup you are implementing.

Conclusion

Using XML-based standard provisioning files and common data-transfer procedures for setup of VLAN, VPN and IP-based-telecommunications setups can allow for a simplified setup and onboarding experience. It can also allow users to easily maintain their setups such as to bring new equipment on board or factor in changes to their service.

Linksys LRT-224 VPN router–the first of its class with an easy-to-provision VPN

Article

Linksys LRT-224 Product Review (Page 3) | SmallNetBuilder

Previous Coverage

VPNs and remote access in the home and small-business space – a lot of unanswered questions

From the horse’s mouth

Linksys

Product Page (LRT-224)

My Comments

I was skimming through a SmallNetBuilder review of the Linksys LRT-224 VPN endpoint router and came across a feature that could appeal to those of us who are creating “box-to-box” VPNs between networks.

This feature is called “Easylink VPN”. It requires the creation of an account username and password on the destination router; the user then supplies the destination router’s outside (WAN) IP address, account username and password to the origin router to establish the “box-to-box” VPN.

I do see some limitations with this concept as it is applied nowadays. One is that it is set up to work only with VPNs that have the Linksys LRT-2×4 series VPN routers at each end, which doesn’t bode well for the goal of an interoperable easy-to-set-up VPN.

Similarly, there isn’t a way of identifying whether an IP-address conflict could occur once the VPN is established. As well, there isn’t support for dynamic-DNS setups, which would make things easier for the many residential and small-business Internet services that are “DHCP-only” rather than offering the option of a fixed Internet IP address.

But what I see of this is an attempt to allow home-office-plus-shopfront business operators and similar users to create a “box-to-box” VPN between locations without creating extra room for mistakes during the setup and provisioning phase. It could also work well with the UPnP RemoteAccess and ContentSync profiles as part of the goal of a multiple-device personal “cloud”.

The latest Freebox devices now are VPN endpoints courtesy of a firmware update

Article – French language / Langue Française

Mise à jour Freebox : du Wi-Fi programmable et un VPN intégré | DegroupNews.com

My Comments

Freebox Révolution - courtesy Iliad.fr

Freebox Révolution to be a VPN endpoint

Free.fr has been adding some extra functionality to its Freebox Révolution and Freebox Crystal “n-box” Internet-gateway devices. This is delivered as a free firmware update (version 2.1.0), in keeping with the highly-competitive French Internet-service market, which users can download and install on these devices.

VPN Endpoint Router

One key feature is the ability for a Freebox Révolution or Freebox Crystal Internet gateway to become a fully-fledged small-business-grade VPN router. Here, you could set these devices to work as an endpoint for a client-to-box VPN or, perhaps, a box-to-box VPN joining two small networks via the Internet backbone. For example, you could set up a secure-browsing or secure-file-transfer link to your home or small-business network in Paris, or even buy a Draytek VPN router for your home network in the UK and a Freebox Révolution for that chic French “bolthole” and establish a “box-to-box” VPN for backing up data between both locations, including making the same media available at both locations.

This is made feasible with hardware or software endpoints that work to PPTP or OpenVPN technology, which suits the software endpoints available on all the main desktop and mobile platforms as well as most other VPN endpoint routers. One caveat: PPTP’s MS-CHAPv2 authentication has been practically broken for years and offers no real confidentiality, so it only buys compatibility with old clients; OpenVPN is the option to use for anything you actually want kept private.

Even the “seedbox” BitTorrent client integrated in these devices has been updated to be able to take advantage of the VPN functionality for user privacy.

Wi-Fi network improvements

The Freebox Révolution has been able to benefit from a software-based 802.11ac implementation which opens it up to high-speed data transfer with 802.11ac clients. Typically this would have required one to replace or add hardware to upgrade to the newer 802.11ac standard.

Similarly, the firmware has made it easier for a Freebox user to optimise their Wi-Fi network performance by changing the channel the Wi-Fi access point is working on. It also includes a “site-survey” function which lists what Wi-Fi networks are operating on what channels at what strengths so you can choose the right channel to work on. This can be important in a neighbourhood where everyone is running a home network and could also make things easier for Free’s technical-support staff.

There is even the ability to turn Wi-Fi functionality on or off according to a schedule, which can be of importance for people who are sensitive to RF emissions or need to keep a lid on out-of-hours access to the Wi-Fi network.

Conclusion

You just never know what Free or other French ISPs have in store to increase the real value that they offer to their customers in that highly-competitive market.

VPNs and remote access in the home and small-business space–a lot of unanswered questions

What is remote-access and VPNs

The concept of remote access and VPNs is primarily about gaining access to computer resources located in a place that is physically distant from where we are. The typical applications that we talk of are access to business data held at our small business’s shopfront from our home office’s computer, or gaining access to data as we travel.

The method that is usually implemented is to set up a Virtual Private Network or VPN which is a virtual secure network link between one or more computers in one network and computers in another network. This link is hosted over another network infrastructure like an Internet service and acts as the secure data “tunnel” or path between these networks.

This will typically allow one to “draw down” files held on a remote hard disk or more likely use a “remote desktop” program to operate a computer from afar. The latter application would typically be performed using programs like VNC or Microsoft’s Remote Desktop / Terminal Services with a server component running on the host computer (which has the data and programs) and a remote-terminal client program on the computer that the user is working from.

Draytek VPN endpoint router

One of Draytek's VPN-endpoint ADSL modem routers

Previously, a VPN was based around two Internet-connected computers with one, typically a file server, being a “VPN server” and the remote computer being something like a laptop or home computer. Now the VPN can have a specially-enabled router as the “VPN server” or can become a secure link between two physical networks separated by an Internet connection and facilitated by specially-enabled routers. 

Two types of VPN

There are two types of VPN setup that are in use. They are the “Client to Box” setup and the “Box to Box” setup.

“Client-to-Box” – Remote computer to local network

The “Client to Box” setup has a user operating a single computer to gain access to the remote network. This is typically used to allow a mobile worker or a telecommuter to gain access to company resources from their laptop or home computer.

The computer runs a “VPN-client” program that is either part of the operating system or a separately-supplied program. Here, this program provides the login experience for the user and authenticates the computer to the main network. Then it effectively “bridges” the computer’s resources to that network.

Client-Box Remote Access VPN

Single-Client Remote Access VPN

“Box-to-Box” – Connecting multiple logical networks

The “Box to Box” setup is simply a secure link that is established between networks established in different locations. The typical reason to do this is to avoid the costs of renting a dedicated line between the locations and use the economies of scale that the Internet offers. This is typically established with the use of special “VPN endpoint” routers joining the networks and these routers create a secure encrypted “tunnel” for the data to move between the networks.

Box-to-Box VPN connecting two networks

"Box-to-Box" VPN connecting two networks

Relevance to the small business and home users

These VPNs do appeal to small businesses and home users in many ways. One is to allow a shopkeeper to have access to data held at either their home office or their shop from the other location. Similarly, a small-business owner can establish a branch of their business in a new location and make sure they have access to the business resources at the main location from the branch’s network.

Another example for a “client-to-box” setup is to allow a tradesman or similar worker to gain access to customer data held on his home-office computer from the road through the use of a laptop computer connected by a wireless-broadband link or use of a wireless hotspot.

There is even the prospect of home users using this VPN technology to gain access to media held on a home media server from remote locations. One example would be to “pull up” audio material held on the home media server from one’s car using a wireless-broadband link to download or stream the material. Another example would be to have the same media that you have “at home” available on a home network installed at a secondary home that you own or rent.

As well, it could be feasible to use VPN technology as part of home security and automation, especially when it comes to managing remote properties.

Similarly, there can be the ability to support the use of the home network’s facilities in households where one or more members maintain separate Internet services and networks. Examples of this may include a business that is operated from home with a separate Internet connection for business-owned equipment, or lodgers and students who want to have their own Internet use on their own terms.

Limitations with the current technology

Hard to provision

The main limitation for home and small-business users when dealing with the VPN is that the VPN is typically hard to provision, whether it is to set up for the first time or to adapt it to suit future needs. 

The user needs to make sure each location’s local network uses a different IP address range. This is difficult because most small networks simply keep the default address range that the network-Internet “edge” router ships with, so two sites frequently end up on the same subnet and the tunnel cannot route between them.

Then they need to know the VPN protocols, security protocols and the VPN passphrase and set these in the “hub” VPN endpoint. They have to make sure this is accurately copied and copy these details to the “spoke” VPN endpoints at the remote locations. Here they may become confused with determining which is “outbound” and which is “inbound” for each tunnel when configuring each endpoint.

They would also have to make sure that one of the VPN endpoints or the one that is to be the “hub” endpoint either has a fixed Internet IP address or can support a dynamic DNS service like DynDNS.org or TZO and is set up for this service.

Most of these tasks would then daunt most home and small-business computer users unless they had a lot of detailed computer knowledge and skills.

Limited protocol and application set

Most VPNs can only handle the protocols associated with bulk file transfer between two or more general-purpose computers. They don’t properly support device discovery for other devices, which is important for the home and small-business user: discovery protocols such as UPnP/SSDP and mDNS rely on link-local multicast or broadcast, which a routed VPN tunnel does not carry across to the other site.

As well, they don’t work properly when it comes to streaming of real-time media between sites due to issues with streaming protocols and quality of service. Here, VPN applications involving these applications may have to implement application-layer gateways to facilitate the QoS and protocol needs.

Action to facilitate these networks

The UPnP Forum has released the “RemoteAccess” Device Control Profile for facilitating remote access and VPN use, especially when it comes to supporting UPnP-compliant devices on the “other side” of a remote-access link or VPN tunnel from “your side”. The first version is pitched at the “client-to-box” VPN setup, mainly to allow smartphone and laptop users to gain access to media on the home network. The second version, to be coming over the next year, is intended to support “box-to-box” setups like multi-site “super-networks”.

This has been released in conjunction with the “ContentSync” Device Control Profile which allows for synchronising of content collections (or parts thereof) between two UPnP AV MediaServer devices.

It has then made a relevant case for home users to value VPN and remote-access technology for personal-media applications such as keeping copies or subsets of media libraries at other locations or playing media held at one location from another location.

What needs to happen

Improve provisioning experience

The routine associated with provisioning a remote-access setup or VPN “super-network” needs to be simplified in a manner similar to what has happened to Wi-Fi wireless networking. Here, this was facilitated by the user not needing to work out any new data except to identify a wireless-network segment via its SSID.

In a VPN or remote-access network, the user sets up a “hub” endpoint which would work on machine-determined VPN protocol settings. Here, the user determines the location name, dynamic-DNS service or fixed IP address; and the VPN network password.

As well, a dynamic-DNS service that has a lot more “meat” such as increased reliability could be a service that is sold by carriers and Internet service providers as a value-added service. These services could typically be packaged as a product differentiator between different Internet-access-package lineups or just simply as an add-on item.

Then the user sets up a “spoke” endpoint or client terminal by providing the fully-qualified location name and the VPN network password as well as an identifier for the “spoke” endpoint.

This setup could support the use of machine-generated passwords that have been successfully implemented with Windows Connect Now easy-Wi-Fi setup method in Windows XP Service Pack 2 and Vista; as well as the HomeGroup password in Windows 7. Similarly, there could be support for configuration files like what has happened with Windows Connect Now – USB setup where a configuration file is uploaded to a Wi-Fi router or client device to facilitate quick wireless-network enrolment.

A client-to-box setup could be set up with the user entering the VPN name and password in to a VPN client program that is part of the computer’s or smartphone’s operating system.

Site-local subnets (logical networks)

The provisioning process for a “box-to-box” remote-access network should make it easy to create site-local subnets that are peculiar to each logical network. This could require the “hub” endpoint to keep track of the subnets and cause “spoke” endpoints to determine new subnets as part of the setup process.

It can include the ability to reinforce a DHCP “refresh” so that all network devices that are in a logical network obtain new IP addresses if the addressing scheme has to be redefined for that network. This is because most network devices in home and small business networks are allocated IP addresses using DHCP rather than the user defining them in order to simplify setup of equipment on these networks.
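As an added example that is not code from the original article, here is the hub-side bookkeeping the two paragraphs above describe, which also answers the IP-address-conflict gap noted earlier in the Linksys LRT-224 comments: a registry that checks a joining spoke’s LAN against every site already on the VPN and, when there is an overlap, hands back a fresh site-local subnet that the spoke should renumber to (the trigger for the DHCP refresh). The pool range 10.200.0.0/16, the /24 site size and the site names are assumptions for illustration.

```python
"""Added example, not code from the original article: a hub-side subnet
registry for a box-to-box VPN that detects address overlap between sites
and allocates a fresh site-local subnet when a joining spoke clashes.

Assumptions for illustration: the pool range, the /24 site size and the
site names are made up.
"""
import ipaddress

# Assumed private pool the hub carves into /24 site-local subnets.
POOL = ipaddress.ip_network("10.200.0.0/16")
SITE_PREFIX = 24


class HubRegistry:
    def __init__(self):
        self.sites = {}  # site name -> ipaddress.IPv4Network

    def conflicts(self, subnet):
        """Names of registered sites whose LAN overlaps the given subnet."""
        net = ipaddress.ip_network(subnet, strict=True)
        return [name for name, existing in self.sites.items() if existing.overlaps(net)]

    def allocate(self):
        """First pool subnet that overlaps nothing already registered."""
        for candidate in POOL.subnets(new_prefix=SITE_PREFIX):
            if not any(candidate.overlaps(used) for used in self.sites.values()):
                return candidate
        raise RuntimeError("site-local subnet pool exhausted")

    def register(self, name, requested):
        """Register a spoke.  Returns (subnet_to_use, must_renumber)."""
        if name in self.sites:
            raise ValueError(f"site {name!r} already registered")
        # strict=True rejects a prefix with host bits set, e.g. 192.168.1.1/24
        net = ipaddress.ip_network(requested, strict=True)
        if not net.is_private:
            raise ValueError("site LAN must be a private range")
        must_renumber = bool(self.conflicts(net))
        if must_renumber:
            # The spoke keeps its requested range only if it is unique across the
            # VPN; otherwise it gets a pool subnet and should refresh its DHCP leases.
            net = self.allocate()
        self.sites[name] = net
        return net, must_renumber

    def routes_for(self, name):
        """Subnets a given spoke must route into the tunnel: every other site."""
        return [net for other, net in self.sites.items() if other != name]


if __name__ == "__main__":
    hub = HubRegistry()
    print(hub.register("home-office", "192.168.1.0/24"))   # (192.168.1.0/24, False)
    print(hub.register("shopfront", "192.168.1.0/24"))     # (10.200.0.0/24, True)
    print(hub.routes_for("shopfront"))
```

Keeping the registry on the hub rather than on each spoke means the overlap check is done against the whole super-network, not just against the one neighbour the user happens to be configuring, which is how a third site joining later also gets a clean range.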

Use of a logo for easy-setup VPN systems

A VPN or remote-access system needs to work to an industry standard that is supported by many vendors. Here, equipment and software that complies with this standard needs to be identified with a trademark and logo which denotes this compatibility so customers can choose the right hardware and software for an easy-to-provision remote-access setup.

Retroactive upgrading programs

There are small businesses who run VPN setups that are typically based on VPN-endpoint routers that have existed for a long time and are currently in service. The standards for providing “easy-setup” VPN systems could be retroactively implemented in these units by applying updated firmware that incorporates this functionality to existing VPN-endpoint routers. This may happen more easily for devices that are based on open-source firmware.

Conclusion

Once the industry makes it easier for home and small-business users to establish or manage their remote-access setups and VPN-based multi-premises super-networks, the kind of features that larger businesses take for granted can be of benefit to this class of user.