8

Previously, I asked the question Why is it difficult to catch “Anonymous” or “Lulzsec” (groups)? I understood every answer except the VPN thing. Its because I never knew what VPNs were. Any how that answer said:

With the VPN, all your traffic is relayed through it so wherever you connect it can only track back the IP addy to the VPN itself and no further (unless the VPN is keeping logs in which case you shouldn't use it anyways).

So, I thought VPNs are like some kind of private proxy servers and usually they don't keep logs.

Then I encountered Which VPN Providers Really Take Anonymity Seriously? which compares the list of VPN providers who keep logs and who don't. Nice! I wanted to learn more about these VPNs and try one of these out.

So, I bought a book on VPN Beginning OpenVPN 2.0.9. I'm through the first two chapters. And I'm completely lost! He changed the entire definition of VPNs.

According to the author and wikipedia:

VPNs are actually used for connecting different branches of an organization and forming a private network (virtually) over an real network using some encryption protocols and firewalls.

Now, I'm confused! If VPNs are used to avoid leased lines and establish a network between the different branches of organization. How can these help in anonymity? How exactly are these black hats use to hide their identity?

PS: Also, can any one kindly suggest a good book on VPNs? Most of the VPN books on amazon have poor rating. I don't know why.

Community
  • 1
claws
  • 2,145
  • 5
  • 19
  • 22

3 Answers3

5

"VPN" is a large umbrella concept for a variety of situations; they all have the following common points:

  • there is a need for confidential communication;
  • involved parties should, ultimately, behave as if they were part of a common shared network;
  • however, there is no physical separation between that private network, and the rest of the Internet; the same wires are used; separation is done cryptographically, hence the "virtual".

A typical VPN situation is when an organization wants to link two sites together. Users of computers should be able to connect to all computers on both sites as if they were all on a single LAN; but all data which has to go over the Internet (to cross from one site to another) is channeled through an encrypted tunnel. From the outside (i.e. someone eavesdropping on the link between the sites), all that can be observed is that data flows from one site to another; but the encryption covers both the data itself, and the source and destination addresses (the IP addresses of the involved hosts within the private network). The attacker only sees traffic between the external routers of both site, but cannot know which specific machines within both sites are currently communicating.

This is the level of privacy that a VPN offers: if hides both the exchanged data, and the true source and destination addresses. Attackers can still infer the amount of data, and which sites are active, but not the exact machines.

This model extends to traveling salesmen, who connect to their home office from their hotel room. They open a VPN connection, at which point their laptop is "as if" it was in the office, connected to the office network. But eavesdropper only see that the laptop is linked to "the office" in general, not what specific office server is contacted.

The distinction between VPN and proxy servers is kind of fuzzy; do not try to read too much in it. When we say "VPN", we want to emphasize that the encryption layer should work for all protocols, because the VPN is supposed to transmit IP packets; whereas a proxy is normally dedicated to a single protocol, or a small set of protocols, such as HTTP.

Tom Leek
  • 168,808
  • 28
  • 337
  • 475
  • +1 Thanks for your explanation. Its interesting to know that VPN hides (encrypts) the entire IP layer datagram (packet).But how is it possible? I mean, with the entire IP packet encrypted. How would the routers in between me & VPN Proxy know how to process that packet. Its not IP packet any more. It doesn't know the source address. I'm still little confused. – claws Jan 07 '12 at 18:16
  • Also, wouldn't it be easy to just adding a dummy/random value in Source field of IP datagram. That would take care of my anonymity. Destination field is that of proxy server. And the data is encrypted. Why go through the trouble of encrypting entire IP datagram? – claws Jan 07 '12 at 18:24
  • @claws: in the case of IPsec, the complete IP packet with header is encrypted, and a _new_ header is added. The new header says "comes from router A, goes to router B". Router B decrypts the packet, recovers the old header, and forwards it. Thus, only A's and B's addresses are visible for the eavesdropper. For a SSL-based VPN, the concept is identical, with an extra TCP layer (packet does as data within a SSL tunnel, which is over TCP, which uses IP packets between A and B). – Tom Leek Jan 07 '12 at 22:32
  • Router B decrypts the packet? :O If router B is compromised by attacker then its useless. Isn't it? – claws Jan 08 '12 at 03:14
  • @claws: a VPN is a tunnel between two points. It protects against attacks which occur _between_ these two points. The strongest lock on the sturdiest door does not protect the house against a burglar who is already inside it... – Tom Leek Jan 08 '12 at 21:23
  • I apolozise from ignorance but, source --> router A --> router B --> destination. How come routers A & B are not in between the two points "source" & "destination". – claws Jan 10 '12 at 09:08
  • 1
    @claws: the setup is: source S -> router A -> the Wild Internet -> router B -> destination D. "source" and "destination" are blissfully unaware of the VPN. "A" is between Local Network 1 (LN1), and the Wild Internet. "B" is between Local Network 2 (LN2), and the Wild Internet. The VPN tries to make LN1 and LN2 appear as a single local network, from the point of view of S and D (merging LN1 and LN2). The VPN is implemented as an encrypted tunnel from A to B. Attackers are in the Wild Internet: they only see traffic "from A to B", not "from S to D". – Tom Leek Jan 10 '12 at 11:53
4

I think it would be very helpful to you if you started out with a book on Networking instead of VPNs.

How would the routers in between me & VPN Proxy know how to process that packet. Its not IP packet any more. It doesn't know the source address. I'm still little confused

The routers between you and the end point (What you are defining as VPN Proxy) are only aware of the VPN "tunnel" - not what is going through it. In layman's terms there are 2 layers of networking going on.

Also, you could spoof the source IP address but then you would not be able to get any return traffic, because who ever you're "talking to" wouldn't have the correct address to talk back to.

VPNs only hide traffic between 2 end points. It is common for folks to connect to a VPN for business use. So they go into starbucks and connect and then have access to their office network. Now, that person starts browsing the web over that VPN. So... any person on the internet (ie, someone sniffing at starbucks, or the ISP that starbucks uses) cannot see your web browsing traffic exlicitly. All they would see is a VPN tunnel. For all they know it could be web traffic, a skype call, torrents, anything. They just see encrypted packets going from end point to end point.

http://www.howstuffworks.com/vpn.htm

This would be a good place for you to start. I have been through the OpenVPN book and it is not a good place to start if you are not familiar with VPN architecture. It is obviously a book about a particular VPN software.

LVLAaron
  • 291
  • 2
  • 3
3

Let us suppose that Bob has a computer at his home and an Internet account with his local internet service provider. Say, SuperNet Inc.

When Bob accesses a website from his computer, say www.google.com, the following takes place (simplified):

  1. Bob's computer asks SuperNet Inc's DNS server for IP address of Google's web server. DNS, or domain name system, is like an address book: look up 'www.google.com' and get 74.125.237.84.

  2. SuperNet Inc's DNS server tells Bob's computer that 'www.google.com' indeed resolves to 74.125.237.84.

  3. Bob's computer initiates a connection to another compute on the Internet with globally unique IP address 74.125.237.84.

Bob's computer may be anywhere in the world and is not directly connected to Google's web server in any way. Therefore, the connection is routed (relayed) through several intermediary routing servers on the Internet, including of course SuperNet Inc's router. These servers have nothing to do with Google but pass messages between Bob's computer and Google's web servers.

Similar process takes place for all other Internet communication, including communication with email servers, file servers, etc.

A proxy server is a server that can do something for you by proxy, or on your behalf. For example, if Bob configures his web browser to use a proxy server, then instead of initiating a connection to 74.125.237.84 when he tries to access 'www.google.com', his computer will instead initiate a connection to the proxy server and will ask it to fetch / retrieve the www.google.com web page on Bob's behalf. As a consequence Google's web server will receive a connection from a proxy server, not from Bob's computer.

Virtual Private Networks

Usually, all computers connected to the same network can communicate with each other directly. For example, at Bob's home his computer can connect to his brother's computer to copy files, and Bob can print files to his wireless printer.

Mostly for security reasons, computers do not allow connections to them from the Internet. You wouldn't want random strangers accessing your files from the Internet, would you?

A VPN enables a computer on one network to communicate with computers on another network. Additionally, a VPN protocol (language in which a VPN connection is established and maintained) usually encrypts all communication that takes place over the VPN.

In the scenario above where Bob accesses Google web server, SuperNet Inc's router and each and every other network relay can 'see' all communication between Bob's computer and Google. Similarly, even when Bob uses a proxy server, SuperNet Inc's router and each and ever other network relay can 'see' all communication between Bob's computer and the proxy server (including the relayed communication to Google). In the latter case, the only difference is that Google's web server is accessed by the proxy server, and not Bob's computer.

Using a VPN service for security / anonymity is similar to using a proxy server. However, in this scenario the VPN is used to protect all communication between Bob's computer and the VPN server. SuperNet Inc's router and other network relays 'see' encrypted communication only.

claws
  • 2,145
  • 5
  • 19
  • 22
Serge
  • 236
  • 2
  • 3