REVIEW OF LITERATURE Joseph Davies & Elliot Lewis (2003) In this paper Cloud Computing is a general term used to describe a new class of network based computing that takes place over the Internet, basically a step on from Utility Computing. In other words, this is a collection/group of integrated and networked hardware, software and Internet infrastructure (called a platform). Cloud computing is an umbrella term used to refer to Internet based development and services. A cloud client consists of computer hardware and/or computer software that relies on cloud computing for application delivery. William Stallings (2005) This paper is to be considered protected, data from one customer must be properly segregated from that of another; it must be stored securely when at rest and it must be able to move securely from one location to another. Cloud providers have systems in place to prevent data leaks or access by third parties. Proper separation of duties should ensure that auditing and/or monitoring cannot be defeated, even by privileged users at the cloud provider. PLUMMER, D.C. (2005) In this paper Cloud providers ensure that applications available as a service via the cloud are secure by implementing testing and acceptance procedures for outsourced or packaged application code. It also requires application security measures (application-level firewalls) be in place in the production environment.finally, providers ensure that all critical data (credit card numbers, for example) are masked and that only authorized users have access to data in its
entirety. Moreover, digital identities and credentials must be protected as should any data that the provider collects or produces about customer activity in the cloud. Charles P. Pfleeger (2006) In this paper a VPN is the extension of a private network that encompasses links across shared or public networks such as the Internet. A VPN enables us to send data between two computers across a shared or public inter network in a manner that emulates the properties of a point-to-point private link. In essence, it makes the remote computer virtually part of the private network by making an encrypted tunnel through the public Internet. The act of configuring and creating a VPN is known as virtual private networking. MEI and L.CHAN (2008) This paper describes tunneling is a method of using an intermediate network infrastructure to transfer data for one network over another network while maintaining privacy and control over the original data. The data to be transferred (the payload) can be the frames (or packets) of another protocol. Instead of sending a frame as the originating node produces it, the tunneling protocol encapsulates the frame in an additional header. The additional header provides routing information so that the encapsulated payload can traverse the intermediate network. SUN, W., ZHANG, K., CHEN, S.-K., ZHANG, X. and LIANG (2007) In this paper PPTP and L2TP depend heavily on the features originally specified for PPP. PPP was designed to send data across dial-up or dedicated point-to-point connections. For IP, PPP encapsulates IP packets within PPP frames, and then transmits the PPP-encapsulated
packets across a point-to-point link. PPP was originally defined as the protocol to use between a dial-up client and a NAS. There are four distinct phases of negotiation in a PPP connection. Each of these four phases must complete successfully before the PPP connection is ready to transfer user data. HARMER, T., WRIGHT, P., CUNNINGHAM, C. and PERROTT, R. (2007) In this paper PPP uses the Link Control Protocol (LCP) to establish, maintain, and terminate the logical point-to-point connection. During Phase 1, basic communication options are selected. For example, authentication protocols are selected, but they are not actually implemented until the user authentication phase (Phase 2). Similarly, during Phase 1, a decision is made as to whether the two peers will negotiate the use of compression and/or encryption. The actual choice of compression and encryption algorithms and other details occurs during Phase 4. In the second phase, the client computer sends the user s qualifications to the remote access server. A secure authentication scheme provides protection against repeat attacks and remote client impression. A replay attack occurs when a third party monitors a successful connection and uses captured packets to play back the remote client s response so that it can gain an authenticated connection. During Phase 2 of PPP link configuration, the NAS collects the authentication data and then validates the data against its own user database or a central authentication database server, such as one maintained by a Windows domain controller, or the authentication data is sent to a RADIUS server.
Once the previous phases have been completed, PPP invokes the various network control protocols (NCPs) that were selected during the link-establishment phase (Phase 1) to configure protocols used by the remote client. For example, during this phase, IPCP is used to assign a dynamic address to the PPP client. Once the four phases of PPP negotiation have been completed, PPP begins to forward data across the tunnel. Each transmitted data packet is wrapped in a PPP header that is removed by the receiving system when it reaches the far destination. If data compression was selected in Phase 1 and negotiated in Phase 4, data is compressed before transmission. If data encryption is selected and negotiated, data is encrypted before transmission. If both encryption and compression are negotiated, the data is compressed first and then encrypted. De-encryption and decompression occur once the packets reach the far end of the tunnel. BERNSTEIN, D., LUDVIGSON, E., SANKAR, K., DIAMOND, S. and MORROW (2007) This paper PPTP encapsulates PPP frames in IP datagrams for transmission over an IP inter network, such as the Internet. PPTP can be used for remote access and site-to-site VPN connections. PPTP uses a TCP connection for tunnel management and a modified version of Generic Routing Encapsulation (GRE) to encapsulate PPP frames for tunneled data. The payloads of the encapsulated PPP frames can be encrypted, compressed, or both. OHLMAN, B., ERIKSSON, A. and REMBARZ (2008) In this paper L2TP is a combination of PPTP and Layer 2 Forwarding (L2F), a technology proposed by Cisco Systems, Inc. L2TP represents the best features of PPTP and L2F. L2TP encapsulates PPP frames to be sent over IP, X.25, frame relay, or ATM networks. When
configured to use IP as its datagram transport, L2TP can be used as a tunneling protocol over the Internet. L2TP is documented in RFC 2661. J. Appavoo, V. Uhlig, and A. Waterland (2008) This paper describes Security credentials take the form of either a user name and password or a certificate. If we use the proper authentication security protocol, we can ensure that the confidential portions of the credentials (such as the password or the private key for a certificate) are never sent. Rather, the connecting VPN client provides proof of knowledge of the confidential credentials. LIM, H., BABU, S., CHASE, J. and PAREKH (2009) In this paper authorization security ensures that the VPN client is allowed to make a VPN connection, and can provide a set of connection constraints such as maximum connection time, idle timeout, required authentication method, and so on. This allows for administrators to add extra security to remote-based users. Before the data between a VPN client and VPN server is sent over the VPN connection, it is encrypted using an encryption algorithm and a secret key, which is known only to the VPN client and VPN server. BITTMAN, T.J., AUSTIN, T. (2009) In this paper encryption provides data confidentiality; even if a copy of the packet is captured, it is not readable (except for the IP header) without the knowledge of the secret key. When using PPTP, the encryption is done with a password-based hash algorithm. When using L2TP/IPSec, certificates are used to set up an IPSec encrypted tunnel that all authentication and
authorization processes can take place in. This is one of the advantages to using L2TP/IPSec the entire transaction even before authentication happens occurs in an encrypted state. CEARLEY, D.W., and SMITH D.M. (2009) In this paper when we connect a VPN server to the Internet, the server and your private intranet are now exposed to attack. An Internet based attacker can try to attack the VPN server by flooding it with various types of packets or try to access your intranet by using your VPN server as a router. To combat both of types of attacks, the Internet interface of the VPN server is configured with a series of IP packet filters that only allow VPN traffic. This is different than the internal IP filters that apply to a user s authentication this process makes sure that only authorized conversations will be accepted by the VPN server. This will ensure that Denial-of- Service attacks and internet hacks cannot affect operations. DODDA, R., SMITH, C., and MOORSEL (2009) In this paper user authentication for both Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP) connections is based on Point-to-Point Protocol (PPP) authentication protocols. Windows Server 2003 and Windows XP support the following PPP authentication protocols: PAP is a simple, clear-text authentication scheme. The NAS requests the user name and password, and PAP returns them in clear text (unencrypted). Obviously, this authentication scheme is not secure because a third party could capture the user s name and password and use it to get subsequent access to the NAS and all of the resources provided by the NAS. PAP provides no protection against replay attacks or remote client impersonation once the user s password is compromised.
GROSSMAN, R. L. (2009) This paper explains that CHAP is an encrypted authentication mechanism that avoids transmission of the actual password on the connection. The NAS sends a challenge, which consists of a session ID and an arbitrary challenge string, to the remote client. The remote client must use the MD5 one-way hashing algorithm to return the user name and a hash of the challenge, session ID, and the client s password. The user name is sent as plain text. CHAP is an improvement over PAP because the clear-text password is not sent over the link. Instead, the password is used to create a hash from the original challenge. SONG, S., RYU, K. and DA SILVA, (2009) According to this paper EAP is a new PPP authentication protocol that allows for an arbitrary authentication method such as smart cards, token cards, or biometrics such as fingerprint scanners or retinal scanners. EAP is an IETF standard extension to PPP that allows for arbitrary authentication mechanisms for the validation of a PPP connection. EAP was designed to allow the dynamic addition of authentication plug-in modules at both the client and server ends of a connection. This allows vendors to supply a new authentication scheme at any time. EAP provides the highest flexibility in authentication uniqueness and variation. KHAJEH-HOSSEINI, A., SOMMERVILLE, I. and SRIRAM (2010) In this paper encryption for PPTP connections is based on the use of MPPE (Microsoft Point to Point Encryption), we must use an authentication protocol that generates MPPE keys as part of the authentication process: MS-CHAP, MS-CHAP v2, or EAP-TLS. The MPPE key is generated using the password in the MS-CHAP algorithms therefore if you are using PPTP it is highly recommended that you apply strong password policies for the users. In the case of
EAP-TLS, the user certificates can be used. EAP-TLS using smart cards or MS-CHAP v2 is highly recommended as they provide mutual authentication and are the most secure methods of exchanging credentials. VISHWANATH, K., GREENBERG, A. and REED (2010) In this paper authentication for L2TP/IPSec connections occurs at two different levels: the computer is authenticated, and then the user is authenticated. This allows for the IPSec tunnel to be established prior to the authentication phase of the connection being made, thus allowing for all communications to happen in an encrypted state. John W. Rittinghouse & James F. Ransome (2010) In this paper authorization is the verification that the connection attempt is allowed. Authorization occurs after successful authentication. For a connection attempt to be accepted, the connection attempt must be both authenticated and authorized. It is possible for the connection attempt to be authenticated by using valid credentials, but not authorized. Usually this is because the Active Directory group that the individual belongs to does not have the right to VPN access of the network. Examples of this can be contractors or part-time employees who should not be accessing information unless they are being monitored by full-time employees. Another example can be with internal implementations for VPN where only members of Human Resources can access information on the protected network. In this case, the connection attempt is denied. In the Windows Server 2003 family, authorization of VPN connections is determined by the dial-in properties on the user account and remote access policies. Judith Hurwitz, Robin Bloor, Marcia Kaufman and Dr. Fern Halper (2011)
In this paper symmetric, or private-key, encryption (also known as conventional encryption) is based on a secret key that is shared by both communicating parties. The sending party uses the secret key as part of the mathematical operation to encrypt (or encipher) plain text to cipher text. The receiving party uses the same secret key to decrypt (or decipher) the cipher text to plain text. Examples of symmetric encryption schemes are the RSA RC4 algorithm, which provides the basis for MPPE, and DES, which is used for IPSec encryption. MATHEW, R. and SPRAETZ (2011) According to this paper with symmetric encryption, both sender and receiver have a shared secret key. The distribution of the secret key must occur (with adequate protection) prior to any encrypted communication. With asymmetric encryption, the sender uses a private key to encrypt or digitally sign messages, while the receiver uses a public key to decipher these messages. The public key can be freely distributed to anyone who needs to receive the encrypted or digitally signed messages. The sender needs to carefully protect the private key only. EAP-TLS is an IETF standard (RFC 2716) for a strong authentication method based on public-key certificates. With EAP-TLS, a client presents a user certificate to the dial-in server, and the server presents a server certificate to the client. The first provides strong user authentication to the server; the second provides assurance that the user has reached the server that he or she expected. Both systems rely on a chain of trusted authorities to verify the validity of the offered certificate. The remote access account lockout feature is used to specify how many times a remote access authentication fails against a valid user account before the user is denied remote access. Remote access account lockout is especially important for remote access VPN connections over
the Internet. Malicious users on the Internet can attempt to access an organization intranet by sending credentials (valid user name, guessed password) during the VPN connection authentication process. H. AbdelSalam, K. Maly, R. Mukkamala, M. Zubair, and D. Kaminsky (2011) In this paper the user has access to the network via VPN, that does not mean that the user should have access to every resource on the network while accessing from an unsecured location. Remote access policies that define authorization and connection constraints can be used to specify a set of IP packet filters that are applied per user or group to remote access connections. When the connection is accepted, the packet filters define the types of IP traffic that are allowed from and to the VPN client. This feature can be used for extranet connections.