Mobile employees are very familiar with VPN clients. A VPN client establishes an encrypted communication channel between a user in a hotel room, a coffee shop or a customer location and the enterprise's applications. It protects data in transit from prying eyes, especially when traversing untrusted networks such as public Wi-Fi hotspots. VPNs often come integrated with enterprise firewalls and are a staple of virtually every enterprise security architecture.
VPN 'Anonymizers' are on the rise
VPNs have gained a shadier reputation in recent years. Consumer-oriented VPN services provide not only an encrypted communication channel but also an effective way to hide the end user's source IP address: the destination sees the VPN provider's exit address rather than the user's.
Why is the IP address important?
IP addresses serve as the lookup key for GeoIP location services, which map an address to an approximate location (typically a country, region or city, not a precise position). We see such services in action when Google, for example, presents a localized search page based on the user's apparent location.
This 'anonymization' capability has multiple implications. It can be a way to circumvent a government's censorship of content for its own citizens. It can also shield the downloading of pirated media such as music albums or movies. Another 'popular' use is bypassing the geographic restrictions that content providers such as Netflix or Pandora place on consumption in markets they don't officially serve or where their content licenses don't apply.
The same encrypted channels can also carry exfiltrated data, and because these services are built specifically to evade detection, exfiltration over them inherits that evasiveness.
The VPN 'Cat and Mouse' Game
We are witnessing a continuous battle between the 'VPN providers' and the 'monitoring tools'. As organizations try to detect VPN services or block VPN users, the VPN providers respond with ever stealthier evasion techniques.
During a traffic analysis conducted at Cato Networks research lab, we found two interesting tactics used by several VPN solutions:
1. Various VPNs use SSL encryption, but analyzing their traffic shows that their handshakes have characteristics that differ from ordinary HTTPS.
Figure 1, below, shows ordinary SSL traffic where the server name in the ClientHello's SNI extension matches the server certificate's subject. Figure 2 shows Tor Browser traffic where there is no match at all, and the subject and issuer names are meaningless, random-looking strings.
Figure 1: Standard SSL, Server Name Match
Figure 2: Server Name Mismatch with TOR
Figure 3, below, is a disturbing example of SSL traffic we've seen in the wild: the SSL server's certificate is pretending to be a Microsoft Windows Update certificate.
Figure 3: Fake Microsoft Windows Update
Examination of the certificate shows that it is self-signed and not signed by Microsoft at all. Apparently, the VPN provider created its own certificate and issuing CA with details mimicking Microsoft's, so that the SSL handshake looks similar to Windows Update's (see issuer name: www.update.microsoft.com, common name: Microsoft Update Secure Server CA 1). The give-away is that the chain does not validate against any trusted root: a look-alike name is cheap, a trusted signature is not.
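The two certificate tells described above (SNI not matching the certificate subject, and a brand-name certificate whose chain does not validate) can be checked mechanically from handshake metadata. The following is an added example, not code from Cato Networks: it runs three heuristics over constructed, Zeek-ssl.log-like tab-separated records that carry only a subset of fields (ts, orig_h, resp_h, server_name, subject, issuer, validation_status). The validation_status strings are modeled on OpenSSL verify messages; the field list, the BRAND_WORDS list and the sample records are assumptions made for the example. Record 3 mimics the fake Windows Update certificate of Figure 3.

```python
"""Heuristics for SNI/certificate mismatches in TLS handshake logs.

Added example (not Cato Networks code). Input is a constructed,
Zeek-ssl.log-like tab-separated log with a reduced field set.
"""

# Assumed column order of the constructed log (a real Zeek ssl.log has more fields).
FIELDS = ["ts", "orig_h", "resp_h", "server_name", "subject", "issuer", "validation_status"]

# Constructed sample records, not real captures.
SAMPLE_LOG = """\
1.0\t10.0.0.5\t203.0.113.10\twww.example.com\tCN=www.example.com,O=Example Inc\tCN=Example Intermediate CA,O=Example Trust\tok
2.0\t10.0.0.5\t203.0.113.20\twww.abc123xyz.com\tCN=www.p7q2m.net\tCN=www.k9r4t.com\tunable to get local issuer certificate
3.0\t10.0.0.7\t203.0.113.30\twww.update.microsoft.com\tCN=Microsoft Update Secure Server CA 1,O=Microsoft Corporation\tCN=www.update.microsoft.com\tself signed certificate in certificate chain
4.0\t10.0.0.9\t203.0.113.40\tapi.example.net\tCN=*.example.net,O=Example Inc\tCN=Example Intermediate CA,O=Example Trust\tok
"""

# Brand words that deserve a closer look when the chain does not validate (assumed list).
BRAND_WORDS = ("microsoft", "google", "apple", "update")


def parse_log(text):
    """Turn the tab-separated text into dicts; skip comments and malformed lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def rdn_value(dn, attr="CN"):
    """Pull one attribute (default CN) out of a comma-separated DN string."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == attr:
            return value.strip()
    return None


def hostname_matches(sni, name):
    """RFC 6125-style comparison: exact match, or a wildcard in the leftmost label only."""
    sni, name = sni.lower().rstrip("."), name.lower().rstrip(".")
    if sni == name:
        return True
    if name.startswith("*."):
        sni_labels, name_labels = sni.split("."), name.split(".")
        return len(sni_labels) == len(name_labels) and sni_labels[1:] == name_labels[1:]
    return False


def assess(rec):
    """Return reason codes for one record; an empty list means it looks ordinary."""
    reasons = []
    sni, subject, issuer, status = (rec[k] for k in ("server_name", "subject", "issuer", "validation_status"))
    # Modern certificates carry their names in the SAN extension (Zeek's x509.log
    # exposes them); this example compares against the subject CN only.
    cn = rdn_value(subject) or ""
    if sni and not hostname_matches(sni, cn):
        reasons.append("sni_subject_mismatch")
    if status != "ok":
        reasons.append("chain_untrusted")
    names = (subject + " " + issuer).lower()
    if status != "ok" and any(word in names for word in BRAND_WORDS):
        reasons.append("brand_impersonation")
    return reasons


def triage(text):
    """Map each record's ts to its reason codes."""
    return {rec["ts"]: assess(rec) for rec in parse_log(text)}


if __name__ == "__main__":
    for ts, reasons in triage(SAMPLE_LOG).items():
        print(ts, reasons or "ok")
```

Records 1 and 4 come back clean (record 4 exercises the wildcard match), record 2 reproduces the Tor-style mismatch with an untrusted chain, and record 3 additionally trips the brand check. In production, compare the SNI against the SAN dNSName entries rather than the CN alone, and feed the reason codes into a score rather than alerting on any single one, since self-signed certificates on internal services are common.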
2. QUIC Protocol
The QUIC protocol was designed at Google and first shipped in Google Chrome in 2013. Figure 4, below, shows a VPN client tunneling over QUIC. Because the protocol is used heavily by Chrome, it carries the credibility of a legitimate application, and VPN providers take advantage of that.
Figure 4: QUIC protocol used by VPN Anonymizer to mask as 'Google traffic'
QUIC runs over UDP, normally on port 443, and because the protocol is mainly associated with Google Chrome, IT organizations may simply allow this traffic. However, any other application can use it, including malware trying to exfiltrate data. Hence organizations should treat UDP/443 the way they treat TCP/443: it should be fully inspected as well, or, where the inspection stack cannot parse QUIC, blocked outright so that browsers fall back to TLS over TCP, which the existing inspection path already handles.
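Treating UDP/443 deliberately starts with recognizing QUIC from the parts of its header that are not encrypted: the version field and the connection IDs. The following is an added example, not code from Cato Networks. It follows the IETF long-header layout of RFC 8999/RFC 9000 (first byte, 4-byte version, DCID length and DCID, SCID length and SCID) and the legacy Google QUIC public header (flags byte, optional 8-byte connection ID, 4-byte ASCII 'Q0xx' version) from Google's pre-IETF wire layout; the version table, the SAMPLES packets and the triage_udp443 helper are assumptions made for the example, and the packets are constructed rather than captured.

```python
"""Identify QUIC on UDP/443 from its unencrypted header fields.

Added example, not Cato Networks code. Sample packets are constructed.
"""
import struct

# Known IETF version numbers (assumed table; extend as needed).
IETF_VERSIONS = {
    0x00000000: "version-negotiation",
    0x00000001: "v1 (RFC 9000)",
    0x6B3343CF: "v2 (RFC 9369)",
}
# Long-header packet types for QUIC v1 (bits 0x30 of the first byte).
V1_LONG_TYPES = {0: "initial", 1: "0-rtt", 2: "handshake", 3: "retry"}


def _gquic_tag(raw):
    """Return a 'Q046'-style Google QUIC version tag, or None."""
    if len(raw) == 4 and raw[:1] == b"Q" and raw[1:].isdigit():
        return raw.decode("ascii")
    return None


def classify_quic(payload):
    """Describe a UDP payload's QUIC header, or return None if it is not QUIC-like."""
    if len(payload) < 5:
        return None
    first = payload[0]

    if first & 0x80:  # Header Form bit set: IETF long header (also used by gQUIC Q046+)
        version = struct.unpack(">I", payload[1:5])[0]
        tag = _gquic_tag(payload[1:5])
        if tag:
            label, family = tag, "gquic"
        elif version in IETF_VERSIONS:
            label, family = IETF_VERSIONS[version], "ietf"
        elif (version >> 8) == 0xFF0000:  # draft versions are 0xff0000NN
            label, family = "draft-%d" % (version & 0xFF), "ietf"
        else:
            return None  # unknown version: do not call it QUIC on a single packet
        dcid_len = payload[5]
        if len(payload) < 6 + dcid_len + 1:
            return None
        dcid = payload[6:6 + dcid_len]
        scid_len = payload[6 + dcid_len]
        scid = payload[7 + dcid_len:7 + dcid_len + scid_len]
        info = {"family": family, "version": label, "dcid": dcid.hex(), "scid": scid.hex()}
        if version == 0x00000001:
            info["type"] = V1_LONG_TYPES[(first & 0x30) >> 4]
        return info

    if first & 0x01 and not first & 0x02:  # legacy gQUIC: VERSION flag set, RESET flag clear
        offset, cid = 1, b""
        if first & 0x08:  # 8-byte connection ID present
            cid, offset = payload[1:9], 9
        tag = _gquic_tag(payload[offset:offset + 4])
        if tag is None:
            return None
        return {"family": "gquic-legacy", "version": tag, "dcid": cid.hex(), "scid": ""}

    return None


# Constructed UDP/443 payload prefixes, not captures.
SAMPLES = {
    "ietf_v1_initial": bytes([0xC3]) + b"\x00\x00\x00\x01"
        + bytes([8]) + bytes.fromhex("8394c8f03e515708") + bytes([0])
        + b"\x00" + b"\x41\x00" + bytes(16),
    "gquic_legacy": bytes([0x09]) + bytes.fromhex("0102030405060708") + b"Q043" + bytes(16),
    "dns_like": bytes.fromhex("1234010000010000000000000377777707") + bytes(8),
    "junk_long_header": bytes([0xC0]) + b"\xde\xad\xbe\xef" + bytes(16),
}


def triage_udp443(flows):
    """flows: iterable of (dst_ip, payload). Returns QUIC flows that need a policy decision."""
    hits = []
    for dst, payload in flows:
        info = classify_quic(payload)
        if info:
            hits.append((dst, info["family"], info["version"]))
    return hits


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify_quic(pkt))
```

The classifier deliberately rejects long headers with an unknown version rather than guessing, so random UDP on port 443 is not labelled QUIC. What it cannot give you is the SNI: in IETF QUIC the Initial packet's payload is encrypted with keys derived from the DCID, so reading the server name means implementing that derivation, which is exactly why many organizations choose to block UDP/443 and inspect the TCP fallback instead.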
Consumer VPN services are adopting evasive techniques against detection, and it is very likely they will enable a new class of enterprise threats. Malware can use the VPN client as a node in a VPN network that provides anonymization, or as part of a botnet in a DDoS attack. Furthermore, malicious insiders can use these protocols to present a 'legitimate' traffic profile while exfiltrating data. As this is an endless cat-and-mouse game, security vendors will have to adopt a more holistic approach, monitoring WAN and Internet-bound traffic at multiple layers to detect malicious activity and reduce the risk of a data breach.