The Silence of the LANs: Efficient Leakage Resilience for IPsec VPNs
Steffen Schulz, Vijay Varadharajan, and Ahmad-Reza Sadeghi
Abstract: Virtual Private Networks (VPNs) are increasingly used to build logically isolated networks. However, existing VPN designs and deployments neglected the problem of traffic analysis and covert channels. Hence, there are many ways to infer information from VPN traffic without decrypting it. Many proposals have been made to mitigate network covert channels, but previous works remained largely theoretical or resulted in prohibitively high padding overhead and performance penalties.
In this work, we (1) analyse the impact of covert channels in IPsec, (2) present several improved and novel approaches for covert channel mitigation in IPsec, (3) propose and implement a system for dynamic performance trade-offs, and (4) implement our design in the Linux IPsec stack and evaluate its performance for different types of traffic and mitigation policies. At only 24% overhead, our prototype enforces tight information-theoretic bounds on information leakage. To encourage further research, we put our prototype code and data in the public domain.
Index Terms: IPsec, VPNs, covert channels, performance, trade-off
EDICS: STG-COVC, STG-APPS, NET-ATTP
I. INTRODUCTION
Virtual Private Networks (VPNs) are popular means for enterprises and organizations to securely connect their network sites over the Internet. Their security is implemented and enforced by VPN gateways that tunnel the transferred data in secure channels, thus logically connecting the remote sites in an isolated network. Abstracted this way, VPNs are increasingly used in scenarios that secure channels were not designed for: to logically isolate networks, providing networks as a service in virtualized environments like Clouds, Trusted Virtual Domains, or the Future Internet , , . However, what is not considered in these scenarios is the long known problem of covert channels.
Covert channels violate the system security policy by using channels not intended for information transfer at all , . While there is a large body of research on covert channels, few works have considered the practical implementation and performance impact of comprehensive covert channel mitigation in modern networks. We believe this topic is important for a number of reasons, especially in virtual networks and VPNs:
Ahmad Sadeghi is director of the System Security Labs and the Intel Collaborative Research Institute for Secure Computing (ICRI-SC) at Technische Universität Darmstadt, Germany ([email protected]).
Vijay Varadharajan leads the Information and Networked System Security (INSS) group at Macquarie University, Australia ([email protected]).
Steffen Schulz is a PhD student at the System Security Labs, Ruhr-University Bochum, Germany, the INSS at Macquarie University, and associated with the ICRI-SC at Technische Universität Darmstadt ([email protected]).
(1) Insider Threat: In contrast to end-to-end secure channels, where the endpoints are implicitly trusted, VPNs are also used for logical network isolation and perimeter security enforcement. In this context, the members of a VPN are often not fully trusted, but instead the trust is reduced to central policy enforcement points, the VPN gateways, which should prevent undesired information flows. However, malicious insiders in the LAN may leak information through the VPN gateways using covert channels, thus circumventing the security policy. Examples of such insiders can be actual humans or stealth malware, engaging in industrial espionage, leaking realtime financial transaction data, or disclosing large amounts of data from physically secured institutions (e.g., to Wikileaks).
(2) Traffic Analysis: By analysing traffic patterns and meta-data, it is also possible to infer information about transferred data without assuming a malicious insider , . Such passive Man-in-the-Middle (MITM) scenarios are becoming more prevalent with network virtualization, allowing co-located, supposedly isolated systems to analyse each other . To mitigate such attacks, a common approach is to consider the maximum possible information leakage by assuming colluding malicious insiders. By limiting this information leakage, covert channel mitigation thus also affects traffic analysis .
(3) Combination with Detection: Although application-layer firewalls and intrusion detection systems are widely deployed, carefully designed covert channels remain hard to detect , . In these systems, the adversary chooses a weaker signal and mimics the patterns of regular channel usage. Covert channel mitigation can be useful here to induce noise, forcing the adversary to use a stronger signal and thus facilitate detection. We expect the combination of covert channel mitigation and detection to allow for less intrusive pattern enforcement and thus significantly reduce the performance penalty.
a) Contributions: This paper provides for the first time an explicit analysis of covert channels in IPsec based VPNs and a comprehensive set of techniques and mechanisms to mitigate them. We identify and categorize the different types of covert channels and determine their capacity. We develop a framework for mitigation of these covert channels and describe mechanisms and techniques for high-performance covert channel mitigation. In particular, we propose an algorithm for on-demand adjustment of traffic pattern enforcement that increases peak network performance while also reducing overhead during reduced usage. We present a practical instantiation of this framework for the Linux IPsec stack and analyse its performance for different kinds of traffic. In contrast to previous works, which achieve throughput rates in the range of modem speed ,  and taunt the performance impact of proposed mitigation mechanisms , our prototype achieves 169 Mbit/s in a 200 Mbit/s VPN link at only 24% overhead.
[Figure 1 (diagram): LAN sites labelled Protected Domain and Unprotected Domain, with arrows marking the outbound covert channel and the inbound covert channel.]
Fig. 1. Problem scenario: A VPN with three LAN sites. The adversary aims to exchange information between the MITM and malicious insiders using covert channels.
b) Outline: After defining the problem of VPN covert channels in Section II, we discuss efficient covert channel mitigation and performance trade-offs in Section III. An implementation for the Linux IPsec stack is presented and evaluated in Section IV. We discuss related work in Section V and conclude in Section VI. A detailed discussion of the identified covert channels in IPsec VPNs is provided in Appendix A.
II. PROBLEM SETTING AND ADVERSARY MODEL
In the following we define the problem of covert channels in VPNs. Note that our definition differs from previous, less explicit considerations, which consider communication between legitimate VPN participants and are better described as steganographic channels , , . Although we limit ourselves to VPNs in state-of-the-art IPsec configuration , most of our results can be generalized.
A. System Model and Terminology
As illustrated in Figure 1, we consider a VPN comprising two or more Local Area Networks (LANs) that are interconnected over an insecure Wide Area Network (WAN). In our scenario, the security goal of the VPN is not only to provide a secure channel (confidentiality, authenticity, integrity) but also to confine communication of LAN hosts to the VPN, i.e., to isolate the protected from the unprotected domain. VPNs are increasingly used for such logical isolation, to create secure virtualized or overlay networks, or simply enforce perimeter security in large companies , , . This de-facto security goal of isolating the protected from the unprotected domain, and its efficient implementation, is the main focus of this work.
For this purpose, we distinguish legitimate channels that transfer and protect user data according to the VPN security policy from covert channels that can be used to circumvent this policy. Covert channels exist because the legitimate channel acts as a shared resource between the protected and unprotected domain, exhibiting certain characteristics that can be manipulated and measured by different parties. We denote channels from the protected to unprotected domain and vice versa as outbound and inbound covert channels, respectively.
We measure the security of our system using the Shannon capacity of the covert channels, i.e., the information theoretic limit on the amount of information that can be transferred through them . The covert channel capacity is given in bits per legitimate channel packet (bpp) or, where applicable, in bits per second (bps). The capacity of each covert channel type is denoted as $C^{type}$. The capacities are classified as maximum (m) vs. remaining (r) covert channel rate for inbound (in) vs. outbound (out) covert channels. For example, the maximum capacity of the outbound covert channel based on packet size is denoted as $C^{PktSize}_{m,out}$, or as $C$
countermeasures have been applied. The remaining aggregated inbound and outbound covert channel rates are denoted as $C_{r,in}$ and $C_{r,out}$, respectively.
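As an added, worked illustration of this notation (example code written for this edit, not part of the paper or its prototype): the Python below computes the Shannon capacity of a noiseless packet-size channel as log2 of the number of packet sizes an observer on the WAN can distinguish. With no padding this gives the maximum capacity $C^{PktSize}_{m}$; after packets are padded up to a fixed granularity it gives the remaining capacity $C^{PktSize}_{r}$, and a packet rate converts bpp into bps. The link parameters (1 to 1500 byte inner packets, the padding granularities, 1000 packets/s) are constructed assumptions.

```python
import math

# Constructed link parameters for this example (assumptions, not from the paper):
# inner packets of 1 to 1500 bytes are carried through the IPsec tunnel.
MIN_PAYLOAD = 1
MAX_PAYLOAD = 1500


def distinguishable_sizes(min_size, max_size, pad_granularity=1):
    """Set of packet sizes an observer on the WAN can still tell apart after
    every packet has been padded up to the next multiple of pad_granularity.
    Granularity 1 means no padding at all (the unmitigated channel)."""
    return {
        math.ceil(size / pad_granularity) * pad_granularity
        for size in range(min_size, max_size + 1)
    }


def pkt_size_capacity_bpp(min_size, max_size, pad_granularity=1):
    """Shannon capacity, in bits per legitimate packet (bpp), of the noiseless
    packet-size channel: log2 of the number of distinguishable sizes.
    With pad_granularity=1 this is the maximum capacity C^PktSize_m; with a
    padding countermeasure applied it is the remaining capacity C^PktSize_r."""
    n_symbols = len(distinguishable_sizes(min_size, max_size, pad_granularity))
    return math.log2(n_symbols)


def bpp_to_bps(capacity_bpp, packets_per_second):
    """Convert a per-packet capacity into bits per second for a given
    legitimate packet rate (the paper's bpp vs. bps convention)."""
    return capacity_bpp * packets_per_second


def capacity_profile(min_size, max_size, granularities, packets_per_second):
    """Maximum and remaining packet-size channel capacity for several padding
    granularities, as (bpp, bps) tuples keyed by granularity."""
    profile = {}
    for g in granularities:
        bpp = pkt_size_capacity_bpp(min_size, max_size, g)
        profile[g] = (bpp, bpp_to_bps(bpp, packets_per_second))
    return profile


if __name__ == "__main__":
    # 1000 packets/s is a constructed legitimate packet rate for the bps column.
    profile = capacity_profile(MIN_PAYLOAD, MAX_PAYLOAD, [1, 64, 128, 1500], 1000)
    for g, (bpp, bps) in profile.items():
        label = "C^PktSize_m (no padding)" if g == 1 else f"C^PktSize_r (pad to {g} B)"
        print(f"{label:28s} {bpp:6.2f} bpp  {bps:9.0f} bps")
```

Padding every packet to the full 1500 bytes drives the remaining capacity to zero (one distinguishable size), while coarser buckets such as 128 bytes only reduce it to about 3.6 bpp; this is the trade-off between padding overhead and residual leakage that the rest of the paper quantifies.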
B. Adversary Model
The adversary controls one or more compromised hosts in the LAN sites as well as an active MITM in the WAN. We refer to the LAN hosts controlled by the adversary as (malicious) insiders, regardless of whether they are controlled by actual humans or malware. The adversary's goal is to establish a communication channel between the MITM and one or more possibly colluding malicious inside