Secure VPNs for Trusted Computing Environments
Steffen Schulz and Ahmad-Reza Sadeghi
Book Series Lecture Notes in Computer Science
Publisher Springer Berlin / Heidelberg
ISSN 0302-9743 (Print) 1611-3349 (Online) Volume
Volume 5471/2009
Book Trusted Computing
DOI 10.1007/978-3-642-00587-9
Copyright 2009
ISBN 978-3-642-00586-2
DOI 10.1007/978-3-642-00587-9_13
Pages 197-216
Subject Collection Computer Science
SpringerLink Date Wednesday, February 18, 2009

Abstract

Virtual Private Networks are a popular mechanism for building complex
network infrastructures.  Such infrastructures are usually accompanied
by strict administrative restrictions on all VPN endpoints to protect
the perimeter of the VPN. However, enforcement of such restrictions
becomes difficult if these endpoints are personal computers used for
remote VPN access. Commonly employed measures like anti-virus or
software agents fail to defend against unanticipated attacks.  The
Trusted Computing Group invested significant work into platforms that
are capable of secure integrity reporting. However, trusted boot and
remote attestation also require a redesign of critical software
components to achieve their full potential.  In this work, we design
and implement a VPN architecture for trusted platforms. We solve the
conflict between security and flexibility by implementing a
self-contained VPN service that resides in an isolated area, outside
the operating system environment visible to the user. We develop a
hardened version of the IPsec architecture and protocols by addressing
known security issues and reducing the overall complexity of IPsec and
IKEv2. The resulting prototype provides access control and secure
channels for arbitrary local compartments and is also compatible with
typical IPsec configurations. We expect our focus on security and
reduced complexity to result in much more stable and thus also more
trustworthy software.