Bachelor Thesis - Secure remote access to a work environment Digital Forensics, 15 credits - DIVA
Bachelor Thesis
IT-Forensics and Information Security, 180 credits

Secure remote access to a work environment
Digital Forensics, 15 credits
Halmstad 2020-06-22
Ricardo Bergvall
HALMSTAD UNIVERSITY

Secure remote access to a work environment
Ricardo Bergvall
Examiner: Urban Bilstrup
Supervisor: Ross Friel
University of Halmstad
Academy for information technology
IT-Forensic and Information security
Halmstad June 2021
Foreword

I would like to thank Ross Friel, who has been my supervisor throughout this process and helped and motivated me to finish my work. Secondly, I'm immensely thankful to have been given the opportunity to do my work together with the company mentioned in this paper, as it wouldn't have been possible without them.

Ricardo Bergvall
Halmstad 2021-06-11
Abstract

This project is about how free, open-source tools can create reasonable, secure and flexible remote access solutions for smaller companies with a limited budget. Secure remote access to a working environment is a solution for its time, as last year Covid-19 changed the working environment for millions of employers and employees. The importance of secure remote access to a working environment became noticeable as offices closed down and employers started working from home. Still, the need for secure access to the company's infrastructure remains. This is where Virtual Private Networks (VPNs) enter the picture, as they have a broad application scope and are particularly useful for secure remote access.

My project was subdivided into three parts:

• How to implement secure remote access to a working environment within the requirements of the chosen company, which are an inexpensive solution with high-security features.
• Automate the creation and distribution of all the necessary parts that their employees will need in a VPN structure.
• Research about the future direction regarding VPN and the importance of cybersecurity to help ensure security preparedness for the company.

The chosen solution was OpenVPN and Google Authenticator, together with a written bash script. It became a solution that was free, flexible, secure and scalable.

But why the need, and what about the future? Research shows that a high percentage of small and medium-sized enterprises are vulnerable to cyberattacks. It also shows that these companies have the lowest cybersecurity. "It wouldn't happen to us" is a dangerous but, sadly, typical mindset throughout the S&M companies. It's primarily because of this that S&Ms are more exposed than larger companies. The future of VPNs has become more important than ever before: their use has risen all over the world during Covid-19, and the research and development of VPNs has accelerated.
The research objectives of this project are of high interest to many other organizations in the same position, and the presented work has helped answer the question:
"Where will we stand in a few years regarding secure remote work, cybersecurity and encrypted networks?"
Abbreviations & Acronyms

● VPN – Virtual Private Network
● SSL – Secure Sockets Layer
● TLS – Transport Layer Security
● OSI model – Open System Interconnection Model
● PKI – Public Key Infrastructure
● PAM – Pluggable authentication module
● HTTPS – Hypertext Transfer Protocol Secure
● SSH – Secure Shell Protocol
● MFA – Multi-factor authentication
● RDC – Remote desktop connection
Table of Contents

Foreword
Abstract
Abbreviations & Acronyms
Table of Contents
1. Introduction
  1.1 Background to Topic
  1.2 Purpose and Research Question
  1.3 Research Objectives
  1.4 Positioning of research objectives.
2. Methodology
  2.1 Design
  2.2 Pre-study
  2.3 Problematize of method
  2.4 Positioning of Method
3. Literature
  3.1 Virtual Private Network
  3.2 OpenVPN Community Edition - Open Source
  3.3 OpenVPN certification authentication
  3.4 OpenVPN client and server configuration
  3.5 OpenVPN multi-factor authentication
  3.6 Multi-Factor authentication - Google Authenticator
  3.7 Multi-Factor Authentication
  3.8 Google Authenticator
  3.9 One-time password
  3.10 Time-based One-time password
  3.11 Linux Ubuntu Server 20.04
  3.12 Shell scripting - bash
  3.13 Linux commands and programs
4. Experimental design
5. Results
  5.1 Setting up a working VPN server with MFA connected.
  5.2 Automate how to create users, keys, certificate, client configurations and distribute the files conveniently.
  5.3 Guide the user to install and set up MFA, install an OpenVPN client, and merge the keys, certificate, client configurations into the OpenVPN client.
6. Discussion
7. Conclusion
Future Work
Reference - Apa 7th Edition
Appendix
  Appendix A: Script used for automating the process of creating and distribute all the files.
  Appendix B: Lathund – VPN – Connection
1. Introduction

1.1 Background to Topic

Having access to companies' working environments from home has been an essential part of 2020 and 2021, leading more companies to form a working-from-home policy. One crucial part of this is the software and technical procedures that the companies and agencies use to connect to the working environment.

In this case, the author had come in contact with a small company within the branch of financial tech. They have their employees working from home. To make this possible, they have a VPN (Kasperspky, 2021) and Remote desktop protocol (Microsoft, 2020) solutions for their connection to their working environment. They were interested in the author's subject because their VPN solution was missing some requirements, which were multi-factor authentication (Al-Absi, Hui, Ibrokhimov, Lee and Sain. 2019) when connecting to the VPN, and automating the process of creating client keys, certifications and configurations.

The author's work with the company was setting up a new secure remote access to their working environment with the specific requirements added, using different sources of information to gain knowledge and expertise about the task.

The VPN that is used in the thesis project is OpenVPN. OpenVPN is an open-source VPN protocol that uses the OpenSSL library for encryption and authentication. It's widely used and known for its free and inexpensive services (OpenSSL, n.d. & Openvpn, n.d.d). OpenVPN also uses an SSL/TLS VPN implementation, one of the three major VPN implementations commonly used (Oskolkov, 2016).

Using an SSL/TLS VPN has its advantages and disadvantages. The many benefits match the company's requirements, such as security, low cost and flexibility, which Sun (2011) goes over in his research paper. One advantage is how SSL VPN works as a centralized log analyzing tool independently, which is very useful for the system administration (Sun, 2011).
One disadvantage is that it has a high threshold of knowledge to configure and set it up (Oskolkov, 2016).
Digital multi-factor authentication is something that is widely used for different software and applications. It is the second layer of security on top of authentication with a username and password, which could easily be compromised (Al-Absi, Hui, Ibrokhimov, Lee and Sain. 2019). MFA will be implemented combined with the VPN as extended security.

1.2 Purpose and Research Question

This project aims to make a good solution for the company and to gain experience and knowledge about the subject and the working process. There is also the purpose of creating a more general research report about the subject, for example to give insight into how to make a functional and economical solution for smaller companies that may not have the same resources as larger companies.

A question that permeates part of the paper and the research object is: "Where will we stand in a few years regarding secure remote work, cybersecurity and encrypted networks?"

1.3 Research Objectives

The research objectives are based on the assignment given by the employer, which are:

• How to implement secure remote access to a working environment within the requirements of the chosen company, which are an inexpensive solution with high-security features.
• Automate the creation and distribution of all the necessary parts that employees will need in a VPN structure.
• Research about the future direction regarding VPN and the importance of cybersecurity to help ensure security preparedness for the company.

To reach an inexpensive solution, the author will prioritize free open-source software. The security features that need to be in place are already part of the standard community solution for OpenVPN with a certificate authority (Russel, 2019). The addition will be multi-factor authentication, which is chosen within the best practice scope (Moore, 2017).

The research objectives regarding the range of the solution will be:

• Fifty possible connections at the same time.
• The VPN server will be located on a physical server.
• Three administration accounts linked to the server, with two specifically for system administrators.

The research object focusing on automation and distribution will include a manual for the employers on how to implement the necessary VPN structure and a working automated solution in the form of a bash script.

An element that could negatively affect the research objects is the lack of generalization. The author's objects are in line with one specific company and their request. They dictate how the solution will be formed, and it will be created around how their infrastructure is built. Thereby the solution could be too unique for other companies to use. However, the author's goal is to make a more general solution, making it essential that even though it's a project with a specific company, it has to conclude generalized questions and answers.

1.4 Positioning of research objectives.

The future of VPNs is quite interesting: their use has risen over the world during Covid-19, and the research and development of virtual private networks has accelerated. The research objectives regarding the subject are very topical and something that many are speculating about: "Where will we stand in a few years regarding secure remote work, cybersecurity and encrypted networks?" (Slattery, 2020).

Why the need for a VPN, and why has there been a surge in its use? Last year, Verizon (2019) reported that 43% of small companies had been a subject of a cyberattack. A successful cyberattack could cost the company around 200.000 dollars, which would be a disaster for a smaller company.
That's why cybersecurity is essential, and VPN is a reasonably cheap but high-security tool that could be used to protect against cyber threats. Especially now, when people are working from home and accessing and transferring essential information from the local company server, end-to-end encryption is necessary so certain data can't be accessed by a hostile party. Using a VPN also gives the employer access to the company's assets without the company having to lower the security on their structure to provide the employers with access (Gargiulo, 2020).
2. Methodology

2.1 Design

The present study is a thesis project built on the guidelines and manual that the KTH Royal Institute of Technology (2015) uses. The company's demands and requirements also influence it. The project will be done in three major stages (KTH, 2020):

● Pre-study.
● Practical laboratory work.
● Final report and evaluation.

2.2 Pre-study

The pre-study will include data collection, methodology and evaluation and be part of the final report (KTH, 2016). It will be done before the practical part of the project and work as a guideline throughout the process.

Data Collection

The data collection was handled in two steps: a literature investigation regarding the given subject and an agile approach with a supervisor at the company. The agile approach consisted of a scheduled meeting every week and an open-door policy. At the meetings, the author presented the results and how the process was going (Zelkowitz, 2004). The open-door approach was based on asking the supervisor questions about the company, its environment and how they would like the solution to be designed, etc. He would get an answer back to me at his earliest convenience.

This set-up heavily influenced the author's work, because working as a consultant could be problematic if there is no open dialogue with the company, but this wasn't the case. The meeting we had every week was well structured: the result of last week's work was displayed and explained, including how the author decided between different alternatives, the difficulties, and what the plan was for the following week. If there were any questions on their part, it was at these meetings they asked them.

The literature investigation was mainly focused on research about OpenVPN servers and multi-factor authentication, and on articles and videos going through the process of setting up a VPN server (OpenVPN, n.d.a). I was using IEEE Xplore (n.d.) as the primary database for my research, and my main keywords were "secure remote-access", "virtual private network servers", "multi-factor authentication", "OpenVPN", "cyber-threats" and "encryption".

Laboratory work

The laboratory work through this process was done remotely through their remote access. It gave me access to their laboratory server, which had Ubuntu 20.04 OS installed. I had full admin access throughout this whole process. The software that the company used for their remote solution was OpenVPN, which made it natural for me to use it. It also fit the requirement of an inexpensive solution.

The author started working two hours each day with separate research work on his own. I had good contact with my supervisor at the company. The working process was done step by step, with research, implementation and testing to reach the goal.

2.3 Problematize of method

The methodology for the thesis project was done as a working assignment for a company. The methodology therefore differs somewhat from that of a literature-based bachelor thesis, which could make the final report lack reliable sources. Since the VPN setup is very different from one situation to another, the references for the setup are mainly based on guides from "YouTube", various forums, and the VPN software companies' own websites. A big part of the final report is the position of the thesis against other papers and research. Due to the difference in the work process, the report could miss credibility gained through sources.
The agile meeting and open-door policy are beneficial, but it could be a problem if the help were too much. Furthermore, it would lower the project's credibility, as it is crucial to remember that this is the company for which the author creates a solution and not the other way around. Finally, the meetings could also seem like a problem if they gave no insight and instead just wasted time.

The author also had a situation with the laboratory work. In foresight, it was a suitable methodology with a promising approach for the implementation, but it was based on a high level of knowledge about Linux OS systems. Therefore, it could have been a big problem, which could have slowed down the process dramatically, because gaining the necessary knowledge about a new OS system could take time.

2.4 Positioning of Method

The author's methods for the thesis project are based on the guidelines from KTH (2020). They have a good reputation and credibility. The author chose to follow their guides because there were no other universities with the same volume of information regarding the subject.

The project uses qualitative data collection as a method to gather and present data (Kablr, 2016). It's used as part of the experimental method to give a baseline of information that the laboratory work can rely on (Kablr, 2016). The laboratory work also relied on trial and error, especially when the author was scripting. Trial and error is a well-known method for beginners, as described by Edwards, S. H. (2004), as it is easy to adapt, particularly when scripting and programming.

Bratha et al. (2020) cover how to implement an IPsec VPN as part of their VPN project. They describe how they use a qualitative methodology with an experimental design. The method is similar to the author's approach for this project: gathering information to form a structure which later is used in the experimental part. "Testing and Evaluation" is a section in their research paper that can be compared with the author's laboratory work.
3. Literature

3.1 Virtual Private Network

The information we transmit from point A to point B can be "overheard" by hostile actors on the open internet. Private information and internet habits can be logged and tracked. A VPN can hinder this. It has a wide variety of functions to cope with internet security and privacy, and one of them, which is covered in this project, is how it can create a tunnel from point A to point B. To put it another way, it is a reliable data transmission channel that encrypts your information from a local network to the exit point, which in this case would be the office network. It keeps the transmission secure through various authentication processes and communication protocols (Guixin, Y., Hongzhuo, Q., and Zhiyong, L. 2013).

The picture displays a VPN network architecture, and this is how it could look when you connect to your company infrastructure. The VPN client exists on your computer.

Figure 1. VPN network topological

3.2 OpenVPN Community Edition - Open Source

OpenVPN community edition is the VPN daemon (background computer process) that was used in this project. It's an open-source SSL VPN. SSL is one of three significant standards in secure access to the internet. OpenVPN uses the SSL/TLS protocol, which operates over either layer two or three in the OSI model (Qing, 2009 & OpenVPN, 2016).
OpenVPN is known for its cost-effectiveness and customization-friendly environment, which is why the author chose to use it for the project, because it follows the demands from the company. Significant options that were used from the software's large variety were certification authentication and multi-factor authentication (OpenVPN, 2016).

3.3 OpenVPN certification authentication

Certification authentication is based on PKI (public key infrastructure). PKI is used for public-key encryption management. It's widespread, and some examples of where it is used are (SSH Academy, n.d):

● Web Browser Security - HTTPS
● Email Encryption - X.509 certification
● SSH - Remote connection

Its primary purpose is to secure the identity of a user or device for secure establishment. OpenVPN CA uses four certificates/keys: one that is public, one private for the VPN server, one private for each client that uses the services, and one to sign the rest of the keys and certifications. It is also viable to add an extra static key for a TLS-auth directive between the server and the client (OpenVPN, n.d.g & OpenVPN, n.d.d).

OpenVPN uses these keys/certificates to verify the validity of each user and device connected through the SSL connections. If the verification fails, the server won't establish a connection to the client. These keys and certificates are generated by pre-built shell scripts that OpenVPN provides when downloading the VPN daemon to the Ubuntu server (OpenVPN, n.d.d).

The keys used in the OpenVPN CA are RSA keys, and it's viable through the scripts to configure the size of the RSA keys from 1024 to 4096 bits. Nowadays, it is good practice to use 2048-bit keys (Singh, 1999).
3.4 OpenVPN client and server configuration

How the VPN server operates and interacts with the clients is decided in the configuration files, and it's also where the security measures are stated. The client configuration files work similarly: they determine how the client will interact with the VPN server. Configurations and how they are formed are very individual, based on how the user wants their server to be set up. The author of this project had a guide written by Mark Drake (2018) as an inspiration for the VPN server setup, so many configurations are based on it. However, the configurations are mostly standardized except for the part where multi-factor authentication is implemented.

3.5 OpenVPN multi-factor authentication

The settings and configuration that made multi-factor authentication available on the VPN server are based on the Google Authenticator PAM module (Github, 2020), an open-source project with the goal of integrating a PAM module with SSH, OpenVPN, etc. A PAM module can use Google Authenticator, which gives the user the ability to validate themselves (Github, 2020).

3.6 Multi-Factor authentication - Google Authenticator

Multi-factor authentication is a function to strengthen the security measures which already are in place. It functions as an extra step in the user login phase, and it can be some form of additional code that needs to be entered before the user is successfully authenticated. It can also be biometric authentication (NIST, 2020). It's very diverse, but the MFA in the focus of this project is Google Authenticator, and it uses a time-based one-time password (TOTP) algorithm that works through an application that Google LLC owns (Barret, 2018).

3.7 Multi-Factor Authentication

MFA is built on the requirement that it has at least two of the factors listed below (NIST, 2020):

● A password or a pre-decided question that only the user can answer.
● A physical attachment to a thing that the user can use to verify and authenticate themselves. It could be a card reader, a mobile device or a bank card.
● A biometric authenticator, which could be a fingerprint, iris scan or facial recognition. To simplify, it is a thing that is a unique part of the user and can be used to verify the authentication of a user.

These factors can be combined in different ways, but they are all a part of the MFA function, and you need at least two of these factors together to count as an MFA security aspect.

3.8 Google Authenticator

Google Authenticator is an MFA application that Google LLC owns. It can be found on the Google Play store or Apple store (Google Play, 2020). It can be used on different devices which can run the application. The device on which the user has installed it is called a "trusted device", and the registration of a specific service is locked to the trusted device (Gilsenan, 2018). So, for example, if you register the OpenVPN server to be bound to your Google Authenticator on your smartphone, you won't be able to log into your Google account and use the MFA on your smart-tablet.

3.9 One-time password

One-time passwords are often used together with a multi-factor authenticator. The password that the authenticator generates, which the user later uses together with a username and password, is the extra step to verify their validity. The one-time password can be generated in many different ways and is often time-based, which means that it changes after a certain amount of time (Gilsenan, 2018).

3.10 Time-based One-time password

Time-based OTP stands for time-based one-time password (TOTP) and is commonly used with an MFA generator. TOTP is one of the algorithms that Google Authenticator uses, and TOTP is thereby used within this project.

TOTP codes are often called "tokens", and in this case, the token is standardized to be valid for 30 seconds before a new token is available (Openvpn, n.d.e). The solution which the OpenVPN server uses also has an addition: the tokens before and after the active token are also valid for use. This leaves the user with a window of one minute and thirty seconds to validate themselves with the first generated token. It compensates for errors that could occur with time-sync between client and server. This setting is in place for this project's VPN server, and it can be changed to a larger gap if one minute and thirty seconds isn't enough (Github, 2020).

3.11 Linux Ubuntu Server 20.04

Ubuntu is a Linux-based operating system. It's free to use and built as open-source software where ideas from users and the community help it develop (Ubuntu Community, n.d).

The difference between an Ubuntu server and an Ubuntu desktop is slim. They share the same core kernel. The difference between them is how they are set up and which pre-installed packages and configurations there are. One main thing, for example, is that Ubuntu desktop comes pre-installed with a GUI, and Ubuntu server doesn't. The choice between them depends on how you will use them, as a server or a desktop (Cawley, 2021).

3.12 Shell scripting - bash

Shell scripts are UNIX/Linux-based programs which are used to control, modify and execute different programs and files, etc. Shell scripting is used as a terminal interpreter programming language that is very useful when working and developing in a Linux environment (Barners, 2018).

The author of this project uses Bourne Again Shell (bash), a type of shell scripting language. It's used to automate the process of creating users, keys and documents and distributing them. Shell scripting is a programming language, so it has the ability to use functions, variables, operators, etc. Therefore, it is highly effective to use it together with commands and programs that are run and executed inside the script (Hiwarale, 2019).
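The acceptance window described in section 3.10 (previous, current and next 30-second token), as an added Python example that is not code from the thesis or from the Google Authenticator PAM module. It computes RFC 6238 TOTP codes with HMAC-SHA-1; the secret is the RFC 6238 test key, and the names `totp`, `verify` and `accepted_seconds` are illustrative.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # token lifetime given in section 3.10
DIGITS = 6         # code length shown by the authenticator app

# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """Return the RFC 6238 TOTP code (HMAC-SHA-1) for the step containing unix_time."""
    # Secrets are exchanged as base32, often without padding or with spaces.
    cleaned = secret_b32.upper().replace(" ", "")
    cleaned += "=" * (-len(cleaned) % 8)
    key = base64.b32decode(cleaned)

    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()

    # Dynamic truncation (RFC 4226): the low nibble of the last byte selects
    # four bytes, whose top bit is masked off.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, server_time, window=1):
    """Check a submitted code against the steps in [-window, +window].

    Returns the matching step offset (0 = current step, -1 = previous,
    +1 = next) or None when the code is outside the window.
    """
    current = server_time // STEP_SECONDS
    matched = None
    for offset in range(-window, window + 1):
        counter = current + offset
        if counter < 0:
            continue  # no time step exists before the Unix epoch
        expected = totp(secret_b32, counter * STEP_SECONDS)
        # Constant-time comparison; the loop does not stop at the first
        # match, so every candidate step is always evaluated.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            matched = offset
    return matched


def accepted_seconds(window=1):
    """Total time span during which one code is accepted by the server."""
    return (2 * window + 1) * STEP_SECONDS


if __name__ == "__main__":
    code = totp(SECRET_B32, 59)  # device clock at t = 59 s
    print("code generated on the device:", code)
    for server_clock in (59, 89, 29, 119):
        print("server clock", server_clock, "->", verify(SECRET_B32, code, server_clock))
    print("acceptance span with window=1:", accepted_seconds(1), "seconds")
```

A non-zero offset returned by `verify` indicates clock drift between the trusted device and the server; a larger `window` tolerates more drift but lengthens the time during which an intercepted code stays usable.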
3.13 Linux commands and programs

The commands and programs which are used in the author's script are:

● echo - To output information about the script's process and which functions are executing, and why.
● cd - To make sure that commands and programs are executed in the correct folders and directories.
● cp - To copy and rename specific files before moving them into a username-based folder for later use and documenting.
● grep - To find certain lines inside files and pipe them out to a new file.
● rm - To remove specific files that are created by the script but are not necessary to keep after certain lines and information have been extracted from them.
● mkdir - To create a folder with the name based on the arguments used with the script. This is where the files which are created through the script are stored.
● useradd - To add a user on the server with no login privileges. The user is later connected with Google Authenticator.
● su - To run specific commands and programs as a root user.
● google authenticator - To create an MFA user connected to the Ubuntu server and Google Authenticator.
● replace - To change certain lines with the arguments that are used with the script.
● mutt - To send an email with an attachment to users/clients.

To gain knowledge about these commands/programs, I used the man pages, which are pre-installed on the Ubuntu server and work as a manual to explain all the commands and programs used in a Linux environment (Ubuntu Manuals, 2019). The programs and commands often have many extra arguments linked to them to change how they interact and execute.

There are many ways to use commands and programs in a Linux environment. Above is how the author of this project chose to use the commands and programs.
4. Experimental design

Recreating my project is very important, as the solution would be generalized and used by whoever needs it. Therefore, the author will go over step by step how it was done and refer to other instances in the paper.

1. The author updated the physical server to begin with, which had Ubuntu 18.04 installed, but after the update had 20.04, as it was the LTS version when the project was completed (3.11 Linux Ubuntu Server 20.04, page 13). So it's essential to have your IT structure up to date.
2. The author downloaded OpenVPN and researched how to implement it on an Ubuntu-based server (3.2 OpenVPN Community Edition - Open Source, page 9).
3. During the installation of the OpenVPN server, different configurations need to be configured and set (3.2 OpenVPN Community Edition - Open Source, page 9 & 5.1 Setting up a working VPN server with MFA connected., page 17). Also, the company's local firewall was configured to accept the OpenVPN IP address range at this stage. It is essential to know the office network architecture when you configure the firewall to distribute access to different areas of the office network.
4. The next step was to create keys for both the server and clients based on the assignment (3.3 OpenVPN certification authentication, page 10). The author also installed the necessary OpenVPN client on his own computer with the required configuration files, keys and certifications. It's important to have your keys up to date; 2048-bit sizes are now standard.
5. The author tests the solution and sees if it works to establish a connection to the office network from the author's computer, which is connected to another network. If you cannot connect, you will have to troubleshoot and maybe redo some of the steps above. It's crucial that you make sure that it works on different computers and networks and that you have access to all the necessary assets you should.
6. Read up on how the Google Authenticator PAM module works (3.5 OpenVPN multi-factor authentication, page 11 & 3.8 Google Authenticator, page 12).
7. Install Google Authenticator and the PAM module; read and follow the guide linked in the result part (5.1 Setting up a working VPN server with MFA connected., page 17). It's vital that the PAM configuration file is set up correctly.
8. Confirm that Google Authenticator works together with the OpenVPN server before the next step.
9. The next step will be to automate the process. To be able to do this, the author will use different Linux commands and programs through a written bash script (3.12 Shell scripting - bash, page 13 & 3.13 Linux commands and programs, page 13).
10. The author's script can be seen in Appendix A. The functions and programs it contains can be found here: 5.2 Automate how to create users, keys, certificate, client configurations and distribute the files conveniently., page 17 & 3.13 Linux commands and programs, page 13. The script automates the creation of users for Google Authenticator and the creation of the employers' OpenVPN client keys, certifications and configuration files. Also, it distributes all of the critical files to the employers' mail together with an instruction document. It is important to change the directory and file locations in the script based on your server structure, and that you have full root access before executing the script.
11. The last step is to create an instruction document that is added to the mail that the employer receives. It's important to create a step-by-step, user-friendly instruction document because it will save a lot of time during the roll-out of the new solution (Lathund – VPN – Connection, page 40).
12. Receive feedback from the employees on what they thought about the roll-out. Make adjustments based on their inputs.
17 5. Results This project goal was to set up a working VPN server with the configurations and security measures that the company demanded. This includes: 5.1 Setting up a working VPN server with MFA connected. This part of the project was done on the company's Linux ubuntu server. The author used Mark Drakes (2018) guide for the setup of the VPN server. For the MFA set-up, the author used Egon Brauns (2017) guide as it was recommended by Openvpn (n.d.f). It was a success, and any issues that occurred were primarily based on that the guides were outdated. The cost of the solution was slim as there was no external cost because OpenVPN community edition and Google Authenticator are free, open-source software. The internal cost was the authors' workings hours which combine overall was around 40 hours, and except that no additional hosting cost was needed. The timeframe of this specific operation was approximately fifteen hours. The time was separated into two different objectives: the set-up of the VPN server and integration with the companies IT structure (firewalls, servers) and the implementation of Google authenticator. Some issues that occurred were the same as with the OpenVPN set up, that some guides regarding the implementation of Google Authenticator were outdated. The writing of different configuration should be phrasal differently depending on which version of Ubuntu server and OpenVPN server are in use. 5.2 Automate how to create users, keys, certificate, client configurations and distribute the files conveniently. This process was the most challenging one as it depended on bash scripting, which was difficult as the author didn't have much expertise in that area. My code: see Appendix A. Some part of the code is inspired from Egon Brauns (2017) guide. The code consist of five functions:
send mail () - This function uses mutt to send all the files which are created by the script to the client's mail.
change-vars () - This function creates a personalized client configuration file that is later used to create the client's certificate and keys.
generate_keys () - This function creates personalized keys and certificates linked to the client, which is stated in the arguments used together with the script.
generate_mfa () - This function creates a user with no login rights, then connects the user with Google Authenticator and creates the MFA login. This includes making a QR code that the client will later use to set up the MFA on their trusted device.
main () - This function runs the other functions in the correct order and creates the client configuration file.

This objective had no cost other than working hours, as it was based on bash scripting and the code was salvaged and written by the author. This part took around sixteen hours to complete, and it was complicated as the author's knowledge of scripting was low. The issues that occurred were mainly errors in the code, which were caused by insufficient expertise on the author's side.

5.3 Guide the user to install and set up MFA, install an OpenVPN client, and merge the keys, certificate, client configurations into the OpenVPN client.

The author created an instruction manual called a "Lathund" (see Appendix B). It was made with the intent of easily instructing employees on how to implement the new OpenVPN configuration files and set up their own Google Authenticator.
It contains three significant steps with a small introduction text, which explains why they need to read the "Lathund" and what it contains. The "Lathund" was tested and approved by my supervisor before it was added to the files which were pushed out to the employees. There was no cost in this part of the project except working hours, which came to around three hours. No issues occurred during this part, and it was a success.
6. Discussion

The project was to find a working solution for the company. It was a success, but it's essential to break it down and discuss why I made the choices I did regarding the different parts of the solution.

The research and preparation were primarily to gather information about which reliable VPN and MFA solutions were affordable and compatible with each other. This research could have been more meticulous, but as I explain in the method part, the company already uses OpenVPN for their VPN solution, and it was thereby a choice from my side to try to use it for my project. It also corresponded with the information I had already found, which was that OpenVPN was an inexpensive solution with a reliable history and a standard solution for many people and companies. There was thereby much information about the VPN, how to set it up, which security features it had, and how users could configure the specific solution they wanted. It fulfilled the company's demands, and that was why I chose it. I could have done more research, but the inexpensive part of the demand narrowed the search for other suitable solutions.

I had the same thinking when I was investigating which MFA I would choose, and because OpenVPN themselves recommended Google Authenticator as a solution for their product, it became an easy choice. Google Authenticator has a few flaws, but it is free, easy to use, and a well-known MFA authenticator. There were no other reliable alternatives that were as integrated with OpenVPN.

The choices were based on my experience, expertise and research. They follow the demands, and the software products are well known and secure. It was with well-thought consideration that I made the choices I did. However, suppose the company wants to have third-party companies handle their remote access and use software that is not so widespread.
In that case, it could be another situation, as it could be safer to use software that has a more closed system and configuration. However, the insight into how the data and configurations are being handled would be lost. That could be seen as a security risk because it is always good to know how important information regarding the company is handled and stored. It is a matter of weighing security against cost and efficiency. I think it was the right choice to use open-source software, but it is vital to have a knowledgeable person overseeing it and setting it up. Otherwise, it could be a security risk if they don't know what they are doing, primarily because of false security. False security occurs when users think something is safe when in reality it is not, which could make them take unnecessary risks and eventually expose themselves. If a VPN server isn't correctly set up, it could mean that the encryption is weak because it's using outdated keys and certificates. It could also be that the VPN client has no authentication, and thereby anyone who knows about the VPN server could connect as long as they have some information about the IP address and domain name. It's essential to set it up correctly and maintain it, and to update the software and the system it operates on.

Secure remote work is here to stay even if Covid-19 disappears, as many companies and employees have adapted. Many employees and employers have realized that working remotely increases flexibility and is very practical. For example, Spotify has publicly stated that their employees, even post-pandemic, will have the possibility to choose if they want to work from home or the office. They are not alone, as it is understandable that companies would rather have personnel working from remote, privately funded locations instead of paying for large, expensive office spaces (Markander, 2021). Our work environment will not look the same post-Covid-19, and it's not only the companies that want to keep remote work. The possibility of working from everywhere has given the employees newfound freedom and the ability to change the work environment around their life puzzle and the other way around. However, we are not talking about a 100% remote workforce and no offices at all. Globally, we are talking about half of the employees working from home, and it differs somewhat from country to country. Cisco covers this in their report, and they also cover how cybersecurity is gaining importance, especially when remote work is on the increase. So how will we do remote work in the future?
Many companies will increase their VPN capacity combined with MFA, but cloud services/platforms are also increasing in traffic and use. The main concerns are lack of employee awareness and education regarding cybersecurity, so policies regarding remote work can also be seen increasing (Cisco, 2020). It is understandable that education and policy will become more important, as employees working from home can be a significant threat to the companies when the security that an office and a professionally run IT environment gives disappears. The policies on how we behave and act regarding security in a workplace are diminishing as we work remotely, and our guard is wavering. Also, the security that the office infrastructure provides is weakened, which increases the importance of secure remote access and of the education and awareness of employees in maintaining this security when they work from home.

From an ethical standpoint, VPN is controversial. It is very positive software that makes it easier for people to watch movies from different Netflix zones and helps people censored by their states to make their voices heard. But, unfortunately, it can be used by criminals to hide their location when they are breaking the law online, and even by "normal" people when they "pirate" movies from sites. So VPN by itself is not an illegal product, but it can be used to do unlawful activities online, making it a means to an end.

VPN is a part of the bigger picture regarding cybersecurity for enterprises. As seen in the article written by Michael Gargiulo (2020), larger enterprises have the awareness and money for high-security protection. At the same time, small and medium companies are weaker on that point, primarily because of the mindset that "it wouldn't happen to us". This perspective could harm the enterprise, as it is wrong: small and medium companies have the highest risk of encountering a cyberattack, as they mostly lack the proper security measures and tools. The attacks are usually data breaches, destruction or holding the company's assets hostage (Alahmari, 2020). For example, some of the most infamous attacks have been on hospitals all over the world. The attackers held whole systems hostage and asked for a ransom in exchange for giving the systems back. It is a very effective way to attack vital infrastructure and more common than we know of, and it happens all over the world. Ransomware is only one of the attacks that small or medium companies need to be aware of, and it could cost a lot to get a company back if an attacker takes hold of it (Newman, 2020).

The future of cybersecurity is hard to predict, as it is fluid and depends on how technological advances evolve.
Still, one thing regarding VPN and end-to-end encryption that we know is on the horizon is quantum computers. A quantum computer can carry out calculations differently from traditional techniques. We know from before that RSA encryption builds its security on the premise that no mathematical algorithm can factor the product of large prime numbers efficiently enough. Quantum computing will change that, or rather Shor's algorithm will. Shor's algorithm was developed in the nineties and uses quantum computers for its calculations. Its purpose is basically to approach prime factorization differently and hopefully be efficient enough to factor larger numbers. We aren't there right now, and we don't know exactly when it will be, but maybe in the future, RSA encryption will go extinct because of it. You always need to stay updated on how cybersecurity is developing to protect yourself or your company.
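The link between factoring and RSA described above, as an added example that is not part of the thesis: a toy key is broken with the order-finding reduction that Shor's algorithm relies on, with brute force standing in for the quantum step. The key (p = 61, q = 53, e = 17) and all function names are constructed for illustration.

```python
from __future__ import annotations

from math import gcd

# Constructed toy key; real RSA moduli are 2048 bits or more.
TOY_P, TOY_Q, TOY_E = 61, 53, 17
TOY_N = TOY_P * TOY_Q  # 3233, the public modulus


def find_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r % n == 1 (requires gcd(a, n) == 1).

    Brute force takes time exponential in the bit length of n. This is the
    one step that Shor's algorithm performs efficiently on a quantum computer.
    """
    r, value = 1, a % n
    while value != 1:
        value = (value * a) % n
        r += 1
    return r


def factor_via_order(n: int) -> tuple[int, int]:
    """Split n = p * q using the order of a base a, trying bases in turn."""
    for a in range(2, n):
        shared = gcd(a, n)
        if shared != 1:          # the base itself already shares a factor
            return shared, n // shared
        r = find_order(a, n)
        if r % 2:                # odd order: no square root of 1 to exploit
            continue
        half = pow(a, r // 2, n)
        if half == n - 1:        # a^(r/2) = -1 mod n gives only trivial factors
            continue
        # half^2 = 1 mod n with half != +/-1, so n divides (half-1)(half+1)
        # without dividing either term: gcd exposes a proper factor.
        p = gcd(half - 1, n)
        return p, n // p
    raise ValueError("no factor found (is n prime?)")


def recover_private_exponent(n: int, e: int) -> int:
    """Rebuild d from public values only, once n can be factored."""
    p, q = factor_via_order(n)
    return pow(e, -1, (p - 1) * (q - 1))


def demo() -> tuple[int, int]:
    """Encrypt 65 with the public key, decrypt with the recovered exponent."""
    d = recover_private_exponent(TOY_N, TOY_E)
    ciphertext = pow(65, TOY_E, TOY_N)
    return d, pow(ciphertext, d, TOY_N)


if __name__ == "__main__":
    print(factor_via_order(TOY_N), demo())
```
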
7. Conclusion

It was a challenging task with a high threshold of knowledge in different fields, but the result was good. The project was a success, and the company was satisfied with the solution.

It's important to have secure remote access to a working environment if you are a company with employees working from home. There are alternatives for this, and the option that I go over in this project is a free, open-source solution. It has its pros and cons, but if you are a smaller company with a limited budget for security, OpenVPN is a solution for you. It has the capacity and security, but as I went over in the Discussion part, it has a high threshold of knowledge to set up, configure and maintain. But an open-source product is also a product with the capacity to be at the forefront of development in its field.

The project consists of the following research objects:

How to implement secure remote access to a working environment within the requirements of the chosen company, which are an inexpensive solution with high-security features.

The software I used as part of the solution was OpenVPN and Google Authenticator, as they matched the criteria which I was given by the company. OpenVPN is a well-documented VPN service, making it easier to find information on setting it up and integrating it with an MFA. Google Authenticator became the choice for MFA as it was the preferred MFA recommended for use together with OpenVPN. Both of these software products are highly scalable and customizable, which made it possible to have high-security features. Creating this solution took around fifteen hours, and the only cost was staffing as there were no external costs.

Automate the creation and distribution of all the necessary parts that employees will need in a VPN structure.

Automating the creation of new clients for employees, distributing the files and guiding them through the implementation was challenging.
It was done through a medium-level bash script that used internal commands and software (see Appendix A). The script consists of five functions that work together to automate the creation and distribution of keys, certificates, configuration files, and a user connected with Google Authenticator. In addition, the solution included an instruction manual that guided the employees through implementing all the necessary files and using the VPN client (see Appendix B). The distribution of the solution was a success as there was no negative feedback from the employers and employees during the roll-out.

Research about the future direction regarding VPN and the importance of cybersecurity to help ensure security preparedness for the company.

Secure remote work won't disappear post-Covid-19, as many employers and employees see the benefits of having the possibility to work out of the office. Secure VPN solutions will thereby be a vital part of companies' IT structure from now on. It is a positive trend as it increases the overall security for a reasonably low cost, which benefits S&M companies as they may lack the money and awareness for high-security protection. The increased security for S&M companies is vital, as the mindset "it won't happen to us" and the lack of cybersecurity make them an easy target for "hackers".

The conclusion is that VPN is here to stay. Still, the question is for how long, as the VPN within this project's scope heavily relies on RSA encryption, which may lose its usefulness as quantum computing evolves. But as I wrote before, the future of cybersecurity is hard to predict, as it is fluid and dependent on the technological advances that may or may not occur in the future. Still, it will always stay current and essential, so it's important to be aware of cybersecurity's latest news and discoveries.

Future Work

I would approach future work and development of the solution mainly based on how the OpenVPN server could be optimized with further security aspects. Firstly, I would create centralized access control on the VPN server. It would be based on segregating IP address ranges combined with classes.
So, for example, if employees get an IP address from the VPN server within a specific range, it would be very easy to control what they get access to by administrating the local firewall on the office network, as it is not necessary for employees working with support to have access to the servers which the developers are working on. Even though this is already protected now with different authentication such as password, ID card, MFA etc., the most secure would be that unauthorized employees would not have the possibility to connect to certain areas of the company's structure (OpenVPN, n.d.h).

Another thing would be to improve the Google Authenticator PAM module with the addition of a static password combined with the Google Authenticator TOTP token. It is possible even though the OpenVPN client GUI doesn't support two separate authentication windows. The solution would be a static password before the Google Authenticator token, as an example: password123token. An extra static password in addition to a TOTP could be redundant, but if possible, it should be analyzed as an additional option if the company thinks it's necessary (Github, 2019).

Figure 2. VPN password123token GUI
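An added example, not taken from the thesis or its Appendix A script, of the two TOTP pieces described in 5.2 and in the paragraph above: the otpauth:// text that a set-up QR code carries, and a check of a combined password123token string. The function names, the PBKDF2 password store and the sample data (the published RFC 6238 test secret) are assumptions made for illustration.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

DIGITS, STEP = 6, 30  # Google Authenticator defaults: 6 digits, 30 s, HMAC-SHA1

# Constructed sample data: the RFC 6238 test secret and a demo password record.
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()
DEMO_SALT = b"constructed-salt"
DEMO_HASH = hashlib.pbkdf2_hmac("sha256", b"password123", DEMO_SALT, 100_000)


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226: HMAC the counter, then dynamically truncate to DIGITS digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** DIGITS).zfill(DIGITS)


def decode_secret(secret_b32: str) -> bytes:
    """Base32 secrets are often stored unpadded; restore the padding first."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238: HOTP over the number of 30-second steps since the epoch."""
    return hotp(decode_secret(secret_b32), unix_time // STEP)


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// text that an enrolment QR code encodes."""
    label = quote(f"{issuer}:{account}", safe="")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer, safe='')}")


def split_credential(combined: str) -> tuple[str, str]:
    """'password123' + '287082' arrives as one field; the token is the tail."""
    password, token = combined[:-DIGITS], combined[-DIGITS:]
    if not password or not (token.isascii() and token.isdigit()):
        raise ValueError("expected <static password><6-digit token>")
    return password, token


def verify(combined: str, pw_hash: bytes, salt: bytes, secret_b32: str,
           now: int, window: int = 1) -> bool:
    """Both factors must pass; accept +/- `window` steps of clock drift."""
    try:
        password, token = split_credential(combined)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    password_ok = hmac.compare_digest(candidate, pw_hash)
    key, current = decode_secret(secret_b32), now // STEP
    token_ok = False
    for counter in range(max(0, current - window), current + window + 1):
        # Compare every candidate so timing does not show which step matched.
        token_ok |= hmac.compare_digest(token, hotp(key, counter))
    return password_ok and token_ok
```

The google-authenticator PAM module's forward_pass option uses the same password-then-code layout in a single prompt and hands the password on to the next module in the PAM stack.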
References - APA 7th Edition

Al-Absi, A. A., Hui, K. L., Ibrokhimov, S., Lee, H. J., & Sain, M. (2019). Multi-Factor Authentication in Cyber Physical System: A State of Art Survey. 2019 21st International Conference on Advanced Communication Technology (ICACT), 279-284. 10.23919/ICACT.2019.8701960

Alahmari, A., & Duncan, B. (2020). Cybersecurity Risk Management in Small and Medium-Sized Enterprises: A Systematic Review of Recent Evidence. 2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA). 10.1109/CyberSA49311.2020.9139638

Barrett, B. (22 July 2018). How to Secure Your Accounts With Better Two-Factor Authentication. https://www.wired.com/story/two-factor-authentication-apps-authy-google-authenticator/

Barnes, R. (30 August 2018). What is Shell Script? https://www.tutorialspoint.com/what-is-shell-script

Braun, E. (20 September 2017). Using Google Authenticator MFA with OpenVPN on Ubuntu 16.04. https://egonbraun.medium.com/using-google-authenticator-mfa-with-openvpn-on-ubuntu-16-04-774e4acc2852

Bratha, A., Haiduwa, T., Hashiyana, V., Ouma, K. F., & Suresha, N. (2020). Design and Implementation of an IPSec Virtual Private Network: A Case Study at the University of Namibia. 2020 IST-Africa Conference (IST-Africa). ISBN: 978-1-905824-65-6

Cisco. (2020). Future of secure remote work report. https://www.cisco.com/c/dam/en/us/products/collateral/security/secure-remote-worker-solution/future-of-secure-remote-work-report.pdf

Cawley, C. (12 March 2021). Ubuntu Desktop vs. Ubuntu Server: What's the Difference? https://www.makeuseof.com/tag/difference-ubuntu-desktop-ubuntu-server/
Drake, M. (24 May 2018). How To Set Up an OpenVPN Server on Ubuntu 18.04. https://www.digitalocean.com/community/tutorials/how-to-setup-an-openvpn-server-on-ubuntu-18-04

Easwaramoorthy, M., & Zarinapoush, F. (2016). Interviewing for research. http://sectorsource.ca/sites/default/files/resources/files/tipsheet6_interviewing_for_research_en_0.pdf

Edwards, S. H. (2004). Using software testing to move students from trial-and-error to reflection-in-action. 35th SIGCSE Technical Symposium on Computer Science Education, SIGCSE 2004. 10.1145/1028174.971312

Hiwarale, U. (7 September 2019). Bash Scripting: Everything you need to know about Bash-shell programming. https://medium.com/sysf/bash-scripting-everything-you-need-to-know-about-bash-shell-programming-cd08595f2fba

Gargiulo, M. (7 January 2020). Why have VPNs becomes so important to corporations? https://www.forbes.com/sites/forbestechcouncil/2020/01/07/why-have-vpns-become-so-important-to-corporations/?sh=7b4d7747462c

Google Play. (12 May 2020). Google Authenticator. Collected 2020-04-03 from https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en&gl=US

Guixin, Y., Hongzhuo, Q., & Zhiyong, L. (2013). Research of A VPN secure networking model. 2013 2nd International Conference on Measurement, Information and Control, 567-569. 10.1109/MIC.2013.6758028

Github. (22 February 2021). Google Authenticator PAM module. Collected 2020-04-03 from https://github.com/google/google-authenticator-libpam

Github. (8 November 2019). OpenVPN OTP Authentication support. Collected 2020-05-15 from https://github.com/evgeny-gridasov/openvpn-otp
Gilsenan, C. (5 April 2018). TOTP: (way) more secure than SMS, but more annoying than Push. https://www.allthingsauth.com/2018/04/05/totp-way-more-secure-than-sms-but-more-annoying-than-push/

Qing, L., & Yaping, L. (2009). Analysis and Comparison of Several Algorithms in SSL/TLS Handshake Protocol. 2009 International Conference on Information Technology and Computer Science, 613-617. 10.1109/ITCS.2009.307

Markander, M. (15 February 2021). Nu ska anställda på Spotify få jobba var de vill. Collected 2020-06-08 from https://computersweden.idg.se/2.2683/1.746962/spotify-distansarbete

Microsoft. (2020). Understanding the Remote Desktop Protocol (RDP). https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/understanding-remote-desktop-protocol

Moore, P. (17 September 2017). Best practices for Multi-Factor Authentication (MFA). https://www.centrify.com/blog/mfa-best-practices/

OpenSSL. (n.d.). Welcome to OpenSSL! https://www.openssl.org/

OpenVPN. (n.d.a). Quick Start Guide. Collected 2020-05-15 from https://openvpn.net/quick-start-guide/

OpenVPN. (n.d.b). Installing OpenVPN Access Server On A Linux System. Collected 2020-05-15 from https://openvpn.net/vpn-server-resources/installing-openvpn-access-server-on-a-linux-system/

OpenVPN. (n.d.c). Setting up your own Certificate Authority (CA). Collected 2020-05-15 from https://openvpn.net/community-resources/setting-up-your-own-certificate-authority-ca/

OpenVPN. (n.d.d). What is OpenVPN? Collected 2020-05-15 from https://openvpn.net/faq/what-is-openvpn/
OpenVPN. (n.d.e). Google Authenticator Multi-Factor Authentication. Collected 2020-05-15 from https://openvpn.net/vpn-server-resources/google-authenticator-multi-factor-authentication/

OpenVPN. (n.d.f). Comparing OpenVPN Access Server with OpenVPN Community Edition. Collected 2020-05-15 from https://openvpn.net/open-source-vs-openvpn-access-server/

OpenVPN. (n.d.g). Hardening OpenVPN Security. Collected 2020-05-15 from https://openvpn.net/community-resources/hardening-openvpn-security/

OpenVPN. (n.d.h). Configuring client-specific rules and access policies. Collected 2020-05-15 from https://openvpn.net/community-resources/configuring-client-specific-rules-and-access-policies/

OpenVPN. (2016). Overview of Openvpn. https://community.openvpn.net/openvpn/wiki/OverviewOfOpenvpn

Oskolkov, I. (10 March 2016). VPN implementations and their peculiarities. https://www.kaspersky.com/blog/vpn-implementations/11531/

IEEE Xplore. (n.d.). Advancing Technology for Humanity. https://ieeexplore-ieee-org.ezproxy.bib.hh.se/Xplore/home.jsp

Kabir, S. M. S. (2016). Basic Guidelines for Research: An Introductory Approach for All Disciplines (1st ed.). Book Zone Publication
Kaspersky. (2021). What is VPN? How It Works, Types of VPN. https://www.kaspersky.com/resource-center/definitions/what-is-a-vpn

KTH Royal Institute of Technology. (2015). Vad är ett examensarbete. https://www.kth.se/social/group/examensarbete-vid-cs/page/subtest/

KTH Royal Institute of Technology. (19 August 2020). Arbetsgång. https://www.kth.se/social/group/examensarbete-vid-cs/page/arbetsgang/

KTH Royal Institute of Technology. (15 February 2016). Förstudie. https://www.kth.se/social/group/examensarbete-vid-cs/page/litteraturstudier/

National Institute of Standards and Technology. (2020). NIST Special Publication 800-63B. https://pages.nist.gov/800-63-3/sp800-63b.html#sec5

Newman, L. H. (29 October 2020). Ransomware Hits Dozens of Hospitals in an Unprecedented Wave. https://www.wired.com/story/ransomware-hospitals-ryuk-trickbot/

Russel, A. (23 July 2019). What Is a Certificate Authority (CA)? https://www.ssl.com/faqs/what-is-a-certificate-authority/

Slattery, T. (July 2020). The future of VPNs in a post-pandemic world. https://searchnetworking.techtarget.com/tip/The-future-of-VPNs-in-a-post-pandemic-world

Singh, S. (1999). The Code Book. Fourth Estate Limited. ISBN 1-85702-889-9

Sun, S. H. (2011). The advantages and the implementation of SSL VPN. 2011 IEEE 2nd International Conference on Software Engineering and Service Science, 548-551. 10.1109/ICSESS.2011.5982375

SSH Academy. (n.d.). What is PKI (Public Key Infrastructure)? https://www.ssh.com/academy/pki
Ubuntu Community. (n.d.). Mission - To bring free software to the widest audience. https://ubuntu.com/community/mission

Ubuntu manuals. (2019). 20.04 LTS focals. http://manpages.ubuntu.com/manpages/focal/

Wallen, J. (10 December 2020). Ubuntu Server: A cheat sheet. https://www.techrepublic.com/article/ubuntu-server-the-smart-persons-guide/

Zelkowitz, M. (2004). Advances in Computers: Advances in software Engineering. ELSEVIER Ltd. ISBN 0-12-012162-X

Verizon. (2019). 2019 Data Breach Investigations Report. https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf

Figure 1. From Guixin, Y., Hongzhuo, Q., & Zhiyong, L. (2013). Research of A VPN secure networking model. 2013 2nd International Conference on Measurement, Information and Control, 567-569. 10.1109/MIC.2013.6758028