How to encrypt traffic. DNSCrypt - DNS traffic encryption for the paranoid. Disadvantages of Using a VPN

Traffic encryption at the operating system level, IPSec and OpenVPN technologies, ESP, AH, ISAKMP, Oakley protocols, IPSec advantages, built-in rules, IP Security Monitor

A more reliable way is to encrypt the traffic that is transmitted over the network. This can be done at two levels:

At the application level, when the data is encrypted by the application itself: for example, a mail client, a web server, a database server, etc. Some of these kinds of encryption are discussed in the corresponding modules;

At the operating system level. It often happens that encryption cannot be applied at the application level (for example, because the developers did not provide for it). In that situation the best way out is to let the operating system do the encryption. This method is usually completely transparent to applications and does not interfere with their normal operation. The two most common means of encrypting traffic at the operating system level are IPSec and OpenVPN.

Both tools implement open standards and can be used on both Windows and *nix. It is convenient that the tools for working with IPSec are built into Windows (2000/XP/2003 only), so nothing needs to be installed to use them; they only need to be configured.

In this course we will only cover issues related to IPSec.

IPSec is formally defined as a set of standards used to verify, authenticate and encrypt data at the IP packet level. IPSec uses two protocols at once: ESP (Encapsulating Security Payload), which is responsible for encrypting traffic, and AH (Authentication Header), which is responsible for applying a digital signature to traffic. Moreover, unlike many other encryption protocols (for example, SSL), in IPSec encryption is performed before authentication, which dramatically increases the reliability of the protocol. For authentication, IPSec uses the Internet Key Exchange (IKE) protocol suite, which consists of two protocols: ISAKMP (Internet Security Association and Key Management Protocol) and the Oakley Key Determination Protocol. These protocols "negotiate" between the two computers that are about to communicate over IPSec, produce a final result and hand it, together with the key, to the IPSec driver. In a sniffer only the ISAKMP/Oakley packets are visible; the ESP and AH information (and especially the data) can no longer be seen.

The advantages of IPSec include:

· full transparency for applications, network devices (for example, routers), network adapter drivers, etc. From the application's point of view, ordinary data is being transmitted over the network; from the point of view of network devices, ordinary ISAKMP/Oakley application-protocol packets are being transmitted, which require nothing special;

· a high degree of integration with the Windows domain. In the simplest mode (Kerberos authentication) you only need to enable IPSec on the computer, and all authentication is performed by the Kerberos service on the domain controller. In special cases certificates can be used, but they have to be installed manually. Both of these methods are incompatible with IPSec implementations under *nix; for such computers to work with IPSec in Windows 2003 a preshared key will have to be used. On Windows 98 and ME (but not Windows 95) you can install the L2TP/IPSec VPN Client to use IPSec, but in that case you run into two restrictions:

o IPSec can only be used for VPN connections (not for regular network connections);

o when configuring IPSec you cannot use Kerberos authentication (only certificates or a preshared key).

The same restrictions apply to Windows NT 4.0.

· protection against substitution of the connection party (in the Microsoft implementation mutual authentication of both client and server is required); a unique packet counter, which protects against replay attacks (where packets captured by a sniffer are used to re-establish a connection, this time on behalf of another system); and a very effective and efficient way of checking the digital signature of packets (packets that fail verification are immediately discarded);

· high performance. As a rule, on a local network encryption with IPSec is practically unnoticeable. If you need even higher performance, a variety of network cards with hardware IPSec accelerators are available (usually for less than 100 USD).

· high controllability. IPSec can be applied selectively, for example only to the traffic of certain computers or of certain applications. Such rules are configured through IPSec policies and can be managed centrally.

IPSec does not encrypt some service traffic: for example, Kerberos protocol traffic and any broadcast and multicast traffic are not encrypted.

IPSec can be configured in several ways. In the GUI this is most conveniently done with the IPSec MMC console (it is also built into many other consoles, for example the Group Policy editor). If you launch this console manually from MMC, you get four options: edit the local policy, the policy of a remote computer, or the group policy of your own or another domain. Bear in mind that if the local security policy conflicts with the domain-level security policy, the domain-level policy takes precedence.

Three ready-made IPSec policy templates are available to you (as well as the ability to create your own):

· Client (Respond Only) is the minimal IPSec policy. It includes a single rule (the special Default Response rule), whose meaning is simple: if this computer is contacted via IPSec, it responds via IPSec. In all other situations IPSec is not used.

· Server (Request Security) is increased use of IPSec. It includes three rules: the Default Response rule already mentioned, unhindered passage of unencrypted ICMP traffic, and an (optional) request for IPSec for all other traffic. If the other party does not support IPSec, data is transferred without encryption.

· Secure Server (Require Security) is the most demanding policy from a security standpoint. It contains the same Default Response rule and the ICMP exception, but for all other traffic IPSec is required without fail. If the other party does not support IPSec, the connection is refused.

All three predefined policies use Kerberos-based key negotiation, so you need to be careful. For example, if you apply the Secure Server policy on only one computer and have not enabled IPSec on the domain controller, that computer will be unable to obtain a certificate from the domain controller and will not be able to communicate with any computer on the network at all.

For maximum flexibility you can create your own IPSec policy, for example if you only need to encrypt the traffic of one application or of certain computers. You can specify the IP addresses of the sending and receiving computers, the protocol type and port number, as well as additional options such as the use of certificates or a preshared key, the encryption methods to be used, tunnelling parameters, etc.

To apply any of the security policies, select Assign in its context menu (it can be cancelled the same way). By default none of the policies is assigned, which means the computer cannot work with IPSec at all.

From the command line, IPSec can be managed using NETSH (in Windows 2000 a special Resource Kit utility, ipsecpol.exe, could be used for this purpose; it no longer works in Windows 2003).
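The custom policy and command-line management described above, as an added example that is not part of the original article: a netsh script (Windows XP/2003 `netsh ipsec static` syntax) that builds a policy requiring ESP for SQL Server traffic from one subnet, authenticated with a preshared key, and then assigns it. The policy, filter list, filter action and rule names, the 10.0.0.0/24 subnet, TCP port 1433 and the key value are all placeholders chosen for the example.

```powershell
# Added example: a custom "require security" IPSec policy built with netsh.
# Names, the subnet 10.0.0.0/24, port 1433 and the preshared key are placeholders.
# Run from an elevated prompt on Windows XP/2003.

# 1. The policy container. activatedefaultrule=yes keeps the Default Response rule,
#    exactly as the three predefined policies do.
netsh ipsec static add policy name="SQL-Require-ESP" description="Require ESP for SQL traffic" activatedefaultrule=yes assign=no

# 2. A filter list saying which traffic the rule covers. mirrored=yes also matches
#    the reply packets in the opposite direction.
netsh ipsec static add filterlist name="SQL-from-LAN"
netsh ipsec static add filter filterlist="SQL-from-LAN" srcaddr=10.0.0.0 srcmask=255.255.255.0 dstaddr=me protocol=TCP srcport=0 dstport=1433 mirrored=yes

# 3. A filter action. action=negotiate with soft=no is the "Require Security"
#    behaviour: a peer that does not support IPSec is refused. inpass=no also
#    rejects unsecured inbound packets. qmsecmethods picks ESP with 3DES + SHA1.
netsh ipsec static add filteraction name="Require-ESP" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

# 4. The rule ties the list and the action together. psk= is the preshared-key
#    authentication the article recommends for *nix peers; domain members
#    would use kerberos=yes instead.
netsh ipsec static add rule name="SQL-Rule" policy="SQL-Require-ESP" filterlist="SQL-from-LAN" filteraction="Require-ESP" psk="REPLACE-WITH-A-LONG-RANDOM-SECRET"

# 5. Assign the policy (the same as "Assign" in the MMC console). Only one local
#    policy can be assigned at a time; assign=n cancels it again.
netsh ipsec static set policy name="SQL-Require-ESP" assign=y

# 6. Show what is now in force, with all rules, filters and actions expanded.
netsh ipsec static show policy name="SQL-Require-ESP" level=verbose
```

Two practical points: a preshared key configured this way is stored readably in the local policy, so it is only a fallback for peers that cannot use Kerberos or certificates, and because step 5 makes the policy effective immediately, test it first with `soft=yes` (fall back to clear text) or on a non-critical host, otherwise a mistake in the filter will cut the machine off just as the article warns for the Secure Server template.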

You can monitor IPSec connections either with a sniffer (you will simply see that some activity is taking place) or with the special IP Security Monitor MMC console, which shows statistics on IPSec connections. It groups the data into three containers:

· Active Policy shows which policy is currently assigned and additional information about it. If you have a policy conflict, you can look in this container or use the standard RSoP (Resultant Set of Policy);

· Main Mode: statistics for the Oakley Main Mode (used when keys need to be created from scratch);

· Quick Mode: statistics for the Oakley Quick Mode, used when the keys have expired but the information needed to generate a key is already available, so it is enough to simply refresh the key. Key reuse is forbidden in IPSec.

IPSec diagnostic logging can also be enabled through the registry (see the Microsoft Knowledge Base for details).
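The three IP Security Monitor containers and the registry-based diagnostic logging just mentioned, as an added example that is not part of the original article: the `netsh ipsec dynamic` commands that expose the same information from the command line, plus the Oakley logging switch. The registry key and log path are quoted from memory of the Microsoft Knowledge Base article on IPSec troubleshooting for Windows 2000/2003 and should be verified against that article on your build.

```powershell
# Added example: command-line counterparts of the IP Security Monitor containers
# (Windows XP/2003 netsh syntax; run from an elevated prompt).

# Active Policy container: which policy is assigned and whether it came from a
# domain GPO or the local store.
netsh ipsec static show gpoassignedpolicy

# Main Mode container: the IKE/Oakley security associations, one per peer,
# i.e. the negotiations in which keys were created from scratch.
netsh ipsec dynamic show mmsas all

# Quick Mode container: the IPSec SAs that actually carry ESP/AH traffic.
# Each entry shows the filter, the ESP/AH algorithms and the peer addresses.
netsh ipsec dynamic show qmsas all

# Counters behind both containers: failed negotiations, soft (clear-text)
# associations, and packets rejected by the anti-replay check or bad signature.
netsh ipsec dynamic show stats type=all

# Diagnostic logging (assumed key, as documented in the Microsoft KB): write
# Oakley negotiation traces to %SystemRoot%\Debug\Oakley.log. The IPSEC Services
# service (PolicyAgent) must be restarted for the value to take effect.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley" /v EnableLogging /t REG_DWORD /d 1 /f
net stop policyagent
net start policyagent

# Turn the trace off again once the problem is understood: the log grows quickly
# and records every negotiation on the host.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley" /v EnableLogging /t REG_DWORD /d 0 /f
```

A rising "soft associations" counter in the stats output is the thing to watch when a Server (Request Security) policy is in use: it means some peers are talking to this host in clear text because they could not negotiate IPSec, which is exactly the fallback the article describes for that template.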

Everyone talks about the confidentiality of information and sometimes even demands that it be ensured. But few people think about where such demands lead. On the one hand, yes: privacy, the secrecy of personal life, the secrecy of correspondence... All of this is granted to us by the Constitution and seems to be an inalienable right. Hence the growth in the volume of encrypted traffic on the Internet, according to the latest Cisco research.

This growth is also driven by the inclusion of encryption in various standards (for example, PCI DSS) and best practices that many organisations and service providers are beginning to follow. For example:

  • providers of mobile content and services that have implemented encryption by default,
  • video hosting and browser settings that enable encryption by default,
  • online storage and backup services.


It gets to the point that companies are starting to use encryption even in controlled areas where it was not previously required, since it used to mean upgrading the infrastructure to a more powerful one and dealing with various legislative obstacles from the FSB. But today the situation is changing: equipment is becoming more powerful and comes with built-in encryption functions, and the regulator is less concerned with what companies do to protect information for their own needs. Below is an example from a Lancope study, which examined a number of companies and drew attention to the growth of entropy in enterprise internal networks.

But there is another side to encryption. Firstly, it creates an illusion of security when all attention is paid to encryption in the transmission channel while encryption of data where it is stored (the same data centres) is completely forgotten. In many recent data breaches, attackers stole valuable data while it was at rest rather than in transit. But this is not the only problem with encryption.

Attackers have also begun to use it actively, hiding their activity from monitoring or simply using encryption for malicious purposes (the ransomware TeslaCrypt or CryptoWall, for example). Controlling such flows of information becomes very difficult, but encryption is not going away, either from the point of view of information security or from that of attackers. That is why it is so important to use additional mechanisms for analysing network traffic that let you monitor related parameters without diving into the content of the communications themselves: NetFlow, domains and IP addresses and their registration dates, the reputation of the interacting hosts and other metadata. It is also important not to forget about integrated security, which should not be bolted on, as is often the case, but built into network equipment, operating systems, databases, servers, workstations, etc. In that case working with encrypted traffic will be more efficient than trying to redirect it somewhere for decryption.

There is also a third side to the use of encryption. Out of nowhere there is the state with its requirements to ensure national security, protection from terrorists and extremists, and other undoubtedly important matters. Take, for example, the latest initiative of our authorities, which I wrote about the other day. Intelligence agencies and other interested parties essentially admit that the installed SORM elements cannot solve the problems facing them. SORM, traditionally focused on ordinary voice communications, coped with this task well, since encryption was never used in the regular telephone network, and in a mobile network it can easily be done at the mobile operator's level (voice is encrypted only from the handset to the base station).


With data and the Internet the situation is much more complicated: there, encryption can easily be made end-to-end, and no SORM will help much. And then came the turning point in the use of encryption: over 50% of Internet traffic became impregnable to analysis by the intelligence agencies. So only one option remains: either prohibit encryption altogether (which is unlikely), or force everyone to escrow their encryption keys and share public key certificates for a "lawful" insertion into the data stream, as was attempted in the mid-90s in the USA under the Clipper project, or develop a covert SORM.

Tellingly, Snowden's "revelations" are precisely a demonstration of the third way of combating encryption, the one the US intelligence services chose. It would never occur to anyone to ban something in the most democratic country. Demanding that Facebook, Twitter and Microsoft publicly renounce confidentiality in favour of key escrow is pointless (again, democracy gets in the way). Only one thing remains: develop technologies for covert collection of information and force Internet companies to share information under secret decisions of a secret court.

Russia has now also come close to the dilemma the United States faced 20 years ago when it started the Clipper, Capstone and Skipjack project. We have chosen the second path for now, since the first is very odious (and, most importantly, terrorists and extremists will not care about the ban anyway), and the third works poorly and does not scale (just remember how Twitter, Google and Facebook "sent" Roskomnadzor with its requests to block accounts publishing information unflattering to the Russian authorities).

This is the story we get with encryption. And what its ending will be is still unclear...

Let’s learn the basics of “anonymity” on the Internet.

The article will help you decide whether you specifically need a VPN and choose a provider, and will also tell you about the pitfalls of this technology and alternatives to it.

This material is simply a story about VPNs with an overview of providers, intended for general development and solving small everyday problems. It won’t teach you how to achieve complete anonymity on the Internet and 100% traffic privacy.

What is a VPN?

A Virtual Private Network is a network of devices created on top of another network, within which, thanks to encryption, secure channels are created for exchanging data.

The VPN server manages user accounts on this network and serves as an entry point to the Internet for them. Encrypted traffic is transmitted through it.

Below we will talk about providers that offer access to VPN servers in different countries. But first, let's figure out why this is necessary.

Benefits of Using a VPN

1. Change of “address”

In what cases does a law-abiding Russian need a different IP?

2. Protection from petty villains

A VPN provider will not save you from persecution by the authorities, but it will protect you from:

  • A network administrator at the office who collects incriminating evidence against you or simply likes to read other people's mail;
  • Schoolchildren who amuse themselves by sniffing the traffic of a public Wi-Fi hotspot.

Disadvantages of Using a VPN

Speed

Internet access speed when using a VPN provider may be lower than without it. This applies first of all to free VPNs. It can also be unstable, depending on the time of day or the location of the selected server.

Technical problems

The VPN provider may suffer outages, especially if it is small and little known.

The most common problem: the VPN disconnects without telling anyone. You need to make sure that your connection is blocked if something goes wrong with the server.

Otherwise it can go like this: you write angry comments on your neighbour's articles, the VPN quietly switches off, your real IP shows up in the admin panel, you miss it, and your neighbour notices and starts planning revenge.
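The "make sure the connection is blocked when the VPN drops" requirement above, as an added example that is not part of the original article: a Windows Firewall kill switch in PowerShell. It assumes Windows 8 / Server 2012 or later (the NetSecurity cmdlets), an elevated session, a VPN server reachable at the placeholder address 203.0.113.10 (documentation range) and a tunnel adapter named "MyVPN"; the rule names are also chosen for the example.

```powershell
# Added example (not from the article): a Windows Firewall "kill switch" so that a
# silently dropped VPN cannot leak the real IP address. Assumed values: VPN server
# 203.0.113.10 (placeholder), tunnel adapter "MyVPN", rule-name prefix "KillSwitch".
param(
    [string]$VpnServer  = "203.0.113.10",
    [string]$VpnAdapter = "MyVPN",
    [string]$Tag        = "KillSwitch"
)

function Enable-KillSwitch {
    # Block all outbound traffic by default on every profile. With this in place
    # nothing leaves over the physical interface unless an Allow rule matches.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

    # Allow the tunnel to the VPN server itself, so the client can connect and
    # reconnect. An IP address is used on purpose: a DNS lookup of the server's
    # hostname would itself be blocked before the tunnel is up.
    New-NetFirewallRule -DisplayName "$Tag-ToVpnServer" -Direction Outbound `
        -Action Allow -RemoteAddress $VpnServer | Out-Null

    # Allow everything that goes through the tunnel adapter. When the VPN drops,
    # this adapter goes down and the rule stops matching, so the default Block wins.
    New-NetFirewallRule -DisplayName "$Tag-ViaTunnel" -Direction Outbound `
        -Action Allow -InterfaceAlias $VpnAdapter | Out-Null

    # Keep DHCP renewals working so the physical link stays usable.
    New-NetFirewallRule -DisplayName "$Tag-Dhcp" -Direction Outbound `
        -Action Allow -Protocol UDP -RemotePort 67 | Out-Null
}

function Disable-KillSwitch {
    # Remove only the rules this script created, then restore the default.
    Get-NetFirewallRule -DisplayName "$Tag-*" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow
}

function Test-KillSwitch {
    # $true while the tunnel adapter is up. If it is down, the block rules above
    # guarantee that no traffic leaves over the physical interface.
    $up = Get-NetAdapter -Name $VpnAdapter -ErrorAction SilentlyContinue |
          Where-Object Status -eq 'Up'
    return [bool]$up
}
```

Dot-source the script, run `Enable-KillSwitch` before connecting and `Disable-KillSwitch` when you are done. The check that matters is the one the article describes: disconnect the VPN manually and confirm that web requests now fail instead of going out with your real address. Note that DNS is only protected if the resolver is reached through the tunnel; a resolver on the local LAN would still be blocked, which is the safe failure here.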

Imaginary anonymity

Information about your traffic is handed to a third party. VPN providers are often asked in interviews: "Do you keep logs?" They answer: "No, no, of course not!" But nobody believes them, and there are reasons for that.

In their licence agreements many VPN providers openly state that the user has no right to infringe copyright, run hacking tools or send spam, and that in case of violation the account is blocked without a refund. Example: the ExpressVPN Terms of Service. It follows that the user's activity on the network is monitored.

And some fast VPN providers, for example Astrill, require SMS confirmation to activate an account (this does not work for Russian numbers). Want to hide your IP and encrypt your traffic? OK, but leave your phone number just in case.

And the registration forms are sometimes annoying with unnecessary questions. For example, why does a VPN provider need a person's postal code? To send New Year's parcels?

The user's identity can also be established via bank cards (or via the payment-system wallets from which virtual cards are topped up). Some VPN providers attract users by accepting cryptocurrencies as payment, which is a plus for anonymity.

Choosing a VPN service

VPN providers are a dime a dozen; after all, it is a profitable business with a low barrier to entry. Ask about it on a forum and service owners will come running and bombard you with their advertising.

To help you choose, the website bestvpn.com was created, where ratings and reviews of VPN providers are published.

Let's briefly talk about the best VPN services (according to bestvpn.com) that have an application for iOS.

ExpressVPN

96 cities in 78 countries. 30-day money-back guarantee in case of service interruptions. There are applications for OS X, Windows, iOS and Android. You can work with 5 devices simultaneously.

Price: from $9.99 to $12.95 per month (depending on payment period).

Private Internet Access

25 countries. Applications are available for OS X and Windows; see the project website.

Price: from $2.50 to $6.95 per month (depending on payment period).

IP Vanish VPN

More than 60 countries. There are VPN clients for iOS, Android, Windows, Mac, Ubuntu, Chromebooks and routers. It is possible to work with several devices at once.

Optimistic paranoids

A very interesting marketing ploy: they propose running encrypted traffic not through one but through two or three servers.

My opinion: if a VPN is needed only to hide which country you are from, this makes no sense. But if there really is something to hide, what is the point of passing it through three other people's servers at once?

Alternatives

Own OpenVPN server

Tor

Traffic in the Tor network is transmitted in encrypted form through several independent servers in different parts of the world. This makes it difficult to determine the user's original IP address. But the cautionary tale of Ross Ulbricht (owner of Silk Road) reminds us that American intelligence agencies are capable of a great deal.

Pros:

  • Free;
  • Access to the onion network ("darknet"). A number of sites are accessible only from Tor Browser: their own search engines (Grams), shops, libraries, cryptocurrency exchanges, contextual advertising systems, the Onion Wiki. But for a law-abiding Russian there is nothing of interest on this network.

Cons:

  • Slow speed.

What does Roskomnadzor think?

The agency's staff are extremely unhappy that Russians strive for anonymity on the Internet. A Roskomnadzor spokesman recently called Tor users "social scum", and the agency itself advocates banning anonymisers. But Russians do not listen to such opinions. Egor Minin (founder of RuTracker) claims that half of his site's users know how to bypass blocking.

SoftEther VPN Client program.

In connection with the real threat that the punitive provisions of the Anti-Piracy Law will be expanded and that it may begin to be applied to ordinary users, namely the possible introduction of fines for downloading pirated content (movies, music, programs and so on), I continue to acquaint visitors to my sites with information on how to avoid these fines, that is, how to download from the Internet ANONYMOUSLY. Previously I showed how to download anonymously from direct links and torrents. In this article we will look at one way to encrypt all Internet traffic. Encrypting all Internet traffic will let you become completely anonymous on the Internet by changing your IP address to a third-party one. After changing your IP address with the application proposed in this article, no outsider will be able to find out which sites you visited or what you downloaded, and your Internet traffic in the torrent client will also be encrypted.
We are talking about an application called SoftEther VPN Client. This is a client program for a service called VPN Gate.
The VPN Gate service is an experimental project of the Graduate School of the University of Tsukuba (Japan). The idea of the project is for volunteers to organise a public network of VPN tunnels, which are created using special software and provided free of charge for public use. Anyone can connect to them.
The public VPN Gate servers are run by ordinary people, not companies, so even the hypothetical possibility of logs (the history of sites you visited and of your downloads) being obtained at the request of the authorities is excluded. The VPN Gate service was created so that citizens of countries where certain sites are blocked can visit them freely and anonymously, but the service can also be used to download the content you need without fear of unpleasant consequences.
Setting up SoftEther VPN Client is not difficult at all. I'll show you how to do it now.

First, download the archive with the SoftEther VPN Client installer from the developer's website via the link.



After downloading the archive, unpack the folder with the installation file to your desktop.


Open it and start installing SoftEther VPN Client.


After installing SoftEther VPN Client, launch it.


Select one of the VPN servers and connect to it.


After connecting to the selected VPN server, all your Internet traffic passes through a third-party server, reliably hiding your activity on the Internet.


You can easily verify that you are connected to the chosen VPN server by visiting one of the IP address checking services. They are not hard to find: type "ip check" into any search engine, for example Yandex.


Disconnecting the VPN is easy. After installing SoftEther VPN Client, an icon appears in the system tray. Right-click it and in the context menu that appears select the bottom item to exit the program.


As you can see, it is not at all difficult to encrypt all your Internet traffic using SoftEther VPN Client and the VPN Gate service.
In the near future we will continue the topic of encrypting Internet traffic and look at another way to encrypt traffic using VPN services directly, without third-party applications, only by changing the Internet connection settings.

The share of encrypted traffic in the total volume of data sent and received is constantly growing. Enhanced protection of user messages is becoming standard for instant messengers, the number of Internet resources whose links begin with "https" is growing, VPN connections are becoming popular; all of this complicates or makes impossible the analysis of information in the traffic that will have to be stored under the law.

According to the working group of the Expert Council under the Government of the Russian Federation, the share of encrypted traffic in telecom operators' networks is currently approaching 50 percent. Since there is nothing to prevent this share from growing, it can be expected to reach 90 percent over the next three years.

On February 17, Deputy Prime Minister Arkady Dvorkovich, who oversees preparation of the by-laws for the Yarovaya package in the government, will hold a meeting at which the Ministry of Telecom and Mass Communications must outline how and by what means operators will have to comply with the law's requirements. Dvorkovich is to be given an estimate of the financial costs, and Minister of Communications Nikiforov will report on the readiness of the by-laws that the Government of the Russian Federation needs to adopt.

It can be expected that most of the meeting will be taken up by discussing the issues that not only telecom operators but also the intelligence agencies will face during implementation. According to Abyzov, Minister for Open Government and head of the expert working group, the amendments to current anti-terrorism legislation included in the Yarovaya package should help prevent crimes and make investigations more effective.

Every day the likelihood grows that operators will not manage to implement everything properly by the deadline required by law. The absence of adopted by-laws prevents them from planning future costs: the size and "breakdown" over time are unclear, as is which sources will have to be used and how these costs will affect the profitability of the business.

There is still no information about the software and hardware that telecom operators may use, or how and when it will be certified and approved for use on communication networks. It will take time to decide how to integrate the additional equipment and what infrastructure will be required. The final storage scheme is unknown: whether all issues will be handled entirely by the operators or whether Rostec will still be involved.

There are “minor” but specific questions for individual operators. For example, mobile operators would like to know what to do with the traffic of roaming subscribers.

Given the nature of the information to be stored, additional orders, instructions and clarifications are required, containing requirements for protecting the information and describing the procedure for accessing it. Responsibility in the event of a "leak" must be defined (for some reason the topic of "responsibility" is almost never discussed in public).

Everyone is waiting for answers to these many questions from the Ministry of Industry and Trade and the Ministry of Telecom and Mass Communications: these departments must prepare drafts of several legal acts and send them to the Government of the Russian Federation. There is a feeling that the traffic storage system is unlikely to be implemented by July 1, 2018. I assume that a failure to implement the "Yarovaya package" could seriously "backfire" on the Minister of Communications.

The first reports that appeared on the news feeds of Interfax, RIA Novosti, etc. contained no specifics. Dvorkovich's press secretary said tersely: "A meeting on the law was held; the priorities and procedure for finalising the by-laws were discussed, as well as possible adjustments to the law if it proves impossible to reflect the agreed position in a resolution."

Journalists tried to ask participants about the course of the discussion. What became known:

1. On raising tariffs. Someone present at the meeting said that Deputy Prime Minister Arkady Dvorkovich appealed to the operators (representatives of several companies were present: MTS, MegaFon, VimpelCom, Yandex) not to get carried away with raising tariffs for services and suggested keeping price increases within current inflation. I don't know what he heard in response, but the numerous estimates of the cost of implementing the "Yarovaya package", and the limited time in which this money will have to be spent, do not fit into the economics of any telecom company. Consequences: at a minimum, network development will stop for several years and operating costs will have to be cut, which will reduce the quality of services. At worst, it will be easier to close the business right away, without the "will I survive or not" experiments.

As I already wrote, a more or less accurate financial assessment could be obtained as part of a pilot project.

2. On what to store and what not to store. Officials understand that it will not be possible to store all traffic. And there is good news for providers: if one participant's "retelling" is accurate, at the first stage they may be required to store only voice-call and SMS traffic, without data traffic. Another participant's "retelling" differs (and perhaps I was in a hurry to please the providers): the storage periods for voice-call and text (SMS) traffic were discussed, and the mobile operators would like these periods shortened. It is confirmed that data traffic was discussed separately. But it seems the discussion was only about reducing the storage period and the volume of stored traffic.

That is, what to do with data traffic and how remains uncertain; one has to wait for the new versions of the bills that the Ministry of Telecom and Mass Communications will have to prepare.

3. How to implement the storage system. The FSB proposes expanding the "ring buffer" as part of implementing the "Yarovaya package". The operators are not opposed, believing this path may be cheaper than building a new complete traffic-storage system. It also turned out that the FSB does not support Rostec's idea of a single information repository, since the intelligence services would like to do without an intermediate link in the form of Rostec between themselves and the telecom operators. In addition, as I already wrote, the current version of the law (the "Yarovaya package") obliges telecom operators, and only them, to collect, record and store subscriber traffic. Since "implanting" Rostec would require changes to the law, this path, including consideration and adoption of amendments in the State Duma, could "eat up" a lot of time.


