DYNAMIC PAGE -- HIGHEST POSSIBLE CLASSIFICATION IS TOP SECRET // SI / TK // REL TO USA AUS CAN GBR NZL (TS//SI) Efforts Against Virtual Private Networks Bear Fruit FROM: VPN Working Group Chair, NAC (SSG2) and SIGINT Communications Run Date: 03/23/2006 (TS//SI) The Network Analysis Center has been working on VPNs for over three years -- and now a number of high-potential VPNs have been identified and decrypted. (TS//SI) Organizations around the world want the best of both worlds. On the one hand, they want to be able to communicate among themselves via a private, secure network. On the other, they want to communicate with coworkers who may be located far away, and to do so economically, which means using public networks. How can they have their cake and eat it, too? The solution for many is a virtual private network, or VPN. Although VPNs pose special challenges for SIGINT collection and processing, we've recently had notable success in exploiting these communications. (U) How a VPN Works (In Brief) (U//FOUO) Although a VPN rides on a public network, it maintains privacy for its users by creating a "tunnel" through which their data can pass securely. As described in a Yakima Research Station tutorial : "(U) A "tunnel" is constructed by establishing an authenticated connection between two gateway devices, usually either gateway routers or firewall appliances or both... Packets that do not originate from the gateway devices and do not contain packets of the private network protocol are not permitted through the gateways. (U) For the connection between the gateways to be considered secure, the gateways must be able to authenticate themselves to each other, denying access to any device that cannot authenticate correctly. While not required, the private network packets can be encrypted for further security." (U//FOUO) Graphic courtesy of NSA VPN Working Group (TS//SI) Success in Exploiting VPNs for SIGINT (TS//SI) The Network Analysis Center (NAC) has been focusing on VPN SIGINT Development (SIGDev) for over three years now, and the investment is paying off! By working with NSA's extended enterprise for collection, and with various SIGINT product lines and the Office of Target Pursuit (S311), we have identified several important targets using VPNs. What are the results? Recently, NSA has decrypted a number of interesting targets (thanks to decryption capabilities engineered by Network Security Products (S31213)) deemed by product lines to have high potential as sources of intelligence: Iraqi Ministry of Defense and Ministry of Interior Iraqi State Controlled Internet Service (SCIS) airline reservation services: Iran Air Paraguayan SABRE Aeroflot Russian Galileo Al Jazeera Broadcasting internal communications

(TS//SI) Decrypted traffic has been provided to the product lines and is being evaluated for intelligence content. Hundreds of additional VPN links have also been identified and are being investigated. (TS//SI) Work is underway at Cryptologic Centers as well. During a VPN Bootcamp held at the NSA-Georgia in early December, SIGDev analysts at Ft Gordon found a VPN target of interest within Iraqi networks already being worked there. (U) How to Get Involved (U//FOUO) If your target may be using VPNs, take some time to learn more. VPN Bootcamps will be held at NSA-Hawaii in May and at NSAW in June (watch for future announcements). In addition, NSA and the Second Party Partners will meet for a VPN Conference at Cheltenham in October, and a VPN Working Group meets regularly. Please join in the collaboration. (U//FOUO) For more information, visit the NAC VPN Webpage or contact . "(U//FOUO) SIDtoday articles may not be republished or reposted outside NSANet without the consent of S0121 (DL sid comms)." DYNAMIC PAGE -- HIGHEST POSSIBLE CLASSIFICATION IS TOP SECRET // SI / TK // REL TO USA AUS CAN GBR NZL DERIVED FROM: NSA/CSSM 1-52, DATED 08 JAN 2007 DECLASSIFY ON: 20320108