privacy issues in virtual private networks
Download
Skip this Video
Download Presentation
Privacy Issues in Virtual Private Networks

Loading in 2 Seconds...

play fullscreen
1 / 27

privacy issues in virtual private networks - PowerPoint PPT Presentation


  • 273 Views
  • Uploaded on

Privacy Issues in Virtual Private Networks. Tim Strayer BBN Technologies. What is a VPN?. Private network running over shared network infrastructure (Internet) Allows interconnection of different corporate network sites Allows remote users to access the corporate network

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'privacy issues in virtual private networks' - daniel_millan


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
what is a vpn
What is a VPN?
  • Private network running over shared network infrastructure (Internet)
    • Allows interconnection of different corporate network sites
    • Allows remote users to access the corporate network
    • Allows controlled access between different corporate networks
why vpns

Remote Site

Private

“Intranet”

Network

Public

Internet

Intranet

Intranet

Intranet

Headquarters

Headquarters

Remote Site

Why VPNs?

Frame Relay

Or

ATM

Or

Dial-Up Service

vpn rationale
VPN Rationale
  • Private Networks
    • Costly
    • Inflexible
    • Multiple Infrastructures
  • Virtual Private Networks
    • Inexpensive
    • Configurable
    • Single Infrastructure
the first vpn
The First VPN
  • 1975, BBN delivered the first Private Line Interface (PLI) to the Navy
  • Created secure network communication over the ARPANET
  • Used a proprietary encryption and manual keying system
vpn technologies
VPN Technologies
  • Tunneling
    • Overlay facilitates sharing common infrastructure
    • IPsec, PPTP, L2TP, MPLS
  • Security
    • Authentication: PKI, RADIUS, Smartcard
    • Access Control: Directory Servers, ACLs
    • Data Security: Confidentiality, Integrity
  • Provisioning
    • QoS
    • Traffic Engineering
island metaphor

“Hello!”

SS Encapsulator

“Hello!”

“Hello!”

SS Encapsulator

SS Encapsulator

Island Metaphor

Tunnel

“Hello!”

“Hello!”

“Oh! Hi!

“???”

tunneling

Outer Header

Inner Packet

Trailer

For target network

For transport network

2

2

3

3

4

2

7

3

Ethernet

IP

TCP

FTP

Ethernet

IP

PPP

IP

Tunneling
  • Usually layers are inverted
tunnels at layer 2

3

3

4

4

2

2

3

3

Tunnels at Layer 2
  • Point-to-Point Tunneling Protocol (PPTP)
    • Integrated into Microsoft DUN and RAS
    • Authentication/encryption provided by PPP
  • Layer 2 Tunneling Protocol (L2TP)
    • Combines PPTP with Cisco L2F
    • Layer 2 tunneling, UDP encapsulation

IP

GREv2

PPP

IP/IPX

IP

UDP

PPP

IP/IPX/IPsec

ipsec protocol suite
IPsec Protocol Suite
  • Data encryption and authentication
    • Two protocols
      • Encapsulating Security Payload (ESP) assures data privacy and party authentication
      • Authentication Header (AH) assures only party authentication
    • Cryptographic key management
      • Works well with Public Key Infrastructure and X.509 Certificates
  • Transport and tunnel modes of operation
  • IPsec VPNs use tunnel mode and ESP
ipsec tunneling

New IP Header

Security Parameter Index

Sequence Number

Authenticated

Encrypted

ESP Trailer

ESP Authentication

IPsec Tunneling

Original IP Header

Original

IP Packet

Original IP Payload

mpls tunneling
MPLS “Tunneling”
  • Multi-Protocol Label Switching
    • High speed switching technology
    • Tunnel any layer
    • Built into edge/core routers and switches
    • No authentication/encryption

Label

IP Header

IP Payload

Original Packet

ipsec vs mpls
IPsec vs. MPLS
  • Two dominant VPN technologies
  • Let’s compare them viz. their approaches to privacy
what is meant by private
What is meant by Private?
  • No one can see your stuff
    • Emphasis is on security
    • Confidentiality, integrity, authentication, authorization, access control
  • Carve out a piece of a shared network for your own use
    • Emphasis is on availability
    • Traffic engineering
evolution of ipsec
Evolution of IPsec
  • First defined as a security mode for IPv6
  • “Ported” to IPv4
  • Combines tunneling with security
    • Orthogonal services
  • Complex key management
evolution of mpls
Evolution of MPLS
  • ATM’s VCI/VPI used for cut-through switching
    • Separates routing from forwarding
    • Supports resource allocation
  • MPLS
    • IP cut-through switching using label
    • Routers switch on preestablished label
    • Routers don’t care what’s behind the label
    • Originally proposed to accelerate routing
a protocol looking for a use
A Protocol Looking for a Use
  • Fast routing argument lost with new routing technology
    • Switching technology applied to IP header
  • MPLS for traffic engineering
    • “Connection” oriented
    • Stateful – keeps tracks resource allocation and usage
    • RSVP adapted for signaling
  • Hot router selling feature
mpls vpn security
MPLS-VPN Security
  • Label Switch Routers will drop packets that do not belong to the VPN based on label
  • BGP guards against injected routes using MD-5 authentication
  • Note:
    • No data confidentiality
    • Weak authentication
    • BGP is not sufficient to prevent fake routes
why mpls vpn
Why MPLS-VPN?
  • Embed label switching in routers
    • Sell more routers
  • Replace Frame Relay and ATM with something that looks like these services
    • No profit in Frame Relay or ATM anymore
  • Control provisioning at the edge of ISP
    • Sell value added service
  • ISP dependent
    • Keeps customers within provider’s network
why ipsec vpn
Why IPsec-VPN?
  • No changes to core routers
    • Security gateway/tunnel endpoint placed anywhere that is appropriate
  • Separation through obfuscation
    • Real data confidentiality
    • Real authentication
  • Routing protocol agnostic
    • No (more than current) reliance on well-behaved protocols
  • ISP agnostic
guarding privates
Guarding “Privates”
  • What separates a VPN’s traffic from all other traffic?
    • IPsec: data encryption
    • MPLS: different labels, forwarding tables
  • Who is responsible for separation?
    • IPsec:
      • ISPs, but not necessarily
      • Corporate IT group and even individuals
    • MPLS: ISPs
dichotomy of assumptions
Dichotomy of Assumptions
  • IPsec assumes goal is:
    • IP delivery
    • No trust of intermediate systems
  • MPLS assumes goal is:
    • Engineered delivery
    • Trust entities in the middle
  • Begged question: Is leaving security to someone else a good thing?
which is the right way
Which is the Right Way?
  • Depends on what control you are willing to cede to service providers
    • What SLAs you demand
    • What you want to “black box”
  • Depends on what you mean by “private”
    • No one is supposed to use your resources
    • No one is able to see your stuff
trends in vpns
Trends in VPNs
  • IPsec is being built into routers, gateways, and firewalls, and can run at very high speeds
  • Layer 2 tunneled through MPLS
    • Martini Draft
  • Combining MPLS and IPsec
    • IP tunneled through IPsec tunneled through MPLS
    • Best of both worlds
there s more to it
There’s more to it
  • Establishing a VPN is much more than just building a set of tunnels between sites
    • Authentication
    • Access Control
    • Data Confidentiality
    • Data Integrity
    • Remote Access
where does private go
Where does “Private” go?
  • Virtual Private Network
    • Makes sense
    • What the designers had in mind
  • Virtual Private Network
    • What happens if you’re not careful
more about me
More about me
  • This talk and other information at

http://www.ir.bbn.com/~strayer

ad