Privacy issues in virtual private networks

Privacy Issues in Virtual Private Networks

Tim Strayer

BBN Technologies


What is a VPN?

  • Private network running over shared network infrastructure (Internet)

    • Allows interconnection of different corporate network sites

    • Allows remote users to access the corporate network

    • Allows controlled access between different corporate networks


Why VPNs?

[Figure: two ways of connecting a Headquarters site and a Remote Site, each with its own Intranet. On the left, a Private "Intranet" Network built from Frame Relay or ATM or a Dial-Up Service; on the right, the same sites interconnected over the Public Internet.]


VPN Rationale

  • Private Networks

    • Costly

    • Inflexible

    • Multiple Infrastructures

  • Virtual Private Networks

    • Inexpensive

    • Configurable

    • Single Infrastructure


The First VPN

  • 1975, BBN delivered the first Private Line Interface (PLI) to the Navy

  • Created secure network communication over the ARPANET

  • Used a proprietary encryption and manual keying system


VPN Technologies

  • Tunneling

    • Overlay facilitates sharing common infrastructure

    • IPsec, PPTP, L2TP, MPLS

  • Security

    • Authentication: PKI, RADIUS, Smartcard

    • Access Control: Directory Servers, ACLs

    • Data Security: Confidentiality, Integrity

  • Provisioning

    • QoS

    • Traffic Engineering


Island Metaphor

[Figure: a "Hello!" message is wrapped by an SS Encapsulator, carried through a Tunnel between two islands, and unwrapped by the SS Encapsulator on the far side, which answers "Oh! Hi!"; an observer outside the tunnel sees only "???".]


Tunneling

[Figure: a tunneled packet is laid out as Outer Header | Inner Packet | Trailer. The outer header is for the transport network, the inner packet for the target network. Example stacks with OSI layer numbers: an ordinary packet is Ethernet (2) / IP (3) / TCP (4) / FTP (7); a tunneled packet is Ethernet (2) / IP (3) / PPP (2) / IP (3).]

  • Usually layers are inverted


Tunnels at Layer 2

  • Point-to-Point Tunneling Protocol (PPTP)

    • Integrated into Microsoft DUN and RAS

    • Authentication/encryption provided by PPP

  • Layer 2 Tunneling Protocol (L2TP)

    • Combines PPTP with Cisco L2F

    • Layer 2 tunneling, UDP encapsulation

[Figure: encapsulation stacks with OSI layer numbers as labelled on the slide. PPTP: IP (3) / GREv2 (4) / PPP (2) / IP or IPX (3). L2TP: IP (3) / UDP (4) / PPP (2) / IP, IPX or IPsec (3).]


IPsec Protocol Suite

  • Data encryption and authentication

    • Two protocols

      • Encapsulating Security Payload (ESP) assures data privacy and party authentication

      • Authentication Header (AH) assures only party authentication

    • Cryptographic key management

      • Works well with Public Key Infrastructure and X.509 Certificates

  • Transport and tunnel modes of operation

  • IPsec VPNs use tunnel mode and ESP


IPsec Tunneling

[Figure: ESP tunnel-mode packet layout. New IP Header | Security Parameter Index | Sequence Number | Original IP Header | Original IP Payload | ESP Trailer | ESP Authentication. The Original IP Packet (Original IP Header plus Original IP Payload) and the ESP Trailer are Encrypted; everything from the Security Parameter Index through the ESP Trailer is Authenticated.]


MPLS “Tunneling”

  • Multi-Protocol Label Switching

    • High speed switching technology

    • Tunnel any layer

    • Built into edge/core routers and switches

    • No authentication/encryption

[Figure: Label | IP Header | IP Payload, where IP Header plus IP Payload is the Original Packet.]


IPsec vs. MPLS

  • Two dominant VPN technologies

  • Let’s compare their approaches to privacy


What is meant by Private?

  • No one can see your stuff

    • Emphasis is on security

    • Confidentiality, integrity, authentication, authorization, access control

  • Carve out a piece of a shared network for your own use

    • Emphasis is on availability

    • Traffic engineering


Evolution of IPsec

  • First defined as a security mode for IPv6

  • “Ported” to IPv4

  • Combines tunneling with security

    • Orthogonal services

  • Complex key management


Evolution of MPLS

  • ATM’s VCI/VPI used for cut-through switching

    • Separates routing from forwarding

    • Supports resource allocation

  • MPLS

    • IP cut-through switching using label

    • Routers switch on preestablished label

    • Routers don’t care what’s behind the label

    • Originally proposed to accelerate routing


A Protocol Looking for a Use

  • Fast routing argument lost with new routing technology

    • Switching technology applied to IP header

  • MPLS for traffic engineering

    • “Connection” oriented

    • Stateful – keeps track of resource allocation and usage

    • RSVP adapted for signaling

  • Hot router selling feature


MPLS-VPN Security

  • Label Switch Routers will drop packets that do not belong to the VPN based on label

  • BGP guards against injected routes using MD5 authentication

  • Note:

    • No data confidentiality

    • Weak authentication

    • BGP is not sufficient to prevent fake routes


Why MPLS-VPN?

  • Embed label switching in routers

    • Sell more routers

  • Replace Frame Relay and ATM with something that looks like these services

    • No profit in Frame Relay or ATM anymore

  • Control provisioning at the edge of ISP

    • Sell value added service

  • ISP dependent

    • Keeps customers within provider’s network


Why IPsec-VPN?

  • No changes to core routers

    • Security gateway/tunnel endpoint placed anywhere that is appropriate

  • Separation through obfuscation

    • Real data confidentiality

    • Real authentication

  • Routing protocol agnostic

    • No (more than current) reliance on well-behaved protocols

  • ISP agnostic


Guarding “Privates”

  • What separates a VPN’s traffic from all other traffic?

    • IPsec: data encryption

    • MPLS: different labels, forwarding tables

  • Who is responsible for separation?

    • IPsec:

      • ISPs, but not necessarily

      • Corporate IT group and even individuals

    • MPLS: ISPs
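The two separation mechanisms contrasted on this slide and on the Tunneling, IPsec Tunneling and MPLS "Tunneling" slides, as an added example that is not part of the talk: a Label Switch Router forwards on the MPLS label alone and drops packets whose label is not in its table, yet the payload stays readable in transit, whereas an ESP tunnel-mode endpoint leaves a transit router only the outer header, SPI and sequence number. The inner packet, keys, outer-header placeholder and the HMAC-based keystream cipher are constructed stand-ins (real ESP uses AES or similar and a proper outer IP header).

```python
import hmac, hashlib, struct

# Constructed stand-in for an inner IP packet (two header bytes + an application payload).
ORIGINAL = b"\x45\x00" + b"GET secret.txt"

# --- MPLS: 4-byte shim = label(20) | TC(3) | S(1) | TTL(8); no cryptography at all ---
def mpls_encap(label, pkt, ttl=64):
    shim = (label << 12) | (1 << 8) | ttl          # S=1: bottom of label stack
    return struct.pack("!I", shim) + pkt

def lsr_forward(frame, table):
    """Label Switch Router: looks only at the label; unknown label -> packet dropped."""
    label = struct.unpack("!I", frame[:4])[0] >> 12
    if label not in table:
        return None                                 # not this VPN's label: dropped
    return table[label], frame[4:]                  # next hop; payload still plaintext

# --- IPsec ESP tunnel mode: outer hdr | SPI | seq | enc(inner pkt | pad | padlen | nh) | ICV ---
def toy_keystream(key, spi, seq, n):
    """Constructed stand-in for the ESP cipher: HMAC-SHA256 in counter mode."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def esp_encap(enc_key, auth_key, spi, seq, pkt):
    padlen = (-(len(pkt) + 2)) % 4                  # pad so payload+padlen+nh is 4-byte aligned
    plain = pkt + bytes(range(1, padlen + 1)) + bytes([padlen, 4])   # next header 4 = IP-in-IP
    ks = toy_keystream(enc_key, spi, seq, len(plain))
    body = struct.pack("!II", spi, seq) + bytes(a ^ b for a, b in zip(plain, ks))
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:16]     # ICV covers SPI..trailer
    return b"NEW-IP-HDR" + body + icv              # 10-byte placeholder for the outer IP header

def esp_decap(enc_key, auth_key, esp):
    body, icv = esp[10:-16], esp[-16:]
    if not hmac.compare_digest(hmac.new(auth_key, body, hashlib.sha256).digest()[:16], icv):
        return None                                 # integrity check failed: discard
    spi, seq = struct.unpack("!II", body[:8])
    plain = bytes(a ^ b for a, b in zip(body[8:], toy_keystream(enc_key, spi, seq, len(body) - 8)))
    padlen = plain[-2]
    return plain[:len(plain) - 2 - padlen]

def middle_sees(esp):
    """What a transit router can read: outer header, SPI and sequence number only."""
    spi, seq = struct.unpack("!II", esp[10:18])
    return {"spi": spi, "seq": seq, "inner_readable": b"secret" in esp}
```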


Dichotomy of Assumptions

  • IPsec assumes goal is:

    • IP delivery

    • No trust of intermediate systems

  • MPLS assumes goal is:

    • Engineered delivery

    • Trust entities in the middle

  • Begged question: Is leaving security to someone else a good thing?


Which is the Right Way?

  • Depends on what control you are willing to cede to service providers

    • What SLAs you demand

    • What you want to “black box”

  • Depends on what you mean by “private”

    • No one is supposed to use your resources

    • No one is able to see your stuff


Trends in VPNs

  • IPsec is being built into routers, gateways, and firewalls, and can run at very high speeds

  • Layer 2 tunneled through MPLS

    • Martini Draft

  • Combining MPLS and IPsec

    • IP tunneled through IPsec tunneled through MPLS

    • Best of both worlds


There’s more to it

  • Establishing a VPN is much more than just building a set of tunnels between sites

    • Authentication

    • Access Control

    • Data Confidentiality

    • Data Integrity

    • Remote Access


Where does “Private” go?

  • Virtual Private Network

    • Makes sense

    • What the designers had in mind

  • Virtual Private Network

    • What happens if you’re not careful


More about me

  • This talk and other information at

    http://www.ir.bbn.com/~strayer

