
Wireless VPN






Presentation Transcript


  1. Wireless VPN
  HemaKumar Rangineni, Zafer Banaganapalle

  2. Contents
  • Introduction
  • VPN Types
  • Elements of VPN
  • Advantages
  • Tunneling Protocols
  • Architecture
  • Wireless VPN
  • IPSec VPN
  • SSL VPN
  • Comparison
  • Conclusions
  • References
  • Questions
  • Thank you

  3. Introduction
  • A virtual private network is a private network running over a shared public infrastructure like the Internet.
  • Used to
    • interconnect various geographically separated sites,
    • connect remote users back to a home network,
    • allow controlled access between different corporate networks.
  • Constructed from protocols and technologies that run over a shared network.
  Continued…

  4. Introduction …
  • A virtual private network is a private network running over a shared public infrastructure like the Internet.
  (Diagram; image source: 3Com)

  5. Introduction …
  Technologies include:
  • A tunneling protocol, such as IPsec, Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), or Multi-Protocol Label Switching (MPLS)
  • An authentication mechanism, provided by PKI, RADIUS, or smartcards
  • An access control mechanism, provided by directory servers and ACLs
  • Data security technologies, such as encryption
  • Data provisioning techniques, such as quality of service (QoS) and traffic engineering

  6. VPN Types
  • Remote-access: a single remote network device to the intranet
  • Site-to-site: connects multiple fixed sites over a public network
    • Intranet-based
    • Extranet-based

  7. Elements of VPN

  8. Advantages
  • Using special tunneling protocols and complex encryption procedures, data integrity and privacy are achieved.
  • The connection seems like a dedicated point-to-point connection.
  • And, because these operations occur over a public network, VPNs can cost significantly less to implement than privately owned or leased services.

  9. Tunneling Protocols
  • Provide a way to overlay a virtual network over a physical one by building tunnels, or special connections, between various points in the physical network.
  • Three types of VPN protocols are used for tunnelling:
    • PPTP (Point-to-Point Tunnelling Protocol)
    • L2TP (Layer 2 Tunnelling Protocol)
    • IPSec (Internet Protocol Security)

  10. PPTP
  PPTP data packet layout (diagram): Media Header | IP Header | GRE Header | PPP Header | PPP Payload
  • PPTP tunnelling uses two packet types:
    • Control packets
      • Strictly for status enquiry and signalling information
      • Use TCP (connection-oriented)
    • Data packets
      • Use PPP encapsulated with GREv2
  • GRE gives PPTP the flexibility of handling protocols other than IP, such as NetBEUI and IPX.

  11. L2TP
  L2TP packet layout (diagram): IP Header | UDP Header | L2TP Header | PPP | IP Header | User Data
  • Like PPTP, L2TP is strictly a tunnelling protocol.
  • L2TP is a standards-based combination of two proprietary Layer 2 tunnel protocols:
    • Cisco's Layer 2 Forwarding (L2F)
    • PPTP
  • L2TP combines the control and data channels.
  • L2TP runs over UDP: faster and leaner.
  • L2TP is more "firewall friendly" than PPTP, since you do not have to support GRE.

  12. IPSec
  Layer diagram (where each protocol sits):
    Transport layer (TCP, UDP) : transport protocols
    Network layer (IP)         : IPSec; routing through the network
    Link layer                 : L2TP / PPTP; link protocols
    Physical layer             : physical infrastructure
  • Open, standards-based, network layer security protocol.
  • Aimed at protecting IP datagrams.
  • Robust mechanisms for authentication and encryption.
  • Can protect the whole datagram or just the upper-layer protocol (Tunnel or Transport mode respectively).

  13. Network-Level Architecture Simplified Diagram of VPN WLAN

  14. Wireless VPN

  15. Wireless VPN

  16. IPSec
  • What is IPSec?
    • IPSec is a set of open standards and protocols for creating and maintaining secure communications over IP networks.
    • IPSec VPNs use these standards and protocols to ensure the privacy and integrity of data transmission and communications across public networks like the Internet.

  17. IPSec security services
  Standards for a range of services to address security risks:
  • Confidentiality: encryption protects the privacy of communications even if they are intercepted.
  • Access control: access to IPSec VPN private communications is restricted to authorized users.
  • Authentication: verifies the source of received data (data origin authentication) and confirms that the original IP packet was not modified in transit (connectionless data integrity).
  • Rejection of replayed packets: an anti-replay service counters a replay attack based on an attacker's intercepting a series of packets and then replaying them.
  • Limited traffic flow confidentiality: inner IP headers can be encrypted to conceal the identities of the traffic source and destination (beyond the security gateways).

  18. IPSec

  19. How IPSec works
  • Before two devices can establish an IPSec VPN tunnel, they must agree on the security parameters: the security association (SA).
    • The SA specifies the authentication and encryption algorithms and the encryption keys.
  • The Internet Key Exchange (IKE) protocol is needed for secure communication through an IPSec VPN.
  • In the negotiation process, one IPSec endpoint acts as an initiator and the other as a responder.
    • The initiator offers the set of authentication, encryption and other parameters that it is ready to use with the other endpoint.
    • The responder tries to match this list against its own list of supported techniques. If there is any overlap, it responds with the common subset.

  20. How IPSec works (continued)
  • The initiator chooses one combination of techniques from the responder's reply, and they proceed with the negotiated setting.
  • IKE negotiation has two phases:
    • Phase 1 allows two security gateways to authenticate each other and establish communication parameters.
      • At the end of Phase 1, a Phase 1 Security Association (IKE SA) is established.
    • Phase 2 allows two security gateways to agree on IPSec communications parameters.
      • At the end of Phase 2, an IPSec SA is established.
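The offer / match / choose exchange of slides 19 and 20, modelled as an added example (not from the slides or from any IKE implementation). The algorithm names and both endpoints' lists are constructed samples, and Phase 2 runs only after Phase 1 has produced an IKE SA.

```python
# Proposals are (integrity, encryption, DH group) triples listed in the
# offering endpoint's order of preference. All names are constructed samples.
PHASE1_OFFER = [
    ("HMAC-SHA256", "AES-256-CBC", "group14"),
    ("HMAC-SHA256", "AES-128-CBC", "group14"),
    ("HMAC-SHA1", "3DES-CBC", "group2"),
]
PHASE1_RESPONDER = {
    ("HMAC-SHA256", "AES-128-CBC", "group14"),
    ("HMAC-SHA1", "3DES-CBC", "group2"),
}
# Phase 2 negotiates the IPSec SA itself: here ESP with an encryption and an
# integrity algorithm (sample values only).
PHASE2_OFFER = [("ESP", "AES-128-CBC", "HMAC-SHA256"), ("ESP", "3DES-CBC", "HMAC-SHA1")]
PHASE2_RESPONDER = {("ESP", "AES-128-CBC", "HMAC-SHA256")}


def responder_match(offered, supported):
    """Responder: the subset of the offered proposals it also supports,
    kept in the initiator's preference order (empty list = no overlap)."""
    return [p for p in offered if p in supported]


def initiator_choose(common):
    """Initiator: the first entry of the common subset is its most
    preferred one, because the subset kept the initiator's order."""
    return common[0] if common else None


def negotiate(offered, supported):
    """One negotiation round; returns the agreed proposal or None."""
    return initiator_choose(responder_match(offered, supported))


def establish_sas(p1_offer, p1_supported, p2_offer, p2_supported):
    """Phase 1 yields the IKE SA; Phase 2 (the IPSec SA) only runs once
    Phase 1 succeeded, because Phase 2 is carried inside the IKE SA."""
    ike_sa = negotiate(p1_offer, p1_supported)
    if ike_sa is None:
        return None, None
    return ike_sa, negotiate(p2_offer, p2_supported)


if __name__ == "__main__":
    print(establish_sas(PHASE1_OFFER, PHASE1_RESPONDER,
                        PHASE2_OFFER, PHASE2_RESPONDER))
```

A responder that supports only algorithms absent from the offer returns an empty subset, and no SA (and therefore no tunnel) is set up.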

  21. IPSec

  22. How IPSec works (continued)
  • IPSec uses two protocols to establish security services:
    • Authentication Header (AH)
      • Provides connectionless data integrity and data origin authentication.
      • Includes a cryptographic checksum over the entire packet.
      • The receiver uses this checksum to verify that the packet has not been tampered with.
    • Encapsulating Security Payload (ESP)
      • Provides confidentiality for IP traffic through encryption.
      • Current standard IPSec encryption algorithms include the Triple Data Encryption Standard (3DES) and the Advanced Encryption Standard (AES).
      • Also provides authentication and anti-replay capabilities.
      • Unlike AH, the authentication services of ESP do not protect the IP header of the packet.
      • Most IPSec VPN implementations today use ESP.
  • AH and ESP may be used separately or together.
    • Their use depends on the IPSec mode: Transport mode or Tunnel mode.
    • Client-to-LAN connections typically use Transport mode, while LAN-to-LAN connections typically use Tunnel mode.
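A toy model of two points from slides 17 and 22, written as an added example (not from the slides or from any IPSec stack): AH's integrity check covers the IP header while ESP's starts at the ESP header, and the receiver keeps a sliding anti-replay window over the sequence number. The key, the 20-byte dummy IP header and the truncated HMAC-SHA256 tag are constructed for the example; real AH also zeroes mutable IP fields (TTL, checksum) before computing its ICV, which this model skips.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-sample-key"   # sample key for this example only
WINDOW = 64                       # anti-replay window size in packets


def icv(covered):
    """Truncated HMAC-SHA256 over the bytes the mode protects."""
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:12]


def covered_bytes(mode, ip_hdr, spi, seq, payload):
    """AH covers the IP header too; ESP's ICV starts at the ESP header."""
    esp_hdr = struct.pack("!II", spi, seq)
    return (ip_hdr if mode == "AH" else b"") + esp_hdr + payload


def build_packet(mode, ip_hdr, spi, seq, payload):
    tag = icv(covered_bytes(mode, ip_hdr, spi, seq, payload))
    return ip_hdr + struct.pack("!II", spi, seq) + payload + tag


class AntiReplay:
    """Sliding window: highest seq seen plus a bitmap of seqs below it."""
    def __init__(self, window=WINDOW):
        self.window, self.highest, self.bitmap = window, 0, 0

    def check_and_update(self, seq):
        """True (and seq recorded) only if seq is new and inside the window."""
        if seq == 0:                       # sequence 0 is never valid
            return False
        if seq > self.highest:             # advance window, bit 0 = new highest
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.window or self.bitmap & (1 << diff):
            return False                   # too old, or already received
        self.bitmap |= 1 << diff
        return True


def receive(mode, packet, ip_hdr_len, state):
    """Verify the ICV first; only authentic packets touch the replay window."""
    ip_hdr = packet[:ip_hdr_len]
    spi, seq = struct.unpack("!II", packet[ip_hdr_len:ip_hdr_len + 8])
    payload, tag = packet[ip_hdr_len + 8:-12], packet[-12:]
    if not hmac.compare_digest(tag, icv(covered_bytes(mode, ip_hdr, spi, seq, payload))):
        return "bad_icv"
    return "ok" if state.check_and_update(seq) else "replay"
```

Flipping a byte of the outer IP header is caught under AH but passes the ESP check, which is exactly the slide's point that ESP's authentication does not protect the IP header.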

  23. Benefits of IPSec VPN technology
  • Tremendous savings over the cost of a private WAN connection, leased lines, or long distance phone charges.
  • IPSec VPNs can also increase an organization's productivity.
    • An organization can grant restricted network access to business partners, customers, or vendors, dramatically increasing the efficiency and speed of business-to-business communications.
  • Home-office workers, telecommuters, and in-the-field sales and service workers can access the corporate network resources securely and economically with IPSec VPN remote access through the public Internet.
  • Global, economical access to an organization's network extends the organization's reach to markets formerly too remote or small to target or service profitably.

  24. IPSec VPN Challenges
  • Implementations' compliance with standards, to ensure correctness and interoperability.
  • Performance and scalability must be constantly upgraded and verified to satisfy the growing needs of the IPSec VPN industry.
  • The IETF is in the process of updating some of the protocols used with IPSec VPNs (for instance, a newer version of IKE, called IKEv2).
  • These present new and ongoing challenges to the IPSec community.

  25. SSL VPN

  26. What is an SSL VPN?
  • SSL is a commonly used protocol for managing the security of a message transmission on the Internet.
  • SSL works by using a public key to encrypt data that is transferred over the SSL connection.
  • SSL is a higher-layer security protocol, sitting closer to the application.
    • This close connection provides the granular access control that remote access and extranet VPNs require.
  • An SSL VPN uses SSL and proxies to provide authorized and secure access for end-users to HTTP, client/server, and file sharing resources.
  • Adding proxy technology to SSL offers companies greater security, because it prevents users from making a direct connection into a secured network.
  • SSL VPNs deliver user-level authentication, ensuring that only authorized users have access to the specific resources allowed by the company's security policy.

  27. Benefits of SSL VPN
  • Clientless access
    • Without the burden of configuring, managing, and supporting complex IPSec clients for each user, SSL VPNs are easier and less expensive to support, and they're faster to deploy than IPSec VPNs.
    • SSL VPNs use any Web browser as the client, providing clientless access that increases the number of points from which employees, partners, and customers can access network data.
    • Users can access Web applications, client/server applications, and enterprise file shares.
    • Without a traditional IPSec client, users gain true freedom and anywhere access to the resources they need.
    • Clientless access also simplifies configuration and management for IT administrators, which means fewer support calls.
  • Anywhere access
    • SSL VPNs enable users to access more applications from a broad range of devices and environments.
    • And SSL VPNs work over broadband networks, too.
    • SSL VPNs can seamlessly traverse network address translation (NAT), firewalls, and proxy servers.

  28. Benefits of SSL VPN (continued)
  • Increased security
    • End-user access to any given resource is restricted unless authorized, a vastly different approach from that of IPSec VPNs.
    • This technology provides a secure, proxied connection that reduces risk, because users never have a direct network connection to the resources they are authorized to access.
    • Proxies hide the internal domain name system (DNS) namespace, providing an extra level of protection for your network.
    • SSL VPNs detect personal firewalls and applications and perform other client-integrity checks.
    • Ensures that only authenticated users can gain access by checking privileges against an LDAP-enabled database, a RADIUS server, an NT domain, a UNIX user name/password database, RSA SecurID ACE servers, and others.
    • Provides a high degree of granular access.
    • Ability to enforce policy based upon the level of trust.

  29. Drawbacks of SSL VPN
  • Some are concerned that SSL VPN is not as secure as an IPSec VPN, the most common security protocol for dial-up and broadband remote access.
    • IPSec software is installed on employee computers and it creates a full network connection.
  • With regard to security, if you drill down to the details of IPSec and SSL VPN, they are much the same, just implemented differently. The technology in SSL VPN is just as secure as IPSec VPN is. However, because of the way it is deployed, SSL VPN can be less secure.
  • By providing users access from any location over any device, corporations are taking the risk that computers or devices utilised may have security risks that the IT department is unaware of. With SSL VPN, you have two unknowns: the user and the device.
  • However, with strong two-factor authentication, these security problems can be mitigated.

  30. Comparison

  31. Best of IPSec-VPN and SSL-VPN
  • In spite of the drawbacks of each, both technologies have their purpose.
  • Since IPSec can be used to secure network connections and SSL is focused on application layer traffic:
    • IPSec is well suited for business needs that require broad and persistent, site-to-site, network layer connections.
    • SSL, on the other hand, is well suited for applications where the system needs to connect individuals to applications and resources.

  32. Conclusion
  • With IPSec VPN technology, the public Internet can serve as the backbone of an organization's communications infrastructure, enabling the organization to realize significant savings and productivity gains.
  • This is successful only if the impact of IPSec on network performance is managed.
    • IPSec affects network throughput and adds latencies that can disrupt networked applications.
  • Implementations must also conform to standards, to ensure that IPSec network elements and applications interoperate.

  33. Questions
  • Why is SSL-VPN preferable for mobile devices?
  • What are the scalability issues for IPSec-VPN?
  • What makes the use of VPN essential in wireless networks?

  34. References
  • Comparing Secure Remote Access Options: IPSec VPNs vs. SSL VPNs. Aventail White Paper.
  • http://www.expresscomputeronline.com/20040216/opinion02.shtml
  • http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss21_art83,00.html
  • www.vpnc.org
  • Wireless Network Security: 802.11, Bluetooth and Handheld Devices.

  35. Thank you
