Virtual Private Networks and IPSec
Virtual Private Networks and IPSec. ECE 4112. What is a VPN?. VPN Stands for Virtual Private Network A method of ensuring private, secure communication between hosts over an insecure medium using tunneling Usually between geographically separate locations, but doesn’t have to be

Presentation Transcript
What is a VPN?
  • VPN Stands for Virtual Private Network
  • A method of ensuring private, secure communication between hosts over an insecure medium using tunneling
  • Usually between geographically separate locations, but doesn’t have to be
  • Via tunneling and software drivers, the computer is logically connected directly to a network that it is not physically part of

ECE 4112 - Internetwork Security

Sidebar: What is tunneling?
  • Putting one type of packet inside another
  • Both parties must be aware of tunnel for it to work
  • Example in next slide - AppleTalk over IP Tunnel

Example: AppleTalk over IP Tunnel

What is a VPN? (cont…)
  • Uses some means of encryption to secure communications
    • IPSec
    • SSH
    • Software could be written to support any type of encryption scheme
  • Two main types of VPNs –
    • Remote-Access
    • Site-to-Site

What is a VPN? (cont…)
  • Remote-Access
    • The typical example of this is a dial-up connection from home or for a mobile worker, who needs to connect to secure materials remotely
  • Site-to-Site
    • The typical example of this is a company that has offices in two different geographical locations, and wants to have a secure network connection between the two

Remote-Access Example

Site-to-Site Example

Why Use a VPN?
  • Originally designed as an inexpensive alternative to a WAN built over leased lines
  • Now mostly used to securely connect computers over the internet
  • Convenient
  • Lots of cheap and convenient protocols are insecure (IP, 802.11, etc)
    • Can now communicate securely over these insecure protocols

Why Use a VPN? (cont…)
  • Example – it can simplify security
    • (what is about to be proposed is not the most secure thing in the world – so don’t raise your hands and tell us how you would make it more secure… it’s just an example)
    • Assume simple security policy with IP based access management – for example, an FTP server with site-licensed software on it for employees
    • Before VPN, complicated to allow access to FTP site for telecommuters or traveling employees
      • Train all employees to use SSH tunnel, etc…
    • After VPN, employees offsite can still connect using an internal IP address

VPN Advantages
  • Improved Security
  • Consolidation of Scattered Resources
  • Transparency to Users
    • If set up properly
  • Reduced Cost (vs. Leased Lines)

VPN Disadvantages
  • Time Consuming Setup
  • Possibly Frustrating Troubleshooting
  • Interoperability with other Networks/VPNs
  • Small performance overhead
    • Should be negligible on today’s hardware

VPN Security
  • In academic terms, VPN can provide Confidentiality, Integrity, and Authenticity
  • Security against a determined hacker (read: academic attacks) depends largely upon the underlying protocols used
  • Assuming the security of SSH, IPSec, or whichever protocol is used, the VPN should be secure

How are VPNs set up?
  • Many different types of setup
  • Vary in:
    • Amount of hardware used vs. amount of software used
      • All hardware based
      • All software based
      • Mixed
    • Amount of transparency to end-user
      • Does the user even realize that they are using a VPN?

How are VPNs set up? (cont…)
  • The following is not an exhaustive list
    • Gateway to gateway
      • Using two VPN aware Gateways
    • End host to gateway
      • End host uses VPN Software
    • End host to end host
      • Both hosts use software
    • End host to concentrator

How are VPNs set up? (cont…)
  • SSH over PPP
  • SSL over PPP
  • Concentrator using IPSec
  • Others (PPTP, L2TP, etc)

VPN via SSH & PPP
  • Point-to-Point Protocol over a Secure Shell connection
  • Establishing a Network Connection
    • Establish an SSH connection
      • VPN Client → VPN Server
    • Each end has a PPP daemon that communicates through the SSH connection
    • Voilà! A VPN CONNECTION!

VPN via SSL & PPP
  • Point-to-Point Protocol over a Secure Sockets Layer connection
  • Secure Sockets Layer
    • Built-in support for Host Authentication
    • Certificates

VPN via SSL & PPP (cont…)
  • Establishing a Network Connection
    • Initial Handshake for secure communication
    • “Hello” messages establish:
      • SSL Version, support for Cipher suites, and some random data
    • Key is determined separately from handshake
    • SSL Connection Complete!
    • Data transferred over the link

VPN via Concentrator
  • What is a Concentrator?
    • Concentrator is NOT a gateway or firewall
    • Specialized device that accepts connections from VPN peers
    • Authenticates clients
    • Enforces VPN security policies
    • Takes overhead of VPN management and encryption off of gateways and local hosts

VPN via Concentrator (cont…)
  • Steps to Establish VPN
    • Set up Concentrator (add users, specify authentication mechanisms, set IP address ranges, etc)
    • Install client software
    • Client runs the software when they want to be on the VPN

Other Methods
  • Point-to-Point Tunneling Protocol
    • Microsoft’s Implementation of VPN
    • Data is first encapsulated inside PPP packets
    • PPP packets are then encapsulated in GRE packets and sent over the link
  • PPTP uses two connections
    • One for the data being sent
    • Another for a control channel

Other Methods (cont…)
  • Any technology can be used
    • Must have hardware or software to support it
  • Another example: L2TP on Gateways
    • Layer 2 Tunneling Protocol
    • Supported by routers
    • If two routers support L2TP, and are properly configured, then VPN is set up between routers
    • Transparent to end user

Intro to IPSec
  • Created to add Authentication, Confidentiality, and Integrity to IP traffic
  • Designed to combat specific shortcomings in IP
  • IPSec is large and implementation is complicated
  • What follows is a high-level overview
  • As we will see in lab, it need not be used only as a VPN technology – it can be stand-alone

Intro to IPSec (cont…)
  • IP Sec ≠ VPN
    • IP Sec is a protocol used in many VPNs
  • Two main modes
    • Transport
    • Tunnel
  • Two main services
    • AH (Authentication Header protocol)
    • ESP (Encapsulating Security Protocol)

Intro to IPSec (cont…)
  • Authentication Header protocol
    • Offers Authenticity and Integrity
    • Uses cryptographic hash
      • Covers entire packet, including static header fields
    • If any part of original message changes, it will be detected
    • Does not encrypt message
    • Can be used to authenticate –
      • Prevents IP Spoofing

Intro to IPSec (cont…)
  • Encapsulating Security Protocol
    • Provides Integrity and Confidentiality
    • Encrypts payload
    • If used in tunnel mode, encrypts original IP header


Intro to IPSec (cont…)
  • Transport Mode
    • Packet layout: Real IP Header | IP Options | IPSec Header | Payload (for example, TCP and payload)
    • The IPSec Header could be either an ESP Header, which encrypts over the payload, or an AH Header, which authenticates over the packet


Intro to IPSec (cont…)
  • Tunnel Mode
    • Packet layout: GW IP Header | IPSec Header | Real IP Header | Payload (for example, TCP and payload)
    • The IPSec Header could be either an ESP Header, which encrypts over the Real IP Header and payload, or an AH Header, which authenticates over the packet

Intro to IPSec (cont…)
  • AH and ESP can be used together
    • Tunnel ESP through AH transport packets
  • Want to protect cryptographic keys
  • Internet Key Exchange protocol (IKE)
    • Secure way to exchange session keys based on shared secret
    • Can also use certificates (public key cryptography)
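A constructed Python model, added here and not taken from the slides or any IPSec implementation, of what the tunneling sidebar, the AH slide and the transport/tunnel layouts describe: an AH-style integrity check computed over the whole packet with the mutable TTL zeroed, in both transport framing (Real IP Header | AH | Payload) and tunnel framing (GW IP Header | AH | Real IP Header | Payload). The function names, the dict-based header, the demo addresses and the HMAC-SHA-256 ICV are assumptions of this model.

```python
import hashlib
import hmac
import socket
import struct

# Constructed, simplified model (not real IPSec): the IP header is a dict, the AH
# "header" is just the ICV, and only TTL is treated as mutable. Real AH also carries
# an SPI and sequence number and zeroes TOS/ECN, flags, fragment offset and checksum.
AH_PROTO = 51

def ip_header(src, dst, proto, ttl=64):
    return {"src": src, "dst": dst, "proto": proto, "ttl": ttl}

def serialize(hdr, zero_mutable=False):
    """20-byte IPv4 header without options; TTL is zeroed when computing the ICV."""
    ttl = 0 if zero_mutable else hdr["ttl"]
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, ttl, hdr["proto"], 0,
                       socket.inet_aton(hdr["src"]), socket.inet_aton(hdr["dst"]))

def ah_icv(key, hdr, payload):
    """AH covers the whole packet: static IP header fields plus everything after."""
    mac = hmac.new(key, serialize(hdr, zero_mutable=True) + payload, hashlib.sha256)
    return mac.digest()[:12]  # HMAC-SHA-256-96 style truncation

def ah_transport(key, hdr, payload):
    """Transport mode: Real IP Header | AH Header | Payload."""
    return {"ip": hdr, "ah": ah_icv(key, hdr, payload), "payload": payload}

def ah_tunnel(key, gw_src, gw_dst, inner_hdr, payload):
    """Tunnel mode: GW IP Header | AH Header | Real IP Header | Payload.
    The whole original packet is tunneled as the payload of the gateway packet."""
    inner_packet = serialize(inner_hdr) + payload
    outer = ip_header(gw_src, gw_dst, AH_PROTO)
    return {"ip": outer, "ah": ah_icv(key, outer, inner_packet), "payload": inner_packet}

def verify(key, pkt):
    """Receiver recomputes the ICV; any change to a covered field is detected."""
    return hmac.compare_digest(pkt["ah"], ah_icv(key, pkt["ip"], pkt["payload"]))

def demo():
    key = b"constructed-demo-key"  # in real IPSec the session key comes from IKE
    pkt = ah_transport(key, ip_header("10.0.0.5", "10.0.0.9", 6), b"GET / HTTP/1.0\r\n")
    pkt["ip"]["ttl"] -= 1            # a router hop; TTL is mutable, so AH still verifies
    survives_hop = verify(key, pkt)
    pkt["ip"]["src"] = "10.0.0.66"   # spoofed source address: static field, detected
    spoof_detected = not verify(key, pkt)
    return survives_hop, spoof_detected

if __name__ == "__main__":
    print(demo())
```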

Resources
  • Books:
    • Building Linux Virtual Private Networks
      • Oleg Kolesnikov, Brian Hatch
    • Linux Server Hacks
      • Rob Flickenger
    • Network Security
      • Charlie Kaufman, Radia Perlman, Mike Speciner

Resources (cont…)
  • Lecture Slides by Wenke Lee (see below)
  • Websites:
    • http://vpn.shmoo.com/
    • http://www.tldp.org/HOWTO/VPN-HOWTO/
    • http://www.onlamp.com/lpt/a/3009
    • http://www.cisco.com/warp/public/471/how_vpn_works.shtml
    • http://www.cc.gatech.edu/classes/AY2004/cs4803_fall/ipsec_1.ppt
    • http://www.cc.gatech.edu/classes/AY2004/cs4803_fall/ipsec_2.ppt
