
Guide to Network Defense and Countermeasures Third Edition

Guide to Network Defense and Countermeasures, Third Edition. Chapter 11: Virtual Private Network (VPN) Concepts. Objectives: explain basic VPN concepts; describe encapsulation, encryption and authentication in VPNs.



1. Guide to Network Defense and Countermeasures, Third Edition. Chapter 11: Virtual Private Network (VPN) Concepts

2. Objectives
• Explain basic VPN concepts
• Describe encapsulation in VPNs
• Describe encryption in VPNs
• Describe authentication in VPNs
• Summarize the advantages and disadvantages of VPNs
Guide to Network Defense and Countermeasures, Second Edition

3. Objectives (contd.)
• Explain design considerations for a VPN
• Describe options for VPN configuration
• Explain how to set up VPNs with firewalls
• Explain how to adjust packet-filtering rules for VPNs
• Describe guidelines for auditing VPNs and VPN policies

4. Understanding VPN Concepts
• A Virtual Private Network (VPN) enables computers to
  • Communicate securely over insecure channels
  • Exchange private encrypted messages that others cannot decipher

5. What VPNs Are
• VPN
  • Virtual network connection
  • Uses the Internet to establish a secure connection
  • Secure tunnel
  • Extends an organization's network
• Endpoints
  • Specified computers, users, or network gateways


7. Why Establish a VPN?
• Business incentives driving VPN adoption
  • VPNs are cost-effective
  • VPNs provide a secure connection for remote users: contractors, traveling employees, partners and suppliers
• VPN components
  • VPN server or host: configured to accept connections from clients
  • VPN client or guest: endpoints connecting to a VPN

8. Why Establish a VPN? (continued)
• VPN components
  • Tunnel: the connection through which data is sent
  • VPN protocols: sets of standardized communication settings used to encrypt data sent along the VPN
• Types of VPNs
  • Site-to-site VPN (also called gateway-to-gateway VPN)
  • Client-to-site VPN (also called remote access VPN)

9. Why Establish a VPN? (continued)
• Hardware versus software VPNs
• Hardware-based VPNs
  • Connect one gateway to another
  • Routers at each network gateway encrypt and decrypt packets
  • VPN appliance: a device designed to serve as a VPN endpoint and join multiple LANs
• Benefits
  • Scalable
  • Better security


12. Why Establish a VPN? (continued)
• Hardware versus software VPNs (continued)
• Software-based VPNs
  • Integrated with firewalls
  • Appropriate when participating networks use different routers and firewalls
• Benefits
  • More cost-effective
  • Offer maximum flexibility


14. Why Establish a VPN? (continued)
• VPN combinations
  • Combining VPN hardware with software adds layers of network security
  • One useful combination is a VPN bundled with a firewall
  • VPNs do not eliminate the need for firewalls
  • Combinations provide flexibility and versatility

15. Why Establish a VPN? (continued)
• VPN combinations (continued)
• Points to consider when selecting VPNs
  • Compatibility
  • Scalability
  • Security
  • Cost
  • Vendor support

16. VPN Core Activity 1: Encapsulation
• Core set of activities
  • Encapsulation
  • Encryption
  • Authentication
• Encapsulation
  • Encloses a packet within another packet that has different IP source and destination addresses (those of the tunnel endpoints)
  • Hides the original addressing and routing information from observers on the public network
  • Encapsulation by itself does not protect the data's integrity; that comes from the authentication step (AH or ESP integrity checks)


18. Understanding Tunneling Protocols
• Point-to-Point Tunneling Protocol (PPTP)
  • Used when you need to dial in to a server with a modem connection, or on a computer running an older OS version
  • Encapsulates PPP frames (which carry the user's TCP/IP packets) inside GRE; a separate TCP control connection on port 1723 manages the tunnel
  • The header contains only the information needed to route data from the VPN client to the server
  • Uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data passing between the remote computer and the remote access server
  • Caveat: MPPE is RC4-based and PPTP's usual MS-CHAPv2 authentication is known to be breakable, so PPTP should not be chosen for new deployments
• L2TP uses IPsec encryption
  • More secure and widely supported

19. Understanding Tunneling Protocols (continued)
• Layer 2 Tunneling Protocol (L2TP)
  • Tunnels PPP frames but provides no encryption of its own
  • Provides better security through IPsec; the combination is called L2TP/IPsec
  • IPsec enables L2TP to perform
    • Authentication
    • Encapsulation
    • Encryption


21. Understanding Tunneling Protocols (continued)
• Secure Shell (SSH)
  • Provides authentication and encryption
  • Works with UNIX-based systems; versions for Windows are also available
  • Uses public-key cryptography for host and, optionally, user authentication
  • Can forward TCP ports through the encrypted connection, which is how it is used as a lightweight VPN
• SOCKS version 5
  • Provides proxy services for applications that do not usually support proxying
  • SOCKS version 5 (RFC 1928) adds client authentication (username/password or GSS-API, which can also protect the channel) and support for UDP

22. IPSec/IKE
• Internet Protocol Security (IPsec)
  • Set of standard procedures developed by the Internet Engineering Task Force (IETF)
  • Enables secure communications on the Internet
• Characteristics
  • Works at layer 3 (the network layer), so it protects any transport protocol and application above it without changing them
  • Can encrypt an entire TCP/IP packet (tunnel mode)
  • Developed alongside IPv6, where support was originally mandatory; works equally with IPv4
  • Provides authentication of source and destination computers

23. IPSec/IKE (continued)
• Widely supported
• Security Association (SA)
  • Relationship between two or more entities that describes how they will use security services to communicate
  • Used by IPsec to track all the particulars of a communication session: algorithms, keys, lifetimes and sequence numbers
  • SAs are unidirectional, so a two-way connection needs a pair of SAs, one inbound and one outbound
  • Each SA is identified by the Security Parameter Index (SPI) carried in every AH or ESP header

24. IPSec/IKE (continued)
• Components
  • Internet Security Association and Key Management Protocol (ISAKMP)
  • Internet Key Exchange (IKE): negotiates the SAs and their keys (IKEv2 is the current version)
  • Oakley: the key-determination protocol that IKEv1 built on
  • IP Security Policy Management
  • IPsec driver
• IPsec core protocols
  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP)

25. IPSec/IKE (continued)
• Authentication Header (AH)
  • Provides origin authentication and integrity for IP packets, plus a sequence number for anti-replay protection
  • Does not encrypt anything
  • Packets carry an Integrity Check Value (ICV): a keyed hash (HMAC) over the packet, not a public-key digital signature
  • The ICV is computed over the payload and the IP header fields that do not change in transit; mutable fields (TTL, DSCP/ECN, flags, fragment offset, checksum) are zeroed before hashing
  • Because the addresses are covered, a NAT device rewriting an address invalidates the ICV, so AH does not work through NAT
• AH in tunnel mode
  • Places a new IP header at the front of the original packet and authenticates the entire original packet, header included
• AH in transport mode
  • Authenticates the payload and the immutable fields of the original header
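How AH's integrity check behaves in practice, as an added Python example (not from the textbook): it builds an IPv4 packet in AH transport mode, computes the ICV as an HMAC over the immutable header fields, the AH header and the payload, then shows that a router decrementing the TTL leaves the packet valid while a NAT device rewriting an address, or any change to the payload, does not. The key, the addresses and the choice of truncated HMAC-SHA256 are assumptions for the demo; in a real deployment IKE negotiates the algorithm and key.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51
ICV_LEN = 12  # 96-bit truncated HMAC, the ICV length AH conventionally uses
KEY = b"constructed-demo-key-not-for-production"  # assumption: IKE would supply this


def ipv4_header(src, dst, proto, payload_len, ttl=64, tos=0):
    """Build a 20-byte IPv4 header (no options). The checksum is left zero;
    it is a mutable field and plays no part in the ICV anyway."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, tos, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def zero_mutable(hdr):
    """AH hashes the IP header with fields a router may legitimately change
    (DSCP/ECN, flags + fragment offset, TTL, checksum) set to zero."""
    b = bytearray(hdr)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)


def compute_icv(key, ip_hdr, ah_fixed, payload):
    """ICV = HMAC over immutable IP header + AH header (ICV field zeroed) + payload."""
    mac_input = zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, mac_input, hashlib.sha256).digest()[:ICV_LEN]


def ah_transport_packet(key, spi, seq, src, dst, inner_proto, payload, ttl=64):
    """IP header | AH header | ICV | original payload (transport mode)."""
    ah_len = 12 + ICV_LEN
    ip_hdr = ipv4_header(src, dst, AH_PROTO, ah_len + len(payload), ttl)
    # Next Header, Payload Len (AH length in 32-bit words minus 2), Reserved, SPI, Seq
    ah_fixed = struct.pack("!BBHII", inner_proto, ah_len // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + compute_icv(key, ip_hdr, ah_fixed, payload) + payload


def ah_verify(key, pkt):
    """Recompute the ICV at the receiver and compare in constant time."""
    ip_hdr, rest = pkt[:20], pkt[20:]
    if len(ip_hdr) < 20 or ip_hdr[9] != AH_PROTO:
        return False
    ah_fixed, icv, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    return hmac.compare_digest(compute_icv(key, ip_hdr, ah_fixed, payload), icv)


def router_hop(pkt):
    """What every router does: decrement the TTL (the checksum would change too)."""
    b = bytearray(pkt)
    b[8] -= 1
    return bytes(b)


def nat_rewrite_src(pkt, new_src):
    """What a NAT gateway does on the way out: replace the source address."""
    b = bytearray(pkt)
    b[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(b)


def demo():
    pkt = ah_transport_packet(KEY, 0x1000, 1, "10.0.0.5", "192.0.2.10", 17, b"hello vpn")
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    return {
        "original": ah_verify(KEY, pkt),
        "after_router_hop": ah_verify(KEY, router_hop(pkt)),
        "after_nat": ah_verify(KEY, nat_rewrite_src(pkt, "203.0.113.7")),
        "tampered_payload": ah_verify(KEY, tampered),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} {'valid' if ok else 'REJECTED'}")
```

The same zeroing of mutable fields is why AH survives ordinary routing but not address translation: TTL is excluded from the hash, the addresses are not.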


28. IPSec/IKE (continued)
• Encapsulating Security Payload (ESP)
  • Provides confidentiality for messages and, through its own ICV, integrity and origin authentication, so AH is rarely needed alongside it
  • Encrypts different parts of a TCP/IP packet depending on the mode
• ESP in tunnel mode
  • Encrypts the entire original packet, header and data, and prepends a new outer IP header carrying the gateways' addresses
  • The mode used for site-to-site (gateway-to-gateway) VPNs
• ESP in transport mode
  • Encrypts only the data portion of the packet; the original IP header stays in the clear
  • Used for host-to-host protection, for example under L2TP/IPsec
• Firewalls and NAT
  • A NAT device can rewrite the outer address in either mode, but port translation needs the TCP/UDP ports, which ESP hides; IKE therefore negotiates NAT traversal (NAT-T), wrapping ESP in UDP port 4500 so it can cross NAT firewalls
  • A packet filter in front of an IPsec gateway must permit UDP/500 (IKE), UDP/4500 (NAT-T) and IP protocol 50 (ESP); protocol 51 as well if AH is used
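The receiving side of an ESP SA, as an added Python example (not from the textbook) that also illustrates the unidirectional SAs from slide 23: it parses the ESP header (SPI and sequence number), looks the packet up in a Security Association Database keyed on (SPI, destination), and applies the anti-replay sliding window from RFC 4303. Decryption and the ICV check are deliberately left out so the bookkeeping stands alone; the SPI, addresses, cipher name and packets are constructed for the demo.

```python
import struct
from dataclasses import dataclass

ESP_PROTO = 50
WINDOW = 64  # RFC 4303 requires at least 32; 64 is a common default


@dataclass
class InboundSA:
    """One direction of traffic. The peer holds the mirror-image outbound SA."""
    spi: int
    dst: str
    cipher: str          # negotiated by IKE; recorded only, not used here
    highest_seq: int = 0
    window: int = 0      # bitmap: bit i set => (highest_seq - i) already received

    def check_and_update(self, seq):
        """Sliding-window anti-replay check (RFC 4303 section 3.4.3). Returns
        True for a fresh, in-window sequence number and records it."""
        if seq == 0:
            return False                     # first valid sequence number is 1
        if seq > self.highest_seq:           # advance the window
            shift = seq - self.highest_seq
            if shift >= WINDOW:
                self.window = 1
            else:
                self.window = ((self.window << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= WINDOW:
            return False                     # too old, fell off the left edge
        if (self.window >> diff) & 1:
            return False                     # already seen: replay
        self.window |= 1 << diff
        return True


class SAD:
    """Security Association Database, keyed the way an IPsec stack does it."""
    def __init__(self):
        self._table = {}

    def add(self, sa):
        self._table[(sa.spi, sa.dst)] = sa

    def lookup(self, spi, dst):
        return self._table.get((spi, dst))


def build_esp(dst, spi, seq, body=b""):
    """Constructed IPv4 + ESP packet: 20-byte header, then SPI and sequence."""
    hdr = bytearray(20)
    hdr[0], hdr[9] = 0x45, ESP_PROTO
    hdr[16:20] = bytes(int(x) for x in dst.split("."))
    return bytes(hdr) + struct.pack("!II", spi, seq) + body


def parse_esp(pkt):
    """Return (outer destination, SPI, sequence number, encrypted remainder)."""
    if len(pkt) < 28 or pkt[9] != ESP_PROTO:
        raise ValueError("not an IPv4 ESP packet")
    dst = ".".join(str(b) for b in pkt[16:20])
    spi, seq = struct.unpack("!II", pkt[20:28])
    return dst, spi, seq, pkt[28:]


def receive(sad, pkt):
    """Inbound processing up to, but not including, ICV check and decryption."""
    dst, spi, seq, _ = parse_esp(pkt)
    sa = sad.lookup(spi, dst)
    if sa is None:
        return "drop: no SA"
    if not sa.check_and_update(seq):
        return "drop: replay or out of window"
    return f"accept: spi={spi:#x} seq={seq}"


def demo():
    sad = SAD()
    sad.add(InboundSA(spi=0x1001, dst="192.0.2.10", cipher="aes-gcm-256"))
    results = []
    # in order, then reordered, then a replay, then a jump that slides the window
    for seq in (1, 2, 5, 3, 3, 70, 5, 200):
        results.append(receive(sad, build_esp("192.0.2.10", 0x1001, seq)))
    results.append(receive(sad, build_esp("192.0.2.10", 0x2002, 1)))  # unknown SPI
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note that the replay check is applied only after the SA lookup and, in a real stack, only after the ICV verifies; otherwise an attacker could advance the window with forged sequence numbers and cause legitimate packets to be dropped.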


30. VPN Core Activity 2: Encryption
• Encryption
  • Process of rendering information unreadable by all but the intended recipient
• Components
  • Key
  • Digital certificate
  • Certification Authority (CA)
• Key exchange methods
  • Symmetric cryptography
  • Asymmetric cryptography
  • Internet Key Exchange
  • FWZ


32. Encryption Schemes Used by VPNs
• Triple Data Encryption Standard (3DES)
  • Historically used by much VPN hardware and software
  • 3DES is a variation on Data Encryption Standard (DES): it applies DES three times (encrypt, decrypt, encrypt)
  • DES is not secure; its 56-bit key can be brute-forced
  • 3DES is stronger: three separate 56-bit keys (168 bits nominal, about 112 bits effective because of meet-in-the-middle attacks)
  • 3DES requires roughly three times the computation of DES
  • 3DES is now deprecated (NIST disallowed it for encryption after 2023); current VPNs should negotiate AES, preferably AES-GCM


34. Encryption Schemes Used by VPNs (continued)
• Secure Sockets Layer (SSL)
  • Developed by Netscape Communications Corporation; its standardized successor, Transport Layer Security (TLS), is what is actually deployed today
  • Enables Web servers and browsers to exchange encrypted information
• Characteristics
  • Uses public-key cryptography for the handshake and symmetric keys for the session data
  • Uses the sockets method of communication
  • Operates above the transport layer, on top of TCP (session/presentation layers of the OSI model), not at layer 3 like IPsec
  • Widely used on the Web
  • Originally carried only Web-enabled applications; SSL/TLS VPNs now tunnel arbitrary traffic over the same TCP port 443
  • Unlikely to replace IPsec for site-to-site tunnels

35. Encryption Schemes Used by VPNs (continued)
• Secure Sockets Layer (SSL) (continued)
• Steps (the classic RSA key exchange)
  • Client connects to the Web server using the SSL protocol
  • The two machines arrange a "handshake" process
  • Client sends its preferences for encryption method (cipher suites), its SSL version number, and a randomly generated number
  • Server responds with its SSL version number, its chosen cipher, its own random number, and its digital certificate
  • Client verifies the certificate: validity dates, hostname match, and the chain to a trusted CA
  • Client generates a "pre-master" secret and sends it encrypted with the server's public key

36. Encryption Schemes Used by VPNs (continued)
• Secure Sockets Layer (SSL) (continued)
• Steps (continued)
  • Server uses its private key to decrypt the pre-master secret
  • Both sides derive a master secret from the pre-master secret and the two random numbers
  • Client and server use it to generate the symmetric session keys
  • Server and client exchange "Finished" messages saying the handshake is completed
  • SSL session begins
• TLS 1.3 has dropped this RSA key transport in favor of ephemeral Diffie-Hellman, so a later theft of the server's private key no longer lets an attacker decrypt recorded sessions

37. VPN Core Activity 3: Authentication
• Authentication
  • Identifying a user or computer as authorized to access and use network resources
• Types of authentication methods used in VPNs
  • IPsec (IKE with pre-shared keys or certificates)
  • MS-CHAP (MS-CHAPv2 for PPTP and L2TP-based remote access)
  • Both computers exchange authentication packets and authenticate one another (mutual authentication)
• VPNs use digital certificates to authenticate users and gateways


39. Advantages and Disadvantages of VPNs

40. Designing a VPN
• Assess the organization's needs and goals
  • Type of business
  • How many employees it has
  • Infrastructure already in place
  • Security required
• Enforce security on the client side of the VPN tunnel
  • Most difficult aspect of the design process

41. Business Needs
• Business processes determine how you will implement a VPN strategy
• Careful analysis of the existing infrastructure helps you integrate the VPN with minimal disruption
• VPNs can be classified as site-to-site or client-to-site
• Can offer cost-effective, secure connectivity
• There are legal implications of failing to secure access to a remote network

42. Business Needs (continued)
• Nature of the business
  • What does it do?
  • What product or service does it sell?
  • Who are its customers?
• Cost is usually a key factor
  • Narrows the choices of hardware and software

43. Business Needs (continued)
• Nature of the business
• A secure VPN design should address:
  • Secure connectivity
  • Availability
  • Authentication
  • Secure management
  • Reliability
  • Scalability
  • Performance

44. Client Security
• There are several ways to increase VPN client security; the first is to control split tunneling
• Split tunneling
  • Describes multiple paths out of the client
  • One path goes to the VPN server and is secured
  • Another, unsecured path lets the user reach the Internet directly while still connected to the corporate VPN
  • A compromised client then bridges the Internet and the internal LAN, leaving the VPN server and internal network open to attack
  • Enforcing a full tunnel (all traffic through the VPN), or tightly limiting the split routes, removes that bridge
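A client-side check for split tunneling, as an added Python example (not from the textbook): it reads the Linux routing table in `ip route show` format and reports whether all traffic leaves through the VPN interface or a direct path to the Internet remains. The interface-name prefixes and the three routing tables are constructed sample data; the 0.0.0.0/1 and 128.0.0.0/1 routes are how OpenVPN's redirect-gateway def1 option overrides the default route without deleting it.

```python
import subprocess

# Assumption: interface-name prefixes that mark a VPN adapter on this fleet.
VPN_IFACE_PREFIXES = ("tun", "tap", "wg", "ppp", "ipsec")

# Constructed sample output of `ip route show` for three client states.
ROUTES_NO_VPN = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

ROUTES_SPLIT = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
172.16.0.0/12 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

ROUTES_FULL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.50 via 192.168.1.1 dev wlan0
"""


def parse_routes(text):
    """Return (destination, device) pairs from `ip route show` lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((parts[0], dev))
    return routes


def split_tunnel_status(text):
    """Classify a routing table: 'no VPN interface', 'full tunnel' or 'split tunnel'."""
    routes = parse_routes(text)
    vpn_devs = {dev for _, dev in routes if dev and dev.startswith(VPN_IFACE_PREFIXES)}
    if not vpn_devs:
        return "no VPN interface"
    default_devs = {dev for dest, dev in routes if dest == "default"}
    # OpenVPN's redirect-gateway def1 adds two more-specific halves instead of
    # replacing the default route; together they cover the whole address space.
    halves = {dest: dev for dest, dev in routes if dest in ("0.0.0.0/1", "128.0.0.0/1")}
    full_by_default = bool(default_devs) and default_devs <= vpn_devs
    full_by_halves = len(halves) == 2 and set(halves.values()) <= vpn_devs
    return "full tunnel" if (full_by_default or full_by_halves) else "split tunnel"


def check_live():
    """Run the same check against the real routing table (Linux only)."""
    out = subprocess.run(["ip", "route", "show"], capture_output=True,
                         text=True, check=True).stdout
    return split_tunnel_status(out)


if __name__ == "__main__":
    for name, table in (("no VPN", ROUTES_NO_VPN), ("split", ROUTES_SPLIT), ("full", ROUTES_FULL)):
        print(f"{name:7} -> {split_tunnel_status(table)}")
```

The host route to the VPN server's public address (203.0.113.50 via wlan0 in the full-tunnel table) is expected and does not count as split tunneling; without it the tunnel's own packets would be routed into the tunnel.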


47. Client Security (continued)
• Planning VPN deployment
  • Consider the existing infrastructure
  • Make a network map
  • Decide on the placement of VPN servers
  • Research hardware and software to use
  • Decide whether you need new hardware or software; sometimes you can reconfigure existing resources to support a VPN
  • Develop a list of requirements for when you meet a vendor, so nothing is overlooked
  • Follow security policy guidelines

48. VPN Topology Configurations
• VPN topology
  • How the components of the VPN are connected to one another over the tunnels (a logical arrangement, independent of the physical links beneath it)
  • Determines how gateways, networks, and clients are related to each other
  • Corresponds to the basic physical and logical topologies of any network

49. VPN Topology Configurations (continued)
• Mesh topology
  • All participants in the VPN have Security Associations (SAs) with one another
• Types of mesh arrangements
  • Full mesh: every subnetwork is connected to all other subnets in the VPN; complex to manage, since n sites need n(n-1)/2 tunnels
  • Partial mesh: any subnet in the VPN may or may not be connected to the other subnets

