VPN Technology Advances And Challenges

LILISH M SAKI

Lmsaki@scu.edu

Santa Clara University

COEN 329

Winter 2002

AGENDA
  • Introduction
  • VPN overview and benefits
  • Technology behind VPN
  • VPN tunneling protocols
  • IPsec VPN Implementation details
  • Implementation alternatives
  • Future challenges
  • Conclusion

SCU - Lilish M Saki - Winter 2002

Introduction to VPN
  • Organizations used to build WANs, now called intranets, over dedicated leased lines, ATM or frame relay to connect their branches and offices.
  • In addition, some organizations selectively open their WAN access to partners to provide extranet services.
    • Supporting this kind of intranet/extranet architecture proves costly for many organizations.

Introduction to VPN (Contd.)
  • Likewise, a mobile worker logging in to a dial-up intranet must call into the company's remote access server using either a 1-800 number or a remote number.
    • This incurs long-distance telephone charges.
  • Virtual private networks (VPNs) use a public network, such as the internet, to carry private communications safely and inexpensively.
  • VPNs are very useful for organizations looking both to expand their networking capabilities and to reduce their costs.

Introduction to VPN (Contd.)
  • Telecommuters and those who travel often might find VPNs to be a more convenient way to stay "plugged in" to the corporate intranet.
  • A VPN can support the same intranet/extranet services as a traditional WAN, but VPNs are most popular for their support of secure remote access service.

VPN Overview
[Diagram: VPN remote access overview. Labels: Remote user, Local ISP, Public Network, VPN Tunnel, Secure VPN Connection, Dedicated link to ISP, Company's Authentication server, LAN.]
VPN Overview (Contd.)
  • The diagram above illustrates a VPN remote access solution: a remote user (client) wants to log into the company LAN.
  • The VPN client connects through a local ISP to the company's authentication server.
  • The server authenticates the client, after which the client communicates with the company network over the public network as securely as if it were on the internal LAN.

VPN Overview (Contd.)
  • A small remote office without a permanent connection to the corporate intranet can be connected the same way; in this case the remote office's server establishes the VPN connection with the corporate server.
  • During connection establishment, a VPN tunnel is created between the remote user and the authentication server across the internet.

VPN Overview - Tunneling
  • Tunneling is needed because the internet, though cost-effective, is a public shared network and in its natural state is not suitable for secure transactions or private communications.
  • In tunneling, instead of sending a frame as produced by the originating node, the tunneling protocol encapsulates the packet within a normal IP packet, which is forwarded over an IP-based network and routed between the tunnel endpoints.

Common uses of VPNs
  • There are three main uses of VPNs:
    • Intranet VPNs: Allow private networks to be extended across the internet or another public network service in a secure way. Intranet VPNs are sometimes referred to as site-to-site or LAN-to-LAN VPNs.
    • Extranet VPNs: Allow secure connections with business partners, suppliers and customers for the purpose of e-commerce. Extranet VPNs are an extension of intranet VPNs with the addition of firewalls to protect the internal network.

Common uses of VPNs (Contd.)
  • Remote access VPNs: Allow individual dial-up users to connect to a central site across the internet or another public network service in a secure way. Remote access VPNs are sometimes referred to as dial VPNs.
  • Securing intranets internally: Intranets can also use VPN technology to implement controlled access to individual subnets on the private network. In this mode, VPN clients connect to a VPN server that acts as a gateway to the computers behind it on the subnet.

Common Uses of VPNs

[Diagram: the three uses of VPNs; not reproduced in the transcript.]

VPN Benefits
  • Low cost.
    • Eliminates the need for expensive long-distance leased lines.
      • With VPNs, an organization needs only a relatively short dedicated connection to the service provider.
      • This connection could be a local leased line (much less expensive), or it could be a local broadband connection such as DSL service.

VPN Benefits (Contd.)
  • Dial-in VPNs reduce costs by cutting the long-distance telephone charges incurred for remote access.
  • Costs are lowered further by offloading the support burden: with VPNs the service provider, rather than the organization, supports dial-up access, for example.

VPN Benefits (Contd.)
  • Scalability:
    • The cost to an organization of traditional leased lines may be reasonable initially but can increase exponentially as the organization grows.
      • Four branch offices require six lines for full connectivity, five offices require ten lines, and so on.

VPN Benefits (Contd.)
  • In a traditional WAN this explosion of links limits the flexibility for growth. VPNs that use the internet avoid the problem by simply tapping into the geographically distributed access already available.
    • Because ISP services are ubiquitous, it is possible to link even the most remote users or branch offices into the network.

Basic VPN requirements
  • At a minimum, a VPN solution should provide all of the following:
    • User Authentication: The solution must verify a user's identity and restrict VPN access to authorized users. In addition, the solution must provide audit and accounting records to show who accessed what information and when.
    • Address Management: The solution must assign a client's address on the private net, and must ensure that private addresses are kept private.

Basic VPN Requirements
  • Data Encryption: Data carried on the public network must be rendered unreadable to unauthorized clients on the network.
  • Key Management: The solution must generate and refresh encryption keys for the client and server.

Basic VPN Requirements
  • Multiprotocol Support: The solution must be able to handle the common protocols used in the public network. These include Internet Protocol (IP), Internetwork Packet Exchange (IPX), and so on.
  • Security negotiation and complex filtering.

Basic VPN Requirements (Contd.)
  • Management: Client-based software should be as transparent as possible. VPN carriers will require new management tools in order to simplify the configuration and monitoring of a corporate customer's VPN.
  • Further emerging requirements like QoS, CoS, etc., will be discussed later on.

Technology behind VPN
  • A VPN is essentially a software technique to route private traffic over the public internet.
  • Three functions form the basis of a VPN:
    • Packet encapsulation, or "tunneling".
    • Encryption.
    • Authentication.
  • Scope of encapsulation and encryption:
    • The next slide shows the layout of an IP packet.
    • Each part of an IP packet has security exposures if sent in the clear over the internet.

Technology behind VPN
  • The threats listed below require us to encrypt the entire packet when sending it over the internet.

IP Packet and security threats (diagram):
  • IP Header: src. and dest. address, other information.
  • Other header.
  • User data: passwords, user ID, credit card info, all other data.
  • Information useful to hackers.

Encryption Concepts
  • Privacy of the information sent over a VPN is ensured by encryption.
  • Encryption is a technique for scrambling information (into cipher text) and unscrambling it (back to clear text).

Encryption Concepts
  • Asymmetric public-key cryptography is normally used for encryption and decryption.
  • Encryption algorithms:
    • DES (56-bit key length).
    • 3DES (168-bit key length).
    • AES (Advanced Encryption Standard), the newest of the supported algorithms.

Authentication Concepts
  • Authentication basically answers the following question:
    • "Are you really who you say you are?"
  • There are two types of authentication: user/system authentication and data authentication.
  • User/System Authentication:
    • Verifying that the person or system is indeed who it claims to be.
    • A common technique is to send a "challenge", a random number, to the other side.

Authentication Concepts (Contd.)
  • The challenged side returns a value obtained by encrypting the random number with a key known only to the challenged side.
  • The challenger decrypts the returned value, and if it matches the original number, the challenged party is deemed authentic.
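Added example (not part of the original slides): the challenge-response exchange described above, written out for both sides. The slides bind the challenge to the secret by encrypting it; this version uses a keyed hash (HMAC-SHA-256) instead, because the standard library has no block cipher and a MAC gives the same proof of key possession. The shared key and the helper names are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed shared key; in a real deployment it is provisioned out of band.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def make_challenge() -> bytes:
    """Challenger side: a fresh random nonce the peer must prove it can key."""
    return secrets.token_bytes(16)


def answer_challenge(challenge: bytes, key: bytes) -> bytes:
    """Challenged side: bind the nonce to the secret with a keyed hash.
    A listener who records the exchange learns neither the key nor a reusable answer."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def verify_response(challenge: bytes, response: bytes, key: bytes) -> bool:
    """Challenger side: recompute the expected answer and compare in constant time."""
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def run_exchange(peer_key: bytes) -> bool:
    """One full round: challenge out, response back, verdict. True only if the
    peer holds the same key the challenger holds."""
    challenge = make_challenge()
    response = answer_challenge(challenge, peer_key)
    return verify_response(challenge, response, SHARED_KEY)


def replay_rejected() -> bool:
    """A recorded response is useless against a later challenge, which is why
    the challenge must be a fresh random value every time."""
    first = make_challenge()
    recorded = answer_challenge(first, SHARED_KEY)
    second = make_challenge()
    return not verify_response(second, recorded, SHARED_KEY)
```

The constant-time comparison matters on the challenger side: a plain `==` on the response bytes can leak, byte by byte, how much of a guess was correct.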

Authentication Concepts (Contd.)
  • Data Authentication:
    • This verifies that the packet has not been altered during its trip over the internet.
    • A typical technique, applied before encryption, is for the sender to calculate a number, called a hash, from the data content and append it to the data packet.
    • The receiver decrypts the packet, calculates the hash independently and compares its own hash with the one appended to the data.
    • If the two hashes do not match, the data has been altered and the receiver rejects it.

Tunneling Basics
  • Encrypting the IP header by itself is not enough, since intermediate routers would then be unable to read the destination address.
  • The tunneling protocol therefore encapsulates the frame in an additional header.

Tunneling Basics
  • The additional header provides routing information so that the encapsulated payload can traverse the intermediate internetwork.
  • Tunneling covers this entire process: encapsulation, transmission and de-encapsulation of packets.

Tunneling Basics
[Diagram: Tunneling. Labels: Tunnel End Points, Tunnel, Tunneled Payload, Payload.]
Tunneling Basics (Contd.)
  • The logical path along which the encapsulated packets travel through the internetwork is called a tunnel.
  • Once the encapsulated frames reach their destination on the internetwork, the frame is de-encapsulated and forwarded to its final destination.
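Added example (not part of the original slides): the encapsulate/transmit/de-encapsulate cycle for the simplest Layer 3 case, IP over IP, in plain Python with `struct`. The tunnel entry wraps the whole inner packet behind a new outer IPv4 header whose protocol field is 4 (IP-in-IP); a router on the path parses only the outer header, and the tunnel exit strips it. Addresses and payload are constructed; `ipv4_header`, `encapsulate` and `decapsulate` are names chosen for this example.

```python
import struct

# Constructed addresses: inner traffic is private LAN space, outer are the tunnel endpoints.
INNER_SRC, INNER_DST = "10.1.1.10", "10.2.2.20"
OUTER_SRC, OUTER_DST = "203.0.113.1", "198.51.100.1"
PROTO_TCP, PROTO_IPIP = 6, 4      # IANA protocol numbers; 4 = IP-in-IP (RFC 2003)


def ip_checksum(header: bytes) -> int:
    """One's-complement sum over the header; returns 0 when a filled-in checksum verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _addr(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header, no options; identification fixed at 0 so output is deterministic."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      ttl, proto, 0, _addr(src), _addr(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload); raises ValueError on a bad header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = packet[:ihl]
    if ip_checksum(hdr) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", hdr[2:4])[0]
    src = ".".join(map(str, hdr[12:16]))
    dst = ".".join(map(str, hdr[16:20]))
    return src, dst, hdr[9], packet[ihl:total_len]


def encapsulate(inner_packet: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Tunnel entry: the entire inner packet, header included, becomes the outer payload."""
    return ipv4_header(outer_src, outer_dst, PROTO_IPIP, len(inner_packet)) + inner_packet


def decapsulate(outer_packet: bytes) -> bytes:
    """Tunnel exit: strip the outer header and hand the inner packet back to normal routing."""
    _, _, proto, inner = parse_ipv4(outer_packet)
    if proto != PROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    return inner


def demo():
    """What an intermediate router sees versus what the tunnel exit recovers."""
    payload = b"constructed TCP segment bytes"
    inner = ipv4_header(INNER_SRC, INNER_DST, PROTO_TCP, len(payload)) + payload
    tunneled = encapsulate(inner, OUTER_SRC, OUTER_DST)
    visible_src, visible_dst, visible_proto, _ = parse_ipv4(tunneled)   # router's view
    recovered = decapsulate(tunneled)
    return visible_src, visible_dst, visible_proto, recovered == inner
```

Note that nothing here is encrypted or authenticated: the inner addresses and payload are still readable on the wire, which is exactly the gap the encryption and authentication functions on the following slides close.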

Tunneling Basics (Contd.)
  • Tunneling technology can be based on either a Layer 2 or a Layer 3 tunneling protocol.
    • Layer 2 tunneling protocols: PPTP, L2TP, L2F.
    • Layer 3 tunneling protocols: IP over IP and IPSec (tunnel mode).
  • The next slide shows a comparison table of the features each of the above protocols supports; the individual protocols are then discussed.

Tunneling Protocols – Features Comparison

[Comparison table not reproduced in the transcript.]
Tunneling Protocols Comparison
  • Each of the above features is critical in determining how the various VPN protocols are implemented.
  • IPSec is gaining more and more vendor support because of its security; however, issues such as user authentication and multiprotocol support remain, and work is ongoing to resolve them.
  • PPTP and L2TP lack machine and packet authentication as standard, which makes these protocols vulnerable and much less secure than IPSec.

Appropriate Protocol Use

[Table not reproduced in the transcript; an X marked each feature a protocol supports.]

Tunneling Protocols – PPTP
  • PPTP is built on top of PPP and TCP/IP.
  • PPTP tunneling makes use of two basic packet types: data packets and control packets.
  • PPTP is a Layer 2 protocol that encapsulates PPP frames in IP datagrams for transmission over an IP internetwork, such as the Internet.

Tunneling Protocols – PPTP
  • Control packets are used for status inquiry and signaling information and are sent over a TCP connection.
  • The data portion is sent as PPP encapsulated in the Generic Routing Encapsulation (GRE) v2 protocol.
  • GRE allows encapsulation of arbitrary data packets within an arbitrary transport protocol.
    • Such as IPX, NetBEUI, TCP.

Tunneling Protocols – PPTP (Contd.)
The PPTP Standard (diagram): Media Header | IP Header | GRE Header | PPP Header | User Data

What is GRE? (diagram): Delivery Protocol | GRE Header | Payload Protocol | Information (x octets)
PPTP Security
  • PPTP security has been enhanced through RAS (Remote Access Server) support for MS-CHAP and RSA RC4 encryption.
  • PPTP itself does not include any encryption or authentication mechanisms.
  • There is no packet authentication, and in general it is much weaker than IPSec and thus much more susceptible to attack.

Tunneling Protocols – L2TP
  • L2TP is a standards-based combination of two proprietary Layer 2 tunneling approaches.
  • It combines the best parts of Microsoft's PPTP and Cisco's L2F.
  • The main difference between L2TP and PPTP is that L2TP combines the data and control channels and runs over UDP rather than TCP.
    • More firewall-friendly than PPTP, since UDP is faster and the two channels are combined.

Tunneling Protocols – L2TP
    • A crucial advantage in extranet VPN applications.
  • L2TP supports non-Internet-based VPNs, including frame relay, ATM and SONET.
  • In L2TP, the PPP connection is tunneled over IP between a LAC-LNS pair.
    • LAC: L2TP Access Concentrator.
    • LNS: L2TP Network Server.

L2TP Encapsulation
The L2TP Standard (diagram): Media Header | IP Header | UDP Header | L2TP Header | PPP Header | User Data
L2TP Security
  • L2TP does not intrinsically include encryption support.
  • However, the security functions of IPSec can be used to secure the L2TP tunnel.
  • L2TP is the more suitable choice for multiprotocol support and remote access VPNs.

Tunneling Protocols - IPSec
  • IPSec is an open-standard Layer 3 security protocol that protects IP datagrams.
  • IPSec has many components (including some still in development), but they boil down to two main functions: authentication and encryption.
  • It provides a robust, extensible mechanism for securing IP and upper-layer protocols such as UDP and TCP.

Tunneling Protocols – IPSec (Contd.)
  • It protects IP datagrams by specifying which traffic to protect, how that traffic is protected, and to whom it is sent.
  • IPSec can protect IP datagrams between hosts, between network security gateways (firewalls, routers), and between hosts and security gateways.

IPSec security features
  • Data origin authentication: Ensures that the received data is the same as the sent data and that the recipient knows who sent it.
  • Data integrity: Ensures that data is transmitted without alteration.
  • Replay protection: Offers partial sequence integrity.
  • Data confidentiality: Ensures that no one else can read the sent data, achieved with encryption algorithms.

IPSec Components
  • IPSec provides the following components:
    • Encapsulating Security Payload (ESP): Provides data origin authentication, replay protection, data integrity and data confidentiality.
    • Authentication Header (AH): Provides data origin authentication, replay protection and data integrity.
    • Internet Key Exchange (IKE): Provides key management and security association (SA) management.

Encapsulating Security Payload (ESP)
  • ESP provides authentication, integrity and confidentiality, which protect against data tampering and protect the message contents.
    • IPSec provides an open framework for standard algorithms such as MD5 and SHA.
  • ESP also provides the encryption services in IPSec.
    • Encryption/decryption allows only the sender and the authorized receiver to read the data.

Encapsulating Security Payload (ESP) Contd.
  • ESP also has an option called ESP authentication.
    • It provides authentication and integrity for the IP payload, not for the IP header.
  • The ESP header is inserted into the packet between the IP header and any subsequent packet contents.
  • ESP does not encrypt the ESP header or the ESP authentication data.

ESP format
ESP format (diagram)

Original Packet: IP Header | TCP | Data
Packet with ESP: IP Header | ESP Header | TCP | Data | ESP Trailer | ESP Authentication
  Encrypted: TCP through ESP Trailer
  Authenticated: ESP Header through ESP Trailer
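Added example (not part of the original slides): the ESP layout above built and parsed in Python, serving both the Data Authentication slide (a keyed hash appended by the sender and recomputed by the receiver) and the ESP format and replay protection slides. Encryption is ESP-NULL (RFC 2410), so the payload and trailer stay readable and the layout can be inspected; with a real cipher, everything from the payload through the next-header byte would be ciphertext. Integrity is HMAC-SHA1-96 (RFC 2404) over the ESP header, payload and trailer, which is why the header is authenticated but not encrypted. The anti-replay check is the sliding window from RFC 4303 section 3.4.3. The key, SPI and payload are constructed; `build_esp`, `parse_esp` and `ReplayWindow` are names chosen for this example.

```python
import hmac
import hashlib
import struct

AUTH_KEY = b"constructed-esp-integrity-key"   # a real SA gets its keys from IKE
ICV_LEN = 12                                  # HMAC-SHA1-96: 20-byte tag truncated to 96 bits
NEXT_HEADER_TCP = 6
ESP_HEADER = struct.Struct("!II")             # SPI, sequence number


def build_esp(spi: int, seq: int, payload: bytes, next_header: int, key: bytes) -> bytes:
    """[SPI][Seq][payload][padding][pad len][next hdr][ICV]; the trailer is padded
    so that the pad-len/next-header pair ends on a 4-byte boundary."""
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))    # default monotonic padding bytes (RFC 4303)
    body = ESP_HEADER.pack(spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]   # covers header + payload + trailer
    return body + icv


def parse_esp(packet: bytes, key: bytes):
    """Verify the ICV first, then strip the trailer. Returns (spi, seq, next_header, payload)."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ESP ICV mismatch: packet altered or wrong key")
    spi, seq = ESP_HEADER.unpack_from(body)
    pad_len, next_header = body[-2], body[-1]
    payload = body[ESP_HEADER.size:len(body) - 2 - pad_len]
    return spi, seq, next_header, payload


class ReplayWindow:
    """Receiver-side sliding window: accept each sequence number at most once and
    drop anything older than the window (RFC 4303 section 3.4.3)."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                             # 0 is never a valid sequence number
            return False
        if seq > self.top:                       # new high-water mark: slide the window
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        if seq <= self.top - self.size:          # older than the window: drop
            return False
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:                    # already seen: replay
            return False
        self.bitmap |= bit
        return True


def demo():
    """Round trip, a replayed packet, and a packet with one payload bit flipped."""
    window = ReplayWindow()
    pkt = build_esp(0x1000, 1, b"constructed TCP segment", NEXT_HEADER_TCP, AUTH_KEY)
    _, seq, _, payload = parse_esp(pkt, AUTH_KEY)
    first_accepted = window.check_and_update(seq)
    replay_accepted = window.check_and_update(seq)
    tampered = bytearray(pkt)
    tampered[ESP_HEADER.size] ^= 0x01            # first payload byte
    try:
        parse_esp(bytes(tampered), AUTH_KEY)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return payload, first_accepted, replay_accepted, tamper_detected
```

The order of checks on the receiver is deliberate: the ICV is verified before the sequence number is consulted, so a forged packet cannot disturb the replay window.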
Authentication Header (AH)
  • AH provides authentication and integrity, which protect against data tampering, using the same algorithms as ESP.
  • One drawback of AH is that it does not protect the data's confidentiality.
    • If data is intercepted and only AH is used, the message contents can be read.
  • For added protection in certain cases, both AH and ESP can be used.

Authentication Header (AH) Contd.
  • The two protocols can be used alone or combined, depending on the type of application and the security needed.
  • One subtle difference, explaining why AH is preferred over ESP, is the scope of authentication coverage.
    • AH authentication covers the IP header information, while ESP authentication does not.
  • The authentication header is inserted between the IP header and any subsequent packet contents.
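Added example (not part of the original slides): what "AH covers the IP header" means in practice. The ICV is an HMAC-SHA1-96 over the IP header with its mutable fields (TOS, flags/fragment offset, TTL, header checksum) zeroed, the AH header with the ICV field zeroed, and the payload, as RFC 4302 section 3.3.3.1 specifies. The example shows that a router decrementing TTL leaves the packet valid, while rewriting the destination address (what a NAT device does, which is why the later slide notes the combination will not pass through NAT) breaks verification. The IPv4 header bytes, key and payload are constructed; `protect` and `verify` are names chosen for this example.

```python
import hmac
import hashlib
import struct

AUTH_KEY = b"constructed-ah-key"
ICV_LEN = 12                      # HMAC-SHA1-96

# Constructed IPv4 header: 10.1.1.10 -> 10.2.2.20, protocol 51 (AH), TTL 64. The header
# checksum is left zero; AH zeroes it before hashing anyway, since every hop recomputes it.
IP_HEADER = bytes.fromhex("4500004000004000403300000a01010a0a020214")


def zero_mutable_fields(ip_header: bytes) -> bytes:
    """Fields that legitimately change in transit are excluded from the ICV."""
    h = bytearray(ip_header)
    h[1] = 0                  # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def ah_header(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Next Header | Payload Len (32-bit words minus 2) | Reserved | SPI | Seq | ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def ah_icv(ip_header: bytes, next_header: int, spi: int, seq: int, payload: bytes, key: bytes) -> bytes:
    """ICV over immutable IP header fields + AH header (ICV zeroed) + upper-layer payload."""
    covered = zero_mutable_fields(ip_header) + ah_header(next_header, spi, seq, bytes(ICV_LEN)) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def protect(ip_header: bytes, payload: bytes, next_header: int, spi: int, seq: int, key: bytes) -> bytes:
    """Sender: insert AH between the IP header and the original upper-layer data."""
    icv = ah_icv(ip_header, next_header, spi, seq, payload, key)
    return ip_header + ah_header(next_header, spi, seq, icv) + payload


def verify(packet: bytes, key: bytes) -> bool:
    """Receiver: recompute the ICV from the received packet and compare in constant time."""
    ip_header, rest = packet[:20], packet[20:]
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (payload_len + 2) * 4
    icv, payload = rest[12:ah_len], rest[ah_len:]
    expected = ah_icv(ip_header, next_header, spi, seq, payload, key)
    return hmac.compare_digest(expected, icv)


def demo():
    """Returns (original valid, TTL-decremented valid, destination-rewritten valid)."""
    payload = b"constructed TCP segment"
    pkt = protect(IP_HEADER, payload, 6, 0x2000, 1, AUTH_KEY)
    ttl_changed = bytearray(pkt)
    ttl_changed[8] -= 1             # a router hop: expected, must still verify
    dst_changed = bytearray(pkt)
    dst_changed[19] ^= 0x01         # destination address rewritten: must fail
    return verify(pkt, AUTH_KEY), verify(bytes(ttl_changed), AUTH_KEY), verify(bytes(dst_changed), AUTH_KEY)
```

ESP's optional authentication, by contrast, starts at the ESP header, so the same address rewrite would go unnoticed by ESP; that is the coverage difference the slide refers to.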

AH format
AH format (diagram)

Original Packet: IP Header | TCP | Data
Packet with IPSec AH: IP Header | AH | TCP | Data
  Authenticated: IP Header through Data
IPSec Modes
  • There are two modes of IPSec: transport mode and tunnel mode.
  • Transport mode protects upper-layer protocols.
  • Tunnel mode protects entire IP datagrams.
  • In transport mode, the IPSec header is inserted between the IP header and the upper-layer protocol header.

IPSec Modes (Contd.)
  • In tunnel mode, the entire IP packet to be protected is encapsulated in another IP datagram, and the IPSec header is inserted between the outer and inner IP headers.
  • Both AH and ESP can operate in either tunnel mode or transport mode.
  • The next four slides show the two modes of IPSec and their implementations under ESP and AH.

IPSec Modes (Contd.)
[Diagram: Two Modes of IPSec. Labels: Source A, Destination B, Internet, Security Gateway 1, Security Gateway 2, Tunnel Mode, Transport Mode.]
ESP Transport Mode
IPSec ESP Transport Mode (diagram)

Original Packet: Original IP Header | TCP | Data
Transport Mode Packet: Std. IP Header | ESP Header | TCP | Data | ESP Trailer | Optional ESP Authentication
  1 - Authenticated: ESP Header through ESP Trailer
  2 - Encrypted: TCP, Data and ESP Trailer

ESP Header: Security Parameter Index (SPI), Sequence Number
Payload (variable size): TCP & data
ESP Trailer: Padding, Pad Len, Next Hdr
Authentication data
ESP Tunnel Mode
IPSec ESP Tunnel Mode (diagram)

Original Packet: Original IP Header | TCP | Data
Tunnel Mode Packet: New IP Header | ESP Header | Original IP Header | TCP | Data | ESP Trailer | Optional ESP Authentication
  1 - Authenticated: ESP Header through ESP Trailer
  2 - Encrypted: Original IP Header, TCP, Data and ESP Trailer

ESP Header: Security Parameter Index (SPI), Sequence Number
Payload (variable size): IP Hdr, TCP & data
ESP Trailer: Padding, Pad Len, Next Hdr
Authentication data
AH Transport/Tunnel Mode
AH Transport/Tunnel Mode (diagram)

Original Packet: Orig IP Header | TCP | Data
Transport Mode Packet: Orig IP Header | AH | TCP | Data
Tunnel Mode Packet: New IP Header | AH | Orig IP Header | TCP | Data

AH fields: Next Header, Payload Len, Reserved, Security Parameter Index (SPI), Sequence Number, Authentication Data
Identity and IPSec Access Control
  • In LAN-to-LAN and remote access VPNs it is important that devices are identified in a secure and manageable way.
  • In a remote access VPN, device authentication as well as user authentication takes place.
  • Device authentication uses either a pre-shared key or a digital certificate to establish the identity of the device.
    • Pre-shared key management is done through the Internet Key Exchange (IKE) protocol.

IPSec Security association
  • IPSec introduces the concept of the Security Association (SA).
  • An SA is a logical connection between two devices transferring data.
  • An SA provides data protection for unidirectional traffic using the defined IPSec protocols.

IPSec Security association (Contd.)
  • An IPSec tunnel typically consists of two unidirectional SAs, which together provide a protected full-duplex data channel.
  • SAs allow an enterprise to control exactly which resources may communicate securely, according to its security policy.
  • An enterprise can set up multiple SAs to run multiple secure VPNs for different departments and different business partners.

IPSec Security association (Contd.)
  • An SA can be constructed manually or dynamically via IKE.
  • When created dynamically, an SA has a lifetime associated with it, negotiated between the IPSec peers by the key management protocol.
  • The IPSec SA specifies:
    • The mode and keys for the AH authentication algorithm.
    • The mode and keys for the ESP encryption algorithm.

IPSec Security association (Contd.)
  • The protocol, algorithm and key used to authenticate VPN communication.
  • The protocol, algorithm and key used to encrypt VPN communication.
  • The presence and size of any cryptographic synchronization value to be used.
  • The change interval of the keys.
  • The time to live of the keys.
  • The time to live of the SA itself.
  • The SA source address.

IPSec Architecture
[Diagram: IPSec Architecture. Components: AH Protocol, ESP Protocol, Authentication Algorithm, Encryption Algorithm, Domain of Interpretation (DOI), which specifies an SA, Key Management.]
Internet Key Exchange (IKE)
  • IKE establishes shared security parameters and authentication keys between the IPSec peers, including all the information in the SA.
  • It operates under the framework defined by ISAKMP (Internet Security Association and Key Management Protocol).
  • IKE has two phases, phase one and phase two.
  • Phase one:
    • Is designed to exchange a "master secret". Its cryptographic operations are very processor-intensive.
    • The master secret is used to derive keys.

IKE (Contd.)
    • Phase one does not establish any of the SAs or keys used to protect user data.
    • Phase one operations are performed infrequently, and a single phase one negotiation can support many phase two exchanges.
  • Phase two:
    • Phase two exchanges negotiate the SAs and the encryption keys that will be used to protect user data.
    • Phase two negotiations occur more frequently than phase one negotiations, typically every few minutes, so that hackers do not have time to break the encryption keys.
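Added example (not part of the original slides): the two-phase split in miniature. Phase one does the expensive work, a Diffie-Hellman exponentiation in the 1024-bit MODP group (Oakley group 2 from RFC 2409, transcribed here; check it against the RFC before reusing it), and turns the shared secret into a master secret with a PRF keyed by both nonces, as RFC 2409 does for signature-authenticated mode. Phase two is then only HMAC work: each new pair of nonces yields fresh per-SA keys without repeating the exponentiation, which is what makes re-keying every few minutes affordable. Nonces, SPI and function names are constructed for this example; real IKE adds message formats, authentication of the exchange and, optionally, a fresh DH exchange in phase two for perfect forward secrecy, none of which is modelled here.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP prime (Oakley group 2, RFC 2409 section 6.2), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def phase1_keypair():
    """Phase 1, the costly step: one modular exponentiation on a 1024-bit group."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def phase1_master_secret(my_private: int, peer_public: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """SKEYID-style master secret: PRF keyed by both nonces over the DH shared secret.
    (Pre-shared-key mode keys the PRF with the PSK instead; not modelled here.)"""
    shared = pow(peer_public, my_private, P).to_bytes(128, "big")
    return hmac.new(nonce_i + nonce_r, shared, hashlib.sha256).digest()


def phase2_keymat(master_secret: bytes, spi: int, nonce_i: bytes, nonce_r: bytes, length: int = 32) -> bytes:
    """Phase 2: cheap HMAC expansion of the master secret into per-SA key material.
    Fresh nonces give fresh keys; no exponentiation is repeated (so no PFS)."""
    out, block, counter = b"", b"", 0
    while len(out) < length:
        counter += 1
        seed = block + spi.to_bytes(4, "big") + nonce_i + nonce_r + bytes([counter])
        block = hmac.new(master_secret, seed, hashlib.sha256).digest()
        out += block
    return out[:length]


def demo():
    """Both peers run phase 1 once, then derive two successive phase 2 SAs.
    Returns (phase 1 agreed, first SA keys agree, re-keyed SA differs from first)."""
    xi, pub_i = phase1_keypair()                  # initiator
    xr, pub_r = phase1_keypair()                  # responder
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    sk_i = phase1_master_secret(xi, pub_r, ni, nr)
    sk_r = phase1_master_secret(xr, pub_i, ni, nr)
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    sa1_i = phase2_keymat(sk_i, 0x1000, ni2, nr2)
    sa1_r = phase2_keymat(sk_r, 0x1000, ni2, nr2)
    ni3, nr3 = secrets.token_bytes(16), secrets.token_bytes(16)   # re-key a few minutes later
    sa2_i = phase2_keymat(sk_i, 0x1000, ni3, nr3)
    return sk_i == sk_r, sa1_i == sa1_r, sa1_i != sa2_i
```

Timing the two halves on any machine makes the slide's point concrete: `phase1_keypair` dominates, while `phase2_keymat` costs a handful of hash operations.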

Two phase of IKE
[Diagram: Two Phases of IKE between two IPSec nodes. Phase 1: establishing a secure channel (IKE SA). Phase 2: negotiate general-purpose SAs.]
L2TP with IPSec (Transport Mode)
  • Integrating L2TP with IPSec allows L2TP to be used as the tunneling protocol while the data is secured with IPSec.
  • Using L2TP gives increased manageability, with user authentication for client-to-LAN connections and multiprotocol support.
  • Interoperability between vendors is better than with IPSec alone.
  • One drawback is that it will not pass through NAT.

Authentication within IPSec
  • In a small fixed VPN, IPSec authentication can rely on shared secrets.
  • The devices are configured with shared secret data on which the data encryption is based.
  • This form of authentication is practical only for small VPNs with few links between nodes.
  • To ensure scalability and the best possible security, the VPN solution can be integrated with a Certificate Authority (CA) in a Public Key Infrastructure (PKI).

Authentication within IPSec (Contd.)
  • PKI provides a standard, secure and scalable means of verifying user and system identities on a network.
  • The CA is responsible for issuing and maintaining digital certificates for VPN users as well as for the VPN devices themselves.
  • With a CA, scaling a PKI-based VPN is much easier, because each new user or device simply receives a new certificate.
  • Keys can be easily managed, updated and backed up from a central location.

User/Device Authentication with Digital Certificates
  • A digital certificate contains:
    • Serial number of the certificate
    • Issuer algorithm information
    • Valid to/from date
    • User public key information
    • Signature of issuing authority (CA)

Example certificate (from the slide):
  • Serial number: 0000123
  • Issuer algorithm information: SHA, DH, 3837829 …
  • Valid from/to: 1/1/93 to 12/31/98
  • User public key information: Alice Smith, Acme Corp; DH, 3813710 ...
  • Issuing authority and signature: Acme Corporation, Security Dept.; SHA, DH, 2393702347 ...

Authenticating IPSec VPN with RADIUS
  • IPSec as proposed does not include user authentication.
    • Many vendors include the RADIUS (Remote Authentication Dial-In User Service) authentication mechanism in their VPN products.
  • RADIUS coordinates authentication and authorization information between a network access server (the VPN switch) and a central authentication and authorization server (the RADIUS server).

VPN Implementation alternatives
  • There are many VPN solutions available; they cover a range of price/performance, capacity, and installation and configuration complexity.
  • They can be divided into the following four categories:
    • Traditional or legacy VPN products.
    • Outsourced VPNs.
    • Low-end VPN/firewall products.
    • Point-and-click VPN services.

Implementation alternatives- Traditional or legacy VPNs
  • Traditional or legacy VPN products:
    • Most first-generation VPN products fall into this category.
    • The VPN function is typically an add-on to a router, a LAN switch or a firewall.
      • This often requires a hardware upgrade to support it.
    • Optimized for large businesses.
    • The legacy category also includes PC-based software solutions targeted at smaller users.
    • These VPN solutions need significant expertise to design, install, operate and support.

Implementation alternatives- Outsourced VPNs
  • Outsourced VPNs: There are two subcategories.

a) VPN service from an ISP or NSP:

    • With a managed service, a complete solution from installation to technical support is provided.
    • The important issue here is the availability of the managed service in all geographic locations where the customer wants to deploy the VPN.

Implementation alternatives- Outsourced VPNs (Contd.)

b) Managed VPN Service from a Reseller/Solution Provider:

  • Solution providers package services from multiple service providers to provide a solution covering all geographic regions.
  • Cost, availability and technical support are the issues here.
  • More flexible than an ISP/NSP solution.

Implementation Alternatives – Low End VPNs/Firewall appliances
  • Low-end firewall/VPN devices:
    • These are designed for small to medium-sized enterprises and are purpose-built (dedicated to the VPN gateway function).
    • They may use PC processors or specialized processors.
    • They may include co-processors for offloading the encryption function to a separate chip.
    • These appliances may include additional functions, such as a firewall, which increases their complexity.
    • Simpler than router- or firewall-based VPNs, hence generally less prone to problems and easier to diagnose.

SCU - Lilish M Saki - Winter 2002

Implementation Alternatives – Point and Click Services
  • Point and click services:
    • This solution is independent of the ISP and allows customers to use their existing hardware.
    • The key feature of this solution is that the customer does not have to get involved in designing, configuring and supporting the VPN.
    • The customer logs onto the service provider's web site and registers key information about each site that is to be part of the VPN (such as site name and IP address).
    • The solution provider's NOC then automatically creates the appropriate VPN configurations based on the user-provided information, configures the user's VPN gateways and monitors them.

VPN – Future Challenges
  • Quality of Service (QoS) will become the next goal for VPNs.
  • The Internet is an inherently "best effort" delivery system. While powerful for connectivity, it lacks the consistent and assured performance required for the effective delivery of business applications.
  • The biggest drawback of traditional QoS is its inability to prioritize encrypted packets, making it virtually unusable in VPN environments.

VPN – Future Challenges
  • Traditional QoS relies on individual IP packet fields to differentiate and prioritize packets.
  • IPSec and other encryption technologies protect data by making most of the IP packet fields unreadable.
  • Encryption leaves only three fields available for packet differentiation: IP source address, IP destination address and protocol.

VPN – Future Challenges (Contd.)
  • Differentiating on the basis of source IP address and destination IP address is not a viable solution.
    • The source IP address can dynamically be different each time.
    • The destination IP address can be just the VPN gateway.
  • VPN deployments require a new approach to QoS that overcomes the above problem.

Limitations of Traditional QoS Devices for VPNs

[Figure: limitations of traditional QoS devices for VPNs]

Future Challenges – QoS for VPN
  • Some approaches have been proposed by vendors such as Cisco and, more recently, Centrisoft Corporation.
  • These efforts aim at controlling traffic at the application level prior to IPSec packet encryption, to avoid the issue of having to prioritize encrypted packets.
  • Centerwise implements QoS via a distributed architecture that provides control at the source of the traffic: the user desktop.

Future Challenges – QoS for VPN

[Figure: Centrisoft approach]

Future Challenges (Contd.)
  • Instead of looking at individual packets, it attempts to control the flow of applications at the desktop, where the traffic originates.
  • Cisco proposes a QoS solution for VPNs based on packet classification before encryption.
  • Once packets are classified, the next step is to "mark" or "color" them with a unique identification to ensure that this classification is respected end to end.
  • This can be done via the IP ToS field in the header of an IP datagram.
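The two slides above (the three header fields that survive encryption, and classify-then-mark before encryption) as an added worked example; this is illustration code written for this transcript, not code from the presentation, Cisco or Centrisoft. The packets, addresses, port-to-class mapping and the ESP "encryption" are all constructed: the wrapper only makes the inner header opaque to the classifier and is not real cryptography.

```python
"""Toy model of per-packet QoS classification before and after IPsec ESP
tunnel-mode encapsulation.

Added example for the transcript, not the presentation's own code. All
flows, addresses and the port-to-DSCP policy below are constructed, and the
"ciphertext" is a byte XOR stand-in, not real encryption.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50  # ESP is protocol 50 (RFC 2406)
DSCP_EF, DSCP_AF21, DSCP_BE = 0x2E, 0x12, 0x00     # standard DSCP code points


@dataclass
class Packet:
    """The fields a QoS device normally reads from IP and transport headers."""
    src: str
    dst: str
    proto: int
    tos: int                 # IP ToS byte, carries the DSCP mark
    dport: Optional[int]     # transport destination port, None if unreadable
    payload: bytes = b""


def readable_fields(pkt: Packet) -> dict:
    """What a device in the path can classify on; after ESP only the outer
    IP header is left, so the transport port disappears."""
    fields = {"src": pkt.src, "dst": pkt.dst, "proto": pkt.proto, "tos": pkt.tos}
    if pkt.dport is not None:
        fields["dport"] = pkt.dport
    return fields


def classify(pkt: Packet) -> int:
    """Traditional classifier: priority from protocol and destination port
    (constructed policy: RTP-style UDP range = voice, a few TCP ports = ERP)."""
    if pkt.proto == IPPROTO_UDP and pkt.dport is not None and 16384 <= pkt.dport <= 32767:
        return DSCP_EF
    if pkt.proto == IPPROTO_TCP and pkt.dport in (443, 1521):
        return DSCP_AF21
    return DSCP_BE


def esp_tunnel_encapsulate(inner: Packet, gw_src: str, gw_dst: str,
                           spi: int, copy_tos: bool) -> Packet:
    """Wrap `inner` in an outer IP header plus ESP header (tunnel mode).

    The inner IP and transport headers become opaque payload, so only the
    outer source, destination, protocol (50) and ToS byte stay readable.
    With copy_tos the gateway copies the inner ToS byte into the outer header.
    """
    inner_bytes = struct.pack("!4s4sBBH",
                              socket.inet_aton(inner.src), socket.inet_aton(inner.dst),
                              inner.proto, inner.tos, inner.dport or 0) + inner.payload
    esp_header = struct.pack("!II", spi, 1)                 # SPI, sequence number
    opaque = esp_header + bytes(b ^ 0x5A for b in inner_bytes)  # stand-in for ciphertext
    return Packet(src=gw_src, dst=gw_dst, proto=IPPROTO_ESP,
                  tos=inner.tos if copy_tos else DSCP_BE, dport=None, payload=opaque)


def downstream_classify(pkt: Packet) -> int:
    """QoS device between the two gateways: honour an existing DSCP mark,
    otherwise fall back to traditional port-based classification."""
    return pkt.tos if pkt.tos != DSCP_BE else classify(pkt)


# Constructed sample flows leaving a branch office toward the VPN gateway.
FLOWS = {
    "voice":  Packet("10.1.0.11", "10.2.0.50", IPPROTO_UDP, DSCP_BE, 20000, b"rtp"),
    "erp":    Packet("10.1.0.12", "10.2.0.60", IPPROTO_TCP, DSCP_BE, 1521, b"sql"),
    "browse": Packet("10.1.0.13", "10.2.0.70", IPPROTO_TCP, DSCP_BE, 80, b"http"),
}


def downstream_dscp(pre_mark: bool) -> dict:
    """DSCP that a QoS device sitting between the gateways assigns per flow.

    pre_mark=False: classify only after encryption (traditional QoS).
    pre_mark=True:  classify and mark the ToS byte before encryption and copy
                    it to the outer header, so the mark survives end to end.
    """
    result = {}
    for name, pkt in FLOWS.items():
        if pre_mark:
            pkt = Packet(pkt.src, pkt.dst, pkt.proto, classify(pkt), pkt.dport, pkt.payload)
        outer = esp_tunnel_encapsulate(pkt, "203.0.113.1", "198.51.100.1",
                                       spi=0x1000, copy_tos=pre_mark)
        result[name] = downstream_classify(outer)  # only the outer header is visible
    return result


if __name__ == "__main__":
    print("traditional QoS after ESP:", downstream_dscp(pre_mark=False))
    print("mark before ESP, copy ToS: ", downstream_dscp(pre_mark=True))
```

Without pre-marking every flow collapses to best effort, because the device in the middle sees the same gateway source and destination and protocol 50 for all of them; with pre-marking the voice and ERP flows keep their classes. Copying the ToS byte outward does reveal the traffic class of the protected packets to anyone on the path, which the IPsec architecture documents as a traffic-analysis trade-off of the approach.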

Future Challenges (Contd.)
  • QoS is still not fully implemented for IP and work is still going on. QoS for VPNs will be one of the key requirements, and development to support it fully is still in progress.
  • The need for traffic classification, policing/shaping, bandwidth allocation and congestion avoidance are all related to QoS.
  • Other challenges include the security of VPNs: although many secure mechanisms are available, properly applying and managing them is a must.

Future Challenges (Contd.)
  • An emerging technology is Virtual Private Routing Services (VPRS), which promises to greatly benefit customers since it will provide bridging and routing capabilities, VLANs, directory services and bandwidth-critical applications.
  • Focus will fall more and more on delivering quality of service (QoS) and class of service (CoS) over IP networks as part of a VPN.
  • As voice and data services merge into one (voice over IP, IP fax), new network services are being developed to offer the QoS/CoS required for data, telephony and fax.

Conclusion
  • Different VPN protocols have their own advantages and disadvantages.
  • Of all the VPN protocols, IPSec provides the strongest security and is best suited to any gateway-to-gateway scenario. However, IPSec does not provide user authentication or multiprotocol support.
    • The IETF IPSec Remote Access working group (IPSRA) is working to make IPSec interoperable with legacy devices and to broaden its support in general.

Conclusion
  • PPTP and L2TP provide multiprotocol support and user authentication, but their security is weaker than IPSec's and they lack machine authentication.
  • Until all the problems of a common solution are ironed out, no single protocol can fulfill every customer's requirements.
  • VPN technology will continue to evolve and benefit us in the coming years. With future support for QoS/CoS and integration with other technologies such as VoIP and multimedia, the true potential of VPN capabilities will be realized.

References
  • RFC 2401, "Security Architecture for the Internet Protocol."
  • RFC 2402, "IP Authentication Header."
  • RFC 2406, "IP Encapsulating Security Payload."
  • RFC 2409, "The Internet Key Exchange (IKE)."
  • RFC 2411, "IP Security Document Roadmap."
  • www.enterasys.com, white paper: "Virtual Private Networks: A Technology Overview."
  • www.cisco.com, white paper: "SAFE VPN: An IPSec Virtual Private Network in Depth."
  • www.networkcomputing.com, "Authenticating VPNs with RADIUS."
  • www.centricitysoftware.com, white paper: "A QoS Breakthrough for VPN."
  • www.techguide.com, technology guide: "A Practical Guide to the Right VPN Solution."
  • www.cid.alcatel.com, white paper: "PKI and VPN: Enabling Security in an Increasingly Networked World."
  • www.smartpipes.com, white paper: "IPSec-based VPNs."
  • www.3com.com, "Virtual Private Networks: Internet-based VPNs."
  • www.getesuite.com, "VPN Tunneling Basics."
  • www.cisco.com, white paper: "Quality of Service for Virtual Private Networks."