Chapter 19: VPN and NAT
Nelson Azadian, Victor Seletskiy, Pavel Dikhtyar
VPN Overview:
- Why we need Virtual Private Networks
- What a Virtual Private Network consists of
- What a Virtual Private Network does
- How a Virtual Private Network does what it does
- Pros and cons of VPNs
Leased lines are connection-based (rather than packet-switched) lines that a phone company or Internet service provider leases to an individual or corporation.
Because they are connection-based, leased lines are guaranteed to remain private.
Unfortunately, leased lines are expensive and, for many companies, out of budget.
What Will Work
Shift - 3 Cipher.
There are two common VPN implementations:
Tunneling requires three different protocols:
IPsec = AH + ESP + IPcomp + IKE
Provides message integrity and privacy using DES or AES.
It also includes an anti-replay mechanism.
AH and ESP need a shared secret key between peers. IKE defines an automatic means of negotiating and authenticating security associations (SAs). Security associations are the security policies defined for communication between two or more entities.
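The anti-replay mechanism mentioned above is a sliding window over the AH/ESP sequence number (RFC 4303, section 3.4.3): the receiver tracks the highest sequence number accepted and a bitmap of which recent numbers have already arrived. The following is an added illustration, not code from the slides; the window size of 8 and the arrival order are constructed for the demo (real implementations use a window of at least 32, typically 64 or more).

```python
class AntiReplayWindow:
    """Sliding-window replay check as done by an IPsec AH/ESP receiver."""

    def __init__(self, size=64):
        self.size = size        # window width in sequence numbers
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => (highest - i) already received

    def check_and_update(self, seq):
        """Return True if seq is fresh (and record it); False if it is a
        replay or has fallen off the left edge of the window."""
        if seq == 0:
            return False        # sender starts at 1; 0 is never valid
        if seq > self.highest:
            # New high-water mark: slide the window right by the gap.
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1 # gap larger than the window: everything old is dropped
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False        # too old to track: reject
        if (self.bitmap >> diff) & 1:
            return False        # already seen inside the window: replay
        self.bitmap |= 1 << diff
        return True             # late but unseen: accept once


def demo():
    """Constructed arrival order showing out-of-order delivery being
    tolerated while duplicates and stale packets are rejected."""
    window = AntiReplayWindow(size=8)
    arrivals = (1, 2, 5, 3, 3, 2, 20, 12, 13, 13, 1)
    return [window.check_and_update(s) for s in arrivals]
```

In the demo, 3 arriving after 5 is accepted (reordering), the second 3 and the repeated 2 are rejected as replays, and after 20 moves the window to 13..20, 12 is rejected as too old.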
Question: What does the client need to have?
Compared to IPSec, SSL is an application-level transport protocol that transmits data over a standard TCP port (typically TCP port 443). IPSec provides application-transparent protection of layer 3 (IP) traffic, whereas SSL was designed to encrypt application traffic.
Only designated people/computers are allowed access by IPSec, while SSL allows access from everywhere (e.g. Internet kiosks), where information can be left behind (intentionally or unintentionally).
IPSec requires client software, while SSL needs only a standard web browser.
First of all, SSL VPNs provide tunnels to specific applications rather than to the entire corporate LAN, so users on SSL VPN connections can only access the applications they are configured to access rather than the whole network. Second, it is easier to give different access rights to different users and to have more granular control over user access.
IPSec connectivity can be adversely affected by firewalls or other devices between the client and the gateway (e.g. firewall or NAT devices), while SSL operates transparently across NAT, proxies, and most firewalls (most firewalls allow SSL traffic).
SSL provides limited control over information access and client environment; good for accessing less-sensitive information
A VPN must protect internal information and prevent any direct connection between a trusted server or client and an untrusted host. This improves security because, without knowing the true IP address of a host, it is harder for an intruder to attack that machine.
SSL, IPSec and other VPNs use two general communication schemes to ensure private network security:
The application gateway acts as an intermediary between the two endpoints. When a client issues a request from the untrusted network, a connection is established with the application gateway. The proxy determines if the request is valid and then sends a new request on behalf of the client to the destination. By using this method, a direct connection is never made from the trusted network to the untrusted network and the request appears to have originated from the application gateway.