Presentation Transcript
Overview
  • VPN
  • VPN requirements
  • Encryption
  • VPN-Types
  • Protocols
  • VPN and Firewalls

Computer Net Lab/Praktikum Datenverarbeitung 2

VPN - Definition
  • VPNs (Virtual Private Networks) allow secure data transmission over insecure connections.
  • VPNs connect computers and/or networks (at various locations) into a common network by use of public communication infrastructure.

VPN Scheme
[Diagram: two LANs, each with a Client, connected across the Internet by a VPN-Tunnel between two VPN endpoints.]

VPN - Terms
  • Virtual: because a public communication infrastructure is used, there is no permanent physical connection but a logical one. Only when there is data to transmit is bandwidth occupied, and the data is forwarded according to the routing information.
  • Private: only valid users should have access to the network and to the data. Additionally, all data has to be transmitted confidentially.

VPN requirements
  • Data security must ensure
    • Confidentiality
    • Integrity
    • Authentication
  • Quality of Service
    • Guarantees availability of connectivity
    • Support of all applications
  • Additional requirements
    • Reasonable administration effort
    • Effectiveness and extendibility

Confidentiality
  • means that no unauthorized person who gains illegal access to the data is able to read or understand it.
  • is realized by encryption. The data is encoded by an encryption algorithm and an encryption key. Only owners of the matching decryption key are able to decrypt the encoded data.

Integrity
  • means that no data has been changed or manipulated during transmission.
  • is realised by a checksum over the transferred data. Using a mathematical function, a checksum is built over the data that has to be transmitted; this checksum is unique for the data. The checksum is sent to the recipient together with the data.
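An added example (not from the slides) illustrating the point of the Integrity slide in Python: a checksum computed with a public function can be recomputed by whoever alters the data in transit, so the receiver learns nothing; a VPN therefore uses a keyed checksum (an HMAC) with a key shared by the two endpoints, which cannot be recomputed without that key. The message, the shared key and the altered field are constructed sample values.

```python
import hashlib
import hmac
import zlib

# Constructed sample values (not from the slides)
SHARED_KEY = b"demo-key-shared-by-vpn-endpoints"
ORIGINAL = b"TRANSFER 100.00 EUR TO ACCOUNT 4711"


def plain_checksum(data: bytes) -> bytes:
    """Unkeyed checksum (CRC-32): detects accidental corruption only."""
    return zlib.crc32(data).to_bytes(4, "big")


def keyed_checksum(key: bytes, data: bytes) -> bytes:
    """Keyed checksum (HMAC-SHA-256): cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def receiver_accepts_plain(message: bytes, checksum: bytes) -> bool:
    return hmac.compare_digest(plain_checksum(message), checksum)


def receiver_accepts_keyed(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(keyed_checksum(key, message), tag)


def alter_in_transit(message: bytes) -> bytes:
    """Models a modification of the amount field somewhere on the path."""
    return message.replace(b"100.00", b"999.00")


def plain_checksum_detects_change() -> bool:
    """Sender attaches a plain checksum. Whoever alters the data can simply
    recompute the checksum, so the receiver sees a 'valid' packet."""
    forged = alter_in_transit(ORIGINAL)
    forged_checksum = plain_checksum(forged)      # no secret needed
    return not receiver_accepts_plain(forged, forged_checksum)


def keyed_checksum_detects_change() -> bool:
    """Sender attaches an HMAC made with the key shared with the receiver.
    Without that key no valid tag for the altered data can be produced."""
    forged = alter_in_transit(ORIGINAL)
    forged_tag = keyed_checksum(b"wrong-key-guess", forged)
    return not receiver_accepts_keyed(SHARED_KEY, forged, forged_tag)


def genuine_message_accepted() -> bool:
    """Sanity check: an unmodified message with a correct tag passes."""
    tag = keyed_checksum(SHARED_KEY, ORIGINAL)
    return receiver_accepts_keyed(SHARED_KEY, ORIGINAL, tag)


if __name__ == "__main__":
    print("plain checksum detects modification:", plain_checksum_detects_change())
    print("keyed checksum detects modification:", keyed_checksum_detects_change())
```

The comparison uses `hmac.compare_digest` on both paths so that the only difference between the two receivers is whether a secret key enters the computation.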

Authentication
  • means that the recipient of a message is able to make sure that it came from the right person and not from someone who pretends to be the right one.
  • is realized by use of digital signatures. Digital signatures are like a "normal" signature on a document, which unambiguously identifies the author.

Symmetric Encryption
  • Each communication partner has the same key
  • N (N-1)/2 keys for N communication partners that communicate pairwise
  • High effort for key maintenance
  • Key lengths of 128 bit are said to be secure; typical values: 40, 56, 128
  • Fast method
  • DES, Triple DES, Blowfish

Asymmetric Encryption
  • Distinction between private keys (mine) and public keys (for others)
  • Communication with N participants means N public keys
  • Key length higher than for symmetric keys; typical lengths: 512, 1024, 2048
  • Slower than symmetric encryption
  • Examples: PGP, RSA

Tunnel
  • Tunneling means embedding a complete data packet (header and payload) within the payload segment of another protocol at the same protocol level. Advantage: the data can be encoded/encrypted.

Original packet: Orig IP Hdr | TCP Hdr | Data
Tunneled packet: New IP Hdr | Orig IP Hdr | TCP Hdr | Data

End-to-End Constellation
[Diagram: Computer 1 and Computer 2 connected directly across the Internet.]

End-to-Site Constellation
[Diagram: mobile computers connect via Dial-up to an ISP and across the Internet to the VPN Gateway in front of the Intranet.]

Site-to-Site Constellation
[Diagram: Intranet 1 behind VPN Gateway 1 and Intranet 2 behind VPN Gateway 2, connected across the Internet.]

VPN-Types
  • Application level (Layer 5-7): Application-Layer encryption
  • Transport/network level (Layer 3-4): Network-Layer encryption
  • Link/physical level (Layer 1-2): Link-Layer encryption

VPN and ISO/OSI Layer
  • Application: SSH, Kerberos, virus scans, content screening, IPSEC (IKE), ...
  • Transport: SSL, SOCKS V5, TLS
  • Network: IPSEC (AH, ESP), packet filtering, NAT
  • Link: tunneling protocols (L2TP, PPTP, L2F), CHAP, PAP, ...

PPTP-Protocol

Packet layout: IP Header | GRE (IP 47) Header | PPP Header | PPP Payload

  • Point-to-Point Tunneling, widespread because simple
  • Layer-2 protocol
  • Only user authentication => security = password
  • Set-up of communication:
    • PPP connection with user authentication
    • Link and control (TCP port 1723)
    • Tunnel: IP addresses of client and server => NAT and dynamic IP addresses are OK
    • Optionally encrypted with MPPE (RC4)

PPTP-Protocol 2

IPSec 1
  • Internet Protocol Security is a protocol family
  • Allows encryption and integrity check
    • integrity check: Authentication Header protocol (AH)
    • encryption: Encapsulating Security Payload protocol (ESP)
  • Open for enhancements; the encryption method is not fixed
    • Authentication: Diffie-Hellman key exchange
    • Confidentiality: Triple-DES, IDEA, Blowfish
    • Integrity by use of hash building: MD5 and SHA
  • Two modes of operation
    • Tunnel mode protects address information and payload
    • Transport mode protects only the payload

IPSec AH

AH allows only a check of integrity

Original packet: Orig IP Hdr | TCP Hdr | Data
Tunnel mode:     New IP Hdr | AH Header | Orig IP Hdr | TCP Hdr | Data
Transport mode:  Orig IP Hdr | AH Header | TCP Hdr | Data
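An added example (not from the slides) in Python that builds the packet layouts of the Tunnel slide and of this AH slide and verifies them the way a receiving gateway would, so the difference between the two modes becomes visible: in transport mode the original host addresses stay in the outer header, in tunnel mode only the gateway addresses are visible and the whole original packet is covered by the integrity check. The addresses, key, SPI and TCP segment are constructed sample values; the ICV is HMAC-SHA-256 truncated to 128 bits as in RFC 4868, and the masking of mutable IP fields is simplified to TTL and header checksum (real AH also masks DSCP/ECN, flags/fragment offset and handles options).

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Constructed sample values (not from the slides)
HOST_A, HOST_B = "192.168.1.10", "192.168.2.20"   # hosts inside the two LANs
GW_A, GW_B = "203.0.113.1", "198.51.100.1"        # the two VPN gateways
KEY = b"demo-ah-integrity-key"                    # shared integrity key
SPI = 0x1000                                      # security parameter index
PROTO_IPIP, PROTO_TCP, PROTO_AH = 4, 6, 51        # IANA protocol numbers
ICV_LEN = 16   # HMAC-SHA-256-128 (RFC 4868): HMAC-SHA-256 truncated to 128 bits
AH_FIXED = 12  # Next Header, Payload Len, Reserved, SPI, Sequence Number


def ip_checksum(hdr: bytes) -> int:
    """One's-complement checksum of an IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header without options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    _, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "total_len": total}


def ah_fixed(next_hdr: int, seq: int) -> bytes:
    # Payload Len counts 32-bit words of the whole AH minus 2: (12 + 16) / 4 - 2 = 5
    return struct.pack("!BBHII", next_hdr, (AH_FIXED + ICV_LEN) // 4 - 2, 0, SPI, seq)


def ah_icv(key: bytes, ip_hdr: bytes, ah: bytes, rest: bytes) -> bytes:
    """ICV over IP header + AH + everything after it. Mutable IP fields (here
    simplified to TTL and header checksum) and the ICV field itself are zeroed
    so that routers changing them on the way do not break the check."""
    masked = ip_hdr[:8] + b"\x00" + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:]
    return hmac.new(key, masked + ah + bytes(ICV_LEN) + rest, hashlib.sha256).digest()[:ICV_LEN]


def ah_transport(original: bytes, seq: int = 1) -> bytes:
    """Transport mode: Orig IP Hdr | AH Header | TCP Hdr | Data.
    The original addresses stay on the outside; AH sits before the payload."""
    h, rest = parse_ipv4(original), original[20:]
    ah = ah_fixed(h["proto"], seq)                    # Next Header = original protocol
    ip_hdr = ipv4_header(h["src"], h["dst"], PROTO_AH, AH_FIXED + ICV_LEN + len(rest), h["ttl"])
    return ip_hdr + ah + ah_icv(KEY, ip_hdr, ah, rest) + rest


def ah_tunnel(original: bytes, gw_src: str, gw_dst: str, seq: int = 1) -> bytes:
    """Tunnel mode: New IP Hdr | AH Header | Orig IP Hdr | TCP Hdr | Data.
    The whole original packet, addresses included, becomes the protected payload."""
    ah = ah_fixed(PROTO_IPIP, seq)                    # Next Header = IP-in-IP
    ip_hdr = ipv4_header(gw_src, gw_dst, PROTO_AH, AH_FIXED + ICV_LEN + len(original))
    return ip_hdr + ah + ah_icv(KEY, ip_hdr, ah, original) + original


def ah_verify(key: bytes, pkt: bytes) -> dict:
    """Receiver side: recompute the ICV, then strip AH. Raises on mismatch."""
    h = parse_ipv4(pkt)
    if h["proto"] != PROTO_AH:
        raise ValueError("not an AH packet")
    ah = pkt[20:20 + AH_FIXED]
    ah_total = (ah[1] + 2) * 4                        # Payload Len back to bytes
    icv, rest = pkt[20 + AH_FIXED:20 + ah_total], pkt[20 + ah_total:]
    if not hmac.compare_digest(ah_icv(key, pkt[:20], ah, rest), icv):
        raise ValueError("ICV mismatch: packet was modified in transit")
    return {"outer": h, "next_header": ah[0], "inner": rest}


def modification_detected(pkt: bytes) -> bool:
    """Flip one bit of the protected data and check that verification fails."""
    damaged = bytearray(pkt)
    damaged[-1] ^= 0x01
    try:
        ah_verify(KEY, bytes(damaged))
    except ValueError:
        return True
    return False


def demo() -> dict:
    # Constructed original packet: TCP SYN from HOST_A to HOST_B with 5 payload bytes
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0) + b"hello"
    original = ipv4_header(HOST_A, HOST_B, PROTO_TCP, len(tcp)) + tcp
    transport = ah_verify(KEY, ah_transport(original))
    tunnel = ah_verify(KEY, ah_tunnel(original, GW_A, GW_B))
    return {
        "transport_visible_src": transport["outer"]["src"],  # inner host address exposed
        "tunnel_visible_src": tunnel["outer"]["src"],        # only the gateway address
        "transport_next_header": transport["next_header"],  # 6 = TCP
        "tunnel_next_header": tunnel["next_header"],        # 4 = IP-in-IP
        "transport_payload_intact": transport["inner"] == tcp,
        "tunnel_packet_intact": tunnel["inner"] == original,
        "tamper_detected": modification_detected(ah_tunnel(original, GW_A, GW_B)),
    }
```

Running `demo()` returns the outer source address of each variant, which is the quickest way to see why the slide says tunnel mode protects address information: an observer on the Internet sees `203.0.113.1` for the tunnel packet but `192.168.1.10` for the transport packet. AH provides no confidentiality, so the payload is readable in both cases; only its modification is detected.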

IPSec ESP

ESP allows encryption

Original packet: Orig IP Hdr | TCP Hdr | Data
Tunnel mode:     New IP Hdr | ESP Hdr | Orig packet (Orig IP Hdr | TCP Hdr | Data) | ESP Trailer | ESP Auth
Transport mode:  Orig IP Hdr | ESP Hdr | TCP Hdr | Data | ESP Trailer | ESP Auth

VPN and Firewall
  • Idea of the firewall: the firewall is the only connection to the Internet. All other computers (even the VPN gateway) are located behind the firewall.
  • Problem: the firewall is not able to analyze the data because it is encrypted.

VPN behind Firewall
[Diagram: the VPN Client in the LAN (branch office) tunnels across the Internet through the Firewall to the VPN-Gateway inside the LAN (center); the decrypted data only appears behind the VPN-Gateway.]

VPN and Firewall together
[Diagram: the VPN Client in the LAN (branch office) tunnels across the Internet to a combined Firewall and VPN-Gateway in front of the LAN (center); the decrypted data is passed into the LAN.]

VPN Gateway in DMZ
[Diagram: the VPN-Gateway sits in a DMZ between an outer Firewall and an inner Firewall; the VPN client in the LAN (branch office) tunnels across the Internet to it, and the decrypted data passes the inner Firewall into the LAN (center).]

NAT
  • NAT = Network Address Translation
  • Allows, through mapping, the assignment of official IP addresses to private ones. Therefore it is possible to gain access to the Internet with private IP addresses.

Example (web browser behind NAT):
  Outbound: Sender-IP 192.168.0.10 -> NAT -> New Sender-IP 134.91.90.70
  Inbound:  Target-IP 134.91.90.70 -> NAT -> New Target-IP 192.168.0.10
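An added example (not from the slides) of the NAT mapping in Python, using the two addresses from the slide. It goes a step beyond the slide in that it models the common stateful variant with port translation: the NAT remembers each outbound flow so the reply can be rewritten back to the private host, and a packet from the Internet that matches no remembered flow is dropped. The port numbers and the web server's address are constructed sample values.

```python
from dataclasses import dataclass
from itertools import count

PUBLIC_IP = "134.91.90.70"     # official address used on the slide
PRIVATE_HOST = "192.168.0.10"  # private address used on the slide
WEB_SERVER = "198.51.100.5"    # constructed address of a server on the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Nat:
    """Stateful source NAT with port translation (NAPT, the common case):
    every outbound flow gets the one public address and a fresh public port,
    and the mapping is remembered so the reply can be rewritten back."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.table = {}    # (proto, private ip, private port) -> public port
        self.reverse = {}  # (proto, public port) -> (private ip, private port)

    def outbound(self, p: Packet) -> Packet:
        """LAN -> Internet: replace the private sender address/port."""
        key = (p.proto, p.src, p.sport)
        if key not in self.table:
            pub_port = next(self._ports)
            self.table[key] = pub_port
            self.reverse[(p.proto, pub_port)] = (p.src, p.sport)
        return Packet(self.public_ip, self.table[key], p.dst, p.dport, p.proto)

    def inbound(self, p: Packet):
        """Internet -> LAN: only replies to a known mapping are rewritten and
        forwarded; unsolicited packets have no entry and are dropped (None)."""
        if p.dst != self.public_ip:
            return None
        target = self.reverse.get((p.proto, p.dport))
        if target is None:
            return None
        return Packet(p.src, p.sport, target[0], target[1], p.proto)


def demo() -> dict:
    nat = Nat(PUBLIC_IP)
    request = Packet(PRIVATE_HOST, 51515, WEB_SERVER, 443)   # browser opens HTTPS
    on_wire = nat.outbound(request)                          # what the Internet sees
    reply = Packet(WEB_SERVER, 443, on_wire.src, on_wire.sport)
    delivered = nat.inbound(reply)                           # rewritten back to the LAN host
    unsolicited = nat.inbound(Packet("192.0.2.99", 12345, PUBLIC_IP, 22))
    return {"on_wire": on_wire, "delivered": delivered,
            "unsolicited_forwarded": unsolicited is not None}
```

The mapping is keyed by protocol and port, which is why protocols without port numbers, such as the GRE (IP protocol 47) that carries PPTP data on the IP-Forwarding slide, need protocol-specific handling in a NAT device rather than this generic table.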

IP
  • It carries the transport protocols TCP and UDP.
  • It builds IP packets out of the data that has to be transmitted.
  • It adds additional information, the IP header, which contains the source and destination address.

TCP
  • TCP (Transmission Control Protocol) confirms every received data packet.
  • TCP repeats each data packet until its reception is confirmed.
  • TCP is reliable, which means the transmission is guaranteed.

IP-Forwarding
[Diagram: VPN Gateway, Firewall and private, local net. An IP packet with target 134.91.90.70 (port 1723 or GRE protocol 47) and an IP packet with target 192.168.1.1 are shown passing the IP-Forwarding step.]

VPN-Practical training
[Diagram: two sites, each with a Firewall, a VPN-Gateway and a private, local net, connected across the Internet; the connection between the two gateways is marked as the tunnel.]