Virtual Private Network
Presentation Transcript

  1. Chapter 4 Virtual Private Network

  2. Objectives
     • VPN Overview
     • Tunneling Protocol
     • Deployment models
     • Lab Demo
     Lecturer : Trần Thị Ngọc Hoa

  3. Overview of VPN

  4. VPN Concept
     • A Virtual Private Network is a logical network that allows users to securely connect through the Internet to a remote private network

  5. VPN Deployment Scenarios • Remote Access VPN

  6. VPN Deployment Scenarios • Extranet VPN (Site to Site, Router to Router)

  7. VPN Deployment Scenarios • Mixed VPN with Firewall

  8. Tunneling
     • Tunneling is the process of encapsulating a payload protocol inside another protocol
     • Provides a secure path through an untrusted network or an incompatible network

  9. Tunneling Protocol
     • GRE
       • Generic Routing Encapsulation
       • Cisco proprietary tunneling protocol
     • PPTP (with/without MPPE)
       • Point to Point Tunneling Protocol
       • Microsoft proprietary tunneling protocol
     • L2TP (with/without IPSec)
       • Layer 2 Tunneling Protocol
       • Created by Cisco and Microsoft

  10. IP Security
     • IP Security Overview
     • Algorithms
     • IPSec Protocols

  11. IP Security Overview
     • Open standard developed by the IETF's IPSec working group
     • Security Architecture for the Internet Protocol
     • Designed to work at Layers 3 and 4 of the OSI model
     • IPSec protects data by providing the following services:
       • Data authentication
       • Data integrity
       • Data origin authentication between
         • A pair of gateways
         • A pair of hosts
         • A host and its gateway
       • Replay protection
       • Encryption
     • Many different types of algorithm are used in IPSec
     • 2 primary protocols
       • AH – Authentication Header – IP protocol number 51
       • ESP – Encryption Security Payload – IP protocol number 50

  12. Encryption Algorithms
     • Designed to assure data confidentiality
     • 2 different methods
       • Symmetrical
       • Asymmetrical

  13. Symmetrical Algorithms
     • DES – Data Encryption Standard
       • 56-bit key – 64-bit data block
       • Number of keys = 72,000,000,000,000,000
     • 3DES
       • Three phases: Encrypt – Decrypt – Encrypt
       • 168-bit key – 64-bit data block
     • AES – Advanced Encryption Standard
       • 128-, 192- or 256-bit key
     [Diagram: Data is encrypted with the session key into ciphertext (#$ad^&*) and decrypted back to Data with the same session key]

  14. Asymmetric Algorithms
     • 2 different but related keys are required
     • RSA – Rivest, Shamir, and Adleman
     • ElGamal
     [Diagram: Data is encrypted with the public key into ciphertext (#$ad^&*) and decrypted back to Data with the private key]

  15. Hashing Algorithms
     • Hashing algorithms are used for authentication and integrity assurance for data
     • They are based on some type of one-way hash function
     • SHA
       • 128 bits output
     • MD5
       • 160 bits output
     • Collision: 2 different inputs => the same output
     • SHA is preferred over MD5

  16. Hashing Example

  17. Key Exchange Problem
     • Question: How do you get the key from one device to the other?
     • If the key is sent across an untrusted network, you run the risk of it being sniffed and captured by a hacker
     • If you phone the technician at the other end, you run the risk of phone tapping
     • Answer: Diffie-Hellman

  18. Diffie-Hellman Key Exchange
     • The Diffie-Hellman key exchange is used for automatic secure key exchange of
       • Symmetrical keys
       • Other types of keys
     • Algorithm Description
       • Step 1: A and B each pour their favourite drink into their own glass
       • Step 2: A and B pour the same liquid into the glass
       • Step 3: A and B exchange their own glass, then pick up the other liquid and mix it with their own one
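A worked version of the exchange the slide describes, added here as an example (not the lecturer's code): A and B each publish one value, and both end up with the same symmetric key while only the public values cross the network. The group parameters P and G are a constructed toy group, not one of the groups IKE negotiates.

```python
import hashlib
import secrets

# Constructed toy group for illustration only: p = 2**127 - 1 is a Mersenne prime,
# far smaller than the MODP groups IKE negotiates in practice.
P = 2**127 - 1
G = 5


def make_keypair(p=P, g=G):
    """'Favourite drink': a secret exponent x, and the public value g^x mod p."""
    private = secrets.randbelow(p - 2) + 2
    return private, pow(g, private, p)


def shared_secret(their_public, my_private, p=P):
    """'Mix the other glass with your own': (g^y)^x mod p, equal on both sides."""
    return pow(their_public, my_private, p)


def derive_session_key(secret, p=P):
    """Hash the raw DH result into a fixed-length symmetric key (a simple KDF)."""
    return hashlib.sha256(secret.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def run_exchange():
    """A and B each publish one value; the wire carries only g^a and g^b, never a or b."""
    a_private, a_public = make_keypair()
    b_private, b_public = make_keypair()
    on_the_wire = (a_public, b_public)
    key_a = derive_session_key(shared_secret(b_public, a_private))
    key_b = derive_session_key(shared_secret(a_public, b_private))
    return key_a, key_b, on_the_wire


if __name__ == "__main__":
    ka, kb, wire = run_exchange()
    print("both sides hold the same 256-bit key:", ka == kb)
```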

  19. IPSec Protocols
     • AH
       • Provides
         • Data integrity
         • Data authentication
         • Anti-replay protection (optionally)
       • Does not provide any form of encryption for the payload of the packet
     • ESP
       • Provides payload encryption
       • Provides authentication and integrity

  20. Security Mode
     • Both ESP and AH can operate in two different modes
     • Tunnel Mode:
       • The entire packet is encrypted, then encapsulated with a new, unprotected IP header
     • Transport Mode:
       • Default mode
       • The original IP header is reused with the new packet
       • The current IP header has been used in the hashing algorithm and therefore cannot be changed between sender and receiver
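The two modes side by side, as an added example (not from the lecture): a simplified ESP encapsulation that shows what the outer header of each mode exposes and that both decapsulate back to the original packet. The IPv4 and ESP header layouts are the real ones; the rest of ESP (padding, encryption, ICV) is left out, and the addresses are constructed documentation addresses.

```python
import socket
import struct

IPV4 = struct.Struct("!BBHHHBBH4s4s")   # minimal 20-byte IPv4 header (RFC 791)
ESP = struct.Struct("!II")              # ESP header: SPI + sequence number (RFC 4303)
PROTO_IPIP, PROTO_ESP = 4, 50

# Simplified ESP for illustration: no padding, encryption or ICV; the last byte of the
# body stands in for the ESP trailer's Next Header field.


def ipv4(src, dst, proto, payload_len, ttl=64):
    """Build a minimal IPv4 header (checksum left zero; nothing here hits the wire)."""
    return IPV4.pack(0x45, 0, IPV4.size + payload_len, 0, 0, ttl, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))


def addrs(pkt):
    """Return (src, dst, protocol) from an IPv4 header."""
    f = IPV4.unpack_from(pkt)
    return socket.inet_ntoa(f[8]), socket.inet_ntoa(f[9]), f[6]


def esp_transport(pkt, spi, seq):
    """Transport mode: the original IP header is reused; only the payload sits behind ESP."""
    src, dst, proto = addrs(pkt)
    body = ESP.pack(spi, seq) + pkt[IPV4.size:] + bytes([proto])
    return ipv4(src, dst, PROTO_ESP, len(body)) + body


def esp_tunnel(pkt, spi, seq, gw_src, gw_dst):
    """Tunnel mode: the entire original packet is encapsulated under a new outer header."""
    body = ESP.pack(spi, seq) + pkt + bytes([PROTO_IPIP])
    return ipv4(gw_src, gw_dst, PROTO_ESP, len(body)) + body


def decapsulate(esp_pkt):
    """Reverse either mode; returns (mode, original packet)."""
    src, dst, proto = addrs(esp_pkt)
    assert proto == PROTO_ESP
    inner, next_hdr = esp_pkt[IPV4.size + ESP.size:-1], esp_pkt[-1]
    if next_hdr == PROTO_IPIP:
        return "tunnel", inner                     # inner packet is complete as-is
    return "transport", ipv4(src, dst, next_hdr, len(inner)) + inner


def demo():
    """Constructed host packet 192.0.2.10 -> 198.51.100.20 (TCP) sent through two gateways."""
    original = ipv4("192.0.2.10", "198.51.100.20", 6, 8) + b"TCP-data"
    t = esp_transport(original, 0x1000, 1)
    u = esp_tunnel(original, 0x2000, 1, "203.0.113.1", "203.0.113.2")
    return addrs(t)[:2], addrs(u)[:2], decapsulate(t)[1] == original, decapsulate(u)[1] == original
```

In transport mode the untrusted network still sees the real host addresses; in tunnel mode it sees only the gateway addresses, which is why the slide calls the inner packet "entirely" protected.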

  21. Security Associations
     • A set of policy and key(s) used to protect data, agreed before an IPSec tunnel can be created
     • Each SA gets a unique 32-bit Security Parameter Index number – SPI – that is sent in every packet pertaining to the specific SA
     • The SA keeps track of general information such as the following:
       • Source IP address
       • Destination IP address
       • IPSec protocols used
       • SPI number
       • Encryption and authentication algorithms
       • Key lifetime (sets the amount of time and/or byte count that a key is valid for; the longer the time, the more vulnerable your data is)
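How the SPI in every packet selects the SA, and how the anti-replay protection from slide 19 uses per-SA sequence-number state, shown as an added example (not the lecturer's code). The ESP header layout is the real one; the SA fields, window size and sample packets are constructed for the demo.

```python
import struct
from dataclasses import dataclass, field

ESP_HEADER = struct.Struct("!II")   # ESP header: 32-bit SPI, 32-bit sequence number (RFC 4303)
WINDOW = 64                         # anti-replay window size, in sequence numbers


@dataclass
class SecurityAssociation:
    """Per-SA state from the slide plus the sequence bookkeeping replay protection needs."""
    src: str
    dst: str
    protocol: int                   # 50 = ESP, 51 = AH
    spi: int
    highest_seq: int = 0
    seen: set = field(default_factory=set)

    def accept_sequence(self, seq):
        """Sliding-window check: True if the sequence number is fresh, False if replayed or stale."""
        if seq == 0 or seq in self.seen:
            return False                               # never valid, or already received
        if seq > self.highest_seq:
            self.highest_seq = seq                     # right edge of the window advances
        elif seq <= self.highest_seq - WINDOW:
            return False                               # older than the window: drop
        self.seen.add(seq)
        self.seen = {s for s in self.seen if s > self.highest_seq - WINDOW}
        return True


def inbound_check(sad, packet):
    """Look the SA up by the SPI carried in the packet, then run the replay check."""
    if len(packet) < ESP_HEADER.size:
        return "truncated"
    spi, seq = ESP_HEADER.unpack_from(packet)
    sa = sad.get(spi)
    if sa is None:
        return "unknown SPI"                           # no SA: the packet cannot be processed
    return "ok" if sa.accept_sequence(seq) else "replay"


def demo():
    """Constructed SAD with one ESP SA; feed it a fresh packet, a replay, and a bogus SPI."""
    sad = {0x1000: SecurityAssociation("10.0.0.1", "10.0.0.2", 50, 0x1000)}

    def pkt(spi, seq):
        return ESP_HEADER.pack(spi, seq) + b"ciphertext..."

    return [inbound_check(sad, pkt(0x1000, 1)),
            inbound_check(sad, pkt(0x1000, 1)),
            inbound_check(sad, pkt(0x2000, 2))]
```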

  22. Internet Key Exchange
     • Internet Key Exchange (IKE) is used to establish all the information needed – the SA – for a tunnel
     • 2 phases
       • Main mode – IKE Phase 1
       • Quick mode – IKE Phase 2