VPN Revealed


  • 2. VPN Revealed, Ayman Saeed
  • 3. Agenda
    • Day 1
        • Why and how VPN
        • IPSEC cryptosystems
        • SSL cryptosystems
        • SSL VPN demo
        • PPTP cryptosystems
        • PPTP VPN demo
    • Day 2
        • IPSEC VPN demo
  • 4.
        • Why and where VPN
    • A cryptosystem can provide the CIA triad for a service running above it (in practice confidentiality, integrity and authentication of the peer; a tunnel does not add availability) in two different models:
    • First model: the cryptosystem is integrated with the service to form a new protocol; HTTP is the service, SSL is the cryptosystem and HTTPS is the resulting protocol.
    • Second model: a service-independent cryptosystem; the service knows nothing about the cryptosystem that protects its traffic. A VPN is the service-independent model.
    • So a VPN secures the connection between a client and a service without the service knowing anything about the protection applied to the traffic it generates.
  • 5.
    • VPNs are deployed either as site-to-site VPNs or as remote-access VPNs; a site-to-site VPN is the choice for connecting a remote office to the main branch.
    • A remote-access VPN is the choice when remote users need temporary access to corporate resources.
  • 6.
    • Several cryptosystems can be used to implement a VPN: IPSEC, SSL, SSH, PPTP, and L2TP over IPSEC.
    • Routers and firewalls can generally act as VPN-capable devices; a dedicated VPN device can also be used.
    • Cisco sells a dedicated IPSEC VPN device; several vendors sell dedicated SSL VPN devices (Juniper, SonicWall, Citrix, ...), and the presenter rates Juniper's as the best of these.
  • 7.
        • IPSEC Cryptosystem
    • IPSEC can operate in two different modes: transport mode and tunnel mode.
    • Transport mode protects only the payload of the original packet and keeps the original IP header; tunnel mode encapsulates the whole original packet, header included, inside a new IP header.
    • Either transport or tunnel mode can be used when the VPN connection is established directly between two hosts (no VPN gateways).
    • Only tunnel mode can be used when the VPN connection is between a host and a network, or between two networks, with VPN gateways in between, because the gateway has to add its own IP header to carry the protected packet across the Internet.
  • 8.
    • IPSEC can be used for integrity alone, or for both integrity and confidentiality.
    • For integrity alone we use AH (Authentication Header); for both integrity and confidentiality we use ESP (Encapsulating Security Payload). ESP can also be run with the NULL encryption algorithm for integrity only, and an ESP SA with encryption but no integrity check is possible but strongly discouraged.
    • So IPSEC can operate in these four different modes:
    • 1- AH transport mode.
    • 2- AH tunnel mode.
    • 3- ESP transport mode.
    • 4- ESP tunnel mode.
    • Each of these four modes has its own header structure.
  • 9. (diagram: AH and ESP header structures in transport and tunnel mode)
  • 10.
    • From the previous diagram we can see the problem with AH behind a NAT stage: the AH integrity check value is computed over the IP header as well as the payload (addresses included, with only mutable fields such as TTL and the header checksum excluded), so a NAT device that rewrites the source or destination address invalidates the check. ESP authenticates only the ESP header and its payload, not the outer IP header, so an address rewrite does not break it.
    • ESP is still not NAT-proof in practice: a bare ESP packet carries no port numbers for the NAT to map, and in transport mode the inner TCP/UDP checksum still covers the original addresses. This is why IKE and ESP are wrapped in UDP port 4500 (NAT Traversal, RFC 3947/3948) when a NAT is detected on the path.
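The following is an added example, not part of the original slides: a small Python model of what each protocol's integrity check covers, to make the AH-versus-NAT point of slides 8 and 10 concrete. It builds an IPv4 packet in AH transport mode and one in ESP transport mode, pushes both through a simulated source NAT, and re-verifies the integrity check value. The IP addresses, key and payload are constructed for the demo; HMAC-SHA1-96 is used because it is the classic IPsec integrity algorithm, and ESP encryption is not modelled (the body stands in for the ciphertext and trailer).

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo values. Protocol numbers are the IANA assignments.
AH_PROTO, ESP_PROTO, TCP_PROTO = 51, 50, 6
ICV_LEN = 12                      # HMAC-SHA1-96 (RFC 2404) truncates the tag to 96 bits
DEMO_KEY = b"demo-integrity-key-not-for-production"


def ip_checksum(hdr20: bytes) -> int:
    """RFC 791 one's-complement checksum over a 20-byte header whose checksum field is zero."""
    total = sum(struct.unpack("!10H", hdr20))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def snat(packet: bytes, new_src: str) -> bytes:
    """Model a NAT device: rewrite the source address and fix the header checksum, nothing else."""
    hdr = bytearray(packet[:20])
    hdr[12:16] = socket.inet_aton(new_src)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


def ah_covered_header(ip_hdr: bytes) -> bytes:
    """AH (RFC 4302) authenticates the IP header with the mutable fields zeroed:
    TOS/DSCP, flags + fragment offset, TTL and header checksum. Addresses stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    covered = ah_covered_header(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: str, dst: str, spi: int, seq: int, payload: bytes) -> bytes:
    ah_len = (12 + ICV_LEN) // 4 - 2          # AH "payload length" is in 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", TCP_PROTO, ah_len, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, len(ah_fixed) + ICV_LEN + len(payload))
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify_ah(key: bytes, packet: bytes) -> bool:
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload))


def build_esp_packet(key: bytes, src: str, dst: str, spi: int, seq: int, body: bytes) -> bytes:
    """ESP (RFC 4303): the ICV covers only SPI, sequence number and the (encrypted) body + trailer.
    Encryption is not modelled; `body` stands in for ciphertext plus trailer."""
    esp_hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(key, esp_hdr + body, hashlib.sha1).digest()[:ICV_LEN]
    ip_hdr = ipv4_header(src, dst, ESP_PROTO, len(esp_hdr) + len(body) + ICV_LEN)
    return ip_hdr + esp_hdr + body + icv


def verify_esp(key: bytes, packet: bytes) -> bool:
    esp_hdr, body, icv = packet[20:28], packet[28:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, esp_hdr + body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def nat_survival() -> dict:
    """Same payload in AH and ESP transport mode, before and after a source NAT."""
    payload = b"constructed TCP segment"
    ah = build_ah_packet(DEMO_KEY, "10.0.0.5", "198.51.100.20", 0x1000, 1, payload)
    esp = build_esp_packet(DEMO_KEY, "10.0.0.5", "198.51.100.20", 0x2000, 1, payload)
    return {
        "ah_direct": verify_ah(DEMO_KEY, ah),
        "ah_after_nat": verify_ah(DEMO_KEY, snat(ah, "203.0.113.9")),
        "esp_direct": verify_esp(DEMO_KEY, esp),
        "esp_after_nat": verify_esp(DEMO_KEY, snat(esp, "203.0.113.9")),
    }


if __name__ == "__main__":
    print(nat_survival())
```

Running it shows AH verifying before the NAT and failing after it, while ESP passes both times. That is why AH is rarely deployed across the Internet, and why ESP still needs NAT-Traversal (UDP 4500) in practice: the NAT has no port to map in a bare ESP packet.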
  • 11.
    • We need to trust the peer before starting to communicate with it; this trust is established with either a pre-shared key or a certificate (digital signature).
    • Since ESP encrypts, the communicating parties need a shared secret key; it can be configured manually or generated automatically with a Diffie-Hellman exchange.
    • IPSEC uses a standalone protocol for this, IKE (Internet Key Exchange). IKE does more than exchange keys: it also authenticates the peers and negotiates the encryption and hashing algorithms over a protected channel.
    • So IKE is used for:
    • 1- secure negotiation of the encryption and hashing algorithms to be used.
    • 2- running Diffie-Hellman to generate the shared secret keys.
    • 3- authenticating the peers with the pre-shared key or certificate.
  • 12.
    • IKE (IKEv1, as described here) operates in two phases:
    • Phase 1: the parties negotiate the symmetric encryption and hashing algorithms, the authentication method and the Diffie-Hellman group used to protect IKE itself, run Diffie-Hellman to derive a shared secret, and authenticate each other. The result is the IKE (ISAKMP) SA, whose keys encrypt and integrity-protect the phase 2 messages.
    • Phase 2 (quick mode): under the protection of the phase 1 SA, the parties negotiate the algorithms that will actually protect user data. The keys for those algorithms are derived from the phase 1 secret; optionally a second Diffie-Hellman exchange is run so that a later compromise of the phase 1 keys does not expose the data keys (perfect forward secrecy). The negotiated parameters are stored in SAs (Security Associations), which have a limited lifetime.
    • IKEv2 (RFC 7296) keeps the same idea in fewer messages: IKE_SA_INIT and IKE_AUTH set up the IKE SA and the first CHILD_SA, and CREATE_CHILD_SA adds or rekeys further ones.
  • 13.
    • An SA holds the negotiated parameters, among them:
    • 1- The encryption algorithm and its secret key.
    • 2- The hashing algorithm and its HMAC key.
    • 3- The SA lifetime (in time and/or bytes), after which the SA is rekeyed.
    • SAs are unidirectional, so a protected connection uses one SA per direction. Each SA is identified by an SPI (Security Parameter Index), a dedicated field in the ESP and AH headers; the receiver uses it to look up the keys and algorithms for an incoming packet.
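The following is an added example, not part of the original slides: the IKEv1 key schedule of RFC 2409 written out in Python, to show how the phase 1 Diffie-Hellman secret of slide 12 becomes SKEYID_d, SKEYID_a and SKEYID_e, how phase 2 (quick mode) derives KEYMAT for each SA from SKEYID_d with or without a second Diffie-Hellman exchange (PFS), and why the two directional SAs of slide 13 end up with different keys although they share everything except the SPI. Pre-shared-key authentication and HMAC-SHA1 as the prf are assumed. The Diffie-Hellman group is a toy Mersenne prime so the example runs instantly; real IKE uses the MODP groups of RFC 2409 and RFC 3526. Nonces, cookies and SPIs are generated or chosen for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Toy Diffie-Hellman group so the example runs instantly. A Mersenne prime with generator 3
# is NOT a safe production group; real IKE uses the RFC 2409 / RFC 3526 MODP groups.
TOY_P = 2**127 - 1
TOY_G = 3
PROTO_IPSEC_ESP = 3      # IPsec DOI protocol identifier for ESP (RFC 2407)


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf is HMAC with the negotiated hash; HMAC-SHA1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    x = secrets.randbelow(TOY_P - 2) + 1
    return x, pow(TOY_G, x, TOY_P)


def dh_shared(x: int, peer_public: int) -> bytes:
    return pow(peer_public, x, TOY_P).to_bytes(16, "big")


def phase1_skeyids(psk: bytes, ni: bytes, nr: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> dict:
    """RFC 2409 section 5, pre-shared-key authentication.
    SKEYID_d seeds the phase 2 keys, SKEYID_a protects IKE integrity, SKEYID_e encrypts IKE."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"d": skeyid_d, "a": skeyid_a, "e": skeyid_e}


def phase2_keymat(skeyid_d: bytes, protocol: int, spi: int, ni: bytes, nr: bytes,
                  gqm_xy: Optional[bytes] = None) -> bytes:
    """RFC 2409 section 5.5 (quick mode). Without PFS the SA key is a function of the phase 1
    secret only; with PFS a fresh Diffie-Hellman result g(qm)^xy is mixed in.
    (Longer keys are obtained by iterating the prf; one output block is enough here.)"""
    prefix = gqm_xy if gqm_xy is not None else b""
    return prf(skeyid_d, prefix + bytes([protocol]) + spi.to_bytes(4, "big") + ni + nr)


def negotiate(psk: bytes, pfs: bool) -> dict:
    """Both IKEv1 peers in one process; returns the two SAs the initiator installs."""
    # Phase 1: nonces, ISAKMP cookies and one Diffie-Hellman exchange.
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    initiator = phase1_skeyids(psk, ni, nr, dh_shared(xi, gxr), cky_i, cky_r)
    responder = phase1_skeyids(psk, ni, nr, dh_shared(xr, gxi), cky_i, cky_r)
    assert initiator == responder, "peers must derive identical SKEYID_* values"

    # Phase 2: fresh nonces, one SPI per direction (chosen by the receiving side),
    # and a second Diffie-Hellman exchange only if PFS was negotiated.
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    spi_to_responder, spi_to_initiator = 0x10000001, 0x20000002   # constructed SPIs
    gqm = None
    if pfs:
        yi, gyi = dh_keypair()
        yr, gyr = dh_keypair()
        gqm = dh_shared(yi, gyr)
        assert gqm == dh_shared(yr, gyi)
    outbound = {"spi": spi_to_responder,
                "keymat": phase2_keymat(initiator["d"], PROTO_IPSEC_ESP, spi_to_responder, ni2, nr2, gqm)}
    inbound = {"spi": spi_to_initiator,
               "keymat": phase2_keymat(initiator["d"], PROTO_IPSEC_ESP, spi_to_initiator, ni2, nr2, gqm)}
    return {"pfs": pfs, "initiator_outbound": outbound, "initiator_inbound": inbound}


if __name__ == "__main__":
    for pfs in (False, True):
        sas = negotiate(b"constructed-demo-psk", pfs)
        print(pfs, sas["initiator_outbound"]["keymat"].hex(), sas["initiator_inbound"]["keymat"].hex())
```

Two things to take from the derivation: the SPI is an input to KEYMAT, so the inbound and outbound SAs never share a key even though the peers share every other parameter; and without PFS every phase 2 key is a deterministic function of SKEYID_d plus values carried inside the (encrypted) quick-mode exchange, so whoever recovers the phase 1 keys recovers all the data keys negotiated under them.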
  • 14.
        • SSL Cryptosystem
    • SSL provides confidentiality, integrity and authentication for application data. It sits between the transport layer and the application, and it is best known for being bound to specific protocols (HTTP over SSL is HTTPS); it is also used to build VPN connections.
    • SSL is a layered protocol composed of two layers:
      • 1- SSL Handshake Protocol: handles connection establishment (authentication and negotiation of the cipher suite and keys).
      • 2- SSL Record Protocol: fragments, integrity-protects and encrypts the data. Each record starts with a small header (content type, version, length); with a block cipher the protected body that follows the payload ends with two parts:
    • 1- MAC portion: a keyed hash over the MAC key, a sequence number, the record type and length, and the data (SSL 3.0 mixes fixed padding constants into the hash; TLS uses HMAC). The sequence number defeats replay and reordering of records.
    • 2- Padding portion: fills the data plus MAC to a multiple of the cipher's block size when a block cipher is used.
    • Because the MAC is applied before encryption and the padding is checked after decryption, an implementation must treat bad padding and a bad MAC identically (one error, same timing); otherwise the receiver becomes a padding oracle, the weakness behind POODLE and Lucky Thirteen.
    • The next figure shows the connection setup.
  • 15. (diagram: SSL connection setup / handshake)
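The following is an added example, not part of the original slides: the record-protocol body described on slide 14, built the TLS 1.0 way (RFC 2246) in Python, with the HMAC computed over sequence number, type, version, length and fragment, then padding to the block size. The CBC encryption step is omitted; the point is what the MAC covers and how the receiver checks padding and MAC without leaking which one failed. The key and fragment are constructed for the demo.

```python
import hashlib
import hmac
import struct
from typing import Optional

BLOCK = 16       # block size of the (not modelled) CBC cipher, e.g. AES
MAC_LEN = 20     # HMAC-SHA1
TLS10 = 0x0301


def record_mac(mac_key: bytes, seq: int, ctype: int, fragment: bytes) -> bytes:
    """TLS 1.0 record MAC (RFC 2246 6.2.3.2): HMAC(key, seq_num || type || version || length || fragment).
    The 64-bit sequence number is implicit state kept by both sides, never sent on the wire."""
    header = struct.pack("!QBHH", seq, ctype, TLS10, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()


def protect(mac_key: bytes, seq: int, ctype: int, fragment: bytes) -> bytes:
    """Body handed to the block cipher: fragment || MAC || padding. Every padding byte, including
    the trailing padding-length byte, holds the padding length, so the total is a block multiple."""
    mac = record_mac(mac_key, seq, ctype, fragment)
    pad_len = (BLOCK - (len(fragment) + MAC_LEN + 1) % BLOCK) % BLOCK
    return fragment + mac + bytes([pad_len]) * (pad_len + 1)


def unprotect(mac_key: bytes, seq: int, ctype: int, body: bytes) -> Optional[bytes]:
    """Receiver side after decryption. Padding and MAC are both checked on every path and the
    caller sees a single failure outcome, so bad padding and bad MAC are indistinguishable
    (the lesson of POODLE and Lucky Thirteen). Returns the fragment, or None on any failure."""
    if len(body) % BLOCK or len(body) < MAC_LEN + 1:
        return None
    pad_len = body[-1]
    padding_ok = (pad_len + 1 + MAC_LEN <= len(body)
                  and body[-(pad_len + 1):] == bytes([pad_len]) * (pad_len + 1))
    if not padding_ok:
        pad_len = 0          # still run the MAC check so the failure path looks the same
    end = len(body) - (pad_len + 1)
    fragment, mac = body[:end - MAC_LEN], body[end - MAC_LEN:end]
    mac_ok = hmac.compare_digest(mac, record_mac(mac_key, seq, ctype, fragment))
    return fragment if (padding_ok and mac_ok) else None


def demo() -> dict:
    """Constructed key and application-data record (content type 23)."""
    key = b"constructed-mac-key-20"
    body = protect(key, seq=0, ctype=23, fragment=b"GET / HTTP/1.0")
    tampered = bytes([body[0] ^ 0x01]) + body[1:]
    return {
        "body_len": len(body),
        "valid": unprotect(key, 0, 23, body),
        "replayed": unprotect(key, 1, 23, body),       # receiver expects seq 1, gets a copy of seq 0
        "tampered": unprotect(key, 0, 23, tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The replayed record fails even though its bytes are untouched, because the receiver's own sequence counter is part of the MAC input; that is what the slide means by the sequence number being hashed in.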
  • 16.
        • SSL VPN Demo
    SonicWall SSL-VPN Demo
  • 17.
        • PPTP Cryptosystem
    • PPTP carries PPP, which encapsulates IP, IPX and NetBEUI packets in PPP frames and delivers them over a point-to-point link between the sending and receiving computers. PPTP itself uses a TCP control connection (port 1723) and tunnels the PPP frames in GRE.
    • PPTP relies on PPP for authentication and encryption, so the PPTP cryptosystem is limited to the algorithms and protocols PPP supports:
    • 1- PAP, CHAP and MS-CHAP (v1/v2) for authentication.
    • 2- MPPE (Microsoft Point-to-Point Encryption) for encryption, built on RC4 with keys derived from the MS-CHAP exchange.
    • PPTP has two types of messages:
    • 1- control messages for establishing and maintaining connections.
    • 2- data messages for carrying user traffic.
    • Caveat: MS-CHAPv2 is cryptographically broken (recovering the credentials reduces to a single DES key search), MPPE provides no integrity protection, and PPTP should not be relied on where security matters.
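The following is an added example, not part of the original slides: RC4 as used by MPPE, implemented in Python and checked against the standard "Key"/"Plaintext" test vector, then used to show what the absence of an integrity check on slide 17 means in practice: one flipped ciphertext byte decrypts to a predictably changed plaintext and nothing on the receiving side notices, unlike the AH/ESP integrity check of slide 8. MPPE's actual key derivation from the MS-CHAP exchange is not modelled; the key and PPP payload are constructed for the demo.

```python
def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key-scheduling algorithm followed by the pseudo-random generation algorithm."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


def rc4_known_answer() -> bool:
    """Standard test vector: key 'Key', plaintext 'Plaintext' -> BBF316E8D940AF0AD3."""
    return rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


def flip_in_transit(key: bytes, plaintext: bytes, offset: int, delta: int) -> bytes:
    """Sender encrypts; an on-path attacker XORs one ciphertext byte with `delta`; the receiver
    decrypts. With a stream cipher the same XOR lands on the plaintext byte, and MPPE (RFC 3078)
    carries no MAC that would let the receiver reject the modified frame."""
    ct = bytearray(rc4(key, plaintext))
    ct[offset] ^= delta
    return rc4(key, bytes(ct))


def demo() -> bytes:
    # Constructed PPP payload and key; a real MPPE key would come from the MS-CHAP exchange.
    return flip_in_transit(b"constructed-mppe-key", b"amount=100", offset=7, delta=ord("1") ^ ord("9"))


if __name__ == "__main__":
    print(rc4_known_answer(), demo())
```

The attacker never learns the key or the keystream; knowing (or guessing) the plaintext layout is enough to rewrite a field. This is the property an authenticated mode (ESP's ICV, a TLS record MAC) exists to remove.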
  • 18. (diagram: PPTP encapsulation between sender and receiver)
  • 19.
        • PPTP VPN Demo
    Windows Server 2003 implementation of site-to-site and remote-access VPNs.
  • 20.
    • Glory be to You, O Allah, and praise be to You; I bear witness that there is no god but You.
    • I seek Your forgiveness and turn to You in repentance.