Lecture 11: Virtual Private Networks (PowerPoint)



1. Virtual Private Networks and IPSec (ECE 4112)

2. What is a VPN?
   - VPN stands for Virtual Private Network
   - A method of ensuring private, secure communication between hosts over an insecure medium using tunneling
   - Usually between geographically separate locations, but it doesn't have to be
   - Via tunneling and software drivers, a computer is logically connected directly to a network that it is not physically a part of

3. Sidebar: What is tunneling?
   - Putting one type of packet inside another
   - Both parties must be aware of the tunnel for it to work
   - Example on the next slide: AppleTalk over IP tunnel

4. Example: AppleTalk over IP Tunnel (diagram)

5. What is a VPN? (cont.)
   - Uses some means of encryption to secure communications
     - IPSec
     - SSH
     - Software could be written to support any type of encryption scheme
   - Two main types of VPNs:
     - Remote-access
     - Site-to-site

6. What is a VPN? (cont.)
   - Remote-access
     - The typical example is a dial-up connection from home, or from a mobile worker who needs to reach secure materials remotely
   - Site-to-site
     - The typical example is a company with offices in two different geographical locations that wants a secure network connection between the two

7. Remote-Access Example (diagram)

8. Site-to-Site Example (diagram)

9. Why Use a VPN?
   - Originally designed as an inexpensive alternative to a WAN built on leased lines
   - Now mostly used to securely connect computers over the Internet
   - Convenient
   - Lots of cheap and convenient protocols are insecure (IP, 802.11, etc.)
     - With a VPN you can now communicate securely over these insecure protocols

10. Why Use a VPN? (cont.)
   - Example: it can simplify security
     - (What is about to be proposed is not the most secure thing in the world, so don't raise your hands and tell me how you would make it more secure; it's just an example)
     - Assume a simple security policy with IP-based access management; for example, an FTP server holding site-licensed software for employees
     - Before the VPN, allowing telecommuters or traveling employees to reach the FTP site was complicated
       - Train all employees to use an SSH tunnel, etc.
     - After the VPN, employees offsite can still connect using an internal IP address

11. VPN Advantages
   - Improved security
   - Consolidation of scattered resources
   - Transparency to users
     - If set up properly
   - Reduced cost (vs. leased lines)

12. VPN Disadvantages
   - Time-consuming setup
   - Possibly frustrating troubleshooting
   - Interoperability with other networks/VPNs
   - Small performance overhead
     - Should be negligible on today's hardware

13. VPN Security
   - In academic terms, a VPN can provide confidentiality, integrity, and authenticity
   - Security against a determined hacker (read: academic attacks) depends largely upon the underlying protocols used
   - Assuming the security of SSH, IPSec, or whatever other protocol is used, the VPN should be secure

14. How are VPNs set up?
   - Many different types of setup
   - They vary in:
     - Amount of hardware used vs. amount of software used
       - All hardware based
       - All software based
       - Mixed
     - Amount of transparency to the end user
       - Does the user even realize that they are using a VPN?

15. How are VPNs set up? (cont.)
   - The following is not an exhaustive list
     - Gateway to gateway
       - Using two VPN-aware gateways
     - End host to gateway
       - End host uses VPN software
     - End host to end host
       - Both hosts use software
     - End host to concentrator

16. How are VPNs set up? (cont.)
   - SSH over PPP
   - SSL over PPP
   - Concentrator using IPSec
   - Others (PPTP, L2TP, etc.)

17. VPN via SSH & PPP
   - Point-to-Point Protocol over a Secure Shell connection
   - Establishing a network connection:
     - Establish an SSH connection
       - VPN client to VPN server
     - Each end has a PPP daemon; the two daemons communicate through the SSH connection
     - Voilà! A VPN connection!

18. VPN via SSL & PPP
   - Point-to-Point Protocol over a Secure Sockets Layer connection
   - Secure Sockets Layer
     - Built-in support for host authentication
     - Certificates

19. VPN via SSL & PPP (cont.)
   - Establishing a network connection:
     - Initial handshake for secure communication
     - "Hello" messages establish:
       - SSL version, supported cipher suites, and some random data
     - The key is determined separately from the handshake
     - SSL connection complete!
     - Data is transferred over the link

20. VPN via Concentrator
   - What is a concentrator?
     - A concentrator is NOT a gateway or firewall
     - A specialized device that accepts connections from VPN peers
     - Authenticates clients
     - Enforces VPN security policies
     - Takes the overhead of VPN management and encryption off the gateways and local hosts

21. VPN via Concentrator (cont.)
   - Steps to establish the VPN:
     - Set up the concentrator (add users, specify authentication mechanisms, set IP address ranges, etc.)
     - Install client software
     - The client runs the software whenever it wants to be on the VPN

22. Other Methods
   - Point-to-Point Tunneling Protocol (PPTP)
     - Microsoft's implementation of VPN
     - Data is first encapsulated inside PPP packets
     - The PPP packets are then encapsulated in GRE packets and sent over the link
   - PPTP uses two connections
     - One for the data being sent
     - Another for a control channel

23. Other Methods (cont.)
   - Any technology can be used
     - Must have hardware or software to support it
   - Another example: L2TP on gateways
     - Layer 2 Tunneling Protocol
     - Supported by routers
     - If two routers support L2TP and are properly configured, a VPN is set up between the routers
     - Transparent to the end user

24. Intro to IPSec
   - Created to add authentication, confidentiality, and integrity to IP traffic
   - Designed to combat specific shortcomings in IP
   - IPSec is large and its implementation is complicated
   - What follows is a high-level overview
   - As we will see in the lab, it need not be used only as a VPN technology; it can also stand alone

25. Intro to IPSec (cont.)
   - IPSec ≠ VPN
     - IPSec is a protocol used in many VPNs
   - Two main modes
     - Transport
     - Tunnel
   - Two main services
     - AH (Authentication Header protocol)
     - ESP (Encapsulating Security Protocol)

26. Intro to IPSec (cont.)
   - Authentication Header protocol
     - Offers authenticity and integrity
     - Uses a cryptographic hash
       - Covers the entire packet, including the static header fields
     - If any part of the original message changes, it will be detected
     - Does not encrypt the message
     - Can be used to authenticate:
       - Prevents IP spoofing

27. Intro to IPSec (cont.)
   - Encapsulating Security Protocol
     - Provides integrity and confidentiality
     - Encrypts the payload
     - If used in tunnel mode, also encrypts the original IP header

28. Intro to IPSec (cont.)
   - Transport mode (packet layout diagram):
     Real IP Header | IP Options | IPSec Header (AH header or ESP header) | Payload (for example, TCP header and data)
     - AH authenticates over the whole packet, including the static fields of the real IP header
     - ESP encrypts over the payload only; the real IP header stays in the clear

29. Intro to IPSec (cont.)
   - Tunnel mode (packet layout diagram):
     GW IP Header | IPSec Header (AH header or ESP header) | Real IP Header | Payload (for example, TCP header and data)
     - AH authenticates over the whole packet: gateway header, real IP header, and payload
     - ESP encrypts over the real IP header and the payload; only the gateway IP header is visible

30. Intro to IPSec (cont.)
   - AH and ESP can be used together
     - Tunnel ESP through AH transport packets
   - We want to protect the cryptographic keys
   - Internet Key Exchange protocol (IKE)
     - A secure way to exchange session keys based on a shared secret
     - Can also use certificates (public key cryptography)
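As an added example that is not part of the original slides, the following Python builds the transport-mode and tunnel-mode layouts of slides 28 and 29 with an AH header, and computes the AH integrity check value the way slide 26 describes: an HMAC over the packet with the mutable IP header fields zeroed. The key, addresses, SPI values and TCP segment are constructed, and the IPv4 header is simplified (no options, checksum left zero).

```python
import hashlib, hmac, socket, struct

AH_KEY = b"\x11" * 32          # constructed key; a real SA gets it from IKE
PROTO_IPIP, PROTO_TCP, PROTO_AH = 4, 6, 51
ICV_LEN = 16                   # HMAC-SHA256-128: the MAC truncated to 128 bits

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header, no options; checksum left 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def immutable_view(ip_hdr):
    """Zero the fields routers rewrite in flight (ToS, flags/frag, TTL, checksum)."""
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    return bytes(h)

def build_ah_packet(outer_src, outer_dst, next_header, inner, spi, seq):
    """Outer IP header + AH header + inner bytes; the ICV is an HMAC over all three."""
    ah = struct.pack("!BBHII", next_header, 5, 0, spi, seq)  # len: (12+16)/4 - 2 words
    hdr = ipv4_header(outer_src, outer_dst, PROTO_AH, len(ah) + ICV_LEN + len(inner))
    icv = hmac.new(AH_KEY, immutable_view(hdr) + ah + b"\0" * ICV_LEN + inner,
                   hashlib.sha256).digest()[:ICV_LEN]
    return hdr + ah + icv + inner

def verify_ah_packet(pkt):
    """Receiver side: recompute the ICV; True only if no static field or payload changed."""
    hdr, ah, icv, inner = pkt[:20], pkt[20:32], pkt[32:48], pkt[48:]
    want = hmac.new(AH_KEY, immutable_view(hdr) + ah + b"\0" * ICV_LEN + inner,
                    hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(want, icv)

def transport_mode(src, dst, segment, spi=0x1000, seq=1):
    """Slide 28 layout: the real IP header stays outermost; AH sits between it and TCP."""
    return build_ah_packet(src, dst, PROTO_TCP, segment, spi, seq)

def tunnel_mode(gw_src, gw_dst, src, dst, segment, spi=0x2000, seq=1):
    """Slide 29 layout: the whole original packet rides behind a new gateway-to-gateway header."""
    inner = ipv4_header(src, dst, PROTO_TCP, len(segment)) + segment
    return build_ah_packet(gw_src, gw_dst, PROTO_IPIP, inner, spi, seq)

def outer_addresses(pkt):  # all an on-path observer sees: hosts, or gateways in tunnel mode
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])

def decrement_ttl(pkt):  # a router hop changes a mutable field: the ICV must still verify
    p = bytearray(pkt); p[8] -= 1; return bytes(p)

def rewrite_source(pkt, new_src):  # a static field changed in flight: the ICV must fail
    p = bytearray(pkt); p[12:16] = socket.inet_aton(new_src); return bytes(p)
```

A router's TTL decrement leaves the check intact, a rewritten source address fails it, and in tunnel mode only the gateway addresses appear in the outer header.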
31. Resources
   - Books:
     - Building Linux Virtual Private Networks, Oleg Kolesnikov and Brian Hatch
     - Linux Server Hacks, Rob Flickenger
     - Network Security, Charlie Kaufman, Radia Perlman, and Mike Speciner

32. Resources (cont.)
   - Lecture slides by Wenke Lee (see below)
   - Websites:
     - http://vpn.shmoo.com/
     - http://www.tldp.org/HOWTO/VPN-HOWTO/
     - http://www.onlamp.com/lpt/a/3009
     - http://www.cisco.com/warp/public/471/how_vpn_works.shtml
     - http://www.cc.gatech.edu/classes/AY2004/cs4803_fall/ipsec_1.ppt
     - http://www.cc.gatech.edu/classes/AY2004/cs4803_fall/ipsec_2.ppt