VPN presentation

2,952 views
2,900 views

Published on

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,952
On SlideShare
0
From Embeds
0
Number of Embeds
10
Actions
Shares
0
Downloads
342
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

VPN presentation

  1. 1. VPN Solutions for Campus
  2. 2. Agenda <ul><li>What is a VPN? </li></ul><ul><ul><li>Different technologies </li></ul></ul><ul><ul><li>Tunnel (IPSec) </li></ul></ul><ul><ul><li>WebVPN (SSL) </li></ul></ul><ul><li>Why use VPN services? </li></ul><ul><ul><li>Secure channel back to Campus </li></ul></ul><ul><ul><li>User benefits </li></ul></ul><ul><li>What VPN services does OIT provide? </li></ul><ul><ul><li>Supported technologies and platforms </li></ul></ul>
  3. 3. What is a VPN? <ul><li>Virtual Private Network </li></ul><ul><ul><li>Secure, private connection thru a public network </li></ul></ul><ul><ul><li>Encryption and tunneling protocols </li></ul></ul><ul><ul><li>Requires sending and receiving ends </li></ul></ul><ul><ul><li>Gives users ability to access private network resources </li></ul></ul><ul><ul><li>Many different types </li></ul></ul>
  4. 4. What is a VPN? (cont) <ul><li>Common VPN Protocols </li></ul><ul><ul><li>Point-to-Point Tunneling Protocol (PPTP) </li></ul></ul><ul><ul><ul><li>Designed for client/server connectivity </li></ul></ul></ul><ul><ul><ul><li>Point-to-point connection between two computers </li></ul></ul></ul><ul><ul><ul><li>Layer 2 on IP only networks </li></ul></ul></ul><ul><ul><li>Layer 2 Tunneling Protocol (L2TP) </li></ul></ul><ul><ul><ul><li>Combines functionality of PPTP/L2F </li></ul></ul></ul><ul><ul><ul><li>Works over multiple protocols, not just IP </li></ul></ul></ul><ul><ul><li>Internet Protocol Security (IPSec) </li></ul></ul><ul><ul><li>Secure Sockets Layer (SSL) </li></ul></ul>
  5. 5. IPSec Overview <ul><li>Industry-standard protocol (IETF) </li></ul><ul><ul><li>RFC 2401 “Security Architecture for the Internet Protocol” </li></ul></ul><ul><ul><li>RFC 2402 “IP Authentication Header” </li></ul></ul><ul><ul><li>RFC 2406 “IP Encapsulating Security Payload” </li></ul></ul><ul><ul><li>RFC 2409 “The Internet Key Exchange” </li></ul></ul><ul><li>Provides a mechanism for secure data transmission over IP networks </li></ul><ul><li>Ensures confidentiality, integrity, authenticity, and non-repudiated data </li></ul><ul><li>Works at the network layer </li></ul><ul><li>Many components – quite complex </li></ul><ul><li>Can be used to scale from small to very large networks </li></ul>
  6. 6. IPSec Overview (cont) <ul><li>Implements two basic security protocols </li></ul><ul><ul><li>Authentication Header (AH) </li></ul></ul><ul><ul><ul><li>Provides authentication of session </li></ul></ul></ul><ul><ul><ul><li>Provides integrity </li></ul></ul></ul><ul><ul><li>Encapsulating Security Payload (ESP) </li></ul></ul><ul><ul><ul><li>Provides same security as AH </li></ul></ul></ul><ul><ul><ul><li>Adds confidentiality through encryption </li></ul></ul></ul><ul><ul><ul><li>Most often used in VPN technology </li></ul></ul></ul>
  7. 7. IPSec Overview (cont) <ul><li>IPSec can work in one of two modes: </li></ul><ul><ul><li>Transport mode </li></ul></ul><ul><ul><ul><li>Payload of the message is protected </li></ul></ul></ul><ul><ul><ul><li>Inserts IPSec header behind IP header </li></ul></ul></ul><ul><ul><li>Tunnel mode </li></ul></ul><ul><ul><ul><li>Payload and layer 3 header information is protected </li></ul></ul></ul><ul><ul><ul><li>Encapsulated in a new IP packet with a new IP header </li></ul></ul></ul>
  8. 8. IPSec Overview (cont) <ul><li>Implements Internet Key Exchange (IKE) for automatic encryption key generation and exchange between peers </li></ul><ul><li>Security Associations (SA) </li></ul><ul><ul><li>Negotiated policy of handling data </li></ul></ul><ul><ul><li>Contains authentication and encryption keys, algorithms, key lifetime, and source IP address </li></ul></ul><ul><ul><li>SA for each communication channel </li></ul></ul><ul><ul><li>Security Parameter Index (SPI) keeps track of SA associations </li></ul></ul>
  9. 9. IPSec Overview (cont) Step 1 IPSec process initiated – Traffic to be encrypted as specified by the IPSec security policy starts the IKE process Step 2 IKE Phase 1-IKE authenticates IPSec peers and negotiates IKE SAs Step 3 IKE Phase 2-IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in the peers Step 4 Data Transfer-Tunnel is built and data is transferred securely Step 5 IPSec tunnel termination-SAs terminated through deletion or by timing out
  10. 10. SSL Overview <ul><li>Secure Sockets Layer </li></ul><ul><li>Protects a communication channel </li></ul><ul><li>Uses public key encryption </li></ul><ul><li>Works at the transport layer/session layer </li></ul><ul><li>Provides </li></ul><ul><ul><li>Data encryption </li></ul></ul><ul><ul><li>Server authentication </li></ul></ul><ul><ul><li>Message integrity </li></ul></ul><ul><ul><li>Optional client authentication </li></ul></ul>
  11. 11. SSL Overview (cont)
  12. 12. Why Use a VPN Connection? <ul><li>Different types of threats continue to increase - security </li></ul><ul><li>It’s available and supported </li></ul><ul><li>You can connect from anywhere and be ensured you have a secure communication channel back to Campus </li></ul><ul><li>It’s supported across multiple platforms </li></ul><ul><li>Extends the Campus network to remote users </li></ul>
  13. 13. Connection Without VPN <ul><li>Vulnerable to several security threat agents </li></ul><ul><li>Loss of privacy – packet sniffers, clear text </li></ul><ul><li>Loss of data integrity – modified transactions </li></ul><ul><li>Identity spoofing – impersonations </li></ul><ul><li>Difficult to secure </li></ul>
  14. 14. Secure with VPN <ul><li>Protected secure communication channel </li></ul><ul><li>Encrypted data prevents exploits </li></ul><ul><li>Provides authentication </li></ul><ul><li>Can connect from anywhere </li></ul><ul><li>Easier to secure at resource side </li></ul>
  15. 15. What VPN Services Does OIT Offer? <ul><li>Network Operations & Services manages the Cisco 3030 Concentrator </li></ul><ul><ul><li>Supports 1500 simultaneous tunnels </li></ul></ul><ul><ul><li>Uses 3DES with 168 bit key size for symmetric encryption on IPSec Tunnels </li></ul></ul><ul><ul><li>Clientless WebVPN over SSL </li></ul></ul><ul><ul><li>Authentication is performed by Campus RADIUS service </li></ul></ul><ul><ul><li>100Mbps uplink </li></ul></ul>
  16. 16. What VPN Services Does OIT Offer? <ul><li>Technical Support provides services for client related issues </li></ul><ul><ul><li>VPN client operates on Windows, MacOS, Linux, and Solaris </li></ul></ul><ul><ul><li>End user can install the client by visiting http://www.netcom.utah.edu/computer/vpn/individual.html </li></ul></ul><ul><ul><li>PCF file for group authentication </li></ul></ul><ul><ul><li>Installs a driver for the VPN IP stack </li></ul></ul><ul><ul><li>This virtual interface is what the world sees </li></ul></ul>
  17. 17. What VPN Services Does OIT Offer? <ul><li>Free service for all faculty, staff, and students </li></ul><ul><li>User will receive a global IP address from a pool </li></ul><ul><li>Departments have the option of static IP addresses for their users http://www.netcom.utah.edu/computer/vpn/dept.html </li></ul><ul><ul><li>RADIUS server determines IP address assignments </li></ul></ul><ul><ul><li>Gives departments the ability to secure resources based on IP address </li></ul></ul>
  18. 18. VPN Demonstration
  19. 19. VPN Demonstration (cont)
  20. 20. VPN Demonstration (cont)
  21. 21. VPN Demonstration (cont)
  22. 22. VPN Demonstration (cont)
  23. 23. VPN Demonstration (cont)
  24. 24. VPN Demonstration (cont)
  25. 25. VPN Demonstration (cont)
  26. 26. VPN Demonstration (cont)
  27. 27. VPN Demonstration (cont)
  28. 28. VPN Demonstration (cont)
  29. 29. VPN Demonstration (cont)
  30. 30. VPN Demonstration (cont)
  31. 31. VPN Demonstration (cont)
  32. 32. Conclusion <ul><li>VPN is a secure alternative to an insecure public network </li></ul><ul><li>Utilizes standardized protocols </li></ul><ul><li>Supported technology </li></ul><ul><li>Extends the Campus network to the remote user </li></ul><ul><li>Easier to secure resources </li></ul><ul><li>Free for all faculty, staff, and students </li></ul>

×