L4 vpn


  1. Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh
  2. • A VPN provides secure remote access to individuals and businesses outside your network.
     • VPNs use the Internet to route LAN traffic from one private network to another.
     • The packets are unreadable by intermediary Internet computers because they are encrypted, and they can encapsulate (or carry) any kind of LAN communication.
  3. • VPN systems do not protect your network; they merely transport data.
     • Most modern VPN systems are combined with firewalls in a single device.
  6. • The remote client authenticates itself to the VPN gateway.
     • The client acquires a private IP address with DHCP-over-IPSec.
     • The remote client is now part of the private network.
  8. • VPNs solve the problem of direct Internet access to servers through a combination of the following fundamental components:
       › 1. IP encapsulation
       › 2. Cryptographic authentication
       › 3. Data payload encryption
  9. • Although cryptographic authentication and data payload encryption may seem like the same thing at first, they are actually entirely different functions.
     • Secure Sockets Layer (SSL) performs data payload encryption without cryptographic authentication of the remote user.
     • A standard Windows logon performs cryptographic authentication without performing data payload encryption.
  11. • An IP packet can contain any kind of information: program files, spreadsheet data, audio streams, or even other IP packets.
      • When an IP packet contains another IP packet, it is called IP encapsulation, IP over IP, or IP/IP.
      • Private networks should always use private address ranges for their internal networking and use Network Address Translation (NAT) or proxying to access the public Internet.
  12. • IP encapsulation can make it appear to computers inside the private network that distant networks are actually adjacent, separated from each other by a single router.
      • In reality they are separated by many Internet routers and gateways, and they may not even share the same address space, because both internal networks are using address translation.
  14. • The tunnel endpoint (a router, firewall, VPN appliance, or a server running a tunneling protocol) receives the public IP packet, removes the internal packet contained within it, decrypts it (assuming that it is encrypted; it does not have to be), and then applies its routing rules to send the embedded packet on its way in the internal network.
  15. • Cryptographic authentication is used to securely validate the identity of the remote user so the system can determine what level of security is appropriate for that user.
      • For two devices from different vendors to be compatible, they must
        › support the same authentication and payload encryption algorithms, and
        › implement them in the same way.
  16. • Data payload encryption is used to obfuscate the contents of the encapsulated data without relying on encapsulating an entire packet within another packet.
      • In that manner, data payload encryption is exactly like normal IP networking except that the data payload has been encrypted.
  17. • It obfuscates the data but does not keep header information private, so details of the internal network can be ascertained by analyzing the header information.
  18. VPNs compared with WANs and LANs:
      • cheaper than WANs
      • easier to establish than WANs
      • slower than LANs
      • less reliable
      • less secure than local LANs and WANs
  19. VPN protocols:
      • IPSec tunnel mode
      • L2TP
      • PPTP
  20. • IPSec is the IETF's standard suite for secure IP communications; it relies on encryption to ensure the authenticity and privacy of IP communications.
  21. • IPSec provides mechanisms that can be used to do the following:
        › Authenticate individual IP packets and guarantee that they are unmodified.
        › Encrypt the payload (data) of individual IP packets between two end systems.
        › Encapsulate a TCP or UDP socket between two end systems (hosts) inside an encrypted IP link (tunnel) established between intermediate systems (routers) to provide virtual private networking.
  22. • IPSec performs these three functions using three independent mechanisms:
        › Authentication Header (AH) to provide authenticity (integrity)
        › Encapsulating Security Payload (ESP) to encrypt the data portion of an IP packet (integrity and confidentiality)
        › Internet Key Exchange (IKE) for exchanging public keys (authentication)
  23. • AH computes a checksum of the header information of a TCP/IP packet.
      • It encrypts the checksum with the public key of the receiver.
      • The receiver decrypts the checksum with its key.
      • It checks the header against the checksum.
      • If the computed checksum is different, either:
        › decryption failed, or
        › the header has been modified.
  24. • Because NAT changes header information, IPSec AH cannot be reliably passed through a NAT.
      • ESP can still be used to encrypt the payload, but support for ESP without AH varies among implementations of IPSec.
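The IP encapsulation described on slides 11 to 14 and the AH-versus-NAT problem on slides 21 to 24, as an added Python example that is not part of the lecture: it builds a private-network IP packet, wraps it in a public-network packet (IP/IP, protocol number 4), has the tunnel endpoint unwrap it and apply a routing rule, and then shows why an integrity value that covers the outer header (AH style) fails after a NAT rewrites the source address, while one that covers only the carried data (ESP style) survives. All addresses, the shared key and the routing rule are constructed for illustration; the integrity check is a keyed HMAC over the packet, which is how AH is actually specified (RFC 4302), rather than public-key encryption of a checksum.

```python
"""IP-in-IP encapsulation plus an AH-style integrity check that a NAT breaks.

Added example (not from the lecture): stdlib only, addresses are constructed
documentation ranges, the shared key is constructed. The integrity check is a
keyed HMAC over header and payload, as AH is specified in RFC 4302.
"""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IPIP = 4  # outer "protocol" field value for IP-in-IP
IPPROTO_TCP = 6
_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words; returns 0 for an intact header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build header + payload with the header checksum filled in."""
    hdr = struct.pack(_HDR, 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse and validate the header; raises on a corrupted checksum."""
    vihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(_HDR, pkt[:20])
    if vihl != 0x45:
        raise ValueError("only IPv4 without options is handled here")
    if ipv4_checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[20:total_len]}


def encapsulate(inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel entry: carry a private-network packet inside a public-network packet (IP/IP)."""
    return build_ipv4(gw_src, gw_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes, private_net: str) -> dict:
    """Tunnel endpoint: strip the outer header, then apply a routing rule to the inner packet.
    The returned dict carries 'deliver' when the inner destination lies inside private_net."""
    out = parse_ipv4(outer)
    if out["proto"] != IPPROTO_IPIP:
        raise ValueError("outer packet is not IP-in-IP")
    inner = parse_ipv4(out["payload"])
    inside = ipaddress.ip_address(inner["dst"]) in ipaddress.ip_network(private_net)
    inner["decision"] = "deliver" if inside else "drop"
    return inner


def ah_icv(pkt: bytes, key: bytes) -> bytes:
    """AH-style integrity check value: HMAC over the header with its mutable fields
    (ToS, flags/fragment offset, TTL, checksum) zeroed, plus the payload; 96-bit truncation."""
    h = pkt[:20]
    immutable = h[:1] + b"\x00" + h[2:6] + b"\x00\x00\x00" + h[9:10] + b"\x00\x00" + h[12:20]
    return hmac.new(key, immutable + pkt[20:], hashlib.sha256).digest()[:12]


def esp_icv(pkt: bytes, key: bytes) -> bytes:
    """ESP-style integrity value: covers only what ESP carries, never the outer IP header."""
    return hmac.new(key, pkt[20:], hashlib.sha256).digest()[:12]


def nat_rewrite_source(pkt: bytes, new_src: str) -> bytes:
    """What a NAT device does on the way out: swap the source address and fix the checksum."""
    p = parse_ipv4(pkt)
    return build_ipv4(new_src, p["dst"], p["proto"], p["payload"], p["ttl"])


def nat_demo(key: bytes = b"constructed-shared-key") -> dict:
    """Send one tunnelled packet through a NAT and check both integrity values at the far end."""
    inner = build_ipv4("10.0.0.5", "10.1.0.7", IPPROTO_TCP, b"hello from the branch office")
    outer = encapsulate(inner, "192.168.1.2", "198.51.100.2")  # tunnel entry sits behind a NAT
    ah, esp = ah_icv(outer, key), esp_icv(outer, key)
    arrived = nat_rewrite_source(outer, "203.0.113.1")  # NAT gave it a public source address
    return {"ah_ok": hmac.compare_digest(ah_icv(arrived, key), ah),
            "esp_ok": hmac.compare_digest(esp_icv(arrived, key), esp),
            "inner": decapsulate(arrived, "10.1.0.0/16")}


if __name__ == "__main__":
    print(nat_demo())
```

Mutable header fields are zeroed before the HMAC because routers legitimately change them in transit; the source address is not one of them, so once a NAT rewrites it the AH value no longer verifies and a correct gateway must discard the packet. The ESP-style value covers only the carried data and is unaffected, which is the reason NAT traversal for IPsec is built on ESP carried in UDP (RFC 3948) rather than on AH.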
  25. • With Encapsulating Security Payload, the transmitter encrypts the payload of an IP packet using the public key of the receiver.
      • The receiver then decrypts the payload upon receipt and acts accordingly.
  26. • In early IPSec systems, public keys were manually installed via file transfer or by actually typing them in.
      • Each machine's public key had to be installed on the reciprocal machine.
      • As the number of security associations a host required increased, the burden of manually keying machines became seriously problematic.
  27. • The Internet Key Exchange (IKE) protocol obviates the need to manually key systems.
      • IKE uses private key security to validate the remote firewall's authority to create an IPSec connection and to securely exchange public keys.
      • Once the public keys are exchanged and the encryption protocols are negotiated, a security association is automatically created on both hosts and normal IPSec communications can be established.
  28. • Layer 2 Tunneling Protocol (L2TP) is an extension to the Point-to-Point Protocol (PPP).
      • PPP is the protocol used when you dial into the Internet with a modem: it transfers data from your computer to a remote access server at your ISP, and the ISP forwards the data on to the Internet.
  29. • Like PPP, L2TP includes a mechanism for secure authentication using a number of different authentication mechanisms.
      • Unlike pure IPSec tunneling, L2TP can support any interior protocol, including Internetwork Packet Exchange (IPX), AppleTalk and NetBEUI.
      • L2TP packets can also be encrypted using IPSec.
  30. • L2TP can be transported over any Data Link layer protocol (ATM, Ethernet, etc.) or Network layer protocol (IP, IPX, etc.).
      • L2TP supports the three requisite functions to create a VPN: authentication, encryption, and tunneling.
  31. • Microsoft and Cisco both recommend L2TP as their primary method for creating VPNs.
      • It is not yet supported by most firewall vendors, however, and it does not transit network address translators well.
  32. • PPTP was Microsoft's first attempt at secure remote access for network users.
      • PPTP creates an encrypted PPP session between two TCP/IP hosts.
      • Unlike L2TP, PPTP operates only over TCP/IP.
      • PPTP does not use IPSec to encrypt packets; it uses a hash of the user's Windows NT password to create a private key between the client and the remote server.
  33. • Because of its ubiquity, routing flexibility, and ease of use, PPTP is probably the most common form of VPN.
  34. • Use a real firewall.
        › Firewalls make ideal VPN endpoints because they can route translated packets between private systems.
      • Secure the base operating system.
        › No VPN solution provides effective security if the operating system of the machine is not secure.
  35. • Use packet filtering to reject unknown hosts.
        › You should always use packet filtering to reject connection attempts from every computer except those you have specifically set up to connect to your network remotely.
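The packet-filtering rule from slide 35 as an added Python example (not part of the lecture): an allow-list of the hosts that were set up in advance as VPN peers, applied to a batch of constructed connection attempts so that everything not on the list is rejected. The peer networks, the log format and the attempts are constructed; UDP 500 (IKE) and UDP 4500 (IKE NAT traversal) are the standard IPsec port numbers.

```python
"""Allow-list packet filtering in front of a VPN gateway.

Added example, not from the lecture. Peer networks, ports and log lines are
constructed for illustration; UDP 500 and UDP 4500 are the IKE / IKE NAT-T ports.
"""
import ipaddress

# hosts explicitly set up to connect remotely (constructed documentation ranges)
KNOWN_PEERS = [ipaddress.ip_network(n) for n in ("198.51.100.0/28", "203.0.113.7/32")]
# the only services the gateway should expose to those peers
VPN_PORTS = {("udp", 500), ("udp", 4500)}

# constructed inbound attempts: "<src> <proto> <dport>"
SAMPLE_ATTEMPTS = """198.51.100.3 udp 500
203.0.113.7 udp 4500
192.0.2.44 udp 500
198.51.100.3 tcp 22
198.51.100.200 udp 4500
203.0.113.7 tcp 445""".splitlines()


def decide(src: str, proto: str, dport: int) -> str:
    """Accept only VPN ports, and only from hosts configured as peers; default deny."""
    if (proto, dport) not in VPN_PORTS:
        return "reject"
    ip = ipaddress.ip_address(src)
    return "accept" if any(ip in net for net in KNOWN_PEERS) else "reject"


def filter_attempts(lines):
    """Return (accepted, rejected) source-address lists for a batch of attempts."""
    accepted, rejected = [], []
    for line in lines:
        src, proto, dport = line.split()
        (accepted if decide(src, proto, int(dport)) == "accept" else rejected).append(src)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = filter_attempts(SAMPLE_ATTEMPTS)
    print("accepted:", ok)
    print("rejected:", bad)
```

Note that a known peer hitting a non-VPN port (198.51.100.3 on TCP 22) is still rejected: being on the list grants access to the tunnel service only, not to the gateway host in general.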
  36. • Compress before you encrypt.
        › Properly encrypted data cannot be compressed.
        › This means that if you want to use compression, you must compress before you encrypt.
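The ordering rule from slide 36 measured in code, as an added Python example that is not part of the lecture: repetitive tunnel traffic is compressed and then encrypted, and the same traffic is encrypted and then compressed, so the byte counts show that ciphertext gains nothing from compression. The sample traffic and key are constructed, and a toy HMAC-SHA256 counter-mode keystream stands in for the tunnel cipher purely to make the effect visible.

```python
"""Compress before you encrypt: the same traffic in both orders.

Added example, not from the lecture. The keystream below is a stand-in for the
tunnel cipher (deterministic so the numbers are reproducible); the key and the
sample log traffic are constructed.
"""
import hashlib
import hmac
import struct
import zlib

# constructed, highly repetitive traffic of the kind a tunnel carries (13,000 bytes)
SAMPLE = b"".join(
    b"2024-01-01 12:00:%02d vpn-gw ike: SA established peer=198.51.100.%d\n" % (i % 60, i % 8)
    for i in range(200))


def keystream(key: bytes, n: int) -> bytes:
    """Deterministic pseudo-random bytes: HMAC(key, counter) blocks, truncated to n."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def compare_orders(key: bytes = b"constructed-tunnel-key") -> dict:
    """Bytes on the wire for each ordering of the two operations."""
    compress_then_encrypt = encrypt(key, zlib.compress(SAMPLE, 9))
    encrypt_then_compress = zlib.compress(encrypt(key, SAMPLE), 9)
    return {"plain": len(SAMPLE),
            "compress_then_encrypt": len(compress_then_encrypt),
            "encrypt_then_compress": len(encrypt_then_compress)}


def roundtrip(key: bytes = b"constructed-tunnel-key") -> bool:
    """Receiver side of compress-then-encrypt: decrypt first, then decompress."""
    wire = encrypt(key, zlib.compress(SAMPLE, 9))
    return zlib.decompress(encrypt(key, wire)) == SAMPLE


if __name__ == "__main__":
    print(compare_orders())
```

The encrypt-then-compress figure comes out slightly larger than the plaintext, because deflate can only fall back to stored blocks when its input looks random. One caveat for a practitioner: compressing attacker-influenced data in the same stream as a secret leaks information about that secret through the ciphertext length, so tunnel compression should be restricted to traffic where that mix cannot occur.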
  37. • Secure remote hosts.
        › Consider the case of a home user with more than one computer who is using a proxy product like WinGate to share their Internet connection and also has a VPN tunnel established over the Internet to your network.
        › Any hacker on the planet could then proxy through the WinGate server directly into your private network.
