Virtual private networks

A detailed presentation about Virtual private networks

Published in: Technology

Slide 2
By P. Victer Paul

Dear friends, we planned to share our eBooks and project/seminar contents for free with all who need them. To learn about more free computer science eBooks and technology advancements in computer science, please visit:
http://free-computerscience-ebooks.blogspot.com/
http://recent-computer-technology.blogspot.com/
http://computertechnologiesebooks.blogspot.com/
To help us keep providing many eBooks and technology news for free, please encourage us by clicking on the advertisements in these blogs.
Slide 3
  - VPNs can be used to secure communications through the public Internet.
  - VPNs are often installed by organizations to provide remote access to a secure organizational network, or to connect two network locations together using an insecure network to carry the traffic.
  - A VPN does not need to have explicit security features such as authentication or traffic encryption. For example, a network service provider could use VPNs to separate the traffic of multiple customers over an underlying network.
  - VPNs such as Tor can be used to mask the IP address of individual computers within the Internet in order, for instance, to surf the World Wide Web anonymously or to access location-restricted services, such as Internet television.
Slide 6
VPNs can be distinguished:
  - In the protocols they use to tunnel the traffic over the underlying network;
  - By the location of tunnel termination, such as the customer edge or network provider edge;
  - By whether they offer site-to-site or remote access connectivity;
  - In the levels of security provided;
  - By the OSI layer which they present to the connecting network, such as Layer 2 circuits or Layer 3 network connectivity.
Slide 7
  - Secure VPNs explicitly provide mechanisms for authentication of the tunnel endpoints during tunnel setup, and encryption of the traffic in transit.
  - Often secure VPNs are used to protect traffic when using the Internet as the underlying backbone, but equally they may be used in any environment where the security level of the underlying network differs from that of the traffic within the VPN.
Slide 8
  - Secure VPNs may be implemented by organizations wishing to provide remote access facilities to their employees, or by organizations wishing to connect multiple networks together securely using the Internet to carry the traffic.
  - A common use for secure VPNs is in remote access scenarios, where VPN client software on an end user system is used to connect to a remote office network securely.
  - Secure VPN protocols include L2TP (with IPsec), SSL/TLS VPN (with SSL/TLS) or PPTP (with MPPE).
Slide 9
  - Trusted VPNs are commonly created by carriers and large organizations and are used for traffic segmentation on large core networks. They often provide quality of service guarantees and other carrier-grade features.
  - Trusted VPNs may be implemented by network carriers wishing to multiplex multiple customer connections transparently over an existing core network, or by large organizations wishing to segregate traffic flows from each other in the network. Trusted VPN protocols include MPLS, ATM or Frame Relay.
  - Trusted VPNs differ from secure VPNs in that they do not provide security features such as data confidentiality through encryption. Secure VPNs, however, do not offer the level of control of the data flows that a trusted VPN can provide, such as bandwidth guarantees or routing.
Slide 10
  - Security
  - Address translation
  - Performance: throughput, load balancing (round-robin DNS), fragmentation
  - Bandwidth management: RSVP (Resource Reservation Protocol)
  - Availability: good performance at all times
  - Scalability: number of locations/users
  - Interoperability: among vendors, Internet Service Providers (ISPs), customers (for extranets) ⇒ standards compatibility, with firewall
Slide 11
  - Compression: reduces bandwidth requirements
  - Manageability: SNMP (Simple Network Management Protocol), browser based, Java based, centralized/distributed
  - Accounting, auditing, and alarming
  - Protocol support: IP, non-IP (IPX)
  - Platform and O/S support: Windows, UNIX, MacOS, HP/Sun/Intel
  - Installation: changes to desktop or backbone only
  - Legal: exportability, foreign government restrictions, Key Management Infrastructure (KMI) initiative ⇒ need key recovery
Slide 12
  - IPsec (Internet Protocol Security): a standards-based security protocol developed originally for IPv6, where support is mandatory, but also widely used with IPv4.
  - For VPNs, L2TP is commonly used over IPsec.
  - Transport Layer Security (SSL/TLS) is used either for tunneling an entire network's traffic (SSL/TLS VPN)
  - SSL has been the foundation used by a number of vendors to provide remote access VPN capabilities.
  - SSL-based VPNs may be vulnerable to denial-of-service attacks mounted against their TCP connections, because the latter are inherently unauthenticated.
Slide 13
  - Datagram Transport Layer Security (DTLS) is used by Cisco for a next generation VPN product called Cisco AnyConnect VPN. DTLS solves the issues found when tunneling TCP over TCP, as is the case with SSL/TLS.
  - Microsoft Point-to-Point Encryption (MPPE) by Microsoft is used with their PPTP. Several compatible implementations on other platforms also exist.
  - Secure Socket Tunneling Protocol (SSTP) by Microsoft was introduced in Windows Server 2008 and Windows Vista Service Pack 1. SSTP tunnels PPP or L2TP traffic through an SSL 3.0 channel.
Slide 14
  - MPVPN (Multi Path Virtual Private Network). Ragula Systems Development Company owns the registered trademark "MPVPN".
  - SSH VPN: OpenSSH offers VPN tunneling to secure remote connections to a network (or inter-network links). This feature (option -w) should not be confused with port forwarding (option -L).
  - The OpenSSH server provides a limited number of concurrent tunnels, and the VPN feature itself does not support personal authentication.
Slide 15
  - Tunnel endpoints are required to authenticate themselves before secure VPN tunnels can be established.
  - End-user-created tunnels, such as remote access VPNs, may use passwords, biometrics, two-factor authentication or other cryptographic methods.
  - For network-to-network tunnels, passwords or digital certificates are often used, as the key must be permanently stored and not require manual intervention for the tunnel to be established automatically.
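An added example (not from the slides) of the first point: two tunnel endpoints proving knowledge of a stored pre-shared key to each other before the tunnel comes up, which is the "password" option for an automatically established network-to-network tunnel. The key never crosses the wire; each side answers a fresh random challenge with an HMAC, and a challenge can be answered only once, so a captured response cannot be replayed. The site names, key value and the `Endpoint` class are constructed for this example and are not any product's API.

```python
import hashlib
import hmac
import secrets


class Endpoint:
    """One tunnel endpoint holding a stored pre-shared key (PSK).

    Constructed example class: it can issue challenges, answer a peer's
    challenge, and verify a peer's answer. Real VPN key exchange (e.g. IKE)
    is far richer; this shows only the authentication step the slide names.
    """

    def __init__(self, identity: bytes, psk: bytes):
        self.identity = identity
        self.psk = psk
        self.outstanding = set()  # challenges issued and not yet answered

    def challenge(self) -> bytes:
        """Issue a fresh random nonce for the peer to answer."""
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def respond(self, peer_challenge: bytes) -> bytes:
        """Answer with HMAC(PSK, identity || challenge); the PSK itself is never sent."""
        return hmac.new(self.psk, self.identity + peer_challenge, hashlib.sha256).digest()

    def verify(self, peer_identity: bytes, challenge: bytes, response: bytes) -> bool:
        """Accept only a correct answer to a challenge we issued and have not consumed."""
        if challenge not in self.outstanding:
            return False  # unknown or already-used challenge: replay or forgery
        self.outstanding.discard(challenge)  # one answer per challenge
        expected = hmac.new(self.psk, peer_identity + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


def mutual_authenticate(site_a: Endpoint, site_b: Endpoint) -> bool:
    """Both sides challenge each other; the tunnel is set up only if both checks pass."""
    # A -> B: challenge;  B -> A: response
    challenge_from_a = site_a.challenge()
    answer_from_b = site_b.respond(challenge_from_a)
    # B -> A: challenge;  A -> B: response
    challenge_from_b = site_b.challenge()
    answer_from_a = site_a.respond(challenge_from_b)
    a_accepts_b = site_a.verify(site_b.identity, challenge_from_a, answer_from_b)
    b_accepts_a = site_b.verify(site_a.identity, challenge_from_b, answer_from_a)
    return a_accepts_b and b_accepts_a


if __name__ == "__main__":
    PSK = b"constructed example pre-shared key"
    print("same PSK:", mutual_authenticate(Endpoint(b"site-a", PSK), Endpoint(b"site-b", PSK)))
    print("mismatched PSK:", mutual_authenticate(Endpoint(b"site-a", PSK), Endpoint(b"site-b", b"other")))
```

Binding the peer's identity into the HMAC means a response computed for one peer name cannot be presented under another, and consuming each challenge on first use is what defeats replay of a sniffed response.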
Slide 16
  - Depending on whether the PPVPN runs in layer 2 or layer 3, the building blocks described below may be L2 only, L3 only, or combinations of the two. Multiprotocol Label Switching (MPLS) functionality blurs the L2-L3 identity.
    - Customer edge device (CE)
    - Provider edge device (PE)
    - Provider device (P)
Slide 17
  - Customer edge device (CE)
  - In general, a CE is a device, physically at the customer premises, that provides access to the PPVPN service. Some implementations treat it purely as a demarcation point between provider and customer responsibility, while others allow customers to configure it.
  - Provider edge device (PE)
  - A PE is a device or set of devices, at the edge of the provider network, which provides the provider's view of the customer site. PEs are aware of the VPNs that connect through them, and maintain VPN state.
Slide 18
  - Provider device (P)
  - A P device operates inside the provider's core network, and does not directly interface to any customer endpoint.
  - It might, for example, provide routing for many provider-operated tunnels that belong to different customers' PPVPNs.
  - Its principal role is allowing the service provider to scale its PPVPN offerings, for example by acting as an aggregation point for multiple PEs. P-to-P connections, in such a role, are often high-capacity optical links between major locations of the provider.
Slide 28
  - GRE: Generic Routing Encapsulation (RFC 1701/1702)
  - PPTP: Point-to-Point Tunneling Protocol
  - L2TP: Layer 2 Tunneling Protocol
  - IPsec: Secure IP
  - MPLS: Multiprotocol Label Switching
Slide 32
  - Layer 2 Tunneling Protocol
  - L2F = Layer 2 Forwarding (from Cisco)
  - L2TP = L2F + PPTP: combines the best features of L2F and PPTP
  - Easy upgrade from L2F or PPTP
  - Allows PPP frames to be sent over non-IP (Frame Relay, ATM) networks also (PPTP works on IP only)
  - Allows multiple (different QoS) tunnels between the same end-points. Better header compression. Supports flow control.
Slide 34
  - Universal Transport Interface (UTI) is a pre-standard effort for transporting L2 frames.
  - L2TPv3 extends UTI and includes it as one of many supported encapsulations.
  - L2TPv3 has a control plane using a reliable control connection for establishment, teardown and maintenance of individual sessions.
Slide 36
  - Allows virtual circuits in IP networks
  - Each packet has a virtual circuit number called a "label"
  - The label determines the packet's queuing and forwarding
  - Circuits are called Label Switched Paths (LSPs)
  - LSPs have to be set up before use
  - Allows traffic engineering
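An added simulation (not from the slides) of what "the label determines forwarding" and "LSPs have to be set up before use" mean in practice: an ingress router classifies an unlabeled IP packet by destination prefix and pushes a label, each transit router looks up only the incoming label and swaps it, and the egress router pops it. A packet for a prefix with no established LSP, or carrying a label nobody installed, is dropped rather than forwarded. Router names, prefixes and label values are constructed for the example; the `LSR` class is illustrative, not any vendor's implementation.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    dst: str
    labels: List[int] = field(default_factory=list)  # label stack; top of stack is the last element
    trace: List[Tuple[str, Optional[int]]] = field(default_factory=list)  # (router, top label on arrival)


class LSR:
    """Label switching router: ingress FEC table plus a label forwarding table (LFIB).

    Constructed example class. fec_table maps a destination prefix to the label
    pushed at ingress and the next hop; lfib maps an incoming label to
    (action, outgoing label, next hop) where action is "swap" or "pop".
    """

    def __init__(self, name: str):
        self.name = name
        self.fec_table: Dict[ipaddress.IPv4Network, Tuple[int, str]] = {}
        self.lfib: Dict[int, Tuple[str, Optional[int], Optional[str]]] = {}

    def forward(self, pkt: Packet) -> Optional[str]:
        """Return the next hop, or None once the egress has delivered the packet locally."""
        top = pkt.labels[-1] if pkt.labels else None
        pkt.trace.append((self.name, top))
        if top is None:
            # Ingress: classify the IP packet by destination prefix (its FEC) and push the LSP's label.
            addr = ipaddress.ip_address(pkt.dst)
            for prefix, (label, next_hop) in self.fec_table.items():
                if addr in prefix:
                    pkt.labels.append(label)
                    return next_hop
            raise LookupError(f"{self.name}: no LSP set up towards {pkt.dst}")
        # Transit/egress: the label alone selects the entry; the IP header is not consulted.
        if top not in self.lfib:
            raise LookupError(f"{self.name}: label {top} was never distributed to this router")
        action, out_label, next_hop = self.lfib[top]
        if action == "swap":
            pkt.labels[-1] = out_label
        elif action == "pop":
            pkt.labels.pop()
        return next_hop


def build_lsp() -> Dict[str, LSR]:
    """Constructed LSP PE1 -> P1 -> P2 -> PE2 for 10.1.0.0/16 using labels 100, 200, 300."""
    pe1, p1, p2, pe2 = LSR("PE1"), LSR("P1"), LSR("P2"), LSR("PE2")
    pe1.fec_table[ipaddress.ip_network("10.1.0.0/16")] = (100, "P1")
    p1.lfib[100] = ("swap", 200, "P2")
    p2.lfib[200] = ("swap", 300, "PE2")
    pe2.lfib[300] = ("pop", None, None)  # egress strips the label and delivers the IP packet
    return {router.name: router for router in (pe1, p1, p2, pe2)}


def send(routers: Dict[str, LSR], dst: str, ingress: str = "PE1") -> Packet:
    """Carry a packet along the LSP hop by hop; raises LookupError if no LSP exists."""
    pkt = Packet(dst)
    hop: Optional[str] = ingress
    while hop is not None:
        hop = routers[hop].forward(pkt)
    return pkt


def send_or_drop(routers: Dict[str, LSR], dst: str, ingress: str = "PE1") -> Optional[Packet]:
    """Same as send(), but returns None (dropped) instead of raising when no LSP is set up."""
    try:
        return send(routers, dst, ingress)
    except LookupError:
        return None


if __name__ == "__main__":
    network = build_lsp()
    delivered = send(network, "10.1.2.3")
    print("hops and labels seen:", delivered.trace)   # [('PE1', None), ('P1', 100), ('P2', 200), ('PE2', 300)]
    print("no LSP for 10.2.0.1:", send_or_drop(network, "10.2.0.1"))
```

The trace makes the "virtual circuit" visible: the same IP packet is carried under a different label on every link, and only the ingress ever looked at the IP destination.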
Slide 39
  - Unsolicited: topology driven ⇒ routing protocols exchange labels with routing information. Many existing routing protocols are being extended: BGP, OSPF
  - On-demand: ⇒ label assigned when requested, e.g., when a packet arrives ⇒ latency
  - Label Distribution Protocol, called LDP
  - RSVP has been extended to allow label request and response
Slide 42
  - VPN allows secure communication on the Internet
  - Three types: WAN, Access, Extranet
  - Key issues: address translation, security, performance
  - Layer 2 (PPTP, L2TP), Layer 3 (IPsec)
  - QoS is still an issue ⇒ MPLS
Slide 43
FIREWALL
Slide 44
  - Aspects of security
    - Data accessibility: contents accessible
    - Data integrity: contents remain unchanged
    - Data confidentiality: contents not revealed
  - AAA
    - Authentication: you are who you say you are
    - Authorization: access control
    - Accountability: who is responsible for tracking access to data
Slide 46
  - Scrambling of messages such that only the intended receiver can unscramble them
    - Encrypting function: produces the encrypted message
    - Decrypting function: extracts the original message
    - Encryption key: parameter that controls encryption/decryption
Slide 47
  - Secret key encryption
    - Sender and receiver share a secret key
    - Encrypted_Message = encrypt(K, Message)
    - Message = decrypt(K, Encrypted_Message)
    - Example: Encrypt = division
    - 433 = 48 R 1 (using divisor of 9)
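An added example (not from the slides) of the two functions on slides 46 and 47, `encrypt(K, Message)` and `decrypt(K, Encrypted_Message)`, built only from the Python standard library. The slides' division illustration is a one-way operation (the remainder loses the quotient), so this uses an invertible construction instead: a keystream derived from HMAC-SHA256 in counter mode is XORed with the message, and an HMAC tag over the result gives the "data integrity" property of slide 44, so a modified ciphertext or a wrong key is detected rather than silently decrypted to garbage. The key and message values are constructed; a production system would use a standard AEAD cipher rather than a hand-rolled mode.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 digest size


def _subkeys(key: bytes):
    """Derive independent encryption and authentication keys from the one shared key K."""
    enc_key = hmac.new(key, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 over (nonce || counter) as a pseudorandom keystream of the requested length."""
    blocks = []
    counter = 0
    while len(blocks) * TAG_LEN < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, message: bytes) -> bytes:
    """Encrypted_Message = encrypt(K, Message); output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per message so equal messages encrypt differently
    stream = _keystream(enc_key, nonce, len(message))
    body = bytes(m ^ s for m, s in zip(message, stream))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + body + tag


def decrypt(key: bytes, encrypted_message: bytes) -> bytes:
    """Message = decrypt(K, Encrypted_Message); raises ValueError on tampering or a wrong key."""
    if len(encrypted_message) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce = encrypted_message[:NONCE_LEN]
    body = encrypted_message[NONCE_LEN:-TAG_LEN]
    tag = encrypted_message[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # check the tag before touching the plaintext
        raise ValueError("integrity check failed: wrong key or modified ciphertext")
    stream = _keystream(enc_key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


def is_authentic(key: bytes, encrypted_message: bytes) -> bool:
    """True if the tag verifies under this key, i.e. decrypt() would succeed."""
    try:
        decrypt(key, encrypted_message)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    K = b"constructed shared secret K"
    C = encrypt(K, b"tunnel payload")
    print(decrypt(K, C))                       # b'tunnel payload'
    print(is_authentic(b"wrong key", C))        # False
```

Because the tag is checked first, the receiver never acts on a payload it cannot attribute to the key holder; that is the difference between a cipher that only hides contents and one that also protects their integrity.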
Slide 48
  - The previous scheme requires a shared secret K
  - If K is discovered, security is compromised
  - Public key encryption uses two keys:
    - Private key: kept secret by the user
    - Public key: published by the user
  - A message encrypted with the public key can be decrypted only with the private key, and vice versa
Slide 49
  - Encrypted_Message = decrypt(Public_Key, encrypt(Private_Key, Message))
  - Message = decrypt(Private_Key, encrypt(Public_Key, Message))
Slide 50
  - Goal: guarantee that the message must have originated with a certain entity
  - Encrypted_Message = encrypt(Private_Key, Message)
  - Message = decrypt(Public_Key, Encrypted_Message)
  - ⇒ Authentic
Slide 51
  - User 1 to User 2:
  - Encrypted_Message = encrypt(Public_Key2, encrypt(Private_Key1, Message))
  - Message = decrypt(Public_Key1, decrypt(Private_Key2, Encrypted_Message))
  - ⇒ Authentic and private
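An added worked example (not from the slides) carrying the formulas of slides 48 to 51 through with textbook RSA on deliberately tiny primes, so that the numbers can be followed by hand. In RSA, encrypt and decrypt are the same modular exponentiation; which name applies depends only on which key is supplied, which is exactly why the slides can write `encrypt(Private_Key, ...)`. The prime values, exponents and user names are constructed; the two moduli are chosen with n1 < n2 so that the inner result of slide 51 always fits under the outer modulus. Toy RSA without padding or hashing is for illustration only and must not be used for real signing or encryption.

```python
from math import gcd
from typing import List, Tuple

Key = Tuple[int, int]  # (exponent, modulus)


def make_keypair(p: int, q: int, e: int) -> Tuple[Key, Key]:
    """Return (Public_Key, Private_Key) from two primes and a public exponent. Constructed toy values."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(key: Key, blocks: List[int]) -> List[int]:
    """Apply a key to each block: block ** exponent mod modulus."""
    exp, n = key
    if any(b >= n for b in blocks):
        raise ValueError("block does not fit under the modulus")
    return [pow(b, exp, n) for b in blocks]


# Slide 48: what the public key does, the private key undoes, and vice versa.
# The operation is identical, so decrypt is the same function under the other name.
decrypt = encrypt


def to_blocks(message: bytes) -> List[int]:
    """One byte per block; every value is below the smallest modulus used here."""
    return list(message)


def from_blocks(blocks: List[int]) -> bytes:
    """Reassemble bytes; values above 255 mean the wrong key was applied."""
    if any(b > 255 for b in blocks):
        raise ValueError("result is not a byte sequence: wrong key?")
    return bytes(blocks)


# Constructed keys for User 1 and User 2 (slide 51). n1 = 3233 < n2 = 8633.
PUB1, PRIV1 = make_keypair(61, 53, 17)
PUB2, PRIV2 = make_keypair(89, 97, 5)


def sign(private_key: Key, message: bytes) -> List[int]:
    """Slide 50: Encrypted_Message = encrypt(Private_Key, Message)."""
    return encrypt(private_key, to_blocks(message))


def verify(public_key: Key, blocks: List[int]) -> bytes:
    """Slide 50: Message = decrypt(Public_Key, Encrypted_Message)."""
    return from_blocks(decrypt(public_key, blocks))


def check_origin(public_key: Key, blocks: List[int], expected: bytes) -> bool:
    """True only if the blocks were produced with the private key matching public_key."""
    try:
        return verify(public_key, blocks) == expected
    except ValueError:
        return False


def seal(sender_private: Key, receiver_public: Key, message: bytes) -> List[int]:
    """Slide 51: encrypt(Public_Key2, encrypt(Private_Key1, Message)) -> authentic and private."""
    return encrypt(receiver_public, encrypt(sender_private, to_blocks(message)))


def unseal(receiver_private: Key, sender_public: Key, blocks: List[int]) -> bytes:
    """Slide 51: decrypt(Public_Key1, decrypt(Private_Key2, Encrypted_Message))."""
    return from_blocks(decrypt(sender_public, decrypt(receiver_private, blocks)))


if __name__ == "__main__":
    msg = b"hello user 2"
    print(verify(PUB1, sign(PRIV1, msg)))                 # b'hello user 2'
    print(unseal(PRIV2, PUB1, seal(PRIV1, PUB2, msg)))   # b'hello user 2'
```

Note the order dependence that the slides leave implicit: the inner operation must use the sender's private key and the outer one the receiver's public key, and the receiver undoes them in reverse, so only User 2 can read the message and only User 1 could have produced it.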
Slide 52
  - Bastion host
  - DMZ (demilitarized zone)
  - Perimeter network
Slide 53
  - A bastion host is a computer that is fully exposed to attack
  - The system is on the public side of the demilitarized zone (DMZ), unprotected by a firewall or filtering router
  - Firewalls and routers can be considered bastion hosts
  - Other types of bastion hosts include web, mail, DNS, and FTP servers, and proxy servers
Slide 54
  - A DMZ (demilitarized zone) is a computer host or small network inserted as a "neutral zone" between a company's private network and the outside public network.
  - It prevents outside users from getting direct access to a server that has company data
Slide 55
  - A small, single-segment network between a firewall and the Internet for services that the organization wants to make publicly accessible to the Internet without exposing the network as a whole
  - If someone breaks into a bastion host on the perimeter net, he'll be able to snoop only on traffic on that net
  - Also known as a "stub network"
Slide 56
  - Can configure packet forwarding devices (especially routers) to drop certain packets
  - Example: only email gets in/out
  - Problem: the filter is accessible to the outside world
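An added example (not from the slides) of the "only email gets in/out" packet filter: a first-match rule table with a default of dropping whatever no rule permits, evaluated over constructed packets. It also shows one answer to the slide's "problem" line, a leading rule that refuses inbound traffic addressed to the filtering device itself. The rule and packet formats, address ranges (documentation and private ranges) and the mail relay address are constructed for the example and are not any router's syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" (from the Internet) or "out" (towards the Internet)
    proto: str                # "tcp", "udp" or "icmp"
    src: str                  # source IP address
    dst: str                  # destination IP address
    dport: Optional[int] = None  # destination port, if the protocol has one


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "drop"
    direction: str            # "in", "out" or "any"
    proto: str                # "tcp", "udp", "icmp" or "any"
    src: str                  # CIDR the source must fall in
    dst: str                  # CIDR the destination must fall in
    dport: Optional[int] = None  # None matches any port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every field of the rule must match the packet; 'any' and None are wildcards."""
    if rule.direction != "any" and rule.direction != pkt.direction:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; a packet no rule permits is dropped (default deny)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "drop"


# Constructed addresses for the example.
ANY = "0.0.0.0/0"
INTERNAL_NET = "192.168.10.0/24"
MAIL_RELAY = "192.168.10.25/32"     # the one internal host allowed to speak SMTP
FILTER_ADDR = "203.0.113.1/32"      # the filtering router's own Internet-facing address

EMAIL_ONLY_RULES = [
    # Slide 56's "problem": the filter is reachable from outside, so refuse traffic aimed at it.
    Rule("drop", "in", "any", ANY, FILTER_ADDR),
    # Inbound SMTP (TCP/25) only to the designated mail relay, nothing else inbound.
    Rule("permit", "in", "tcp", ANY, MAIL_RELAY, 25),
    # Outbound SMTP only from the relay; other internal hosts cannot send mail directly.
    Rule("permit", "out", "tcp", MAIL_RELAY, ANY, 25),
    # No final rule: everything else falls through to the default drop in filter_packet().
]


if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("in", "tcp", "198.51.100.7", "192.168.10.25", 25),   # SMTP to the relay
        Packet("in", "tcp", "198.51.100.7", "192.168.10.40", 25),   # SMTP to another host
        Packet("in", "tcp", "198.51.100.7", "192.168.10.25", 23),   # telnet to the relay
        Packet("in", "tcp", "198.51.100.7", "203.0.113.1", 25),     # aimed at the filter itself
        Packet("out", "tcp", "192.168.10.25", "198.51.100.7", 25),  # relay sending mail
        Packet("out", "tcp", "192.168.10.40", "198.51.100.7", 80),  # workstation browsing
    ]
    for pkt in samples:
        print(filter_packet(EMAIL_ONLY_RULES, pkt), pkt)
```

The design choice that matters is the missing catch-all permit: a filter that ends in "allow everything else" only blocks what its author thought of, whereas default deny blocks what they did not.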
Slide 59
  - Proxy servers take users' requests and forward them to the real servers
  - They take the server's responses and forward them to the users
  - They enforce the site security policy ⇒ may refuse certain requests
  - Transparency is the major benefit of proxy services
  - Also known as application-level gateways
Slide 64
  - Can't protect against malicious insiders
  - Can't protect against connections that do not go through it,
    - e.g. dial-up
  - Can't protect against completely new threats
  - Can't protect against viruses
Slide 65
  - Security is a problem because the Internet is not owned by one entity
  - Encryption and digital signatures can provide confidentiality and secure identification
  - Organizations can use firewalls to prevent unauthorized access
