VPN Revealed
Ayman Saeed

Agenda

Day 1
  - Why and how VPN
  - IPSEC cryptosystems
  - SSL cryptosystems
  - SSL VPN demo
  - PPTP cryptosystems
  - PPTP VPN demo
Day 2
  - IPSEC VPN demo

Why and where VPN

- We can use cryptosystems to ensure the CIA triad for an upper-layer service in two different models:
- First model: the cryptosystem integrates with the service to form a new system; HTTP is the service, SSL is the cryptosystem and HTTPS is the new system.
- Second model: service-independent cryptosystems; the service knows nothing about the cryptosystem that ensures the CIA triad for its traffic. VPN is the model of service-independent cryptosystems.
- So a VPN is used to secure connections between a client and a service, and the service knows nothing about the new security features applied to the traffic it generates.

- Regarding VPN implementation, we can have site-to-site VPN or remote-access VPN; consider site-to-site VPN when connecting a remote office to its main branch.
- Remote-access VPN can be considered when some remote users need temporary access to corporate resources.

- We can use multiple cryptosystems to implement VPN: IPSEC, SSL, SSH, PPTP, and L2TP with IPSEC can all be used for this purpose.
- Routers and firewalls can generally act as VPN-capable devices; we can also have a dedicated device for VPN.
- Cisco has a dedicated IPSEC VPN device; multiple companies have dedicated SSL VPN devices (Juniper, SonicWall, Citrix, ...), and Juniper is considered the best.

IPSEC cryptosystem

- IPSEC can operate in two different modes: transport mode and tunnel mode.
- We can use either transport or tunnel mode when the VPN connection is established between two hosts (no VPN gateways).
- We can use only tunnel mode when the VPN connection is established between a host and a network, or between two different networks with VPN gateways in between.

- We can use IPSEC to ensure integrity only, or both integrity and confidentiality.
- If we use IPSEC for integrity only, we operate in AH (Authentication Header) mode; to ensure both integrity and confidentiality we operate in ESP (Encapsulating Security Payload) mode.
- So we can operate IPSEC in these four different modes:
  1- AH transport mode.
  2- AH tunnel mode.
  3- ESP transport mode.
  4- ESP tunnel mode.
- Each of these four modes has its own header structure.

- From the previous diagram we can see that we will have a problem when using AH before a NAT stage: the IP header (including the source address that NAT rewrites) is hashed together with the payload, so the receiver's integrity check fails. This does not occur with ESP, whose integrity check does not cover the outer IP header.

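To make the AH-versus-NAT point concrete, here is an added example (not code from the slides) that models the two integrity checks: AH's ICV is an HMAC over the IP header with its mutable fields zeroed plus the payload, while ESP's ICV covers only the ESP body. A source NAT then rewrites the source address in transit and the receiver re-verifies. The keys, addresses and payload are constructed sample values; the 20-byte IPv4 header and the omission of the AH header itself from the hash are simplifications for illustration, not a real IPsec implementation.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo keys; in a real deployment SA keys come from IKE.
AH_KEY = b"constructed-ah-integrity-key"
ESP_KEY = b"constructed-esp-integrity-key"
IP_PROTO_ESP, IP_PROTO_AH = 50, 51


def ipv4_header(src, dst, proto, ttl=64):
    """Minimal 20-byte IPv4 header without options. The checksum stays 0 because
    this toy model never recomputes it; AH zeroes it before hashing anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def ah_covered_bytes(ip_header):
    """AH authenticates the IP header with the mutable fields zeroed: TOS,
    flags/fragment offset, TTL and checksum. The source and destination
    addresses are treated as immutable, so they remain in the hash."""
    h = bytearray(ip_header)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def ah_icv(ip_header, payload):
    """Simplified AH ICV: HMAC over the immutable IP header plus the payload."""
    return hmac.new(AH_KEY, ah_covered_bytes(ip_header) + payload, hashlib.sha256).digest()


def esp_icv(esp_body):
    """ESP's ICV covers the ESP header, the (encrypted) payload and the ESP
    trailer; the outer IP header is never part of it."""
    return hmac.new(ESP_KEY, esp_body, hashlib.sha256).digest()


def nat_rewrite_source(ip_header, new_src):
    """What a source NAT does on the way out: replace the source address
    (a real NAT also fixes the header checksum, which AH ignores anyway)."""
    return ip_header[:12] + socket.inet_aton(new_src) + ip_header[16:]


def packet_verifies(mode, nat=True, payload=b"constructed payload bytes"):
    """Sender computes the ICV, the packet optionally crosses a NAT, and the
    receiver re-verifies. Returns True if the integrity check still passes."""
    inner_src, dst, nat_src = "10.0.0.5", "198.51.100.7", "203.0.113.1"
    if mode == "AH":
        hdr = ipv4_header(inner_src, dst, IP_PROTO_AH)
        icv = ah_icv(hdr, payload)                      # sender
        if nat:
            hdr = nat_rewrite_source(hdr, nat_src)      # NAT in transit
        return hmac.compare_digest(icv, ah_icv(hdr, payload))   # receiver
    if mode == "ESP":
        hdr = ipv4_header(inner_src, dst, IP_PROTO_ESP)
        icv = esp_icv(payload)                          # sender
        if nat:
            hdr = nat_rewrite_source(hdr, nat_src)      # NAT in transit
        return hmac.compare_digest(icv, esp_icv(payload))       # receiver
    raise ValueError("mode must be 'AH' or 'ESP'")


if __name__ == "__main__":
    for mode in ("AH", "ESP"):
        print(mode, "without NAT:", packet_verifies(mode, nat=False),
              "| after NAT:", packet_verifies(mode, nat=True))
```

Running it shows AH verifying only when no NAT sits in the path, while ESP verifies in both cases. One caveat the slide does not cover: ESP survives the address rewrite, but a port-translating NAT still has no TCP/UDP ports to work with in an ESP packet, which is why real deployments behind NAT use NAT traversal (ESP encapsulated in UDP, RFC 3948).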
- We need to trust the peer before starting to communicate with it; this trust can be ensured by using either a pre-shared key or a certificate.
- Since we can do encryption (ESP mode), we need a secret key known to the communicating parties; this key can be configured manually or generated automatically using a Diffie-Hellman negotiation.
- IPSEC uses a standalone protocol to implement Diffie-Hellman, known as IKE (Internet Key Exchange). IKE provides more for IPSEC than just secret key exchange: it also secures the negotiation of the algorithms used for encryption and hashing.
- So IKE is used for:
  1- Secure negotiation of the encryption and hashing algorithms to be used.
  2- Running the Diffie-Hellman algorithm to generate secret keys.

- IKE operates over two phases:
- Phase 1: symmetric encryption and hashing algorithms are negotiated between the communicating parties for encrypting and digitally signing the phase 2 parameters. A secret key for the symmetric encryption is generated using Diffie-Hellman.
- Phase 2: the algorithms that will actually be used on the clear data are negotiated securely (under the protection established in phase 1). The secret key used with the symmetric encryption algorithms can be generated by another Diffie-Hellman exchange, or it can be the one previously generated during phase 1. The parameters negotiated in phase 2 are saved in a temporary database known as the SA (Security Association).

- An SA contains several negotiated parameters, among them:
  1- The encryption algorithm and its secret key.
  2- The hashing algorithm and its secret key (HMAC).
  3- The SA lifetime.
- SAs are uniquely identified by an SPI (Security Parameter Index), a dedicated field within the ESP and AH headers.

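The two IKE phases and the resulting SA described on the previous slides, as an added, simplified model (not code from the slides and not a real IKE implementation): phase 1 runs a Diffie-Hellman exchange and authenticates it with a pre-shared key, phase 2 negotiates the transform applied to user data and derives the SA's encryption and HMAC keys (either from the phase 1 key alone or with a fresh Diffie-Hellman exchange), and the SA is installed in a database indexed by SPI with a lifetime. The pre-shared key, the proposal strings and the key-derivation layout are constructed assumptions; the tiny Diffie-Hellman group (p = 2^127 - 1, g = 2) is for illustration only, real IKE uses standardized groups such as the RFC 3526 MODP groups.

```python
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass

# Toy Diffie-Hellman group (assumption for the demo; real IKE uses RFC 3526 groups).
P = (1 << 127) - 1
G = 2
PSK = b"constructed pre-shared key"   # constructed sample, not a real credential


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def prf(key, *parts):
    """Keyed PRF used for all derivations, as IKE does with its negotiated hash."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


@dataclass
class SA:
    spi: int
    enc_alg: str
    hash_alg: str
    enc_key: bytes
    auth_key: bytes
    expires_at: float


def phase1(psk, my_priv, peer_pub, nonce_i, nonce_r):
    """Phase 1: PSK-authenticated DH. Returns the key that protects phase 2."""
    shared = dh_shared(my_priv, peer_pub)
    skeyid = prf(psk, nonce_i, nonce_r)      # binds the PSK to this exchange
    return prf(skeyid, shared)               # only a peer with the PSK and DH secret gets it


def negotiate(offered, acceptable):
    """Pick the first initiator proposal the responder accepts, else fail closed."""
    for proposal in offered:
        if proposal in acceptable:
            return proposal
    raise ValueError("no common transform")


def phase2(sk, proposal, spi, nonce_i, nonce_r, lifetime, pfs_shared=b""):
    """Phase 2: derive the SA key material from the phase 1 key, the SPI, fresh
    nonces and, when PFS is used, a new DH secret."""
    enc_alg, hash_alg = proposal.split("-")
    spi_b = struct.pack("!I", spi)
    k1 = prf(sk, pfs_shared, spi_b, nonce_i, nonce_r)
    k2 = prf(sk, k1, pfs_shared, spi_b, nonce_i, nonce_r)
    return SA(spi, enc_alg, hash_alg, k1, k2, time.time() + lifetime)


def run_ike(initiator_offers, responder_accepts, pfs=False, lifetime=3600):
    """Run both phases for both sides and return (initiator SA, responder SA)."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    priv_i, pub_i = dh_keypair()
    priv_r, pub_r = dh_keypair()
    sk_i = phase1(PSK, priv_i, pub_r, ni, nr)
    sk_r = phase1(PSK, priv_r, pub_i, ni, nr)
    proposal = negotiate(initiator_offers, responder_accepts)
    spi = secrets.randbits(32) or 1
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    pfs_i = pfs_r = b""
    if pfs:   # fresh DH so a later compromise of the phase 1 key does not expose this SA
        p_i, q_i = dh_keypair()
        p_r, q_r = dh_keypair()
        pfs_i, pfs_r = dh_shared(p_i, q_r), dh_shared(p_r, q_i)
    return (phase2(sk_i, proposal, spi, ni2, nr2, lifetime, pfs_i),
            phase2(sk_r, proposal, spi, ni2, nr2, lifetime, pfs_r))


class SAD:
    """Security Association Database: SPI -> SA, honouring the lifetime."""
    def __init__(self):
        self._db = {}

    def install(self, sa):
        self._db[sa.spi] = sa

    def lookup(self, spi):
        sa = self._db.get(spi)
        if sa is None or time.time() > sa.expires_at:
            return None   # unknown or expired SA: the packet must be dropped
        return sa


if __name__ == "__main__":
    sa_i, sa_r = run_ike(["aes256-sha256", "3des-sha1"], ["aes256-sha256"], pfs=True)
    print("negotiated:", sa_i.enc_alg, sa_i.hash_alg, "SPI:", hex(sa_i.spi),
          "keys match:", sa_i.enc_key == sa_r.enc_key)
```

Two points worth noticing in the model: the SA has separate encryption and HMAC keys derived from the same negotiation, matching the slide's list, and the lookup by SPI returns nothing once the lifetime has passed, so the receiver cannot keep accepting traffic on a stale SA.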
SSL cryptosystem

- SSL offers the full CIA triad for the data. It operates at the application layer; it is famous for binding to specific protocols, like HTTP over SSL which equals HTTPS, and it is also used for establishing VPN connections.
- SSL is a layered protocol composed of two layers:
  1- SSL Handshake Protocol: a layer handling connection establishment (authentication and negotiation of configurations).
  2- SSL Record Protocol: a layer that encrypts the data and generates the SSL header after the payload.
- The SSL header is very simple:
  1- HMAC portion: a hash of a key, the data, padding, and a sequence number.
  2- Padding portion: used to ensure that the data is a multiple of the block size when a block cipher is used.
- The next figure will discuss the connection setup.

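The record-layer trailer the slide describes (HMAC bound to a sequence number, then padding to the block size), as an added example that is not code from the slides and is not a real SSL/TLS record layer: the cipher itself is left out so that the integrity and padding logic stay visible. The MAC key, the 16-byte block size and the padding layout (pad_len + 1 bytes all holding pad_len, as in TLS) are assumptions for the demo. The receiver keeps its own sequence counter, so a replayed record fails the MAC check even though its bytes are untouched.

```python
import hashlib
import hmac
import struct

BLOCK = 16     # assumed block-cipher block size
MAC_LEN = 32   # HMAC-SHA256 output length


class RecordLayer:
    """One direction of a toy record protocol: MAC over (sequence number, data),
    then padding to a block multiple. Constructed for illustration only."""

    def __init__(self, mac_key):
        self.mac_key = mac_key
        self.send_seq = 0
        self.recv_seq = 0

    def _mac(self, seq, data):
        # The sequence number is MACed but never transmitted: both sides count.
        return hmac.new(self.mac_key, struct.pack("!Q", seq) + data, hashlib.sha256).digest()

    def protect(self, data):
        body = data + self._mac(self.send_seq, data)
        pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK   # +1 for the length byte
        body += bytes([pad_len]) * (pad_len + 1)
        self.send_seq += 1
        return body

    def unprotect(self, record):
        # Every failure raises the same error: distinguishing a padding failure
        # from a MAC failure would leak information about the plaintext.
        ok = len(record) % BLOCK == 0 and len(record) > MAC_LEN
        pad_len = record[-1] if ok else 0
        ok = ok and pad_len + 1 + MAC_LEN <= len(record)
        ok = ok and all(b == pad_len for b in record[-(pad_len + 1):])
        body = record[:-(pad_len + 1)] if ok else b""
        data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        ok = ok and hmac.compare_digest(mac, self._mac(self.recv_seq, data))
        if not ok:
            raise ValueError("record rejected")
        self.recv_seq += 1
        return data


def demo():
    """Protect two records, accept them in order, then show that a replay of the
    first record and a tampered copy of a record are both rejected."""
    key = b"constructed-mac-key"
    sender, receiver = RecordLayer(key), RecordLayer(key)
    r1, r2 = sender.protect(b"hello"), sender.protect(b"world")
    results = {"first": receiver.unprotect(r1), "second": receiver.unprotect(r2)}
    try:
        receiver.unprotect(r1)           # replay: receiver now expects sequence 2
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True
    sender2, receiver2 = RecordLayer(key), RecordLayer(key)
    tampered = bytearray(sender2.protect(b"hello"))
    tampered[0] ^= 0x01                  # flip one bit of the data
    try:
        receiver2.unprotect(bytes(tampered))
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The single "record rejected" error is deliberate: implementations that report padding errors and MAC errors differently have historically given attackers a decryption oracle, so a defender reviewing a record layer should check that the two failure paths are indistinguishable, including in timing.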
SSL VPN demo

SonicWall SSL-VPN demo.

PPTP cryptosystem

- PPTP uses PPP, which encapsulates IP, IPX, and NetBEUI packets in PPP frames and sends the encapsulated packets over a point-to-point link created between the sending and receiving computers.
- PPTP relies on PPP features for authentication and encryption, so the PPTP cryptosystem is limited to the algorithms and protocols supported by PPP:
  1- PAP, CHAP and MS-CHAP for authentication.
  2- MPPE (in the Microsoft implementation) for encryption, using RC4.
- PPTP has two types of messages:
  1- Control messages for establishing and maintaining connections.
  2- Data messages for carrying user traffic.

Figure: Sender, Receiver (diagram).

PPTP VPN demo

Windows Server 2003 implementation for site-to-site and remote-access VPNs.

- Glory be to You, O Allah, and praise be to You; I bear witness that there is no god but You.
- I seek Your forgiveness and repent to You.