VPN – Technologies and Solutions CS158B Network Management
  1. VPN – Technologies and Solutions. CS158B Network Management, April 11, 2005. Alvin Tsang, Eyob Solomon, Wayne Tsui.
  2. Virtual Private Network (VPN)
     - A private network constructed within a public network infrastructure, such as the global Internet.
     - Two categories of VPNs:
       - A remote access VPN enables remotely located employees to communicate with a central location.
       - A site-to-site VPN interconnects two private networks via a public network such as the Internet.
  3. Protocols used by VPN
     - Point-to-Point Tunneling Protocol (PPTP)
       - A simple VPN technology based on the Point-to-Point Protocol (PPP).
       - Supports multiple encapsulation, authentication, and encryption methods.
     - Layer 2 Tunneling Protocol (L2TP)
       - A combination of PPTP and Layer 2 Forwarding (L2F).
       - Two types of L2TP devices:
         - L2TP Access Concentrator (LAC)
         - L2TP Network Server (LNS)
     - Internet Protocol Security (IPSec)
       - A framework for protecting the confidentiality and integrity of data in transit.
       - A common use of IPSec is the construction of a VPN.
  4. IPSec Protocols
     - IPSec defines a new set of headers to be added to IP datagrams.
     - ESP: confidentiality, data integrity, and data source authentication (RFC 2406).
     - AH: data integrity and source authentication (RFC 2402).
     - Packet layouts shown on the slide: IP Header | ESP Header | Protected Data | ESP Trailer, and IP Header | AH Header | Protected Data.
  5. IPSec Modes
     - Transport Mode
       - Protects the upper-layer protocol; the endpoints are exposed.
       - The IPSec header is inserted between the IP header and the upper-layer protocol header.
     - Tunnel Mode
       - The entire IP packet is protected and becomes the payload of a new packet.
       - The IPSec header is inserted between the outer and inner IP headers.
       - Used by gateways for VPNs, performing encryption on behalf of hosts.
     - IPSec SA
       - A relationship between entities on how to communicate securely.
       - Unidirectional: two for each pair, one from A to B and one from B to A.
       - Identified by an SPI, a destination address, and a security protocol identifier.
  6. IPSec Phases
     - SPD
       - The Security Policy Database maintains the IPSec policy.
       - Each entry defines the traffic to be protected and how to protect it.
       - Three actions on a traffic match: discard, bypass, and protect.
       - IP traffic is mapped to IPSec policy by selectors.
     - IKE
       - Establishes security parameters and authentication (SAs) between IPSec peers.
       - IKE SAs define the way in which two peers communicate: which algorithm to use to encrypt IKE traffic, and how to authenticate the remote peer.
       - The SPD instructs IKE what to establish; IKE establishes the IPSec SAs based on its own policy settings.
     - Phase 1 communication
       - Identify the peers.
       - Create IKE SAs by authentication and key exchange.
       - One side offers a set of algorithms, the other side accepts or rejects. Derive key material to use for IPSec with AH, ESP, or both.
     - Phase 2 communication
       - IPSec SA negotiations are carried out under the protection of the IKE SAs created in phase 1.
       - The IPSec shared key is derived using Diffie-Hellman or by refreshing the shared secret.
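As an added illustration of slides 4 to 6 (not code from the original presentation), the following Python sketch models an ordered SPD whose selectors yield the three actions, a SAD keyed by the (SPI, destination address, security protocol) triple, and the header order that results in transport versus tunnel mode. The prefixes, SPI, gateway address and algorithm names are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example: a tiny SPD and SAD in the style of RFC 2401.
# Addresses, SPIs and algorithm names are made-up sample values.
@dataclass(frozen=True)
class Selector:
    src: str                      # source prefix (CIDR)
    dst: str                      # destination prefix (CIDR)
    proto: Optional[int] = None   # IP protocol number; None matches any

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in (None, pkt["proto"]))

@dataclass(frozen=True)
class Policy:
    selector: Selector
    action: str                   # "discard", "bypass" or "protect"
    sa: Optional[tuple] = None    # (SPI, destination addr, "esp"/"ah"), only for "protect"

# Ordered SPD: the first matching entry wins; the last entry is the default drop.
SPD = [
    Policy(Selector("10.1.0.0/16", "10.2.0.0/16", proto=1), "bypass"),   # ICMP in the clear
    Policy(Selector("10.1.0.0/16", "10.2.0.0/16"), "protect", (0x1001, "203.0.113.2", "esp")),
    Policy(Selector("0.0.0.0/0", "0.0.0.0/0"), "discard"),
]

# SAD keyed by the SA triple from slide 5. SAs are one-way, so the reverse
# direction needs its own entry with its own SPI.
SAD = {
    (0x1001, "203.0.113.2", "esp"): {"mode": "tunnel", "cipher": "aes-cbc", "auth": "hmac-sha1"},
}

def outbound(pkt: dict):
    """Apply the SPD to an outbound packet; return (action, resulting header order)."""
    for policy in SPD:
        if not policy.selector.matches(pkt):
            continue
        if policy.action != "protect":
            return policy.action, ([] if policy.action == "discard" else ["IP", pkt["upper"]])
        sa = SAD[policy.sa]
        hdr = policy.sa[2].upper()
        if sa["mode"] == "transport":   # IPsec header between IP and upper layer, endpoints exposed
            layout = ["IP", hdr, pkt["upper"]]
        else:                           # whole packet becomes payload behind the gateway's outer IP
            layout = ["IP(outer)", hdr, "IP(inner)", pkt["upper"]]
        if hdr == "ESP":
            layout.append("ESP trailer")
        return "protect", layout
    return "discard", []
```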
  7. VPN Solutions
     - Access VPN
       - Offers remote access to a company's Intranet or Extranet. Example: employees on a business trip or in a home office.
     - Intranet VPN
       - Offers the Intranet connection. Example: branch offices.
     - Extranet VPN
       - Offers the Extranet connection. Example: business partners, customers.
  8. VPN Solutions – Benefits
     - Access VPN
       - Economical: Internet access vs. long-distance dialup.
       - Secure.
     - Intranet VPN
       - Economical: ISP vs. dedicated connection.
       - Flexible: topological design, new offices.
       - Reliable: redundant ISPs.
       - Secure.
     - Extranet VPN
       - Same as Intranet VPN.
       - Management, authentication and authorization.
  9. VPN Example
  10. VPN Example - Extranet VPN
  11. Conclusion
     - Cheaper and secure. Go for it!
  12. Q & A
     - Any questions?