Download to read offline
![Point-to-Point Tunneling Protocol (PPTP)
Mainly implemented and used (
طبقت
و
استخدمت
) by Microsoft [RFC
2637]
– Extension (
امتداد
) of PPP.
– Easy to use and to implement (
سهولة
االستخدام
و
التطبيق
) .
Allows tunnelling (
حفر
نفق
) of PPP datagrams between PPTP
Client (
عميل
) , and PPTP server (
خادم
) , يقوم
بفصل NAS الموجود
في PPP الى
– PPTP Access Concentrator (PAC)
Network access device supporting PPTP
– PPTP Network Server (PNS)
Corporate (VPN) gateway.
Authentication
– Uses PPP authentication.
Encryption
– MPPE (Microsoft Point-to-point encryption).
Many sessions multiplexed on a single tunnel.
(
عدة
جلسات
على
نفق
وحيد
)](https://image.slidesharecdn.com/random-240630172432-1335a493/85/Introduction-to-Virtual-Private-Network-VPN-ppt-26-320.jpg)
![Layer 2 Forwarding Protocol (L2F)
Developed (
تم
ت
طو
ي
ر
ه
بواسطة
) by Cisco [RFC 2341]
L2F provides tunneling between an ISP’s dial-up
server and the network. User connects to the ISP
using PPP.
The PPP frames are then encapsulated inside an
L2F frame which is then forwarded to a router for
transmission across the Internet.
Authentication
– Like PPTP, Uses PPP authentication.
Encryption
– does not provide any data encryption.
ال
ُدّزوُي
ّأي
تشفير
بيانات
) )
Allows multiple tunnels and multiple connections
on tunnel (
أنفاق
متعددة
و
جلسات
متعددة
لكل
نفق
)](https://image.slidesharecdn.com/random-240630172432-1335a493/85/Introduction-to-Virtual-Private-Network-VPN-ppt-32-320.jpg)
![Layer 2 Tunneling Protocol (L2TP)
Combines best features of L2F and PPTP تدمج
أفضل
ميزات
) )
– Developed by IETF [RFC 2661]
Allows tunnelling of PPP datagrams between L2TP Client, and
L2TP server , يقوم
بفصل NAS الموجود
في PPP الى
– L2TP Access Concentrator (LAC)
Network access device supporting L2TP
– L2TP Network Server (LNS)
Corporate (VPN) Gateway
Allows multiple tunnels with multiple sessions inside every
tunnel (
أنفاق
متعددة
و
جلسات
متعددة
لكل
نفق
)
CPE based deployment mode by including LAC functionalities
within user terminal
Commonly used with IPSec -> L2TP/IPSec](https://image.slidesharecdn.com/random-240630172432-1335a493/85/Introduction-to-Virtual-Private-Network-VPN-ppt-34-320.jpg)
More Related Content
Similar to Introduction to Virtual Private Network (VPN).ppt
Introduction to Virtual Private Network (VPN).ppt
- 1. Higher industry institute PostGraduate Programme اإلفتراضية الخاصة الشبكة VPN by Ahmed joha
- 2.
- 3. الخاصة الشبكة و آمناتصال موثوق . خاصة خطوط تأجير إلى يحتاج ألنه عالية تكلفة . ِ موقع 1 خاص خط موقع 2
- 4.
- 5. أنواع VPNs Remote AccessVPN ( االتصال بعد عن ) – وصول إمكانية يوفر المستخدمين الداخ الشبكة إلى لية لل مكان أي من مؤسسة . – ت قليل تكلفة اتص وخاصة الهاتف طريق عن االتصال االت الطويلة المسافات . Internet Corporate Site Remote User
- 6. أنواع VPNs Remote AccessVPN ( االتصال عن بعد ) Site-to-Site VPN ( موقع الى موقع ) – يوفر إمكانية ربط فروع المؤسسة مع بعضها البعض . – ت قليل تكلفة االتصال عن طريق الخطوط الخاصة المؤجرة . Corporate Site Branch Office Internet
- 7. أنواع VPNs Remote AccessVPN ( االتصال عن بعد ) Site-to-Site VPN ( موقع الى موقع ) Extranet VPN – الوصول من والعمالء الشركاء يمكن بيانات بعض الى المؤسسة شبكة . – ت قليل والعمليات الصفقات تكلفة . Corporate Site Internet Partner Supplier
- 8. أنواع VPNs Remote AccessVPN ( لتداول عن دْعُب ) Site-to-Site VPN ( موقع الى موقع ) Extranet VPN ( شبكة المعلومات المساعدة ) Client/Server VPN ) عميل / خادم ) – ميْحَت ُإتصاالت ُداخلية ُاسةّسح – ُأشْنَت أكثر الهجمات ضمن المؤسسة Internet LAN clients Database Server LAN clients with sensitive data
- 9. مميزات VPNs المخفضة الكلفة – والمؤجرةالخاصة الخطوط كلفة تخفيض – الطويلة المسافة مكالمات تخفيض – ِاألجهزة تكلفة تفيض ( المودم مصرف Modem Bank / CSU / DSUS ) – ُالتقنية المساعدة تكلفة تخفيض أكثر مرونة – اإلنترنت خدمة دّمزو قيمة من الرفع – ّدةدالمتع اإلتصال أنواع استعمال ( cable, DSL, T1, T3 ) أكثر توسع – بسرعة جدد مستخدمين و َةجديد َعمواق إضافة – الطلب يةبْلَتل السعة تقنين
- 10. VPN احتياجات المستخدم منقُّقالتح – الوصو حدود ُدّدحُيو المستعمل هوية من َقّقحُتي ْنَأ ُبجَي إن بي في الشبكة الى َل – ومتىا المستخدم عليها يطلع ان يجب التي المعلومات تبين َسجالت يحدد . عنوان إدارة – ّصالخا الشبكة على المستخدم َعنوان َ صّصخُي ْنَأ ُبجَي إن بي في العناوين ّبأن ُمنْضَيو ة ةّصخا قىْبَت . البيانات تشفير – ب للقراءة صالحة غير تتبقى ْأن يجب ةّمالعا الشبكة داخل المنقولة البيانات للزبائن النسبة الشبكة على لينّمخو الغير . المفتاح إدارة – والخ لعميل التشفير َحمفاتي َ نعشُيو َدّلوُي ْنَأ ُبجَي إن بي في ادم . النظام ّددمتع دعم – المستخ البروتوكوالت ةَجَلاَعُم على قادر َُونكَي ْنَأ ُبجَي إن بي في ةّمالعا الشبكة داخل دمة . اإلنترنت بروتوكول تتضمن هذه ( بي آي ) وهكذا ، .
- 11. Tunneling ش بيانات لنقلالوسيطة الشبكة داخل نفق رْفَح أخرى بكة المنقولة البيانات ( وَأ ال حمولة ) ُوكَت ْنَأ ُمكنُي َإطارات َن ( وَأ مَزُر ) اآلخر النظام ْنم . Transit Internetwork Tunnel Endpoints Payload Payload Tunneled Payload Transit Internetwork Header Tunnel
- 12.
- 13.
- 14. Voluntary tunnels Dial AccessProvider VPN Service e c s A c s Server Dial Access Server Client Host PPP access protocol Tunnel
- 15. Compulsory Tunnels(اإللزامية )األنفاق الوسيطةالشبكة الى الوصول خادم قبل من يبدأ النفق حفر NAS وَأ Router – على النفق دعم برامج تتطلب NAS وَأ Router زبون ّأي عَم ُلمْعَي NAS نفسها نفق َطريقة َمعْدَي ْنَأ ُبجَي ل شفاف يكون النفق routers الوسيطة النفق خادم ةَرَطْيَس َتْحَت ُالشبكة ُلخْدَت فقط النفق خالل تمر ُنكْمُي المستخدم بيانات باإلنترنت اإلتصال إمكانية – مسبقا فةَّرَعُمال بالوسائل َُونكَي ْنَأ ُبجَي – أكثر تحكم أكثر – راقبُي ْنَأ ُنكْمُي
- 17. Tunneling Protocols GenericRouting Encapsulation (GRE), as defined in RFCs 1701/1702, is used by a wide variety of tunneling protocols The Point-to-Point Tunneling Protocol (PPTP), created by Microsoft and Ascend Communications, is an extension of Point-to-Point protocol (PPP) for Windows and Netware client/server environments. Layer-2 Forwarding (L2F) is a tunneling protocol created by Cisco Systems. The Layer-2 Tunneling Protocol (L2TP) is proposed standard to combine best features of L2F and PPTP. IPsec supports tunneling with or without encryption.
- 18. Why So ManyVPN Solutions? For some companies, a VPN is a substitute for remote-access servers. For others, a VPN may consist of traffic over the Internet between protected LANs. The protocols that have been developed for VPNs reflect this dichotomy. PPTP, L2F and L2TP are largely aimed at dialup VPNs IPSec's main focus has been LAN-to-LAN solutions.
- 19. PPP (Point toPoint Protocol ) Flag- indicates beginning or end of frame (b^01111110). Address- contains standard broadcast address. Control- calls for transmission in user data. Protocol-identifier for encapsulated protocol in information field. Information-datagram for protocol. FCS-Frame Check Sequence.
- 20. PPP (Point toPoint Protocol ) Layer-2 frame format موضح به frame delimitation ( بداية ونهاية اإلطار ) و error detection ( كشف الخطأ ) . PPP َمّمُص سالْإلر البيانات عبر dial-up ( الطلب الهاتفي ) أو dedicated point-to-point connections ( الخط المخصص ) Link Control protocol (LCP) : – Connection establishment ( تأسيس اإلتصال ) ، test ( إختبار ) ، negotiation ( مفاوضات ) و release إنهاء اإلتصال . Network Control Protocols (NCPs) : – negotiate network layer options ( ا لتفاوض على خيارات طبقة الشبكة ) بطريقة مستقلة عن نوع طبقة الشبكة المستخدمة . – NCP مختلف لكل طبقة شبكة يتم دعمها .
- 21. PPP (Point toPoint Protocol ) Authentication protocols: Password Authentication Protocol (PAP) Challenge Handshake Authentication Protocol (CHAP) Extensible Authentication Protocol (EAP) Encryption protocols: Encryption Control Protocol (ECP) for negotiation PPP DES Encryption Protocol (DESE) PPP Triple DES Encryption Protocol (3DESE)
- 22. PPP (Point toPoint Protocol ) PPP PPP Encapsulation IP, IPX Payload PSTN (POTS / ISDN) IP, IPX Payload Private Network Public Switched Telephone Network Remote Client Remote Access Server
- 23. GRE (Generic RoutingEncapsulation)
- 24. GRE (Generic RoutingEncapsulation) يقوم هذا البروتوكول بعملية تغليف أي بروتوكول بما في ذلك IP داخل IP Protocol
- 25. Point-to-Point Tunneling Protocol(PPTP) PAC
- 26. Point-to-Point Tunneling Protocol(PPTP) Mainly implemented and used ( طبقت و استخدمت ) by Microsoft [RFC 2637] – Extension ( امتداد ) of PPP. – Easy to use and to implement ( سهولة االستخدام و التطبيق ) . Allows tunnelling ( حفر نفق ) of PPP datagrams between PPTP Client ( عميل ) , and PPTP server ( خادم ) , يقوم بفصل NAS الموجود في PPP الى – PPTP Access Concentrator (PAC) Network access device supporting PPTP – PPTP Network Server (PNS) Corporate (VPN) gateway. Authentication – Uses PPP authentication. Encryption – MPPE (Microsoft Point-to-point encryption). Many sessions multiplexed on a single tunnel. ( عدة جلسات على نفق وحيد )
- 27.
- 28.
- 29. Point-to-Point Tunneling Protocol(PPTP) IP, IPX Payload Private Network Internet IP ISP NAS Remote Client Network Access Server PSTN PPP over PSTN PPP IP, IPX Payload PSTN Layer 2 IP GRE PPP IP, IPX Payload Layer 3
- 30. Point-to-Point Tunneling Protocol(PPTP) Secure communication created using PPTP typically involves three processes. Each requires successful completion of the previous process. ( خطوات االتصال الناجح ) PPP Connection – A PPTP client uses PPP to connect to an ISP by using a standard telephone line or ISDN line. ( يقوم العميل بإنشاء إتصال الى مزود خدمة االنترنت ) PPTP Control Connection – Using the connection to the Internet established by the PPP protocol, the PPTP protocol creates a control connection from the PPTP client to a PPTP server on the Internet. This connection uses TCP and is a called a PPTP tunnel. ( باستخدام االتصال بمزود الخدمة يتم حفر النفق ) PPTP Data Tunneling – PPTP creates IP datagrams containing encrypted PPP packets which are sent through PPTP tunnel to the PPTP server. ( تغليف البيانات المشفرة و ارسالها عبر النفق الى الخادم ) – The PPTP server disassembles the IP datagrams and decrypts the PPP packets, and then routes the decrypted packets to the private network. ( عند نهاية النفق تتم ازالة الغالف و فك الشفرة عن البيانات المرسلة وتسييرها الى المستقبل )
- 31. Layer 2 ForwardingProtocol (L2F) IP, IPX Payload Private Network Internet IP ISP NAS Remote Client Network Access Server PSTN PPP over PSTN PPP IP, IPX Payload PSTN Layer 2 IP UDP Port 1701 over IP UDP L2F PPP IP, IPX Payload Layer 3
- 32. Layer 2 ForwardingProtocol (L2F) Developed ( تم ت طو ي ر ه بواسطة ) by Cisco [RFC 2341] L2F provides tunneling between an ISP’s dial-up server and the network. User connects to the ISP using PPP. The PPP frames are then encapsulated inside an L2F frame which is then forwarded to a router for transmission across the Internet. Authentication – Like PPTP, Uses PPP authentication. Encryption – does not provide any data encryption. ال ُدّزوُي ّأي تشفير بيانات ) ) Allows multiple tunnels and multiple connections on tunnel ( أنفاق متعددة و جلسات متعددة لكل نفق )
- 33. Layer 2 TunnelingProtocol (L2TP)
- 34. Layer 2 TunnelingProtocol (L2TP) Combines best features of L2F and PPTP تدمج أفضل ميزات ) ) – Developed by IETF [RFC 2661] Allows tunnelling of PPP datagrams between L2TP Client, and L2TP server , يقوم بفصل NAS الموجود في PPP الى – L2TP Access Concentrator (LAC) Network access device supporting L2TP – L2TP Network Server (LNS) Corporate (VPN) Gateway Allows multiple tunnels with multiple sessions inside every tunnel ( أنفاق متعددة و جلسات متعددة لكل نفق ) CPE based deployment mode by including LAC functionalities within user terminal Commonly used with IPSec -> L2TP/IPSec
- 35. Layer 2 TunnelingProtocol (L2TP)
- 36. Layer 2 TunnelingProtocol (L2TP) IP, IPX Payload Private Network Internet IP ISP NAS Remote Client Network Access Server PSTN PPP over PSTN PPP IP, IPX Payload PSTN Layer 2 IP UDP Port 1701 over IP UDP L2TP PPP IP, IPX Payload Layer 3
- 37. Internet Protocol Security(IPSec) Internet Protocol Security (IPSEC) is a framework ( إطار عمل ) to provide secured communication ( إتصال آمن ) for IP. This IETF framework is defined in a suite of RFCs. It does not specify the authentication and encryption protocol to use. This makes it flexible ( مرن ) and able to support new authentication and encryption methods as they are developed. IPSEC provide a new sub-layer just above ( طبقة جديدة فوق ) IP, layer 3 of OSI model. This has 2 main advantages: – Layer 3 is the lowest layer in the OSI model that provides end-to- end connectivity between 2 nodes. That means that the end-to- end communication is secured, you do not need to provide security service at each link in the path. ( اتصال آمن من عقدة الى عقدة ) – The security services are totally transparent to upper layers. Specifically, TCP and UDP can transparently use these services. This also means that all applications that use TCP or UDP as transport mechanism can now have their communication secured without any changes. Can we think of some applications that can benefit from that? ( خدمات االمن شفافة للطبقات العليا – التطبيقات تستفيد من هذه الميزة )
- 38. IPSEC IETF Documents RFC 2401 – Architecture RFC 2411 – Roadmap RFC 2402 – Authentication Header (AH) RFC 2406 – Encapsulating Security Payload (ESP) RFC 1828 – IP Authentication using MD5 RFC 2412 – Oakley key determination RFC 2408 – ISAKMP (Internet Security Association and Key Management Protocol) RFC 2409 – IKE – Internet Key Exchange RFC 2104 – HMAC – Hashing for Message Authentication
- 39. IPSec: Network LayerSecurity IPSec = AH + ESP + IPcomp + IKE Protection for IP traffic AH provides integrity and origin authentication ESP also confidentiality Compression Sets up keys and algorithms for AH and ESP AH and ESP rely on ( تعتمد على ) an existing security association – Idea: parties must share a set of secret keys and agree on each other’s IP addresses and crypto algorithms ( االطراف تشترك في مجموعة من المفاتيح السرية و تتفق على العناوين وخوارزميات التشفير ) Internet Key Exchange (IKE) – Goal: establish security association for AH and ESP – If IKE is broken ( إختراق ) , AH and ESP provide no protection!
- 40. IPSec Architecture IPSecis defined by the following sets of specifications: – Protocol modes. Transport and tunnel mode – Authentication header protocol (AH) – Encapsulated security protocol (ESP) – Internet Key Exchange (IKE) – Security Associations (SA) – Encryption algorithms
- 41. IPSec Modes Transportmode – End-to-end security between two hosts Typically, client to gateway (e.g., PC to remote host) – Requires IPSec support at each host
- 42. IPSec Modes TunnelMode Gateway-to-gateway security – Internal traffic behind gateways not protected – Typical application: virtual private network (VPN) Only requires IPSec support at gateways
- 43. Transport mode vsTunnel mode Transport mode – secures packet payload and leaves IP header unchanged Tunnel mode – encapsulates both IP header and payload into IPSec packets IP header (real dest) IPSec header TCP/UDP header + data IP header (gateway) IPSec header TCP/UDP header + data IP header (real dest)
- 44. Authentication Header (AH) Provides integrity and origin authentication Authenticates portions of the IP header Anti-replay service (to counter denial of service) No confidentiality Next header (TCP) Payload length Reserved Security parameters index (SPI) Sequence number ICV: Integrity Check Value (HMAC of IP header, AH, TCP payload) Identifies security association (shared keys and algorithms) Anti-replay Authenticates source, verifies integrity of payload
- 45. Authentication Header (AH) IPHDR IP Payload New IP HDR AH HDR IP HDR IP Payload Tunnel Mode authenticated IP HDR AH HDR IP Payload Transport Mode authenticated
- 46. Encapsulating Security Payload(ESP) Adds new header and trailer fields to packet Confidentiality and integrity for payload Optionally provides authentication Identifies security association (shared keys and algorithms) Anti-replay TCP segment (transport mode) or entire IP packet (tunnel mode) Pad to block size for cipher, also hide actual payload length Type of payload HMAC-based Integrity Check Value (similar to AH)
- 47. Encapsulating Security Payload(ESP) IP HDR IP Payload Transport Mode IP HDR ESP HDR IP Payload ESP Trailer ESP Auth encrypted authenticated Tunnel Mode New IP HDR ESP HDR IP HDR IP Payload ESP Trailer ESP Auth encrypted authenticated
- 48. Internet Key Exchange(IKE) IKE protocol is a key exchange and management system , which provide secure key distribution services between parties wishing to communicate over an untrusted network. ( نظام تبادل وإدارة المفاتيح السرية يوفر توزيع آمن للمفاتيح بين االطراف المتصلة على شبكة غير آمنة ) IKE is a hybrid ( هجين ) protocol composed of features from – Internet Security Association and Key Management Protocol (ISAKMP) framework – Oakley Key Exchange – Secure Key Exchange Mechanism (SKEME). IKE is general purpose security exchange protocol Supports: – Policy negotiation ( السياسات على التفاوض ) – Establishment of authenticated keying material ( إنشاء ) for security associations. These facilities can be used for negotiating VPN links, as well as for providing remote users with secure access to a host or network.
- 49. Security Association (SA) SA is one way relationship between sender and receiver that defines a security relationship ( عالقة إتجاه واحد بين المرسل و المستقبل تعرف االتصال اآلمن بين الطرفين ) – Authentication and encryption algorithms ( التشفير و التحقق خوارزميات ) – Key exchange mechanisms ( المفاتيح تبادل آليات ) – And other rules for secure communications ( اآلمن لالتصال أخرى قواعد ) It is uniquely identified by three parameters ( يتم تمييزها بالتالي ) – Security Parameter Index (SPI)- 32 bit identifier – IP Destination Address – Security Protocol Identifier Security associations are negotiated at least once per session – possibly more often for additional security ( التفاوض مرة واحدة على االقل لكل جلسة , من المحتمل أكثر لألمن اإلضافي ) Bi-directional communication requires ( ا ال تصال ثنائي االتجاه يحتاج الى ) two security Associations.
- 50. Security Association Database(SAD) SAD defines parameters associated ( المرتبطة ) with each SA. Parameters include – Sequence number counter – Sequence number overflow – Anti-replay window – AH information – ESP information – Lifetime of SA – IPSec Protocol mode – Path MTU
- 51. Security Policy Database(SPD) SPD defines the way in which IPSec services are applied to IP traffic. ( يعرف الطريقة التي تطبق بها خدمات األمن على البيانات العابرة ) Each SPD entry ( دخول ) is defined by selectors which are used to map ( توجيه ) outgoing packet to SA. – Destination IP address – Source IP address – Transport layer protocol – IPSec protocol – Source/destination port number – UserID (if available to the IPSEC software) – TOS or DiffServ SPI of SA is obtained ( يتم الحصول عليه ) and IPSec processing done accordingly ( وفقا لذلك ) . if packet does not match any SPD condition ( التتوافق ) – Drop the packet – Transmit it in clear Provides very flexible way of applying IPSec services to IP traffic.
- 52. SA Establishment Phase 1- IKE SA is established Cookie exchange(الكوكي )تبادل Protects responder by requesting that initiator submits valid cookie before value exchange and Diffie-Hellman key exchange ( ميَْحي المستجيب القيمة تبادل قبل َحصحي كوكي ُمّدقُي البادئ ّبأن بَلَطبال وتبادل المفاتيح ) Valid cookie: computed and verified by the responder Need cookie exchange Value exchange(القيم )تبادل Establishes a shared secret key (مشترك سري مفتاح )انشاء Uses Diffie-Hellman key exchange ( المفتاح تبادل طريقة )استخدام Negotiate parameters Result: shared, un-authenticated secret key Authentication exchange(التحقق )تبادل Keys and SA are authenticated Methods: preshared keys, DSS, RSA digital signature, encrypted nonce with RSA
- 53. SA Establishment Phase 2- IPSec SA is established IKE SA is used to establish ( يستخدم النشاء ) IPsec SA between communicating peers ( النظائر )المتصلة Quick mode exchange ( نمط التبادل السريع ) Negotiate ()مفاوضات IPsec SA under the protection of ( تحت حماية ) IKE SA Keys derived from IKE secret state
- 54. Plain IPSec Outgoing Packets:SAD Selects SA Network A Network B Network C SA #1 SAD Selector SA <A,B,*,*,*> #1 <A,C,*.*.*> #2 SPD Selector Action <A,B,*,*,*> Encrypt <A,C,*.*.*> Encrypt <A,*,*,*,*> Drop A -> B A -> B A -> B
- 55. Plain IPSec Incoming Packets:SAD Checks SA Network A Network B Network C SA #1 SAD Selector SA <A,B,*,*,*> #1 <A,C,*.*.*> #2 C->A Let’s Spoof C C->A Packets from SA#1 Should match <A,B,*,*,*> Drop !
- 56. Plain IPSec Incoming Packets:SPD Checks Network A Network B Network C SPD Selector Action <A,B,*,*,*> Encrypt <A,C,*.*.*> Encrypt <A,*,*,*,*> Drop Let’s Spoof C Packets <A,C,*,*,*> should be encrypted Drop !
- 57. Plain IPSec Preventing TrafficInjection Network A Network B Network C SPD Selector Action <A,B,*,*,*> Encrypt <A,C,*.*.*> Encrypt <A,*,*,*,*> Drop No spoofing, I’m D Packets <A,*,*,*,*> must be dropped !
- 58. Encryption Explained Usedto convert data to a secret code for transmission over an untrusted network ُلعمَتسُي حويلَتل البيانات إلى رم و ز سري لإلرسال على ش بكة غير منةَتْؤُم Encryption Algorithm “The cow jumped over the moon” “4hsd4e3mjvd3sd a1d38esdf2w4d” Clear Text Encrypted Text
- 59. What are Keys? A series of numbers and letters… سلسلة من األعداد و ال حروف …used in conjunction with an encryption algorithm… تستعمل باإلرتباط مع َخوارزمية تشفير …to turn plain text into encrypted text and back into plain text حويلَتل ّنص عادي إلى ّصَن رّفمش و بالعكس The longer the key, the stronger the encryption المفتاح االطول يعطي تشفير أقوى
- 60. Symmetric Encryption المتناظرالتشفير Same key used to encrypt and decrypt message نفس المفتاح يستخدم للتشفير و لفك التشفير Faster than asymmetric encryption أسرع ْنم التشفير الال رناظَتُم Used by IPSec to encrypt actual message data IPsec يستخدم لتشفير البيانات الفعلية من فبل Examples: DES, 3DES, RC5, Rijndael Shared Secret Key
- 61. Asymmetric Encryption الالمتناظرالتشفير Different keys used to encrypt and decrypt message (One public, one private) مفاتيح مختلفة للتشفير و لفك التشفير ( واحد عام و آخر خاص ) Provides non-repudiation of message or message integrity يوفر سالمة البيانات Examples include RSA, DSA, SHA-1, MD-5 Alice Public Key Encrypt Alice Private Key Decrypt Bob Alice
- 62. Key Management المفتاحادارة A mechanism for distributing keys either manually or automatically آلية وزيعَتل المفاتيح اّمأ اايدوي وَأ آلي اا Includes: – Key generation توليد المفتاح – Certification الشهادة – Distribution التوزيع – Revocation االلغاء
- 63. Key Management المفتاحادارة Shared Secret سر مشترك – Simplest method; does not scale – Two sites share key out-of-band (over telephone, mail, etc) Public Key Infrastructure – Provides method of issuing and managing public/private keys for large deployments Internet Key Exchange – Automates the exchange of keys for scalability and efficiency
- 64. VPN Classification تصنيف Customer Premise Equipment (CPE based VPNs) are implemented within customer premise equipment, where a customer can create their own VPN across an Internet connection without any specific knowledge or cooperation from the service provider. مملوكة للعميل حيث ينشي العميل اتصال خاص افتراضي خالل انترنت بدون أي معرفة او تعاون معين من مزود الخدمة Provider provisioned VPN do not require the deployment of any CPE devices beyond basic internet access. All VPN services and equipment are provided by the service provider’s core infrastructure. مملوكة لمزود الخدمة حيث أن ّلُك الخدمات و األ جهزة مزودة بالبنية التحتية لمزود الخدمة
- 65. Comparison of CPEBased Protocols Security Issues
- 66. Comparison of CPEBased Protocols Vulnerabilities
- 67. Comparison of CPEBased Protocols Routed Desktop Protocols
- 68. Comparison of CPEBased Protocols OSI reference model
- 69. Comparison of CPEBased Protocols Performance: throughput and Latency. L2TP utilizes more command and control messages. So throughput may be less than PPTP. But it performs better in high latency network because it uses UDP for its control packets PPTP uses TCP for control packets and also uses less control message which makes it high throughput protocol but makes is vulnerable to high latency network. IPSec uses lot of security related overhead which degrades the performance from both throughput and latency prospective.