VPN Guide to Network Defense and countermeasures

Guide to Network Defense and
Countermeasures
Third Edition
Chapter 11
Virtual Private Network (VPN) Concepts

Guide to Network Defense and Countermeasures, Second Edition 2
Objectives
• Explain basic VPN concepts
• Describe encapsulation in VPNs
• Describe encryption in VPNs
• Describe authentication in VPNs
• Summarize the advantages and disadvantages of
VPNs

Objectives (contd.)
• Explain design considerations for a VPN
• Describe options for VPN configuration
• Explain how to set up VPNs with firewalls
• Explain how to adjust packet-filtering rules for VPNs
• Describe guidelines for auditing VPNs and VPN
policies

Understanding VPN Concepts
• Virtual Private Network (VPN) enables computers to
– Communicate securely over insecure channels
– Exchange private encrypted messages that others
cannot decipher

What VPNs Are
• VPN
– Virtual network connection
– Uses the Internet to establish a secure connection
• Secure tunnel
– Extends an organization’s network
• Endpoints
– Specified computers, users, or network gateways

Why Establish a VPN?
• Business incentives driving VPN adoption
– VPNs are cost-effective
– VPNs provide secure connection for remote users
• Contractors
• Traveling employees
• Partners and suppliers
• VPN Components
– VPN server or host
• Configured to accept connections from clients
– VPN client or guest
• Endpoints connecting to a VPN

Why Establish a VPN? (continued)
• VPN Components
– Tunnel
• Connection through which data is sent
– VPN protocols
• Sets of standardized communication settings
• Used to encrypt data sent along the VPN
– Types of VPNs
• Site-to-site VPN
– Gateway-to-gateway VPN
• Client-to-site VPN
– Remote access VPN

• Hardware versus software VPNs
– Hardware-based VPNs
• Connect one gateway to another
• Routers at each network gateway encrypt and decrypt
packets
• VPN appliance
– Designed to serve as VPN endpoint
– Join multiple LANs
• Benefits
– Scalable
– Better security

• Hardware versus software VPNs (continued)
– Software-based VPNs
• Integrated with firewalls
• Appropriate when participating networks use different
routers and firewalls
• Benefits
– More cost-effective
– Offer maximum flexibility

• VPN combinations
– Combining VPN hardware with software adds layers
of network security
– One useful combination is a VPN bundled with a
firewall
– VPNs do not eliminate the need for firewalls
– Provide flexibility and versatility

• VPN combinations (continued)
– Points to consider when selecting VPNs
• Compatibility
• Scalability
• Security
• Cost
• Vendor support

VPN Core Activity 1: Encapsulation
• Core set of activities
– Encapsulation
– Encryption
– Authentication
• Encapsulation
– Encloses a packet within another
• That has different IP source and destination
– Protects integrity of the data

Understanding Tunneling Protocols
• Point-to-Point Tunneling Protocol (PPTP)
– Used when you need to dial in to a server with a
modem connection
• On a computer using an older OS version
– Encapsulates TCP/IP packets
– Header contains only information needed to route
data from the VPN client to the server
– Uses Microsoft Point-to-Point Encryption (MPPE)
• Encrypt data that passes between the remote computer
and the remote access server
– L2TP uses IPSec encryption
• More secure and widely supported

(continued)
• Layer 2 Tunneling Protocol (L2TP)
– Provides better security through IPSec
– IPSec enables L2TP to perform
• Authentication
• Encapsulation
• Encryption

(continued)
• Secure Shell (SSH)
– Provides authentication and encryption
– Works with UNIX-based systems
• Versions for Windows are also available
– Uses public-key cryptography
• Socks V. 5
– Provides proxy services for applications
• That do not usually support proxying
– Socks version 5 adds encrypted authentication and
support for UDP

IPSec/IKE
• Internet Protocol Security (IPSec)
– Set of standard procedures
– Developed by the Internet Engineering Task Force
(IETF)
– Enables secure communications on the Internet
• Characteristics
– Works at layer 3
– Can encrypt an entire TCP/IP packet
– Originally developed for use with IPv6
– Provides authentication of source and destination
computers

IPSec/IKE (continued)
• Widely supported
• Security Association (SA)
– Relationship between two or more entities
– Describes how they will use security services to
communicate
– Used by IPSec to track all the particulars of a
communication session
– SAs are unidirectional

• Components
– Internet Security Association Key Management
Protocol (ISAKMP)
– Internet Key Exchange (IKE)
– Oakley
– IPSecurity Policy Management
– IPSec Driver
• IPSec core components
– Authentication Header (AH)
– Encapsulation Security Payload (ESP)

• Authentication Header (AH)
– Provides authentication of TCP/IP packets
– Ensures data integrity
– Packets are signed with a digital signature
– Adds a header calculated by the values in the
datagram
• Creating a messages digest of the datagram
– AH in tunnel mode
• Authenticates the entire original header
• Places a new header at the front of the original packet
– AH in transport mode
• Authenticates the payload and the header

• Encapsulation Security Payload (ESP)
– Provides confidentiality for messages
– Encrypts different parts of a TCP/IP packet
– ESP in tunnel mode
• Encrypts both the header and data part of each packet
• Data cannot pass through a firewall using NAT
– ESP in transport mode
• Encrypts only data portion of the packet
• Data can pass through a firewall
– IPSec should be configured to work with transport
mode

VPN Core Activity 2: Encryption
• Encryption
– Process of rendering information unreadable by all
but the intended recipient
– Components
• Key
• Digital certificate
• Certification Authority (CA)
– Key exchange methods
• Symmetric cryptography
• Asymmetric cryptography
• Internet Key Exchange
• FWZ

Encryption Schemes Used by VPNs
• Triple Data Encryption Standard (3DES)
– Used by many VPN hardware and software
– 3DES is a variation on Data Encryption Standard
(DES)
– DES is not secure
– 3DES is more secure
• Three separate 64-bit keys to process data
– 3DES requires more computer resources than DES

(continued)
• Secure Sockets Layer (SSL)
– Developed by Netscape Communications Corporation
– Enables Web servers and browsers to exchange
encrypted information
– Characteristics
• Uses public and private key encryption
• Uses sockets method of communication
• Operates at network layer (layer 3) of the OSI model
– Widely used on the Web
• Only supports data exchanged by Web-enabled
applications
• Unlikely to replace IPSec

(continued)
• Secure Sockets Layer (SSL) (continued)
– Steps
• Client connects to Web server using SSL protocol
• Two machines arrange a “handshake” process
– Client sends its preferences for encryption method,
SSL version number, and a randomly generated
number
• Server responds with SSL version number, its own
cipher preferences, and its digital certificate
• Client verifies date and other information on the digital
certificate
– Client generates and send a “pre-master” code

(continued)
• Secure Sockets Layer (SSL) (continued)
– Steps
• Server uses its private key to decode pre-master code
– Generates a master secret key
– Client and server use it to generate session keys
• Server and client exchange messages saying
handshake is completed
• SSL session begins

VPN Core Activity 3: Authentication
• Authentication
– Identifying a user or computer as authorized to
access and use network resources
– Types of authentication methods used in VPNs
• IPSec
• MS-CHAP
– Both computers exchange authentication packets
and authenticate one another
– VPNs use digital certificates to authenticate users

Advantages and Disadvantages of
VPNs

Designing a VPN
• Assess organization’s needs and goals
– Type of business
– How many employees it has
– Infrastructure already in place
– Security required
• Enforce security on the client side of the VPN tunnel
– Most difficult aspect of the design process

Business Needs
• Business processes
– Determine how you will implement a VPN strategy
• Careful analysis of the existing infrastructure
– Helps you integrate the VPN with minimal disruption
• VPNs can be classified as site-to-site or client-to-site
– Can offer cost-effective, secure connectivity
• Legal implications to failing to secure access to a
remote network

Business Needs (continued)
• Nature of the business
– What does it do?
– What product or service does it sell?
– Who are its customers?
– Cost is usually a key factor
• Narrows the choices of hardware and software

Business Needs (continued)
• Nature of the business
– A secure VPN design should address:
• Secure connectivity
• Availability
• Authentication
• Secure management
• Reliability
• Scalability
• Performance

Client Security
• Several ways to increase VPN client security
• Split tunneling
– Describes multiple paths
– One path goes to the VPN server and is secured
– Another unauthorized and unsecured path permits
users to connect to the Internet
• While still connected to the corporate VPN
– Leaves the VPN server and internal LAN vulnerable
to attack

Client Security (continued)
• Planning VPN deployment
– Consider the existing infrastructure
• Make a network map
– Decide on the placement of VPN servers
– Research hardware and software to use
• Decide whether you need new hardware or software
• Sometimes you can reconfigure existing resources to
support a VPN
– Develop a list of requirements
• When you meet a vendor so nothing is overlooked
– Follow security policy guidelines

VPN Topology Configurations
• VPN topology
– How components in a network are connected
physically to one another
– Determines how gateways, networks, and clients are
related to each other
– Corresponds to the basic physical and logical
topologies of any network

(continued)
• Mesh topology
– All participants in the VPN have Security Associations
(SAs) with one another
– Types of mesh arrangements
• Full mesh
– Every subnetwork is connected to all other subnets
in the VPN
– Complex to manage
• Partial mesh
– Any subnet in the VPN may or may not be
connected to the other subnets

(continued)
• Star topology
– Also known as a hub-and-spoke configuration
– VPN gateway is the hub
– Networks that participate in the VPN are called rim
subnetworks
– Separate SAs are made between the hubs of each
rim subnetwork in the star configuration
– Central VPN router is at organization’s central office
– Any LANs or computers that want to participate need
to connect only to the central server

(continued)
• Hybrid topology
– Combines two different network topologies
– Central core uses a mesh topology
• Mesh topologies tend to operate more efficiently
– Branch offices can be connected using a star
topology
– Benefits from strengths of each topology
• Scalability (of the star topology)
• Speed (of the mesh configuration)

Using VPNs with Firewalls
• VPNs do not reduce the need for a firewall
– Always use a firewall as part of VPN security design
• Install VPN software on the firewall itself
– Firewall allows outbound access to the Internet
– Firewall prevents inbound access from the Internet
– VPN service encrypts traffic to remote clients or
networks

Using VPNs with Firewalls (continued)
• Install VPN software on the firewall itself
– Advantages
• Control all network access security from one server
• Fewer computers to manage
• Use the same tools for VPN and firewall
– Disadvantages
• Single point of failure
• Must configure routes carefully
• Internet access and VPN traffic compete for resources
on the server

• Set up VPN parallel to your firewall inside the DMZ
– Advantages
• No need to modify firewall settings to support VPN
traffic
• Configuration scales more easily
• Can deal with congested servers
– Disadvantages
• VPN server is connected directly to the Internet
• If VPN server becomes compromised, attacker will
have direct access to your internal network
• Cost of supporting a VPN increases with new servers

• Set up VPN server behind the firewall connected to
the internal network
– Advantages
• VPN server is completely protected from the Internet
• Firewall is the only device controlling access
• VPN traffic restrictions are configured on VPN server
– Disadvantages
• VPN traffic must travel through the firewall
• Firewall must handle VPN traffic
• Firewall might not know what to do with IP protocols
other than ICMP, TCP, and UDP

Adjusting Packet-Filtering Rules for
VPNs
• Perimeter firewall filters packets VPN sends or
receives
• Packet filtering is based on header fields of inbound
and outbound packets
• IP packet header fields used by packet filtering
– Source address
– Destination address
– Protocol identifier
• You can conduct packet filtering based on any or all
of these header fields

PPTP Filters
• PPTP
– First widely supported VPN protocol
– Supports legacy authentication methods
– Does not require PKI
– Might be only option when VPN connections pass
through NAT
– PPTP uses two protocols
• TCP
• GRE

L2TP and IPSec Filters
• Need to set up rules that permit IPSec traffic
– IKE uses protocol ID 171 and UDP on port 500
– ESP uses protocol ID 50
– AH uses protocol ID 51

Auditing VPNs and VPN Policies
• Auditing needed to make sure organizations have a
well-define VPN policy
• Access policies define standards for connecting to
the organization’s network
– Must be integrated with the security policy
• Policies should be defined for different levels of
restrictions
• VPN endpoints are as vulnerable as internal network
computers
– Endpoints should also use antivirus software and
personal firewalls

Auditing VPNs and VPN Policies
(continued)
• Test each client that will connect to your LAN
– Helps prevent network threats
• You can standardize VPN client for remote users
• Third-party solutions
– Cisco Secure VPN Client
– Nokia VPN Client
– SonicWALL VPN Client
• Verify everything is working according to your
policies

Summary
• Business nature helps determine your VPN
requirements
• Decide placement of VPN servers
– Research hardware and software to use
• Establish a VPN domain
• VPN configurations
– Single entry point configurations
– Multiple entry point configurations
• VPNs need to be used with firewalls

Summary (continued)
• Adjust packet-filtering rules
– To allow PPTP, L2TP, and IPSec traffic
• Auditing VPNs and VPN policies
– After you have installed and configured your VPN
• Work with a knowledgeable remote user
– Helps determine a baseline for future auditing, testing,
and troubleshooting

Summary
• VPNs do not make use of dedicated leased lines
• VPNs send data through a secure tunnel that leads
from one endpoint to another
• VPNs keep critical business communications private
and secure
• VPN components
– VPN servers
– VPN clients
– Protocols

Summary (continued)
• VPN types
– Site-to-site
– Client-to-site
• Encapsulation encloses one packet within another
– Conceals the original information
• VPN protocols
– Secure Shell (SSH)
– Socks version 5
– Point-to-Point Tunneling Protocol (PPTP)
– Layer 2 Tunneling Protocol (L2TP)

Summary (continued)
• IPSec/IKE
• Encryption makes the contents of the packet
unreadable
• Authentication ensures participating computers are
authorized users
– Kerberos: strong authentication system
• VPN advantages
– High level of security at low cost
• VPN disadvantages
– Can introduce serious security risks

VPN Guide to Network Defense and countermeasures

Recommended

Recommended

More Related Content

Similar to VPN Guide to Network Defense and countermeasures

Similar to VPN Guide to Network Defense and countermeasures (20)

More from AliAlwesabi

More from AliAlwesabi (18)

Recently uploaded

Recently uploaded (20)

VPN Guide to Network Defense and countermeasures