The document discusses the importance and functionality of Virtual Private Networks (VPNs), emphasizing their ability to securely connect geographically separated offices and mobile users over public networks. It outlines the benefits of VPNs, including improved security, cost reduction, and simplified network topology, while detailing the characteristics and different types of VPNs, such as trusted, secure, and hybrid. Additionally, it covers VPN protocols, encapsulation methods, and various technologies supported for implementing VPNs, particularly in Linux environments.

1. VPNVPN
Copyright by Hacking Feder
Powered by LJ Projects

2. WHY VPN?
• Geographically separate offices need to
communicate.
• Collaboration
• Mobile users
• One Network
•

3. TRADITIONAL CONNECTIVITY

4. VPN
• Allows a trusted network to communicate
to another trusted network over un-trusted
public network.
• Used to extend an enterprise’s internal
private network.

5. VPN
•Definition:
Network of virtual circuits that carries
private traffic through public or shared
networks such as the Internet or those
provided by network service providers.

6. VPN

7. VPN-BENEFITS
• Extends geographical connectivity,
• Improves Security
• Reduces operational costs versus a
traditional WAN
•Improves productivity.

8. VPN-BENEFITS
• Simplifies network topology.
• Provides global networking opportunities.
• Reduces transit time and transportation
costs for remote users.

9. VPN-CHARACTERISTICS
• Traffic is encrypted
• Remote site is authenticated
• Multiple protocol support,
• Connection is point to point.

10. TUNNELLING
Tunnel – a means of forwarding data
across a network from one node to another,
as if two nodes were directly connected.
How it is achieved?
Encapsulation / Encapsulating the Data

11. Encrypted Inner Datagram
Datagram Header Outer Datagram Data Area
Original Datagram
TUNNELLING

12. ENCAPSULATION
• Extra header is added to the data sent
by the transmitting end of the tunnel.
• Data is forwarded by intermediate
nodes based on the outer header
without looking at the contents of the
original packet.

13. ENCAPSULATION
So technically…
VPN is a group of one or more secure
IP tunnel.

14. FOUR CRITICAL FUNCTIONS
Authentication – validates that the data
was sent from the sender.
Access control – limiting unauthorized
users from accessing the network.
Confidentiality – preventing the data to
be read or copied as the data is being
transported.
Data Integrity – ensuring that the data
has not been altered

15. VPN PROTOCOLS
PPTP - Point-to-Point Tunneling Protocol
L2TP - Layer 2 Tunneling Protocol
IPsec - Internet Protocol Security
SOCKS - is not used as much as the ones
above

16. VPN ENCAPSULATION

17. TYPES OF VPN
• Trusted VPN
• Secure VPN
• Hybrid VPN

18. REQUIREMENTS – SECURE VPN
• All traffic on the secure VPN must be
encrypted and authenticated.
• The security property of the VPN must be
agreed to by all parties in the VPN.
• No one outside the VPN can affect the
security property of the VPN.

19. REQUIREMENTS – TRUSTED VPN
• No one other than the trusted VPN provider
can affect the creation or modification of a
path in the VPN.
•No one other than the trusted VPN provider
can change data, inject data, or delete data
on a path in the VPN.

20. REQUIREMENTS – TRUSTED VPN
•The routing and addressing used in a trusted
VPN must be established before the VPN is
created.

21. REQUIREMENTS – HYBRID VPN
• The address boundaries of the secure VPN
within the trusted VPN must be extremely
clear.
• The admin should be able to say which one
is secure VPN, when there is a Hybrid VPN
setup.

22. TECHNOLOGIES SUPPORTED – SVPN
• IPSec with Encryption
• Either tunnel or transport modes.
• Security association can be set up either
manually or using IKE with either
certificates or pre-shared secrets.
• IPSec inside of L2TP
•SSL 3.0 or TLS with encryption.
•TLS – RFC 3193

23. IPSec RFC
• IKEv1
• 2401, 2406, 2407, and 2409
•IKEv2
• 4301, 4303, 4306, 4307, and 4308

24. TECHNOLOGIES SUPPORTED – TVPN
• Mainly classified into:
• Layer 2 VPN, and
• Layer 3 VPN

25. TECHNOLOGIES SUPPORTED – TVPN
• Layer 2 VPN
• ATM Circuits
• Frame Relay Circuits, and
• Transport of Layer 2 frames over MPLS.

26. TECHNOLOGIES SUPPORTED – TVPN
• Layer 3 VPN
• MPLS with constrained distribution of
routing information through BGP. (RFC
4364).

27. TECHNOLOGIES SUPPORTED – HVPN
• Any supported secure VPN technologies
running over any supported trusted VPN
technology.

28. VPN IN LINUX
• IPSec –
• Standard developed by International
Engineering Task Force – IETF
• Linux includes IPSec support – Linux 2.6
kernel.
• Offer administrative interface – ipsec-
tools

29. VPN IN LINUX
•PPP over OpenSSH
• Method & not a tool.
• With the existing tools, you can configure
a PPP interface to use SSH to encrypt all
data that goes across the PPP interface.
• Poor performance when compared to
other.

30. VPN IN LINUX
•OpenVPN
• www.openvpn.net
• Can create a tunnel to remote systems
over public networks with encryption and
authentication features.
• yum install openvpn

31. VPN IN LINUX
• openswan
• www.openswan.org
• An implementation of IPSec that was
originally based on code from the
FreeS/WAN project. (www.freeswan.org).
• yum install openswan

32. VPN IN LINUX
• Crypto IP Encapsulation (CIPE)
• IP Packets are routed across selected IP
interfaces as encrypted UDP packets.
• Easy to setup
• Less overhead than PPP over OpenSSH
• Means better performance.
• Drawback – Since not a standard
implementation, not available on all distro

33. UNDERSTANDING IPSec
•IPSec consists of two primary protocols:
• Authentication Header (AH)
• Encapsulating Security Payload (ESP)

34. UNDERSTANDING IPSec
/etc/protocols
•AH = 51
•ESP = 50

35. UNDERSTANDING IPSec
•IPSec Mode
•Tunnel Mode
•Transport Mode

36. UNDERSTANDING IPSec
Tunnel Mode
•Entire IP datagram is encapsulated into
the new IP datagram by IPSec.
•Protects both data and the control
information.

37. UNDERSTANDING IPSec
Transport Mode
• Only the data (payload) is encrypted.
• To do this, IPSec inserts its own header
between the IP header and the protocol
header for the upper layer.

38. UNDERSTANDING IPSec
Transport Mode
AH
IP Header -> AH Header -> TCP Header + Payload
ESP
IP Header -> ESP -> TCP HEader + Payload
=================================================
Tunnel Mode
AH
IP Header -> AH Header -> Original IP Header -> TCP Header + Payload
ESP
IP Header -> ESP -> IP Header + TCP Header + Payload

39. UNDERSTANDING IPSec

40. AH-Tunnel

41. UNDERSTANDING IPSec

42. UNDERSTANDING IPSec

43. UNDERSTANDING IPSec

44. UNDERSTANDING IPSec
•Review – Features of VPN
• Authentication,
• Encryption
•For authentication and exchange of
symmetric keys, IPSec uses the Internet Key
Exchange – IKE protocol.

45. UNDERSTANDING IPSec
•At the beginning of communication, IKE:
•Authenticates the peer computer,
•Negotiates security associations,
•Choose secret symmetric keys (using
Diffie Hellmann key exchange)

46. UNDERSTANDING IPSec
• Result/
•Security Association - SA
•The SA made is stored in Security
Association Database – SAD.

47. UNDERSTANDING IPSec
• SA consists of:
• information about the communications
endpoints – eg public IP address.
• whether AH or ESP are being used with
IPSec, and
• The secret key / algorithm being used.

48. UNDERSTANDING IPSec
•HMAC – Hash Message Authentication
Codes
• Send through the Protocol Header
• Message Authentication Code
• Calculated using a specific algorithm
involving cryptographic hash function in
combination with a secret key.

49. UNDERSTANDING IPSec
HMAC offers the following advantages:
• Data Integrity –
The HMAC created using the hash
algorithm, secret key and data in the IP
datagram can be checked at the receiver
end by reversing the order.
• Data privacy
Datagrams are encrypted using symmetric
encryption algorithms.

50. IPSec – DoS Attack
• Recording and replaying sequence of
packets can cause denial of service attacks.
• IPSec combats this type of attacks
• Accepts only packets that are within a
“sliding window” of sequence numbers or
higher.
• Packets using older sequence numbers are
dropped.