Vpn 2


Published on


Published in: Education
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • 11 43 43 Encryption is the masking of secret or sensitive information such that only an authorized party may view (or decrypt) it
  • 15
  • 13 49 49 What is encrypted with the public key can only be decrypted with the private key. Anyone can encrypt with someone’s private key but only the intended recipient can decrypt What is encrypted with the private key can only be decrypted with the public key. Only the holder of the private key can encrypt, anyone can decrypt—proof of signature.
  • 16 45 45 Diffie-Hellman Key Generation By exchanging numbers in the clear, two entities can determine a new unique number known only to them Result is a shared secret Neither party can alone control value Neither party knows—no needs to know—private key of other
  • 17 Diffie-Hellmann exchange is based upon the concept of modular exponentiation. The prime p denotes a galois field. The numbers are HUGE—e.g,. 1024 bits
  • 18 46 46 D-H exchange is in fact two exponentiations One exponentiation produces a “public value”. Private value is a random (but very large) number Public numbers are exchanged and another exponentiation is performed. Each party derives the same shared secret Susceptible to man-in-the-middle attack
  • Vpn 2

    1. 1. Virtual Private Networks Fred Baker
    2. 2. What is a VPN Public networks are used to move information between trusted network segments using shared facilities like frame relay or atm A VIRTUAL Private Network replaces all of the above utilizing the public Internet Performance and availability depend on your ISP and the Internet
    3. 3. Why?
    4. 4. HomeNet to the office.
    5. 5. VPN Types
    6. 6. VPN Implementations
    7. 7. VPN as your Intranet
    8. 8. What a VPN needs <ul><li>VPNs must be encrypted </li></ul><ul><ul><li>so no one can read it </li></ul></ul><ul><li>VPNs must be authenticated </li></ul><ul><li>No one outside the VPN can alter the VPN </li></ul><ul><li>All parties to the VPN must agree on the security properties </li></ul>
    9. 9. VPN Components
    10. 10. Parts of a VPN
    11. 11. VPN works via crypto/Encapsulation
    12. 12. Encryption and Decryption Clear-Text Clear-Text Cipher Text 8vyaleh31&d ktu.dtrw8743 $Fie*nP093h Encryption Bob Is a Fink Bob Is a Fink Decryption
    13. 13. Basic Crypto – Keys are key
    14. 14. 2 Kinds Key Systems
    15. 15. Symmetric Key Algorithms <ul><li>DES—56-bit key </li></ul><ul><li>Triple-DES—encrypt, decrypt, encrypt, using either two or three 56-bit keys </li></ul><ul><li>IDEA—128-bit key </li></ul><ul><li>Blowfish—variable-length key, up to 448 bits </li></ul>
    16. 16. Public Key Encryption Example <ul><li>Alice wants to send Bob encrypted data </li></ul><ul><ul><li>Alice gets Bob’s public key </li></ul></ul><ul><ul><li>Alice encrypts the data with Bob’s public key </li></ul></ul><ul><ul><li>Alice sends the encrypted data to Bob </li></ul></ul><ul><li>Bob decrypts the data with his private key </li></ul>Message Alice Bob Encrypted Message Message Bob’s Public Key Bob’s Private Key Decrypt Encryption
    17. 17. PKI vs Symmetric Key <ul><li>PKI easier as you don’t have to manage keys on a per user basis </li></ul><ul><li>But MUCH more compute intensive (up to 1000 times faster) </li></ul><ul><li>Many systems do a combination I.e. PGP </li></ul><ul><ul><li>Use PKI to send a symmetric key </li></ul></ul><ul><ul><li>Then use the symmetric key to crypto the data </li></ul></ul>
    18. 18. Using Crypto in real life
    19. 19. PKI to send Private Keys
    20. 20. PKI Certs a way to authenticate
    21. 21. Prove the user cert Certificates of authority
    22. 22. Digital Signature to verify data not changed in transit
    23. 23. PKI the full picture
    24. 24. Where you do Crypto
    25. 25. Technologies
    26. 26. Application Layer: SSL
    27. 27. Transport Layer: IPSEC <ul><li>A standard </li></ul><ul><li>is composed of: </li></ul><ul><ul><li>Diffie-Huffman key exchange </li></ul></ul><ul><ul><li>PKI for the DH exchanges </li></ul></ul><ul><ul><li>DES and other bulk encryption </li></ul></ul><ul><ul><li>Hash to authenticate packets </li></ul></ul><ul><ul><li>Digital Certificates to validate keys </li></ul></ul>
    28. 28. Transport Layer: IPSEC VPNs 3 parts
    29. 29. Tunnel vs Transport <ul><li>Transport </li></ul><ul><ul><li>Implemented by the end point systems </li></ul></ul><ul><ul><li>Real address to real address </li></ul></ul><ul><ul><li>Cannot ‘go through’ other networks </li></ul></ul><ul><li>Tunnel </li></ul><ul><ul><li>Encapsulation of the original IP packet in another packet </li></ul></ul><ul><ul><li>Can ‘go through’ other networks </li></ul></ul><ul><ul><li>End systems need not support this </li></ul></ul><ul><ul><li>Often PC to a box on the ‘inside’ </li></ul></ul>
    30. 30. Diffie-Hellman Key Exchange (1976) <ul><li>By openly exchanging non-secret numbers, two people can compute a unique shared secret number known only to them </li></ul>
    31. 31. Modular Exponentiation <ul><li>Generator, g </li></ul><ul><li>Modulus (prime), p </li></ul><ul><li>Y = g X mod p </li></ul>2 ^ 237276162930753723 mod 79927397984597926572651 Both g and p Are Shared and Well-Known
    32. 32. Diffie-Hellman Public Key Exchange Private Value, X A Public Value, Y A Private Value, X B Public Value, Y B (shared secret) Alice Bob Y B mod p = g mod p = Y A mod p X B X A X B Y A Y B X A Y B = g mod p X B Y A = g mod p X A
    33. 33. Security Association is the agreement on how to secure
    34. 34. create the ISAKMP SA (Internet Security Association Key Management Protocol)
    35. 35. IPSEC Key Exchange (IKE)
    36. 36. IKE allows scale as I do not need to hard code passwords for each pair
    37. 37. Link Layer: L2TP for VPDN (Vir Pvt Dial Net)
    38. 38. PPTP: Free from Microsoft
    39. 39. PPTP: Security
    40. 40. VPN Comparisons
    41. 41. So why have a private network: QOS not fully cooked <ul><li>Very dependent on your ISP </li></ul><ul><li>Real hard to do across ISPs </li></ul><ul><li>So no guarantee of performance </li></ul>
    42. 42. Other Issues
    43. 43. Like Nat
    44. 44. Wireless: a new big driver, WAS (Work At Starbucks)
    45. 45. Many security protocols, depends on deployer
    46. 46. VPN means I don’t care how you connect
    47. 47. Example
    48. 48. So what could be wrong? <ul><li>VPN clients hit the network stack </li></ul><ul><li>May not play well with personal firewalls </li></ul><ul><li>Or other software </li></ul><ul><li>May not need full access to the target network just encrypted access </li></ul>
    49. 49. One answer: clientless VPN <ul><li>Use SSL as the transport protocol to an appliance </li></ul><ul><li>Can add NT authentication to the appliance </li></ul><ul><li>Clientless mode: Use web enabled applications over the Internet, the appliance SSLifies web sites </li></ul><ul><li>Java Applet: Use an downloadable applet to send traffic over SSL, get more support for applications. </li></ul><ul><li>Can work well if you want to have encrypted web based apps without redoing the application </li></ul><ul><ul><li>to use SSL you need certs and have to change EVERY link to HTTPs </li></ul></ul><ul><ul><li>Also big hit on the server cpu </li></ul></ul>
    50. 50. Summary: VPNs <ul><li>Very big in the work access space </li></ul><ul><ul><li>Exploit High speed </li></ul></ul><ul><li>Wireless </li></ul><ul><ul><li>in the office </li></ul></ul><ul><ul><li>public ‘hot spots’ like Borders </li></ul></ul><ul><li>Replaces direct dial into the work network </li></ul><ul><li>Replace dedicated Business partners </li></ul><ul><li>May replace the corporate WAN </li></ul>