Virtual Private Network (VPN)
Presented By: ASI/Tech. Vikram Singh Rathore
CRPF.

What is a VPN?
• Virtual Private Network is a type of private network that uses public network, such as the Internet, instead of leased lines to communicate.
• A VPN includes authentication and encryption to protect data integrity and confidentiality
[Figure labels: VPN, VPN, Internet]

Four Critical Functions
• Authentication – validates that the data was sent from the sender.
• Access control – limiting unauthorized users from accessing the network.
• Confidentiality – preventing the data from being read or copied as the data is being transported.
• Data Integrity – ensuring that the data has not been altered

Private Networks vs. Virtual Private Networks
• Employees can access the network (Intranet) from remote locations.
• Secured networks.
• The Internet is used as the backbone for VPNs
• Saves cost tremendously from reduction of equipment and maintenance costs.
• Scalability

Types of VPNs
• Remote Access VPN
    • Provides access to internal corporate network over the Internet.
    • Reduces long distance, modem bank, and technical support costs.
    [Figure: Remote user VPN. Labels: Internet, Corporate Site]
• Site-to-Site VPN
    • Connects multiple offices over Internet
    • Reduces dependencies on frame relay and leased lines
    [Figure: Site to Site VPN. Labels: Internet, Branch Office, Corporate Site]
• Extranet VPN
    • Provides business partners access to critical information (leads, sales tools, etc)
    • Reduces transaction and operational costs
    [Figure labels: Corporate Site, Internet, Partner #1, Partner #2]
• Intranet VPN: Links corporate headquarters, remote offices, and branch offices over a shared infrastructure using dedicated connections.
    [Figure labels: Internet, LAN clients, Database Server, LAN clients with sensitive data]

Brief Overview of How it Works
• Two connections – one is made to the Internet and the second is made to the VPN.
• Datagrams – contain data, destination and source information.
• Firewalls – VPNs allow authorized users to pass through the firewalls.
• Protocols – protocols create the VPN tunnels.

How security is maintained
• The endpoints of a VPN use some standard mechanisms to establish identification and authorisation.
• For data communication, both of the endpoints use a common encryption protocol like PPTP, L2TP & IPSec.

Tunneling
A virtual point-to-point connection made through a public network. It transports encapsulated datagrams.
[Figure: Data Encapsulation. Labels: Original Datagram, Encrypted Inner Datagram, Datagram Header, Outer Datagram Data Area]
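
The encapsulation on the Tunneling slide, as an added example that is not part of the original presentation: an inner datagram is encrypted, integrity-protected and carried as the data area of an outer datagram addressed between two gateways. The addresses, keys, experimental protocol number 253 and the SHA-256 keystream (a stand-in for a real cipher such as the ones IPsec negotiates) are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import socket
import struct

TUNNEL_PROTO = 253           # IP protocol number reserved for experimentation (assumed here)
NONCE_LEN, TAG_LEN = 12, 16  # sizes chosen for this example


def checksum(header: bytes) -> int:
    """Internet checksum over a header of even length."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_datagram(src: str, dst: str, proto: int, data: bytes) -> bytes:
    """20-byte IPv4 header (no options) followed by the data area."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
    return header + data


def addresses(datagram: bytes):
    """Source and destination address as seen by any router on the path."""
    return socket.inet_ntoa(datagram[12:16]), socket.inet_ntoa(datagram[16:20])


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 in counter mode); a deployment uses a vetted AEAD."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + struct.pack("!I", i // 32)).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


def encapsulate(inner: bytes, gw_src: str, gw_dst: str,
                enc_key: bytes, mac_key: bytes) -> bytes:
    """Encrypt the whole original datagram, add a MAC, wrap it in an outer datagram."""
    nonce = os.urandom(NONCE_LEN)
    body = nonce + _xor_keystream(enc_key, nonce, inner)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()[:TAG_LEN]
    return ipv4_datagram(gw_src, gw_dst, TUNNEL_PROTO, body + tag)


def decapsulate(outer: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    """Check integrity first, then recover the original datagram."""
    payload = outer[(outer[0] & 0x0F) * 4:]
    if len(payload) < NONCE_LEN + TAG_LEN:
        raise ValueError("outer data area too short")
    body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return _xor_keystream(enc_key, body[:NONCE_LEN], body[NONCE_LEN:])


if __name__ == "__main__":
    # Constructed sample: private hosts behind two gateways with documentation addresses.
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    inner = ipv4_datagram("10.1.0.5", "10.2.0.9", 6, b"constructed payload")
    outer = encapsulate(inner, "198.51.100.1", "203.0.113.1", enc_key, mac_key)
    print("on the wire :", addresses(outer))
    print("after tunnel:", addresses(decapsulate(outer, enc_key, mac_key)))
```

An observer on the public network sees only the gateway addresses in the outer header; the inner header, with the private source and destination, travels inside the encrypted data area.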

Three Protocols used in VPN
• PPTP -- Point-to-Point Tunneling Protocol
• L2TP -- Layer 2 Tunneling Protocol
• IPsec -- Internet Protocol Security

Protocol
L2TP :- Layer 2 tunneling protocol
PPTP :- Point to point tunneling protocol
(both work on OSI layer 2, by the encapsulation of one packet within another; this allows you to hide the original packet from view or change the nature of transport)
IPsec :- Internet protocol security
(works on layer 3 of OSI model)

Point-to-Point Tunneling Protocol (PPTP)
• Layer 2 remote access VPN distributed with Windows product family
    • Addition to Point-to-Point Protocol (PPP)
    • Allows multiple Layer 3 Protocols
• Uses proprietary authentication and encryption
• Limited user management and scalability
[Figure labels: Remote PPTP Client, ISP Remote Access Switch, Internet, PPTP RAS Server, Corporate Network]

Layer 2 Tunneling Protocol (L2TP)
• Layer 2 remote access VPN protocol
    • Combines and extends PPTP and L2F (Cisco supported protocol)
    • Weak authentication and encryption
    • Addition to Point-to-Point Protocol (PPP)
    • Must be combined with IPSec for enterprise-level security
[Figure labels: Remote L2TP Client, ISP L2TP Concentrator, Internet, L2TP Server, Corporate Network]

Internet Protocol Security (IPSec)
• Layer 3 protocol for remote access, intranet, and extranet VPNs
    • Internet standard for VPNs
    • Provides flexible encryption and message authentication/integrity

Encryption
• Used to convert data to a secret code for transmission over an untrusted network
[Figure: Clear Text “The cow jumped over the moon”, Encryption Algorithm, Encrypted Text “4hsd4e3mjvd3sd a1d38esdf2w4d”]

Symmetric Encryption
• Same key used to encrypt and decrypt message
• Faster than asymmetric encryption
• Used by IPSec to encrypt actual message data
• Examples: RSA, DES, 3DES, RC5
[Figure label: Shared Secret Key]

Asymmetric Encryption
• Different keys used to encrypt and decrypt message (One public, one private)
• Provides non-repudiation of message or message integrity
• Examples include DSA, SHA-1, MD-5
[Figure labels: Bob, Alice; Encrypt, Alice Public Key; Decrypt, Alice Private Key]

Advantages: Cost Savings
• Eliminating the need for expensive long-distance leased lines
• Reducing the long-distance telephone charges for remote access.
• Transferring the support burden to the service providers
• Operational costs

Advantages: Scalability
• Flexibility of growth
• Efficiency with broadband technology

Disadvantages of VPN
• VPNs require an in-depth understanding of public network security issues and proper deployment of precautions
• Availability and performance depend on factors largely outside of their control
• VPNs need to accommodate protocols other than IP and existing internal network technology

Industries That May Use a VPN
• Healthcare: enables the transferring of confidential patient information within the medical facilities & health care provider
• Manufacturing: allows suppliers to view inventory & allows clients to purchase online safely
• Retail: able to securely transfer sales data or customer info between stores & the headquarters
• Banking/Financial: enables account information to be transferred safely within departments & branches
• General Business: communication between remote employees can be securely exchanged

RSA SecurID
03/19/18

Agenda
• Introduction
• Components
    • Tokens
    • Server
    • Algorithm
• Weaknesses
• Comparison
• Conclusion

RSA SecurID – RSA stands for the last names of three scientists
RIVEST SHAMIR ADLEMAN
1. RON RIVEST
2. ADI SHAMIR
3. LEONARD ADLEMAN

Components of the SecurID® System
• Tokens
• Authentication Server
• Algorithm

Two-factor Authentication with RSA SecurID
PASSCODE = PIN + TOKENCODE
Login: GLAU
Passcode: 2468234836
• Token code: changes every 60 seconds
• Unique seed
• Internal battery
• Clock synchronized to UTC / GMT
• User enters Passcode (PIN + token code)
[Figure labels: User, Authentication Agent, Authentication Manager, Calculates passcode, User Authenticated!]

RSA SecurID Authentication Solution
RSA SecurID: Time Synchronous Two-Factor Authentication
[Figure labels: RSA Authentication Manager; RSA Authentication Agent (RAS, VPN, Web Server, WAP etc.); Seed, Time and Algorithm on each side; 032848; Same Seed, Same Time]

Components of the SecurID® System
• Authentication Server
    • Maintains database of user assigned tokens
    • Generates pass code following the same algorithm as the token
    • Seed – similar to symmetric key
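
How the time-synchronous token code and the server-side check fit together, as an added example that is not from the original slides or from RSA: HMAC-SHA-256 stands in for the proprietary SecurID algorithm, and the seed value, six-digit length, drift window and replay rule are assumptions. The login GLAU, PIN 2468 and the 60-second step are taken from the slide.

```python
import hashlib
import hmac
import os
import struct

STEP = 60    # token code changes every 60 seconds (from the slide)
DIGITS = 6   # displayed token code length (assumed)


def _code_for_step(seed: bytes, step: int) -> str:
    """Stand-in algorithm: HMAC-SHA-256(seed, step) reduced to DIGITS digits."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** DIGITS).zfill(DIGITS)


def token_code(seed: bytes, unix_time: int) -> str:
    """What the token displays at unix_time; its clock runs on UTC."""
    return _code_for_step(seed, unix_time // STEP)


def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class AuthServer:
    """Keeps each user's seed and a PIN verifier; checks PIN + token code."""

    def __init__(self, drift_steps: int = 1):
        self.drift_steps = drift_steps  # tolerated clock skew, in 60 s steps
        self.users = {}

    def enroll(self, login: str, pin: str, seed: bytes) -> None:
        salt = os.urandom(16)
        self.users[login] = {"seed": seed, "salt": salt,
                             "pin": _pin_hash(pin, salt), "last_step": -1}

    def verify(self, login: str, passcode: str, now: int) -> bool:
        user = self.users.get(login)
        if user is None or len(passcode) <= DIGITS:
            return False
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        pin_ok = hmac.compare_digest(_pin_hash(pin, user["salt"]), user["pin"])
        current = now // STEP
        matched = None
        # Same seed, same time: recompute the code for each step in the window.
        for step in range(current - self.drift_steps,
                          current + self.drift_steps + 1):
            if step <= user["last_step"]:
                continue  # code already used (or older): reject replays
            expected = _code_for_step(user["seed"], step)
            if hmac.compare_digest(expected.encode(), code.encode()):
                matched = step
        if pin_ok and matched is not None:
            user["last_step"] = matched  # burn the step only on full success
            return True
        return False


if __name__ == "__main__":
    seed = bytes(range(16))   # constructed seed, shared by token and server
    now = 1_700_000_000       # constructed timestamp
    server = AuthServer()
    server.enroll("GLAU", "2468", seed)
    passcode = "2468" + token_code(seed, now)
    print("first use :", server.verify("GLAU", passcode, now))
    print("replay    :", server.verify("GLAU", passcode, now))
```

The seed is the only secret the token and server share, so its confidentiality on the server side matters as much as a symmetric key's would.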

Components of the SecurID® System
• Algorithm
    • Brainard’s Hashing Algorithm
    • AES Hashing Algorithm

Comparison to Password Systems
• Password systems are built-in, no additional implementation cost?
    • Administration Costs
    • Security Costs
• SecurID
    • No need to regularly change passwords
    • No changes as long as tokens uncompromised (and hash function)

Thanks for your attention
More Related Content

What's hot

Design of a Virtual Private Network
Design of a Virtual Private NetworkDesign of a Virtual Private Network
Design of a Virtual Private NetworkShubhayu Roy
 
Virtual private network
Virtual private networkVirtual private network
Virtual private networkSOHIL SUNDARAM
 
Virtual Private Network
Virtual Private NetworkVirtual Private Network
Virtual Private NetworkRicha Singh
 
Virtual Private Network (VPN)
Virtual Private Network (VPN)Virtual Private Network (VPN)
Virtual Private Network (VPN)Devolutions
 
Virtual Private Network- VPN
Virtual Private Network- VPNVirtual Private Network- VPN
Virtual Private Network- VPNNikhil Kumar
 
Virtual Private Network main
Virtual Private Network mainVirtual Private Network main
Virtual Private Network mainKanika Gupta
 
VPN (virtual private network)
VPN (virtual private network) VPN (virtual private network)
VPN (virtual private network) Netwax Lab
 
Virtual private network
Virtual private network Virtual private network
Virtual private network Parth Akbari
 
Implementing VPN Virtual Private Networks for Small Offices/Organizations
Implementing VPN Virtual Private Networks for Small Offices/OrganizationsImplementing VPN Virtual Private Networks for Small Offices/Organizations
Implementing VPN Virtual Private Networks for Small Offices/OrganizationsSovello Hildebrand
 
Virtual private network(vpn)
Virtual private network(vpn)Virtual private network(vpn)
Virtual private network(vpn)sonalikasingh15
 
Vpn(virtual private network)
Vpn(virtual private network)Vpn(virtual private network)
Vpn(virtual private network)sonangrai
 
Virtual Private Network
Virtual Private NetworkVirtual Private Network
Virtual Private NetworkOsp Dev
 
VPN - Virtual Private Network
VPN - Virtual Private NetworkVPN - Virtual Private Network
VPN - Virtual Private NetworkMariana Hansen
 

What's hot (19)

Design of a Virtual Private Network
Design of a Virtual Private NetworkDesign of a Virtual Private Network
Design of a Virtual Private Network
 
Virtual private network
Virtual private networkVirtual private network
Virtual private network
 
Vp npresentation 2
Vp npresentation 2Vp npresentation 2
Vp npresentation 2
 
Vpn presentation
Vpn presentationVpn presentation
Vpn presentation
 
Vp npresentation (1)
Vp npresentation (1)Vp npresentation (1)
Vp npresentation (1)
 
Virtual Private Network
Virtual Private NetworkVirtual Private Network
Virtual Private Network
 
Virtual Private Network (VPN)
Virtual Private Network (VPN)Virtual Private Network (VPN)
Virtual Private Network (VPN)
 
Virtual Private Network- VPN
Virtual Private Network- VPNVirtual Private Network- VPN
Virtual Private Network- VPN
 
Virtual Private Network main
Virtual Private Network mainVirtual Private Network main
Virtual Private Network main
 
VPN (virtual private network)
VPN (virtual private network) VPN (virtual private network)
VPN (virtual private network)
 
Virtual private network
Virtual private network Virtual private network
Virtual private network
 
Implementing VPN Virtual Private Networks for Small Offices/Organizations
Implementing VPN Virtual Private Networks for Small Offices/OrganizationsImplementing VPN Virtual Private Networks for Small Offices/Organizations
Implementing VPN Virtual Private Networks for Small Offices/Organizations
 
VPN Network
VPN NetworkVPN Network
VPN Network
 
Virtual private network(vpn)
Virtual private network(vpn)Virtual private network(vpn)
Virtual private network(vpn)
 
Vpn ppt
Vpn pptVpn ppt
Vpn ppt
 
Vpn(virtual private network)
Vpn(virtual private network)Vpn(virtual private network)
Vpn(virtual private network)
 
Virtual Private Network
Virtual Private NetworkVirtual Private Network
Virtual Private Network
 
VPN - Virtual Private Network
VPN - Virtual Private NetworkVPN - Virtual Private Network
VPN - Virtual Private Network
 
Ism
IsmIsm
Ism
 

Similar to Vpn (20)

Vpn presentation
Vpn presentationVpn presentation
Vpn presentation
 
VPN
VPN VPN
VPN
 
Ip tunneling and vpns
Ip tunneling and vpnsIp tunneling and vpns
Ip tunneling and vpns
 
VPN_ppt.ppt
VPN_ppt.pptVPN_ppt.ppt
VPN_ppt.ppt
 
Ip tunnelling and_vpn
Ip tunnelling and_vpnIp tunnelling and_vpn
Ip tunnelling and_vpn
 
Vp npresentation
Vp npresentationVp npresentation
Vp npresentation
 
Vp npresentation
Vp npresentationVp npresentation
Vp npresentation
 
VIRTUAL PRIVATE NETWORKS BY SAIKIRAN PANJALA
VIRTUAL PRIVATE NETWORKS BY SAIKIRAN PANJALAVIRTUAL PRIVATE NETWORKS BY SAIKIRAN PANJALA
VIRTUAL PRIVATE NETWORKS BY SAIKIRAN PANJALA
 
Virtual Private Network (VPN).
Virtual Private Network (VPN).Virtual Private Network (VPN).
Virtual Private Network (VPN).
 
Virtual private network
Virtual private networkVirtual private network
Virtual private network
 
Vpn
VpnVpn
Vpn
 
Vpn 3
Vpn 3Vpn 3
Vpn 3
 
Virtual Private Network
Virtual Private NetworkVirtual Private Network
Virtual Private Network
 
Vpn rsvp
Vpn rsvpVpn rsvp
Vpn rsvp
 
What Technology Lies Behind VPN
What Technology Lies Behind VPNWhat Technology Lies Behind VPN
What Technology Lies Behind VPN
 
Insights of vpn
Insights of vpnInsights of vpn
Insights of vpn
 
csevpnppt-170905123948 (1).pdf
csevpnppt-170905123948 (1).pdfcsevpnppt-170905123948 (1).pdf
csevpnppt-170905123948 (1).pdf
 
Virtual Private Networks (VPN) ppt
Virtual Private Networks (VPN) pptVirtual Private Networks (VPN) ppt
Virtual Private Networks (VPN) ppt
 
Remote access connection
Remote access connection Remote access connection
Remote access connection
 
vpn
vpnvpn
vpn
 

Recently uploaded

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 

Recently uploaded (20)

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 

Vpn

  • 1. Virtual Private Network (VPN) Presented By:-Presented By:- ASI/Tech. Vikram Singh RathoreASI/Tech. Vikram Singh Rathore CRPF.CRPF.
  • 3. What is a VPN?  Virtual Private Network is aVirtual Private Network is a type of private network thattype of private network that uses public network, such asuses public network, such as the Internet, instead of leasedthe Internet, instead of leased lines to communicate.lines to communicate.  A VPN includes authenticationA VPN includes authentication and encryption to protect dataand encryption to protect data integrity and confidentialityintegrity and confidentiality VPN VPN InternetInternet
  • 4. Four Critical Functions  AuthenticationAuthentication – validates that the data was– validates that the data was sent from the sender.sent from the sender.  Access controlAccess control – limiting unauthorized users– limiting unauthorized users from accessing the network.from accessing the network.  ConfidentialityConfidentiality – preventing the data to be– preventing the data to be read or copied as the data is beingread or copied as the data is being transported.transported.  Data IntegrityData Integrity – ensuring that the data has– ensuring that the data has not been alterednot been altered
  • 5. Private Networks vs. Virtual Private Networks  Employees can access the network (Intranet) fromEmployees can access the network (Intranet) from remote locations.remote locations.  Secured networks.Secured networks.  The Internet is used as the backbone for VPNsThe Internet is used as the backbone for VPNs  Saves cost tremendously from reduction ofSaves cost tremendously from reduction of equipment and maintenance costs.equipment and maintenance costs.  ScalabilityScalability
  • 6. Types of VPNs  Remote Access VPNRemote Access VPN  Provides access toProvides access to internal corporateinternal corporate network over thenetwork over the Internet.Internet.  Reduces longReduces long distance, modemdistance, modem bank, and technicalbank, and technical support costs.support costs. InternetInternet Corporate Site
  • 8. Types of VPNs  Remote Access VPNRemote Access VPN  Site-to-Site VPNSite-to-Site VPN  Connects multipleConnects multiple offices over Internetoffices over Internet  ReducesReduces dependencies ondependencies on frame relay andframe relay and leased linesleased lines InternetInternet Branch Office Corporate Site
  • 10. Types of VPNs  Remote Access VPNRemote Access VPN  Site-to-Site VPNSite-to-Site VPN  Extranet VPNExtranet VPN  Provides businessProvides business partners access topartners access to critical informationcritical information (leads, sales tools,(leads, sales tools, etc)etc)  Reduces transactionReduces transaction and operational costsand operational costs Corporate Site InternetInternet Partner #1 Partner #2
  • 11. Types of VPNs  Remote Access VPNRemote Access VPN  Site-to-Site VPNSite-to-Site VPN  Extranet VPNExtranet VPN  Intranet VPN:Intranet VPN: Links corporateLinks corporate headquarters, remoteheadquarters, remote offices, and branchoffices, and branch offices over a sharedoffices over a shared infrastructure usinginfrastructure using dedicated connections.dedicated connections. InternetInternet LAN clients Database Server LAN clients with sensitive data
  • 12. Brief Overview of How it Works  Two connections – one is made to theTwo connections – one is made to the Internet and the second is made to theInternet and the second is made to the VPN.VPN.  Datagrams – contains data, destinationDatagrams – contains data, destination and source information.and source information.  Firewalls – VPNs allow authorizedFirewalls – VPNs allow authorized users to pass through the firewalls.users to pass through the firewalls.  Protocols – protocols create the VPNProtocols – protocols create the VPN tunnels.tunnels.
  • 13. How security is maintain  The endpoints of VPN uses someThe endpoints of VPN uses some standard mechanisms for establishedstandard mechanisms for established identification and authorisation.identification and authorisation.  And for data communication both of theAnd for data communication both of the endpoints use some common methodsendpoints use some common methods of encryption protocol like PPTP, L2TPof encryption protocol like PPTP, L2TP & IPSec.& IPSec.
  • 14. Tunneling A virtual point-to-point connectionA virtual point-to-point connection made through a public network. It transportsmade through a public network. It transports encapsulated datagrams.encapsulated datagrams. Encrypted Inner Datagram Datagram Header Outer Datagram Data Area Original Datagram Data Encapsulation
  • 15. Three Protocols used in VPN  PPTP -- Point-to-Point TunnelingPPTP -- Point-to-Point Tunneling ProtocolProtocol  L2TP -- Layer 2 Tunneling ProtocolL2TP -- Layer 2 Tunneling Protocol  IPsec -- Internet Protocol SecurityIPsec -- Internet Protocol Security
  • 16. Protocol: L2TP :- Layer 2 tunneling protocol; PPTP :- Point to point tunneling protocol (both work on OSI layer 2 by encapsulating one packet within another, which allows you to hide the original packet from view or change the nature of transport); IPsec :- Internet protocol security (works on layer 3 of the OSI model)
  • 17. Point-to-Point Tunneling Protocol (PPTP): Layer 2 remote access VPN distributed with Windows product family; Addition to Point-to-Point Protocol (PPP); Allows multiple Layer 3 Protocols; Uses proprietary authentication and encryption; Limited user management and scalability. [Diagram: Remote PPTP Client; ISP Remote Access Switch; Internet; PPTP RAS Server; Corporate Network]
  • 18. Layer 2 Tunneling Protocol (L2TP): Layer 2 remote access VPN protocol; Combines and extends PPTP and L2F (Cisco supported protocol); Weak authentication and encryption; Addition to Point-to-Point Protocol (PPP); Must be combined with IPSec for enterprise-level security. [Diagram: Remote L2TP Client; ISP L2TP Concentrator; Internet; L2TP Server; Corporate Network]
  • 19. Internet Protocol Security (IPSec): Layer 3 protocol for remote access, intranet, and extranet VPNs; Internet standard for VPNs; Provides flexible encryption and message authentication/integrity
  • 20. Encryption: Used to convert data to a secret code for transmission over an untrusted network. [Diagram: Clear Text “The cow jumped over the moon”; Encryption Algorithm; Encrypted Text “4hsd4e3mjvd3sd a1d38esdf2w4d”]
  • 21. Symmetric Encryption: Same key used to encrypt and decrypt message; Faster than asymmetric encryption; Used by IPSec to encrypt actual message data; Examples: RSA, DES, 3DES, RC5. [Diagram: Shared Secret Key]
  • 22. Asymmetric Encryption: Different keys used to encrypt and decrypt message (One public, one private); Provides non-repudiation of message or message integrity; Examples include DSA, SHA-1, MD-5. [Diagram: Bob; Encrypt, Alice Public Key; Decrypt, Alice Private Key; Alice]
  • 23. Advantages: Cost Savings – Eliminating the need for expensive long-distance leased lines; Reducing the long-distance telephone charges for remote access; Transferring the support burden to the service providers; Operational costs
  • 24. Advantages: Scalability – Flexibility of growth; Efficiency with broadband technology
  • 25. Disadvantages of VPN: VPNs require an in-depth understanding of public network security issues and proper deployment of precautions; Availability and performance depend on factors largely outside of their control; VPNs need to accommodate protocols other than IP and existing internal network technology
  • 26. Industries That May Use a VPN: Healthcare: enables the transferring of confidential patient information within the medical facilities & health care provider; Manufacturing: allow suppliers to view inventory & allow clients to purchase online safely; Retail: able to securely transfer sales data or customer info between stores & the headquarters; Banking/Financial: enables account information to be transferred safely within departments & branches; General Business: communication between remote employees can be securely exchanged
  • 29. RSA SecurID – RSA stands for the last names of three scientists: RIVEST, SHAMIR, ADLEMAN. 1. RON RIVEST 2. ADI SHAMIR 3. LEONARD ADLEMAN
  • 30. 03/19/18 Components of the SecurID® System: Tokens; Authentication Server; Algorithm
  • 31. Two-factor Authentication with RSA SecurID: PASSCODE = PIN + TOKENCODE. Login: GLAU; Passcode: 2468234836. Token code: Changes every 60 seconds; Unique seed; Internal battery; Clock synchronized to UCT / GMT
  • 32. RSA SecurID Authentication Solution. [Diagram: User enters Passcode (PIN + token code); Authentication Agent; Authentication Manager; Calculates passcode; User Authenticated!]
  • 33. RSA SecurID Time Synchronous Two-Factor Authentication. [Diagram: Seed and Time feed the Algorithm on both sides and give the same code, 032848; Same Seed, Same Time; RSA Authentication Manager; RSA Authentication Agent on RAS, VPN, Web Server, WAP etc.]
  • 34. Components of the SecurID® System – Authentication Server: Maintains database of user assigned tokens; Generates pass code following the same algorithm as the token; Seed – similar to symmetric key
  • 35. Components of the SecurID® System – Algorithm: Brainard’s Hashing Algorithm; AES Hashing Algorithm
  • 36. Comparison to Password Systems: Password systems are built-in, no additional implementation cost? Administration Costs; Security Costs. SecurID: No need to regularly change passwords; No changes as long as tokens uncompromised (and hash function)
  • 37. Thanks for your attention
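
The time-synchronous check from slides 31 to 34 (PASSCODE = PIN + TOKENCODE, same seed and same time on token and server), as an added example that is not part of the original deck and not RSA's code. SecurID's own algorithm is not reproduced: an HMAC-SHA256 derivation stands in for it, and the seed, PIN, class and function names, drift window and replay guard are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # slide 31: the token code changes every 60 seconds
CODE_DIGITS = 6    # slide 33 shows a six-digit token code
DRIFT_STEPS = 1    # assumption: tolerate one step of clock drift each way

def token_code(seed: bytes, unix_time: int) -> str:
    """Token code for the time step containing unix_time.

    Stand-in derivation (HMAC-SHA256 plus truncation), not SecurID's algorithm.
    """
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(seed, counter, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)

class AuthServer:
    """Hypothetical authentication server: keeps each user's seed and PIN."""

    def __init__(self):
        self._users = {}      # login -> (seed, pin); a real server protects these
        self._last_step = {}  # login -> last accepted time step (replay guard)

    def enroll(self, login: str, seed: bytes, pin: str) -> None:
        self._users[login] = (seed, pin)

    def verify(self, login: str, passcode: str, now: int) -> bool:
        """Recompute PIN + token code from the same seed and time, then compare."""
        if login not in self._users:
            return False
        seed, pin = self._users[login]
        step_now = now // STEP_SECONDS
        for step in range(step_now - DRIFT_STEPS, step_now + DRIFT_STEPS + 1):
            expected = pin + token_code(seed, step * STEP_SECONDS)
            if hmac.compare_digest(expected.encode(), passcode.encode()):
                if step <= self._last_step.get(login, -1):
                    return False  # this time step was already used: replay
                self._last_step[login] = step
                return True
        return False

# Constructed sample values, not taken from the deck.
SEED = bytes.fromhex("00112233445566778899aabbccddeeff")
server = AuthServer()
server.enroll("glau", SEED, "2468")
```

The drift window is what lets a token whose clock runs a minute behind still authenticate, and the replay guard is what stops an observed passcode from being reused inside that same window.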

Editor's Notes

  1. A Virtual Private Network is a private connection over an open network. This could mean encrypting traffic as it passes over a frame relay circuit, but the term is most commonly used to describe a method of sending information privately between two points across the Internet or other IP-based network. It enables organizations to quickly set up confidential communications to branch sites, remote workers, or to business partners in a cost-effective way. To accomplish this, a VPN needs to have a standard way of encrypting data and ensuring the identities of all parties. There are four basic types of deployment that VPNs are used for: Remote Access, Site-to-Site, Extranet, and Client/Server. We’ll look at each in more detail.