Transcript

Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh


A VPN provides secure remote access to individuals and businesses outside your network.

VPNs use the Internet to route LAN traffic from one private network to another.

The packets are unreadable by intermediary Internet computers because they are encrypted, and they can encapsulate (or carry) any kind of LAN communications.


VPN systems do not protect your network—they merely transport data.

Most modern VPN systems are combined with firewalls in a single device.


The remote client authenticates itself on the VPN gateway.

The client acquires a private IP address with DHCP-over-IPSec.

The remote client is now part of the private network.


VPNs solve the problem of direct Internet access to servers through a combination of the following fundamental components:

1. IP encapsulation
2. Cryptographic authentication
3. Data payload encryption


Although cryptographic authentication and data payload encryption may seem like the same thing at first, they are actually entirely different functions.

Secure Sockets Layer (SSL) performs data payload encryption without cryptographic authentication of the remote user, whereas a standard Windows logon performs cryptographic authentication without performing data payload encryption.


An IP packet can contain any kind of information: program files, spreadsheet data, audio streams, or even other IP packets.

When an IP packet contains another IP packet, it is called IP encapsulation, IP over IP, or IP/IP.

Private networks should always use private address ranges for their internal networking and use Network Address Translation or proxying to access the public Internet.


IP encapsulation can make it appear to computers inside the private network that distant networks are actually adjacent—separated from each other by a single router.

But they are actually separated by many Internet routers and gateways that may not even use the same address space because both internal networks are using address translation.


The tunnel endpoint—be it a router, firewall, VPN appliance, or a server running a tunneling protocol—will receive the public IP packet, remove the internal packet contained within it, decrypt it (assuming that it’s encrypted—it doesn’t have to be), and then apply its routing rules to send the embedded packet on its way in the internal network.
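The encapsulation and tunnel-endpoint steps described above, as an added example that is not part of the lecture: a minimal model of IP-in-IP (IP/IP) in Python, using only the standard library. The addresses are constructed sample values (private RFC 1918 addresses inside, TEST-NET public addresses outside); the optional encryption of the inner packet is left out, since plain IP/IP does not require it.

```python
# Added example (not from the lecture): a minimal model of IP-in-IP encapsulation
# and of what the tunnel endpoint does with the outer packet. Standard library only.
import socket
import struct
from ipaddress import ip_address, ip_network

IPPROTO_IPIP = 4  # IANA protocol number for "IP in IP"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791 header checksum)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build an IPv4 packet with a 20-byte header (no options) and a valid checksum."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse the header, rejecting packets whose checksum no longer matches."""
    ihl = (packet[0] & 0x0F) * 4
    header = packet[:ihl]
    if ipv4_checksum(header) != 0:           # a correct header sums to zero
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", header[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def encapsulate(inner: bytes, gateway_public: str, peer_public: str) -> bytes:
    """Tunnel entry: carry a private-address packet inside a public-address packet.
    Encryption of the inner packet is omitted here; plain IP/IP does not require it."""
    return build_ipv4(gateway_public, peer_public, IPPROTO_IPIP, inner)


def tunnel_endpoint(outer: bytes, internal_routes: list) -> dict:
    """Tunnel exit: strip the outer header, then apply internal routing rules."""
    outer_hdr = parse_ipv4(outer)
    if outer_hdr["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP/IP packet")
    inner = parse_ipv4(outer_hdr["payload"])
    for net in internal_routes:
        if ip_address(inner["dst"]) in net:
            return {"action": "forward", "route": str(net), "inner": inner}
    return {"action": "drop", "inner": inner}


def demo() -> tuple:
    # Constructed sample: a packet between two private addresses crosses the
    # Internet inside a packet between two public gateway addresses.
    inner = build_ipv4("10.0.0.5", "10.0.1.7", 17, b"hello from the remote LAN")
    outer = encapsulate(inner, "203.0.113.10", "198.51.100.20")
    result = tunnel_endpoint(outer, [ip_network("10.0.1.0/24")])
    return outer, result


if __name__ == "__main__":
    outer, result = demo()
    print(len(outer), "bytes on the wire;", result["action"], "to", result["inner"]["dst"])
```

The outer header is the only thing the Internet routers see; the inner addresses are just payload to them, which is why the two private networks can appear adjacent even though they use overlapping private ranges behind their own NATs.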


Cryptographic authentication is used to securely validate the identity of the remote user so the system can determine what level of security is appropriate for that user.

In order for two devices from different vendors to be compatible, they must:
› support the same authentication and payload encryption algorithms, and
› implement them in the same way.


Data payload encryption is used to obfuscate the contents of the encapsulated data without relying on encapsulating an entire packet within another packet.

In that manner, data payload encryption is exactly like normal IP networking except that the data payload has been encrypted.


Data payload encryption obfuscates the data but does not keep header information private, so details of the internal network can be ascertained by analyzing the header information.


VPNs are:
› cheaper than WANs
› easier to establish than WANs
› slower than LANs
› less reliable
› less secure than local LANs and WANs


› IPSec tunnel mode
› L2TP
› PPTP


IPSec is the IETF’s standard suite for secure IP communications; it relies on encryption to ensure the authenticity and privacy of IP communications.


IPSec provides mechanisms that can be used to do the following:
› Authenticate individual IP packets and guarantee that they are unmodified.
› Encrypt the payload (data) of individual IP packets between two end systems.
› Encapsulate a TCP or UDP socket between two end systems (hosts) inside an encrypted IP link (tunnel) established between intermediate systems (routers) to provide virtual private networking.


IPSec performs these three functions using three independent mechanisms:

Authentication Header (AH) to provide authenticity (Integrity)

Encapsulating Security Payload (ESP) to encrypt the data portion of an IP Packet (Integrity and Confidentiality)

Internet Key Exchange (IKE) for exchanging public keys (Authentication)


AH computes a checksum of the header information of a TCP/IP packet.

The checksum is encrypted with the public key of the receiver.

The receiver decrypts the checksum with its key and checks the header against the checksum. If the computed checksum is different:
› decryption failed, or
› the header has been modified.


Because NAT changes header information, IPSec AH cannot be reliably passed through a NAT

ESP can still be used to encrypt the payload, but support for ESP without AH varies among implementations of IPSec.
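The receiver's check described above, and the reason a NAT on the path breaks it, as an added example (not the lecture's code). One simplification is named plainly: real AH (RFC 4302) protects the packet with a keyed hash (HMAC) under a key both peers share, not by encrypting a checksum with the receiver's public key, and this model uses the keyed hash. The key and packet here are constructed values; in practice the key would be negotiated by IKE.

```python
# Added example (not from the lecture): a simplified model of the AH integrity check,
# the receiver's decision, and why a NAT on the path breaks it. Real AH uses a keyed
# hash (HMAC) over the packet under a key shared by the two peers; that is what this
# model does. The key is a constructed value, not one negotiated by IKE.
import hashlib
import hmac
import socket
import struct


def ah_icv(key: bytes, pkt: dict) -> bytes:
    """Integrity Check Value over the fields that must not change in transit:
    addresses, upper-layer protocol and payload. TTL is excluded, as in AH,
    because every router on the path legitimately decrements it."""
    covered = (socket.inet_aton(pkt["src"]) + socket.inet_aton(pkt["dst"])
               + struct.pack("!B", pkt["proto"]) + pkt["payload"])
    return hmac.new(key, covered, hashlib.sha256).digest()


def ah_protect(key: bytes, pkt: dict) -> dict:
    """Sender: attach the ICV to the packet."""
    return {**pkt, "icv": ah_icv(key, pkt)}


def ah_verify(key: bytes, pkt: dict) -> str:
    """Receiver: recompute the ICV and compare it with the one carried in the packet.
    Returns the decision taken."""
    if hmac.compare_digest(ah_icv(key, pkt), pkt["icv"]):
        return "accept"
    return "drop: header or payload modified, or keys do not match"


def source_nat(pkt: dict, public_ip: str) -> dict:
    """What a source NAT does: rewrite the source address. It cannot recompute the
    ICV because it does not hold the key, so the packet arrives with a stale ICV."""
    return {**pkt, "src": public_ip}


def demo() -> dict:
    key = b"constructed-shared-key"        # constructed; in practice negotiated by IKE
    pkt = {"src": "10.0.0.5", "dst": "198.51.100.20", "proto": 6, "ttl": 64,
           "payload": b"GET / HTTP/1.0\r\n"}           # constructed sample packet
    sent = ah_protect(key, pkt)
    return {
        "intact":      ah_verify(key, sent),
        "ttl_changed": ah_verify(key, {**sent, "ttl": 57}),      # normal router hops
        "tampered":    ah_verify(key, {**sent, "payload": b"GET /other HTTP/1.0\r\n"}),
        "after_nat":   ah_verify(key, source_nat(sent, "203.0.113.10")),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:12s} -> {decision}")
```

The NAT case fails for exactly the same reason as the tampering case: from the receiver's point of view a rewritten source address is indistinguishable from a forged one. This is why a gateway behind a NAT has to rely on ESP (whose integrity check does not cover the outer addresses) rather than AH.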


With Encapsulating Security Payload, the transmitter encrypts the payload of an IP packet using the public key of the receiver.

The receiver then decrypts the payload upon receipt and acts accordingly.


In early IPSec systems, public keys were manually installed via file transfer or by actually typing them in.

Each machine’s public key had to be installed on the reciprocal machine.

As the number of security associations a host required increased, the burden of manually keying machines became seriously problematic.


The Internet Key Exchange (IKE) protocol obviates the necessity to manually key systems.

IKE uses private key security to validate the remote firewall’s authority to create an IPSec connection and to securely exchange public keys.

Once the public keys are exchanged and the encryption protocols are negotiated, a security association is automatically created on both hosts and normal IPSec communications can be established.
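The manual-keying burden and the automatic exchange that replaces it, as an added example (not the lecture's or any IKE implementation's code): a toy model of two gateways validating each other and ending up with an identical security association without anyone installing keys by hand. Assumptions: the peers prove their authority with a pre-shared secret (one IKE option; certificates are another), the shared key comes from a Diffie-Hellman exchange, the algorithm list is negotiated to the first common entry, and the group is deliberately toy-sized. Cookies, replay protection and rekeying are not modelled.

```python
# Added example (not from the lecture): a toy model of what IKE automates, namely two
# gateways agreeing on a security association (SA) without manual keying.
# Assumptions: pre-shared-key authentication, Diffie-Hellman for the shared secret,
# a toy-sized group. No cookies, replay protection or rekeying.
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy prime; real IKE uses a standard MODP (RFC 3526) or elliptic-curve group
G = 5


def auth_tag(psk: bytes, signer: dict, other: dict) -> bytes:
    """Proof that the signer knows the pre-shared key, bound to both public values
    and both nonces so it cannot be replayed into a different exchange."""
    transcript = (signer["id"].encode() + signer["pub"].to_bytes(16, "big") + signer["nonce"]
                  + other["pub"].to_bytes(16, "big") + other["nonce"])
    return hmac.new(psk, transcript, hashlib.sha256).digest()


def derive(shared: int, nonce_i: bytes, nonce_r: bytes, label: bytes) -> bytes:
    """Derive one SA key from the DH secret and both nonces; the label separates
    the encryption key from the authentication key."""
    return hmac.new(nonce_i + nonce_r, shared.to_bytes(16, "big") + label, hashlib.sha256).digest()


class Gateway:
    def __init__(self, name: str, psk: bytes, proposals: list):
        self.name, self.psk, self.proposals = name, psk, proposals
        self.priv = secrets.randbelow(P - 2) + 2          # never leaves this host
        self.nonce = secrets.token_bytes(16)
        self.sa = None

    def proposal(self) -> dict:
        """Message content: identity, DH public value, nonce, acceptable algorithms."""
        return {"id": self.name, "pub": pow(G, self.priv, P), "nonce": self.nonce,
                "algs": list(self.proposals)}

    def finish(self, peer: dict, peer_tag: bytes, i_am_initiator: bool) -> bool:
        """Verify the peer's authentication tag, then create the SA on this side."""
        mine = self.proposal()
        if not hmac.compare_digest(auth_tag(self.psk, peer, mine), peer_tag):
            return False                                   # peer does not know the PSK
        common = [a for a in mine["algs"] if a in peer["algs"]]
        if not common:
            return False                                   # nothing both sides implement
        shared = pow(peer["pub"], self.priv, P)
        n_i, n_r = (mine["nonce"], peer["nonce"]) if i_am_initiator else (peer["nonce"], mine["nonce"])
        self.sa = {"peer": peer["id"], "alg": common[0],
                   "enc_key": derive(shared, n_i, n_r, b"enc"),
                   "auth_key": derive(shared, n_i, n_r, b"auth")}
        return True


def establish(initiator: Gateway, responder: Gateway) -> bool:
    """The exchange in both directions. Only public values and tags cross the wire."""
    m1 = initiator.proposal()                      # I -> R: my public value, nonce, algorithms
    m2 = responder.proposal()                      # R -> I: likewise
    tag_i = auth_tag(initiator.psk, m1, m2)        # I -> R: I know the PSK, for this exchange
    tag_r = auth_tag(responder.psk, m2, m1)        # R -> I: so do I
    return responder.finish(m1, tag_i, False) and initiator.finish(m2, tag_r, True)


if __name__ == "__main__":
    a = Gateway("gw-a", b"constructed-psk", ["ESP-AES", "AH-HMAC-SHA256"])
    b = Gateway("gw-b", b"constructed-psk", ["ESP-AES"])
    print("established:", establish(a, b), "alg:", a.sa and a.sa["alg"],
          "keys match:", a.sa and a.sa["enc_key"] == b.sa["enc_key"])
```

Nothing secret was typed on either side, and a peer that presents the wrong pre-shared key never gets an SA, which is the property that made hand-installed keys unnecessary.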


Layer 2 Tunneling Protocol (L2TP) is an extension to the Point-to-Point Protocol (PPP).

PPP is the protocol used when you dial into the Internet with a modem.

It transfers data from your computer to a remote access server at your ISP.

The ISP forwards the data on to the Internet.


Like PPP, L2TP includes a mechanism for secure authentication using a number of different authentication mechanisms.

Unlike pure IPSec tunneling, L2TP can support any interior protocol, including Internetwork Packet Exchange (IPX), AppleTalk and NetBEUI.

L2TP packets can also be encrypted using IPSec.


L2TP can be transported over any Data Link layer protocol (ATM, Ethernet, etc.) or Network layer protocol (IP, IPX, etc.).

L2TP supports the three requisite functions to create a VPN: authentication, encryption, and tunneling.


Microsoft and Cisco both recommend L2TP as their primary method for creating VPNs.

It is not yet supported by most firewall vendors, however, and it does not transit network address translators well.


PPTP was Microsoft’s first attempt at secure remote access for network users.

PPTP creates an encrypted PPP session between two TCP/IP hosts.

Unlike L2TP, PPTP operates only over TCP/IP.

PPTP does not use IPSec to encrypt packets; it uses a hash of the user’s Windows NT password to create a private key between the client and the remote server.


Because of its ubiquity, routing flexibility, and ease of use, PPTP is probably the most common form of VPN.


Use a real firewall
› Firewalls make ideal VPN endpoints because they can route translated packets between private systems.

Secure the base operating system
› No VPN solution provides effective security if the operating system of the machine is not secure.


Use packet filtering to reject unknown hosts
› You should always use packet filtering to reject connection attempts from every computer except those you’ve specifically set up to connect to your network remotely.


Compress before you encrypt
› Properly encrypted data cannot be compressed.
› This means that if you want to use compression, you must compress before you encrypt.
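The two orderings side by side, as an added example that is not from the lecture. The cipher is a toy keystream (SHA-256 in counter mode, XORed into the data) so that the example runs with the standard library alone; a real VPN would use ESP with a proper cipher. The sample traffic, key and nonce are constructed values.

```python
# Added example (not from the lecture): why compression has to happen before
# encryption. Toy keystream cipher for illustration only; standard library only.
import hashlib
import zlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def compress_then_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """The recommended order: the compressor sees the redundancy in the plaintext."""
    return xor_crypt(key, nonce, zlib.compress(data, 9))


def encrypt_then_compress(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """The wrong order: the compressor sees ciphertext, which has no redundancy left."""
    return zlib.compress(xor_crypt(key, nonce, data), 9)


def decrypt_then_decompress(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Receiver side for compress_then_encrypt: undo the steps in reverse."""
    return zlib.decompress(xor_crypt(key, nonce, blob))


def compare(key: bytes, nonce: bytes, data: bytes) -> dict:
    """Bytes on the wire for the plain payload and for each ordering."""
    return {"plain": len(data),
            "compress_then_encrypt": len(compress_then_encrypt(key, nonce, data)),
            "encrypt_then_compress": len(encrypt_then_compress(key, nonce, data))}


# Constructed sample: repetitive LAN traffic of the kind that compresses well.
SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n" * 40
KEY, NONCE = b"constructed-key", b"constructed-nonce"

if __name__ == "__main__":
    for order, size in compare(KEY, NONCE, SAMPLE).items():
        print(f"{order:22s} {size:5d} bytes")
```

Encrypting first yields output at least as large as the plaintext (zlib falls back to storing incompressible data with a few bytes of framing overhead), while compressing first shrinks it substantially. One caveat a practitioner should keep in mind: when attacker-influenced data is compressed together with secrets, the compressed length itself leaks information about those secrets (the CRIME/BREACH class of attacks), which is why many modern VPN and TLS deployments leave compression disabled altogether.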


Secure remote hosts
› Consider the case of a home user with more than one computer who is using a proxy product like WinGate to share their Internet connection and also has a VPN tunnel established over the Internet to your network.
› Any hacker on the planet could then proxy through the WinGate server directly into your private network.
