CCNA Advance Chapter 6 Virtual Private Network - VPN

Chapter 6 - VPN - Part 1 - Overview

Sep 04, 2015

Cao Hồng Minh

Transcript
  • CCNA Advance

    Chapter 6 Virtual Private Network - VPN

  • VPN Concepts

  • 3

    VPN Overview

    A Virtual Private Network (VPN) is defined as network connectivity deployed on a shared infrastructure with the same policies and security as a private network. A VPN can be between two end systems, or between two or more networks. A VPN can be built using tunnels and encryption, and can operate at any layer of the OSI protocol stack. A VPN is an alternative WAN infrastructure that replaces or augments existing private networks built on leased lines or enterprise-owned Frame Relay or ATM networks.

  • 4

    VPN Overview

    VPNs provide three critical functions (C-I-A):

    - Confidentiality (encryption): The sender can encrypt the packets before transmitting them across a network. By doing so, no one can access the communication without permission. If intercepted, the communications cannot be read.

    - Data integrity: The receiver can verify that the data was transmitted through the Internet without being altered.

    - Origin authentication: The receiver can authenticate the source of the packet, guaranteeing and certifying the source of the information.

  • 5

    Tunneling and Encryption

    1. Host A wants to send a packet to host B. The packet will be:

       IP dest: 10.0.2.3 | IP source: 10.0.1.3 | Segment | Others

    2. Router A can send it out, but no other router in the Internet can forward that packet, because that IP is a private IP, not a public IP.

  • 6

    Tunneling and Encryption

    3. Our solution? Tunneling at the router.

       Original packet:

       IP dest: 10.0.2.3 | IP source: 10.0.1.3 | Segment | Others

       Tunneled packet (the whole original packet becomes the payload of a new outer header):

       IP dest: 172.30.1.2 | IP source: 172.30.2.2 | Others | [ IP dest: 10.0.2.3 | IP source: 10.0.1.3 | Segment | Others ]

    4. The tunneled packet will be forwarded in the Internet.
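    The tunneling step above, worked through as an added example (not part of the original slides): a minimal IPv4 packet builder and parser that wraps host A's packet inside an outer IP-in-IP header carrying the routers' public addresses, then unwraps it. The slide's figure does not say which router owns which public address, so this example assumes router A is 172.30.1.2 and router B is 172.30.2.2; the segment bytes and the hypothetical function names are constructed here. It also shows the point of slide 7: after encapsulation alone, the private addresses and the segment are still readable in the outer payload.

```python
import socket
import struct

IPPROTO_IPIP = 4   # protocol number of the outer header for IP-in-IP (RFC 2003)
IPPROTO_TCP = 6

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words of the header, as IPv4 requires."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header (no options) followed by the payload."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    checksum = ipv4_checksum(header)
    header = header[:10] + struct.pack("!H", checksum) + header[12:]
    return header + payload

def parse_ipv4(packet: bytes) -> dict:
    """Parse a header; a valid header recomputes to checksum 0 when the field is included."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}

def tunnel_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Step 3 of the slides: the whole original packet becomes the payload of a
    new IP header whose addresses are the tunnel endpoints (the routers)."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner_packet)

def tunnel_decapsulate(outer_packet: bytes) -> bytes:
    """The far-end router strips the outer header and forwards the original packet."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    return outer["payload"]

def demo():
    # Constructed sample: host A (10.0.1.3) sends a TCP segment to host B (10.0.2.3)
    segment = b"hello from host A"
    original = build_ipv4("10.0.1.3", "10.0.2.3", IPPROTO_TCP, segment)
    # Assumption: router A's public address is 172.30.1.2, router B's is 172.30.2.2
    tunneled = tunnel_encapsulate(original, "172.30.1.2", "172.30.2.2")
    outer = parse_ipv4(tunneled)
    inner = parse_ipv4(tunnel_decapsulate(tunneled))
    # Slide 7, step 5: without encryption the private addresses and the segment
    # are still visible in clear text inside the outer packet's payload
    leaks_private_addrs = socket.inet_aton("10.0.1.3") in outer["payload"]
    return outer, inner, leaks_private_addrs

if __name__ == "__main__":
    outer, inner, leaks = demo()
    print("outer:", outer["src"], "->", outer["dst"], "proto", outer["proto"])
    print("inner:", inner["src"], "->", inner["dst"], inner["payload"])
    print("private addresses readable in outer payload:", leaks)
```

    Only the outer addresses are consulted by Internet routers, which is why the private inner addresses stop being a forwarding problem; it is also why step 6 of the slides adds encryption of that payload.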

  • 7

    Tunneling and Encryption

    Tunneled packet:

    IP dest: 172.30.1.2 | IP source: 172.30.2.2 | Others | [ IP dest: 10.0.2.3 | IP source: 10.0.1.3 | Segment | Others ]

    5. The tunneled packet is clear text, so its information can be exposed at any time.

    6. Our solution? Encryption. The original packet is encrypted before it is placed inside the tunnel header:

    IP dest: 172.30.1.2 | IP source: 172.30.2.2 | Others | [ Encrypted data ]

  • 8

    VPN Usage Scenarios

    - Remote Access
      - Client Access
      - Network Access

    - Site-to-site
      - Intranet
      - Extranet

  • 9

    Key VPN Terms

    Tunnel: A virtual point-to-point connection used in a network to carry traffic from one protocol encapsulated inside another protocol. For example, encrypted ciphertext carried in an IP packet.

    Encryption/decryption: Encryption is the process of transforming information content, called clear text or plain text, into a hidden form called ciphertext so that it will not be readable or usable by unauthorized users. Decryption transforms ciphertext back into clear text, or plain text, so that it is accessible for reading or use by authorized users. Ciphertext is created by feeding data into an encryption algorithm along with an encryption key (a string of bits that seeds the encryption process).

  • 10

    Key VPN Terms

    Cryptosystem: A system to accomplish the encryption/decryption, user authentication, hashing, and key-exchange processes. A cryptosystem may use one of several different methods, depending on the policy intended for various user traffic situations.

    Hashing: A data integrity technology that uses a formula or algorithm to convert a variable-length message and shared secret key into a single fixed-length string of digits. The message/key and hash travel the network from source to destination. At the destination the recalculated hash is used to verify that the message and key have not changed while traveling the network. Examples of hashing formulas or algorithms are SHA and MD5.

  • 11

    Key VPN Terms

    Authentication: The process of identifying a user or process attempting to access a computer system or network connection. Authentication ensures that the individual or process is who he, she, or it claims to be. Authentication does not confer associated access rights.

    Authorization: The process of giving authenticated individuals or processes access to computer system or network connection resources.

    Key management: A key is information, usually a sequence of random or seemingly random binary digits, used initially to set up and periodically to change the operations performed in a cryptosystem. Key management is the supervision and control of the process whereby keys are generated, stored, protected, transferred, loaded, used, and destroyed.

  • 12

    Key VPN Terms

    Certificate Authority (CA) service: A third-party service that is trusted to help secure the communications between network entities or users by creating and assigning digital certificates, such as public-key certificates, for encryption purposes. A CA vouches for the binding between the data security items in the certificate. Optionally, a CA creates the user's encryption keys.

  • 13

    Key VPN Terms

    IPSec uses three main protocols to create a security framework:

    - Internet Key Exchange (IKE): Provides a framework for negotiation of security parameters and establishment of authenticated keys.

    - Encapsulating Security Payload (ESP): Provides a framework for encrypting, authenticating, and securing data.

    - Authentication Header (AH): Provides a framework for authenticating and securing data.

  • 14

    IPSec Key Protocols and Elements

    Internet Security Association and Key Management Protocol (ISAKMP): A protocol framework that defines payload formats, the mechanics of implementing a key exchange protocol, and the negotiation of an SA. Note: IKE is synonymous with ISAKMP in Cisco router or PIX Firewall configurations.

    Security Association (SA): A set of policy and key(s) used to protect information. The ISAKMP SA is the shared policy and key(s) used by the negotiating peers in this protocol to protect their communication.

  • 15

    Cisco IOS Cryptosystem Overview

  • 16

    Data Confidential: Encryption Algorithms

  • 17

    Data Confidential: Encryption Algorithms

    - Symmetrical/secret key encryption.

    - Asymmetrical/public key encryption.

  • 18

    Symmetrical Algorithms

    Common symmetrical algorithms:

    - RC-4.
    - 56-bit Data Encryption Standard (DES).
    - 168-bit 3DES (triple DES).
    - 128- or 256-bit Advanced Encryption Standard (AES).
    - Blowfish.

    Advantages of symmetrical algorithms:

    - Speed: fast.
    - Mathematical computations are easy to implement in hardware (small key).
    - Good for large amounts of data.

    Disadvantages of symmetrical algorithms:

    - Sender and receiver share the same password.
    - There is the problem of how to share the password (key management).

  • 19

    Asymmetrical Algorithms

    Common asymmetrical algorithms: RSA, ElGamal, elliptic curves.

    Advantages of asymmetrical algorithms:

    - No problems with key management: one key is kept private and the other key is public and given to anyone that needs to encrypt data.
    - Great for authentication, because you are the only one with the private key used to decrypt the data.
    - Can be used for digital signatures, authenticated key exchanges, email, or small amounts of data.
    - Based on very hard mathematical equations (large key).

    Disadvantage of asymmetrical algorithms:

    - Slower at encrypting than symmetrical algorithms.

  • 20

    Data Integrity Hash Functions

    Hash functions are used to provide the integrity service. At the local end, the message is sent through a hash algorithm. A hash algorithm is a formula used to convert a variable-length message into a single string of digits of a fixed length, called a hash value. A one-way hashing algorithm has two advantages:

    - The original data cannot be determined from the hash value.
    - The fixed-size hash output value makes for a predictable amount of packet overhead.

    Examples: MD5 (128-bit output), SHA (160-bit output).

    [Figure: "Text/file 1" and "Text/file 2" are each fed through MD5 and produce different hash values of the same fixed length.]

  • 21

    Data Integrity and Source Authentication

    Validates datagrams by verifying that they came from the proper source. The authentication process uses a Hashed Message Authentication Code (HMAC), which adds a secret pre-shared key to the hashing process. Examples: HMAC-MD5, HMAC-SHA-1.
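    The hash and HMAC behaviour of slides 20 and 21, as an added example (not part of the original slides): the fixed-length property of MD5 and SHA, why a plain hash alone gives integrity but not source authentication (anyone who changes the message can recompute the hash), and how adding the pre-shared key in an HMAC lets the receiver reject altered messages and messages from a sender without the key. The messages, the key and the function names are constructed for this example.

```python
import hashlib
import hmac

def digest(data: bytes, algorithm: str) -> bytes:
    """Slide 20: a hash maps input of any length to output of a fixed length."""
    return hashlib.new(algorithm, data).digest()

def make_tag(key: bytes, message: bytes, algorithm: str = "sha1") -> bytes:
    """Slide 21: HMAC mixes a pre-shared key into the hash (HMAC-SHA-1 by default)."""
    return hmac.new(key, message, algorithm).digest()

def verify_tag(key: bytes, message: bytes, tag: bytes, algorithm: str = "sha1") -> bool:
    """Receiver-side check; compare_digest avoids leaking where the tags differ via timing."""
    return hmac.compare_digest(make_tag(key, message, algorithm), tag)

def plain_hash_is_forgeable(message: bytes, altered: bytes) -> bool:
    """An in-path attacker who alters the message can simply recompute the plain hash,
    so the receiver's hash check still passes: integrity without origin authentication."""
    sent_hash = digest(altered, "md5")          # attacker recomputes after altering
    return digest(altered, "md5") == sent_hash  # receiver's recomputation matches

def demo():
    # Constructed sample inputs (mirrors the "Text/file 1" / "Text/file 2" figure)
    short_msg = b"Text/file 1"
    long_msg = b"Text/file 2 " * 500
    key = b"constructed-pre-shared-key"
    results = {
        "md5_len_short": len(digest(short_msg, "md5")),   # 16 bytes = 128 bits
        "md5_len_long": len(digest(long_msg, "md5")),
        "sha1_len": len(digest(long_msg, "sha1")),        # 20 bytes = 160 bits
        "different_inputs_differ": digest(short_msg, "md5") != digest(long_msg, "md5"),
        "plain_hash_forgeable": plain_hash_is_forgeable(short_msg, b"Text/file 1 (altered)"),
    }
    tag = make_tag(key, short_msg)
    results["hmac_accepts_genuine"] = verify_tag(key, short_msg, tag)
    results["hmac_rejects_altered"] = not verify_tag(key, b"Text/file 1 (altered)", tag)
    # A sender without the pre-shared key cannot produce a valid tag
    results["hmac_rejects_wrong_key"] = not verify_tag(b"some-other-key", short_msg, tag)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    The HMAC tag, not the bare hash, is what IPSec AH and ESP carry to provide the "data integrity and source authentication" function named on this slide.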

  • Keys Get Exchanged

  • 23

    How Do Keys Get Exchanged

    In a VPN, fast, strong encryption is a must. This is why most implementations use a symmetrical algorithm for payload encryption. The problem with symmetrical algorithms and hash functions is key management.

    - Manual configuration: prone to configuration errors; keys are rarely changed.
    - Automatic exchange: uses public connections, so how do we secure the key exchange?

    The solution: the Diffie-Hellman key exchange algorithm.

    - First published public key cryptography standard.
    - Solves the key distribution problem through use of public/private key pairs.
    - Only the public key is sent across the network.

  • 24

    The DH Key Exchange Process

    - The Diffie-Hellman public key algorithm states that if user A and user B exchange public keys, and a calculation is performed on their individual private key and on the public key of the other peer, the end result of the process is an identical shared key. The shared key will be used to encrypt and decrypt the data.

    - Security is not an issue with the Diffie-Hellman key exchange. Although someone may know a user's public key, the shared secret cannot be generated because the private key never becomes public knowledge.

  • 25

    Diffie-Hellman Algorithm Simplified

    - Step 1: Rachel chooses her secret color and adds 1 liter of blue to her paint can. Lauren chooses her secret color red and adds 1.5 liters of red. (secret key)

    - Step 2: A shared color is chosen, and both Rachel and Lauren add 1.1 liters of green to their cans. (public key)

    - Step 3: The paint cans are exchanged. Rachel adds 1 liter of her original secret color blue to the paint can she got from Lauren. Lauren adds her 1.5 liters of original secret color red to the paint can she got from Rachel. Now both paint cans have identical colors with the same amounts. (shared key used to encrypt and decrypt)

    [Figure: Rachel's and Lauren's paint cans side by side.]
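    The DH process of slides 24 and 25 carried through with numbers, as an added example (not part of the original slides): each side keeps a private exponent, only the public values g^a mod p and g^b mod p cross the network, and both sides arrive at the same shared secret, which is then hashed into a fixed-size symmetric key for the payload cipher (slide 23). The paint-can walkthrough uses the textbook toy group p = 23, g = 5 with Rachel's and Lauren's private values fixed at 6 and 15 so the arithmetic can be checked by hand; these values, the key size and the function names are constructed here. The brute-force function shows why the slide's "security is not an issue" claim depends on the group being large: in the toy group an eavesdropper recovers the private value instantly, while IKE groups use primes of 1024 bits and more.

```python
import hashlib
import secrets

def make_keypair(p: int, g: int) -> tuple:
    """Private exponent a in [1, p-2]; public value g^a mod p is what gets sent."""
    private = secrets.randbelow(p - 2) + 1
    return private, pow(g, private, p)

def shared_secret(my_private: int, peer_public: int, p: int) -> int:
    """Step 3: my private value applied to the peer's public value."""
    return pow(peer_public, my_private, p)

def derive_key(secret: int, length: int = 16) -> bytes:
    """Turn the numeric shared secret into a fixed-size symmetric key (constructed
    derivation: SHA-256 of the secret's big-endian bytes, truncated)."""
    nbytes = (secret.bit_length() + 7) // 8 or 1
    return hashlib.sha256(secret.to_bytes(nbytes, "big")).digest()[:length]

def exchange(p: int, g: int) -> tuple:
    """Full exchange between A and B; returns both computed secrets and what an
    eavesdropper sees on the wire (p, g and the two public values only)."""
    a_priv, a_pub = make_keypair(p, g)
    b_priv, b_pub = make_keypair(p, g)
    on_the_wire = (p, g, a_pub, b_pub)
    return shared_secret(a_priv, b_pub, p), shared_secret(b_priv, a_pub, p), on_the_wire

def paint_can_walkthrough() -> dict:
    """Slide 25 with numbers: Rachel's secret 6 (blue), Lauren's secret 15 (red),
    shared public parameters p=23, g=5 (the green everyone adds). Toy values."""
    p, g = 23, 5
    rachel_priv, lauren_priv = 6, 15
    rachel_pub = pow(g, rachel_priv, p)   # 5^6  mod 23 = 8,  Rachel's can after step 2
    lauren_pub = pow(g, lauren_priv, p)   # 5^15 mod 23 = 19, Lauren's can after step 2
    return {
        "rachel_public": rachel_pub,
        "lauren_public": lauren_pub,
        "rachel_shared": pow(lauren_pub, rachel_priv, p),  # step 3: 19^6 mod 23
        "lauren_shared": pow(rachel_pub, lauren_priv, p),  # step 3: 8^15 mod 23
    }

def brute_force_private(p: int, g: int, public: int) -> int:
    """Discrete-log by trial for tiny p: feasible here, infeasible for real group sizes.
    This is why the group size, not secrecy of p and g, carries the security."""
    for candidate in range(1, p - 1):
        if pow(g, candidate, p) == public:
            return candidate
    raise ValueError("no exponent found")

if __name__ == "__main__":
    print(paint_can_walkthrough())
    ka, kb, wire = exchange(23, 5)
    print("A and B agree:", ka == kb, "key:", derive_key(ka).hex())
    print("toy group broken by brute force, A's private =", brute_force_private(*wire[:3]))
```

    With a real group size the only values on the wire are still p, g and the two public values, but no known method recovers the private exponents from them in practical time, which is what the slide's security statement rests on.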

  • Question ?

    Thank you !
