Internet Security Seminar Class CS591 Presentation Topic: VPN
Dec 21, 2015
Virtual Private Network
What is a VPN?
An extension of an enterprise's private intranet across a public network (typically the Internet). The tunnel provides:
- Confidentiality: encrypts the user's data
- Integrity: validates that the data was not modified in transit
- Authentication: verifies the source of the data
- Key management: establishes and maintains the cryptographic secrets the three services above depend on
Why do businesses use VPNs?
- Cost: ISP/NSP connectivity is far cheaper than dedicated leased lines
- Simplified infrastructure: no modem banks for dial-in users
- Security: traffic is encrypted, authenticated and integrity-protected
- Interoperability: supports multiple protocols
- Distributed, deployable and scalable
Types of VPN
- Branch office connection (intranet VPN)
- Business partner/supplier network (extranet VPN, e-business)
- Remote access (mobile users, Mobile IP)
How does a VPN work?
A dedicated (virtual) link is created by tunneling: each packet is encapsulated inside another packet, protected with encryption and/or an integrity check, carried across the routed network, and unwrapped at the far end.
Basic components of a tunnel:
- A tunnel initiator (TI)
- A routed network
- An optional tunnel switch
- One or more tunnel terminators (TT)
IPsec
- Standardized by the IETF (RFC 2401, revised as RFC 4301); early support came from firewall and security products
- Operates at the network (IP) layer, so it protects every upper-layer protocol without application changes
- Two security protocols:
  - Authentication Header (AH): integrity and origin authentication of the whole IP packet, no confidentiality
  - Encapsulating Security Payload (ESP): confidentiality plus (optional) integrity and authentication
- Each runs in transport mode (protects the payload between two hosts) or tunnel mode (wraps the whole IP packet between two gateways, the site-to-site VPN case)
- Caveat: AH is rarely deployed and cannot traverse NAT because it authenticates the outer addresses; practical VPNs use ESP with an authenticated cipher
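The following is an added example, not code from the slides or from any IPsec implementation. It ties the tunnel components above (initiator, routed network, terminator) to the AH service: a tunnel initiator wraps an inner IPv4 packet in an outer header plus an AH header with an HMAC-SHA1-96 integrity check value (RFC 2404), a router on the path changes the mutable TTL/checksum fields, and the tunnel terminator verifies the ICV and enforces the RFC 4302 anti-replay window. Assumptions: 20-byte IPv4 headers without options, a constructed SA key and SPI, and RFC 5737 documentation addresses; the same zero-mutable-fields rule would apply to ESP, but ESP's encryption is not shown here.

```python
"""Tunnel-mode IPsec AH (RFC 4302) with HMAC-SHA1-96 (RFC 2404), plus the
anti-replay window a tunnel terminator must keep. Standard library only."""
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51       # IP protocol number of AH
IPIP_PROTO = 4      # AH Next Header: the payload is a whole IPv4 packet (tunnel mode)
ICV_LEN = 12        # HMAC-SHA1-96: the 20-byte HMAC-SHA1 tag truncated to 96 bits
AH_LEN = 12 + ICV_LEN
WINDOW = 64         # RFC 4302 minimum anti-replay window size


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum; verifying a correct header yields 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header, no options (assumed throughout)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ah_icv(key: bytes, outer_ip: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """ICV per RFC 4302 3.3.3.1: mutable IPv4 fields (TOS, flags/fragment offset,
    TTL, checksum) and the AH ICV field itself are zeroed before the HMAC."""
    h = bytearray(outer_ip)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    data = bytes(h) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_tunnel_encap(key: bytes, spi: int, seq: int, tun_src: str, tun_dst: str, inner: bytes) -> bytes:
    """Tunnel initiator: outer IP header + AH header + the untouched inner packet."""
    outer = ipv4_header(tun_src, tun_dst, AH_PROTO, AH_LEN + len(inner))
    ah_fixed = struct.pack("!BBHII", IPIP_PROTO, AH_LEN // 4 - 2, 0, spi, seq)
    return outer + ah_fixed + ah_icv(key, outer, ah_fixed, inner) + inner


def transit_hop(packet: bytes) -> bytes:
    """The routed network in between: a router decrements outer TTL and refreshes the checksum."""
    h = bytearray(packet[:20])
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + packet[20:]


class InboundSA:
    """Tunnel terminator state for one inbound security association."""

    def __init__(self, key: bytes, spi: int):
        self.key, self.spi = key, spi
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) already seen

    def replay_ok(self, seq: int) -> bool:
        if seq == 0:                        # first valid sequence number is 1
            return False
        if seq > self.top:
            return True
        diff = self.top - seq
        return diff < WINDOW and not (self.bitmap >> diff) & 1

    def replay_mark(self, seq: int) -> None:
        if seq > self.top:
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def decap(self, packet: bytes):
        """(inner_packet, "ok") or (None, reason). The replay check runs before the
        ICV, but the window advances only after the ICV verifies, so a forger
        cannot push the window forward and knock out legitimate packets."""
        outer, rest = packet[:20], packet[20:]
        if len(outer) < 20 or outer[9] != AH_PROTO or len(rest) < AH_LEN:
            return None, "not AH"
        next_hdr, plen, _, spi, seq = struct.unpack("!BBHII", rest[:12])
        if spi != self.spi or (plen + 2) * 4 != AH_LEN:
            return None, "unknown SA"
        if not self.replay_ok(seq):
            return None, "replay"
        ah_fixed, icv, payload = rest[:12], rest[12:AH_LEN], rest[AH_LEN:]
        if not hmac.compare_digest(icv, ah_icv(self.key, outer, ah_fixed, payload)):
            return None, "bad ICV"
        self.replay_mark(seq)
        if next_hdr != IPIP_PROTO:
            return None, "unexpected next header"
        return payload, "ok"


def replay_window_trace(seqs):
    """Accept/reject verdicts for a series of AH sequence numbers on a fresh SA."""
    sa, out = InboundSA(b"k", 1), []
    for s in seqs:
        ok = sa.replay_ok(s)
        if ok:
            sa.replay_mark(s)
        out.append(ok)
    return out


def demo():
    key = b"constructed-sa-key-not-for-production"   # assumption: key came from IKE
    spi = 0x1001
    inner = ipv4_header("10.1.0.5", "10.2.0.9", 17, 5) + b"hello"   # constructed inner packet
    terminator = InboundSA(key, spi)
    p1 = ah_tunnel_encap(key, spi, 1, "198.51.100.1", "203.0.113.1", inner)
    p2 = ah_tunnel_encap(key, spi, 2, "198.51.100.1", "203.0.113.1", inner)
    forged = bytearray(p2)
    forged[-1] ^= 0xFF                     # attacker flips a byte of the inner packet
    return {
        "delivered": terminator.decap(transit_hop(p1)),   # TTL changed in transit: still ok
        "replayed": terminator.decap(transit_hop(p1)),    # same sequence number again: rejected
        "forged": terminator.decap(bytes(forged)),        # fresh sequence number, but ICV fails
    }
```

Running `demo()` shows the three outcomes a terminator must distinguish: a packet whose outer header was legitimately rewritten by routers still verifies, a replayed copy is dropped by the window before any MAC work is done, and a tampered packet fails the ICV and does not advance the window.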
IKE
- Internet Key Exchange: the protocol that negotiates IPsec security associations (SAs) and the keys they use
- Defined in RFC 2409 as a combination of ISAKMP and Oakley (hence "ISAKMP/Oakley"):
  - ISAKMP (Internet Security Association and Key Management Protocol) provides the message framework and the negotiation of security parameters
  - Oakley supplies the Diffie-Hellman key agreement that establishes the shared secret
- Peers authenticate each other with pre-shared keys or certificates; IKEv1 has since been superseded by IKEv2 (RFC 7296)
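As an added illustration (not from the slides or any IKE implementation), the following runs an IKEv1-style phase 1 in miniature: both peers exchange Diffie-Hellman public values and nonces, validate the peer's public value before using it, and derive the RFC 2409 SKEYID chain from a pre-shared key. The group parameters are a toy safe prime chosen so the arithmetic is readable; real IKE uses the RFC 3526 MODP groups. HMAC-SHA256 as the PRF, the cookie and nonce lengths, and all key material are assumptions of this example.

```python
"""IKEv1 phase 1 in miniature: Oakley (Diffie-Hellman) key agreement inside the
ISAKMP negotiation, then the RFC 2409 pre-shared-key SKEYID derivation."""
import hashlib
import hmac
import secrets

# Toy group for illustration only: safe prime p = 2q + 1, g generates the
# order-q subgroup. Real IKE uses RFC 3526 MODP groups (group 14 or larger).
P, Q, G = 23, 11, 4


def prf(key: bytes, data: bytes) -> bytes:
    """Negotiated PRF; HMAC-SHA256 is assumed here."""
    return hmac.new(key, data, hashlib.sha256).digest()


def valid_public_value(y: int, p: int = P, q: int = Q) -> bool:
    """The check a peer must do on a KE payload: reject 0, 1, p-1 and anything
    outside the order-q subgroup (small-subgroup confinement attacks)."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def to_bytes(n: int, p: int = P) -> bytes:
    return n.to_bytes((p.bit_length() + 7) // 8, "big")


class Peer:
    def __init__(self, psk: bytes):
        self.psk = psk
        self.cookie = secrets.token_bytes(8)        # ISAKMP cookie (CKY-I / CKY-R)
        self.nonce = secrets.token_bytes(16)        # Ni_b / Nr_b
        self.x = secrets.randbelow(Q - 1) + 1       # private exponent in [1, q-1]
        self.public = pow(G, self.x, P)             # KE payload: g^x mod p

    def derive(self, peer_public: int, ni: bytes, nr: bytes, cky_i: bytes, cky_r: bytes) -> dict:
        if not valid_public_value(peer_public):
            raise ValueError("rejecting invalid Diffie-Hellman public value")
        gxy = to_bytes(pow(peer_public, self.x, P))                       # shared secret g^xy
        skeyid = prf(self.psk, ni + nr)                                   # RFC 2409 5.4, PSK auth
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # seeds phase 2 keys
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # phase 1 integrity
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # phase 1 encryption
        return {"d": skeyid_d, "a": skeyid_a, "e": skeyid_e}


def phase1(initiator_psk: bytes, responder_psk: bytes):
    """Run the exchange from both sides and return each side's derived keys.
    What crosses the wire in the clear: cookies, nonces and public values."""
    init, resp = Peer(initiator_psk), Peer(responder_psk)
    wire = (init.nonce, resp.nonce, init.cookie, resp.cookie)
    return init.derive(resp.public, *wire), resp.derive(init.public, *wire)


if __name__ == "__main__":
    a, b = phase1(b"shared secret", b"shared secret")
    print("keys agree:", a == b)
    a, b = phase1(b"shared secret", b"wrong secret")
    print("keys agree with mismatched PSK:", a == b)
```

Two points worth noticing: the Diffie-Hellman shared secret alone does not authenticate anyone (an active attacker can run the exchange with each side), which is why SKEYID is keyed with the pre-shared key; and a public value such as p-1 or 1 passes the range check yet confines the secret to a tiny subgroup, so the subgroup test is not optional.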
L2F
- Layer 2 Forwarding: tunneling protocol created by Cisco (RFC 2341)
- Mechanism for transporting link-layer frames of higher-layer protocols, e.g. PPP, over an IP network
- Used for VPDN (virtual private dial-up network): the dial-in user connects to the ISP's NAS (network access server), which forwards the PPP session to the corporation's home gateway
- Provides no encryption of its own; it relies on PPP authentication
PPTP
- Point-to-Point Tunneling Protocol (RFC 2637), developed by Microsoft, 3Com, Ascend and ECI
- Encapsulates PPP packets (in GRE) across an IP-based internet
- Encryption: MPPE, which uses RSA's RC4 stream cipher with keys derived from the MS-CHAP authentication exchange
- Caveat: MS-CHAPv2 and the RC4 keying are broken; PPTP should not be used where confidentiality matters
L2TP
- Layer 2 Tunneling Protocol (RFC 2661): a combination of PPTP and L2F
- Supports multiple simultaneous tunnels between the same endpoints
- Allows administrators to dedicate tasks (e.g. traffic classes or user groups) to specific tunnels
- Provides no encryption by itself; it is normally run over IPsec (L2TP/IPsec, RFC 3193)
VPN Technology
- Firewalls
- Intrusion detection tools
- Authentication servers
- Encryption and key exchange
Implementation
Network connectivity: intranet, extranet or remote access
Product or service provider options:
- VPN gateway
- Software only (suited to connections of 1.5 Mbps or less, i.e. T1 speed)
- Firewall based
- Router based
Authentication methods: RADIUS, PKI with X.509 certificates (ITU-T), LDAP
Routers and firewalls with encryption capability
Pros:
- Encryption upgrades, if available, can be cost effective.
Cons:
- Mixing vendor solutions can create compatibility issues that inhibit VPN capability.
- May not be able to provide PC-to-LAN capability without additional software support.
- Could require commitment to a vendor's proprietary technology.
- May not provide multi-protocol support.
- Installation and configuration can add to network complexity.
- Encryption processing overhead may reduce performance.
Traditional Remote Access Server (RAS) with VPN add-on
Pros:
- May allow IT to take advantage of an existing hardware investment.
Cons:
- Traditional remote access servers are not optimized for VPN.
- VPN add-ons may only be available for some high-end RAS solutions.
- May be ISP dependent, requiring the company to adopt the same RAS VPN vendor as the ISP.
- May not provide multi-protocol support.
- May require vendor proprietary software.
NOS/server-based VPN
Pros:
- More robust solution for PC-to-LAN access than that provided by firewalls or routers.
Cons:
- Difficult to set up and manage VPN functionality.
- Adding VPN services to a network server can impact performance while decreasing fault tolerance.
- Dedicating a network server to remote access can be prohibitively expensive.
VPN services
Pros:
- Security and performance can be guaranteed for a price.
- Requires limited corporate support.
Cons:
- IT gives up control to the service provider.
- May not provide multi-protocol support.
- May not provide PC-to-LAN access.
- VPN services may be cost prohibitive.
Dedicated VPN software
Pros:
- Optimized to create LAN-to-LAN connections via VPN.
- A dedicated VPN solution creates fault tolerance.
- Standalone VPN solutions can offer greater performance.
- Dedicated VPN solutions are generally easier to use and support than solutions originally designed for non-VPN functions such as firewalls, routers, network servers and traditional remote access servers.
- Eliminates the need for costly frame relay circuits, leased lines, etc.
Cons:
- Vendor proprietary software is needed for each server hosting VPN and each remote client accessing the LAN via VPN.
- Must invest in a dedicated server for maximum performance.
- Adding VPN software on an existing, in-use network server decreases fault tolerance and performance.
- Many solutions support IP-only VPNs and cannot transport packets from multiple protocols.
Dedicated VPN hardware
Pros:
- Easy to install, configure and manage.
- Saves money by reducing equipment needs at the corporate site.
- A stand-alone solution offers greater performance and fault tolerance because it is optimized for VPN functionality.
- Reduces the cost of upgrading hardware as remote access technology changes.
- Reduces the cost of upgrading the system as the number of users increases.
Cons:
- Some solutions do not support multiple protocols.
- Some LAN-to-LAN VPN solutions require costly software add-ons to support remote client PCs.
- Some solutions require that proprietary software be loaded on the remote client's PC.
Security stance
- Permit all access initially (default allow); the administrator specifically denies individual access according to the security policy. Anything the policy forgot to mention stays reachable.
- Deny all access initially (default deny); the administrator specifically permits individual access according to the security policy. Anything the policy forgot to mention is blocked, which is the stance to take at a VPN gateway.
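To make the two stances concrete, here is an added example (not from the slides) of a first-match packet filter whose only difference between the two stances is what happens when no rule matches. The policy, the address ranges and the sample packets are constructed: remote-access clients are assumed to land in 10.200.0.0/24 after tunnel termination and are meant to reach two internal services only.

```python
"""First-match packet filter with a configurable default stance."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str                      # CIDR
    dst: str                      # CIDR
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


def decide(rules, p: Packet, default: str) -> str:
    """First matching rule wins; if nothing matches, the default stance applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Constructed policy (assumption): tunnel-terminated remote-access clients sit in
# VPN_POOL and should reach only the intranet web server and the mail server.
VPN_POOL = "10.200.0.0/24"
POLICY = [
    Rule("permit", VPN_POOL, "10.1.0.10/32", "tcp", 443),   # intranet web
    Rule("permit", VPN_POOL, "10.1.0.20/32", "tcp", 993),   # IMAPS
    Rule("deny",   VPN_POOL, "10.1.0.0/16"),                # nothing else on the server LAN
]


def compare_stances(p: Packet) -> dict:
    """The same policy evaluated under both stances."""
    return {"permit-all": decide(POLICY, p, "permit"),
            "deny-all": decide(POLICY, p, "deny")}


if __name__ == "__main__":
    for pkt in (Packet("10.200.0.7", "10.1.0.10", "tcp", 443),   # intended access
                Packet("10.200.0.7", "10.1.0.30", "tcp", 22),    # explicitly denied
                Packet("10.200.0.7", "10.2.0.5", "tcp", 445),    # subnet the policy never mentioned
                Packet("192.0.2.1", "10.1.0.10", "tcp", 443)):   # source outside the VPN pool
        print(pkt, compare_stances(pkt))
```

The first two packets get the same verdict under both stances because a rule covers them. The last two are the point: a lab subnet the administrator never wrote a rule for, and a non-VPN source address, are reachable under permit-all and blocked under deny-all, with no change to the rules.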
Security techniques
- Packet filters (decide per packet on addresses, protocol and ports)
- Circuit-level gateways (decide per connection, e.g. SOCKS)
- Application-level gateways (proxies that understand the application protocol)
Possible security breaches/risks from remote access (RA)
- Unauthorized RA computer (stolen credentials or device)
- RA computer connected to an insecure network at the same time as the VPN: with split tunneling it becomes a bridge into the intranet
- Virus-infected RA computer: the tunnel carries the malware straight past the perimeter
FAQ
- Difference between a VPN and a firewall?
- Difference between a VPN and a proxy?
- Build your own VPN or outsource to a service provider?
- Important critique? Interoperable? Scalability?
- Can you trust the Internet?
Any other questions?
Reference: Virtual Private Networks by Charlie Scott, Paul Wolfe and Mike Erwin, O'Reilly & Associates, March 1998