IPSec VPN Slides Final

Apr 06, 2018

shahrian
  • 8/3/2019 IPSec VPN Slides Final

    1/30

    IPSec and VPN

    Ali Bodden
    Joseph Gonya
    Miguel Mendez


    2/30

    IPSec / VPN Outline

    What is IPSec?
    IPSec Architecture
    What are the Security Properties/Services of IPSec?
    What are the IPSec Protocol types?
    An example of IPSec in use.
    What are the security issues concerning IP?
    What is IPSec's application to VPN?
    What is VPN?
    Transport and Tunnel Modes
    What are the two types of VPN?
    Current status of VPN solution technology versus first generation
    What is the cost effectiveness of implementing a VPN?
    What are the advantages of an IPSec VPN?
    What are the disadvantages of an IPSec VPN?
    Review and Questions


    3/30

    What is IPSec?

    IPSec is a set of extensions to the IP protocol family. It provides cryptographic security services. These services allow for Authentication, Integrity, Access Control, and Confidentiality. IPSec provides similar services as SSL, but at the network layer, in a way that is completely transparent to your applications, and much more powerful. We say this because your applications do not have to have any knowledge of IPSec to be able to use it. You can use any IP protocol over IPSec. You can create encrypted tunnels (VPNs), or just do encryption between computers. Since you have so many options, IPSec is rather complex (much more so than SSL!)

    In a logical sense, IPSec works in any of these three ways:

    Host-to-Host
    Host-to-Network
    Network-to-Network

    In every scenario that involves a network, "network" implies a router, as in Host-to-Router (where this router controls and encrypts traffic for a particular network).

    As you can see, IPSec can be used to tunnel traffic for VPN connections. However, its utility reaches beyond VPNs. With a central Internet Key Exchange registry, every machine on the internet could talk to another one and employ powerful encryption and authentication!


    4/30

    IPSec Architecture

    IPSec Documents:

    The IPSec specification consists of numerous documents. The most important of these, issued in November of 1998, are RFCs 2401, 2402, 2406, and 2408:

    RFC 2401: An overview of a security architecture

    RFC 2402: Description of a packet authentication extension to IPv4 and IPv6

    RFC 2406: Description of a packet encryption extension to IPv4 and IPv6

    RFC 2408: Specification of key management capabilities


    5/30

    What are the Security Properties/Services of IPSec?

    The internet protocol, IP, AKA IPv4, does not inherently provide any protection to your transferred data. It does not even guarantee that the sender is who he says he is. IPsec tries to remedy this. These services are considered distinct, but IPsec supports them in a uniform manner.

    Confidentiality
    Ensure it is hard for anyone but the receiver to understand what data has been communicated. For example: ensuring the secrecy of passwords when logging into a remote machine over the Internet.

    Integrity
    Guarantee that the data does not get changed on the way. If you are on a line carrying invoicing data you probably want to know that the amounts and account numbers are correct and not altered while in transit.

    Authenticity
    Sign your data so that others can see that it is really you that sent it. It is clearly nice to know that documents are not forged.

    Replay protection
    We need ways to ensure a datagram is processed only once, regardless of how many times it is received. I.e. it should not be possible for an attacker to record a transaction (such as a bank account withdrawal), and then by replaying it verbatim cause the peer to think a new message (withdrawal request) had been received. WARNING: as per the standards specification, replay protection is not performed when using manual-keyed IPsec (e.g., when using ipsecadm(8)).

    http://www.openbsd.org/cgi-bin/man.cgi?query=ipsecadm&sektion=8
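
    The replay-protection check described above is commonly implemented on the receiver as a sliding window over the sequence number carried in each AH/ESP packet. The sketch below is an added example, not part of the original slides; the class name, the 64-packet window and the sample sequence numbers are assumptions constructed for illustration.

```python
class AntiReplayWindow:
    """Receiver-side sliding window over AH/ESP sequence numbers."""

    def __init__(self, size=64):
        self.size = size    # window width in packets (assumed value)
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence (top - i) already seen

    def accept(self, seq):
        """Return True if the packet is fresh, False if it must be dropped.

        Call this only after the packet's integrity check has passed;
        otherwise a forged high sequence number could move the window.
        """
        if seq == 0:
            return False                    # sender counters start at 1
        if seq > self.top:                  # new right edge: slide forward
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                    # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                    # already seen: replayed packet
        self.bitmap |= 1 << offset          # late but new: record and accept
        return True


def replay_verdicts(seqs, size=64):
    """Run a list of received sequence numbers through a fresh window."""
    window = AntiReplayWindow(size)
    return [window.accept(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: in-order, a duplicate, reordering, a jump.
    arrivals = [1, 2, 2, 5, 3, 3, 100, 36, 37]
    for seq, ok in zip(arrivals, replay_verdicts(arrivals)):
        print(seq, "accept" if ok else "drop")
```

    The window only works while the sequence counter never repeats under one key, which is why it depends on keys being renegotiated rather than fixed by hand.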

    6/30

    What are the IPSec Protocol types?

    First, the IP protocol is the description of how devices on the Internet can address each other. Internet Protocol Security (IPSec) adds security functionality to the IP protocol. There are four (4) key protocols that collectively form the basis for IPSec:

    IPSec = AH + ESP + IPComp + IKE

    Authentication Header (AH): provides authenticity guarantee for packets by ensuring the packet was not generated by an impersonator and was not modified in transit;

    Encapsulating Security Payload (ESP): provides a confidentiality guarantee for data by encrypting packets with algorithms

    IP Payload Compression (IPComp): provides a way to compress packets before encryption.

    Internet Key Exchange (IKE): provides a way to negotiate private keys in secrecy

    Security of IPSec depends on secret keys, generated by IKE. If the secret keys are compromised, IPSec is no longer secure. Data encryption is a function of IPSec, made possible by ESP. An encryption algorithm, generated by ESP, is a way of changing data so that only the desired recipient knows how to reconstruct it. Triple DES (Data Encryption Standard) is an encryption algorithm that is unbreakable and is the most popular algorithm because of its strong encryption and number of keys. Encryption allows only the receiver to read what has been sent over the network.

    IPSec provides the capability to secure tunnels between two network devices such as two routers.


    7/30

    Step 1: Host A sends a TCP/IP packet to Host B.

    The TCP/IP packet looks like this: [IPHDR][IPoptions][TCP][data]


    8/30

    Step 2: Router A receives the packet and adds the ESP:

    The TCP/IP packet looks like this: [ESP][IPHDR][IPoptions][TCP][data]


    9/30

    Step 3: Router A adds the AH:

    The TCP/IP packet looks like this: [AH][ESP][IPHDR][IPoptions][TCP][data]


    10/30

    Step 4: Router A encapsulates the packet into a new one, and sends it to Router B:

    The TCP/IP packet looks like this: [IPHDR][IPoptions][AH][ESP][IPHDR2][IPoptions][TCP][data]


    11/30

    Step 5: Router B receives the packet and removes the AH:

    The TCP/IP packet looks like this: [ESP][IPHDR2][IPoptions][TCP][data]


    12/30

    Step 6: Router B removes the ESP:

    The TCP/IP packet looks like this: [IPHDR][IPoptions][TCP][data]


    13/30

    Step 7: Host B receives the original packet sent by Host A:

    The TCP/IP packet looks like this: [IPHDR][IPoptions][TCP][data]

    http://www.iamexwi.unibe.ch/studenten/stadelma/cn/applet/IPSec4.html

    14/30

    What are the most common Security Issues concerning IP?

    The three most serious types of attacks are:

    Packet Sniffing

    IP Spoofing

    Denial-Of-Service

    Other attacks include:

    Eavesdropping

    Data Modification

    Password Based Attacks

    Man-in-the-Middle Attacks

    Compromised-Key Attacks

    Application-Layer Attacks


    15/30

    Packet Sniffing

    A Packet Sniffer is a program running in a network attached device that passively receives all data-link layer frames passing by the device's network interface.

    Packet Sniffers are commonly used to acquire account names and passwords.

    Packet Sniffing Software is freely available at various WWW sites and as commercial products.


    16/30

    IP Spoofing

    The intruder creates and transmits packets from the outside with a source IP address field containing an address of an internal host.

    Used to exploit applications that use simple source address security, in which packets from specific trusted internal hosts are accepted.


    17/30

    Denial-Of-Service

    A Denial-Of-Service attack renders a network, host, or other piece of network infrastructure unusable by legitimate users.

    DoS attacks work by creating so much work for the infrastructure under attack that legitimate work cannot be performed. (Resource Exhaustion, for example Disk Space, CPU Cycles, Memory, Network Bandwidth, and Application Resources)

    TCP Three-Way Handshake

    Simple Example: SYN Flood


    18/30

    What is a VPN?

    VPNs (Virtual Private Networks) are private, secure connections across a public network (usually the internet) that extend corporate networks to remote offices, mobile users, telecommuters, and extranet partners.

    VPNs maintain privacy through the use of tunneling protocols and security procedures. VPN tunnels are secured through encryption technology that uses advanced mathematical algorithms to scramble the data flowing through the VPN.

    POP = Points of Presence


    19/30

    Primary functions of a VPN

    Encryption: keep data confidential

    Authentication: ensure the identities of the two parties communicating

    Tunneling: safeguard the identities of communicating parties

    Non-Repudiation: ensure data is accurate and in its original form

    Replay Prevention: guard against packets being sent over and over again

    Note: All of the above features are components of the IP Security Protocol (IPSec) Standard!!!


    20/30

    What is IPSec's application to VPN?

    VPNs provide the highest level of security using advanced, standards-based security protocols such as IPSec.

    Use of IPSec with VPNs delivers enhanced network security in an insecure, networked world. IPSec (Internet Protocol Security) is the security protocol most commonly associated with VPN. IPSec is used to transmit high value data securely in a VPN by utilizing Data privacy, Data authenticity and integrity, and Non-repudiation.

    In IPSec, all protocols which sit upon the network layer are encrypted (once an IPSec tunnel is created) between the two communicating parties. TCP, UDP, SNMP, HTTP, POP, AIM, KaZaa etc. are all encrypted regardless of their built in (or lack of built in) security and encryption.

    The deployment of IPSec VPNs provides a solution that is more secure, flexible, easy to manage and cost-saving.


    21/30

    Transport and Tunnel Modes

    Both AH and ESP support two modes of use:

    Transport Mode

    Tunnel Mode

    Transport Mode provides protection primarily for upper-layer protocols. That is, transport mode protection extends to the payload of an IP packet (everything in the packet behind and not including the IP header is protected). Typically, transport mode is used for end-to-end communication between two hosts.

    Tunnel Mode provides protection to the entire IP packet (everything behind and including the header is protected, requiring a new pseudo IP header). To achieve this, after the AH or ESP fields are added to the IP packet, the entire packet plus security fields is treated as the payload of a new outer IP packet with a new outer IP header. The entire original or inner packet travels through a tunnel from one point of an IP network to another. No routers along the way are able to examine the inner IP header.


    22/30

    Transport and Tunnel Modes


    23/30

    How Does a VPN work?

    VPN uses IPSec for transferring secure packets across the network

    IPSec identifies an authorized client/network

    Negotiates an encrypted channel

    Tunnels all network traffic through the encrypted channel (authenticating keys).

    The client/network appears to be locally connected


    24/30

    How does an IPSec VPN work?

    Two Way authentication using tokens
    Digital Certificates
    Heavily Encrypted
    Access limited to well defined and controlled user base
    All IP related services supported
    More suited for internal company use


    25/30

    Current status of VPN solution technology versus first generation


    26/30

    Cost savings of a VPN implementation

    Using the Cisco website calculator, a comparison of three scenarios was made to show the cost saving benefits of implementing a VPN solution.

    [Chart: Monthly Cost Savings for Site-to-Site VPN; x-axis: Number of users; y-axis: Cost Savings $; data labels: 0, 134055, 678255]

    www.cisco.com/warp/public/779/largeent/learn/technologies/vpn/site2site.html


    27/30

    Advantages of an IPSec VPN Solution

    Separate private networking solutions are expensive and cannot be updated quickly to adapt to changes in business requirements

    The Internet is inexpensive but does not by itself ensure privacy

    Flexibility in Network Design

    New Application Enablement

    Any-to-Any Connectivity


    28/30

    Disadvantages of an IPSec VPN Solution

    Small Packet Issue

    When encrypting small pieces of information, the overhead caused by the encryption process becomes larger than the actual payload, causing performance degradation. IPSec is not immune to this problem.

    Complexity Issues

    IPSec was developed in a committee and has many features and options, therefore it is very complicated. The downside is, more features means a greater possibility that a weakness or hole can be found to compromise security.

    For example, IPSec is weak against certain attacks, such as replay attacks. Also, in certain cases, IPSec allows encryption without authentication, which could allow an unauthorized person to use IPSec for malicious purposes.
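
    The Small Packet Issue above, and the extra outer header that Tunnel Mode adds compared with Transport Mode, can be put in numbers. This added example (not from the original slides) computes on-wire IPv4 packet sizes for ESP, assuming 3DES-CBC (8-byte block and IV), a 12-byte HMAC-SHA1-96 authentication field, an optional 24-byte AH, and IPv4/TCP headers without options; the function names are hypothetical.

```python
IP_HDR = 20       # IPv4 header, no options (assumption)
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
AH_LEN = 24       # 12 fixed bytes + 12-byte ICV (assumption: HMAC-96)


def esp_packet_size(upper_len, mode, block=8, iv=8, icv=12, use_ah=False):
    """On-wire IPv4 packet length for upper_len bytes of TCP header + data."""
    if mode == "transport":
        protected = upper_len               # only the IP payload is wrapped
    elif mode == "tunnel":
        protected = IP_HDR + upper_len      # the whole inner packet is wrapped
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    # Pad so that payload + trailer fills a whole number of cipher blocks.
    pad = -(protected + ESP_TRAILER) % block
    esp = ESP_HDR + iv + protected + pad + ESP_TRAILER + icv
    return IP_HDR + (AH_LEN if use_ah else 0) + esp


def overhead(upper_len, mode, **kw):
    """Return (extra_bytes, percent) relative to the unprotected packet."""
    plain = IP_HDR + upper_len
    extra = esp_packet_size(upper_len, mode, **kw) - plain
    return extra, round(100.0 * extra / plain, 1)


def report(data_sizes=(1, 64, 512, 1400), tcp_hdr=20):
    """Rows of (data_len, mode, total_len, extra_bytes, percent)."""
    rows = []
    for n in data_sizes:                    # constructed sample sizes
        for mode in ("transport", "tunnel"):
            extra, pct = overhead(tcp_hdr + n, mode)
            total = esp_packet_size(tcp_hdr + n, mode)
            rows.append((n, mode, total, extra, pct))
    return rows


if __name__ == "__main__":
    for row in report():
        print("data=%4d  %-9s total=%4d  extra=%2d  (+%.1f%%)" % row)
```

    For a single byte of TCP data the tunnel-mode packet more than doubles in size, while at 1400 bytes the same fixed cost is a few percent.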


    29/30

    Question & Answers?

    What is IPSec? IP Security, a set of standards for the internet security; also implementations of VPN using the set of standards for internet security.

    What are two properties/services of IPSec? Confidentiality, Integrity, Authentication, Replay Protection

    What are two security issues concerning IP? Packet sniffing, IP spoofing, Denial of Service

    What are the two types of VPNs? Transport and Tunnel

    What are two advantages of an IPSec VPN? Cost savings, Bandwidth savings

    What are two disadvantages of an IPSec VPN? Small packet issue, Complexity issues


    30/30

    The End!!!