Page 1: L4  vpn

Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh


Page 2: L4  vpn

VPNs provide secure remote access to individuals and businesses outside your network.

They use the Internet to route LAN traffic from one private network to another

The packets are unreadable by intermediary Internet computers because they are encrypted and they can encapsulate (or carry) any kind of LAN communications


Page 3: L4  vpn

VPN systems do not protect your network—they merely transport data

Most modern VPN systems are combined with firewalls in a single device.


Page 4: L4  vpn


Page 5: L4  vpn


Page 6: L4  vpn

Remote client authenticates itself on the VPN gateway

The client acquires a private IP address with DHCP-over-IPSec

Remote client is now part of the private network


Page 7: L4  vpn


Page 8: L4  vpn

VPNs solve the problem of direct Internet access to servers through a combination of the following fundamental components:

1. IP encapsulation

2. Cryptographic authentication

3. Data payload encryption


Page 9: L4  vpn

Although cryptographic authentication and data payload encryption may seem like the same thing at first, they are actually entirely different functions.

Secure Sockets Layer (SSL) performs data payload encryption without cryptographic authentication of the remote user,

whereas standard Windows logon performs cryptographic authentication without performing data payload encryption.



Page 11: L4  vpn

An IP packet can contain any kind of information: program files, spreadsheet data, audio streams, or even other IP packets.

When an IP packet contains another IP packet, it is called IP encapsulation, IP over IP, or IP/IP.

Private networks should always use private address ranges for their internal networking and use Network Address Translation or proxying to access the public Internet.


Page 12: L4  vpn

IP encapsulation can make it appear to computers inside the private network that distant networks are actually adjacent—separated from each other by a single router.

But they are actually separated by many Internet routers and gateways that may not even use the same address space because both internal networks are using address translation.


Page 13: L4  vpn


Page 14: L4  vpn

The tunnel endpoint—be it a router, firewall, VPN appliance, or a server running a tunneling protocol—will receive the public IP packet, remove the internal packet contained within it, decrypt it (assuming that it’s encrypted—it doesn’t have to be), and then apply its routing rules to send the embedded packet on its way in the internal network.
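To make the decapsulation step concrete, here is an added Python example (not from the slides) of a tunnel endpoint handling an unencrypted IP-in-IP packet: it parses the outer IPv4 header, checks that the outer source is a known tunnel peer (the packet-filtering advice from the closing slides), strips the outer header, and decides whether the embedded packet may be routed into the private network. The 10.0.0.0/8 private range, the peer address 203.0.113.10, and the sample packets are constructed values, and no encryption layer is shown, which the slide says is optional.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # outer-header protocol number for "IP over IP"

# Constructed values for the demo: the private range used inside the network and the
# public address of the one remote gateway this endpoint is configured to accept.
PRIVATE_NET = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_PEERS = {"203.0.113.10"}


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement checksum of an IPv4 header; a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet (20-byte header, no options) carrying `payload`."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload); raises on a non-IPv4 or corrupted header."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            proto, packet[ihl:total_len])


def encapsulate(outer_src: str, outer_dst: str, inner_packet: bytes) -> bytes:
    """What the sending gateway does: wrap a private packet in a public IP/IP packet."""
    return build_ipv4(outer_src, outer_dst, IPPROTO_IPIP, inner_packet)


def tunnel_endpoint(public_packet: bytes) -> str:
    """What the receiving gateway does: filter, strip the outer header, route the inner one."""
    outer_src, _, proto, inner = parse_ipv4(public_packet)
    if outer_src not in ALLOWED_PEERS:  # packet filtering: reject unknown hosts
        return "drop: unknown tunnel peer %s" % outer_src
    if proto != IPPROTO_IPIP:
        return "drop: outer protocol %d is not IP-in-IP" % proto
    inner_src, inner_dst, inner_proto, payload = parse_ipv4(inner)
    if ipaddress.ip_address(inner_dst) not in PRIVATE_NET:
        return "drop: inner destination %s is outside the private network" % inner_dst
    return "forward %s -> %s proto %d (%d bytes)" % (inner_src, inner_dst, inner_proto, len(payload))


if __name__ == "__main__":
    inner = build_ipv4("10.1.0.5", "10.2.0.7", 6, b"hello")  # private-to-private TCP packet
    print(tunnel_endpoint(encapsulate("203.0.113.10", "198.51.100.20", inner)))
    print(tunnel_endpoint(encapsulate("192.0.2.99", "198.51.100.20", inner)))
```

The two public addresses in the outer header are the only thing an intermediary router sees; the inner addresses 10.1.0.5 and 10.2.0.7 travel as payload, which is why the two private networks appear to be one router hop apart.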


Page 15: L4  vpn

Cryptographic authentication is used to securely validate the identity of the remote user so the system can determine what level of security is appropriate for that user.

In order for two devices from different vendors to be compatible, they must:

› support the same authentication and payload encryption algorithms, and

› implement them in the same way.


Page 16: L4  vpn

Data payload encryption is used to obfuscate the contents of the encapsulated data without relying on encapsulating an entire packet within another packet.

In that manner, data payload encryption is exactly like normal IP networking except that the data payload has been encrypted


Page 17: L4  vpn

Data payload encryption obfuscates the data but does not keep header information private, so details of the internal network can be ascertained by analyzing the header information.


Page 18: L4  vpn

Cheaper than WANs

Easier to establish than WANs

Slower than LANs

Less reliable

Less secure than local LANs and WANs


Page 19: L4  vpn

IPSec tunnel mode

L2TP

PPTP


Page 20: L4  vpn

IPSec is the IETF’s standard suite for secure IP communications that relies on encryption to ensure the authenticity and privacy of IP communications.


Page 21: L4  vpn

IPSec provides mechanisms that can be used to do the following:

› Authenticate individual IP packets and guarantee that they are unmodified.

› Encrypt the payload (data) of individual IP packets between two end systems.

› Encapsulate a TCP or UDP socket between two end systems (hosts) inside an encrypted IP link (tunnel) established between intermediate systems (routers) to provide virtual private networking.


Page 22: L4  vpn

IPSec performs these three functions using three independent mechanisms:

Authentication Header (AH) to provide authenticity (Integrity)

Encapsulating Security Payload (ESP) to encrypt the data portion of an IP Packet (Integrity and Confidentiality)

Internet Key Exchange (IKE) for exchanging public keys (Authentication)


Page 23: L4  vpn

AH computes a checksum of the header information of a TCP/IP packet

Encrypts the checksum with the public key of the receiver

Receiver decrypts the checksum with its key

Checks the header against the checksum

If the computed checksum is different:

› Decryption failed

› Header has been modified


Page 24: L4  vpn

Because NAT changes header information, IPSec AH cannot be reliably passed through a NAT

ESP can still be used to encrypt the payload, but support for ESP without AH varies among implementations of IPSec.
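The two previous slides (AH integrity checking, and why NAT breaks it) can be exercised with the following added Python example; it is not from the slides. It follows the standardized AH design (RFC 4302), where the integrity check value is a keyed MAC over the immutable header fields plus the payload, with fields that routers legitimately change (TTL) zeroed out, and the MAC is truncated to 128 bits as HMAC-SHA-256-128 does (RFC 4868). The packet is modelled as a dict of only the fields needed, the key is a constructed demo value rather than one negotiated by IKE, and the addresses are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key. On a real IPSec SA this key is negotiated by IKE, never hard-coded.
AH_KEY = b"constructed-demo-key-not-for-real-use"


def ah_icv(src: str, dst: str, payload: bytes, key: bytes = AH_KEY) -> bytes:
    """Integrity check value over the header fields AH covers plus the payload.

    TTL and the header checksum are not included: routers legitimately change them
    in transit, so AH treats them as mutable (zeroed) fields. Source and destination
    are immutable in AH's view, which is exactly why NAT breaks it.
    """
    covered = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
               + struct.pack("!B", 0) + payload)  # the 0 stands in for the zeroed TTL
    return hmac.new(key, covered, hashlib.sha256).digest()[:16]  # HMAC-SHA-256-128 truncation


def send(src: str, dst: str, payload: bytes, ttl: int = 64) -> dict:
    """Sender attaches the ICV; the packet is modelled as a dict of the fields we need."""
    return {"src": src, "dst": dst, "ttl": ttl, "payload": payload, "icv": ah_icv(src, dst, payload)}


def router_hop(pkt: dict) -> dict:
    """Ordinary forwarding: only the mutable TTL changes, so the ICV still verifies."""
    return dict(pkt, ttl=pkt["ttl"] - 1)


def nat_gateway(pkt: dict, public_addr: str) -> dict:
    """NAT rewrites the source address on the way out, a field the ICV covers."""
    return dict(pkt, src=public_addr, ttl=pkt["ttl"] - 1)


def modified_in_transit(pkt: dict, payload: bytes) -> dict:
    """Any on-path change to the data, accidental or not."""
    return dict(pkt, payload=payload)


def verify(pkt: dict) -> str:
    """Receiver recomputes the ICV; a mismatch means header or payload changed."""
    expected = ah_icv(pkt["src"], pkt["dst"], pkt["payload"])
    if hmac.compare_digest(expected, pkt["icv"]):
        return "accept"
    return "reject: header or payload modified in transit"


if __name__ == "__main__":
    pkt = send("10.1.0.5", "10.2.0.7", b"payroll export")
    print("after a router hop:", verify(router_hop(pkt)))
    print("after NAT:         ", verify(nat_gateway(pkt, "203.0.113.10")))
    print("after modification:", verify(modified_in_transit(pkt, b"payroll exp0rt")))
```

Note that the receiver cannot tell a NAT rewrite from a deliberate header modification: both produce the same rejection, which is the behaviour the slide above describes as AH not passing reliably through NAT.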


Page 25: L4  vpn

With Encapsulating Security Payload, the transmitter encrypts the payload of an IP packet using the public key of the receiver.

The receiver then decrypts the payload upon receipt and acts accordingly.


Page 26: L4  vpn

In early IPSec systems, public keys were manually installed via file transfer or by actually typing them in.

Each machine’s public key had to be installed on the reciprocal machine.

As the number of security associations a host required increased, the burden of manually keying machines became seriously problematic


Page 27: L4  vpn

Internet Key Exchange (IKE) protocol obviates the necessity to manually key systems.

IKE uses private key security to validate the remote firewall’s authority to create an IPSec connection and to securely exchange public keys.

Once the public keys are exchanged and the encryption protocols are negotiated, a security association is automatically created on both hosts and normal IPSec communications can be established.
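As an added illustration of what the slide means by validating the peer with "private key security" and then exchanging keys automatically, the following Python simulation (not from the slides) runs an IKE-style exchange between two gateways: each sends a fresh Diffie-Hellman public value and a nonce, each proves it holds the shared pre-shared key with a keyed MAC over the transcript, and only then do both derive the same security-association key. The Diffie-Hellman group is a constructed toy (p = 2^127 - 1, generator 3) that is far too small for real use; IKE negotiates standardized MODP groups (RFC 3526). The PSK, nonces and message layout are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for the demo: p = 2**127 - 1 is prime but far too
# small for real use. IKE negotiates standardized MODP groups (RFC 3526) instead.
P = 2 ** 127 - 1
G = 3

# The one secret each gateway still needs out of band; it replaces a per-peer public key file.
PSK = b"constructed-pre-shared-key"


def dh_keypair():
    """Fresh ephemeral private exponent and public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def auth_tag(psk: bytes, role: bytes, transcript: bytes) -> bytes:
    """PSK-keyed MAC over the exchange; proves the peer holds the PSK without sending it."""
    return hmac.new(psk, role + transcript, hashlib.sha256).digest()


def derive_sa_key(shared: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Turn the DH shared secret plus both nonces into the key material for the SA."""
    return hmac.new(nonce_i + nonce_r, shared.to_bytes(16, "big"), hashlib.sha256).digest()


def run_exchange(psk_initiator: bytes, psk_responder: bytes):
    """Simulate both gateways. Returns (status, initiator_key, responder_key)."""
    # Message 1, initiator -> responder: DH public value and nonce
    a, pub_i = dh_keypair()
    nonce_i = secrets.token_bytes(16)
    # Message 2, responder -> initiator: its DH value, nonce, and a MAC over the transcript
    b, pub_r = dh_keypair()
    nonce_r = secrets.token_bytes(16)
    transcript = pub_i.to_bytes(16, "big") + pub_r.to_bytes(16, "big") + nonce_i + nonce_r
    auth_r = auth_tag(psk_responder, b"responder", transcript)
    # Initiator checks the responder's authority to set up an SA before trusting the key
    if not hmac.compare_digest(auth_r, auth_tag(psk_initiator, b"responder", transcript)):
        return "initiator rejected responder: PSK mismatch", None, None
    # Message 3, initiator -> responder: its own MAC; the responder performs the same check
    auth_i = auth_tag(psk_initiator, b"initiator", transcript)
    if not hmac.compare_digest(auth_i, auth_tag(psk_responder, b"initiator", transcript)):
        return "responder rejected initiator: PSK mismatch", None, None
    # Both now compute the same shared secret and derive the SA key automatically
    key_i = derive_sa_key(pow(pub_r, a, P), nonce_i, nonce_r)
    key_r = derive_sa_key(pow(pub_i, b, P), nonce_i, nonce_r)
    return "SA established", key_i, key_r


if __name__ == "__main__":
    status, k_i, k_r = run_exchange(PSK, PSK)
    print(status, "- keys match:", k_i == k_r)
    print(run_exchange(PSK, b"wrong-psk")[0])
```

The point of the MAC covering both public values and both nonces is that a peer without the PSK cannot complete the exchange, so the keys that come out of it are only ever shared with a gateway that was authorized out of band.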


Page 28: L4  vpn

Layer 2 Tunneling Protocol (L2TP) is an extension to the Point-to-Point Protocol (PPP)

PPP is the protocol used when you dial into the Internet with a modem

It transfers data from your computer to a remote access server at your ISP.

The ISP forwards the data on to the Internet.


Page 29: L4  vpn

Like PPP, L2TP includes a mechanism for secure authentication using a number of different authentication mechanisms

Unlike pure IPSec tunneling, L2TP can support any interior protocol, including Internetwork Packet Exchange (IPX), AppleTalk and NetBEUI

L2TP packets can also be encrypted using IPSec.


Page 30: L4  vpn

L2TP can be transported over any Data Link layer protocol (ATM, Ethernet, etc.) or Network layer protocol (IP, IPX, etc.)

L2TP supports the three requisite functions to create a VPN: authentication, encryption, and tunneling


Page 31: L4  vpn

Microsoft and Cisco both recommend L2TP as their primary method for creating VPNs.

It is not yet supported by most firewall vendors, however, and it does not transit network address translators well.


Page 32: L4  vpn

PPTP was Microsoft’s first attempt at secure remote access for network users

PPTP creates an encrypted PPP session between two TCP/IP hosts.

Unlike L2TP, PPTP operates only over TCP/IP.

PPTP does not use IPSec to encrypt packets; it uses a hash of the user’s Windows NT password to create a private key between the client and the remote server.


Page 33: L4  vpn

Because of its ubiquity, routing flexibility, and ease of use, PPTP is probably the most common form of VPN.


Page 34: L4  vpn

Use a real firewall

› Firewalls make ideal VPN endpoints because they can route translated packets between private systems.

Secure the base operating system

› No VPN solution provides effective security if the operating system of the machine is not secure.


Page 35: L4  vpn

Use packet filtering to reject unknown hosts

› You should always use packet filtering to reject connection attempts from every computer except those you’ve specifically set up to connect to your network remotely.


Page 36: L4  vpn

Compress before you encrypt

› Properly encrypted data cannot be compressed.

› This means that if you want to use compression, you must compress before you encrypt.
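The following added Python example (not from the slides) measures both orders on a constructed, highly repetitive piece of LAN traffic. The cipher is a stand-in XOR keystream built from SHA-256 counters, chosen only because its output looks random, which is the property that makes encrypted data incompressible; the key, nonce and sample are constructed values.

```python
import hashlib
import zlib

# Constructed sample: a repetitive, highly compressible piece of LAN traffic (2000 bytes).
SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n" * 40
KEY = b"constructed-demo-key"
NONCE = b"constructed-nonce"


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR with a SHA-256 counter keystream. Not a vetted
    cipher; it is here only because its output looks random, which is what makes
    encrypted data incompressible. XOR is its own inverse, so the same function
    encrypts and decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def compress_then_encrypt(plaintext: bytes) -> bytes:
    """The right order: redundancy is removed while the data is still visible to zlib."""
    return keystream_xor(KEY, NONCE, zlib.compress(plaintext))


def decrypt_then_decompress(ciphertext: bytes) -> bytes:
    """Receiver reverses the two steps in the opposite order."""
    return zlib.decompress(keystream_xor(KEY, NONCE, ciphertext))


def encrypt_then_compress(plaintext: bytes) -> bytes:
    """The wrong order: compression runs over random-looking bytes and finds nothing."""
    return zlib.compress(keystream_xor(KEY, NONCE, plaintext))


def compare_orders(plaintext: bytes) -> dict:
    """Bytes on the wire for each order, next to the plaintext size."""
    return {
        "plaintext": len(plaintext),
        "compress_then_encrypt": len(compress_then_encrypt(plaintext)),
        "encrypt_then_compress": len(encrypt_then_compress(plaintext)),
    }


if __name__ == "__main__":
    for name, size in compare_orders(SAMPLE).items():
        print("%-22s %5d bytes" % (name, size))
```

Running it shows the compress-then-encrypt stream shrinking to a small fraction of the 2000-byte sample, while encrypt-then-compress comes out slightly larger than the input because zlib falls back to storing the incompressible bytes plus its own framing. One caveat for a defender: when the data being compressed mixes secrets with input an outsider can influence, the compressed length itself can leak information about the secrets, which is why TLS-level compression has been disabled in modern deployments.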


Page 37: L4  vpn

Secure remote hosts

› Consider the case of a home user with more than one computer who is using a proxy product like WinGate to share their Internet connection and also has a VPN tunnel established over the Internet to your network.

› Any hacker on the planet could then proxy through the WinGate server directly into your private network.
