1. Virtual Private Networks and IPSec (ECE 4112)
2. What is a VPN?
- VPN stands for Virtual Private Network
- A method of ensuring private, secure communication between hosts over an insecure medium using tunneling
- Usually between geographically separate locations, but doesn't have to be
- Via tunneling and software drivers, a computer is logically connected directly to a network that it is not physically a part of
3. Sidebar: What is tunneling?
- Putting one type of packet inside another
- Both parties must be aware of the tunnel for it to work
- Example in the next slide: AppleTalk over IP tunnel
4. Example: AppleTalk over IP Tunnel
5. What is a VPN? (cont)
- Uses some means of encryption to secure communications
  - Software could be written to support any type of encryption scheme
6. What is a VPN? (cont)
- Remote-access VPN
  - The typical example of this is a dial-up connection from home, or for a mobile worker who needs to connect to secure materials remotely
- Site-to-site VPN
  - The typical example of this is a company that has offices in two different geographical locations and wants a secure network connection between the two
7. Remote-Access Example
8. Site-to-Site Example
9. Why Use a VPN?
- Originally designed as an inexpensive alternative to a WAN over leased lines
- Now mostly used to securely connect computers over the Internet
- Lots of cheap and convenient protocols are insecure (IP, 802.11, etc.)
  - Can now communicate securely over these insecure protocols
10. Why Use a VPN? (cont)
- Example: it can simplify security
  - (What is about to be proposed is not the most secure thing in the world, so don't raise your hands and tell how you would make it more secure; it's just an example)
  - Assume a simple security policy with IP-based access management, for example an FTP server with site-licensed software on it for employees
  - Before VPN, it was complicated to allow access to the FTP site for telecommuters or traveling employees
    - Train all employees to use an SSH tunnel, etc.
  - After VPN, employees offsite can still connect using an internal IP address
11. VPN Advantages
- Consolidation of scattered resources
- Reduced cost (vs. leased lines)
12. VPN Disadvantages
- Possibly frustrating troubleshooting
- Interoperability with other networks/VPNs
- Small performance overhead
  - Should be negligible on today's hardware
13. VPN Security
- In academic terms, a VPN can provide confidentiality, integrity, and authenticity
- Security against a determined hacker (read: academic attacks) depends largely upon the underlying protocols used
- Assuming the security of SSH, IPSec, or whatever other protocol is used, it should be secure
14. How are VPNs set up?
- Many different types of setup
  - Amount of hardware used vs. amount of software used
  - Amount of transparency to the end user
    - Does the user even realize that they are using a VPN?
15. How are VPNs set up? (cont)
- The following is not an exhaustive list
  - Using two VPN-aware gateways
  - End host uses VPN software
16. How are VPNs set up? (cont)
17. VPN via SSH & PPP
- Point-to-Point Protocol over a Secure Shell connection
- Establishing a network connection
  - Establish an SSH connection
  - Each side has a PPP daemon that communicates through the SSH connection
18. VPN via SSL & PPP
- Point-to-Point Protocol over a Secure Socket Layer connection
  - Built-in support for host authentication
19. VPN via SSL & PPP (cont)
- Establishing a network connection
  - Initial handshake for secure communication
  - Hello messages establish:
    - SSL version, supported cipher suites, and some random data
  - Key is determined separately from the handshake
  - Data is transferred over the link
20. VPN via Concentrator
- A concentrator is NOT a gateway or firewall
- Specialized device that accepts connections from VPN peers
- Enforces VPN security policies
- Takes the overhead of VPN management and encryption off of gateways and local hosts
21. VPN via Concentrator (cont)
- Set up the concentrator (add users, specify authentication mechanisms, set IP address ranges, etc.)
- Client runs software when it wants to be on the VPN
22. Other Methods
- Point-to-Point Tunneling Protocol
  - Microsoft's implementation of VPN
  - Data is first encapsulated inside PPP packets
  - PPP packets are then encapsulated in GRE packets and sent over the link
- PPTP uses two connections
  - One for the data being sent
  - Another for a control channel
23. Other Methods (cont)
- Any technology can be used
  - Must have hardware or software to support it
- Another example: L2TP on gateways
  - Layer 2 Tunneling Protocol
  - If two routers support L2TP and are properly configured, then a VPN is set up between the routers
24. Intro to IPSec
- Created to add authentication, confidentiality, and integrity to IP traffic
- Designed to combat specific shortcomings in IP
- IPSec is large and its implementation is complicated
- What follows is a high-level overview
- As we will see in the lab, it need not be used only as a VPN technology; it can be stand-alone
25. Intro to IPSec (cont)
- IPSec is a protocol used in many VPNs
  - AH (Authentication Header protocol)
  - ESP (Encapsulating Security Protocol)
26. Intro to IPSec (cont)
- Authentication Header protocol
  - Offers authenticity and integrity
  - Covers the entire packet, including static header fields
    - If any part of the original message changes, it will be detected
  - Can be used for authentication
27. Intro to IPSec (cont)
- Encapsulating Security Protocol
  - Provides integrity and confidentiality
  - If used in tunnel mode, encrypts the original IP header
28. Intro to IPSec (cont)
Figure: transport-mode packet layout. Real IP Header | IP Options | IPSec Header (could be either an AH header or an ESP header) | Payload (for example, TCP and payload). AH "authenticates over" the whole packet; ESP "encrypts over" the payload.
29. Intro to IPSec (cont)
Figure: tunnel-mode packet layout. GW IP Header | IPSec Header (could be either an AH header or an ESP header) | Real IP Header | Payload (for example, TCP and payload). AH "authenticates over" the whole packet; ESP "encrypts over" the Real IP Header and payload.
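To make the AH and ESP layouts above concrete, here is an added Python example (not from the slides or the cited texts) that models what AH authenticates over, with the mutable TTL field excluded so routers can still decrement it, and what ESP tunnel mode hides behind a new gateway IP header. The dict-based header, field names, keys and the HMAC-derived XOR keystream are constructed stand-ins for the real wire formats and for ESP's cipher, and the keys are assumed to have come from IKE.

```python
import hashlib
import hmac

# Constructed demo (not from the slides): the header is a dict rather than a
# wire-format IPv4 header, and the "cipher" is an HMAC-derived XOR keystream that
# stands in for ESP's real cipher. Keys are assumed to have come from IKE.
AUTH_KEY = b"constructed-ah-key"
ENC_KEY = b"constructed-esp-key"
MUTABLE_FIELDS = {"ttl"}  # changes hop by hop, so AH zeroes it before hashing

def serialize(header, payload, zero_mutable=False):
    """Fixed-order byte form of header + payload; optionally zero mutable fields."""
    fields = {k: (0 if zero_mutable and k in MUTABLE_FIELDS else v)
              for k, v in sorted(header.items())}
    return repr(fields).encode() + b"|" + payload

def ah_icv(header, payload):
    """AH Integrity Check Value: HMAC over the static header fields and payload."""
    data = serialize(header, payload, zero_mutable=True)
    return hmac.new(AUTH_KEY, data, hashlib.sha256).hexdigest()

def ah_verify(header, payload, icv):
    """Receiver recomputes the ICV; any change to a covered field is detected."""
    return hmac.compare_digest(ah_icv(header, payload), icv)

def _xor_keystream(data):
    """Toy keystream cipher (XOR with HMAC blocks); demo stand-in, not secure ESP."""
    stream = b""
    while len(stream) < len(data):
        block = len(stream) // 32
        stream += hmac.new(ENC_KEY, block.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def esp_tunnel_encapsulate(gw_src, gw_dst, header, payload):
    """Tunnel mode: the whole original packet, real IP header included, becomes
    the encrypted ESP payload behind a new gateway IP header (slide 29)."""
    inner = serialize(header, payload)
    outer = {"src": gw_src, "dst": gw_dst, "ttl": 64}
    return outer, _xor_keystream(inner)

def esp_tunnel_decapsulate(ciphertext):
    """The peer gateway recovers the original packet (XOR is its own inverse)."""
    return _xor_keystream(ciphertext)

if __name__ == "__main__":
    hdr = {"src": "10.0.0.1", "dst": "10.0.0.2", "ttl": 64}
    icv = ah_icv(hdr, b"TCP segment")
    print("TTL decrement still verifies:", ah_verify(dict(hdr, ttl=63), b"TCP segment", icv))
    print("changed destination detected:", not ah_verify(dict(hdr, dst="10.0.0.9"), b"TCP segment", icv))
```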
- AH and ESP can be used together
  - Tunnel ESP through AH transport packets
- Want to protect cryptographic keys
- Internet Key Exchange protocol (IKE)
  - Secure way to exchange session keys based on a shared secret
  - Can also use certificates (public key cryptography)
31. Resources
- Building Linux Virtual Private Networks
  - Oleg Kolesnikov, Brian Hatch
- Charlie Kaufman, Radia Perlman, Mike Speciner
32. Resources (cont)
- Lecture slides by Wenke Lee (see below)
- http://www.tldp.org/HOWTO/VPN-HOWTO/
- http://www.onlamp.com/lpt/a/3009
- http://www.cisco.com/warp/public/471/how_vpn_works.shtml
- http://www.cc.gatech.edu/classes/AY2004/cs4803_fall/ipsec_1.ppt
- http://www.cc.gatech.edu/classes/AY2004/cs4803_fall/ipsec_2.ppt