Virtual private networks

By. P. Victer Paul

Dear, We planned to share our eBooks and project/seminar contents for free to all needed friends like u.. To get to know about more free computerscience ebooks and technology advancements in computer science. Please visit....

http://free-computerscience-ebooks.blogspot.com/

http://recent-computer-technology.blogspot.com/

http://computertechnologiesebooks.blogspot.com/

Please to keep provide many eBooks and technology news for FREE. Encourage us by Clicking on the advertisement in these Blog.

VPNs can be used to secure communications through the public Internet.

VPNs are often installed by organizations to provide remote access to a secure organizational network, or to connect two network locations together using an insecure network to carry the traffic.

A VPN does not need to have explicit security features such as authentication or traffic encryption. For example, a network service provider could use VPNs to separate the traffic of multiple customers over an underlying network.

VPNs such as Tor can be used to mask the IP address of individual computers within the Internet in order, for instance, to surf the World Wide Web anonymously or to access location restricted services, such as Internet television.

In the protocols they use to tunnel the traffic over the underlying network;

By the location of tunnel termination, such as the customer edge or network provider edge;

Whether they offer site-to-site or remote access connectivity;

In the levels of security provided; By the OSI layer which they present to the connecting

network, such as Layer 2 circuits or Layer 3 network connectivity.

Secure VPNs explicitly provide mechanisms for authentication of the tunnel endpoints during tunnel setup, and encryption of the traffic in transit.

Often secure VPNs are used to protect traffic when using the Internet as the underlying backbone, but equally they may be used in any environment when the security level of the underlying network differs from the traffic within the VPN.

Secure VPNs may be implemented by organizations wishing to provide remote access facilities to their employees or by organizations wishing to connect multiple networks together securely using the Internet to carry the traffic.

A common use for secure VPNs is in remote access scenarios, where VPN client software on an end user system is used to connect to a remote office network securely.

Secure VPN protocols include L2TP (with IPsec), SSL/TLS VPN (with SSL/TLS) or PPTP (with MPPE).

Trusted VPNs are commonly created by carriers and large organizations and are used for traffic segmentation on large core networks. They often provide quality of service guarantees and other carrier-grade features.

Trusted VPNs may be implemented by network carriers wishing to multiplex multiple customer connections transparently over an existing core network or by large organizations wishing to segregate traffic flows from each other in the network. Trusted VPN protocols include MPLS, ATM or Frame Relay.

Trusted VPNs differ from secure VPNs in that they do not provide security features such as data confidentiality through encryption. Secure VPNs however do not offer the level of control of the data flows that a trusted VPN can provide such as bandwidth guarantees or routing.

Security Address Translation Performance: Throughput, Load balancing (round-robin

DNS), fragmentation Bandwidth Management: RSVP (Resource Reservation Protocol) Availability: Good performance at all times Scalability: Number of locations/Users Interoperability: Among vendors, Internet Service Providers (ISPs), customers (for extranets) Standards Compatibility, ⇒

With firewall

Compression: Reduces bandwidth requirements Manageability: SNMP (Simple Network Management

Protocol), Browser based, Java based, centralized/distributed

Accounting, Auditing, and Alarming Protocol Support: IP, non-IP (IPX) Platform and O/S support: Windows, UNIX, MacOS,

HP/Sun/Intel Installation: Changes to desktop or backbone only Legal: Exportability, Foreign Govt Restrictions, Key Management Infrastructure (KMI) initiative ⇒ Need key recovery

IPsec (Internet Protocol Security) - A standards-based security protocol developed originally for IPv6, where support is mandatory, but also widely used with IPv4.

For VPNs L2TP is commonly used over IPsec. Transport Layer Security (SSL/TLS) is used either for

tunneling an entire network's traffic (SSL/TLS VPN) SSL has been the foundation by a number of vendors to

provide remote access VPN capabilities. SSL-based VPNs may be vulnerable to

denial-of-service attacks mounted against their TCP connections because latter are inherently unauthenticated.

Datagram Transport Layer Security (DTLS), used by Cisco for a next generation VPN product called Cisco AnyConnect VPN. DTLS solves the issues found when tunneling TCP over TCP as is the case with SSL/TLS

Microsoft Point-to-Point Encryption (MPPE) by Microsoft is used with their PPTP. Several compatible implementations on other platforms also exist.

Secure Socket Tunneling Protocol (SSTP) by Microsoft introduced in Windows Server 2008 and Windows Vista Service Pack 1. SSTP tunnels PPP or L2TP traffic through an SSL 3.0 channel.

MPVPN (Multi Path Virtual Private Network). Ragula Systems Development Company owns the registered trademark "MPVPN“.

SSH VPN -- OpenSSH offers VPN tunneling to secure remote connections to a network (or inter-network links). This feature (option -w) should not be confused with port forwarding (option -L).

OpenSSH server provides limited number of concurrent tunnels and the VPN feature itself does not support personal authentication.

Tunnel endpoints are required to authenticate themselves before secure VPN tunnels can be established.

End user created tunnels, such as remote access VPNs may use passwords, biometrics, two-factor authentication or other cryptographic methods.

For network-to-network tunnels, passwords or digital certificates are often used, as the key must be permanently stored and not require manual intervention for the tunnel to be established automatically.

Depending on whether the PPVPN runs in layer 2 or layer 3, the building blocks described below may be L2 only, L3 only, or combinations of the two. Multiprotocol Label Switching (MPLS) functionality blurs the L2-L3 identity.◦Customer edge device. (CE)◦ Provider edge device (PE)◦ Provider device (P)

Customer edge device (CE) In general, a CE is a device, physically at the customer premises, that provides access to the PPVPN service. Some implementations treat it purely as a demarcation point between provider and customer responsibility, while others allow customers to configure it.

Provider edge device (PE) A PE is a device or set of devices, at the edge of the provider network, which provides the provider's view of the customer site. PEs are aware of the VPNs that connect through them, and which maintain VPN state.

Provider device (P) A P device operates inside the provider's core network, and

does not directly interface to any customer endpoint. It might, for example, provide routing for many provider-

operated tunnels that belong to different customers' PPVPNs.

Its principal role is allowing the service provider to scale its PPVPN offerings, as, for example, by acting as an aggregation point for multiple PEs. P-to-P connections, in such a role, often are high-capacity optical links between major locations of provider.

GRE: Generic Routing Encaptulation (RFC 1701/2) PPTP: Point-to-point Tunneling Protocol 2TP: Layer 2 Tunneling protocol IPsec: Secure IP MPLS: Multiprotocol Label Switching

Layer 2 Tunneling Protocol L2F = Layer 2 Forwarding (From CISCO) L2TP = L2F + PPTP Combines the best features of

L2F and PPTP Easy upgrade from L2F or PPTP Allows PPP frames to be sent over non-IP (Frame

relay, ATM) networks also (PPTP works on IP only) Allows multiple (different QoS) tunnels between the

same end-points. Better header compression. Supports flow control

Universal Transport Interface (UTI) is a pre-standard effort for transporting L2 frames.

L2TPv3 extends UTI and includes it as one of many supported encapsulations.

L2TPv3 has a control plane using reliable control connection for establishment, teardown and maintenance of individual sessions.

Allows virtual circuits in IP Networks Each packet has a virtual circuit number called ‘label’ Label determines the packet’s queuing and forwarding Circuits are called Label Switched Paths (LSPs) LSP’s have to be set up before use Allows traffic engineering

Unsolicited: Topology driven Routing protocols ⇒exchange labels with routing information.

Many existing routing protocols are being extended:BGP, OSPF

On-Demand: ⇒ Label assigned when requested,

e.g., when a packet arrives latency⇒ Label Distribution Protocol called LDP RSVP has been extended to allow label request and

response

VPN allows secure communication on the Internet Three types: WAN, Access, Extranet Key issues: address translation, security, performance Layer 2 (PPTP, L2TP), Layer 3 (IPSec) QoS is still an issue MPLS⇒

FIREWALL

Aspects of Security◦Data accessibility - contents accessible◦Data integrity - contents remain unchanged◦Data confidentiality - contents not revealed

AAA◦Authentication - You are who you say you are◦Authorization - Access control◦Accountability- Who is responsible for tracking access to

data

Scrambling of message such that only intended receiver can unscramble them◦Encrypting function - produces encrypted message◦Decrypting function - extracts original message◦Encryption key - parameter that controls

encryption/decryption

Secret Key Encryption◦ Sender and receiver share secret key◦ Encrypted_Message = encrypt(K, Message)◦Message = decrypt(K, Encrypted_Message)◦ Example: Encrypt = division◦ 433 = 48 R 1 (using divisor of 9)

Previous scheme requires shared secret K If K is discovered, security is compromised Public key encryption uses two keys:◦Private key - kept secret by user◦Public key - published by user

Message encrypted with public key can be decrypted only with private key, and vice-versa

Encrypted_Message = decrypt(Public_Key, encrypt(Private_key, Message)

Message = decrypt(Private_Key, encrypt(Public_Key,Message)

Goal - guarantee that message must have originated with certain entity

Encrypted_Message = encrypt(Private_Key, Message) Message = decrypt(Public_Key, Encrypted_Message) => Authentic

User 1 to User2: Encrypted_Message = encrypt(Public_key2,

encrypt(Private_key1, Message) Message = decrypt(Public_key1, decrypt

(Private_key2,Encrypted_Message) => Authentic and Private

Bastion Host DMZ (demilitarized zone) Perimeter network

A bastion host is a computer that is fully exposed to attack

The system is on the public side of the demilitarized zone (DMZ), unprotected by a firewall or filtering router

Firewalls and routers can be considered bastion hosts Other types of bastion hosts include web, mail, DNS,

and FTP servers, Proxy servers

DMZ (demilitarized zone) is a computer host or small network inserted as a "neutral zone" between a company's private network and the outside public network.

It prevents outside users from getting direct access to a server that has company data

A small, single-segment network between a firewall and the Internet for services that the organization wants to make publicly accessible to the Internet without exposing the network as a whole

If someone breaks into a bastion host on the perimeter net, he'll be able to snoop only on traffic on that net

Also known as ‘stub network’

Can configure packet forwarding devices - esp. routers – to drop certain packets

Example: Only email gets in/out problem: Filter is accessible to outside world

Proxy servers take users' requests and forward them to real servers

Take server’s responses and forwards them to users Enforce site security policy = > may refuse certain

requests Transparency is the major benefit of proxy services Also known as application-level gateways

Can’t protect against malicious insiders can’t protect against connections that do not go through

it,◦ e.g. dial up

Can’t protect against completely new threats Can’t protect against viruses

Security is a problem because Internet is not owned by one entity

Encryption and digital signatures can provide confidentiality and secure identification

Organizations can use firewalls to prevent unauthorized access