
Virtual Private Networks, Fred Baker. What is a VPN: public networks are used to move information between trusted network segments using shared facilities

Mar 27, 2015



Slide 1: Virtual Private Networks, Fred Baker

Slide 2: What is a VPN
  • Public networks are used to move information between trusted network segments using shared facilities like frame relay or ATM
  • A VIRTUAL Private Network replaces all of the above utilizing the public Internet
  • Performance and availability depend on your ISP and the Internet

Slide 3: Why?

Slide 4: HomeNet to the office

Slide 5: VPN Types

Slide 6: VPN Implementations

Slide 7: VPN as your Intranet

Slide 8: What a VPN needs
  • VPNs must be encrypted so no one can read them
  • VPNs must be authenticated: no one outside the VPN can alter the VPN
  • All parties to the VPN must agree on the security properties

Slide 9: VPN Components

Slide 10: Parts of a VPN

Slide 11: VPN works via crypto/encapsulation

Slide 12: Encryption
  • Encryption and decryption: clear text "Bob Is a Fink" is encrypted to cipher text "8vyaleh31&d ktu.dtrw8743 $Fie*nP093h", and decryption recovers "Bob Is a Fink"

Slide 13: Basic Crypto: keys are key

Slide 14: 2 Kinds of Key Systems

Slide 15: Symmetric Key Algorithms
  • DES: 56-bit key
  • Triple-DES: encrypt, decrypt, encrypt, using either two or three 56-bit keys
  • IDEA: 128-bit key
  • Blowfish: variable-length key, up to 448 bits

Slide 16: Public Key Encryption Example
  • Alice wants to send Bob encrypted data
  • Alice gets Bob's public key
  • Alice encrypts the data with Bob's public key
  • Alice sends the encrypted data to Bob
  • Bob decrypts the data with his private key

Slide 17: PKI vs Symmetric Key
  • PKI is easier as you don't have to manage keys on a per-user basis
  • But MUCH more compute intensive (symmetric is up to 1000 times faster)
  • Many systems do a combination, e.g. PGP: use PKI to send a symmetric key, then use the symmetric key to encrypt the data

Slide 18: Using Crypto in real life

Slide 19: PKI to send private keys

Slide 20: PKI certs: a way to authenticate

Slide 21: Prove the user cert: certificate authorities

Slide 22: Digital signature to verify data not changed in transit

Slide 23: PKI: the full picture

Slide 24: Where you do crypto

Slide 25: Technologies

Slide 26: Application Layer: SSL

Slide 27: Transport Layer: IPSEC. The standard is composed of:
  • Diffie-Hellman key exchange
  • PKI for the DH exchanges
  • DES and other bulk encryption
  • Hash to authenticate packets
  • Digital certificates to validate keys

Slide 28: Transport Layer: IPSEC VPNs, 3 parts

Slide 29: Tunnel vs Transport
  • Transport: implemented by the end point systems; real address to real address; cannot go through other networks
  • Tunnel: encapsulation of the original IP packet in another packet; can go through other networks; end systems need not support this; often a PC to a box on the inside

Slide 30: Diffie-Hellman Key Exchange (1976)
  • By openly exchanging non-secret numbers, two people can compute a unique shared secret number known only to them

Slide 31: Modular Exponentiation
  • g: generator; p: modulus (prime); $Y = g^{X} \bmod p$
  • Example: $2^{237276162930753723} \bmod 79927397984597926572651$
  • Both g and p are shared and well-known

Slide 32: Diffie-Hellman Public Key Exchange
  • Alice: private value $X_A$, public value $Y_A = g^{X_A} \bmod p$
  • Bob: private value $X_B$, public value $Y_B = g^{X_B} \bmod p$
  • Alice sends $Y_A$ to Bob and Bob sends $Y_B$ to Alice
  • Shared secret: $Y_B^{X_A} \bmod p = g^{X_B X_A} \bmod p = Y_A^{X_B} \bmod p$

Slide 33: Security Association is the agreement on how to secure

Slide 34: Create the ISAKMP SA (Internet Security Association Key Management Protocol)

Slide 35: IPSEC Key Exchange (IKE)

Slide 36: IKE allows scale as I do not need to hard code passwords for each pair

Slide 37: Link Layer: L2TP for VPDN (Virtual Private Dial Network)

Slide 38: PPTP: free from Microsoft

Slide 39: PPTP: Security

Slide 40: VPN Comparisons

Slide 41: So why have a private network?
  • QoS not fully cooked
  • Very dependent on your ISP
  • Real hard to do across ISPs
  • So no guarantee of performance

Slide 42: Other Issues

Slide 43: Like NAT

Slide 44: Wireless: a new big driver, WAS (Work At Starbucks)

Slide 45: Many security protocols, depends on deployer

Slide 46: VPN means I don't care how you connect

Slide 47: Example

Slide 48: So what could be wrong?
  • VPN clients hit the network stack
  • May not play well with personal firewalls or other software
  • May not need full access to the target network, just encrypted access

Slide 49: One answer: clientless VPN
  • Use SSL as the transport protocol to an appliance
  • Can add NT authentication to the appliance
  • Clientless mode: use web-enabled applications over the Internet; the appliance SSLifies web sites
  • Java applet: use a downloadable applet to send traffic over SSL; get more support for applications
  • Can work well if you want to have encrypted web-based apps without redoing the application to use SSL (you need certs and have to change EVERY link to HTTPS)
  • Also a big hit on the server CPU

Slide 50: Summary: VPNs
  • Very big in the work access space
  • Exploit high-speed wireless in the office and public hot spots like Borders
  • Replaces direct dial into the work network
  • Replaces dedicated business partner connections
  • May replace the corporate WAN
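The Diffie-Hellman exchange from slides 30 to 32 carried through in code, as an added example that is not part of the original slide deck: it uses the generator g = 2 and the modulus p quoted on the modular-exponentiation slide, shows that only g, p, Y_A and Y_B ever cross the network, and then hashes the shared number into symmetric key material (the hash-based derivation is an assumption for illustration; the slides do not specify IKE's key derivation).

```python
import hashlib
import secrets

# Public parameters taken from the slides: generator g = 2 and the modulus p
# shown on the "Modular Exponentiation" slide (the slide calls p prime; that is
# taken from the deck, not verified here).
G = 2
P = 79927397984597926572651


def public_value(private_value: int, g: int = G, p: int = P) -> int:
    """Y = g^X mod p, computed by modular exponentiation (three-argument pow)."""
    return pow(g, private_value, p)


def shared_secret(peer_public: int, private_value: int, p: int = P) -> int:
    """Each side raises the peer's public value to its own private exponent."""
    return pow(peer_public, private_value, p)


def derive_symmetric_key(secret: int, length: int = 16) -> bytes:
    """Turn the shared number into symmetric key material by hashing it.
    Assumed derivation for illustration; IKE's real PRF is not on the slides."""
    secret_bytes = secret.to_bytes((secret.bit_length() + 7) // 8, "big")
    return hashlib.sha256(secret_bytes).digest()[:length]


def diffie_hellman_exchange(x_a: int, x_b: int) -> dict:
    """Run the exchange for Alice (X_A = x_a) and Bob (X_B = x_b).
    Returns the two public values and the secret each side computed."""
    y_a = public_value(x_a)          # Alice sends Y_A = g^X_A mod p in the clear
    y_b = public_value(x_b)          # Bob sends Y_B = g^X_B mod p in the clear
    k_a = shared_secret(y_b, x_a)    # Alice computes Y_B^X_A mod p
    k_b = shared_secret(y_a, x_b)    # Bob computes Y_A^X_B mod p
    return {"Y_A": y_a, "Y_B": y_b, "alice_secret": k_a, "bob_secret": k_b}


if __name__ == "__main__":
    # Private values are random and never transmitted; an observer of the
    # channel sees only g, p, Y_A and Y_B.
    x_alice = secrets.randbelow(P - 2) + 1
    x_bob = secrets.randbelow(P - 2) + 1
    result = diffie_hellman_exchange(x_alice, x_bob)
    assert result["alice_secret"] == result["bob_secret"]
    print("public Y_A:", result["Y_A"])
    print("public Y_B:", result["Y_B"])
    print("derived symmetric key:", derive_symmetric_key(result["alice_secret"]).hex())
```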