Virtual Private Networks
Dec 26, 2015
Virtual Private Networks (VPNs)
VPN: Virtual Private Network
IPSEC
HighLink’s road map:
Q2: Integrated IPSEC = Integrated VPN
Later phase: HW based IPSEC
VPN - two networking concepts:
  Virtual networks: Geographically distributed users and hosts interact and are managed as a single "virtual entity"
  Virtual Private Networks: Incorporate data protection and trust among hosts in the virtual network
VPN often includes: Tunneling, Encryption, Authentication
VPNs solve network problems:
  Security over public and private networks
  Addressing problems in IP networks
Ideal for Intranet/Extranet, E-commerce, ASPs
VPN - What is it all about?
What kind of security is provided by VPN?
Authentication: Who can access your network?
Authorization: What can a user access?
Data protection:
From disclosure
From modification
VPN’s Security
ISO Model (layers, bottom to top): Physical, Data Link, Network, Transport, Session, Presentation, Application
VPN Solutions at the various layers:
  L2TP, PPTP
  IPSEC
  SOCKS, SSL, TLS
  S/MIME, SSH
VPNs: Various solutions over 7 layers of ISO model
Internet --> security problems:
  Many points of eavesdropping
  Many points of modification
Public networks are also not secure --> VPN may also be needed over:
  DSL, CATV, Leased Lines, Frame Relay, ISDN, Wireless, Satellite
Security Problems --> VPN
Companies use "private" addresses due to:
  Shortage of IP addresses
  Historic reasons (before the Internet)
This causes problems when:
  Companies want to cooperate
  Companies connect to the Internet
The problem may be solved with:
  Virtual Private Network (VPN)
  Network Address Translation (NAT)
IP Addressing Problems --> VPN
IPSEC = IP Security
IPSEC is a standard (RFCs, etc.)
IPSEC is a layer 3 tunneling protocol
IPSEC provides:
  Encapsulation (optional)
  Encryption (optional)
  Data origin authentication
  Data integrity protection ("data has not been changed")
  Replay protection ("data is not being re-sent by someone who was eavesdropping" - optional)
  Cryptographic key management
IPSEC: Layer 3 tunneling protocol
PPTP and L2TP are layer two tunneling protocols:
PPTP = "Point to Point Tunneling Protocol":
  It's an old Microsoft tunneling protocol
  Has extensions for encryption
  Was replaced by L2TP
L2TP = a standard for "Layer 2 Tunneling Protocol":
  It doesn't provide encryption!
PPTP, L2TP: Layer 2 tunneling protocols
IPSEC provides real security features, like encryption, in addition to tunneling
IPSEC is becoming the leading means for VPN solutions
L2TP provides a solution for non-IP protocols, like IPX and AppleTalk - it lets them run over the Internet
IPSEC vs. L2TP
AH = Authentication Header protocol: Authentication, Data integrity, Replay protection
ESP = Encapsulating Security Payload protocol: Confidentiality, Authentication, Data integrity, Replay protection
IKE = Internet Key Exchange protocol
IPSEC: Three major components
Transport mode (hardly used): there is no encapsulation
  The original IP header is kept - it is neither replaced nor encrypted
  Data may be encrypted
Tunnel mode: there is encapsulation
  There is a new IP header with new IP addresses (allowing old private addresses to be used in the organization…)
  The old IP header (with old IP addresses) may be encrypted
  Data may be encrypted
IPSEC: Tunnel Mode and Transport Mode
IPSEC offers a range of algorithms:
  Authentication: MD5, SHA-1
  Encryption: DES, 3-DES (Triple DES), RC5, IDEA (& Triple IDEA), Blowfish, CAST, RC4
IPSEC: A range of encryption and authentication algorithms
Cryptographic Algorithm: a procedure that takes the plaintext data and transforms it into ciphertext in a reversible way
Cryptographic Key: a special piece of data that directs the crypto device to encrypt a message in a distinctive way
Usually the key is a large number
Cryptography
Mr. A encrypts his message to B with their shared secret key
Mr. B decrypts messages from A with the same secret key
Secret Key (Symmetric) Encryption
The keys must remain secret
The same key is used to encrypt and decrypt
Distributing the keys is hard because they have to be secret
Secrecy of data is related to:
  The length of the key
  The secrecy of the key
  The algorithm being used
Secret Key (Symmetric): Some facts
Different keys are used for encryption and for decryption
Public Key (Asymmetric) Encryption
Mr. B decrypts these messages using his private key
[Diagram: Mr. A, Duck and Mr. C each send a message to Mr. B encrypted with B's public key]
Public Key (Asymmetric) Encryption
Mr. B replies to messages using each recipient's public key
[Diagram: Mr. B replies to Duck, Mr. A and Mr. C, each reply encrypted with Duck's, A's and C's public key respectively]
Public Key (Asymmetric) Encryption
The private key must remain secret
The public key is widely distributed (on the WEB?)
Distribution of keys is easy
Public Key Encryption: Some facts
Given the algorithm, the clear text and the cipher text - one cannot determine the secret key
No reliance on algorithm secrecy
Available for analysis
Good Cryptography: Characteristics
AH is used mainly to authenticate packets and also provides anti-replay protection
Authenticate means "Checking integrity" - We know that the packet has not been modified in transit
Authenticate means "Checking identity" - We know that the packet was sent by someone who knows the right secret keys
More About AH Protocol
Some fields in an IP packet are "mutable" - they may be changed in transit (by routers), for example the TOS and TTL fields
The old “protocol field” (like TCP, UDP) is replaced by 51 (AH)
Sequence numbers are used to provide replay protection. Sequence numbers start at 1 and can never repeat
AH Protocol: Some technical issues
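The replay protection described above, as an added example (not from the original slides): a receiver-side sliding window over AH/ESP sequence numbers, in the style of the IPsec RFCs. The window size and the sequence of packets are constructed for the demonstration.

```python
class ReplayWindow:
    """Anti-replay check on the receiving side.

    Sequence numbers start at 1 and must never repeat (as the slide says).
    A bitmap of the last `size` numbers records which ones were already
    accepted; anything older than the window is rejected outright.
    """

    def __init__(self, size=64):
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence (highest - i) was seen

    def accept(self, seq):
        if seq == 0:
            return False      # 0 is never a valid sequence number
        if seq > self.highest:
            # New high-water mark: slide the window forward and mark seq.
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False      # too old: fell behind the window
        if (self.bitmap >> offset) & 1:
            return False      # replay: this number was already accepted
        self.bitmap |= 1 << offset
        return True


def demo_sequence():
    """Constructed arrival order: reordering is fine, repeats are not."""
    window = ReplayWindow(size=64)
    return [window.accept(seq) for seq in (1, 2, 5, 5, 3, 4, 2, 70, 6)]
```

Packet 5 arriving twice and packet 2 arriving again are rejected as replays; packet 6 is rejected because 70 has moved the window past it.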
ESP provides confidentiality in addition to: authentication, anti-replay protection
The old “protocol field” (like TCP, UDP) is replaced by 50 (ESP)
More About ESP Protocol
IKE - "Internet Key Exchange" protocol is responsible for:
Negotiating protocols, encryption algorithms and keys
Establishing keys
Keeping track of things
IKE was formerly referred to as ISAKMP = Internet Security Association and Key Management Protocol
IPSEC IKE: Some Facts
NAT = Network Address Translation - changes the source address of outbound packets
NAT which does many-to-one is called NAPT - Network Address Port Translation, or PAT - Port Address Translation
To use NAT, NAPT (or PAT) with IPSEC - you must NAT before you encrypt
Often, when VPN is used - NAT (or PAT) is not used
VPN & NAT
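Why the slides insist on "NAT before you encrypt", and why AH skips mutable fields, as an added example (not from the original slides or from HighLink): a toy AH-style integrity check over an IPv4 header with HMAC-SHA1. The key, addresses and payload are constructed; real AH adds its own header and gets keys from IKE.

```python
import hmac, hashlib, struct, ipaddress

KEY = b"constructed-demo-key"   # constructed; real keys are negotiated by IKE
AH_PROTO = 51                   # AH replaces the IP protocol field with 51

def ipv4_header(src, dst, proto, ttl=64, tos=0):
    """Minimal 20-byte IPv4 header; checksum left 0 for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def zero_mutable(hdr):
    """AH hashes mutable fields (TOS, flags/fragment offset, TTL, checksum) as zero."""
    return (hdr[:1] + b"\x00" + hdr[2:6] + b"\x00\x00" + b"\x00" +
            hdr[9:10] + b"\x00\x00" + hdr[12:])

def ah_icv(hdr, payload):
    """Integrity check value over the immutable header fields plus payload."""
    return hmac.new(KEY, zero_mutable(hdr) + payload, hashlib.sha1).digest()

def ah_verify(hdr, payload, icv):
    return hmac.compare_digest(ah_icv(hdr, payload), icv)

def router_hop(hdr):
    """Every router on the path decrements TTL (a mutable field)."""
    return hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:]

def nat_rewrite_src(hdr, new_src):
    """What a NAT box does: swap the private source address for a public one."""
    return hdr[:12] + ipaddress.IPv4Address(new_src).packed + hdr[16:]

PRIVATE_SRC, PUBLIC_SRC, DST = "10.0.0.5", "203.0.113.7", "192.0.2.9"  # constructed
PAYLOAD = b"constructed payload"

def survives_router_hop():
    """TTL is mutable, so a hop-decremented packet still verifies."""
    hdr = ipv4_header(PRIVATE_SRC, DST, AH_PROTO)
    return ah_verify(router_hop(hdr), PAYLOAD, ah_icv(hdr, PAYLOAD))

def nat_after_ipsec():
    """NAT applied after the ICV was computed: the peer rejects the packet."""
    hdr = ipv4_header(PRIVATE_SRC, DST, AH_PROTO)
    icv = ah_icv(hdr, PAYLOAD)
    return ah_verify(nat_rewrite_src(hdr, PUBLIC_SRC), PAYLOAD, icv)

def nat_before_ipsec():
    """The slide's rule: translate first, then protect the translated header."""
    hdr = nat_rewrite_src(ipv4_header(PRIVATE_SRC, DST, AH_PROTO), PUBLIC_SRC)
    return ah_verify(hdr, PAYLOAD, ah_icv(hdr, PAYLOAD))
```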
Having an IPSEC machine, firewall and routers from different vendors causes:
  Routing problems
  Security problems
  Often prevents the use of NAT (PAT)
  Is complex to install
  Is difficult to manage
  Is expensive
HighLink with integrated IPSEC avoids these problems and especially allows the use of NAT with IPSEC (since NAT is done before IPSEC).
Integrated IPSEC in the Router:
Q2 2000: software-based IPSEC implementation in HighLink:
  AH, ESP, DES, static keys - already implemented (for DATUS)
  3DES and IKE - being added
  Negotiating with CA - will be added
Second phase: HW-based IPSEC implementation in future HighLink (based on R-Core) to allow IPSEC at high speeds
HighLink “NATs” before IPSEC - so it can combine them and use them at the same time
HighLink and VPN
New: VPN (IPSEC: encryption, tunneling)
Integrated firewall: New: QoS based FACS
PAP and CHAP: Authentication Protocols
SNMP community: RO, RW, Super Community
Passwords for Terminal, Telnet, WEB management
HighLink’s Security Mechanisms:
New: VPN - encapsulates with new IP addresses
NAT (PAT) - replaces IP addresses and ports
DHCP server - provides IP addresses
IPCP - gets or provides IP addresses over PPP
Unnumbered IP - saves IP addresses over the WAN
HighLink Handles IP Addresses
New: VPN
Firewall
DHCP server
NAT (PAT) device
Quality of Service (QoS) device
Router and Bridge
One Box, One Management
Easy to install and maintain; No conflicts
HighLink - Many products in one case
Cisco 700 - none
Cisco 800 - IPSec & L2TP, DES only?
Cisco 900 - cable router - IPSec & L2TP, DES only?
Cisco 1400 - ADSL router with IPSec & L2TP, DES only?
Cisco 1600 - IPSec & L2TP, DES only?
Cisco 1700 - HW based IPSec, DES and 3DES
Bay Nautica - none
Ascend Pipeline - IPSec
Cabletron SSR - L2TP & DES
Intel Express - none (discontinued the encryption they had)
Motorola Vanguard - none
Netgear routers - none
VPN at competing SOHO routers