Page 1: VPN presentation

VPN Solutions for Campus

Page 2: VPN presentation

Agenda

• What is a VPN?
  – Different technologies
  – Tunnel (IPSec)
  – WebVPN (SSL)

• Why use VPN services?
  – Secure channel back to Campus
  – User benefits

• What VPN services does OIT provide?
  – Supported technologies and platforms

Page 3: VPN presentation

What is a VPN?

• Virtual Private Network
  – Secure, private connection through a public network
  – Encryption and tunneling protocols
  – Requires sending and receiving ends
  – Gives users the ability to access private network resources
  – Many different types

Page 4: VPN presentation

What is a VPN? (cont)

• Common VPN Protocols
  – Point-to-Point Tunneling Protocol (PPTP)
    • Designed for client/server connectivity
    • Point-to-point connection between two computers
    • Layer 2 tunnel that runs over IP networks only
  – Layer 2 Tunneling Protocol (L2TP)
    • Combines the functionality of PPTP and L2F
    • Works over multiple protocols, not just IP
  – Internet Protocol Security (IPSec)
  – Secure Sockets Layer (SSL)

Page 5: VPN presentation

IPSec Overview

• Industry-standard protocol (IETF)
  – RFC 2401 “Security Architecture for the Internet Protocol”
  – RFC 2402 “IP Authentication Header”
  – RFC 2406 “IP Encapsulating Security Payload”
  – RFC 2409 “The Internet Key Exchange”
  (These have since been superseded: RFC 4301 for the architecture, RFC 4302 for AH, RFC 4303 for ESP, and RFC 7296 for IKEv2.)

• Provides a mechanism for secure data transmission over IP networks

• Ensures confidentiality, integrity, data-origin authentication and replay protection (it does not provide non-repudiation: the integrity check uses a key shared by both peers, so either peer could have produced it)

• Works at the network layer
• Many components – quite complex
• Can be used to scale from small to very large networks

Page 6: VPN presentation

IPSec Overview (cont)

• Implements two basic security protocols
  – Authentication Header (AH)
    • Provides data-origin authentication of each packet, covering the IP header as well as the payload
    • Provides integrity and anti-replay protection
    • No encryption
  – Encapsulating Security Payload (ESP)
    • Provides the same authentication and integrity as AH, but for the ESP header and payload only (the outer IP header is not covered)
    • Adds confidentiality through encryption
    • Most often used in VPN technology

Page 7: VPN presentation

IPSec Overview (cont)

• IPSec can work in one of two modes:
  – Transport mode
    • Payload of the message is protected
    • Inserts the IPSec header between the IP header and the payload
  – Tunnel mode
    • Payload and layer 3 (IP) header information are protected
    • Encapsulated in a new IP packet with a new IP header
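The two modes side by side, as an added example that is not part of the OIT slides or of any Cisco code: a Python model of the ESP packet layout using the NULL cipher (RFC 2410) so the bytes stay readable, with an HMAC-SHA-256-128 integrity check value (RFC 4868). The addresses, SPIs and the key are constructed for the example, and only the 20-byte options-free IPv4 header is modelled.

```python
"""Added example (not from the OIT slides): ESP in transport vs tunnel mode.

ESP is used with the NULL cipher (RFC 2410) so the layout stays readable, and
HMAC-SHA-256-128 (RFC 4868) supplies the integrity check value (ICV). The IPv4
header is modelled only as far as the layout needs; addresses, SPIs and the
key are constructed for this example.
"""
import hashlib
import hmac
import struct

IPPROTO_ESP = 50   # IP protocol number for ESP
IPPROTO_IPIP = 4   # ESP next-header value "an IPv4 packet follows" (tunnel mode)
ICV_LEN = 16       # HMAC-SHA-256-128: the 32-byte tag is truncated to 16 bytes

EXAMPLE_KEY = bytes(range(32))  # constructed 256-bit integrity key, NOT a real SA key


def _ip2b(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def _b2ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, proto, 0, _ip2b(src), _ip2b(dst))
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return hdr[:10] + struct.pack("!H", (~total) & 0xFFFF) + hdr[12:]


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) of an options-free IPv4 packet."""
    if len(pkt) < 20 or pkt[0] != 0x45:
        raise ValueError("not a plain IPv4 header")
    return _b2ip(pkt[12:16]), _b2ip(pkt[16:20]), pkt[9], pkt[20:]


def esp_encapsulate(key: bytes, spi: int, seq: int, next_header: int, payload: bytes) -> bytes:
    """ESP-NULL packet: SPI | seq | payload | padding | pad-len | next-header | ICV."""
    pad_len = (-(len(payload) + 2)) % 4        # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))     # RFC 4303 default padding pattern 1,2,3,...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def esp_decapsulate(key: bytes, esp: bytes):
    """Verify the ICV first, then strip the trailer; returns (spi, seq, next_header, payload)."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV check failed: packet modified in transit or wrong SA key")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[8:len(body) - 2 - pad_len]


def transport_mode(key: bytes, spi: int, seq: int, pkt: bytes) -> bytes:
    """Transport mode: original IP header kept, ESP inserted between it and the payload."""
    src, dst, proto, payload = parse_ipv4(pkt)
    esp = esp_encapsulate(key, spi, seq, proto, payload)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(key: bytes, spi: int, seq: int, pkt: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Tunnel mode: the whole original packet (IP header included) becomes the ESP
    payload, and a new outer IP header addressed between the gateways is prepended."""
    esp = esp_encapsulate(key, spi, seq, IPPROTO_IPIP, pkt)
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp


def receive(key: bytes, pkt: bytes) -> bytes:
    """Receiver side for either mode: returns the reconstructed inner IP packet."""
    src, dst, proto, esp = parse_ipv4(pkt)
    if proto != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    _spi, _seq, next_header, payload = esp_decapsulate(key, esp)
    if next_header == IPPROTO_IPIP:
        return payload                                   # tunnel mode: inner packet is complete
    return ipv4_header(src, dst, next_header, len(payload)) + payload   # transport mode


def receiver_verdict(key: bytes, pkt: bytes) -> str:
    """'accepted' if the receiver reconstructs an inner packet, 'rejected' on ICV failure."""
    try:
        receive(key, pkt)
        return "accepted"
    except ValueError:
        return "rejected"


def sample_packet() -> bytes:
    """Constructed inner packet: a 5-byte TCP (protocol 6) segment from 10.1.1.5 to 10.2.2.9."""
    data = b"hello"
    return ipv4_header("10.1.1.5", "10.2.2.9", 6, len(data)) + data


if __name__ == "__main__":
    inner = sample_packet()
    t = transport_mode(EXAMPLE_KEY, 0x1000, 1, inner)
    u = tunnel_mode(EXAMPLE_KEY, 0x1001, 1, inner, "192.0.2.1", "198.51.100.1")
    print("transport: outer src/dst/proto =", parse_ipv4(t)[:3], "len", len(t))
    print("tunnel:    outer src/dst/proto =", parse_ipv4(u)[:3], "len", len(u))
```

Run it and the difference on the slide becomes concrete: the transport-mode packet still shows the inner hosts 10.1.1.5 and 10.2.2.9 in its outer header, while the tunnel-mode packet shows only the two gateways and is 20 bytes longer because the whole inner header travels inside ESP. Flipping any byte of either packet makes `receive` fail the ICV check before anything is parsed, which is why the integrity check runs first.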

Page 8: VPN presentation

IPSec Overview (cont)

• Implements Internet Key Exchange (IKE) for automatic encryption key generation and exchange between peers

• Security Associations (SA)
  – Negotiated policy for handling data
  – Contains authentication and encryption keys, algorithms, key lifetime, and the peer address
  – One SA per direction of each communication channel (SAs are unidirectional)
  – The Security Parameter Index (SPI), carried in every AH/ESP header, tells the receiver which SA applies (together with the destination address and the protocol, AH or ESP)

Page 9: VPN presentation

IPSec Overview (cont)

Step 1 – IPSec process initiated: traffic that the IPSec security policy says must be encrypted starts the IKE process

Step 2 – IKE Phase 1: IKE authenticates the IPSec peers and negotiates the IKE SAs

Step 3 – IKE Phase 2: IKE negotiates the IPSec SA parameters and sets up matching IPSec SAs in the peers

Step 4 – Data transfer: the tunnel is built and data is transferred securely

Step 5 – IPSec tunnel termination: SAs are terminated through deletion or by timing out

Diagram (Client and Server columns): Step 1 – traffic to server; Step 2 – IKE Phase 1; Step 3 – IKE Phase 2; Step 4 – IPSec tunnel
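What steps 3 to 5 leave behind in each peer, as an added example that is not from the OIT slides and not the code of any IPsec stack: a miniature Security Association Database in Python. It shows the per-direction SAs IKE phase 2 installs, the receiver finding the inbound SA from the SPI, the RFC 4303 anti-replay window, and the SA being torn down when its time or byte lifetime runs out. SPIs, addresses, keys, lifetimes and the clock values are constructed for the example.

```python
"""Added example (not from the OIT slides): a miniature Security Association
Database (SAD). Step 3 installs one SA per direction; step 4 finds the inbound
SA from the (SPI, destination, protocol) triple and runs the RFC 4303
anti-replay window; step 5 tears the SA down when its lifetime is exhausted.
SPIs, addresses, keys and lifetimes are constructed; the clock is passed in.
"""
from dataclasses import dataclass

REPLAY_WINDOW = 64      # bits; RFC 4303 requires at least 32, 64 is the usual default
SEQ_MAX = 0xFFFFFFFF    # 32-bit ESP sequence number; rekey before it would wrap


@dataclass
class SecurityAssociation:
    spi: int
    dst: str                 # with the SPI and protocol this identifies the SA
    protocol: str            # "ESP" or "AH"
    cipher: str
    integrity: str
    key: bytes
    created: float
    lifetime_seconds: float
    lifetime_bytes: int
    bytes_processed: int = 0
    seq_out: int = 0         # last sequence number sent (outbound SA)
    highest_seq: int = 0     # right edge of the replay window (inbound SA)
    window: int = 0          # bit k set means highest_seq - k was already received

    def expired(self, now: float) -> bool:
        return (now - self.created >= self.lifetime_seconds
                or self.bytes_processed >= self.lifetime_bytes)

    def check_replay(self, seq: int) -> bool:
        """Sliding window of RFC 4303 Appendix A; records seq when it is new.
        A real stack updates the window only after the ICV has verified."""
        if seq == 0:
            return False                               # 0 is never a valid sequence number
        if seq > self.highest_seq:                     # newer than anything seen: slide right
            shift = seq - self.highest_seq
            self.window = ((self.window << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.highest_seq = seq
            return True
        behind = self.highest_seq - seq
        if behind >= REPLAY_WINDOW:
            return False                               # left of the window: too old
        if self.window & (1 << behind):
            return False                               # inside the window, already seen
        self.window |= 1 << behind
        return True


class SADatabase:
    """SAs are unidirectional and keyed by the RFC 2401 triple (SPI, dst, protocol)."""

    def __init__(self):
        self._sas = {}

    def install_pair(self, local, remote, spi_in, spi_out, cipher, integrity,
                     key_in, key_out, now, lifetime_seconds, lifetime_bytes):
        """What IKE phase 2 (step 3) leaves in a peer: one inbound and one outbound SA."""
        inbound = SecurityAssociation(spi_in, local, "ESP", cipher, integrity, key_in,
                                      now, lifetime_seconds, lifetime_bytes)
        outbound = SecurityAssociation(spi_out, remote, "ESP", cipher, integrity, key_out,
                                       now, lifetime_seconds, lifetime_bytes)
        for sa in (inbound, outbound):
            self._sas[(sa.spi, sa.dst, sa.protocol)] = sa
        return inbound, outbound

    def lookup(self, spi, dst, protocol="ESP"):
        return self._sas.get((spi, dst, protocol))

    def delete(self, sa):
        """Step 5, explicit form: e.g. the peer sent an IKE delete notification."""
        self._sas.pop((sa.spi, sa.dst, sa.protocol), None)

    def process_inbound(self, spi, dst, seq, length, now) -> str:
        """Receiver-side checks for one ESP packet, in the order a stack applies them."""
        sa = self.lookup(spi, dst)
        if sa is None:
            return "no-sa"            # unknown SPI: drop (and audit)
        if sa.expired(now):
            self.delete(sa)           # step 5, timeout form: SA torn down
            return "expired"
        if not sa.check_replay(seq):
            return "replay"
        sa.bytes_processed += length  # (the ICV check, omitted here, would precede this)
        return "accept"

    def next_outbound_seq(self, sa, length) -> int:
        """Sender side: strictly increasing sequence number; never let it wrap."""
        if sa.seq_out >= SEQ_MAX - 1:
            raise RuntimeError("sequence number exhausted: negotiate a new SA")
        sa.seq_out += 1
        sa.bytes_processed += length
        return sa.seq_out


if __name__ == "__main__":
    sad = SADatabase()
    sad.install_pair("198.51.100.1", "192.0.2.1", 0x1000, 0x2000, "3DES-CBC",
                     "HMAC-SHA1-96", b"k" * 24, b"j" * 20, 1000.0, 3600, 10_000)
    for seq, now in ((1, 1001.0), (2, 1001.0), (2, 1001.0), (100, 1002.0), (30, 1002.0), (101, 4700.0)):
        print(seq, now, sad.process_inbound(0x1000, "198.51.100.1", seq, 100, now))
```

The replay window is the piece people tend to forget the slide implies: a captured ESP packet re-sent later is dropped either because its sequence number bit is already set or because it has fallen more than 64 behind the newest packet, and the sender must never reuse a sequence number on the same SA, which is why sequence-number exhaustion forces a rekey rather than a wrap.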

Page 10: VPN presentation

SSL Overview

• Secure Sockets Layer
• Protects a communication channel
• Uses public key encryption
• Works at the transport layer/session layer
• Provides
  – Data encryption
  – Server authentication
  – Message integrity
  – Optional client authentication

Page 11: VPN presentation

SSL Overview (cont)

Step 1 – Client requests secure information

Step 2 – Server requests a secure session

Step 3 – Client sends its security parameters

Step 4 – Server sends its digital certificate (the client must validate it against a trusted CA and the expected name; otherwise the "server authentication" on the previous slide is not achieved)

Step 5 – Client generates the session key and encrypts it with the server's public key

Step 6 – The symmetric key is used to encrypt the data

Diagram: the six steps exchanged between Client and Server columns
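Steps 5 and 6 carried through in code, as an added example that is not part of the OIT slides or of any SSL library: the client-generated 48-byte pre-master secret is stretched by both ends into the master secret and then into the symmetric write keys, using the TLS 1.2 PRF from RFC 5246 (the current form of the SSL key derivation the slide describes). The RSA encryption of the pre-master secret under the server certificate's key is not implemented; handing it to the server directly is an assumption of this example, as are the injectable randoms and the key sizes chosen.

```python
"""Added example (not from the OIT slides): the session-key half of the SSL/TLS
handshake (steps 5 and 6) with the TLS 1.2 PRF of RFC 5246 section 5.
The client makes a 48-byte pre-master secret (2 version bytes + 46 random
bytes); both ends stretch it with the two hello randoms into the master secret,
then into the symmetric write keys, then into the Finished values that prove
both ends derived the same keys. The RSA encryption of the pre-master secret
under the server certificate's public key is NOT implemented: the pre-master is
handed to the server in the clear, an assumption of this example only.
"""
import hashlib
import hmac
import os

MAC_LEN, KEY_LEN, IV_LEN = 32, 16, 16   # e.g. AES-128-CBC with HMAC-SHA256 (RFC 5246 6.3)


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 expansion: HMAC(secret, A(i) + seed) with A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)


def derive_keys(pre_master: bytes, client_random: bytes, server_random: bytes):
    """Master secret (48 bytes) and the key block split into the six write values."""
    master = prf(pre_master, b"master secret", client_random + server_random, 48)
    block = prf(master, b"key expansion", server_random + client_random,
                2 * (MAC_LEN + KEY_LEN + IV_LEN))      # note: server random first here
    names = ("client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv")
    sizes = (MAC_LEN, MAC_LEN, KEY_LEN, KEY_LEN, IV_LEN, IV_LEN)
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return master, keys


class Peer:
    """One side of the handshake; keeps its own transcript so Finished can be checked."""

    def __init__(self, role: str, rand: bytes = None):
        self.role = role
        self.random = rand if rand is not None else os.urandom(32)
        self.transcript = b""
        self.master = self.keys = None

    def record(self, msg: bytes) -> bytes:
        self.transcript += msg
        return msg

    def finished(self) -> bytes:
        """verify_data = PRF(master, "<role> finished", SHA256(transcript))[:12]."""
        label = b"client finished" if self.role == "client" else b"server finished"
        return prf(self.master, label, hashlib.sha256(self.transcript).digest(), 12)

    def expect_finished(self, other_role: str, verify_data: bytes) -> bool:
        """True only if the other side holds the same master secret and saw the same transcript."""
        label = b"client finished" if other_role == "client" else b"server finished"
        expected = prf(self.master, label, hashlib.sha256(self.transcript).digest(), 12)
        return hmac.compare_digest(expected, verify_data)


def handshake(client_random=None, server_random=None, pre_master_random=None):
    """Run the slide's exchange between two Peer objects and return both of them."""
    client, server = Peer("client", client_random), Peer("server", server_random)
    # Steps 1-3: the hellos carry the 32-byte randoms (cipher suites omitted here).
    server.record(client.record(b"ClientHello" + client.random))
    client.record(server.record(b"ServerHello" + server.random))
    # Step 4: certificate (stand-in bytes; real code validates chain and hostname here).
    client.record(server.record(b"Certificate<server public key>"))
    # Step 5: client generates the pre-master secret. In TLS it is RSA-encrypted to the
    # server's public key; this example hands it over directly (assumption, see above).
    pre_master = b"\x03\x03" + (pre_master_random or os.urandom(46))
    server.record(client.record(b"ClientKeyExchange"))
    # Step 6: both sides derive the same symmetric keys independently.
    client.master, client.keys = derive_keys(pre_master, client.random, server.random)
    server.master, server.keys = derive_keys(pre_master, client.random, server.random)
    return client, server
```

Two practitioner points fall out of running it. Each direction gets its own key and MAC key, so a message from the server cannot be replayed back to it as if it came from the client. And because the session keys depend only on the pre-master secret plus the two randoms, anyone who later obtains the server's RSA private key can decrypt a recorded session of this RSA-key-transport handshake; that lack of forward secrecy is why ephemeral Diffie-Hellman key exchange has since replaced it.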

Page 12: VPN presentation

Why Use a VPN Connection?

• Security – different types of threats continue to increase

• It's available and supported

• You can connect from anywhere and be assured of a secure communication channel back to Campus

• It's supported across multiple platforms

• Extends the Campus network to remote users

Page 13: VPN presentation

Connection Without VPN

Vulnerable to several security threat agents
• Loss of privacy – packet sniffers, clear text
• Loss of data integrity – modified transactions
• Identity spoofing – impersonation
• Difficult to secure

Diagram: End User – Internet – CBN – Campus FW – Campus Resource, with traffic in the clear along the whole path

Page 14: VPN presentation

Secure with VPN

Protected secure communication channel

• Encrypted data prevents eavesdropping on and tampering with traffic in transit

• Provides authentication

• Can connect from anywhere

• Easier to secure at the resource side

Diagram: VPN Client – IPSec Tunnel across the Internet and CBN – VPN Concentrator – Campus

Page 15: VPN presentation

What VPN Services Does OIT Offer?

• Network Operations & Services manages the Cisco 3030 Concentrator
  – Supports 1500 simultaneous tunnels
  – Uses 3DES with a 168-bit key (112-bit effective strength) for symmetric encryption on IPSec tunnels
  – Clientless WebVPN over SSL
  – Authentication is performed by the Campus RADIUS service
  – 100Mbps uplink

Page 16: VPN presentation

What VPN Services Does OIT Offer?

• Technical Support provides services for client-related issues
  – VPN client operates on Windows, MacOS, Linux, and Solaris
  – End users can install the client by visiting http://www.netcom.utah.edu/computer/vpn/individual.html
  – PCF profile file for group authentication (it holds the group name and the group credential, so treat the file as a secret)
  – Installs a driver for the VPN IP stack
  – This virtual interface is what the world sees

Page 17: VPN presentation

What VPN Services Does OIT Offer?

• Free service for all faculty, staff, and students
• User will receive a global IP address from a pool
• Departments have the option of static IP addresses for their users: http://www.netcom.utah.edu/computer/vpn/dept.html
  – RADIUS server determines IP address assignments
  – Gives departments the ability to secure resources based on IP address
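An added illustration of the two halves of that arrangement, not the OIT configuration (the slides do not show it): a static assignment on the RADIUS side in FreeRADIUS `users` file syntax, and the matching host firewall rule on a departmental resource. FreeRADIUS, the username, the service port and the 192.0.2.0/24 addresses are assumptions of this example; `Framed-IP-Address` itself is the standard RADIUS attribute 8 from RFC 2865.

```text
# --- RADIUS side (assumed FreeRADIUS "users" file; user and addresses are examples) ---
# When the concentrator authenticates 'jdoe' it receives these reply attributes and
# assigns the fixed address instead of drawing one from the dynamic pool.
jdoe    Cleartext-Password := "change-me"
        Framed-IP-Address = 192.0.2.10,
        Framed-IP-Netmask = 255.255.255.255

# --- Resource side (assumed Linux host running the departmental service on tcp/22) ---
# Only the address the concentrator hands to jdoe reaches the service; everyone else,
# including other VPN users on the dynamic pool, is dropped.
iptables -A INPUT -p tcp --dport 22 -s 192.0.2.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
```

The firewall rule trusts a source address, so it is only as strong as the concentrator's guarantee that a tunnel can send traffic solely from the address it was assigned; the resource still needs its own authentication, and the address filter is a second gate, not a replacement for one.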

Page 18: VPN presentation

VPN Demonstration

Pages 19–31: VPN presentation

VPN Demonstration (cont) – image-only slides with no text

Page 32: VPN presentation

Conclusion

• VPN provides a secure channel across an insecure public network

• Utilizes standardized protocols

• Supported technology

• Extends the Campus network to the remote user

• Easier to secure resources

• Free for all faculty, staff, and students