VPN Solutions for Campus
Agenda
• What is a VPN?
  – Different technologies
  – Tunnel (IPSec)
  – WebVPN (SSL)
• Why use VPN services?
  – Secure channel back to Campus
  – User benefits
• What VPN services does OIT provide?
  – Supported technologies and platforms
What is a VPN?
• Virtual Private Network
  – Secure, private connection through a public network
  – Encryption and tunneling protocols
  – Requires sending and receiving ends
  – Gives users the ability to access private network resources
  – Many different types
What is a VPN? (cont)
• Common VPN protocols
  – Point-to-Point Tunneling Protocol (PPTP)
    • Designed for client/server connectivity
    • Point-to-point connection between two computers
    • Layer 2, on IP-only networks
  – Layer 2 Tunneling Protocol (L2TP)
    • Combines the functionality of PPTP and L2F
    • Works over multiple protocols, not just IP
  – Internet Protocol Security (IPSec)
  – Secure Sockets Layer (SSL)
IPSec Overview
• Industry-standard protocol (IETF)
  – RFC 2401 “Security Architecture for the Internet Protocol”
  – RFC 2402 “IP Authentication Header”
  – RFC 2406 “IP Encapsulating Security Payload”
  – RFC 2409 “The Internet Key Exchange”
• Provides a mechanism for secure data transmission over IP networks
• Ensures confidentiality, integrity, authenticity, and non-repudiation of data
• Works at the network layer
• Many components – quite complex
• Can scale from small to very large networks
IPSec Overview (cont)
• Implements two basic security protocols
  – Authentication Header (AH)
    • Provides authentication of the session
    • Provides integrity
  – Encapsulating Security Payload (ESP)
    • Provides the same security as AH
    • Adds confidentiality through encryption
    • Most often used in VPN technology
IPSec Overview (cont)
• IPSec can work in one of two modes:
  – Transport mode
    • Payload of the message is protected
    • Inserts the IPSec header behind the IP header
  – Tunnel mode
    • Payload and layer 3 header information are protected
    • Encapsulated in a new IP packet with a new IP header
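The two modes above, as an added Python example (not from the OIT slides): it builds the on-the-wire layout ESP produces in each mode so the difference between what is protected and what stays visible can be checked. The IP addresses are constructed documentation addresses, and encryption itself is omitted, so the protected region is shown as the plaintext it would cover.

```python
import ipaddress
import struct

ESP_PROTO = 50      # IP protocol number for ESP (RFC 2406)
IPIP_PROTO = 4      # "next header" value for an encapsulated IPv4 packet


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options; checksum left as zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def esp_header(spi, seq):
    """ESP header: 32-bit SPI (selects the SA) and 32-bit sequence number."""
    return struct.pack("!II", spi, seq)


def esp_trailer(protected_len, next_header):
    """ESP trailer: self-describing padding to a 4-byte boundary, then the
    Pad Length and Next Header bytes; the trailer is encrypted with the data."""
    pad_len = (-(protected_len + 2)) % 4
    return bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])


def transport_mode(src, dst, spi, seq, inner_proto, payload):
    """Transport mode: ESP header sits behind the original IP header; only
    the payload (plus trailer) lies in the protected region."""
    protected = payload + esp_trailer(len(payload), inner_proto)
    outer = ipv4_header(src, dst, ESP_PROTO, 8 + len(protected))
    return outer + esp_header(spi, seq) + protected, protected


def tunnel_mode(gw_src, gw_dst, src, dst, spi, seq, inner_proto, payload):
    """Tunnel mode: the whole original packet (layer 3 header included) lies
    in the protected region and a new IP header between the gateways is added."""
    inner = ipv4_header(src, dst, inner_proto, len(payload)) + payload
    protected = inner + esp_trailer(len(inner), IPIP_PROTO)
    outer = ipv4_header(gw_src, gw_dst, ESP_PROTO, 8 + len(protected))
    return outer + esp_header(spi, seq) + protected, protected


def visible_addresses(packet):
    """What an on-path observer reads from the outer, unencrypted IP header."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))
```

In transport mode the real endpoints remain readable on the wire; in tunnel mode only the client and the VPN gateway addresses do, which is why the campus tunnel uses tunnel mode.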
IPSec Overview (cont)
• Implements Internet Key Exchange (IKE) for automatic encryption key generation and exchange between peers
• Security Associations (SA)
  – Negotiated policy for handling data
  – Contains authentication and encryption keys, algorithms, key lifetime, and source IP address
  – One SA for each communication channel
  – The Security Parameter Index (SPI) identifies which SA a packet belongs to
IPSec Overview (cont)
Step 1 IPSec process initiated – Traffic to be encrypted, as specified by the IPSec security policy, starts the IKE process
Step 2 IKE Phase 1 – IKE authenticates the IPSec peers and negotiates IKE SAs
Step 3 IKE Phase 2 – IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in the peers
Step 4 Data transfer – Tunnel is built and data is transferred securely
Step 5 IPSec tunnel termination – SAs are terminated through deletion or by timing out
[Diagram: Client and Server; Step 1 – Traffic to Server, Step 2 – IKE Phase 1, Step 3 – IKE Phase 2, Step 4 – IPSec Tunnel]
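The SA description on the previous slide and Steps 3 to 5 above, as an added Python example (not from the OIT slides or the Cisco concentrator): a minimal inbound SA database that records keys, algorithm, lifetime and peer address per SA, selects the SA by SPI for each incoming packet, and tears the SA down either by explicit deletion or when its lifetime runs out. Key material is random bytes standing in for what IKE would derive; the peer addresses and times used by callers are constructed.

```python
from dataclasses import dataclass, field
import os
import time

@dataclass
class SecurityAssociation:
    spi: int            # Security Parameter Index carried in every ESP header
    peer_ip: str        # source IP of the peer this SA was negotiated with
    cipher: str         # e.g. "3des-cbc" (the concentrator's 168-bit 3DES)
    enc_key: bytes      # encryption key agreed in IKE Phase 2
    auth_key: bytes     # authentication (integrity) key
    lifetime_s: int     # negotiated key lifetime in seconds
    created: float = field(default_factory=time.time)

    def expired(self, now=None):
        now = time.time() if now is None else now
        return now - self.created >= self.lifetime_s


class SADatabase:
    """Inbound SAs indexed by SPI; one SA per protected channel (direction)."""

    def __init__(self):
        self._by_spi = {}

    def negotiate(self, peer_ip, cipher, key_len, lifetime_s, now=None):
        """Stand-in for IKE Phase 2 (Step 3): pick an unused SPI, install fresh keys (random here)."""
        while True:
            spi = int.from_bytes(os.urandom(4), "big")
            if spi >= 256 and spi not in self._by_spi:   # SPIs 0-255 are reserved
                break
        sa = SecurityAssociation(spi, peer_ip, cipher, os.urandom(key_len),
                                 os.urandom(20), lifetime_s,
                                 created=time.time() if now is None else now)
        self._by_spi[spi] = sa
        return sa

    def lookup(self, spi, peer_ip, now=None):
        """Select the SA for an inbound ESP packet (Step 4); purge it if its lifetime is up (Step 5)."""
        sa = self._by_spi.get(spi)
        if sa is None or sa.peer_ip != peer_ip:
            return None     # unknown SPI, or SPI presented by a different peer
        if sa.expired(now):
            del self._by_spi[spi]
            return None
        return sa

    def delete(self, spi):
        return self._by_spi.pop(spi, None) is not None   # Step 5, explicit deletion
```

A packet arriving with an SPI that no longer maps to a live SA is simply dropped; the sender must go back through IKE rather than keep using stale keys.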
SSL Overview
• Secure Sockets Layer
• Protects a communication channel
• Uses public key encryption
• Works at the transport layer/session layer
• Provides
  – Data encryption
  – Server authentication
  – Message integrity
  – Optional client authentication
SSL Overview (cont)
Step 1 Client Requests Secure Information
Step 2 Server Requests Secure Session
Step 3 Client Sends Security Parameters
Step 4 Server Sends Digital Certificate
Step 5 Client Generates Session Key Encrypted with Server’s Public Key
Step 6 Symmetric Key is Used to Encrypt the Data
[Diagram: Client and Server exchanging the steps above]
Why Use a VPN Connection?
• Security: different types of threats continue to increase
• It’s available and supported
• You can connect from anywhere and be assured of a secure communication channel back to Campus
• It’s supported across multiple platforms
• Extends the Campus network to remote users
Connection Without VPN
Vulnerable to several security threat agents
• Loss of privacy – packet sniffers, clear text
• Loss of data integrity – modified transactions
• Identity spoofing – impersonations
• Difficult to secure
[Diagram: End User – Internet – Campus FW – CBN – Campus Resource]
Secure with VPN
Protected, secure communication channel
• Encrypted data prevents the sniffing and tampering exploits listed above
• Provides authentication
• Can connect from anywhere
• Easier to secure at the resource side
[Diagram: VPN Client – Internet – VPN Concentrator – CBN, with an IPSec Tunnel between the VPN Client and the VPN Concentrator]
What VPN Services Does OIT Offer?
• Network Operations & Services manages the Cisco 3030 Concentrator
  – Supports 1500 simultaneous tunnels
  – Uses 3DES with 168 bit key size for symmetric encryption on IPSec tunnels
  – Clientless WebVPN over SSL
  – Authentication is performed by the Campus RADIUS service
  – 100Mbps uplink
What VPN Services Does OIT Offer? (cont)
• Technical Support provides services for client related issues
  – VPN client operates on Windows, MacOS, Linux, and Solaris
  – End user can install the client by visiting http://www.netcom.utah.edu/computer/vpn/individual.html
  – PCF file for group authentication
  – Installs a driver for the VPN IP stack
  – This virtual interface is what the world sees
What VPN Services Does OIT Offer? (cont)
• Free service for all faculty, staff, and students
• User will receive a global IP address from a pool
• Departments have the option of static IP addresses for their users: http://www.netcom.utah.edu/computer/vpn/dept.html
  – RADIUS server determines IP address assignments
  – Gives departments the ability to secure resources based on IP address
VPN Demonstration
Conclusion
• VPN is a secure alternative to an insecure public network
• Utilizes standardized protocols
• Supported technology
• Extends the Campus network to the remote user
• Easier to secure resources
• Free for all faculty, staff, and students