VPNs: IETF Developing IPsec Security Standards
• IP security
• At the internet layer
• Protects all messages at the transport and application layers
(Figure: layer stack with IPsec beneath TCP and UDP, which in turn sit beneath E-Mail, WWW, Database, etc.)
VPNs: IPsec Transport Mode
• End-to-end security for hosts
(Figure: Local Network, Internet, Local Network; the secure communication runs end-to-end between the two hosts)
VPNs: IPsec Tunnel Mode
• IPsec server at each site
• Secure communication between sites
(Figure: Local Network, Internet, Local Network; the secure communication runs between the IPsec Server at each site)
VPNs: IPsec Modes Can Be Combined
• End-to-end transport mode connection
• Within a site-to-site tunnel connection
(Figure: Local Network, Internet, Local Network; the transport mode connection between the hosts is carried inside the tunnel mode connection between the sites)
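As an added illustration that is not part of the slides, the Go model below shows what the three IPsec arrangements above change about a packet: transport mode protects only the payload and leaves the host addresses readable on the Internet, tunnel mode wraps the whole packet (header included) in a new header addressed between the two sites' IPsec servers, and the receiving IPsec server unwraps it, so a transport-mode packet can travel inside the tunnel. The Packet type, the `esp` AES-GCM stand-in for ESP and the addresses are constructed for the example; real ESP headers, SPIs and key negotiation are not modelled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type Packet struct{ Src, Dst string; Payload []byte } // Src/Dst: readable by an Internet observer

// esp stands in for ESP's cipher: AES-GCM under a 16-byte key (toy model, not real IPsec).
func esp(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// seal encrypts and authenticates data, prefixing a random 12-byte nonce.
func seal(key, data []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return esp(key).Seal(nonce, nonce, data, nil)
}

// TransportMode keeps the host header visible; only the payload is protected.
func TransportMode(key []byte, p Packet) Packet {
	return Packet{p.Src, p.Dst, seal(key, p.Payload)}
}

// TunnelMode hides the whole inner packet behind a header between the two sites' IPsec servers.
func TunnelMode(key []byte, gwA, gwB string, p Packet) Packet {
	inner := append([]byte(p.Src+">"+p.Dst+"|"), p.Payload...)
	return Packet{gwA, gwB, seal(key, inner)}
}

// Unwrap is the receiving IPsec server's step; truncated or tampered data is rejected.
func Unwrap(key []byte, outer Packet) (Packet, error) {
	if len(outer.Payload) < 12 {
		return Packet{}, errors.New("ciphertext too short")
	}
	inner, err := esp(key).Open(nil, outer.Payload[:12], outer.Payload[12:], nil)
	if err != nil {
		return Packet{}, err
	}
	hdr, body, _ := bytes.Cut(inner, []byte("|"))
	src, dst, _ := bytes.Cut(hdr, []byte(">"))
	return Packet{string(src), string(dst), body}, nil
}
```

The destination host, holding the host key, decrypts the transport-mode payload it receives from the site's IPsec server with `esp(hostKey).Open`, the reverse of `seal`.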
VPNs: Another Security System for VPNs is the Point-to-Point Tunneling Protocol (PPTP)
• For dial-up connections, based on PPP
• Connects the user securely to a remote access server at a site
(Figure: Dial-Up Connection from the user into the Internet, PPTP Connection through to the Remote Access Server on the Local Network)
PKIs: To use public key methods, an organization must establish a comprehensive Public Key Infrastructure (PKI)
• A PKI automates most aspects of using public key encryption and authentication
• Uses a PKI Server
(Figure: PKI Server)
PKIs: PKI Server Creates Public Key-Private Key Pairs
• Distributes private keys to applicants securely
• Often, private keys are embedded in delivered software
(Figure: PKI Server delivering a Private Key)
PKIs: PKI Server Provides CRL Checks
• Distributes digital certificates to verifiers
• Checks the certificate revocation list before sending digital certificates
• The parties can then communicate securely using a symmetric session key and message-by-message authentication
SSL Integrated Security System
SSL
• Secure Sockets Layer
• Developed by Netscape
TLS (now)
• Netscape gave IETF control over SSL
• IETF renamed it TLS (Transport Layer Security)
• Usually still called SSL
Location of SSL
Below the Application Layer
• IETF views it at the transport layer
• Protects all application exchanges
• Not limited to any single application: WWW transactions, e-mail, etc.
(Figure: SSL beneath E-Mail and WWW)
SSL Operation
Browser & Webserver Software Implement SSL
• User can be unaware
SSL Operation: SSL ISS Process
• Two sides negotiate security parameters
• Browser may authenticate itself but rarely does
• Browser selects a symmetric session key and sends it to the webserver
• Adds a digital signature and encrypts all messages with the symmetric key
Importance of SSL
Supported by Almost All Browsers
• De facto standard for Internet applications
• Authenticate the partners
• Exchange a session key
• Communicate with message-by-message privacy, authentication, and message integrity