SCSC 455 Computer Security Virtual Private Network (VPN)

Post on 18-Dec-2015


Transcript of SCSC 455 Computer Security Virtual Private Network (VPN)

SCSC 455 Computer Security

Virtual Private Network (VPN)

How to connect LANs
- There are common demands for joining two or more LANs:
  - to facilitate corporate communications
  - secure point-to-point communications
  - the connection can only be used by authenticated LANs / hosts
- One solution (the traditional one) is to use private leased lines
  - Problems: they don't scale well, the cost is high, and maintaining the leased lines is complex
- Another solution: virtual private networks (VPNs)

Goal of VPNs
- Provide a cost-effective and secure way to connect businesses to one another and remote workers to office networks

Functionalities of VPNs
- Encapsulate and encrypt data being transmitted
- Use authentication to ensure that only approved users can access the VPN
- Provide a means of secure point-to-point communications over the public Internet

Index

VPN components and operations

Types of VPNs

VPN setups

Tunneling protocols used with VPNs

Enabling secure remote access connections within VPNs

VPNs best practices

Components within VPNs
- VPNs consist of two different types of components:
  - Hardware devices
    - two endpoints (terminators), which perform encryption, authentication, and encapsulation
    - a (virtual) tunnel: a series of connections between the two endpoints that makes use of Internet-based hosts/servers
  - Software that performs security-related activities

Essential Activities of VPNs
- Three essential activities of VPNs:
  - IP encapsulation
  - Data payload encryption
  - Encrypted authentication

IP Encapsulation
- A VPN encapsulates the actual data packets within packets that use the source and destination addresses of the VPN gateways
- The benefits of encapsulating IP packets:
  - Source and destination information of the actual data packets is completely hidden
  - Source and destination IP addresses of the actual data packets can be in private reserved blocks, which are not usually routable over the Internet

Data Payload Encryption
- VPNs do NOT encrypt the header within packets, only the data payload that the packets carry.
- The encryption can be performed in one of two ways:
  - Transport method: the host encrypts traffic when it is generated
  - Tunnel method: the traffic is encrypted and decrypted in transit, somewhere between the source host and the destination

Encrypted Authentication
- Authentication is essential: hosts in the network that receive VPN communication need to know that the host originating the communication is an approved user of the VPN
- Hosts are authenticated by exchanging long blocks of code: keys
- Types of keys that can be exchanged in an encrypted transaction:
  - Symmetric keys
  - Asymmetric keys


Types of VPNs
- Two types of VPNs:
  - Site-to-site VPN: links two or more networks
  - Client-to-site VPN: makes a network accessible to remote users who need dial-in access
- These two types of VPNs are NOT mutually exclusive, e.g., a large corporation's network may support both a site-to-site VPN and a client-to-site VPN

Advantage of Using Hardware Systems

Software VPN Systems
- Software VPNs are generally less expensive than hardware systems
- They tend to scale better for fast-growing networks
- Examples:
  - F-Secure VPN+
  - Novell BorderManager VPN services
  - Check Point FireWall-1


Tunneling Protocols Used with VPNs
- In the past, firewalls that supported VPNs used proprietary protocols
  - Both endpoints had to use the same brand of firewall
- Today the proprietary protocols are used less often; most VPNs use standard tunneling protocols:
  - IPSec/IKE
  - PPTP (Point-to-Point Tunneling Protocol)
  - L2TP (Layer 2 Tunneling Protocol)
  - PPP over SSL (Point-to-Point Protocol over Secure Sockets Layer)
  - PPP over SSH (Point-to-Point Protocol over Secure Shell)

IPSec/IKE
- IPSec provides:
  - Encryption of the data part of packets
  - Authentication
  - Encapsulation between two VPN hosts
  - Two security methods (AH and ESP)
    - Authentication Header (AH) is used to authenticate packets
    - Encapsulating Security Payload (ESP) encrypts the data portions of the packet
- IPSec is commonly combined with IKE as a means of using public key cryptography to encrypt data
- IKE provides:
  - Exchange of public keys
  - The ability to determine which encryption protocols should be used to encrypt the data that flows through the VPN tunnel
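As an added illustration (not part of the lecture slides) of the IP Encapsulation, Data Payload Encryption and IPSec ESP slides above, a toy Python model of an ESP-protected packet in transport mode versus tunnel mode. The 20-byte IPv4 header layout and the ESP protocol number 50 are real; the SPI, key, addresses and the SHA-256 XOR keystream standing in for ESP's cipher are constructed for the demo. It shows that in tunnel mode the inner packet, private addresses included, is hidden behind an outer header that carries only the gateway addresses, while transport mode leaves the original host addresses visible on the wire.

```python
import hashlib
import hmac
import struct

ESP_PROTO = 50  # IANA protocol number for Encapsulating Security Payload

def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (header checksum left at zero for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ip_bytes(src), ip_bytes(dst))

def visible_addresses(packet: bytes) -> tuple:
    """What an observer on the public path can read from the outermost IP header."""
    proto, src, dst = struct.unpack("!B2x4s4s", packet[9:20])
    return (".".join(map(str, src)), ".".join(map(str, dst)), proto)

def toy_xor_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for the ESP cipher (real ESP uses e.g. AES): SHA-256 counter keystream."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def esp_protect(key: bytes, plaintext: bytes) -> bytes:
    """ESP-shaped body: SPI + sequence number, encrypted data, then an integrity tag."""
    body = struct.pack("!II", 0x1001, 1) + toy_xor_cipher(key, plaintext)  # SPI is made up
    return body + hmac.new(key, body, hashlib.sha256).digest()

def esp_unprotect(key: bytes, body: bytes) -> bytes:
    """Check the integrity tag before decrypting; anything altered in transit is rejected."""
    data, tag = body[:-32], body[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, data, hashlib.sha256).digest()):
        raise ValueError("ESP integrity check failed")
    return toy_xor_cipher(key, data[8:])

def transport_mode(key: bytes, inner: bytes) -> bytes:
    """Transport method: the host protects its own payload; its IP header stays on the wire."""
    src, dst, _ = visible_addresses(inner)
    body = esp_protect(key, inner[20:])
    return ipv4_header(src, dst, ESP_PROTO, len(body)) + body

def tunnel_mode(key: bytes, inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel method: the gateway protects the whole inner packet behind a new outer header."""
    body = esp_protect(key, inner)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(body)) + body

INNER_PACKET = ipv4_header("10.0.0.5", "10.0.1.7", 6, 8) + b"HELLOVPN"  # constructed TCP packet
KEY = b"demo-key-not-for-real-use"  # constructed; a real SA key would come from IKE
```

The receiving gateway recovers the original packet with `esp_unprotect(KEY, outer[20:])`; a single flipped byte anywhere in the ESP body fails the integrity check before any decryption happens.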

Other tunneling protocols: PPTP
- PPTP was developed by Microsoft for granting VPN access to remote users over dial-up connections
- Uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data
- Useful if support for older clients is needed
- Compatible with Network Address Translation (NAT)
- Replaced by L2TP

Other tunneling protocols: L2TP
- L2TP is an extension of the Point-to-Point Protocol (PPP) that enables dial-up users to establish a VPN connection to a remote access server
- Uses IPSec rather than MPPE to encrypt data, which provides a higher level of encryption and authentication
- Incompatible with NAT

Other tunneling protocols: PPP over SSL and PPP over SSH
- PPP over SSL and PPP over SSH are two UNIX-based methods for creating VPNs
- Both combine an existing tunnel system (PPP) with a way of encrypting data in transport (SSL or SSH)
  - SSL: a public key encryption system used to provide secure communications over the Web
  - SSH: the UNIX secure shell, which performs secure authenticated logons and encrypted communications between a client and a server

When to Use Different Tunneling Protocols (important!)