Post on 20-Mar-2016
description
Virtual Private NetworkVirtual Private Network
Chapter 4Chapter 4
Lecturer : Trần Thị Ngọc Hoa 2
ObjectivesObjectives
VPN Overview Tunneling Protocol Deployment models Lab Demo
Lecturer : Trần Thị Ngọc Hoa 3
Overview of VPNOverview of VPN
VPN ConceptVPN Concept
Virtual Private Networks are logical network that allows users to securely connect through the internet to a remote private network
VPN Deployment ScenariosVPN Deployment Scenarios
Remote Access VPN
VPN Deployment ScenariosVPN Deployment Scenarios
Extranet VPN ( Site to Site, Router to Router )
VPN Deployment ScenariosVPN Deployment Scenarios
Mixed VPN with Firewall
Lecturer : Trần Thị Ngọc Hoa 8
Tunneling Tunneling
Tunneling is a process of encapsulating a payload protocol into another protocol
Provide a secure path through an untrusted network or an incompatible network.
Lecturer : Trần Thị Ngọc Hoa 9
Tunneling ProtocolTunneling Protocol GRE
Generic Routing Encapsulation Cisco Proprietry Tunneling Protocol
PPTP ( with/without MPPE ) Point to Point Tunneling Protocol Microsoft proprietry tunneling protocol
L2TP ( with/without IPSec ) Layer 2 Tunneling Protocol Created by Cisco and Microsoft
IP SecurityIP Security
IP Security Overview Algorithms IPSec Protocols
Lecturer : Trần Thị Ngọc Hoa 10
Lecturer : Trần Thị Ngọc Hoa 11
IP Security OverviewIP Security Overview Open standard developed by IETF’s IPSec working group. Security Architecture for the Internet Prototol Designed to work at Layers 3 and 4 of the OSI model. IPSec protects data by providing the following services :
Data Authentication Data integrity Data origin authentication between
A pair of gateways A pair of hosts A host and its gateway
Relay protection Encryption
Many different types of algorithm are used in IPSec 2 primary protocols
AH – Authentication Header - 51 ESP – Encryption Security Payload - 50
Lecturer : Trần Thị Ngọc Hoa 12
Encryption AlgorithmsEncryption Algorithms
Designed for data confidentiality assurance 2 different methods
Symmetrical Asymmetrical
Lecturer : Trần Thị Ngọc Hoa 13
Symmetrical AlgorithmsSymmetrical Algorithms
EncryptEncrypt DecryptDecryptData#$ad^&*
Data
DES – Data Encryption Standard 56 bit key – 64 data bit block No of Key = 72,000,000,000,000,000
3DES Three phases Encrypt – Decrypt – Encrypt 168 bit key – 64 data bit block
AES – Advanced Encryption Standard 128-192-256 bit key
Session key
Session key
Lecturer : Trần Thị Ngọc Hoa 14
Asymmetric AlgorithmsAsymmetric Algorithms
EncryptEncrypt DecryptDecryptData#$ad^&*
Data
Public key Private key
2 different but related keys are required. RSA -Rivest, Shamir, and Adelman ElGamal
Lecturer : Trần Thị Ngọc Hoa 15
Hashing AlgorithmsHashing Algorithms Hashing algorithms are used for authentication and
integrity assurance for data They are based on some type of one-way hashing
function. SHA
128 bits output MD5
160 bits output Collision : 2 different inputs => the same output SHA is prefered than MD5
Lecturer : Trần Thị Ngọc Hoa 16
Hashing Example Hashing Example
Lecturer : Trần Thị Ngọc Hoa 17
Key Exchange ProblemKey Exchange Problem
Question : How to get the key from one device to the other ? If the key is sent across an untrusted network, you
run the risk of it being sniffed and captured by a hacker.
If you phone the technician at the other end, you run the risk of phone tapping.
Answer : Diffie Hellman
Lecturer : Trần Thị Ngọc Hoa 18
Diffie Hellman Key ExchangeDiffie Hellman Key Exchange
The Diffe-Hellman key exchange is used for automatic secure key exchange of Symmetrical keys Other types of keys
Algorithm Description Step 1 : A and B pour their favourite drink into the glass Step 2 : A and B pour the same liquid into the glass Step 3 : A and B exchange their own glass.Then pickup
the other liquid and mixed with their own one
Lecturer : Trần Thị Ngọc Hoa 19
IPSec ProtocolsIPSec Protocols AH
Provide Data integrity Data authentication Antireplay protection (optionally)
Not provide any form of encryption to the payload of the packet.
ESP Provide payload encryption Provide authentication and integrity
Lecturer : Trần Thị Ngọc Hoa 20
Security ModeSecurity Mode Both ESP and AH can operate in two different
modes Tunnel Mode :
The entire packet is encrypted then encapsulated with a new, unprotected IP header.
Transport Mode : Default mode The original IP header is reused with the new packet The current IP header has been used in the hashing
algorithm and therefore cannot be changed from sender to receiver.
Lecturer : Trần Thị Ngọc Hoa 21
Security AssociationsSecurity Associations A set of policy and key(s) used to protect data before an IPSec
tunnel can be created. Each SA gets a unique 32-bit Security Parameter Index
number – SPI – that is sent in every packet pertaining to the specific SA.
The SA keeps track of general information such as the following: Source IP address Destination IP address IPSec protocols used SPI number Encryption and authentication algorithms Key lifetime (sets the amount of time and/or byte count that a key
is valid for; the longer the time, the more vulnerable your data is)
Lecturer : Trần Thị Ngọc Hoa 22
Internet Key ExchangeInternet Key Exchange Internet Key Exchange (IKE) is used to establish all the information
needed – SA – for a tunnel. 2 phases
Main mode – IKE Phase 1 Quick mode – IKE Phase 2