VPNs - Presentation.pdf

Post on 29-Dec-2015


Virtual Private Networks (VPNs)

Dominik Herkel

agenda 1 / 3

1. important information

2. general

3. history

4. benefits for business

agenda 2 / 3

5. implementation

• GRE

• IPsec

• GRE over IPsec

• SSL/TLS

6. Cisco VPN solutions

agenda 3 / 3

7. access network resources

8. live configuration

important information

• always refer to the OSI model, not TCP/IP

• complex topic, listen carefully

general

• end-to-end private network connection

• security is a major concern

• access to internal network resources

history

• mostly removes the need to lease dedicated lines

• small companies are no longer left out

• uses already existing infrastructure (the public Internet)

• paved the way for telecommuting

benefits for business

• cost efficiency

• security

• scalability

• compatibility

implementation

• GRE

• IPsec VPNs

• GRE over IPsec

• SSL/TLS VPNs

Generic Routing Encapsulation (GRE)

general

• originally developed by Cisco

• GRE tunnels are stateless

• still widely in use

process

• original IP packet is encapsulated again: a GRE header is prepended and a new outer IP header is added

• additional overhead of 24 bytes (4-byte GRE header + 20-byte outer IPv4 header)

advantages

• multiprotocol support

• routing protocol support

• multicast and broadcast support

disadvantages

• no security measures: no encryption, no authentication, no integrity protection

• large overhead
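The two GRE slides above describe encapsulation and its lack of protection in words; the following added example (written for this page, not code from the slides or from Cisco) builds and unpacks a GRE packet so both points can be checked. The inner UDP datagram and the RFC 5737 tunnel endpoint addresses are constructed sample data; the optional GRE checksum, key and sequence fields are deliberately not supported.

```python
import ipaddress
import struct

PROTO_GRE = 47            # IP protocol number in the outer header
PROTO_UDP = 17
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" for an IPv4 payload


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 when a header with its checksum filled in verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header without options, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """RFC 2784 GRE: 4-byte header (C=0, version 0, protocol type) followed by the inner packet,
    all carried in an outer IPv4 header with protocol 47."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4) + inner
    return ipv4_header(outer_src, outer_dst, PROTO_GRE, len(gre)) + gre


def gre_decapsulate(packet: bytes) -> bytes:
    """Reverse of gre_encapsulate; rejects malformed outer headers and GRE optional fields."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("outer total length mismatch")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    if packet[9] != PROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000:      # C (RFC 2784) or K/S (RFC 2890) bit set -> extra fields follow
        raise ValueError("GRE optional fields not handled here")
    if flags & 0x0007:      # version must be 0 for plain GRE
        raise ValueError("unsupported GRE version")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    return packet[ihl + 4:]


# Constructed sample: one UDP datagram from a host behind R1 to a host behind R2.
SECRET = b"constructed payload: username=alice password=s3cret"
UDP_HEADER = struct.pack("!HHHH", 40000, 514, 8 + len(SECRET), 0)   # UDP checksum left at 0
INNER_PACKET = (ipv4_header("10.1.1.10", "10.2.2.20", PROTO_UDP, len(UDP_HEADER) + len(SECRET))
                + UDP_HEADER + SECRET)


def demo() -> dict:
    """Tunnel the sample packet R1 -> R2 and report what an on-path observer would see."""
    outer = gre_encapsulate(INNER_PACKET, "203.0.113.1", "198.51.100.1")
    return {
        "overhead_bytes": len(outer) - len(INNER_PACKET),     # 20 outer IPv4 + 4 GRE = 24
        "roundtrip_ok": gre_decapsulate(outer) == INNER_PACKET,
        "payload_visible_on_wire": SECRET in outer,           # GRE adds no confidentiality
        "inner_addresses_visible": ipaddress.IPv4Address("10.2.2.20").packed in outer,
    }


if __name__ == "__main__":
    print(demo())
```

The outer header checksum only detects accidental corruption; an attacker who rewrites the inner packet simply recomputes it, which is why GRE on its own is not a security boundary.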

Internet Protocol Security (IPsec)

general

• isn’t bound to any specific security technologies

• framework of open standards

• in theory operates over all data link layer (OSI model) protocols

modes

• tunnel mode

• transport mode

protocols

• Authentication Header (AH):

• appropriate when confidentiality not required

• only authentication and integrity provided

• Encapsulating Security Payload (ESP):

• unlike AH, also provides encryption (confidentiality), with optional authentication and integrity

confidentiality

• symmetric algorithms are used

• used for bulk encryption of the traffic

• examples:

• Data Encryption Standard (DES), legacy, no longer acceptable

• Triple Data Encryption Standard (3DES), legacy

• Advanced Encryption Standard (AES), the current choice

integrity

• Keyed-Hash Message Authentication Code (HMAC)

• a shared secret key is combined with the data before hashing

• hash value calculated from the key-data combination; without the key an attacker cannot recompute it

• examples of hash functions used:

• Message-Digest Algorithm 5 (MD5) and SHA-1 (both deprecated for new deployments), Secure Hash Algorithm 2 (SHA-2), SHA-3

authentication

• parties authenticate each other

• either pre-shared keys or digital signatures are used

• examples:

• pre-shared key (PSK)

• Rivest-Shamir-Adleman (RSA) signature

secure key exchange

• Diffie-Hellman (DH)

• public-key key agreement algorithm

• defined in several groups (modulus sizes)

• lets both parties compute an identical shared secret

• the shared secret itself is never transmitted between the parties

• examples:

• IKE DH groups range from group 1 to 24

• groups differ in modulus size and therefore in strength (groups 1 and 2 are too weak today; group 14 or larger is recommended)

process

1. Host A (behind R1) sends interesting traffic (traffic matched by the crypto ACL) to Host B (behind R2).

2. R1 and R2 negotiate an IKE phase one session; an authenticated secure channel (the ISAKMP SA) is set up.

3. R1 and R2 negotiate an IKE phase two session; IPsec SAs are built from the matching parameters (transform set, mode, lifetime).

4. Data is transmitted securely.

5. The IPsec tunnel is terminated when the SA lifetime expires or the SA is deleted.
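The integrity, secure key exchange and process slides above can be tied together in code. The following added example (this page's illustration, not code from the slides, from Cisco or from any IPsec implementation) uses only the Python standard library: a Diffie-Hellman agreement in IKE group 2, a key derivation simplified after IKEv1's SKEYID = prf(Ni | Nr, g^xy), and a truncated HMAC-SHA-256 ICV of the kind AH/ESP append to a packet, contrasted with an unkeyed hash that an attacker can recompute. Group 2 is embedded only because its 1024-bit modulus is short; the key labels, the nonces and the packet contents are constructed for the example, and the AES encryption step of ESP is left out.

```python
import hashlib
import hmac
import secrets

# RFC 2409 IKE Diffie-Hellman group 2: 1024-bit MODP prime, generator 2.  Too weak for new
# deployments (use group 14, 2048-bit, or larger, or an elliptic-curve group).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2          # P is a safe prime, so G generates a subgroup of prime order Q
ICV_LEN = 16              # HMAC-SHA-256-128 (RFC 4868): 256-bit MAC truncated to 128 bits


def dh_keypair() -> tuple:
    """Private exponent x (never leaves the router) and public value g^x mod p (sent in clear)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def dh_shared_secret(own_private: int, peer_public: int) -> bytes:
    """g^xy mod p, computed independently by each side; the secret itself is never transmitted.
    Peer values outside the prime-order subgroup (0, 1, p-1, small-subgroup points) are rejected."""
    if not 2 <= peer_public <= P - 2 or pow(peer_public, Q, P) != 1:
        raise ValueError("invalid DH public value")
    return pow(peer_public, own_private, P).to_bytes((P.bit_length() + 7) // 8, "big")


def derive_keys(shared: bytes, nonce_i: bytes, nonce_r: bytes) -> dict:
    """Simplified after IKEv1's SKEYID = prf(Ni | Nr, g^xy); the "auth"/"enc" labels are this
    example's own, not the real SKEYID_a / SKEYID_e derivation."""
    skeyid = hmac.new(nonce_i + nonce_r, shared, hashlib.sha256).digest()
    return {"auth": hmac.new(skeyid, b"auth", hashlib.sha256).digest(),
            "enc": hmac.new(skeyid, b"enc", hashlib.sha256).digest()}


def protect(auth_key: bytes, payload: bytes) -> bytes:
    """Append a truncated HMAC ICV, as AH/ESP do for a packet (encryption omitted here)."""
    return payload + hmac.new(auth_key, payload, hashlib.sha256).digest()[:ICV_LEN]


def verify(auth_key: bytes, packet: bytes) -> bytes:
    """Constant-time ICV check; returns the payload or raises."""
    payload, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, payload, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("integrity check failed")
    return payload


def unkeyed_protect(payload: bytes) -> bytes:
    """Contrast case: a plain hash with no shared secret."""
    return payload + hashlib.sha256(payload).digest()[:ICV_LEN]


def unkeyed_verify(packet: bytes) -> bool:
    payload, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv, hashlib.sha256(payload).digest()[:ICV_LEN])


def run_exchange() -> dict:
    """Walk the slide's process: phase-one DH, key derivation, protected data, then tampering."""
    r1_priv, r1_pub = dh_keypair()            # only r1_pub and r2_pub cross the wire
    r2_priv, r2_pub = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    r1_keys = derive_keys(dh_shared_secret(r1_priv, r2_pub), ni, nr)
    r2_keys = derive_keys(dh_shared_secret(r2_priv, r1_pub), ni, nr)

    data = b"constructed packet: Host A -> Host B"    # constructed sample, not a capture
    packet = protect(r1_keys["auth"], data)
    accepted = verify(r2_keys["auth"], packet) == data

    # An on-path attacker rewrites the payload.  Against a plain hash it just recomputes the
    # hash; against HMAC it lacks the key, so the old ICV no longer matches and R2 rejects it.
    forged = b"constructed packet: Host A -> ATTACKER"
    unkeyed_forgery_passes = unkeyed_verify(unkeyed_protect(forged))
    try:
        verify(r2_keys["auth"], forged + packet[-ICV_LEN:])
        hmac_forgery_passes = True
    except ValueError:
        hmac_forgery_passes = False

    return {"same_keys": r1_keys == r2_keys, "accepted": accepted,
            "unkeyed_forgery_passes": unkeyed_forgery_passes,
            "hmac_forgery_passes": hmac_forgery_passes}


if __name__ == "__main__":
    print(run_exchange())
```

The subgroup check in dh_shared_secret is the one detail most toy DH code drops: without it a peer can send 1 or p-1 and force the shared secret to a value it already knows.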

advantages

• security

• based on existing algorithms

disadvantages

• IP-only (no multiprotocol support)

• unicast only (no multicast or broadcast)

• no routing protocol support (routing protocols rely on multicast)

Decision

GRE over IPsec

• often no need to decide between IPsec or GRE

• combines the benefits of both solutions into one

• flexibility provided by GRE and security ensured by IPsec

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

general

• SSL is the predecessor of TLS

• both work at the presentation layer of the OSI model

• several security measures

process

(http://www.youtube.com/watch?v=SJJmoDZ3il8)

advantages

• security

• available almost everywhere (any web browser)

• third-party trust (certificate authorities)

disadvantages

• forged or fraudulently issued SSL/TLS certificates

• DoS attacks (e.g. handshake and renegotiation exhaustion, as in THC-SSL-DOS)
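The "faked certificates" point above is, in practice, usually a client that does not verify. The following added example (written for this page, not from the slides or from any vendor) shows the hardened Python ssl client configuration beside the weakened one, plus an issuer check on top of chain validation; the expected issuer name and the certificate dictionary in the test are constructed, and fetch_peer_cert needs network access so the tests never call it.

```python
import socket
import ssl


def make_client_context(verify: bool = True) -> ssl.SSLContext:
    """Client-side TLS settings.  verify=True is the hardened configuration; verify=False
    reproduces the misconfiguration that lets a forged certificate through, shown for contrast."""
    ctx = ssl.create_default_context()             # CERT_REQUIRED, check_hostname, OS CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0 and TLS 1.1
    if not verify:
        # With verification off any certificate, including one an attacker minted, is accepted.
        # check_hostname must be cleared first; setting CERT_NONE while it is on raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def issuer_check(peer_cert: dict, expected_issuer_cn: str) -> bool:
    """Extra check after chain validation: a certificate issued by an unexpected CA fails here.
    `peer_cert` is the dict SSLSocket.getpeercert() returns; with CERT_NONE it is empty, so the
    check fails closed."""
    issuer = {}
    for rdn in peer_cert.get("issuer", ()):
        issuer.update(dict(rdn))
    return issuer.get("commonName") == expected_issuer_cn


def fetch_peer_cert(host: str, port: int = 443, verify: bool = True) -> dict:
    """Open a TLS connection and return the server certificate (requires network access)."""
    ctx = make_client_context(verify)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Hypothetical host and issuer, named here only to show the call shape.
    cert = fetch_peer_cert("vpn.example.com")
    print(issuer_check(cert, "Example Corp Issuing CA"))
```

Pinning the issuer is a deliberate trade-off: it blocks mis-issued certificates from other CAs, at the cost of a client update whenever the server legitimately changes CA.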

Cisco VPN solutions

• Cisco Integrated Services Router (ISR) with enabled VPN

• Cisco Private Internet eXchange (PIX) – end of life (EOL), end of sale (EOS)

• Cisco Adaptive Security Appliance (ASA) 5500 Series

• Cisco VPN 3000 Series Concentrator – end of life (EOL), end of sale (EOS)

• Small and Home Office (SOHO) Routers

access network resources

• site-to-site configuration

• Cisco VPN Client

• Cisco AnyConnect VPN Client

bibliography 1 / 5

• AnexGATE. (n.d.). AnexGATE. Retrieved from http://www.anexgate.com/downloads/whitepapers/vpnprimer.pdf

• Cisco. (n.d.). Cisco. Retrieved from http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

• Cisco. (n.d.). Cisco Netacademy. Retrieved from http://www.cisco.com/web/learning/netacad/index.html

bibliography 2 / 5

• Covenant. (n.d.). DSLreports. Retrieved from http://www.dslreports.com/faq/8228

• Edwards, J. (n.d.). ITsecurity. Retrieved from http://www.itsecurity.com/features/vpn-popularity-021108/

• Itif. (n.d.). Itif. Retrieved from http://www.itif.org/files/Telecommuting.pdf

• Kilpatrick, I. (n.d.). IT Pro Portal. Retrieved from http://www.itproportal.com/2007/05/18/benefits-and-disadvantages-of-ssl-vpns/

bibliography 3 / 5

• Mason, A. (n.d.). CiscoPress. Retrieved from http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7

• Pearson. (n.d.). Pearsoncmg. Retrieved from http://ptgmedia.pearsoncmg.com/images/9781587201509/samplechapter/158720150X_CH14.pdf

• Rager, A. T. (n.d.). SourceForge. Retrieved from http://ikecrack.sourceforge.net/

• SANS Institute. (n.d.). GoogleDocs. Retrieved from https://docs.google.com/viewer?a=v&q=cache:LcJ_BIRpFl4J:www.sans.org/reading_room/whitepapers/vpns/vulnerabilitys-ipsec-discussion-weaknesses-ipsec-implementation-pro_760+ipsec+vulnerabilities&hl=de&gl=at&pid=bl&srcid=ADGEESjc5VtF9axW6pM9jnZscnGxhS2U9roAq

bibliography 4 / 5

• Suida, D. (n.d.). WordPress. Retrieved from http://waynetwork.wordpress.com/2011/07/02/video-tutorial-ipsec-over-a-gre-tunnel/

• Unknown. (n.d.). ETutorials. Retrieved from http://etutorials.org/Networking/network+security+assessment/Chapter+11.+Assessing+IP+VPN+Services/11.2+Attacking+IPsec+VPNs/

• Unknown. (n.d.). Journey2CCIE. Retrieved from http://journey2ccie.blogspot.co.at

bibliography 5 / 5

• Unknown. (n.d.). Teleworkers Research Network. Retrieved from http://www.teleworkresearchnetwork.com/telecommuting-statistics

• Unknown. (n.d.). The Hackers Choice. Retrieved from http://thehackerschoice.wordpress.com/2011/10/24/thc-ssl-dos/

• Wikipedia. (n.d.). Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Telecommuting#Telecommuting_and_telework_statistics

• Wikipedia. (n.d.). Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Transport_Layer_Security

• Zandi, S. (n.d.). Cisco LearningNetwork. Retrieved from https://learningnetwork.cisco.com/docs/DOC-2457

• dtommy1979 (n.d.). YouTube. Retrieved from http://www.youtube.com/watch?v=SJJmoDZ3il8