19-Virtual Private Networks
![Page 1: 19-Virtual Private Networks](https://reader035.fdocuments.in/reader035/viewer/2022062504/577d24661a28ab4e1e9c61eb/html5/thumbnails/1.jpg)
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 1/65
By P. Victer Paul

Dear, we planned to share our eBooks and project/seminar contents for free to all needy friends like you. To get to know about more free computer science eBooks and technology advancements in computer science, please visit:
http://free-computerscience-ebooks.blogspot.com/
http://recent-computer-technology.blogspot.com/
http://computertechnologiesebooks.blogspot.com/
Please, to keep providing many eBooks and technology news for FREE, encourage us by clicking on the advertisements in these blogs.

VPNs can be used to secure communications through the public Internet.
VPNs are often installed by organizations to provide remote access to a secure organizational network, or to connect two network locations together using an insecure network to carry the traffic.
A VPN does not need to have explicit security features such as authentication or traffic encryption. For example, a network service provider could use VPNs to separate the traffic of multiple customers over an underlying network.
VPNs such as Tor can be used to mask the IP address of individual computers within the Internet in order, for instance, to surf the World Wide Web anonymously or to access location restricted services, such as Internet television.

VPNs may be classified:
In the protocols they use to tunnel the traffic over the underlying network;
By the location of tunnel termination, such as the customer edge or network provider edge;
Whether they offer site-to-site or remote access connectivity;
In the levels of security provided;
By the OSI layer which they present to the connecting network, such as Layer 2 circuits or Layer 3 network connectivity.

Secure VPNs explicitly provide mechanisms for authentication of the tunnel endpoints during tunnel setup, and encryption of the traffic in transit.
Often secure VPNs are used to protect traffic when using the Internet as the underlying backbone, but equally they may be used in any environment when the security level of the underlying network differs from the traffic within the VPN.

Secure VPNs may be implemented by organizations wishing to provide remote access facilities to their employees or by organizations wishing to connect multiple networks together securely using the Internet to carry the traffic.
A common use for secure VPNs is in remote access scenarios, where VPN client software on an end user system is used to connect to a remote office network securely.
Secure VPN protocols include L2TP (with IPsec), SSL/TLS VPN (with SSL/TLS) or PPTP (with MPPE).

Trusted VPNs are commonly created by carriers and large organizations and are used for traffic segmentation on large core networks. They often provide quality of service guarantees and other carrier-grade features.
Trusted VPNs may be implemented by network carriers wishing to multiplex multiple customer connections transparently over an existing core network or by large organizations wishing to segregate traffic flows from each other in the network. Trusted VPN protocols include MPLS, ATM or Frame Relay.
Trusted VPNs differ from secure VPNs in that they do not provide security features such as data confidentiality through encryption. Secure VPNs however do not offer the level of control of the data flows that a trusted VPN can provide, such as bandwidth guarantees or routing.

Security
Address Translation
Performance: Throughput, Load balancing (round-robin DNS), fragmentation
Bandwidth Management: RSVP (Resource Reservation Protocol)
Availability: Good performance at all times
Scalability: Number of locations/Users
Interoperability: Among vendors, Internet Service Providers (ISPs), customers (for extranets) ⇒ Standards Compatibility, With firewall

Compression: Reduces bandwidth requirements
Manageability: SNMP (Simple Network Management Protocol), Browser based, Java based, centralized/distributed
Accounting, Auditing, and Alarming
Protocol Support: IP, non-IP (IPX)
Platform and O/S support: Windows, UNIX, MacOS, HP/Sun/Intel
Installation: Changes to desktop or backbone only
Legal: Exportability, Foreign Govt Restrictions, Key Management Infrastructure (KMI) initiative ⇒ Need key recovery

IPsec (Internet Protocol Security) - A standards-based security protocol developed originally for IPv6, where support is mandatory, but also widely used with IPv4. For VPNs L2TP is commonly used over IPsec.
Transport Layer Security (SSL/TLS) is used either for tunneling an entire network's traffic (SSL/TLS VPN)
SSL has been used as the foundation by a number of vendors to provide remote access VPN capabilities.
SSL-based VPNs may be vulnerable to denial-of-service attacks mounted against their TCP connections because the latter are inherently unauthenticated.

Datagram Transport Layer Security (DTLS), used by Cisco for a next generation VPN product called Cisco AnyConnect VPN. DTLS solves the issues found when tunneling TCP over TCP as is the case with SSL/TLS.
Microsoft Point-to-Point Encryption (MPPE) by Microsoft is used with their PPTP. Several compatible implementations on other platforms also exist.
Secure Socket Tunneling Protocol (SSTP) by Microsoft introduced in Windows Server 2008 and Windows Vista Service Pack 1. SSTP tunnels PPP or L2TP traffic through an SSL 3.0 channel.

MPVPN (Multi Path Virtual Private Network). Ragula Systems Development Company owns the registered trademark "MPVPN".
SSH VPN -- OpenSSH offers VPN tunneling to secure remote connections to a network (or inter-network links). This feature (option -w) should not be confused with port forwarding (option -L).
OpenSSH server provides a limited number of concurrent tunnels and the VPN feature itself does not support personal authentication.

Tunnel endpoints are required to authenticate themselves before secure VPN tunnels can be established.
End user created tunnels, such as remote access VPNs, may use passwords, biometrics, two-factor authentication or other cryptographic methods.
For network-to-network tunnels, passwords or digital certificates are often used, as the key must be permanently stored and not require manual intervention for the tunnel to be established automatically.
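As an added example (not part of the slides), the mutual authentication step for a network-to-network tunnel can be sketched with a permanently stored pre-shared key: each endpoint proves possession of the key with an HMAC over both parties' fresh nonces, so a proof captured from one setup is useless in the next. The names (Endpoint, run_handshake), the key value and the three-message layout are this example's own constructions, not the wire format of any real VPN protocol.

```python
import hashlib
import hmac
import secrets

# Constructed long-term secret shared by both tunnel endpoints. It is stored on disk
# so the tunnel can come up with no operator present (the slide's network-to-network case).
PSK = b"example-psk-do-not-reuse"


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big"))
        h.update(part)
    return h.digest()


class Endpoint:
    """One tunnel endpoint; the same class plays initiator or responder."""

    def __init__(self, name: str, psk: bytes):
        self.name = name.encode()
        self.psk = psk
        self.my_nonce = None
        self.peer_nonce = None

    def hello(self):
        """Message 1, initiator -> responder: identity and a fresh nonce."""
        self.my_nonce = secrets.token_bytes(16)
        return self.name, self.my_nonce

    def respond(self, peer_name: bytes, peer_nonce: bytes):
        """Message 2, responder -> initiator: identity, fresh nonce, proof over both nonces."""
        self.peer_nonce = peer_nonce
        self.my_nonce = secrets.token_bytes(16)
        proof = mac(self.psk, b"resp", peer_name, peer_nonce, self.name, self.my_nonce)
        return self.name, self.my_nonce, proof

    def finish(self, peer_name: bytes, peer_nonce: bytes, proof: bytes):
        """Initiator checks the responder's proof; on success returns its own proof (message 3)."""
        expected = mac(self.psk, b"resp", self.name, self.my_nonce, peer_name, peer_nonce)
        if not hmac.compare_digest(expected, proof):
            return None                      # wrong key or replayed proof: abort setup
        self.peer_nonce = peer_nonce
        return mac(self.psk, b"init", self.name, self.my_nonce, peer_name, peer_nonce)

    def verify(self, peer_name: bytes, proof: bytes) -> bool:
        """Responder checks message 3; only then is the tunnel considered authenticated."""
        expected = mac(self.psk, b"init", peer_name, self.peer_nonce, self.name, self.my_nonce)
        return hmac.compare_digest(expected, proof)


def run_handshake(psk_a: bytes, psk_b: bytes) -> bool:
    """Drive a full exchange between two sites; True only if both proofs verify."""
    a, b = Endpoint("siteA", psk_a), Endpoint("siteB", psk_b)
    name_a, n_a = a.hello()
    name_b, n_b, proof_b = b.respond(name_a, n_a)
    proof_a = a.finish(name_b, n_b, proof_b)
    if proof_a is None:
        return False
    return b.verify(name_a, proof_a)


def replayed_proof_rejected() -> bool:
    """A responder proof captured from an earlier setup must fail against a fresh initiator nonce."""
    a_old, b = Endpoint("siteA", PSK), Endpoint("siteB", PSK)
    name_a, n_a = a_old.hello()
    name_b, n_b, old_proof = b.respond(name_a, n_a)
    a_new = Endpoint("siteA", PSK)
    a_new.hello()                            # new nonce, so the old proof no longer binds
    return a_new.finish(name_b, n_b, old_proof) is None
```

A certificate-based variant replaces the HMAC with a signature over the same two nonces and identities. Either way the secret that lets the tunnel come up unattended lives on disk, which is why the slide ties automatic establishment to stored keys and why the permissions on that key file are part of the tunnel's security.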

Depending on whether the PPVPN runs in layer 2 or layer 3, the building blocks described below may be L2 only, L3 only, or combinations of the two.
Multiprotocol Label Switching (MPLS) functionality blurs the L2-L3 identity.
◦ Customer edge device (CE)
◦ Provider edge device (PE)
◦ Provider device (P)

Customer edge device (CE)
In general, a CE is a device, physically at the customer premises, that provides access to the PPVPN service. Some implementations treat it purely as a demarcation point between provider and customer responsibility, while others allow customers to configure it.
Provider edge device (PE)
A PE is a device or set of devices, at the edge of the provider network, which provides the provider's view of the customer site. PEs are aware of the VPNs that connect through them, and maintain VPN state.

Provider device (P)
A P device operates inside the provider's core network, and does not directly interface to any customer endpoint. It might, for example, provide routing for many provider-operated tunnels that belong to different customers' PPVPNs.
Its principal role is allowing the service provider to scale its PPVPN offerings, as, for example, by acting as an aggregation point for multiple PEs. P-to-P connections, in such a role, often are high-capacity optical links between major locations of the provider.

GRE: Generic Routing Encapsulation (RFC 1701/2)
PPTP: Point-to-Point Tunneling Protocol
L2TP: Layer 2 Tunneling Protocol
IPsec: Secure IP
MPLS: Multiprotocol Label Switching
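To make the first acronym concrete, here is an added parser (not from the slides) for the GRE header of RFC 1701 and for the "enhanced GRE" variant of RFC 2637 that PPTP uses to carry PPP frames. The two sample packets are constructed for the example, not captured traffic; field names are this example's own.

```python
import struct

# Protocol type values carried in the GRE header (IANA / RFC values)
PROTO_IPV4 = 0x0800
PROTO_PPP_PPTP = 0x880B        # enhanced GRE carrying PPP, RFC 2637

# Bits of the first 16-bit word of an RFC 1701 GRE header
FLAG_C = 0x8000                # checksum present
FLAG_R = 0x4000                # routing present
FLAG_K = 0x2000                # key present
FLAG_S = 0x1000                # sequence number present
FLAG_A = 0x0080                # acknowledgment present (RFC 2637 only)
VER_MASK = 0x0007


def parse_gre(packet: bytes) -> dict:
    """Parse a GRE header (version 0, RFC 1701) or a PPTP enhanced GRE header (version 1).

    Returns the header fields plus 'payload', the encapsulated frame.
    Raises ValueError on a truncated or unsupported header.
    """
    if len(packet) < 4:
        raise ValueError("GRE header truncated")
    flags, proto = struct.unpack("!HH", packet[:4])
    hdr = {"version": flags & VER_MASK, "protocol": proto}
    off = 4

    def take(n: int) -> bytes:
        nonlocal off
        if len(packet) < off + n:
            raise ValueError("GRE optional field truncated")
        chunk = packet[off:off + n]
        off += n
        return chunk

    if hdr["version"] == 0:
        if flags & (FLAG_C | FLAG_R):      # checksum and offset are present together
            hdr["checksum"], hdr["offset"] = struct.unpack("!HH", take(4))
        if flags & FLAG_K:
            hdr["key"] = struct.unpack("!I", take(4))[0]
        if flags & FLAG_S:
            hdr["sequence"] = struct.unpack("!I", take(4))[0]
        if flags & FLAG_R:
            raise ValueError("source routing (R bit) is not supported by this parser")
    elif hdr["version"] == 1 and proto == PROTO_PPP_PPTP:
        if not flags & FLAG_K:
            raise ValueError("enhanced GRE requires the Key field")
        # RFC 2637 reuses the Key field as payload length (high 16) and call ID (low 16)
        hdr["payload_length"], hdr["call_id"] = struct.unpack("!HH", take(4))
        if flags & FLAG_S:
            hdr["sequence"] = struct.unpack("!I", take(4))[0]
        if flags & FLAG_A:
            hdr["ack"] = struct.unpack("!I", take(4))[0]
    else:
        raise ValueError(f"unsupported GRE version {hdr['version']}")

    hdr["payload"] = packet[off:]
    return hdr


# Constructed sample packets (not captured traffic):
# 1) plain GRE version 0 with a Key, carrying a 20-byte IPv4 payload
GRE_V0_KEYED = bytes.fromhex("2000 0800 0000002a") + b"\x45\x00" + b"\x00" * 18
# 2) PPTP enhanced GRE: K, S and A set, version 1, payload length 16, call ID 1, seq 7, ack 6
GRE_PPTP = bytes.fromhex("3081 880b 0010 0001 00000007 00000006") + b"\xff\x03" + b"\x00" * 14
```

The parser makes the security point of the earlier slides visible: nothing in either header authenticates the sender or protects the payload, so a GRE or PPTP tunnel is only as trustworthy as the layer put on top of it (MPPE for PPTP, IPsec for L2TP), which is exactly the line between a trusted VPN and a secure one.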

Layer 2 Tunneling Protocol
L2F = Layer 2 Forwarding (from CISCO)
L2TP = L2F + PPTP
Combines the best features of L2F and PPTP
Easy upgrade from L2F or PPTP
Allows PPP frames to be sent over non-IP (Frame Relay, ATM) networks also (PPTP works on IP only)
Allows multiple (different QoS) tunnels between the same end-points
Better header compression
Supports flow control

Universal Transport Interface (UTI) is a pre-standard effort for transporting L2 frames.
L2TPv3 extends UTI and includes it as one of many supported encapsulations.
L2TPv3 has a control plane using a reliable control connection for establishment, teardown and maintenance of individual sessions.

Allows virtual circuits in IP Networks
Each packet has a virtual circuit number called ‘label’
Label determines the packet’s queuing and forwarding
Circuits are called Label Switched Paths (LSPs)
LSPs have to be set up before use
Allows traffic engineering
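As an added illustration (not from the slides), the following simulation shows label push, swap and pop along two label switched paths through a small provider core, including a traffic-engineered second path for a different class of traffic. Router names, label values and prefixes are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    dst_ip: str
    traffic_class: str = "best-effort"
    labels: list = field(default_factory=list)   # label stack; top of stack is the last element


class LSR:
    """Label switching router: an ingress FIB for unlabeled packets, an LFIB for labeled ones."""

    def __init__(self, name: str):
        self.name = name
        self.fib = {}     # (prefix, traffic_class) -> (label to push, next hop)
        self.lfib = {}    # incoming label -> (action, outgoing label, next hop)

    def forward(self, pkt: Packet) -> str:
        """Apply this router's label operation to pkt and return the next hop name."""
        if pkt.labels:
            in_label = pkt.labels[-1]                 # transit routers look only at the top label
            if in_label not in self.lfib:
                raise LookupError(f"{self.name}: label {in_label} has no LSP set up")
            action, out_label, next_hop = self.lfib[in_label]
            if action == "swap":
                pkt.labels[-1] = out_label
            elif action == "pop":
                pkt.labels.pop()
            return next_hop
        # Unlabeled packet: ingress lookup by longest prefix match within the traffic class
        addr = ipaddress.ip_address(pkt.dst_ip)
        best = None
        for (prefix, cls), entry in self.fib.items():
            net = ipaddress.ip_network(prefix)
            if cls == pkt.traffic_class and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, entry)
        if best is None:
            raise LookupError(f"{self.name}: no LSP for {pkt.dst_ip} class {pkt.traffic_class}")
        push_label, next_hop = best[1]
        pkt.labels.append(push_label)
        return next_hop


def build_network() -> dict:
    """Two pre-established LSPs from PE1 to PE2 for the constructed prefix 10.2.0.0/16."""
    pe1, p1, p2, p3, pe2 = (LSR(n) for n in ("PE1", "P1", "P2", "P3", "PE2"))
    # LSP A (best-effort): PE1 -100-> P1 -200-> P2 -300-> PE2
    pe1.fib[("10.2.0.0/16", "best-effort")] = (100, "P1")
    p1.lfib[100] = ("swap", 200, "P2")
    p2.lfib[200] = ("swap", 300, "PE2")
    pe2.lfib[300] = ("pop", None, "CE2")
    # LSP B (voice), traffic-engineered over a different core path: PE1 -101-> P3 -301-> PE2
    pe1.fib[("10.2.0.0/16", "voice")] = (101, "P3")
    p3.lfib[101] = ("swap", 301, "PE2")
    pe2.lfib[301] = ("pop", None, "CE2")
    return {r.name: r for r in (pe1, p1, p2, p3, pe2)}


def trace(network: dict, pkt: Packet, start: str = "PE1") -> list:
    """Return (router, label stack after processing) for each hop until the packet leaves the core."""
    hops = []
    node = start
    while node in network:
        next_hop = network[node].forward(pkt)
        hops.append((node, list(pkt.labels)))
        node = next_hop
    return hops
```

The LookupError paths are the "LSPs have to be set up before use" point: a transit router holds no per-destination routes, only per-label state, so a label nobody distributed is dropped. The second FIB entry is the traffic-engineering point: the ingress router, not the IP destination alone, decides which circuit a class of traffic takes.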

Unsolicited: Topology driven ⇒ Routing protocols exchange labels with routing information. Many existing routing protocols are being extended: BGP, OSPF
On-Demand: ⇒ Label assigned when requested, e.g., when a packet arrives ⇒ latency
Label Distribution Protocol called LDP
RSVP has been extended to allow label request and response

VPN allows secure communication on the Internet
Three types: WAN, Access, Extranet
Key issues: address translation, security, performance
Layer 2 (PPTP, L2TP), Layer 3 (IPSec)
QoS is still an issue ⇒ MPLS

FIREWALL

Aspects of Security
◦ Data accessibility - contents accessible
◦ Data integrity - contents remain unchanged
◦ Data confidentiality - contents not revealed
AAA
◦ Authentication - You are who you say you are
◦ Authorization - Access control
◦ Accountability - Who is responsible for tracking access to data

Scrambling of messages such that only the intended receiver can unscramble them
◦ Encrypting function - produces encrypted message
◦ Decrypting function - extracts original message
◦ Encryption key - parameter that controls encryption/decryption

Secret Key Encryption
◦ Sender and receiver share secret key
◦ Encrypted_Message = encrypt(K, Message)
◦ Message = decrypt(K, Encrypted_Message)
◦ Example: Encrypt = division
◦ 433 = 48 R 1 (using divisor of 9)

Previous scheme requires shared secret K
If K is discovered, security is compromised
Public key encryption uses two keys:
◦ Private key - kept secret by user
◦ Public key - published by user
Message encrypted with public key can be decrypted only with private key, and vice-versa

Message = decrypt(Public_Key, encrypt(Private_Key, Message))
Message = decrypt(Private_Key, encrypt(Public_Key, Message))

Goal - guarantee that message must have originated with certain entity
Encrypted_Message = encrypt(Private_Key, Message)
Message = decrypt(Public_Key, Encrypted_Message)
⇒ Authentic

User 1 to User 2: Encrypted_Message = encrypt(Public_key2, encrypt(Private_key1, Message))
Message = decrypt(Public_key1, decrypt(Private_key2, Encrypted_Message))
⇒ Authentic and Private
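The two slides above compose the key operations in a fixed order. As an added example (not the slides' own), textbook RSA with small constructed primes makes that algebra runnable: encrypt and decrypt are the same modular exponentiation, and which key is applied decides whether the result is private, authentic, or both. The primes, the key pairs and the example message 65 are constructed; there is no padding, so this is a teaching aid rather than a usable cryptosystem.

```python
# Added example: textbook RSA with tiny constructed primes, to execute the slides'
# encrypt()/decrypt() key-role algebra. No padding and toy moduli: not for real use.


def make_keypair(p: int, q: int, e: int = 17):
    """Return (public_key, private_key), each as an (exponent, modulus) pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                      # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def apply_key(key, value: int) -> int:
    """The slides' encrypt()/decrypt(): one modular exponentiation with whichever key is given."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the key's modulus")
    return pow(value, exponent, n)


encrypt = apply_key
decrypt = apply_key

# Constructed key pairs. User 2's modulus is larger than user 1's so that the output of
# user 1's private-key operation (a number below n1) is always a valid input to user 2's key.
PUB1, PRIV1 = make_keypair(61, 53)           # n1 = 3233, the classic textbook pair
PUB2, PRIV2 = make_keypair(1009, 1013)       # n2 = 1022117


def authentic(message: int) -> int:
    """Slide 'Authentic': only the holder of PRIV1 can produce a value that PUB1 opens to message."""
    return encrypt(PRIV1, message)


def authentic_and_private(message: int) -> int:
    """User 1 to User 2: Encrypted_Message = encrypt(Public_key2, encrypt(Private_key1, Message))."""
    return encrypt(PUB2, encrypt(PRIV1, message))


def open_authentic_and_private(ciphertext: int) -> int:
    """Message = decrypt(Public_key1, decrypt(Private_key2, Encrypted_Message))."""
    return decrypt(PUB1, decrypt(PRIV2, ciphertext))
```

Modulus ordering matters for the nested form: the inner result is below n1 and must also be below n2, which is why the example picks n2 larger than n1. Real systems sidestep this by signing a hash of the message and encrypting a symmetric session key rather than the message itself, and the private-key operation alone gives no way to tell a valid message from garbage unless the plaintext carries redundancy such as that hash.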

Bastion Host
DMZ (demilitarized zone)
Perimeter network

A bastion host is a computer that is fully exposed to attack
The system is on the public side of the demilitarized zone (DMZ), unprotected by a firewall or filtering router
Firewalls and routers can be considered bastion hosts
Other types of bastion hosts include web, mail, DNS, and FTP servers, proxy servers

DMZ (demilitarized zone) is a computer host or small network inserted as a "neutral zone" between a company's private network and the outside public network.
It prevents outside users from getting direct access to a server that has company data

A small, single-segment network between a firewall and the Internet for services that the organization wants to make publicly accessible to the Internet without exposing the network as a whole
If someone breaks into a bastion host on the perimeter net, he'll be able to snoop only on traffic on that net
Also known as ‘stub network’

Can configure packet forwarding devices - esp. routers - to drop certain packets
Example: Only email gets in/out
Problem: Filter is accessible to outside world
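As an added example (not the slides' own), a stateless packet filter that implements "only email gets in/out" for a constructed site 192.0.2.0/24 with a mail host at 192.0.2.25 and the filtering router itself at 192.0.2.1. The rule set, the Packet and Rule names and the sample packets are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (Internet -> site) or "out" (site -> Internet)
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                               # "allow" or "drop"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"                    # CIDR
    dst: str = "0.0.0.0/0"
    dport: Optional[Tuple[int, int]] = None   # inclusive destination port range, None = any

    def matches(self, pkt: Packet) -> bool:
        if self.direction != "any" and self.direction != pkt.direction:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and not self.dport[0] <= pkt.dport <= self.dport[1]:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """First matching rule wins; anything no rule mentions gets the default (deny by default)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed topology for the example
MAIL_HOST = "192.0.2.25/32"
ROUTER = "192.0.2.1/32"

ONLY_EMAIL = [
    # The slide's "problem": the filter itself is reachable from outside, so shield it first.
    Rule("drop", direction="in", dst=ROUTER),
    # Inbound SMTP to the mail host, and the mail host's replies back to the client's high port.
    Rule("allow", direction="in", proto="tcp", dst=MAIL_HOST, dport=(25, 25)),
    Rule("allow", direction="out", proto="tcp", src=MAIL_HOST, dport=(1024, 65535)),
    # Outbound SMTP from the mail host, and the remote server's replies coming back.
    Rule("allow", direction="out", proto="tcp", src=MAIL_HOST, dport=(25, 25)),
    Rule("allow", direction="in", proto="tcp", dst=MAIL_HOST, dport=(1024, 65535)),
    # Everything else falls through to the default drop.
]

# Constructed sample packets (not captured traffic)
SAMPLE = {
    "smtp_in":    Packet("in", "tcp", "203.0.113.7", "192.0.2.25", 40000, 25),
    "http_in":    Packet("in", "tcp", "203.0.113.7", "192.0.2.80", 40001, 80),
    "ssh_router": Packet("in", "tcp", "203.0.113.7", "192.0.2.1", 40002, 22),
    "smtp_reply": Packet("out", "tcp", "192.0.2.25", "203.0.113.7", 25, 40000),
    "web_out":    Packet("out", "tcp", "192.0.2.10", "203.0.113.7", 50000, 443),
}


def evaluate_all(rules: List[Rule] = ONLY_EMAIL, samples: dict = SAMPLE) -> dict:
    """Run every sample packet through the rule set and report the verdicts."""
    return {name: filter_packet(rules, pkt) for name, pkt in samples.items()}
```

Default-deny plus first-match is what makes rule order matter: the rule that shields the router's own address comes first, so the "filter is accessible to outside world" problem is handled in the rule set rather than hoped away. A stateless filter has to open a whole high-port range for reply traffic, which is a real weakness of this design; a stateful filter tracks established connections instead and needs no such rule.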

Proxy servers take users' requests and forward them to real servers
Take the server's responses and forward them to users
Enforce site security policy ⇒ may refuse certain requests
Transparency is the major benefit of proxy services
Also known as application-level gateways

Can’t protect against malicious insiders
Can’t protect against connections that do not go through it,
◦ e.g. dial up
Can’t protect against completely new threats
Can’t protect against viruses

Security is a problem because the Internet is not owned by one entity
Encryption and digital signatures can provide confidentiality and secure identification
Organizations can use firewalls to prevent unauthorized access