Privacy Issues in Virtual Private Networks
Tim Strayer
BBN Technologies
What is a VPN?
• Private network running over shared network infrastructure (the Internet)
  – Allows interconnection of different corporate network sites
  – Allows remote users to access the corporate network
  – Allows controlled access between different corporate networks
Why VPNs?
[Diagram: a Headquarters intranet and two Remote Site intranets, joined either by a private "Intranet" network built from Frame Relay, ATM, or dial-up service, or across the public Internet]
VPN Rationale
• Private networks: costly, inflexible, multiple infrastructures
• Virtual private networks: inexpensive, configurable, single infrastructure
The First VPN
• 1975, BBN delivered the first Private Line Interface (PLI) to the Navy
• Created secure network communication over the ARPANET
• Used a proprietary encryption and manual keying system
VPN Technologies
• Tunneling: an overlay that facilitates sharing a common infrastructure (IPsec, PPTP, L2TP, MPLS)
• Security
  – Authentication: PKI, RADIUS, smartcard
  – Access control: directory servers, ACLs
  – Data security: confidentiality, integrity
• Provisioning: QoS, traffic engineering
Island Metaphor
[Diagram: two islands exchange a "Hello!". Sent bare, the greeting draws only a "???" from whoever picks it up; wrapped by an "SS Encapsulator" at one shore, carried through a tunnel and unwrapped by the encapsulator on the far shore, it arrives intact and gets the reply "Oh! Hi!"]
Tunneling
• Usually layers are inverted
  Outer Header (for transport network) | Inner Packet (for target network) | Trailer
  Normal stack:   Ethernet (layer 2) | IP (3) | TCP (4) | FTP (7)
  Tunneled stack: Ethernet (layer 2) | IP (3) | PPP (2) | IP (3)
Tunnels at Layer 2
• Point-to-Point Tunneling Protocol (PPTP)
  – Integrated into Microsoft DUN and RAS
  – Authentication/encryption provided by PPP
  Packet: IP (layer 3) | GREv2 | PPP (2) | IP/IPX (3)
• Layer 2 Tunneling Protocol (L2TP)
  – Combines PPTP with Cisco L2F
  – Layer 2 tunneling, UDP encapsulation
  Packet: IP (layer 3) | UDP (4) | PPP (2) | IP/IPX/IPsec (3)
IPsec Protocol Suite
• Data encryption and authentication: two protocols
  – Encapsulating Security Payload (ESP) provides data confidentiality and, when an authentication algorithm is selected, integrity and authentication of the sending party
  – Authentication Header (AH) provides integrity and party authentication only, with no confidentiality (unlike ESP, it also covers the immutable fields of the IP header)
• Cryptographic key management (IKE)
  – Works well with Public Key Infrastructure and X.509 certificates
• Transport and tunnel modes of operation
  – IPsec VPNs use tunnel mode and ESP
IPsec Tunneling
[Diagram: ESP in tunnel mode]
  New IP Header | Security Parameter Index | Sequence Number | Original IP Header | Original IP Payload | ESP Trailer | ESP Authentication
  Original IP Packet = Original IP Header + Original IP Payload
  Encrypted: Original IP Header through ESP Trailer
  Authenticated: Security Parameter Index through ESP Trailer
  (The New IP Header lies outside both spans: ESP neither encrypts nor authenticates the outer header.)
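The packet layout above, together with the "layers are inverted" point of the Tunneling slide, as an added worked example (this is not code from the talk): a tunnel-mode ESP encapsulator and decapsulator in standard-library Python. The IP-in-IP inner packet, the SPI, sequence number, IV, keys and gateway addresses are constructed sample values, and the cipher is a stand-in (HMAC-SHA256 run in counter mode) for a real ESP transform such as AES; everything else (field order, 4-byte padding, the trailer's pad-length and next-header bytes, the ICV covering SPI through trailer but not the outer header) follows the ESP format.

```python
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50     # IP protocol number carried in the new (outer) IP header
IPIP_PROTO = 4     # ESP "next header" value for an encapsulated IPv4 packet (tunnel mode)
IV_LEN = 8
ICV_LEN = 16       # 128-bit truncated HMAC-SHA256 integrity check value
WINDOW = 64        # anti-replay window size

def _checksum(data: bytes) -> int:
    """Internet one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the header checksum filled in."""
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack(">H", _checksum(hdr)) + hdr[12:]

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode): an ASSUMED stand-in for a real
    ESP cipher such as AES, used only so the example needs nothing beyond the stdlib."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def esp_encapsulate(inner_pkt, spi, seq, enc_key, auth_key, outer_src, outer_dst, iv):
    """Tunnel-mode ESP: New IP hdr | SPI | Seq | IV | ENC(inner pkt + padding + trailer) | ICV."""
    pad_len = (-(len(inner_pkt) + 2)) % 4            # payload + trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))           # RFC 4303 default padding pattern 1, 2, 3, ...
    plaintext = inner_pkt + padding + bytes([pad_len, IPIP_PROTO])   # ESP trailer: pad length, next header
    ciphertext = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    authed = struct.pack(">II", spi, seq) + iv + ciphertext   # ICV covers SPI..trailer, not the outer IP header
    icv = hmac.new(auth_key, authed, hashlib.sha256).digest()[:ICV_LEN]
    esp = authed + icv
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp

class AntiReplay:
    """Per-SA sliding window: rejects duplicate and too-old sequence numbers."""
    def __init__(self):
        self.highest, self.seen = 0, set()

    def check(self, seq: int):
        if seq == 0 or seq in self.seen or seq <= self.highest - WINDOW:
            raise ValueError("replayed or stale ESP sequence number %d" % seq)
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - WINDOW}

def esp_decapsulate(pkt, enc_key, auth_key, replay: AntiReplay):
    """Verify the ICV before trusting anything, then decrypt; returns (spi, seq, inner packet)."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != ESP_PROTO:
        raise ValueError("outer header does not carry ESP")
    esp = pkt[ihl:]
    authed, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, authed, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: tampered packet or wrong SA")
    spi, seq = struct.unpack(">II", authed[:8])
    replay.check(seq)
    iv, ciphertext = authed[8:8 + IV_LEN], authed[8 + IV_LEN:]
    plain = _xor(ciphertext, _keystream(enc_key, iv, len(ciphertext)))
    pad_len, next_hdr = plain[-2], plain[-1]
    if next_hdr != IPIP_PROTO or plain[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP trailer")
    return spi, seq, plain[:len(plain) - 2 - pad_len]

# Constructed sample: a UDP datagram between two intranet hosts, tunnelled between
# two security gateways. Addresses, SPI, keys and IV are assumed values.
ENC_KEY, AUTH_KEY = b"k" * 32, b"a" * 32
INNER = (ipv4_header("10.1.1.5", "10.2.2.7", 17, 8 + 6)
         + struct.pack(">HHHH", 40000, 53, 14, 0) + b"secret")

def demo():
    outer = esp_encapsulate(INNER, 0x1000, 1, ENC_KEY, AUTH_KEY,
                            "203.0.113.1", "198.51.100.9", b"\x01" * IV_LEN)
    _spi, _seq, inner = esp_decapsulate(outer, ENC_KEY, AUTH_KEY, AntiReplay())
    return outer, inner

def is_rejected(pkt, replay: AntiReplay) -> bool:
    """True if the receiving gateway would drop pkt (bad ICV, bad trailer or replay)."""
    try:
        esp_decapsulate(pkt, ENC_KEY, AUTH_KEY, replay)
        return False
    except ValueError:
        return True
```

Two things the code makes concrete that the diagram only implies: the receiver checks the ICV before it decrypts or parses anything, so a flipped ciphertext byte is dropped without ever touching the decryption path; and a change to the outer header (for example its TTL) passes through unnoticed by ESP, because the authenticated span starts at the SPI. The word "secret" never appears in the outer packet, which is the confidentiality property the talk contrasts with MPLS labels.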
MPLS "Tunneling"
• Multi-Protocol Label Switching
  – High speed switching technology
  – Tunnel any layer
  – Built into edge/core routers and switches
  – No authentication/encryption
[Diagram: Label | IP Header | IP Payload, where IP Header + IP Payload is the original packet, carried unchanged behind the label]
IPsec vs. MPLS
• Two dominant VPN technologies
• Let's compare them with respect to their approaches to privacy
What is meant by Private?
• No one can see your stuff
  – Emphasis is on security: confidentiality, integrity, authentication, authorization, access control
• Carve out a piece of a shared network for your own use
  – Emphasis is on availability: traffic engineering
Evolution of IPsec
• First defined as a security mode for IPv6
• "Ported" to IPv4
• Combines tunneling with security (orthogonal services)
• Complex key management
Evolution of MPLS
• ATM's VCI/VPI used for cut-through switching
  – Separates routing from forwarding
  – Supports resource allocation
• MPLS: IP cut-through switching using a label
  – Routers switch on a preestablished label
  – Routers don't care what's behind the label
  – Originally proposed to accelerate routing
A Protocol Looking for a Use
• Fast routing argument lost with new routing technology: switching technology applied to the IP header itself
• MPLS for traffic engineering
  – "Connection" oriented
  – Stateful: keeps track of resource allocation and usage
  – RSVP adapted for signaling
• Hot router selling feature
MPLS-VPN Security
• Label Switch Routers drop packets that do not belong to the VPN, based on the label
• BGP guards against injected routes using MD5 authentication (the TCP MD5 signature option authenticates the BGP session between two peers, not the routes a legitimate peer chooses to announce)
• Note: no data confidentiality; weak authentication; BGP is not sufficient to prevent fake routes
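The label-based separation on this slide and the label format of the MPLS "Tunneling" slide, as an added example (not code from the talk): a label-stack encoder/parser in standard-library Python with a model egress provider-edge router whose per-label VRF table is the only thing keeping one customer's packets out of another's, plus an on-path observer that reads the tunnelled IP packet with no key at all. The label values, VRF names and the inner UDP packet are constructed sample values; the two-label stack (transport label on top, VPN label at the bottom) is modelled on how MPLS-VPNs are deployed and is an assumption beyond what the slides show.

```python
import socket
import struct

LABEL_MAX = 1 << 20   # 20-bit label field

def encode_label(label: int, tc: int = 0, bottom: bool = True, ttl: int = 64) -> bytes:
    """One 32-bit label stack entry: label(20) | TC/EXP(3) | S(1) | TTL(8)."""
    if not (0 <= label < LABEL_MAX and 0 <= tc < 8 and 0 <= ttl < 256):
        raise ValueError("label stack field out of range")
    return struct.pack(">I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)

def decode_stack(frame: bytes):
    """Walk the stack to the bottom-of-stack entry; returns ([(label, tc, ttl), ...], payload)."""
    entries, off = [], 0
    while True:
        if len(frame) - off < 4:
            raise ValueError("truncated label stack")
        (word,) = struct.unpack(">I", frame[off:off + 4])
        off += 4
        entries.append((word >> 12, (word >> 9) & 0x7, word & 0xFF))
        if (word >> 8) & 1:              # S bit set: last label, the tunnelled packet follows
            return entries, frame[off:]

def push_labels(transport_label: int, vpn_label: int, ip_packet: bytes) -> bytes:
    """Ingress PE: VPN label at the bottom of the stack, transport label on top."""
    return encode_label(transport_label, bottom=False) + encode_label(vpn_label) + ip_packet

class EgressPE:
    """Egress provider-edge router. The bottom label selects the customer VRF; no
    other check separates customers, so the table is the whole security boundary."""
    def __init__(self, vpn_labels):
        self.vpn_labels = vpn_labels     # label -> VRF name (assumed allocation)

    def receive(self, frame: bytes):
        """Returns (vrf, ip_packet), or None when the router drops the packet."""
        try:
            entries, payload = decode_stack(frame)
        except ValueError:
            return None
        label, _tc, ttl = entries[-1]
        if ttl <= 1:
            return None                  # TTL expired
        vrf = self.vpn_labels.get(label)
        if vrf is None:
            return None                  # label belongs to no VPN on this router: drop
        return vrf, payload

def on_path_observer(frame: bytes):
    """What anyone who can see the core link learns without any key: the label
    gives isolation in the forwarding plane, not confidentiality."""
    _entries, ip = decode_stack(frame)
    ihl = (ip[0] & 0x0F) * 4
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), ip[9], ip[ihl:]

# Constructed sample: IPv4/UDP between two intranet hosts (header checksum left
# zero; nothing here validates it). Addresses and labels are assumed values.
INNER = (struct.pack(">BBHHHBBH4s4s", 0x45, 0, 34, 0, 0x4000, 64, 17, 0,
                     socket.inet_aton("10.1.1.5"), socket.inet_aton("10.2.2.7"))
         + struct.pack(">HHHH", 40000, 53, 14, 0) + b"secret")

PE = EgressPE({100: "CustomerA", 200: "CustomerB"})

def demo():
    frame = push_labels(17, 100, INNER)          # transport label 17, VPN label 100
    delivered = PE.receive(frame)                # lands in CustomerA's VRF
    dropped = PE.receive(push_labels(17, 300, INNER))   # label 300 is in no table: dropped
    return delivered, dropped, on_path_observer(frame)
```

Set the ESP example beside this one and the two "private" meanings of the talk line up: here a packet's membership in a VPN is decided entirely by a table the provider maintains, and the customer's addresses and payload are readable by every router and tap on the path.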
Why MPLS-VPN?
• Embed label switching in routers: sell more routers
• Replace Frame Relay and ATM with something that looks like these services: no profit in Frame Relay or ATM anymore
• Control provisioning at the edge of the ISP: sell value-added service
• ISP dependent: keeps customers within the provider's network
Why IPsec-VPN?
• No changes to core routers: security gateway/tunnel endpoint placed anywhere that is appropriate
• Separation through obfuscation (encryption)
  – Real data confidentiality
  – Real authentication
• Routing protocol agnostic: no (more than current) reliance on well-behaved protocols
• ISP agnostic
Guarding "Privates"
• What separates a VPN's traffic from all other traffic?
  – IPsec: data encryption
  – MPLS: different labels, forwarding tables
• Who is responsible for separation?
  – IPsec: ISPs, but not necessarily; the corporate IT group, and even individuals
  – MPLS: ISPs
Dichotomy of Assumptions
• IPsec assumes the goal is IP delivery: no trust of intermediate systems
• MPLS assumes the goal is engineered delivery: trust the entities in the middle
• The question this raises: is leaving security to someone else a good thing?
Which is the Right Way?
• Depends on what control you are willing to cede to service providers
  – What SLAs you demand
  – What you want to "black box"
• Depends on what you mean by "private"
  – No one is supposed to use your resources
  – No one is able to see your stuff
Trends in VPNs
• IPsec is being built into routers, gateways, and firewalls, and can run at very high speeds
• Layer 2 tunneled through MPLS (the "Martini" drafts)
• Combining MPLS and IPsec: IP tunneled through IPsec, tunneled through MPLS; best of both worlds
There's more to it
• Establishing a VPN is much more than just building a set of tunnels between sites: authentication, access control, data confidentiality, data integrity, remote access
Where does "Private" go?
• Virtual PRIVATE NETWORK (a private network, realized virtually): makes sense; what the designers had in mind
• VIRTUAL PRIVATE Network (a network whose privacy is only virtual): what happens if you're not careful
More about me
• This talk and other information at http://www.ir.bbn.com/~strayer