Virtual Private Network. ATHENA Main Function of VPN Privacy Authenticating Data Integrity ...

Page 1: Virtual Private Network. ATHENA Main Function of VPN  Privacy  Authenticating  Data Integrity  Antireplay.

Virtual Private Network

Page 2

ATHENA

Main Function of VPN

• Privacy

• Authentication

• Data Integrity

• Antireplay

Page 3

VPN tunnel concept for site to site intranet VPN

Page 4

Mechanism of site to site intranet VPN

PC1, with IP address 10.2.2.2, sends a packet to the web server with IP address 10.1.1.1.

The router in the branch office encrypts the packet, adds a VPN header, and adds another IP header carrying public IP addresses. After that it forwards the packet.

A man in the middle can copy the packet but cannot read or change its contents.

Page 5

Remaining steps of site to site intranet VPN

The device in the main office (an ASA) receives the packet, confirms the authenticity of the sender, confirms that the packet has not been changed, and then decrypts the original packet.

The web server receives the unencrypted packet.

Page 6

Types of VPN

• Intranet VPN.

• Extranet VPN.

• Access VPN.

Page 7

Types of VPN

Page 8

Tunnel Protocols

Layer 2 Forwarding (L2F) is an early Cisco proprietary protocol. It was first used for virtual private dial-up networks (VPDN). L2F was replaced by L2TP.

Point-to-Point Tunneling Protocol (PPTP) was created by Microsoft to allow the secure transfer of data from remote networks to the corporate network.

Page 9

Tunnel Protocols

Layer 2 Tunneling Protocol (L2TP) was created by Cisco and Microsoft to replace L2F and PPTP. L2TP merged the capabilities of both L2F and PPTP into one tunneling protocol.

Generic routing encapsulation (GRE) is another Cisco proprietary tunneling protocol. It forms virtual point-to-point links, allowing a variety of protocols to be encapsulated in IP tunnels.

Page 10

Which components are needed for building a VPN network?

Router: the main function of a router is packet forwarding, but it can also provide VPN functions. A router can have a special add-on card that performs encryption faster.

ASA: Cisco security appliance that can be configured for many security functions, including VPN.

PIX: older Cisco firewall that can perform VPN functions; a new installation today would use an ASA instead.

Page 11

Which components are needed for building a VPN network?

VPN concentrator: older Cisco product line built specifically to terminate VPN tunnels; a new installation today would use an ASA instead.

VPN client: for an access VPN, users need VPN client software.

Page 12

IPSEC VPNs

IPSEC is an architecture, or framework, of security services for IP networks.

Functions of IPSEC: authentication, encryption, and the rules governing each of those functions.

IPSEC allows many protocol options for each VPN feature.

The structure of IPSEC packets can be changed or extended over time to improve security.

Page 13

IPSec Encryption

IPSec encryption uses a pair of algorithms: one to hide (encrypt) the data, and another to re-create (decrypt) the original data from the encrypted data.

Besides the pair of algorithms, there is an encryption key that is used with both formulas.

Page 14

IPSec Encryption

The formulas that can be used are the following:

• DES (Data Encryption Standard): older and less secure than the others.

• 3DES: applies DES three times with different 56-bit keys, which makes it stronger than DES.

• AES (Advanced Encryption Standard): the strongest of the three, and needs less computation than 3DES.

Page 15

IPSec Encryption

Page 16

Mechanism of IPSec encryption

The sending VPN device feeds the original packet and the session key into the formula, which produces the encrypted data.

The sending device encapsulates the encrypted data in a new packet, which includes a new IP header and a VPN header.

Page 17

Mechanism of IPSec encryption

The sending device sends this new packet to the destination device.

The destination device receives the packet and then runs the corresponding decryption formula, using the encrypted data and the session key to recover the original packet.

Page 18

IPSec Key Exchange

Why must we use a key during encryption and authentication?

There are two kinds of key:

• Pre-shared key.

• Dynamic key.

Page 19

IPSec Key Exchange

Pre-shared key

• Configured manually on both devices.

• It is easy to configure, but the key stays constant during operation.

• Weaker security.

Page 20

IPSec Key Exchange

Dynamic Key Exchange

• Frequently changes the key used to encrypt data.

• Allows devices to generate and exchange keys securely.

• Prevents anyone who can see the messages from deriving the key value.

• Limits the amount of data lost if a key is compromised.

The algorithm is Diffie-Hellman. There are three options:

• DH-1: 768 bit

• DH-2: 1024 bit

• DH-3: 1536 bit
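The Diffie-Hellman exchange behind dynamic keying, as an added example that is not part of the ATHENA slides: each peer keeps a private exponent, sends only g^x mod p in the clear, and both arrive at the same session key. The modulus is a toy-sized safe prime generated at start-up so the script runs instantly; the DH-1/DH-2/DH-3 options on the slide use 768/1024/1536-bit primes instead. The key derivation step is a plain SHA-256 stand-in for IKE's PRF-based derivation.

```python
import hashlib, secrets
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin; deterministic for n < 3.3e24 with these fixed bases."""
    if n < 2 or any(n % b == 0 for b in BASES):
        return n in BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    """First p = 2q + 1 with q and p both prime, searching upward from 2^(bits-1)."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

P = safe_prime(64)   # toy size; the slides' DH-1/2/3 groups use 768/1024/1536-bit primes
Q = (P - 1) // 2     # prime order of the subgroup the peers work in
G = 4                # a square, so it generates that order-q subgroup (no small subgroups)

def dh_keypair():
    x = secrets.randbelow(Q - 2) + 2          # private exponent, never sent
    return x, pow(G, x, P)                    # public value, sent in the clear

def dh_shared(my_private, peer_public):
    """(g^y)^x == (g^x)^y mod p. Reject values outside the order-q subgroup."""
    if not 1 < peer_public < P - 1 or pow(peer_public, Q, P) != 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, my_private, P)

def session_key(shared_secret):
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()  # KDF stand-in

def run_exchange():
    # Branch router (a) and head-office ASA (b); an observer sees only a_pub and b_pub.
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    return session_key(dh_shared(a_priv, b_pub)), session_key(dh_shared(b_priv, a_pub)), (a_pub, b_pub)
```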

Page 21

Internet Key Exchange (IKE)

Internet Security Association and Key Management Protocol (ISAKMP) is a protocol framework that defines the payload format, the mechanics of implementing a key exchange protocol, and the negotiation of an SA.

IKE provides the following six benefits.

Page 22

Internet Key Exchange (IKE)

• It eliminates the need to manually specify all the IPSec security parameters in the crypto maps at both peers.

• It allows you to specify a lifetime for the IPSec security association (SA).

• It allows encryption keys to change during IPSec sessions.

• It allows IPSec to provide anti-replay services.

• It permits certification authority (CA) support for a manageable, scalable IPSec implementation.

• It allows dynamic authentication of peers.

Page 23

IPSec Authentication and Message Integrity

Authentication refers to the process by which the receiving device can confirm that a received packet was really sent by a trusted peer.

Authentication can use public and private keys. A packet can be encrypted with the sender's private key, and that packet can then be decrypted with the sender's public key.
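The private-key/public-key idea on this slide, as an added example that is not part of the ATHENA slides: a textbook RSA signature, where the sender transforms a hash of the packet with its private exponent and the receiver reverses it with the public exponent and compares. The two primes are constructed toy values (2^32 - 5 and 2^31 - 1), and the padding that real RSA signatures need (PSS) is left out, so this shows the mechanism, not a deployable scheme.

```python
import hashlib

def mod_inverse(e, m):
    """Extended Euclid: the d with e*d == 1 (mod m)."""
    a, b, x0, x1 = m, e, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
    return x0 % m

def make_keypair(p, q, e=65537):
    """Textbook RSA from two given primes: public (n, e), private (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, mod_inverse(e, phi))

def packet_digest(packet, n):
    """Hash the packet and reduce it below n (a full-domain-hash stand-in; no PSS padding)."""
    return int.from_bytes(hashlib.sha256(packet).digest(), "big") % n

def sign(private_key, packet):
    """Sender: transform the digest with the private exponent ('encrypt with private key')."""
    n, d = private_key
    return pow(packet_digest(packet, n), d, n)

def verify(public_key, packet, signature):
    """Receiver: undo it with the public exponent and compare ('decrypt with public key')."""
    n, e = public_key
    return pow(signature, e, n) == packet_digest(packet, n)

# Constructed toy primes (2^32 - 5 and 2^31 - 1); real keys use 2048-bit or larger moduli.
BRANCH_PUBLIC, BRANCH_PRIVATE = make_keypair(4294967291, 2147483647)

def demo():
    packet = b"from 10.2.2.2 to 10.1.1.1: GET /"
    sig = sign(BRANCH_PRIVATE, packet)
    return {
        "genuine_accepted": verify(BRANCH_PUBLIC, packet, sig),
        "modified_packet_rejected": verify(BRANCH_PUBLIC, packet + b"!", sig),
        "forged_signature_rejected": verify(BRANCH_PUBLIC, packet, (sig + 1) % BRANCH_PUBLIC[0]),
    }
```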

Page 24

IPSec Authentication and Message Integrity

Page 25

IPSec Authentication and Message Integrity

Message integrity means that the receiver can confirm the data it gets from the sender was not changed in transit.

Message integrity can be provided by the IPSec Authentication Header protocol using a shared key.

Page 26

IPSec Authentication and Message Integrity

The sender uses a hash function and the shared key to calculate a small number and puts it in the VPN header.

The receiver also uses the hash function and the shared key to recompute the number, and compares the two numbers.

Page 27

IPSec Authentication and Message Integrity

Functions that can be used for message integrity:

• HMAC-MD5 (hash-based message authentication code, message digest algorithm 5): 128-bit hash value

• HMAC-SHA (hash-based message authentication code, secure hash algorithm): SHA-1 160-bit, SHA-256 256-bit, SHA-512 512-bit
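The keyed-hash integrity check of pages 25 to 27, as an added example that is not part of the ATHENA slides: the sender computes an HMAC over the packet with the shared key and carries a truncated copy (the ICV) in the header, and the receiver recomputes it and compares in constant time. The key and packet bytes are constructed sample values; the truncation lengths follow the IPsec conventions (HMAC-MD5-96, HMAC-SHA1-96, HMAC-SHA256-128, HMAC-SHA512-256).

```python
import hashlib, hmac

# Functions the slide lists (name: hashlib algorithm) and the truncated ICV size
# that IPsec actually carries in the header for each of them.
ALGORITHMS = {"HMAC-MD5": "md5", "HMAC-SHA1": "sha1",
              "HMAC-SHA256": "sha256", "HMAC-SHA512": "sha512"}
ICV_BYTES = {"HMAC-MD5": 12, "HMAC-SHA1": 12, "HMAC-SHA256": 16, "HMAC-SHA512": 32}

def full_hash_bits(name):
    """Size of the untruncated hash value, as given on the slide."""
    return hashlib.new(ALGORITHMS[name]).digest_size * 8

def compute_icv(name, key, data):
    """The 'small number' computed from the shared key and the packet."""
    return hmac.new(key, data, ALGORITHMS[name]).digest()[: ICV_BYTES[name]]

def protect(name, key, payload):
    """Sender: VPN header carrying the ICV, followed by the payload it covers."""
    return compute_icv(name, key, payload) + payload

def verify(name, key, packet):
    """Receiver: recompute over the payload and compare in constant time.
    Returns the payload, or None when the packet must be dropped."""
    n = ICV_BYTES[name]
    received, payload = packet[:n], packet[n:]
    if not hmac.compare_digest(received, compute_icv(name, key, payload)):
        return None       # changed in transit, or the peer does not hold our key
    return payload

def demo(name="HMAC-SHA256"):
    key = b"constructed-shared-key-not-for-real-use"      # constructed sample key
    payload = b"10.2.2.2 -> 10.1.1.1 GET /index.html"      # constructed sample packet
    packet = protect(name, key, payload)
    tampered = packet[:-1] + bytes([packet[-1] ^ 0x01])   # one bit flipped in transit
    return {
        "genuine_accepted": verify(name, key, packet) == payload,
        "tampered_rejected": verify(name, key, tampered) is None,
        "wrong_key_rejected": verify(name, b"another-key", packet) is None,
    }
```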

Page 28

The ESP and AH security protocols

ESP and AH are the two security protocols of IPSec VPN.

ESP defines rules for performing the four main functions of a VPN: authentication, message integrity, encryption and antireplay.

AH performs only two of those functions: authentication and message integrity.

Page 29

IPSec Encapsulation

IPSec encapsulates the packet using ESP and AH.

IPSec encapsulates data by one of two methods:

• Transport Mode.

• Tunnel Mode.

Page 30

Transport Mode

Transport mode encapsulation uses the original IP header and inserts the header for ESP and/or AH.

In transport mode, the original IP header must contain a routable IP address.

Page 31

Transport Mode

Packet format using ESP in transport mode

Page 32

Transport Mode

Packet format using AH in transport mode

Page 33

Transport Mode

Packet format using ESP and AH in transport mode

Page 34

Tunnel Mode

In tunnel mode encapsulation, the original IP header is not used to transport the packet.

A new IP header is created using the IP addresses of the IPSec peers as the source and destination of the packet.

Addresses of the originating devices can be private, so they’re less vulnerable to unwanted access.

Tunnel mode uses ESP and/or AH.

Page 35

Tunnel Mode

Packet format using ESP in tunnel mode

Page 36

Tunnel Mode

Packet format using AH in tunnel mode

Page 37

Tunnel Mode

Packet format using ESP and AH in tunnel mode
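ESP framing in transport and tunnel mode, with the receiver's antireplay window, as an added example that is not part of the ATHENA slides; it ties together the site-to-site scenario of pages 4 and 5 (PC1 10.2.2.2 to web server 10.1.1.1), the encrypt-then-encapsulate steps of pages 16 and 17, and the ESP packet formats of pages 28 to 37. Stdlib only: the payload "encryption" is a SHA-256 counter keystream standing in for AES, the IPv4 checksum is left zero, and the gateway addresses, SPI and keys are constructed values.

```python
import hashlib, hmac, socket, struct

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; not the point here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def keystream_xor(key, spi, seq, data):
    """Stand-in for AES: XOR with a SHA-256 counter keystream bound to (spi, seq)."""
    ks = b"".join(hashlib.sha256(key + struct.pack("!IIQ", spi, seq, i)).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def esp_encapsulate(enc_key, auth_key, spi, seq, inner, mode, peers=None):
    """Transport: original IP header stays outside ESP. Tunnel: whole original
    packet goes inside, behind a new header that names the IPsec peers."""
    if mode == "tunnel":
        src, dst = peers                               # the two gateways' public addresses
        protected, next_hdr = inner, 4                 # next header 4 = IPv4 inside
    else:
        src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
        protected, next_hdr = inner[20:], inner[9]     # inner[9] = original protocol
    pad_len = -(len(protected) + 2) % 4                # ESP trailer ends on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    esp = struct.pack("!II", spi, seq) + keystream_xor(enc_key, spi, seq, protected + trailer)
    esp += hmac.new(auth_key, esp, hashlib.sha256).digest()[:16]   # ICV (HMAC-SHA256-128)
    return ipv4_header(src, dst, 50, len(esp)) + esp  # IP protocol 50 = ESP

def outer_view(packet):
    """All a man in the middle can read: outer addresses, SPI and sequence number."""
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    return (src, dst) + struct.unpack("!II", packet[20:28])

class AntiReplay:
    """Receiver's sliding window: a sequence number is accepted once; older ones are dropped."""
    def __init__(self, size=64):
        self.size, self.top, self.seen = size, 0, set()
    def accept(self, seq):
        if seq > self.top:                             # window slides forward
            self.seen, self.top = {s for s in self.seen if s > seq - self.size} | {seq}, seq
            return True
        if seq <= self.top - self.size or seq in self.seen:
            return False                               # too old, or already seen
        self.seen.add(seq)
        return True

def demo():
    # Page 4 scenario: PC1 10.2.2.2 sends to the web server 10.1.1.1 through the gateways.
    inner = ipv4_header("10.2.2.2", "10.1.1.1", 6, 12) + b"GET / HTTP/1"   # 12-byte payload
    ek, ak, spi = b"constructed-enc-key", b"constructed-auth-key", 0x1000
    tunnel = esp_encapsulate(ek, ak, spi, 1, inner, "tunnel", ("198.51.100.1", "203.0.113.1"))
    transport = esp_encapsulate(ek, ak, spi, 1, inner, "transport")
    return outer_view(tunnel), outer_view(transport), tunnel, transport
```

In tunnel mode the outer header shows only the two gateways, so the private addresses 10.2.2.2 and 10.1.1.1 are hidden inside the encrypted part; in transport mode they stay visible in the outer header.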