Vpn 3
Transcript of Vpn 3
![Page 1: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/1.jpg)
Virtual Private Networks
Fred Baker
![Page 2: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/2.jpg)
What is a VPN
Public networks are used to move information between trusted network segments using shared facilities like Frame Relay or ATM.
A VIRTUAL Private Network replaces all of the above utilizing the public Internet. Performance and availability depend on your ISP and the Internet.
![Page 3: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/3.jpg)
Why?
![Page 4: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/4.jpg)
HomeNet to the office.
![Page 5: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/5.jpg)
VPN Types
![Page 6: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/6.jpg)
VPN Implementations
![Page 7: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/7.jpg)
VPN as your Intranet
![Page 8: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/8.jpg)
What a VPN needs
• VPNs must be encrypted – so no one can read it
• VPNs must be authenticated
• No one outside the VPN can alter the VPN
• All parties to the VPN must agree on the security properties
![Page 9: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/9.jpg)
VPN Components
![Page 10: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/10.jpg)
Parts of a VPN
![Page 11: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/11.jpg)
VPN works via crypto/Encapsulation
![Page 12: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/12.jpg)
Encryption and Decryption (diagram): Clear-Text "Bob Is a Fink" → Encryption → Cipher Text "8vyaleh31&d ktu.dtrw8743 $Fie*nP093h" → Decryption → Clear-Text "Bob Is a Fink"
![Page 13: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/13.jpg)
Basic Crypto – Keys are key
![Page 14: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/14.jpg)
2 Kinds of Key Systems
![Page 15: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/15.jpg)
Symmetric Key Algorithms
• DES—56-bit key
• Triple-DES—encrypt, decrypt, encrypt, using either two or three 56-bit keys
• IDEA—128-bit key
• Blowfish—variable-length key, up to 448 bits
![Page 16: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/16.jpg)
Public Key Encryption Example
Diagram: Alice → Message → Encryption (Bob’s Public Key) → Encrypted Message → Decrypt (Bob’s Private Key) → Message → Bob
• Alice wants to send Bob encrypted data
– Alice gets Bob’s public key
– Alice encrypts the data with Bob’s public key
– Alice sends the encrypted data to Bob
• Bob decrypts the data with his private key
![Page 17: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/17.jpg)
PKI vs Symmetric Key
• PKI easier as you don’t have to manage keys on a per user basis
• But MUCH more compute intensive (symmetric ciphers are up to 1000 times faster)
• Many systems do a combination, e.g. PGP
– Use PKI to send a symmetric key
– Then use the symmetric key to encrypt the data
![Page 18: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/18.jpg)
Using Crypto in real life
![Page 19: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/19.jpg)
PKI to send Private Keys
![Page 20: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/20.jpg)
PKI Certs a way to authenticate
![Page 21: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/21.jpg)
Prove the user cert: Certificate Authorities
![Page 22: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/22.jpg)
Digital Signature to verify data not changed in transit
![Page 23: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/23.jpg)
PKI the full picture
![Page 24: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/24.jpg)
Where you do Crypto
![Page 25: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/25.jpg)
Technologies
![Page 26: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/26.jpg)
Application Layer: SSL
![Page 27: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/27.jpg)
Transport Layer: IPSEC
• A standard
• Is composed of:
– Diffie-Hellman key exchange
– PKI for the DH exchanges
– DES and other bulk encryption
– Hash to authenticate packets
– Digital Certificates to validate keys
![Page 28: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/28.jpg)
Transport Layer: IPSEC VPNs: 3 parts
![Page 29: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/29.jpg)
Tunnel vs Transport
• Transport
– Implemented by the end point systems
– Real address to real address
– Cannot ‘go through’ other networks
• Tunnel
– Encapsulation of the original IP packet in another packet
– Can ‘go through’ other networks
– End systems need not support this
– Often PC to a box on the ‘inside’
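The encapsulation the tunnel bullets describe, as an added illustration that is not part of the deck: the original real-address-to-real-address packet is carried whole inside a new outer packet addressed between the two gateways. Plain IP-in-IP (protocol 4) is used so the wrapping itself is visible; IPsec would wrap the inner packet in ESP instead, and every address below is a constructed sample value.

```python
"""Tunnel vs transport mode. Added illustration, not from the deck: in
tunnel mode the original IP packet is carried whole inside a new outer IP
packet addressed gateway to gateway, so the inner 'real' addresses never
appear on the public network. Plain IP-in-IP (protocol 4) is used to show
the encapsulation itself; IPsec would wrap the inner packet in ESP instead.
All addresses are constructed sample values."""
import ipaddress
import struct

IPPROTO_IPIP = 4
IPV4_FMT = "!BBHHHBBH4s4s"  # ver/IHL, TOS, len, id, flags/frag, TTL, proto, csum, src, dst


def checksum(data: bytes) -> int:
    """One's-complement IPv4 header checksum; returns 0 for a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def transport_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Transport mode: the end systems' own header carries the payload."""
    return ipv4_header(src, dst, proto, len(payload)) + payload


def tunnel_encapsulate(inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: a new outer header between gateways; inner packet unchanged."""
    return ipv4_header(gw_src, gw_dst, IPPROTO_IPIP, len(inner)) + inner


def parse_header(pkt: bytes) -> dict:
    """Split a packet into its outer header fields and payload."""
    ihl = (pkt[0] & 0x0F) * 4
    fields = struct.unpack(IPV4_FMT, pkt[:20])
    return {"src": str(ipaddress.ip_address(fields[8])),
            "dst": str(ipaddress.ip_address(fields[9])),
            "proto": fields[6], "payload": pkt[ihl:],
            "checksum_ok": checksum(pkt[:ihl]) == 0}
```

Parsing the outer header of a tunnelled packet shows only the gateway addresses; parsing its payload recovers the original end-system packet unchanged.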
![Page 30: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/30.jpg)
Diffie-Hellman Key Exchange (1976)
• By openly exchanging non-secret numbers, two people can compute a unique shared secret number known only to them
![Page 31: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/31.jpg)
Modular Exponentiation
• Generator, $g$
• Modulus (prime), $p$
• $Y = g^{X} \bmod p$
Example: $2^{237276162930753723} \bmod 79927397984597926572651$
Both $g$ and $p$ are shared and well-known
![Page 32: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/32.jpg)
Diffie-Hellman Public Key Exchange
Alice: private value $X_A$, public value $Y_A = g^{X_A} \bmod p$
Bob: private value $X_B$, public value $Y_B = g^{X_B} \bmod p$
Alice sends $Y_A$ to Bob; Bob sends $Y_B$ to Alice.
Shared secret: $Y_B^{X_A} \bmod p = g^{X_A X_B} \bmod p = Y_A^{X_B} \bmod p$
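The modular exponentiation and the two-sided exchange from the last two slides, as an added example that is not code from the deck: G, P and SLIDE_X are the values printed on the Modular Exponentiation slide (whether that P is really prime is not checked), and Bob's private value is generated at random.

```python
"""Diffie-Hellman key agreement as on the slides. Added example, not from the
original deck. G, P and SLIDE_X are the values printed on the Modular
Exponentiation slide; whether that P is actually prime is not verified here."""
import secrets

G = 2
P = 79927397984597926572651
SLIDE_X = 237276162930753723


def modexp(base: int, exp: int, mod: int) -> int:
    """Square-and-multiply: base^exp mod mod without huge intermediates."""
    result = 1
    base %= mod
    while exp:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result


def public_value(x: int, g: int = G, p: int = P) -> int:
    """Y = g^X mod p, the only number a party sends in the clear."""
    return modexp(g, x, p)


def shared_secret(peer_y: int, x: int, p: int = P) -> int:
    """Y_peer^X mod p = g^(X_A X_B) mod p; identical on both sides."""
    return modexp(peer_y, x, p)


def dh_exchange(x_a: int, x_b: int, g: int = G, p: int = P) -> tuple[int, int, int]:
    """Run both sides: return (Y_A, Y_B, shared secret) after checking they agree."""
    y_a = public_value(x_a, g, p)  # Alice -> Bob, over the open network
    y_b = public_value(x_b, g, p)  # Bob -> Alice, over the open network
    s_a = shared_secret(y_b, x_a, p)
    s_b = shared_secret(y_a, x_b, p)
    assert s_a == s_b, "both sides must derive the same secret"
    return y_a, y_b, s_a


if __name__ == "__main__":
    x_b = secrets.randbelow(P - 2) + 1  # constructed private value for Bob
    y_a, y_b, s = dh_exchange(SLIDE_X, x_b)
    print(f"Y_A = {y_a}\nY_B = {y_b}\nshared = {s}")
```

The exchange only agrees on a secret; as the IPSEC slide notes, the public values still need PKI (certificates) behind them so each side knows whose $Y$ it received.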
![Page 33: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/33.jpg)
Security Association is the agreement on how to secure
![Page 34: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/34.jpg)
Create the ISAKMP SA (Internet Security Association and Key Management Protocol)
![Page 35: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/35.jpg)
IPSEC Key Exchange (IKE)
![Page 36: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/36.jpg)
IKE allows scale as I do not need to hard code passwords for each pair
![Page 37: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/37.jpg)
Link Layer: L2TP for VPDN (Virtual Private Dial Network)
![Page 38: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/38.jpg)
PPTP: Free from Microsoft
![Page 39: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/39.jpg)
PPTP: Security
![Page 40: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/40.jpg)
VPN Comparisons
![Page 41: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/41.jpg)
So why have a private network: QOS not fully cooked
• Very dependent on your ISP
• Really hard to do across ISPs
• So no guarantee of performance
![Page 42: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/42.jpg)
Other Issues
![Page 43: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/43.jpg)
Like NAT
![Page 44: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/44.jpg)
Wireless: a new big driver, WAS (Work At Starbucks)
![Page 45: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/45.jpg)
Many security protocols, depends on deployer
![Page 46: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/46.jpg)
VPN means I don’t care how you connect
![Page 47: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/47.jpg)
Example (diagram): Allstate Agent T-1 sites and Allstate Agent DSL sites reach the Allstate Data Centers over the WorldCom IP Network and an ILEC DSL Network, through WorldCom Digital Access Networks, with WorldCom-managed links and CPE at each hub site, using a Primary Tunnel and a Secondary Tunnel.
![Page 48: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/48.jpg)
So what could be wrong?
• VPN clients hit the network stack
• May not play well with personal firewalls
• Or other software
• May not need full access to the target network, just encrypted access
![Page 49: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/49.jpg)
One answer: clientless VPN
• Use SSL as the transport protocol to an appliance
• Can add NT authentication to the appliance
• Clientless mode: Use web enabled applications over the Internet, the appliance SSLifies web sites
• Java Applet: Use a downloadable applet to send traffic over SSL, get more support for applications.
• Can work well if you want to have encrypted web based apps without redoing the application
– to use SSL you need certs and have to change EVERY link to HTTPS
– Also big hit on the server CPU
![Page 50: Vpn 3](https://reader035.fdocuments.in/reader035/viewer/2022081400/54903db4b4795982638b4f94/html5/thumbnails/50.jpg)
Summary: VPNs
• Very big in the work access space
– Exploit high speed
• Wireless – in the office
– public ‘hot spots’ like Borders
• Replaces direct dial into the work network
• Replaces dedicated Business partner links
• May replace the corporate WAN