VPN - Virtual Private Networks
Mathias Schäfer, WS 2003/2004
41 slides

Transcript of VPN - Virtual Private Networks (THMhg10013/Lehre/MMS/WS0304...)

Page 1: VPN - Virtual Private Networks

Mathias Schäfer

WS 2003/2004

Page 2: Overview

Why VPNs

VPN-use-cases

VPN-technology vs. conventional solutions

Requirements

Tunneling

Security

Performance

Conclusion

Page 3: Why VPNs

In business solutions, VPN technology is gaining in importance

Enterprises are increasingly acting on a global scale

There is a need for cost-effective solutions to integrate satellite workplaces, such as branch offices, suppliers and field services, into an enterprise network

Page 4: VPN use cases

Enterprises are usually composed of

Head office

Branch offices

Outdoor staff

Additionally there are suppliers, which are not really part of the company

Page 5: VPN use cases

To reflect the business processes in the company's network structure, all components of the whole enterprise need to be integrated

VPN types are classified according to these use cases

Remote-Access-VPN - field services

Branch-Office-VPN - branch offices

Extranet-VPN - suppliers

Page 6: VPN technology vs. conventional solutions

Conventional solutions mostly use wired or dial-in connections between the two endpoints

These connections get very expensive for long-distance or international links

On the central office side, many connection interfaces are needed to serve all connection requests

Page 7: VPN technology vs. conventional solutions

VPN technology, concretely Internet-VPN or IP-VPN technology, uses the existing Internet to split up long-distance connections

Instead of establishing connections between the endpoints, each endpoint only needs to be connected to the nearest Internet node

Distance and fees decrease

Page 8: VPN technology vs. conventional solutions

Remote access

For remote access by outdoor staff, many connections are needed

Usually PPP dial-in connections are used to establish links between outdoor staff and the head office

A Remote Access Concentrator (RAC) terminates the connections on the head office side

Normally the RAC is connected to the provider's telephone network via PMX (primary rate ISDN access)

Page 9: VPN technology vs. conventional solutions

Remote access

Page 10: VPN technology vs. conventional solutions

Remote-Access-VPN

With Internet-VPN technology, the outdoor staff connect to the Internet via whatever link technology the local ISP provides

The head office is connected to the Internet via one broadband link, with a VPN concentrator in place of the RAC

The data link connection is implemented as a tunnel through the Internet and is terminated inside the VPN concentrator

Page 11: VPN technology vs. conventional solutions

Remote-Access-VPN

Page 12: VPN technology vs. conventional solutions

Branch office

Conventional connection types for the link between branch office networks and the head office network are normally based on wired technology, ATM or Frame Relay

Router equipment on both sides of this connection terminates the link

As with remote access, the costs of this solution depend on the distance and get very high for international connections

Page 13: VPN technology vs. conventional solutions

Branch office

Page 14: VPN technology vs. conventional solutions

Branch-Office-VPN

In a Branch-Office-VPN the router equipment is replaced by VPN gateways, which terminate the virtual tunnel connection between the endpoints

Both endpoints are physically connected only to the Internet, not to each other

Page 15: VPN technology vs. conventional solutions

Branch-Office-VPN

Page 16: VPN technology vs. conventional solutions

Extranet-VPN

To allow faster reaction, it is advisable to integrate suppliers into the company's network

They should have limited access, because they are not really part of the company

Usually firewalls limit the access to the intranet; apart from that, the structure is similar to a Branch-Office-VPN

Page 17: VPN technology vs. conventional solutions

Extranet-VPN

Page 18: Requirements

Security

Confidentiality of information: transmitted information has to be protected against unauthorized access

Integrity of information: transmitted information must not be altered during transmission

Authentication: the authenticity of the communication partners has to be proven and guaranteed for the duration of the connection

Page 19: Requirements

Availability

There has to be a guaranteed availability of the service

Maximum downtime or minimum uptime percentages are agreed by contract with the service provider in SLAs

Page 20: Requirements

Performance

Minimum bandwidth and maximum latency are the main performance aspects of a connection

For Internet-VPNs it is normally not possible for a service provider to guarantee these parameters

SLAs mostly declare contractual penalties

Page 21: Tunneling

Principle

Tunneling is implemented by encapsulating data packets during transmission

Page 22: Tunneling

Tunneling models

Three tunneling models are distinguished

End-to-End model: no service provider is involved in the tunneling process, except for providing the Internet connection

Intra-Provider model: the company is not involved in the tunneling process

Provider-Enterprise model: mixed configuration, one side is provided by the service provider, the other side belongs to the company

Page 23: Tunneling

End-to-End model

Page 24: Tunneling

Intra-Provider model

Page 25: Tunneling

Provider-Enterprise model

Page 26: Tunneling

IP Security Protocol – IPSec

IPSec was developed for security reasons, so there are many security options to choose from

As an option there is an IPSec tunnel mode, which can tunnel IP packets exclusively

The connection partners use unidirectional SAs (security associations), which represent the configuration of an established IPSec link

Page 27: Tunneling

IP Security Protocol – IPSec

IPSec uses symmetric encryption; the key exchange is done with the Internet Key Exchange protocol (IKE)

For authentication IPSec supports

Pre-shared secret procedures

Public key methods

Certificate-based procedures

IPSec hides the structure of the internal network by encrypting the internal IP header

Page 28: Tunneling

IP Security Protocol – IPSec

IPSec's primary tunneling model is the end-to-end model, so the client needs an IPSec implementation

Software implementations are available for nearly all operating systems

Page 29: Tunneling

IP Security Protocol – IPSec

Page 30: Tunneling

Layer 2 Tunneling Protocol – L2TP

L2TP encapsulates PPP frames, which allows tunneling of all layer 3 packet types supported by PPP

L2TP is designed as a tunneling protocol, not for security reasons; it supports only weak CHAP-like authentication and encryption of the control channel

As a consequence, security has to be implemented at other levels

Page 31: Tunneling

Layer 2 Tunneling Protocol – L2TP

The Provider-Enterprise model for remote access is the primary model used in L2TP implementations

Instead of the normal RAC, an L2TP Access Concentrator (LAC) is used

Page 32: Tunneling

Layer 2 Tunneling Protocol – L2TP

Decisions on how to handle incoming calls are made by the called number or by a prefix or suffix of the user ID

If indicated, the LAC establishes a tunnel to the enterprise-side L2TP Network Server (LNS)

This enables compulsory tunneling

Page 33: Tunneling

Layer 2 Tunneling Protocol – L2TP

Page 34: Tunneling

Layer 2 Tunneling Protocol – L2TP

If used in the end-to-end model, the functionality of the LAC is implemented in client-side software

This implies voluntary tunneling

Page 35: Tunneling

IPSec-secured L2TP – L2TP/IPSec

Combining L2TP and IPSec gives the security options supplied by IPSec together with the packet type flexibility of L2TP

This causes a lot of overhead, which pushes the decision towards changing over to IP-based applications so that IPSec can be used without L2TP

Page 36: Tunneling

IPSec-secured L2TP – L2TP/IPSec

Page 37: Tunneling

IPSec-secured L2TP – L2TP/IPSec

Other combinations are also possible and sensible

Tunneling IPSec in the end-to-end model inside L2TP in the Provider-Enterprise model, for example, enables compulsory tunneling with IPSec security

Page 38: Security

If security options are needed, IPSec is the protocol to choose

The cryptographic algorithms used are considered secure nowadays

IPSec's security functionality offers

Encryption

Authentication

Packet integrity

Hiding of internal network structures

Protection from replay and denial-of-service attacks

If additionally other packet types than IP are used, IPSec/L2TP is the only mechanism that fulfils both needs
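The mechanisms named on this slide and on the tunneling slides (encapsulation, a unidirectional SA, the hidden inner IP header, packet integrity and replay protection) as an added Python model that is not part of the original slides. The SA layout, the 12-byte IP header, the 64-packet replay window and the HMAC-based toy cipher are simplifications of the author's choosing, not IPSec's real ESP and IKE formats.

```python
# Added example (not from the slides): toy IPsec tunnel mode with a unidirectional
# SA: an observer sees only the gateway addresses; ICV and sequence numbers give
# integrity and replay protection. Cipher = HMAC-SHA256 keystream stand-in, not ESP.
import hmac, hashlib, struct, ipaddress
from dataclasses import dataclass, field

@dataclass
class SA:                          # one SA protects one direction only
    spi: int
    enc_key: bytes
    auth_key: bytes
    seq: int = 0                   # sender: last sequence number used
    seen: set = field(default_factory=set)   # receiver: accepted sequence numbers

def _keystream(key, spi, seq, n):  # toy cipher keyed per (SPI, seq, block)
    return b"".join(hmac.new(key, struct.pack(">IIQ", spi, seq, i), hashlib.sha256)
                    .digest() for i in range((n + 31) // 32))[:n]

def ip_header(src, dst, payload_len):  # simplified 12-byte header: src, dst, length
    return (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
            + struct.pack(">I", payload_len))

def addresses(pkt):
    return str(ipaddress.ip_address(pkt[:4])), str(ipaddress.ip_address(pkt[4:8]))

def encapsulate(sa, gw_src, gw_dst, inner):
    sa.seq += 1                    # fresh sequence number per packet
    ks = _keystream(sa.enc_key, sa.spi, sa.seq, len(inner))
    body = struct.pack(">II", sa.spi, sa.seq) + bytes(a ^ b for a, b in zip(inner, ks))
    icv = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:12]
    return ip_header(gw_src, gw_dst, len(body) + 12) + body + icv   # outer header

def decapsulate(sa, outer):
    body, icv = outer[12:-12], outer[-12:]
    expect = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(expect, icv):
        raise ValueError("integrity check failed")   # tampered or wrong key
    spi, seq = struct.unpack(">II", body[:8])        # SPI selects the SA at the receiver
    if seq <= max(sa.seen, default=0) - 64 or seq in sa.seen:   # 64-packet replay window
        raise ValueError("replayed packet")
    sa.seen.add(seq)
    ks = _keystream(sa.enc_key, spi, seq, len(body) - 8)
    return bytes(a ^ b for a, b in zip(body[8:], ks))

def demo():
    # Constructed sample: 10.1.0.5 -> 10.2.0.9, tunnelled 198.51.100.1 -> 203.0.113.7
    keys = dict(spi=0x1001, enc_key=b"k" * 32, auth_key=b"a" * 32)
    tx, rx = SA(**keys), SA(**keys)
    inner = ip_header("10.1.0.5", "10.2.0.9", 5) + b"hello"
    outer = encapsulate(tx, "198.51.100.1", "203.0.113.7", inner)
    result = {"visible": addresses(outer), "hidden": inner[:8] not in outer,
              "roundtrip": decapsulate(rx, outer) == inner}
    tampered = outer[:20] + bytes([outer[20] ^ 1]) + outer[21:]   # flip a ciphertext bit
    for name, pkt in (("replay", outer), ("tamper", tampered)):
        try:
            decapsulate(rx, pkt)
            result[name] = "accepted"
        except ValueError as err:
            result[name] = str(err)
    return result
```

Running demo() shows the outer packet carrying only the two gateway addresses while the private addresses of the inner header are not visible, and the receiver rejecting both a replayed copy and a tampered copy of the same packet.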

Page 39: Performance

In addition to the provider- and connection-dependent performance aspects, the hardware used is also relevant to the performance of VPNs

With IPSec, the cryptographic algorithms need a lot of computing power

Dedicated VPN equipment often uses specialized cryptographic processing units, which offer much better performance than general-purpose CPUs

Page 40: Performance

With L2TP there are many PPP sessions, which primarily have to be terminated at the L2TP Network Servers

There are components that are built to be scalable, so that they can meet increased demand

If L2TP/IPSec is used, increased attention has to be paid to performance aspects

Page 41: Conclusion

Internet-VPN technology offers cost-effective solutions if planned in detail

If all components are well chosen, IPSec offers high-security solutions, also for major projects

The most important milestone on the way to implementing VPNs is a detailed analysis of needs