Wireless VPN

HemaKumar Rangineni
Zafer Banaganapalle

Contents

• Introduction
• VPN Types
• Elements of VPN
• Advantages
• Tunneling Protocols
• Architecture
• Wireless VPN
• IPSec VPN
• SSL VPN
• Comparison
• Conclusions
• References
• Questions
• Thank you

Introduction

• A virtual private network is a private network running over a shared public infrastructure like the Internet.
• Used to
  – interconnect various geographically separated sites,
  – connect remote users back to a home network,
  – allow controlled access between different corporate networks.
• Constructed from protocols and technologies that run over a shared network.

Introduction (continued)

• A virtual private network is a private network running over a shared public infrastructure like the Internet.

[Figure: VPN over a shared public infrastructure. Image source: 3Com]

Introduction (continued)

• Technologies include
  – A tunneling protocol like
    • IPsec,
    • Point-to-Point Tunneling Protocol (PPTP),
    • Layer 2 Tunneling Protocol (L2TP), or
    • Multi-Protocol Label Switching (MPLS)
  – An authentication mechanism,
    • provided by PKI, RADIUS, or smartcards
  – An access control mechanism,
    • provided by directory servers and ACLs
  – Data security technologies like
    • encryption
  – Data provisioning techniques like
    • quality of service (QoS) and
    • traffic engineering

VPN Types

• Remote-access
  – a single remote network device to an intranet
• Site-to-site
  – connects multiple fixed sites over a public network
  – Intranet-based
  – Extranet-based

Elements of VPN

• VPN Client
• VPN Server
• VPN Connection
• Tunnel
• Transit Public Network

Advantages

• Using special tunneling protocols and complex encryption procedures,
  – data integrity and privacy are achieved
  – the link seems like a dedicated point-to-point connection.
• And, because these operations occur over a public network,
  – VPNs can cost significantly less to implement than privately owned or leased services.

Tunneling Protocols

• Provide a way to overlay a virtual network over a physical one
  – by building tunnels, or special connections,
  – between various points in the physical network
• Three types of VPN protocols are used for tunnelling
  – PPTP (Point-to-Point Tunnelling Protocol)
  – L2TP (Layer 2 Tunnelling Protocol)
  – IPSec (Internet Protocol Security)

PPTP

• PPTP tunnelling uses two packet types
  – Control packets
    • Strictly for status enquiry and signalling information
    • Use TCP (connection-oriented)
  – Data packets
    • Use PPP with GREv2
    • GRE gives PPTP the flexibility of handling protocols other than IP, such as NetBEUI and IPX.

PPTP data packet layout:

Media Header | IP Header | GRE Header | PPP Header | PPP Payload

L2TP

• Like PPTP, L2TP is strictly a tunnelling protocol
• L2TP is a standards-based combination of two proprietary Layer 2 tunnel protocols
  – Cisco's Layer 2 Forwarding (L2F)
  – PPTP
• L2TP combines the control and data channels.
  – L2TP runs over UDP
  – Faster and leaner
  – L2TP is more "firewall friendly" than PPTP since you do not have to support GRE.

L2TP packet layout:

IP Header | UDP Header | L2TP Header | PPP Header | IP Header | User Data

IPSec

Where the protocols sit in the stack:

Layer           | Function                                 | VPN protocol
Transport layer | Transport protocols (TCP, UDP)           |
Network layer   | Routing through the network (IP)         | IPSec
Link layer      | Link protocols, physical infrastructure  | L2TP / PPTP
Physical layer  |                                          |

• Open, standards-based, network layer security protocol.
• Aimed at protecting IP datagrams.
• Robust mechanisms for authentication and encryption.
• Can protect the whole datagram (Tunnel mode) or just the upper-layer protocol (Transport mode).
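The three encapsulations on the preceding slides are distinguishable on the wire by the outer IP protocol number and port, which is what a firewall or packet-capture tool keys on: PPTP data is PPP inside an enhanced GRE header (IP protocol 47, version field 1, protocol type 0x880B, per RFC 2637), PPTP control is TCP/1723, L2TP control and data both use UDP/1701, IKE uses UDP/500, and IPSec itself is IP protocol 50 (ESP) or 51 (AH). The following classifier is an added example, not code from the slides or from any vendor; the packets it parses are constructed inline with only the fields the classifier needs, and `needs_gre` shows the "firewall friendly" point from the L2TP slide: only PPTP data requires the firewall to pass GRE.

```python
import struct
from ipaddress import IPv4Address

# IP protocol numbers and well-known ports that identify the encapsulations
# on the slides (IANA-assigned values).
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH = 6, 17, 47, 50, 51
PPTP_CONTROL_PORT = 1723   # PPTP control channel runs over TCP (RFC 2637)
L2TP_PORT = 1701           # L2TP control and data run over UDP (RFC 2661)
IKE_PORT = 500             # IKE negotiation runs over UDP
GRE_PROTO_PPP = 0x880B     # GRE protocol type carried in PPTP data packets


def ipv4_header(proto, payload_len, src="192.0.2.10", dst="198.51.100.1"):
    """Minimal 20-byte IPv4 header (constructed sample; checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def tcp_header(sport, dport):
    # 20-byte TCP header with only the ports and the SYN flag populated.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 0, 0, 0)


def pptp_gre_header(payload_len, call_id=1, seq=1):
    # Enhanced GRE header of a PPTP data packet (RFC 2637): K and S bits set,
    # version field 1, protocol type PPP, payload length, call ID, sequence number.
    return struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, payload_len, call_id, seq)


def l2tp_data_header(tunnel_id=1, session_id=1):
    # L2TP data message header: version 2, no optional fields, tunnel and session IDs.
    return struct.pack("!HHH", 0x0002, tunnel_id, session_id)


def classify(packet):
    """Label the VPN/tunnel encapsulation of one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    body = packet[ihl:]
    if proto == IPPROTO_GRE:
        if len(body) < 4:
            return "gre-truncated"
        flags, gre_proto = struct.unpack("!HH", body[:4])
        if (flags & 0x0007) == 1 and gre_proto == GRE_PROTO_PPP:
            return "pptp-data"       # PPP over enhanced GRE: needs IP protocol 47 allowed
        return "gre-other"
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        if len(body) < 4:
            return "l4-truncated"
        sport, dport = struct.unpack("!HH", body[:4])
        if proto == IPPROTO_TCP and PPTP_CONTROL_PORT in (sport, dport):
            return "pptp-control"
        if proto == IPPROTO_UDP and L2TP_PORT in (sport, dport):
            return "l2tp"            # control and data share UDP/1701: no GRE needed
        if proto == IPPROTO_UDP and IKE_PORT in (sport, dport):
            return "ike"
        return "tcp" if proto == IPPROTO_TCP else "udp"
    if proto == IPPROTO_ESP:
        return "ipsec-esp"
    if proto == IPPROTO_AH:
        return "ipsec-ah"
    return "ip-proto-%d" % proto


def sample_packets():
    """Constructed packets, one per encapsulation, keyed by the expected label."""
    ppp = b"\xff\x03\x00\x21" + b"inner IP payload"   # PPP addr, ctrl, proto=IP, then data
    gre = pptp_gre_header(len(ppp)) + ppp
    l2tp = l2tp_data_header() + ppp
    esp = struct.pack("!II", 0x1000, 1) + b"\x00" * 16            # SPI, seq, payload
    ah = struct.pack("!BBHII", 4, 4, 0, 0x2000, 1) + b"\x00" * 12  # AH header + 96-bit ICV
    tcp = tcp_header(40000, PPTP_CONTROL_PORT)
    udp = udp_header(L2TP_PORT, L2TP_PORT, len(l2tp)) + l2tp
    return {
        "pptp-data": ipv4_header(IPPROTO_GRE, len(gre)) + gre,
        "pptp-control": ipv4_header(IPPROTO_TCP, len(tcp)) + tcp,
        "l2tp": ipv4_header(IPPROTO_UDP, len(udp)) + udp,
        "ipsec-esp": ipv4_header(IPPROTO_ESP, len(esp)) + esp,
        "ipsec-ah": ipv4_header(IPPROTO_AH, len(ah)) + ah,
    }


def needs_gre(packets):
    """Names of the packets a firewall must pass IP protocol 47 for (PPTP data only)."""
    return sorted(name for name, pkt in packets.items() if classify(pkt) == "pptp-data")


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print("%-13s -> %s" % (name, classify(pkt)))
```

The classifier looks only at the outer IP header and the first bytes of the next header, which is all a stateless filter sees; a real capture would also need IPv6 handling and fragment reassembly, both left out here.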

Network-Level Architecture

[Figure: Simplified diagram of VPN WLAN]

Wireless VPN

IPSec

• What is IPSec?
  – IPSec is a set of open standards and protocols
  – for creating and maintaining secure communications over IP networks.
• IPSec VPNs use these standards and protocols
  – to ensure the privacy and integrity of data transmission and
  – communications across public networks like the Internet.

IPSec security services

Standards for a range of services to address security risks:
  – Confidentiality.
    • Encryption protects the privacy of communications even if they are intercepted.
  – Access control.
    • Access to IPSec VPN private communications is restricted to authorized users.
  – Authentication.
    • Authentication verifies the source of received data (data origin authentication), and confirms that the original IP packet was not modified in transit (connectionless data integrity).
  – Rejection of replayed packets.
    • An anti-replay service counters a replay attack based on an attacker's intercepting a series of packets and then replaying them.
  – Limited traffic flow confidentiality.
    • Inner IP headers can be encrypted to conceal the identities of the traffic source and destination (beyond the security gateways).

IPSec

How IPSec works
• Before two devices can establish an IPSec VPN tunnel they must agree on the security parameters: the security association (SA).
• The SA specifies the authentication and encryption algorithms and the encryption keys.
• The Internet Key Exchange (IKE) protocol
  – is needed for secure communication through an IPSec VPN.
• In the negotiation process,
  – one IPSec endpoint acts as an initiator and the other as a responder.
  – The initiator offers the set of authentication, encryption and other parameters that it is ready to use with the other endpoint.
  – The responder tries to match this list against its own list of supported techniques. If there is any overlap, it responds with the common subset.

How IPSec works (continued)

• The initiator chooses one combination of techniques from the responder's reply and they proceed with the negotiated setting.
• IKE negotiation has two phases:
  – Phase 1 allows two security gateways to authenticate each other and establish communication parameters.
  – At the end of Phase 1, a Phase 1 Security Association (IKE SA) is established.
  – Phase 2 allows two security gateways to agree on IPSec communications parameters.
  – At the end of Phase 2, an IPSec SA is established.
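The negotiation just described (initiator offers, responder returns the common subset, initiator picks one, once for the IKE SA and once for the IPSec SA) can be modelled without any cryptography. The block below is an added example, not code from the slides or from any IKE implementation: the `IkeProposal` and `IpsecProposal` records, the endpoint policy lists and the algorithm names are constructed for illustration. The point it makes for a defender is that the chosen SA can never be weaker than the responder's own supported list, so the responder's policy is where a legacy algorithm such as 3DES is actually kept out of the tunnel, whatever the initiator offers first.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IkeProposal:
    """One Phase 1 combination an endpoint is willing to use (constructed model)."""
    encryption: str
    integrity: str
    dh_group: int
    auth: str


@dataclass(frozen=True)
class IpsecProposal:
    """One Phase 2 combination: IPSec protocol, algorithms and mode."""
    protocol: str      # "ESP" or "AH"
    encryption: str    # "none" for AH
    integrity: str
    mode: str          # "tunnel" or "transport"


def responder_reply(offered, supported):
    """The responder matches the offer against its own list and returns the
    common subset in the initiator's order. An empty list means no overlap."""
    supported = set(supported)
    return [p for p in offered if p in supported]


def initiator_choice(offered, reply):
    """The initiator picks one combination from the responder's reply: the
    first of its own offers that survived, i.e. its most preferred one."""
    for p in offered:
        if p in reply:
            return p
    return None


def negotiate(offered, supported):
    """Full exchange for one phase; None when the endpoints cannot agree."""
    return initiator_choice(offered, responder_reply(offered, supported))


def establish(init_p1, resp_p1, init_p2, resp_p2):
    """Run both IKE phases and report which SAs were established."""
    ike_sa = negotiate(init_p1, resp_p1)
    if ike_sa is None:
        return {"status": "failed", "phase": 1}
    ipsec_sa = negotiate(init_p2, resp_p2)
    if ipsec_sa is None:
        return {"status": "failed", "phase": 2, "ike_sa": ike_sa}
    return {"status": "established", "ike_sa": ike_sa, "ipsec_sa": ipsec_sa}


# Constructed endpoint policies. The initiator lists a legacy 3DES proposal
# first; the responder's policy only supports AES, so the common subset, and
# therefore the chosen SA, cannot be weaker than the responder's policy allows.
INITIATOR_P1 = [
    IkeProposal("3des", "sha1", 2, "psk"),
    IkeProposal("aes256", "sha256", 14, "psk"),
    IkeProposal("aes128", "sha256", 14, "psk"),
]
RESPONDER_P1 = [
    IkeProposal("aes128", "sha256", 14, "psk"),
    IkeProposal("aes256", "sha256", 14, "psk"),
]
INITIATOR_P2 = [
    IpsecProposal("ESP", "aes256", "sha256", "tunnel"),
    IpsecProposal("AH", "none", "sha256", "tunnel"),
]
RESPONDER_P2 = [IpsecProposal("ESP", "aes256", "sha256", "tunnel")]
STRICT_RESPONDER_P1 = [IkeProposal("aes256", "sha384", 19, "rsa-sig")]  # nothing in common


def demo():
    return establish(INITIATOR_P1, RESPONDER_P1, INITIATOR_P2, RESPONDER_P2)


def demo_no_overlap():
    return establish(INITIATOR_P1, STRICT_RESPONDER_P1, INITIATOR_P2, RESPONDER_P2)


if __name__ == "__main__":
    print(demo())
    print(demo_no_overlap())
```

In `demo()` the responder drops the 3DES offer, returns the two AES proposals in the initiator's order, and the initiator settles on AES-256 because that is the first of its own offers in the reply; `demo_no_overlap()` shows Phase 1 failing, so no IPSec SA is ever attempted.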

IPSec

How IPSec works (continued)

• IPSec uses two protocols to establish security services
  – Authentication Header (AH)
    • Provides connectionless data integrity and data origin authentication
    • Includes a cryptographic checksum over the entire packet
    • The receiver uses this checksum to verify that the packet has not been tampered with.
  – Encapsulating Security Payload (ESP)
    • Provides confidentiality for IP traffic through encryption.
    • Current standard IPSec encryption algorithms include the
      – Triple Data Encryption Standard (3DES), and the
      – Advanced Encryption Standard (AES).
    • Also provides authentication and anti-replay capabilities.
    • Unlike AH, the authentication services of ESP do not protect the IP header of the packet.
  – Most IPSec VPN implementations today use ESP.
  – AH and ESP may be used separately or together.
  – Their use depends on the IPSec mode:
    • Transport mode or Tunnel mode.
    • Client-to-LAN connections typically use Transport mode,
    • while LAN-to-LAN connections typically use Tunnel mode.
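Two of the claims above are worth seeing in code: AH's checksum covers the IP header (minus fields that legitimately change in flight, such as TTL) while ESP's does not, and the anti-replay service that both protocols offer rejects a resent packet. The block below is an added example and not the slides' or any IPSec stack's code: it models packets as dictionaries, uses a truncated HMAC-SHA-256 as a stand-in for the SA's negotiated integrity algorithm, uses a constructed key, and leaves ESP's payload encryption out so that the integrity and replay behaviour stands on its own. The `ReplayWindow` follows the sliding-window scheme sketched in RFC 4303 appendix A, and the receiver does the checks in the order that RFC prescribes: replay window first, then the ICV, and only then update the window.

```python
import hmac
import hashlib
import struct
from ipaddress import IPv4Address

# Shared SA integrity key (constructed for the demo; real SA keys come from IKE).
INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"


def icv(covered):
    """Integrity Check Value: HMAC-SHA-256 truncated to 96 bits (stand-in algorithm)."""
    return hmac.new(INTEGRITY_KEY, covered, hashlib.sha256).digest()[:12]


def ah_covered_bytes(ip, seq, payload):
    # AH covers the IP header with mutable fields (here TTL) zeroed: a rewritten
    # address breaks the ICV, a router decrementing TTL does not.
    header = IPv4Address(ip["src"]).packed + IPv4Address(ip["dst"]).packed + b"\x00"
    return header + struct.pack("!I", seq) + payload


def esp_covered_bytes(spi, seq, payload):
    # ESP covers only its own header (SPI, sequence) and the payload; the outer
    # IP header is not protected. Payload encryption is omitted in this model.
    return struct.pack("!II", spi, seq) + payload


def ah_packet(ip, seq, payload):
    return {"ip": dict(ip), "seq": seq, "payload": payload,
            "icv": icv(ah_covered_bytes(ip, seq, payload))}


def esp_packet(ip, spi, seq, payload):
    return {"ip": dict(ip), "spi": spi, "seq": seq, "payload": payload,
            "icv": icv(esp_covered_bytes(spi, seq, payload))}


class ReplayWindow:
    """Sliding anti-replay window: bit 0 of the bitmap is the highest sequence
    number accepted so far, bit n the sequence number n below it."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def is_acceptable(self, seq):
        if seq == 0:
            return False                        # sequence numbers start at 1
        if seq > self.top:
            return True                         # advances the window
        if self.top - seq >= self.size:
            return False                        # older than the window
        return not self.bitmap & (1 << (self.top - seq))   # set bit means replay

    def mark(self, seq):
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


class Receiver:
    """Inbound processing for one SA: replay check, then ICV, then window update."""

    def __init__(self, protocol):
        self.protocol, self.window = protocol, ReplayWindow()

    def accept(self, pkt):
        if not self.window.is_acceptable(pkt["seq"]):
            return "rejected: replay or outside window"
        if self.protocol == "AH":
            expected = icv(ah_covered_bytes(pkt["ip"], pkt["seq"], pkt["payload"]))
        else:
            expected = icv(esp_covered_bytes(pkt["spi"], pkt["seq"], pkt["payload"]))
        if not hmac.compare_digest(expected, pkt["icv"]):
            return "rejected: integrity check failed"
        self.window.mark(pkt["seq"])
        return "accepted"


def demo():
    """Constructed scenarios; returns {scenario: outcome}."""
    ip = {"src": "192.0.2.10", "dst": "198.51.100.1", "ttl": 64}
    esp_rx, ah_rx = Receiver("ESP"), Receiver("AH")
    out = {}
    p1 = esp_packet(ip, 0x1000, 1, b"first")
    out["esp fresh"] = esp_rx.accept(p1)
    out["esp replayed"] = esp_rx.accept(p1)
    out["esp tampered payload"] = esp_rx.accept(dict(p1, seq=2, payload=b"forged"))
    rerouted = esp_packet(ip, 0x1000, 2, b"second")
    rerouted["ip"]["dst"] = "203.0.113.9"                       # outer header not covered
    out["esp outer dst rewritten"] = esp_rx.accept(rerouted)
    out["esp far ahead"] = esp_rx.accept(esp_packet(ip, 0x1000, 200, b"late"))
    out["esp too old"] = esp_rx.accept(esp_packet(ip, 0x1000, 100, b"old"))
    a1 = ah_packet(ip, 1, b"first")
    a1["ip"]["ttl"] = 63                                        # mutable field, excluded
    out["ah ttl decremented"] = ah_rx.accept(a1)
    a2 = ah_packet(ip, 2, b"second")
    a2["ip"]["dst"] = "203.0.113.9"                             # covered by AH's ICV
    out["ah outer dst rewritten"] = ah_rx.accept(a2)
    return out
```

The "esp outer dst rewritten" scenario is the slide's "ESP does not protect the IP header" in practice: the packet passes the ICV check, and it is the tunnel-mode inner header (which ESP does cover) that a deployment relies on for end-to-end address integrity.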

Benefits of IPSec VPN technology

• Tremendous savings over the cost of a private WAN connection, leased lines, or long distance phone charges.
• IPSec VPNs can also increase an organization's productivity.
• An organization can grant restricted network access
  – to business partners, customers, or vendors,
  – dramatically increasing the efficiency and
  – speed of business-to-business communications.
• Home-office workers, telecommuters, and in-the-field sales and service workers can access the corporate network resources securely and economically with IPSec VPN remote access through the public Internet.
• Global, economical access to an organization's network extends the organization's reach to markets formerly too remote or small to target or service profitably.

IPSec VPN Challenges

• Implementations' compliance with standards to ensure correctness and interoperability.
• Performance and scalability must be constantly upgraded and verified to satisfy the growing needs of the IPSec VPN industry.
• The IETF is in the process of updating some of the protocols used with IPSec VPNs (for instance, a newer version of IKE, called IKEv2).
• These present new and ongoing challenges to the IPSec community.

SSL VPN

What is an SSL VPN?
• SSL is a commonly used protocol for managing the security of a message transmission on the Internet.
• SSL works by using a public key to encrypt data that is transferred over the SSL connection.
  – SSL is a higher-layer security protocol, sitting closer to the application.
  – This close connection provides the granular access control that remote access and extranet VPNs require.
  – An SSL VPN uses SSL and proxies to provide authorized and secure access for end-users to HTTP, client/server, and file sharing resources.
  – Adding proxy technology to SSL offers companies greater security, because it prevents users from making a direct connection into a secured network.
  – SSL VPNs deliver user-level authentication, ensuring that only authorized users have access to the specific resources as allowed by the company's security policy.

Benefits of SSL VPN

• Clientless access
  – Without the burden of configuring, managing, and supporting complex IPSec clients for each user,
  – SSL VPNs are easier and less expensive to support, and
  – they're faster to deploy than IPSec VPNs.
  – SSL VPNs use any Web browser as the client, providing clientless access that increases the number of points from which employees, partners, and customers can access network data.
  – Users can access Web applications, client/server applications, and enterprise file shares.
  – Without a traditional IPSec client, users gain true freedom and anywhere access to the resources they need.
  – Clientless access also simplifies configuration and management for IT administrators, which means fewer support calls.
• Anywhere access
  – SSL VPNs enable users to access more applications from a broad range of devices and environments.
  – And SSL VPNs work over broadband networks, too.
  – SSL VPNs can seamlessly traverse network address translation (NAT), firewalls, and proxy servers.

Benefits of SSL VPN (continued)

• Increased security
  – End-user access to any given resource is restricted unless authorized, a vastly different approach from that of IPSec VPNs.
  – This technology provides a secure, proxied connection that reduces risk
    • because users never have a direct network connection to the resources they are authorized to access.
  – Proxies hide the internal domain name system (DNS) namespace,
  – providing an extra level of protection for your network.
  – SSL VPNs detect personal firewalls and applications and perform other client-integrity checks.
  – Ensures that only authenticated users can gain access by checking privileges against an LDAP-enabled database, a RADIUS server, an NT domain, a UNIX user name/password database, RSA SecurID ACE servers, and others.
  – Provides a high degree of granular access.
  – Ability to enforce policy based upon the level of trust.
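The per-resource access decision that the "What is an SSL VPN?" and "Increased security" slides describe (user-level authentication against a directory, client-integrity checks feeding a trust level, policy enforced per resource, and a proxy that hides the internal namespace) comes down to one policy function at the proxy. The block below is an added example, not the slides' or any vendor's code: the `Resource` record, the `DIRECTORY` lookup standing in for LDAP/RADIUS/SecurID, the three resources, the posture keys and the trust levels are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    name: str                  # name the user sees in the portal
    upstream: str              # internal address; only the proxy ever connects to it
    allowed_groups: frozenset  # directory groups that may reach it
    min_trust: int             # 0 = any authenticated user, 1 = MFA, 2 = MFA + healthy device


# Constructed directory lookup, standing in for LDAP / RADIUS / NT domain / SecurID.
DIRECTORY = {
    "alice": frozenset({"employees", "finance"}),
    "bob": frozenset({"partners"}),
}

# Constructed resources: internal names are never shown to the client.
RESOURCES = {
    "portal": Resource("portal", "http://intranet.internal/portal",
                       frozenset({"employees", "partners"}), 0),
    "orders": Resource("orders", "http://erp.internal/orders",
                       frozenset({"employees", "partners"}), 1),
    "finance-share": Resource("finance-share", "smb://fileserver.internal/finance",
                              frozenset({"finance"}), 2),
}


def trust_level(mfa_passed, posture):
    """Trust level from authentication strength plus client-integrity checks
    (personal firewall and up-to-date anti-malware reported by the endpoint)."""
    if not mfa_passed:
        return 0
    healthy = posture.get("personal_firewall") and posture.get("antimalware_current")
    return 2 if healthy else 1


def authorize(user, mfa_passed, posture, resource_name):
    """Decide one proxied request. Returns (allowed, reason, upstream_for_proxy)."""
    groups = DIRECTORY.get(user)
    if groups is None:
        return False, "unknown user", None
    resource = RESOURCES.get(resource_name)
    if resource is None:
        return False, "no such resource", None
    if not groups & resource.allowed_groups:
        return False, "user not in an allowed group", None
    level = trust_level(mfa_passed, posture)
    if level < resource.min_trust:
        return False, "trust level %d below required %d" % (level, resource.min_trust), None
    return True, "allowed", resource.upstream


def handle(user, mfa_passed, posture, resource_name):
    """What the client gets back: a status and reason, never the upstream address."""
    allowed, reason, _upstream = authorize(user, mfa_passed, posture, resource_name)
    return {"status": 200 if allowed else 403, "reason": reason}


if __name__ == "__main__":
    healthy = {"personal_firewall": True, "antimalware_current": True}
    print(authorize("alice", True, healthy, "finance-share"))
    print(authorize("alice", True, {"personal_firewall": False}, "finance-share"))
    print(handle("bob", True, healthy, "finance-share"))
```

The two unknowns named on the drawbacks slide, the user and the device, map onto the two inputs of `trust_level`: `mfa_passed` narrows the first and the posture checks narrow the second, and a resource's `min_trust` is where policy says how much of each it requires.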

Drawbacks of SSL VPN

• Some are concerned that SSL VPN is not as secure as an IPSec VPN, the most common security protocol for dial-up and broadband remote access.
• IPSec software is installed on employee computers and it creates a full network connection.
• With regard to security, if you drill down to the details of IPSec and SSL VPN, they are much the same, just implemented differently. The technology in SSL VPN is just as secure as IPSec VPN is. However, because of the way it is deployed, SSL VPN can be less secure.
• By providing users access from any location over any device, corporations are taking the risk that computers or devices utilised may have security risks that the IT department is unaware of. With SSL VPN, you have two unknowns: the user and the device.
• However, with strong two-factor authentication, security problems can be mitigated.

Comparison

Best of IPSec-VPN and SSL-VPN

• In spite of the drawbacks of each, both technologies have their purpose.
• Since IPSec can be used to secure network connections and SSL is focused on application layer traffic,
• IPSec is well suited for business needs that require broad and persistent, site-to-site, network layer connections.
• SSL, on the other hand, is well suited for applications where the system needs to connect individuals to applications and resources.

Conclusion

• With IPSec VPN technology,
  – the public Internet can serve as the backbone of an organization's communications infrastructure,
  – enabling the organization to realize significant savings and productivity gains.
• Successful only if the impact of IPSec on network performance is managed.
• IPSec affects network throughput and adds latencies that can disrupt networked applications.
• Implementations must also conform to standards,
• to ensure that IPSec network elements and applications interoperate.

Questions

• Why is SSL-VPN preferable for mobile devices?
• What are the scalability issues for IPSec-VPN?
• What makes use of VPN essential in wireless networks?

References

• Comparing Secure Remote Access Options: IPSec VPNs vs. SSL VPNs – Aventail White Paper
• http://www.expresscomputeronline.com/20040216/opinion02.shtml
• http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss21_art83,00.html
• www.vpnc.org
• Wireless Network Security - 802.11, Bluetooth and Handheld Devices

Thank you