
Transcript
Page 1: VPNs - Presentation.pdf

Virtual Private Networks (VPNs)

Dominik Herkel

Page 2: VPNs - Presentation.pdf

agenda 1 / 3

1. important information

2. general

3. history

4. benefits for business

Page 3: VPNs - Presentation.pdf

agenda 2 / 3

5. implementation

• GRE

• IPsec

• GRE over IPsec

• SSL/TLS

6. Cisco VPN solutions

Page 4: VPNs - Presentation.pdf

agenda 3 / 3

7. access network resources

8. live configuration

Page 5: VPNs - Presentation.pdf

important information

• always refer to the OSI model, not TCP/IP

• complex topic, so listen carefully

Page 6: VPNs - Presentation.pdf

general

• end-to-end private network connection over a shared (public) network

• security is a major concern

• access to internal network resources from outside

Page 7: VPNs - Presentation.pdf

history

• mostly no need to lease dedicated lines

• small companies are no longer left out

• use already existing infrastructure

• paved the way for telecommuting

Page 8: VPNs - Presentation.pdf

benefits for business

• cost efficiency

• security

• scalability

• compatibility

Page 9: VPNs - Presentation.pdf

implementation

• GRE

• IPsec VPNs

• GRE over IPsec

• SSL/TLS VPNs

Page 10: VPNs - Presentation.pdf
Page 11: VPNs - Presentation.pdf
Page 12: VPNs - Presentation.pdf

Generic Routing Encapsulation (GRE)

Page 13: VPNs - Presentation.pdf

general

• originally developed by cisco

• GRE tunnels are stateless

• still widely in use

Page 14: VPNs - Presentation.pdf

process

• original IP packet is encapsulated in a new IP packet

• additional overhead of 24 bytes (20-byte outer IPv4 header + 4-byte GRE header)

Page 15: VPNs - Presentation.pdf
Page 16: VPNs - Presentation.pdf

advantages

• multiprotocol support

• routing protocol support

• multicast and broadcast support

Page 17: VPNs - Presentation.pdf

disadvantages

• no security mechanisms: no encryption, no authentication, no replay protection

• large overhead
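Added example (not from the slides): a minimal GRE encapsulation and decapsulation in Python, covering both the "process" slide (the 24-byte overhead) and the "disadvantages" slide (no security). The inner packet, the hosts 192.168.1.10 / 192.168.2.20, the tunnel endpoints 203.0.113.1 / 203.0.113.2 and the payload are constructed for this example. Only the basic RFC 2784 GRE header is handled; packets with the optional checksum, key or sequence fields are rejected.

```python
import socket
import struct

GRE_PROTO = 47          # IP protocol number of GRE
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" for an inner IPv4 packet


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ident: int = 0) -> bytes:
    """20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def build_inner_packet() -> bytes:
    """Constructed sample: IPv4/UDP from host A to host B with a cleartext payload."""
    payload = b"hello from host A"
    udp = struct.pack("!HHHH", 40000, 5000, 8 + len(payload), 0) + payload  # UDP checksum 0 is allowed in IPv4
    return ipv4_header("192.168.1.10", "192.168.2.20", 17, len(udp), ident=1) + udp


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """What the tunnel endpoint does: new outer IP header + 4-byte GRE header + original packet."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # flags/version = 0, protocol type = IPv4
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre_hdr) + len(inner_packet))
    return outer + gre_hdr + inner_packet


def gre_decapsulate(packet: bytes) -> bytes:
    """Strip the outer IPv4 and GRE headers; returns the original inner packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000:  # C, K or S bit set: optional fields present, not handled here
        raise ValueError("optional GRE fields not handled in this example")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    return packet[ihl + 4:]


def demo():
    """Returns (overhead in bytes, whether the payload is readable in the tunnel packet)."""
    inner = build_inner_packet()
    outer = gre_encapsulate(inner, "203.0.113.1", "203.0.113.2")
    overhead = len(outer) - len(inner)       # 20-byte outer IP + 4-byte GRE = 24
    visible = b"hello from host A" in outer  # GRE adds no confidentiality at all
    assert gre_decapsulate(outer) == inner
    return overhead, visible


if __name__ == "__main__":
    print(demo())  # (24, True)
```

Anyone who can capture the tunnel traffic sees the inner addresses, ports and payload unchanged, which is exactly why GRE on its own is not a secure VPN.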

Page 18: VPNs - Presentation.pdf

Internet Protocol Security (IPsec)

Page 19: VPNs - Presentation.pdf

general

• not bound to any specific security technology (algorithms can be swapped out)

• framework of open standards

• works at the network layer of the OSI model, so in theory it operates over all data link layer protocols

Page 20: VPNs - Presentation.pdf

modes

• tunnel mode

• transport mode

Page 21: VPNs - Presentation.pdf

protocols

• Authentication Header (AH):

• appropriate when confidentiality is not required

• provides only authentication and integrity

• its integrity check covers the IP header, so AH does not pass through NAT

• Encapsulating Security Payload (ESP):

• unlike AH, also supports encryption (confidentiality)

Page 22: VPNs - Presentation.pdf

confidentiality

• symmetric algorithms are used

• provide bulk encryption of the data

• examples:

• Data Encryption Standard (DES)

• Triple Data Encryption Standard (3DES)

• Advanced Encryption Standard (AES)

• DES and 3DES are obsolete; use AES

Page 23: VPNs - Presentation.pdf

integrity

• Keyed-Hash Message Authentication Code (HMAC)

• a shared secret key is combined with the data

• hash value calculated over the key-data combination

• examples of underlying hash functions:

• Message-Digest Algorithm 5 (MD5), Secure Hash Algorithm (SHA-1, SHA-2, SHA-3)

• MD5 and SHA-1 are no longer recommended for new deployments
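Added example (not from the slides): how the HMAC integrity check of an ESP packet works in practice, in Python with the standard library. The packet layout (SPI, sequence number, payload, ICV) follows ESP; the key, SPI and payload are constructed for the example, encryption is left out, and the replay check is a simplified strictly-increasing sequence test rather than the sliding window real IPsec implementations use.

```python
import hashlib
import hmac
import struct
from typing import Optional

# IPsec truncates the HMAC output to a fixed-length Integrity Check Value (ICV):
# 96 bits for HMAC-SHA1-96 (RFC 2404), 128 bits for HMAC-SHA-256-128 (RFC 4868).
ICV_LEN = 16
ESP_HDR_LEN = 8  # SPI (4 bytes) + sequence number (4 bytes)


def esp_protect(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Build an ESP-style packet: SPI | seq | payload | ICV.

    The ICV is HMAC-SHA256 over everything before it, truncated to 128 bits.
    Encryption is omitted; this shows only the integrity/authentication part.
    """
    body = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


class EspReceiver:
    """Verifies ICVs for one security association and rejects replays.

    Replay protection here is a simplified strictly-increasing sequence check,
    not the sliding window of RFC 4303.
    """

    def __init__(self, key: bytes, spi: int):
        self.key = key
        self.spi = spi
        self.last_seq = 0

    def receive(self, packet: bytes) -> Optional[bytes]:
        """Return the payload if SPI, ICV and sequence number check out, else None."""
        if len(packet) < ESP_HDR_LEN + ICV_LEN:
            return None
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        # Constant-time comparison: a plain '==' could leak the ICV through timing.
        if not hmac.compare_digest(icv, expected):
            return None
        spi, seq = struct.unpack("!II", body[:ESP_HDR_LEN])
        if spi != self.spi or seq <= self.last_seq:
            return None  # wrong SA, or a replayed/out-of-order packet
        self.last_seq = seq
        return body[ESP_HDR_LEN:]


def demo() -> dict:
    key = bytes(range(32))  # constructed 256-bit key for the example
    rx = EspReceiver(key, spi=0x1000)
    genuine = esp_protect(key, 0x1000, 1, b"inner IP packet")

    tampered = bytearray(genuine)
    tampered[ESP_HDR_LEN] ^= 0x01  # flip one bit of the protected payload
    forged = esp_protect(b"wrong key", 0x1000, 2, b"inner IP packet")

    return {
        "genuine": rx.receive(genuine),           # b"inner IP packet"
        "tampered": rx.receive(bytes(tampered)),  # None: ICV no longer matches
        "forged": rx.receive(forged),             # None: attacker lacks the key
        "replay": rx.receive(genuine),            # None: seq 1 already seen
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two details matter in practice: the comparison of the received and recomputed ICV must be constant-time, and the sequence number is covered by the HMAC, so an attacker cannot simply renumber a captured packet to get past the replay check.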

Page 24: VPNs - Presentation.pdf

authentication

• the parties authenticate each other

• either pre-shared keys or digital signatures are used

• examples:

• pre-shared secret

• Rivest-Shamir-Adleman (RSA) signature

Page 25: VPNs - Presentation.pdf

secure key exchange

• Diffie-Hellman (DH)

• asymmetric (public-key) key agreement algorithm

• defines several groups

• lets both parties compute an identical shared secret

• the shared secret itself is never sent between the parties

• examples:

• groups 1 – 24 are defined

• they differ in modulus size and therefore in strength; groups 1 and 2 (768/1024-bit) are considered weak today

Page 26: VPNs - Presentation.pdf

process

1. Host A (behind R1) sends interesting traffic (traffic matching the crypto ACL) to Host B (behind R2).

2. R1 and R2 negotiate an IKE phase one session; a secure channel between the routers is set up.

3. R1 and R2 negotiate an IKE phase two session with the matching parameters needed for the IPsec SAs.

4. Data is transmitted securely.

5. The IPsec tunnel is terminated.
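Added example (not from the slides): the Diffie-Hellman exchange from the "secure key exchange" slide, followed by the key derivation that the IKE phase one step above builds on. Both routers compute the same secret although only public values and nonces cross the wire. The prime is the real RFC 2409 DH group 2 modulus (generator 2), chosen only because it is short enough to embed; 1024-bit groups are too weak for use today. The SKEYSEED step has the same shape as IKEv2 (prf(Ni | Nr, g^ir)); the splitting into per-direction keys after that is a simplified sketch, not the exact IKE formulas, and the labels are made up for the example.

```python
import hashlib
import hmac
import secrets

# RFC 2409 Diffie-Hellman group 2: 1024-bit MODP prime, generator 2.
# Weak by today's standards; production deployments should use group 14 (2048-bit) or larger.
P_GROUP2 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


class DHParty:
    """One router's side of the exchange: a private exponent and the public value g^x mod p."""

    def __init__(self, p: int = P_GROUP2, g: int = G):
        self.p, self.g = p, g
        self.private = secrets.randbelow(p - 2) + 1  # 1 <= x <= p-2
        self.public = pow(g, self.private, p)

    def shared_secret(self, peer_public: int) -> bytes:
        # Reject degenerate peer values (0, 1, p-1) that would force a trivial secret.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid peer public value")
        s = pow(peer_public, self.private, self.p)
        return s.to_bytes((self.p.bit_length() + 7) // 8, "big")


def prf(key: bytes, data: bytes) -> bytes:
    """Pseudo-random function used by IKE; HMAC-SHA256 here."""
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_keys(shared: bytes, nonce_i: bytes, nonce_r: bytes) -> dict:
    """Turn the DH secret into separate keys per purpose and direction.

    Simplified sketch: SKEYSEED = prf(Ni | Nr, g^ir) as in IKEv2, then
    one prf call per key with a made-up label (the real IKE expansion differs).
    """
    skeyseed = prf(nonce_i + nonce_r, shared)
    return {label: prf(skeyseed, label.encode())
            for label in ("auth-initiator", "auth-responder", "enc-initiator", "enc-responder")}


def phase_one(nonce_len: int = 16):
    """Run the exchange between R1 (initiator) and R2 (responder).

    Returns (R1's keys, R2's keys, what an eavesdropper sees on the wire).
    """
    r1, r2 = DHParty(), DHParty()
    ni, nr = secrets.token_bytes(nonce_len), secrets.token_bytes(nonce_len)
    on_the_wire = {"g^xi": r1.public, "g^xr": r2.public, "Ni": ni, "Nr": nr}
    keys_r1 = derive_keys(r1.shared_secret(r2.public), ni, nr)
    keys_r2 = derive_keys(r2.shared_secret(r1.public), ni, nr)
    return keys_r1, keys_r2, on_the_wire


if __name__ == "__main__":
    k1, k2, wire = phase_one()
    print("identical keys on both routers:", k1 == k2)
    print("private exponents and shared secret never appear in:", sorted(wire))
```

The eavesdropper's view contains only g^xi, g^xr and the nonces; recovering g^xy from those is the discrete logarithm problem, whose difficulty is what the group size buys. This is also why the slide's "groups differ in strength" matters: with group 1 or 2 the modulus is small enough that well-funded attackers are believed to be able to break it.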

Page 27: VPNs - Presentation.pdf

advantages

• security

• based on existing algorithms

Page 28: VPNs - Presentation.pdf

disadvantages

• IP traffic only

• unicast only

• no routing protocol support (routing protocols rely on multicast)

Page 29: VPNs - Presentation.pdf

Decision

Page 30: VPNs - Presentation.pdf

GRE over IPsec

• often no need to choose between IPsec and GRE

• combines the benefits of both solutions into one

• flexibility (multiprotocol, multicast, routing protocols) provided by GRE, security ensured by IPsec

Page 31: VPNs - Presentation.pdf

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Page 32: VPNs - Presentation.pdf

general

• SSL is the predecessor of TLS

• both work at the presentation layer of the OSI model

• several security measures

Page 33: VPNs - Presentation.pdf

process

(http://www.youtube.com/watch?v=SJJmoDZ3il8)

Page 34: VPNs - Presentation.pdf

advantages

• security

• available almost everywhere (every browser has a TLS client)

• third-party validation of identities (certificate authorities)

Page 35: VPNs - Presentation.pdf

disadvantages

• forged SSL/TLS certificates

• DoS attacks (e.g. THC-SSL-DOS, which exhausts the server with renegotiation handshakes)

Page 36: VPNs - Presentation.pdf

Cisco VPN solutions

• Cisco Integrated Services Router (ISR) with enabled VPN

• Cisco Private Internet eXchange (PIX) – end of life (EOL), end of sale (EOS)

• Cisco Adaptive Security Appliance (ASA) 5500 Series

• Cisco VPN 3000 Series Concentrator – end of life (EOL), end of sale (EOS)

• Small and Home Office (SOHO) Routers

Page 37: VPNs - Presentation.pdf

access network resources

• Site-to-Site configuration

• Cisco VPN Client

• Cisco AnyConnect VPN Client

Page 38: VPNs - Presentation.pdf

bibliography 1 / 5

• AnexGATE. (n.d.). AnexGATE. Retrieved from http://www.anexgate.com/downloads/whitepapers/vpnprimer.pdf

• Cisco. (n.d.). Cisco. Retrieved from http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

• Cisco. (n.d.). Cisco Netacademy. Retrieved from http://www.cisco.com/web/learning/netacad/index.html

Page 39: VPNs - Presentation.pdf

bibliography 2 / 5

• Covenant. (n.d.). DSLreports. Retrieved from http://www.dslreports.com/faq/8228

• Edwards, J. (n.d.). ITsecurity. Retrieved from http://www.itsecurity.com/features/vpn-popularity-021108/

• Itif. (n.d.). Itif. Retrieved from http://www.itif.org/files/Telecommuting.pdf

• Kilpatrick, I. (n.d.). IT Pro Portal. Retrieved from http://www.itproportal.com/2007/05/18/benefits-and-disadvantages-of-ssl-vpns/

Page 40: VPNs - Presentation.pdf

bibliography 3 / 5

• Mason, A. (n.d.). CiscoPress. Retrieved from http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7

• Pearson. (n.d.). Pearsoncmg. Retrieved from http://ptgmedia.pearsoncmg.com/images/9781587201509/samplechapter/158720150X_CH14.pdf

• Rager, A. T. (n.d.). SourceForge. Retrieved from http://ikecrack.sourceforge.net/

• SANS Institute. (n.d.). GoogleDocs. Retrieved from https://docs.google.com/viewer?a=v&q=cache:LcJ_BIRpFl4J:www.sans.org/reading_room/whitepapers/vpns/vulnerabilitys-ipsec-discussion-weaknesses-ipsec-implementation-pro_760+ipsec+vulnerabilities&hl=de&gl=at&pid=bl&srcid=ADGEESjc5VtF9axW6pM9jnZscnGxhS2U9roAq

Page 41: VPNs - Presentation.pdf

bibliography 4 / 5

• Suida, D. (n.d.). WordPress. Retrieved from http://waynetwork.wordpress.com/2011/07/02/video-tutorial-ipsec-over-a-gre-tunnel/

• Unknown. (n.d.). ETutorials. Retrieved from http://etutorials.org/Networking/network+security+assessment/Chapter+11.+Assessing+IP+VPN+Services/11.2+Attacking+IPsec+VPNs/

• Unknown. (n.d.). Journey2CCIE. Retrieved from http://journey2ccie.blogspot.co.at

Page 42: VPNs - Presentation.pdf

bibliography 5 / 5

• Unknown. (n.d.). Teleworkers Research Network. Retrieved from http://www.teleworkresearchnetwork.com/telecommuting-statistics

• Unknown. (n.d.). The Hackers Choice. Retrieved from http://thehackerschoice.wordpress.com/2011/10/24/thc-ssl-dos/

• Wikipedia. (n.d.). Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Telecommuting#Telecommuting_and_telework_statistics

• Wikipedia. (n.d.). Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Transport_Layer_Security

• Zandi, S. (n.d.). Cisco LearningNetwork. Retrieved from https://learningnetwork.cisco.com/docs/DOC-2457

• dtommy1979 (n.d.). YouTube. Retrieved from http://www.youtube.com/watch?v=SJJmoDZ3il8