Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

chap9-slide - GEOCITIES.ws

advertisement 
ADCS
Chapter 9
VIRTUAL PRIVATE
NETWORK (VPN)
"Success is the prize for those who
stand true to their ideas!" -- Josh S.
Hinds
Prepared by:
SITI ZAINAH ADNAN
If you do have any feedback or
comment,
please feel free to email me at
sitizai@hotmail.com
Your cooperation is very much
appreciated !
CS262/0602/V2
Chapter 9 - 1
ADCS
Chapter 9
VIRTUAL PRIVATE
NETWORK (VPN)
TOPICS
• Introduction
• Security Fundamentals of VPN
– Authentication
– message integrity
– Confidentiality
– encryption are
• Network Security Mechanisms
• Layering and Placement of Network Security
Services and Mechanisms
• An Example of a Network Security
Implementation
CS262/0602/V2
Chapter 9 - 2
ADCS
References
• Book (available at the
Informatics library)
– http://www.cert.org/research/JHT
hesis/Word6/
• Notes (available at IVC)
CS262/0602/V2
Chapter 9 - 3
ADCS
Introduction
• Remote Access Service(RAS):
– Provide external users with
secure access to private
network resources thru:
• Wide Area Network (WAN) using leased line
• Public network e.g. Internet using VPN
CS262/0602/V2
Chapter 9 - 4
ADCS
• Traditional remote access required
companies to purchase expensive
dedicated leased lines for remote
offices and maintain costly dial-up
users
• The cost rises as the distance
between the offices increases
CS262/0602/V2
Chapter 9 - 5
ADCS
• By replacing long-haul leased lines
and long-distance telephone
charges with local Internet
connections, companies can costeffectively connect remote offices and
users together via a VPN
• VPN uses “virtual” connections
routed through the Internet from the
company’s private network to the
remote site or employee
CS262/0602/V2
Chapter 9 - 6
ADCS
• VPN creates a private means for
communication between
geographically distributed locations
• Companies can work smarter, reduce
costs and gain competitive advantage
CS262/0602/V2
Chapter 9 - 7
ADCS
Introduction
• Virtual Private Network (VPN):
– A network that is constructed by
using public wires to connect
nodes.
– For example, there are a number
of systems that enable you to
create networks using the
Internet as the medium for
transporting data.
– These systems use encryption
and other security mechanisms to
ensure that only authorized users
can access the network and that
the data cannot be intercepted
CS262/0602/V2
Chapter 9 - 8
ADCS
Introduction
• The goal:
– To simulate a regular network
connection by creating a virtual
point-to-point link
– Any data that is transmitted is
encapsulated.
– A header -provides all the routing
information necessary to allow
the packet to travel across the
shared or public network and
reach its destination.
– The data that is being sent has to
be encrypted.
CS262/0602/V2
Chapter 9 - 9
ADCS
Introduction
• VPN uses “tunnels” between two
gateways to protect private data as it
travels over the Internet
• Tunneling is the process of
encapsulating private IP packets
into a public IPSec packet
• Once the authentication and
authorization between the VPN
gateways is established, the tunnel is
created and the users can send and
receive data across the Internet
CS262/0602/V2
Chapter 9 - 10
ADCS
Introduction
• Assume we live on an island (private
LAN) in a huge ocean (Internet)
• There are many islands around
• Ways to travel from one island to
another:
– Ferry (public Internet)
• Connecting to a Web server or
devices thru Internet
• No control of the wires and routers
CS262/0602/V2
Chapter 9 - 11
ADCS
Introduction
– Bridge (leased line)
• Expensive to build and maintain
• Yet, it is reliable and secure
– Small submarine (VPN)
• Faster, easy to take anywhere,
reasonable cost as compared to
bridge
• Remote members can
communicate securely and more
reliable using the Internet as
medium to connect private LANs
CS262/0602/V2
Chapter 9 - 12
ADCS
Security Fundamentals of VPN
• Internet Protocol (IP) is a
connectionless protocol that gateways
use to identify networks and paths to
networks and hosts.
• In other words, IP handles the routing
of data between networks and nodes
on those networks.
• E.g. 192.85.1.26
• Transmission Control Protocol
(TCP) which manages the movement
of data between applications
• Recall that since IP chops messages
up into packets, we need to assure
that the messages are assembled
correctly at the other end of transport.
And if any errors occur during
transport, such as message
degradation or the loss of some
packets, the sender will know to
resend.
CS262/0602/V2
Chapter 9 - 13
ADCS
Security Fundamentals of VPN
• Security fundamentals that is
important to VPN implementation are:
– Message integrity
– Authentication
– Confidentiality and Encryption
CS262/0602/V2
Chapter 9 - 14
ADCS
Security Fundamentals of VPN
• Data integrity
– Protects information from
unauthorized modification.
– Use mathematical hash functions to
mark, or "sign," each and every packet.
– The receiving computer is
responsible for checking the
signature before it opens the packet.
– If the signature has been changed, it
means the packet has been changed.
– That means the packet will be
discarded without opening it, to
guard against a possible network
attack.
– Authentication Headers (AH)
provide this integrity, and anti-replay
protection for the entire data payload
that is carried in the packet.
CS262/0602/V2
Chapter 9 - 15
ADCS
Security Fundamentals of VPN
• Authentication
– To verify the origin and verify the
integrity of message by making sure of
the genuine identity of the computers
that is part of the communication
process.
– Both AH (Authentication header) and
Encapsulating Security Payload
(ESP) assure the sender and the
receiver that only they are sending and
receiving the IP packets.
– The AH provides authentication,
integrity, and anti-replay protection for
both the IP header and the data
payload that is carried in the packet.
– The IP header and all the data are
readable while on the wire, but they
are protected from modification
during transport through the network
infrastructure.
CS262/0602/V2
Chapter 9 - 16
ADCS
Security Fundamentals of VPN
• Confidentiality and Encryption
– Makes sure that the data is given only
to its intended recipients.
– The Encapsulating Security Payload
(ESP) format of IPSec packets is used.
– With ESP, the packet data is
encrypted before it is transmitted.
– The Data Encryption Standard (DES)
algorithms, and Triple DES, are used
to make sure the exchange of data
are confidential.
– Cipher Block Chaining (CBC) is used
to disguise patterns of identical
blocks of data that may occur within a
certain packet.
CS262/0602/V2
Chapter 9 - 17
ADCS
Security Fundamentals of VPN
– CBC does not increase the size of the
data after it has been encrypted.
– The repeated encryption patterns
can actually compromise security by
providing a clue that the attacker can
use to try to discover the encryption
key.
– An Initialization Vector, a name for an
initial random number, is used as the
first random block to encrypt and
decrypt a block of data.
– These different random blocks are
then used with the secret key to
encrypt each block.
– This makes sure that identical sets of
unsecured data are changed into
unique sets of encrypted data.
CS262/0602/V2
Chapter 9 - 18
ADCS
VPN Connection Type
• There are two types of VPN
connections :
– Remote Access
• Used by mobile workers using
dial-up Internet connections
• A single VPN tunnel is used for
each VPN client
• Secure, scalable, encrypted
tunnels across a public network,
client software
• Cost savings over toll-free
number expenditures
CS262/0602/V2
Chapter 9 - 19
ADCS
VPN Connection Type
– Router-To-Router (Site-To-Site):
• LAN segment to LAN segment
(Intranet-base )
– VPN allows remote offices
and users to securely
access internal TCP/IP
applications running on the
corporate Intranet
– Low cost, tunneled
connections with rich VPN
services like IPSec
encryption and Quality of
Services (QoS) to ensure
reliable throughput
CS262/0602/V2
Chapter 9 - 20
ADCS
VPN Connection Type
– Router-To-Router (Site-To-Site):
• WAN segments (Extranetbased)
– VPN enable secure access
to the corporate Extranet for
vendors, partners and
customers
– Extends WANs to business
partners
– Safe Layer 3
CS262/0602/V2
Chapter 9 - 21
ADCS
• A typical VPN might have a main LAN
at the corporate HQ of a company,
other LANs at remote offices or
facilities and individual users
connecting from out in the field
CS262/0602/V2
Chapter 9 - 22
ADCS
• Examples of the three types of VPN
• Notes: POP - Point of Presence, a
telephone number that gives you dialup access Internet Service Provider
(ISPs) generally provide many POPs
so that users can make a local call to
gain Internet access.
CS262/0602/V2
Chapter 9 - 23
ADCS
VPN Connection Type
• Remote Access VPN Connection
– A remote access connection is
made by a client (usually a singleuser computer).
– This client uses the connection to
connect to the private network.
– The VPN server is put in place to
provide the access to all of the
resources of the server or even
to the network that the VPN server
is attached too.
– All of the packets that are sent
across the VPN connection come
from the remote access client.
– The remote access client has to
authenticate itself to the remote
access server.
– The server has to authenticate
itself to the client.
CS262/0602/V2
Chapter 9 - 24
ADCS
VPN Connection Type
– The VPN server can be
outsourced from enterprise
service provider (ESP)
– ESP sets up a network access
server (NAS) and provides the
remote users with desktop client
s/w for their computers
– The telecommuters can then dial a
toll-free number to reach the NAS
and use their VPN client s/w to
access the corporate n/w
CS262/0602/V2
Chapter 9 - 25
ADCS
VPN Connection Type
• Router-to-Router VPN Connection
– The router-to-router VPN
connection is made between two
routers.
– The VPN server has to provide a
routed connection to the network
to which the other VPN server is
attached.
– On a router-to-router connection,
packets that are sent from either
router across the connection do
not start at either of the routers.
– For mutual authentication, the
VPN server will authenticate itself
to the VPN client.
CS262/0602/V2
Chapter 9 - 26
ADCS
VPN Implementation
• There are three popular standards for
implementing VPN:
– Point to Point tunneling protocol
(PPTP)
– Layer-2 Tunneling Protocol (L2TP)
– IP Security (IPSec)
CS262/0602/V2
Chapter 9 - 27
ADCS
VPN Implementation
• Point to Point Tunneling Protocol
(PPTP)
– It is a popular VPN tunneling
protocol that encapsulates
protocols and transmits them
over the Internet using
encryption.
– The protocol encapsulates data
and information/control packets
(IP) using the Internet Generic
Routing Encapsulation (GRE)
protocol before sending them
down the tunnel
CS262/0602/V2
Chapter 9 - 28
ADCS
VPN Implementation
• Layer-2 Tunneling Protocol (L2TP)
– L2TP is an IETF (Internet
Engineering Task Force)
standard tunneling protocol.
– Primarily used to support VPN
over the Internet for non-IP
protocols.
– For example, Apple Network
can create VPN over the network
using L2TP, so does NOVELL
networks.
– It is a combination of PPTP (by
Microsoft) and Cisco’s Layer 2
Forwarding (L2F) protocol.
CS262/0602/V2
Chapter 9 - 29
ADCS
VPN Implementation
• IP Security (IPSec)
– It is another IETF standard that
provides packet-level encryption,
authentication and integrity for
VPN.
– It functions at layer 3 (Network
Layer) of the OSI, can secure all
packets transmitted over a
network.
– IPSec is expected to become the
VPN standard because it was
designed for IP and IPv6
compatible.
– It is a TCP/IP based protocol
CS262/0602/V2
Chapter 9 - 30
ADCS
VPN Implementation
– If you use IPSec, you can choose
between two protocols:
• Authentication Headers (AH)
– For authentication
• Encapsulating Security
Payloads (ESP)
– For optionally encrypt IP
packets
CS262/0602/V2
Chapter 9 - 31
ADCS
VPN Implementation
- Here are some of the things that
IPSec uses to protect your
information:
– Automatic Key Management
• Key management can
generated automatically
– Key Generation
• IPSec uses the DiffieHellman algorithm:
– Enable key exchange
– Provide key material for any
of the other encryption keys
CS262/0602/V2
Chapter 9 - 32
ADCS
VPN Implementation
– Key Lengths
• There are master keys and
there are session keys. Master
keys are long, usually either
768 bits or 1,024 bits long.
• The master keys are then used
as the source from which the
session keys are derived.
– Dynamic Re-keying
• IPSec can be configured to
automatically generate new
keys during the course of a
communication
CS262/0602/V2
Chapter 9 - 33
ADCS
The Properties of VPN
connection
•
The VPN connections that will be
using PPTP and L2TP over Internet
Protocol Security (IPSec) have the
following things in common:
1. The information sent across the
VPN is encapsulated.
2. To make sure all the parties are
who they say they are, the client
and the server use some form of
authentication.
3. The data sent across the VPN
link is encrypted.
4. There has to be some mutually
agreeable way to handle the
assignment of IP addresses.
CS262/0602/V2
Chapter 9 - 34
ADCS
The Properties of VPN
connection
• Encapsulation
– It must have a way of
encapsulating the private data
with a header.
• Authentication
– Authentication for the VPN
connections can be:
• User authentication
– VPN server must
authenticate the VPN
client and verify that it has
all of the right permissions.
– VPN client also has to
authenticate the VPN
server.
CS262/0602/V2
Chapter 9 - 35
ADCS
The Properties of VPN
connection
• Data authentication and
integrity
– To make sure that that
someone or something has
not modified it in transit.
– The data may contain a
cryptographic checksum
based on an encryption
key.
CS262/0602/V2
Chapter 9 - 36
ADCS
The Properties of VPN
connection
• Data Encryption
– Because they are encrypted,
intercepted packets would be
unusable to anyone who does not
have the encryption key.
• Address Allocation
– When a VPN server is
configured, it has to create virtual
interface that represents the
interface on which all VPN
connections are made.
– When a client establishes a
connection, the virtual interface
is created.
– This creates the point-to-point
VPN connection.
CS262/0602/V2
Chapter 9 - 37
ADCS
The Properties of VPN
connection
– These virtual interfaces have to
be assigned IP addresses. This
is called address allocation.
– By default, the VPN server gets
these addresses for itself and for
the clients using the Dynamic
Host Configuration Protocol
(DHCP).
– Since this is a network
connection, it should have a
name may be by using the
Domain Name System (DNS)
and Windows Internet Name
Service (WINS) servers.
CS262/0602/V2
Chapter 9 - 38
Related documents
Peplink SpeedFusion
Peplink SpeedFusion
CSUN CECS Information Systems JD1112 x3919 Page 2
CSUN CECS Information Systems JD1112 x3919 Page 2
Establishment of the VPN connection with the
Establishment of the VPN connection with the
VPN_Request - ANS Group Plc
VPN_Request - ANS Group Plc
End of Chapter Solutions Template
End of Chapter Solutions Template
Chapter 13
Chapter 13
chap8-slide - GEOCITIES.ws
chap8-slide - GEOCITIES.ws
chap6-slide - GEOCITIES.ws
chap6-slide - GEOCITIES.ws
Download
advertisement