PPTP - Dr Ali Fanian
advertisement
In the Name of Allah
Virtual Private Network
Present by
Ali Fanian
Virtual Private Networks
Introduction
What security problems do VPNs solve ?
What security problems are not solved by
VPNs ?
VPN Principles of operation: tunneling,
encapsulation, encryption and authentication
VPN Technologies: Microsoft PPTP, L2TP
and IPsec
History and background of VPNs 1
Internet multi-site organisations operated private networks
using leased lines. This approach was expensive and inflexible.
It became cheaper to use shared Internet than dedicated.
Virtual Private Network is a type of private network that uses
public telecommunication, such as the Internet, instead of
leased lines to communicate
VPNs enabled more flexible use of larger networks by
removing network geography constraints from shared-insider
LAN/Intranet associations and services.
With cryptography as part of a VPN, a travelling saleseman
could communicate with head office at lower risk from spying
competitors etc.
What problems do VPNs solve ?
Avoiding costs of fixed lines.
Extending security context of LAN across sites,
regardless of geography, including to mobile
users.
Authentication: knowing who your users are.
Encryption: preventing monitoring of use of
insecure client server applications at the
network level.
What security problems do VPNs not solve ?
Having a VPN which isn't secure and not
knowing this is probably worse than having no
VPN
Traffic analysis: monitoring of packet sizes,
network usage times, endpoints of
conversation etc.
VPNs can be used to pierce firewalls, by
encapsulating traffic prohibited by
organisation policy within a firewalled
perimeter which the firewall can't inspect or
control.
Tunneling
Typically a VPN consists of a set of point to
point connections tunnelled over the
Internet.
The routers carrying this traffic over the
Internet see each P2P connection externally
as a sequence of packets routed between
endpoints.
VPN Architecture
ISP
Access
Server
VPN
Device
leased circuits
Telephone
Line
Office
VPN
Device
Employee’s
Home
Internet
Backbone
VPN Tunnel
VPN Tunnel
• VPN is transparent to the users, ISP, and
the Internet as a whole;
• It appears to be simply a stream of
packets moving across the Internet
VPN
Device
Office
Backbone
Encapsulation
In order to achieve tunnelling, the packets
including payloads, to and from addresses, port
numbers and other standard protocol packet
headers are encapsulated as the payload of
packets as seen by the external routers carrying
the connection.
Authentication
A digital signing scheme is typically used to
enable verification of the VPN principals.
Note that both the client and the server
need to authenticate each other.
Message authentication codes, hashes or
checksums are typically used to
authenticate message contents.
Encryption
To protect the privacy of the connection from
external snooping, the payload of the packets
visible externally will be encrypted.
To enable routing over conventional networks,
the packet headers of the encapsulating
packets are not encrypted, but the packet
headers of the encapsulated packets are
encrypted along with their contents.
VPN Topology: Types of VPNs
Remote access VPN
Site-to-Site VPN
Types of VPNs
Remote Access VPN
Provides access to
internal corporate
network over the
Internet.
Reduces long
distance, modem
bank, and technical
support costs.
Corporate
Site
Internet
-12-
Types of VPNs
Corporate
Site
Remote Access VPN
Site-to-Site VPN
Connects multiple
offices over Internet
Reduces dependencies
on frame relay and
leased lines
Branch
Office
-13-
Internet
Types of VPNs
Remote Access VPN
Site-to-Site VPN
Extranet VPN
Corporate
Site
Provides business
partners access to
critical information
(leads, sales tools, etc)
Reduces transaction
and operational costs
Internet
Partner #2
Partner #1
-14-
Types of VPNs
Remote Access VPN
Site-to-Site VPN
Database
Server
Extranet VPN
Intranet VPN:
LAN
clients
Links corporate
headquarters, remote
offices, and branch
offices over a shared
infrastructure using
dedicated connections.
LAN clients with
sensitive data
-15-
Internet
VPN Topology: How it works
Operates at layer 2 or 3 of OSI model
Layer 2 frame – Ethernet
Layer 3 packet – IP
VPN Components: Protocols
IP Security (IPSec)
Transport mode
Tunnel mode
Point-to-Point Tunneling Protocol (PPTP)
Uses PPP (Point-to-Point Protocol)
VPN Components: Protocols
Layer 2 Tunneling Protocol (L2TP)
Exists at the data link layer of OSI
Composed from PPTP and L2F (Layer 2
Forwarding)
Compulsory tunneling method
Point-to-Point Tunneling Protocol
(PPTP)
Layer 2 remote access VPN distributed with Windows product
family
Based on Point-to-Point Protocol (PPP)
Uses proprietary authentication and encryption
Limited user management and scalability
Corporate Network
Remote PPTP Client
PPTP RAS Server
Internet
ISP Remote Access
Switch
-19-
PPP
Point-to-Point Protocol (PPP)
PPP was created for dialing into a local RAS
server
But the site’s RAS may be far away
Long-distance calls are expensive
RAS
Long-Distance Call
PPTP
Point-to-Point Tunneling Protocol (PPTP)
We would like PPP to work over the Internet
to avoid long-distance telephone charges
But PPP is only a data link layer protocol
It is only good for transmission within a
subnet (single network)
RAS
PPTP
The Point-to-Point Tunneling Protocol
(PPTP) makes this possible
Created by Microsoft
Widely used
Access
Concentrator
RAS
PPTP
PPTP Operation
User dials into local PPTP access
concentrator host
User sends the access concentrator a PPP
frame within an IP packet
Access
Concentrator
Packet
RAS
PPTP
PPTP Operation
Access concentrator places incoming IP
packet within another IP packet
Sends packet to the distant RAS
Access
Concentrator
Encapsulated Packet
RAS
PPTP
PPTP Operation
Distant RAS removes the original packet
Deals with the PPP frame within the
packet
RAS
PPTP
PPTP Encapsulation
Access concentrator receives the original IP
packet, which has the IP address of the access
concentrator
Adds an enhanced general routing encapsulation
(GRE) header for security
Adds a new IP header with the IP address of the
Enhanced
New
RAS
Original IP Packet
GRE Header
Access
Concentrator
Tunnel
IPRAS
Header
-27-
-28-
IPSec
General IP Security mechanisms
Provides
authentication
confidentiality
key management
Applicable to use over LANs, across
public & private WANs, & for the Internet
IPSec Uses
Transparency
Benefits of IPSec
Is below transport layer, hence transparent
to applications
Can be transparent to end users
Can provide security for individual users
Architecture & Concepts
Tunnel vs. Transport mode
Security association (SA)
Security parameter index (SPI)
Security policy database (SPD)
SA database (SAD)
Authentication header (AH) Protocol
Encapsulating security payload (ESP)
Protocol
Transport Mode vs. Tunnel Mode
Transport mode: host -> host
Tunnel mode: host->gateway or gateway>gateway
Encrypted Tunnel
Gateway 1
Gateway 2
Encrypted
A
B
New IP
Header
AH or ESP
Header
Orig IP
Header
TCP Data
Transport Mode
IP
IP
header options
Real IP
destination
IPSec
header
Higher
layer protocol
ESP
AH
ESP protects higher layer payload only
AH can protect IP headers as well as higher
layer payload
Tunnel Mode
Outer IP IPSec
header header
Destination
IPSec
entity
ESP
Inner IP
header
Higher
layer protocol
Real IP destination
AH
ESP applies only to the tunneled packet
AH can be applied to portions of the outer
header
)Security Association (SA
حاوي
الگوريتم ها
كليدهاي مورد نياز
پروتكل AHيا ESP
زمان انقضاء كليد
پنجره جلوگيري از حمله تكرار
شماره آخرين بسته سالم دريافت شده
SPI
مشخصات ترافيكي كه SAبراي آن توليد شده است شامل:
آدرس مبدا و مقصد بسته
پروتكل اليه باالتر
پورت هاي پروتكل اليه باالتر
36
)Security Association (SA
در يك جدول به نام SADنگاه داري مي گردد
انديس SAدر جدول فوق توسط SPIمشخص مي شود
اتصال يك طرفه از فرستنده به گيرنده
براي ارتباط دو طرفه ،دو SAمورد نياز است
كليدها بايستي به نحوي مذاكره شود
Pre-shared key
IKE
37
جلوگيري از حمله تكرار
اختصاص يك شمارنده با مقدار صفر به هر SA
افزايش شمارنده به ازاي هر بسته جديد كه با اين SAفرستاده مي
شود
38
پروتكل مبادله كليد اينترنت ()IKE
برای برقراری ارتباط بين دو طرف الزم است که يك SAبين طرفين
ايجاد شود.
برقراری و تجديد اين SAها می تواند بصورت دستی يا خودکار
انجام گردد.
پروتکلی که اين وظيفه را (بصورت خودکار) در اينترنت به عهده دارد
IKEمی باشد
39
پروتكل مبادله كليد اينترنت ()IKE
معرفي IKE
• پروتكل اصلي براي ايجاد و ابقاء IPSec SA
• پيش فرض IPSecبراي مبادله امن كليد
• فراهم كردن يك ارتباط امن بين طرفين باتوافق بر روي كليدهاي جلسه
• متكي به مكانيزمهاي رمز كليد عمومي و توابع درهم كليددار
40
روشهاي احراز اصالت
روشهاي احراز اصالت در IKE
-1روش كليد از پيش مشترك ( ) Preshared Key
-2روش امضاي كليد عمومي ( ) Public Key Signature
-3روش رمزكليد عمومي ( ) Public Key Encryption
-4روش رمزكليد عمومي اصالح شده ( )Revised Public Key Encryption
41
پايگاه سياست هاي امنيتي )(SPD
SPDدر يك جدول كه توسط راهبر سيستم تعريف شده است
قرار دارد.
ركوردهاي آن براي هر بسته وارد شده و در حال خروج سياست
امنيتي را مشخص مي كند:
حفاظت )(Apply
عبور بدون حفاظت )(Bypass
دور انداختن )(Reject
42
پايگاه سياست هاي امنيتي )(SPD
هر ركورد حاوي
مشخصات بسته هايي است كه بايد سياست خاص ي در مورد آنها
اعمال شود .پارامترهاي انتخاب سياست عبارتند از:
مشخصات آدرس مبدا و مقصد بسته
Range
Subnet
مشخصات پروتكل اليه باالتر
TCP,UDP,..
در صورت TCPيا UDPبودن ،مشخصات پورتها
43
پايگاه سياست هاي امنيتي )(SPD
هر ركورد حاوي
سياست امنيتي
Apply
Reject
Bypass
و در صورت Applyمشتمل بر:
طرف مقابل در برقراري ارتباط
پروتكل AHيا ESPيا هردو
الگوريتم هاي قابل قبول براي احراز اصالت و رمزنگاري
طول مدت قابل قبول براي (SA Life Time) SA
44
IPSec معماري
IPsec module 1
IPsec module 2
SPD
SPD
IKE
Inbound
SAD Outbound
45
IKE
Inbound
Outbound SAD
SA
Outbound Process
Check SPDS against
Outboun SPD
Reject
Drop packet
F
ou
nd
ard
re
co
rd
w
For
S
P
D
Forward packet
N
o
Is SPD record SA
valid
yes
Drop packet and log
Awake IKE
Make new IPHDR & fill
up SPI field
& Sequence number
Drop Packet
ESP
yes
encryption
required ?
AH or ESP
AH
ICV Computation &
Padding
Encrypt packet
Forward new packet
No
Authentication
required ?
Yes
ICV Computation
NO
46
Forward new packet
Outbound process
Outbound Processing
Outbound packet (on A)
A
IP Packet
Is it for IPSec?
If so, which policy
entry to select?
SPD
(Policy)
B
SA
Database
IPSec processing
…
…
Determine the SA
and its SPI
SPI &
IPSec
Packet
Send to B
Inbound Processing
A
Inbound packet (on B)
B
From A
SPI & Packet
SA Database
SPD
(Policy)
Use SPI to
index the SAD
Was packet properly
secured?
Original IP Packet
…
“un-process”
…
How They Fit Together
SPD
SA-1
SA-2
SADB
SPI
SPI
49
SPD and SADB Example
A’s SPD
Transport Mode
A
C
D
B
Tunnel Mode
A’s SADB
From
To
Protocol
Port
Policy
A
B
Any
Any
AH[HMAC-MD5]
From
To
Protocol
SPI
SA Record
A
B
AH
12
HMAC-MD5 key
From
To
Protocol
Port
Policy
Tunnel Dest
Asub
Bsub
Any
Any
ESP[3DES]
D
From
To
Protocol
SPI
SA Record
Asub
Bsub
ESP
14
3DES key
C’s SPD
C’s SADB
50
پروتكل مبادله كليد اينترنت ()IKE
برای برقراری ارتباط بين دو طرف الزم است که يك SAبين
طرفين ايجاد شود.
برقراری و تجديد اين SAها می تواند بصورت دستی يا خودکار
انجام گردد.
پروتکلی که اين وظيفه را (بصورت خودکار) در اينترنت به عهده
دارد IKEمی باشد
51
پروتكل مبادله كليد اينترنت ()IKE
معرفي IKE
• پروتكل اصلي براي ايجاد و ابقاء IPSec SA
• پيش فرض IPSecبراي مبادله امن كليد
• فراهم كردن يك ارتباط امن بين طرفين باتوافق بر روي كليدهاي جلسه
• متكي به مكانيزمهاي رمز كليد عمومي و توابع درهم كليددار
• چارچوب IKEبر اساس پروتكل ISAKMP
)(Internet SA Key Management Protocol
52
IKEفازهاي
IKE داراي دو فاز مي باشد :
• فاز : Iبرپايي )IKE SA( ISAKMP SA
برپايي يك كانال امن احراز اصالت شده بين دو طرف
• فاز : IIبرپايي IPSec SA
استفاده از كانال امن ايجاد شده در فاز 1براي ارائه سرويسهاي امنيتي IPSec
فاز : Iمي تواند به دو روش انجام شود:
• مبادله مود اصلي ( ) Main mode
• مبادله مود اعالن شناسه ها ( ) Aggressive mode
فاز : IIبه روش زير انجام مي شود:
• مبادله مود سريع ( ) Quick mode
53
روشهاي احراز اصالت
روشهاي احراز اصالت در مبادالت فاز : I
-1روش كليد از پيش مشترك ( ) Preshared Key
-2روش امضاي كليد عمومي ( ) Public Key Signature
-3روش رمزكليد عمومي ( ) Public Key Encryption
-4روش رمزكليد عمومي اصالح شده ( )Revised Public Key Encryption
54
) پروتكل بر اساس روش امضاء( مود اصلي
احراز اصالت توسط امضاي ديجيتال
مخاطب
آغازگر
Header , SAproposal
Header , SAchoice
Header , gi , Ni
Header , gr , Nr
Header , { IDi , [certi] , SIGi }SKEYID-e
Header , { IDr , [certr] , SIGr }SKEYID-e
55
) ( مود سريع2 در فازIKE پروتكل
مخاطب
آغازگر
Header ,{Hash1 , SAproposal , Ni , [gi] , [IDui , IDur]}SKEYID-e
Header ,{Hash2 , SAchoice , Nr , [gr] , [IDur , IDui]}SKEYID-e
Header , {Hash3}SKEYID-e
Hash1 = prf (SKEYID-a , Message ID SANi [gi] [IDui IDur] )
Hash2 = prf (SKEYID-a , Message ID Ni SA Nr [gi] [IDui IDur] )
Hash3 = prf (SKEYID-a , Message ID Ni Nr)
KEYMAT = prf ( SKEYID-d , [ gi ] protocol SPI Ni Nr )
63
وجود نقاط ضعف در IKE
در پروتکل معرفی شدة IKEنقاط ضعفی به چشم می
خورد:
• تعداد زياد پيام
• پيچيدگی مشخصات
• عملکرد ضعيف در برابر حمالت DoS
پروتکلهای جايگزين
64
پروتكلهاي جايگزين IKE
معرفی پروتکل ) 2001( IKEv2
JFKr
معرفی پروتکل ) 2002( JFK
JFKi
Full-SIGMA
معرفی پروتکل ) 2002( SIGMA
SIGMA-0
65
