Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

Notes

advertisement 
VIRTUAL PRIVATE NETWORK (VPN)



An IP VPN is a private data Network built over a shared IP based backbone
Employs advanced technology to provide enhanced security and privacy of data
(either implemented by the user or provided by the ISP
Provides:
1.
2.
3.
4.
5.
6.


Remote access to the corporate LAN
Site to site connectivity in conjunction with other WAN Technology
An Extranet
Authentication of remote users
Encryption of corporate data
Creates a private tunnel between corporate sites or between remote users
and the corporate LANS
In short, a VPN uses existing technology infrastructure to provide a secure,
private and shared link between corporate sites, over the WAN, that appears to be
dedicated to the user. See fig 6.3 P291N.
Two most important components of a VPN are
1. Tunneling - provided through PPTP (Point –to-point Tunneling
Protocol).
2. Security – of Private data through Encryption.
Types of VPN:
1. Access VPN: Provides secure, shared access to a corporate intranet or extranet
over analog, DSL, ISDN or cable Network
2. Intranet VPN: Provides secure links between corporate sites using shared
infrastructure but dedicated connection.
3. Extranet VPN: Connects users to a corporate intranet using shared facilities but
dedicated connections
Tunneling: Is a process of encoding packets with a protocol in such a way that they can
only be decoded at well-defined entry and end points. These tunnels are configured in
software, although they represent hardwired interfaces.
Types of Tunnels: There are two types of Tunnels:
1. Voluntary Tunnels:
 Created at the request of a user for a specific use.
 Used for secure access over Internet.
 Resides in the User’s computer
Hyder Khoja
Page 1
2/17/2016
2. Compulsory Tunnels:



Created automatically by the ISPS
Transparent to the user
The Client end-point resides in a RAS (Remote Access Server) running in a
Windows Server. See Fig 6.3 P 191 N.
Tunneling Protocols: Tunneling requires 3 types of Protocols as shown in the Table 6-1
P192 N.

Fig below shows a tunneled packet. Fig 6.4 P 192 N

AH stands for Authentication Header and ESP stands for Encapsulating Security
Payload.
Security: VPN provides
1.
2.
3.
4.
Authentication: Authorized users only
Access Control: Keeps unauthorized users away
Confidentiality: Protection from intruders
Security: No tapping



Security is implemented at Data Link and Network Layers through Digital
Signatures and Encryption.
Security can be implemented either end-to-end or Node –to Node.
Fig 6.5 P193 N shows node –to node security implemented (such as a
Firewall or at the Router.
VPN Connectivity and Design:


Fig 6-6 P194 N shows a VPN Network.
Notice that IP based VPNS are cost effective, flexible, Scaleable, less complex,
easy to maintain since ISPS assume most of the responsibility
Hyder Khoja
Page 2
2/17/2016
VPN Hardware and Software:
VPN Hardware:







Security Gateways
Policy Servers
Certificate Authority Holders
Firewalls
Routers.
Mostly Firewalls and Routers implement Security
See Fig 6-7 P197 N

We shall look at some of the firewall techniques and Router Security
implementations.
There are 3 Types of Firewalls:
1. Packet Filter: Allows packets to pass only based on the IP Address or Protocols
such as allow only FTP or SMTP and Block HTTP as shown in the fig below. Not
very effective.
2. Application and Circuit Gateways (also Called Proxies):
-
-
Hyder Khoja
Uses a Proxy Server to communicate with secure systems
Accepts a connection from the other side and if the connection is allowed,
establishes a 2nd connection to the destination host on the other side
thereby hiding the data
Client does not have a direct connection to the destination
Implemented in software through several Proxy Agents, one for each
application
Installed between the company’s Network Routers and the Public network
Page 3
2/17/2016
-
Only the Proxy Address is made public. Rest of the Company Address is
masked
Proxies recreate the IP Packets and relay them to the correct destination.
3. Stateful Multiplayer Inspection:
-
High level Security technique
Better security, faster and easy to use firewalls
Uses traffic screen algorithm
Each packet is examined (from Application Layer to Data Link Layer) and
compared against known states of familiar packets
Closes all ports and opens up temporary dynamic ports for establishing
temporary connection
Works in conjunction with Proxy Servers
ROUTERS:

Since Routers operate at the Network Layer and examine each packet, it is cost
effective to implement security software right inside the Routers or incorporate an
additional encrypting co-processor on the Router.
Routers are available in the Industry with security features and encryption
capabilities and support both transport mode and Tunnel mode IP Security.
They work with some kind of authentication system to create a secure VPN
Only drawback is that if the Router fails, the access to the VPN is temporarily
interrupted.



Other Special Security Hardware:



Another solution is to insert special tunneling and encryption hardware between
the Network Routers and the WAN links. These devices are called Encrypting
Bridges.
They can be used for either LAN-to-LAN configuration or Client to LAN
tunneling.
Fig 6-8 P200 N shows a Rack mounted Router and a desktop Firewall
VPN Software:



Several protocols are available today to provide VPN using the Internet as an
Enterprise Networking backbone. These protocols establish private secure
channels between the connected systems using Internet.
Three of them operate at the Data Link Layer and one operates at the Network
Layer
Data link Layer Tunneling Protocols are listed below
1. Microsoft’s Point-to-Point Tunneling Protocol (PPTP)
2. Cisco’s Layer 2 forwarding protocol (L2F)
Hyder Khoja
Page 4
2/17/2016
3. A combination of two called Layer 2 tunneling Protocol (L2TP)
Network Layer Tunneling Protocol:


IPSec (IP Security) protocol developed by the Internet Engineering task
Force (IETF)
Fig 6-9 P201 N shows how tunneling Protocols are used to create secure
VPNS.
PPTP: ( See Fig 6-10 P202 N)







Provides a secure dialed up connection between a Client computer and the Private
corporate Network over the Internet through ISPS.
First a PPP connection is made between the client and the Remote Host using PPP
by dialing into an ISP
The ISP then creates a second connection between the Client and the PPTP Server
at the Remote site over the existing PPP connection.
The Client runs PPP and PPTP and the ISP maintains a Windows NT Server
running RAS (Remote Access Server).
ISP then creates a secure virtual tunnel between the Client machine and the
corporate private Network.
A VPN can also be established permanently across the Internet by leasing
dedicated lines to an ISP at each end of 2 way link and maintaining on-going
PPTP based connection across the dedicated links on both sides
ISP also uses RADIUS (Remote Authentication Dialed-in Users Service) for
authentication.
L2FP:






Developed by Cisco
Authentication is provided by the user not the ISP
Corporation is responsible for managing Addresses
Accounting is provided by both the User and the ISP
The idea is to tunnel the user directly to the corporate site and let the corporate
gateway perform most of the functions. ISP is given minimal responsibility
See fig 6-12 P204 N
Hyder Khoja
Page 5
2/17/2016
L2TP:









Next generation of VPN solution
Combination of PPTP and L2F
Can be used for other protocols as well such as ATM, FR etc.
See fig 6-11 P203 N
Provides 2 levels of Authentication, one at the ISP level by the ISP prior to setting
up the tunnel and the second when the connection is set up at the corporate
Gateway
Provides multiple connections on the same tunnel
Provides different QoS parameters for different tunnels for the same site
Provides tighter security by incorporating IP Sec’s Encrypting Security Payload
(ESP) for encrypting packets over PPP between the user and the ISP
Most of the vendors today are incorporating L2TP in their products.
IPSec (IP Security):






Provides Data privacy, Authentication, integrity, management capability and
Tunneling
Uses 2 different Headers for IP Packets- An Authentication header (AH) for
Authentication and an ESP (Encrypting Security Payload) for Encryption.
Also uses an SA ( Security Association ) for Key Management.
Exchanges keys to create Security associations between VPN sites based on
Cryptographic Algorithms that will be used for a sessions
Provides Internet Key Exchange (IKE) or ISAKMP/OAKLEY (Internet Security
Association Key Management Protocol) for automatic Key management
Resides in hosts, mobile clients (for clients to LAN connection), security
gateways (for LAN-to-LAN connection
VPN Deployments and Implementation:
1. Over a shared public ATM Network: See fig 6-13 P205 N
2. Virtual Dial Up: See fig 6-14 P207 N
VPN Standards:
1. Microsoft has incorporated PPTP in its Windows NT Server which is usually
installed on a Companies firewall
2. Cisco has implemented NAS (Network Access Server) in the IOS
(Internetworking Operating System) on its Routers to provide a virtual dialed up
functionality using L2FP
VPN Applications:
1. Economical for large corporations with a lot of on-net calling ( eg over
200,000minutes/month)
Hyder Khoja
Page 6
2/17/2016
2.
3.
4.
5.
6.
Multiple locations with T1-Lines
Remote access
ISP Access
Mobile Workstations
Tie line dialing such as extension number dialing
VPN Providers
1. NetCom, UUNET, MCI, IPASS, GTE, AT&T
VPN Vendors
Lucient, Nortel, VPNet Technologies, Microsoft, CISCO, 3COM, IBM, NOVELL, NEC
VPN Cryptography: I will present only an overview of Cryptography and IPSec as this
is not a course in IP Security. IP Security is specified in RFC 2401 and a good discussion
of Cryptography and IP Sec appears in Timothy, 2nd edition P 680-686.
1. Hashing: Refers to one way Key, common Protocols are HMAC, MD2,
MD4, SHA
2. Key Cryptography: SKC- Secret Key Cryptography:- Two way
symmetric cryptography used for privacy and confidentiality. Common
Protocols employing this technique are DES, 3DES, RC4, RC5 and few
others.
3. Public Cryptography:


Uses 2 different Keys- one private used by the sender and one
public used by the Receiver to decode.
RSA (Rivest, Shamir and Alderman) is a popular protocol that uses
public Cryptography
4. Authenticity Certificates
5. Digital Signatures
Hyder Khoja
Page 7
2/17/2016
Related documents
Peplink SpeedFusion
Peplink SpeedFusion
Chapter 13
Chapter 13
Establishment of the VPN connection with the
Establishment of the VPN connection with the
3.3d - mr-damon.com
3.3d - mr-damon.com
201193040347
201193040347
VPN_Request - ANS Group Plc
VPN_Request - ANS Group Plc
Ch. 6 - Teleworker Services - Information Systems Technology
Ch. 6 - Teleworker Services - Information Systems Technology
CS 2813 - Loyola College
CS 2813 - Loyola College
Download
advertisement