Chapter 6 -Virtual Private Network


NETWORK SECURITY

VIRTUAL PRIVATE NETWORK

Compiled from

CCNA Certification All-In-One For Dummies by Silviu Angelescu &

CCNA Cisco Certified Network Associate Study Guide, Seventh Edition (Exam 640-802) by Todd Lammle

CONTENTS

Introduction

VPN Data security

Types of VPNs

INTRODUCTION

A VPN is a private network established over a public network infrastructure, such as the Internet.

The main purpose of a VPN is to provide a cost-effective, secure, and highly scalable means of connecting remote sites.

The Internet is an open, public resource; sensitive corporate data that crosses it must therefore be protected.

VPNs provide methods to ensure that data is protected from eavesdropping, manipulation, and outright theft.

Establishing this virtual connection between two endpoints is known as tunneling.

VPN CONNECTION

VPN DATA SECURITY

VPNs must provide secure lines of communication by implementing the following security measures:

Access control: Denying unauthorized users access to the corporate network.

Data origin authentication: Verifying the identity of the sender to prevent spoofing and related attacks. In IPsec this is done with digital certificates or with pre-shared keys.

Data confidentiality: Ensuring that sensitive corporate data is not copied or read by unauthorized users (provided by encryption).

Data integrity: Ensuring that data reaches its destination unaltered while in transit over public infrastructure.

TYPES OF VPNS

Remote access VPNs: Allow remote users, such as telecommuters, to securely access the corporate network wherever and whenever they need to.

Site-to-site VPNs: Site-to-site VPNs, or intranet VPNs, allow a company to connect its remote sites to the corporate backbone securely over a public medium like the Internet, instead of requiring more expensive WAN connections such as Frame Relay.

Extranet VPNs (business partner VPNs): Allow an organization's suppliers, partners, and customers to be connected to the corporate network in a limited way for business-to-business (B2B) communications.

METHODS FOR VPN CREATION

A VPN can be implemented using either of the following methods:

IPsec – mainly used for site-to-site VPNs

Secure Sockets Layer (SSL) – mainly used for remote access VPNs

IPSEC VPNS

IPsec is a suite of Layer 3 (network layer) protocols that secures IP traffic between communication endpoints.

IPsec provides data confidentiality (encryption), data integrity, and authentication between communication endpoints across IP-based networks.

The two primary security protocols used by IPsec are Authentication Header (AH) and Encapsulating Security Payload (ESP).

AH provides data origin authentication and integrity for the payload and for the IP header itself, using a keyed one-way hash (an HMAC) computed over the packet. The header fields that legitimately change in transit (such as TTL) are excluded from the hash; because the addresses are covered, AH does not survive NAT.

ESP provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and limited traffic-flow confidentiality. Its integrity check covers the ESP header, payload, and trailer but not the outer IP header.
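To make the difference in header coverage concrete, the following added example (not from the source books, written for this page) builds a simplified IPv4 packet carrying AH and one carrying ESP, computes the integrity check value (ICV) the way each protocol defines it, and then simulates in-transit changes. The key, addresses and packet contents are constructed for the demo; the ICV is HMAC-SHA-256 truncated to 128 bits (RFC 4868), and ESP's encrypted payload is represented by constructed bytes rather than real ciphertext.

```python
import hmac
import hashlib
import struct

# Constructed demo key; in a real security association the key is negotiated by IKE.
AUTH_KEY = bytes.fromhex("0f" * 32)
ICV_LEN = 16            # HMAC-SHA-256-128 (RFC 4868): 256-bit MAC truncated to 128 bits
AH, ESP = 51, 50        # IP protocol numbers


def ipv4_header(src: str, dst: str, proto: int, ttl: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header, no options (header checksum left zero for brevity)."""
    def addr(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, addr(src), addr(dst))


def zero_mutable(hdr: bytes) -> bytes:
    """RFC 4302 3.3.3.1: fields that change in transit (DSCP/ECN, Flags, Fragment Offset,
    TTL, Header Checksum) are zeroed before the AH ICV is computed or verified."""
    h = bytearray(hdr)
    h[1] = 0                  # DSCP/ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def mac(data: bytes) -> bytes:
    return hmac.new(AUTH_KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(src: str, dst: str, ttl: int, payload: bytes, spi: int = 0x1000, seq: int = 1) -> bytes:
    """IP | AH(next header, length, reserved, SPI, seq, ICV) | payload.
    The ICV covers the IP header (mutable fields zeroed), the AH header with a zeroed ICV, and the payload."""
    ah_fields = struct.pack("!BBHII", 17, 5, 0, spi, seq)   # next header = UDP; length = (12+16)/4 - 2
    hdr = ipv4_header(src, dst, AH, ttl, 20 + 12 + ICV_LEN + len(payload))
    icv = mac(zero_mutable(hdr) + ah_fields + b"\x00" * ICV_LEN + payload)
    return hdr + ah_fields + icv + payload


def verify_ah_packet(pkt: bytes) -> bool:
    hdr, ah_fields, icv, payload = pkt[:20], pkt[20:32], pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(icv, mac(zero_mutable(hdr) + ah_fields + b"\x00" * ICV_LEN + payload))


def build_esp_packet(src: str, dst: str, ttl: int, ciphertext: bytes, spi: int = 0x2000, seq: int = 1) -> bytes:
    """IP | ESP(SPI, seq) | encrypted payload + trailer | ICV.
    The ICV covers only the ESP header, the ciphertext and the trailer; the outer IP header is unprotected.
    `ciphertext` is constructed bytes standing in for the real encrypted payload and trailer."""
    esp_hdr = struct.pack("!II", spi, seq)
    hdr = ipv4_header(src, dst, ESP, ttl, 20 + 8 + len(ciphertext) + ICV_LEN)
    return hdr + esp_hdr + ciphertext + mac(esp_hdr + ciphertext)


def verify_esp_packet(pkt: bytes) -> bool:
    body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, mac(body))


def rewrite(pkt: bytes, offset: int, value: bytes) -> bytes:
    """Simulate an on-path change: router TTL decrement (offset 8), NAT source rewrite (offset 12), tampering."""
    return pkt[:offset] + value + pkt[offset + len(value):]


def demo() -> dict:
    payload = b"constructed UDP datagram"
    ah = build_ah_packet("10.1.1.1", "10.2.2.2", 64, payload)
    esp = build_esp_packet("10.1.1.1", "10.2.2.2", 64, b"constructed ciphertext+trailer")
    nat_src = bytes([198, 51, 100, 7])
    return {
        "ah_original": verify_ah_packet(ah),
        "ah_after_ttl_decrement": verify_ah_packet(rewrite(ah, 8, bytes([63]))),   # mutable: still valid
        "ah_after_nat": verify_ah_packet(rewrite(ah, 12, nat_src)),                # address covered: fails
        "ah_after_payload_tamper": verify_ah_packet(rewrite(ah, len(ah) - 4, b"XXXX")),
        "esp_after_nat": verify_esp_packet(rewrite(esp, 12, nat_src)),             # header not covered: valid
        "esp_after_ciphertext_tamper": verify_esp_packet(rewrite(esp, 28, b"ZZZZ")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verified' if ok else 'REJECTED'}")
```

The AH packet still verifies after a router decrements the TTL but fails once a NAT device rewrites the source address, while the ESP packet survives the same NAT rewrite because its ICV never covered the IP header. That is exactly why AH cannot be used across NAT and why ESP (with NAT traversal) is the protocol deployed in practice.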

IPSEC HEADER IN TUNNEL MODE

ESP

Confidentiality: Confidentiality is provided by a symmetric encryption algorithm. The source texts list DES and 3DES; DES is no longer considered secure and 3DES is deprecated, so AES should be used today. Confidentiality can be selected independently of the other services, but the algorithm chosen must be the same on both endpoints of the VPN.

Data origin authentication and connectionless integrity: These are joint services, offered as an option alongside the likewise optional confidentiality. Encryption without integrity protection is strongly discouraged, because ciphertext that is not authenticated can be manipulated without detection.

Anti-replay service: The anti-replay service can only be used if data origin authentication is selected, because the sequence number must itself be integrity-protected. Anti-replay is enforced by the receiver: the service is effective only if the receiver actually checks the sequence number against its replay window.
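The receiver-side sliding window described above, as an added example that is not part of the source texts: it implements the RFC 4303 anti-replay window (default size 64) and feeds it a constructed packet stream containing a reordered packet, a replayed packet, a packet that has fallen out of the window, and a forged packet. The ICV is verified before the window is consulted, so an attacker without the key cannot advance or poison the window; the authentication key and packet format are constructed for the demo.

```python
import hmac
import hashlib
import struct

AUTH_KEY = b"constructed-esp-auth-key-not-for-production"   # assumed demo key
ICV_LEN = 16                                                # truncated HMAC-SHA-256 ICV
WINDOW = 64                                                 # default anti-replay window (RFC 4303 3.4.3)


def make_packet(seq: int, payload: bytes) -> bytes:
    """Constructed ESP-like record: 32-bit sequence number | payload | ICV over both."""
    body = struct.pack("!I", seq) + payload
    return body + hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:ICV_LEN]


class AntiReplayWindow:
    """Receiver-side sliding window (RFC 4303 3.4.3 and Appendix A).
    `top` is the highest sequence number accepted so far; bit i of `bitmap` records whether top-i was received."""

    def __init__(self, size: int = WINDOW):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check(self, seq: int) -> str:
        if seq == 0:
            return "stale"            # sequence number 0 is never sent on an anti-replay SA
        if seq > self.top:            # new high-water mark: slide the window to the right
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1       # jumped past the whole window: older history is forgotten
            self.top = seq
            return "ok"
        diff = self.top - seq
        if diff >= self.size:
            return "stale"            # older than the window: cannot tell if it was seen, so drop it
        if (self.bitmap >> diff) & 1:
            return "replay"           # already accepted once
        self.bitmap |= 1 << diff      # late but legitimate (reordered) packet
        return "ok"


def receive(packets, check_replay: bool = True) -> list:
    """Process an inbound stream and return (seq, verdict) pairs.
    The ICV is verified BEFORE the window is updated, so forged sequence numbers never touch window state."""
    window = AntiReplayWindow()
    verdicts = []
    for pkt in packets:
        body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
        seq = struct.unpack("!I", pkt[:4])[0]
        if not hmac.compare_digest(icv, hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:ICV_LEN]):
            verdicts.append((seq, "bad-icv"))
            continue
        verdicts.append((seq, window.check(seq) if check_replay else "ok"))
    return verdicts


# Constructed inbound stream: 1,2,3,5 arrive; an attacker replays 2; 4 arrives late (reordered);
# the sender jumps to 100; the attacker replays 3 (now outside the window); finally a forged packet.
PKT = {s: make_packet(s, b"payload-%d" % s) for s in (1, 2, 3, 4, 5, 100)}
FORGED = struct.pack("!I", 9999) + b"forged" + b"\x00" * ICV_LEN
STREAM = [PKT[1], PKT[2], PKT[3], PKT[5], PKT[2], PKT[4], PKT[100], PKT[3], FORGED]

if __name__ == "__main__":
    for seq, verdict in receive(STREAM):
        print(seq, verdict)
    print("replayed seq 2 when the receiver skips the check:", receive(STREAM, check_replay=False)[4][1])
```

Running the same stream with check_replay=False accepts the replayed packet, which is the point of the source's remark that the service is effective only if the receiver checks the sequence number: the sender cannot enforce anti-replay on its own.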

ENCRYPTION

IPsec uses both symmetric and asymmetric cryptography.

Symmetric encryption: Requires a shared secret key. Each endpoint encrypts data before sending it across the network, and the same key is used both to encrypt and to decrypt.

Examples of symmetric key algorithms are Data Encryption Standard (DES), triple DES (3DES), and Advanced Encryption Standard (AES); of these, only AES is still considered secure.

Asymmetric encryption: Devices that use asymmetric encryption use a different key for encryption than for decryption. These keys are called the private key and the public key.

A private key signs a hash of the message to create a digital signature, which anyone holding the corresponding public key can verify.

A public key can encrypt a symmetric key for secure distribution to the receiving host, which decrypts it with its exclusively held private key. Note that IPsec itself does not distribute session keys this way: IKE derives them from a Diffie-Hellman exchange, and public keys (certificates) are used to authenticate the peers rather than to transport keys.
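As an added example (not from the source texts) of how IPsec session keys are actually derived, the following Python runs a Diffie-Hellman exchange between two peers and feeds the result through the IKEv2 key derivation of RFC 7296 (SKEYSEED and prf+), producing per-direction integrity and encryption keys. The group is a toy one chosen for this demo (the Mersenne prime 2^127-1 with generator 3), not a standard IKE group; the key set is simplified to SK_ai, SK_ar, SK_ei and SK_er; the PRF is HMAC-SHA-256.

```python
import hmac
import hashlib
import secrets

# Toy Diffie-Hellman group for illustration only (assumed for this demo, not a standard IKE group):
# the Mersenne prime 2**127 - 1 with generator 3. Real IKE uses standardised groups such as the
# 2048-bit MODP group 14 (RFC 3526); a 127-bit prime offers no meaningful security.
P = (1 << 127) - 1
G = 3
KEY_LEN = 32   # bytes per derived key (e.g. HMAC-SHA-256 integrity key, AES-256 encryption key)


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv2 PRF instantiated as HMAC-SHA-256 (PRF_HMAC_SHA2_256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 2.13: T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n); output is T1|T2|..."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


class Peer:
    """One IKE peer: a random private exponent, its public value g^x mod p, a nonce and an SPI."""

    def __init__(self, spi: bytes):
        self.spi = spi
        self.nonce = secrets.token_bytes(32)
        self.priv = secrets.randbelow(P - 3) + 2       # x in [2, P-2], never leaves this peer
        self.pub = pow(G, self.priv, P)                # KE payload, sent in the clear in IKE_SA_INIT

    def shared_secret(self, peer_pub: int) -> bytes:
        """g^ir = (g^y)^x mod p: never transmitted, computed independently by each side."""
        return pow(peer_pub, self.priv, P).to_bytes(16, "big")


def derive_keys(ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes, g_ir: bytes) -> dict:
    """RFC 7296 2.14, simplified to four keys:
    SKEYSEED = prf(Ni | Nr, g^ir); {SK_ai, SK_ar, SK_ei, SK_er} = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr)."""
    skeyseed = prf(ni + nr, g_ir)
    km = prf_plus(skeyseed, ni + nr + spi_i + spi_r, 4 * KEY_LEN)
    names = ("SK_ai", "SK_ar", "SK_ei", "SK_er")      # integrity and encryption keys, one per direction
    return {name: km[i * KEY_LEN:(i + 1) * KEY_LEN] for i, name in enumerate(names)}


def ike_sa_init() -> tuple:
    """Run the exchange; returns (initiator keys, responder keys, what an eavesdropper sees on the wire)."""
    i = Peer(spi=bytes.fromhex("0000000000000001"))
    r = Peer(spi=bytes.fromhex("0000000000000002"))
    wire = {"SPIi": i.spi, "SPIr": r.spi, "Ni": i.nonce, "Nr": r.nonce, "KEi": i.pub, "KEr": r.pub}
    keys_i = derive_keys(i.nonce, r.nonce, i.spi, r.spi, i.shared_secret(r.pub))
    keys_r = derive_keys(i.nonce, r.nonce, i.spi, r.spi, r.shared_secret(i.pub))
    return keys_i, keys_r, wire


if __name__ == "__main__":
    ki, kr, wire = ike_sa_init()
    print("both peers derived the same keys:", ki == kr)
    print("SK_ei:", ki["SK_ei"].hex())
```

Nothing in `wire` lets an observer recompute g^ir, so the symmetric keys are never transported in any form; this is also why the peers must still authenticate each other (with certificates or a pre-shared key) after the exchange, since Diffie-Hellman alone gives no assurance about who is on the other end.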

ADVANTAGES OF IPSEC

Performance: Only IP packets traversing public (insecure) networks are encrypted. This provides high performance by only encrypting necessary data between insecure networks.

Network layer security: IPsec operates at the network layer and does not require modification of TCP/IP applications to secure them.

Scalability: IPsec VPNs may be implemented over any IP-capable network backbone such as the Internet. Simple deployment also provides organizations with operational cost reductions.

Versatile: Implements various security mechanisms such as data authentication, encryption, digital integrity checking, and replay protection, which prevents duplication of old transactions and mitigates denial of service attacks.

Universal acceptance: IPsec is an industry-recognized IETF standard and is supported by most operating systems.

Application independence: IPsec is transparent to applications (and upper OSI layers) and is not assigned to any one specific application.

IPSEC DISADVANTAGES

Performance: IPsec may require large amounts of processing power on the VPN endpoints (gateways) to encrypt, decrypt, and authenticate traffic.

Security: IPsec is only as secure as its key management. A compromised pre-shared key or private key removes the security benefits of IPsec for every connection that key protects.

Complexity: The vast configuration options of IPsec make it flexible but also complex. Configuration errors (for example, a weak cipher, a mismatched transform set, or an overly broad traffic selector) can expose the corporate network to unnecessary risk and introduce weaknesses in the VPN.

Firewall restrictions: Connecting to the organization's network from an off-site location may not be possible if an intermediate firewall blocks IPsec traffic: UDP port 500 (IKE), UDP port 4500 (NAT traversal), or IP protocols 50 (ESP) and 51 (AH).

Management: When IPsec uses digital signature (certificate) authentication, it relies on a public key infrastructure (PKI). PKI requires considerable implementation planning and administrative management.

SSL VPNS

SSL (today standardized as TLS) runs on top of TCP at Layer 4 (transport) of the OSI model and is most commonly used to authenticate and encrypt Hypertext Transfer Protocol (HTTP) traffic, that is, HTTPS.

By allowing secure VPN communications from any standard Web browser between the internal corporate network and the remote user, SSL eliminates the IPsec requirement to install third-party VPN client software.

SSL ADVANTAGES

Interoperability: SSL is supported by a variety of device and software manufacturers and allows operability between different vendors and applications.

Management: SSL makes deployment, management, and administration tasks simple and effective. No additional client software installation is required.

Cost: The clientless architecture of SSL allows a cheaper deployment alternative than IPsec-based VPNs. No special client software licenses or other expensive hardware is needed.

Granular structure: Provides finely detailed client access policies based on user identity and profile. This allows an administrator to be very specific when defining the corporate VPN. SSL allows narrowing down authenticated user access to specific data, applications, and servers.

Firewall and NAT operation: SSL uses TCP port 443 (HTTPS), which is open on most networks, allowing SSL VPNs to operate without extra administrative overhead.

Security: By only allowing access to specific applications rather than to the whole network, the attack surface exposed to a remote user is reduced and the impact of a compromised client is limited.

Application layer functionality: Unlike IPsec, which operates at the OSI network layer, SSL eliminates IP-based address management problems by operating at the transport layer and provides services to the upper layers.

REFERENCES

Angelescu, Silviu. "Chapter 4 - Introducing Virtual Private Networks (VPNs)". CCNA Certification All-In-One For Dummies. John Wiley & Sons, 2010. Books24x7. <http://common.books24x7.com/toc.aspx?bookid=40605> (accessed April 16, 2012)

Lammle, Todd. "Chapter 16 - Wide Area Networks". CCNA Cisco Certified Network Associate Study Guide, Seventh Edition (Exam 640-802). Sybex, 2011. Books24x7. <http://common.books24x7.com/toc.aspx?bookid=41059> (accessed April 16, 2012)
