CORNELL CS 514 - Lecture 21 VPNs and other network-level security concepts
CS514: Intermediate Course in Computer Systems
Lecture 21: Nov 5, 2003
"VPNs and other network-level security concepts"

VPN Taxonomy
[Diagram: a tree, reconstructed from its labels. The same slide is shown again before each section of the deck with the branch under discussion highlighted.]
VPN
  End-to-end
    Provider-based: Compulsory, Voluntary
    Customer-based: Secure, Non-secure
  Network
    Provider-based
      L3: Virtual Router, BGP/MPLS
      L2: ATM, Frame Relay, LAN
    Customer-based: Secure, Non-secure

What is a VPN?
- Making a shared network look like a private network
- Why do this?
  - Private networks have all kinds of advantages (we'll get to that)
  - But building a private network is expensive (cheaper to have shared resources rather than dedicated ones)

History of VPNs
- Originally a telephone network concept
  - Separated offices could have a phone system that looked like one internal phone system
- Benefits?
  - Fewer digits to dial
  - Could have different tariffs (the company didn't have to pay for individual long-distance calls)
  - Came with its own blocking probabilities, etc. (service guarantees better, or worse, than the public phone service)

Original data VPNs
- Lots of different network technologies in those days
  - DECnet, AppleTalk, SNA, XNS, IPX, ...
  - None of these were meant to scale to global proportions
  - Virtually always used in corporate settings
- Providers offer virtual circuits between customer sites
  - Frame Relay or ATM
  - A lot cheaper than dedicated leased lines
- Customer runs whatever network technology over these
- These still exist (but are being replaced by IP VPNs)

Advantages of original data VPNs
- Repeat: a lot cheaper than dedicated leased lines
  - Corporate users had no other choice
  - This was the whole business behind Frame Relay and ATM services
- Fine-grained bandwidth tariffs
- Bandwidth guarantees
  - Service Level Agreements (SLAs)
- "Multi-protocol"

Frame Relay VPN example
[Diagram: a cloud of Frame Relay switches (FR) with customer equipment (CE) attached at the edge. CE = Customer Equipment, FR = Frame Relay.]

Define circuits CE to CE (for a given customer, shown in purple)
[Diagram: the customer's four sites CE1..CE4; virtual circuits numbered 24, 31 and 12 run between them through the FR cloud.]

Customer establishes routing tables (per protocol)
[Same diagram; the table at CE1 maps each destination site to the circuit that reaches it:]
  dest   circuit
  CE2    24
  CE3    12
  CE4    31

Provider provisions underlying network
- Provider does a queueing analysis of the load through each link, determines throughput characteristics, and gives service guarantees to customers accordingly.

How has the world changed?
- Everything is IP now
  - Some old stuff still around, but most data networks are just IP
- So, why do we still care about VPNs???

IP VPN benefits
- IP not really global (private addresses)
  - VPN makes separated IP sites look like one private IP network
- Security
- Bandwidth guarantees across the ISP
  - QoS, SLAs
- Simplified network operation
  - ISP can do the routing for you

End-to-end VPNs
- Solves the problem of how to connect remote hosts to a firewalled network
  - Security and private-address benefits only
  - Not the simplicity or QoS benefits
[Diagram: remote hosts out on the Internet, each with an IPsec tunnel to the site's FW/VPN box; behind it sit the site hosts on the private network.]

End-to-end VPNs: configuration
- Remote host is configured with: VPN IP addr 20.1.1.1, user name joe, password Rtu44!+3wyZ
- FW/VPN at 20.1.1.1 holds the user table: joe: Rtu44!+3wyZ, sally: 5Yee#34hB!2
- More likely an AAA or LDAP backend has the passwords, rather than the VPN gateway itself

End-to-end VPNs: host gets local IP address
- The remote host first gets an ordinary address from its local DHCP router: 30.1.1.1 (the FW/VPN's public address is 20.1.1.1)

End-to-end VPNs: host connects to VPN
- IPsec session set up from 30.1.1.1 to the FW/VPN
- VPN authenticates the remote host through a backend database (RADIUS or LDAP)

End-to-end VPNs: VPN assigns site address
- The remote host receives a site-internal address, 10.1.1.1
- Done as a proprietary enhancement to IPsec, or with PPP (over IPsec). (IKEv2 later standardized this as the Configuration Payload; L2TP/IPsec is the PPP route.)

End-to-end VPNs: packets tunneled over IPsec
- Inner packet, remote host to site host: 10.1.1.1 -> 10.1.1.2 (site addresses)
- Outer packet on the Internet: 30.1.1.1 -> 20.1.1.2 (public addresses; the gateway end is labelled 20.1.1.2 on this slide)
- The FW/VPN terminates the IPsec tunnel and forwards 10.1.1.1 -> 10.1.1.2 into the site
- Some VPN clients are smart enough to avoid sending non-VPN traffic through the VPN tunnel: packets for a public host go directly ("this" on the slide) rather than through the site ("not this"). That is split tunneling; its cost is that the remote host is attached to the Internet and to the private network at the same time, so the site firewall no longer sees all of its traffic.

IPsec
- Two parts: session establishment (key exchange) and payload
- IKE/ISAKMP is session establishment
  - Negotiate encryption algorithms
  - Negotiate payload headers (AH, ESP)
  - Negotiate policies
- Payloads
  - AH: Authentication Header
    - Authenticates each packet but doesn't encrypt
    - Its integrity check covers the IP header, addresses included, so it fails as soon as a NAT rewrites an address
    - Has fallen out of favor (redundant and no more efficient than ESP with integrity, and doesn't work with NAT)
  - ESP: Encapsulating Security Payload
    - Encrypts and, when an integrity algorithm is selected (in practice always), authenticates the encrypted payload; its integrity check does not cover the outer IP header

IPsec transmission modes: transport or tunnel mode
- Transport mode: IP | IPsec (ESP or AH) | TCP/UDP | transport data. Used when the IPsec tunnel is end-to-end (host to host).
- Tunnel mode: IP | IPsec (ESP or AH) | IP | TCP/UDP | transport data. Used when the IPsec tunnel is not end-to-end (for example host to gateway). Hides the IP identity of the endpoints, since the inner IP header sits inside the protected payload.

New IPsec transmission modes
- An extra layer of UDP allows IPsec to work over NAT:
  - Transport: IP | UDP | IPsec | TCP/UDP | transport data
  - Tunnel: IP | UDP | IPsec | IP | TCP/UDP | transport data
- A NAT needs transport-layer ports to multiplex on, and raw ESP has none; the UDP header supplies them. This was standardized as UDP encapsulation of ESP on port 4500 (RFC 3948). AH cannot be rescued this way because the address rewrite itself breaks its integrity check.

End-to-end VPNs: host gets local IP address (provider-based, compulsory tunnel)
[Diagram: remote host, its access router, an AAA server and the site FW/VPN; the access router reaches the FW/VPN over IPsec or GRE or L2TP; the remote host holds 30.1.1.1.]
1. Remote host connects to the Internet (dialup PPP, or PPPoE (cable), or DSL)
2. If PPP, AAA tells the access router to tunnel the user to the VPN. (If not PPP, the access router uses local configuration.)
3. Tunnel pre-established (or packets forwarded over a pre-established tunnel)
Compulsory if Access
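The "host connects to VPN" slides above have the FW/VPN gateway hand joe's credentials to a RADIUS backend and act on the answer. The following is an added example written for this page, not code from the lecture: it implements the RFC 2865 Access-Request/Access-Accept exchange between a gateway and its AAA server, including the User-Password hiding (an MD5 keystream derived from the shared secret and the Request Authenticator) and the Response Authenticator the gateway must verify before trusting an Accept. The shared secret, packet identifiers and the `USERS` table are constructed values; the function names are this example's own.

```python
"""RADIUS exchange between a VPN gateway (NAS) and its AAA backend, per RFC 2865.

Added example for this lecture, not code from the CS514 slides. It implements the
User-Password hiding (MD5 keystream from the shared secret and the Request
Authenticator) and the Response Authenticator the gateway must verify before it
trusts an Access-Accept. The shared secret, packet identifiers and the user table are
constructed test values; joe and sally are the users on the slide.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
SHARED_SECRET = b"constructed-gateway-aaa-secret"        # assumption: per-NAS shared secret
USERS = {b"joe": b"Rtu44!+3wyZ", b"sally": b"5Yee#34hB!2"}  # constructed backend table


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: c1 = p1 XOR MD5(S + RA), c_i = p_i XOR MD5(S + c_{i-1})."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    blocks = max(1, -(-len(password) // 16))            # at least one 16-octet block
    padded = password.ljust(16 * blocks, b"\0")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += prev
    return out


def unhide_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]                         # chain on the cipher block, not plaintext
        out += bytes(x ^ y for x, y in zip(prev, b))
    return out.rstrip(b"\0")                            # strip the NUL padding


def attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, 2 + len(value)]) + value


def parse_attrs(data: bytes) -> dict:
    out, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out[t] = data[i + 2:i + length]
        i += length
    return out


def header(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH16s", code, ident, 20 + len(attrs), authenticator)


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes) -> bytes:
    request_auth = os.urandom(16)                       # fresh per request, never reused
    attrs = attr(ATTR_USER_NAME, username) + attr(ATTR_USER_PASSWORD, hide_password(secret, request_auth, password))
    return header(ACCESS_REQUEST, ident, request_auth, attrs) + attrs


def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header(code, ident, request_auth, attrs) + attrs + secret).digest()


def aaa_server_handle(request: bytes, secret: bytes, users=USERS) -> bytes:
    """Backend side: recover the password, look the user up, answer Accept or Reject."""
    code, ident, length, request_auth = struct.unpack("!BBH16s", request[:20])
    attrs = parse_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    given = unhide_password(secret, request_auth, attrs.get(ATTR_USER_PASSWORD, b""))
    ok = code == ACCESS_REQUEST and user in users and hmac.compare_digest(users[user], given)
    verdict = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return header(verdict, ident, response_authenticator(verdict, ident, b"", request_auth, secret), b"")


def gateway_accepts(request: bytes, response: bytes, secret: bytes) -> bool:
    """Gateway side: an Accept counts only if its ID matches and its authenticator verifies."""
    req_ident, request_auth = request[1], request[4:20]
    code, ident, length, resp_auth = struct.unpack("!BBH16s", response[:20])
    if ident != req_ident or length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:], request_auth, secret)
    return hmac.compare_digest(resp_auth, expected) and code == ACCESS_ACCEPT


def authenticate(username: bytes, password: bytes, secret: bytes = SHARED_SECRET, ident: int = 7) -> bool:
    """Full round trip as the FW/VPN would run it against its RADIUS backend."""
    request = build_access_request(ident, username, password, secret)
    return gateway_accepts(request, aaa_server_handle(request, secret), secret)


def forged_accept(ident: int) -> bytes:
    """An Access-Accept from someone who does not know the shared secret."""
    return header(ACCESS_ACCEPT, ident, b"\0" * 16, b"")


if __name__ == "__main__":
    print("joe, right password:", authenticate(b"joe", b"Rtu44!+3wyZ"))
    print("joe, wrong password:", authenticate(b"joe", b"Rtu44!+3wyz"))
    req = build_access_request(9, b"sally", b"5Yee#34hB!2", SHARED_SECRET)
    print("forged Accept without the secret:", gateway_accepts(req, forged_accept(9), SHARED_SECRET))
```

The check in `gateway_accepts` is the one that matters operationally: a gateway that acts on the Code byte alone can be fed an Access-Accept by anyone on the path between it and the AAA server, which is why the shared secret must be strong and the Response Authenticator must be verified on every reply.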
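The IPsec slides above make three claims that are easiest to see in bytes: AH fails behind a NAT, ESP does not, and tunnel mode hides the inner addresses from the outer network. The following is an added example written for this page, not code from the lecture: it builds minimal AH and ESP packets with the real RFC 4302/4303 header layouts, simulates a source NAT rewriting the outer address, and wraps ESP in the UDP/4500 framing of RFC 3948. It uses ESP-NULL (RFC 2410, integrity without encryption) so that it runs on the standard library alone; the key, addresses, HMAC-SHA1-96 choice and function names are this example's own assumptions.

```python
"""IPsec framing sketch: AH vs ESP, transport vs tunnel mode, and NAT traversal.

Added example for this lecture, not code from the CS514 slides. Header layouts follow
RFC 4302 (AH) and RFC 4303 (ESP); the ESP "cipher" is ESP-NULL (RFC 2410: integrity
only) so that the script runs on the standard library alone. Keys, addresses and payload
bytes are constructed test values.
"""
import hashlib
import hmac
import struct

INTEG_KEY = b"constructed-test-key-not-for-real-use"   # assumption: one shared SA key
ICV_LEN = 12                                           # HMAC-SHA1-96 truncation
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 4, 6, 17, 50, 51
NAT_T_PORT = 4500                                      # ESP-in-UDP port (RFC 3948)


def ip_bytes(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))

def ip_str(raw: bytes) -> str:
    return ".".join(map(str, raw))

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; the IP checksum is left at zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ip_bytes(src), ip_bytes(dst))

def icv(data: bytes) -> bytes:
    return hmac.new(INTEG_KEY, data, hashlib.sha1).digest()[:ICV_LEN]


# AH (transport mode): the ICV covers the IP header, source/destination addresses included.
def _ah_icv_input(ip: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    # RFC 4302: mutable fields (TOS, flags/fragment, TTL, checksum) are zeroed before
    # hashing; the addresses are immutable and stay covered, which is what a NAT breaks.
    m = bytearray(ip)
    m[1] = 0; m[6:8] = b"\0\0"; m[8] = 0; m[10:12] = b"\0\0"
    return bytes(m) + ah_fixed + b"\0" * ICV_LEN + payload

def ah_transport(src: str, dst: str, next_header: int, payload: bytes, spi=0x1001, seq=1) -> bytes:
    ah_fixed = struct.pack("!BBHII", next_header, 4, 0, spi, seq)  # len field: 24 bytes/4 - 2
    ip = ipv4_header(src, dst, IPPROTO_AH, len(ah_fixed) + ICV_LEN + len(payload))
    return ip + ah_fixed + icv(_ah_icv_input(ip, ah_fixed, payload)) + payload

def ah_verify(pkt: bytes) -> bool:
    ip, ah_fixed, tag, payload = pkt[:20], pkt[20:32], pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(tag, icv(_ah_icv_input(ip, ah_fixed, payload)))


# ESP: the ICV covers only the ESP header, payload and trailer, never the outer IP header.
def esp(src: str, dst: str, next_header: int, payload: bytes, spi=0x2001, seq=1) -> bytes:
    pad_len = (-(len(payload) + 2)) % 4                 # ESP-NULL needs 4-byte alignment
    padding = bytes(range(1, pad_len + 1))              # RFC 4303 default pad bytes 1,2,3,...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    return ipv4_header(src, dst, IPPROTO_ESP, len(body) + ICV_LEN) + body + icv(body)

def esp_verify_and_strip(pkt: bytes, offset: int = 20):
    """Return (next_header, payload) if the ICV verifies, else None.
    offset is where ESP starts: 20 behind a bare IP header, 28 behind IP + NAT-T UDP."""
    body, tag = pkt[offset:-ICV_LEN], pkt[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(body)):
        return None
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[8:len(body) - 2 - pad_len]

def esp_tunnel(outer_src, outer_dst, inner_src, inner_dst, inner_proto, segment: bytes) -> bytes:
    """Tunnel mode: a complete inner IP packet is the ESP payload (next header = 4, IP-in-IP)."""
    inner = ipv4_header(inner_src, inner_dst, inner_proto, len(segment)) + segment
    return esp(outer_src, outer_dst, IPPROTO_IPIP, inner)

def inner_addresses(pkt: bytes, offset: int = 20):
    """Decapsulate a tunnel-mode packet and return the (src, dst) the outer network never saw."""
    next_header, inner = esp_verify_and_strip(pkt, offset)
    assert next_header == IPPROTO_IPIP
    return ip_str(inner[12:16]), ip_str(inner[16:20])


def nat_rewrite_src(pkt: bytes, new_src: str) -> bytes:
    """What a source NAT does: overwrite the outer source address (checksum fix-up omitted)."""
    return pkt[:12] + ip_bytes(new_src) + pkt[16:]

def nat_t_encapsulate(esp_pkt: bytes) -> bytes:
    """Wrap an ESP packet in UDP/4500 so a NAT has ports to translate (RFC 3948 framing)."""
    esp_part = esp_pkt[20:]
    udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp_part), 0)
    outer = ipv4_header(ip_str(esp_pkt[12:16]), ip_str(esp_pkt[16:20]), IPPROTO_UDP, 8 + len(esp_part))
    return outer + udp + esp_part


if __name__ == "__main__":
    seg = b"constructed TCP segment"
    ah = ah_transport("30.1.1.1", "20.1.1.2", IPPROTO_TCP, seg)
    print("AH verifies before NAT:", ah_verify(ah), "after NAT:", ah_verify(nat_rewrite_src(ah, "198.51.100.7")))
    tun = esp_tunnel("30.1.1.1", "20.1.1.2", "10.1.1.1", "10.1.1.2", IPPROTO_TCP, seg)
    print("inner addresses hidden by tunnel mode:", inner_addresses(tun))
    natted = nat_rewrite_src(nat_t_encapsulate(tun), "198.51.100.7")
    print("ESP still verifies behind NAT-T + NAT:", esp_verify_and_strip(natted, 28) is not None)
```

The two verification functions differ in exactly one respect, what the ICV is computed over, and that difference is the whole NAT story: `_ah_icv_input` feeds the outer addresses into the HMAC, `esp` never does. With a real cipher in place of ESP-NULL the inner 10.1.1.x header would also be unreadable on the wire, which is the "hides the IP identity of endpoints" point of tunnel mode.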