Outline: Virtual Private Networks and IPSec; What is a VPN?; Sidebar: What is tunneling?; Example: AppleTalk over IP Tunnel; What is a VPN? (cont…); What is a VPN? (cont…); Remote-Access Example; Site-to-Site Example; Why Use a VPN?; Why Use a VPN? (cont…); VPN Advantages; VPN Disadvantages; VPN Security; How are VPNs set up?; How are VPNs set up? (cont…); Slide 16; VPN via SSH & PPP; VPN via SSL & PPP; VPN via SSL & PPP (cont…); VPN via Concentrator; VPN via Concentrator (cont…); Other Methods; Other Methods (cont…); Intro to IPSec; Intro to IPSec (cont…); Slides 26–30; Resources; Resources (cont…)

Virtual Private Networks and IPSec
ECE 4112
ECE 4112 - Internetwork Security

What is a VPN?
• VPN stands for Virtual Private Network
• A method of ensuring private, secure communication between hosts over an insecure medium using tunneling
• Usually between geographically separate locations, but doesn't have to be
• Via tunneling and software drivers, the computer is logically directly connected to a network that it is not physically a part of

Sidebar: What is tunneling?
• Putting one type of packet inside another
• Both parties must be aware of the tunnel for it to work
• Example in next slide – AppleTalk over IP Tunnel

Example: AppleTalk over IP Tunnel
(diagram slide; no text)

What is a VPN? (cont…)
• Uses some means of encryption to secure communications
  – IPSec
  – SSH
  – Software could be written to support any type of encryption scheme
• Two main types of VPNs –
  – Remote-Access
  – Site-to-Site

What is a VPN? (cont…)
• Remote-Access
  – The typical example of this is a dial-up connection from home or for a mobile worker, who needs to connect to secure materials remotely
• Site-to-Site
  – The typical example of this is a company that has offices in two different geographical locations and wants to have a secure network connection between the two

Remote-Access Example
(diagram slide; no text)

Site-to-Site Example
(diagram slide; no text)

Why Use a VPN?
• Originally designed as an inexpensive alternative to a WAN over leased lines
• Now mostly used to securely connect computers over the internet
• Convenient
• Lots of cheap and convenient protocols are insecure (IP, 802.11, etc.)
  – Can now communicate securely over these insecure protocols

Why Use a VPN? (cont…)
• Example – it can simplify security
  (what is about to be proposed is not the most secure thing in the world – so don't raise your hands and tell how you would make it more secure… it's just an example)
  – Assume a simple security policy with IP-based access management – for example, an FTP server with site-licensed software on it for employees
  – Before VPN, complicated to allow access to the FTP site for telecommuters or traveling employees
    – Train all employees to use an SSH tunnel, etc…
  – After VPN, employees offsite can still connect using an internal IP address

VPN Advantages
• Improved Security
• Consolidation of Scattered Resources
• Transparency to Users
  – If set up properly
• Reduced Cost (vs. Leased Lines)

VPN Disadvantages
• Time-Consuming Setup
• Possibly Frustrating Troubleshooting
• Interoperability with other Networks/VPNs
• Small performance overhead
  – Should be negligible on today's hardware

VPN Security
• In academic terms, a VPN can provide Confidentiality, Integrity, and Authenticity
• Security against a determined hacker (read: academic attacks) depends largely upon the underlying protocols used
• Assuming the security of SSH, IPSec, or the other protocol used, it should be secure

How are VPNs set up?
• Many different types of setup
• Vary in:
  – Amount of hardware used vs. amount of software used
    – All hardware based
    – All software based
    – Mixed
  – Amount of transparency to the end user
    – Does the user even realize that they are using a VPN?

How are VPNs set up? (cont…)
• The following is not an exhaustive list
  – Gateway to gateway
    – Using two VPN-aware gateways
  – End host to gateway
    – End host uses VPN software
  – End host to end host
    – Both hosts use software
  – End host to concentrator

How are VPNs set up? (cont…)
• SSH over PPP
• SSL over PPP
• Concentrator using IPSec
• Others (PPTP, L2TP, etc.)

VPN via SSH & PPP
• Point-to-Point Protocol over a Secure Shell connection
• Establishing a Network Connection
  – Establish an SSH connection
    – VPN Client ↔ VPN Server
  – Each has a PPP daemon that will communicate through the SSH connection
  – Voilà! A VPN CONNECTION!

VPN via SSL & PPP
• Point-to-Point Protocol over a Secure Sockets Layer connection
• Secure Sockets Layer
  – Built-in support for Host Authentication
    – Certificates

VPN via SSL & PPP (cont…)
• Establishing a Network Connection
  – Initial Handshake for secure communication
    – "Hello" messages establish:
      – SSL Version, support for Cipher suites, and some random data
    – Key is determined separately from handshake
  – SSL Connection Complete!
  – Data transferred over the link

VPN via Concentrator
• What is a Concentrator?
  – A Concentrator is NOT a gateway or firewall
  – Specialized device that accepts connections from VPN peers
  – Authenticates clients
  – Enforces VPN security policies
  – Takes the overhead of VPN management and encryption off of gateways and local hosts

VPN via Concentrator (cont…)
• Steps to Establish VPN
  – Set up the Concentrator (add users, specify authentication mechanisms, set IP address ranges, etc.)
  – Install client software
  – Client runs the software when it wants to be on the VPN

Other Methods
• Point-to-Point Tunneling Protocol
  – Microsoft's Implementation of VPN
  – Data is first encapsulated inside PPP packets
  – PPP packets are then encapsulated in GRE packets and sent over the link
• PPTP uses two connections
  – One for the data being sent
  – Another for a control channel

Other Methods (cont…)
• Any technology can be used
  – Must have hardware or software to support it
• Another example: L2TP on Gateways
  – Layer 2 Tunneling Protocol
  – Supported by routers
  – If two routers support L2TP, and are properly configured, then
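The "one packet inside another" idea from the tunneling sidebar, and the PPP-inside-GRE layering the PPTP slide describes, carried through in working code. This is an added example, not material from the ECE 4112 slides: it builds an outer IPv4 header (protocol 47, GRE) around a plain RFC 2784 GRE header, a PPP frame and an inner IPv4 datagram, then peels the layers off again. The plain GRE header is a simplification (PPTP's enhanced GRE carries extra key and sequence fields that are not modelled), and every address and payload byte is a constructed sample value.

```python
"""Added example, not from the ECE 4112 slides: one packet inside another.

Builds  outer IPv4 (protocol 47 = GRE) | GRE header | PPP frame | inner IPv4 datagram
and decapsulates it again, the layering the PPTP slide describes.  Simplifications:
the GRE header is the plain RFC 2784 form (PPTP's enhanced GRE adds key/sequence
fields), and all addresses and payload bytes are constructed sample values.
"""
import ipaddress
import struct

IP_PROTO_GRE = 47          # outer IPv4 "protocol" value that marks a GRE payload
GRE_PROTO_PPP = 0x880B     # GRE protocol-type value for PPP
PPP_PROTO_IPV4 = 0x0021    # PPP protocol field value for an IPv4 datagram
PPP_ADDRESS, PPP_CONTROL = 0xFF, 0x03


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header; a header with a valid checksum sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ppp_frame(proto: int, info: bytes) -> bytes:
    """HDLC-style PPP frame: address 0xFF, control 0x03, 16-bit protocol, information."""
    return struct.pack("!BBH", PPP_ADDRESS, PPP_CONTROL, proto) + info


def gre_encapsulate(protocol_type: int, payload: bytes) -> bytes:
    """RFC 2784 GRE header: C bit clear, reserved bits zero, version 0, protocol type."""
    return struct.pack("!HH", 0x0000, protocol_type) + payload


def build_tunnel_packet(outer_src, outer_dst, inner_src, inner_dst, inner_payload: bytes) -> bytes:
    """Inner datagram -> PPP -> GRE -> outer IPv4, i.e. three layers of encapsulation."""
    # inner protocol 17 (UDP) is only a label here; the payload is treated as opaque bytes
    inner = ipv4_header(inner_src, inner_dst, 17, len(inner_payload)) + inner_payload
    gre = gre_encapsulate(GRE_PROTO_PPP, ppp_frame(PPP_PROTO_IPV4, inner))
    return ipv4_header(outer_src, outer_dst, IP_PROTO_GRE, len(gre)) + gre


def _addrs(hdr: bytes):
    return str(ipaddress.IPv4Address(hdr[12:16])), str(ipaddress.IPv4Address(hdr[16:20]))


def decapsulate(packet: bytes) -> dict:
    """Peel the layers off in order, checking at each step the field the next layer relies on.
    This is the "both parties must be aware of the tunnel" point: a receiver that does not
    know protocol 47 carries GRE cannot reach the inner packet at all."""
    ihl = (packet[0] & 0x0F) * 4
    outer = packet[:ihl]
    if ipv4_checksum(outer) != 0:
        raise ValueError("bad outer IPv4 checksum")
    if outer[9] != IP_PROTO_GRE:
        raise ValueError("outer protocol %d is not GRE" % outer[9])
    flags_ver, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version %d" % (flags_ver & 7))
    body = packet[ihl + 4:]
    if flags_ver & 0x8000:          # C bit set: a checksum + reserved1 word follows
        body = body[4:]
    if proto_type != GRE_PROTO_PPP:
        raise ValueError("GRE payload 0x%04x is not PPP" % proto_type)
    addr, ctrl, ppp_proto = struct.unpack("!BBH", body[:4])
    if (addr, ctrl, ppp_proto) != (PPP_ADDRESS, PPP_CONTROL, PPP_PROTO_IPV4):
        raise ValueError("unexpected PPP header")
    inner = body[4:]
    inner_ihl = (inner[0] & 0x0F) * 4
    if ipv4_checksum(inner[:inner_ihl]) != 0:
        raise ValueError("bad inner IPv4 checksum")
    total_len = struct.unpack("!H", inner[2:4])[0]
    return {"outer": _addrs(outer), "inner": _addrs(inner), "payload": inner[inner_ihl:total_len]}


if __name__ == "__main__":
    # Constructed sample: tunnel endpoints from the documentation range 203.0.113.0/24,
    # private inner addresses from 10.0.0.0/8.
    pkt = build_tunnel_packet("203.0.113.1", "203.0.113.2", "10.0.0.5", "10.0.0.20",
                              b"hello through the tunnel")
    print(decapsulate(pkt))
```

Note that nothing in this layering is encrypted: the GRE/PPP wrapping is what makes the inner host logically part of the remote network, and it is the separate protocol underneath (SSH, SSL or IPSec on the other slides) that supplies the confidentiality and integrity.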
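What the "Hello" messages on the SSL & PPP slide actually carry, shown as an added example rather than anything from the slides: a ClientHello record is built from constructed values (version, 32 random bytes, a list of offered cipher suites), parsed back with bounds checks, and a server-side helper picks the first suite in the server's preference order that the client offered. The layout is the TLS 1.0–1.2 ClientHello without extensions; the cipher-suite code points are real IANA values used only as sample data, and the fixed random is a stand-in for what a real client draws from os.urandom.

```python
"""Added example, not from the ECE 4112 slides: what an SSL/TLS "Hello" carries.

Builds a ClientHello record from constructed values, parses it back, and lets a
server pick a cipher suite from what the client offered.  Layout follows the
TLS 1.0-1.2 ClientHello (RFC 5246 section 7.4.1.2); extensions are omitted.
"""
import struct

CONTENT_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# A few real IANA cipher-suite code points, used only as sample values here.
CIPHER_SUITE_NAMES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}


def build_client_hello(version: int, client_random: bytes, cipher_suites, session_id: bytes = b"") -> bytes:
    """Record layer | handshake header | ClientHello body (version, random, session id,
    cipher suites, compression methods)."""
    if len(client_random) != 32:
        raise ValueError("client random must be 32 bytes")
    body = struct.pack("!H", version) + client_random
    body += struct.pack("!B", len(session_id)) + session_id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                   # one compression method: null
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # The record-layer version is a legacy field; 0x0301 (TLS 1.0) is what clients commonly send.
    return struct.pack("!BHH", CONTENT_HANDSHAKE, 0x0301, len(handshake)) + handshake


class _Reader:
    """Bounds-checked cursor so a short or malformed record raises instead of mis-parsing."""
    def __init__(self, data: bytes):
        self.data, self.off = data, 0

    def take(self, n: int) -> bytes:
        if self.off + n > len(self.data):
            raise ValueError("record truncated at offset %d" % self.off)
        chunk = self.data[self.off:self.off + n]
        self.off += n
        return chunk


def parse_client_hello(record: bytes) -> dict:
    """Return the negotiation inputs the Hello carries: version, random, offered suites."""
    if len(record) < 5:
        raise ValueError("record header incomplete")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != CONTENT_HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = _Reader(_Reader(record[5:]).take(rec_len))
    if hs.take(1)[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = _Reader(hs.take(int.from_bytes(hs.take(3), "big")))
    version = struct.unpack("!H", body.take(2))[0]
    client_random = body.take(32)
    session_id = body.take(body.take(1)[0])
    cs_len = struct.unpack("!H", body.take(2))[0]
    if cs_len % 2:
        raise ValueError("odd cipher-suite vector length")
    suites = list(struct.unpack("!%dH" % (cs_len // 2), body.take(cs_len)))
    compression = list(body.take(body.take(1)[0]))
    return {"version": version, "version_name": VERSION_NAMES.get(version, "unknown"),
            "random": client_random, "session_id": session_id,
            "cipher_suites": suites, "compression": compression}


def select_cipher_suite(offered, server_preference):
    """Server-side choice: first suite in the server's preference order that the client offered.
    None means there is no overlap and the handshake must fail."""
    for cs in server_preference:
        if cs in offered:
            return cs
    return None


if __name__ == "__main__":
    # Constructed sample values; a real client draws its random from os.urandom(32).
    rec = build_client_hello(0x0303, bytes(range(32)), [0xC02F, 0x002F, 0x0035])
    hello = parse_client_hello(rec)
    print(hello["version_name"], [CIPHER_SUITE_NAMES[c] for c in hello["cipher_suites"]])
    chosen = select_cipher_suite(hello["cipher_suites"], [0xC02F, 0x0035])
    print("chosen:", CIPHER_SUITE_NAMES[chosen])
```

Two points worth noticing from running it: the random bytes are sent in the clear and only serve to make the handshake fresh, and letting the server rather than the client decide the suite order is what stops a client's weakest offered suite from being picked by default.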