ODU CS 772 - Virtual Private Networks

This preview shows page 1-2-3-24-25-26-27-48-49-50 out of 50 pages.


Virtual Private Networks
Fred Baker

What is a VPN
• Public networks are used to move information between trusted network segments using shared facilities like frame relay or ATM
• A VIRTUAL Private Network replaces all of the above utilizing the public Internet
• Performance and availability depend on your ISP and the Internet

Why?
• HomeNet to the office.

VPN Types

VPN Implementations

VPN as your Intranet

What a VPN needs
• VPNs must be encrypted – so no one can read it
• VPNs must be authenticated
• No one outside the VPN can alter the VPN
• All parties to the VPN must agree on the security properties

VPN Components

Parts of a VPN

VPN works via crypto/Encapsulation

Encryption and Decryption
[Diagram: clear text "Bob Is a Fink" -> Encryption -> cipher text "8vyaleh31&dktu.dtrw8743$Fie*nP093h" -> Decryption -> clear text "Bob Is a Fink"]

Basic Crypto – Keys are key

2 Kinds of Key Systems

Symmetric Key Algorithms
• DES – 56-bit key
• Triple-DES – encrypt, decrypt, encrypt, using either two or three 56-bit keys
• IDEA – 128-bit key
• Blowfish – variable-length key, up to 448 bits

Public Key Encryption Example
[Diagram: Alice -> Message -> encrypt with Bob's Public Key -> Encrypted Message -> decrypt with Bob's Private Key -> Message -> Bob]
• Alice wants to send Bob encrypted data
– Alice gets Bob’s public key
– Alice encrypts the data with Bob’s public key
– Alice sends the encrypted data to Bob
• Bob decrypts the data with his private key

PKI vs Symmetric Key
• PKI easier as you don’t have to manage keys on a per user basis
• But MUCH more compute intensive (symmetric is up to 1000 times faster)
• Many systems do a combination, e.g. PGP
– Use PKI to send a symmetric key
– Then use the symmetric key to encrypt the data

Using Crypto in real life

PKI to send Private Keys

PKI Certs a way to authenticate

Prove the user cert: Certificates of authority

Digital Signature to verify data not changed in transit

PKI the full picture

Where you do Crypto

Technologies

Application Layer: SSL

Transport Layer: IPSEC
• A standard
• Is composed of:
– Diffie-Hellman key exchange
– PKI for the DH exchanges
– DES and other bulk encryption
– Hash to authenticate packets
– Digital Certificates to validate keys

Transport Layer: IPSEC VPNs, 3 parts

Tunnel vs Transport
• Transport
– Implemented by the end point systems
– Real address to real address
– Cannot ‘go through’ other networks
• Tunnel
– Encapsulation of the original IP packet in another packet
– Can ‘go through’ other networks
– End systems need not support this
– Often PC to a box on the ‘inside’

Diffie-Hellman Key Exchange (1976)
• By openly exchanging non-secret numbers, two people can compute a unique shared secret number known only to them

Modular Exponentiation
• Generator, $g$
• Modulus (prime), $p$
• $Y = g^{X} \bmod p$, e.g. $2^{237276162930753723} \bmod 79927397984597926572651$
• Both $g$ and $p$ are shared and well-known

Diffie-Hellman Public Key Exchange
• Alice: private value $X_A$, public value $Y_A = g^{X_A} \bmod p$
• Bob: private value $X_B$, public value $Y_B = g^{X_B} \bmod p$
• Shared secret: $Y_B^{X_A} \bmod p = g^{X_A X_B} \bmod p = Y_A^{X_B} \bmod p$

Security Association is the agreement on how to secure

create the ISAKMP SA (Internet Security Association Key Management Protocol)

IPSEC Key Exchange (IKE)

IKE allows scale as I do not need to hard code passwords for each pair

Link Layer: L2TP for VPDN (Virtual Private Dial Network)

PPTP: Free from Microsoft

PPTP: Security

VPN Comparisons

So why have a private network: QOS not fully cooked
• Very dependent on your ISP
• Real hard to do across ISPs
• So no guarantee of performance

Other Issues

Like NAT

Wireless: a new big driver, WAS (Work At Starbucks)

Many security protocols, depends on deployer

VPN means I don’t care how you connect

Example
[Diagram: WorldCom IP Network, ILEC DSL Network and WorldCom Digital Access Networks, with WorldCom managed links and CPE at the hub site; a primary tunnel and a secondary tunnel connect Allstate agent T-1 sites, Allstate agent DSL sites and Allstate data centers]

So what could be wrong?
• VPN clients hit the network stack
• May not play well with personal firewalls
• Or other software
• May not need full access to the target network, just encrypted access

One answer: clientless VPN
• Use SSL as the transport protocol to an appliance
• Can add NT authentication to the appliance
• Clientless mode: use web enabled applications over the Internet; the appliance SSLifies web sites
• Java Applet: use a downloadable applet to send traffic over SSL, get more support for applications
• Can work well if you want to have encrypted web based apps without redoing the application
– to use SSL you need certs and have to change EVERY link to HTTPS
– Also big hit on the server CPU

Summary: VPNs
• Very big in the work access space
– Exploit high speed
• Wireless
– in the office
– public ‘hot spots’ like Borders
• Replaces direct dial into the work network
• Replace dedicated Business partners
• May replace the corporate
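The Modular Exponentiation and Diffie-Hellman Public Key Exchange slides, worked through as an added Python example (not part of the lecture material): a square-and-multiply modular exponentiation, the slide's own g = 2 and 23-digit p, and one Alice/Bob exchange. The private values X_A and X_B, the random_private_value and demo helpers are constructed for illustration; nothing in the exchange itself authenticates Y_A or Y_B, which is the gap the IPSEC slide's "PKI for the DH exchanges" is there to close.

```python
import secrets
# Shared, well-known g = 2 and 23-digit p from the "Modular Exponentiation"
# slide (the slide calls p prime; primality is not checked here).
G = 2
P = 79927397984597926572651
SLIDE_EXPONENT = 237276162930753723   # the X in the slide's 2^X mod p example


def modexp(base: int, exp: int, mod: int) -> int:
    """Square-and-multiply base^exp mod mod, one exponent bit per step, so
    intermediates never exceed mod^2 and an 18-digit exponent stays cheap."""
    if mod == 1:
        return 0
    result, base = 1, base % mod
    while exp > 0:
        if exp & 1:
            result = (result * base) % mod
        exp >>= 1
        base = (base * base) % mod
    return result


def slide_example() -> int:
    """The slide's worked value: 2^237276162930753723 mod p."""
    return modexp(G, SLIDE_EXPONENT, P)


def dh_exchange(x_a: int, x_b: int) -> tuple[int, int, int, int]:
    """One Diffie-Hellman run: Alice holds private X_A, Bob holds private X_B.

    Returns (Y_A, Y_B, secret_at_alice, secret_at_bob). Only Y_A and Y_B cross
    the wire. Nothing here proves who sent them, so on its own the exchange can
    be intercepted and relayed; the IPSEC slide layers PKI/certificates on top.
    """
    y_a = modexp(G, x_a, P)           # Alice publishes Y_A = g^X_A mod p
    y_b = modexp(G, x_b, P)           # Bob publishes   Y_B = g^X_B mod p
    secret_a = modexp(y_b, x_a, P)    # Alice computes  Y_B^X_A mod p
    secret_b = modexp(y_a, x_b, P)    # Bob computes    Y_A^X_B mod p
    return y_a, y_b, secret_a, secret_b


def random_private_value() -> int:
    """Fresh private exponent in [2, p-2] from the OS CSPRNG (constructed helper)."""
    return 2 + secrets.randbelow(P - 3)


def demo() -> bool:
    """End-to-end run with fresh private values; True when both sides agree."""
    _, _, s_a, s_b = dh_exchange(random_private_value(), random_private_value())
    return s_a == s_b
```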

