Date post: | 06-Apr-2018 |
Category: |
Documents |
Upload: | victer-paul |
View: | 220 times |
Download: | 0 times |
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 1/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 2/65
By.P. Victer Paul
Dear,We planned to share our eBooks and project/seminar contents
for free to all needed friends like u.. To get to know about morefree computerscience ebooks and technology advancements incomputer science. Please visit....
http://free-computerscience-ebooks.blogspot.com/
http://recent-computer-technology.blogspot.com/
http://computertechnologiesebooks.blogspot.com/
Please to keep provide many eBooks and technology news forFREE. Encourage us by Clicking on the advertisement in theseBlog.
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 3/65
VPNs can be used to secure communications through the public
Internet.
VPNs are often installed by organizations to provide remote
access to a secure organizational network, or to connect two
network locations together using an insecure network to carry thetraffic.
A VPN does not need to have explicit security features such as
authentication or traffic encryption. For example, a network
service provider could use VPNs to separate the traffic of
multiple customers over an underlying network.
VPNs such as Tor can be used to mask the IP address of
individual computers within the Internet in order, for instance, to
surf the World Wide Web anonymously or to access location
restricted services, such as Internet television.
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 4/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 5/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 6/65
In the protocols they use to tunnel the traffic over the
underlying network;
By the location of tunnel termination, such as the
customer edge or network provider edge; Whether they offer site-to-site or remote access
connectivity;
In the levels of security provided;
By the OSI layer which they present to the connectingnetwork, such as Layer 2 circuits or Layer 3 network
connectivity.
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 7/65
Secure VPNs explicitly provide mechanisms for
authentication of the tunnel endpoints during tunnel
setup, and encryption of the traffic in transit.
Often secure VPNs are used to protect traffic when
using the Internet as the underlying backbone, but
equally they may be used in any environment when the
security level of the underlying network differs from
the traffic within the VPN.
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 8/65
Secure VPNs may be implemented by organizationswishing to provide remote access facilities to theiremployees or by organizations wishing to connectmultiple networks together securely using the Internet
to carry the traffic. A common use for secure VPNs is in remote access
scenarios, where VPN client software on an end usersystem is used to connect to a remote office network
securely. Secure VPN protocols include L2TP (with IPsec),
SSL/TLS VPN (with SSL/TLS) or PPTP (with MPPE).
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 9/65
Trusted VPNs are commonly created by carriers and large
organizations and are used for traffic segmentation on large core
networks. They often provide quality of service guarantees and
other carrier-grade features.
Trusted VPNs may be implemented by network carriers wishingto multiplex multiple customer connections transparently over an
existing core network or by large organizations wishing to
segregate traffic flows from each other in the network. Trusted
VPN protocols include MPLS, ATM or Frame Relay.
Trusted VPNs differ from secure VPNs in that they do not
provide security features such as data confidentiality through
encryption. Secure VPNs however do not offer the level of
control of the data flows that a trusted VPN can provide such as
bandwidth guarantees or routing.
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 10/65
Security
Address Translation
Performance: Throughput, Load balancing (round-robin
DNS), fragmentation
Bandwidth Management: RSVP (Resource Reservation
Protocol)
Availability: Good performance at all times
Scalability: Number of locations/Users
Interoperability: Among vendors, Internet Service Providers
(ISPs), customers (for extranets)⇒ Standards Compatibility,
With firewall
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 11/65
Compression: Reduces bandwidth requirements Manageability: SNMP (Simple Network Management
Protocol), Browser based, Java based,centralized/distributed
Accounting, Auditing, and Alarming Protocol Support: IP, non-IP (IPX) Platform and O/S support: Windows, UNIX, MacOS,
HP/Sun/Intel Installation: Changes to desktop or backbone only
Legal: Exportability, Foreign Govt Restrictions, Key Management Infrastructure (KMI) initiative ⇒ Need key recovery
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 12/65
IPsec (Internet Protocol Security) - A standards-basedsecurity protocol developed originally for IPv6, wheresupport is mandatory, but also widely used with IPv4.
For VPNs L2TP is commonly used over IPsec.
Transport Layer Security (SSL/TLS) is used either fortunneling an entire network's traffic (SSL/TLS VPN)
SSL has been the foundation by a number of vendors toprovide remote access VPN capabilities.
SSL-based VPNs may be vulnerable to denial-of-service attacks mounted against their TCP connectionsbecause latter are inherently unauthenticated.
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 13/65
Datagram Transport Layer Security (DTLS), used by Cisco for
a next generation VPN product called Cisco AnyConnect
VPN. DTLS solves the issues found when tunneling TCP over
TCP as is the case with SSL/TLS
Microsoft Point-to-Point Encryption (MPPE) by Microsoft isused with their PPTP. Several compatible implementations on
other platforms also exist.
Secure Socket Tunneling Protocol (SSTP) by Microsoft
introduced in Windows Server 2008 and Windows Vista Service Pack 1. SSTP tunnels PPP or L2TP traffic through an
SSL 3.0 channel.
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 14/65
MPVPN (Multi Path Virtual Private Network). Ragula
Systems Development Company owns the registered
trademark "MPVPN“.
SSH VPN -- OpenSSH offers VPN tunneling to secure remote
connections to a network (or inter-network links). This feature(option -w) should not be confused with port forwarding
(option -L).
OpenSSH server provides limited number of concurrent
tunnels and the VPN feature itself does not support personalauthentication.
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 15/65
Tunnel endpoints are required to authenticate
themselves before secure VPN tunnels can be
established.
End user created tunnels, such as remote access VPNs
may use passwords, biometrics, two-factor
authentication or other cryptographic methods.
For network-to-network tunnels, passwords or digital
certificates are often used, as the key must bepermanently stored and not require manual intervention
for the tunnel to be established automatically.
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 16/65
Depending on whether the PPVPN runs in layer 2 or
layer 3, the building blocks described below may be L2
only, L3 only, or combinations of the two.
Multiprotocol Label Switching (MPLS) functionality
blurs the L2-L3 identity.
◦ Customer edge device. (CE)
◦ Provider edge device (PE)
◦ Provider device (P)
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 17/65
Customer edge device (CE)In general, a CE is a device, physically at the customerpremises, that provides access to the PPVPN service.Some implementations treat it purely as a demarcation
point between provider and customer responsibility,while others allow customers to configure it.
Provider edge device (PE)
A PE is a device or set of devices, at the edge of the
provider network, which provides the provider's viewof the customer site. PEs are aware of the VPNs thatconnect through them, and which maintain VPN state.
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 18/65
Provider device (P)
A P device operates inside the provider's core network, and
does not directly interface to any customer endpoint.
It might, for example, provide routing for many provider-
operated tunnels that belong to different customers'
PPVPNs.
Its principal role is allowing the service provider to scale its
PPVPN offerings, as, for example, by acting as an
aggregation point for multiple PEs. P-to-P connections, insuch a role, often are high-capacity optical links between
major locations of provider.
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 19/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 20/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 21/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 22/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 23/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 24/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 25/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 26/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 27/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 28/65
GRE: Generic Routing Encaptulation (RFC 1701/2)
PPTP: Point-to-point Tunneling Protocol
2TP: Layer 2 Tunneling protocol
IPsec: Secure IP MPLS: Multiprotocol Label Switching
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 29/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 30/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 31/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 32/65
Layer 2 Tunneling Protocol
L2F = Layer 2 Forwarding (From CISCO)
L2TP = L2F + PPTP Combines the best features of L2F
and PPTP
Easy upgrade from L2F or PPTP
Allows PPP frames to be sent over non-IP (Frame relay,
ATM) networks also (PPTP works on IP only)
Allows multiple (different QoS) tunnels between thesame end-points. Better header compression. Supports
flow control
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 33/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 34/65
Universal Transport Interface (UTI) is a pre-standardeffort for transporting L2 frames.
L2TPv3 extends UTI and includes it as one of many
supported encapsulations.
L2TPv3 has a control plane using reliable control
connection for establishment, teardown and
maintenance of individual sessions.
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 35/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 36/65
Allows virtual circuits in IP Networks
Each packet has a virtual circuit number called ‘label’
Label determines the packet’s queuing and forwarding
Circuits are called Label Switched Paths (LSPs) LSP’s have to be set up before use
Allows traffic engineering
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 37/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 38/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 39/65
Unsolicited: Topology driven ⇒ Routing protocolsexchange labels with routing information.
Many existing routing protocols are being
extended:BGP, OSPF
On-Demand:
⇒ Label assigned when requested,
e.g., when a packet arrives⇒ latency
Label Distribution Protocol called LDP RSVP has been extended to allow label request and
response
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 40/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 41/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 42/65
VPN allows secure communication on the Internet
Three types: WAN, Access, Extranet
Key issues: address translation, security, performance
Layer 2 (PPTP, L2TP), Layer 3 (IPSec) QoS is still an issue ⇒MPLS
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 43/65
FIREWALL
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 44/65
Aspects of Security◦ Data accessibility - contents accessible
◦ Data integrity - contents remain unchanged
◦ Data confidentiality - contents not revealed
AAA
◦ Authentication - You are who you say you are
◦ Authorization - Access control
◦ Accountability- Who is responsible for tracking access to
data
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 45/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 46/65
Scrambling of message such that only intended receiver canunscramble them
◦ Encrypting function - produces encrypted message
◦ Decrypting function - extracts original message
◦ Encryption key - parameter that controlsencryption/decryption
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 47/65
Secret Key Encryption◦ Sender and receiver share secret key
◦ Encrypted_Message = encrypt(K, Message)
◦ Message = decrypt(K, Encrypted_Message)
◦ Example: Encrypt = division◦ 433 = 48 R 1 (using divisor of 9)
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 48/65
Previous scheme requires shared secret K If K is discovered, security is compromised
Public key encryption uses two keys:
◦ Private key - kept secret by user
◦ Public key - published by user
Message encrypted with public key can be decrypted only
with private key, and vice-versa
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 49/65
Encrypted_Message = decrypt(Public_Key,encrypt(Private_key, Message)
Message = decrypt(Private_Key,
encrypt(Public_Key,Message)
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 50/65
Goal - guarantee that message must have originatedwith certain entity
Encrypted_Message = encrypt(Private_Key, Message)
Message = decrypt(Public_Key, Encrypted_Message)
=> Authentic
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 51/65
User 1 to User2: Encrypted_Message = encrypt(Public_key2,
encrypt(Private_key1, Message)
Message = decrypt(Public_key1, decrypt
(Private_key2,Encrypted_Message)
=> Authentic and Private
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 52/65
Bastion Host DMZ (demilitarized zone)
Perimeter network
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 53/65
A bastion host is a computer that is fully exposed toattack
The system is on the public side of the demilitarized
zone (DMZ), unprotected by a firewall or filtering
router
Firewalls and routers can be considered bastion hosts
Other types of bastion hosts include web, mail, DNS,
and FTP servers, Proxy servers
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 54/65
DMZ (demilitarized zone) is a computer host or smallnetwork inserted as a "neutral zone" between a
company's private network and the outside public
network.
It prevents outside users from getting direct access to a
server that has company data
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 55/65
A small, single-segment network between a firewalland the Internet for services that the organization wants
to make publicly accessible to the Internet without
exposing the network as a whole
If someone breaks into a bastion host on the perimeter
net, he'll be able to snoop only on traffic on that net
Also known as ‘stub network’
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 56/65
Can configure packet forwarding devices - esp. routers – to drop certain packets
Example: Only email gets in/out
problem: Filter is accessible to outside world
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 57/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 58/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 59/65
Proxy servers take users' requests and forward them toreal servers
Take server’s responses and forwards them to users
Enforce site security policy = > may refuse certain
requests
Transparency is the major benefit of proxy services
Also known as application-level gateways
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 60/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 61/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 62/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 63/65
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 64/65
Can’t protect against malicious insiders can’t protect against connections that do not go through
it,
◦ e.g. dial up
Can’t protect against completely new threats
Can’t protect against viruses
8/3/2019 19-Virtual Private Networks
http://slidepdf.com/reader/full/19-virtual-private-networks 65/65
Security is a problem because Internet is not owned byone entity
Encryption and digital signatures can provide
confidentiality and secure identification
Organizations can use firewalls to prevent unauthorized
access