Andreas Steffen, 16.12.2002, SNK_VPNapp.ppt 1
Zürcher Hochschule Winterthur, Sichere Netzwerkkommunikation (SNK) [Secure Network Communication]
Prof. Dr. Andreas Steffen, © 2000-2002 Zürcher Hochschule Winterthur

Virtual Private Networks: Applications
Virtual Private Networks

Figure: site-to-site and remote-access VPNs over the Internet. Headquarters (10.1.0.0/16, behind VPN Gateway 11.22.33.44) and a Subsidiary (10.2.0.0/16, behind VPN Gateway 55.66.77.88) are joined by a VPN tunnel between the two gateways; a "Road Warrior" VPN client (10.3.0.2) reaches Headquarters through a second VPN tunnel.
The "Road Warrior" Remote Access Case

Figure: a Road Warrior with a dynamic ISP address (55.66.x.x) and virtual IP 10.3.0.2 reaches the Home Network 10.1.0.0/16 through an IPsec tunnel terminated by VPN Gateway 11.22.33.44.

• Road Warriors sign on to their home network via IKE from varying IP addresses assigned dynamically by the local ISP, so the gateway cannot identify them by source address.
• Authentication is usually based on RSA public keys and X.509 certificates issued by the home network's CA.
• A virtual IP is assigned to the remote host, statically or dynamically, by the home network; the remote host thus becomes part of an extruded subnet of the home network.
NAT-Traversal (IPsec over UDP)

• Internet Drafts: draft-ietf-ipsec-udp-encaps-04.txt, draft-ietf-ipsec-nat-t-ike-04.txt
• Supported by SSH Sentinel and Linux FreeS/WAN
• NAT box (e.g. ADSL modem) with IPsec passthrough: ESP and IKE from only a single VPN client behind the NAT can be forwarded, because plain ESP carries no port number the NAT could map.
• NAT box (e.g. ADSL modem) with NAT-Traversal: ESP is encapsulated in UDP (port 4500), so several clients behind the same NAT are distinguished by their UDP ports; NAT-keepalive packets are needed to keep the NAT mapping alive while the tunnel is idle.
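As an added example (written for this page, not taken from the slides or from FreeS/WAN), the following Python shows the two mechanisms the drafts above introduce: how a gateway demultiplexes UDP port 4500 datagrams into NAT-keepalive, IKE and UDP-encapsulated ESP, and how the NAT-D payloads of draft-ietf-ipsec-nat-t-ike let each side detect a NAT between them by hashing the address it believes it has and comparing with what the peer actually observed. The cookies, addresses and datagrams are constructed, and SHA-1 is assumed as the negotiated hash.

```python
# Added example (not from the original slides): UDP/4500 demultiplexing and
# NAT-D based NAT detection, following draft-ietf-ipsec-udp-encaps and
# draft-ietf-ipsec-nat-t-ike (later RFC 3948 and RFC 3947).
import hashlib
import ipaddress
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # four zero bytes precede an IKE header on UDP/4500
NAT_KEEPALIVE = b"\xff"               # one-byte keepalive, silently discarded by the peer
ISAKMP_HEADER_LEN = 28                # cookies (16) + np/ver/xchg/flags (4) + msgid (4) + length (4)


def classify_udp4500(payload: bytes) -> dict:
    """Classify one UDP/4500 datagram as NAT-keepalive, IKE or UDP-encapsulated ESP.

    ESP is recognised by elimination: its first four bytes are the SPI, which
    must not be zero, so a zero marker can only belong to IKE.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        if len(payload) < len(NON_ESP_MARKER) + ISAKMP_HEADER_LEN:
            raise ValueError("truncated IKE header")
        icookie, rcookie = payload[4:12], payload[12:20]
        return {"kind": "ike", "initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex()}
    if len(payload) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", payload[:8])
    if spi == 0:
        raise ValueError("SPI 0 is not allowed in UDP-encapsulated ESP")
    return {"kind": "esp", "spi": spi, "seq": seq}


def nat_d_hash(icookie: bytes, rcookie: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload content: HASH(CKY-I | CKY-R | IP | Port); SHA-1 assumed here."""
    data = icookie + rcookie + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_between(icookie: bytes, rcookie: bytes, sender_ip: str, sender_port: int,
                observed_ip: str, observed_port: int) -> bool:
    """True if a NAT rewrote the sender's address on the way.

    The sender hashes the address/port it thinks it is using; the receiver
    recomputes the hash over the source address/port it actually saw.
    """
    claimed = nat_d_hash(icookie, rcookie, sender_ip, sender_port)
    observed = nat_d_hash(icookie, rcookie, observed_ip, observed_port)
    return claimed != observed


# Constructed sample cookies and datagrams (not captured traffic).
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")
SAMPLE_IKE = (NON_ESP_MARKER + CKY_I + CKY_R
              + b"\x08\x10\x02\x00"            # next payload, version 1.0, exchange type, flags
              + b"\x00\x00\x00\x00"            # message id
              + struct.pack("!I", ISAKMP_HEADER_LEN))
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16  # SPI, sequence number, payload

if __name__ == "__main__":
    for name, pkt in (("keepalive", NAT_KEEPALIVE), ("ike", SAMPLE_IKE), ("esp", SAMPLE_ESP)):
        print(name, classify_udp4500(pkt))
    # Client believes it is 192.168.1.10:500, gateway sees 55.66.1.2:1025 -> NAT present.
    print("NAT detected:", nat_between(CKY_I, CKY_R, "192.168.1.10", 500, "55.66.1.2", 1025))
```

The keepalive check comes first on purpose: a keepalive is shorter than any header, and treating it as ESP would raise a spurious error on every idle tunnel.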
Intranet VPNs

Figure: a wireless user's VPN client on the Wireless Intranet (WLAN Access Point attached to a DMZ interface) tunnels 0.0.0.0/0 to the VPN Gateway/Firewall, which forwards the traffic to the Intranet Server on the Private Intranet.

Wireless VPN clients tunnel 100% of their IP traffic over the insecure air link by configuring the peer subnet as 0.0.0.0/0 (every destination), so that no packet leaves the client unprotected on the WLAN.
Example – University of Freiburg, Germany

• 44 WLAN access points, 1 Linux VPN gateway
• 202 active and 88 revoked X.509 certificates
• FreeS/WAN Linux clients / SSH Sentinel Windows clients
• Further information: http://mopoinfo.wlan.informatik.uni-freiburg.de

Figures (plots not reproduced): IPsec throughput at the VPN gateway; active VPN tunnels on the campus.
Extranet VPNs

Figure: a Partner Network behind its own VPN Gateway and a Customer running a VPN client connect through VPN tunnels over the Internet to the VPN Gateway of the Private Network, which exposes separate Partner Access and Customer Access zones.

• Network access must be partitioned and tightly controlled
• Flexible and dynamic setup of Extranet VPN connections
• An Extranet VPN spans multiple administrative trust domains
Linux FreeS/WAN Security Gateway
Linux FreeS/WAN as a VPN Gateway

• Available from www.freeswan.ca / www.strongsec.com
• Open-source IPsec stack for Linux 2.2 and 2.4 kernels
• X.509 certificate support developed by ZHW!
• Easy installation via RedHat/SuSE/Mandrake RPMs and Debian packages
• The number of VPN tunnels is limited by hardware resources only
• Linux FreeS/WAN can also be used as a VPN client
• Simple configuration
• Road Warrior and Virtual IP support using X.509 certificates:

    conn road-warrior
        right=%any                     # peer may come from any address (Road Warrior)
        rightrsasigkey=%cert           # take the peer's RSA key from its X.509 certificate
        rightsubnetwithin=10.3.0.0/16  # virtual IPs the peer is allowed to claim
        left=%defaultroute             # gateway address taken from the default route
        leftsubnet=10.1.0.0/16         # home network behind the gateway
        leftcert=gwCert.pem            # gateway certificate, looked up in /etc/ipsec.d/certs
        auto=add                       # load at startup and wait for the peer to initiate

Figure: the gateway side ("left": leftsubnet, gwCert) and the Road Warrior side ("right": %cert).
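Added example (written for this page; it is not FreeS/WAN code and not from the slides): a small parser for the ipsec.conf conn syntax shown above, and two of the policy decisions such a configuration drives. On the gateway, a Road Warrior proposes its virtual IP as its own subnet, and the gateway accepts it only inside rightsubnetwithin; on the client, the peer subnet decides which destinations go through the tunnel, including the 0.0.0.0/0 case of the Intranet VPN slide, where traffic to the gateway itself must still bypass the tunnel. The sample configuration, the second conn, the gateway address 11.22.33.44 and the destination addresses are constructed.

```python
# Added example (not FreeS/WAN code): parse an ipsec.conf conn section and
# apply the road-warrior and traffic-selector decisions it describes.
import ipaddress
from typing import Dict

# Constructed sample configuration: the conn from the slide plus a WLAN conn
# that tunnels everything (leftsubnet=0.0.0.0/0 on the gateway side).
SAMPLE_IPSEC_CONF = """\
config setup
    interfaces=%defaultroute

conn road-warrior
    right=%any
    rightrsasigkey=%cert
    rightsubnetwithin=10.3.0.0/16
    left=%defaultroute
    leftsubnet=10.1.0.0/16
    leftcert=gwCert.pem
    auto=add

conn wlan-gateway
    right=%any
    rightrsasigkey=%cert
    left=%defaultroute
    leftsubnet=0.0.0.0/0        # every destination is sent through the tunnel
    leftcert=gwCert.pem
    auto=add
"""


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}.

    Sections start in column 0 ("conn NAME" or "config setup"); parameters are
    indented key=value lines; '#' starts a comment.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.partition(" ")
            if kind not in ("conn", "config") or not name.strip():
                raise ValueError(f"unexpected section line: {line!r}")
            current = name.strip()
            sections[current] = {}
        else:
            if current is None:
                raise ValueError("parameter before any section")
            key, sep, value = line.strip().partition("=")
            if not sep:
                raise ValueError(f"malformed parameter: {line!r}")
            sections[current][key.strip()] = value.strip()
    return sections


def accepts_virtual_ip(conn: Dict[str, str], proposed: str) -> bool:
    """Gateway side: accept a Road Warrior's proposed virtual IP (a /32) only if
    the conn is a certificate-authenticated %any conn and the address lies
    inside rightsubnetwithin."""
    if conn.get("right") != "%any" or conn.get("rightrsasigkey") != "%cert":
        return False
    within = conn.get("rightsubnetwithin")
    if within is None:
        return False
    vip = ipaddress.ip_network(proposed, strict=False)
    if vip.prefixlen != 32:
        return False  # a whole subnet is not a virtual IP
    return vip.subnet_of(ipaddress.ip_network(within))


def tunneled(peer_subnet: str, dst: str, gateway: str) -> bool:
    """Client side: a packet to dst goes through the tunnel iff dst falls in the
    peer subnet, except traffic to the gateway itself (IKE and ESP), which must
    bypass the policy or the tunnel would try to encapsulate its own packets."""
    if ipaddress.ip_address(dst) == ipaddress.ip_address(gateway):
        return False
    return ipaddress.ip_address(dst) in ipaddress.ip_network(peer_subnet)


if __name__ == "__main__":
    cfg = parse_ipsec_conf(SAMPLE_IPSEC_CONF)
    print("10.3.0.2 accepted:", accepts_virtual_ip(cfg["road-warrior"], "10.3.0.2"))
    print("10.1.0.7 accepted:", accepts_virtual_ip(cfg["road-warrior"], "10.1.0.7"))
    print("WLAN client, 198.51.100.7 tunneled:", tunneled("0.0.0.0/0", "198.51.100.7", "11.22.33.44"))
    print("WLAN client, gateway itself tunneled:", tunneled("0.0.0.0/0", "11.22.33.44", "11.22.33.44"))
```

The rejection of 10.1.0.7 is the point of rightsubnetwithin: without it a remote host could claim an address inside the protected home network and receive traffic meant for an internal machine.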
FreeS/WAN Directory Structure

    /etc/
        ipsec.conf
        ipsec.secrets            root read access only!
        ipsec.d/
            cacerts/
                cacert.pem
            crls/
                crl.pem
            certs/
                gwCert.pem
            private/
                gwKey.pem        root read access only!
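Added example (written for this page, not part of FreeS/WAN): an audit of the layout above for the "root read access only!" rule. Private keys and ipsec.secrets must be owned by root and inaccessible to group and others; the public CA certificate, certificate and CRL directories may be world-readable but must not be writable by anyone else, since a writable cacerts directory lets an attacker add a CA of their own. The tree is built from placeholder files in a temporary directory so the check runs without touching a real /etc, and the demo audits as the invoking user rather than uid 0.

```python
# Added example (not part of FreeS/WAN): permission audit of the key material
# tree. Built and checked inside a temporary directory with placeholder files.
import os
import stat
import tempfile
from typing import List

# Secret material: the private key directory and ipsec.secrets.
SECRET_PATHS = ("ipsec.secrets", "ipsec.d/private")
# Public material: may be readable by all, must not be writable by group/others.
PUBLIC_PATHS = ("ipsec.conf", "ipsec.d/cacerts", "ipsec.d/certs", "ipsec.d/crls")


def audit_ipsec_tree(etc: str, expected_uid: int = 0) -> List[str]:
    """Return findings for the tree rooted at `etc`; an empty list means clean."""
    findings: List[str] = []

    def check(path: str, secret: bool) -> None:
        rel = os.path.relpath(path, etc)
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{rel}: symlink, key material must live in place")
            return
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != expected_uid:
            findings.append(f"{rel}: owner uid {st.st_uid}, expected {expected_uid}")
        if secret and mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{rel}: mode {mode:04o} accessible by group or others")
        elif not secret and mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{rel}: mode {mode:04o} writable by group or others")

    def walk(rel: str, secret: bool) -> None:
        path = os.path.join(etc, rel)
        if not os.path.lexists(path):
            findings.append(f"{rel}: missing")
            return
        check(path, secret)
        if os.path.isdir(path) and not os.path.islink(path):
            for name in sorted(os.listdir(path)):
                check(os.path.join(path, name), secret)

    for rel in SECRET_PATHS:
        walk(rel, secret=True)
    for rel in PUBLIC_PATHS:
        walk(rel, secret=False)
    return findings


def build_sample_tree(root: str, leak_key: bool) -> str:
    """Construct the slide's layout under root/etc with placeholder contents.
    With leak_key=True the private key is left world-readable."""
    etc = os.path.join(root, "etc")
    dirs = {"ipsec.d": 0o755, "ipsec.d/cacerts": 0o755, "ipsec.d/crls": 0o755,
            "ipsec.d/certs": 0o755, "ipsec.d/private": 0o700}
    files = {"ipsec.conf": 0o644, "ipsec.secrets": 0o600,
             "ipsec.d/cacerts/cacert.pem": 0o644, "ipsec.d/crls/crl.pem": 0o644,
             "ipsec.d/certs/gwCert.pem": 0o644,
             "ipsec.d/private/gwKey.pem": 0o644 if leak_key else 0o600}
    os.makedirs(etc)
    for rel, mode in dirs.items():
        os.makedirs(os.path.join(etc, rel))
        os.chmod(os.path.join(etc, rel), mode)
    for rel, mode in files.items():
        with open(os.path.join(etc, rel), "w") as fh:
            fh.write("placeholder, not real key material\n")
        os.chmod(os.path.join(etc, rel), mode)
    return etc


def demo(leak_key: bool) -> List[str]:
    """Build a throw-away tree and audit it as the invoking user (uid 0 in production)."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = build_sample_tree(tmp, leak_key)
        return audit_ipsec_tree(etc, expected_uid=os.getuid())


if __name__ == "__main__":
    print("clean tree:", demo(False))
    print("leaked key:", demo(True))
```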
Advanced Encryption Standard (AES)

• On Oct. 2, 2000, the symmetric block cipher Rijndael, invented by the Belgian researchers J. Daemen and V. Rijmen, was declared the new Advanced Encryption Standard (AES) by NIST (www.nist.gov/aes). One year later, on Nov. 26, 2001, AES was officially published as U.S. Federal Information Processing Standard FIPS PUB 197.
• AES works on a block size of 128 bits and can be used with key lengths of 128, 192 or 256 bits.
• AES is much faster than 3DES, which it replaces. A 1 GHz Pentium III processor running a Linux 2.4 kernel achieves the following sustained IPsec throughput (about 25 and 11 clock cycles per encrypted bit, respectively):
  • 3DES: 1000 MHz / 25 = 40 Mbit/s
  • AES: 1000 MHz / 11 = 91 Mbit/s (can saturate a Fast Ethernet link)
• SSH Sentinel and PGPvpn have built-in AES support.
• AES patch for Linux FreeS/WAN: www.irrigacion.gov.ar/juanjo/ipsec/
Windows-based VPN Clients
VPN Client – Windows 2000/XP

• Windows 2000/XP comes with a built-in IPsec stack
• Configuration via the mmc management console is tiresome!
• The open-source tool from http://vpn.ebootis.de loads a text-based, FreeS/WAN-style configuration directly into the Windows registry:

    conn client-gateway
        left=%any                  # insert client IP
        right=194.139.117.253      # gateway IP
        rightsubnet=10.1.0.0/16    # home network
        rightca="C=CH, O=strongSec GmbH, CN=strongSec CA"
        network=lan                # lan/ras/auto
        auto=start

• WLAN clients can tunnel their whole IP traffic to the VPN gateway:

    conn wlan-gateway
        ...
        rightsubnet=*
        ...

• 3DES encryption only. Virtual IP not supported.
VPN Client – SSH Sentinel

• Available from www.ipsec.com. Free for non-commercial use.
• Runs on all Windows platforms: Win 95/98/ME/NT/2000/XP
• Features
  • Encryption algorithms: AES, 3DES, Twofish, Blowfish, CAST
  • Virtual IP support: static, DHCP-over-IPsec, IPsec config mode
  • NAT-Traversal (IPsec over UDP)
  • WLAN clients: supports tunneling of 0.0.0.0/0
  • Personal firewall included: pre- and post-IPsec packet filters
• Easy configuration via GUI
Other Windows-based VPN Clients

• SafeNet/Soft-Remote (www.safenet-inc.com)
  • Simple and straightforward configuration
  • 3DES encryption only
  • Comes with personal firewall (Zone Alarm)
• PGPvpn (www.pgpi.org / www.pgp.com)
  • Freeware version PGP 7.0.3: IPsec transport mode only; OpenPGP certificates or pre-shared keys only
  • Professional version PGP Desktop Security 7.1: IPsec tunnel mode; X.509 certificates, with personal firewall
  • Network Associates (NAI) closed down PGP Security Inc. last year. PGP Corporation, founded with venture capital, bought back the intellectual property rights from NAI in June 2002.
  • PGP 8.0 for Windows and Macintosh released in December 2002.
Interoperability Issues

• IPsec using IKE has become a mature technology, but a large amount of fine-tuning is still needed to achieve interoperability.
• The interoperability tests at the IPsec 2001 Global Summit in Paris have shown that, with authentication based on X.509 certificates, a full mesh can be established among the following VPN gateways:
  • Linux FreeS/WAN, OpenBSD, NetScreen, Cisco IOS/PIX/VPN3000
  • Nortel Contivity, 6WIND (IPv6), Netcelo, Netasq
  • www.hsc.fr/ressources/ipsec/ipsec2001/
• Interoperability with further VPN products has been reported: Checkpoint VPN-1, BinTec Router
• Many low-end VPN products support pre-shared keys only: Symantec Firewall/VPN Appliance, ZyWall, SonicWall (basic version)