Posted: 19-Dec-2015

Guide to Network Defense and Countermeasures Second Edition

Chapter 5: Virtual Private Network (VPN) Concepts

Guide to Network Defense and Countermeasures, Second Edition 2

Objectives

• Explain basic VPN concepts

• Describe encapsulation in VPNs

• Describe encryption in VPNs

• Describe authentication in VPNs

• Summarize the advantages and disadvantages of VPNs


Understanding VPN Concepts

• A Virtual Private Network (VPN) enables computers to
– Communicate securely over insecure channels
– Exchange private, encrypted messages that others cannot decipher

What VPNs Are

• VPN
– A virtual network connection
– Uses the Internet (or any other untrusted network) to establish a secure connection

• Secure tunnel
– Extends an organization's network across the untrusted link

• Endpoints
– Specified computers, users, or network gateways that terminate the tunnel

Why Establish a VPN?

• Business incentives driving VPN adoption
– VPNs are cost-effective compared with dedicated leased lines
– VPNs provide a secure connection for remote users
• Contractors
• Traveling employees
• Partners and suppliers

• VPN components
– VPN server or host
• Configured to accept connections from clients
– VPN client or guest
• Endpoint that connects to a VPN server

Why Establish a VPN? (continued)

• VPN components (continued)
– Tunnel
• Connection through which data is sent
– VPN protocols
• Sets of standardized communication settings
• Used to encapsulate, encrypt, and authenticate data sent along the VPN

• Types of VPNs
– Site-to-site VPN
• Gateway-to-gateway VPN
– Client-to-site VPN
• Remote access VPN

Why Establish a VPN? (continued)

• Hardware versus software VPNs
– Hardware-based VPNs
• Connect one gateway to another
• Routers at each network gateway encrypt and decrypt packets
• VPN appliance
– Designed to serve as a VPN endpoint
– Joins multiple LANs
• Benefits
– Scalable
– Better security (a dedicated, single-purpose device)

Why Establish a VPN? (continued)

• Hardware versus software VPNs (continued)
– Software-based VPNs
• Integrated with firewalls
• Appropriate when participating networks use different routers and firewalls
• Benefits
– More cost-effective
– Offer maximum flexibility

Why Establish a VPN? (continued)

• VPN combinations
– Combining VPN hardware with software adds layers of network security
– One useful combination is a VPN bundled with a firewall
– VPNs do not eliminate the need for firewalls: traffic leaving the tunnel still has to be filtered
– Provide flexibility and versatility

Why Establish a VPN? (continued)

• VPN combinations (continued)
– Points to consider when selecting VPNs
• Compatibility
• Scalability
• Security
• Cost
• Vendor support

VPN Core Activity 1: Encapsulation

• Core set of activities
– Encapsulation
– Encryption
– Authentication

• Encapsulation
– Encloses a packet within another packet
• The outer packet carries different IP source and destination addresses (the tunnel endpoints)
– Conceals the original addressing from the untrusted network
– Does not by itself protect integrity; that comes from the authentication activity (for example AH or ESP in IPSec)
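The tunnel-mode encapsulation described above, as an added example that is not part of the textbook: a Python script builds an inner IPv4 packet between two private hosts, wraps it in an outer IPv4 header addressed between the two VPN gateways, and unwraps it again at the far end. The addresses, the payload and the header identification value are constructed for illustration; the checksum routine is the standard Internet checksum (RFC 1071) and the outer protocol number is the IP-in-IP value from RFC 2003.

```python
"""Added example (not from the textbook): IP-in-IP tunnel-mode encapsulation.

An inner IPv4 packet between two private hosts is wrapped in an outer IPv4
header addressed between the two VPN gateways; routers on the untrusted
network only ever see the outer header. Addresses and payload are constructed.
"""
import ipaddress
import struct

IPPROTO_IPIP = 4   # "IP in IP" protocol number (RFC 2003)
IPPROTO_UDP = 17


def checksum(data: bytes) -> int:
    """One's-complement Internet checksum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the leading IPv4 header; checksum_ok is True when the header verifies."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {
        "version": ver_ihl >> 4,
        "ttl": ttl,
        "proto": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "checksum_ok": checksum(pkt[:20]) == 0,   # a valid header sums to zero
        "payload": pkt[20:total_len],
    }


def encapsulate(inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Near gateway: prepend an outer header whose addresses are the tunnel endpoints."""
    return ipv4_header(gw_src, gw_dst, IPPROTO_IPIP, len(inner)) + inner


def decapsulate(outer_pkt: bytes) -> bytes:
    """Far gateway: strip the outer header and hand the original packet to the LAN."""
    outer = parse_ipv4(outer_pkt)
    if outer["proto"] != IPPROTO_IPIP or not outer["checksum_ok"]:
        raise ValueError("not a valid IP-in-IP packet")
    return outer["payload"]


# Constructed sample: 10.1.0.5 behind gateway 203.0.113.10 sends a UDP datagram
# to 10.2.0.9 behind gateway 198.51.100.20.
INNER = ipv4_header("10.1.0.5", "10.2.0.9", IPPROTO_UDP, 12) + b"hello branch"
TUNNELED = encapsulate(INNER, "203.0.113.10", "198.51.100.20")

if __name__ == "__main__":
    outer, inner = parse_ipv4(TUNNELED), parse_ipv4(decapsulate(TUNNELED))
    print("on the wire:", outer["src"], "->", outer["dst"], "proto", outer["proto"])
    print("inside     :", inner["src"], "->", inner["dst"], "proto", inner["proto"])
```

Note that the inner packet travels byte-for-byte unchanged; encapsulation alone gives the untrusted network nothing to read but the gateway addresses, and gives the receiver no way to tell whether the inner packet was altered in transit. That is why it is paired with the encryption and authentication activities.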

Understanding Tunneling Protocols

• Point-to-Point Tunneling Protocol (PPTP)
– Used when you need to dial in to a server with a modem connection
• On a computer using an older OS version
– Encapsulates PPP frames (carrying TCP/IP packets) in GRE
– Header contains only the information needed to route data from the VPN client to the server
– Uses Microsoft Point-to-Point Encryption (MPPE)
• Encrypts data that passes between the remote computer and the remote access server
• MPPE keys are derived from the MS-CHAP password exchange, and MS-CHAPv2 is known to be breakable, so PPTP should be treated as legacy
– L2TP uses IPSec encryption
• More secure and widely supported

Understanding Tunneling Protocols (continued)

• Layer 2 Tunneling Protocol (L2TP)
– Provides no encryption of its own; gets its security from IPSec (L2TP/IPSec)
– IPSec enables L2TP to perform
• Authentication
• Encapsulation
• Encryption

Understanding Tunneling Protocols (continued)

• Secure Shell (SSH)
– Provides authentication and encryption
– Works with UNIX-based systems
• Versions for Windows are also available
– Uses public-key cryptography to authenticate hosts and, optionally, users

• SOCKS version 5
– Provides proxy services for applications that do not usually support proxying
– Version 5 adds authentication methods and support for UDP

IPSec/IKE

• Internet Protocol Security (IPSec)
– Set of standard procedures
– Developed by the Internet Engineering Task Force (IETF)
– Enables secure communications on the Internet

• Characteristics
– Works at layer 3
– Can encrypt an entire TCP/IP packet (tunnel mode) or only its payload (transport mode)
– Originally developed for use with IPv6, later adapted to IPv4
– Provides authentication of source and destination computers

IPSec/IKE (continued)

• Widely supported

• Security Association (SA)
– Relationship between two or more entities
– Describes how they will use security services to communicate (protocol, algorithms, keys, lifetimes)
– Used by IPSec to track all the particulars of a communication session
– Identified by the Security Parameter Index (SPI), the destination address, and the protocol (AH or ESP)
– SAs are unidirectional: a two-way session needs one SA in each direction

IPSec/IKE (continued)

• Components
– Internet Security Association and Key Management Protocol (ISAKMP)
– Internet Key Exchange (IKE)
– Oakley
– IPSec policy management
– IPSec driver

• IPSec core components
– Authentication Header (AH)
– Encapsulating Security Payload (ESP)

IPSec/IKE (continued)

• Authentication Header (AH)
– Provides authentication of IP packets
– Ensures data integrity
– Each packet carries an Integrity Check Value (ICV): a keyed hash (HMAC) computed with the key from the SA, not a digital signature
– Adds a header calculated from the values in the datagram
• Mutable fields such as TTL and the header checksum are zeroed before the hash is computed
– AH in tunnel mode
• Authenticates the entire original packet, including its header
• Places a new header at the front of the original packet
– AH in transport mode
• Authenticates the payload and the immutable fields of the original header
– Because the source and destination addresses are covered by the ICV, AH does not survive NAT

IPSec/IKE (continued)

• Encapsulating Security Payload (ESP)
– Provides confidentiality for messages (and, optionally, integrity)
– Encrypts different parts of an IP packet depending on the mode
– ESP in tunnel mode
• Encrypts the entire original packet, header and data, and adds a new outer header
• Used for gateway-to-gateway and remote access VPNs
– ESP in transport mode
• Encrypts only the payload of the packet; the original IP header stays in the clear
• Used for host-to-host protection
– ESP does not cover the outer IP header, so it can traverse NAT when NAT Traversal (UDP encapsulation on port 4500) is enabled
– Choose the mode by topology rather than by default, and enable NAT traversal whenever a NAT device sits in the path
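A worked model of the two slides above (unidirectional Security Associations, and how AH's integrity check treats routers differently from NAT), added here and not taken from the textbook. It is a simplified transport-mode AH in Python: the ICV is HMAC-SHA-256 truncated to 128 bits over the IPv4 header with its mutable TTL and checksum zeroed, the AH header with its ICV field zeroed, and the payload; the receiver looks the SA up by (SPI, destination, protocol). The SPIs, keys, addresses and payload are constructed for illustration, and the IP header checksum is left at zero because AH ignores it anyway.

```python
"""Added example (not from the textbook): unidirectional Security Associations
and an AH-style Integrity Check Value.

Simplified transport-mode AH (after RFC 4302): HMAC-SHA-256-128 over the IPv4
header (TTL and checksum zeroed), the AH header (ICV zeroed) and the payload.
SA lookup is by (SPI, destination, protocol) as in RFC 4301. Keys, SPIs,
addresses and the payload are constructed for illustration.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

IPPROTO_AH = 51
ICV_LEN = 16            # HMAC-SHA-256-128
AH_LEN = 12 + ICV_LEN   # fixed AH fields + ICV


@dataclass
class SecurityAssociation:
    spi: int      # Security Parameter Index carried in the AH header
    dst: bytes    # destination address this SA protects traffic to
    key: bytes    # integrity key (negotiated by IKE in practice; constructed here)
    seq: int = 0  # sender-side sequence number


class SADatabase:
    """One entry per direction, keyed by (SPI, destination, protocol)."""
    def __init__(self):
        self._sas = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._sas[(sa.spi, sa.dst, IPPROTO_AH)] = sa

    def lookup(self, spi: int, dst: bytes):
        return self._sas.get((spi, dst, IPPROTO_AH))


def ipv4_header(src: bytes, dst: bytes, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte header; checksum left zero since AH treats it as mutable anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, IPPROTO_AH, 0, src, dst)


def ah_covered_bytes(header: bytes, ah_no_icv: bytes, payload: bytes) -> bytes:
    """Zero the mutable header fields (TTL, checksum); the addresses stay covered."""
    h = bytearray(header)
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h) + ah_no_icv + payload


def ah_protect(sa: SecurityAssociation, src: bytes, payload: bytes, next_hdr: int = 17) -> bytes:
    """Sender: IP header + AH header (with ICV) + untouched payload."""
    sa.seq += 1
    header = ipv4_header(src, sa.dst, AH_LEN + len(payload))
    ah_no_icv = struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, sa.spi, sa.seq) + b"\x00" * ICV_LEN
    icv = hmac.new(sa.key, ah_covered_bytes(header, ah_no_icv, payload), hashlib.sha256).digest()[:ICV_LEN]
    return header + ah_no_icv[:12] + icv + payload


def ah_verify(sad: SADatabase, packet: bytes) -> bool:
    """Receiver: find the SA by (SPI, destination), recompute the ICV, compare in constant time."""
    header, rest = packet[:20], packet[20:]
    spi = struct.unpack("!I", rest[4:8])[0]
    sa = sad.lookup(spi, header[16:20])
    if sa is None:
        return False
    ah_no_icv = rest[:12] + b"\x00" * ICV_LEN
    expected = hmac.new(sa.key, ah_covered_bytes(header, ah_no_icv, rest[AH_LEN:]), hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(rest[12:AH_LEN], expected)


def decrement_ttl(packet: bytes) -> bytes:
    """What every router on the path does; AH tolerates it."""
    p = bytearray(packet)
    p[8] -= 1
    return bytes(p)


def nat_rewrite_source(packet: bytes, new_src: bytes) -> bytes:
    """What a NAT gateway does; AH rejects it because the source address is covered."""
    return packet[:12] + new_src + packet[16:]


HOST_A, HOST_B = bytes([10, 1, 0, 5]), bytes([10, 2, 0, 9])
SA_A_TO_B = SecurityAssociation(spi=0x1001, dst=HOST_B, key=b"constructed-key-a-to-b")
SA_B_TO_A = SecurityAssociation(spi=0x2002, dst=HOST_A, key=b"constructed-key-b-to-a")
SAD = SADatabase()
SAD.add(SA_A_TO_B)
SAD.add(SA_B_TO_A)


def demo() -> dict:
    pkt = ah_protect(SA_A_TO_B, HOST_A, b"constructed payload")
    # A peer wrongly reusing the A->B SPI and key for B->A traffic: no SA matches (SPI, dst=A).
    reverse = ah_protect(SecurityAssociation(spi=0x1001, dst=HOST_A, key=SA_A_TO_B.key), HOST_B, b"x")
    return {
        "intact": ah_verify(SAD, pkt),
        "after_ttl_decrement": ah_verify(SAD, decrement_ttl(pkt)),
        "after_nat": ah_verify(SAD, nat_rewrite_source(pkt, bytes([203, 0, 113, 10]))),
        "reverse_direction_reuse": ah_verify(SAD, reverse),
    }
```

Running `demo()` shows the two points the slides make: the packet verifies after a router decrements the TTL (a mutable field) but fails after a NAT rewrites the source address (an immutable, covered field), and the A-to-B SA is useless for B-to-A traffic because the receiver finds no SA for that SPI and destination. ESP's integrity check, by contrast, starts at the ESP header and never covers the outer IP addresses, which is why ESP, not AH, is what NAT traversal carries.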

VPN Core Activity 2: Encryption

• Encryption
– Process of rendering information unreadable by all but the intended recipient
– Components
• Key
• Digital certificate
• Certification Authority (CA)
– Key exchange methods
• Symmetric cryptography
• Asymmetric cryptography
• Internet Key Exchange (IKE)
• FWZ (Check Point's proprietary scheme)

Encryption Schemes Used by VPNs

• Triple Data Encryption Standard (3DES)
– Used by much VPN hardware and software
– 3DES is a variation on the Data Encryption Standard (DES)
– DES is not secure: its 56-bit key can be brute-forced
– 3DES is more secure
• Applies DES three times with three separate 56-bit keys (each stored as 64 bits including parity bits), for an effective strength of about 112 bits
– 3DES requires more computer resources than DES
– 3DES is now deprecated in favor of AES

Encryption Schemes Used by VPNs (continued)

• Secure Sockets Layer (SSL)
– Developed by Netscape Communications Corporation; standardized by the IETF as Transport Layer Security (TLS)
– Enables Web servers and browsers to exchange encrypted information
– Characteristics
• Uses public-key cryptography for the handshake and symmetric keys for the session
• Uses the sockets method of communication
• Operates above TCP, at the session/presentation layers of the OSI model, not at layer 3 as IPSec does
– Widely used on the Web
• Originally used only by Web-enabled applications; TLS can protect any TCP application, and SSL VPN products build on it
• Unlikely to replace IPSec for site-to-site tunnels

Encryption Schemes Used by VPNs (continued)

• Secure Sockets Layer (SSL) (continued)
– Steps
• Client connects to the Web server using the SSL protocol
• The two machines carry out a "handshake" process
– Client sends its preferences for encryption method, its SSL version number, and a randomly generated number
• Server responds with its SSL version number, its own cipher preferences, its own random number, and its digital certificate
• Client verifies the date, issuer, and other information on the digital certificate
– Client generates a "pre-master" secret and sends it encrypted under the public key from the server's certificate
• Server uses its private key to decrypt the pre-master secret
– Both sides derive the master secret from it and the two random numbers
– Client and server use the master secret to generate session keys
• Server and client exchange messages saying the handshake is completed
• SSL session begins
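The key-derivation steps of the handshake above (pre-master secret to master secret to session keys), as an added Python example that is not part of the textbook. It uses the TLS 1.2 pseudorandom function from RFC 5246 in place of the original SSLv3 construction; the RSA encryption of the pre-master secret under the server's certificate key is not modelled, the secret is simply handed to both parties. The random values, the pre-master secret and the key sizes are constructed for illustration.

```python
"""Added example (not from the textbook): deriving the master secret and the
session keys once the pre-master secret has reached both sides.

Uses the TLS 1.2 PRF (RFC 5246, section 5) rather than the SSLv3 construction.
The RSA transport of the pre-master secret is not modelled; randoms, pre-master
secret and key sizes are constructed values.
"""
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 expansion: A(i) = HMAC(secret, A(i-1)); out += HMAC(secret, A(i) + seed)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret; both randoms bind it to this particular handshake."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def session_keys(master: bytes, client_random: bytes, server_random: bytes,
                 mac_len: int = 32, key_len: int = 16, iv_len: int = 16) -> dict:
    """Split the key block in RFC 5246 section 6.3 order; note the reversed random order in the seed."""
    block = prf(master, b"key expansion", server_random + client_random,
                2 * (mac_len + key_len + iv_len))
    layout = [("client_write_mac", mac_len), ("server_write_mac", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_iv", iv_len), ("server_write_iv", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


class Party:
    """One endpoint; after the handshake it holds only what it derived itself."""
    def __init__(self, random: bytes):
        self.random = random
        self.keys = None

    def finish(self, pre_master: bytes, client_random: bytes, server_random: bytes) -> None:
        master = master_secret(pre_master, client_random, server_random)
        self.keys = session_keys(master, client_random, server_random)


def run_handshake(client_random: bytes = None, server_random: bytes = None,
                  pre_master: bytes = None):
    """Exchange randoms, deliver the pre-master secret, derive keys independently on both sides."""
    client = Party(client_random or os.urandom(32))   # ClientHello.random
    server = Party(server_random or os.urandom(32))   # ServerHello.random
    pre_master = pre_master or b"\x03\x03" + os.urandom(46)  # version bytes + 46 random bytes
    # In real SSL the client RSA-encrypts pre_master to the server's certificate; here it just arrives.
    client.finish(pre_master, client.random, server.random)
    server.finish(pre_master, client.random, server.random)
    return client, server


if __name__ == "__main__":
    c, s = run_handshake()
    print("session keys match:", c.keys == s.keys)
    print("client_write_key:", c.keys["client_write_key"].hex())
```

Two things the slides state become concrete here: neither side ever transmits the master secret or the session keys, each derives them from the same three inputs, and because both random numbers feed the derivation, replaying a captured pre-master secret against a new handshake yields different keys. The separate client-write and server-write keys are also why a message captured in one direction cannot be reflected back in the other.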

VPN Core Activity 3: Authentication

• Authentication
– Identifying a user or computer as authorized to access and use network resources
– Types of authentication methods used in VPNs
• IKE, for IPSec peers (pre-shared keys or digital certificates)
• MS-CHAP (v2), for user authentication on PPTP and L2TP connections
– Both computers exchange authentication packets and authenticate one another
– VPNs use digital certificates to authenticate users and gateways

Kerberos

• Authentication system
– Developed at the Massachusetts Institute of Technology (MIT)
• Authenticates the identity of network users
– Authentication by assertion
– Computer that connects to a server and requests services acts on behalf of an approved user

Kerberos (continued)

• Advantages
– Passwords are not sent over the network
• The Key Distribution Center (KDC) holds a key derived from each password and issues time-limited tickets instead, so there is no password on the wire to intercept
– Has a lower "network overhead" than a Public Key Infrastructure (PKI)
– Handy for single sign-on (SSO)

• Disadvantages
– The Authentication Server (AS) within the KDC is a single point of failure for Kerberos
– Depends on synchronized clocks, since tickets and authenticators carry timestamps

Advantages and Disadvantages of VPNs


Summary

• VPNs do not make use of dedicated leased lines
• VPNs send data through a secure tunnel that leads from one endpoint to another
• VPNs keep critical business communications private and secure
• VPN components
– VPN servers
– VPN clients
– Protocols

Summary (continued)

• VPN types
– Site-to-site
– Client-to-site
• Encapsulation encloses one packet within another
– Conceals the original addressing
• VPN protocols
– Secure Shell (SSH)
– SOCKS version 5
– Point-to-Point Tunneling Protocol (PPTP)
– Layer 2 Tunneling Protocol (L2TP)

Summary (continued)

• IPSec/IKE
• Encryption makes the contents of the packet unreadable
• Authentication ensures participating computers are authorized users
– Kerberos: strong authentication system
• VPN advantages
– High level of security at low cost
• VPN disadvantages
– Can introduce serious security risks: a compromised or poorly configured endpoint extends the trusted network to the attacker, and perimeter firewalls cannot inspect what the tunnel carries