Internet Security Seminar Class CS591 Presentation Topic: VPN.


Internet Security

Seminar Class CS591

Presentation Topic:

VPN

Virtual Private Network

What is a VPN?

An extension of an enterprise's private intranet across a public network (typically the Internet). Because the public network is untrusted, the VPN must:
- Encrypt the user's data (confidentiality)
- Validate the user's data (integrity: detect any modification in transit)
- Authenticate the source of the data (origin authentication)
- Establish and maintain the cryptographic secrets that the three services above depend on (key management)


Why do businesses use VPNs?
- Cost: an ISP/NSP connection is far cheaper than dedicated leased lines
- Simplified infrastructure: no modem bank to maintain for dial-in users
- Secured: traffic is encrypted, authenticated and integrity-protected
- Interoperable: supports multiple protocols
- Distributed, deployable, scalable


Types of VPN networks
- Branch office connection (intranet VPN)
- Business partner/supplier network (extranet VPN, e-business)
- Remote access (mobile users, Mobile IP)

Branch office connection (diagram not reproduced in the transcript)

Business partner/supplier network (diagram not reproduced in the transcript)

Remote access (diagram not reproduced in the transcript)

How does a VPN work?

It creates a dedicated link across the public network using tunneling: each protected packet is encapsulated inside another packet, routed across the public network as ordinary traffic, and unwrapped at the far end.

Basic components of a tunnel:
- A tunnel initiator (TI)
- A routed network
- An optional tunnel switch
- One or more tunnel terminators (TT)


Protocols documented by the IETF
- IPsec (IP Security)
- IKE (Internet Key Exchange)
- L2F (Layer 2 Forwarding)
- PPTP (Point-to-Point Tunneling Protocol)
- L2TP (Layer 2 Tunneling Protocol)

IPsec, IKE and L2TP are standards-track protocols; L2F (RFC 2341) and PPTP (RFC 2637) were published as RFCs documenting vendor protocols and are not on the standards track.


IPsec
- Standardized by the IETF IPsec working group (the slides credit Cisco with proposing it); initially used by firewall and security products
- Operates at the network (IP) layer, so it protects any traffic carried over IP without changes to the applications
- Two security services (protocols) to choose from:
  - Authentication Header (AH, IP protocol 51): integrity and origin authentication for the payload and for the parts of the IP header that do not change in transit; no confidentiality
  - Encapsulating Security Payload (ESP, IP protocol 50): confidentiality, with optional integrity and origin authentication; in practice ESP with integrity enabled is what is deployed, because AH covers the outer IP addresses and therefore cannot cross a NAT
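The two services above, as an added example that is not code from the slides or from any IPsec implementation: tunnel-mode AH and ESP packets are built by hand with the standard library so they can be compared byte for byte. ESP uses the NULL cipher of RFC 2410 (no confidentiality, which is what lets this run without a crypto library), and both use HMAC-SHA-256-128 (RFC 4868) for the integrity check value, the same construction as the HMAC-MD5-96 and HMAC-SHA1-96 of the slides' era. The addresses, SPIs, inner packet and key are constructed sample values.

```python
# Added example (not from the slides): tunnel-mode AH and ESP, NULL cipher, HMAC-SHA-256-128.
import hashlib
import hmac
import ipaddress
import struct

ICV_LEN = 16  # HMAC-SHA-256 output truncated to 128 bits (RFC 4868)


def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def simulate_hop(packet: bytes) -> bytes:
    """What every router on the path does: decrement TTL and recompute the IP checksum."""
    hdr = bytearray(packet[:20])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


def _ah_immutable(outer_ip: bytes) -> bytes:
    """Zero the mutable IPv4 fields (DSCP/ECN, flags+fragment offset, TTL, checksum) before
    computing the AH ICV; everything else, both addresses included, is covered."""
    hdr = bytearray(outer_ip)
    hdr[1] = 0
    hdr[6:8] = b"\x00\x00"
    hdr[8] = 0
    hdr[10:12] = b"\x00\x00"
    return bytes(hdr)


def ah_encapsulate(inner: bytes, src: str, dst: str, spi: int, seq: int, key: bytes) -> bytes:
    """Tunnel-mode AH (RFC 4302): outer IP (proto 51) | AH header | ICV | inner IP packet."""
    ah_len = 12 + ICV_LEN
    outer_ip = ipv4_header(src, dst, 51, ah_len + len(inner))
    ah_hdr = struct.pack("!BBHII", 4, ah_len // 4 - 2, 0, spi, seq)  # next header 4 = IPv4
    icv = hmac.new(key, _ah_immutable(outer_ip) + ah_hdr + bytes(ICV_LEN) + inner,
                   hashlib.sha256).digest()[:ICV_LEN]
    return outer_ip + ah_hdr + icv + inner


def ah_verify(packet: bytes, key: bytes):
    """Return (spi, seq, inner packet), or None when the ICV does not match."""
    outer_ip, ah = packet[:20], packet[20:]
    _, plen, _, spi, seq = struct.unpack("!BBHII", ah[:12])
    ah_len = (plen + 2) * 4
    icv, inner = ah[12:ah_len], ah[ah_len:]
    expected = hmac.new(key, _ah_immutable(outer_ip) + ah[:12] + bytes(ah_len - 12) + inner,
                        hashlib.sha256).digest()[:ICV_LEN]
    return (spi, seq, inner) if hmac.compare_digest(icv, expected) else None


def esp_encapsulate(inner: bytes, src: str, dst: str, spi: int, seq: int, key: bytes) -> bytes:
    """Tunnel-mode ESP (RFC 4303), NULL encryption: outer IP (proto 50) | SPI | seq |
    inner IP packet | padding | pad length | next header | ICV."""
    pad_len = -(len(inner) + 2) % 4          # trailer must end on a 32-bit boundary
    padding = bytes(range(1, pad_len + 1))   # RFC 4303 default padding pattern 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, 4])
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return ipv4_header(src, dst, 50, len(body) + ICV_LEN) + body + icv


class EspReceiver:
    """Inbound ESP SA: key plus a 64-packet anti-replay window (RFC 4303 section 3.4.3)."""
    WINDOW = 64

    def __init__(self, key: bytes):
        self.key, self.highest, self.seen = key, 0, set()

    def receive(self, packet: bytes):
        """Return (inner packet, "ok") or (None, reason)."""
        body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
        # integrity first, so a forged sequence number cannot move the replay window
        if not hmac.compare_digest(icv, hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]):
            return None, "bad ICV"
        seq = struct.unpack("!I", body[4:8])[0]
        if seq <= self.highest - self.WINDOW or seq in self.seen:
            return None, "replay"
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.WINDOW} | {seq}
        pad_len, next_hdr = body[-2], body[-1]
        if next_hdr != 4:
            return None, "unexpected next header"
        return body[8:len(body) - 2 - pad_len], "ok"


# constructed sample: an inner UDP/DNS packet between two private hosts, and a 256-bit key
INNER = ipv4_header("10.1.0.5", "10.2.0.9", 17, 8) + struct.pack("!HHHH", 53, 53, 8, 0)
KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

if __name__ == "__main__":
    ah = ah_encapsulate(INNER, "198.51.100.1", "203.0.113.7", 0x100, 1, KEY)
    esp = esp_encapsulate(INNER, "198.51.100.1", "203.0.113.7", 0x200, 1, KEY)
    print("AH still verifies after a router hop:", ah_verify(simulate_hop(ah), KEY) is not None)
    rx = EspReceiver(KEY)
    print("ESP first delivery:", rx.receive(esp)[1], "| replayed:", rx.receive(esp)[1])
```

Two things the packet layouts make visible: AH's ICV survives the TTL and checksum rewrite of `simulate_hop` only because those fields are zeroed before hashing, and it would not survive a NAT rewriting the addresses; and the ESP receiver checks the ICV before consulting the replay window, so an attacker cannot advance the window with unauthenticated sequence numbers.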


Cisco IPsec with IKE (algorithm suite at the time of these slides)
- Diffie-Hellman for key agreement
- DES for encryption
- MD5 / SHA-1 (as HMACs) for integrity

Single DES (56-bit key) and MD5 are no longer acceptable choices; current deployments use AES (preferably AES-GCM), SHA-2 based HMACs, and DH group 14 or larger or an elliptic-curve group.


IKE (Internet Key Exchange)
- The protocol IPsec uses to negotiate security associations and establish their keys
- Formerly referred to as ISAKMP/Oakley: it combines the ISAKMP framework (Internet Security Association and Key Management Protocol) with the Oakley key determination protocol
- ISAKMP defines the message formats and manages the negotiation of security associations (algorithms, lifetimes, identities)
- Oakley contributes the key establishment: an authenticated Diffie-Hellman exchange from which the shared keys are derived
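The Diffie-Hellman half of an IKE phase 1 exchange, as an added example that is not the slides' or any vendor's code, including the checks a real implementation must make before trusting the result. It assumes IKE group 14 (the 2048-bit MODP group of RFC 3526) in place of the slides-era groups, HMAC-SHA-256 as the prf, and the SKEYID derivation of RFC 2409 section 5 for signature authentication; nonces and private exponents are generated fresh on every run.

```python
# Added example (not from the slides): IKE-style Diffie-Hellman with group and peer-value checks.
import hashlib
import hmac
import secrets

# RFC 3526 "2048-bit MODP Group" (IKE group 14): p = 2q + 1 with q prime, generator g = 2
P = int("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".replace(" ", "").replace("\n", ""), 16)
G = 2
Q = (P - 1) // 2
LEN = (P.bit_length() + 7) // 8  # 256 bytes: g^xy is encoded at this fixed width


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin with random bases; enough to catch a corrupted or mistyped group."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_is_sane() -> bool:
    """p and q prime, and g generates the order-q subgroup (2 is a quadratic residue
    because p = 7 mod 8, so g^q = 1 mod p)."""
    return is_probable_prime(P) and is_probable_prime(Q) and pow(G, Q, P) == 1


def valid_public_value(y: int) -> bool:
    """Reject 0, 1, p-1 and anything outside the order-q subgroup (the RFC 6989 checks);
    otherwise a peer can force the shared secret to a known value."""
    return 1 < y < P - 1 and pow(y, Q, P) == 1


def keypair():
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(Q - 2) + 2
    return x, pow(G, x, P)


def shared_secret(x: int, peer_y: int) -> bytes:
    if not valid_public_value(peer_y):
        raise ValueError("rejecting invalid DH public value from peer")
    return pow(peer_y, x, P).to_bytes(LEN, "big")


def skeyid(ni: bytes, nr: bytes, gxy: bytes) -> bytes:
    """RFC 2409 section 5, signature authentication: SKEYID = prf(Ni_b | Nr_b, g^xy)."""
    return hmac.new(ni + nr, gxy, hashlib.sha256).digest()


def phase1_exchange():
    """Both peers in one process: each side only sees the other's public value and nonce
    and derives SKEYID independently. Returns (initiator's SKEYID, responder's SKEYID)."""
    xi, yi = keypair()
    xr, yr = keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)  # nonce payloads
    return skeyid(ni, nr, shared_secret(xi, yr)), skeyid(ni, nr, shared_secret(xr, yi))


if __name__ == "__main__":
    print("group 14 parameters check out:", group_is_sane())
    a, b = phase1_exchange()
    print("both sides derived the same SKEYID:", a == b, a.hex()[:16] + "...")
```

The subgroup check in `valid_public_value` is the part most often skipped in practice: without it a peer can send 1 or p-1 and pin the shared secret to a value it already knows, so the whole negotiation that follows is authenticated with a key the attacker holds.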


L2F (Layer 2 Forwarding)
- Tunneling protocol created by Cisco
- A mechanism for transporting link-layer frames of higher-layer protocols, e.g. PPP, across an IP network: a Virtual Private Dial-up Network (VPDN)
- The NAS (Network Access Server) at the ISP terminates the dial-in call and forwards the frames to the Home Gateway at the corporation
- L2F provides no encryption of its own and was superseded by L2TP


PPTP (Point-to-Point Tunneling Protocol)
- Developed by Microsoft, 3Com, Ascend and ECI
- Encapsulates PPP packets (in GRE) across an IP-based internet, with a separate TCP control connection
- Encryption: RC4 (RSA Data Security's stream cipher) via Microsoft Point-to-Point Encryption (MPPE), with keys derived from the MS-CHAP authentication exchange
- Caveat: the MS-CHAP authentication and the MPPE key derivation have well-documented weaknesses; treat PPTP as legacy and use an IPsec- or TLS-based VPN instead


L2TP (Layer 2 Tunneling Protocol)
- Combines PPTP and L2F into a single IETF standard (RFC 2661)
- Supports multiple simultaneous tunnels between the same pair of endpoints
- Allows administrators to dedicate specific tunnels to specific tasks
- L2TP itself provides no encryption; it is normally run over IPsec (L2TP/IPsec) for confidentiality and integrity


VPN technology building blocks
- Firewalls
- Intrusion detection tools
- Authentication servers
- Encryption and key exchange


Implementation decisions

Networking connectivity: intranet, extranet or remote access

Product or service provider options:
- VPN gateway
- Software only (for connections below 1.5 Mbps only)
- Firewall based
- Router based

Authentication methods: RADIUS, PKI, X.509 certificates (ITU), LDAP


Routers and firewalls with encryption capability
Pros:
- Encryption upgrades, if available, can be cost effective
Cons:
- Mixing vendor solutions can create compatibility issues that inhibit VPN capability
- May not be able to provide PC-to-LAN capability without additional software support
- Could require commitment to a vendor's proprietary technology
- May not provide multi-protocol support
- Installation and configuration can add to network complexity
- Encryption processing overhead may reduce performance


Traditional remote access server (RAS) with VPN add-on
Pros:
- May allow IT to take advantage of an existing hardware investment
Cons:
- Traditional remote access servers are not optimized for VPN
- VPN add-ons may only be available for some high-end RAS solutions
- May be ISP dependent, requiring the company to adopt the same RAS VPN vendor as the ISP
- May not provide multi-protocol support
- May require vendor proprietary software


NOS/server-based VPN
Pros:
- More robust solution for PC-to-LAN access than that provided by firewalls or routers
Cons:
- Difficult to set up and manage VPN functionality
- Adding VPN services to a network server can impact performance while decreasing fault tolerance
- Dedicating a network server to remote access can be prohibitively expensive


VPN services (outsourced)
Pros:
- Security and performance can be guaranteed, for a price
- Requires limited corporate support
Cons:
- IT gives up control to the service provider
- May not provide multi-protocol support
- May not provide PC-to-LAN access
- VPN services may be cost prohibitive

Dedicated VPN software
Pros:
- Optimized to create LAN-to-LAN connections via VPN
- A dedicated VPN solution creates fault tolerance
- Standalone VPN solutions can offer greater performance
- Dedicated VPN solutions are generally easier to use and support than solutions originally designed for non-VPN functions such as firewalls, routers, network servers and traditional remote access servers
- Eliminates the need for costly frame relay circuits, leased lines, etc.
Cons:
- Vendor proprietary software is needed for each server hosting VPN and each remote client accessing the LAN via VPN
- Must invest in a dedicated server for maximum performance
- Adding VPN software to an existing, in-use network server decreases fault tolerance and performance
- Many solutions support IP-only VPNs and cannot transport packets from multiple protocols


Dedicated VPN hardware
Pros:
- Easy to install, configure and manage
- Saves money by reducing equipment needs at the corporate site
- A stand-alone solution offers greater performance and fault tolerance because it is optimized for VPN functionality
- Reduces the cost of upgrading hardware as remote access technology changes
- Reduces the cost of upgrading the system as the number of users increases
Cons:
- Some solutions do not support multiple protocols
- Some LAN-to-LAN VPN solutions require costly software add-ons to support remote client PCs
- Some solutions require that proprietary software be loaded on the remote client's PC


Security stance

Two possible default policies for the VPN gateway and the firewall in front of it:
- Permit all access initially; the administrator specifically denies individual access according to security policy (default-permit). Anything the policy did not foresee gets through.
- Deny all access initially; the administrator specifically permits individual access according to security policy (default-deny). Anything the policy did not foresee is blocked, which is the fail-safe stance and the one to use.


Security techniques
- Packet filters
- Circuit-level gateways
- Application-level gateways

Possible security breaches/risks from remote access (RA)
- Unauthorized remote access (RA) computer
- RA computer connected to an insecure network (the tunnel can bridge that network into the corporate LAN)
- Virus-infected RA computer
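The two security stances and the packet-filter technique from the slides above, as an added example that is not code from the slides or from any firewall product: a first-match rule evaluator run under both default policies over a constructed rule set and constructed sample traffic from a remote-access client. The address ranges, services and rule format are assumptions made for the illustration.

```python
# Added example (not from the slides): first-match packet filter under default-permit and default-deny.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    src: str                 # CIDR
    dst: str                 # CIDR
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet, stance: str) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins; `stance` ("permit" or "deny") applies when none matches."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule
    return stance, None


def audit(rules: List[Rule], traffic: List[Packet], stance: str) -> List[Tuple[Packet, str, bool]]:
    """Decision per packet plus whether the default, not a rule, decided it. Packets decided
    by the default are exactly the ones to review before moving a gateway to default-deny."""
    out = []
    for p in traffic:
        action, rule = evaluate(rules, p, stance)
        out.append((p, action, rule is None))
    return out


# constructed sample policy: remote-access clients get 10.200.0.0/24, the corporate LAN is 10.10.0.0/16
VPN_POOL, LAN = "10.200.0.0/24", "10.10.0.0/16"
RULES = [
    Rule("permit", VPN_POOL, "10.10.5.10/32", "tcp", 443),   # intranet web server
    Rule("permit", VPN_POOL, "10.10.5.20/32", "udp", 53),    # internal DNS
    Rule("deny", VPN_POOL, LAN, "tcp", 23),                  # telnet explicitly denied
]
# constructed sample traffic from one remote-access client
TRAFFIC = [
    Packet("10.200.0.7", "10.10.5.10", "tcp", 443),   # intended use
    Packet("10.200.0.7", "10.10.5.20", "udp", 53),    # intended use
    Packet("10.200.0.7", "10.10.5.10", "tcp", 23),    # explicitly denied
    Packet("10.200.0.7", "10.10.7.30", "tcp", 445),   # SMB to a file server nobody listed
    Packet("10.200.0.7", "10.10.9.2", "tcp", 3389),   # RDP to a workstation nobody listed
]


def decisions(stance: str) -> List[str]:
    return [action for _, action, _ in audit(RULES, TRAFFIC, stance)]


if __name__ == "__main__":
    for stance in ("permit", "deny"):
        print(f"default-{stance}:", decisions(stance))
```

With the same three rules, the last two packets (SMB and RDP to hosts the administrator never listed) are permitted under the permit-all stance and blocked under deny-all; the rule set never changed, only what happens when it is silent.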


Companies supporting VPN: Microsoft, IBM, Novell, Cisco, Nokia, 3Com


FAQ
- What is the difference between a VPN and a firewall?
- What is the difference between a VPN and a proxy?
- Build your own VPN or outsource it to a service provider?
- Important critiques?
- Interoperability?
- Scalability?
- Can you trust the Internet?

Any other questions?

Reference: Virtual Private Networks, by Charlie Scott, Paul Wolfe and Mike Erwin, O'Reilly & Associates, March 1998
