1 / 15

Virtual Private Networks (VPNs) and IP Security (IPSec)

Virtual Private Networks (VPNs) and IP Security (IPSec). G53ACC Chris Greenhalgh. Contents. What is a VPN? Types of VPN Standards How does it Work Issues Books: Comer ch. 15.5, 40.13, 40.14; Stallings 6 th Ed. Ch. 18.5 (“IPv4/IPV6 security”). What is a VPN? (1). Public network:

jacquesj
Download Presentation

Virtual Private Networks (VPNs) and IP Security (IPSec)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Virtual Private Networks (VPNs)and IP Security (IPSec) G53ACC Chris Greenhalgh

  2. Contents • What is a VPN? • Types of VPN • Standards • How does it Work • Issues • Books: Comer ch. 15.5, 40.13, 40.14; Stallings 6th Ed. Ch. 18.5 (“IPv4/IPV6 security”)

  3. What is a VPN? (1) • Public network: • Shared network using common networking infrastructure, e.g. the Internet Trusted machines Public Network (insecure, open) Malicious machines

  4. What is a VPN? (2) • Private network: • Dedicated network, specific to a single company/organisation • More secure, guaranteed quality of service, but more expensive Trusted machines Private Network No physical access to private network for untrusted machines

  5. What is a VPN? (3) • Virtual Private Network: • Benefits of a private network, but making use of a public network to carry packets • Secure, cheaper than a private network Trusted machines Public Network (insecure, open) VPN Can access packets on public network but cannot read/write VPN data

  6. VPN Overview Virtual Private Network! Regular IP packet Regular IP packet VPN Access (encrypt/decrypt) hardware or software VPN Access Encrypted IP packet Encrypted IP packet Public Network Cannot understand encrypted packets; cannot forge encrypted packets.

  7. Types of VPN (CISCO-speak!) • Intranet VPN • Straight replacement for an internal private network • Access VPN • Allows remote dialup users (e.g. from laptop) to securely ‘join’ the company internet • Authentication is a critical concern!i.e. securely identifying the remote user/device • Extranet VPNs • Includes partner organisations, but retains additional security and QoS support over public network(s).

  8. Standards? • E.g. the Internet IP Security (IPsec) standards: • RFCs 2401-2411 & 2451 • Includes standards: • Internet Key Exchange (RFC 2409) • Allows peers to authenticate and establish secure session information • Authentication Header (AH) (RFC 2402) • Packet (& header) integrity & authentication • Encapsulated Security Payload (ESP) (RFC 2406) • Additionally, packet contents are encrypted • (Or Microsoft protocols, MPPE, MMTP?)

  9. How does it work? • Transport mode • End systems negotiate IKE Security Association (SA) directly and use AH and/or ESP on packets sent to each other. • Tunnel mode (more common) • Intermediate systems (e.g. access routers, firewalls) negotiate IKE SAs and tunnel packets to each other (with AH and/or ESP). Transport mode: secured packets Router Router Tunnel mode: secured packets Tunnel mode: normal packets

  10. Security Agreement (SA) • Unidirectional logical channel between two hosts • Logical secure ‘connection’ for ‘connectionless’ IP packets! • Typically defines: • Protocol; chosen ciphers, e.g. HMAC Hash function • shared secret key • Identified by: • Security protocol (AH or ESP) identifier • Destination IP address (not source as per some texts) • 32 bit connection identifier or Security Parameter Index (SPI), selected by destination host • Established before secure communication can take place • e.g. using SKE, or pre-configured

  11. Authentication Header protocol • AH fields: • Next Header: points to TCP/UDP segment • Security Parameter Index: identifies SA • Sequence Number (32 bit): prevent playback/MITM • Authentication Data: signed message digest for whole IP datagram (e.g. DES, MD5, or SHA) • Uses HMAC authentication scheme (see RFC 2104) using shared secret key: • Hash(Key XOR outpad, Hash(Key XOR inpad, text)) IP Header AH Header TCP/UDP Segment Protocol 51

  12. AH Notes • Only the parties sharing the SA’s secret key can compute the Hashed Message Authentication Code (HMAC) • The HMAC covers the source IP address, SPI, sequence number and payload • Therefore: • Another host cannot construct a packet appearing to come from the source host with a correct (for that source) HMAC • Another host cannot re-generate a correct HMAC for that source if it changes any of the packet in transit • Replay is easily detected and packets with repeated sequence number dropped early in processing

  13. Encapsulated Security Payload protocol IP Header ESP Header TCP/UDPSegment ESP Trailer ESP Auth. • Header includes: • Security Parameter Index: as per AH • Sequence Number (32 bit): as per AH • Encryption: e.g. DES-CBC • Trailer include: • Next Header: encrypted, so segment protocol is hidden • Authentication trailer: as per AH authentication data (optional, per SA) Encrypted Protocol 50 Authenticated

  14. ESP Notes • Can be used as above in transport mode • NB does not authenticate or encrypt IP Header info(AH does authenticate IP Header info) • Can also be used in tunnel mode: • Encrypts and authenticates all of original packet • Especially between security gateways, but also between hosts New IP Header ESP Header Original IP Header TCP/UDPSegment ESP Trailer ESP Auth. Encrypted Protocol 50 Authenticated

  15. Issues • Configuration • Public Key infrastructure (or shared initial secrets) for IKE SA establishment • Security policies – defining what is allowed • Resources/deployment • Client IPsec software for transport mode • VPN-capable routers for tunnel mode • Encryption CPU costs (e.g. extra router hardware support)

More Related