
Virtual Private Networks


Presentation Transcript


  1. Virtual Private Networks

  2. Virtual Private Networks (VPNs) • VPN: Virtual Private Network • IPSEC • HighLink’s road map: Q2: Integrated IPSEC = Integrated VPN; later phase: HW based IPSEC

  3. VPN - What is it all about? • VPN - two networking concepts: • Virtual networks: • Geographically distributed users and hosts interact and are managed as a single “virtual entity” • Virtual Private Networks: • Incorporate data protection and trust among hosts in the virtual network • VPN often includes: • Tunneling • Encryption • Authentication • VPNs solve network problems: • Security over public and private networks • Addressing problems in IP networks • Ideal for Intranet/Extranet, E-commerce, ASPs

  4. VPN’s Security • What kind of security is provided by VPN ? • Authentication: Who can access your network? • Authorization: What can a user access? • Data protection: • From disclosure • From modification

  5. VPNs: Various solutions over 7 layers of ISO model
     ISO Model       VPN Solutions
     Application     S/MIME, SSH
     Presentation    -
     Session         -
     Transport       SOCKS, SSL, TLS
     Network         IPSEC
     Data Link       L2TP, PPTP
     Physical        -

  6. Security Problems --> VPN • Internet --> security problems: • Many points of eavesdropping • Many points of modification • Public networks are also not secure --> VPN may also be needed over: • DSL • CATV • Leased Lines • Frame Relay • ISDN • Wireless • Satellite

  7. IP Addressing Problems --> VPN • Companies use “private” addresses due to: • Shortage of IP addresses • Historic reasons (before Internet) • This causes problems when: • Companies want to cooperate • Companies connect to Internet • The problem may be solved with: • Virtual Private Network (VPN) • Network Address Translation (NAT)

  8. IPSEC: Layer 3 tunneling protocol • IPSEC = IP Security • IPSEC is a standard (RFCs, etc.) • IPSEC is a layer 3 tunneling protocol • IPSEC provides: • Encapsulation (optional) • Encryption (optional) • Data origin authentication • Data integrity protection (“data has not been changed”) • Replay protection (“data is not being sent again by someone who was eavesdropping” - optional) • Cryptographic key management

  9. PPTP, L2TP: Layer 2 tunneling protocols • PPTP and L2TP are layer two tunneling protocols: • PPTP = “Point to Point Tunneling Protocol”: • It’s an old Microsoft tunneling protocol • Has extensions for encryption • Was replaced by L2TP • L2TP = a standard for “Layer 2 Tunneling Protocol”: • It doesn’t provide encryption!

  10. IPSEC vs L2TP • IPSEC provides real security features, like encryption, in addition to tunneling • IPSEC is becoming the leading means for VPN solutions • L2TP provides a solution for non-IP protocols, like IPX and AppleTalk - it lets them run over the Internet

  11. IPSEC: Three major components • AH = Authentication Header Protocol: • Authentication • Data integrity • Replay protection • ESP = Encapsulation Security Protocol: • Confidentiality • Authentication • Data integrity • Replay protection • IKE = Internet Key Exchange protocol

  12. IPSEC: Tunnel Mode and Transport Mode • Transport mode (hardly used): there is no encapsulation • The original IP header is kept - it is neither replaced nor encrypted • Data may be encrypted • Tunnel mode: there is encapsulation • There is a new IP header, with new IP addresses (allowing old private addresses to be used in the organization…) • The old IP header (with old IP addresses) may be encrypted • Data may be encrypted

  13. IPSEC: A range of encryption and authentication algorithms • IPSEC offers a range of algorithms:
     Authentication    Encryption
     MD5               DES
     SHA-1             3-DES (Triple DES)
     DES               RC5
                       IDEA (& Triple IDEA)
                       Blowfish
                       CAST
                       RC4

  14. Cryptography • Cryptographic Algorithm: a procedure that takes the plaintext data and transforms it into ciphertext in a reversible way • Cryptographic Key: a special piece of data that directs the crypto device to encrypt a message in a distinctive way • Usually the key is a large number

  15. Secret Key (Symmetric) Encryption • [Figure: Mr. A and Mr. B exchanging messages with one shared secret key] • Mr. A encrypts his message to B with their shared secret key • Mr. B decrypts messages from A with the same secret key

  16. Secret Key (Symmetric): Some facts • The keys must remain secret • The same key is used to encrypt and decrypt • Distributing the keys is hard because they have to be secret • Secrecy of data is related to: • The length of the key • The secrecy of the key • The algorithm being used

  17. Public Key (Asymmetric) Encryption • Different keys are used for encryption and for decryption

  18. Public Key (Asymmetric) Encryption • [Figure: Duck, Mr. A and Mr. C each encrypt a message to Mr. B with B’s public key] • Mr. B decrypts these messages using his private key

  19. Public Key (Asymmetric) Encryption • [Figure: Mr. B encrypts his replies with Duck’s public key, A’s public key and C’s public key respectively] • Mr. B replies to messages using each recipient’s public key

  20. Public Key Encryption: Some facts • The private key must remain secret • The public key is widely distributed (on the WEB?) • Distribution of keys is easy

  21. Good Cryptography: Characteristics • Given the algorithm, the clear text and the cipher text - one cannot determine the secret key • No reliance on algorithm secrecy • Available for analysis

  22. More About AH Protocol • AH is used mainly to authenticate packets and also provides anti-replay protection • Authenticate means “checking integrity” - we know that the packet has not been modified in transit • Authenticate means “checking identity” - we know that the packet was sent by someone who knows the right secret keys

  23. AH Protocol: Some technical issues • Some fields in an IP packet are “mutable” - they may be changed in transit and are not covered by the AH check, for example the TOS and TTL fields • The old “protocol field” (like TCP, UDP) is replaced by 51 (AH) • Sequence numbers are used to provide replay protection. Sequence numbers start at 1 and can never repeat
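The replay protection described on this slide works with a receiver-side sliding window: the receiver remembers the highest sequence number it has accepted and a bitmap of which recent numbers have already arrived, so a late packet is still accepted once while a duplicate or a very old packet is dropped. The following is an added example written for this page, not code from the slides or from HighLink; it assumes a 64-packet window and a 32-bit sequence counter, and the arrival order fed to it is constructed.

```python
class SequenceCounter:
    """Sender side of an SA: sequence numbers start at 1 and never repeat within the SA.
    When the 32-bit space is exhausted the SA must be replaced, not wrapped around."""

    def __init__(self) -> None:
        self.seq = 0

    def next(self) -> int:
        if self.seq == 0xFFFFFFFF:
            raise RuntimeError("sequence space exhausted: re-key the SA")
        self.seq += 1
        return self.seq


class AntiReplayWindow:
    """Receiver side: keep the highest sequence number accepted plus a bitmap of which of
    the last `window` numbers have been seen, so late packets inside the window are
    accepted once and duplicates or too-old packets are rejected."""

    def __init__(self, window: int = 64) -> None:
        self.window = window
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set <=> sequence number (highest - i) already received

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                               # 0 is never a valid sequence number
        if seq > self.highest:                         # new maximum: slide the window forward
            shift = seq - self.highest
            if shift >= self.window:
                self.bitmap = 1                        # everything previously seen fell out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window:
            return False                               # too old: already left the window
        if self.bitmap & (1 << offset):
            return False                               # replay: this number was received before
        self.bitmap |= 1 << offset                     # late but new: accept it exactly once
        return True


def simulate(arrivals: list) -> list:
    """Run a constructed arrival order through one window; returns accept/reject verdicts."""
    win = AntiReplayWindow(window=64)
    return [win.check_and_update(s) for s in arrivals]


if __name__ == "__main__":
    order = [1, 2, 5, 5, 3, 3, 100, 36, 37]   # constructed: reordering, a duplicate, a big jump
    for s, ok in zip(order, simulate(order)):
        print(f"seq {s:3d}: {'accept' if ok else 'reject'}")
```

In the constructed order, 5 arriving twice is rejected the second time, 3 arriving after 5 is accepted because it is inside the window and unseen, and after the jump to 100 the number 36 is rejected as too old (64 behind) while 37 is still accepted.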

  24. More About ESP Protocol • ESP provides confidentiality in addition to: • authentication • anti-replay protection • The old “protocol field” (like TCP, UDP) is replaced by 50 (ESP)
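Slides 12 and 24 together describe what an ESP (RFC 4303, Encapsulating Security Payload) packet looks like in transport mode versus tunnel mode and how the protocol field becomes 50. The following added example, written for this page and not taken from the slides or from HighLink, builds both forms byte by byte so the difference is visible: in transport mode the original header with its private addresses stays on the outside, in tunnel mode a new outer header with the gateways' public addresses wraps the whole original packet. NULL encryption (RFC 2410) is used so the ESP framing stays readable, with an HMAC-SHA1-96 ICV; the key, SPI and all addresses are constructed values.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demonstration values: not real SA parameters or production addresses.
AUTH_KEY = b"constructed-esp-authentication-key"
SPI = 0x00001001                                   # Security Parameter Index chosen for this SA
PROTO_TCP, PROTO_ESP, PROTO_IPIP = 6, 50, 4        # IP protocol numbers: TCP, ESP, IP-in-IP
ICV_LEN = 12                                       # HMAC-SHA1-96: tag truncated to 96 bits
PRIVATE_SRC, PRIVATE_DST = "10.0.0.5", "10.0.1.7"  # private addresses, as on slide 7
GW_A, GW_B = "203.0.113.1", "198.51.100.1"         # public gateway addresses (documentation ranges)


def ip_checksum(hdr: bytes) -> int:
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, checksum filled in, followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def esp_encapsulate(inner: bytes, next_header: int, seq: int) -> bytes:
    """ESP framing: SPI | sequence number | payload | padding | pad length | next header | ICV.
    With NULL encryption the framing stays visible; a real SA would encrypt everything between
    the sequence number and the ICV with one of the ciphers listed on slide 13."""
    pad_len = (-(len(inner) + 2)) % 4                  # pad length + next header end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))             # default padding pattern 1, 2, 3, ...
    body = struct.pack("!II", SPI, seq) + inner + padding + bytes([pad_len, next_header])
    icv = hmac.new(AUTH_KEY, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_decapsulate(esp: bytes) -> tuple:
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet modified in transit or wrong key")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[8:len(body) - 2 - pad_len]


def transport_mode(pkt: bytes, seq: int) -> bytes:
    """Transport mode: the original IP header stays (addresses visible); only the payload is
    wrapped in ESP and the protocol field becomes 50."""
    h = parse_ipv4(pkt)
    return build_ipv4(h["src"], h["dst"], PROTO_ESP, esp_encapsulate(h["payload"], h["proto"], seq), ttl=h["ttl"])


def tunnel_mode(pkt: bytes, gw_src: str, gw_dst: str, seq: int) -> bytes:
    """Tunnel mode: the whole original packet, old header included, becomes the ESP payload
    under a new outer header that carries the gateways' public addresses."""
    return build_ipv4(gw_src, gw_dst, PROTO_ESP, esp_encapsulate(pkt, PROTO_IPIP, seq))


def unwrap(pkt: bytes) -> tuple:
    """Receiver side for either mode: returns (outer header, inner next-header, inner bytes)."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != PROTO_ESP:
        raise ValueError("not an ESP packet")
    _spi, _seq, next_header, inner = esp_decapsulate(outer["payload"])
    return outer, next_header, inner


def tamper_detected(pkt: bytes) -> bool:
    """Flip one bit inside the ESP payload and check that the receiver rejects the packet."""
    tampered = bytearray(pkt)
    tampered[30] ^= 0x01          # byte 30 lies inside the ESP payload in both modes
    try:
        unwrap(bytes(tampered))
    except ValueError:
        return True
    return False


ORIGINAL = build_ipv4(PRIVATE_SRC, PRIVATE_DST, PROTO_TCP, b"GET / HTTP/1.0\r\n")   # constructed packet

if __name__ == "__main__":
    for name, pkt in (("transport", transport_mode(ORIGINAL, 1)),
                      ("tunnel", tunnel_mode(ORIGINAL, GW_A, GW_B, 1))):
        o, nh, inner = unwrap(pkt)
        print(f"{name:9s} outer {o['src']} -> {o['dst']} proto={o['proto']} next_header={nh} inner={len(inner)} bytes")
```

Running it shows the transport-mode packet still addressed 10.0.0.5 -> 10.0.1.7 with protocol 50 and next header 6 (TCP), and the tunnel-mode packet addressed 203.0.113.1 -> 198.51.100.1 with next header 4 (a complete inner IP packet), which is what lets the private addresses survive across the public network.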

  25. IPSEC IKE: Some Facts • IKE - “Internet Key management and Exchange protocol” is responsible for: • Negotiating protocols, encryption algorithms and keys • Establishing keys • Keeping track of things • IKE was formerly referred to as ISAKMP = Internet Security And Key Management Protocol
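The key establishment IKE performs rests on Diffie-Hellman: each side publishes a value derived from a private exponent, both compute the same shared secret, and an eavesdropper who sees only the public values and nonces does not obtain it. This is what turns the hard symmetric-key distribution problem of slide 16 into the easy public-value distribution of slide 20. The example below is added for this page and is not IKE's actual key schedule or any vendor's code: it uses a toy group (p = 2**127 - 1, generator 2; real IKE uses the much larger MODP groups of RFC 2409 and RFC 3526) and a simplified HMAC-SHA256 derivation of separate authentication and encryption keys from the shared secret and both nonces.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for the demonstration only (assumption): a Mersenne prime modulus
# and generator 2. Real IKE deployments use the standardised MODP groups (1024 bits and up).
P = 2**127 - 1
G = 2


class IkePeer:
    """One side of the exchange. The private exponent never leaves the host; only the nonce
    and the public value g^x mod p are sent over the network."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.nonce = secrets.token_bytes(16)             # fresh per exchange, gives new keys each time
        self.private = secrets.randbelow(P - 2) + 1      # x in [1, p-2]
        self.public = pow(G, self.private, P)            # g^x mod p

    def shared_secret(self, peer_public: int) -> int:
        return pow(peer_public, self.private, P)         # (g^y)^x = g^xy mod p


def derive_keys(shared: int, nonce_i: bytes, nonce_r: bytes) -> tuple:
    """Expand one DH secret into distinct keys for authentication and encryption.
    Simplified stand-in (assumption) for the PRF-based key schedule IKE defines."""
    secret = shared.to_bytes(16, "big")
    skeyid = hmac.new(nonce_i + nonce_r, secret, hashlib.sha256).digest()
    auth_key = hmac.new(skeyid, b"auth", hashlib.sha256).digest()
    enc_key = hmac.new(skeyid, b"enc", hashlib.sha256).digest()
    return auth_key, enc_key


def run_exchange() -> tuple:
    """Simulate both peers. Returns ((auth_i, enc_i), (auth_r, enc_r)); the two pairs must match."""
    initiator, responder = IkePeer("initiator"), IkePeer("responder")
    # Over the wire: initiator.public, initiator.nonce, responder.public, responder.nonce.
    s_i = initiator.shared_secret(responder.public)
    s_r = responder.shared_secret(initiator.public)
    keys_i = derive_keys(s_i, initiator.nonce, responder.nonce)
    keys_r = derive_keys(s_r, initiator.nonce, responder.nonce)
    return keys_i, keys_r


if __name__ == "__main__":
    (auth_i, enc_i), (auth_r, enc_r) = run_exchange()
    print("authentication keys match:", auth_i == auth_r)
    print("encryption keys match:    ", enc_i == enc_r)
    print("auth key != enc key:      ", auth_i != enc_i)
```

Two runs produce different keys because the nonces and exponents are fresh each time, which is the property that lets IKE re-key an SA (for instance when the sequence counter from slide 23 is about to run out) without reusing old material.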

  26. VPN & NAT • NAT = Network Address Translation - changes the source address of outbound packets • NAT which does many-to-one is called: • NAPT - Network Address Port Translation or PAT - Port Address Translation • To use NAT, NAPT (or PAT) with IPSEC - you must NAT before you encrypt • Often, when VPN is used - NAT (or PAT) is not used
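Why NAT has to come before IPSEC follows from slide 23: the AH integrity check covers the source address, so a NAT box that rewrites the address after AH has been applied produces a packet the receiver rejects, whereas a router that only decrements the TTL (a mutable field) does not. The following added example, written for this page rather than taken from HighLink or the slides, models packets as dictionaries and computes an AH-style ICV with HMAC-SHA1-96 over the immutable fields to compare the two orderings. The key, addresses and ports are constructed values, and the field layout is a simplification (assumption) rather than the exact AH wire format.

```python
import hashlib
import hmac

AH_KEY = b"constructed-ah-sa-key"                  # constructed SA key for the demonstration
PROTO_TCP, PROTO_AH = 6, 51
PUBLIC_IP, PUBLIC_PORT = "203.0.113.1", 50001      # constructed NAPT public address and port

# Constructed outbound packet from a host with a private address (slide 7).
PACKET = {"src": "10.0.0.5", "dst": "198.51.100.1", "proto": PROTO_TCP,
          "ttl": 64, "tos": 0, "sport": 40000, "payload": b"hello"}


def ah_icv(pkt: dict) -> bytes:
    """AH integrity check value. TTL and TOS are treated as zero because routers change them in
    transit; addresses, protocol, port and payload are covered and must not change on the way."""
    covered = f"{pkt['src']}|{pkt['dst']}|{pkt['proto']}|ttl=0|tos=0|{pkt['sport']}|".encode() + pkt["payload"]
    return hmac.new(AH_KEY, covered, hashlib.sha1).digest()[:12]   # HMAC-SHA1-96


def ah_protect(pkt: dict) -> dict:
    """Insert AH: protocol field becomes 51, the original protocol moves to AH's next-header field."""
    return dict(pkt, proto=PROTO_AH, ah_next=pkt["proto"], icv=ah_icv(pkt))


def ah_verify(pkt: dict) -> bool:
    """Receiver: rebuild the fields AH covered and recompute the ICV with the shared SA key."""
    if pkt.get("proto") != PROTO_AH:
        return False
    original = {k: v for k, v in pkt.items() if k not in ("ah_next", "icv")}
    original["proto"] = pkt["ah_next"]
    return hmac.compare_digest(pkt["icv"], ah_icv(original))


def napt(pkt: dict) -> dict:
    """Many-to-one NAT (NAPT/PAT): rewrite source address and source port."""
    return dict(pkt, src=PUBLIC_IP, sport=PUBLIC_PORT)


def router_hop(pkt: dict) -> dict:
    """A router on the path decrements TTL, a mutable field that AH must tolerate."""
    return dict(pkt, ttl=pkt["ttl"] - 1)


def ah_then_nat() -> bool:
    """Wrong order: AH first, then NAT rewrites a covered field; the receiver rejects the packet."""
    return ah_verify(router_hop(napt(ah_protect(PACKET))))


def nat_then_ah() -> bool:
    """Order used on slide 27: NAT first, then AH over the already translated packet."""
    return ah_verify(router_hop(ah_protect(napt(PACKET))))


def ttl_change_tolerated() -> bool:
    """No NAT at all: only the TTL changes in transit, which the ICV deliberately ignores."""
    return ah_verify(router_hop(ah_protect(PACKET)))


if __name__ == "__main__":
    print("AH then NAT verifies:      ", ah_then_nat())
    print("NAT then AH verifies:      ", nat_then_ah())
    print("TTL decrement tolerated:   ", ttl_change_tolerated())
```

The same ordering constraint holds for ESP in a different way: with ESP the transport header and its ports are inside the protected payload, so a NAPT device placed after the IPSEC gateway has no port field it can translate, which is why an integrated device that translates first and encapsulates second avoids the conflict.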

  27. Integrated IPSEC in the Router: • Having the IPSEC machine, firewall and routers from different vendors causes: • Routing problems • Security problems • Often prevents the use of NAT (PAT) • Is complex to install • Is difficult to manage • Is expensive • HighLink with integrated IPSEC avoids these problems and especially allows the use of NAT with IPSEC (since NAT is done before IPSEC).

  28. HighLink and VPN • Q2 2000: software based IPSEC implementation in HighLink: • AH, ESP, DES, static keys - already implemented (for DATUS) • 3DES and IKE - being added • Negotiating with a CA - will be added • Second phase: HW based IPSEC implementation in future HighLink (based on R-Core) to allow IPSEC at high speeds • HighLink “NATs” before IPSEC - so it can combine them and use them at the same time

  29. HighLink’s Security Mechanisms: • New: VPN (IPSEC: encryption, tunneling) • Integrated firewall: • New: QoS based • FACS • PAP and CHAP: Authentication Protocols • SNMP community: RO, RW, Super Community • Passwords for Terminal, Telnet, WEB management

  30. HighLink Handles IP Addresses • New: VPN - encapsulates with new IP addresses • NAT (PAT) - replaces IP addresses and ports • DHCP server - provides IP addresses • IPCP - gets or provides IP addresses over PPP • Unnumbered IP - saves IP addresses over the WAN

  31. HighLink - Many products in one case • New: VPN • Firewall • DHCP server • NAT (PAT) device • Quality of Service (QoS) device • Router and Bridge • One Box • One Management • Easy to install and maintain • No conflicts

  32. VPN at competing SOHO routers • Cisco 700 - none • Cisco 800 - IPSec & L2TP, DES only? • Cisco 900 - cable router - IPSec & L2TP, DES only? • Cisco 1400 - ADSL router with IPSec & L2TP, DES only? • Cisco 1600 - IPSec & L2TP, DES only? • Cisco 1700 - HW based IPSec, DES and 3 DES • Bay Nautica - none • Ascend Pipeline - IPSec • Cabletron SSR - L2TP & DES • Intel Express - none (discontinued the encryption they had) • Motorola Vanguard - none • Netgear routers - none
