320 likes | 477 Views
Virtual Private Networks. Virtual Private Networks (VPNs). VPN: Virtual Private Network IPSEC HighLink’s road map: Q2: Integrated IPSEC = Integrated VPN Later phase: HW based IPSEC. VPN - What is it all about ?. VPN - two networking concepts: Virtual networks:
E N D
Virtual Private Networks (VPNs) • VPN: Virtual Private Network • IPSEC • HighLink’s road map: Q2: Integrated IPSEC = Integrated VPN Later phase: HW based IPSEC
VPN - What is it all about ? • VPN - two networking concepts: • Virtual networks: • Geographically distributed users and hosts interact and managed as a single “virtual entity” • Virtual Private Networks: • Incorporate data protection and trust among hosts in virtual network • VPN often includes: • Tunneling • Encryption • Authentication • VPNs solve network problems: • Security over public and private networks • Addressing problems in IP networks • Ideal for Intranet/Extranet, E-commerce, ASPs
VPN’s Security • What kind of security is provided by VPN ? • Authentication: Who can access your network? • Authorization: What can a user access? • Data protection: • From disclosure • From modification
VPNs: Various solutions over 7 layers of ISO model ISO Model VPN Solutions Application S/MIME, SSH Session Presentation Transport SOCKS, SSL, TLS Network IPSEC Data Link L2TP, PPTP Physical
Security Problems --> VPN • Internet --> security problems: • Many points of eavesdropping • Many points of modification • Public networks are also not secure --> VPN may also be needed over: • DSL • CATV • Leased Lines • Frame Relay • ISDN • Wireless • Satellite
IP Addressing Problems --> VPN • Companies use “private” addresses due to: • Shortage of IP addresses • Historic reasons (before Internet) • This causes problems when: • Companies want to cooperate • Companies connect to Internet • The problem may be solved with: • Virtual Private Network (VPN) • Network Address Translation (NAT)
IPSEC: Layer 3 tunneling protocol • IPSEC=IP Security • IPSEC is a standard (RFCs, etc) • IPSEC is a layer 3 tunneling protocol • IPSEC provides: • Encapsulation (optional) • Encryption (optional) • Data origin authentication • Data integrity protection (“data has not be changed”) • Replay protection (“data is not being sent again by someone who was eavesdropping” - optional) • Cryptographic key management
PPTP, L2TP: Layer 2 tunneling protocols • PPTP and L2TP are layer two tunneling • protocols: • PPTP=“Point to Point Tunneling Protocol”: • It’s an old Microsoft tunneling protocol • Has extensions for encryption • Was replaced by L2TP • L2TP= a standard for “Layer 2 Tunneling Protocol”: • It doesn’t provide encryption !
IPSEC Vs L2TP • IPSEC provides real security features, like encryption in addition to tunneling • IPSEC becomes the leading mean for VPN solutions • L2TP provides a solution for non-IP protocols, like IPX, AppleTalk - it lets them run over the Internet
IPSEC: Three major components • AH = Authentication Header Protocol: • Authentication • Data integrity • Replay protection • ESP = Encapsulation Security Protocol: • Confidentiality • Authentication • Data integrity • Replay protection • IKE = Internet Key Exchange protocol
IPSEC: Tunnel Mode and Transport Mode • Transport mode (hardly used): there is no encapsulation • The original IP Header is kept - it is neither replaced nor encrypted • Data may be encrypted • Tunnel mode: there is encapsulation • There is a new IP header, with a new IP addresses (allowing old private addresses to be used in the organization…) • The old IP header (with old IP addresses) may be encrypted • Data may be encrypted
IPSEC: A range of encryption and authentication algorithms • IPSEC offers a range of algorithms: • AuthenticationEncryption • MD5 DES • SHA-1 3-DES (Triple DES) • DES RC5 • IDEA (& Triple IDEA) • Blowfish • CAST • RC4
Cryptography • Cryptographic Algorithm: a procedure that takes the plaintext data and transforms it into ciphertext in a reversible way • Cryptographic Key: a special piece of data that directs the crypto device to encrypt a message in a distinctive way • Usually the key is a large number
Secret Key (Symmetric) Encryption Mr.B Mr.A • Mr. A encrypts his message to B with their shared secret key • Mr. B decrypts messages from A with the same secret key
Secret Key (Symmetric): Some facts • The keys must remain secret • The same key is used to encrypt and decrypt • Distributing the keys is hard because they have to be secret • Secrecy of data is related to: • The length of the key • The secrecy of the key • The algorithm being used
Public Key (Asymmetric) Encryption • Different keys are used for encryption and for description
Public Key (Asymmetric) Encryption • B’s public key Duck • B’s public key Mr. A • B’s public key Mr. B Mr. C • Mr. B decrypts these messages using his private key
Public Key (Asymmetric) Encryption • Duck’s public key Duck • A’s public key Mr. A • C’s public key Mr. B Mr. C • Mr. B repliesto messages using each recipients public key
Public Key Encryption: Some facts • The private key must remain secret • The public key is widely distributed (on the WEB?) • Distribution of keys is easy
Good Cryptography: Characteristics • Given the algorithm, the clear text and the cipher text - one cannot determine the secret key • No reliance on algorithm secrecy • Available for analysis
More About AH Protocol • AH is used mainly to authenticate packets and also provides anti-replay protection • Authenticate means “Checking integrity”- We know that the packet has not been modified in transport • Authenticate means “Checking identity”- We know that the packet was sent by someone who knows the right secret keys
AH Protocol: Some technical issues • Some fields in an IP packet are “mutable” - they will not be changed, for example: TOS, TTL fields • The old “protocol field” (like TCP, UDP) is replaced by 51 (AH) • Sequence numbers are used to provide replay protection. Sequence numbers start at 1 and can never repeat
More About ESP Protocol • ESP is providing confidentiality in addition to: • authentication • anti replay protection. • The old “protocol field” (like TCP, UDP) is replaced by 50 (ESP)
IPSEC IKE : Some Facts • IKE - “Internet Key management and Exchange protocol” is responsible for: • Negotiating protocols, encryption algorithms and keys • Establishing keys • Keeping track of things • IKE was formerly referred as ISAKMP = Internet Security And Key Management Protocol
VPN & NAT • NAT = Network Address Translation - changes the source address of outbound packets • NAT which does many-to-one is called: • NAPT - Network Address Port Translation or PAT - Port Address Translation • To use NAT, NAPT (or PAT) with IPSEC - you • must NAT before you encrypt • Often, when VPN is used - NAT (or PAT) is not used
Integrated IPSEC in the Router: • Having IPSEC machine, Firewall and Routers from different vendors cause : • Routing problems • Security problems • Often avoids the use of NAT (PAT) • Is complex to install • Is difficult to manage • Is expensive • HighLink with integrated IPSEC avoids these problems and especially allows the use of NAT with IPSEC (since NAT is done before IPSEC).
HighLink and VPN • Q2 2,000: software based IPSEC implementation in HighLink: • AH, ESP, DES, static keys - already implemented (for DATUS) • 3DES and IKE - being added • Negotiating with CA - will be added • Second phase: HW based IPSEC implementation in future HighLink (based on R-Core) to allow IPSEC at high speeds • HighLink “NATs” before IPSEC - so it can combine them and use them at the same time
HighLink’s Security Mechanisms: • New: VPN (IPSEC: encryption, tunneling) • Integrated firewall: • New: QoS based • FACS • PAP and CHAP: Authentication Protocols • SNMP community: RO, RW, Super Community • Passwords for Terminal, Telnet, WEB management
HighLink Handles IP Addresses • New: VPN - encapsulates with new IP addresses • NAT (PAT) - replaces IP addresses and ports • DHCP server - provides IP addresses • IPCP - gets or provides IP addresses over PPP • Unnumbered IP - saves IP addressees over the WAN
HighLink - Many products in one case • New: VPN • Firewall • DHCP server • NAT (PAT) device • Quality of Service (QoS) device • Router and Bridge • One Box • One Management • Easy to install and maintain • No conflicts
VPN at competing SOHO routers • Cisco 700 - none • Cisco 800 - IPSec & L2TP, DES only? • Cisco 900 - cable router - IPSec & L2TP, DES only? • Cisco 1400 - ADSL router with IPSec & L2TP, DES only? • Cisco 1600 - IPSec & L2TP, DES only? • Cisco 1700 - HW based IPSec, DES and 3 DES • Bay Nautica - none • Ascend Pipeline - IPSec • Cabletron SSR - L2TP & DES • Intel Express - none (discontinued the encryption they had) • Motorola Vanguard - none • Netgear routers - none