Chapter 10-2 - Virtual Private Networks (VPNs)
Security can work over many physical networks:
1. Dedicated (point-to-point) private lines (company owns the lines; not common).
2. Dedicated leased lines (lines rented from a telco like AT&T, Qwest, etc.).
3. Dial-up lines (direct connection).
4. Integrated Services Digital Network (ISDN) (direct link).
# 1-4 exclude all but private traffic; they are point-to-point links.
Virtual Private Networks
Chapter 10-2 - Virtual Private Networks (VPNs)
5. Digital Subscriber Lines (DSL) (public shared link).
6. Cable TV modem (public shared link).
7. Wireless modem (public shared link).
8. Internet (public shared link).
# 5-7 are exposed to other local users that share the media (cable and wireless share the physical medium; a DSL loop is dedicated to one subscriber, but its traffic is aggregated with other customers' at the telco's DSL modem bank) and, if connected to the Internet, to the world.
# 8 exposes the system to the world.
VPN - What is it?
[Figure: a VPN across a public internetwork and its logical equivalent, a private network]
• Virtual Private Network
• Temporary, but secure, link over public networks
• VPN creates a "tunnel" through the Internet
• Provides authentication, confidentiality, and integrity services
VPN Architecture
Allows a wide range of connectivity options and speeds, limited only by the connection speed to the Internet.
Three VPN models:
LAN-to-LAN: provides connections between corporate locations; called an Intranet VPN.
An intranet is an internal network not exposed to the Internet, typically behind a firewall with access limited to employees.
VPN Architecture
LAN-to-traveling/work-at-home employee: called a Remote Access VPN.
Remote access provides staff located outside the network firewall access through the firewall to the internal network.
LAN-to-external customer: Extranet VPN.
An extranet is an isolated network, behind a firewall, intended to give non-employees access to selected information.
LAN-to-LAN (Intranet) VPN
[Figure: a remote office network and the corporate network (database, web and compute servers) joined across the Internet by a VPN tunnel between two VPN proxy servers; traffic is unencrypted inside each LAN and encrypted/authenticated in the tunnel]
Remote Access VPN
[Figure: remote users reach the corporate network over a VPN tunnel across the Internet, arriving via a global ISP (dial access), a dial-up ISP (modem access), wireless access (radio connection), or an ISDN/DSL/cable ISP (wired modem access)]
Extranet VPN
[Figure: a business partner and a technical collaborator reach the corporate extranet (web data server, web commerce server) across the Internet through an integrated firewall & VPN server; the corporate database and compute servers stay behind it]
VPN - Different Protocol Implementations
IPsec: network to network (typically between firewalls, but can be between two hosts).
Secure Sockets Layer (SSL)/Transport Layer Security (TLS): usually host-to-gateway remote access (a browser or thin client talking to a gateway); can be combined with a proxy like SOCKS.
SOCKS version 5: secure firewall traversal.
Tunneling protocols: Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP); remote access.
AAA protocols: TACACS and RADIUS; used by remote access servers and VPN gateways to authenticate and authorize users. They are not tunnels themselves.
Protection Options - Typical

Layer       Technology                                 Providers                                Use
Physical    Dedicated lines (switched circuits,        Telcos, ISPs                             LAN-to-LAN (trusted)
            Frame Relay, etc.)
Data Link   PPTP, L2TP                                 Microsoft, remote access vendors         Mobile/remote access
Network     IPsec                                      Firewall, router, VPN hardware vendors   LAN-to-LAN, remote access
Transport   SOCKSv5/SSL, proprietary proxies & TLS     Extranet VPN vendors                     Extranet
LAN-to-LAN VPN
Networks trust each other: little or no encryption inside the firewall (not usually required; this is likely to change over time).
Means the LANs must have comparable internal protection measures for that trust to hold.
Cryptographic services (encryption, authentication, integrity, and authorization) are typically firewall-to-firewall or proxy-to-proxy (i.e., encrypted outside, cleartext inside).
LAN-to-LAN VPN
Proxy/VPN server: typically part of the firewall, but could be a proxy positioned behind the firewall.
No special requirement for client software; the firewall does the work. This leads to a potential scaling issue at the firewall (is it fast enough for a large number of VPN sessions?).
Doesn't mean all traffic is handled the same; that is based on specific firewall rules for different services.
Remote Access Services (RAS & VPN)
[Figure: remote users reach the corporate network (database, web, compute) either through an ISP and the Internet to a VPN proxy server over an encrypted/authenticated VPN tunnel, or by direct dial-up to a remote access server; dial-up/DSL/cable/ISDN on the user side, traffic unencrypted inside the corporate network]
VPN Type - Remote Access Server
• Access is by long-distance dial-up (1-800).
• Calls are fielded by a modem pool.
• Uses PPP over the dial-up link; a PPTP tunnel encapsulated in IP is used when the PPP session must cross an IP network instead (the remote access VPN case on the next slide).
• RADIUS/TACACS standards between the access server and the authentication server.
• Weak (cleartext passwords, e.g., PAP) to strong (token cards) authentication.
• Encryption and integrity.
• Client must run the appropriate link protocol (PPP with the negotiated authentication method); RADIUS/TACACS run between the access server and the AAA server, not on the client.
VPN Type - Remote Access VPN
• Local dial-up to an ISP; the ISP provides the modem pool.
• Encapsulated in IP and uses IPsec standards.
• Authentication, encryption, integrity, and authorization.
• Authorization by the VPN proxy.
• VPN proxy often integrated into the firewall.
• Client must run VPN software.
• Main difference compared to a remote access server: reduced hardware and telephone charges.
Remote Access Options - Cost Comparison
[Cost comparison table not present in the extracted text]
DSL Connections
• Digital Subscriber Line.
• Provisioned by the local telephone company or a 3rd party (careful on 3rd party: Northpoint failed).
• Uses existing telephone lines; simultaneous voice/data use.
• Requires a DSL modem, sometimes an installation fee.
• Speeds much faster than dial-up modems: 768 kbit/s downlink / 256 kbit/s uplink.
• Nominal cost ($40/mo).
Digital Subscriber Line
[Figure: at the home, a splitter separates the POTS telephone from the DSL modem; at the telco, a splitter separates POTS from the telco's DSL modem bank. The physical line's bandwidth is divided into POTS, upstream data and downstream data.]
Cable TV Connections
• Cable modems.
• Provisioned by the TV cable service provider.
• Uses existing cable TV coax; simultaneous TV/data use.
• Requires a cable modem, usually an installation fee.
• Speeds faster than dial or DSL, but bandwidth is shared, so speed depends on the number of concurrent users.
• Nominal cost ($40/mo).
Cable Modem
[Figure: at the cable company, a splitter combines TV channels from the TV distribution system with the data channel from the data modems onto the coax; at the home, a splitter separates the TV from the cable modem.]
DSL and Cable Modem Cautions
Dial and ISDN lines are dedicated lines from the client to the firewall; they are not reachable from the Internet except while connected.
An adversary would have to compromise the telco service provider or attack while you are online; the latter can happen while you are in a chat room or accessing a malevolent server.
DSL/cable modems are always-on devices and are reachable from the Internet whenever your system is turned on.
DSL and Cable Modem Cautions
May be a good idea to turn off the computer or modem when not in use.
Better yet, add protection in the form of a host firewall (e.g., BlackIce software firewall) or a Linksys or D-Link router/firewall (~$50).
A router/firewall sits between the cable modem and your Ethernet connection; it also allows multiple devices.
The user should also be careful not to compromise the host with Trojans, viruses, chat-room attacks, etc.
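The always-on exposure above is easiest to reason about from the host's own listening sockets. The following is an added example, not part of the lecture slides: it parses the output format of Linux `ss -Hlntu` (the sample lines below are constructed, and the allowlist of services expected to be reachable is an assumption) and reports every service bound to a non-loopback address, i.e. reachable from the cable/DSL side whenever the machine is up.

```python
"""Which listeners are reachable from the network side of an always-on link?

Added example, not from the lecture slides. Parses the output format of Linux
`ss -Hlntu` (no header; listening TCP and UDP sockets, numeric addresses).
The sample output and the allowlist of expected services are constructed.
"""
import ipaddress

# Constructed sample of `ss -Hlntu`: Netid State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128            0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128          127.0.0.1:631         0.0.0.0:*
tcp   LISTEN 0      50             0.0.0.0:445         0.0.0.0:*
tcp   LISTEN 0      128               [::]:22             [::]:*
udp   UNCONN 0      0              0.0.0.0:5353        0.0.0.0:*
udp   UNCONN 0      0        127.0.0.53%lo:53          0.0.0.0:*
"""

# Assumption: SSH is the only service meant to be reachable from outside.
EXPECTED = {("tcp", 22)}


def parse_listeners(ss_text):
    """Yield (proto, local_host, local_port) for each socket line."""
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        host, port = local.rsplit(":", 1)            # port follows the last ':'
        host = host.strip("[]").split("%", 1)[0]      # drop IPv6 brackets and %scope
        yield proto, host, int(port)


def is_reachable_from_network(host):
    """True if the bind address is a wildcard or any non-loopback address."""
    if host == "*":
        return True
    return not ipaddress.ip_address(host).is_loopback


def exposed_listeners(ss_text, expected=EXPECTED):
    """Listeners reachable from outside the host that are not on the expected list."""
    return [(proto, host, port)
            for proto, host, port in parse_listeners(ss_text)
            if is_reachable_from_network(host) and (proto, port) not in expected]


if __name__ == "__main__":
    for proto, host, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected {proto} listener on {host}:{port}")
```

On the constructed sample the check flags SMB (tcp/445) and mDNS (udp/5353); the CUPS and resolver listeners on 127.0.0.x are ignored because nothing outside the host can reach them, and both SSH listeners are on the allowlist. Anything the script reports is what a router/firewall in front of the cable modem would need to block.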
Extranet VPN
[Figure: external partners/customers/suppliers (Company A, Company B, Company C) reach the corporate extranet across the Internet through VPN proxy servers, one per partner (logically); the corporate database, web and compute servers sit behind them. Traffic is encrypted/authenticated across the Internet and unencrypted inside.]
Extranet VPN
Intended to allow secure access from authorized collaborators, business partners, customers and suppliers.
These may be collaborators in one context and competitors in another, so the VPN typically has high security requirements and access to the internal network is limited.
Main difference: these are often called "directed" VPNs, meaning access is only provided to specific resources.
Extranet VPN
Collaborators tend to be proxied differently, either individually or in groups, so the proxy only delivers the information required between the partners. This disallows roaming around on the internal network.
Individuals are authenticated and authorized for specific access.
VPN Tunnels
Two types are defined: full and split (half) tunnels.
Split tunnel means two connections are allowed at once: one is the VPN connection, the other might be anything (for example, the client's direct path to the Internet).
This is a security vulnerability. If the client is compromised through the 2nd connection, the adversary can use the client as a pivot into the VPN.
Full tunnel means no secondary connection is allowed; all of the client's traffic is routed through the tunnel.
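One way to check which kind of tunnel a VPN client actually set up is to read its routing table. The following is an added example, not from the slides: it parses Linux `ip route show` output (both route tables below are constructed; the interface names tun0/eth0, the gateway addresses and the probe addresses are assumptions) and reports whether every non-local destination egresses through the VPN interface (full tunnel) or some leak out the direct link (split tunnel).

```python
"""Full tunnel or split tunnel? Decide from the client's routing table.

Added example, not from the lecture slides. Parses the line format of Linux
`ip route show` and does a longest-prefix lookup for a few probe addresses.
Both route tables, the interface names and the addresses are constructed.
"""
import ipaddress

VPN_IFACE = "tun0"   # assumption: the VPN client's tunnel interface

# Constructed `ip route show` output on a client whose VPN only pushed a route
# for the corporate 10.0.0.0/8; the default route still leaves via the ISP link.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
"""

# Constructed full tunnel: 0.0.0.0/1 and 128.0.0.0/1 via tun0 beat the default
# route by prefix length, and only the VPN server itself (203.0.113.10) still
# goes out the ISP link so the tunnel can be carried.
FULL_TUNNEL_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
128.0.0.0/1 via 10.8.0.1 dev tun0
203.0.113.10 via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
"""


def parse_routes(route_text):
    """Return a list of (network, device) from `ip route show` lines."""
    routes = []
    for line in route_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)     # bare host -> /32
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, dev))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match: which interface carries traffic to dst?"""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def tunnel_mode(route_text, vpn_iface=VPN_IFACE,
                probes=("8.8.8.8", "198.51.100.7", "10.1.2.3")):
    """('full', []) if every probe egresses via the VPN, else ('split', leaking probes)."""
    routes = parse_routes(route_text)
    leaks = [p for p in probes if egress_interface(routes, p) != vpn_iface]
    return ("full", []) if not leaks else ("split", leaks)


if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL_ROUTES), ("full", FULL_TUNNEL_ROUTES)):
        print(name, "->", tunnel_mode(table))
```

The probes are deliberately addresses outside the corporate range: a split tunnel routes them out `eth0` while a full tunnel sends them through `tun0`. The host route to the VPN server must stay on the direct link in either mode, which is why it is excluded from the probes rather than counted as a leak.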
SOCKS, Version 5
• SOCKS: a circuit-level gateway that operates as a proxy for TCP/UDP, designed to traverse firewalls. Functions:
• Receives TCP/UDP requests sent from a client, makes connections, and authenticates/authorizes client access.
• Opens a second connection inside the firewall to satisfy the original request, and relays packets between the client and server.
• The client must run SOCKS software (code and library), there must be a SOCKS server, and authentication must be successful.
SOCKS, Version 5
SOCKS operates at the session layer (between the application and transport layers in IP) by establishing a virtual circuit between the source and destination.
Traffic is proxied, so the external user never has direct access to an internal system.
The side of the proxy facing the firewall (the external side) listens for connection requests. On a connection request, the proxy authenticates the user and negotiates any encryption rules.
SOCKS, more
Requests are buffered and a second process reads the buffer, validates the request, and issues the query (e.g., web page, SQL query, etc.) to an internal server.
Responses are returned to the SOCKS proxy and forwarded to the external client.
Application independent as long as the application uses TCP or UDP. This generality is an advantage.
The SOCKS proxy does not examine content after the initial authentication (a bad guy could insert malicious content).
SOCKS - Graphically
[Figure: a remote user on the Internet reaches the SOCKS server over an encrypted and authenticated connection; the SOCKS server issues the database query to the target on the inside, unencrypted.]
SOCKS - Summary
Services: authentication, confidentiality, and integrity. Note that the base SOCKS5 protocol only defines authentication (username/password in RFC 1929, GSS-API in RFC 1961); confidentiality and integrity come from the GSS-API encapsulation or from an encrypted transport underneath, not from SOCKS itself.
Requires: SOCKS-enabled client and server.
Relays information from requestor to SOCKS server to destination server, then back from destination server to SOCKS server to requestor.
Supported by some VPN vendors (e.g., Aventail), but not widely used since it requires a client.
Version 5 is specified in Internet RFC 1928.
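The SOCKS5 exchange described on the last few slides, as an added example that is not part of the original deck: both sides of the RFC 1928 method negotiation, the RFC 1929 username/password sub-negotiation, and the CONNECT request/reply, driven in memory with no sockets. The user database and the allowed-destination list are constructed assumptions; the allowlist check stands in for the per-partner ("directed") authorization the extranet slides describe.

```python
"""SOCKS5 (RFC 1928) and username/password (RFC 1929) messages, both sides.

Added example, not from the lecture slides. Everything runs in memory: the
client_* functions build the bytes a client would send and the server_*
functions build the reply a server would return. USER_DB and
ALLOWED_DESTINATIONS are constructed assumptions.
"""
import hmac
import ipaddress
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07

USER_DB = {"partner-a": "correct horse battery staple"}                      # assumption
ALLOWED_DESTINATIONS = {("db.internal.example", 1433), ("10.1.1.10", 443)}   # assumption


# --- method negotiation (RFC 1928 section 3) ---------------------------------
def client_greeting(methods=(METHOD_NO_AUTH, METHOD_USERPASS)):
    """VER | NMETHODS | METHODS..."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def server_select_method(greeting, server_methods=(METHOD_USERPASS,)):
    """VER | METHOD; 0xFF means the server accepts none of the offered methods."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    offered = set(greeting[2:])
    for m in server_methods:                 # server preference order wins
        if m in offered:
            return bytes([SOCKS_VERSION, m])
    return bytes([SOCKS_VERSION, METHOD_NONE_ACCEPTABLE])


# --- username/password sub-negotiation (RFC 1929) ----------------------------
def client_userpass(username, password):
    """VER(1) | ULEN | UNAME | PLEN | PASSWD"""
    u, p = username.encode(), password.encode()
    if len(u) > 255 or len(p) > 255:
        raise ValueError("RFC 1929 limits user and password to 255 bytes")
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def server_verify_userpass(msg, user_db):
    """VER(1) | STATUS; 0x00 is success, anything else means the server closes."""
    if msg[0] != 0x01:
        raise ValueError("bad sub-negotiation version")
    ulen = msg[1]
    user = msg[2:2 + ulen].decode()
    plen = msg[2 + ulen]
    pw = msg[3 + ulen:3 + ulen + plen]
    ok = hmac.compare_digest(user_db.get(user, "").encode(), pw)   # constant-time compare
    return bytes([0x01, 0x00 if ok else 0x01])


# --- request / reply (RFC 1928 sections 4-6) ---------------------------------
def _encode_addr(host, port):
    """ATYP | DST.ADDR | DST.PORT (IPv4, IPv6, or length-prefixed domain name)."""
    try:
        ip = ipaddress.ip_address(host)
        body = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = host.encode("idna")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    return body + struct.pack("!H", port)


def _decode_addr(buf, off):
    atyp = buf[off]
    if atyp == ATYP_IPV4:
        host, off = str(ipaddress.IPv4Address(buf[off + 1:off + 5])), off + 5
    elif atyp == ATYP_IPV6:
        host, off = str(ipaddress.IPv6Address(buf[off + 1:off + 17])), off + 17
    elif atyp == ATYP_DOMAIN:
        n = buf[off + 1]
        host, off = buf[off + 2:off + 2 + n].decode("idna"), off + 2 + n
    else:
        raise ValueError("unknown ATYP")
    return host, struct.unpack("!H", buf[off:off + 2])[0], off + 2


def client_connect_request(host, port):
    """VER | CMD=CONNECT | RSV | ATYP | DST.ADDR | DST.PORT"""
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + _encode_addr(host, port)


def server_handle_request(req, allowed):
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT; the relay is authorized per destination."""
    if req[0] != SOCKS_VERSION or req[1] != CMD_CONNECT:
        rep = REP_CMD_UNSUPPORTED
    else:
        host, port, _ = _decode_addr(req, 3)
        rep = REP_SUCCEEDED if (host, port) in allowed else REP_NOT_ALLOWED
    # BND.ADDR/BND.PORT would be the relay's outbound socket; a placeholder here.
    return bytes([SOCKS_VERSION, rep, 0x00]) + _encode_addr("0.0.0.0", 0)


def parse_reply(reply):
    host, port, _ = _decode_addr(reply, 3)
    return reply[1], host, port


def run_exchange(username, password, dest_host, dest_port):
    """Drive both sides; return the REP code (0 = success) or None if the server closed."""
    sel = server_select_method(client_greeting())
    if sel[1] == METHOD_NONE_ACCEPTABLE:
        return None
    if sel[1] == METHOD_USERPASS:
        status = server_verify_userpass(client_userpass(username, password), USER_DB)
        if status[1] != 0x00:
            return None                      # server closes on failed authentication
    reply = server_handle_request(client_connect_request(dest_host, dest_port), ALLOWED_DESTINATIONS)
    return parse_reply(reply)[0]
```

The server insists on username/password even though the client offers "no authentication" first, which is the slide's "authentication must be successful" rule; after that, the CONNECT is granted only for destinations on the partner's list, and everything the client sends afterwards would be relayed without inspection, exactly the content-blindness the "SOCKS, more" slide warns about.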
Data Link Layer - PPTP, L2TP
In the IP stack, PPTP and L2TP sit at the Data Link Layer (DLL), Layer 2:

Application   Pretty Good Privacy (e-mail)
Transport     SSL, TLS
Network       IPsec
Data Link     PPTP, L2TP
Physical      Hardware encryption

PPP is the successor to SLIP. PPTP tunnels a PPP session over an IP network (GRE encapsulation) and adds authentication and encryption to it.
Point to Point Tunneling Protocol - PPTP

Protocol name   Error detection   Protocols carried   Address negotiation   Authentication   Standard
SLIP            None              IP only             None                  None             No
PPP             Yes               Multiple            Yes                   Yes              Proposed (RFC 1661 has since become a full Internet Standard, STD 51)

Adding PPTP means:
1. Establish a PPP connection and authenticate the user.
2. Negotiate a tunnel into the network.
3. Operate the tunnel with encryption.