
CIT 384: Network Administration


Presentation Transcript


  1. CIT 384: Network Administration VPNs CIT 384: Network Administration

  2. Topics
     • VPNs
     • Tunneling
     • ssh
     • SSL
     • IPsec
     • L2TP

  3. VPNs
     VPNs try to provide leased line features using a public network at lower cost:
     • Privacy: preventing unauthorized people from being able to read VPN traffic.
     • Authentication: verifying that the sender of VPN traffic is an authorized device.
     • Integrity: verifying that data is not changed in transit.

  4. VPN Example
     • PC1 sends IP packet to S1.
     • Router encapsulates IP in VPN+IP headers.
     • No one can read packet in the middle.
     • ASA-1 checks security and de-encapsulates.
     • S1 receives IP packet from PC1.

  5. VPN Types
     • Remote Access: individual user to network.
     • Intranet: connect networks of two sites.
     • Extranet: connect networks of two partnering organizations.

  6. Tunneling
     Tunneling: encapsulation of one network protocol in another protocol.
     • Carrier Protocol: protocol used by the network through which the information is travelling.
     • Encapsulating Protocol: protocol (GRE, IPsec, L2TP) that is wrapped around the original data.
     • Passenger Protocol: protocol that carries the original data.

  7. Tunneling Protocols by Layer
     • Layer 4: ssh, SSL
     • Layer 3: IPsec
     • Layer 2: L2TP, MPLS

  8. ssh
     Secure Shell. Replaces telnet, ftp, rlogin, rsh, rcp.

  9. SSH Security Features

  10. ssh tunneling
     Use ssh tunneling to encrypt TCP connections:
     ssh -L lport:rhost:rport rhost
     • Carrier Protocol: IP
     • Encapsulating Protocol: ssh
     • Passenger Protocol: TCP on a specific port

  11. SSL/TLS
     Secure Sockets Layer
     • Commonly used to encrypt web connections.
     • Also used for IMAP, LDAP, POP, etc.
     • Transport Layer Security supersedes SSLv3.
     Can be used to create tunnels
     • Configure similarly to ssh tunnels.
     • Stunnel is open source SSL tunnel software.

  12. IPsec
     IPsec includes three major protocols:
     • Internet Key Exchange (IKE): provides a framework for negotiating security parameters.
     • Encapsulating Security Payload (ESP): provides a framework for encrypting, authenticating, and securing data.
     • Authentication Header (AH): provides a framework for authenticating and securing data.

  13. IPsec General Operation
     To communicate with IPsec, devices must
     • Agree on a set of security protocols.
     • Agree on an encryption algorithm.
     • Exchange cryptographic keys.
     • Use the above to encode and decode data.

  14. IPsec Packet Encapsulation
     Transport Mode
     • The original IP header of the packet that is being encrypted is used to transport the packet.
     • ESP or AH header is inserted between the IP header and the payload.
     Tunnel Mode
     • A new IP header is added in front of the ESP/AH header. This header contains the IP addresses of the two IPsec peers as source and destination.

  15. IKE
     IKE handles
     • Negotiating protocol parameters
     • Exchanging public keys
     • Authenticating both sides
     • Managing keys after exchange
     IKE is a UDP-based protocol.

  16. ESP
     Encapsulates IP packet to provide
     • Authentication
     • Encryption
     • Integrity validation
     • Anti-replay
     IP protocol 50, described in RFC 2406.

  17. AH
     Authentication Header provides authentication + integrity
     • Uses a keyed hash algorithm as the checksum.
     • Unlike a CRC, it cannot be reproduced without the key.
     • Also protects against replay attacks.
     • Does not encrypt packet contents.
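
The anti-replay bullet on slide 16 and the keyed-hash points on slide 17 can be exercised directly. The Python script below is an added example, not part of the presentation and not any IPsec implementation. It keeps a 64-entry sliding anti-replay window of the kind ESP and AH receivers maintain per security association, computes an AH-style integrity check value as HMAC-SHA256 truncated to 96 bits over a sequence number and payload, and contrasts that with a CRC-32, which anyone can recompute after changing the data because no key is involved. The key, sequence numbers and payloads are constructed for the demonstration.

```python
import hashlib
import hmac
import struct
import zlib

WINDOW = 64   # sliding window width; 64 is the conventional ESP/AH default


class ReplayWindow:
    """Per-SA anti-replay state: the highest sequence number accepted so far (the
    right edge) plus a bitmap recording which of the WINDOW most recent sequence
    numbers have already been received."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.right = 0        # highest sequence number accepted so far
        self.bitmap = 0       # bit d set  <=>  sequence number (right - d) already seen

    def is_fresh(self, seq):
        """Cheap pre-check done before the keyed-hash verification; no state change."""
        if seq == 0:                       # sequence numbers start at 1
            return False
        if seq > self.right:               # ahead of the window: always new
            return True
        diff = self.right - seq
        if diff >= self.size:              # fell off the left edge: too old
            return False
        return not (self.bitmap >> diff) & 1

    def mark(self, seq):
        """Record an accepted packet; called only after the ICV verified."""
        if seq > self.right:
            shift = seq - self.right
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.right = seq
        else:
            self.bitmap |= 1 << (self.right - seq)


def ah_icv(key, seq, payload):
    """AH-style integrity check value: a keyed hash over the protected fields
    (here the sequence number and payload), truncated to 96 bits."""
    return hmac.new(key, struct.pack("!I", seq) + payload, hashlib.sha256).digest()[:12]


def receive(key, window, seq, payload, icv):
    """Receiver order: replay pre-check, keyed-hash check, then window update."""
    if not window.is_fresh(seq):
        return "replay"
    if not hmac.compare_digest(ah_icv(key, seq, payload), icv):
        return "bad icv"
    window.mark(seq)
    return "accept"


def crc_of(payload):
    """A CRC is a keyless checksum: it detects accidental corruption only."""
    return zlib.crc32(payload) & 0xFFFFFFFF


def crc_matches(payload, crc):
    return crc_of(payload) == crc


if __name__ == "__main__":
    key = b"constructed-sa-key"                      # constructed; a real SA key comes from IKE
    window = ReplayWindow()
    # constructed stream: packet 1 arrives twice, the second copy is a replay
    for seq, payload in [(1, b"first"), (2, b"second"), (1, b"first"), (3, b"third")]:
        print(seq, receive(key, window, seq, payload, ah_icv(key, seq, payload)))
    altered = b"pay 900"
    print("CRC recomputed over altered data, no key needed:", crc_matches(altered, crc_of(altered)))
    print("keyed hash with the wrong key matches:", ah_icv(b"wrong", 3, altered) == ah_icv(key, 3, altered))
```

The receiver checks the window before the ICV so that a flood of replayed packets is dropped without spending a hash computation on each one, and updates the window only after the ICV verified so that a forged sequence number cannot move the window and make legitimate traffic look old.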

  18. NAT Transparency
     PAT can't change the encrypted transport header.
     Solution: add an extra UDP header.
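
Slides 14 and 18 describe where the ESP header sits in transport mode and in tunnel mode, and why NAT traversal puts a UDP header in front of it. The Python script below is an added example, not from the slides and not from any vendor's IPsec implementation: it builds both encapsulations around a constructed inner packet, wraps one in the NAT-T UDP header, and reads each back the way a receiver would. A repeating-key XOR stands in for the real cipher, the ESP trailer carries only the pad-length and next-header bytes (no ICV), IP checksums are left zero, and UDP port 4500 for ESP-in-UDP is a value the slides do not mention.

```python
import socket
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50           # ESP is IP protocol 50 (slide 16)
NEXT_HEADER_IPV4 = 4       # ESP trailer "next header" value meaning "an IPv4 packet follows"
NAT_T_PORT = 4500          # UDP port for ESP-in-UDP; not named on the slides

IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")   # 20-byte header, no options
ESP_HEADER = struct.Struct("!II")               # SPI, sequence number


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header; checksum left zero since nothing here reaches a wire."""
    return IPV4_HEADER.pack(0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                            socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4(buf):
    """Split a constructed packet into header fields and the bytes after the header."""
    f = IPV4_HEADER.unpack(buf[:20])
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]), "proto": f[6]}, buf[20:]


def toy_encrypt(key, data):
    """Repeating-key XOR standing in for the real ESP cipher; symmetric, so it also decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def esp_wrap(key, spi, seq, plaintext, next_header):
    """ESP header followed by encrypt(plaintext || pad_len=0 || next_header). ICV omitted."""
    return ESP_HEADER.pack(spi, seq) + toy_encrypt(key, plaintext + bytes([0, next_header]))


def esp_transport(packet, key, spi, seq):
    """Transport mode: keep the original IP header (protocol field now 50) and
    insert ESP between that header and the original payload."""
    hdr, payload = parse_ipv4(packet)
    body = esp_wrap(key, spi, seq, payload, hdr["proto"])
    return ipv4_header(hdr["src"], hdr["dst"], IPPROTO_ESP, len(body)) + body


def esp_tunnel(packet, key, spi, seq, peer_src, peer_dst):
    """Tunnel mode: the whole original packet becomes the ESP payload and a new
    outer IP header carries the two peers' addresses."""
    body = esp_wrap(key, spi, seq, packet, NEXT_HEADER_IPV4)
    return ipv4_header(peer_src, peer_dst, IPPROTO_ESP, len(body)) + body


def nat_t_wrap(esp_packet):
    """NAT traversal: ESP carries no ports for PAT to rewrite, so a UDP header
    is placed in front of ESP and the outer protocol number becomes UDP."""
    hdr, body = parse_ipv4(esp_packet)
    udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(body), 0)
    return ipv4_header(hdr["src"], hdr["dst"], IPPROTO_UDP, 8 + len(body)) + udp + body


def esp_unwrap(packet, key):
    """Receiver side: drop a NAT-T UDP wrapper if present, read the ESP header,
    decrypt, then let the trailer's next-header byte decide the mode."""
    hdr, rest = parse_ipv4(packet)
    if hdr["proto"] == IPPROTO_UDP:        # assumed to be NAT-T in this example
        rest = rest[8:]
    elif hdr["proto"] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    spi, seq = ESP_HEADER.unpack(rest[:8])
    plain = toy_encrypt(key, rest[8:])
    pad_len, next_header = plain[-2], plain[-1]
    inner = plain[:len(plain) - 2 - pad_len]
    if next_header == NEXT_HEADER_IPV4:    # tunnel mode: a complete IP packet came out
        return "tunnel", spi, seq, inner
    # transport mode: rebuild the original header around the recovered payload
    return "transport", spi, seq, ipv4_header(hdr["src"], hdr["dst"], next_header, len(inner)) + inner


def layers(packet):
    """Name the header chain so the encapsulations can be compared side by side."""
    hdr, rest = parse_ipv4(packet)
    chain = [f"IP {hdr['src']}->{hdr['dst']} proto={hdr['proto']}"]
    if hdr["proto"] == IPPROTO_UDP:
        sport, dport, _, _ = struct.unpack("!HHHH", rest[:8])
        chain.append(f"UDP {sport}->{dport}")
        rest = rest[8:]
    spi, seq = ESP_HEADER.unpack(rest[:8])
    chain += [f"ESP spi={spi:#x} seq={seq}", f"ciphertext {len(rest) - 8} bytes"]
    return chain


if __name__ == "__main__":
    key = b"\x5a\xa5\x0f"                       # constructed toy key
    payload = b"hello from PC1"                 # constructed passenger data
    original = ipv4_header("10.1.1.10", "10.2.2.20", 6, len(payload)) + payload
    transport = esp_transport(original, key, 0x1001, 1)
    tunnel = esp_tunnel(original, key, 0x1002, 1, "203.0.113.1", "198.51.100.1")
    for name, pkt in (("transport", transport), ("tunnel", tunnel), ("nat-t", nat_t_wrap(tunnel))):
        print(f"{name:9} {layers(pkt)} -> recovered {esp_unwrap(pkt, key)[0]} mode")
```

Comparing the printed header chains shows the two costs the slides allude to: transport mode adds only the ESP header and trailer, while tunnel mode also adds a second 20-byte IP header, and in both cases the outer header's protocol field is 50 rather than a port-bearing transport protocol, which is exactly what the NAT-T UDP wrapper restores for a PAT device.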

  19. GRE
     Generic Routing Encapsulation
     • Cisco IP tunneling protocol.
     • Allows use of multicast protocols.
     • Combine with IPsec to allow routing information to be passed between networks.
     IP protocol 47.

  20. L2TP
     • Open successor to
       • L2F (Cisco)
       • PPTP (MS)
     • Layer 2 tunnel, so it supports any layer 3 protocol.
     • Encapsulates in UDP datagram to port 1701.
     • Does not provide encryption or authentication.
     • Use with IPsec.

  21. Key Points
     Tunneling
     • Carrier Protocol
     • Encapsulating Protocol
     • Passenger Protocol
     VPNs
     • layer 4: ssh, SSL
     • layer 3: IPsec
     • layer 2: L2TP
     IPsec
     • ESP
     • AH
     • IKE
     • Tunnel mode vs transport mode

  22. References
     • Daniel J. Barrett, Robert G. Byrnes, Richard E. Silverman, SSH, The Secure Shell, 2nd edition, O'Reilly, 2005.
     • Vijay Bollapragada, IPsec VPN Design, Cisco Press, 2005.
     • James Boney, Cisco IOS in a Nutshell, 2nd edition, O'Reilly, 2005.
     • Cisco, Cisco Connection Documentation, http://www.cisco.com/univercd/home/home.htm
     • Cisco, Internetworking Basics, http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/introint.htm
     • Saadat Malik, Network Security Principles and Practices, Cisco Press, 2002.
     • Wendell Odom, CCNA Official Exam Certification Library, 3rd edition, Cisco Press, 2007.
