Virtual Private Networking
Irfan Khan, Myo Thein, Nick Merante
VPN + IPSec
• VPN: Virtual Private Network
  • Enable two remote networks to appear as one network via the internet.
• IPSec: Internet Protocol Security Extensions
  • Enable machines to securely communicate over an insecure medium.
What We Will Cover
• The need for security
• Benefits of a VPN/IPSec combination
• The necessary tools
• How to set everything up
• How to verify everything is working
The Need for Security
• The Internet is not like it used to be
• The hunt for bugs
• Automated tools do most of the dirty work
• Systems are targeted regardless of the value of their content
• Business need for securing client/customer data on a global network
Why Use VPN
• Confidentiality
• Integrity
• Authenticity
• Replay protection
Who can benefit
• Peer to peer security: encryption of traffic between people.
  • PGP Desktop Security (www.pgpi.org)
• Corporate security: encryption of traffic between offices.
Benefits to personal users
• Create a secure path between two machines
• Enhance the level of trust with authentication
Benefits for corporate users
• Can do away with leased lines connecting offices without sacrificing privacy.
• Can then make use of the internet, which is:
  • More reliable
  • More portable
  • More cost-effective
A method of security
• Implementing a Virtual Private Network (VPN)
• Using IPSec to encrypt all traffic
• Authenticating data sent
What is IPSec
IPSec = AH + ESP + IKE
Different Modes: AH vs ESP
• AH: Authentication Header
  • Attaches a checksum to packets
  • Ensures the packet was not modified in transit
• ESP: Encapsulating Security Payload
  • Encrypts data
  • Ensures authentication
Different Modes: Tunnel vs Transport
• Tunnel Mode
  • Encapsulates the packet in a new IPv4/v6 header
  • Used for VPN gateways
• Transport Mode
  • Encrypts normal traffic between peers
Tunnel vs Transport (diagram)
• Transport Mode: Host 1 <-> Host 2 (IPSec between the two end hosts)
• Tunnel Mode: Host 1 -> Gateway 1 <-> Gateway 2 -> Host 2 (IPSec between the two gateways)
Necessary Tools
• Two Unix machines with properly configured kernels to serve as gateways
• Racoon for key exchange
• Internet connection
Preparing the machine
• Modify the kernel configuration:
  bpf          # Berkeley packet filter
  IPFIREWALL   # Enable firewall
  IPDIVERT     # Divert IP sockets (used for NAT)
  IPSEC        # IP security
  IPSEC_ESP    # IP security (crypto; define with IPSEC)
  IPSEC_DEBUG  # Debugging for IPSec
• Install Racoon
  • Obtain the source code or install from the ports collection
Creating the tunnel
• Set up a tunnel between two private networks
• gif: generic tunnel interface
• Diagram A
• Tunnel script (Step 3)
Diagram A: VPN Tunnel (diagram)
• Nodes A, B, C at 192.168.5.100, 192.168.5.101, 192.168.5.102 behind vpn-gw2 (gif0: 192.168.5.1)
• Nodes A, B, C at 192.168.6.100, 192.168.6.101, 192.168.6.102 behind van-gw1 (gif0: 192.168.6.1)
• Gateway A and Gateway B have public addresses 192.52.220.22 and 192.52.220.152 and are joined across the Internet by the VPN tunnel
Adding the Encryption
• Creating the policies
  • Manual keying
  • Automatic keying (racoon)
• Racoon configuration
• Different algorithms
  • des, 3des, blowfish, etc.
• Step 4 / Figure A
Figure A
  # Ident: ipsec.conf
  # Usage: setkey -f ipsec.conf
  flush;      # Flush the Security Association Database
  spdflush;   # Flush the Security Policy Database
  #add 192.52.220.22 192.52.220.152 esp 9111 -E blowfish-cbc "12345";
  #add 192.52.220.152 192.52.220.22 esp 9112 -E blowfish-cbc "12345";
  spdadd 192.168.6.0/24 192.168.5.0/24 any -P out ipsec esp/tunnel/192.52.220.22-192.52.220.152/require;
  spdadd 192.168.5.0/24 192.168.6.0/24 any -P in ipsec esp/tunnel/192.52.220.152-192.52.220.22/default;
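As an added example (not from the slides or from the setkey/racoon projects), this Python helper generates a Figure A style setkey policy for both gateways, checks that the two sides mirror each other, and flags inbound policies whose level is weaker than require. It assumes van-gw1 is the gateway on which Figure A is loaded (public 192.52.220.22, LAN 192.168.6.0/24) and vpn-gw2 is its peer (192.52.220.152, LAN 192.168.5.0/24).

```python
"""Generate and lint mirrored setkey(8) SPD policies for an ESP tunnel.

Assumed mapping (not stated on the slides): van-gw1 = 192.52.220.22 fronting
192.168.6.0/24, vpn-gw2 = 192.52.220.152 fronting 192.168.5.0/24.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Gateway:
    name: str    # hostname, e.g. van-gw1
    public: str  # public address used as the tunnel endpoint
    lan: str     # private network behind the gateway, in CIDR form


def spd_policies(local, remote, in_level="require"):
    """Return the two spdadd lines for `local`: traffic out to the remote LAN
    and traffic in from it. The endpoint order is swapped for the inbound line."""
    out_line = (f"spdadd {local.lan} {remote.lan} any -P out ipsec "
                f"esp/tunnel/{local.public}-{remote.public}/require;")
    in_line = (f"spdadd {remote.lan} {local.lan} any -P in ipsec "
               f"esp/tunnel/{remote.public}-{local.public}/{in_level};")
    return [out_line, in_line]


def ipsec_conf(local, remote, in_level="require"):
    """Full file in the Figure A layout: flush both databases, then add policies."""
    return "\n".join(["flush;", "spdflush;", *spd_policies(local, remote, in_level)]) + "\n"


SPD_RE = re.compile(r"spdadd (\S+) (\S+) any -P (in|out) ipsec esp/tunnel/(\S+)-(\S+)/(\w+);")


def parse_spd(conf):
    """Map (src, dst, direction) -> (endpoint_src, endpoint_dst, level) for each spdadd."""
    return {(s, d, dirn): (es, ed, lvl) for s, d, dirn, es, ed, lvl in SPD_RE.findall(conf)}


def weak_policies(conf):
    """spdadd lines whose level is not 'require'; 'default' and 'use' may pass cleartext."""
    return [line for line in conf.splitlines()
            if line.startswith("spdadd") and not line.rstrip(";").endswith("/require")]


def _outs_covered(a, b):
    # every 'out' policy in a needs an 'in' policy in b with the same selectors and endpoints
    return all(b.get((s, d, "in"), (None, None, None))[:2] == (es, ed)
               for (s, d, dirn), (es, ed, _) in a.items() if dirn == "out")


def mirrored(conf_a, conf_b):
    """True when both gateways' outbound policies are matched by the peer's inbound ones."""
    a, b = parse_spd(conf_a), parse_spd(conf_b)
    return _outs_covered(a, b) and _outs_covered(b, a)
```

Figure A's own inbound line ends in /default, so weak_policies() reports it; with /require, inbound packets from the remote LAN that are not ESP-protected are dropped rather than handled at the kernel's default level.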
Changes to the Packet (ESP: Encapsulating Security Payload)
• IPv4 packet before applying ESP: [Orig IP hdr][TCP][Data]
• After applying ESP (transport mode, so the original IP header is kept): [Orig IP hdr][ESP Header][TCP][Data][ESP Trailer][ESP Auth]
  • Encrypted: TCP, Data, ESP Trailer
  • Authenticated: ESP Header through ESP Trailer
Manual vs Automatic Keying
• Benefits of manual keying
  • Simplicity
  • Less overhead
• Benefits of automatic keying
  • Much more secure
  • Encryption keys are periodically changed based on time or amount of data transferred.
Encryption Algorithms
• Data Encryption Standard (DES): 64 bits
• Triple DES: 192 bits
• Blowfish: 40 to 448 bits
• Rijndael (AES): 128/192/256 bits
Verification
• An analysis before and after
• Key policies (Figure B)
• Dump the Security Association Database with setkey -D (Figure C)
• tcpdump of headers (Figure D)
• tcpdump of data (Figure E)
Conclusion
Different tools for different jobs:
• PGP for encrypting data
• SSL for encrypting sockets
• SSH for encrypting logons
• IPSec for encrypting all traffic
Another tool for the administrator’s toolbox.