
Virtual Private Networking

Virtual Private Networking. Irfan Khan, Myo Thein, Nick Merante. VPN + IPSec. VPN: Virtual Private Network: enables two remote networks to appear as one network via the Internet. IPSec: Internet Protocol Security extensions: enables machines to communicate securely over an insecure medium.


Presentation Transcript


  1. Virtual Private Networking Irfan Khan Myo Thein Nick Merante

  2. VPN + IPSec • VPN: Virtual Private Network • Enable two remote networks to appear as one network via the internet. • IPSec: Internet Protocol Security Extensions • Enable machines to securely communicate over an insecure medium

  3. What We Will Cover • The need for security • Benefits of a VPN/IPSec combination • The necessary tools • How to set everything up • How to verify everything is working

  4. The Need for Security • The Internet is not what it used to be • The hunt for bugs • Automated tools do most of the dirty work • Systems are targeted regardless of the value of their content • Business need for securing client/customer data on a global network

  5. Why Use VPN • Confidentiality • Integrity • Authenticity • Replay Protection

  6. Who can benefit • Peer-to-peer security – encryption of traffic between people. • PGP Desktop Security www.pgpi.org • Corporate security – encryption of traffic between offices.

  7. Benefits to personal users • Create a secure path between two machines • Enhance the level of trust with authentication

  8. Benefits for corporate users
  • Can do away with leased lines connecting offices without sacrificing privacy.
  • Can then make use of the Internet, which is:
    • More reliable
    • More portable
    • More cost-effective

  9. A method of security • Implementing a Virtual Private Network (VPN) • Using IPSec to encrypt all traffic • Authenticating data sent

  10. What is IPSec? IPSec = AH + ESP + IKE

  11. Different Modes: AH vs ESP
  • AH: Authentication Header
    • Attaches a checksum to each packet
    • Ensures the packet was not modified in transit
  • ESP: Encapsulating Security Payload
    • Encrypts the data
    • Also provides authentication

  12. Different Modes: Tunnel vs Transport
  • Tunnel Mode
    • Encapsulates the packet in a new IPv4/v6 header
    • Used for VPN gateways
  • Transport Mode
    • Encrypts normal traffic between peers

  13. Tunnel vs Transport
      Transport mode:  Host 1 <===================================> Host 2
      Tunnel mode:     Host 1 --- Gateway 1 <=============> Gateway 2 --- Host 2

  14. Necessary Tools • Two Unix machines with properly configured kernels to serve as gateways • Racoon for key exchange • An Internet connection

  15. Preparing the machine
  • Modify the kernel (options to enable in the kernel configuration):
      bpf          # Berkeley packet filter
      IPFIREWALL   # Enable firewall
      IPDIVERT     # Divert IP sockets (used for NAT)
      IPSEC        # IP security
      IPSEC_ESP    # IP security (crypto; define together with IPSEC)
      IPSEC_DEBUG  # Debugging for IPsec
  • Install Racoon
    • Obtain the source code or install from the ports collection

  16. Creating the tunnel • Set up a tunnel between the two private networks • gif – generic tunnel interface • Diagram A • Tunnel script (Step 3)

  17. Diagram A: VPN tunnel between the two private networks (the slide labels the two gateways Gateway A and Gateway B; the pairing of hostnames with public addresses below is taken from Figure A, which tunnels the 192.168.6.0/24 side from 192.52.220.22)

      Node A 192.168.6.100 --+                                                  +-- Node A 192.168.5.100
      Node B 192.168.6.101 --+-- van-gw1 ===== Internet (VPN tunnel) ===== vpn-gw2 --+-- Node B 192.168.5.101
      Node C 192.168.6.102 --+   gif0: 192.168.6.1                 gif0: 192.168.5.1 +-- Node C 192.168.5.102
                                 public: 192.52.220.22        public: 192.52.220.152

  18. Adding the Encryption
  • Creating the policies
  • Manual keying
  • Automatic keying (racoon)
    • Racoon configuration
  • Different algorithms
    • des, 3des, blowfish, etc.
  • Step 4 / Figure A

  19. Figure A
      # Ident: ipsec.conf
      # Usage: setkey -f ipsec.conf
      flush;      # Flush the Security Association Database
      spdflush;   # Flush the Security Policy Database
      #add 192.52.220.22 192.52.220.152 esp 9111 -E blowfish-cbc "12345";
      #add 192.52.220.152 192.52.220.22 esp 9112 -E blowfish-cbc "12345";
      spdadd 192.168.6.0/24 192.168.5.0/24 any -P out ipsec esp/tunnel/192.52.220.22-192.52.220.152/require;
      spdadd 192.168.5.0/24 192.168.6.0/24 any -P in ipsec esp/tunnel/192.52.220.152-192.52.220.22/default;
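Figure A shows the policy file for one gateway only. The following is an added example, not part of the slides, that generates the matching setkey(8) policy for both gateways of Diagram A and checks that the two sides are mirror images of each other, which is the usual thing to get wrong when the same file is hand-edited twice. Addresses and hostnames are those on the slides; pairing van-gw1 with 192.52.220.22 and vpn-gw2 with 192.52.220.152 is inferred from Figure A (the 192.168.6.0/24 side tunnels from 192.52.220.22). The class and function names are my own.

```python
# Added example, not from the slides: generate the setkey(8) policy that
# Figure A shows for one gateway for BOTH gateways of Diagram A, and check
# that the two sides are mirror images of each other.
# Addresses and hostnames come from the slides; pairing van-gw1 with
# 192.52.220.22 and vpn-gw2 with 192.52.220.152 is inferred from Figure A.
# Class and function names are my own.

from dataclasses import dataclass


@dataclass(frozen=True)
class Gateway:
    name: str      # hostname
    public: str    # Internet-facing address, i.e. the tunnel endpoint
    private: str   # private network behind this gateway (CIDR)


VAN_GW1 = Gateway("van-gw1", "192.52.220.22", "192.168.6.0/24")
VPN_GW2 = Gateway("vpn-gw2", "192.52.220.152", "192.168.5.0/24")


def spd_lines(local: Gateway, remote: Gateway, level: str = "require") -> list:
    """setkey commands installing tunnel-mode ESP policy on `local`.

    Figure A uses 'require' outbound and 'default' inbound. Using 'require'
    in both directions (the default here) also rejects cleartext packets that
    arrive from the Internet claiming a source in the remote private network.
    """
    out_sa = f"esp/tunnel/{local.public}-{remote.public}/{level}"
    in_sa = f"esp/tunnel/{remote.public}-{local.public}/{level}"
    return [
        "flush;",     # empty the Security Association Database
        "spdflush;",  # empty the Security Policy Database
        f"spdadd {local.private} {remote.private} any -P out ipsec {out_sa};",
        f"spdadd {remote.private} {local.private} any -P in ipsec {in_sa};",
    ]


def policies_mirror(side_a: list, side_b: list) -> bool:
    """True when every outbound policy on one side is the same policy,
    marked inbound, on the other side (selectors, endpoints and level)."""
    def outbound_as_inbound(lines):
        return sorted(l.replace(" -P out ", " -P in ")
                      for l in lines if " -P out " in l)

    def inbound(lines):
        return sorted(l for l in lines if " -P in " in l)

    return (outbound_as_inbound(side_a) == inbound(side_b)
            and outbound_as_inbound(side_b) == inbound(side_a))


if __name__ == "__main__":
    for gw, peer in ((VAN_GW1, VPN_GW2), (VPN_GW2, VAN_GW1)):
        print(f"# ipsec.conf for {gw.name}")
        print("\n".join(spd_lines(gw, peer)))
    print("mirror:", policies_mirror(spd_lines(VAN_GW1, VPN_GW2),
                                     spd_lines(VPN_GW2, VAN_GW1)))
```

Running the script prints one ipsec.conf per gateway; `policies_mirror` returns False if a selector, a tunnel endpoint or the policy level differs between the two files, for example when one side keeps Figure A's `default` on the inbound rule while the other uses `require`.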

  20. Changes to the Packet (IPv4; ESP: Encapsulating Security Payload)
      Before applying ESP:
        | Orig IP hdr | TCP | Data |
      After applying ESP:
        | Orig IP hdr | ESP Header | TCP | Data | ESP Trailer | ESP Auth |
                      |            |<------- encrypted ------>|
                      |<----------- authenticated ----------->|
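To make the picture on slide 20 concrete, here is an added example (not from the slides) that lays out an ESP-protected IPv4 packet field by field, for the transport mode drawn above and for the tunnel mode of slide 12, and reports which byte ranges are encrypted and which are covered by the integrity check. The fixed field sizes (SPI 4, sequence number 4, pad length 1, next header 1) follow the ESP specification; the IV/block size (8 for Blowfish-CBC, DES and 3DES) and the ICV size (12 for HMAC-SHA1-96) are defaults I chose, and the function names are my own.

```python
# Added example, not from the slides: ESP packet layout for transport and
# tunnel mode. Fixed field sizes follow the ESP specification; iv_len, block
# and icv_len are assumptions (8/8/12 match Blowfish-CBC with HMAC-SHA1-96).

def esp_layout(payload_len, mode="transport", ip_hdr_len=20,
               iv_len=8, block=8, icv_len=12):
    """Return the field sequence, total size and the byte ranges covered by
    encryption and by the integrity check (ESP Auth) for one packet."""
    if mode not in ("transport", "tunnel"):
        raise ValueError("mode must be 'transport' or 'tunnel'")
    fields = [("IP hdr", ip_hdr_len), ("SPI", 4), ("seq", 4), ("IV", iv_len)]
    if mode == "tunnel":
        # Tunnel mode carries the whole original packet, header included.
        fields.append(("orig IP hdr", ip_hdr_len))
    fields.append(("TCP+data", payload_len))
    # Padding brings (plaintext + pad length + next header) to a block multiple.
    plaintext = payload_len + (ip_hdr_len if mode == "tunnel" else 0)
    pad = (-(plaintext + 2)) % block
    fields += [("pad", pad), ("pad len", 1), ("next hdr", 1), ("ESP auth", icv_len)]
    start = {}
    pos = 0
    for name, length in fields:
        start[name] = pos
        pos += length
    # Encryption covers everything from the first inner byte through the
    # trailer (the IV travels in the clear); the ICV covers SPI through trailer.
    first_encrypted = "orig IP hdr" if mode == "tunnel" else "TCP+data"
    end_of_trailer = start["ESP auth"]
    return {
        "fields": fields,
        "total": pos,
        "encrypted": (start[first_encrypted], end_of_trailer),
        "authenticated": (start["SPI"], end_of_trailer),
    }


def render(layout):
    """One-line picture in the style of slide 20, e.g. '[IP hdr 20][SPI 4]...'."""
    return "".join(f"[{name} {length}]" for name, length in layout["fields"] if length)


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        lay = esp_layout(100, mode=mode)   # 20-byte TCP header + 80 bytes of data
        print(mode, lay["total"], "bytes:", render(lay))
        print("  encrypted bytes", lay["encrypted"], "authenticated bytes", lay["authenticated"])
```

For a 100-byte TCP segment the transport-mode packet grows to 152 bytes and the tunnel-mode packet to 176 bytes; the difference is the extra inner IP header plus the padding needed to keep the plaintext a multiple of the cipher block size.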

  21. Manual vs Automatic Keying
  • Benefits of manual keying
    • Simplicity
    • Less overhead
  • Benefits of automatic keying
    • Much more secure
    • Encryption keys are periodically changed based on time or amount of data transferred.

  22. Encryption Algorithms
  • Data Encryption Standard (DES)
    • 64 bits
  • Triple DES
    • 192 bits
  • Blowfish
    • 40 to 448 bits
  • Rijndael (AES)
    • 128/192/256 bits

  23. Verification • An analysis before and after • Key policies (Figure B) • Dump the Security Association Database with setkey -D (Figure C) • tcpdump of headers (Figure D) • tcpdump of data (Figure E)
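Figures B to E are not reproduced in this transcript, so the following is an added example (not from the slides) of the two checks slide 23 describes: reading a `setkey -D` dump to confirm that a mature tunnel-mode ESP SA with an authentication algorithm exists in each direction, and scanning a tcpdump of the Internet-facing interface for packets between the private networks that are not ESP-encapsulated. The dump and capture below are constructed samples in the shape those tools print; addresses and the SPIs 9111/9112 come from Diagram A and Figure A, the HMAC-SHA1 authentication and the key material are assumptions, and the function names are my own.

```python
# Added example, not from the slides: verify the "after" state of slide 23.
# SAD_DUMP, BAD_DUMP and CAPTURE are constructed samples; addresses and SPIs
# are the slides' values, everything else in them is assumed.

import ipaddress
import re

# Constructed `setkey -D` output: one SA per direction of the tunnel.
SAD_DUMP = """\
192.52.220.22 192.52.220.152
\tesp mode=tunnel spi=9111(0x00002397) reqid=0(0x00000000)
\tE: blowfish-cbc  3132333435
\tA: hmac-sha1  <key-omitted>
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
192.52.220.152 192.52.220.22
\tesp mode=tunnel spi=9112(0x00002398) reqid=0(0x00000000)
\tE: blowfish-cbc  3132333435
\tA: hmac-sha1  <key-omitted>
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

# Constructed dump of a broken setup: one direction only, DES, no auth, not mature.
BAD_DUMP = """\
192.52.220.22 192.52.220.152
\tesp mode=tunnel spi=9111(0x00002397) reqid=0(0x00000000)
\tE: des-cbc  0123456789abcdef
\tseq=0x00000000 replay=4 flags=0x00000000 state=larval
"""

# Constructed tcpdump lines from the Internet-facing interface. The third
# packet is a cleartext leak: private addresses visible outside the tunnel.
CAPTURE = [
    "12:00:01.000000 IP 192.52.220.22 > 192.52.220.152: ESP(spi=0x00002397,seq=0x1), length 116",
    "12:00:01.000500 IP 192.52.220.152 > 192.52.220.22: ESP(spi=0x00002398,seq=0x1), length 116",
    "12:00:02.000000 IP 192.168.6.100.2345 > 192.168.5.100.22: Flags [S], seq 1, win 65535, length 0",
]

SA_HEADER = re.compile(r"^(\S+) (\S+)$")   # unindented "src dst" line starts an SA
PKT = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")
WEAK_ENC = {"des-cbc", "null"}


def parse_sad(dump: str) -> list:
    """Turn a setkey -D dump into a list of SA dicts (src, dst, proto, mode, spi, enc, auth, state)."""
    sas = []
    for line in dump.splitlines():
        m = SA_HEADER.match(line)
        if m:
            sas.append({"src": m.group(1), "dst": m.group(2)})
            continue
        if not sas:
            continue
        sa, s = sas[-1], line.strip()
        if s.startswith(("esp", "ah")) and "mode=" in s:
            sa["proto"] = s.split()[0]
            sa["mode"] = re.search(r"mode=(\w+)", s).group(1)
            sa["spi"] = int(re.search(r"spi=(\d+)", s).group(1))
        elif s.startswith("E:"):
            sa["enc"] = s.split()[1]
        elif s.startswith("A:"):
            sa["auth"] = s.split()[1]
        elif "state=" in s:
            sa["state"] = re.search(r"state=(\w+)", s).group(1)
    return sas


def sa_findings(sas: list, left: str, right: str) -> list:
    """Problems with the SAD: missing direction, immature SA, wrong mode, weak cipher, no integrity."""
    findings = []
    present = {(sa["src"], sa["dst"]) for sa in sas}
    for src, dst in ((left, right), (right, left)):
        if (src, dst) not in present:
            findings.append(f"no SA for {src} -> {dst}")
    for sa in sas:
        tag = f"{sa['src']}->{sa['dst']}"
        if sa.get("state") != "mature":
            findings.append(f"{tag}: state is {sa.get('state')}, not mature")
        if sa.get("mode") != "tunnel":
            findings.append(f"{tag}: mode is {sa.get('mode')}, expected tunnel")
        if sa.get("enc") in WEAK_ENC:
            findings.append(f"{tag}: weak cipher {sa['enc']}")
        if sa.get("proto") == "esp" and "auth" not in sa:
            findings.append(f"{tag}: ESP without authentication (no integrity protection)")
    return findings


def cleartext_leaks(capture_lines: list, private_nets: list) -> list:
    """Capture lines that carry a private-network address without ESP encapsulation."""
    nets = [ipaddress.ip_network(n) for n in private_nets]
    leaks = []
    for line in capture_lines:
        m = PKT.search(line)
        if not m or "ESP(" in line:
            continue
        if any(ipaddress.ip_address(a) in n for a in m.groups() for n in nets):
            leaks.append(line)
    return leaks


if __name__ == "__main__":
    print("good SAD:", sa_findings(parse_sad(SAD_DUMP), "192.52.220.22", "192.52.220.152"))
    print("bad SAD:", sa_findings(parse_sad(BAD_DUMP), "192.52.220.22", "192.52.220.152"))
    print("leaks:", cleartext_leaks(CAPTURE, ["192.168.5.0/24", "192.168.6.0/24"]))
```

An empty findings list and an empty leak list together are the "after" state the slide is looking for: every inter-office packet on the outside interface shows up only as ESP between the two gateway addresses, and both directions have a mature, authenticated SA.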

  24. Diagram A (repeated: the same network diagram as slide 17, shown again for the verification discussion)

  25. Conclusion Different tools for different jobs: • PGP for encrypting data • SSL for encrypting sockets • SSH for encrypting logons • IPSec for encrypting all traffic Another tool for the administrator's toolbox
