Internet Security Seminar Class CS591 Presentation Topic: VPN
Virtual Private Network • What is a VPN? • An extension of an enterprise's private intranet across a public network, achieved by: • Encrypting the user's data (confidentiality) • Validating the user's data (integrity) • Authenticating the source of the data • Establishing and maintaining the cryptographic secrets (keys) that the above require
Virtual Private Network • Why do businesses use VPNs? • Cost: an ISP/NSP connection instead of dedicated leased lines • Simplified infrastructure: no modem bank for dial-in users • Security: traffic is encrypted, authenticated and integrity-protected • Interoperability: supports multiple protocols • Distributed, deployable, scalable
Virtual Private Network • Types of VPN • Branch office connection (intranet) • Business partner/supplier network (extranet) • E-Business • Remote access • Mobile IP
Virtual Private Network • Branch office connection
Virtual Private Network • Business partner/supplier network
Virtual Private Network • Remote access
Virtual Private Network • How does a VPN work? • Creates a dedicated link across the public network using tunneling (one protocol's packets are encapsulated inside another's) • Basic components of a tunnel: • A tunnel initiator (TI) • A routed network (typically the public Internet) • An optional tunnel switch • One or more tunnel terminators (TT)
Virtual Private Network • Protocols published by the IETF • IPsec • IKE • L2F • PPTP • L2TP (IPsec, IKE and L2TP are standards-track; L2F and PPTP were published as informational RFCs, documenting vendor protocols rather than standardizing them)
Virtual Private Network • IPsec • Proposed by Cisco and standardized by the IETF • Initially used by firewall and security products • Secures the network (packet processing) layer of the communication model, so it is transparent to applications • Two security services: • Authentication Header (AH): integrity and origin authentication of the entire packet, including the outer IP header; no confidentiality • Encapsulating Security Payload (ESP): confidentiality of the payload, with optional integrity/authentication of the payload (the outer IP header is not covered)
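The AH service above is easiest to understand from what its integrity check covers. The following is an added example, not code from the slides: it builds a minimal IPv4 packet carrying an AH, computes the ICV with HMAC-SHA-256-128 over the packet with the mutable header fields zeroed, and then shows that a router's TTL decrement leaves verification intact while a NAT's source-address rewrite or a payload change breaks it. The key and addresses are constructed; the RFC 4302 field layout and RFC 4868 truncation are real.

```python
"""
IPsec Authentication Header (AH) integrity check (added example, not from
the slides).  AH authenticates the *whole* IP packet: outer IP header, AH
header and payload.  Header fields that legitimately change in transit
(DSCP/ECN, flags/fragment offset, TTL, header checksum) are zeroed before
the ICV is computed, so a router decrementing the TTL does not break
verification, while a change to the addresses or payload does.  That is
also why AH cannot pass through NAT, and why ESP (whose integrity check
leaves the outer header out) is what most deployments use.
Assumptions: HMAC-SHA-256-128 (RFC 4868); key and addresses are constructed.
"""
import hashlib
import hmac
import struct

AH_PROTO = 51
ICV_LEN = 16            # HMAC-SHA-256-128: MAC truncated to 128 bits
AH_FIXED_LEN = 12       # next header, payload len, reserved, SPI, sequence


def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!10H", hdr[:20]))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int,
                ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                      ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr: bytes) -> bytes:
    """RFC 4302 Appendix A: IPv4 fields treated as mutable are zeroed for the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # DSCP / ECN
    h[6] = h[7] = 0           # flags + fragment offset
    h[8] = 0                  # TTL
    h[10] = h[11] = 0         # header checksum
    return bytes(h)


def compute_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    # The ICV field itself is treated as zero while the MAC is computed.
    data = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, next_header, payload, spi, seq, ttl=64):
    ah_len = AH_FIXED_LEN + ICV_LEN
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + ah_len + len(payload), ttl)
    # Payload Len is the AH length in 32-bit words minus 2 (RFC 4302 section 2.2).
    ah_fixed = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + compute_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify_ah_packet(key: bytes, pkt: bytes) -> bool:
    ip_hdr, rest = pkt[:20], pkt[20:]
    if len(ip_hdr) < 20 or ip_hdr[9] != AH_PROTO or len(rest) < AH_FIXED_LEN:
        return False
    ah_fixed = rest[:AH_FIXED_LEN]
    ah_len = (ah_fixed[1] + 2) * 4
    icv, payload = rest[AH_FIXED_LEN:ah_len], rest[ah_len:]
    if len(icv) != ICV_LEN:
        return False
    return hmac.compare_digest(icv, compute_icv(key, ip_hdr, ah_fixed, payload))


def _rewrite_header(pkt: bytes, edit) -> bytes:
    """Apply an in-transit header edit and recompute the IP checksum."""
    ip_hdr = bytearray(pkt[:20])
    edit(ip_hdr)
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip_hdr)))
    return bytes(ip_hdr) + pkt[20:]


def decrement_ttl(pkt: bytes) -> bytes:
    """What every router on the path does; AH still verifies."""
    return _rewrite_header(pkt, lambda h: h.__setitem__(8, h[8] - 1))


def nat_rewrite_src(pkt: bytes, new_src: bytes) -> bytes:
    """What a NAT does; the source address is covered, so AH fails."""
    return _rewrite_header(pkt, lambda h: h.__setitem__(slice(12, 16), new_src))


KEY = b"constructed-32-byte-example-key!"   # constructed; 32 bytes for HMAC-SHA-256
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses

if __name__ == "__main__":
    pkt = build_ah_packet(KEY, SRC, DST, 17, b"constructed UDP payload", 0x1000, 1)
    print("original verifies:       ", verify_ah_packet(KEY, pkt))
    print("after TTL decrement:     ", verify_ah_packet(KEY, decrement_ttl(pkt)))
    print("after NAT source rewrite:", verify_ah_packet(KEY, nat_rewrite_src(pkt, bytes([192, 168, 1, 1]))))
```

The sequence number in the AH header is what the receiver uses for anti-replay; this example only carries it in the MAC and does not implement the sliding window.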
Virtual Private Network • Cisco IPsec with IKE • Diffie-Hellman (key agreement) • DES (encryption; now deprecated, superseded by 3DES and AES) • MD5/SHA (HMAC integrity; MD5 is no longer recommended)
Virtual Private Network • IKE • Internet Key Exchange protocol • Combines ISAKMP and Oakley (it was formerly referred to as ISAKMP/Oakley) • ISAKMP defines the message formats and the negotiation of security associations • Oakley contributes the Diffie-Hellman exchange that establishes the shared keys
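The Diffie-Hellman exchange and the derivation of session keys from it are the part of IKE worth seeing concretely. Below is an added example, not code from the slides or from any IKE implementation: two peers exchange DH public values and nonces, derive the IKE SA keys with the IKEv2 formulas (SKEYSEED = prf(Ni | Nr, g^ir), then prf+ over the nonces and SPIs), and a third run shows why the exchange must be followed by authentication, since an active attacker who substitutes its own public value ends up sharing a distinct key with each side. The DH group is a deliberately tiny toy prime so the example runs instantly; real IKE uses the IANA-registered MODP/ECP groups. HMAC-SHA-256 as the prf and 32-byte keys are assumptions.

```python
"""
IKE-style key establishment (added example, not from the slides).

ISAKMP defines the message framing and negotiation; Oakley contributes the
Diffie-Hellman exchange.  The key derivation follows IKEv2 (RFC 7296
sections 2.13 and 2.14):

    SKEYSEED = prf(Ni | Nr, g^ir)
    {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr}
             = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr)

ASSUMPTIONS: the DH group is a toy 127-bit Mersenne prime so the example is
instant; real IKE uses IANA MODP/ECP groups (e.g. RFC 3526 group 14).  prf
is HMAC-SHA-256 and every derived key is 32 bytes.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1        # TOY prime (M127); never use this group for real traffic
G = 2
KEY_LEN = 32
KEY_NAMES = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 prf+: T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def derive_ike_keys(shared: int, ni: bytes, nr: bytes,
                    spi_i: bytes, spi_r: bytes) -> dict:
    """Split the prf+ output into the seven IKE SA keys, in RFC order."""
    g_ir = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    skeyseed = prf(ni + nr, g_ir)
    material = prf_plus(skeyseed, ni + nr + spi_i + spi_r, KEY_LEN * len(KEY_NAMES))
    return {name: material[i * KEY_LEN:(i + 1) * KEY_LEN]
            for i, name in enumerate(KEY_NAMES)}


class IkePeer:
    """One IKE endpoint: fresh SPI, nonce and DH private exponent per SA."""

    def __init__(self):
        self.spi = secrets.token_bytes(8)
        self.nonce = secrets.token_bytes(32)
        self._x = secrets.randbelow(P - 2) + 1      # private exponent, never sent
        self.ke = pow(G, self._x, P)                # KE payload: g^x mod p

    def keys(self, peer_ke: int, ni, nr, spi_i, spi_r) -> dict:
        return derive_ike_keys(pow(peer_ke, self._x, P), ni, nr, spi_i, spi_r)


def ike_sa_init(init: IkePeer, resp: IkePeer):
    """Honest IKE_SA_INIT: each side sees the other's real KE payload."""
    k_i = init.keys(resp.ke, init.nonce, resp.nonce, init.spi, resp.spi)
    k_r = resp.keys(init.ke, init.nonce, resp.nonce, init.spi, resp.spi)
    return k_i, k_r


def ike_sa_init_mitm(init: IkePeer, resp: IkePeer, mitm: IkePeer):
    """The same exchange with an active attacker swapping in its own KE payload.
    Unauthenticated DH hands the attacker a separate SA with each side; the
    IKE_AUTH exchange (pre-shared key or certificate) is what detects this."""
    k_i = init.keys(mitm.ke, init.nonce, resp.nonce, init.spi, resp.spi)
    k_r = resp.keys(mitm.ke, init.nonce, resp.nonce, init.spi, resp.spi)
    m_with_i = mitm.keys(init.ke, init.nonce, resp.nonce, init.spi, resp.spi)
    m_with_r = mitm.keys(resp.ke, init.nonce, resp.nonce, init.spi, resp.spi)
    return k_i, k_r, m_with_i, m_with_r


if __name__ == "__main__":
    a, b = IkePeer(), IkePeer()
    ki, kr = ike_sa_init(a, b)
    print("honest exchange, keys agree:", ki == kr)
    ki, kr, mi, mr = ike_sa_init_mitm(a, b, IkePeer())
    print("with MITM, keys agree:", ki == kr, "| attacker shares key with each side:", ki == mi and kr == mr)
```

The nonces and SPIs feed the derivation so that reusing a DH value across SAs still yields distinct keys; the mismatch in the MITM run is exactly the condition the subsequent AUTH payload is designed to expose.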
Virtual Private Network • L2F • Layer 2 Forwarding: a tunneling protocol created by Cisco • Mechanism for transporting link-layer frames of higher-layer protocols, e.g. PPP • Used for virtual private dial-up networks (VPDN): • NAS at the ISP • Home gateway at the corporation
Virtual Private Network • PPTP • Point-to-Point Tunneling Protocol • Developed by Microsoft, 3Com, Ascend and ECI • Encapsulates PPP packets (in GRE) across an IP-based internet • Encryption: RC4 (RSA's stream cipher, used by MPPE), with keys derived from the MS-CHAP password authentication; MS-CHAPv2 is now known to be breakable, so PPTP should not be relied on for confidentiality today
Virtual Private Network • L2TP • Combines PPTP and L2F • Supports multiple simultaneous tunnels between the same pair of endpoints • Allows administrators to dedicate tasks to specific tunnels • Provides no encryption of its own; it is normally run over IPsec (L2TP/IPsec) for confidentiality
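To make the tunnel components and the "multiple simultaneous tunnels" claim concrete, here is an added example (not code from the slides) that parses the L2TPv2 header from RFC 2661 and demultiplexes datagrams by Tunnel ID and Session ID, which is how a tunnel terminator tells one tunnel's sessions apart from another's. The parser enforces the flag rules for control messages and rejects truncated headers; the datagrams are constructed in the block, not captured. The builder function and the sample PPP payloads are assumptions used only to produce that input.

```python
"""
L2TP (RFC 2661) header parsing and tunnel/session demultiplexing.  Added
example, not from the slides; the datagrams below are constructed, not
captured.  The 16-bit Tunnel ID and Session ID are what let one pair of
endpoints carry many simultaneous tunnels, each with many sessions.  Note
what is *not* here: L2TP has no encryption of its own, so the PPP payload
travels in the clear unless the UDP/1701 traffic is protected by IPsec.
"""
import struct
from typing import Dict, List, Tuple

L2TP_VERSION = 2
T_BIT, L_BIT, S_BIT, O_BIT, P_BIT = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100


def _u16(data: bytes, pos: int) -> int:
    if pos + 2 > len(data):
        raise ValueError("truncated L2TP header")
    return struct.unpack_from("!H", data, pos)[0]


def parse_l2tp(data: bytes) -> dict:
    """Decode one L2TPv2 datagram (the bytes after the UDP header)."""
    flags = _u16(data, 0)
    hdr = {"control": bool(flags & T_BIT), "version": flags & 0x000F,
           "priority": bool(flags & P_BIT)}
    has_len, has_seq, has_off = bool(flags & L_BIT), bool(flags & S_BIT), bool(flags & O_BIT)
    if hdr["version"] != L2TP_VERSION:
        raise ValueError("unsupported L2TP version %d" % hdr["version"])
    # RFC 2661 section 3.1: control messages MUST set L and S and MUST NOT set O.
    if hdr["control"] and not (has_len and has_seq and not has_off):
        raise ValueError("control message with invalid L/S/O flags")
    pos, end = 2, len(data)
    if has_len:
        end = _u16(data, pos)
        pos += 2
        if end > len(data):
            raise ValueError("length field exceeds datagram")
    hdr["tunnel_id"], hdr["session_id"] = _u16(data, pos), _u16(data, pos + 2)
    pos += 4
    if has_seq:
        hdr["ns"], hdr["nr"] = _u16(data, pos), _u16(data, pos + 2)
        pos += 4
    if has_off:
        pos += 2 + _u16(data, pos)     # skip the offset-size field and the pad
    if pos > end:
        raise ValueError("header runs past end of datagram")
    hdr["payload"] = data[pos:end]
    return hdr


def is_valid_l2tp(data: bytes) -> bool:
    try:
        parse_l2tp(data)
        return True
    except ValueError:
        return False


def demux(datagrams: List[bytes]) -> Dict[Tuple[int, int, str], List[bytes]]:
    """Group payloads by (tunnel, session, kind): the terminator's dispatch table."""
    table: Dict[Tuple[int, int, str], List[bytes]] = {}
    for d in datagrams:
        h = parse_l2tp(d)
        key = (h["tunnel_id"], h["session_id"], "ctrl" if h["control"] else "data")
        table.setdefault(key, []).append(h["payload"])
    return table


def build_l2tp(tunnel_id: int, session_id: int, payload: bytes,
               control: bool = False, ns: int = 0, nr: int = 0) -> bytes:
    """Constructed-packet builder, used only to produce the sample input."""
    if control:
        flags = T_BIT | L_BIT | S_BIT | L2TP_VERSION
        hdr = struct.pack("!HHHHHH", flags, 12 + len(payload), tunnel_id, session_id, ns, nr)
    else:
        hdr = struct.pack("!HHH", L2TP_VERSION, tunnel_id, session_id)
    return hdr + payload


PPP_LCP = b"\xff\x03\xc0\x21"     # PPP address/control bytes + LCP protocol number
SAMPLE = [                        # constructed datagrams
    build_l2tp(7, 0, b"SCCRQ-AVPs", control=True, ns=0, nr=0),  # tunnel setup on session 0
    build_l2tp(7, 3, PPP_LCP + b"\x01\x01\x00\x04"),             # LCP Configure-Request, session 3
    build_l2tp(7, 4, PPP_LCP + b"\x01\x02\x00\x04"),             # second session, same tunnel
    build_l2tp(9, 3, PPP_LCP + b"\x01\x03\x00\x04"),             # session 3 of a different tunnel
]

if __name__ == "__main__":
    for key, payloads in demux(SAMPLE).items():
        print(key, [p.hex() for p in payloads])
```

Session 3 appears in both tunnel 7 and tunnel 9 and is kept apart only by the Tunnel ID, which is the point of the two-level identifier.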
Virtual Private Network • VPN Technology • Firewalls • Intrusion Detection Tools • Authentication Servers • Encryption & Key Exchange
Virtual Private Network • Implementation • Networking connectivity • Intranet, extranet or remote access • Product or service provider • VPN gateway • Software only (suitable for connections under about 1.5 Mbps) • Firewall based • Router based • Authentication methods • RADIUS, PKI, X.509 (ITU-T), LDAP
Virtual Private Network • Routers and Firewalls with encryption capability. • Pros: • Encryption upgrades, if available, can be cost effective. • Cons: • Mixing vendor solutions can create compatibility issues that inhibit VPN capability. • May not be able to provide PC-to-LAN capability without additional software support. • Could require commitment to vendor's proprietary technology. • May not provide multi-protocol support. • Installation and configuration can add to network complexity. • Encryption processing overhead may reduce performance.
Virtual Private Network • Traditional Remote Access Server (RAS) with VPN add-on. • Pros: • May allow IT to take advantage of an existing hardware investment. • Cons: • Traditional Remote Access Servers are not optimized for VPN. • VPN add-ons may only be available for some high-end RAS solutions. • May be ISP dependent, requiring the company to adopt the same RAS VPN vendor as the ISP. • May not provide multi-protocol support. • May require vendor proprietary software.
Virtual Private Network • NOS/Server-Based VPN • Pros: • More robust solution for PC-to-LAN access than that provided by firewalls or routers. • Cons: • Difficult to set up and manage VPN functionality. • Adding VPN services to a network server can impact performance while decreasing fault tolerance. • Dedicating a network server to remote access can be prohibitively expensive.
Virtual Private Network • VPN Services • Pros: • Security and performance can be guaranteed for a price. • Requires limited corporate support. • Cons: • IT gives up control to the service provider. • May not provide multi-protocol support. • May not provide PC-to-LAN access. • VPN services may be cost prohibitive.
Virtual Private Network • Dedicated VPN Software • Pros: • Optimized to create LAN-to-LAN connections via VPN. • Dedicated VPN solution creates fault tolerance. • Standalone VPN solutions can offer greater performance. • Dedicated VPN solutions are generally easier to use and support than solutions originally designed for non-VPN functions such as firewalls, routers, network servers and traditional remote access servers. • Eliminates the need for costly frame relay circuits, leased lines, etc. • Cons: • Vendor proprietary software is needed for each server hosting VPN and each remote client accessing the LAN via VPN. • Must invest in a dedicated server for maximum performance. • Adding VPN software on an existing, in-use network server decreases fault tolerance and performance. • Many solutions support IP-only VPNs and cannot transport packets from multiple protocols.
Virtual Private Network • Dedicated VPN Hardware • Pros: • Easy to install, configure and manage. • Saves money by reducing equipment needs at corporate site. • Stand-alone solution offers greater performance and fault tolerance because it is optimized for VPN functionality. • Reduces costs of upgrading hardware as remote access technology changes. • Reduces costs of upgrading system as the number of users increases. • Cons: • Some solutions do not support multiple protocols. • Some LAN-to-LAN VPN solutions require costly software add-ons to support remote client PCs. • Some solutions require that proprietary software be loaded on the remote client's PC.
Virtual Private Network • SECURITY STANCE • Permit all access by default; the administrator specifically denies individual access according to security policy (default permit) • Deny all access by default; the administrator specifically permits individual access according to security policy (default deny, the stance that fails safe when a service is forgotten)
Virtual Private Network • Security techniques • Packet filters • Circuit-level gateways • Application-level gateways • Possible security breaches/risks from remote access (RA): • Unauthorized RA computer • RA computer connected to an insecure network • Virus-infected RA computer
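The two stances on the previous slide and the packet-filter technique on this one come together in a rule evaluator. The following is an added example, not code from the slides: a first-match packet filter for a VPN gateway is evaluated under both stances against the same rule list, and the only traffic whose verdict changes is the traffic no rule mentions, which is exactly what an unauthorized or infected remote-access client would probe for. The gateway address, intranet range, client pool, rules and packets are all constructed.

```python
"""
Security stance as a packet-filter policy (added example, not from the
slides; the rules, addresses and packets are constructed).  The same
first-match rule list is evaluated under both stances; the only difference
is the verdict for traffic no rule mentions.  Under default-permit an
unlisted service reachable from a remote-access client is exposed, which
is the "unauthorized / infected remote-access computer" risk in practice.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp", "esp", ...
    dport: int = 0    # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None     # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


DEFAULT_VERDICT = {"permit-all": "permit", "deny-all": "deny"}


def evaluate(rules: List[Rule], p: Packet, stance: str) -> str:
    """First matching rule wins; when nothing matches, the stance decides."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return DEFAULT_VERDICT[stance]


def audit(rules: List[Rule], packets: List[Packet], stance: str) -> List[Tuple[Packet, str]]:
    return [(p, evaluate(rules, p, stance)) for p in packets]


# Constructed policy: VPN gateway 203.0.113.1 in front of intranet 10.1.0.0/16,
# remote-access (RA) clients assigned addresses from 10.8.0.0/24.
GATEWAY = "203.0.113.1/32"
INTRANET = "10.1.0.0/16"
VPN_POOL = "10.8.0.0/24"
RULES = [
    Rule("permit", dst=GATEWAY, proto="udp", dport=500),    # IKE
    Rule("permit", dst=GATEWAY, proto="udp", dport=4500),   # IKE/ESP NAT traversal
    Rule("permit", dst=GATEWAY, proto="esp"),               # IPsec ESP
    Rule("deny", src=VPN_POOL, dst=INTRANET, proto="tcp", dport=23),   # no telnet from RA
    Rule("permit", src=VPN_POOL, dst=INTRANET, proto="tcp", dport=443),
    Rule("permit", src=VPN_POOL, dst=INTRANET, proto="tcp", dport=25),
]

# Constructed traffic: IKE from the Internet, HTTPS from an RA client, and an
# SMB connection from an RA client to a server the policy never mentions.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "203.0.113.1", "udp", 500),
    Packet("10.8.0.5", "10.1.5.20", "tcp", 443),
    Packet("10.8.0.5", "10.1.5.20", "tcp", 445),
]

if __name__ == "__main__":
    for stance in ("permit-all", "deny-all"):
        print(stance)
        for p, verdict in audit(RULES, SAMPLE_PACKETS, stance):
            print("  %-14s -> %-14s %s/%-4d %s" % (p.src, p.dst, p.proto, p.dport, verdict))
```

Only the third packet changes verdict between the two runs; every service the administrator did think about behaves the same either way, which is why the choice of stance matters for the services nobody thought about.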
Virtual Private Network • Companies supporting VPN • Microsoft • IBM • Novell • Cisco • Nokia • 3Com
Virtual Private Network • FAQ • What is the difference between a VPN and a firewall? • What is the difference between a VPN and a proxy? • Build your own VPN or outsource to a service provider? • Important critique: interoperability? scalability? • Can you trust the Internet? • Any other questions? • Reference: Virtual Private Networks, by Charlie Scott, Paul Wolfe and Mike Erwin, O'Reilly & Associates, March 1998