260 likes | 563 Views
Chapter 4. Virtual Private Network. Objectives. VPN Overview Tunneling Protocol Deployment models Lab Demo. Overview of VPN. VPN Concept. Virtual Private Networks are logical network that allows users to securely connect through the internet to a remote private network.
E N D
Chapter 4 Virtual Private Network
Objectives • VPN Overview • Tunneling Protocol • Deployment models • Lab Demo Lecturer : Trần Thị Ngọc Hoa
Overview of VPN Lecturer : Trần Thị Ngọc Hoa
VPN Concept • Virtual Private Networks are logical network that allows users to securely connect through the internet to a remote private network
VPN Deployment Scenarios • Remote Access VPN
VPN Deployment Scenarios • Extranet VPN ( Site to Site, Router to Router )
VPN Deployment Scenarios • Mixed VPN with Firewall
Tunneling • Tunneling is a process of encapsulating a payload protocol into another protocol • Provide a secure path through an untrusted network or an incompatible network. Lecturer : Trần Thị Ngọc Hoa
Tunneling Protocol • GRE • Generic Routing Encapsulation • Cisco Proprietry Tunneling Protocol • PPTP ( with/without MPPE ) • Point to Point Tunneling Protocol • Microsoft proprietry tunneling protocol • L2TP ( with/without IPSec ) • Layer 2 Tunneling Protocol • Created by Cisco and Microsoft Lecturer : Trần Thị Ngọc Hoa
IP Security • IP Security Overview • Algorithms • IPSec Protocols Lecturer : Trần Thị Ngọc Hoa
IP Security Overview • Open standard developed by IETF’s IPSec working group. • Security Architecture for the Internet Prototol • Designed to work at Layers 3 and 4 of the OSI model. • IPSec protects data by providing the following services : • Data Authentication • Data integrity • Data origin authentication between • A pair of gateways • A pair of hosts • A host and its gateway • Relay protection • Encryption • Many different types of algorithm are used in IPSec • 2 primary protocols • AH – Authentication Header - 51 • ESP – Encryption Security Payload - 50 Lecturer : Trần Thị Ngọc Hoa
Encryption Algorithms • Designed for data confidentiality assurance • 2 different methods • Symmetrical • Asymmetrical Lecturer : Trần Thị Ngọc Hoa
Symmetrical Algorithms • DES – Data Encryption Standard • 56 bit key – 64 data bit block • No of Key = 72,000,000,000,000,000 • 3DES • Three phases Encrypt – Decrypt – Encrypt • 168 bit key – 64 data bit block • AES – Advanced Encryption Standard • 128-192-256 bit key Session key Session key Encrypt Decrypt Data Data #$ad^&* Lecturer : Trần Thị Ngọc Hoa
Asymmetric Algorithms • 2 different but related keys are required. • RSA -Rivest, Shamir, and Adelman • ElGamal Public key Private key Encrypt Decrypt Data Data #$ad^&* Lecturer : Trần Thị Ngọc Hoa
Hashing Algorithms • Hashing algorithms are used for authentication and integrity assurance for data • They are based on some type of one-way hashing function. • SHA • 128 bits output • MD5 • 160 bits output • Collision : 2 different inputs => the same output • SHA is prefered than MD5 Lecturer : Trần Thị Ngọc Hoa
Hashing Example Lecturer : Trần Thị Ngọc Hoa
Key Exchange Problem • Question :How to get the key from one device to the other ? • If the key is sent across an untrusted network, you run the risk of it being sniffed and captured by a hacker. • If you phone the technician at the other end, you run the risk of phone tapping. • Answer :Diffie Hellman Lecturer : Trần Thị Ngọc Hoa
Diffie Hellman Key Exchange • The Diffe-Hellman key exchange is used for automatic secure key exchange of • Symmetrical keys • Other types of keys • Algorithm Description • Step 1 : A and B pour their favourite drink into the glass • Step 2 : A and B pour the same liquid into the glass • Step 3 : A and B exchange their own glass.Then pickup the other liquid and mixed with their own one Lecturer : Trần Thị Ngọc Hoa
IPSec Protocols • AH • Provide • Data integrity • Data authentication • Antireplay protection (optionally) • Not provide any form of encryption to the payload of the packet. • ESP • Provide payload encryption • Provide authentication and integrity Lecturer : Trần Thị Ngọc Hoa
Security Mode • Both ESP and AH can operate in two different modes • Tunnel Mode : • The entire packet is encrypted then encapsulated with a new, unprotected IP header. • Transport Mode : • Default mode • The original IP header is reused with the new packet • The current IP header has been used in the hashing algorithm and therefore cannot be changed from sender to receiver. Lecturer : Trần Thị Ngọc Hoa
Security Associations • A set of policy and key(s) used to protect data before an IPSec tunnel can be created. • Each SA gets a unique 32-bit Security Parameter Index number – SPI – that is sent in every packet pertaining to the specific SA. • The SA keeps track of general information such as the following: • Source IP address • Destination IP address • IPSec protocols used • SPI number • Encryption and authentication algorithms • Key lifetime (sets the amount of time and/or byte count that a key is valid for; the longer the time, the more vulnerable your data is) Lecturer : Trần Thị Ngọc Hoa
Internet Key Exchange • Internet Key Exchange (IKE) is used to establish all the information needed – SA – for a tunnel. • 2 phases • Main mode – IKE Phase 1 • Quick mode – IKE Phase 2 Lecturer : Trần Thị Ngọc Hoa