3. Virtual Private Networks
Selected Topics in Information Security – Bazara Barry
Introduction
A virtual private network (VPN) is a computer network that is implemented on top of an existing larger network for the purpose of creating a private scope of computer communications. The links between nodes of a virtual private network are formed over logical connections or virtual circuits between hosts of the larger network. The Link Layer protocols of the virtual network are said to be tunneled through the underlying transport network.

Introduction (figure: company headquarters and a travelling employee, each connected across the Internet through a VPN tunnel)
Introduction
Firewalls, gateways, and other such devices can help keep intruders from compromising a network, but firewalls are no defense against an internal hacker. Another layer of defense is necessary at the protocol level to protect the data itself. In VoIP, as in data networks, this can be accomplished by encrypting the packets at the IP level using IPsec.

Introduction
The IPsec suite of security protocols and encryption algorithms is the standard method for securing packets against unauthorized viewers over data networks and will be supported by the protocol stack in IPv6. Hence, it is both logical and practical to extend IPsec to VoIP, encrypting the signalling and voice packets on one end and decrypting them only when needed by their intended recipient.
IPsec
IPsec is the preferred form of VPN tunneling across the Internet. There are two basic protocols defined in IPsec: Encapsulating Security Payload (ESP) and Authentication Header (AH). IPsec also supports two modes of delivery: Transport and Tunnel.

IPsec (figure)

IPsec
Security in VoIP is concerned with protecting both what a person says and to whom the person is speaking. IPsec can be used to achieve both of these goals. VoIPsec (VoIP using IPsec) helps reduce the threat of man-in-the-middle attacks, packet sniffers, and many types of voice traffic analysis.
Difficulties arising from VoIPsec
There are several issues associated with VoIP that are not applicable to normal data traffic. Of particular interest are Quality of Service (QoS) issues. In VoIP, packets must arrive at their destination and they must arrive fast. The use of VoIPsec, although it secures the communication, could affect various QoS parameters.

Encryption/decryption latency
Many studies revealed that the cryptographic engine was the bottleneck for voice traffic transmitted over IPsec. Computationally lighter algorithms achieve better throughput than the more expensive ones. Much of the latency results from the computation time required by the underlying encryption.

Scheduling and Lack of QoS in the Crypto-Engine
The driving force behind the latency associated with the crypto-engine is the scheduling algorithm for packets that enter the encryption/decryption process. Unlike routers, crypto-engines provide no support for manual manipulation of the scheduling criteria. The standard FIFO scheduling algorithms employed in today's crypto-engines create a severe QoS issue. Scheduling a greater number of packets had a more degrading effect on performance than encrypting/decrypting fewer (but larger) packets.
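The two scheduling effects described on the last slide (a FIFO crypto queue letting a burst of large data packets delay a voice packet, and many small packets costing more engine time than fewer large ones) can be made concrete with a small queue simulation. The code below is an added example, not material from the lecture or its references; its cost model (a fixed per-packet setup cost plus a per-byte cipher cost), the packet sizes and the arrival pattern are constructed for the demonstration. It compares a FIFO engine with a non-preemptive engine that serves voice packets first.

```python
# Added example (not from the lecture): toy model of a crypto-engine queue.
# Constructed cost model: each packet pays a fixed setup cost (SA lookup, IV,
# padding, MAC initialisation) plus a per-byte cipher cost.
from dataclasses import dataclass
from typing import Dict, List

SETUP_NS = 5_000      # constructed: per-packet overhead in nanoseconds
PER_BYTE_NS = 20      # constructed: roughly 50 MB/s cipher throughput


@dataclass(frozen=True)
class Packet:
    pid: int          # packet id
    arrival_ns: int   # time the packet reaches the crypto engine
    size: int         # bytes to encrypt
    voice: bool       # True for RTP voice, False for bulk data


def service_ns(p: Packet) -> int:
    """Engine time consumed by one packet under the constructed cost model."""
    return SETUP_NS + PER_BYTE_NS * p.size


def run_engine(packets: List[Packet], voice_first: bool) -> Dict[int, int]:
    """Single non-preemptive engine; returns latency (ns) per packet id.

    voice_first=False reproduces the FIFO behaviour of today's crypto engines;
    voice_first=True serves any queued voice packet before queued data.
    """
    pending = sorted(packets, key=lambda p: (p.arrival_ns, p.pid))
    ready: List[Packet] = []
    now = 0
    latency: Dict[int, int] = {}
    while pending or ready:
        # admit everything that has arrived; appending keeps arrival (FIFO) order
        while pending and pending[0].arrival_ns <= now:
            ready.append(pending.pop(0))
        if not ready:
            now = pending[0].arrival_ns   # engine idles until the next arrival
            continue
        if voice_first:
            ready.sort(key=lambda p: (not p.voice, p.arrival_ns, p.pid))
        p = ready.pop(0)
        now += service_ns(p)
        latency[p.pid] = now - p.arrival_ns
    return latency


def burst_scenario() -> List[Packet]:
    """Constructed burst: ten 1500-byte data packets at t=0, one 200-byte voice packet at t=1 us."""
    data = [Packet(i, 0, 1500, False) for i in range(10)]
    return data + [Packet(10, 1_000, 200, True)]


def voice_latency_us(voice_first: bool) -> float:
    """Worst-case queueing-plus-service latency of the voice packet, in microseconds."""
    scenario = burst_scenario()
    lat = run_engine(scenario, voice_first)
    return max(lat[p.pid] for p in scenario if p.voice) / 1000


def engine_busy_ns(sizes: List[int]) -> int:
    """Total engine time for a batch of packets; the setup term dominates for small packets."""
    return sum(SETUP_NS + PER_BYTE_NS * s for s in sizes)


if __name__ == "__main__":
    print("FIFO voice latency (us):      ", voice_latency_us(False))
    print("voice-first voice latency (us):", voice_latency_us(True))
    print("10 x 200 B vs 1 x 2000 B (ns):", engine_busy_ns([200] * 10), engine_busy_ns([2000]))
```

With the constructed numbers the voice packet waits behind the whole data burst under FIFO, whereas a voice-aware scheduler only waits for the packet already in service; the same per-packet setup term is what makes ten 200-byte packets cost twice the engine time of one 2000-byte packet.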
Expanded packet size
IPsec increases the size of packets in VoIP, which leads to more QoS issues. The increase in packet size due to IPsec does not result in an increased payload capacity. The increase is actually just an increase in the header size due to the encryption and encapsulation of the old IP header and the introduction of the new IP header and encryption information. This leads to several complications, especially with bandwidth.
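To put numbers on the packet-size expansion described above (and on the transport/tunnel distinction from the IPsec slide), the following added example, which is not from the lecture or its references, computes the on-the-wire size of one voice packet before and after ESP protection. It assumes a G.711 stream at 20 ms per packet (160 bytes of audio, 50 packets per second), ESP with AES-CBC (16-byte IV and block size) and a 12-byte truncated HMAC authenticator; those parameters are constructed assumptions that can be changed through EspProfile.

```python
# Added example (not from the lecture): size growth of a VoIP packet under ESP.
# The growth is entirely header/trailer material; the codec payload is unchanged.
from dataclasses import dataclass


@dataclass(frozen=True)
class EspProfile:
    # assumed cipher/MAC parameters (AES-CBC with HMAC-SHA1-96)
    spi_seq_len: int = 8    # ESP header: SPI (4 bytes) + sequence number (4 bytes)
    iv_len: int = 16        # IV carried in clear after the ESP header
    block_len: int = 16     # plaintext padded to a multiple of the cipher block
    icv_len: int = 12       # truncated integrity check value
    outer_ip_len: int = 20  # new outer IPv4 header in tunnel mode


IPV4_HDR = 20
UDP_HDR = 8
RTP_HDR = 12


def voip_packet_len(codec_payload: int) -> int:
    """Bytes at the IP layer for one unprotected RTP voice packet."""
    return IPV4_HDR + UDP_HDR + RTP_HDR + codec_payload


def esp_padding(plaintext_len: int, block_len: int) -> int:
    """ESP pads (plaintext + pad-length byte + next-header byte) up to the block size."""
    return (-(plaintext_len + 2)) % block_len


def esp_packet_len(codec_payload: int, mode: str, prof: EspProfile = EspProfile()) -> int:
    """Bytes at the IP layer after ESP protection in 'transport' or 'tunnel' mode."""
    plain = voip_packet_len(codec_payload)
    if mode == "transport":
        # original IP header stays outside ESP; only UDP/RTP/payload is encrypted
        encrypted, outer_ip = plain - IPV4_HDR, IPV4_HDR
    elif mode == "tunnel":
        # the whole original IP packet is encrypted and a new outer IP header is added
        encrypted, outer_ip = plain, prof.outer_ip_len
    else:
        raise ValueError(f"unknown mode {mode!r}")
    pad = esp_padding(encrypted, prof.block_len)
    # outer IP + ESP header + IV + ciphertext (plaintext + pad + 2 trailer bytes) + ICV
    return outer_ip + prof.spi_seq_len + prof.iv_len + encrypted + pad + 2 + prof.icv_len


def overhead_bytes(codec_payload: int, mode: str) -> int:
    """Header/trailer bytes ESP adds; payload capacity does not change."""
    return esp_packet_len(codec_payload, mode) - voip_packet_len(codec_payload)


def bandwidth_kbps(packet_len: int, packets_per_sec: int) -> float:
    """IP-layer bandwidth of one direction of a call."""
    return packet_len * 8 * packets_per_sec / 1000


if __name__ == "__main__":
    G711_20MS, PPS = 160, 50   # assumed codec framing
    for mode in ("transport", "tunnel"):
        print(mode, esp_packet_len(G711_20MS, mode), "bytes,",
              overhead_bytes(G711_20MS, mode), "bytes overhead,",
              bandwidth_kbps(esp_packet_len(G711_20MS, mode), PPS), "kbps")
```

For the assumed profile a 200-byte voice packet grows to 248 bytes in transport mode and 264 bytes in tunnel mode, so the IP-layer bandwidth of one call direction rises from 80 kbps to about 106 kbps without a single extra byte of audio, which is the bandwidth complication the slide refers to.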
Incompatibility with NAT
Network Address Translation (NAT) traversal completely invalidates the purpose of AH because the source address of the machine behind the NAT is masked from the outside world. Thus, there is no way to authenticate the true sender of the data. The same reasoning demonstrates the inoperability of source authentication in ESP.
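The AH/NAT conflict can be shown directly: AH's integrity check covers the IP header with only the mutable fields (ToS, flags/fragment offset, TTL, checksum) zeroed, and the source address is not mutable. The added example below, which is not from the lecture or its references, builds a simplified AH-style ICV over a constructed IPv4 header and payload and checks it after a normal router hop (TTL decremented) and after a NAT rewrite of the source address. The shared key and addresses are constructed, and the model omits the AH header bytes that real AH also covers.

```python
# Added example (not from the lecture): why an AH-protected packet fails after NAT.
# Simplified model of AH integrity: HMAC over the IPv4 header with mutable fields
# zeroed (RFC 4302 style) plus the payload, truncated to a 12-byte ICV.
import hashlib
import hmac
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"          # ver/IHL, ToS, len, id, flags/frag, TTL, proto, csum, src, dst
KEY = b"constructed-demo-key"       # constructed; a real SA key would come from IKE
AH_PROTO = 51


def build_ipv4_header(src: str, dst: str, ttl: int = 64, total_len: int = 60) -> bytes:
    """Constructed IPv4 header (no options, checksum left zero for the demo)."""
    return struct.pack(IPV4_FMT, 0x45, 0, total_len, 0x1234, 0, ttl, AH_PROTO, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def immutable_view(ip_hdr: bytes) -> bytes:
    """Zero the fields a router may legitimately change in transit; keep the rest."""
    f = list(struct.unpack(IPV4_FMT, ip_hdr))
    f[1] = 0   # ToS / DSCP
    f[4] = 0   # flags + fragment offset
    f[5] = 0   # TTL
    f[7] = 0   # header checksum
    return struct.pack(IPV4_FMT, *f)


def ah_icv(ip_hdr: bytes, payload: bytes, key: bytes = KEY) -> bytes:
    """Integrity check value the sender would place in the AH header."""
    mac = hmac.new(key, immutable_view(ip_hdr) + payload, hashlib.sha256).digest()
    return mac[:12]


def ah_verify(ip_hdr: bytes, payload: bytes, icv: bytes, key: bytes = KEY) -> bool:
    """Receiver-side check; constant-time comparison of the recomputed ICV."""
    return hmac.compare_digest(ah_icv(ip_hdr, payload, key), icv)


PAYLOAD = b"RTP voice frame (constructed)"


def demo() -> tuple:
    """Returns (verifies after a router hop, verifies after NAT)."""
    sent = build_ipv4_header("192.168.1.10", "203.0.113.5")
    icv = ah_icv(sent, PAYLOAD)
    after_router = build_ipv4_header("192.168.1.10", "203.0.113.5", ttl=63)   # TTL changed only
    after_nat = build_ipv4_header("198.51.100.7", "203.0.113.5", ttl=63)      # source rewritten
    return ah_verify(after_router, PAYLOAD, icv), ah_verify(after_nat, PAYLOAD, icv)


if __name__ == "__main__":
    hop_ok, nat_ok = demo()
    print("after router hop:", hop_ok)   # True: TTL is excluded from the ICV
    print("after NAT:       ", nat_ok)   # False: the rewritten source address is covered
```

The receiver cannot tell a NAT from an attacker modifying the header, which is exactly the slide's point: the address that AH vouches for is no longer the one on the wire. This is why the "Resolving NAT/IPsec Incompatibilities" item on the next slide matters in practice; ESP's ICV does not cover the outer IP header, so ESP can be carried through a NAT (with UDP encapsulation, RFC 3948), but the peer's identity then comes from the IKE-authenticated security association rather than from the IP source address.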
Solutions to the VoIPsec Issues
• Encryption at the End Points.
• Secure Real Time Protocol (SRTP).
• Better Scheduling Schemes.
• Compression of Packet Size.
• Resolving NAT/IPsec Incompatibilities.
Multiprotocol Label Switching (MPLS)
MPLS is the convergence of connection-oriented forwarding techniques and the Internet's routing protocols. Many claims have been made regarding the role of MPLS, chief among them that it is the Internet's best long-term solution to efficient, high-performance forwarding and traffic differentiation (IP QoS). MPLS-labeled packets are switched after a label lookup instead of a lookup in the IP routing table.

Multiprotocol Label Switching (MPLS)
The entry and exit points of an MPLS network are called Label Edge Routers (LERs). Routers that perform routing based only on the label are called Label Switched Routers (LSRs). Labels are distributed between LERs and LSRs using the Label Distribution Protocol (LDP).

Multiprotocol Label Switching (MPLS)
The MPLS Working Group gives the name forwarding equivalence class (FEC) to each set of packet flows with common cross-core forwarding path requirements. LDP dynamically establishes a shortest-path VC (now known as a label-switched path, or LSP) tree between all the edge LSRs for each identifiable FEC. The label (the virtual path/channel identifier, VPI/VCI) at each hop is a local key representing the next hop and QoS requirements for packets belonging to each FEC.
NIF Node Forwarding Engine (figure)

LSR Forwarding Engine (figure)

MPLS label stack encoding for packet-oriented transport (figure)

MPLS for Virtual Private Networks
VPNs share a single physical infrastructure of routers and/or switches between multiple independent networks. An MPLS-based VPN uses LSPs to provide tunnel-like topological isolation, and temporal isolation if the LSPs have associated QoS guarantees.

MPLS for Virtual Private Networks (figure)
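The MPLS slides above (label lookup instead of IP lookup, LSR forwarding, the label stack encoding, and LSPs as VPN tunnels) come together in the following added example, which is not from the lecture or its references. It encodes and decodes the 32-bit label stack entry defined in RFC 3032 (20-bit label, 3-bit traffic class, bottom-of-stack bit, 8-bit TTL), performs one LSR hop driven by an incoming label map (swap or pop) that never looks at the inner IP packet, and at the egress router uses the bottom VPN label to pick the customer's routing table. The label values, the label map and the VRF names are constructed for the demo; TTL propagation on pop is simplified.

```python
# Added example (not from the lecture): MPLS label stack encoding, an LSR hop, and
# VPN label demultiplexing at the egress router. Label values are constructed.
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LabelEntry:
    label: int   # 20 bits; values 0-15 are reserved by RFC 3032
    tc: int      # 3 bits, traffic class (formerly EXP), carries the QoS marking
    bos: bool    # bottom-of-stack flag
    ttl: int     # 8 bits


def encode_entry(e: LabelEntry) -> bytes:
    if not (0 <= e.label < 1 << 20 and 0 <= e.tc < 8 and 0 <= e.ttl < 256):
        raise ValueError("label stack field out of range")
    word = (e.label << 12) | (e.tc << 9) | (int(e.bos) << 8) | e.ttl
    return struct.pack("!I", word)


def encode_stack(stack: List[LabelEntry]) -> bytes:
    return b"".join(encode_entry(e) for e in stack)


def decode_stack(buf: bytes) -> Tuple[List[LabelEntry], bytes]:
    """Parse entries until the bottom-of-stack bit; return (stack, payload after the stack)."""
    stack: List[LabelEntry] = []
    off = 0
    while True:
        if off + 4 > len(buf):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", buf, off)
        off += 4
        e = LabelEntry(word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 1), word & 0xFF)
        stack.append(e)
        if e.bos:
            return stack, buf[off:]


# Constructed incoming label map of one LSR: top label -> ("swap", new label) or ("pop", 0)
ILM: Dict[int, Tuple[str, int]] = {16: ("swap", 2048), 17: ("pop", 0)}


def lsr_forward(packet: bytes, ilm: Dict[int, Tuple[str, int]] = ILM) -> bytes:
    """One label-switching hop: decision taken on the top label only."""
    stack, payload = decode_stack(packet)
    top = stack[0]
    if top.ttl <= 1:
        raise ValueError("MPLS TTL expired")
    action, new_label = ilm[top.label]          # KeyError == no LSP for this label
    if action == "swap":
        stack[0] = LabelEntry(new_label, top.tc, top.bos, top.ttl - 1)
    elif action == "pop":
        stack = stack[1:]                        # simplified: no TTL propagation to the inner entry
        if not stack:
            raise ValueError("popped the last label; IP forwarding not modelled here")
    else:
        raise ValueError(f"unknown action {action!r}")
    return encode_stack(stack) + payload


# Constructed VPN labels at the egress router: bottom label selects the customer table (VRF)
VRF_BY_LABEL: Dict[int, str] = {1000: "customer-A", 1001: "customer-B"}


def egress_vrf(packet: bytes) -> str:
    """Egress PE: the bottom (VPN) label, not the IP header, decides which customer's table to use."""
    stack, _ = decode_stack(packet)
    return VRF_BY_LABEL[stack[-1].label]


if __name__ == "__main__":
    pkt = encode_stack([LabelEntry(16, 5, False, 64), LabelEntry(1000, 0, True, 255)]) + b"<ip packet>"
    print("ingress stack:", pkt[:8].hex())
    out = lsr_forward(pkt)
    print("after LSR hop:", decode_stack(out)[0][0])
    print("egress VRF:   ", egress_vrf(out))
```

Two customers can both use the same private address range inside the core because the core never consults the inner IP header; the outer label carries the packet along the LSP and the inner label keeps customer A's packets out of customer B's table. That is the topological isolation the VPN slide describes, and the tc bits are where the per-LSP QoS marking that gives temporal isolation is carried.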
Segregation of Network Traffic
Packetized voice is indistinguishable from any other packet data at Layers 2 and 3, and thus is subject to the same networking and security risks that plague data-only networks. The general idea that motivates the logical separation of data from voice is the expectation that network events such as broadcast storms and congestion, and security-related phenomena such as worms and DoS attacks, that affect one network will not impact the other.

VLANs
Logical separation of voice and data traffic via VLANs is recommended in order to prevent data network problems from affecting voice traffic and vice versa. In a switched network environment, VLANs create a logical segmentation of broadcast or collision domains that can span multiple physical network segments. The predominant VLAN flavor is IEEE 802.1Q, as defined by the IEEE. VLANs can be configured in various ways: by protocol (IP or IPX, for example), or based on MAC address, subnet, or physical port.

Location-based VLANs (figure)

Function-based VLANs (figure)

VLANs: benefits
Creating a separate VLAN for voice reduces the amount of broadcast traffic (and unicast traffic on a shared LAN) the telephone will receive. Separate VLANs can result in more effective bandwidth utilization, and reduce the processor burden on IP telephones and PCs. Management traffic can be segregated on a management VLAN so that SNMP and syslog traffic do not interfere with data traffic, which has the added benefit of a layer of security for the management network.
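The VLAN slides above describe 802.1Q tagging and a voice/data/management split without showing what a tagged frame looks like. The added example below, which is not from the lecture or its references, parses the 802.1Q tag (TPID 0x8100, then a 16-bit TCI holding the 3-bit priority, the DEI bit and the 12-bit VLAN ID) and classifies constructed frames into the voice, data or management VLAN of a constructed VLAN plan; the MAC addresses, VLAN numbers and native-VLAN choice are assumptions for the demo.

```python
# Added example (not from the lecture): parse an IEEE 802.1Q tag and map frames to
# the voice / data / management VLANs. Frame bytes and VLAN numbers are constructed.
import struct
from typing import Dict, Optional

TPID_8021Q = 0x8100

# Constructed VLAN plan for an access switch serving IP phones and PCs
VLAN_ROLE: Dict[int, str] = {100: "voice", 200: "data", 900: "management"}
NATIVE_VLAN_ROLE = "data"   # assumed: untagged frames (the PC behind the phone) land on the data VLAN


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Return addresses, EtherType and, when present, the 802.1Q tag fields."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info: Dict[str, object] = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False,
                               "pcp": None, "dei": None, "vid": None}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, dei=bool((tci >> 12) & 1),
                    vid=tci & 0x0FFF, ethertype=inner_type)
    else:
        info["ethertype"] = ethertype
    return info


def classify(frame: bytes, roles: Dict[int, str] = VLAN_ROLE) -> str:
    """Which logical network a frame belongs to under the constructed plan."""
    info = parse_frame(frame)
    if not info["tagged"]:
        return NATIVE_VLAN_ROLE
    vid = info["vid"]
    if vid == 0:
        return NATIVE_VLAN_ROLE          # priority-tagged frame: PCP only, no VLAN membership
    if vid == 4095:
        raise ValueError("VID 4095 is reserved")
    return roles.get(vid, "unknown-vlan")


def make_frame(vid: Optional[int], pcp: int = 0, ethertype: int = 0x0800,
               payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed Ethernet frame; vid=None builds an untagged frame."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")   # constructed MACs
    if vid is None:
        return hdr + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)
    return hdr + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


if __name__ == "__main__":
    for label, f in [("phone RTP", make_frame(100, pcp=5)), ("PC", make_frame(None)),
                     ("syslog", make_frame(900)), ("stray", make_frame(300))]:
        info = parse_frame(f)
        print(f"{label:10s} tagged={info['tagged']} vid={info['vid']} pcp={info['pcp']} -> {classify(f)}")
```

The voice frame carries its VLAN membership and its Layer 2 priority (PCP) in the same tag, which is what lets a switch both keep voice out of the data broadcast domain and queue it ahead of data; a frame tagged with a VLAN that the plan does not know is reported rather than silently placed somewhere, which is the check a practitioner wants when auditing which VLANs actually appear on a phone port.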