480 likes | 679 Views
Guide to Network Defense and Countermeasures. Chapter 7. Chapter 7 - Setting up a Virtual Private Network. Explain the “what, why, and how” of virtual private networks (VPNs) Understand the tunneling protocols that enable secure VPN connections Describe the encryption schemes used by VPNs
E N D
Chapter 7 - Setting up a Virtual Private Network • Explain the “what, why, and how” of virtual private networks (VPNs) • Understand the tunneling protocols that enable secure VPN connections • Describe the encryption schemes used by VPNs • Know how to adjust packet filtering rules for VPNs
Exploring VPNs: What, Why, and How • A VPN provides a way for two computers or networks to communicate securely using the same public channels available on the Internet • The “V” in VPN means virtual; rather than a direct network cable connection, a combination of Internet-based routers and network segments are used • The “P” means private; only the designated end points of the VPN connection (tunnel) participate • The “N” means network; it connects one group of computers to another, and extends the network’s boundaries
Exploring VPNs: What, Why, and How • VPN components: • VPN server, or host is a computer configured to accept connections from clients who either dial in or connect directly using a broadband connection • VPN client, or guest can be a router that serves as the end-point of a gateway-to-gateway connection, or can be a computer configured as an endpoint • Tunnel - the connection through which data is sent • VPN protocols are standardized communication settings that hardware and software use to encrypt data that is sent along the VPN, including IPSec, PPTP, and L2TP
Exploring VPNs: What, Why, and How • Two types of VPNs: • Site-to-site links two or more networks • Client-to-site allows network access to dial-in users • Hardware vs. software VPNs: • Hardware-based VPNs connect one gateway to another; typically the gateways are routers that encrypt/decrypt, but could be a VPN appliance • Software-based VPNs are usually integrated with firewalls, and as a result, increase network security; software solutions offer maximum flexibility
Exploring VPNs: What, Why, and How • VPN combinations: • Combining VPN hardware or software with other hardware and software adds network security; one useful combination is a VPN bundled with a firewall, since VPNs do not replace firewall functionality • VPN core activity #1: Encapsulation • Data encapsulation means that a packet is enclosed within another one that has different IP addressing data to provide a higher degree of protection • Data packets are encapsulated within packets that use the source/destination of the VPN gateway
Exploring VPNs: What, Why, and How • VPN core activity #2: Encryption • Encryption is the process of rendering information unreadable by all but the intended recipient • VPN endpoints encrypt/decrypt data by exchanging keys, or blocks of encoded data; the key is part of an electronic document called a digital signature • VPN core activity #3: Authentication • Authentication is the process of identifying a user or computer as being authorized to access a network • Authentication uses digital certificates; the tunneling protocol determines the type of authentication
Exploring VPNs: What, Why, and How • Why establish a VPN? • The need for private business transactions drives an increasing number of organizations to adopt VPNs; e-commerce popularity provides an incentive as well; government and military agencies share more information in order to provide homeland security • Budgetary considerations have always made VPNs attractive to businesses; also, many businesses employ remote users who need network access • Another incentive for creating a VPN is the need to establish a high level of security in an extranet
Exploring VPNs: What, Why, and How • Advantages and disadvantages of VPNs • VPNs provide a high level of security, but if a VPN is poorly configured or a remote user at an endpoint disables their firewall by mistake and lets in a hacker, the normal protection can be undone • VPNs can be complex to configure and the hardware can represent a substantial investment • By focusing on Internet-based technologies, VPNs simplify a network overall • Running a VPN means better opportunity to maximize network uptime
Exploring VPNs: What, Why, and How • How to configure VPNs: • To set up a VPN, define a VPN domain • A VPN domain is a set of one or more computers that is handled by the VPN hardware and software as a single entity, and that uses the VPN to communicate with another domain • Besides defining a VPN domain, determine whether the network gateway will be included in that domain; that, in turn, depends on whether the network has a site-to-site or client-to-site type of VPN configuration
Exploring VPNs: What, Why, and How • Single and multiple-entry point configurations • Smaller networks that use VPNs often have single entry point configurations, where all traffic to and from the network passes through a single gateway such as a router or firewall or both • Large organizations have networks that require multiple-entry point configurations, in which multiple gateways are used, each with a tunnel connecting a different location • In multiple-entry point configurations, it is important to exclude the gateway itself from the VPN domain
Exploring VPNs: What, Why, and How • VPN topology configurations: • In a mesh topology, all the participants in the VPN have Security Associations (SAs) with one another; full mesh is where every subnet is connected to every other; partial mesh is where any subnet may or may not be connected to the other subnets • In a star topology, the VPN gateway is the hub, and other participating networks are called rim subnets • As organizations with VPNs grow to include new computers and new branch offices, they naturally evolve from a mesh or hub-and-spoke to a hybrid system that combines the two topologies
Understanding Tunneling Protocols • IPSec/IKE: • Internet Protocol Security (IPSec) was developed for enabling secure communications in the Internet • IPSec has become the standard set of protocols for VPN security because: it works at the Network layer; it has the ability to encrypt the entire TCP/IP packet; it can work with IPv6; it provides authentication of source and destination computers • The biggest advantage to using IPSec is the fact that it has gone through the standardization process and is supported by a wide variety of VPN hardware and software
Understanding Tunneling Protocols • Secure Shell (SSH): • Secure Shell (SSH) provides for authentication and encryption of TCP/IP packets over a VPN • SSH works with UNIX-based systems and creates a secure Transport layer connection, and makes use of public key cryptography • Socks V.5: • Socks provides proxy services for applications that don’t normally support proxying; Socks Version 5 adds encrypted authentication and UDP support
Understanding Tunneling Protocols • Point-to-point tunneling protocol (PPTP): • Point-to-point tunneling protocol (PPTP) is a VPN configuration for users who need to dial in to a server using a modem connection on a computer running an older operating system • PPTP encapsulates TCP/IP packets and uses a proprietary Microsoft technology called MPPE • Layer 2 tunneling protocol (L2TP): • Layer 2 tunneling protocol (L2TP) provides a higher level of security than PPTP through IPSec support
Encryption Schemes used by VPNs • Triple-data encryption standard (Triple-DES): • Most VPNs make use of Triple-data encryption standard (Triple-DES) encryption • Triple-DES is strong because it uses three separate 64-bit keys to process data • Secure Sockets Layer (SSL): • Secure Sockets Layer (SSL) enables Web servers and browsers to exchange encrypted information • SSL sessions make use of both symmetric and asymmetric keys to encrypt data
Encryption Schemes used by VPNs • Kerberos: • Kerberos is a system for authentication of individual network users that was developed at MIT • Kerberos uses an authentication method called authentication by assertion - the computer that connects to a server and requests services asserts that it is acting on behalf of an approved user • Instead of digital certificates, Kerberos issues tickets; accessing an application protected by Kerberos requires a ticket
Adjusting Packet Filtering Rulesfor VPNs • VPNs need to be used with firewalls • VPNs can be located in front of existing firewalls, or placed in DMZs in parallel to an existing firewall • Packet filtering rules make use of three IP packet header fields: the source address; the destination address; the Protocol Identifier (Protocol ID) • Conduct packet filtering based on any or all of these fields; block all packets from an address with the source address; route entered packets with the destination address; refer to protocols (ICMP, TCP, UDP, ESP, AH) with the Protocol ID
Adjusting Packet Filtering Rulesfor VPNs • PPTP filters • For PPTP traffic to pass through a firewall, set up packet filtering rules that permit it • PPTP uses two protocols: TCP and Generic Routing Encapsulation (GRE) • L2TP and IPSec filters • If L2TP is used, rules must be set up that permit IPSec traffic
Chapter Summary • This chapter discussed issues involved in configuring a Virtual Private Network (VPN) and the role that the VPN plays in a network defense strategy • VPNs are virtual in that they do not make use of proprietary leased lines. Rather, they connect computers and networks through the public Internet. VPNs are private because they send data through a secure tunnel that leads from one endpoint to another. Each endpoint is terminated by VPN hardware or software that encrypts and encapsulates the data. VPNs are networks that connect one network to one or more networks, one computer to another, or one computer to a network
Chapter Summary • VPNs consist of various components. These include VPN servers, which are configured to accept connections from client computers; VPN clients; the tunnels through which data passes, and protocols that determine how the tunneled data is to be encrypted, such as IPSec. A site-to-site VPN uses such components to connect to networks. A client-to-site VPN connects a remote user to a network. VPN endpoints can be terminated by VPN hardware, software, or a combination of both
Chapter Summary • VPNs perform three core activities. Encapsulation encloses one packet of digital information within another one to conceal the original packet’s source and destination IP address and to protect the contents. Encryption makes the contents of the packet - not only its data, but its header information as well - unreadable by all but the intended recipient. Authentication ensures that the computers participating in a VPN are authorized users
Chapter Summary • Because VPNs can be complex to configure, the reasons for establishing them should be understood.The need to keep critical business communications private and secure drives the adoption of VPNs. The cost-effectiveness of using the Internet for VPN communications also makes VPNs attractive. On the other hand, the encryption performed by VPNs can slow down data transfer rates. Reliance on the Internet, which is often unpredictable, can result in the VPN going down along with ISP connections
Chapter Summary • A VPN is often configured by establishing a VPN domain, a group of computers that are handled as one entity. Networks that use VPNs can have single entry point configurations, in which all traffic to and from the network passes through a single gateway. Some VPNs are part of multiple-entry point configurations, in which more than one gateway is used. Whether single or multiple entry points are in place in one network, that network can then be connected to other VPN participants using a mesh or star configuration, or a combination of both
Chapter Summary • VPNs make use of standard instruction sets called protocols that secure tunneled communications between endpoints. IPSec combined with IKE is one of the most popular protocols because of its wide support in the industry and high degree of security through AH and ESP encryption. SSH is a protocol used to authenticate and encrypt packets in a UNIX-based environment. Version 5 of the Socks protocol can also provide security for VPN transactions, though it is not widely used. PPTP and L2TP enable remote users to dial in to a computer over a secure VPN connection
Chapter Summary • Encryption is one of the techniques that make VPNs possible. Most VPNs today use Triple-DES encryption, a variation of DES in which three separate keys are used to process information. However, some VPNs use SSL encryption when Web-based applications need to be connected securely. Another system, Kerberos, is used in Windows and other OSs to give employees access to network resources for relatively short periods of time through the issuance of “tickets”
Chapter Summary • VPNs need to be used in conjunction with firewalls. For the two devices to work together, packet filtering rules need to be set up. The rules cover such protocols as PPTP, L2TP, and IPSec. The have as their ultimate goal the filtering of packets so that only traffic to and from VPN endpoints passes through the VPN, and other traffic is filtered by the firewall to reach specific destinations on the network