Virtual Private Networking

Irfan Khan

Myo Thein

Nick Merante

VPN + IPSec

• VPN: Virtual Private Network
– Enable two remote networks to appear as one network via the internet.

• IPSec: Internet Protocol Security Extensions
– Enable machines to securely communicate over an insecure medium.

What We Will Cover

• The need for security

• Benefits of a VPN/IPSec combination

• The necessary tools

• How to set everything up

• How to verify everything is working

The Need for Security

• Internet not like it used to be

• The hunt for bugs

• Automated tools do most of the dirty work

• Systems are targeted regardless of content value

• Business need for securing client/customer data in global network

Why Use VPN

• Confidentiality

• Integrity

• Authenticity

• Replay Protection

Who can benefit

• Peer to peer security – encryption of traffic between people.
– PGP Desktop Security www.pgpi.org

• Corporate security – encryption of traffic between offices.

Benefits to personal users

• Create a secure path between two machines

• Enhance the level of trust with authentication

Benefits for corporate users

• Can do away with leased lines connecting offices without sacrificing privacy.

• Can then make use of the internet:
– More reliable
– More portable
– More cost-effective

A method of security

• Implementing a Virtual Private Network (VPN)

• Using IPSec to encrypt all traffic

• Authenticating data sent

What is IPSec

IPSec = AH + ESP + IKE

Different Modes: AH vs ESP

• AH: Authentication Header
– Attaches an integrity checksum (keyed hash) to packets
– Ensures packet not modified in transit

• ESP: Encapsulating Security Payload
– Encrypts data
– Ensures authentication

• Tunnel Mode
– Encapsulate packet into new IPv4/v6 header
– Used for VPN Gateways

• Transport Mode
– Encrypts normal traffic between peers

Different Modes: Tunnel vs Transport

Transport Mode: Host 1 <-> Host 2 (IPSec applied end to end between the two hosts)

Tunnel Mode: Host 1 – Gateway 1 <-> Gateway 2 – Host 2 (IPSec applied between the two gateways)

Necessary Tools

• Two unix machines with properly configured kernels to serve as gateways

• Racoon for key exchange

• Internet connection

Preparing the machine

• Modify the kernel
bpf # Berkeley packet filter
IPFIREWALL # Enable Firewall
IPDIVERT # Divert IP sockets (Used for NAT)
IPSEC # IP security
IPSEC_ESP # IP security (crypto; define w/ IPSEC)
IPSEC_DEBUG # debug for IP sec

• Install Racoon
– Obtain source code or install from ports collection

Creating the tunnel

• Set up tunnel between 2 private networks

• gif – Generic tunnel interface

• Diagram A

• Tunnel Script (Step 3)

Diagram A

Site A: NodeA 192.168.6.100, NodeB 192.168.6.101, NodeC 192.168.6.102
GatewayA (vpn-gw1): gif0 192.168.6.1, Internet address 192.52.220.22
VPN Tunnel over the Internet between GatewayA and GatewayB
GatewayB (vpn-gw2): gif0 192.168.5.1, Internet address 192.52.220.152
Site B: NodeA 192.168.5.100, NodeB 192.168.5.101, NodeC 192.168.5.102

Adding the Encryption

• Creating the policies

• Manual keying

• Automatic keying (racoon)
– Racoon configuration

• Different algorithms
– des, 3des, blowfish, etc.

• Step 4 / Figure A

Figure A

# Ident: ipsec.conf
# Usage: setkey -f ipsec.conf
flush; # Flush the Security Association Database
spdflush; # Flush the Security Policy Database

# Manual keying (commented out; racoon negotiates the SAs instead):
#add 192.52.220.22 192.52.220.152 esp 9111 -E blowfish-cbc "12345";
#add 192.52.220.152 192.52.220.22 esp 9112 -E blowfish-cbc "12345";

# Outbound: traffic from the 192.168.6.0/24 site to the 192.168.5.0/24 site must be ESP-tunnelled between the gateways
spdadd 192.168.6.0/24 192.168.5.0/24 any -P out ipsec esp/tunnel/192.52.220.22-192.52.220.152/require;
# Inbound: the reverse policy; level "default" defers to the kernel's default level for ESP, whereas "require" would force it
spdadd 192.168.5.0/24 192.168.6.0/24 any -P in ipsec esp/tunnel/192.52.220.152-192.52.220.22/default;
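A check of the policies in Figure A, added here as an example and not part of the presentation: it parses setkey spdadd lines, confirms each tunnel policy has a mirrored policy in the other direction, and flags any policy whose level is weaker than require (Figure A's inbound policy uses default, which defers to the kernel's default level instead of forcing ESP). The sample input is Figure A's own lines; the regex only covers the spdadd forms used there.

```python
import re

# Figure A's policy lines from the slides, embedded here as the sample input.
SAMPLE_IPSEC_CONF = """\
flush;
spdflush;
spdadd 192.168.6.0/24 192.168.5.0/24 any -P out ipsec esp/tunnel/192.52.220.22-192.52.220.152/require;
spdadd 192.168.5.0/24 192.168.6.0/24 any -P in ipsec esp/tunnel/192.52.220.152-192.52.220.22/default;
"""

# spdadd <src> <dst> <proto> -P <in|out> ipsec <esp|ah>/<mode>/<src-dst>/<level>;
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<dir>in|out)\s+ipsec\s+"
    r"(?P<ipproto>esp|ah)/(?P<mode>tunnel|transport)/(?P<ep>[^/\s]*)/(?P<level>require|use|default)\s*;"
)

def parse_spd(text):
    """Return one dict per spdadd line; comments and other setkey commands are ignored."""
    policies = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("spdadd"):
            continue
        m = SPDADD_RE.match(line)
        if not m:
            raise ValueError("unparsed spdadd line: " + line)
        p = m.groupdict()
        # Tunnel endpoints are "outer-src-outer-dst"; transport mode has none.
        p["ep_src"], p["ep_dst"] = p["ep"].split("-") if p["mode"] == "tunnel" else ("", "")
        policies.append(p)
    return policies

def mirror_of(policies, p):
    """The policy for the opposite direction with src/dst and tunnel endpoints swapped."""
    for q in policies:
        if (q is not p and q["dir"] != p["dir"] and q["src"] == p["dst"] and q["dst"] == p["src"]
                and q["mode"] == p["mode"] and q["ep_src"] == p["ep_dst"] and q["ep_dst"] == p["ep_src"]):
            return q
    return None

def check_spd(policies):
    """Return findings: policies with no mirror, and policies whose level does not force IPsec."""
    findings = []
    for p in policies:
        where = f"{p['dir']} {p['src']}->{p['dst']}"
        other = "in" if p["dir"] == "out" else "out"
        if mirror_of(policies, p) is None:
            findings.append(f"{where}: no mirrored {other} policy")
        if p["level"] != "require":
            findings.append(f"{where}: level '{p['level']}' does not force ESP (use 'require')")
    return findings
```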

Changes to the Packet (IPv4, ESP: Encapsulating Security Payload)

Before applying ESP: Orig IP hdr | TCP | Data

After applying ESP: Orig IP hdr | ESP Header | TCP | Data | ESP Trailer | ESP Auth
– encrypted: TCP, Data, ESP Trailer
– authenticated: ESP Header through ESP Trailer
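The packet layout on this slide, as an added example that is not from the presentation: a Python model of transport-mode ESP encapsulation and decapsulation that makes explicit which bytes are encrypted (TCP, Data, ESP Trailer) and which are covered by the authentication value (ESP Header through ESP Trailer). It assumes HMAC-SHA1 truncated to 96 bits for ESP Auth and substitutes a SHA-256 counter keystream for the blowfish-cbc cipher so it runs with the standard library alone; the key sizes and TCP bytes are constructed sample values.

```python
import hashlib, hmac, os, struct

TCP = 6        # IP protocol number written into the ESP trailer's Next Header field
BLOCK = 8      # 64-bit block size of DES/3DES/Blowfish-CBC, the ciphers listed on the slides
ICV_LEN = 12   # 96-bit truncated HMAC, the usual ESP authentication length

def keystream(key, iv, n):
    """Stand-in for blowfish-cbc: a SHA-256 counter stream. Not a real IPsec cipher;
    used only so the example runs without third-party crypto libraries."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + iv + struct.pack(">I", ctr)).digest()
    return out[:n]

def esp_encapsulate(enc_key, auth_key, spi, seq, payload, next_header=TCP):
    """Transport-mode ESP: ESP Header | IV | enc(payload | pad | trailer) | ESP Auth."""
    iv = os.urandom(BLOCK)
    pad_len = (-(len(payload) + 2)) % BLOCK       # payload + pad + 2-byte trailer fills whole blocks
    pad = bytes(range(1, pad_len + 1))            # default ESP padding pattern 1, 2, 3, ...
    plain = payload + pad + bytes([pad_len, next_header])   # the encrypted span
    cipher = bytes(a ^ b for a, b in zip(plain, keystream(enc_key, iv, len(plain))))
    hdr = struct.pack(">II", spi, seq)            # ESP Header: SPI and sequence number
    body = hdr + iv + cipher                      # the authenticated span
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv

def esp_decapsulate(enc_key, auth_key, packet):
    """Verify ESP Auth first (never decrypt unauthenticated bytes), then strip pad and trailer."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expect = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expect):
        raise ValueError("ESP authentication failed")
    spi, seq = struct.unpack(">II", body[:8])
    iv, cipher = body[8:8 + BLOCK], body[8 + BLOCK:]
    plain = bytes(a ^ b for a, b in zip(cipher, keystream(enc_key, iv, len(cipher))))
    pad_len, next_header = plain[-2], plain[-1]
    return spi, seq, next_header, plain[:len(plain) - 2 - pad_len]
```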

Manual vs Automatic Keying

• Benefits of manual keying
– Simplicity
– Less overhead

• Benefits of automatic keying
– Much more secure
– Encryption keys periodically changed based on time or amount transferred.

Encryption Algorithms

• Data Encryption Standard (DES) – 64 bits

• Triple DES – 192 bits

• Blowfish – 40 to 448 bits

• Rijndael (AES) – 128/192/256 bits

Verification

• An analysis before and after
– Key Policies (Figure B)
– Dump Security Association Database with setkey -D (Figure C)
– TCP Dump of Headers (Figure D)
– TCP Dump of Data (Figure E)

Conclusion

Different tools for different jobs

• PGP for encrypting data

• SSL for encrypting sockets

• SSH for encrypting logons

• IPSec for encrypting all traffic

Another tool for the administrator’s toolbox

Recommended