IPSec VPN Slides Final

  • View
    219

  • Download
    0

Embed Size (px)

Text of IPSec VPN Slides Final

  • 8/3/2019 IPSec VPN Slides Final

    1/30

    IPSec and VPNAli Bodden

    Joseph GonyaMiguel Mendez

  • 8/3/2019 IPSec VPN Slides Final

    2/30

    IPSec / VPN Outline

    What is IPSec?IPSec ArchitectureWhat are the Security Properties/Services of IPSec?What are the IPSec Protocol types?An example of IPSec in use.

    What are the security issues concerning IP?What is IPSecs application to VPN?What is VPN?Transport and Tunnel ModesWhat are the two types of VPN?Current status of VPN solution technology versus first generation

    What is the cost effectiveness of implementing a VPN?What are the advantages of an IPSec VPN?What are the disadvantages of an IPSec VPN?Review and Questions

  • 8/3/2019 IPSec VPN Slides Final

    3/30

    What is IPSec?

    IPSec is a set of extensions to the IP protocol family. It provides cryptographic

    security services. These services allow for Authentication, Integrity, Access Control,and Confidentiality. IPSec provides similar services as SSL, but at the network layer,in a way that is completely transparent to your applications, and much more powerful.We say this because your applications do not have to have any knowledge of IPSecto be able to use it. You can use any IP protocol over IPSec. You can createencrypted tunnels (VPNs), or just do encryption between computers. Since you haveso many options, IPSec is rather complex (much more so then SSL!)

    In a logical sense, IPSec works in any of these three ways: Host-to-Host Host-to-Network Network-to-Network

    In every scenario that involves a network, meaning to imply router. As in, Host-to-Router (and this router controls and encrypts traffic for a particular Network.)

    As you can see, IPSec can be used to tunnel traffic for VPN connections. However,its utility reaches beyond VPNs. With a central Internet Key Exchange registry, everymachine on the internet could talk to another one and employ powerful encryptionand authentication!

  • 8/3/2019 IPSec VPN Slides Final

    4/30

    IPSec Architecture

    IPSec Documents:

    The IPSec specification consists of numerous documents.The most important of these, issued in November of 1998,are RFCs 2401, 2402, 2406, and 2408:

    RFC 2401: An overview of a security architecture

    RFC 2402: Description of a packet authentication extensionto IPv4 and IPv6

    RFC 2406: Description of a packet encryption extension toIPv4 and IPv6

    RFC 2406: Specification of key management capabilities

  • 8/3/2019 IPSec VPN Slides Final

    5/30

    The internet protocol, IP, AKA IPv4, does not inherently provide anyprotection to your transferred data. It does not even guarantee that thesender is who he says he is. IPsec tries to remedy this. These services areconsidered distinct, but the IPsec supports them in a uniform manner.

    ConfidentialityEnsure it is hard for anyone but the receiver to understand what data has beencommunicated. For example: ensuring the secrecy of passwords when logging into a

    remote machine over the Internet.

    IntegrityGuarantee that the data does not get changed on the way. If you are on a line carryinginvoicing data you probably want to know that the amounts and account numbers arecorrect and not altered while in-transit.

    Authenticity

    Sign your data so that others can see that it is really you that sent it. It is clearly nice toknow that documents are not forged.

    Replay protectionWe need ways to ensure a datagram is processed only once, regardless of how manytimes it is received. I.e. it should not be possible for an attacker to record a transaction(such as a bank account withdrawal), and then by replaying it verbatim cause the peerto think a new message (withdrawal request) had been received. WARNING: as per the

    standards specification, replay protection is not performed when using manual-keyedIPsec (e.g., when usingipsecadm(8)).

    What are the SecurityProperties/Services of IPSec?

    http://www.openbsd.org/cgi-bin/man.cgi?query=ipsecadm&sektion=8http://www.openbsd.org/cgi-bin/man.cgi?query=ipsecadm&sektion=8http://www.openbsd.org/cgi-bin/man.cgi?query=ipsecadm&sektion=8
  • 8/3/2019 IPSec VPN Slides Final

    6/30

    What are the IPSec Protocol types?First, the IP protocol is the description of how devices on the Internet can addresseach other. Internet Protocol Security (IPSec) adds security functionality to the IP

    protocol. There are four (4) key protocols that collectively form the basis for IPSec:

    IPSec = AH + ESP + IPComp + IKE

    Authentication Header (AH): provides authenticity guarantee for packets by ensuringthe packet was not generated by an impersonator and was not modified in transit;

    Encapsulating Security Payload (ESP): provides a confidential guarantee for data byencrypting packets with algorithms

    IP Payload Compression (IPComp): provides a way to compress packets beforeencryption.

    Internet Key Exchange (IKE): provides a way to negotiate private keys in secrecy

    Security of IPSec depends on secret keys, generated by IKE. If the secret keys arecompromised, IPSec is no longer secure. Data encryption is a function of IPSec,made possible by ESP. An encryption algorithm, generated by ESP, is a way ofchanging data so that only the desired recipient knows how to reconstruct it. TripleDES (Data Encryption Standard) is an encryption algorithm that is unbreakable and isthe most popular algorithm because of its strong encryption and number of keys.Encryption allows only the receiver to read what has been sent over the network.

    IPSEC provides the capability to secure tunnels between two network devices suchas two routers.

  • 8/3/2019 IPSec VPN Slides Final

    7/30

    Step 1: Host A sends a TCP/IP packet toHost B.

    The TCP/IP packet looks like this: [IPHDR][IPoptions][TCP][data]

  • 8/3/2019 IPSec VPN Slides Final

    8/30

    Step 2: Router A receives the packet and

    adds the ESP:

    The TCP/IP packet looks like this: [ESP][IPHDR][IPoptions][TCP][data]

  • 8/3/2019 IPSec VPN Slides Final

    9/30

    Step 3: Router A adds the AH:The TCP/IP packet looks like this: [AH][ESP][IPHDR][IPoptions][TCP][data]

  • 8/3/2019 IPSec VPN Slides Final

    10/30

    Step 4: Router A encapsulates the packetinto a new one, and sends it to Router B:

    The TCP/IP packet lookslikethis:[IPHDR][IPoptions]AH][ESP][IPHDR2][IPoptions][TCP][data]

  • 8/3/2019 IPSec VPN Slides Final

    11/30

    Step 5: Router B receives the

    packet and removes the AH:The TCP/IP packet looks like this: [ESP][IPHDR2][IPoptions][TCP][data]

  • 8/3/2019 IPSec VPN Slides Final

    12/30

    Step 6: Router B removes the ESP:The TCP/IP packet looks like this: [IPHDR][IPoptions][TCP][data]

  • 8/3/2019 IPSec VPN Slides Final

    13/30

    Step 7: Host B receives the original packetsent by Host A:

    The TCP/IP packet looks like this: [IPHDR][IPoptions][TCP][data]

    http://www.iamexwi.unibe.ch/studenten/stadelma/cn/applet/IPSec4.html

    http://www.iamexwi.unibe.ch/studenten/stadelma/cn/applet/IPSec4.htmlhttp://www.iamexwi.unibe.ch/studenten/stadelma/cn/applet/IPSec4.html
  • 8/3/2019 IPSec VPN Slides Final

    14/30

    What are the most commonSecurity Issues concerning IP?

    The three most serious types of attacks are:

    Packet Sniffing

    IP Spoofing

    Denial-Of-Service

    Other attacks include:

    Eavesdropping Data Modification

    Password Based Attacks

    Man-in-the-Middle Attacks

    Compromised-Key Attacks

    Application-Layer Attacks

  • 8/3/2019 IPSec VPN Slides Final

    15/30

    Packet Sniffing

    A Packet Sniffer is a program running in a network attached device

    that passively receives all data-link layer frames passing by thedevices network interface.

    Packet Sniffers are commonly used to acquire account names andpasswords.

    Packet Sniffing Software is freely available at various WWW sites

    and as commercial products.

  • 8/3/2019 IPSec VPN Slides Final

    16/30

    IP Spoofing

    The intruder creates and transmits packets from the

    outside with a source IP address field containing anaddress of an internal host.

    Used to exploit applications that use simple sourceaddress security, in which packets from specific trusted

    internal hosts are accepted.

  • 8/3/2019 IPSec VPN Slides Final

    17/30

    Denial-Of-Service

    A Denial-Of-Service attackrenders a network, host, orother piece of networkinfrastructure unusable bylegitimate users.

    DoS attacks work by creatingso much work for theinfrastructure under attack thatlegitimate work cannot beperformed. (Resource

    Exhaustion for ex. Disk Space,CPU Cycles, Memory, NetworkBandwidth, and ApplicationResources)

    TCP Three-Way Handshake

    Simple Example: SYN Flood

  • 8/3/2019 IPSec VPN Slides Final

    18/30

    What is a VPN?

    VPNs (Virtual Private Networks) are private, secure connectionsacross a public network (usually the internet) that extend corporatenetworks to remote offices, mobile users, telecommuters, andextranet partners.

    VPNs maintain privacy through the use of tunneling protocols and

    security procedures. VPN tunnels are secured through encryptiontechnology that uses advanced mathematical algorithms to scramblethe data flowing through the VPN.

    POP = Points of Presence

  • 8/3/2019 IPSec VPN Slides Final

    19/30

    Primary functions of a VPN

    Encryption keep data confidential

    Authentication ensure the identities of the two partiescommunicating

    Tunneling safeguard the identities of communicating

    partiesNon-Repudiation ensure data