8/3/2019 IPSec VPN Slides Final
1/30
IPSec and VPNAli Bodden
Joseph GonyaMiguel Mendez
8/3/2019 IPSec VPN Slides Final
2/30
IPSec / VPN Outline
What is IPSec?IPSec ArchitectureWhat are the Security Properties/Services of IPSec?What are the IPSec Protocol types?An example of IPSec in use.
What are the security issues concerning IP?What is IPSecs application to VPN?What is VPN?Transport and Tunnel ModesWhat are the two types of VPN?Current status of VPN solution technology versus first generation
What is the cost effectiveness of implementing a VPN?What are the advantages of an IPSec VPN?What are the disadvantages of an IPSec VPN?Review and Questions
8/3/2019 IPSec VPN Slides Final
3/30
What is IPSec?
IPSec is a set of extensions to the IP protocol family. It provides cryptographic
security services. These services allow for Authentication, Integrity, Access Control,and Confidentiality. IPSec provides similar services as SSL, but at the network layer,in a way that is completely transparent to your applications, and much more powerful.We say this because your applications do not have to have any knowledge of IPSecto be able to use it. You can use any IP protocol over IPSec. You can createencrypted tunnels (VPNs), or just do encryption between computers. Since you haveso many options, IPSec is rather complex (much more so then SSL!)
In a logical sense, IPSec works in any of these three ways: Host-to-Host Host-to-Network Network-to-Network
In every scenario that involves a network, meaning to imply router. As in, Host-to-Router (and this router controls and encrypts traffic for a particular Network.)
As you can see, IPSec can be used to tunnel traffic for VPN connections. However,its utility reaches beyond VPNs. With a central Internet Key Exchange registry, everymachine on the internet could talk to another one and employ powerful encryptionand authentication!
8/3/2019 IPSec VPN Slides Final
4/30
IPSec Architecture
IPSec Documents:
The IPSec specification consists of numerous documents.The most important of these, issued in November of 1998,are RFCs 2401, 2402, 2406, and 2408:
RFC 2401: An overview of a security architecture
RFC 2402: Description of a packet authentication extensionto IPv4 and IPv6
RFC 2406: Description of a packet encryption extension toIPv4 and IPv6
RFC 2406: Specification of key management capabilities
8/3/2019 IPSec VPN Slides Final
5/30
The internet protocol, IP, AKA IPv4, does not inherently provide anyprotection to your transferred data. It does not even guarantee that thesender is who he says he is. IPsec tries to remedy this. These services areconsidered distinct, but the IPsec supports them in a uniform manner.
ConfidentialityEnsure it is hard for anyone but the receiver to understand what data has beencommunicated. For example: ensuring the secrecy of passwords when logging into a
remote machine over the Internet.
IntegrityGuarantee that the data does not get changed on the way. If you are on a line carryinginvoicing data you probably want to know that the amounts and account numbers arecorrect and not altered while in-transit.
Authenticity
Sign your data so that others can see that it is really you that sent it. It is clearly nice toknow that documents are not forged.
Replay protectionWe need ways to ensure a datagram is processed only once, regardless of how manytimes it is received. I.e. it should not be possible for an attacker to record a transaction(such as a bank account withdrawal), and then by replaying it verbatim cause the peerto think a new message (withdrawal request) had been received. WARNING: as per the
standards specification, replay protection is not performed when using manual-keyedIPsec (e.g., when usingipsecadm(8)).
What are the SecurityProperties/Services of IPSec?
http://www.openbsd.org/cgi-bin/man.cgi?query=ipsecadm&sektion=8http://www.openbsd.org/cgi-bin/man.cgi?query=ipsecadm&sektion=8http://www.openbsd.org/cgi-bin/man.cgi?query=ipsecadm&sektion=88/3/2019 IPSec VPN Slides Final
6/30
What are the IPSec Protocol types?First, the IP protocol is the description of how devices on the Internet can addresseach other. Internet Protocol Security (IPSec) adds security functionality to the IP
protocol. There are four (4) key protocols that collectively form the basis for IPSec:
IPSec = AH + ESP + IPComp + IKE
Authentication Header (AH): provides authenticity guarantee for packets by ensuringthe packet was not generated by an impersonator and was not modified in transit;
Encapsulating Security Payload (ESP): provides a confidential guarantee for data byencrypting packets with algorithms
IP Payload Compression (IPComp): provides a way to compress packets beforeencryption.
Internet Key Exchange (IKE): provides a way to negotiate private keys in secrecy
Security of IPSec depends on secret keys, generated by IKE. If the secret keys arecompromised, IPSec is no longer secure. Data encryption is a function of IPSec,made possible by ESP. An encryption algorithm, generated by ESP, is a way ofchanging data so that only the desired recipient knows how to reconstruct it. TripleDES (Data Encryption Standard) is an encryption algorithm that is unbreakable and isthe most popular algorithm because of its strong encryption and number of keys.Encryption allows only the receiver to read what has been sent over the network.
IPSEC provides the capability to secure tunnels between two network devices suchas two routers.
8/3/2019 IPSec VPN Slides Final
7/30
Step 1: Host A sends a TCP/IP packet toHost B.
The TCP/IP packet looks like this: [IPHDR][IPoptions][TCP][data]
8/3/2019 IPSec VPN Slides Final
8/30
Step 2: Router A receives the packet and
adds the ESP:
The TCP/IP packet looks like this: [ESP][IPHDR][IPoptions][TCP][data]
8/3/2019 IPSec VPN Slides Final
9/30
Step 3: Router A adds the AH:The TCP/IP packet looks like this: [AH][ESP][IPHDR][IPoptions][TCP][data]
8/3/2019 IPSec VPN Slides Final
10/30
Step 4: Router A encapsulates the packetinto a new one, and sends it to Router B:
The TCP/IP packet lookslikethis:[IPHDR][IPoptions]AH][ESP][IPHDR2][IPoptions][TCP][data]
8/3/2019 IPSec VPN Slides Final
11/30
Step 5: Router B receives the
packet and removes the AH:The TCP/IP packet looks like this: [ESP][IPHDR2][IPoptions][TCP][data]
8/3/2019 IPSec VPN Slides Final
12/30
Step 6: Router B removes the ESP:The TCP/IP packet looks like this: [IPHDR][IPoptions][TCP][data]
8/3/2019 IPSec VPN Slides Final
13/30
Step 7: Host B receives the original packetsent by Host A:
The TCP/IP packet looks like this: [IPHDR][IPoptions][TCP][data]
http://www.iamexwi.unibe.ch/studenten/stadelma/cn/applet/IPSec4.html
http://www.iamexwi.unibe.ch/studenten/stadelma/cn/applet/IPSec4.htmlhttp://www.iamexwi.unibe.ch/studenten/stadelma/cn/applet/IPSec4.html8/3/2019 IPSec VPN Slides Final
14/30
What are the most commonSecurity Issues concerning IP?
The three most serious types of attacks are:
Packet Sniffing
IP Spoofing
Denial-Of-Service
Other attacks include:
Eavesdropping Data Modification
Password Based Attacks
Man-in-the-Middle Attacks
Compromised-Key Attacks
Application-Layer Attacks
8/3/2019 IPSec VPN Slides Final
15/30
Packet Sniffing
A Packet Sniffer is a program running in a network attached device
that passively receives all data-link layer frames passing by thedevices network interface.
Packet Sniffers are commonly used to acquire account names andpasswords.
Packet Sniffing Software is freely available at various WWW sites
and as commercial products.
8/3/2019 IPSec VPN Slides Final
16/30
IP Spoofing
The intruder creates and transmits packets from the
outside with a source IP address field containing anaddress of an internal host.
Used to exploit applications that use simple sourceaddress security, in which packets from specific trusted
internal hosts are accepted.
8/3/2019 IPSec VPN Slides Final
17/30
Denial-Of-Service
A Denial-Of-Service attackrenders a network, host, orother piece of networkinfrastructure unusable bylegitimate users.
DoS attacks work by creatingso much work for theinfrastructure under attack thatlegitimate work cannot beperformed. (Resource
Exhaustion for ex. Disk Space,CPU Cycles, Memory, NetworkBandwidth, and ApplicationResources)
TCP Three-Way Handshake
Simple Example: SYN Flood
8/3/2019 IPSec VPN Slides Final
18/30
What is a VPN?
VPNs (Virtual Private Networks) are private, secure connectionsacross a public network (usually the internet) that extend corporatenetworks to remote offices, mobile users, telecommuters, andextranet partners.
VPNs maintain privacy through the use of tunneling protocols and
security procedures. VPN tunnels are secured through encryptiontechnology that uses advanced mathematical algorithms to scramblethe data flowing through the VPN.
POP = Points of Presence
8/3/2019 IPSec VPN Slides Final
19/30
Primary functions of a VPN
Encryption keep data confidential
Authentication ensure the identities of the two partiescommunicating
Tunneling safeguard the identities of communicating
partiesNon-Repudiation ensure data
