Virtual Private Networking Irfan Khan Myo Thein Nick Merante


Page 1: Virtual Private Networking

Virtual Private Networking

Irfan Khan

Myo Thein

Nick Merante

Page 2: Virtual Private Networking

VPN + IPSec

• VPN: Virtual Private Network
  – Enable two remote networks to appear as one network via the internet.

• IPSec: Internet Protocol Security Extensions
  – Enable machines to securely communicate over an insecure medium.

Page 3: Virtual Private Networking

What We Will Cover

• The need for security

• Benefits of a VPN/IPSec combination

• The necessary tools

• How to set everything up

• How to verify everything is working

Page 4: Virtual Private Networking

The Need for Security

• Internet not like it used to be

• The hunt for bugs

• Automated tools do most of the dirty work

• Systems targeted regardless of content value

• Business need for securing client/customer data in global network

Page 5: Virtual Private Networking

Why Use VPN

• Confidentiality

• Integrity

• Authenticity

• Replay Protection

Page 6: Virtual Private Networking

Who can benefit

• Peer to peer security – encryption of traffic between people.
  – PGP Desktop Security www.pgpi.org

• Corporate security – encryption of traffic between offices.

Page 7: Virtual Private Networking

Benefits to personal users

• Create a secure path between two machines

• Enhance the level of trust with authentication

Page 8: Virtual Private Networking

Benefits for corporate users

• Can do away with leased lines connecting offices without sacrificing privacy.

• Can then make use of the internet:
  – More reliable
  – More portable
  – More cost-effective

Page 9: Virtual Private Networking

A method of security

• Implementing a Virtual Private Network (VPN)

• Using IPSec to encrypt all traffic

• Authenticating data sent

Page 10: Virtual Private Networking

What is IPSec

IPSec = AH + ESP + IKE

Page 11: Virtual Private Networking

Different Modes: AH vs ESP

• AH: Authentication Header
  – Attaches checksum to packets
  – Ensures packet not modified in transit

• ESP: Encapsulating Security Payload
  – Encrypts data
  – Ensures authentication

Page 12: Virtual Private Networking

Different Modes: Tunnel vs Transport

• Tunnel Mode
  – Encapsulate packet into new IPv4/v6 header
  – Used for VPN Gateways

• Transport Mode
  – Encrypts normal traffic between peers

Page 13: Virtual Private Networking

Tunnel vs Transport

    Transport Mode:  Host 1 <--------------------------------> Host 2

    Tunnel Mode:     Host 1 --- Gateway 1 <==========> Gateway 2 --- Host 2

Page 14: Virtual Private Networking

Necessary Tools

• Two unix machines with properly configured kernels to serve as gateways

• Racoon for key exchange

• Internet connection

Page 15: Virtual Private Networking

Preparing the machine

• Modify the kernel (configuration options):

    bpf          # Berkeley packet filter
    IPFIREWALL   # Enable Firewall
    IPDIVERT     # Divert IP sockets (Used for NAT)
    IPSEC        # IP security
    IPSEC_ESP    # IP security (crypto; define w/ IPSEC)
    IPSEC_DEBUG  # debug for IP sec

• Install Racoon
  – Obtain source code or install from ports collection

Page 16: Virtual Private Networking

Creating the tunnel

• Set up tunnel between 2 private networks

• gif – Generic tunnel interface

• Diagram A

• Tunnel Script (Step 3)

Page 17: Virtual Private Networking

Diagram A (network diagram, recovered as text)

    Site A                                     Site B
    NodeA  192.168.6.100                       NodeA  192.168.5.100
    NodeB  192.168.6.101                       NodeB  192.168.5.101
    NodeC  192.168.6.102                       NodeC  192.168.5.102
       |                                          |
    GatewayA (vpn-gw1)                         GatewayB (vpn-gw2)
    gif0: 192.168.6.1                          gif0: 192.168.5.1
    192.52.220.22 <=== VPN Tunnel over the Internet ===> 192.52.220.152

Page 18: Virtual Private Networking

Adding the Encryption

• Creating the policies

• Manual keying

• Automatic keying (racoon)
  – Racoon configuration

• Different algorithms
  – des, 3des, blowfish, etc.

• Step 4 / Figure A

Page 19: Virtual Private Networking

Figure A

    # Ident: ipsec.conf
    # Usage: setkey -f ipsec.conf

    flush;      # Flush the Security Association Database
    spdflush;   # Flush the Security Policy Database

    # Manual keying (commented out here; racoon negotiates the SAs instead):
    #add 192.52.220.22 192.52.220.152 esp 9111 -E blowfish-cbc "12345";
    #add 192.52.220.152 192.52.220.22 esp 9112 -E blowfish-cbc "12345";

    # Security policies: outbound traffic from 192.168.6.0/24 to 192.168.5.0/24 must be
    # tunnelled in ESP between the gateways ("require"); the inbound policy uses "default",
    # which falls back to the kernel's default policy level (see setkey(8)).
    spdadd 192.168.6.0/24 192.168.5.0/24 any -P out ipsec esp/tunnel/192.52.220.22-192.52.220.152/require;
    spdadd 192.168.5.0/24 192.168.6.0/24 any -P in ipsec esp/tunnel/192.52.220.152-192.52.220.22/default;
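A small policy check for files like Figure A, added here as an example (not part of the original slides): it parses the spdadd lines, flags any policy whose level is not "require" (the inbound policy above uses "default"), and checks that each inbound policy has a mirrored outbound one. The simplified grammar in SPDADD_RE covers only the form used in Figure A.

```python
import re

# Simplified grammar of the setkey SPD entries used in Figure A (added example):
#   spdadd <src> <dst> <upperspec> -P <in|out> ipsec <proto>/<mode>/<tun_src>-<tun_dst>/<level>;
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)\s+ipsec\s+"
    r"(?P<proto>ah|esp)/(?P<mode>tunnel|transport)/(?P<tsrc>[^-\s]+)-(?P<tdst>[^/\s]+)/(?P<level>\w+)\s*;"
)

def parse_spd(text):
    """Return one dict per spdadd line; comments and other setkey lines are skipped."""
    policies = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        m = SPDADD_RE.match(line)
        if m:
            policies.append(m.groupdict())
    return policies

def audit_spd(text):
    """Flag policies that do not force IPsec ('require') and inbound policies whose
    selectors and tunnel endpoints are not the mirror image of an outbound policy."""
    findings = []
    policies = parse_spd(text)
    for p in policies:
        if p["level"] != "require":
            findings.append(f"{p['dir']} {p['src']}->{p['dst']}: level '{p['level']}' does not force ESP")
    outs = {(p["src"], p["dst"], p["tsrc"], p["tdst"]) for p in policies if p["dir"] == "out"}
    for p in policies:
        if p["dir"] == "in" and (p["dst"], p["src"], p["tdst"], p["tsrc"]) not in outs:
            findings.append(f"in {p['src']}->{p['dst']}: no mirrored out policy")
    return findings

# The two policy lines from Figure A, used as input
FIGURE_A = """
spdadd 192.168.6.0/24 192.168.5.0/24 any -P out ipsec esp/tunnel/192.52.220.22-192.52.220.152/require;
spdadd 192.168.5.0/24 192.168.6.0/24 any -P in ipsec esp/tunnel/192.52.220.152-192.52.220.22/default;
"""

if __name__ == "__main__":
    for finding in audit_spd(FIGURE_A):
        print(finding)
```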

Page 20: Virtual Private Networking

Changes to the Packet

ESP: Encapsulating Security Payload (IPv4)

Before applying ESP:

    | Orig IP hdr | TCP | Data |

After applying ESP:

    | Orig IP hdr | ESP Header | TCP | Data | ESP Trailer | ESP Auth |
                               |<----- encrypted ------>|
                 |<----------- authenticated ----------->|
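The ESP header shown above is the only part of the packet that stays readable, and its sequence number is what the replay protection from page 5 relies on. The following added example (not from the slides) parses the SPI and sequence number out of a constructed IPv4/ESP packet and runs the sequence numbers through a sliding anti-replay window in the style of RFC 2401; the packet bytes and gateway addresses are constructed for the example.

```python
import struct

ESP_PROTO = 50
ESP_HDR = struct.Struct("!II")   # SPI and sequence number, both network byte order

def parse_esp(ipv4_packet):
    """Return (spi, seq) from a raw IPv4 packet carrying ESP, or None if it is not ESP.
    Only the ESP header is readable in the clear; payload, trailer and auth data stay opaque."""
    ihl = (ipv4_packet[0] & 0x0F) * 4
    if ipv4_packet[9] != ESP_PROTO:
        return None
    return ESP_HDR.unpack_from(ipv4_packet, ihl)

class ReplayWindow:
    """Sliding anti-replay window over ESP sequence numbers (RFC 2401 style)."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:                          # sequence numbers start at 1 on an SA
            return False
        if seq > self.top:                    # new high-water mark: slide the window
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:               # older than the window: drop
            return False
        if self.bitmap & (1 << offset):       # bit already set: replayed packet
            return False
        self.bitmap |= 1 << offset            # late but new: accept and mark
        return True

def build_ipv4_esp(spi, seq, payload=b"\x00" * 16):
    """Constructed sample: 20-byte IPv4 header (checksum left zero) + ESP header +
    opaque payload standing in for the encrypted TCP/Data/ESP-trailer portion."""
    total = 20 + ESP_HDR.size + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, ESP_PROTO, 0,
                      bytes([192, 52, 220, 22]), bytes([192, 52, 220, 152]))
    return hdr + ESP_HDR.pack(spi, seq) + payload

def filter_stream(packets):
    """Run packets through one replay window; return the sequence numbers accepted."""
    window, accepted = ReplayWindow(), []
    for pkt in packets:
        hdr = parse_esp(pkt)
        if hdr is not None and window.accept(hdr[1]):
            accepted.append(hdr[1])
    return accepted
```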

Page 21: Virtual Private Networking

Manual vs Automatic Keying

• Benefits of manual keying
  – Simplicity
  – Less overhead

• Benefits of automatic keying
  – Much more secure
  – Encryption keys periodically changed based on time or amount transferred.

Page 22: Virtual Private Networking

Encryption Algorithms

• Data Encryption Standard (DES) – 64 bits

• Triple DES – 192 bits

• Blowfish – 40 to 448 bits

• Rijndael (AES) – 128/192/256 bits

Page 23: Virtual Private Networking

Verification

• An analysis before and after
  – Key Policies (Figure B)
  – Dump Security Association Database with setkey -D (Figure C)
  – TCP Dump of Headers (Figure D)
  – TCP Dump of Data (Figure E)
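Figures D and E are not reproduced on this page, so the following added example (not from the slides) shows the check a tcpdump of the Internet-facing interface should pass: everything between the two gateway addresses is ESP, IKE on UDP 500 is the only expected clear-text traffic, and no private-subnet address from Diagram A appears in an outer header. The capture lines are constructed in "tcpdump -n" format, not a real capture.

```python
import re

GW_A, GW_B = "192.52.220.22", "192.52.220.152"   # gateway addresses from Diagram A
PRIVATE = ("192.168.6.", "192.168.5.")            # the two tunnelled subnets

# Start of a "tcpdump -n" line: <timestamp> IP <src[.port]> > <dst[.port]>: <rest>
LINE_RE = re.compile(r"^\S+\s+IP\s+(?P<src>\S+)\s+>\s+(?P<dst>[^:\s]+):\s+(?P<rest>.*)$")

def split_host(token):
    """tcpdump prints host.port for TCP/UDP; return (ip, port) with port None otherwise."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None

def audit_capture(lines):
    """Classify lines captured on a gateway's Internet-facing interface.
    Returns (esp_count, ike_count, leaks): ESP is the expected carrier, IKE on UDP 500 is
    the expected clear-text control traffic (racoon), and anything else between the
    gateways or carrying a private address in the outer header bypassed the tunnel."""
    esp = ike = 0
    leaks = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport = split_host(m.group("src"))
        dst, dport = split_host(m.group("dst"))
        if m.group("rest").startswith("ESP("):
            esp += 1
        elif sport == 500 and dport == 500:
            ike += 1
        elif {src, dst} == {GW_A, GW_B} or src.startswith(PRIVATE) or dst.startswith(PRIVATE):
            leaks.append(line)
    return esp, ike, leaks

CAPTURE = [  # constructed sample lines in tcpdump -n format, not a real capture
    "12:00:01.000001 IP 192.52.220.22 > 192.52.220.152: ESP(spi=0x0000239f,seq=0x1), length 116",
    "12:00:01.000002 IP 192.52.220.152 > 192.52.220.22: ESP(spi=0x000023a0,seq=0x1), length 116",
    "12:00:01.000003 IP 192.52.220.22.500 > 192.52.220.152.500: isakmp: phase 1 I ident",
    "12:00:02.000004 IP 192.168.6.100.1234 > 192.168.5.100.22: Flags [S], seq 1, win 65535, length 0",
]

if __name__ == "__main__":
    esp, ike, leaks = audit_capture(CAPTURE)
    print(f"ESP packets: {esp}, IKE packets: {ike}, clear-text leaks: {len(leaks)}")
```

The last constructed line is the failure case: a private-to-private TCP SYN on the outside interface means that flow was routed around the gif/ESP tunnel.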

Page 24: Virtual Private Networking

Diagram A (repeated from page 17)

Page 25: Virtual Private Networking

Conclusion

Different tools for different jobs

• PGP for encrypting data

• SSL for encrypting sockets

• SSH for encrypting logons

• IPSec for encrypting all traffic

Another tool for the administrator’s toolbox