View
224
Download
0
Tags:
Embed Size (px)
Citation preview
Virtual Private Networks and IPSec
ECE 4112
ECE 4112 - Internetwork Security
What is a VPN?
• VPN Stands for Virtual Private Network• A method of ensuring private, secure
communication between hosts over an insecure medium using tunneling
• Usually between geographically separate locations, but doesn’t have to be
• Via tunneling and software drivers, computer is logically directly connected to a network that it is not physically a part of
ECE 4112 - Internetwork Security
Sidebar: What is tunneling?
• Putting one type of packet inside another
• Both parties must be aware of tunnel for it to work
• Example in next slide - AppleTalk over IP Tunnel
ECE 4112 - Internetwork Security
Example: AppleTalk over IP Tunnel
Gateway(AppleTalk Aware)Old Macintosh Old Macintosh
AppletalkIP
Appletalkencapsulated inside
Appletalk
Internet
Gateway(AppleTalk Aware)
ECE 4112 - Internetwork Security
What is a VPN? (cont…)
• Uses some means of encryption to secure communications IPSec SSH Software could be written to support any
type of encryption scheme
• Two main types of VPNs – Remote-Access Site-to-Site
ECE 4112 - Internetwork Security
What is a VPN? (cont…)
• Remote-Access The typical example of this is a dial-up
connection from home or for a mobile worker, who needs to connect to secure materials remotely
• Site-to-Site The typical example of this is a company
that has offices in two different geographical locations, and wants to have a secure network connection between the two
ECE 4112 - Internetwork Security
Remote-Access Example
Network A VPN EnabledGateway
VPN over Internet
Mobile User
Home User
ECE 4112 - Internetwork Security
Site-to-Site Example
Network A VPN EnabledGateway
VPN over Internet
Network BVPN EnabledGateway
ECE 4112 - Internetwork Security
Why Use a VPN?
• Originally designed as inexpensive alternative WAN over leased lines
• Now mostly used to securely connect computers over the internet
• Convenient• Lot’s of cheap and convenient
protocols are insecure (IP, 802.11, etc) Can now communicate securely over
these insecure protocols
ECE 4112 - Internetwork Security
Why Use a VPN? (cont…)
• Example – it can simplify security (what is about to be proposed is not the most secure thing in the world – so don’t
raise your hands and tell how you would make it more secure… it’s just an example)
Assume simple security policy with IP based access management – for example, an FTP server with site-licensed software on it for employees
Before VPN, complicated to allow access to FTP site for telecommuters or traveling employees– Train all employees to use SSH tunnel, etc…
After VPN, employees offsite can still connect using an internal IP address
ECE 4112 - Internetwork Security
VPN Advantages
• Improved Security• Consolidation of Scattered Resources• Transparency to Users
If set up properly
• Reduced Cost (vs. Leased Lines)
ECE 4112 - Internetwork Security
VPN Disadvantages
• Time Consuming Setup• Possibly Frustrating Troubleshooting• Interoperability with other
Networks/VPNs• Small performance overhead
Should be negligible on today’s hardware
ECE 4112 - Internetwork Security
VPN Security
• In academic terms, VPN can provide Confidentiality, Integrity, and Authenticity
• Security against determined hacker (read: academic attacks) depends largely upon underlying protocols used
• Assuming security of SSH, IPSec, or other protocol used, should be secure
ECE 4112 - Internetwork Security
How are VPNs set up?
• Many different types of setup• Vary in:
Amount of hardware used vs. amount of software used– All hardware based– All software based– Mixed
Amount of transparency to end-user– Does the user even realize that they are using a
VPN?
ECE 4112 - Internetwork Security
How are VPNs set up? (cont…)
• The following is not an exhaustive list Gateway to gateway
– Using two VPN aware Gateways
End host to gateway– End host uses VPN Software
End host to end host– Both hosts use software
End host to concentrator
ECE 4112 - Internetwork Security
How are VPNs set up? (cont…)
• SSH over PPP
• SSL over PPP
• Concentrator using IPSec
• Others (PPTP, L2TP, etc)
ECE 4112 - Internetwork Security
VPN via SSH & PPP
• Point-to-Point Protocol over a Secure Shell connection
• Establishing a Network Connection Establish an SSH connection
– VPN Client VPN Server
Each have PPP daemons that will communicate through the SSH connection
Viola! A VPN CONNECTION!
ECE 4112 - Internetwork Security
VPN via SSL & PPP
• Point-to-Point Protocol over a Secure Socket Layer connection
• Secure Socket Layer Built-in support for Host Authentication Certificates
ECE 4112 - Internetwork Security
VPN via SSL & PPP (cont…)
• Establishing a Network Connection Initial Handshake for secure communication “Hello” messages establish:
– SSL Version, support for Cipher suites, and some random data
Key is determined separately from handshake
SSL Connection Complete! Data transferred over the link
ECE 4112 - Internetwork Security
VPN via Concentrator
• What is a Concentrator? Concentrator is NOT a gateway or firewall Specialized device that accepts
connections from VPN peers Authenticates clients Enforces VPN security policies Takes overhead of VPN management and
encryption off of gateways and local hosts
ECE 4112 - Internetwork Security
VPN via Concentrator (cont…)
• Steps to Establish VPN Set up Concentrator (add users, specify
authentication mechanisms, set IP address ranges, etc)
Install client software Client runs software when wants to be
on VPN
ECE 4112 - Internetwork Security
Other Methods
• Point-to-Point Tunneling Protocol Microsoft’s Implementation of VPN Data is first encapsulated inside PPP
packets PPP packets are then encapsulated in GRE
packets and sent over the link
• PPTP uses two connections One for the data being sent Another for a control channel
ECE 4112 - Internetwork Security
Other Methods (cont…)
• Any technology can be used Must have hardware or software to support it
• Another example: L2TP on Gateways Layer 2 Tunneling Protocol Supported by routers If two routers support L2TP, and are properly
configured, then VPN is set up between routers Transparent to end user
ECE 4112 - Internetwork Security
Intro to IPSec
• Created to add Authentication, Confidentiality, and Integrity to IP traffic
• Designed to combat specific shortcomings in IP
• IPSec is large and implementation is complicated
• What follows is a high-level overview• As will see in lab, need not be used only
as VPN technology – can be stand alone
ECE 4112 - Internetwork Security
Intro to IPSec (cont…)
• IP Sec ≠ VPN IP Sec is a protocol used in many VPNs
• Two main modes Transport Tunnel
• Two main services AH (Authentication Header protocol) ESP (Encapsulating Security Protocol)
ECE 4112 - Internetwork Security
Intro to IPSec (cont…)
• Authentication Header protocol Offers Authenticity and Integrity Uses cryptographic hash
– Covers entire packet, including static header fields
If any part of original message changes, it will be detected
Does not encrypt message Can be used to authenticate –
– Prevents IP Spoofing
ECE 4112 - Internetwork Security
Intro to IPSec (cont…)
• Encapsulating Security Protocol Provides Integrity and Confidentiality Encrypts payload If used in tunnel mode, encrypts original
IP header
ECE 4112 - Internetwork Security
Intro to IPSec (cont…)
• Transport Mode
Or
Real IP Header IP Options IPSec Header Payload (For example, TCP and Payload)
ESP Header
Could be either
AH Header
Authenticates Over
Encrypts Over
ECE 4112 - Internetwork Security
Intro to IPSec (cont…)
• Tunnel Mode
Or
GW IP Header IPSec Header Real IP Header Payload (For example, TCP and Payload)
ESP Header
Could be either
AH Header
Authenticates Over
Encrypts Over
ECE 4112 - Internetwork Security
Intro to IPSec (cont…)
• AH and ESP can be used together Tunnel ESP through AH transport packets
• Want to protect cryptographic keys• Internet Key Exchange protocol (IKE)
Secure way to exchange session keys based on shared secret
Can also use certificates (public key cryptography)
ECE 4112 - Internetwork Security
Resources
• Books: Building Linux Virtual Private Networks
– Oleg Kolesnikov, Brian Hatch
Linux Server Hacks– Rob Flickenger
Network Security– Charlie Kaufman, Radia Perlman, Mike
Speciner
ECE 4112 - Internetwork Security
Resources (cont…)
• Lecture Slides by Wenke Lee (see below)• Websites:
http://vpn.shmoo.com/ http://www.tldp.org/HOWTO/VPN-HOWTO/ http://www.onlamp.com/lpt/a/3009 http://www.cisco.com/warp/public/471/how_vp
n_works.shtml http://www.cc.gatech.edu/classes/AY2004/cs48
03_fall/ipsec_1.ppt http://www.cc.gatech.edu/classes/AY2004/cs48
03_fall/ipsec_2.ppt