
Virtual Private Networks (slide deck)


  • Slide 1: Virtual Private Networks
  • Slide 2: Virtual Private Networks (VPNs)
    • VPN: Virtual Private Network
    • IPSEC
    • HighLink's road map:
      • Q2: Integrated IPSEC = Integrated VPN
      • Later phase: HW based IPSEC
  • Slide 3: VPN - What is it all about?
    • VPN - two networking concepts:
      • Virtual networks: geographically distributed users and hosts interact and are managed as a single virtual entity
      • Virtual Private Networks: incorporate data protection and trust among the hosts in the virtual network
    • A VPN often includes: tunneling, encryption, authentication
    • VPNs solve network problems:
      • Security over public and private networks
      • Addressing problems in IP networks
    • Ideal for Intranet/Extranet, E-commerce, ASPs
  • Slide 4: VPN Security - What kind of security is provided by a VPN?
    • Authentication: who can access your network?
    • Authorization: what can a user access?
    • Data protection: from disclosure, from modification
  • Slide 5: VPNs: Various solutions over the 7 layers of the ISO model
    • Physical: no VPN solution listed
    • Data Link: L2TP, PPTP
    • Network: IPSEC
    • Transport: SOCKS, SSL, TLS
    • Session / Presentation / Application: S/MIME, SSH
  • Slide 6: Security Problems --> VPN
    • Internet --> security problems:
      • Many points of eavesdropping
      • Many points of modification
    • Public networks are also not secure --> a VPN may also be needed over: DSL, CATV, leased lines, Frame Relay, ISDN, wireless, satellite
  • Slide 7: IP Addressing Problems --> VPN
    • Companies use private addresses due to:
      • Shortage of IP addresses
      • Historic reasons (before the Internet)
    • This causes problems when:
      • Companies want to cooperate
      • Companies connect to the Internet
    • The problem may be solved with:
      • Virtual Private Network (VPN)
      • Network Address Translation (NAT)
  • Slide 8: IPSEC: Layer 3 tunneling protocol
    • IPSEC = IP Security
    • IPSEC is a standard (RFCs, etc.)
    • IPSEC is a layer 3 tunneling protocol
    • IPSEC provides:
      • Encapsulation (optional)
      • Encryption (optional)
      • Data origin authentication
      • Data integrity protection (data has not been changed)
      • Replay protection (data is not being sent again by someone who was eavesdropping; optional)
      • Cryptographic key management
  • Slide 9: PPTP, L2TP: Layer 2 tunneling protocols
    • PPTP and L2TP are layer two tunneling protocols:
    • PPTP = Point to Point Tunneling Protocol:
      • It's an old Microsoft tunneling protocol
      • Has extensions for encryption
      • Was replaced by L2TP
    • L2TP = a standard for Layer 2 Tunneling Protocol:
      • It doesn't provide encryption!
  • Slide 10: IPSEC vs L2TP
    • IPSEC provides real security features, like encryption, in addition to tunneling
    • IPSEC is becoming the leading means for VPN solutions
    • L2TP provides a solution for non-IP protocols, like IPX and AppleTalk: it lets them run over the Internet
  • Slide 11: IPSEC: Three major components
    • AH = Authentication Header Protocol:
      • Authentication
      • Data integrity
      • Replay protection
    • ESP = Encapsulation Security Protocol:
      • Confidentiality
      • Authentication
      • Data integrity
      • Replay protection
    • IKE = Internet Key Exchange protocol
  • Slide 12: IPSEC: Tunnel Mode and Transport Mode
    • Transport mode (hardly used): there is no encapsulation
      • The original IP header is kept; it is neither replaced nor encrypted
      • Data may be encrypted
    • Tunnel mode: there is encapsulation
      • There is a new IP header, with new IP addresses (allowing the old private addresses to be used inside the organization)
      • The old IP header (with the old IP addresses) may be encrypted
      • Data may be encrypted
  • Slide 13: IPSEC: A range of encryption and authentication algorithms
    • IPSEC offers a range of algorithms:
      • Authentication: MD5, SHA-1, DES
      • Encryption: DES, 3-DES (Triple DES), RC5, IDEA (& Triple IDEA), Blowfish, CAST, RC4
  • Slide 14: Cryptography
    • Cryptographic algorithm: a procedure that takes the plaintext data and transforms it into ciphertext in a reversible way
    • Cryptographic key: a special piece of data that directs the crypto device to encrypt a message in a distinctive way
    • Usually the key is a large number
  • Slide 15: Secret Key (Symmetric) Encryption
    • Mr. A encrypts his message to B with their shared secret key
    • Mr. B decrypts messages from A with the same secret key
    • (Figure: Mr. A and Mr. B sharing one secret key)
  • Slide 16: Secret Key (Symmetric): Some facts
    • The keys must remain secret
    • The same key is used to encrypt and decrypt
    • Distributing the keys is hard because they have to be secret
    • Secrecy of data is related to:
      • The length of the key
      • The secrecy of the key
      • The algorithm being used
  • Slide 17: Public Key (Asymmetric) Encryption
    • Different keys are used for encryption and for decryption
  • Slide 18: Public Key (Asymmetric) Encryption
    • Mr. B decrypts these messages using his private key
    • (Figure: Duck, Mr. A and Mr. C each send to Mr. B using B's public key)
  • Slide 19: Public Key (Asymmetric) Encryption
    • Mr. B replies to messages using each recipient's public key
    • (Figure: Mr. B sends to Duck, Mr. A and Mr. C using Duck's, A's and C's public keys)
  • Slide 20: Public Key Encryption: Some facts
    • The private key must remain secret
    • The public key is widely distributed (on the Web?)
    • Distribution of keys is easy
  • Slide 21: Good Cryptography: Characteristics
    • Given the algorithm, the clear text and the cipher text, one cannot determine the secret key
    • No reliance on algorithm secrecy
    • Available for analysis
  • Slide 22: More About the AH Protocol
    • AH is used mainly to authenticate packets and also provides anti-replay protection
    • Authenticate means checking integrity: we know that the packet has not been modified in transport
    • Authenticate means checking identity: we know that the packet was sent by someone who knows the right secret keys
  • Slide 23: AH Protocol: Some technical issues
    • Some fields in an IP packet are mutable, i.e. they may be changed in transit, for example the TOS and TTL fields
    • The old protocol field (like TCP, UDP) is replaced by 51 (AH)
    • Sequence numbers are used to provide replay protection. Sequence numbers start at 1 and can never repeat
  • Slide 24: More About the ESP Protocol
    • ESP provides confidentiality in addition to:
      • Authentication
      • Anti-replay protection
    • The old protocol field (like TCP, UDP) is replaced by 50 (ESP)
  • Slide 25: IPSEC IKE: Some Facts
    • IKE - Internet Key management and Exchange protocol - is responsible for:
      • Negotiating protocols, encryption algorithms and keys
      • Establishing keys
      • Keeping track of things
    • IKE was formerly referred to as ISAKMP = Internet Security And Key Management Protocol
  • Slide 26: VPN & NAT
    • NAT = Network Address Translation: changes the source address of outbound packets
    • NAT which does many-to-one is called NAPT (Network Address Port Translation) or PAT (Port Address Translation)
    • To use NAT, NAPT (or PAT) with IPSEC, you must NAT before you encrypt
    • Often, when a VPN is used, NAT (or PAT) is not used
  • Slide 27: Integrated IPSEC in the Router
    • Having an IPSEC machine, firewall and routers from different vendors causes:
      • Routing problems
      • Security problems
      • Often rules out the use of NAT (PAT)
      • Complex installation
      • Difficult management
      • High cost
    • HighLink with integrated IPSEC avoids these problems and especially allows the use of NAT with IPSEC (since NAT is done before IPSEC)
  • Slide 28: HighLink and VPN
    • Q2 2000: software based IPSEC implementation in HighLink:
      • AH, ESP, DES, static keys: already implemented (for DATUS)
      • 3DES and IKE: being added
      • Negotiating with a CA: will be added
    • Second phase: HW based IPSEC implementation in a future HighLink (based on R-Core) to allow IPSEC at high speeds
    • HighLink NATs before IPSEC, so it can combine them and use them at the same time
  • Slide 29: HighLink's Security Mechanisms
    • New: VPN (IPSEC: encryption, tunneling)
    • Integrated firewall:
      • New: QoS based
      • FACS
    • PAP and CHAP: authentication protocols
    • SNMP community: RO, RW, Super Community
    • Passwords for Terminal, Telnet, WEB management
  • Slide 30: HighLink Handles IP Addresses
    • New: VPN: encapsulates with new IP addresses
    • NAT (PAT): replaces IP addresses and ports
    • DHCP server: provides IP addresses
    • IPCP: gets or provides IP addresses over PPP
    • Unnumbered IP: saves IP addresses over the WAN
  • Slide 31: HighLink - Many products in one case
    • New: VPN; Firewall; DHCP server; NAT (PAT) device; Quality of Service (QoS) device; Router and Bridge
    • One box
    • One management
    • Easy to install and maintain
    • No conflicts
  • Slide 32: VPN at competing SOHO routers
    • Cisco 700 - none
    • Cisco 800 - IPSec & L2TP, DES only?
    • Cisco 900 - cable router - IPSec & L2TP, DES only?
    • Cisco 1400 - ADSL router with IPSec & L2TP, DES only?
    • Cisco 1600 - IPSec & L2TP, DES only?
    • Cisco 1700 - HW based IPSec, DES and 3DES
    • Bay Nautica - none
    • Ascend Pipeline - IPSec
    • Cabletron SSR - L2TP & DES
    • Intel Express - none (discontinued the encryption they had)
    • Motorola Vanguard - none
    • Netgear routers - none