VPNs - Presentation.pdf

  • View
    15

  • Download
    0

Embed Size (px)

Transcript

  • Virtual Private Networks (VPNs)

    Dominik Herkel

  • agenda 1 / 3

    1. important informations

    2.general

    3. history

    4.benefits for business

  • agenda 2 / 3

    5.implementation GRE Ipsec GRE over Ipsec SSL/TLS

    6.Cisco VPN solutions

  • agenda 3 / 3

    7. access network resources

    8. live configuration

  • important informations

    always refer to the OSI model, not TCP/IP

    complex topic listen carefully

  • general

    end-to-end private network connection

    security as a big concern

    access to internal network resources

  • history

    mostly no need to lease dedicated lines

    small companies are no longer left out

    use already existing infrastructure

    paved the way for telecommuting

  • benefits for business

    cost efficiency

    security

    scalability

    compatibility

  • implementation

    GRE

    IPsec VPNs

    GRE over IPsec

    SSL/TLS VPNs

  • Generic Routing Encapsulation (GRE)

  • general

    originally developed by cisco

    GRE tunnels are stateless

    still widely in use

  • process

    original IP packet encapsulated again

    additional overhead of 24 bytes

  • advantages

    multiprotocol support

    routing protocol support

    multicast and broadcast support

  • disadvantages

    no security measurements

    big overhead

  • Internet Protocol Security (IPsec)

  • general

    isnt bound to any specific security technologies

    framework of open standards

    in theory operates over all data link layer (OSI model) protocols

  • modes

    tunnel mode

    transport mode

  • protocols

    Authentication Header (AH): appropriate when confidentiality not required only authentication and integrity provided

    Encapsulating Security Payload (ESP): different to AH, also supports encryption

  • confidentiality

    symmetric algorithms are used

    ensures bulk encryption

    examples: Data Encryptions Standard (DES) Triple Data Encryption Standard (3DES) Advanced Encryption Standard (AES)

  • integrity

    Keyed-Hash Message Authentication Code (HMAC) additional shared secret added to plaintext data hash value calculated from key-data combination

    examples of hash calculation operations: Message-Digest Algorithm 5 (MD5), Secure Hash Algorithm (SHA-1, SHA-2, SHA-3)

  • authentication

    parties authenticate each other

    either pre-shared secrets or signatures used

    examples: pre-shared secret Rivest-Shamir-Adleman (RSA) signature

  • secure key exchange

    Diffie-Hellman (DH) asymmetric algorithm defines several groups

    allows generation of identical shared secret shared-secret never exchanged between parties examples:

    ranges from group 1 24 differ relating to encryption strength

  • process

    1. Host A (behind R1) sends interesting traffic to Host B (behind R2).

    2. R1 and R2 negotiate an IKE phase one session secure channel is set up.

    3. Router R1 and R2 negotiate an IKE phase two session matching parameterneeded.

    4. Securely transmit data.

    5. IPsec tunnel is terminated.

  • advantages

    security

    based on existing algorithms

  • disadvantages

    solely IP support

    only unicasts

    no routing protocol support

  • Decision

  • GRE over IPsec

    often no need to decide between IPsec or GRE

    combines the benefits of both solutions into one

    flexibility provided by GRE and security ensured by IPsec

  • Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

  • general

    SSL is predecessor of TLS

    both work at presentation layer of OSI model

    several security measurements

  • process

    (http://www.youtube.com/watch?v=SJJmoDZ3il8)

  • advantages

    security

    almost everywhere available

    third party regulation

  • disadvantages

    faked SSL/TLS certificates

    DoS attacks

  • Cisco VPN solutions

    Cisco Integrated Services Router (ISR) with enabled VPN

    Cisco Private Internet eXchange (PIX) end of life (EOL), end of sale (EOS)

    Cisco Adaptive Security Appliance (ASA) 5500 Series

    Cisco VPN 3000 Series Conentrator end of life (EOL), end of sale (EOS)

    Small and Home Office (SOHO) Routers

  • access network resources

    Site to Site configuration

    Cisco VPN Client

    Cisco AnyConnect VPN Client

  • bibliography 1 / 5

    AnexGATE. (n.d.). AnexGATE. Retrieved from http://www.anexgate.com/downloads/whitepapers/vpnprimer.pdf

    AnexGATE. (n.d.). AnexGATE. Retrieved from http://www.anexgate.com/downloads/whitepapers/vpnprimer.pdf

    Cisco. (n.d.). Cisco. Retrieved from http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

    Cisco. (n.d.). Cisco Netacademy. Retrieved from http://www.cisco.com/web/learning/netacad/index.html

  • bibliography 2 / 5

    Cisco. (n.d.). Cisco Netacademy. Retrieved from http://www.cisco.com/web/learning/netacad/index.html

    Covenant. (n.d.). DSLreports. Retrieved from http://www.dslreports.com/faq/8228 Edwards, J. (n.d.). ITsecurity. Retrieved from

    http://www.itsecurity.com/features/vpn-popularity-021108/

    Itif. (n.d.). Itif. Retrieved from http://www.itif.org/files/Telecommuting.pdf Kilpatrick, I. (n.d.). IT Pro Portal. Retrieved from

    http://www.itproportal.com/2007/05/18/benefits-and-disadvantages-of-ssl-vpns/

  • bibliography 3 / 5

    Mason, A. (n.d.). CiscoPress. Retrieved from http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7

    Pearson. (n.d.). Pearsoncmg. Retrieved from http://ptgmedia.pearsoncmg.com/images/9781587201509/samplechapter/158720150X_CH14.pdf

    Rager, A. T. (n.d.). SourceForge. Retrieved from http://ikecrack.sourceforge.net/ SANS Institute. (n.d.). GoogleDocs. Retrieved from

    https://docs.google.com/viewer?a=v&q=cache:LcJ_BIRpFl4J:www.sans.org/reading_room/whitepapers/vpns/vulnerabilitys-ipsec-discussion-weaknesses-ipsec-implementation-pro_760+ipsec+vulnerabilities&hl=de&gl=at&pid=bl&srcid=ADGEESjc5VtF9axW6pM9jnZscnGxhS2U9roAq

  • bibliography 4 / 5

    Suida, D. (n.d.). WordPress. Retrieved from http://waynetwork.wordpress.com/2011/07/02/video-tutorial-ipsec-over-a-gre-tunnel/

    Unknown. (n.d.). ETutorials. Retrieved from http://etutorials.org/Networking/network+security+assessment/Chapter+11.+Assessing+IP+VPN+Services/11.2+Attacking+IPsec+VPNs/

    Unknown. (n.d.). Journey2CCIE. Retrieved from http://journey2ccie.blogspot.co.at

  • bibliography 5 / 5

    Unknown. (n.d.). Teleworkers Research Network. Retrieved from http://www.teleworkresearchnetwork.com/telecommuting-statistics

    Unknown. (n.d.). The Hackers Choice. Retrieved from http://thehackerschoice.wordpress.com/2011/10/24/thc-ssl-dos/

    Wikipedia. (n.d.). Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Telecommuting#Telecommuting_and_telework_statistics

    Wikipedia. (n.d.). Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Transport_Layer_Security Zandi, S. (n.d.). Cisco LearningNetwork. Retrieved from https://learningnetwork.cisco.com/docs/DOC-

    2457

    dtommy1979 (n.d.). YouTube. Retrieved from http://www.youtube.com/watch?v=SJJmoDZ3il8