1 / 91

VPN Technology Advances And Challenges

VPN Technology Advances And Challenges. LILISH M SAKI Lmsaki@scu.edu Santa Clara University COEN 329 Winter 2002. AGENDA. Introduction VPN overview and benefits Technology behind VPN VPN tunneling protocols IPsec VPN Implementation details Implementation alternatives

iokina
Download Presentation

VPN Technology Advances And Challenges

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. VPN Technology Advances And Challenges LILISH M SAKI Lmsaki@scu.edu Santa Clara University COEN 329 Winter 2002

  2. AGENDA • Introduction • VPN overview and benefits • Technology behind VPN • VPN tunneling protocols • IPsec VPN Implementation details • Implementation alternatives • Future challenges • Conclusion SCU - Lilish M Saki - Winter 2002

  3. Introduction to VPN • Earlier organizations used to build WAN - now called intranets, through dedicated leased lines/ATM/frame relay to connect their different branches and offices. • In addition, some organizations selectively open their WAN access to partners to provide extranet services. • Proves costly for many organization to support these kind of intranet/extranet architecture. SCU - Lilish M Saki - Winter 2002

  4. Introduction to VPN (Contd.) • Also for mobile workers to log in to a dial-up intranet, he/she must call into a company's remote access server using either a 1-800 number or a remote number. • Incurs long distance telephone charges. Virtual private network (VPNs) utilize public network, like internet, to carry private communications safely and inexpensively.  . • Very useful for many organizations looking to both expand their networking capabilities and reduce their costs. SCU - Lilish M Saki - Winter 2002

  5. Introduction to VPN (Contd.) • Telecommuters and those who travel often might find VPNs to be a more convenient way to stay "plugged in" to the corporate intranet. • A VPN can support the same intranet/extranet services as a traditional WAN, but VPNs are most popular for their support of secure remote access service. SCU - Lilish M Saki - Winter 2002

  6. VPN Overview Local ISP LAN VPN Tunnel Remote user Secure VPN Connection Dedicated link to ISP Company’s Authentication server Public Network SCU - Lilish M Saki - Winter 2002

  7. VPN Overview (Contd.) • The diagram above illustrates a VPN remote access solution. A remote user (client) wants to log into the company LAN. • The VPN client uses local ISP to connect into the authentication server of his company. • The server authenticates the client, upon which he can now communicate with the company network just as securely over the public network as if it resided on the internal LAN. SCU - Lilish M Saki - Winter 2002

  8. VPN Overview (Contd.) • A small remote office can also be connected this way, which does not have permanent connection to corporate intranet. In this case, remote’s office’s server establishes VPN connection with the corporate server. • In the above process of establishing connection, a VPN tunnel is created between the remote user and the authentication server through internet. SCU - Lilish M Saki - Winter 2002

  9. VPN Overview - Tunneling • Tunneling is needed because internet, though cost-effective, basically is public shared network and its not suitable in its natural state for secure transactions or private communications. • In tunneling instead of sending a frame as it is produced by the originating node, the tunneling protocol encapsulates a data packet within a normal IP packet for forwarding over an IP-based network and routed between tunnel endpoints. SCU - Lilish M Saki - Winter 2002

  10. Common uses of VPNs • There are three main uses of VPN: • Intranet VPNs:Allow private networks to be extended across the internet or other public network service in a secure way. Intranet VPNs are sometimes referred to as site-to-site or LAN-to-LAN VPNs. • Extranet VPNs: Allow secure connections with business partners, suppliers and customers for the purpose of e-commerce. Extranet VPNs are an extension of intranet VPNs with the addition of firewalls to protect the internal network. SCU - Lilish M Saki - Winter 2002

  11. Common uses of VPNs (Contd.) • Remote access VPNs: Allows individual dial-up users to connect to a central site across the internet or other public network service in a secure way. Remote access VPNs are sometimes referred to as dial VPNs. • Secure Intranets Internally: Intranets can also utilize VPN technology to implement controlled access to individual subnets on the private network. In this mode, VPN clients connect to a VPN server that acts as a gateway to computers behind it on the subnet. SCU - Lilish M Saki - Winter 2002

  12. Common Uses of VPNs Three uses of VPN are shown in the following diagram SCU - Lilish M Saki - Winter 2002

  13. VPN Benefits • Low cost. • Eliminates the need for expensive long-distance leased lines. • With VPNs, an organization needs only a relatively short dedicated connection to the service provider. • This connection could be a local leased line (much less expensive), or it could be a local broadband connection such as DSL service. SCU - Lilish M Saki - Winter 2002

  14. VPN Benefits (Contd.) • Dial-in VPNs reduces costs by lessening the need for long-distance telephone charges for remote access. • Lower costs through offloading of the support burden. With VPNs, the service provider rather than the organization must support dial-up access for example. SCU - Lilish M Saki - Winter 2002

  15. VPN Benefits (Contd.) • Scalability: • The cost to an organization of traditional leased lines may be reasonable initially but can increase exponentially as the organization grows. • Four branch offices require six lines for full connectivity, five offices require ten lines, and so on. SCU - Lilish M Saki - Winter 2002

  16. VPN Benefits (Contd.) • In a traditional WAN this explosion limits the flexibility for growth. VPNs that utilize the internet avoid this problem by simply tapping into the geographically-distributed access already available. • Due to the ubiquitous nature of ISP services, it is possible to link even the most remote users or branch offices into the network. SCU - Lilish M Saki - Winter 2002

  17. Basic VPN requirements • At a minimum, a VPN solution should provide all of the following: • User Authentication: The solution must verify a user's identity and restrict VPN access to authorized users. In addition, the solution must provide audit and accounting records to show who accessed what information and when. • Address Management: The solution must assign a client's address on the private net, and must ensure that private addresses are kept private. SCU - Lilish M Saki - Winter 2002

  18. Basic VPN Requirements • Data Encryption: Data carried on the public network must be rendered unreadable to unauthorized clients on the network. • Key Management: The solution must generate and refresh encryption keys for the client and server. SCU - Lilish M Saki - Winter 2002

  19. Basic VPN Requirements • Multiprotocol Support: The solution must be able to handle common protocols used in the public network. These include Internet Protocol (IP), Internet Packet Exchange (IPX), and so on. • security negotiation and complex filtering. SCU - Lilish M Saki - Winter 2002

  20. Basic VPN Requirements (Contd.) • Management:Client-based software should be as transparent as possible. VPN carriers will require new management tools in order to simplify the configuration and monitoring of a corporate customer's VPN. • Further emerging requirements like QoS, CoS, etc., will be discussed later on. SCU - Lilish M Saki - Winter 2002

  21. Technology behind VPN • A VPN is essentially a software technique to route private traffic on public internet. • Three functions form basis of VPN. • Packet encapsulation - “Tunneling.” • Encryption. • Authentication. • Scope of Encapsulation and Encryption. • Next slide shows layout of IP header. • Each part of IP packet has security exposures if sent in “clear” over the internet. SCU - Lilish M Saki - Winter 2002

  22. Technology behind VPN • The threats mentioned below, requires us to encrypt the entire packet when sending packets over internet. IP Packet and security threats. IP Header Other header Userdata Passwords, userID, credit card info, all other data Src. And dest. Address, other information Information useful to hackers SCU - Lilish M Saki - Winter 2002

  23. Encryption Concepts • Privacy of the information sent over VPN is ensured by encryption. • Encryption is a technique of scrambling (into cipher text) and unscrambling information (back to clear text ). SCU - Lilish M Saki - Winter 2002

  24. Encryption Concepts • Asymmetric public key cryptography normally used for encryption and decryption. • Encryption Algorithms. • DES (56 bit key length). • 3DES (168 bit key length). • AES (Advanced Encryption standard) newest algorithms supporting. SCU - Lilish M Saki - Winter 2002

  25. Authentication Concepts • Authentication basically answers following question. • “Are you really who you say you are ?” • There are two types of authentication: User/System Authentication and Data Authentication. • User/System Authentication: • Verifying that the person or system is indeed the one who claims to be. • A Common technique is to send a “challenge” to other side by sending a random number. SCU - Lilish M Saki - Winter 2002

  26. Authentication Concepts (Contd.) • The challenged side returns a value by encrypting the random number using key only known to challenged side. • The challenger decrypts the returned value, and if it matched original number, challenged party is termed as authentic. SCU - Lilish M Saki - Winter 2002

  27. Authentication Concepts (Contd.) • Data Authentication: • This verifies that the packet has not be altered during its trip over the internet. • A typical technique done before encryption is that the sender calculate a number ,called a hash, based on data content and append it to the data packet. • Receiver decrypts the packets, calculates the hash independently and compared this receiver calculated hash with the hash appended to the data. • If both hash do not match, data has been altered and receiver rejects it. SCU - Lilish M Saki - Winter 2002

  28. Tunneling Basics • Encrypting IP header is not enough since intermediate routers would not be able to read destination address. • Tunneling protocol encapsulates the frame in an additional header. SCU - Lilish M Saki - Winter 2002

  29. Tunneling Basics • The additional header provides routing information so that the encapsulated payload can traverse the intermediate internetwork. • Tunneling includes this entire process (encapsulation, transmission, and de-capsulation of packets. SCU - Lilish M Saki - Winter 2002

  30. Tunneling Basics Tunnel End Points Tunnel Tunneled Payload Payload Tunneling SCU - Lilish M Saki - Winter 2002

  31. Tunneling Basics (Contd.) • The logical path through which the encapsulated packets travel through the internetwork is called a tunnel. • Once the encapsulated frames reach their destination on the internetwork, the frame is un-encapsulated and forwarded to its final destination. SCU - Lilish M Saki - Winter 2002

  32. Tunneling Basics (Contd.) • Tunneling technology can be based on either a Layer 2 or Layer 3 tunneling protocol. • Layer 2 Tunneling protocols: PPTP, L2TP, L2TF. • Layer 3 Tunneling Protocols: IP over IP and IPSec (Tunnel Mode). • The next slide shows the comparison table of features that each of above protocol support and then individual protocols are discussed. SCU - Lilish M Saki - Winter 2002

  33. Tunneling Protocols – Features Comparison SCU - Lilish M Saki - Winter 2002

  34. Tunneling Protocols Comparison • Each of above features is critical in determining the implementation of various VPN protocols. • IPSec is gaining more and more support from vendors because of its security, however issues like user authentication and multi-protocol support are still there and work is going on to resolve this issues. • PPTP and L2TP lacks machine and packet authentication as standard which makes this protocols vulnerable and much less secure than IPSec. SCU - Lilish M Saki - Winter 2002

  35. Appropriate Protocol Use SCU - Lilish M Saki - Winter 2002 **X denotes it supports

  36. Tunneling Protocols – PPTP • PPTP protocol is built on the top of PPP and TCP/IP. • PPTP tunneling makes use of two basic packet types – data packets and control packets. • PPTP is a Layer 2 protocol that encapsulates PPP frames in IP datagrams for transmission over an IP internetwork, such as the Internet. SCU - Lilish M Saki - Winter 2002

  37. Tunneling Protocols – PPTP • Control packets are used for status inquiry and signaling information and is sent over TCP connection. • Data portion is sent using PPP encapsulated in Generic Routing Encapsulation (GRE) V2 protocol. • GRE protocol allows for encapsulation for arbitrary data packets within arbitrary transport protocol. • Such as IPX, NetBEUI, TCP. SCU - Lilish M Saki - Winter 2002

  38. Tunneling Protocols – PPTP (Contd.) The PPTP Standard MediaHeader IP Header GRE Header PPP Header User DATA What is GRE ? Delivery Protocol GRE Header Payload Protocol Information (x -octets) SCU - Lilish M Saki - Winter 2002

  39. PPTP Security • Security of PPTP has been enhanced to support RAS (Remote access server) which supports MS-CHAP, RSA RC 4 encryption. • It does not intrinsically include any encryption and authentication mechanisms. • There is no packet authentication and in general it is much weaker then IPSec and thus much more susceptible to attack. SCU - Lilish M Saki - Winter 2002

  40. Tunneling Protocols – L2TP • L2TP is standards based combination of two proprietary Layer 2 tunneling approaches. • It combines best parts of Microsoft’s PPTP and Cisco’s L2F. • Main difference between L2TP and PPTP is that L2TP combines data and control channels and runs over UDP as opposed to TCP. • More firewall friendly than PPTP since UDP is faster and also two channels are combined. SCU - Lilish M Saki - Winter 2002

  41. Tunneling Protocols – L2TP • Crucial advantage on extranet VPN applications. • L2TP supports non-Internet based VPNs including frame relay, ATM, and Sonet. • In L2TP PPP connection is tunneled using IP between LAC-LNS pair. • LAC: L2TP access concentrator. • LNS : L2TP Network server. SCU - Lilish M Saki - Winter 2002

  42. L2TP Encapsulation The L2TP Standard Mediaheader IP Header UDP header L2TP Header PPP Header User Data SCU - Lilish M Saki - Winter 2002

  43. L2TP Security • L2TP doesn’t intrinsically include encryption support. • However, secure functionality of IPSec can be used to secure the L2TP tunnel. • L2TP is more suitable for multiprotocol support and remote access VPN. SCU - Lilish M Saki - Winter 2002

  44. Tunneling Protocols - IPSec • IPSec is open standard layer 3 security protocol that protect IP datagrams. • IPSec has many components (including some still in development), but they boil down to just two main functions: authentication and encryption. • It Provides robust, extensible mechanism in which to provide security to IP and upper layer protocols like UDP and TCP. SCU - Lilish M Saki - Winter 2002

  45. Tunneling Protocols – IPSec (Contd.) • It protects IP datagrams by specifying the traffic to protect, how the traffic is protected, and to whom the traffic is sent. • IPsec can protect IP datagrams between hosts, network security gateways (firewalls, routers), and between hosts and security gateways. SCU - Lilish M Saki - Winter 2002

  46. IPSec security features • Data origin authentication: Ensures that received data is same as sent data and that recipient knows who sent that data. • Data integrity: Ensures that data is transmitted without alteration. • Relay protection : It offers partial sequence integrity. • Data Confidentiality: It ensures that no one can read the sent data, possible by using the encryption algorithms. SCU - Lilish M Saki - Winter 2002

  47. IPSec Components • IPSec provides following components. • Encapsulating Security Payload (ESP): Provides data origin authentication, relay protection, data integrity and data confidentiality. • Authentication Header (AH): Provides data origin authentication, relay protection, data integrity. • Internet Key Exchange (IKE): Provides key management and security association (SA) management. SCU - Lilish M Saki - Winter 2002

  48. Encapsulating Security Payload (ESP) • ESP provides authentication, integrity, confidentiality which protects against data tampering and message content protection. • IPSec provides open framework for standard algorithms like MD5, SHA. • ESP also provides encryption services in IPSec. • Encryption/Decryption allows the sender and authorized receiver to read the data. SCU - Lilish M Saki - Winter 2002

  49. Encapsulating Security Payload (ESP) Contd. • ESP also has option called ESP authentication. • Provide authentication and integrity to IP payload not to the IP header. • The ESP header is inserted into the packet between the IP header and any subsequent packet contents. • ESP does not encrypt the ESP header and the ESP authentication. SCU - Lilish M Saki - Winter 2002

  50. ESP format Original Packet IP Header TCP Data Packet with ESP ESP Authentication IP Header ESPHeader ESPTrailer Data TCP Encrypted Authenticated SCU - Lilish M Saki - Winter 2002

More Related