Virtual Private Networks (VPNs). Source: VPN Technologies: Definitions and Requirements. VPN Consortium, July 2008.
Virtual Private Networks (VPNs)
• Source: VPN Technologies: Definitions and Requirements. VPN Consortium, July 2008.
• A private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.
VPN
• Source: http://tools.ietf.org/html/rfc2828
• A restricted-use, logical (i.e., artificial or simulated) computer network that is constructed from the system resources of a relatively public, physical (i.e., real) network (such as the Internet), often by using encryption (located at hosts or gateways), and often by tunneling links of the virtual network across the real network.
• For example, if a corporation has LANs at several different sites, each connected to the Internet by a firewall, the corporation could create a VPN by
  • using encrypted tunnels to connect from firewall to firewall across the Internet and
  • not allowing any other traffic through the firewalls.
• A VPN is generally less expensive to build and operate than a dedicated real network, because the virtual network shares the cost of system resources with other users of the real network.
Network Security
Characteristics of VPNs
• End-to-end communications between two end points
  • End points: routers, firewalls, servers, hosts
• Virtual
• Private
• Networks
• Shared?
Alternative Definition of VPN?
• A VPN is a means of carrying private traffic over a public network.
• Often used to connect two private networks, over a public network, to form a virtual network
• The word virtual means that, to the users on either end, the two private networks seem to be seamlessly connected to each other.
• That is, they are part of a single virtual private network (although physically they are two separate networks).
Implication? Connectivity, security, privacy: the VPN should provide the same connectivity and privacy you would find on a typical local private network.
Classifications of VPNs
• Based on encryption:
  • Encrypted VPNs
  • Nonencrypted VPNs
• Based on OSI model:
  • Data link layer VPNs
  • Network layer VPNs
  • Application layer VPNs
• Based on business functionality:
  • Intranet VPNs
  • Extranet VPNs
VPNs at different OSI layers
• The layer where the VPN is constructed affects its functionality.
• Example: In encrypted VPNs, the layer where encryption occurs determines
  • how much traffic gets encrypted
  • the level of transparency for the end users
• Data link layer VPNs (Layer 2)
  • Example protocols: Frame Relay, ATM
  • Drawbacks:
    • Expensive: requires dedicated Layer 2 pathways
    • May not have complete security – mainly segregation of the traffic, based on types of Layer 2 connection
• Q: Is L2TP a layer 2 VPN?
VPNs at different OSI layers
• Network layer VPNs (Layer 3)
  • Created using layer 3 tunneling and/or encryption
  • Q: What is the difference between encapsulation and tunneling? See http://computing-dictionary.thefreedictionary.com/tunneling%20protocol
  • Example: IPsec, GRE, L2TP (tunneling layer 2 traffic by using the IP layer to do that)
  • Advantages:
    • A ‘proper’ layer
    • Low enough: transparency
    • High enough: IP addressing
  • Cisco focuses on this layer for its VPNs.
VPNs at different OSI layers
• Application layer VPNs
  • Created to “work” specifically with certain applications
  • Example:
    • SSL-based VPNs (providing encryption between web browsers and servers running SSL)
    • SSH (encrypted and secure login sessions to network devices)
  • Drawbacks:
    • May not be seamless (transparency issue)
• Counter-argument: OpenVPN and SSL VPN Revolution (Hosner, 2004)
  • “The myth that Secure Socket Layer (SSL) Virtual Private Network devices (VPNs) are used to connect applications together is not true. …
  • A VPN is a site-to-site tunnel. …
  • There is a terrible misunderstanding in the industry right now that pigeon-holes SSL VPNs into the same category with SSL enabled web servers and proxy servers. …
  • A VPN, or Virtual Private Network, refers to simulating a private network over the public Internet by encrypting communications between the two private end-points. …
  • A VPN device is used to create an encrypted, non-application oriented tunnel between two machines that allows these machines or the networks they service to exchange a wide range of traffic regardless of application or protocol. This exchange is not done on an application by application basis. It is done on the entire link between the two machines or networks and arbitrary traffic may be passed over it. …”
Other Classification of VPNs?
• Intranet VPNs vs Extranet VPNs
• Remote Access VPNs vs Site-to-site VPNs
Types of VPNs
• Trusted
  • Non-cryptographic
  • Data move over a set of paths that has specified properties and is controlled by one ISP or a trusted confederation of ISPs.
  • Examples: Layer 2 frames over MPLS (Multiprotocol Label Switching)
• Secure
  • Cryptographic
  • Examples: IPSec with encryption, SSL with encryption, L2TP over IPSec, PPTP over MPPE
• Hybrid
Why Hybrid VPNs?
• Secure VPNs provide security but no assurance of paths.
• Trusted VPNs provide assurance of properties of paths such as QoS, but no security from snooping or alteration.
• A typical situation for hybrid VPN deployment is when a company already has a trusted VPN in place and some parts of the company also need security over part of the VPN.
Requirements for Secure VPNs
• All traffic on the secure VPN must be encrypted and authenticated.
• The security properties of the VPN must be agreed to by all parties in the VPN.
  • Secure VPNs have one or more tunnels, and each tunnel has two endpoints. The administrators of the two endpoints of each tunnel must be able to agree on the security properties of the tunnel.
• No one outside the VPN can affect the security properties of the VPN.
Requirements for Trusted VPNs
• No one other than the trusted VPN provider can affect the creation or modification of a path in the VPN.
• No one other than the trusted VPN provider can change data, inject data, or delete data on a path in the VPN.
  • Although the paths are typically shared among many customers of a provider, the path itself must be specific to the VPN and no one other than the trusted provider can affect the data on that path.
• The routing and addressing used in a trusted VPN must be established before the VPN is created.
Requirements for Hybrid VPNs
• The address boundaries of the secure VPN within the trusted VPN must be extremely clear.
  • In a hybrid VPN, the secure VPN may be a subset of the trusted VPN, such as if one department in a corporation runs its own secure VPN over the corporate trusted VPN.
  • For any given pair of addresses in a hybrid VPN, the VPN administrator must be able to definitively say whether or not traffic between those two addresses is part of the secure VPN.
VPN Deployments
• Internet VPNs
• Intranet VPNs
• Extranet VPNs
VPN Technologies
• Trusted
  • MPLS with constrained distribution of routing information through BGP ("layer 3 VPNs")
  • Transport of layer 2 frames over MPLS ("layer 2 VPNs")
  • Generic Routing Encapsulation (GRE)
• Secure
  • IPSec with encryption
  • SSL with encryption (esp. secure remote access)
  • L2TP over IPSec
• Hybrid
  • A secure VPN technology running over a trusted VPN technology
Generic Routing Encapsulation (GRE)
• Provides low overhead tunneling (often between two private networks)
• Does not provide encryption
• Used to encapsulate an arbitrary layer protocol over another arbitrary layer protocol: delivery header + GRE header + payload packet
• Mostly IPv4 is the delivery mechanism for GRE, with any arbitrary protocol nested inside, e.g., IP protocol type 47: GRE packets using IPv4 headers
• RFCs:
  • RFC 1701: Generic Routing Encapsulation (GRE). S. Hanks, T. Li, D. Farinacci, P. Traina, October 1994 (INFORMATIONAL)
  • RFC 2784: Generic Routing Encapsulation (GRE). D. Farinacci, T. Li, S. Hanks, D. Meyer, P. Traina, March 2000 (PROPOSED STANDARD)
  • RFC 2890: Key and Sequence Number Extensions to GRE. G. Dommety, September 2000 (PROPOSED STANDARD)
Generic Routing Encapsulation
• GRE Header (based on RFC 1701, deprecated): Figure 11-2
• GRE Header (based on RFC 2784 & 2890): Figure 11-4
  • C = 1: checksum present
  • Checksum: to ensure the integrity of the GRE header and the payload packet; contains a checksum of the GRE header and the payload packet
  • Key:
    • contains a number to prevent misconfiguration of packets;
    • may be used to identify individual traffic flow within a tunnel
    • Not the same as a cryptographic key
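The header fields listed above, as an added example that is not part of the original slides: a parser and builder for the RFC 2784/2890 layout. The function names and the sample packet are constructed for illustration; the code shows that the checksum and key are unkeyed values, so they catch corruption and misconfiguration but authenticate nothing.

```python
import struct

C_BIT, K_BIT, S_BIT = 0x8000, 0x2000, 0x1000   # RFC 2784 / RFC 2890 flag bits
MUST_BE_ZERO = 0x4C00   # bits 1, 4, 5: RFC 1701 leftovers, discard if set

def inet_checksum(data: bytes) -> int:
    """Unkeyed 16-bit one's-complement sum (the IP checksum algorithm)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_gre(proto: int, payload: bytes, key=None, seq=None, checksum=False) -> bytes:
    """Assemble a GRE packet; optional fields follow in the order C, K, S."""
    flags = ((C_BIT if checksum else 0) | (K_BIT if key is not None else 0)
             | (S_BIT if seq is not None else 0))
    opt = ((b"\x00" * 4 if checksum else b"")
           + (struct.pack("!I", key) if key is not None else b"")
           + (struct.pack("!I", seq) if seq is not None else b""))
    pkt = bytearray(struct.pack("!HH", flags, proto) + opt + payload)
    if checksum:                                 # computed with the field zeroed
        struct.pack_into("!H", pkt, 4, inet_checksum(bytes(pkt)))
    return bytes(pkt)

def parse_gre(pkt: bytes) -> dict:
    """Parse a GRE header; raise ValueError on input a receiver must discard."""
    if len(pkt) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", pkt)
    if flags & 0x0007:
        raise ValueError("GRE version is not 0")
    if flags & MUST_BE_ZERO:
        raise ValueError("RFC 1701 routing/recursion bits set")
    if len(pkt) < 4 + 4 * sum(bool(flags & b) for b in (C_BIT, K_BIT, S_BIT)):
        raise ValueError("truncated optional fields")
    out, off = {"protocol": proto, "checksum_ok": None, "key": None, "seq": None}, 4
    if flags & C_BIT:                            # checksum (16) + reserved1 (16)
        out["checksum_ok"] = inet_checksum(pkt) == 0
        off += 4
    for bit, name in ((K_BIT, "key"), (S_BIT, "seq")):
        if flags & bit:
            (out[name],) = struct.unpack_from("!I", pkt, off)
            off += 4
    out["payload"] = pkt[off:]
    return out

# Constructed sample: protocol type 0x0800 (IPv4), key 42, sequence number 7.
SAMPLE = build_gre(0x0800, b"constructed inner packet", key=42, seq=7, checksum=True)
```

The parsed payload comes back in the clear, and any party can rebuild a valid checksum over modified bytes without a secret, which is why GRE is paired with IPsec when confidentiality or authentication is required.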
Generic Routing Encapsulation
• Summary:
  • GRE mainly performs ‘tunneling’.
  • Does not provide a means to securely encrypt its payload
  • Often relies on the application layer to provide encryption
  • May be used together with network layer encryption (such as IPsec)
    • Example 1: use GRE to encapsulate non-IP traffic and then encrypt the GRE packet using IPsec
    • Example 2: use GRE to encapsulate multicast traffic, and then encrypt the GRE packet using IPsec
• Question: Why not simply use IPsec?
Generic Routing Encapsulation
• Case Studies:
  • A GRE tunnel connecting two private networks: Figure 11-5
  • GRE between multiple sites: Figure 11-6
  • GRE between two sites running IPX