Virtual Private Networks
By: Jacob Anderson
What is a Virtual Private Network?
- A secure network connection on top of a wider network (hence "virtual")
- Uses a larger network, like the Internet, to connect a remote site and users together
  - Takes advantage of availability
- Mimics a physical network
  - Convenient accessibility
- Better alternative to a leased line
Leased Lines
- Pay a provider for a "symmetric telecommunications" line
  - Monthly price
- Each side of the cable is permanently connected
  - No telephone number
- Advantage in speed
  - Normally fiber optic
  - Dedicated
- Most of the time infeasible
VPN vs. SSH
- SSH works at the application layer
  - Port specific
- SSH establishes connections on a one-to-one basis
  - A single client to a server or another single entity
- A VPN can connect a user to a whole network
  - Great for business off-site extension
- A VPN is not limited to single-port connections
  - Network layer connectivity
VPN with SSH
- In some cases, security may be necessary within the local network as well
  - Confidential data that only some employees are eligible to view
- The VPN handles the security over the Internet
  - Encapsulates the SSH protocol packet
- SSH then provides application-to-application security within the network
  - Only the sending and receiving employees will be able to view the data
How a VPN Works
- An IP packet is wrapped in an extra layer
  - Which provides security
- The extra layer is processed by a router
  - Not at a higher level in the OSI protocol stack
VPN Router
- VPN is accomplished using a specific type of router and/or VPN software
  - Designed to handle the IP layer security protocol
- Cost for a small business VPN router is between 150 and 400 dollars
  - This one is $150
VPN Protocols
- PPTP
- L2TP
- L2F
- IPSEC (most commonly used)
IPSEC
- Consists of two main protocol sets:
  - Authentication Header (AH)
  - Encapsulating Security Payload (ESP)
Authentication Header
- Known as "Tunnel Mode"
- Replay bit: triggered when viewed (to know whether the packet was compromised)
- Process:
  1) The IP header and data payload are hashed
  2) The hash is used to build a new header, which is appended
  3) The new packet is transmitted to the VPN router
  4) The receiving router hashes the IP header and data payload as well; the result must match the previously appended hash (the authentication header)
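To make the four-step process above concrete, here is an added Python example that is not part of the slides. It encapsulates a constructed inner IPv4 packet in tunnel mode (outer IP header, then AH, then the original packet, matching the slide's pairing of AH with tunnel mode; RFC 4301 actually defines both tunnel and transport mode for both AH and ESP), computes the authentication header on the sending side and verifies it on the receiving side. Where the slide says "hashed", the example uses HMAC-SHA256 with a shared key, because AH relies on a keyed integrity check: an unkeyed hash could be recomputed by anyone who altered the packet in transit. The key, the SPI and all addresses are constructed values, and the 32-entry sliding window stands in for the anti-replay mechanism the slide's "replay bit" refers to (RFC 4302 section 3.4.3). Nothing here is real IPsec stack code; it only runs the logic the slide describes over bytes built in memory.

```python
"""AH-style tunnel-mode integrity protection over constructed IPv4 packets (added example)."""
import hmac
import hashlib
import struct

KEY = b"constructed-example-key-not-a-real-sa-key"  # assumption: agreed out of band (IKE in real IPsec)
SPI = 0x1001           # constructed Security Parameter Index identifying the SA
IPPROTO_AH = 51        # real protocol number for AH in the outer IP header
IPPROTO_IPIP = 4       # real AH "next header" value for an encapsulated IPv4 packet
AH_FIXED = "!BBHII"    # next header, payload length, reserved, SPI, sequence number
AH_FIXED_LEN = struct.calcsize(AH_FIXED)  # 12 bytes before the ICV
ICV_LEN = 32           # full HMAC-SHA256 output (real deployments truncate; kept whole here)


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left zero since AH zeroes it before hashing anyway."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, addr(src), addr(dst))


def zero_mutable(outer):
    """Fields routers rewrite in transit (TTL, header checksum) are zeroed so the hash survives forwarding."""
    h = bytearray(outer)
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_icv(outer, ah_fixed, inner):
    """Step 1: keyed hash over the zeroed IP header, the AH header (ICV field as zeros) and the payload."""
    covered = zero_mutable(outer) + ah_fixed + bytes(ICV_LEN) + inner
    return hmac.new(KEY, covered, hashlib.sha256).digest()


def ah_tunnel_encapsulate(inner_packet, seq, gw_src, gw_dst):
    """Steps 2-3: build the outer header and the AH header carrying the hash; return the packet to send."""
    ah_len = AH_FIXED_LEN + ICV_LEN
    outer = ipv4_header(gw_src, gw_dst, IPPROTO_AH, ah_len + len(inner_packet))
    payload_len_field = ah_len // 4 - 2      # AH "Payload Length" is in 32-bit words minus 2
    ah_fixed = struct.pack(AH_FIXED, IPPROTO_IPIP, payload_len_field, 0, SPI, seq)
    return outer + ah_fixed + ah_icv(outer, ah_fixed, inner_packet) + inner_packet


class ReplayWindow:
    """Sliding anti-replay window: rejects sequence numbers already seen or older than the window."""
    def __init__(self, size=32):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq):
        if seq == 0:                         # sequence number 0 is never valid
            return False
        if seq > self.top:                   # newer than anything seen: slide the window forward
            self.bitmap = (self.bitmap << (seq - self.top)) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or (self.bitmap >> offset) & 1:
            return False                     # too old, or a replay of a packet already accepted
        self.bitmap |= 1 << offset
        return True


def ah_tunnel_verify(packet, window):
    """Step 4: the receiving gateway recomputes the hash and compares; returns the inner packet or None."""
    if len(packet) < 20 + AH_FIXED_LEN + ICV_LEN or packet[9] != IPPROTO_AH:
        return None
    outer, rest = packet[:20], packet[20:]
    ah_fixed = rest[:AH_FIXED_LEN]
    icv = rest[AH_FIXED_LEN:AH_FIXED_LEN + ICV_LEN]
    inner = rest[AH_FIXED_LEN + ICV_LEN:]
    _, _, _, spi, seq = struct.unpack(AH_FIXED, ah_fixed)
    if spi != SPI:
        return None
    if not hmac.compare_digest(icv, ah_icv(outer, ah_fixed, inner)):
        return None                          # tampered or wrong key: reject before trusting anything
    if not window.check_and_update(seq):     # window is updated only after the ICV checks out
        return None                          # replayed packet
    return inner


def demo():
    """Constructed inner packet between two hosts, carried between two gateways over the tunnel."""
    inner = ipv4_header("10.0.0.5", "10.0.1.7", 6, 5) + b"hello"
    rx = ReplayWindow()
    pkt = ah_tunnel_encapsulate(inner, 1, "203.0.113.1", "198.51.100.1")
    results = {}
    results["ok"] = ah_tunnel_verify(pkt, rx) == inner                       # genuine packet accepted
    forwarded = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]                      # a router decremented TTL
    results["ttl_dec"] = ah_tunnel_verify(forwarded, ReplayWindow()) == inner  # still accepted
    results["replay"] = ah_tunnel_verify(pkt, rx)                            # same seq again: rejected
    results["tamper"] = ah_tunnel_verify(pkt[:-5] + b"HELLO", ReplayWindow())  # payload edited: rejected
    return results


if __name__ == "__main__":
    print(demo())
```

The order inside `ah_tunnel_verify` matters: the anti-replay window is only advanced after the integrity check succeeds, otherwise a forged packet with a high sequence number could push genuine in-flight packets out of the window.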
AH Diagram
Encapsulating Security Payload (ESP)
- Known as "Transport Mode"
- Provides source authentication, integrity, an anti-replay service, and limited traffic-flow confidentiality
- Encryption of the IP packet layer is performed
  - Standard is 56-bit DES
  - But others can be used
ESP Diagram
When to Use Each Mode
- Between IPSec gateways
- End station to IPSec gateway
- IPSec router to server
- End station to end station
Advantages of VPN
- Cost
- Security
- Scalability
  - Increase infrastructure without physical addition
- Compatibility with broadband
- Multi-point communication
  - Business communication links
  - LAN to LAN
  - Mobile workers' access to the LAN
  - Off-site remote work more possible