Seminar Class CS591 Presentation Topic: VPN

Presentation transcript:

Internet Security
Seminar Class CS591
Presentation Topic: VPN

Virtual Private Network

What is VPN?
Extension of an enterprise's private intranet across a public network by:
- Encrypting the user's data
- Validating the user's data
- Authenticating the source of the data
- Establishing & maintaining cryptographic secrets

Why do businesses use VPN?
- Cost: ISP/NSP vs leased lines
- Simplified infrastructure: no modem bank
- Secured: encrypted, authenticated, integrally safe
- Interoperable: supports multiple protocols
- Distributed, deployable, scalable
Cost: Reduces carrier and access costs by eliminating long-distance & 800-line charges.
Infrastructure: Eliminates the need for a modem bank. Only a VPN server is required to be online on the net, consolidating remote access & the internet channel. Central management on a single server.


Types of VPN networks
- Branch office connection (Intranet)
- Business partner/supplier network
- Extranet
- E-Business
- Remote access
- Mobile IP

[Diagram: Branch office connection]

[Diagram: Business partner/supplier network]

[Diagram: Remote access]

How does VPN work?
Create a dedicated link using tunneling.
Basic components of a tunnel:
- A tunnel initiator (TI)
- A routed network
- An optional tunnel switch
- One or more tunnel terminators (TT)

Protocols standardized by IETF
- IPSec
- IKE
- L2F
- PPTP
- L2TP
IKE: Internet Key Exchange, formerly Internet Security Association Key Management Protocol (ISAKMP/Oakley)


IPSec
- Proposed by CISCO to IETF as standard
- Initially used by firewall & security products
- Secures the network or packet processing layer of the communication model
- 2 choices of security services: Authentication Header (AH) and Encapsulating Security Payload (ESP)
AH: essentially allows authentication of the sender of data.
ESP: supports both authentication of the sender and encryption of data as well.
Specific information associated with each of these services is inserted into the packet in a header that follows the IP packet header. Separate key protocols can be selected, such as IKE.
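To make the AH/ESP distinction above concrete, here is an added example (not part of the original slides) that finds the IPSec header following an IPv4 header and decodes its fields. The sample packets, SPIs, sequence numbers and the `ipv4` helper are constructed for illustration; the field layouts follow the published AH and ESP header formats.

```python
import struct

IPSEC_PROTOCOLS = {50: "ESP", 51: "AH"}  # IANA-assigned IP protocol numbers

def parse_ipsec(packet: bytes) -> dict:
    """Find and decode the AH or ESP header that follows the IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4              # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    service = IPSEC_PROTOCOLS.get(packet[9])  # byte 9 is the protocol field
    body = packet[ihl:]
    if service is None:
        return {"service": None}
    if service == "ESP":
        if len(body) < 8:
            raise ValueError("truncated ESP header")
        spi, seq = struct.unpack("!II", body[:8])
        # Past SPI and sequence number the payload is normally encrypted,
        # so an observer cannot see the inner protocol.
        return {"service": "ESP", "spi": spi, "seq": seq,
                "opaque_len": len(body) - 8}
    if len(body) < 12:
        raise ValueError("truncated AH header")
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", body[:12])
    ah_len = (payload_len + 2) * 4            # field counts 32-bit words minus 2
    if ah_len < 12 or len(body) < ah_len:
        raise ValueError("bad AH length")
    # AH authenticates but does not encrypt: the payload stays readable.
    return {"service": "AH", "spi": spi, "seq": seq, "next_header": next_header,
            "icv": body[12:ah_len], "cleartext": body[ah_len:]}

def ipv4(proto: int, body: bytes) -> bytes:
    """Build a constructed IPv4 packet (documentation addresses, checksum left 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                         proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return header + body

# Constructed samples: SPIs, sequence numbers and payloads are made up.
SAMPLE_AH = ipv4(51, struct.pack("!BBHII", 6, 4, 0, 0x1001, 1) + bytes(12)
                 + b"TCP segment in clear")
SAMPLE_ESP = ipv4(50, struct.pack("!II", 0x2002, 7) + bytes(range(32)))

if __name__ == "__main__":
    for sample in (SAMPLE_AH, SAMPLE_ESP):
        print(parse_ipsec(sample))
```

The AH result exposes the inner protocol number and the payload bytes, while the ESP result yields only the SPI, the sequence number and an opaque length.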

CISCO IPSec with IKE
- Diffie-Hellman: public-key method for key exchange
- DES: Data Encryption Standard
- MD5/SHA: Message Digest 5/SHA hash algorithms are used to authenticate packet data

IKE
- Protocol for Internet Key Exchange
- Formerly Internet Security Association & Key Management Protocol (ISAKMP/Oakley)
- ISAKMP manages negotiation of security
- Oakley uses Diffie-Hellman to establish the key

L2F
- Tunneling protocol created by CISCO
- Mechanism for transporting link-layer frames of higher-layer protocols, e.g. PPP
- VPDN
- NAS: ISP
- Home Gateway: Corporation

PPTP
- Point-to-Point Tunneling Protocol
- Developed by Microsoft, 3Com, Ascend, ECI
- Encapsulates PPP packets across IP-based internet
- Encryption: RSA-RC4

L2TP
- Combination of PPTP and L2F
- Makes multiple simultaneous tunnels between points
- Allows administrators to dedicate tasks to specific tunnels


VPN Technology
- Firewalls
- Intrusion Detection Tools
- Authentication Servers
- Encryption & Key Exchange

Implementation
- Networking connectivity: Intranet or Extranet or Remote Access
- Product or Service Provider
- VPN Gateway: software only (<1.5Mbps connection only), firewall based, router based
- Authentication methods: RADIUS, PKI, X509 (ITU), LDAP

Routers and Firewalls with encryption capability
Pros: Encryption upgrades, if available, can be cost effective.
Cons: Mixing vendor solutions can create compatibility issues that inhibit VPN capability. May not be able to provide PC-to-LAN capability without additional software support. Could require commitment to vendor's proprietary technology. May not provide multi-protocol support. Installation and configuration can add to network complexity. Encryption processing overhead may reduce performance.

Traditional Remote Access Server (RAS) with VPN add-on
Pros: May allow IT to take advantage of an existing hardware investment.
Cons: Traditional Remote Access Servers are not optimized for VPN. VPN add-ons may only be available for some high-end RAS solutions. May be ISP dependent, requiring the company to adopt the same RAS VPN vendor as the ISP. May not provide multi-protocol support. May require vendor proprietary software.

NOS/Server-Based VPN
Pros: More robust solution for PC-to-LAN access than that provided by firewalls or routers.
Cons: Difficult to set up and manage VPN functionality. Adding VPN services to a network server can impact performance while decreasing fault tolerance. Dedicating a network server to remote access can be prohibitively expensive.

VPN Services
Pros: Security and performance can be guaranteed for a price. Requires limited corporate support.
Cons: IT gives up control to the service provider. May not provide multi-protocol support. May not provide PC-to-LAN access. VPN services may be cost prohibitive.

Dedicated VPN Software
Pros: Optimized to create LAN-to-LAN connections via VPN. Dedicated VPN solution creates fault tolerance. Standalone VPN solutions can offer greater performance. Dedicated VPN solutions are generally easier to use and support than solutions originally designed for non-VPN functions such as firewalls, routers, network servers and traditional remote access servers. Eliminates the need for costly frame relay circuits, leased lines, etc.
Cons: Vendor proprietary software is needed for each server hosting VPN and each remote client accessing the LAN via VPN. Must invest in a dedicated server for maximum performance. Adding VPN software on an existing, in-use network server decreases fault tolerance and performance. Many solutions support IP-only VPNs and cannot transport packets from multiple protocols.

Dedicated VPN Hardware
Pros: Easy to install, configure and manage. Saves money by reducing equipment needs at corporate site. Stand-alone solution offers greater performance and fault tolerance because it is optimized for VPN functionality. Reduces costs of upgrading hardware as remote access technology changes. Reduces costs of upgrading system as the number of users increases.
Cons: Some solutions do not support multiple protocols. Some LAN-to-LAN VPN solutions require costly software add-ons to support remote client PCs. Some solutions require that proprietary software be loaded on the remote client's PC.

SECURITY STANCE
- Permit all access initially; administrator specifically denies individual access according to security policy.
- Deny all access initially; administrator specifically permits individual access according to security policy.

Security Techniques
- Packet Filters
- Circuit-level Gateways
- Application-level Gateways
Possible security breach/risk from remote access (RA):
- Unauthorized RA computer
- RA computer connected to insecure network
- Virus-infected RA computer
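The two security stances and the unauthorized remote access risk listed above can be compared directly. The following added example (not from the original slides) evaluates the same first-match rule list under both stances and reports the requests whose outcome depends only on the default; the users, networks and rules are constructed for illustration.

```python
import ipaddress

# Constructed policy: (user, destination network, action); first match wins.
RULES = [
    ("alice", "10.1.0.0/16", "permit"),
    ("bob", "10.1.20.0/24", "deny"),
    ("bob", "10.1.0.0/16", "permit"),
]

# Constructed remote-access requests: (user, destination address).
REQUESTS = [
    ("alice", "10.1.5.9"),
    ("bob", "10.1.20.4"),
    ("bob", "10.1.3.3"),
    ("unknown-laptop", "10.1.20.4"),   # no rule names this client at all
    ("alice", "10.9.0.1"),             # known user, network outside her rule
]


def decide(user, dest_ip, rules, default):
    """Return the action for one request; `default` is the security stance
    applied when no explicit rule matches."""
    dest = ipaddress.ip_address(dest_ip)
    for rule_user, network, action in rules:
        if rule_user == user and dest in ipaddress.ip_network(network):
            return action
    return default


def compare_stances(requests, rules):
    """List the requests that are decided by the stance, not by a rule."""
    differing = []
    for user, dest_ip in requests:
        permit_all = decide(user, dest_ip, rules, default="permit")
        deny_all = decide(user, dest_ip, rules, default="deny")
        if permit_all != deny_all:
            differing.append((user, dest_ip, permit_all, deny_all))
    return differing


if __name__ == "__main__":
    for row in compare_stances(REQUESTS, RULES):
        print("%s -> %s: permit-all stance=%s, deny-all stance=%s" % row)
```

Under the permit-all stance the administrator has to anticipate every client to deny; under deny-all, the client nobody wrote a rule for is refused by default.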

Companies supporting VPN
- Microsoft
- IBM
- Novell
- CISCO
- Nokia
- 3Com

FAQ
- Difference between VPN and Firewall?
- Difference between VPN and Proxy?
- Build own VPN or outsource to SP?
- Important critique?
- Interoperable?
- Scalability?
- Can you trust the internet?
- Any other questions?
Virtual Private Networks, by Charlie Scott, Paul Wolfe and Mike Erwin, O'Reilly & Associates, March 1998
