Virtual Private Networks (VPNs)


Virtual Private Networks (VPNs) VPNs allow secure, remote, connections… but they don’t protect you from a compromised remote PC.

Objectives (1 of 2) Explain the reasons organizations implement VPNs. Describe a VPN's core functions. Describe some of the issues associated with implementing VPNs. Describe the four main functions of IPSec.

Objectives (2 of 2) Describe the difference between AH and ESP. Explain the difference between Transport Mode and Tunnel Mode. Implement a VPN solution using Cisco’s ASA solution.

Reasons for Implementing (1 of 1) The need for secure business transactions. Many organizations have adopted VPNs for the following purposes: E-commerce solutions Government/legal/financial reporting Remote user (road warrior) access Budgetary considerations

VPN Core Functions (1 of 3) Core Activity #1: Encapsulation Data encapsulation means that a packet is enclosed within another one that carries different IP addressing, to provide a higher degree of security. Data packets are encapsulated within packets whose source and destination addresses are those of the VPN gateways.

VPN Core Functions (2 of 3) Core Activity #2: Encryption Encryption is the process of rendering information unreadable by all but the intended receiver. VPN endpoints encrypt and decrypt data by exchanging keys, or blocks of encoded data. The key is a part of an electronic document called a digital signature.

VPN Core Functions (3 of 3) Core Activity #3: Authentication Authentication is the process of identifying a user or computer as being authorized to access a network or network resource. Authentication uses digital certificates. The tunnel protocol used determines the type of authentication protocol used.

Issues with Implementing (1 of 6) VPNs provide a high level of security but… Depending on how they are implemented it may require opening up ports at the perimeter. If the central VPN device is located in the DMZ and IPSec is used as the VPN tunneling protocol TCP ports 50 and 51 may need to be opened, or the VPN “pass-through” option needs to be turned on.

Issues with Implementing (2 of 6) VPNs can be complex and expensive to implement and troubleshoot. Central VPN devices can be relatively expensive and are often priced based on user and bandwidth capacity. The organization may also have to pay for each client license that is used. Whether there is a single point of entry or multiple points of entry greatly alters the complexity and cost of the implementation design.

Issues with Implementing (3 of 6) Complexity and Expense cont. Encryption of the packet's header and data makes troubleshooting problems more difficult and more time-consuming. Encryption can result in higher bandwidth utilization and slower transfer rates. Organizations may also be limited to a specific vendor, as compatibility between vendors' hardware and software is not guaranteed.

Issues with Implementing (4 of 6) Poor configuration can result in weakened or bypassed security. Unattended or automated installations may result in weaker security. While these may lower the administrator's workload, they do nothing to ensure the system's base security setup. Often these installations place a "point-and-click" icon on the user's desktop for ease of use.

Issues with Implementing (5 of 6) Remote user rights and changes can result in weakened or bypassed security. If the remote user has full rights on their system/laptop they may: Disable vital system security features such as personal firewalls and anti-malware applications. Allow the installation of virus- or worm-infected files, trojans or other spyware.

Issues with Implementing (6 of 6) Compromised systems (especially those with the “point-and-click” icons) allow the system to become a “secure and authenticated” entry point for the hacker to attack through. IPSec’s AH Header does not work with NAT. If NAT needs to be performed it must be done before the AH Header is applied.

IPSec (1 of 11) IPSec is a framework of open standards. It has gone through a standardization process and is supported by most vendors. It operates on the network layer, protecting packets between network devices.

IPSec (2 of 11) IPSec provides four main functions: Confidentiality (Encryption) Data Integrity Origin Authentication Anti-replay Protection

IPSec (3 of 11) Confidentiality (Encryption) The sender encrypts the packets before transmitting them across the network, to prevent anybody except the intended recipient from reading the data. IPSec can be configured to use either symmetric or asymmetric keys.

IPSec (4 of 11) Most often a Preshared Key or an RSA public/private key pair is used. Preshared keys use the same key on all the VPN clients and devices to encrypt and decrypt. An RSA public/private key pair is more secure and requires each endpoint to have its own private and public key combination.

IPSec (5 of 11) Data Integrity This ensures the receiver can detect if the data has been altered during transmission. To guard against interception and alteration each message is sent with a hash digest. The receiver calculates a hash digest on each message it receives and compares it to the sent hash digest.

IPSec (6 of 11) IPSec uses the "Hashed Message Authentication Codes" (HMAC) protocol to calculate the hash digest. Currently there are two different hash algorithms that are commonly used: HMAC-MD5: uses a 128-bit shared key and the message to produce a 128-bit hash digest. HMAC-SHA1: uses a 160-bit shared key and the message to produce a 160-bit hash digest.

IPSec (7 of 11) Origin Authentication This allows the receiver to verify and authenticate the source of the packet. To do this the sender must attach some type of digital signature to the message to allow for “peer” authentication. Each end of the VPN tunnel must authenticate through this process before the transmission path is considered secure.

IPSec (8 of 11) There are three common “peer” authentication methods: Preshared keys Each peer has the same secret key entered into it manually. This preshared key is combined with other information to form an “authentication” key. This authentication key information is sent through a hash algorithm to create a hash digest that is sent to the other site/client. If the remote peer is able to generate the same hash, the local peer is authenticated.

IPSec (9 of 11) RSA signatures Uses a digital certificate that is also digitally signed. As with the Preshared Key, an authentication key is created using the public/private key pair and other information and is then used to create a hash digest. The hash digest is then encrypted with the sender's private key to form the digital signature. Both the digital certificate and digital signature are forwarded to the remote site. The public key that is used to decrypt the signature is included in the digital certificate.

IPSec (10 of 11) RSA encryption nonce Each peer generates a random number, encrypts it and then exchanges it with the other peer. Each peer then takes both nonces and combines them with other information to make the authentication key. All of this is then run through a hash algorithm to create the hash digest. The remainder of the process is the same as for RSA signatures.
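
The preshared-key method described on slides 8 of 11 and 9 of 11 (a secret combined with "other information", hashed, and checked by the peer) can be made concrete. The following is an added example written for this page, not code from the slides or from any vendor's IKE implementation. It assumes HMAC-SHA1 as the hash, two constructed gateway identities, and a key derivation modelled on IKEv1's SKEYID = prf(psk, Ni | Nr); the nonces are the "other information" and make each run's digests fresh.

```python
import hashlib
import hmac
import os

# Constructed identities for the two VPN peers (not from the slides).
INITIATOR_ID = b"gw-branch.example"
RESPONDER_ID = b"gw-hq.example"


def derive_auth_key(psk, initiator_nonce, responder_nonce):
    """Combine the preshared key with 'other information' (both peers' nonces).

    Modelled on IKEv1's SKEYID = prf(psk, Ni | Nr). Both sides can derive the
    same key only if they hold the same secret; the nonces never reveal it."""
    return hmac.new(psk, initiator_nonce + responder_nonce, hashlib.sha1).digest()


def auth_digest(auth_key, identity, nonce):
    """The hash digest a peer sends to prove it derived the same authentication key."""
    return hmac.new(auth_key, identity + nonce, hashlib.sha1).digest()


def psk_exchange(initiator_psk, responder_psk):
    """Run both sides of the exchange.

    Returns (responder accepts initiator, initiator accepts responder)."""
    # Messages 1 and 2: identities and fresh nonces cross the wire in the clear.
    ni, nr = os.urandom(16), os.urandom(16)
    # Each side derives the authentication key from its own copy of the secret.
    key_i = derive_auth_key(initiator_psk, ni, nr)
    key_r = derive_auth_key(responder_psk, ni, nr)
    # Messages 3 and 4: each side sends a digest bound to its identity and its nonce.
    sent_by_initiator = auth_digest(key_i, INITIATOR_ID, ni)
    sent_by_responder = auth_digest(key_r, RESPONDER_ID, nr)
    # Each receiver recomputes what the peer should have produced and compares
    # in constant time, so a mismatch does not leak where the digests diverge.
    responder_accepts = hmac.compare_digest(
        sent_by_initiator, auth_digest(key_r, INITIATOR_ID, ni))
    initiator_accepts = hmac.compare_digest(
        sent_by_responder, auth_digest(key_i, RESPONDER_ID, nr))
    return responder_accepts, initiator_accepts


if __name__ == "__main__":
    print("matching PSKs:  ", psk_exchange(b"correct horse", b"correct horse"))
    print("mismatched PSKs:", psk_exchange(b"correct horse", b"wrong horse"))
```

Because each digest is keyed with a value derived from both nonces, a digest captured from one exchange is useless in the next, which is why the slides describe the preshared key being "combined with other information" rather than hashed on its own.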

IPSec (11 of 11) Anti-replay Protection This allows the receiver to verify that the packet is unique (the original) and has not been duplicated. This is done by comparing the sequence number of the received packet with the sliding window’s expected sequence on the destination host. If the sequence number is prior to the sliding window’s sequence number the packet is considered to be late or duplicated and it is dropped.
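
The sliding-window check described above, as an added example that is not part of the original slides. It follows the receiver algorithm in RFC 4303 (the ESP specification) and assumes a 64-packet window; the arrival order in `run_sample` is constructed to exercise each branch: in-order packets, a late packet still inside the window, a duplicate, a large jump that slides the window, and a packet that has fallen off the left edge.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay window in the style of RFC 4303 (assumed 64-packet window)."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far (window right edge)
        self.bitmap = 0     # bit i set means sequence number (top - i) has been received

    def check(self, seq):
        """Return True if seq is acceptable: not yet seen and not older than the window."""
        if seq == 0:
            return False    # RFC 4303: sequence number 0 is never sent on an anti-replay SA
        if seq > self.top:
            return True     # newer than anything seen: the window will slide right
        offset = self.top - seq
        if offset >= self.size:
            return False    # older than the window's left edge: late or replayed, dropped
        return not (self.bitmap & (1 << offset))   # inside the window: reject if already marked

    def update(self, seq):
        """Mark seq as received. Called only after the packet's ICV verified (RFC 4303 order)."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq, icv_ok=True):
        """Full receive path: window check, then the (stand-in) ICV check, then window update."""
        if not self.check(seq) or not icv_ok:
            return False
        self.update(seq)
        return True


def run_sample():
    """Constructed arrival order: in order, a gap, a late packet, a duplicate, a jump, then too old."""
    window = AntiReplayWindow()
    arrivals = [1, 2, 3, 5, 4, 4, 70, 6, 7]
    return [window.receive(seq) for seq in arrivals]


def run_forged():
    """A packet with a fresh sequence number but a bad ICV must not advance the window."""
    window = AntiReplayWindow()
    window.receive(1)
    forged = window.receive(2, icv_ok=False)   # rejected, window stays at 1
    genuine = window.receive(2)                # the real packet with seq 2 is still accepted
    return forged, genuine


if __name__ == "__main__":
    print(run_sample())   # [True, True, True, True, True, False, True, False, True]
    print(run_forged())   # (False, True)
```

The order in `receive` matters: if the window were updated before the integrity check, anyone able to inject packets with high sequence numbers could slide the window forward and cause genuine traffic to be dropped as "too old".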

IPSec Protocols (1 of 10) IPSec relies on existing technology (DES, 3DES and AES for example) to secure communications, however it provides two main framework protocols. Authentication Header (AH) Encapsulation Security Payload (ESP)

IPSec Protocols (2 of 10) Authentication Header Used when confidentiality is not required. It provides data authentication (verifies the packet's origin) and integrity (verifies the data is not modified). It does not encrypt the data, so the data is sent as is, in clear, readable text.

IPSec Protocols (3 of 10) Authentication Header cont. Authentication is achieved by using a one-way hash algorithm to create a message digest based on the message data and a symmetric key known to both systems. The message data only uses fields in the datagram that remain static throughout transmission, e.g. fields such as TTL are not used as part of the message data.

IPSec Protocols (4 of 10) Authentication Header cont. Once calculated, the message digest is combined with the message data and sent to the receiving end. The receiver performs the same hash calculation and compares the received message digest with its own calculated message digest. If the results are the same, the authenticity of the packet is verified.

IPSec Protocols (5 of 10) Encapsulation Security Payload Used to provide encryption and authentication. It provides confidentiality by performing encryption at the IP packet layer. Like AH it also provides data authentication (verifies the packet's origin) and integrity (verifies the data is not modified).

IPSec Protocols (6 of 10) Encapsulation Security Payload cont. ESP supports several symmetric encryption algorithms including DES, 3DES and AES. If used between two VPN gateways the entire IP packet (IP header and payload) is encrypted.

IPSec Protocols (7 of 10) Encapsulation Security Payload cont. When performing encryption, an ESP header and a trailer are added to the encrypted payload. If we are not performing authentication, a new IP header is inserted in front of the ESP header to send the now encrypted packet to the receiver.

IPSec Protocols (8 of 10) Encapsulation Security Payload cont. If we include authentication as part of our ESP scenario it is performed in a similar process to the AH method; however, the ESP header, trailer and encrypted IP header are all now included in the hashing process.

IPSec Protocols (9 of 10) Encapsulation Security Payload cont. Once the authentication hash digest has been calculated, the message digest is appended to the packet behind the ESP trailer and then the new IP header is inserted at the front of the packet.

IPSec Protocols (10 of 10) Encapsulation Security Payload cont. If ESP encryption and authentication are both used, the encryption is performed first and then the authentication. This facilitates faster detection and rejection of incorrect and duplicate packets at the receiving end, since the receiver can check the digest before spending effort on decryption.

Tunnel and Transport Modes (1 of 7) ESP and AH can be applied in two different modes. Tunnel Mode Used between two VPN gateways. Transport Mode Used between hosts or devices acting as hosts and gateways.

Tunnel and Transport Modes (2 of 7) Tunnel Mode In this mode the original IP header is copied and is used as the packet’s new IP header. This keeps the original IP datagram (IP Header and payload) intact. The AH and/or ESP header is appended in front of the original IP datagram and then the new IP header is inserted at the front of the packet.

Tunnel and Transport Modes (3 of 7) Tunnel Mode cont. When using the AH protocol only, the original IP datagram is kept intact. Both the original and new IP headers now become part of the authentication process. This becomes a bit of a problem if we are using NAT, because NAT cannot change the new IP header without invalidating the hash digest calculation. Therefore NAT must be performed first, then the VPN processes can be performed.

Tunnel and Transport Modes (4 of 7) Tunnel Mode cont. When using both ESP and AH, the encryption process of ESP has to be performed first. ESP supports NAT in both Tunnel and Transport Modes. It allows the entire original datagram to be encrypted and authenticated because the receiver can authenticate the datagram before decrypting it.

Tunnel and Transport Modes (5 of 7) Transport Mode In this mode the IP address in the original IP header is left intact and readable. It uses the existing IP header as the mechanism for routing the packet across the internet. Again, if we are using AH only, then we must perform NAT before applying our VPN protocols.

Tunnel and Transport Modes (6 of 7) Transport Mode cont. To implement AH or ESP in this mode the original IP datagram is split into two parts: the IP header and the payload. Transport mode only protects the payload portion of the packet, regardless of whether AH and/or ESP are used.

Tunnel and Transport Modes (7 of 7) Transport Mode cont. Once the IP header and payload are separated, the AH and ESP protocol information can be inserted. If only AH is used then it is inserted between the original IP header and the payload of the datagram. If ESP is used then the ESP trailer (and possibly the ESP message digest) are appended to the end of the datagram.
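
The AH mechanics spread across the IPSec Protocols (3 and 4 of 10) slides and the Tunnel and Transport Modes slides (header placement, the "static fields only" rule for the digest, and why NAT breaks AH) can be shown in one piece of code. This is an added example written for this page, not code from the slides or from any IPsec stack. It assumes a 20-byte IPv4 header without options, HMAC-SHA1-96 as the integrity algorithm (RFC 2404: the 160-bit digest is truncated to 96 bits), the mutable-field list from RFC 4302 (ToS, flags/fragment offset, TTL, header checksum), and constructed addresses, key and payload.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AH_PROTO = 51       # Protocol value in the IP header when AH follows it
IPIP_PROTO = 4      # AH Next Header value for an encapsulated IPv4 datagram (tunnel mode)
ICV_LEN = 12        # HMAC-SHA1-96 (RFC 2404): 160-bit digest truncated to 96 bits
IPV4 = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header without options (assumed)


def ipv4_header(total_len, ttl, proto, src, dst, ident=0x1234):
    """Build a plain IPv4 header; checksum left 0 (a real stack fills it last, AH zeroes it anyway)."""
    return IPV4.pack(0x45, 0, total_len, ident, 0x4000, ttl, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)


def zero_mutable(hdr):
    """Zero the fields RFC 4302 calls mutable: ToS, flags/fragment offset, TTL, checksum."""
    ver, _tos, tl, ident, _frag, _ttl, proto, _csum, src, dst = IPV4.unpack(hdr)
    return IPV4.pack(ver, 0, tl, ident, 0, 0, proto, 0, src, dst)


def ah_fixed(next_hdr, spi, seq):
    """The 12 fixed AH bytes: Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Sequence."""
    return struct.pack("!BBHII", next_hdr, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)


def compute_icv(key, ip_hdr, ah, rest):
    """ICV over the whole packet with mutable IP fields and the ICV field itself zeroed."""
    covered = zero_mutable(ip_hdr) + ah + b"\0" * ICV_LEN + rest
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_transport(key, datagram, spi, seq):
    """Transport mode: AH sits between the original IP header and its payload."""
    hdr, payload = datagram[:20], datagram[20:]
    ver, tos, _tl, ident, frag, ttl, proto, _c, src, dst = IPV4.unpack(hdr)
    new_hdr = IPV4.pack(ver, tos, 20 + 12 + ICV_LEN + len(payload), ident, frag, ttl,
                        AH_PROTO, 0, src, dst)
    ah = ah_fixed(proto, spi, seq)          # Next Header = the original upper-layer protocol
    return new_hdr + ah + compute_icv(key, new_hdr, ah, payload) + payload


def ah_tunnel(key, datagram, gw_src, gw_dst, spi, seq, ttl=64):
    """Tunnel mode: the whole original datagram rides behind a new gateway-to-gateway header."""
    outer = ipv4_header(20 + 12 + ICV_LEN + len(datagram), ttl, AH_PROTO, gw_src, gw_dst)
    ah = ah_fixed(IPIP_PROTO, spi, seq)     # Next Header = IP-in-IP
    return outer + ah + compute_icv(key, outer, ah, datagram) + datagram


def verify_ah(key, packet):
    """Receiver: recompute the ICV the same way and compare in constant time."""
    ip_hdr, ah = packet[:20], packet[20:32]
    icv, rest = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(icv, compute_icv(key, ip_hdr, ah, rest))


def after_router_hop(packet):
    """A router decrements TTL: a mutable field, so the ICV still verifies."""
    hdr = bytearray(packet[:20])
    hdr[8] -= 1
    return bytes(hdr) + packet[20:]


def after_nat(packet, new_src):
    """NAT rewrites the source address: an immutable field, so the ICV no longer verifies."""
    hdr = bytearray(packet[:20])
    hdr[12:16] = IPv4Address(new_src).packed
    return bytes(hdr) + packet[20:]


def demo(key=b"constructed-demo-key"):
    payload = b"\x00\x50\x1f\x90constructed-segment"      # stands in for a TCP segment
    original = ipv4_header(20 + len(payload), 64, 6, "10.1.1.10", "10.2.2.20") + payload
    transport = ah_transport(key, original, spi=0x100, seq=1)
    tunnel = ah_tunnel(key, original, "203.0.113.1", "198.51.100.1", spi=0x200, seq=1)
    return {
        "transport_verifies": verify_ah(key, transport),
        "transport_ip_proto": transport[9],            # 51: AH follows the IP header
        "transport_next_hdr": transport[20],           # 6: original TCP payload follows AH
        "tunnel_verifies": verify_ah(key, tunnel),
        "tunnel_next_hdr": tunnel[20],                 # 4: inner IPv4 datagram follows AH
        "inner_datagram_intact": tunnel[32 + ICV_LEN:] == original,
        "verifies_after_ttl_decrement": verify_ah(key, after_router_hop(tunnel)),
        "verifies_after_nat": verify_ah(key, after_nat(tunnel, "192.0.2.7")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two results are the practical point of slides 3 of 7 and 5 of 7: a TTL decrement on the path leaves the digest valid because TTL is zeroed before hashing, while a NAT rewrite of the source address changes a covered field and the receiver drops the packet. That is why NAT has to happen before AH is applied, or ESP has to be used instead.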

VPN LAB (1 of 1) Your turn…