Privacy Issues in Virtual Private Networks Tim Strayer BBN Technologies.

Slide 2: What is a VPN?
- A private network running over shared network infrastructure (the Internet)
- Allows interconnection of different corporate network sites
- Allows remote users to access the corporate network
- Allows controlled access between different corporate networks

Slide 3: Why VPNs?
(diagram: a headquarters intranet and two remote-site intranets, joined either by a private network built from Frame Relay, ATM or dial-up service, or over the public Internet)

Slide 4: VPN Rationale
- Private networks: costly, inflexible, multiple infrastructures
- Virtual private networks: inexpensive, configurable, single infrastructure

Slide 5: The First VPN
- 1975: BBN delivered the first Private Line Interface (PLI) to the Navy
- Created secure network communication over the ARPANET
- Used a proprietary encryption and manual keying system

Slide 6: VPN Technologies
- Tunneling: an overlay that facilitates sharing a common infrastructure (IPsec, PPTP, L2TP, MPLS)
- Security: authentication (PKI, RADIUS, smartcard); access control (directory servers, ACLs); data security (confidentiality, integrity)
- Provisioning: QoS, traffic engineering

Slide 7: Island Metaphor
(diagram: a "Hello!" message is carried between two islands by the "SS Encapsulator", which forms the tunnel; outside the tunnel the message appears only as "???", and at the far end it is received as "Oh! Hi!")

Slide 8: Tunneling
- Usually the layers are inverted: the outer header is for the transport network, the inner packet is for the target network
(diagram: Outer Header | Inner Packet | Trailer, with example stacks Ethernet / IP / PPP and Ethernet / IP / TCP / FTP)

Slide 9: Tunnels at Layer 2
- Point-to-Point Tunneling Protocol (PPTP): integrated into Microsoft DUN and RAS; authentication/encryption provided by PPP
- Layer 2 Tunneling Protocol (L2TP): combines PPTP with Cisco L2F; layer 2 tunneling with UDP encapsulation
(diagram: a PPTP packet is IP | GREv2 | PPP | IP/IPX; an L2TP packet is IP | UDP | PPP | IP/IPX, optionally carried inside IPsec)

Slide 10: IPsec Protocol Suite
- Data encryption and authentication
- Two protocols: Encapsulating Security Payload (ESP), which assures data privacy and party authentication; Authentication Header (AH), which assures only party authentication
- Cryptographic key management; works well with Public Key Infrastructure and X.509 certificates
- Transport and tunnel modes of operation; IPsec VPNs use tunnel mode and ESP

Slide 11: IPsec Tunneling
(diagram: the original IP packet, header and payload, is placed behind a New IP Header, Security Parameter Index and Sequence Number and followed by the ESP Trailer and ESP Authentication; the original packet and ESP trailer are encrypted, and everything from the SPI through the ESP trailer is authenticated)

Slide 12: MPLS Tunneling
- Multi-Protocol Label Switching: high-speed switching technology
- Tunnels any layer
- Built into edge/core routers and switches
- No authentication/encryption
(diagram: Label | IP Header | IP Payload, where IP Header and IP Payload are the unchanged original packet)

Slide 13: IPsec vs. MPLS
- The two dominant VPN technologies
- Let's compare their approaches to privacy

Slide 14: What is meant by Private?
- "No one can see your stuff": the emphasis is on security (confidentiality, integrity, authentication, authorization, access control)
- "Carve out a piece of a shared network for your own use": the emphasis is on availability (traffic engineering)

Slide 15: Evolution of IPsec
- First defined as a security mode for IPv6, then ported to IPv4
- Combines tunneling with security
- Orthogonal services
- Complex key management

Slide 16: Evolution of MPLS
- ATM's VCI/VPI used for cut-through switching: separates routing from forwarding; supports resource allocation
- MPLS: IP cut-through switching using a label; routers switch on a preestablished label; routers don't care what's behind the label
- Originally proposed to accelerate routing

Slide 17: A Protocol Looking for a Use
- The fast-routing argument was lost with new routing technology (switching technology applied to the IP header)
- MPLS for traffic engineering: connection oriented; stateful (keeps track of resource allocation and usage); RSVP adapted for signaling
- Hot router selling feature

Slide 18: MPLS-VPN Security
- Label Switch Routers drop packets that do not belong to the VPN, based on the label
- BGP guards against injected routes using MD5 authentication
- Note: no data confidentiality; weak authentication; BGP is not sufficient to prevent fake routes

Slide 19: Why MPLS-VPN?
- Embed label switching in routers: sell more routers
- Replace Frame Relay and ATM with something that looks like these services: no profit in Frame Relay or ATM anymore
- Control provisioning at the edge of the ISP: sell a value-added service
- ISP dependent: keeps customers within the provider's network

Slide 20: Why IPsec-VPN?
- No changes to core routers; the security gateway/tunnel endpoint can be placed anywhere that is appropriate
- Separation through obfuscation: real data confidentiality, real authentication
- Routing protocol agnostic: no (more than current) reliance on well-behaved protocols
- ISP agnostic

Slide 21: Guarding Privates
- What separates a VPN's traffic from all other traffic? IPsec: data encryption. MPLS: different labels and forwarding tables.
- Who is responsible for the separation? IPsec: ISPs, but not necessarily; also the corporate IT group and even individuals. MPLS: ISPs.
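As an added illustration of slides 11, 12 and 21 (example code, not from the talk): a Python model of ESP tunnel-mode framing beside MPLS label framing, showing what a transit router can read from each. The HMAC-SHA256-derived keystream and HMAC-SHA1-96 ICV are stand-ins chosen here, not a negotiated IPsec transform, and the addresses, keys, SPI and label are constructed values.

```python
import hashlib
import hmac
import struct

ESP_PROTO, NEXT_HDR_IPIP, ICV_LEN = 50, 4, 12  # ESP protocol number, "IPv4 inside", 96-bit ICV

def ipv4_header(src, dst, proto, total_len):
    # Minimal 20-byte IPv4 header, checksum left zero (constructed for illustration only).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src, dst)

def keystream(key, spi, seq, n):
    # Stand-in per-packet keystream derived with HMAC-SHA256; NOT a standard IPsec cipher.
    blocks = (hmac.new(key, struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def esp_encapsulate(enc_key, auth_key, spi, seq, inner_packet, gw_src, gw_dst):
    # Slide 11 layout: new IP hdr | SPI | seq | {inner packet | pad | pad_len | next_hdr} | ICV
    pad_len = (-(len(inner_packet) + 2)) % 4
    plain = inner_packet + bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HDR_IPIP])
    body = bytes(a ^ b for a, b in zip(plain, keystream(enc_key, spi, seq, len(plain))))
    esp_hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, esp_hdr + body, hashlib.sha1).digest()[:ICV_LEN]
    esp = esp_hdr + body + icv
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, 20 + len(esp)) + esp

def esp_decapsulate(enc_key, auth_key, packet):
    # Check the ICV before touching the ciphertext, then decrypt and strip the trailer.
    esp = packet[20:]
    esp_hdr, body, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, esp_hdr + body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP authentication failed")
    spi, seq = struct.unpack("!II", esp_hdr)
    plain = bytes(a ^ b for a, b in zip(body, keystream(enc_key, spi, seq, len(body))))
    pad_len, next_hdr = plain[-2], plain[-1]
    if next_hdr != NEXT_HDR_IPIP:
        raise ValueError("unexpected next header")
    return plain[:-(pad_len + 2)]

def mpls_encapsulate(label, inner_packet):
    # Slide 12 layout: one label stack entry (label | exp | S=1 | TTL) in front of the unchanged packet.
    return struct.pack("!I", (label << 12) | (1 << 8) | 64) + inner_packet

def on_path_view(packet, mpls=False):
    # What a transit router can read from each encapsulation (slides 18 and 20).
    if mpls:  # label in front; the inner IP header and payload are in the clear
        return {"label": struct.unpack("!I", packet[:4])[0] >> 12, "inner": packet[4:]}
    # ESP: only outer addresses, protocol 50 and the SPI are readable; the rest is ciphertext
    return {"outer_src": packet[12:16], "outer_dst": packet[16:20], "spi": struct.unpack("!I", packet[20:24])[0]}
```

The sequence number is carried here only to vary the keystream; a real ESP receiver also uses it for replay protection, which this model omits.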

Slide 22: Dichotomy of Assumptions
- IPsec assumes the goal is IP delivery, with no trust of intermediate systems
- MPLS assumes the goal is engineered delivery, trusting the entities in the middle
- Begged question: is leaving security to someone else a good thing?

Slide 23: Which is the Right Way?
- Depends on what control you are willing to cede to service providers: what SLAs you demand; what you want to treat as a black box
- Depends on what you mean by private: no one is supposed to use your resources, or no one is able to see your stuff

Slide 24: Trends in VPNs
- IPsec is being built into routers, gateways, and firewalls, and can run at very high speeds
- Layer 2 tunneled through MPLS (Martini draft)
- Combining MPLS and IPsec: IP tunneled through IPsec tunneled through MPLS, the best of both worlds

Slide 25: There's more to it
- Establishing a VPN is much more than just building a set of tunnels between sites: authentication, access control, data confidentiality, data integrity, remote access

Slide 26: Where does Private go?
- "Virtual (Private Network)": makes sense; what the designers had in mind
- "(Virtual Private) Network": what happens if you're not careful

Slide 27: More about me
- This talk and other information at