Andreas Steffen, 5.12.2011, 13-VPN.pptx: Internet Security 1 (IntSi1), Prof. Dr. Andreas Steffen, Institute for Internet Technologies and Applications (ITA)


Slide 1: 13 Virtual Private Networks (Internet Security 1, IntSi1)

Slide 2: Layer 2 versus Layer 3 versus Layer 4

Communication layer  | Security protocols
Application layer    | ssh, S/MIME, PGP, Kerberos, WSS
Transport layer      | TLS, [SSL]
Network layer        | IPsec
Data Link layer      | [PPTP, L2TP], IEEE 802.1X, IEEE 802.1AE, IEEE 802.11i (WPA2)
Physical layer       | Quantum Communications

Slide 3: 13.1 Point-to-Point Protocol (PPP)

Slide 4: PPP-based Remote Access using Dial-In

Diagram: a Remote Client connects over the Public Switched Telephone Network (PSTN: POTS / ISDN) to a Remote Access Server at the edge of the Private Network; the IP or IPX payload is carried in PPP encapsulation across the dial-in link.
- Authentication using PAP (password), CHAP (challenge/response), or the Extensible Authentication Protocol (EAP), which supports e.g. token cards
- Optional PPP packet encryption (ECP) using preshared secrets
- Individual PPP packets are not authenticated
- The Link Control Protocol (LCP), as well as EAP and ECP, are not protected!

Slide 5: The PPP Encryption Control Protocol (ECP)

The Encryption Control Protocol (ECP, RFC 1968) uses the same packet exchange mechanism as the Link Control Protocol (LCP, RFC 1661). ECP packets may not be exchanged until PPP has reached the Network-Layer Protocol phase and should wait for an optional Authentication phase.
Exactly one ECP packet is encapsulated in the PPP Information field, where the PPP Protocol field indicates type 0x8053.
An encrypted packet is encapsulated in the PPP Information field, where the PPP Protocol field indicates type 0x0053 (Encrypted datagram).
Compression may also be negotiated using the Compression Control Protocol (CCP, RFC 1962).
ECP implementations should use the PPP Triple-DES Encryption Protocol (3DESE, RFC 2420): DES-EDE3-CBC with a 168 bit key.

ECP packet:          0x8053 | Code | ID | Length | ECP Options (algorithm, IV)
Encrypted datagram:  0x0053 | Seq. Nr | Ciphertext

Slide 6: The PPP Extensible Authentication Protocol (EAP)

Some of the authentication types supported by EAP (RFC 2284):
 1  Identity
 4  MD5-Challenge
 5  One-Time Password (OTP, RFC 2289)
 6  Generic Token Card
 9  RSA Public Key Authentication
13  EAP-TLS (RFC 2716, supported by Windows XP)
15  RSA Security SecurID EAP
17  EAP-Cisco Wireless
18  Nokia IP smart card authentication
23  UMTS Authentication and Key Agreement
24  EAP-3Com Wireless
25  PEAP (Protected EAP, supported by Windows XP)
29  EAP-MSCHAP-V2 (supported by Windows XP)
35  EAP-Actiontec Wireless
36  Cogent Systems Biometrics Authentication EAP

EAP packet: 0xC227 | Code | ID | Length | Type | Data
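The ECP and EAP packet layouts of slides 5 and 6 share the LCP-style Code / ID / Length header, and the Length field is the first thing a receiver has to validate against the bytes actually on the wire. The following Python is an added example and not code from the lecture: it demultiplexes a PPP frame by its Protocol field (0xC227 EAP, 0x8053 ECP, 0x0053 encrypted datagram) and decodes each payload. The sample frames are constructed, the function names are my own, and the EAP type table is only the subset of the slide's list needed here.

```python
import struct

# PPP Protocol field values from RFC 1968 (ECP), RFC 2420 (3DESE) and RFC 2284 (EAP)
PPP_PROTO_ENCRYPTED = 0x0053   # encrypted datagram produced by the negotiated cipher
PPP_PROTO_ECP = 0x8053         # Encryption Control Protocol
PPP_PROTO_EAP = 0xC227         # Extensible Authentication Protocol

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# subset of the EAP type numbers listed on the slide
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 5: "One-Time Password",
             6: "Generic Token Card", 13: "EAP-TLS", 25: "PEAP", 29: "EAP-MSCHAP-V2"}


def parse_code_id_length(info):
    """Code / ID / Length header shared by LCP, ECP and EAP; returns (code, id, body)."""
    if len(info) < 4:
        raise ValueError("packet shorter than the 4-byte Code/ID/Length header")
    code, ident, length = struct.unpack("!BBH", info[:4])
    # a Length field that overruns the frame is the classic out-of-bounds read trigger
    if length < 4 or length > len(info):
        raise ValueError("Length field %d inconsistent with %d bytes on the wire" % (length, len(info)))
    return code, ident, info[4:length]


def parse_eap(info):
    code, ident, body = parse_code_id_length(info)
    pkt = {"code": EAP_CODES.get(code, "unknown(%d)" % code), "id": ident}
    if code in (1, 2):                      # Request / Response carry a Type byte
        if not body:
            raise ValueError("EAP Request/Response without Type field")
        pkt["type"] = EAP_TYPES.get(body[0], "unknown(%d)" % body[0])
        pkt["data"] = body[1:]
    else:                                   # Success / Failure carry no Type
        pkt["data"] = body
    return pkt


def parse_ecp(info):
    """ECP negotiation packet: Code/ID/Length followed by Type/Length/Data options."""
    code, ident, body = parse_code_id_length(info)
    options = []
    while body:
        if len(body) < 2 or body[1] < 2 or body[1] > len(body):
            raise ValueError("malformed ECP configuration option")
        options.append((body[0], body[2:body[1]]))
        body = body[body[1]:]
    return {"code": code, "id": ident, "options": options}


def parse_encrypted(info):
    """Encrypted datagram (RFC 2420 format): 16-bit sequence number, then ciphertext."""
    if len(info) < 2:
        raise ValueError("encrypted datagram without sequence number")
    return {"seq": struct.unpack("!H", info[:2])[0], "ciphertext": info[2:]}


def parse_ppp(frame):
    """frame = 2-byte PPP Protocol field + Information field (HDLC address/control already stripped)."""
    if len(frame) < 2:
        raise ValueError("frame shorter than the PPP Protocol field")
    proto = struct.unpack("!H", frame[:2])[0]
    info = frame[2:]
    if proto == PPP_PROTO_EAP:
        return "EAP", parse_eap(info)
    if proto == PPP_PROTO_ECP:
        return "ECP", parse_ecp(info)
    if proto == PPP_PROTO_ENCRYPTED:
        return "Encrypted", parse_encrypted(info)
    return "other(0x%04X)" % proto, {"data": info}


# constructed sample frames (not captured traffic)
SAMPLE_EAP_REQUEST = b"\xc2\x27" + b"\x01\x01\x00\x05\x01"              # Request, id 1, Identity
SAMPLE_EAP_RESPONSE = b"\xc2\x27" + b"\x02\x01\x00\x0a\x01" + b"alice"  # Response, id 1, Identity "alice"
SAMPLE_ENCRYPTED = b"\x00\x53" + b"\x00\x07" + b"\xde\xad\xbe\xef"      # seq 7, 4 bytes of ciphertext

if __name__ == "__main__":
    for frame in (SAMPLE_EAP_REQUEST, SAMPLE_EAP_RESPONSE, SAMPLE_ENCRYPTED):
        print(parse_ppp(frame))
```

The parser rejects a Length field that claims more bytes than the frame carries; since LCP, ECP and EAP frames are not integrity protected (slide 4), this kind of header check is the only line of defence a PPP endpoint has against a malformed negotiation packet.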

Slide 7: 13.2 Layer 2/3/4 VPNs

Slide 8: Layer 2 Tunneling Protocol (L2TP), Compulsory Mode

Diagram: the Remote Client dials in over the PSTN and runs PPP over PSTN to the ISP's Network Access Server (NAS), which acts as L2TP Access Concentrator (LAC). The LAC forwards the PPP frames through an L2TP tunnel across the Internet to the L2TP Network Server (LNS) in front of the Private Network.
Layer 2 (client to NAS):  PPP | IP, IPX Payload
Layer 3 (LAC to LNS):     IP | UDP (port 1701) | L2TP | PPP | IP, IPX Payload

Slide 9: Layer 2 Tunneling Protocol (L2TP), Voluntary Mode

Diagram: the Remote Client itself runs the LAC. It uses the PPP-over-PSTN link to the ISP NAS only as a Layer 2 connection (wire) and builds the L2TP tunnel end-to-end to the LNS in front of the Private Network.
Client to NAS:  PPP | IP | UDP (port 1701) | L2TP | PPP | IP, IPX Payload
NAS to LNS:     IP | UDP (port 1701) | L2TP | PPP | IP, IPX Payload
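To make the layering of slides 8 and 9 concrete, here is an added Python example (not code from the slides) that peels an L2TP data packet layer by layer: outer IPv4, UDP on port 1701, the L2TPv2 header as defined in RFC 2661, the PPP frame, and finally the inner IP packet. The sample packet is constructed inline from documentation addresses, the IPv4 checksum is not verified, and the function names are my own.

```python
import socket
import struct

L2TP_UDP_PORT = 1701
IP_PROTO_UDP = 17
PPP_PROTO_IP = 0x0021
PPP_PROTO_IPX = 0x002B
PPP_NAMES = {PPP_PROTO_IP: "IP", PPP_PROTO_IPX: "IPX"}


def parse_ipv4(pkt):
    """Return (header fields, payload) for an IPv4 packet; the checksum is not verified here."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("IPv4 length fields inconsistent with packet size")
    hdr = {"proto": pkt[9], "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20])}
    return hdr, pkt[ihl:total_len]


def parse_udp(seg):
    if len(seg) < 8:
        raise ValueError("UDP segment too short")
    sport, dport, length = struct.unpack("!HHH", seg[:6])
    if length < 8 or length > len(seg):
        raise ValueError("UDP length field inconsistent with segment size")
    return {"sport": sport, "dport": dport}, seg[8:length]


def _field(msg, pos, fmt):
    """Unpack fmt at pos, raising ValueError instead of struct.error on a truncated header."""
    n = struct.calcsize(fmt)
    if len(msg) < pos + n:
        raise ValueError("L2TP header truncated")
    return struct.unpack(fmt, msg[pos:pos + n]), pos + n


def parse_l2tp(msg):
    """L2TPv2 header (RFC 2661): flags/version, optional Length, Tunnel ID, Session ID, optional Ns/Nr, Offset."""
    (flags,), pos = _field(msg, 0, "!H")
    if flags & 0x000F != 2:
        raise ValueError("not an L2TPv2 message")
    hdr = {"control": bool(flags & 0x8000)}             # T bit: control vs data message
    if flags & 0x4000:                                   # L bit: Length field present
        (length,), pos = _field(msg, pos, "!H")
        if length > len(msg):
            raise ValueError("L2TP Length field exceeds message")
        msg = msg[:length]
    (hdr["tunnel_id"], hdr["session_id"]), pos = _field(msg, pos, "!HH")
    if flags & 0x0800:                                   # S bit: Ns / Nr present
        (hdr["ns"], hdr["nr"]), pos = _field(msg, pos, "!HH")
    if flags & 0x0200:                                   # O bit: Offset Size, then padding
        (offset,), pos = _field(msg, pos, "!H")
        pos += offset
        if pos > len(msg):
            raise ValueError("L2TP offset padding exceeds message")
    return hdr, msg[pos:]


def parse_ppp(frame):
    """PPP frame inside L2TP: optional HDLC address/control (0xFF 0x03), then Protocol and payload."""
    if frame[:2] == b"\xff\x03":
        frame = frame[2:]
    if len(frame) < 2:
        raise ValueError("PPP frame too short")
    return struct.unpack("!H", frame[:2])[0], frame[2:]


def decapsulate(packet):
    """Peel outer IP / UDP / L2TP / PPP and describe each layer, ending with the inner IP packet if present."""
    outer, seg = parse_ipv4(packet)
    if outer["proto"] != IP_PROTO_UDP:
        raise ValueError("outer packet is not UDP")
    udp, msg = parse_udp(seg)
    if L2TP_UDP_PORT not in (udp["sport"], udp["dport"]):
        raise ValueError("not on the L2TP port")
    l2tp, frame = parse_l2tp(msg)
    layers = ["IP %s->%s" % (outer["src"], outer["dst"]),
              "UDP %d->%d" % (udp["sport"], udp["dport"]),
              "L2TP tunnel %d session %d" % (l2tp["tunnel_id"], l2tp["session_id"])]
    if l2tp["control"]:
        layers.append("L2TP control message")
        return layers
    proto, payload = parse_ppp(frame)
    layers.append("PPP " + PPP_NAMES.get(proto, "0x%04X" % proto))
    if proto == PPP_PROTO_IP:
        inner, _ = parse_ipv4(payload)
        layers.append("IP %s->%s" % (inner["src"], inner["dst"]))
    return layers


def ipv4_header(src, dst, proto, payload_len):
    # constructed header: version 4, IHL 5, TTL 64, checksum left at zero (parse_ipv4 does not check it)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


# constructed sample: client 198.51.100.2 -> LNS 203.0.113.1 carrying a private 10.0.0.0/8 packet
_inner = ipv4_header("10.0.0.5", "10.0.0.9", 6, 4) + b"\x00\x50\x00\x50"
_ppp = b"\xff\x03" + struct.pack("!H", PPP_PROTO_IP) + _inner
_l2tp = struct.pack("!HHHH", 0x4002, 8 + len(_ppp), 7, 3) + _ppp   # L bit set, version 2, tunnel 7, session 3
_udp = struct.pack("!HHHH", L2TP_UDP_PORT, L2TP_UDP_PORT, 8 + len(_l2tp), 0) + _l2tp
SAMPLE_PACKET = ipv4_header("198.51.100.2", "203.0.113.1", IP_PROTO_UDP, len(_udp)) + _udp

if __name__ == "__main__":
    for layer in decapsulate(SAMPLE_PACKET):
        print(layer)
```

Every header parsed here is readable by anyone on the path, which is the point slide 13 makes about L2TP without IPsec: the tunnel provides addressing, not confidentiality or integrity.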

Slide 10: Layer 3 Tunnel based on IPsec

Diagram: the VPN Client connects via PSTN and ISP to the Internet and builds an IPsec tunnel to the VPN Gateway in front of the Private Network.
Client to ISP:      PPP | IP | ESP | IP | Payload
Over the Internet:  IP | ESP | IP | Payload

Slide 11: L2TP over IPsec (RFC 3193), Voluntary Mode

Diagram: as in voluntary-mode L2TP, the Remote Client runs the LAC and tunnels PPP frames to the LNS; the L2TP/UDP traffic is protected by IPsec ESP in transport mode between client and LNS.
Client to NAS:  PPP | IP | ESP (IPsec transport mode) | UDP | L2TP | PPP | IP, IPX Payload
NAS to LNS:     IP | ESP (IPsec transport mode) | UDP | L2TP | PPP | IP, IPX Payload

Slide 12: Layer 4 Tunnel based on SSL/TLS

Diagram: a Browser with Plugin connects via PSTN and ISP to an SSL/TLS Proxy Server in front of the Private Network over an SSL/TLS tunnel.
Client to ISP:      PPP | IP | TCP* | SSL | IP Payload
Over the Internet:  IP | TCP* | SSL | IP Payload
*OpenVPN uses SSL over UDP

Slide 13: Layer 2/3/4 VPNs, Pros and Cons

Layer 2 (L2TP)
- Same login procedure as PPP (preshared secrets, RADIUS, etc.)
- Same auxiliary information as with PPP (virtual IP, DNS/WINS servers)
- No strong security without IPsec: LCP can be cheated into establishing no encryption, and non-authenticated L2TP packets are prone to replay attacks.

Layer 3 (IPsec)
- Cryptographically strong encryption and authentication of the VPN tunnel
- Can negotiate and enforce complex VPN access control policies
- XAUTH and IKEv2-EAP authentication offer PPP-like features
- Does not allow the tunneling of non-IP protocols (IPX, etc.)
- Complex connection setup, PKI management overhead

Layer 4 (TLS)
- Clientless and simple: Internet browser plus Java applets or plugin
- Cryptographically strong encryption and authentication of the VPN tunnel
- Access to certain applications needs a special plugin (still clientless?)

Slide 14: 13.3 Multi-Protocol Label Switching (MPLS)

Slide 15: MPLS based Virtual Private Networks

Diagram: IP network of a service provider with edge routers E1, E2, E3, E4 and core routers N1, N3. IP packets of User A and User B enter at the edge routers and are forwarded through the core with labels pushed onto them (packets of User A carry labels L1, L3, L5; packets of User B carry labels L2, L4, L6); the labels are removed again at the far edge, so that the traffic of the two users stays separated.

Slide 16: MPLS Layer 2 Shim Header (RFC 3032)

Label (20 bits) | CoS: Class of Service (3 bits) | B: Bottom of Stack (1 bit) | TTL: Time to Live (8 bits), 4 bytes in total

Slide 17: 13.4 IPsec Transport Mode

Slide 18: IPsec – Transport Mode

Diagram: two hosts communicate over the Internet on a secure IP connection end-to-end. Requirements: IP datagrams should be authenticated; IP datagrams should be encrypted and authenticated.

Slide 19: IPsec – Transport Mode, IP Authentication Header (AH)

AH: RFC 4302, IP protocol number for AH: 51
Mutable fields: Type of Service (TOS), Fragment Offset, Flags, Time to Live (TTL), IP header checksum
Before applying AH:  Original IP Header | TCP Header | Data
After applying AH:   Original IP Header | AH Header | TCP Header | Data
                     authenticated except for the mutable fields

Slide 20: IPsec – Transport Mode, IP Encapsulating Security Payload (ESP)

ESP: RFC 4303, IP protocol number for ESP: 50
ESP authentication is optional. With ESP authentication the IP header is not protected.
Before applying ESP:  Original IP Header | TCP Header | Data
After applying ESP:   Original IP Header | ESP Header | TCP Header | Data | ESP Trailer | ESP Auth
                      encrypted: TCP Header through ESP Trailer; authenticated: ESP Header through ESP Trailer

Slide 21: 13.5 IPsec Tunnel Mode

Slide 22: IPsec – Tunnel Mode

Diagram: Virtual Private Network (VPN). A Subnet behind one Security Gateway is connected to a Subnet behind another Security Gateway through a secure IP tunnel across the Internet.

Slide 23: IPsec Tunnel Mode using ESP

Encapsulating Security Payload (ESP): RFC 4303, IP protocol number for ESP: 50
ESP authentication is optional but often used in place of AH. The Original IP Header is encrypted and therefore hidden.
Before applying ESP:  Original IP Header | TCP Header | Data
After applying ESP:   Outer IP Header | ESP Header | Original IP Header | TCP Header | Data | ESP Trailer | ESP Auth
                      encrypted: Original IP Header through ESP Trailer; authenticated: ESP Header through ESP Trailer

Slide 24: ESP Header (Initial Header / Payload / Trailer)

After applying ESP:
  Security Parameters Index (SPI), 4 bytes        authenticated
  Anti-Replay Sequence Number, 4 bytes            authenticated
  Payload Data (variable, including IV)           encrypted, authenticated
  Padding (0-255 bytes)                           encrypted, authenticated
  Pad Length, 1 byte | Next Header, 1 byte        encrypted, authenticated
  Authentication Data (variable)
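The following Python is an added example, not code from the lecture, that frames and parses the ESP layout of slide 24: SPI, anti-replay sequence number, IV, payload, monotonic padding, Pad Length / Next Header, and an ESP Auth field computed as HMAC_SHA1_96 over everything from the SPI to the Next Header byte. It also implements the 64-packet sliding anti-replay window that the sequence number feeds. The cipher step is deliberately left out so that the framing stays visible; the key, the packet and the function names are my own constructions.

```python
import hashlib
import hmac
import os
import struct

IP_PROTO_ESP = 50
IP_PROTO_TCP = 6
ICV_LEN = 12           # HMAC_SHA1_96: the 20-byte SHA-1 MAC truncated to 96 bits


def esp_icv(auth_key, data):
    return hmac.new(auth_key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_esp(spi, seq, plaintext, next_header, auth_key, block_size=16, iv=None):
    """Frame plaintext as SPI | Seq | IV | payload | padding | Pad Length | Next Header | ICV.
    The cipher step is left out (payload stays readable), so only the framing and the ICV are shown."""
    iv = os.urandom(block_size) if iv is None else iv
    # CBC requires payload + padding + the 2 trailer bytes to be a multiple of the cipher block size
    pad_len = (-(len(plaintext) + 2)) % block_size
    padding = bytes(range(1, pad_len + 1))      # RFC 4303 default padding: 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + iv + plaintext + padding + bytes([pad_len, next_header])
    # the ICV covers everything from the SPI to the Next Header byte, but never the outer IP header
    return body + esp_icv(auth_key, body)


def parse_esp(pkt, auth_key, iv_len=16):
    if len(pkt) < 8 + iv_len + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    # verify integrity first and in constant time; nothing else is inspected before this passes
    if not hmac.compare_digest(icv, esp_icv(auth_key, body)):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    data = body[8 + iv_len:-2]
    if pad_len > len(data):
        raise ValueError("Pad Length exceeds payload")
    payload, padding = data[:len(data) - pad_len], data[len(data) - pad_len:]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes are not the expected monotonic sequence")
    return {"spi": spi, "seq": seq, "next_header": next_header, "payload": payload}


class ReplayWindow:
    """Sliding anti-replay window in the style of RFC 4303: a bitmap over the last `size` sequence numbers."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq):
        if seq == 0:                         # the first valid sequence number on an SA is 1
            return False
        if seq > self.top:                   # newer than anything seen: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) & ((1 << self.size) - 1)) | 1
            self.top = seq
            return True
        if self.top - seq >= self.size:      # older than the window: drop
            return False
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:                # already received: replay
            return False
        self.bitmap |= bit
        return True


# constructed sample (not captured traffic)
AUTH_KEY = b"constructed-auth-key-for-example"
SAMPLE_ESP = build_esp(0x1000, 1, b"hello world", IP_PROTO_TCP, AUTH_KEY, iv=bytes(16))

if __name__ == "__main__":
    print(parse_esp(SAMPLE_ESP, AUTH_KEY))
    window = ReplayWindow()
    print([window.check_and_update(s) for s in (1, 1, 3, 2, 2, 100, 36, 37)])
```

In a real SA the replay check runs after the ICV has verified, exactly as in parse_esp, so that a forged packet with a high sequence number cannot slide the window forward and cause legitimate traffic to be dropped.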

Slide 25: IPsec Tunnel Mode CBC Packet Overhead

Overhead components of an ESP packet in tunnel mode (best case and worst case overhead in bytes):
- Outer IP Header
- SPI / Seq. Number
- IV: 3DES_CBC IV or AES_CBC IV
- Padding: 3DES_CBC max Pad or AES_CBC max Pad (worst case only)
- Pad Len / Next Header
- Integrity check value: AES_XCBC_96, HMAC_SHA1_96, HMAC_SHA2_256_128, HMAC_SHA2_384_192 or HMAC_SHA2_512_256

Slide 26: Authenticated Encryption with Associated Data (AEAD)

AEAD is based on special block cipher modes:
- Block size: 128 bits
- Key size: 128/256 bits
- Tag size: 128/96/64 bits
- Nonce size: 96 bits = Salt (32 bits) | IV (64 bits), followed by a 32 bit Counter (Salt | IV | 0, Salt | IV | 1, Salt | IV | 2, ...)
Recommended AEAD modes: AES-Galois/Counter Mode (AES-GCM), AES-GMAC (authentication only)
Alternative AEAD modes: AES-CCM, CAMELLIA-GCM, CAMELLIA-CCM
Hash subkey derivation: the hash subkey H is obtained by encrypting the all-zero block 0...0 under the key K.

Slide 27: IPsec Tunnel Mode AEAD Packet Overhead

Overhead components of an ESP packet in tunnel mode with AES-GCM (best case and worst case overhead in bytes):
- Outer IP Header
- Security Parameter Index / Seq. Number
- AES_GCM IV
- Padding: AES_CNT max Pad (worst case only)
- Pad Len / Next Header
- Tag: AES_GCM_64 Tag, AES_GCM_96 Tag or AES_GCM_128 Tag (16 bytes)
Additional Authenticated Data: Security Parameter Index | Sequence Number, or Security Parameter Index | Extended Sequence Number
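The overhead tables of slides 25 and 27 can be recomputed from the field sizes, and the same arithmetic answers the practical question of which inner packet still fits a 1500-byte MTU without fragmentation. The Python below is an added example, not from the slides; it takes the IV, padding alignment and ICV/tag lengths from RFC 4303, RFC 4106 and the IKE transform names, assumes an outer IPv4 header without options (20 bytes), and also builds the AES-GCM nonce (salt | IV) and additional authenticated data (SPI | sequence number) of slides 26 and 27. Function names and the tables are my own.

```python
import struct

# Field sizes in bytes; the outer header is assumed to be an IPv4 header without options.
OUTER_IPV4 = 20
SPI_AND_SEQ = 8          # only the low 32 bits of an Extended Sequence Number travel on the wire
PADLEN_NEXTHDR = 2

# cipher -> (IV length, alignment the padding must reach, tag length for AEAD or None)
CIPHERS = {
    "3DES_CBC": (8, 8, None),
    "AES_CBC": (16, 16, None),
    "AES_GCM_64": (8, 4, 8),     # counter mode: no block padding, only 4-byte alignment
    "AES_GCM_96": (8, 4, 12),
    "AES_GCM_128": (8, 4, 16),
}
INTEGRITY = {
    "HMAC_SHA1_96": 12,
    "AES_XCBC_96": 12,
    "HMAC_SHA2_256_128": 16,
    "HMAC_SHA2_384_192": 24,
    "HMAC_SHA2_512_256": 32,
}


def _sizes(cipher, integ):
    iv_len, align, tag_len = CIPHERS[cipher]
    if tag_len is not None:
        if integ is not None:
            raise ValueError("%s already authenticates; no separate integrity algorithm" % cipher)
        return iv_len, align, tag_len
    if integ is None:
        raise ValueError("%s needs an integrity algorithm" % cipher)
    return iv_len, align, INTEGRITY[integ]


def esp_packet_size(payload_len, cipher, integ=None):
    """Total on-the-wire size of a tunnel-mode ESP packet carrying payload_len bytes of inner packet."""
    iv_len, align, icv_len = _sizes(cipher, integ)
    pad_len = (-(payload_len + PADLEN_NEXTHDR)) % align
    return OUTER_IPV4 + SPI_AND_SEQ + iv_len + payload_len + pad_len + PADLEN_NEXTHDR + icv_len


def esp_overhead(cipher, integ=None):
    """(best case, worst case) overhead in bytes: padding is 0 at best and align-1 at worst."""
    iv_len, align, icv_len = _sizes(cipher, integ)
    best = OUTER_IPV4 + SPI_AND_SEQ + iv_len + PADLEN_NEXTHDR + icv_len
    return best, best + align - 1


def max_inner_packet(mtu, cipher, integ=None):
    """Largest inner packet whose ESP encapsulation still fits into mtu bytes without fragmentation."""
    iv_len, align, icv_len = _sizes(cipher, integ)
    room = mtu - (OUTER_IPV4 + SPI_AND_SEQ + iv_len + icv_len)   # room for payload + padding + trailer
    return (room // align) * align - PADLEN_NEXTHDR


def gcm_nonce_and_aad(salt, iv, spi, seq, extended=False):
    """Inputs to AES-GCM as used by ESP: a 96-bit nonce = 32-bit salt | 64-bit IV, and the
    additional authenticated data SPI | sequence number (32-bit, or 64-bit with ESN)."""
    if len(salt) != 4 or len(iv) != 8:
        raise ValueError("salt must be 4 bytes and the IV 8 bytes")
    aad = struct.pack("!IQ" if extended else "!II", spi, seq)
    return salt + iv, aad


if __name__ == "__main__":
    for cipher, integ in (("3DES_CBC", "HMAC_SHA1_96"), ("AES_CBC", "HMAC_SHA2_256_128"), ("AES_GCM_128", None)):
        print(cipher, integ, "overhead best/worst:", esp_overhead(cipher, integ),
              "max inner packet at MTU 1500:", max_inner_packet(1500, cipher, integ))
```

The gap between the AES_CBC and AES_GCM results is where AEAD earns its keep: the IV shrinks from 16 to 8 bytes and the padding from a 16-byte block to 4-byte alignment, while the tag does the work of the separate integrity algorithm.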

Slide 28: IPsec Tunnel Mode using AH

Authentication Header (AH): RFC 4302, IP protocol number for AH: 51
Mutable fields: Type of Service (TOS), Fragment Offset, Flags, Time to Live (TTL), IP header checksum
ESP can be encapsulated in AH.
Before applying AH:  Original IP Header | TCP Header | Data
After applying AH:   Outer IP Header | AH Header | Original IP Header | TCP Header | Data
                     authenticated (except for the mutable fields of the Outer IP Header)
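Slides 19 and 28 list the mutable IP header fields that AH leaves out of its ICV. The Python below is an added example, not code from the lecture, that applies AH with HMAC_SHA1_96 to a tunnel-mode packet (outer IP header, AH, inner IP packet) and then shows what a router and what a NAT device do to that packet: decrementing the TTL and fixing the checksum leaves the ICV valid, while rewriting the destination address breaks it. Addresses, key and function names are constructed for the example.

```python
import hashlib
import hmac
import socket
import struct

IP_PROTO_AH = 51
IP_PROTO_IPIP = 4        # tunnel mode: the AH payload is a complete inner IP packet
IP_PROTO_TCP = 6
ICV_LEN = 12             # HMAC_SHA1_96


def ip_checksum(hdr):
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src, dst, proto, payload, ttl=64):
    """Constructed IPv4 packet (IHL 5, DF set, no options) with a correct header checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl, proto, 0,
                                socket.inet_aton(src), socket.inet_aton(dst)))
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def zero_mutable_fields(ip_hdr):
    """Copy of the IPv4 header with the fields AH excludes set to zero (RFC 4302):
    TOS, Flags + Fragment Offset, TTL and the header checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key, ip_hdr, ah_fixed, payload):
    # the ICV field itself counts as zero while the MAC is computed
    data = zero_mutable_fields(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def apply_ah(ip_packet, spi, seq, key):
    """Insert AH between the IP header and whatever follows it (the inner IP packet in tunnel mode)."""
    ihl = (ip_packet[0] & 0x0F) * 4
    hdr, payload = bytearray(ip_packet[:ihl]), ip_packet[ihl:]
    next_header = hdr[9]
    # Payload Len counts 32-bit words of the AH minus 2: (12 + 12) / 4 - 2 = 4 for a 96-bit ICV
    ah_fixed = struct.pack("!BBHII", next_header, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    hdr[9] = IP_PROTO_AH
    hdr[2:4] = struct.pack("!H", struct.unpack("!H", hdr[2:4])[0] + 12 + ICV_LEN)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    hdr = bytes(hdr)
    return hdr + ah_fixed + ah_icv(key, hdr, ah_fixed, payload) + payload


def verify_ah(pkt, key):
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 12 + ICV_LEN or pkt[9] != IP_PROTO_AH:
        return False
    hdr, ah_fixed = pkt[:ihl], pkt[ihl:ihl + 12]
    icv, payload = pkt[ihl + 12:ihl + 12 + ICV_LEN], pkt[ihl + 12 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, hdr, ah_fixed, payload))


def forward_hop(pkt):
    """What a router does: decrement the TTL and fix the header checksum (both mutable under AH)."""
    h = bytearray(pkt)
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h[:20])))
    return bytes(h)


def rewrite_dst(pkt, new_dst):
    """What a NAT device does: change the destination address (immutable under AH)."""
    h = bytearray(pkt)
    h[16:20] = socket.inet_aton(new_dst)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h[:20])))
    return bytes(h)


# constructed sample: gateway 198.51.100.1 tunnels a private 10.0.0.0/8 packet to gateway 203.0.113.1
AH_KEY = b"constructed-ah-key-for-example"
INNER = ipv4_packet("10.0.0.5", "10.0.1.7", IP_PROTO_TCP, b"\x00\x50\x00\x50payload")
OUTER = ipv4_packet("198.51.100.1", "203.0.113.1", IP_PROTO_IPIP, INNER)
PROTECTED = apply_ah(OUTER, 0x2000, 1, AH_KEY)

if __name__ == "__main__":
    print("as sent:    ", verify_ah(PROTECTED, AH_KEY))
    print("after a hop:", verify_ah(forward_hop(PROTECTED), AH_KEY))
    print("after NAT:  ", verify_ah(rewrite_dst(PROTECTED, "203.0.113.9"), AH_KEY))
```

The third line of output is the practical reason ESP with authentication is used in place of AH on slide 23: any address translation on the path invalidates an AH packet by design, whereas an ESP ICV never covers the outer header.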