Defence R&D Canada / R et D pour la défense Canada
Dynamic VPN Controller
Developed by NRNS Inc.
July 2, 2003

Defence R&D Canada - Ottawa / Centre de recherches pour la défense Ottawa

Dynamic VPN Controller (DVC)
- Concept originated by DRDC Ottawa, fertilized by the DARPA X-Bone project at ISI.
- Developed from open-source software plus portions of the X-Bone software.

Rationale
- Initial experimentation with VPN technology among ICB members determined that VPN solutions were difficult to configure and manage.
- Each partner needed to configure explicit network and security policy information about all other members.
- Proper VPN operation was also dependent on firewall, routing and name binding (DNS) configurations.
- A system was needed that could:
  - Effectively establish and manage VPNs without requiring advance detailed knowledge of other partners' network infrastructures and security policies.
  - Dynamically reconfigure firewall, routing and DNS subsystems.

Dynamic VPN Principles
- Each partner owns resources that will be utilized in the VPN. These resources may range from a single service to a complete network.
- Each DVC exchanges policies identifying available resources with each other DVC.
  - Policies must be agreed upon by both partners before a DVC establishes a VPN link between them.
  - Policies may be different between different partner pairs.
  - The exchange must remain private.
- Each DVC must authenticate itself to each other DVC to avoid spoofing.
  - X.509 certificates authenticate both SSL control sessions and possibly IPSec based VPN tunnels.

Dynamic VPN Principles (cont.)
- VPN links are established as peer-to-peer links, resulting in a fully meshed VPN topology.
- The DVC ensures that only traffic permitted by mutually agreed policies uses the VPN (Firewall subsystem).
- The DVC ensures that traffic for remote partner networks is directed at the DVC (Routing subsystem).
- The DVC ensures that name bindings needed to access remote services are locally accessible (DNS subsystem).
- The health of the VPN is monitored and reported to all partners.

DVC System Components
- Currently runs on FreeBSD-4.6.
- System is written in Perl:
  - Main DVC process: 4000 lines
  - DVC GUI (CGI script): 1300 lines
  - Subsystems: 1800 lines
- System also employs:
  - OpenSSL: certificate issuance, authenticated/secure sessions
  - KAME: IPSec subsystem
  - IPFilter: Firewall subsystem
  - Bind: DNS subsystem
  - Zebra: Routing subsystem
  - Apache, mod-ssl: Graphical User Interface

DVC System Authentication
- SSL is used to secure control connections between DVCs.
- SSL control connections between DVCs are authenticated with X.509 certificates.
- The same X.509 certificates are used to authenticate ISAKMP security associations, if dynamic keying is used.
- Each DVC system uses the OpenSSL software to generate its own key pair and certificate signing request (CSR).
- Private keys generated for the local DVC never leave the system.
- DVC certificates are currently signed by a common OpenSSL CA for the project; cross-certification is needed to overcome this.
- The CSR and signed public certificate are exchanged via Internet e-mail.

DVC Operator Authentication
- HTTPS/SSL is used to secure the connection between the Operator's browser and the DVC system.
- HTTPS/SSL connections between the browser and the DVC system are authenticated with X.509 certificates.
- Each DVC system operates its own distinct OpenSSL CA to issue operator certificates. This ensures that only operators recognized by the local DVC system can operate the local DVC system.
- The Operator key pairs are generated on the DVC system and provided to the Operator in password protected PKCS #12 files.

DVC Use of Certificates

DVC Operator Interface

Local Policy Database
- Policies are compiled for each partner and are stored in a local Policy Database.
- These policies define:
  - Which local networks require access to the remote partner site via the VPN.
  - Which local services are available to a remote partner site.
  - Which name bindings are needed by the remote partner site to make use of the services offered via the local DVC system.
  - What type of services are expected from the remote partner site.
- The Policies may be different for each partner.

Policy Exchange
- DVC systems exchange policies to configure all aspects of the VPN.
- DVC "A" provides to DVC "B" the list of "A's" local networks that require access to "B's" services. DVC "B" provides similar information to DVC "A".
- DVC "A" provides to DVC "B" the list of services that "A" is willing to make available to "B". DVC "B" provides similar information to DVC "A".
- The remote partner's offered services are compared and validated against the locally configured "expected" services.
- The exchanged information is used by each DVC in configuring the local side of the VPN, which includes the Firewall, Routing and DNS subsystems.

Policy Validation
- The DVC software is being enhanced to automatically determine the suitability of policies presented by a remote DVC peer.
- DVC will validate proposed policies with additional configuration items such as "Must Contain", "May Contain" and "Must Not Contain":

    Must Contain      TCP/80    <-- Web is a must
    May Contain       TCP/22    <-- SSH is OK
    Must Not Contain  TCP/23    <-- No TELNET

- New configuration items simply identify the types of services expected from the remote partner, not how the services will be provided.
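The following is an added example (not the DVC project's own Perl code) of the comparison the two preceding slides describe: a partner's offered service list is checked against the local "expect" policy, and the result says what a firewall subsystem would actually open. The ExpectPolicy structure, the function names and the rule that any missing or forbidden service rejects the whole offer are assumptions; only the "PROTO/PORT" notation and the three categories come from the slides.

```python
from dataclasses import dataclass

# Added example (not the DVC project's own Perl code). The "PROTO/PORT"
# service notation and the Must/May/Must Not Contain categories come from
# the slides; the data structures, names and the rule that a missing or
# forbidden service rejects the whole offer are assumptions.

@dataclass(frozen=True)
class ExpectPolicy:
    must_contain: frozenset      # services the partner must offer
    may_contain: frozenset       # services that are acceptable if offered
    must_not_contain: frozenset  # services whose presence rejects the offer

def parse_service(spec):
    """Normalise 'tcp/80' -> ('TCP', 80); reject malformed entries early."""
    proto, _, port = spec.strip().partition("/")
    proto = proto.upper()
    if proto not in ("TCP", "UDP") or not port.isdigit():
        raise ValueError(f"malformed service spec: {spec!r}")
    if not 0 < int(port) < 65536:
        raise ValueError(f"port out of range: {spec!r}")
    return proto, int(port)

def validate_offer(offered, policy):
    """Compare a peer's offered services with the local expect policy.

    Returns (accepted, report). 'allowed' is what a firewall subsystem
    would open: offered services the policy explicitly expects. Services
    the policy never mentions are reported as 'unexpected' and stay closed."""
    offered_set = {parse_service(s) for s in offered}
    must = {parse_service(s) for s in policy.must_contain}
    may = {parse_service(s) for s in policy.may_contain}
    must_not = {parse_service(s) for s in policy.must_not_contain}
    report = {
        "missing": sorted(must - offered_set),
        "forbidden": sorted(offered_set & must_not),
        "unexpected": sorted(offered_set - must - may),
        "allowed": sorted(offered_set & (must | may)),
    }
    accepted = not report["missing"] and not report["forbidden"]
    return accepted, report

# Constructed sample: the expect policy shown on the slide.
SLIDE_POLICY = ExpectPolicy(
    must_contain=frozenset({"TCP/80"}),      # Web is a must
    may_contain=frozenset({"TCP/22"}),       # SSH is OK
    must_not_contain=frozenset({"TCP/23"}),  # No TELNET
)
```

An offer of TCP/80, TCP/22 and UDP/53 is accepted with UDP/53 reported as unexpected and left closed; an offer of TCP/22 and TCP/23 is rejected for both the missing Web service and the forbidden TELNET service.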

Subsystems
- The DVC software controls four subsystems:
  - IPSec (KAME with manual keying). Establishes secure/authenticated tunnels to trusted remote peers.
  - Firewall (IPFilter). Enforces both local and remote access policies.
  - Routing (Zebra). Advertises routes for remote networks within the local routing domain.
  - DNS (Bind). Advertises the name bindings necessary to access remote services from within the local domain.
- DVC Subsystems are implemented as Perl packages with well-defined interfaces. This will facilitate the development of subsystems on different platforms such as Cisco and Linux.

Health & Status Monitoring
- A DVC monitors the health (round-trip time, packet loss) of the VPN to all remote DVCs.
- A DVC also reports status information (number of packets, number of bytes).
- Health and Status are periodically reported to the DVC Operator.
- Health is also communicated to other partner DVCs.
- Each DVC can determine the current topology of the entire VPN:
  - Who is connected to whom?
  - What is the health of their connections?
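As an added example (not the DVC project's own code) of how a DVC could derive the whole-VPN topology from the health reports its partners share: each DVC reports the links it measured itself, and the merge flags links that only one end reports, which in a fully meshed VPN usually means a tunnel failed in one direction or a report is stale. The report layout, the loss threshold and the link states are assumptions; the metrics come from the slide.

```python
# Added example, not the DVC project's own code. The health metrics
# (round-trip time, packet loss) and the idea that every DVC can derive
# the whole VPN topology come from the slides; the report layout, the
# loss threshold and the one-sided-link check are assumptions.

# Constructed sample: each DVC reports only the links it measured itself,
# as {peer: (rtt_ms, loss_percent)}. D reports A, but A does not report D.
REPORTS = {
    "A": {"B": (20.0, 0.0), "C": (35.0, 1.0)},
    "B": {"A": (21.0, 0.0), "C": (40.0, 25.0)},
    "C": {"A": (36.0, 0.5), "B": (41.0, 24.0)},
    "D": {"A": (50.0, 0.0)},
}

def merge_topology(reports, max_loss=10.0):
    """Fold per-DVC reports into {frozenset({x, y}): state}.

    'up'        both ends report the link and loss is within max_loss
    'degraded'  either end reports loss above max_loss
    'one-sided' only one end reports the link: a tunnel that failed in
                one direction, or a stale report from the other DVC"""
    ends_by_link = {}
    for src, peers in reports.items():
        for dst, (rtt, loss) in peers.items():
            link = frozenset((src, dst))
            ends_by_link.setdefault(link, {})[src] = (rtt, loss)
    topology = {}
    for link, ends in ends_by_link.items():
        if len(ends) < 2:
            topology[link] = "one-sided"
        elif any(loss > max_loss for _, loss in ends.values()):
            topology[link] = "degraded"
        else:
            topology[link] = "up"
    return topology

def missing_mesh_links(reports, topology):
    """A fully meshed VPN needs a link per pair; list pairs nobody reported."""
    dvcs = sorted(reports)
    return [(a, b) for i, a in enumerate(dvcs) for b in dvcs[i + 1:]
            if frozenset((a, b)) not in topology]
```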

No Central Authority
- A DVC maintains all configuration information in its Local Policy Database.
- A DVC does not rely on any central authority for configuration information.
- All members of the VPN are equal partners.
- Each DVC maintains its own notion of its partners.

Scaling Issues
- The system establishes a fully-meshed topology.
- The system will not scale to hundreds of sites:
  - An SSL connection is needed between each pair of DVCs.
  - An IPSec tunnel is needed between each pair of DVCs.
- Partial meshing requires that intermediate DVCs can decrypt data in transit.

Current Enhancements
- Introduction of locally defined "expect" policies to assist in validating policies proposed by a remote partner.
- Introduction of XML as the encoding mechanism for DVC control messages and security policies.
- A "Policy Editor" will be added to the DVC GUI. Currently the policy must be edited on the DVC system using a Unix text-based editor. The Policy Editor is likely to be implemented in Java.

Future Enhancements?
- Multi-platform support (Linux).
- Porting the DVC system to IPv6, including the integration of IPv6 support within the IPSec, Firewall, Routing and DNS subsystems.
- Migrate the IPsec, Firewall, Routing and DNS subsystems onto separate systems. IPSec, firewall and routing could reside on the boundary enforcement point (Cisco).
- The development of an active GUI to shift most of the operator update responsibility to the client workstation. Real-time "pushed" updates instead of periodic "pulled" updates would considerably speed up the feedback to the DVC Operator.