SCSC 455 Computer Security Virtual Private Network (VPN)
How to connect LANs There’re common demands of joining two or multiple LANs to facilitate corporate communications secure point-to-point communications The connection can only used by authenticated LANs / hosts One solution (traditional one) is to use private leased lines Problems: don’t scale well, cost is high, and the complexity of maintaining the leased lines Another solution – virtual private networks
VPNs Goal of VPNs Provide a cost-effective and secure way to connect businesses to one another and remote workers to office networks Functionalities of VPNs Encapsulate and encrypt data being transmitted Use authentication to ensure that only approved users can access the VPN Provide a means of secure point-to-point communications over the public Internet
Index VPN components and operations Types of VPNs VPN setups Tunneling protocols used with VPNs Enabling secure remote access connections within VPNs VPNs best practices
Components within VPNS VPNs consist of two different types of components Hardware devices two endpoints (terminators) Encryption, authentication, and encapsulation a (virtual) tunnel A series of connections between two endpoints than makes use of Internet-based hosts/servers Software that performs security-related activities
Essential Activities of VPNs Three essential activities of VPNs IP encapsulation Data payload encryption Encrypted authentication
IP Encapsulation VPN encapsulates actual data packets within packets that use source and destination addresses of VPN gateway The benefits of encapsulating IP packets Source and destination information of actual data packets are completely hidden source and destination IP addresses of actual data packets can be in private reserved blocks not usually routable over the Internet
Data Payload Encryption VPNs do NOT encrypt the header within packets, only the data payload that the packets carry. The encryption can be performed in one of two ways: Transport method The host encrypts traffic when it’s generated Tunnel method The traffic is encrypted and decrypted in transit, somewhere between the source host and destination.
Encrypted Authentication Authentication is essential Hosts in the network that receive VPN communication need to know that the host originating the communications is an approved user of the VPN Hosts are authenticated by exchanging long blocks of code - keys Types of keys that can be exchanged in an encrypted transaction: Symmetric keys Asymmetric keys
Index VPN components and operations Types of VPNs VPN setups Tunneling protocols used with VPNs Enabling secure remote access connections within VPNs VPNs best practices
Types of VPNs Two types of VPNs Site-to-site VPN Links two or more networks Client-to-site VPN Makes a network accessible to remote users who need dial-in access These two types VPNs are NOT mutually exclusive e.g., a large corporations’ network support both site-to-site VPN and client-to-site VPN
Advantage of Using Hardware Systems
Software VPN Systems Software VPN are generally less expensive than hardware systems Tend to scale better for fast-growing networks Examples F-Secure VPN+ Novell BorderManager VPN services Check Point FireWall-1
Index VPN components and operations Types of VPNs VPN setups Tunneling protocols used with VPNs Enabling secure remote access connections within VPNs VPNs best practices
Index VPN components and operations Types of VPNs VPN setups Tunneling protocols used with VPNs Enabling secure remote access connections within VPNs VPNs best practices
Tunneling Protocols Used with VPNs In the past, firewalls support VPNs used proprietary protocols Both endpoints must use the same brand of firewall Today the proprietary protocols are used less often. Most VPNs use standard tunneling protocols IPSec/IKE PPTP (Point-to-Point Tunneling Protocol) L2TP (Layer 2 Tunneling Protocol) PPP over SSL (Point-to-Point Protocol over Secure Sockets Layer) PPP over SSH (Point-to-Point Protocol over Secure Shell)
IPSec/IKE IPSec provides: Encryption of the data part of packets Authentication Encapsulation between two VPN hosts Two security methods (AH and ESP) Authenticated header is used to authenticate packets Encapsulating Security Payload encrypts the data portions of the packet IPSec is commonly combined with IKE as means of using public key cryptography to encrypt data IKE provides: Exchange of public keys Ability to determine which encryption protocols should be used to encrypt data that flows through VPN tunnel
Other tunneling protocols: PPTP PPTP is developed by Microsoft for granting VPN access to remote users over dial-up connections Uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data Useful if support for older clients is needed Compatible with Network Address Translation (NAT) Replaced by L2TP
Other tunneling protocols: L2TP L2TP is an extension of Point-to-point Protocol (PPP) that enables dial-up users to establish a VPN connection to a remote access server Uses IPSec rather than MPPE to encrypt data provides a higher level of encryption and authentication Incompatible with NAT
Other tunneling protocols: PPP Over SSL and PPP Over SSH PPP over SSL and PPP over SSH are two UNIX based methods for creating VPNs Both combine existing tunnel system (PPP) with a way of encrypting data in transport (SSL or SSH) SSL Public key encryption system used to provide secure communications over the Web SSH UNIX secure shell that perform secure authenticated logons and encrypted communications between a client and a server.
When to Use Different tunneling Protocols (important!)