Evaluation of an internet protocol security based virtual private network solution Thesis written by Arto Laukka at TeliaSonera Finland Oyj SupervisorProfessor.

Evaluation of an internet protocol security based virtual private network solution. Thesis written by Arto Laukka at TeliaSonera Finland Oyj. Supervisor: Professor Raimo Kantola. Instructor: M.Sc. Ville Hapuoja. Helsinki University of Technology, Networking laboratory, Master’s thesis seminar.

Introduction
o IPsec is the current best-practice solution for implementing virtual private networks over the public Internet
o IPsec solutions are classified in two categories
  o GW-to-GW
  o Client-to-GW (remote access)
o Service operators offer IPsec VPN solutions for corporate customers
o Objective of the thesis: evaluate whether a new service platform is ready to be used in commercial service production for an IPsec client-to-GW VPN service
o Methods include a literature study of IPsec service components and of the IPsec client-to-GW service architecture
o The characteristics of the new platform are evaluated based on vendor documentation and example configurations

Agenda
o Introduction
o IPsec client-to-GW VPN service architecture
o IP service switch concept
o Concept evaluation
o Technical evaluation
o Problem with IPsec and NAT
o Conclusions

IPsec client-to-GW VPN service architecture (1/2)
o The public Internet or other insecure network enables connectivity
o The IPsec client is typically a piece of software installed on a client machine
o The VPN gateway terminates the IPsec client connections
o Authentication infrastructure, for example PKI, is required for strong client authentication
o Authorisation infrastructure is needed for access control
o Management infrastructure for all the blocks mentioned above
o The protected network contains the secured network services offered to the clients

IPsec client-to-GW VPN service architecture (2/2) [figure slide: architecture diagram]

IP service switch concept (1/2)
o Traditionally IP services have been implemented with dedicated CPE appliances
o The IP service switch concept combines many of these services into a single appliance
o Services are offered in the service provider network instead of at the customer premises
o Reduces the amount of equipment, integrates service management and makes service provisioning easier

IP service switch concept (2/2) [figure slide: legacy CPE implementation compared with service switch implementation]

Evaluation of the concept
o The IP service switch concept introduces an opportunity for service providers through smaller capital and operational costs
o The concept offers scalability in the number of served subscribers, in the service offering and in management
o Introduces a possible single point of failure
o The performance of a multifunctional device does not reach the performance of dedicated service appliances

Technical evaluation of the new platform (1/2)
o The platform under evaluation is the CoSine Communications IP Processing Switch IPSX 3500, a multifunctional IP service switch
o The characteristics of the IPsec VPN GW functionality of the CoSine platform are evaluated
o The starting point is the current service implementation and functionality
o Integration with the existing authentication, authorisation, management and network infrastructure should be seamless
o Performance should be adequate for mass-scale IPsec service production

Technical evaluation of the new platform (2/2)
o The CoSine platform has all the basic IPsec VPN GW functionality
o The necessary functions and interfaces for integration into the service operator network and infrastructure exist
o The CoSine platform offers provider-class performance in IPsec tunnel termination and encryption
o The main problem in the technical implementation is the NAT-Traversal solution
o An inconsistent NAT-T solution leads to interoperability problems

Problem with IPsec and NAT (1/2)
o Network address translation is everywhere in the Internet
o NAT modifies the IP address and port fields in the IP header and, in some cases, in the IP payload
o NAT cannot modify an IPsec-protected packet, because the fields it would rewrite are either encrypted or covered by the integrity checksum

Problem with IPsec and NAT (2/2)
o No existing standard for implementing IPsec NAT Traversal
o Several vendor-specific solutions exist, with no guarantee of interoperability
o CoSine’s NAT Traversal solution is based on early IETF drafts
o No complete NAT-T implementation in CoSine for a pure IPsec tunnel implementation
o The NAT Traversal solution has to be the same at both ends of the IPsec VPN tunnel
o CoSine is not interoperable with the current IPsec client-to-GW VPN service
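The two NAT slides above state the core problem (a NAT rewrites addresses and ports, but an IPsec integrity check covers exactly those bytes) and the shape of the fix (a NAT-Traversal encapsulation agreed by both tunnel ends). The following Python script is an added illustration, not part of the thesis or of any CoSine software, and it simplifies the protocols: the AH integrity value is modelled as an HMAC over the source and destination addresses plus the payload (real RFC 4302 AH also covers other immutable header fields), and the ESP "ciphertext" is a constructed byte string that stands in for real encryption. The script builds an AH packet, passes it through a simulated NAT that rewrites the source address, and shows the integrity check failing; it then wraps an ESP packet in UDP port 4500 in the style of the RFC 3948 NAT-T encapsulation, applies the same NAT rewrite to the outer header and UDP port, and shows the ESP check still passing because its integrity value never covered the outer header. All addresses, SPIs and the key are constructed demo values.

```python
import hashlib
import hmac
import ipaddress
import struct

PROTO_AH = 51
PROTO_UDP = 17
NAT_T_PORT = 4500                       # RFC 3948 UDP port for ESP encapsulation
KEY = b"constructed-demo-integrity-key"  # constructed, not a real SA key
ICV_LEN = 12                            # 96-bit truncated HMAC, as AH/ESP commonly use


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def ah_icv(src: str, dst: str, payload: bytes) -> bytes:
    """Simplified AH model: the ICV binds the IP addresses to the payload."""
    data = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + payload
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(src: str, dst: str, inner: bytes) -> bytes:
    # AH header: next header (TCP=6), payload length, reserved, SPI, sequence, ICV
    ah = struct.pack("!BBHII", 6, 4, 0, 0x1000, 1) + ah_icv(src, dst, inner)
    return build_ipv4(src, dst, PROTO_AH, ah + inner)


def verify_ah_packet(pkt: bytes) -> bool:
    """Receiver recomputes the ICV using the addresses it actually sees."""
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    ah = pkt[20:]
    return hmac.compare_digest(ah[12:12 + ICV_LEN], ah_icv(src, dst, ah[12 + ICV_LEN:]))


def nat_rewrite_source(pkt: bytes, new_src: str) -> bytes:
    """What a NAT does to the outer header: new source address, fixed IP checksum."""
    hdr = bytearray(pkt[:20])
    hdr[12:16] = ipaddress.IPv4Address(new_src).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def build_esp(ciphertext: bytes, spi: int = 0x2000, seq: int = 1) -> bytes:
    """ESP: SPI, sequence number, ciphertext, ICV over those bytes only (never the outer IP)."""
    body = struct.pack("!II", spi, seq) + ciphertext
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:ICV_LEN]


def verify_esp(esp: bytes) -> bool:
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac.new(KEY, body, hashlib.sha256).digest()[:ICV_LEN])


def udp_encap_esp(src: str, dst: str, esp: bytes) -> bytes:
    """NAT-T style encapsulation: ESP inside UDP/4500, giving the NAT a port to rewrite."""
    udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0) + esp  # UDP checksum 0 is legal for IPv4
    return build_ipv4(src, dst, PROTO_UDP, udp)


def nat_rewrite_udp(pkt: bytes, new_src: str, new_sport: int) -> bytes:
    """NAPT: rewrite outer source address and the UDP source port."""
    pkt = nat_rewrite_source(pkt, new_src)
    return pkt[:20] + struct.pack("!H", new_sport) + pkt[22:]


def receive_natt(pkt: bytes) -> bool:
    """Gateway strips IP (20) + UDP (8) and validates the ESP payload."""
    return verify_esp(pkt[28:])


def demo() -> tuple:
    """Returns (AH ok before NAT, AH ok after NAT, NAT-T ESP ok after NAT)."""
    inner = b"constructed inner payload (stands in for ESP ciphertext / AH-protected data)"
    ah = build_ah_packet("10.0.0.5", "198.51.100.1", inner)
    ah_before = verify_ah_packet(ah)
    ah_after = verify_ah_packet(nat_rewrite_source(ah, "203.0.113.7"))
    natt = udp_encap_esp("10.0.0.5", "198.51.100.1", build_esp(inner))
    natt_after = receive_natt(nat_rewrite_udp(natt, "203.0.113.7", 61234))
    return ah_before, ah_after, natt_after


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The third result only comes out True because both ends agree on the same encapsulation: the sending side wraps ESP in UDP/4500 and the receiving gateway knows to strip exactly that wrapper before validating. That is the interoperability point the slides make about CoSine's draft-based NAT-T: a gateway and a client that disagree on the wrapper are in the same position as the AH case, with every packet failing validation.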

Summary
o The IP service switch concept has considerable potential
o The performance, scalability and other characteristics of the CoSine platform are adequate for mass-scale IP service delivery
o Interoperability problems exist with NAT-T and IPsec tunnel mode
o Deployment of the CoSine platform would require rethinking the other service components and service functionality
o The standardisation of IPsec NAT-Traversal is still unfinished at the IETF; as long as this is the case, the interoperability problems will remain