CS682 – Network Management and Security Session 7
Virtual Private Networking If we have a network in NY and a network in SF we want them to be able to communicate with each other. Solutions: Land based telco lines (T1, T3, etc) Satellite based communications Virtual Private Network
Cost of operation A T1 line from coast to coast can cost over $3000/month A satellite link from coast to coast has very high startup costs and significant monthly costs. A VPN costs only as much as your internet conection
Virtual Private Network A VPN is defined as a system in which two networks are connected through a third, untrusted, network. The two networks are usually a main office and a satellite office, and the third network is usually the Internet.
Security for VPNs 1. We will be sending data over an untrusted network, so it should be encrypted 2. We will have to allow connections to our encrypting host, which presents the usually security issues 3. Can the other side of the VPN be trusted???
1. The Untrusted Network Your ISP may employ someone who has in interest in capturing your data as it traverses the Internet. If your data is unencrypted you may be sending your company secrets to your competors. Encryption must be employed to protect your data
VPN encryption schemes Usually use multiple schemes for Encryption, Authentication, and key management Encryption: DES, or 3DES, IPSec, Blowfish, etc Message Authentication: MD5, SHA-1 Key management (if nescessary): IKE, SKIP
If not using Public key/Private Key Again we get the issue of how to agree on a key Usually the two Security Administrators meet 2-3 times/year and agree on a new (impossible to guess) key.
2. Open Connections Depending on which host is doing our encryption/routing for the VPN we will have to leave application ports open through the firewall. Frequently there is one or more ports for control connections and then data is streamed over IP protocol 47 (gre). This leaves open not a port but an entire protocol!
Which host??? Today routing/VPN is done on either of two places, a server or the router. If the server is to do the routing/ encryption/encapsulation, it shouldn’t be doing anything else! If the router is doing the job, it should be a high performance router! In either case we can usually assist the task by purchasing specialized hardware to do the encryption calculations.
3. Can the other side be trusted? The DoD was hacked a few years ago not directly, but through their VPN. One of their associated agencies was negligent in their task of protecting their Internet connection. A Hacker intruded the agency and used their VPN to attack the DoD.
Problems with VPNs Additional Firewalls Current firewalls to protect the VPN Limitations of the VPN Larger packets (additional header)
Benefits of VPN Two RFC-1918 (not routable Internet addresses) can communicate over the Internet. Since the data is in a “Tunnel” the IP header that is used for routing needs to have a valid IP Much less expensive than a dedicated line
Other uses for VPNs Telecommuting workers Associations with other companies Offsite Backups
Telecommuting Workers Anyone working offsite should have the same availability to the network as someone working on our network. All windows operating systems in use today have support for Point to Point Tunneling Protocol (PPTP). A Microsoft PPTP server can be set up to allow employees to call in and work as if they were at their desks.
Problems with Telecommuting Workers Most Employees are not “tech-savvy” enough to be able to configure a VPN connection. If there are any problems with the VPN will a technician be able to come to their house? A better option would be a solution such as Terminal Server.