Network Security Philadelphia UniversitylAhmad Al-Ghoul Module 12 Module 12 Virtual Private Networks MModified by :Ahmad Al Ghoul PPhiladelphia University FFaculty Of Administrative & Financial Sciences BBusiness Networking & System Management Department RRoom Number E Address:
Network Security Philadelphia UniversitylAhmad Al-Ghoul Contents Relation to SSL & SSH Virtual Private Network Three Types of VPNs The Concept of Tunneling General IPTunneling Look at the stack GRE & PPTP Generic Routing Encapsulation PPTP Ipsec Encapsulating Security Payload
Network Security Philadelphia UniversitylAhmad Al-Ghoul Relation to SSL & SSH Recall SSL is the secure socket layer –It provides an encrypted and authenticated TCP connection between a client and a server. –It does not hide your network because you still use standard IP visible to all.
Network Security Philadelphia UniversitylAhmad Al-Ghoul Virtual Private Network Why? –Institutions are distribted –They need to protect themselves –Old Days Buy your own phone lines and build a physically private network. –VPN Use the internet as a “carrier” of your private traffic.
Network Security Philadelphia UniversitylAhmad Al-Ghoul Three Types of VPNs Remote access –A company uses a dial-up system to allow remote workers to connect and establish secure connections to the company network Site-to-site –Intranet Connect two different, but remote LANS to form a single network –Extranet Two different companies want to establish a private connection
Network Security Philadelphia UniversitylAhmad Al-Ghoul Reasons and Requirements Typical Reasons for wanting a VPN –Extend geographic connectivity –Improve security –Reduce operational costs versus traditional WAN –Improve productivity –Simplify network topology –Provide global networking opportunities –Provide telecommuter support Requirements for a Good VPN –Security –Reliability –Scalability –Network management –Policy management
Network Security Philadelphia UniversitylAhmad Al-Ghoul The Concept of Tunneling tunneling - the process of placing an entire packet within another packet and sending it over a network. Tunneling requires three different protocols: –Carrier protocol: The protocol used by the network that the information is traveling over –Encapsulating protocol: The protocol (GRE, IPSec, L2F, PPTP, L2TP) that is wrapped around the original data –Passenger protocol: The original data (IPX, NetBeui, IP) being carried
Network Security Philadelphia UniversitylAhmad Al-Ghoul Tunneling Key idea: allow packets to move from one point to another point without being directly touched by internet routers 1. Passenger packet goes to gateway 3. Internet (carrier protocol) 2. Gateway wraps passenger with Encapsulation protocol 4. Passenger unwrapped and sent on its way
Network Security Philadelphia UniversitylAhmad Al-Ghoul General IPTunneling R1 Internet R1 Network 1 Network 2 Host Host To: From: IP payload To: From: IP payload To: From: IP payload To: From: IP Payload
Network Security Philadelphia UniversitylAhmad Al-Ghoul Look at the stack Tunneling can layer a complete stack and address space on top of the existing one! –Almost exactly what we did with our XKernel which was tunneled over the regular IP stack. –For Site-to-Site use Generic Routing Encapsulation (GRE) IPsec –For remote access PPTP (point-to-point tunneling protocol) L2TP (layer 2 tunneling protocol) Ethernet or PPP or … IP GRE encrypt IP TCP application IPsec
Network Security Philadelphia UniversitylAhmad Al-Ghoul GRE & PPTP GRE –Very simple encapsulation frame that tells you what type of thing is encapsulated, a sequence number and an ack number. PPTP –Protocol that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself.
Network Security Philadelphia UniversitylAhmad Al-Ghoul Generic Routing Encapsulation Runs over IP at port 47. It is a protocol for wrapping other protocols. Protocol Family protocol type Reserved 0000 SNA 0004 OSI network layer 00FE XNS 0600 IP 0800 Chaos 0804 Frame Relay ARP 0808 VINES 0BAD DECnet (Phase IV) 6003 Transparent Ethernet Bridging 6558 Raw Frame Relay 6559 Apollo Domain 8019 Ethertalk (Appletalk) 809B Novell IPX 8137 RFC 1144 TCP/IP compression 876B IP Autonomous Systems 876C protocol checksumoffset key Sequence number Routing information data
Network Security Philadelphia UniversitylAhmad Al-Ghoul PPTP For a dial-up client –First establish a PPP connection to the server –Set up a TCP connection on port 1723 for control messages Session management command-replies Handles calls and keep-alive messages –Over the PPP one runs IP and TCP. In other cases use existing IP level.
Network Security Philadelphia UniversitylAhmad Al-Ghoul PPTP data packets The carrier network delivers GRE packets –Sliding window used to provide flow control GRE packet contains a PPP packet. PPP has an encryption protocol that is used to encrypt the contents of each frame. The content frame is the tunneled IP packet. Carrier IP packet GRE packet PPP packet IP packet
Network Security Philadelphia UniversitylAhmad Al-Ghoul IPsec A General Framework for IP security –NOTE: SSL is at the TCP level –IPSec is designed to be at the IP level Two Components –Two protocols for security A header for authentication (AH) A header for secure encapsulation (ESP) –Internet Security Assoc. and Key Mgmt Protocl A Security Association (SA) is a one way connection between two hosts/routers that is based on a choice of AH/ESP and Key protocol.
Network Security Philadelphia UniversitylAhmad Al-Ghoul IPSec Authentication NextHdrPayload lengthreserved SPI ( security paramenter index – identifies the sec. Assoc.) Sequence no Authentication Data
Network Security Philadelphia UniversitylAhmad Al-Ghoul IPSec Authentication NOTE: The authentication data is the cryptographic signature of this packet. It is not authentication of source identity NextHdr is a pointer to the end of this packet. SPI is an identifier which in combination with the IP address of the packet completely identifies the secruity association. Sequence number prevents “replay attacks”
Network Security Philadelphia UniversitylAhmad Al-Ghoul Encapsulating Security Payload This follows IP header (both v4 and v6) and before the encripted payload. –The payload data is often part of an “initialization vector” for the encrypted payload that follows provides –confidentiality (encryption), data origin authentication, integrity, optional anti-replay service NextHdrPad length SPI ( security paramenter index – identifies the sec. Assoc.) Sequence no Authentication Data Up to 256 bytes of Playload data (Initialization Vector)