Virtual Private Networking
Irfan Khan, Myo Thein, Nick Merante
VPN + IPSec
VPN: Virtual Private Network
  – Enables two remote networks to appear as one network across the internet.
IPSec: Internet Protocol Security Extensions
  – Enables machines to communicate securely over an insecure medium.
What We Will Cover
  – The need for security
  – Benefits of a VPN/IPSec combination
  – The necessary tools
  – How to set everything up
  – How to verify everything is working
The Need for Security
  – The internet is not what it used to be
  – The hunt for bugs: automated tools do most of the dirty work
  – Systems are targeted regardless of the value of their content
  – Business need for securing client/customer data on a global network
Why Use VPN
  – Confidentiality
  – Integrity
  – Authenticity
  – Replay protection
Who can benefit
Peer to peer security: encryption of traffic between people.
  – PGP Desktop Security
Corporate security: encryption of traffic between offices.
Benefits to personal users
  – Create a secure path between two machines
  – Enhance the level of trust with authentication
Benefits for corporate users
Can do away with leased lines connecting offices without sacrificing privacy.
Can then make use of the internet:
  – More reliable
  – More portable
  – More cost-effective
A method of security
  – Implementing a Virtual Private Network (VPN)
  – Using IPSec to encrypt all traffic
  – Authenticating the data sent
What is IPSec
IPSec = AH + ESP + IKE
Different Modes: AH vs ESP
AH: Authentication Header
  – Attaches an integrity check value (a keyed hash, not a plain checksum) to each packet
  – Ensures the packet was not modified in transit
ESP: Encapsulating Security Payload
  – Encrypts the data
  – Also authenticates the payload when an authentication algorithm is configured
Different Modes: Tunnel vs Transport
Tunnel Mode
  – Encapsulates the whole original packet inside a new IPv4/IPv6 header
  – Used by VPN gateways
Transport Mode
  – Protects normal traffic between two peers; the original IP header is kept
Tunnel vs Transport

Transport Mode:  Host 1 <====================================> Host 2
                 (IPsec runs between the two end hosts)

Tunnel Mode:     Host 1 --- Gateway 1 <==================> Gateway 2 --- Host 2
                 (IPsec runs between the gateways; the hosts send plain IP)
Necessary Tools
  – Two unix machines with properly configured kernels to serve as gateways
  – Racoon for key exchange
  – Internet connection
Preparing the machine
Modify the kernel configuration:
  bpf           # Berkeley packet filter
  IPFIREWALL    # Enable firewall
  IPDIVERT      # Divert IP sockets (used for NAT)
  IPSEC         # IP security
  IPSEC_ESP     # IP security (crypto; define together with IPSEC)
  IPSEC_DEBUG   # Debugging output for IPsec
Install Racoon
  – Obtain the source code or install from the ports collection
Creating the tunnel
  – Set up a tunnel between the 2 private networks
  – gif: generic tunnel interface
  – Diagram A
  – Tunnel script (Step 3)
Diagram A

  Node A \                                                      / Node A
  Node B --- Gateway A ============ Internet ============ Gateway B --- Node B
  Node C /   (vpn-gw1, gif0:)      VPN Tunnel      (vpn-gw2, gif0:)  \ Node C
Adding the Encryption
  – Creating the policies
  – Manual keying
  – Automatic keying (racoon)
    – Racoon configuration
  – Different algorithms: des, 3des, blowfish, etc.
  – Step 4 / Figure A
Figure A

# Ident: ipsec.conf
# Usage: setkey -f ipsec.conf
flush;        # Flush the Security Association Database
spdflush;     # Flush the Security Policy Database
#add   esp  -E blowfish-cbc "12345";
#add   esp  -E blowfish-cbc "12345";
spdadd / /24 any -P out ipsec esp/tunnel/ /require;
spdadd / /24 any -P in  ipsec esp/tunnel/ /default;
Changes to the Packet (IPv4; ESP: Encapsulating Security Payload)

Before applying ESP:
  | Orig IP hdr | TCP | Data |

After applying ESP (transport mode, original IP header kept):
  | Orig IP hdr | ESP Header | TCP | Data | ESP Trailer | ESP Auth |
                             |<------ encrypted ------->|
                |<---------- authenticated ------------>|
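The layout above, together with the replay protection listed on the "Why Use VPN" slide, is easiest to see in code. The following is an added example, not code from the deck: it frames an inner packet into ESP header, payload, trailer and ESP Auth field, verifies the authentication field on receipt, and runs the sequence number through a sliding anti-replay window. To stay within the Python standard library it uses the NULL cipher (RFC 2410), so the payload is authenticated but not encrypted; the authenticator (HMAC-SHA1-96), the 16-byte key, the 4-byte padding alignment and the 64-packet window are assumptions of the example.

```python
import hashlib
import hmac
import struct

# Assumed parameters (not from the deck): HMAC-SHA1-96 authenticator, NULL cipher.
ICV_LEN = 12          # HMAC-SHA1-96: the 20-byte SHA-1 tag truncated to 96 bits
NEXT_HEADER_TCP = 6   # inner protocol recorded in the ESP trailer


def esp_encapsulate(inner: bytes, spi: int, seq: int, auth_key: bytes) -> bytes:
    """Wrap `inner` (TCP header + data) as ESP header | payload | trailer | ICV."""
    header = struct.pack("!II", spi, seq)              # ESP header: SPI, sequence number
    pad_len = (-(len(inner) + 2)) % 4                  # payload + pad_len + next_header 4-byte aligned
    padding = bytes(range(1, pad_len + 1))             # RFC 4303 default pad pattern 1,2,3,...
    trailer = padding + bytes([pad_len, NEXT_HEADER_TCP])
    authenticated = header + inner + trailer           # everything but the ICV is covered by the MAC
    icv = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


def esp_decapsulate(packet: bytes, auth_key: bytes):
    """Verify the ICV, then strip header and trailer. Raises ValueError on any defect."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):        # constant-time comparison
        raise ValueError("ICV mismatch: packet modified in transit or wrong key")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    payload = body[8:-2]
    if pad_len > len(payload):
        raise ValueError("bad pad length")
    return spi, seq, next_header, payload[:len(payload) - pad_len]


class ReplayWindow:
    """Sliding anti-replay window in the style of RFC 4303 section 3.4.3."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) already seen

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                               # 0 is never a valid ESP sequence number
        if seq > self.top:                             # newer than anything seen: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or (self.bitmap >> diff) & 1:
            return False                               # older than the window, or a replayed duplicate
        self.bitmap |= 1 << diff                       # late but inside the window: accept once
        return True


def receive(packet: bytes, auth_key: bytes, window: ReplayWindow):
    """Receiver path: integrity check first, then replay check. Returns inner bytes or None."""
    try:
        _spi, seq, _next_header, inner = esp_decapsulate(packet, auth_key)
    except ValueError:
        return None
    return inner if window.accept(seq) else None


if __name__ == "__main__":
    key = b"\x11" * 16                                 # constructed key for the demo
    window = ReplayWindow()
    pkt = esp_encapsulate(b"TCP-hdr+data", 0x1000, 1, key)
    print("first copy :", receive(pkt, key, window))   # inner bytes
    print("replayed   :", receive(pkt, key, window))   # None: dropped by the window
```

The order in `receive` matters: the MAC is checked before the window is touched, so a forged packet with a high sequence number cannot push the window forward and make later genuine packets look old. Real ESP would also encrypt the TCP header and data with the negotiated cipher (the des/3des/blowfish choices from the previous slide) before the ICV is computed; that step is the only thing this example leaves out.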
Manual vs Automatic Keying
Benefits of manual keying
  – Simplicity
  – Less overhead
Benefits of automatic keying
  – Much more secure
  – Encryption keys are periodically changed based on time or the amount of data transferred
Encryption Algorithms
  – Data Encryption Standard (DES): 64 bits
  – Triple DES: 192 bits
  – Blowfish: 40 to 448 bits
  – Rijndael (AES): 128/192/256 bits
Verification
An analysis before and after enabling IPsec:
  – Key policies (Figure B)
  – Dump the Security Association Database with setkey -D (Figure C)
  – tcpdump of headers (Figure D)
  – tcpdump of data (Figure E)
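Figures D and E are not reproduced here, so the following added example (not the authors' figures) turns the "tcpdump of headers" check into a small script: it reads capture lines from the outside interface of one gateway and reports any packet between the two gateway addresses that is not ESP (a leak of the tunnel's traffic in the clear) and any ESP sequence number that appears twice for the same SPI. The capture lines are constructed to look like tcpdump output and the gateway addresses are placeholders chosen for the example; neither comes from the deck.

```python
import re

# Assumed public addresses of vpn-gw1 / vpn-gw2 (placeholders, not the deck's).
GATEWAYS = {"192.0.2.1", "198.51.100.1"}

# Constructed sample capture in tcpdump's text format, as seen on gateway A's
# outside interface. Line 4 is a gif-encapsulated packet that bypassed IPsec,
# line 5 repeats an ESP sequence number, line 6 is unrelated traffic.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.0.2.1 > 198.51.100.1: ESP(spi=0x00001000,seq=0x1), length 116
12:00:01.000340 IP 198.51.100.1 > 192.0.2.1: ESP(spi=0x00001001,seq=0x1), length 116
12:00:01.200000 IP 192.0.2.1 > 198.51.100.1: ESP(spi=0x00001000,seq=0x2), length 132
12:00:02.000000 IP 192.0.2.1 > 198.51.100.1: IP 10.0.1.5.51234 > 10.0.2.7.22: Flags [S], seq 0, length 0
12:00:02.500000 IP 192.0.2.1 > 198.51.100.1: ESP(spi=0x00001000,seq=0x2), length 132
12:00:03.000000 IP 203.0.113.9.443 > 192.0.2.1.40000: Flags [P.], seq 1:10, length 9
"""

# "<time> IP <addr>[.port] > <addr>[.port]: <rest>"; four-octet addresses so an
# optional trailing ".port" is separated unambiguously.
LINE_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (.*)$")
ESP_RE = re.compile(r"^ESP\(spi=0x([0-9a-fA-F]+),seq=0x([0-9a-fA-F]+)\)")


def audit_capture(capture: str, gateways: set) -> dict:
    """Classify each line: ESP between the gateways is expected, anything else between
    them is a cleartext leak; repeated (sender, SPI, seq) triples are flagged too."""
    report = {"esp": 0, "cleartext_between_gateways": [], "other": 0, "repeated_seq": []}
    seen = set()
    for lineno, line in enumerate(capture.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue                                   # not an IP summary line; ignore
        src, dst, rest = m.groups()
        if {src, dst} != gateways:
            report["other"] += 1                       # not gateway-to-gateway: outside the tunnel check
            continue
        e = ESP_RE.match(rest)
        if not e:
            report["cleartext_between_gateways"].append(lineno)
            continue
        report["esp"] += 1
        spi, seq = int(e.group(1), 16), int(e.group(2), 16)
        if (src, spi, seq) in seen:
            report["repeated_seq"].append(lineno)
        seen.add((src, spi, seq))
    return report


def tunnel_ok(report: dict) -> bool:
    """The tunnel passes when every gateway-to-gateway packet is ESP and no sequence number repeats."""
    return (report["esp"] > 0 and not report["cleartext_between_gateways"]
            and not report["repeated_seq"])


if __name__ == "__main__":
    result = audit_capture(SAMPLE_CAPTURE, GATEWAYS)
    print(result)
    print("tunnel ok:", tunnel_ok(result))
```

Running it over a capture taken while the test traffic of Figure E is generated gives the same before/after picture the slide asks for: before the policies are loaded, every packet between the gateways lands in `cleartext_between_gateways`; after, `esp` counts them all and the list is empty.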
Conclusion
Different tools for different jobs:
  – PGP for encrypting data
  – SSL for encrypting sockets
  – SSH for encrypting logons
  – IPSec for encrypting all traffic
Another tool for the administrator's toolbox.