Virtual Private Networks (VPNs). Source: VPN Technologies: Definitions and Requirements. VPN Consortium, July 2008.

Presentation transcript:

Virtual Private Networks (VPNs)
Source: VPN Technologies: Definitions and Requirements. VPN Consortium, July 2008.
–A private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.

VPN
Source:
–A restricted-use, logical (i.e., artificial or simulated) computer network that is constructed from the system resources of a relatively public, physical (i.e., real) network (such as the Internet), often by using encryption (located at hosts or gateways), and often by tunneling links of the virtual network across the real network.
–For example, if a corporation has LANs at several different sites, each connected to the Internet by a firewall, the corporation could create a VPN by (a) using encrypted tunnels to connect from firewall to firewall across the Internet and (b) not allowing any other traffic through the firewalls.
–A VPN is generally less expensive to build and operate than a dedicated real network, because the virtual network shares the cost of system resources with other users of the real network.
T. A. Yang, Network Security (slide 2)

Characteristics of VPNs
End-to-end communications between two end points
–End points: routers, firewalls, servers, hosts
Virtual Private Networks
–Shared?

Alternative Definition of VPN?
A VPN is a means of carrying private traffic over a public network.
–Often used to connect two private networks, over a public network, to form a virtual network.
–The word "virtual" means that, to the users on either end, the two private networks seem to be seamlessly connected to each other. That is, they are part of a single virtual private network (although physically they are two separate networks).
Implication? Connectivity, security, privacy.
–The VPN should provide the same connectivity and privacy you would find on a typical local private network.

Classifications of VPNs
Based on encryption:
–Encrypted VPNs
–Nonencrypted VPNs
Based on OSI model:
–Data link layer VPNs
–Network layer VPNs
–Application layer VPNs
Based on business functionality:
–Intranet VPNs
–Extranet VPNs

VPNs at different OSI layers
The layer where a VPN is constructed affects its functionality.
–Example: In encrypted VPNs, the layer where encryption occurs determines (i) how much traffic gets encrypted and (ii) the level of transparency for the end users.
Data link layer VPNs (Layer 2)
–Example protocols: Frame Relay, ATM
–Drawbacks: expensive (requires dedicated Layer 2 pathways); may not have complete security, since the protection is mainly segregation of the traffic based on the type of Layer 2 connection.
–Q: Is L2TP a layer 2 VPN?

VPNs at different OSI layers
Network layer VPNs (Layer 3)
–Created using layer 3 tunneling and/or encryption
–Q: What is the difference between encapsulation and tunneling? See
–Example: IPsec, GRE, L2TP (tunneling layer 2 traffic by using the IP layer to carry it)
–Advantages: a "proper" layer
  Low enough: transparency
  High enough: IP addressing
–Cisco focuses on this layer for its VPNs.

VPNs at different OSI layers
Application layer VPNs
–Created to "work" specifically with certain applications
–Examples: SSL-based VPNs (providing encryption between web browsers and servers running SSL); SSH (encrypted and secure login sessions to network devices)
–Drawbacks: may not be seamless (transparency issue)
–Counter-argument: OpenVPN and SSL VPN Revolution (Hosner, 2004):
"The myth that Secure Socket Layer (SSL) Virtual Private Network devices (VPNs) are used to connect applications together is not true. … A VPN is a site-to-site tunnel. … There is a terrible misunderstanding in the industry right now that pigeon-holes SSL VPNs into the same category with SSL enabled web servers and proxy servers. … A VPN, or Virtual Private Network, refers to simulating a private network over the public Internet by encrypting communications between the two private end-points. … A VPN device is used to create an encrypted, non-application oriented tunnel between two machines that allows these machines or the networks they service to exchange a wide range of traffic regardless of application or protocol. This exchange is not done on an application by application basis. It is done on the entire link between the two machines or networks and arbitrary traffic may be passed over it. …"

Other Classification of VPNs?
–Intranet VPNs vs. Extranet VPNs
–Remote Access VPNs vs. Site-to-site VPNs

Types of VPNs
Trusted
–Non-cryptographic
–Data move over a set of paths that has specified properties and is controlled by one ISP or a trusted confederation of ISPs.
–Examples: Layer 2 frames over MPLS (Multiprotocol Label Switching)
Secure
–Cryptographic
–Examples: IPsec with encryption, SSL with encryption, L2TP over IPsec, PPTP over MPPE
Hybrid

Why Hybrid VPNs?
–Secure VPNs provide security but no assurance of paths.
–Trusted VPNs provide assurance of properties of paths, such as QoS, but no security from snooping or alteration.
–A typical situation for hybrid VPN deployment is when a company already has a trusted VPN in place and some parts of the company also need security over part of the VPN.

Requirements for Secure VPNs
1. All traffic on the secure VPN must be encrypted and authenticated.
2. The security properties of the VPN must be agreed to by all parties in the VPN.
–Secure VPNs have one or more tunnels, and each tunnel has two endpoints. The administrators of the two endpoints of each tunnel must be able to agree on the security properties of the tunnel.
3. No one outside the VPN can affect the security properties of the VPN.

Requirements for Trusted VPNs
1. No one other than the trusted VPN provider can affect the creation or modification of a path in the VPN.
2. No one other than the trusted VPN provider can change data, inject data, or delete data on a path in the VPN.
–Although the paths are typically shared among many customers of a provider, the path itself must be specific to the VPN, and no one other than the trusted provider can affect the data on that path.
3. The routing and addressing used in a trusted VPN must be established before the VPN is created.

Requirements for Hybrid VPNs
The address boundaries of the secure VPN within the trusted VPN must be extremely clear.
–In a hybrid VPN, the secure VPN may be a subset of the trusted VPN, such as when one department in a corporation runs its own secure VPN over the corporate trusted VPN.
–For any given pair of addresses in a hybrid VPN, the VPN administrator must be able to definitively say whether or not traffic between those two addresses is part of the secure VPN.
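The "definitively say" requirement is something an administrator can actually check against a configuration. The following is an added example, not from the slides or the VPN Consortium document: it encodes a constructed hybrid-VPN policy (a corporate trusted VPN covering 10.0.0.0/8, with two departmental IPsec VPNs inside it; all prefixes and names are invented for illustration), validates that every secure prefix lies inside the trusted VPN and that no two secure VPNs claim overlapping space, and then answers the per-pair question for any two addresses.

```python
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed hybrid-VPN policy (illustrative, not from the slides): the corporate
# trusted VPN is 10.0.0.0/8; two departments run their own secure (IPsec) VPNs
# over it. Prefixes are kept as strings and normalised on use.
TRUSTED_VPN = ["10.0.0.0/8"]
SECURE_VPNS = {
    "finance-ipsec": ["10.20.0.0/16", "10.21.0.0/16"],
    "research-ipsec": ["10.40.0.0/16"],
}


def _nets(prefixes):
    return [ip_network(p) for p in prefixes]


def validate_boundaries(secure_vpns, trusted):
    """Hybrid-VPN requirement check. Returns a list of problems (empty = OK):
    every secure prefix must sit inside the trusted VPN, and no address space
    may belong to two different secure VPNs, because then the administrator
    could not say definitively which secure VPN a flow belongs to."""
    trusted_nets = _nets(trusted)
    problems = []
    for name, prefixes in secure_vpns.items():
        for p in _nets(prefixes):
            if not any(p.subnet_of(t) for t in trusted_nets):
                problems.append(f"{name}: {p} is not inside the trusted VPN")
    for (name_a, pfx_a), (name_b, pfx_b) in combinations(secure_vpns.items(), 2):
        for a in _nets(pfx_a):
            for b in _nets(pfx_b):
                if a.overlaps(b):
                    problems.append(f"{name_a} {a} overlaps {name_b} {b}")
    return problems


def classify(addr_a, addr_b, secure_vpns=SECURE_VPNS, trusted=TRUSTED_VPN):
    """Definitive answer for one address pair: the name of the secure VPN that
    carries the traffic (both ends inside it), 'trusted' if only the trusted
    VPN carries it, or 'outside' if it is not VPN traffic at all."""
    a, b = ip_address(addr_a), ip_address(addr_b)
    for name, prefixes in secure_vpns.items():
        nets = _nets(prefixes)
        if any(a in n for n in nets) and any(b in n for n in nets):
            return name
    trusted_nets = _nets(trusted)
    if any(a in t for t in trusted_nets) and any(b in t for t in trusted_nets):
        return "trusted"
    return "outside"


if __name__ == "__main__":
    print("policy problems:", validate_boundaries(SECURE_VPNS, TRUSTED_VPN))
    for pair in [("10.20.1.1", "10.21.5.5"),   # finance to finance: secure
                 ("10.20.1.1", "10.40.1.1"),   # finance to research: trusted only
                 ("10.20.1.1", "192.0.2.7")]:  # leaves the VPN entirely
        print(pair, "->", classify(*pair))
```

Note that traffic between a finance host and a research host is classified as "trusted", not secure: each department's IPsec VPN only protects traffic between its own endpoints, so that flow rides the trusted VPN with no cryptographic protection, which is exactly the kind of boundary the slide says must be unambiguous.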

VPN Deployments
–Internet VPNs
–Intranet VPNs
–Extranet VPNs

VPN Technologies
Trusted
–MPLS with constrained distribution of routing information through BGP ("layer 3 VPNs")
–Transport of layer 2 frames over MPLS ("layer 2 VPNs")
–Generic Routing Encapsulation (GRE)
Secure
–IPsec with encryption
–SSL with encryption (esp. secure remote access)
–L2TP over IPsec
Hybrid
–A secure VPN technology running over a trusted VPN technology

Generic Routing Encapsulation (GRE)
–Provides low-overhead tunneling (often between two private networks)
–Does not provide encryption
–Used to encapsulate an arbitrary layer protocol over another arbitrary layer protocol: delivery header + GRE header + payload packet
–Mostly IPv4 is the delivery mechanism for GRE, with any arbitrary protocol nested inside; e.g., IP protocol type 47 marks GRE packets carried in IPv4 headers
RFCs:
–RFC 1701, Generic Routing Encapsulation (GRE). S. Hanks, T. Li, D. Farinacci, P. Traina, October 1994 (Informational)
–RFC 2784, Generic Routing Encapsulation (GRE). D. Farinacci, T. Li, S. Hanks, D. Meyer, P. Traina, March 2000 (Proposed Standard)
–RFC 2890, Key and Sequence Number Extensions to GRE. G. Dommety, September 2000 (Proposed Standard)

Generic Routing Encapsulation
GRE Header (based on RFC 1701, deprecated): Figure 11-2
GRE Header (based on RFC 2784 & 2890): Figure 11-4
–C = 1: checksum present
–Checksum: to ensure the integrity of the GRE header and the payload packet; contains a checksum of the GRE header and the payload packet
–Key:
  contains a number to prevent misconfiguration of packets;
  may be used to identify an individual traffic flow within a tunnel;
  not the same as a cryptographic key

Generic Routing Encapsulation
Summary:
–GRE mainly performs tunneling.
–It does not provide a means to encrypt its payload.
–It often relies on the application layer to provide encryption.
–It may be used together with network layer encryption (such as IPsec).
Example 1: use GRE to encapsulate non-IP traffic and then encrypt the GRE packet using IPsec.
Example 2: use GRE to encapsulate multicast traffic, and then encrypt the GRE packet using IPsec.
Question: Why not simply use IPsec?
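To make the "delivery header + GRE header + payload" layering and the RFC 2784/2890 header fields concrete, here is an added example (written for this page; it is not code from the slides, the RFCs, or any vendor) that builds a GRE packet with the optional Checksum, Key and Sequence Number fields, wraps it in a minimal IPv4 delivery header with protocol number 47, and parses it back while verifying the checksum. The flag bit positions and the checksum rule follow RFC 2784 and RFC 2890; the inner payload, addresses, key and sequence values are constructed for the demonstration.

```python
import ipaddress
import struct

# Flag bits in the first 16-bit word of the GRE header (RFC 2784, RFC 2890).
GRE_FLAG_C = 0x8000        # Checksum present
GRE_FLAG_K = 0x2000        # Key present (RFC 2890)
GRE_FLAG_S = 0x1000        # Sequence Number present (RFC 2890)
GRE_RFC1701_BITS = 0x4C00  # R/s/Recur bits of RFC 1701; RFC 2784 says discard if set
GRE_VERSION_MASK = 0x0007
IP_PROTO_GRE = 47          # protocol number in the IPv4 delivery header
ETHERTYPE_IPV4 = 0x0800    # GRE Protocol Type for an IPv4 payload


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over 16-bit words, used by both the IPv4
    delivery header and the optional GRE Checksum field. Odd lengths are padded
    with a zero byte for the computation only."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, protocol_type: int, *, checksum=False, key=None, seq=None) -> bytes:
    """GRE header + payload. Optional fields follow the fixed order
    Checksum/Reserved1, Key, Sequence Number."""
    flags = 0
    if checksum:
        flags |= GRE_FLAG_C
    if key is not None:
        flags |= GRE_FLAG_K
    if seq is not None:
        flags |= GRE_FLAG_S
    header = struct.pack("!HH", flags, protocol_type)
    if checksum:
        header += struct.pack("!HH", 0, 0)  # Checksum placeholder, Reserved1
    if key is not None:
        header += struct.pack("!I", key)
    if seq is not None:
        header += struct.pack("!I", seq)
    if checksum:
        # RFC 2784: the checksum covers the GRE header and the payload, with
        # the Checksum field itself taken as zero.
        csum = ones_complement_checksum(header + payload)
        header = header[:4] + struct.pack("!H", csum) + header[6:]
    return header + payload


def parse_gre(packet: bytes) -> dict:
    """Parse a GRE packet and verify its checksum when C is set. Raises
    ValueError on truncated headers or on flags this parser does not support."""
    if len(packet) < 4:
        raise ValueError("GRE header truncated")
    flags, protocol_type = struct.unpack("!HH", packet[:4])
    if (flags & GRE_VERSION_MASK) != 0:
        raise ValueError("unsupported GRE version")
    if flags & GRE_RFC1701_BITS:
        raise ValueError("RFC 1701 routing bits set; not supported")
    header_len = 4 + sum(4 for bit in (GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S) if flags & bit)
    if len(packet) < header_len:
        raise ValueError("GRE optional fields truncated")
    info = {"protocol_type": protocol_type, "checksum_ok": None, "key": None, "seq": None}
    offset = 4
    if flags & GRE_FLAG_C:
        (stored,) = struct.unpack("!H", packet[offset:offset + 2])
        zeroed = packet[:offset] + b"\x00\x00" + packet[offset + 2:]
        info["checksum_ok"] = ones_complement_checksum(zeroed) == stored
        offset += 4  # Checksum + Reserved1
    if flags & GRE_FLAG_K:
        (info["key"],) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    if flags & GRE_FLAG_S:
        (info["seq"],) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    info["payload"] = packet[offset:]
    return info


def build_ipv4_delivery(src: str, dst: str, gre_packet: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 delivery header (no options, DF set) with protocol 47 in
    front of the GRE packet: delivery header + GRE header + payload."""
    fields = [0x45, 0, 20 + len(gre_packet), 0, 0x4000, ttl, IP_PROTO_GRE, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ones_complement_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + gre_packet


if __name__ == "__main__":
    # Constructed sample: an "inner" packet carrying a secret, tunnelled over GRE.
    inner = b"INNER-PACKET: SECRET"
    gre = build_gre(inner, ETHERTYPE_IPV4, checksum=True, key=0x1234, seq=1)
    wire = build_ipv4_delivery("192.0.2.1", "198.51.100.2", gre)
    print(parse_gre(wire[20:]))
    print("payload readable on the wire:", b"SECRET" in wire)  # GRE alone does not encrypt
```

Two points the code makes visible: the GRE Checksum is a plain one's complement sum, so it detects accidental corruption but nothing stops a party on the path from recomputing it after changing the payload; and the inner packet bytes appear unchanged inside the outer packet, which is why the slides pair GRE with IPsec when confidentiality or authentication is needed. The Key field is likewise just a 32-bit tunnel identifier, not a secret.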

Generic Routing Encapsulation
Case Studies:
–A GRE tunnel connecting two private networks: Figure
–GRE between multiple sites: Figure
–GRE between two sites running IPX