Privacy Issues in Virtual Private Networks Tim Strayer BBN Technologies.


1 Privacy Issues in Virtual Private Networks
Tim Strayer, BBN Technologies

2 What is a VPN?
- Private network running over shared network infrastructure (Internet)
- Allows interconnection of different corporate network sites
- Allows remote users to access the corporate network
- Allows controlled access between different corporate networks

3 Why VPNs?
[Diagram: headquarters and remote-site intranets linked by a private network over Frame Relay, ATM or dial-up service, contrasted with the same sites linked over the public Internet]

4 VPN Rationale
- Private networks: costly, inflexible, multiple infrastructures
- Virtual private networks: inexpensive, configurable, single infrastructure

5 The First VPN
- 1975: BBN delivered the first Private Line Interface (PLI) to the Navy
- Created secure network communication over the ARPANET
- Used a proprietary encryption and manual keying system

6 VPN Technologies
- Tunneling: an overlay facilitates sharing common infrastructure (IPsec, PPTP, L2TP, MPLS)
- Security
  - Authentication: PKI, RADIUS, smartcard
  - Access control: directory servers, ACLs
  - Data security: confidentiality, integrity
- Provisioning: QoS, traffic engineering

7 Island Metaphor
[Diagram: a "Hello!" message is carried between two islands aboard the ship "SS Encapsulator", which plays the role of the tunnel; an onlooker in between sees only "???", and the receiving island answers "Oh! Hi!"]

8 Tunneling
- Usually layers are inverted
- Packet layout: Outer Header (for transport network) | Inner Packet (for target network) | Trailer
- Tunneled stack: Ethernet (layer 2) | IP (layer 3) | PPP (layer 2) | [layer-3 packet]
- Normal stack, for comparison: Ethernet (layer 2) | IP (layer 3) | TCP (layer 4) | FTP (layer 7)

9 Tunnels at Layer 2
- Point-to-Point Tunneling Protocol (PPTP)
  - Integrated into Microsoft DUN and RAS
  - Authentication/encryption provided by PPP
  - Packet: IP | GREv2 | PPP | IP/IPX
- Layer 2 Tunneling Protocol (L2TP)
  - Combines PPTP with Cisco L2F
  - Layer 2 tunneling, UDP encapsulation
  - Packet: IP | UDP | PPP | IP/IPX/IPsec

10 IPsec Protocol Suite
- Data encryption and authentication
- Two protocols
  - Encapsulating Security Payload (ESP) assures data privacy and party authentication
  - Authentication Header (AH) assures only party authentication
- Cryptographic key management
  - Works well with Public Key Infrastructure and X.509 certificates
- Transport and tunnel modes of operation
  - IPsec VPNs use tunnel mode and ESP

11 IPsec Tunneling
- Packet layout: New IP Header | Security Parameter Index | Sequence Number | Original IP Header | Original IP Payload | ESP Trailer | ESP Authentication
- Encrypted span: the original IP packet (header and payload) plus the ESP trailer
- Authenticated span: from the Security Parameter Index through the ESP trailer (the new IP header is not covered)

12 MPLS Tunneling
- Multi-Protocol Label Switching
- High speed switching technology
- Tunnel any layer
- Built into edge/core routers and switches
- No authentication/encryption
- Packet: Label | IP Header | IP Payload (the original packet follows the label unchanged)
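The two packet layouts on slides 11 and 12, as an added Python model that is not from the talk: ESP tunnel mode wraps the original packet in an encrypted, integrity-protected body behind a new IP header, while the MPLS shim only prepends a label and leaves the packet readable. The counter-mode keystream, the truncated HMAC-SHA256 ICV and the keys are assumptions standing in for a real security association, and the packets are constructed demo values.

```python
"""Added model of the encapsulations on slides 11 and 12 (not the author's code).
ESP tunnel mode: outer IP hdr | SPI | seq | IV | enc(orig packet + ESP trailer) | ICV.
Assumed simplifications: HMAC-SHA256 in counter mode stands in for the negotiated
cipher, the ICV is HMAC-SHA256 truncated to 16 bytes, keys are constructed values."""
import hashlib
import hmac
import os
import struct

ENC_KEY = b"\x11" * 32   # constructed demo keys, not real SA material
AUTH_KEY = b"\x22" * 32
ICV_LEN = 16
NEXT_HEADER_IPIP = 4     # ESP next-header value for an encapsulated IPv4 packet

def _keystream(iv, length):
    blocks = (length + 31) // 32
    return b"".join(hmac.new(ENC_KEY, iv + struct.pack("!I", i), hashlib.sha256).digest()
                    for i in range(blocks))[:length]

def esp_encapsulate(original_packet, spi, seq, outer_ip_header, iv=None):
    iv = iv or os.urandom(16)
    pad_len = (-(len(original_packet) + 2)) % 4          # pad to 4-byte alignment
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HEADER_IPIP])
    plaintext = original_packet + trailer                  # encrypted span
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(iv, len(plaintext))))
    authenticated = struct.pack("!II", spi, seq) + iv + ciphertext   # SPI .. trailer
    icv = hmac.new(AUTH_KEY, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    return outer_ip_header + authenticated + icv           # outer header not covered

def esp_decapsulate(packet, outer_header_len):
    """Return the original packet, or None when the ICV check fails (packet is dropped)."""
    body, icv = packet[outer_header_len:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return None
    iv, ciphertext = body[8:24], body[24:]                 # skip SPI and sequence number
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(iv, len(ciphertext))))
    return plaintext[:-(plaintext[-2] + 2)]                # strip padding, pad len, next hdr

def mpls_encapsulate(ip_packet, label, exp=0, ttl=64):
    """MPLS shim: 20-bit label, 3-bit EXP, bottom-of-stack bit, 8-bit TTL, then the
    IP packet in the clear: the label separates traffic but hides nothing."""
    shim = (label << 12) | (exp << 9) | (1 << 8) | ttl
    return struct.pack("!I", shim) + ip_packet

if __name__ == "__main__":
    original = b"\x45\x00" + b"\x00" * 18 + b"PRIVATE-DATA"     # constructed IPv4 packet
    esp = esp_encapsulate(original, 0x1234, 1, b"\x45" + b"\x00" * 19)
    print("ESP hides payload:", b"PRIVATE-DATA" not in esp, "round-trip ok:", esp_decapsulate(esp, 20) == original)
    print("MPLS exposes payload:", b"PRIVATE-DATA" in mpls_encapsulate(original, 42))
```

Flipping a byte inside the ESP body makes decapsulation return None, while flipping a byte of the outer IP header does not, which is exactly the coverage the slide's "Authenticated" bracket shows.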

13 IPsec vs. MPLS
- Two dominant VPN technologies
- Let's compare them with respect to their approaches to privacy

14 What is meant by Private?
- "No one can see your stuff"
  - Emphasis is on security
  - Confidentiality, integrity, authentication, authorization, access control
- "Carve out a piece of a shared network for your own use"
  - Emphasis is on availability
  - Traffic engineering

15 Evolution of IPsec
- First defined as a security mode for IPv6
- Ported to IPv4
- Combines tunneling with security
  - Orthogonal services
- Complex key management

16 Evolution of MPLS
- ATM's VCI/VPI used for cut-through switching
  - Separates routing from forwarding
  - Supports resource allocation
- MPLS: IP cut-through switching using a label
  - Routers switch on a preestablished label
  - Routers don't care what's behind the label
- Originally proposed to accelerate routing

17 A Protocol Looking for a Use
- Fast routing argument lost with new routing technology
  - Switching technology applied to IP header
- MPLS for traffic engineering
  - Connection oriented
  - Stateful: keeps track of resource allocation and usage
  - RSVP adapted for signaling
- Hot router selling feature

18 MPLS-VPN Security
- Label Switch Routers will drop packets that do not belong to the VPN, based on label
- BGP guards against injected routes using MD5 authentication
- Note:
  - No data confidentiality
  - Weak authentication
  - BGP is not sufficient to prevent fake routes

19 Why MPLS-VPN?
- Embed label switching in routers
  - Sell more routers
- Replace Frame Relay and ATM with something that looks like these services
  - No profit in Frame Relay or ATM anymore
- Control provisioning at the edge of the ISP
  - Sell value-added service
- ISP dependent
  - Keeps customers within the provider's network

20 Why IPsec-VPN?
- No changes to core routers
  - Security gateway/tunnel endpoint placed anywhere that is appropriate
- Separation through obfuscation
  - Real data confidentiality
  - Real authentication
- Routing protocol agnostic
  - No (more than current) reliance on well-behaved protocols
- ISP agnostic

21 Guarding Privates
- What separates a VPN's traffic from all other traffic?
  - IPsec: data encryption
  - MPLS: different labels, forwarding tables
- Who is responsible for separation?
  - IPsec: ISPs, but not necessarily; the corporate IT group and even individuals
  - MPLS: ISPs

22 Dichotomy of Assumptions
- IPsec assumes the goal is IP delivery
  - No trust of intermediate systems
- MPLS assumes the goal is engineered delivery
  - Trust entities in the middle
- Begged question: Is leaving security to someone else a good thing?

23 Which is the Right Way?
- Depends on what control you are willing to cede to service providers
  - What SLAs you demand
  - What you want to black-box
- Depends on what you mean by private
  - No one is supposed to use your resources
  - No one is able to see your stuff

24 Trends in VPNs
- IPsec is being built into routers, gateways, and firewalls, and can run at very high speeds
- Layer 2 tunneled through MPLS (Martini draft)
- Combining MPLS and IPsec
  - IP tunneled through IPsec tunneled through MPLS
  - Best of both worlds

25 There's more to it
- Establishing a VPN is much more than just building a set of tunnels between sites
  - Authentication
  - Access control
  - Data confidentiality
  - Data integrity
  - Remote access

26 Where does "Private" go?
- Virtual Private Network: makes sense; what the designers had in mind
- Virtual Private Network: what happens if you're not careful

27 More about me
- This talk and other information at http://www.ir.bbn.com/~strayer
