Presentation is loading. Please wait.

Presentation is loading. Please wait.

Internet Security Seminar Class CS591 Presentation Topic: VPN.

Similar presentations


Presentation on theme: "Internet Security Seminar Class CS591 Presentation Topic: VPN."— Presentation transcript:

1 Internet Security Seminar Class CS591 Presentation Topic: VPN

2 Virtual Privacy Network What is VPN? Extension of an enterprise’s private intranet across a public network by Encrypt the user’s data Validate the user’s data Authenticate the source of the data Establish & maintain cryptographic secrets

3 Virtual Private Network Why business use VPN? Cost – ISP/NSP vs leased lines Simplified Infrastructure – No modem bank Secured – Encrypted, Authenticated, Integrally Safe Interoperable – supports multiple protocols Distributed, Deployable, Scalable

4 Virtual Private Network

5 Type of VPN Networks Branch office connection (Intranet) Business partner/supplier network Extranet E-Business Remote access Mobile IP

6 Virtual Private Network Branch office connection

7 Virtual Private Network Business partner/supplier network

8 Virtual Private Network Remote access

9 Virtual Private Network How VPN works? Create dedicated link using tunneling Basic components of a tunnel: A tunnel initiator (TI) A routed network An optional tunnel switch One or more tunnel terminators (TT)

10 Virtual Private Network Protocols standardized by IETF IPSec IKE L2F PPTP L2TP

11 Virtual Private Network

12 IPSec Proposed by CISCO to IETF as standard Initially used by firewall & security products Secures network or packet processing layer of the communication model 2 choices of security services: Authentication Header (AH) Encapsulating Security Payload (ESP)

13 Virtual Private Network CISCO IPSec with IKE Diffie-Hellman DES MD5/SHA

14 Virtual Private Network IKE Protocol for Internet Key Exchange Formerly Internet Security Association & Key Management Protocol (ISAKMP/Oakley) ISAKMP manages negotiation of security Oakley using Diffie-Hellman establish key

15 Virtual Private Network L2F Tunneling protocol created by CISCO Mechanism for transporting link-layer frames of higher-layer protocols eg PPP VPDN NAS – ISP Home Gateway - Corporation

16 Virtual Private Network PPTP Point-to-Point Tunneling Protocol Developed by Microsoft, 3com, Ascend, ECI Encapsulates PPP packets across IP- based internet Encryption RSA-RC4

17 Virtual Private Network L2TP Combination of PPTP and L2F Make multiple simultaneous tunnel btw pt Allow administrators to dedicate task to specific tunnels

18 Virtual Private Network

19 VPN Technology Firewalls Intrusion Detection Tools Authentication Servers Encryption & Key Exchange

20 Virtual Private Network Implementation Networking Connectivity Intranet or Extranet or Remote Access Product or Service Provider VPN Gateway Software only (<1.5Mbps connection only) Firewall based Router based Authentication Methods RADIUS, PKI, X509 (ITU), LDAP

21 Virtual Private Network Routers and Firewalls with encryption capability. Pros: Encryption upgrades, if available, can be cost effective. Cons: Mixing vendor solutions can create compatibility issues that inhibit VPN capability. May not be able to provide PC-to-LAN capability without additional software support. Could require commitment to vendor's proprietary technology. May not provide multi-protocol support. Installation and configuration can add to network complexity. Encryption processing overhead may reduce performance.

22 Virtual Private Network Traditional Remote Access Server (RAS) with VPN add-on. Pros: May allow IT to take advantage of an existing hardware investment. Cons: Traditional Remote Access Servers are not optimized for VPN. VPN add-ons may only be available for some high-end RAS solutions. May be ISP dependent, requiring the company to adopt the same RAS VPN vendor as the ISP. May not provide multi-protocol support. May require vendor proprietary software.

23 Virtual Private Network NOS/Server-Based VPN Pros: More robust solution for PC-to-LAN access than that provided by firewalls or routers. Cons: Difficult to set up and manage VPN functionality. Adding VPN services to a network server can impact performance while decreasing fault tolerance. Dedicating a network server to remote access can be prohibitively expensive.

24 Virtual Private Network VPN Services Pros: Security and performance can be guaranteed for a price. Requires limited corporate support. Cons: IT gives up control to the service provider. May not provide multi-protocol support. May not provide PC-to-LAN access. VPN services may be cost prohibitive.

25 Virtual Private Network Dedicated VPN Software Pros: Optimized to create LAN-to-LAN connections via VPN. Dedicated VPN solution creates fault tolerance. Standalone VPN solutions can offer greater performance. Dedicated VPN solutions are generally easier to use and support than solutions originally designed for non-VPN functions such as firewalls, routers, network servers and traditional remote access servers. Eliminates the need for costly frame relay circuits, leased lines, etc. Cons: Vendor proprietary software is needed for each server hosting VPN and each remote client accessing the LAN via VPN. Must invest in a dedicated server for maximum performance. Adding VPN software on an existing, in-use network server decreases fault tolerance and performance. Many solutions support IP-only VPNs and cannot transport packets from multiple protocols.

26 Virtual Private Network Dedicated VPN Hardware Pros: Easy to install, configure and manage. Saves money by reducing equipment needs at corporate site. Stand-alone solution offers greater performance and fault tolerance because it is optimized for VPN functionality. Reduces costs of upgrading hardware as remote access technology changes. Reduces costs of upgrading system as the number of users increases. Cons: Some solutions do not support multiple protocols. Some LAN-to-LAN VPN solutions require costly software add-ons to support remote client PCs. Some solutions require that proprietary software be loaded on the remote client's PC.

27 Virtual Private Network SECURITY STANCE Permit all access initially; administrator specifically denies individual access according to security policy. Deny all access initially; administrator specifically permits individual access according to security policy.

28 Virtual Private Network Security Techniques Packet Filters Circuit-level Gateways Application-level Gateways Possible Security Breach/Risk from RA Unauthorized Remote Access (RA) Computer RA computer connected to insecure network Virus infected RA computer

29 Virtual Private Network Company supporting VPN Microsoft IBM Novell CISCO Nokia 3com

30 Virtual Private Network FAQ Difference between VPN and Firewall? Diifference between VPN and Proxy? Build own VPN or outsource to SP? Important critique? Interoperable? Scalability? Can U trust the internet? Any other Questions? Virtual Private Networks By Charlie Scott, Paul Wolfe and Mike Erwin, O'Reilly & Associates, March 1998 Virtual Private Networks

31 Virtual Private Network


Download ppt "Internet Security Seminar Class CS591 Presentation Topic: VPN."

Similar presentations


Ads by Google