Download presentation
Presentation is loading. Please wait.
Published byAdam Shepherd Modified over 9 years ago
1
CIT 384: Network AdministrationSlide #1 CIT 384: Network Administration VPNs
2
CIT 384: Network AdministrationSlide #2 Topics 1.VPNs 2.Tunneling 3.ssh 4.SSL 5.IPsec 6.L2TP
3
CIT 384: Network AdministrationSlide #3 VPNs VPNs try to provide leased line features Privacy: preventing unauthorized people from being able to read VPN traffic. Authentication: verifying that sender of VPN is an authorized device. Integrity: verifying data is not changed in transit. using a public network at lower cost.
4
CIT 384: Network AdministrationSlide #4 VPN Example 1.PC1 sends IP packet to S1 2.Router encapsulates IP in VPN+IP headers 3.No one can read packet in the middle 4.ASA-1 checks security and de-encapsulates. 5.S1 receives IP packet from PC1.
5
CIT 384: Network AdministrationSlide #5 VPN Types Remote Access: individual user to network. Intranet: connect networks of two sites. Extranet: connect networks of two partnering organizations.
6
CIT 384: Network AdministrationSlide #6 Tunneling Tunneling: Encapsulation of one network protocol in another protocol –Carrier Protocol: protocol used by network through which the information is travelling –Encapsulating Protocol: protocol (GRE, IPsec, L2TP) that is wrapped around original data –Passenger Protocol: protocol carries original data
7
CIT 384: Network AdministrationSlide #7 Tunneling Protocols by Layer Application Transport Network Data Link ssh, SSL IPsec L2TP, MPLS
8
CIT 384: Network AdministrationSlide #8 ssh Secure Shell Replaces telnet ftp rlogin rsh rcp
9
CIT 384: Network AdministrationSlide #9 SSH Security Features
10
CIT 384: Network AdministrationSlide #10 ssh tunneling.Use ssh tunneling to encrypt TCP connections ssh –L lport:rhost:rport rhost –Carrier Protocol: IP –Encapsulating Protocol: ssh –Passenger Protocol: TCP on a specific port
11
CIT 384: Network AdministrationSlide #11 SSL/TLS Secure Sockets Layer –Commonly used to encrypt web connections. –Also used for IMAP, LDAP, POP, etc. –Transport Layer Security supersedes SSLv3 Can be used to create tunnels –Configure similarly to ssh tunnels. –Stunnel is open source SSL tunnel software.
12
CIT 384: Network AdministrationSlide #12 IPsec IPsec includes three major protocols –Internet Key Exchange (IKE) Provides a framework for negotiating security parameters. –Encapsulating Security Payload (ESP) Provides a framework for encrypting, authenticating, and securing data. –Authentication Header (AH) provides a framework for authenticating and securing data.
13
CIT 384: Network AdministrationSlide #13 IPsec General Operation To communicate with IPsec, devices must –Agree on a set of security protocols. –Agree on an encryption algorithm. –Exchange cryptographic keys. –Use above to encode and decode data.
14
CIT 384: Network AdministrationSlide #14 IPsec Packet Encapsulation Transport Mode –Original IP header of packet that is being encrypted is used to transport the packet. –ESP or AH header inserted btw IP header and payload. Tunnel Mode –New IP header is added in front of ESP/AH header. This header contains IP addresses of the two IP peers as source + destination.
15
CIT 384: Network AdministrationSlide #15 IKE IKE handles –Negotiating protocol parameters –Exchanging public keys –Authenticating both sides –Managing keys after exchange IKE is a UDP-based protocol.
16
CIT 384: Network AdministrationSlide #16 ESP Encapsulates IP packet to provide –Authentication –Encryption –Integrity validation –Anti-replay IP protocol 50, described in RFC 2406
17
CIT 384: Network AdministrationSlide #17 AH Authentication Header provides auth + integrity –Uses keyed hash algorithm as checksum. –Unlike CRC, cannot be reproduced w/o key. –Also protects against replay attacks. –Does not encrypt packet contents.
18
CIT 384: Network AdministrationSlide #18 NAT Transparency PAT can’t change encrypted transport header. Solution: add an extra UDP header.
19
CIT 384: Network AdministrationSlide #19 GRE Generic Routing Encapsulating –Cisco IP tunneling protocol. –Allows use of multicast protocols. –Combine with IPsec to allow routing information to be passed btw networks. IP protocol 47
20
CIT 384: Network AdministrationSlide #20 L2TP Open successor to –L2F (Cisco) –PPTP (MS) Layer 2 tunnel so it supports any layer 3 protocols. –Encapsulates in UDP datagram to port 1701 Does not provide encryption or authentication. Use with IPsec
21
CIT 384: Network AdministrationSlide #21 Key Points Tunneling –Carrier Protocol –Encapsulating Protocol –Passenger Protocol VPNs –layer 4: ssh, SSL –layer 3: IPsec –layer 2: L2TP IPsec –ESP –AH –IKE –Tunnel mode vs transport mode
22
CIT 384: Network AdministrationSlide #22 References 1.Daniel J. Barrett, Robert G. Byrnes, Richard E. Silverman, SSH, The Secure Shell, 2 nd edition, O’Reilly, 2005. 2.Vijay Bollapragda, IPsec VPN Design, Cisco Press, 2005. 3.James Boney, Cisco IOS in a Nutshell, 2 nd edition, O’Reilly, 2005. 4.Cisco, Cisco Connection Documentation, http://www.cisco.com/univercd/home/home.htm http://www.cisco.com/univercd/home/home.htm 5.Cisco, Internetworking Basics, http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/introint.ht m http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/introint.ht m 6.Saadat Malik, Network Security Principles and Practices, Cisco Press, 2002. 7.Wendell Odom, CCNA Official Exam Certification Library, 3 rd edition, Cisco Press, 2007.
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.