Virtual Private Networks (VPNs)
Source: VPN Technologies: Definitions and Requirements. VPN Consortium, July 2008.


Slide 1: Virtual Private Networks (VPNs)
Source: VPN Technologies: Definitions and Requirements. VPN Consortium, July 2008.
– A private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.

Slide 2: VPN
Source:
– A restricted-use, logical (i.e., artificial or simulated) computer network that is constructed from the system resources of a relatively public, physical (i.e., real) network (such as the Internet), often by using encryption (located at hosts or gateways), and often by tunneling links of the virtual network across the real network.
– For example, if a corporation has LANs at several different sites, each connected to the Internet by a firewall, the corporation could create a VPN by (a) using encrypted tunnels to connect from firewall to firewall across the Internet and (b) not allowing any other traffic through the firewalls.
– A VPN is generally less expensive to build and operate than a dedicated real network, because the virtual network shares the cost of system resources with other users of the real network.
(T. A. Yang, Network Security)

Slide 3: Characteristics of VPNs
End-to-end communications between two end points
– End points: routers, firewalls, servers, hosts
Virtual Private Networks
– Shared?

Slide 4: Alternative Definition of VPN?
A VPN is a means of carrying private traffic over a public network.
– Often used to connect two private networks, over a public network, to form a virtual network.
– The word "virtual" means that, to the users on either end, the two private networks seem to be seamlessly connected to each other. That is, they are part of a single virtual private network (although physically they are two separate networks).
– Implication? Connectivity, security, privacy: the VPN should provide the same connectivity and privacy you would find on a typical local private network.

Slide 5: Classifications of VPNs
Based on encryption:
– Encrypted VPNs
– Non-encrypted VPNs
Based on the OSI model:
– Data link layer VPNs
– Network layer VPNs
– Application layer VPNs
Based on business functionality:
– Intranet VPNs
– Extranet VPNs

Slide 6: VPNs at different OSI layers
The layer where a VPN is constructed affects its functionality.
– Example: in encrypted VPNs, the layer where encryption occurs determines (i) how much traffic gets encrypted and (ii) the level of transparency for the end users.
Data link layer VPNs (Layer 2)
– Example protocols: Frame Relay, ATM
– Drawbacks: expensive (requires dedicated Layer 2 pathways); may not have complete security, since protection is mainly segregation of the traffic based on the type of Layer 2 connection.
– Q: Is L2TP a layer 2 VPN?

Slide 7: VPNs at different OSI layers
Network layer VPNs (Layer 3)
– Created using layer 3 tunneling and/or encryption
– Q: What is the difference between encapsulation and tunneling?
– Examples: IPsec, GRE, L2TP (tunneling layer 2 traffic by using the IP layer to carry it)
– Advantages: a "proper" layer
– Low enough: transparency
– High enough: IP addressing
Cisco focuses on this layer for its VPNs.

Slide 8: VPNs at different OSI layers
Application layer VPNs
– Created to "work" specifically with certain applications
– Examples: SSL-based VPNs (providing encryption between web browsers and servers running SSL); SSH (encrypted and secure login sessions to network devices)
– Drawbacks: may not be seamless (transparency issue)
– Counter-argument: OpenVPN and the SSL VPN Revolution (Hosner, 2004):
"The myth that Secure Socket Layer (SSL) Virtual Private Network devices (VPNs) are used to connect applications together is not true. … A VPN is a site-to-site tunnel. … There is a terrible misunderstanding in the industry right now that pigeon-holes SSL VPNs into the same category with SSL enabled web servers and proxy servers. … A VPN, or Virtual Private Network, refers to simulating a private network over the public Internet by encrypting communications between the two private end-points. … A VPN device is used to create an encrypted, non-application oriented tunnel between two machines that allows these machines or the networks they service to exchange a wide range of traffic regardless of application or protocol. This exchange is not done on an application by application basis. It is done on the entire link between the two machines or networks and arbitrary traffic may be passed over it. …"

Slide 9: Other Classifications of VPNs?
– Intranet VPNs vs. Extranet VPNs
– Remote Access VPNs vs. Site-to-site VPNs

Slide 10: Types of VPNs
Trusted
– Non-cryptographic
– Data move over a set of paths that has specified properties and is controlled by one ISP or a trusted confederation of ISPs.
– Examples: Layer 2 frames over MPLS (Multiprotocol Label Switching)
Secure
– Cryptographic
– Examples: IPsec with encryption, SSL with encryption, L2TP over IPsec, PPTP over MPPE
Hybrid

Slide 11: Why Hybrid VPNs?
– Secure VPNs provide security but no assurance of paths.
– Trusted VPNs provide assurance of properties of paths such as QoS, but no security from snooping or alteration.
– A typical situation for hybrid VPN deployment is when a company already has a trusted VPN in place and some parts of the company also need security over part of the VPN.

Slide 12: Requirements for Secure VPNs
1. All traffic on the secure VPN must be encrypted and authenticated.
2. The security properties of the VPN must be agreed to by all parties in the VPN. Secure VPNs have one or more tunnels, and each tunnel has two endpoints. The administrators of the two endpoints of each tunnel must be able to agree on the security properties of the tunnel.
3. No one outside the VPN can affect the security properties of the VPN.

Slide 13: Requirements for Trusted VPNs
1. No one other than the trusted VPN provider can affect the creation or modification of a path in the VPN.
2. No one other than the trusted VPN provider can change data, inject data, or delete data on a path in the VPN.
– Although the paths are typically shared among many customers of a provider, the path itself must be specific to the VPN, and no one other than the trusted provider can affect the data on that path.
3. The routing and addressing used in a trusted VPN must be established before the VPN is created.

Slide 14: Requirements for Hybrid VPNs
The address boundaries of the secure VPN within the trusted VPN must be extremely clear.
– In a hybrid VPN, the secure VPN may be a subset of the trusted VPN, such as when one department in a corporation runs its own secure VPN over the corporate trusted VPN.
– For any given pair of addresses in a hybrid VPN, the VPN administrator must be able to definitively say whether or not traffic between those two addresses is part of the secure VPN.

Slide 15: VPN Deployments
– Internet VPNs
– Intranet VPNs
– Extranet VPNs

Slide 16: VPN Technologies
Trusted
– MPLS with constrained distribution of routing information through BGP ("layer 3 VPNs")
– Transport of layer 2 frames over MPLS ("layer 2 VPNs")
– Generic Routing Encapsulation (GRE)
Secure
– IPsec with encryption
– SSL with encryption (esp. secure remote access)
– L2TP over IPsec
Hybrid
– A secure VPN technology running over a trusted VPN technology

Slide 17: Generic Routing Encapsulation (GRE)
– Provides low-overhead tunneling (often between two private networks)
– Does not provide encryption
– Used to encapsulate an arbitrary network-layer protocol over another arbitrary network-layer protocol: delivery header + GRE header + payload packet
– Mostly IPv4 is the delivery mechanism for GRE, with any arbitrary protocol nested inside; e.g., IP protocol type 47 marks GRE packets carried in IPv4 headers
RFCs:
– RFC 1701, Generic Routing Encapsulation (GRE). S. Hanks, T. Li, D. Farinacci, P. Traina, October 1994 (Informational)
– RFC 2784, Generic Routing Encapsulation (GRE). D. Farinacci, T. Li, S. Hanks, D. Meyer, P. Traina, March 2000 (Proposed Standard)
– RFC 2890, Key and Sequence Number Extensions to GRE. G. Dommety, September 2000 (Proposed Standard)

Slide 18: Generic Routing Encapsulation
GRE header (based on RFC 1701, deprecated): Figure 11-2
GRE header (based on RFC 2784 & 2890): Figure 11-4
– C = 1: checksum present
– Checksum: ensures the integrity of the GRE header and the payload packet; contains a checksum of the GRE header and the payload packet
– Key: contains a number to prevent misconfiguration of packets; may be used to identify an individual traffic flow within a tunnel; not the same as a cryptographic key
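As an added illustration of the "delivery header + GRE header + payload" structure and the RFC 2784/2890 header fields described on the two slides above (example code written for this page, not taken from the slides or the RFCs), the following Python builds a GRE packet with the optional checksum, key and sequence number, verifies the checksum on receipt, and prepends a minimal IPv4 delivery header with protocol 47. Field layouts follow the RFCs; function names and the sample addresses in the usage are assumptions made for the example.

```python
import struct
GRE_FLAG_C = 0x8000        # C bit: checksum present (RFC 2784)
GRE_FLAG_K = 0x2000        # K bit: key present (RFC 2890)
GRE_FLAG_S = 0x1000        # S bit: sequence number present (RFC 2890)
GRE_VERSION_MASK = 0x0007  # version field must be 0 for RFC 2784 GRE

def ones_complement_sum(data: bytes) -> int:
    # 16-bit ones-complement sum (Internet checksum algorithm), zero-padded if odd length
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def build_gre(payload: bytes, proto: int, key=None, seq=None, checksum=True) -> bytes:
    # GRE header = flags/version + protocol type, then optional checksum, key, sequence number
    flags = GRE_FLAG_C * checksum | GRE_FLAG_K * (key is not None) | GRE_FLAG_S * (seq is not None)
    hdr = struct.pack("!HH", flags, proto)
    hdr += struct.pack("!HH", 0, 0) if checksum else b""  # checksum (zero for now) + reserved1
    hdr += struct.pack("!I", key) if key is not None else b""
    hdr += struct.pack("!I", seq) if seq is not None else b""
    pkt = hdr + payload
    if checksum:
        csum = (~ones_complement_sum(pkt)) & 0xFFFF  # RFC 2784: complement of sum over header+payload
        pkt = pkt[:4] + struct.pack("!H", csum) + pkt[6:]
    return pkt

def parse_gre(pkt: bytes) -> dict:
    # Decapsulate; a receiver drops packets with a bad checksum or an unexpected key
    flags, proto = struct.unpack("!HH", pkt[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("not RFC 2784 GRE (version != 0)")
    info = {"proto": proto, "checksum_ok": None, "key": None, "seq": None}
    off = 4
    if flags & GRE_FLAG_C:
        info["checksum_ok"] = ones_complement_sum(pkt) == 0xFFFF  # intact packet sums to 0xFFFF
        off += 4
    for flag, name in ((GRE_FLAG_K, "key"), (GRE_FLAG_S, "seq")):
        if flags & flag:
            info[name] = struct.unpack("!I", pkt[off:off + 4])[0]
            off += 4
    info["payload"] = pkt[off:]
    return info

def wrap_ipv4(src: bytes, dst: bytes, gre: bytes) -> bytes:
    # Minimal IPv4 delivery header (no options): protocol 47 = GRE, header checksum over 20 bytes
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0, 64, 47, 0, src, dst)
    csum = (~ones_complement_sum(hdr)) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + gre
```

Note that the checksum only detects accidental corruption and the key only guards against misconfiguration; neither authenticates the tunnel, which is why the next slide pairs GRE with IPsec.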

Slide 19: Generic Routing Encapsulation
Summary:
– GRE mainly performs "tunneling".
– Does not provide a means to securely encrypt its payload.
– Often relies on the application layer to provide encryption.
– May be used together with network layer encryption (such as IPsec).
Example 1: use GRE to encapsulate non-IP traffic and then encrypt the GRE packet using IPsec.
Example 2: use GRE to encapsulate multicast traffic, and then encrypt the GRE packet using IPsec.
Question: Why not simply use IPsec?

Slide 20: Generic Routing Encapsulation
Case studies:
– A GRE tunnel connecting two private networks: Figure 11-5
– GRE between multiple sites: Figure 11-6
– GRE between two sites running IPX
