Virtual Private Networks (VPNs) and IP Security (IPSec), G53ACC, Chris Greenhalgh (presentation transcript)


Slide 2: Contents
- What is a VPN?
- Types of VPN
- Standards
- How does it work?
- Issues
- Books: Comer ch. 15.5, 40.13, 40.14; Stallings 6th Ed. ch. 18.5 ("IPv4/IPv6 security")

Slide 3: What is a VPN? (1)
- Public network:
  - Shared network using common networking infrastructure, e.g. the Internet
[Figure: a public network (insecure, open) carrying traffic from both trusted machines and malicious machines]

Slide 4: What is a VPN? (2)
- Private network:
  - Dedicated network, specific to a single company/organisation
- More secure, guaranteed quality of service, but more expensive
[Figure: a private network connecting only trusted machines; untrusted machines have no physical access to the private network]

Slide 5: What is a VPN? (3)
- Virtual Private Network:
  - Benefits of a private network, but making use of a public network to carry packets
- Secure, cheaper than a private network
[Figure: a VPN between trusted machines carried over the public network (insecure, open); other machines can access packets on the public network but cannot read/write VPN data]

Slide 6: VPN Overview
[Figure: a regular IP packet enters a VPN access device (encrypt/decrypt, hardware or software), crosses the public network as an encrypted IP packet, and is restored to a regular IP packet by the VPN access device at the far side. A machine on the public network cannot understand encrypted packets and cannot forge encrypted packets. Virtual Private Network!]

Slide 7: Types of VPN (CISCO-speak!)
- Intranet VPN
  - Straight replacement for an internal private network
- Access VPN
  - Allows remote dial-up users (e.g. from a laptop) to securely 'join' the company intranet
  - Authentication is a critical concern! i.e. securely identifying the remote user/device
- Extranet VPNs
  - Include partner organisations, but retain additional security and QoS support over the public network(s)

Slide 8: Standards?
- E.g. the Internet IP Security (IPsec) standards:
  - RFCs 2401-2411 & 2451
- Includes standards:
  - Internet Key Exchange (IKE) (RFC 2409)
    - Allows peers to authenticate and establish secure session information
  - Authentication Header (AH) (RFC 2402)
    - Packet (& header) integrity & authentication
  - Encapsulated Security Payload (ESP) (RFC 2406)
    - Additionally, packet contents are encrypted
- (Or Microsoft protocols, MPPE, MMTP?)

Slide 9: How does it work?
- Transport mode
  - End systems negotiate an IKE Security Association (SA) directly and use AH and/or ESP on packets sent to each other.
- Tunnel mode (more common)
  - Intermediate systems (e.g. access routers, firewalls) negotiate IKE SAs and tunnel packets to each other (with AH and/or ESP).
[Figure: two hosts behind routers. Transport mode: secured packets travel end to end between the hosts. Tunnel mode: normal packets between each host and its router, secured packets between the routers]

Slide 10: Security Association (SA)
- Unidirectional logical channel between two hosts
  - A logical secure 'connection' for 'connectionless' IP packets!
- Typically defines:
  - Protocol; chosen ciphers, e.g. the HMAC hash function
  - Shared secret key
- Identified by:
  - Security protocol (AH or ESP) identifier
  - Destination IP address (not source, as stated in some texts)
  - 32-bit connection identifier or Security Parameter Index (SPI), selected by the destination host
- Established before secure communication can take place
  - e.g. using IKE, or pre-configured

Slide 11: Authentication Header protocol
- AH fields:
  - Next Header: points to the TCP/UDP segment
  - Security Parameter Index: identifies the SA
  - Sequence Number (32-bit): prevents playback/MITM
  - Authentication Data: signed message digest for the whole IP datagram (e.g. DES, MD5, or SHA)
- Uses the HMAC authentication scheme (see RFC 2104) with the shared secret key:
  - Hash(Key XOR opad, Hash(Key XOR ipad, text))
[Figure: IP Header | AH Header | TCP/UDP Segment; the IP header's protocol field is 51]
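The HMAC construction on the slide, written out from the hash primitive and used the way AH uses it, as an added example that is not part of the original presentation. It assumes HMAC-SHA-1-96 (RFC 2404, which truncates the tag to 96 bits) for the AH authentication data, and the packet bytes and key are constructed stand-ins.

```python
import hashlib
import hmac  # standard library; used only to cross-check the hand-rolled version

def hmac_rfc2104(key: bytes, text: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC exactly as on the slide: Hash(Key XOR opad, Hash(Key XOR ipad, text)),
    with the RFC 2104 key handling (hash keys longer than a block, zero-pad the rest)."""
    block_size = hashlib.new(hash_name).block_size  # B = 64 bytes for MD5 and SHA-1
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()  # long keys are hashed first
    key = key.ljust(block_size, b"\x00")            # then zero-padded to B bytes
    ipad = bytes(b ^ 0x36 for b in key)             # inner pad constant 0x36
    opad = bytes(b ^ 0x5C for b in key)             # outer pad constant 0x5C
    inner = hashlib.new(hash_name, ipad + text).digest()
    return hashlib.new(hash_name, opad + inner).digest()

def ah_icv(key: bytes, covered: bytes) -> bytes:
    """AH Authentication Data with HMAC-SHA-1-96 (RFC 2404): first 96 bits of the HMAC.
    `covered` stands for the immutable IP header fields, the AH header (ICV zeroed)
    and the payload that AH authenticates."""
    return hmac_rfc2104(key, covered, "sha1")[:12]

def ah_verify(key: bytes, covered: bytes, icv: bytes) -> bool:
    """Constant-time comparison so timing does not reveal how many ICV bytes matched."""
    return hmac.compare_digest(ah_icv(key, covered), icv)

# Constructed sample: a stand-in for the authenticated part of one AH datagram.
SA_KEY = b"constructed-shared-secret-key"
PACKET = b"src=10.0.0.1 spi=0x1001 seq=7 payload=hello"

def demo() -> dict:
    icv = ah_icv(SA_KEY, PACKET)
    # A host in the middle rewrites the source address but cannot recompute the ICV.
    tampered = PACKET.replace(b"src=10.0.0.1", b"src=10.0.0.9")
    return {
        "genuine": ah_verify(SA_KEY, PACKET, icv),        # True
        "tampered": ah_verify(SA_KEY, tampered, icv),     # False: the HMAC covers the source address
        "wrong_key": ah_verify(b"other-key", PACKET, icv),  # False: only SA peers hold the key
        "matches_stdlib": hmac_rfc2104(SA_KEY, PACKET)
            == hmac.new(SA_KEY, PACKET, hashlib.sha1).digest(),
    }
```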

Slide 12: AH Notes
- Only the parties sharing the SA's secret key can compute the Hashed Message Authentication Code (HMAC)
- The HMAC covers the source IP address, SPI, sequence number and payload
- Therefore:
  - Another host cannot construct a packet appearing to come from the source host with a correct (for that source) HMAC
  - Another host cannot re-generate a correct HMAC for that source if it changes any part of the packet in transit
  - Replay is easily detected, and packets with a repeated sequence number are dropped early in processing
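The replay check from the last bullet, as an added example that is not part of the original presentation: a receiver-side sliding window over the 32-bit AH sequence number in the style of RFC 2401 Appendix C (the 64-packet window size is that RFC's default, assumed here). The sequence of packets fed to it is constructed.

```python
class AntiReplayWindow:
    """Sliding-window replay detection on an SA's sequence numbers (assumed W = 64)."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0        # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0     # bit i set => sequence number (top - i) already accepted

    def check(self, seq: int) -> bool:
        """Cheap test done before the ICV is verified: drop replays and stale packets early."""
        if seq == 0:
            return False                    # the first packet on an SA carries seq 1
        if seq > self.top:
            return True                     # new high-water mark, always worth verifying
        diff = self.top - seq
        if diff >= self.size:
            return False                    # older than the window: cannot tell, so drop
        return not (self.bitmap >> diff) & 1  # inside the window: reject if already seen

    def update(self, seq: int) -> None:
        """Record an accepted packet; called only after its ICV verified correctly."""
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask  # slide right edge to seq
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

def process(seqs, size: int = 64):
    """Run a constructed stream of sequence numbers through one SA's window."""
    window = AntiReplayWindow(size)
    verdicts = []
    for seq in seqs:
        ok = window.check(seq)
        if ok:
            window.update(seq)   # stands in for "ICV verified, then update"
        verdicts.append((seq, "accept" if ok else "drop"))
    return verdicts

# Constructed stream: in-order packets, a replay of 2, a late-arriving 4 within the
# window, a replay of 1, a jump to 70, then 6 (now too old) and 7 (still inside).
SAMPLE = [1, 2, 3, 2, 5, 4, 1, 70, 6, 7]
```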

Slide 13: Encapsulated Security Payload protocol
- Header includes:
  - Security Parameter Index: as per AH
  - Sequence Number (32-bit): as per AH
- Encryption: e.g. DES-CBC
- Trailer includes:
  - Next Header: encrypted, so the segment protocol is hidden
- Authentication trailer: as per AH authentication data (optional, per SA)
[Figure: IP Header | ESP Header | TCP/UDP Segment | ESP Trailer | ESP Auth.; the IP header's protocol field is 50; the segment and ESP trailer are encrypted; the ESP header, segment and trailer are authenticated]

Slide 14: ESP Notes
- Can be used as above in transport mode
  - NB: does not authenticate or encrypt the IP header info (AH does authenticate the IP header info)
- Can also be used in tunnel mode:
  - Encrypts and authenticates all of the original packet
  - Especially between security gateways, but also between hosts
[Figure: New IP Header | ESP Header | Original IP Header | TCP/UDP Segment | ESP Trailer | ESP Auth.; the new IP header's protocol field is 50; the original IP header, segment and ESP trailer are encrypted; the ESP header through the ESP trailer are authenticated]

Slide 15: Issues
- Configuration
  - Public key infrastructure (or shared initial secrets) for IKE SA establishment
  - Security policies: defining what is allowed
- Resources/deployment
  - Client IPsec software for transport mode
  - VPN-capable routers for tunnel mode
  - Encryption CPU costs (e.g. extra router hardware support)
