Virtual Private Network (VPN)

VPN – Technologies and Solutions
CS158B Network Management
April 11, 2005
Alvin Tsang
Eyob Solomon
Wayne Tsui
Virtual Private Network (VPN)
A private network constructed within a public network infrastructure, such as the global Internet.
Two categories of VPNs:
- A remote access VPN enables remotely located employees to communicate with a central location.
- A site-to-site VPN interconnects two private networks via a public network such as the Internet.
Protocols used by VPN
Point-to-Point Tunneling Protocol (PPTP)
- Simple VPN technology based on the Point-to-Point Protocol (PPP).
- Supports multiple encapsulation, authentication, and encryption methods.
Layer 2 Tunneling Protocol (L2TP)
- Combination of PPTP and Layer 2 Forwarding (L2F).
- Two L2TP endpoint roles:
  - L2TP Access Concentrator (LAC)
  - L2TP Network Server (LNS)
Internet Protocol Security (IPSec)
- Framework for protecting the confidentiality and integrity of data in transit.
- A common use of IPSec is the construction of a VPN.
IPSec Protocols
IPSec defines a new set of headers to be added to IP datagrams.
ESP - confidentiality, data integrity, and data source authentication (RFC 2406)
  [IP Header][ESP Header][Protected Data][ESP Trailer]
AH - data integrity, source authentication (RFC 2402)
  [IP Header][AH Header][Protected Data]
IPSec Modes
Transport Mode
- Protects the upper-layer protocol; the endpoints (IP addresses) stay exposed.
- The IPSec header is inserted between the IP header and the upper-layer protocol header.
Tunnel Mode
- The entire IP packet is protected and becomes the payload of a new packet.
- The IPSec header is inserted between the outer and inner IP headers.
- Used by gateways for VPN: the gateway performs encryption on behalf of the hosts.
IPSec SA
- A relationship between entities defining how they communicate securely.
- Unidirectional: two per pair of peers, one from A to B and one from B to A.
- Identified by an SPI, a destination address, and a security protocol identifier.
IPSec Phases
SPD
- The Security Policy Database maintains the IPSec policy.
- Each entry defines the traffic to be protected and how to protect it.
- Three actions on a traffic match: discard, bypass and protect.
- IP traffic is mapped to an IPSec policy entry by selectors.
IKE
- Establishes security parameters and authentication (SAs) between IPSec peers.
- IKE SAs define the way in which two peers communicate: which algorithm to use to encrypt IKE traffic, and how to authenticate the remote peers.
- The SPD instructs IKE what to establish; IKE establishes IPSec SAs based on its own policy settings.
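As an added illustration of the SPD and IKE relationship on this slide (a constructed example, not code from the slides or from any IPsec implementation): an outbound packet is matched against ordered SPD entries, given one of the three actions, and for "protect" looked up in a small SA table keyed by the (SPI, destination, protocol) triple the SA slide describes; a missing SA is the point where IKE would be asked to negotiate one. The SpdEntry and Sa types, the policy entries, the addresses and the SPI value are all assumptions made for the example.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Constructed SPD entry: selectors plus the slide's three actions (discard, bypass,
# protect); for "protect" it also names the security protocol, mode and tunnel peer.
@dataclass
class SpdEntry:
    src: str                         # local side, CIDR
    dst: str                         # remote side, CIDR
    proto: Optional[int]             # IP protocol number, None = any
    dport: Optional[int]             # destination port, None = any
    action: str                      # "discard" | "bypass" | "protect"
    sec_proto: Optional[str] = None  # "ESP" or "AH"
    mode: Optional[str] = None       # "tunnel" or "transport"
    peer: Optional[str] = None       # tunnel endpoint (outer IP destination)
# An SA is identified by the triple (SPI, destination address, security protocol).
Sa = namedtuple("Sa", "spi dst sec_proto")

def _match(e, pkt):
    """True when every selector of entry e covers pkt (None selector = wildcard)."""
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(e.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(e.dst)
            and e.proto in (None, pkt["proto"])
            and e.dport in (None, pkt.get("dport")))
def spd_lookup(spd, pkt):
    """Ordered first-match walk; None means no entry covers the packet."""
    return next((e for e in spd if _match(e, pkt)), None)

def outbound_decision(spd, sad, pkt):
    """Return (action, SA). For "protect", SA is None when no SA exists yet;
    that is the point where the SPD tells IKE which SA to establish."""
    e = spd_lookup(spd, pkt)
    if e is None or e.action == "discard":   # unmatched traffic is dropped, not leaked
        return ("discard", None)
    if e.action == "bypass":
        return ("bypass", None)
    # Tunnel mode keys the SA on the peer gateway (outer IP dst); transport on the real dst.
    sa_dst = e.peer if e.mode == "tunnel" else pkt["dst"]
    sa = next((s for s in sad if s.dst == sa_dst and s.sec_proto == e.sec_proto), None)
    return ("protect", sa)
# Constructed site-to-site gateway policy (first match wins) and one negotiated SA.
SPD = [
    SpdEntry("10.1.0.0/16", "10.2.0.0/16", None, None, "protect", "ESP", "tunnel", "203.0.113.2"),
    SpdEntry("0.0.0.0/0", "203.0.113.2/32", 17, 500, "bypass"),  # IKE (UDP/500) to the peer
    SpdEntry("10.1.0.0/16", "0.0.0.0/0", None, None, "bypass"),  # ordinary Internet traffic
    SpdEntry("0.0.0.0/0", "0.0.0.0/0", None, None, "discard"),
]
SAD = [Sa(0x1001, "203.0.113.2", "ESP")]
```

Note that the IKE bypass entry precedes the catch-all rules: IKE traffic to the peer must itself travel unprotected, otherwise no SA could ever be negotiated.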
Phase 1 communication
- Identify the peers.
- Create IKE SAs by authentication and key exchange.
- One side offers a set of algorithms; the other side accepts or rejects. Key material is derived for use by IPSec with AH, ESP or both.
Phase 2 communication
- IPSec SA negotiations take place under the protection of the IKE SAs created in phase 1.
- The IPSec shared key is derived using Diffie-Hellman or by refreshing the existing shared secret.
VPN Solutions
- Access VPN: offers remote access to a company's Intranet or Extranet. Example: employees who are on a business trip or in a home office.
- Intranet VPN: offers the Intranet connection. Example: branch offices.
- Extranet VPN: offers the Extranet connection. Example: business partners, customers.
VPN Solutions – Benefits
Access VPN
- Economical: Internet access vs. long-distance dialup
- Secure
Intranet VPN
- Economical: ISP vs. dedicated connection
- Flexible: topological design, new offices
- Reliable: redundant ISPs
- Secure
Extranet VPN
- Same as Intranet VPN
- Management, authentication and authorization
VPN Example
VPN Example - Extranet VPN
Conclusion
- Cheaper and Secure, Go for it!
Q&A
Any questions?