VIRTUAL PRIVATE NETWORKS
KARTHIK MOHANASUNDARAM
WRIGHT STATE UNIVERSITY
Abstract
The main purpose of this presentation is to discuss the concept of virtual private networks, the reasons that led to the development of this concept, and the technology behind it.
Evolution of Concept
• The language of the Internet is IP [Internet Protocol]
• Everything travels on top of IP
• IP itself provides no ‘Security’: no confidentiality, no integrity check and no authentication of the source address
• IP packets can be read, manipulated en route, replayed and forged
Virtual Private Network
• A virtual private network is the extension of a private network that encompasses links across shared or public networks like the Internet
• Emulates a point-to-point private link
Continued ..
Types of VPN Connection
• Router-to-Router VPN connection
• Intranet-based VPN connections
• Internet-based VPN connections
• Combined Internet & Intranet VPNs
• Remote Access VPN connection
Elements of VPN
• VPN Server
• VPN Client
• VPN Connection
• Tunnel
• Transit Public Network
Tunneling
• Tunneling is the act of encapsulating ordinary (unprotected) IP packets inside other IP packets so that they can cross the transit public network
• A tunnel by itself only encapsulates; privacy comes from encrypting everything that goes into the tunnel and decrypting it as it comes out, which is what IPSec adds and what a bare L2TP tunnel lacks
Tunneling Protocols
• Point-to-point tunneling protocol
[PPTP]
• Layer 2 tunneling protocol [L2TP]
• Internet protocol security [IPSec]
Disadvantages of PPTP
• Mainly developed for the Windows world
• Developed by Microsoft for creating tunnels in Windows NT™
• Built on top of the Point-to-Point Protocol (PPP)
• Weak encryption capabilities: the MPPE keys derive from the MS-CHAP password exchange, and MS-CHAPv2 can be cracked offline from a captured handshake
Credentials of L2TP
• Derived from Cisco Systems® L2F (and PPTP), standardised by the IETF as RFC 2661
• Operates at the data-link layer (layer 2): it tunnels PPP frames
• Runs over UDP (port 1701) as opposed to TCP [UDP is a faster, leaner and less reliable protocol]
• L2TP is “Firewall Friendly”
• L2TP has no encryption of its own, which is why it is normally combined with IPSec
Credentials of IPSec
• Developed by foremost encryption experts
• Allows support of multiple encryption algorithms
• Provides an ‘integrity check’ of the IP packets
• Authenticates the peers using machine-level certificates (public key encryption) or pre-shared keys
• Provides excellent encryption technology, which is why L2TP uses IPSec as the default
Deep into IPSec
Internet Protocol Security [IPSec] is a suite of protocols developed by the IETF that seamlessly integrate security into IP and provide data-source authentication, data integrity, confidentiality and anti-replay protection.
Continued ..
The IPSec suite comprises :
• Authentication Header [responsible for authenticating the IP traffic]
• Encapsulating Security Payload [responsible for encrypting, and optionally authenticating, the IP traffic]
• Key Management [Responsible for several
services mainly for managing & exchanging
keys]
Authentication Header
• Inserted between the IP header and the payload (transport mode), or between the outer IP header and the whole original packet (tunnel mode)
The AH comprises :
• Next Header and Payload Length
• Security Parameter Index (SPI)
• Sequence Number
• Authentication Data (the integrity check value, ICV)
Continued ..
• The Security Parameter Index (SPI), together with the destination address, tells the receiver which Security Association, and therefore which algorithm and key, the sender used
• The Sequence Number is a counter incremented for every packet sent on that Security Association; the receiver uses it to detect replayed packets
• The Authentication Data is a keyed integrity check value (e.g. HMAC-SHA1-96) computed over the payload and the immutable fields of the IP header; it is not a public-key digital signature
Continued ..
Encapsulating Security Payload
• Handles encryption of IP data at packet level
• Comprises the same SPI, Sequence Number and Authentication Data fields as the Authentication Header
• Provides the additional functionality of encryption
• Pads the data so the encrypted part has the length the cipher requires, and carries the pad length and a Next Header byte in a trailer
• Preferred when both encryption and authentication are required
• Unlike AH, its integrity check does not cover the outer IP header, so ESP survives address translation where AH cannot
Continued ..
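The ESP framing, trailer padding and sequence-number handling described on the Authentication Header and ESP slides, together with the encapsulation step from the Tunneling slide, as an added example written for this page; it is not code from the presentation or from FreeS/WAN. It assumes AES-GCM (RFC 4106), where the GCM tag serves as the Authentication Data, rather than a separate cipher plus HMAC; the key, salt, SPI and the inner IPv4 datagram are constructed values, and NewSA, Encapsulate, Decapsulate and the 64-packet window are this example's own names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// SA is one direction of an ESP Security Association using AES-GCM (RFC 4106).
// On a real gateway the key and salt come from IKE; here they are constructed.
type SA struct {
	SPI     uint32
	aead    cipher.AEAD
	salt    [4]byte // fixed first 4 bytes of every 12-byte nonce on this SA
	seq     uint32  // sender: last sequence number used
	lastSeq uint32  // receiver: highest sequence number accepted so far
	window  uint64  // receiver: bit i set means lastSeq-i was already accepted
}

func NewSA(spi uint32, key []byte, salt [4]byte) (*SA, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &SA{SPI: spi, aead: aead, salt: salt}, err
}

// Encapsulate wraps inner in ESP: SPI | Seq | IV | ciphertext | ICV. In tunnel mode
// inner is a whole IP datagram and nextHeader is 4 (IP-in-IP); the ICV is the GCM tag.
func Encapsulate(sa *SA, inner []byte, nextHeader byte) ([]byte, error) {
	// ESP trailer: pad bytes 1,2,3,... until inner|pad|padLen|nextHeader is
	// 4-byte aligned, then the pad length and the Next Header byte.
	padLen := (4 - (len(inner)+2)%4) % 4
	plain := append([]byte{}, inner...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i))
	}
	plain = append(plain, byte(padLen), nextHeader)
	sa.seq++ // a new SA must be negotiated before this counter could wrap
	hdr := make([]byte, 16)
	binary.BigEndian.PutUint32(hdr[0:4], sa.SPI)
	binary.BigEndian.PutUint32(hdr[4:8], sa.seq)
	if _, err := rand.Read(hdr[8:]); err != nil { // fresh 8-byte IV per packet
		return nil, err
	}
	return sa.aead.Seal(hdr, append(sa.salt[:], hdr[8:]...), plain, hdr[:8]), nil
}

// Anti-replay window (RFC 4303 section 3.4.3): replayCheck runs before the ICV
// is verified; replayUpdate moves the window only after the ICV has passed.
func (sa *SA) replayCheck(seq uint32) error {
	if seq == 0 || (seq < sa.lastSeq && sa.lastSeq-seq >= 64) {
		return errors.New("sequence number zero or too old for the window")
	}
	if seq <= sa.lastSeq && sa.window&(1<<(sa.lastSeq-seq)) != 0 {
		return errors.New("replayed sequence number")
	}
	return nil
}

func (sa *SA) replayUpdate(seq uint32) {
	if seq > sa.lastSeq { // slide the window; a shift of 64 or more clears it
		sa.window, sa.lastSeq = sa.window<<(seq-sa.lastSeq), seq
	}
	sa.window |= 1 << (sa.lastSeq - seq)
}

// Decapsulate checks SPI, replay window and ICV, then decrypts and strips the trailer.
func Decapsulate(sa *SA, pkt []byte) ([]byte, byte, error) {
	if len(pkt) < 16+2+sa.aead.Overhead() || binary.BigEndian.Uint32(pkt[0:4]) != sa.SPI {
		return nil, 0, errors.New("packet too short or SPI not for this SA")
	}
	seq := binary.BigEndian.Uint32(pkt[4:8])
	if err := sa.replayCheck(seq); err != nil {
		return nil, 0, err
	}
	plain, err := sa.aead.Open(nil, append(sa.salt[:], pkt[8:16]...), pkt[16:], pkt[:8])
	if err != nil {
		return nil, 0, errors.New("ICV mismatch: packet forged or corrupted")
	}
	sa.replayUpdate(seq) // only a packet that passed the ICV counts as seen
	padLen, nextHeader := int(plain[len(plain)-2]), plain[len(plain)-1]
	if padLen > len(plain)-2 {
		return nil, 0, errors.New("bad pad length")
	}
	return plain[:len(plain)-2-padLen], nextHeader, nil
}

// innerPacket is a constructed IPv4/UDP datagram (checksum left zero) entering the tunnel.
var innerPacket = append([]byte{0x45, 0, 0, 28, 0, 1, 0, 0, 64, 17, 0, 0,
	10, 0, 1, 2, 10, 0, 2, 3}, []byte("PAYLOAD!")...)

func main() {
	tx, _ := NewSA(0x1001, []byte("0123456789abcdef"), [4]byte{1, 2, 3, 4})
	rx, _ := NewSA(0x1001, []byte("0123456789abcdef"), [4]byte{1, 2, 3, 4})
	pkt, _ := Encapsulate(tx, innerPacket, 4)
	inner, nh, err := Decapsulate(rx, pkt)
	_, _, replay := Decapsulate(rx, pkt) // the same packet delivered twice
	fmt.Println(len(pkt), len(inner), nh, err, "second delivery:", replay)
}
```

The order inside Decapsulate is the point to look for in any IPSec stack: the window is consulted before the ICV and advanced only after it, so a forged or corrupted packet can neither be accepted nor used to push genuine packets out of the window.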
Key Management
Duties include :
• Negotiating protocols, algorithms and
keys to be used in the communication
• Verifying the identity of the other party
• Managing and Exchanging keys
Continued ..
• The key management protocol is called the Internet Security Association and Key Management Protocol (ISAKMP), used with the Oakley key exchange protocol
• Establishes the symmetric keys shared by sender and receiver; the keys are derived independently on both sides rather than sent over the wire
ISAKMP
• Based on the Diffie-Hellman model of key generation
• Each party sends its Diffie-Hellman public value and combines the other party’s public value with its own private value, so both arrive at the same shared secret
• Security Associations have lifetimes; at set intervals new ones are negotiated with fresh keys and new SPIs
• More secure because no single key protects traffic for long
Continued ..
Methods of Key Exchange:
• Main Mode
• Aggressive Mode
• Quick Mode
Security Association
• Keeps track of all details of keys and algorithms of an IPSec session
• Includes information about
  • AH authentication algorithms
  • ESP encryption algorithms and keys
  • Lifespan of the keys
  • Method of exchange of keys
Main Mode ISAKMP
• First phase of ISAKMP: establishes the ISAKMP Security Association
• Sets up the mechanism for future communications
• Agreement on authentication, algorithms and keys takes place
• Requires three back-and-forth exchanges (six messages)
Continued ..
Three exchanges in Main Mode :
• First, the two parties agree on the algorithms and hashes for the communication
• Second, the parties exchange Diffie-Hellman public values and nonces
• Third, both parties verify the identity of the other party (these messages are already encrypted with the keys just derived)
Aggressive & Quick Mode
• Aggressive Mode gives the same result as Main Mode but takes only three messages (one and a half round trips); the identities travel in the clear and, with pre-shared keys, the responder’s hash can be brute-forced offline
• Quick Mode is the second phase: it runs under the ISAKMP Security Association to create new keying material and the IPSec Security Associations
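The Diffie-Hellman agreement from the ISAKMP slide and the three Main Mode exchanges with pre-shared-key authentication (the SKEYID and HASH_I/HASH_R formulas of RFC 2409 section 5.4), as an added example written for this page; it is not code from the presentation or from any IKE implementation. The peer names hoare.example and codd.example echo the hoare-codd connection in the log below but are constructed, as are the pre-shared keys and the SAi_b string that stands in for the encoded transform; Peer, NewPeer, SetPeerKE and MainMode are this example's own names, HMAC-SHA1 is assumed as the negotiated prf, and the Oakley group 2 prime is typed in and checked rather than taken from a library.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"fmt"
	"math/big"
)

// Oakley group 2 (RFC 2409): the 1024-bit MODP prime, generator 2, typed in here
// and checked by SafePrime. Too small for new deployments (use group 14 or larger).
var oakleyP, _ = new(big.Int).SetString(
	"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"+
		"020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"+
		"4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"+
		"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)

// SafePrime reports whether p and (p-1)/2 are prime, so generator 2 is safe to use.
func SafePrime() bool {
	q := new(big.Int).Rsh(new(big.Int).Sub(oakleyP, big.NewInt(1)), 1)
	return oakleyP.ProbablyPrime(20) && q.ProbablyPrime(20)
}

// prf is the negotiated pseudo-random function: HMAC of the agreed hash, SHA-1.
func prf(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha1.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// Peer is one side's Main Mode state. Only gx, Cookie, Nonce and ID go on the wire.
type Peer struct {
	Cookie, Nonce, ID []byte
	x, gx, gxy        *big.Int
	skeyid            []byte
}

func NewPeer(id string) *Peer {
	buf := make([]byte, 24)
	if _, err := rand.Read(buf); err != nil {
		panic(err) // without entropy there is nothing safe to negotiate with
	}
	x, err := rand.Int(rand.Reader, new(big.Int).Sub(oakleyP, big.NewInt(3)))
	if err != nil {
		panic(err)
	}
	x.Add(x, big.NewInt(2)) // private exponent in [2, p-2], never sent
	return &Peer{Cookie: buf[:8], Nonce: buf[8:], ID: []byte(id),
		x: x, gx: new(big.Int).Exp(big.NewInt(2), x, oakleyP)} // g^x: the KE payload
}

// SetPeerKE takes the other side's public value, rejects the degenerate values
// an attacker could inject, and computes the shared secret g^xy.
func (p *Peer) SetPeerKE(gy *big.Int) error {
	if gy.Cmp(big.NewInt(1)) <= 0 || gy.Cmp(new(big.Int).Sub(oakleyP, big.NewInt(1))) >= 0 {
		return errors.New("invalid KE payload")
	}
	p.gxy = new(big.Int).Exp(gy, p.x, oakleyP)
	return nil
}

func ke(v *big.Int) []byte { return v.FillBytes(make([]byte, 128)) } // fixed-width encoding

// authHash is HASH_I or HASH_R of RFC 2409 section 5.4 (pre-shared keys):
// prf(SKEYID, g^x_self | g^x_peer | CKY_self | CKY_peer | SAi_b | ID_self).
func authHash(skeyid []byte, self, peer *Peer, saI []byte) []byte {
	return prf(skeyid, ke(self.gx), ke(peer.gx), self.Cookie, peer.Cookie, saI, self.ID)
}

// MainMode runs the three exchanges between an initiator and a responder that each
// hold their own copy of the pre-shared key; ok is true only when the copies match.
func MainMode(pskI, pskR []byte) (ini, rsp *Peer, ok bool, err error) {
	ini, rsp = NewPeer("hoare.example"), NewPeer("codd.example")
	// Exchange 1: SA proposal and acceptance (SAi_b stands in for the encoded transform).
	saI := []byte("ENC=3DES-CBC;HASH=SHA1;AUTH=PSK;GROUP=2")
	// Exchange 2: KE and nonce payloads cross; each side computes g^xy and SKEYID.
	if err = ini.SetPeerKE(rsp.gx); err == nil {
		err = rsp.SetPeerKE(ini.gx)
	}
	if err != nil {
		return nil, nil, false, err
	}
	ini.skeyid = prf(pskI, ini.Nonce, rsp.Nonce) // SKEYID = prf(PSK, Ni_b | Nr_b)
	rsp.skeyid = prf(pskR, ini.Nonce, rsp.Nonce)
	// Exchange 3: identities and HASH_I / HASH_R, sent encrypted under a key derived
	// from SKEYID and g^xy. Each side recomputes the other's hash with its own SKEYID.
	hashI, hashR := authHash(ini.skeyid, ini, rsp, saI), authHash(rsp.skeyid, rsp, ini, saI)
	okI := hmac.Equal(hashI, authHash(rsp.skeyid, ini, rsp, saI)) // responder's check
	okR := hmac.Equal(hashR, authHash(ini.skeyid, rsp, ini, saI)) // initiator's check
	return ini, rsp, okI && okR, nil
}

func main() {
	_, _, ok, err := MainMode([]byte("hoare-codd-psk"), []byte("hoare-codd-psk"))
	_, _, bad, _ := MainMode([]byte("hoare-codd-psk"), []byte("typo-psk"))
	fmt.Println("safe prime:", SafePrime(), "matching PSK:", ok, err, "mismatched PSK:", bad)
}
```

Two things the slides leave implicit are visible here: neither private exponent nor the pre-shared key ever crosses the wire (only g^x, the cookies, the nonces and the hashes do), and a peer that presents a public value of 0, 1 or p-1 is refused before any secret is derived, since such values would force g^xy to a known constant.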
Example Exchange
An example Main Mode and Quick Mode negotiation, as logged by FreeS/WAN when the hoare-codd connection is brought up :
[root@Codd root]# ipsec auto --up hoare-codd
104 "hoare-codd" #1: STATE_MAIN_I1: initiate
106 "hoare-codd" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2
108 "hoare-codd" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
004 "hoare-codd" #1: STATE_MAIN_I4: ISAKMP SA established
112 "hoare-codd" #2: STATE_QUICK_I1: initiate
004 "hoare-codd" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
[root@Codd root]#
Disadvantages of IPSec
• Major drawback is the network-layer perspective followed
• Authenticates machines (hosts and gateways), not the people using them
• ESP adds a header, a trailer and padding, which can push packets over the path MTU; the resulting fragmentation reduces throughput
Demo of IPSec
• A demonstration has been arranged using FreeS/WAN, an IPSec implementation for Linux.
• The demo shows the gateway-to-gateway mode of IPSec