Virtual Private Networks (VPNs)
• Source: VPN Technologies: Definitions and Requirements. VPN Consortium, July 2008.
  – A private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.
VPN
• Source: http://tools.ietf.org/html/rfc2828
  – A restricted-use, logical (i.e., artificial or simulated) computer network that is constructed from the system resources of a relatively public, physical (i.e., real) network (such as the Internet), often by using encryption (located at hosts or gateways), and often by tunneling links of the virtual network across the real network.
  – For example, if a corporation has LANs at several different sites, each connected to the Internet by a firewall, the corporation could create a VPN by (a) using encrypted tunnels to connect from firewall to firewall across the Internet and (b) not allowing any other traffic through the firewalls.
  – A VPN is generally less expensive to build and operate than a dedicated real network, because the virtual network shares the cost of system resources with other users of the real network.
T. A. Yang
Network Security
2
Characteristics of VPNs
• End-to-end communications between two end points
  – End points: routers, firewalls, servers, hosts
• Virtual
• Private
• Networks
– Shared ?
Alternative Definition of VPN?
• A VPN is a means of carrying private traffic over a public network.
• Often used to connect two private networks, over a public network, to form a virtual network.
• The word virtual means that, to the users on either end, the two private networks seem to be seamlessly connected to each other. That is, they are part of a single virtual private network (although physically they are two separate networks).
  – Implication? connectivity, security, privacy
• The VPN should provide the same connectivity and privacy you would find on a typical local private network.
Classifications of VPNs
• Based on encryption:
  – Encrypted VPNs
  – Nonencrypted VPNs
• Based on OSI model:
  – Data link layer VPNs
  – Network layer VPNs
  – Application layer VPNs
• Based on business functionality:
  – Intranet VPNs
  – Extranet VPNs
VPNs at different OSI layers
• The layer where the VPN is constructed affects its functionality.
  – Example: In encrypted VPNs, the layer where encryption occurs determines (i) how much traffic gets encrypted and (ii) the level of transparency for the end users.
• Data link layer VPNs (Layer-2)
  – Example protocols: Frame Relay, ATM
  – Drawbacks:
    • Expensive - requires dedicated Layer 2 pathways
    • May not have complete security – mainly segregation of the traffic, based on types of Layer 2 connection
  – Q: Is L2TP a layer 2 VPN?
VPNs at different OSI layers
• Network layer VPNs (Layer-3)
  – Created using layer 3 tunneling and/or encryption
    Q: difference between encapsulation and tunneling? See http://computing-dictionary.thefreedictionary.com/tunneling%20protocol
  – Example: IPsec, GRE, L2TP (tunneling layer 2 traffic by using the IP layer to do that)
  – Advantages:
    • A ‘proper’ layer
      – Low enough: transparency
      – High enough: IP addressing
    • Cisco focuses on this layer for its VPNs.
VPNs at different OSI layers
• Application layer VPNs
  – Created to “work” specifically with certain applications
  – Example:
    SSL-based VPNs (providing encryption between web browsers and servers running SSL)
    SSH (encrypted and secure login sessions to network devices)
  – Drawbacks:
    • May not be seamless (transparency issue)
  – Counter-argument: OpenVPN and SSL VPN Revolution (Hosner, 2004)
    “The myth that Secure Socket Layer (SSL) Virtual Private Network devices (VPNs) are used to connect applications together is not true. … A VPN is a site-to-site tunnel. … There is a terrible misunderstanding in the industry right now that pigeon-holes SSL VPNs into the same category with SSL enabled web servers and proxy servers. … A VPN, or Virtual Private Network, refers to simulating a private network over the public Internet by encrypting communications between the two private end-points. … A VPN device is used to create an encrypted, non-application oriented tunnel between two machines that allows these machines or the networks they service to exchange a wide range of traffic regardless of application or protocol. This exchange is not done on an application by application basis. It is done on the entire link between the two machines or networks and arbitrary traffic may be passed over it. …”
Other Classification of VPNs?
• Intranet VPNs vs Extranet VPNs
• Remote Access VPNs vs Site-to-site VPNs
Types of VPNs
• Trusted
– non-Cryptographic
– Data moves over a set of paths that has specified properties and is controlled by one ISP or a trusted confederation of ISPs.
– Examples: Layer 2 frames over MPLS (Multiprotocol Label Switching)
• Secure
– Cryptographic
– Examples:
  • IPSec with encryption, SSL with encryption, L2TP over IPSec, PPTP over MPPE
• Hybrid
Why Hybrid VPNs?
• Secure VPNs provide security but no assurance of
paths.
• Trusted VPNs provide assurance of properties of paths such as QoS, but no security from snooping or alteration.
• A typical situation for hybrid VPN deployment is when a
company already has a trusted VPN in place and some
parts of the company also need security over part of the
VPN.
Requirements for Secure VPNs
1. All traffic on the secure VPN must be encrypted and
authenticated.
2. The security properties of the VPN must be agreed to by
all parties in the VPN.
  • Secure VPNs have one or more tunnels, and each tunnel has two endpoints. The administrators of the two endpoints of each tunnel must be able to agree on the security properties of the tunnel.
3. No one outside the VPN can affect the security
properties of the VPN.
Requirements for Trusted VPNs
1. No one other than the trusted VPN provider can affect
the creation or modification of a path in the VPN.
2. No one other than the trusted VPN provider can change
data, inject data, or delete data on a path in the VPN.
– Although the paths are typically shared among many customers of a provider, the path itself must be specific to the VPN, and no one other than the trusted provider can affect the data on that path.
3. The routing and addressing used in a trusted VPN must
be established before the VPN is created.
Requirements for Hybrid VPNs
• The address boundaries of the secure VPN within the
trusted VPN must be extremely clear.
– In a hybrid VPN, the secure VPN may be a subset of
the trusted VPN, such as if one department in a
corporation runs its own secure VPN over the
corporate trusted VPN.
– For any given pair of addresses in a hybrid VPN, the VPN administrator must be able to definitively say whether or not traffic between those two addresses is part of the secure VPN.
VPN Deployments
• Internet VPNs
• Intranet VPNs
• Extranet VPNs
VPN Technologies
• Trusted
– MPLS with constrained distribution of routing information through
BGP ("layer 3 VPNs")
– Transport of layer 2 frames over MPLS ("layer 2 VPNs")
– Generic Routing Encapsulation (GRE)
• Secure
– IPSec with encryption
– SSL with encryption (esp. secure remote access)
– L2TP over IPSec
• Hybrid
– A secure VPN technology running over a trusted VPN
technology
Generic Routing Encapsulation (GRE)
• Provides low overhead tunneling (often between two private networks)
• Does not provide encryption
• Used to encapsulate an arbitrary layer protocol over another arbitrary layer protocol: delivery header + GRE header + payload packet
• Mostly IPv4 is the delivery mechanism for GRE with any arbitrary protocol nested inside; e.g., IP protocol type 47: GRE packets using IPv4 headers
• RFCs:
  • RFC1701 Generic Routing Encapsulation (GRE). S. Hanks, T. Li, D. Farinacci, P. Traina, October 1994 (INFORMATIONAL)
  • RFC2784 Generic Routing Encapsulation (GRE). D. Farinacci, T. Li, S. Hanks, D. Meyer, P. Traina, March 2000 (PROPOSED STANDARD)
  • RFC2890 Key and Sequence Number Extensions to GRE. G. Dommety, September 2000 (PROPOSED STANDARD)
Generic Routing Encapsulation
• GRE Header (based on RFC1701, deprecated): Figure 11-2
• GRE Header (based on RFC 2784 & 2890): Figure 11-4
  • C = 1, checksum present
  • Checksum: to ensure the integrity of the GRE header and the payload packet; contains a checksum of the GRE header and the payload packet
  • Key:
    – contains a number to prevent misconfiguration of packets;
    – may be used to identify individual traffic flow within a tunnel
    – Not the same as a cryptographic key
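An added worked example, not from the slides or the RFCs' own code: a Python builder and parser for the RFC 2784/2890 GRE header (the Figure 11-4 layout) with the C, K and S bits, the one's complement checksum over header plus payload, and the Key field. It makes the slide's two caveats concrete: the checksum catches transmission errors only, since it carries no secret and anyone on the path can recompute it after altering the payload, and the Key is a flow identifier, not a cryptographic key. The Ethertype labels and the sample payload are constructed for this example.

```python
import struct

FLAG_C, FLAG_K, FLAG_S = 0x80, 0x20, 0x10  # C (RFC 2784); K and S (RFC 2890)
ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x8137: "IPX"}  # Protocol Type labels


def internet_checksum(data: bytes) -> int:
    """One's complement sum of 16-bit words, the IP checksum that GRE reuses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_gre(proto: int, payload: bytes, key=None, seq=None) -> bytes:
    """Return GRE header + payload (checksum always present, no delivery header)."""
    flags = FLAG_C | (FLAG_K * (key is not None)) | (FLAG_S * (seq is not None))
    hdr = struct.pack("!BBH", flags, 0, proto) + b"\x00" * 4  # Ver=0, Checksum, Reserved1
    if key is not None:
        hdr += struct.pack("!I", key)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    pkt = hdr + payload
    # Checksum covers the GRE header and payload, computed with the field itself zero.
    return pkt[:4] + struct.pack("!H", internet_checksum(pkt)) + pkt[6:]


def parse_gre(pkt: bytes) -> dict:
    """Parse a GRE packet; raise ValueError on truncation or a non-zero version."""
    if len(pkt) < 4:
        raise ValueError("truncated GRE header")
    flags, ver, proto = struct.unpack("!BBH", pkt[:4])
    if ver & 0x07:
        raise ValueError("unsupported GRE version %d" % (ver & 0x07))
    # Optional fields follow in fixed order: Checksum + Reserved1, Key, Sequence Number.
    need = 4 + sum(4 for bit in (FLAG_C, FLAG_K, FLAG_S) if flags & bit)
    if len(pkt) < need:
        raise ValueError("flags announce %d header bytes, packet has %d" % (need, len(pkt)))
    out = {"protocol": ETHERTYPES.get(proto, hex(proto)), "key": None, "seq": None}
    off = 4
    if flags & FLAG_C:  # valid iff the sum including the stored checksum folds to zero
        out["checksum_ok"] = internet_checksum(pkt) == 0
        off += 4
    if flags & FLAG_K:  # identifies a flow or tunnel; not a cryptographic key
        out["key"] = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if flags & FLAG_S:
        out["seq"] = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    out["payload"] = pkt[off:]
    return out
```

Flipping one payload byte makes checksum_ok false, but rebuilding the packet with build_gre restores a valid checksum, which is why only IPsec (or another cryptographic layer) can give a GRE tunnel real integrity.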
Generic Routing Encapsulation
• Summary:
  - GRE mainly performs ‘tunneling’.
  - Does not provide a means to securely encrypt its payload
  - Often relies on the application layer to provide encryption
  - May be used together with a network layer encryption (such as IPsec)
    Example 1: use GRE to encapsulate non-IP traffic and then encrypt the GRE packet using IPsec
    Example 2: use GRE to encapsulate multicast traffic, and then encrypt the GRE packet using IPsec
  Question: Why not simply use IPsec?
Generic Routing Encapsulation
• Case Studies:
  - A GRE tunnel connecting two private networks: Figure 11-5
  - GRE between multiple sites: Figure 11-6
  - GRE between two sites running IPX