Wireless VPN - Computer Science and Engineering


Wireless VPN
HemaKumar Rangineni
Zafer Banaganapalle
Contents
• Introduction
• VPN Types
• Elements of VPN
• Advantages
• Tunneling Protocols
• Architecture
• Wireless VPN
• IPSec VPN
• SSL VPN
• Comparison
• Conclusions
• References
• Questions
• Thank you
Introduction
• A virtual private network (VPN) is a private network running over a shared public infrastructure like the Internet.
• Used to
  – interconnect various geographically separated sites,
  – connect remote users back to a home network,
  – allow controlled access between different corporate networks.
• Constructed from protocols and technologies that run over a shared network.

Introduction (continued)
[Figure: a virtual private network running over a shared public infrastructure like the Internet. Image source: 3Com]
Introduction (continued)
• Technologies include
  – A tunneling protocol, such as
    • IPsec,
    • Point-to-Point Tunneling Protocol (PPTP),
    • Layer 2 Tunneling Protocol (L2TP), or
    • Multi-Protocol Label Switching (MPLS)
  – An authentication mechanism, provided by PKI, RADIUS, or smartcards
  – An access control mechanism, provided by directory servers and ACLs
  – Data security technologies, such as encryption
  – Data provisioning techniques, such as quality of service (QoS) and traffic engineering
VPN Types
• Remote-access
  – connects a single remote network device to the intranet
• Site-to-site
  – connects multiple fixed sites over a public network
  – two variants: intranet-based and extranet-based
Elements of VPN
• VPN Client
• VPN Server
• VPN Connection
• Tunnel
• Transit Public Network
Advantages
• Using special tunneling protocols and complex encryption procedures,
  – data integrity and privacy are achieved, and
  – the connection seems like a dedicated point-to-point connection.
• And, because these operations occur over a public network,
  – VPNs can cost significantly less to implement than privately owned or leased services.
Tunneling Protocols
• Provide a way to overlay a virtual network over a physical one
  – by building tunnels, or special connections,
  – between various points in the physical network.
• Three types of VPN protocols are used for tunnelling:
  – PPTP (Point-to-Point Tunnelling Protocol)
  – L2TP (Layer 2 Tunnelling Protocol)
  – IPSec (Internet Protocol Security)
PPTP
PPTP data packet layout:
[ Media Header ][ IP Header ][ GRE Header ][ PPP Header ][ PPP Payload ]
• PPTP tunnelling uses two packet types
  – Control packets
    • Strictly for status enquiry and signalling information
    • Use TCP (connection-oriented)
  – Data packets
    • Use PPP with GREv2
    • GRE gives PPTP the flexibility of handling protocols other than IP, such as NetBEUI and IPX.
L2TP
L2TP packet layout:
[ IP Header ][ UDP Header ][ L2TP Header ][ PPP ][ IP Header ][ User Data ]
• Like PPTP, L2TP is strictly a tunnelling protocol.
• L2TP is a standards-based combination of two proprietary Layer 2 tunnel protocols:
  – Cisco's Layer 2 Forwarding (L2F)
  – PPTP
• L2TP combines the control and data channels.
  – L2TP runs over UDP
  – Faster and leaner
  – L2TP is more "firewall friendly" than PPTP since you do not have to support GRE.
IPSec
Where the VPN protocols sit in the protocol stack:
  Transport layer : Transport protocols (TCP, UDP)
  Network layer   : Routing through the network (IP)  -> IPSec
  Link layer      : Link protocols                    -> L2TP / PPTP
  Physical layer  : Physical infrastructure
• Open, standards-based, network layer security protocol.
• Aimed at protecting IP datagrams.
• Robust mechanisms for authentication and encryption.
• Can protect the whole datagram (Tunnel mode) or just the upper-layer protocol (Transport mode).
Network-Level Architecture
[Figure: network-level architecture of a VPN]
Wireless VPN
[Figure: simplified diagram of a VPN WLAN]
IPSec
• What is IPSec?
  – IPSec is a set of open standards and protocols
  – for creating and maintaining secure communications over IP networks.
• IPSec VPNs use these standards and protocols
  – to ensure the privacy and integrity of data transmission and
  – communications across public networks like the Internet.
IPSec security services
Standards for a range of services that address security risks:
• Confidentiality
  – Encryption protects the privacy of communications even if they are intercepted.
• Access control
  – Access to IPSec VPN private communications is restricted to authorized users.
• Authentication
  – Authentication verifies the source of received data (data origin authentication), and confirms that the original IP packet was not modified in transit (connectionless data integrity).
• Rejection of replayed packets
  – An anti-replay service counters a replay attack based on an attacker's intercepting a series of packets and then replaying them.
• Limited traffic flow confidentiality
  – Inner IP headers can be encrypted to conceal the identities of the traffic source and destination (beyond the security gateways).
IPSec
How IPSec works
• Before two devices can establish an IPSec VPN tunnel, they must agree on the security parameters: the security association (SA).
• The SA specifies the authentication and encryption algorithms and the encryption keys.
• The Internet Key Exchange (IKE) protocol negotiates the SA and is therefore needed for secure communication through an IPSec VPN.
• In the negotiation process,
  – one IPSec endpoint acts as an initiator and the other as a responder.
  – The initiator offers the set of authentication, encryption and other parameters that it is ready to use with the other endpoint.
  – The responder tries to match this list against its own list of supported techniques. If there is any overlap, it responds with the common subset.
  – The initiator chooses one combination of techniques from the responder's subset and they proceed with the negotiated setting.
• IKE negotiation has two phases:
  – Phase 1 allows two security gateways to authenticate each other and establish communication parameters.
  – At the end of Phase 1, a Phase 1 Security Association (IKE SA) is established.
  – Phase 2 allows two security gateways to agree on IPSec communications parameters.
  – At the end of Phase 2, an IPSec SA is established.
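The offer / common-subset / choose exchange described above, as an added illustration that is not part of the original slides and not any IKE implementation's code. The proposal fields, the policy lists and the responder names are constructed for the demo; IKE's actual wire encoding is not modelled.

```python
# Added illustration of the IKE negotiation pattern: the initiator offers proposals in
# preference order, the responder returns the common subset, the initiator picks one.
# The same exchange shape is used for Phase 1 (IKE SA) and Phase 2 (IPSec SA).
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "AES-256", "3DES"
    integrity: str    # e.g. "HMAC-SHA256"
    dh_group: int     # Diffie-Hellman group number
    auth: str         # peer authentication method, e.g. "PSK", "RSA-SIG"


def responder_match(offered, supported):
    """Responder side: keep only proposals it supports, in the initiator's order."""
    supported_set = set(supported)
    return [p for p in offered if p in supported_set]


def negotiate(initiator_offer, responder_policy):
    """One IKE-style exchange. Returns the chosen Proposal, or None when no overlap exists."""
    common = responder_match(initiator_offer, responder_policy)
    if not common:
        return None          # no common subset: the SA cannot be established
    return common[0]         # initiator takes its most-preferred proposal from the subset


# Constructed policies. Note the initiator still lists 3DES/group 2 as a fallback:
# a peer that supports only that fallback will pull the tunnel down to it.
INITIATOR_OFFER = [
    Proposal("AES-256", "HMAC-SHA256", 14, "RSA-SIG"),
    Proposal("AES-128", "HMAC-SHA256", 14, "PSK"),
    Proposal("3DES", "HMAC-SHA1", 2, "PSK"),
]
STRICT_RESPONDER = [          # constructed: AES-only policy, group 14
    Proposal("AES-128", "HMAC-SHA256", 14, "PSK"),
    Proposal("AES-256", "HMAC-SHA256", 14, "RSA-SIG"),
]
LEGACY_RESPONDER = [Proposal("3DES", "HMAC-SHA1", 2, "PSK")]            # constructed
INCOMPATIBLE_RESPONDER = [Proposal("AES-256", "HMAC-SHA512", 19, "RSA-SIG")]  # constructed

if __name__ == "__main__":
    for name, policy in [("strict", STRICT_RESPONDER),
                         ("legacy", LEGACY_RESPONDER),
                         ("incompatible", INCOMPATIBLE_RESPONDER)]:
        print(name, "->", negotiate(INITIATOR_OFFER, policy))
```

The legacy case is the one to watch for when auditing a gateway's policy: whatever weak fallback the initiator lists can be the proposal that ends up protecting the tunnel, so remove obsolete entries from the offer rather than relying on the peer to reject them.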
IPSec
How IPSec works (continued)
• IPSec uses two protocols to establish security services:
  – Authentication Header (AH)
    • Provides connectionless data integrity and data origin authentication.
    • Includes a cryptographic checksum over the entire packet.
    • The receiver uses this checksum to verify that the packet has not been tampered with.
  – Encapsulating Security Payload (ESP)
    • Provides confidentiality for IP traffic through encryption.
    • Current standard IPSec encryption algorithms include the Triple Data Encryption Standard (3DES) and the Advanced Encryption Standard (AES).
    • Also provides authentication and anti-replay capabilities.
    • Unlike AH, the authentication services of ESP do not protect the IP header of the packet.
    • Most IPSec VPN implementations today use ESP.
• AH and ESP may be used separately or together; their use depends on the IPSec mode:
  – Transport mode or Tunnel mode.
  – Client-to-LAN connections typically use Transport mode, while LAN-to-LAN connections typically use Tunnel mode.
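The coverage difference stated above (AH's checksum covers the IP header, ESP's authentication does not), as an added model that is not part of the original slides and not an IPSec implementation. The packet dictionary, the key and the HMAC-based ICV are constructed for the demo; the real AH and ESP header formats are not reproduced.

```python
# Added model of integrity coverage: AH authenticates the IP header's immutable fields
# plus the payload; ESP (authentication only shown here) covers the ESP header and
# payload and leaves the outer IP header unprotected. Simplified, not RFC wire format.
import hashlib
import hmac

KEY = b"constructed-demo-integrity-key"   # shared SA integrity key (constructed)


def icv(data: bytes) -> bytes:
    """Integrity Check Value: HMAC-SHA256 over the covered bytes, truncated to 96 bits."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]


def ip_header_bytes(pkt: dict) -> bytes:
    # Only immutable header fields are covered; mutable ones such as TTL are left out.
    return f"{pkt['src']}>{pkt['dst']}".encode()


def ah_protect(pkt: dict) -> dict:
    """AH: ICV over the IP header's immutable fields and the whole payload."""
    return {**pkt, "ah_icv": icv(ip_header_bytes(pkt) + pkt["payload"])}


def ah_verify(pkt: dict) -> bool:
    return hmac.compare_digest(icv(ip_header_bytes(pkt) + pkt["payload"]), pkt["ah_icv"])


def esp_protect(pkt: dict, seq: int = 1) -> dict:
    """ESP: ICV over the ESP header (sequence number) and payload; the IP header is excluded."""
    esp_hdr = seq.to_bytes(4, "big")
    return {**pkt, "esp_seq": seq, "esp_icv": icv(esp_hdr + pkt["payload"])}


def esp_verify(pkt: dict) -> bool:
    esp_hdr = pkt["esp_seq"].to_bytes(4, "big")
    return hmac.compare_digest(icv(esp_hdr + pkt["payload"]), pkt["esp_icv"])


ORIGINAL = {"src": "10.0.0.1", "dst": "10.0.0.2", "payload": b"constructed user data"}


def header_tamper_detected(protect, verify) -> bool:
    """Does the scheme notice the outer destination address changing in transit?"""
    forwarded = {**protect(ORIGINAL), "dst": "10.0.0.9"}   # header rewritten on the path
    return not verify(forwarded)


def payload_tamper_detected(protect, verify) -> bool:
    """Both schemes must catch a modified payload."""
    forwarded = {**protect(ORIGINAL), "payload": b"constructed user datA"}
    return not verify(forwarded)
```

The same property is why AH does not survive NAT: the translator rewrites exactly the address fields AH authenticates, whereas ESP's unprotected outer header can be rewritten without invalidating the ICV.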
Benefits of IPSec VPN technology
• Tremendous savings over the cost of a private WAN connection, leased lines, or long distance phone charges.
• IPSec VPNs can also increase an organization's productivity.
• An organization can grant restricted network access
  – to business partners, customers, or vendors,
  – dramatically increasing the efficiency and speed of business-to-business communications.
• Home-office workers, telecommuters, and in-the-field sales and service workers can access the corporate network resources securely and economically with IPSec VPN remote access through the public Internet.
• Global, economical access to an organization's network extends the organization's reach to markets formerly too remote or small to target or service profitably.
IPSec VPN Challenges
• Implementations' compliance with standards to ensure
correctness and interoperability.
• Performance and scalability must be constantly
upgraded and verified to satisfy the growing needs of
the IPSec VPN industry.
• The IETF is in the process of updating some of the
protocols used with IPSec VPNs (for instance, a newer
version of IKE - called IKEv2).
• These present new and ongoing challenges to the IPSec
community.
SSL VPN
What is an SSL VPN?
• SSL is a commonly used protocol for managing the security of a message transmission on the Internet.
• SSL works by using a public key to encrypt data that is transferred over the SSL connection.
  – SSL is a higher-layer security protocol, sitting closer to the application.
  – This closeness to the application provides the granular access control that remote access and extranet VPNs require.
  – An SSL VPN uses SSL and proxies to provide authorized and secure access for end-users to HTTP, client/server, and file sharing resources.
  – Adding proxy technology to SSL offers companies greater security, because it prevents users from making a direct connection into a secured network.
  – SSL VPNs deliver user-level authentication, ensuring that only authorized users have access to the specific resources allowed by the company's security policy.
Benefits of SSL VPN
• Clientless access
  – Without the burden of configuring, managing, and supporting complex IPSec clients for each user,
  – SSL VPNs are easier and less expensive to support, and
  – they are faster to deploy than IPSec VPNs.
  – SSL VPNs use any Web browser as the client, providing clientless access that increases the number of points from which employees, partners, and customers can access network data.
  – Users can access Web applications, client/server applications, and enterprise file shares.
  – Without a traditional IPSec client, users gain true freedom and anywhere access to the resources they need.
  – Clientless access also simplifies configuration and management for IT administrators, which means fewer support calls.
• Anywhere access
  – SSL VPNs enable users to access more applications from a broad range of devices and environments.
  – And SSL VPNs work over broadband networks, too.
  – SSL VPNs can seamlessly traverse network address translation (NAT), firewalls, and proxy servers.
Benefits of SSL VPN (continued)
• Increased security
  – End-user access to any given resource is restricted unless authorized, a vastly different approach from that of IPSec VPNs.
  – This technology provides a secure, proxied connection that reduces risk
    • because users never have a direct network connection to the resources they are authorized to access.
  – Proxies hide the internal domain name system (DNS) namespace, providing an extra level of protection for your network.
  – SSL VPNs detect personal firewalls and applications and perform other client-integrity checks.
  – SSL VPNs ensure that only authenticated users can gain access by checking privileges against an LDAP-enabled database, a RADIUS server, an NT domain, a UNIX user name/password database, RSA SecurID ACE servers, and others.
  – SSL VPNs provide a high degree of granular access,
  – with the ability to enforce policy based upon the level of trust.
Drawbacks of SSL VPN
• Some are concerned that SSL VPN is not as secure as an IPSec VPN, the most common security protocol for dial-up and broadband remote access.
• IPSec software is installed on employee computers and it creates a full network connection.
• With regard to security, if you drill down to the details of IPSec and SSL VPN, they are much the same, just implemented differently. The technology in SSL VPN is just as secure as IPSec VPN. However, because of the way it is deployed, SSL VPN can be less secure.
• By providing users access from any location over any device, corporations are taking the risk that the computers or devices utilised may have security weaknesses that the IT department is unaware of. With SSL VPN, you have two unknowns: the user and the device.
• However, with strong two-factor authentication, these security problems can be mitigated.
Comparison
Best of IPSec VPN and SSL VPN
• In spite of the drawbacks of each, both technologies have their purpose.
• IPSec can be used to secure network connections, while SSL is focused on application layer traffic.
• IPSec is well suited for business needs that require broad and persistent, site-to-site, network layer connections.
• SSL, on the other hand, is well suited for applications where the system needs to connect individuals to applications and resources.
Conclusion
• With IPSec VPN technology,
  – the public Internet can serve as the backbone of an organization's communications infrastructure,
  – enabling the organization to realize significant savings and productivity gains.
• This succeeds only if the impact of IPSec on network performance is managed.
• IPSec affects network throughput and adds latencies that can disrupt networked applications.
• IPSec implementations must also conform to standards, to ensure that IPSec network elements and applications interoperate.
Questions
• Why is SSL VPN preferable for mobile devices?
• What are the scalability issues for IPSec VPN?
• What makes the use of VPN essential in wireless networks?
Thank you