Virtual Private Network (VPN)
Download
Report
Transcript Virtual Private Network (VPN)
VPN – Technologies and Solutions
CS158B Network Management
April 11, 2005
Alvin Tsang
Eyob Solomon
Wayne Tsui
Virtual Private Network
(VPN)
a private network constructed within a public network
infrastructure, such as the global Internet
two categories of VPNs
A remote access VPN enables remotely located employees
to communicate with a central location.
Site-to-site VPN interconnects two private networks via a
public network such as the Internet
Protocols used by VPN
Point-to-Point-Tunneling Protocol (PPTP)
simple VPN technology based on point-to-point protocol
supports multiple encapsulation, authentication, and encryption.
Layer 2 Tunneling Protocol (L2TP)
combination of PPTP and Layer 2 Forwarding (L2F)
Two types of L2TP
L2TP Access Concentrator (LAC)
L2TP Network Server (LNS)
Internet Protocol Security (IPSec)
framework for protecting the confidentiality and integrity of data in
transit
A common use of IPSec is the construction of a VPN
IPSec Protocols
IPSec defines new set of headers to be added to IP
datagrams
ESP - Confidentiality, data integrity, and data source
authentication. (frc2406)
IP Header
ESP Header
Protected
Data
ESP Trailer
AH - Data integrity, source authentication (frc2402)
IP Header
AH Header
Protected Data
IPSec Modes
Transport Mode
Protect upper-layer protocol, endpints exposed
IPSec header insert between IP header and upper layer protocol
header
Tunnel Mode
Entire IP Packet is protected, become payload of new packet
IPSec header is inserted between the outer and inner IP header.
Used by gateway for VPN, perform encryption on behalf of host
IPSec SA
Relationship between entities on how to communicate securely.
Unidirectional, two for each pair, one from A to B, and B to A
Identified by a SPI, destination addr, security protocol identifier
IPSec Phases
SPD
IKE
Security Policy Database maintains IPSec Policy
Each entry defines the traffic to be protected, how to protect
Three actions on traffic match: discard, bypass and protect
IP traffic mapped to IPSec policy by selector
Establish security parameters, authentication (SAs) between IPSec peers
IKE SAs defines the way in which two peers communicate, which algorithm to use to encrypt
IKE traffic, how to authenticate the remote peers.
SPD instruct IKE what to establish, IKE establish IPSec SAs based on its own policy settings
Phase 1 communication
Identify the peers.
Create IKE SAs by authentication and key exchange
One side offers a set of algorithm, other side accept or reject. Derive key material to use for
IPSec with AH, ESP or both
Phase 2 communication
IPSec SAs negotiations are under protection of IKE SAs created in phase 1
IPSec shared key derived by using Diffie-Hellman or refresh shared secret.
VPN Solutions
Access VPN
offers remote access to a company’s Intranet or Extranet. Example:
employees who are on business trip or in home office
Intranet VPN
offers the Intranet connection. Example: Branch offices
Extranet VPN
offers the Extranet connection. Example: Business partners,
customers
VPN Solutions – Benefits
Access VPN
Economical: Internet access Vs. long distance dialup
Secure
Intranet VPN
Economical: ISP Vs. dedicated connection
Flexible: topological design, new office
Reliable: Redundant ISP
Secure
Extranet VPN
Same as Intranet VPN
Management, Authentication and authorization
VPN Example
VPN Example - Extranet VPN
Conclusion
Cheaper and Secure, Go for it!
Q&A
Any questions?