Transcript Lecture 7

CS682 – Network Management and Security
Session 7
Virtual Private Networking

If we have a network in NY and a network in SF, we want them to be able to communicate with each other.

Solutions:

- Land based telco lines (T1, T3, etc)
- Satellite based communications
- Virtual Private Network

Cost of operation

- A T1 line from coast to coast can cost over $3000/month.
- A satellite link from coast to coast has very high startup costs and significant monthly costs.
- A VPN costs only as much as your Internet connection.

Virtual Private Network

- A VPN is defined as a system in which two networks are connected through a third, untrusted, network.
- The two networks are usually a main office and a satellite office, and the third network is usually the Internet.

Security for VPNs

1. We will be sending data over an untrusted network, so it should be encrypted.
2. We will have to allow connections to our encrypting host, which presents the usual security issues.
3. Can the other side of the VPN be trusted???

1. The Untrusted Network

- Your ISP may employ someone who has an interest in capturing your data as it traverses the Internet. If your data is unencrypted you may be sending your company secrets to your competitors.
- Encryption must be employed to protect your data.

VPN encryption schemes

- Usually use multiple schemes for Encryption, Authentication, and key management:
  - Encryption: DES, or 3DES, IPSec, Blowfish, etc
  - Message Authentication: MD5, SHA-1
  - Key management (if necessary): IKE, SKIP

If not using Public key/Private Key

- Again we get the issue of how to agree on a key.
- Usually the two Security Administrators meet 2-3 times/year and agree on a new (impossible to guess) key.

2. Open Connections

- Depending on which host is doing our encryption/routing for the VPN, we will have to leave application ports open through the firewall.
- Frequently there are one or more ports for control connections and then data is streamed over IP protocol 47 (GRE). This leaves open not a port but an entire protocol!

Which host???

- Today routing/VPN is done in either of two places, a server or the router.
  - If the server is to do the routing/encryption/encapsulation, it shouldn’t be doing anything else!
  - If the router is doing the job, it should be a high performance router!
- In either case we can usually assist the task by purchasing specialized hardware to do the encryption calculations.

3. Can the other side be trusted?

- The DoD was hacked a few years ago, not directly, but through their VPN.
- One of their associated agencies was negligent in their task of protecting their Internet connection.
- A hacker intruded into the agency and used their VPN to attack the DoD.

Problems with VPNs

- Additional Firewalls
- Current firewalls to protect the VPN
- Limitations of the VPN
- Larger packets (additional header)

Benefits of VPN

- Two RFC-1918 (non-routable Internet) addresses can communicate over the Internet.
- Since the data is in a “Tunnel”, the IP header that is used for routing needs to have a valid IP.
- Much less expensive than a dedicated line.

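
The tunnelling described on this slide and on the Open Connections slide, as an added example that is not part of the lecture: it builds a GRE (IP protocol 47) packet the way a VPN gateway would, an outer IP header with routable addresses wrapped around an inner header carrying RFC-1918 addresses, then decapsulates it and measures the extra header bytes behind the "larger packets" point. The host and gateway addresses are constructed sample values (RFC 5737 documentation addresses stand in for the public endpoints), and encryption is left out so the headers stay visible.

```python
import ipaddress
import struct

IPPROTO_GRE = 47          # the IP protocol number VPN data is streamed over
GRE_PROTO_IPV4 = 0x0800   # GRE protocol-type value meaning "IPv4 inside"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample addresses (not from the lecture): RFC-1918 hosts on the NY and SF LANs,
# and RFC 5737 documentation addresses standing in for the two public VPN gateways.
NY_HOST, SF_HOST = "10.1.0.25", "10.2.0.80"
NY_GATEWAY, SF_GATEWAY = "198.51.100.1", "203.0.113.1"

def is_rfc1918(addr):
    return any(ipaddress.IPv4Address(addr) in net for net in RFC1918)

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero as nothing goes on the wire."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def parse_ipv4(pkt):
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return proto, str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), pkt[ihl:]

def gre_encapsulate(inner_src, inner_dst, payload, outer_src, outer_dst):
    """What the NY gateway emits: outer IP (public) + GRE + inner IP (private) + data."""
    inner = ipv4_header(inner_src, inner_dst, 6, len(payload)) + payload  # 6 = TCP (assumed)
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)                           # no checksum/key/seq
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner

def inspect_tunnel(pkt):
    """Decapsulate as the SF gateway would and report what each header carries."""
    proto, o_src, o_dst, rest = parse_ipv4(pkt)
    if proto != IPPROTO_GRE:
        raise ValueError("outer protocol %d is not GRE" % proto)
    _, ptype = struct.unpack("!HH", rest[:4])
    if ptype != GRE_PROTO_IPV4:
        raise ValueError("GRE payload type 0x%04x is not IPv4" % ptype)
    _, i_src, i_dst, data = parse_ipv4(rest[4:])
    return {
        "outer": (o_src, o_dst), "inner": (i_src, i_dst), "data": data,
        "outer_is_rfc1918": is_rfc1918(o_src) or is_rfc1918(o_dst),  # must be False to route
        "inner_is_rfc1918": is_rfc1918(i_src) and is_rfc1918(i_dst),
        "tunnel_overhead": len(pkt) - len(rest[4:]),                  # outer IP (20) + GRE (4)
    }

if __name__ == "__main__":
    pkt = gre_encapsulate(NY_HOST, SF_HOST, b"payroll data", NY_GATEWAY, SF_GATEWAY)
    print(inspect_tunnel(pkt))  # outer public, inner private, 24 bytes of tunnel overhead
```

A firewall in front of the gateway sees only the outer header and protocol 47, which is why the lecture says an entire protocol, not a port, is left open.
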
Other uses for VPNs

- Telecommuting workers
- Associations with other companies
- Offsite Backups

Telecommuting Workers

- Anyone working offsite should have the same availability to the network as someone working on our network.
- All Windows operating systems in use today have support for Point to Point Tunneling Protocol (PPTP).
- A Microsoft PPTP server can be set up to allow employees to call in and work as if they were at their desks.

Problems with Telecommuting Workers

- Most Employees are not “tech-savvy” enough to be able to configure a VPN connection.
- If there are any problems with the VPN, will a technician be able to come to their house?
- A better option would be a solution such as Terminal Server.