Transcript VPN
Virtual Private Networking
Irfan Khan
Myo Thein
Nick Merante
VPN + IPSec
• VPN: Virtual Private Network
– Enable two remote networks to appear as one
network via the internet.
• IPSec: Internet Protocol Security
Extensions
– Enable machines to securely communicate over
an insecure medium
What We Will Cover
•
•
•
•
•
The need for security
Benefits of a VPN/IPSec combination
The necessary tools
How to set everything up
How to verify everything is working
The Need for Security
•
•
•
•
•
Internet not like it used to be
The hunt for bugs
Automated tools do most of the dirty work
Systems targets regardless of content value
Business need for securing client/customer
data in global network
Why Use VPN
•
•
•
•
Confidentiality
Integrity
Authenticity
Replay Protection
Who can benefit
• Peer to peer security – encryption of traffic
between people.
– PGP Desktop Security www.pgpi.org
• Corporate security – encryption of traffic
between offices.
Benefits to personal users
• Create a secure path between two machines
• Enhance the level of trust with
authentication
Benefits for corporate users
• Can do away with leased lines connecting
offices without sacrificing privacy.
• Can then make use of the internet:
– More reliable
– More portable
– More cost-effective
A method of security
• Implementing a Virtual Private Network
(VPN)
• Using IPSec to encrypt all traffic
• Authenticating data sent
What is IPSec
IPSec = AH + ESP + IKE
Different Modes
AH vs ESP
• AH: Authentication Header
– Attaches checksum to packets
– Ensures packet not modified in transit
• ESP: Encapsulating Security Payload
– Encrypts data
– Ensures authentication
Different Modes
Tunnel vs Transport
• Tunnel Mode
– Encapsulate packet into new IPv4/v6 header
– Used for VPN Gateways
• Transport Mode
– Encrypts normal traffic between peers
Tunnel vs Transport
Transport Mode
Host 1
Host 2
Tunnel Mode
Host 1
Gateway 1
Gateway 2
Host 2
Necessary Tools
• Two unix machines with properly
configured kernels to serve as gateways
• Racoon for key exchange
• Internet connection
Preparing the machine
•Modify the kernel
bpf
IPFIREWALL
IPDIVERT
IPSEC
IPSEC_ESP
IPSEC_DEBUG
# Berkeley packet filter
# Enable Firewall
# Divert IP sockets (Used for NAT)
# IP security
# IP security (crypto; define w/ IPSEC)
# debug for IP sec
•Install Racoon
– Obtain source code or install from ports collection
Creating the tunnel
•
•
•
•
Set up tunnel between 2 private networks
gif – Generic tunnel interface
Diagram A
Tunnel Script (Step 3)
Diagram A
VPN Tunnel
vpn-gw2
gif0: 192.168.5.1
van-gw1
gif0: 192.168.6.1
Gateway 192.52.220.22
A
Internet
192.52.220.152
Gateway
B
Node
A
Node
B
Node
C
Node
A
Node
B
Node
C
192.168.6.100
192.168.6.101
192.168.6.102
192.168.5.100
192.168.5.101
192.168.5.102
Adding the Encryption
• Creating the policies
• Manual keying
• Automatic keying (racoon)
– Racoon configuration
• Different algorithms
– des, 3des, blowfish, etc.
• Step 4 / Figure A
Figure A
# Ident: ipsec.conf
# Usage: setkey –f ipsec.conf
flush;
spdflush;
# Flush the Security Association Database
# Flush the Security Policy Database
#add 192.52.220.22 192.52.220.152 esp 9111 -E blowfish-cbc "12345";
#add 192.52.220.152 192.52.220.22 esp 9112 -E blowfish-cbc "12345";
spdadd 192.168.6.0/24 192.168.5.0/24 any -P out ipsec
esp/tunnel/192.52.220.22-192.52.220.152/require;
spdadd 192.168.5.0/24 192.168.6.0/24 any -P in ipsec
esp/tunnel/192.52.220.152-192.52.220.22/default;
Changes to the Packet
IP v4:
Before applying ESP
Orig IP hdr
TCP
Data
After applying ESP
ESP
Orig IP hdr Header TCP
Data
encrypted
authenticated
ESP: Encapsulating Security Payload
ESP
Trailer
ESP
Auth
Manual vs Automatic Keying
• Benefits of manual keying
– Simplicity
– Less overhead
• Benefits of automatic keying
– Much more secure
– Encryption keys periodically changed based on
time or amount transferred.
Encryption Algorithms
• Data Encryption Standard (DES)
– 64 bits
• Triple DES
– 192 bits
• Blowfish
– 40 to 448 bits
• Rijndael (AES)
– 128/192/256 bits
Verification
• An analysis before and after
– Key Policies (Figure B)
– Dump Security Association Database with
setkey –D (Figure C)
– TCP Dump of Headers (Figure D)
– TCP Dump of Data (Figure E)
Diagram A
VPN Tunnel
vpn-gw2
gif0: 192.168.5.1
van-gw1
gif0: 192.168.6.1
Gateway 192.52.220.22
A
Internet
192.52.220.152
Gateway
B
Node
A
Node
B
Node
C
Node
A
Node
B
Node
C
192.168.6.100
192.168.6.101
192.168.6.102
192.168.5.100
192.168.5.101
192.168.5.102
Conclusion
Different tools for different jobs
• PGP for encrypting data
• SSL for encrypting sockets
• SSH for encrypting logons
• IPSec for encrypting all traffic
Another tool for the administrator’s toolbox