SSA L5 VPN
Transcript: SSA L5 VPN
Virtual Private Network
2-Apr-16
Why the need
To transmit files securely without disclosing
sensitive information to others on the Internet
Each LAN an island
How to communicate with other islands?
LANs in an Internet sea
Communication across the Internet
Using a leased line
Using a VPN
Secure communication at different levels
Using the TCP/IP model
Application: PGP, SSH
Transport level: SSL VPN
Network level: IPSec
Datalink level: PPTP, L2TP
Protection at a lower layer is usually more
flexible and simpler, because it covers every
application above it without changing them
WAN Technology
PPP
X.25
Frame Relay
ATM
Point to Point Protocol
Data link protocol commonly used to establish a
direct connection between two nodes over serial
cable or phone line
Most Internet service providers use PPP for
customers' dial-up access to the Internet
Variants: PPPoE (over Ethernet) and PPPoA (over ATM)
Point to Point Protocol
Negotiates the IP address and the name server
address for the link (via IPCP)
Provides authentication (e.g. CHAP)
Encryption may be negotiated (DES or RC4)
Supports multiple network protocols on the same link
What is a Virtual Private Network
A virtual private network (VPN) is the extension
of a private network that encompasses links
across shared or public networks like the
Internet.
A VPN enables you to send data between two
computers across a shared or public internetwork
in a manner that emulates the properties of a
point-to-point private link.
What is a Virtual Private Network
Secure private communications over the public
Internet
Private IP packets encapsulated within public
packets (tunnel)
Additional header added
Authentication required
Packets are usually encrypted
Advantages of using VPN
Cost saving: use of a public network instead of a
private leased line
Flexibility: users can connect from anywhere
Confidentiality of packets by encryption
Integrity and origin authentication of packets,
e.g. by IPsec (AH or ESP)
Elements of VPN
Authentication
Tunneling
Encryption (including key exchange)
VPN Components
Authentication
User authentication using passwords and
certificates
Machine authentication using certificates
Authentication Protocols
Password Authentication Protocol
Challenge Handshake Authentication Protocol
MS-CHAP Version 1 and 2
Extensible Authentication Protocol (EAP)
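The following is an added example, not part of the slides: a PPP CHAP exchange (RFC 1994) with both the authenticator and the peer simulated in one Python process. It shows what the slide's one-line bullet hides: the secret itself never crosses the wire, only a random challenge and MD5(Identifier || secret || challenge), whereas PAP would send the password in cleartext. The secret, the peer name and the authenticator name are constructed for the example.

```python
"""Added example (not from the slides): a PPP CHAP exchange per RFC 1994."""
import hashlib
import hmac
import os
import struct

CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2   # RFC 1994 packet codes (3 = Success, 4 = Failure)

# Constructed, hypothetical credentials for this example only.
SECRET = b"correct horse battery staple"
PEER_NAME = b"alice"
AUTHENTICATOR_NAME = b"vpn-gw"


def chap_digest(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || secret || Challenge Value), RFC 1994 section 2."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the digest from its own copy of the secret, compare in constant time."""
    return hmac.compare_digest(chap_digest(identifier, secret, challenge), response)


def build_chap_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """Challenge/Response packet: Code(1) Identifier(1) Length(2) Value-Size(1) Value Name."""
    length = 5 + len(value) + len(name)
    return struct.pack("!BBHB", code, identifier, length, len(value)) + value + name


def parse_chap_packet(pkt: bytes):
    """Parse a Challenge/Response packet, validating both length fields."""
    if len(pkt) < 5:
        raise ValueError("CHAP packet too short")
    code, identifier, length, value_size = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt) or 5 + value_size > length:
        raise ValueError("bad CHAP length fields")
    return code, identifier, pkt[5:5 + value_size], pkt[5 + value_size:length]


def run_chap_exchange(peer_secret: bytes, authenticator_secret: bytes = SECRET, identifier: int = 1):
    """Simulate one exchange. Returns (authenticated, challenge_pkt, response_pkt)."""
    # Authenticator -> peer: a fresh, unpredictable challenge (it must never repeat).
    challenge = os.urandom(16)
    challenge_pkt = build_chap_packet(CHAP_CHALLENGE, identifier, challenge, AUTHENTICATOR_NAME)

    # Peer: parse the challenge and answer with the digest, never with the secret.
    code, ident, chal, _name = parse_chap_packet(challenge_pkt)
    if code != CHAP_CHALLENGE:
        raise ValueError("expected a Challenge")
    response_pkt = build_chap_packet(CHAP_RESPONSE, ident, chap_digest(ident, peer_secret, chal), PEER_NAME)

    # Authenticator: parse the response, check the Identifier matches, verify the digest.
    code, ident, resp, _name = parse_chap_packet(response_pkt)
    authenticated = (code == CHAP_RESPONSE and ident == identifier
                     and chap_verify(identifier, authenticator_secret, challenge, resp))
    return authenticated, challenge_pkt, response_pkt


if __name__ == "__main__":
    ok, chal_pkt, resp_pkt = run_chap_exchange(SECRET)
    print("authenticated:", ok, "| secret on the wire:", SECRET in chal_pkt + resp_pkt)
```

Two caveats a practitioner should keep in mind: the authenticator must hold the cleartext secret to recompute the digest, and a captured challenge/response pair can be attacked offline with a dictionary because MD5 is cheap, so CHAP secrets need to be long and random. When the VPN gateway delegates to RADIUS, the challenge and response are forwarded in the CHAP-Challenge and CHAP-Password attributes and the server does the same recomputation.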
Tunneling
To emulate a point-to-point link, data is
encapsulated, or wrapped, with a header that
provides routing information allowing it to
traverse the shared or public transit internetwork
to reach its endpoint.
The tunnel needs to be created, controlled, and
terminated.
Tunnel and VPN
The portion of the connection in which the
private data is encapsulated is known as the
tunnel.
The portion of the connection in which the
private data is encrypted is known as the VPN
connection; a tunnel by itself does not protect the data
VPN connection
Tunneling
Tunneling Protocol
Point-to-Point Tunneling Protocol (PPTP)
Layer Two Tunneling Protocol (L2TP)
IPSec tunnel mode
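The following is an added example, not part of the slides, of what "encapsulated with a header that provides routing information" means on the wire. A private-address IPv4 packet is wrapped in a GRE header (RFC 2784) plus an outer IPv4 header carrying the public tunnel endpoints, and unwrapped at the far end. PPTP carries PPP frames in an enhanced GRE (RFC 2637) in the same way; plain GRE is used here to keep the framing minimal. The addresses and payload are constructed for the example.

```python
"""Added example (not from the slides): tunneling by GRE encapsulation, RFC 2784."""
import socket
import struct

IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800
IPV4_HDR = "!BBHHHBBH4s4s"   # ver/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words (RFC 791). Over a header that already
    contains a correct checksum the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); rejects malformed headers and bad checksums."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 packet")
    ver_ihl, _tos, total_len, _id, _ff, _ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, pkt[ihl:total_len]


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Add the tunnel headers: outer IPv4 (proto 47) + 4-byte GRE header + inner packet."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no C/K/S flags, version 0, payload is IPv4
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_GRE, gre_hdr + inner)


def gre_decapsulate(outer: bytes) -> bytes:
    """Strip the tunnel headers and return the inner packet, after checking the GRE fields."""
    _src, _dst, proto, payload = parse_ipv4(outer)
    if proto != IPPROTO_GRE or len(payload) < 4:
        raise ValueError("not a GRE packet")
    flags_ver, ptype = struct.unpack("!HH", payload[:4])
    if flags_ver != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header (flags/version %#x, type %#x)" % (flags_ver, ptype))
    return payload[4:]


def demo():
    """Site A host 10.1.1.5 sends to site B host 10.2.2.9 through gateways 203.0.113.1 -> 198.51.100.1."""
    inner = build_ipv4("10.1.1.5", "10.2.2.9", 17, b"hello from site A")   # constructed sample packet
    outer = gre_encapsulate(inner, "203.0.113.1", "198.51.100.1")            # what crosses the Internet
    recovered = gre_decapsulate(outer)                                        # what site B's gateway forwards
    return inner, outer, recovered


if __name__ == "__main__":
    inner, outer, recovered = demo()
    print("round trip ok:", recovered == inner)
    print("outer header (src, dst, proto):", parse_ipv4(outer)[:3])
    # Without encryption the private inner addresses and data are visible to anyone on the path.
    print("inner payload visible in transit:", b"hello from site A" in outer)
```

Routers on the public path see only the outer header, so the private 10.x addresses are routable across the Internet; but the last print shows that a tunnel alone hides nothing, which is exactly why the next slide layers encryption on top.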
Encryption
The data being sent is encrypted for
confidentiality, to emulate a private link
The original IP header is hidden as well, because the
whole inner packet sits inside the encrypted payload
Usual encryption protocols:
Microsoft Point-to-Point Encryption (MPPE): RC4
Advanced Encryption Standard (AES)
Encapsulating Security Payload (ESP): the cipher is
negotiated from several options (e.g. AES)
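The following is an added example, not part of the slides, of the RC4 stream cipher that MPPE uses and of the one rule that governs it: the keystream must never be reused. RC4 produces ciphertext = plaintext XOR keystream(key); if two packets are encrypted from a fresh cipher state under the same key they share the keystream, and XORing the two ciphertexts gives the XOR of the two plaintexts, so knowing one packet reveals the other. MPPE avoids this with separate send and receive keys and, in stateless mode, a new key for every packet (RFC 3078/3079); the per-packet derivation below is a simplified stand-in for that rekeying, not the RFC's exact algorithm, and the session key and sample packets are constructed.

```python
"""Added example (not from the slides): RC4 as used by MPPE and the cost of keystream reuse."""
import hashlib


def rc4_keystream(key: bytes):
    """RC4 key scheduling (KSA) followed by the PRGA; yields keystream bytes."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                               # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) with a fresh RC4 state."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def encrypt_static_key(key: bytes, packets):
    """Naive: every packet encrypted from a fresh RC4 state under the same key,
    so every packet gets the identical keystream. Do not do this."""
    return [rc4(key, p) for p in packets]


def encrypt_rekeyed(session_key: bytes, packets):
    """Per-packet key (simplified stand-in for MPPE stateless-mode rekeying, not RFC 3079's
    exact derivation): key_n = SHA1(session_key || n)[:16]. Decrypting is the same call."""
    out = []
    for seq, p in enumerate(packets):
        packet_key = hashlib.sha1(session_key + seq.to_bytes(2, "big")).digest()[:16]
        out.append(rc4(packet_key, p))
    return out


def recover_from_keystream_reuse(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Attacker view: c1 XOR c2 XOR p1 = p2 whenever c1 and c2 share a keystream."""
    n = min(len(c1), len(c2), len(known_p1))
    return bytes(a ^ b ^ c for a, b, c in zip(c1[:n], c2[:n], known_p1[:n]))


# Constructed sample session key and traffic for the demonstration.
SESSION_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")
PACKETS = [b"GET /payroll HTTP/1.1\r\n", b"PASSWORD=hunter2\r\n"]   # attacker knows the first, wants the second


if __name__ == "__main__":
    bad = encrypt_static_key(SESSION_KEY, PACKETS)
    print("static key, known first packet -> second packet:",
          recover_from_keystream_reuse(bad[0], bad[1], PACKETS[0]))
    good = encrypt_rekeyed(SESSION_KEY, PACKETS)
    print("rekeyed, same attack ->", recover_from_keystream_reuse(good[0], good[1], PACKETS[0]))
    print("rekeyed decrypts correctly:", encrypt_rekeyed(SESSION_KEY, good) == PACKETS)
```

The first print recovers the second packet byte for byte without ever touching the key; the second yields noise. Note also that RC4 provides no integrity at all: flipping a ciphertext bit flips the same plaintext bit, which is why ESP pairs its cipher with an integrity check and why MPPE/RC4 is no longer considered adequate.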
Types of VPN connection
Gateway to Gateway: connecting the networks of 2 sites
Host to Gateway: mobile worker connecting to a company server
Host to Host: to administer a network remotely
Type of VPN connection
Remote access VPN
Mobile worker accessing the company network
Requires VPN client software on the host
Connection is brought up on demand (originally dial-in)
Site-to-Site VPN
Connects the LANs of 2 sites together
Requires a VPN-capable router or gateway at each site
Usually persistent, 24 hours a day
Remote Access to Intranet
Site to Site connection
Tunneling Protocol
The encapsulation can be done at layer 2 or layer
3.
Layer 2:
Point to Point Tunneling Protocol (PPTP)
Layer 2 Tunneling Protocol (L2TP)
Layer 3:
IP Security (IPsec)
PPTP
PPTP establishes the tunnel (PPP frames carried in GRE
over IP) but does not itself provide encryption.
It is used in conjunction with the Microsoft
Point-to-Point Encryption (MPPE) protocol to
create a secure VPN.
PPTP has relatively low overhead, making it
faster than some other VPN methods.
Its security rests on MS-CHAP and MPPE (RC4), both
now considered broken, so it should not be chosen
for new deployments.
L2TP
The Layer 2 Tunneling Protocol (L2TP) was
developed in cooperation between Cisco and
Microsoft, combining features of PPTP with
those of Cisco’s proprietary Layer 2
Forwarding (L2F) protocol.
L2TP carries PPP frames over UDP port 1701 and
provides no encryption of its own.
L2TP/IPsec
The Encapsulating Security Payload (ESP) header
and trailer of IPsec wrap the whole L2TP/UDP
packet, providing authentication, integrity and
encryption, and hence better security
Authentication Header (AH) provides authentication
and integrity without encryption: the payload
stays readable on the wire
PPTP vs L2TP
L2TP/IPsec connections provide stronger
authentication by requiring both computer-level
authentication through certificates and
user-level authentication through a PPP
authentication protocol
With PPTP, data encryption begins only after the
PPP connection process. With L2TP/IPsec,
data encryption begins before the PPP
connection process, by negotiating an IPsec
security association
PPTP vs L2TP
Both PPTP and L2TP can carry IP, IPX/SPX and
NetBEUI inside the tunnel
L2TP can also run over non-IP networks such as
ATM, frame relay and X.25
PPTP performs better than L2TP because of
its lower overhead
L2TP/IPsec is more secure and is the preferred method
PPTP vs L2TP
                      PPTP               L2TP/IPsec
Tunnel                Yes                Yes
Authentication        User (PPP)         Computer (certificates) + user (PPP)
Encryption method     MPPE               IPsec (more secure)
Transit media         IP                 IP, X.25, ATM, Frame Relay
Datagrams supported   IP, IPX, NetBEUI   IP, IPX, NetBEUI
PPTP vs L2TP
                          PPTP                        L2TP/IPsec
Supports older clients    Yes                         No
Passes through NAT        Yes (NAT must handle GRE)   Might (needs NAT-T)
Requires PKI              No                          Yes
Computer authentication   No                          Yes
Speed                     Faster                      Slower
RADIUS
The Remote Authentication Dial-In User Service
(RADIUS) protocol is a popular method for
centralising remote user authentication and
authorization (and accounting)
It is a lightweight, UDP-based protocol (port 1812
for authentication, 1813 for accounting)
The VPN gateway acts as the RADIUS client (the NAS)
and can reach a RADIUS server anywhere on the
network, but RADIUS only hides the user password
(XOR with MD5 of the shared secret) and sends every
other attribute in cleartext, so keep it on a
protected network or inside a tunnel
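The following is an added example, not part of the slides: a RADIUS Access-Request / Access-Accept exchange per RFC 2865, with the VPN gateway acting as the RADIUS client (NAS) and a minimal server in the same process. It shows exactly what the protocol protects: the User-Password attribute is hidden by XOR with MD5(shared secret || Request Authenticator), and the server's reply is authenticated by an MD5 over the reply and the shared secret, while User-Name and every other attribute travel in cleartext. The shared secret, user database, NAS address and identifiers are constructed for this example.

```python
"""Added example (not from the slides): RADIUS Access-Request/Accept framing and password hiding, RFC 2865."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

SHARED_SECRET = b"nas-and-server-shared-secret"      # constructed
USER_DB = {b"alice": b"s3cret-pw"}                   # constructed server-side credentials


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret || c_(i-1)), c_0 = Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; anyone holding the shared secret (or who brute-forced it) can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1, counting these two bytes) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, secret: bytes, username: bytes, password: bytes, nas_ip: str) -> bytes:
    """NAS side. Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes."""
    request_auth = os.urandom(16)                    # must be unpredictable and unique per request
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def parse_packet(pkt: bytes):
    """Return (code, identifier, authenticator, {type: value}); validates every length field."""
    if len(pkt) < 20:
        raise ValueError("RADIUS packet too short")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("RADIUS length mismatch")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return code, identifier, pkt[4:20], attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    _, identifier, request_auth, _ = parse_packet(request)
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: a reply is only trustworthy if its authenticator matches our request and the secret."""
    _, resp_id, resp_auth, _ = parse_packet(response)
    _, req_id, request_auth, _ = parse_packet(request)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return resp_id == req_id and hmac.compare_digest(expected, resp_auth)


def radius_server(request: bytes, secret: bytes = SHARED_SECRET, users=USER_DB) -> bytes:
    """Server side: reveal the password, check it against the user database, answer Accept or Reject."""
    code, _, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return build_response(ACCESS_REJECT, request, secret)
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    expected = users.get(attrs[ATTR_USER_NAME])
    if expected is not None and hmac.compare_digest(expected, password):
        return build_response(ACCESS_ACCEPT, request, secret)
    return build_response(ACCESS_REJECT, request, secret)


def authenticate(username: bytes, password: bytes, secret: bytes = SHARED_SECRET) -> bool:
    """Full exchange: NAS builds the request, server answers, NAS verifies the reply."""
    request = build_access_request(42, secret, username, password, "192.0.2.10")
    response = radius_server(request, secret)
    return verify_response(response, request, secret) and parse_packet(response)[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    print("alice / correct password:", authenticate(b"alice", b"s3cret-pw"))
    print("alice / wrong password  :", authenticate(b"alice", b"nope"))
    req = build_access_request(1, SHARED_SECRET, b"alice", b"s3cret-pw", "192.0.2.10")
    print("User-Name visible on the wire:", b"alice" in req, "| password visible:", b"s3cret-pw" in req)
```

Everything in this exchange is keyed only by the shared secret and MD5: a captured Access-Request lets an attacker test secret guesses offline, and whoever knows the secret can forge an Access-Accept. That is the reason for the placement advice in the slide above; RADIUS over TLS (RFC 6614) or an IPsec tunnel between NAS and server removes the exposure.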
Secure Network Technologies
PPTP: free from Microsoft
PPTP: security
Link layer: L2TP
Network layer: IPsec VPNs
3 parts
IPsec authentication
IPsec encryption
Terminology
MPPE: Microsoft Point-to-Point Encryption
MPLS: Multi-Protocol Label Switching
AH: Authentication Header
ESP: Encapsulating Security Payload
GRE: Generic Routing Encapsulation