Transcript VPN

Overview
• VPN
• VPN requirements
• Encryption
• VPN-Types
• Protocols
• VPN and Firewalls
Computer Net Lab/Praktikum Datenverarbeitung 2
1
VPN - Definition
• VPNs (Virtual Private Networks) allow secure data transmission over an insecure connection.
• VPNs connect computers and/or networks (at various locations) into a common network by use of a public communication infrastructure.
VPN Scheme
[Diagram: two LANs and a VPN client, connected across the Internet by VPN tunnels]
VPN - terms
• Virtual: because a public communication infrastructure is used, there is no permanent physical connection but only a logical one. When there is data to transmit, bandwidth is occupied and the data is transmitted according to the routing information.
• Private: because only valid users should have access to the network and to the data. Additionally, all data has to be transmitted confidentially.
VPN requirements
• Data security must ensure
  – Confidentiality
  – Integrity
  – Authentication
• Quality of Service
  – Guarantees availability of connectivity
  – Support of all applications
• Additional requirements
  – Reasonable administration effort
  – Effectiveness and extendibility
Confidentiality
• means that no unauthorized person who has gained illegal access to the data is able to read or understand it.
• is realized by encryption. The data is encoded with an encryption algorithm and an encryption key. Only the owner of the appropriate decryption key is able to decrypt the coded data.
Integrity
• means that no data has been changed or manipulated during transmission.
• is realised by a checksum over the transferred data. A mathematical function builds a checksum over the data that has to be transmitted; this checksum is unique to the data. The checksum is sent to the recipient together with the data.
Authentication
• means that the recipient of a message is able to ensure that it came from the right person and not from someone who pretends to be that person.
• is realized by use of digital signatures. Digital signatures are like a "normal" signature on a document, which unambiguously identifies the author.
Symmetric Encryption
• Each communication partner has the same key
• N(N-1)/2 keys for N communication partners which communicate pairwise
• High effort for key maintenance
• Key lengths of 128 bit are said to be secure; typical values: 40, 56, 128
• Fast method
• Examples: DES, Triple DES, Blowfish
Asymmetric Encryption
• Distinction between private keys (mine) and public keys (for others)
• Communication with N participants means N public keys
• Key length higher than for symmetric keys; typical lengths: 512, 1024, 2048
• Slower than symmetric encryption
• Examples: PGP, RSA
Tunnel
• Tunneling means embedding a complete data packet (header and payload) within the payload segment of another protocol at the same protocol level.
  Advantage: the data can be coded/encrypted.
Original packet:  Orig IP Hdr | TCP Hdr | Data
Tunneled packet:  New IP Hdr | Orig IP Hdr | TCP Hdr | Data
End-to-End Constellation
[Diagram: Computer 1 and Computer 2 connected directly across the Internet]
End-to-Site Constellation
[Diagram: mobile computers connect via their ISP and the Internet to the VPN Gateway in front of the Intranet]
Site-to-Site Constellation
[Diagram: Intranet 1 behind VPN Gateway 1 and Intranet 2 behind VPN Gateway 2, connected across the Internet]
VPN-Types
Application level (Layer 5-7):       Application-Layer encryption
Transport/network level (Layer 3-4): Network-Layer encryption
Link/physical level (Layer 1-2):     Link-Layer encryption
VPN and ISO/OSI Layer
Application:  SSH, Kerberos, virus scans, content screening, IPSEC (IKE), …
Transport:    SSL, Socks V5, TLS
Network:      IPSEC (AH, ESP), packet filtering, NAT
Link:         Tunneling protocols (L2TP, PPTP, L2F), CHAP, PAP, …
PPTP-Protocol
• Point To Point Tunneling, widespread because it is simple
• Layer-2 protocol
• Only user authentication => security = password
• Set up of communication:
  1. PPP connection with user authentication
  2. Link and control (TCP Port 1723)
  3. Tunnel: IP Header | GRE (IP 47) Header | PPP Header | PPP Payload (optionally encrypted with MPPE (RC4))
  IP addresses of client and server => NAT and dynamic IP addresses OK
PPTP-Protocol 2
IPSec 1
• Internet Protocol Security is a protocol family
• Allows encryption and integrity check
  – integrity check: Authentication Header protocol (AH)
  – encryption: Encapsulating Security Payload protocol (ESP)
• Open for enhancements, the encryption method is not fixed
  – Authentication: Diffie-Hellman key exchange
  – Confidentiality: Triple-DES, IDEA, Blowfish
  – Integrity by use of hash building: MD5 and SHA
• Two modes of operation
  – Tunnel mode protects address information and payload
  – Transport mode protects only the payload
IPSec AH
AH allows only a check of integrity.
Original packet:  Orig IP Hdr | TCP Hdr | Data
Tunnel mode:      New IP Hdr | AH Header | Orig IP Hdr | TCP Hdr | Data
Transport mode:   Orig IP Hdr | AH Header | TCP Hdr | Data
IPSec ESP
ESP allows encryption.
Original packet:  Orig IP Hdr | TCP Hdr | Data
Tunnel mode:      New IP Hdr | ESP Hdr | Orig IP Hdr | TCP Hdr | Data | ESP Trailer | ESP Auth
Transport mode:   Orig IP Hdr | ESP Hdr | TCP Hdr | Data | ESP Trailer | ESP Auth
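The tunnel, AH and ESP layouts of the slides above, as an added example that is not part of the original slides: constructed byte-string headers stand in for real IP/TCP/AH/ESP encodings, HMAC-SHA256 stands in for the MD5/SHA hash building (keyed, so that whoever alters the data cannot simply recompute the checksum), and a SHA-256 keystream XOR stands in for Triple-DES. It shows why AH in tunnel mode also protects the outer address information, while ESP Auth does not cover the outer IP header.

```python
import hashlib, hmac
# Constructed sample headers: readable byte strings, not RFC-accurate IP/TCP/AH/ESP encodings.
ORIG_IP_HDR = b"[IP 192.168.1.5>192.168.2.7]"    # inner (LAN-to-LAN) addresses
TCP_HDR = b"[TCP 80]"
DATA = b"GET / HTTP/1.0"
NEW_IP_HDR = b"[IP 134.91.90.70>134.91.90.71]"  # outer gateway-to-gateway header
KEY = b"constructed-demo-key"                    # real IPsec gets this from IKE
ICV_LEN = 12                                     # IPsec truncates the HMAC to 96 bits
def icv(covered: bytes) -> bytes:
    """Integrity check value: keyed hash (HMAC-SHA256) over the covered bytes."""
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:ICV_LEN]

def keystream_xor(data: bytes) -> bytes:
    """Stand-in for Triple-DES: XOR with a SHA-256 counter keystream (demo only)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(KEY + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def ah_encapsulate(tunnel: bool) -> bytes:
    """AH: ICV covers all headers, including the outer IP header in tunnel mode."""
    inner = ORIG_IP_HDR + TCP_HDR + DATA if tunnel else TCP_HDR + DATA
    outer = NEW_IP_HDR if tunnel else ORIG_IP_HDR
    return outer + b"[AH " + icv(outer + inner) + b"]" + inner

def ah_verify(pkt: bytes) -> bool:
    outer, rest = pkt.split(b"[AH ", 1)
    got, inner = rest[:ICV_LEN], rest[ICV_LEN + 1:]  # +1 skips the closing ']'
    return hmac.compare_digest(got, icv(outer + inner))

def esp_encapsulate(tunnel: bool) -> bytes:
    """ESP: inner packet encrypted; ESP Auth covers ESP Hdr..Trailer, not the outer IP header."""
    inner = ORIG_IP_HDR + TCP_HDR + DATA if tunnel else TCP_HDR + DATA
    outer = NEW_IP_HDR if tunnel else ORIG_IP_HDR
    body = b"[ESP]" + keystream_xor(inner + b"[TRL]")
    return outer + body + b"[AUTH " + icv(body) + b"]"

def esp_decrypt(pkt: bytes) -> bytes:
    """Check ESP Auth first, then decrypt; b'' means the packet must be dropped."""
    rest = pkt.split(b"[ESP]", 1)[1]
    body, got = b"[ESP]" + rest[:-(6 + ICV_LEN + 1)], rest[-(ICV_LEN + 1):-1]
    if not hmac.compare_digest(got, icv(body)):
        return b""
    return keystream_xor(body[5:])[:-5]  # strip the "[ESP]" marker and "[TRL]" trailer

def outer_header_tamper_detected(pkt: bytes, verify) -> bool:
    """Flip one byte of the outer IP header and ask the verifier whether it notices."""
    tampered = pkt[:2] + bytes([pkt[2] ^ 0xFF]) + pkt[3:]
    return not verify(tampered)
```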
VPN and Firewall
• Idea of the firewall
  The firewall is the only connection to the Internet. All other computers (even the VPN gateway) are located behind the firewall.
• Problem
  The firewall is not able to analyze the data because it is encrypted.
VPN behind Firewall
[Diagram: the branch-office LAN and a VPN client reach the center LAN across the Internet; the Firewall faces the Internet, and the VPN-Gateway behind it hands the decrypted data to the center LAN]
VPN and Firewall together
[Diagram: a combined Firewall and VPN-Gateway sits between the Internet and the center LAN; the branch-office LAN and a VPN client connect to it over the Internet, and the decrypted data enters the center LAN]
VPN Gateway in DMZ
[Diagram: the VPN-Gateway stands in a DMZ between an outer Firewall (towards the Internet) and an inner Firewall (towards the center LAN); the branch-office LAN and a VPN client connect over the Internet, and the decrypted data passes the inner Firewall into the center LAN]
NAT
• NAT = Network Address Translation
• Allows, through a mapping, the assignment of official IP addresses to private ones. Therefore it is possible to access the Internet with private IP addresses.
Outbound: Sender-IP 192.168.0.10 (web browser) --NAT--> New Sender-IP 134.91.90.70 --> Internet
Inbound:  Target-IP 134.91.90.70 --NAT--> New Target-IP 192.168.0.10 (web browser)
IP
• It carries the transport protocols TCP and UDP.
• It builds IP packets out of the data which has to be transmitted.
• It adds additional information, the IP header, which contains the source and destination address.
TCP
• TCP (Transmission Control Protocol) confirms every received data packet.
• TCP repeats each data packet until its receipt is confirmed.
• TCP is reliable, that means the transmission is guaranteed.
IP-Forwarding
[Diagram: a packet from the Internet with target 134.91.90.70 arrives at the Firewall; by IP-Forwarding for port 1723 or GRE protocol 47 it is passed on with target 192.168.1.1 to the VPN Gateway in the private local net]
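The NAT mapping and the IP-forwarding rule (port 1723 or GRE protocol 47) of the NAT and IP-Forwarding slides above, as an added example that is not from the original slides: it uses the addresses shown on the slides (192.168.0.10, 134.91.90.70, 192.168.1.1), constructed remote addresses from the 203.0.113.0/24 documentation range, and a constructed Gateway class rather than any real NAT or firewall implementation.

```python
# Addresses from the slides: private host, the gateway's official address and the VPN
# gateway in the private LAN. Demo logic only, not a real NAT or firewall implementation.
PUBLIC_IP = "134.91.90.70"
VPN_GATEWAY_IP = "192.168.1.1"
TCP, UDP, GRE = 6, 17, 47      # IP protocol numbers; PPTP tunnel data rides on GRE (47)
PPTP_CONTROL_PORT = 1723

class Gateway:
    """Source NAT with port translation for outbound flows, plus static IP forwarding
    of PPTP traffic (TCP 1723 and GRE) to the VPN gateway behind the firewall."""

    def __init__(self, first_port=40000):
        self.next_port = first_port
        self.table = {}    # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.reverse = {}  # (public port, remote_ip, remote_port) -> (src_ip, src_port)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the private sender address to the official one (NAT slide)."""
        if proto not in (TCP, UDP):
            return (proto, PUBLIC_IP, None, dst_ip, None)  # GRE etc.: no ports to map
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.table:                       # new flow: allocate a port
            self.table[key] = self.next_port
            self.reverse[(self.next_port, dst_ip, dst_port)] = (src_ip, src_port)
            self.next_port += 1
        return (proto, PUBLIC_IP, self.table[key], dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Handle a packet arriving from the Internet; None means the firewall drops it."""
        if dst_ip != PUBLIC_IP:
            return None
        # Static IP-Forwarding rule (IP-Forwarding slide): PPTP goes to the VPN gateway.
        if proto == GRE or (proto == TCP and dst_port == PPTP_CONTROL_PORT):
            return (proto, src_ip, src_port, VPN_GATEWAY_IP, dst_port)
        # Everything else is let in only as a reply to a flow in the NAT table.
        inner = self.reverse.get((dst_port, src_ip, src_port))
        if inner is None:
            return None
        return (proto, src_ip, src_port) + inner
```

Unsolicited packets to the official address that match neither the forwarding rule nor an existing flow are dropped, which is the incidental filtering effect of NAT.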
VPN-Practical training
[Diagram: two private local nets, each behind its own Firewall and VPN-Gateway, joined across the Internet by a tunnel]