Web Security


Virtual Private Networks (VPN)
Chapters 10, 11, 12

Outline
• The Concept of VPNs: ch. 10
  – VPNs defined
  – Types
• Generic Routing Encapsulation (GRE): ch. 11
• Layer 2 Tunneling Protocol (L2TP): ch. 12
• IPsec VPNs: ch. 13
• Other types of VPNs?
http://sce.uhcl.edu/yang/teaching/.
../VPN.ppt
2
What is VPN?
• A VPN is a means of carrying private traffic over a public network.
• Often used to connect two private networks, over a public network, to form a virtual network.
• The word virtual means that, to the users on either end, the two private networks seem to be seamlessly connected to each other. That is, they are part of a single virtual private network (although physically they are two separate networks).
  – implication? connectivity, security, privacy
• The VPN should provide the same connectivity and privacy you would find on a typical local private network.
Different Types of VPNs
• Based on encryption:
  – Encrypted VPNs
  – Nonencrypted VPNs
• Based on OSI model:
  – Data link layer VPNs
  – Network layer VPNs
  – Application layer VPNs
• Based on business functionality:
  – Intranet VPNs
  – Extranet VPNs
• Question: How do we classify ‘SSL VPNs’ and ‘IPsec VPNs’?
  – see OpenVPN and SSL VPN Revolution (or local copy)
Encrypted vs Nonencrypted VPNs
• In encrypted VPNs, encryption mechanisms are used to secure the traffic across the public network.
  – Example: IPsec VPNs
• In nonencrypted VPNs, either data security is not ensured at all, or is ensured by other means (including encryption at higher layers).
  – Examples:
    • MPLS VPNs (Multiprotocol Label Switching): cisco white paper
    • GRE-based VPNs (ch. 11): uses higher layer encryption for confidentiality
VPNs at different OSI layers
• The layer where VPN is constructed affects its functionality.
  – Example: In encrypted VPNs, the layer where encryption occurs determines (i) how much traffic gets encrypted and (ii) the level of transparency for the end users.
• Data link layer VPNs (Layer-2)
  – Example protocols: Frame Relay, ATM
  – Drawbacks:
    • Expensive - requires dedicated Layer 2 pathways
    • May not have complete security – mainly segregation of the traffic, based on types of Layer 2 connection
  – Q: Is L2TP a layer 2 VPN?
VPNs at different OSI layers
• Network layer VPNs (Layer-3)
  – Created using layer 3 tunneling and/or encryption
    • Q: difference between encapsulation and tunneling? See http://computing-dictionary.thefreedictionary.com/tunneling%20protocol
  – Example: IPsec, GRE, L2TP (tunneling layer 2 traffic by using the IP layer to do that)
  – Advantages:
    • A ‘proper’ layer
      – Low enough: transparency
      – High enough: IP addressing
    • Cisco focuses on this layer for its VPNs.
VPNs at different OSI layers
• Application layer VPNs
  – Created to “work” specifically with certain applications
  – Example:
    • SSL-based VPNs (providing encryption between web browsers and servers running SSL)
    • SSH (encrypted and secure login sessions to network devices)
  – Drawbacks:
    • May not be seamless (transparency issue)
  – Counter-argument: OpenVPN and SSL VPN Revolution (Hosner, 2004)
    “The myth that Secure Socket Layer (SSL) Virtual Private Network devices (VPNs) are used to connect applications together is not true. …
    A VPN is a site-to-site tunnel. …
    There is a terrible misunderstanding in the industry right now that pigeon-holes SSL VPNs into the same category with SSL enabled web servers and proxy servers. …
    A VPN, or Virtual Private Network, refers to simulating a private network over the public Internet by encrypting communications between the two private end-points. …
    A VPN device is used to create an encrypted, non-application oriented tunnel between two machines that allows these machines or the networks they service to exchange a wide range of traffic regardless of application or protocol. This exchange is not done on an application by application basis. It is done on the entire link between the two machines or networks and arbitrary traffic may be passed over it. …”
Other Classification of VPNs?
• Intranet VPNs vs Extranet VPNs
• Remote Access VPNs vs Site-to-site VPNs
Generic Routing Encapsulation (GRE)
• Provides low overhead tunneling (often between two private networks)
• Does not provide encryption
• Used to encapsulate an arbitrary layer protocol over another arbitrary layer protocol:
  delivery header + GRE header + payload packet
• Mostly IPv4 is the delivery mechanism for GRE with any arbitrary protocol nested inside
  e.g., IP protocol type 47: GRE packets using IPv4 headers
• RFCs:
  • RFC1701 Generic Routing Encapsulation (GRE) S. Hanks, T. Li, D. Farinacci, P. Traina, October 1994 (INFORMATIONAL)
  • RFC2784 Generic Routing Encapsulation (GRE) D. Farinacci, T. Li, S. Hanks, D. Meyer, P. Traina, March 2000 (PROPOSED STANDARD)
  • RFC2890 Key and Sequence Number Extensions to GRE G. Dommety, September 2000 (PROPOSED STANDARD)
Generic Routing Encapsulation
• GRE Header (based on RFC1701, deprecated): Figure 11-2
• GRE Header (based on RFC 2784 & 2890): Figure 11-4
  – C = 1, checksum present
  – Checksum: to ensure the integrity of the GRE header and the payload packet; contains a checksum of the GRE header and the payload packet
  – Key:
    • contains a number to prevent misconfiguration of packets;
    • may be used to identify individual traffic flow within a tunnel
    • Not the same as a cryptographic key
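The RFC 2784/2890 header just described, as an added example that is not from the slides, the textbook, or any GRE implementation: it builds a GRE-over-IPv4 packet with the C, K and S bits set, parses it back, verifies the checksum, and returns the key and the inner packet, both of which are readable in the clear. The endpoint addresses, the key value and the inner packet are constructed.

```python
import struct

GRE_PROTO = 47  # IP protocol number that marks a GRE payload in the outer IPv4 header
C_BIT, K_BIT, S_BIT = 0x8000, 0x2000, 0x1000  # RFC 2784 checksum bit, RFC 2890 key and sequence bits

def internet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (an odd trailing byte is zero padded)."""
    if len(data) % 2: data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16: total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def gre_encapsulate(payload, proto_type, key=None, seq=None):
    """GRE header (C set, K/S as needed) + payload; the checksum covers header and payload."""
    flags = C_BIT | (K_BIT if key is not None else 0) | (S_BIT if seq is not None else 0)
    tail = b"".join(struct.pack("!I", v) for v in (key, seq) if v is not None)
    hdr = struct.pack("!HHHH", flags, proto_type, 0, 0) + tail  # checksum field is zero while summing
    csum = internet_checksum(hdr + payload)
    return struct.pack("!HHHH", flags, proto_type, csum, 0) + tail + payload

def gre_decapsulate(gre):
    """Return (protocol type, key, sequence, payload); raise if the checksum does not verify."""
    flags, proto_type = struct.unpack("!HH", gre[:4])
    if flags & 0x7 != 0: raise ValueError("unsupported GRE version")
    off, csum, key, seq = 4, None, None, None
    if flags & C_BIT: csum, off = struct.unpack("!H", gre[4:6])[0], 8  # checksum + Reserved1
    if flags & K_BIT: key, off = struct.unpack("!I", gre[off:off + 4])[0], off + 4
    if flags & S_BIT: seq, off = struct.unpack("!I", gre[off:off + 4])[0], off + 4
    # the checksum detects corruption only: anyone on the path can recompute it after altering data
    if csum is not None and internet_checksum(gre[:4] + b"\x00\x00" + gre[6:]) != csum:
        raise ValueError("GRE checksum mismatch")
    return proto_type, key, seq, gre[off:]

def ipv4_deliver(src, dst, gre):
    """Minimal outer IPv4 header (no options) with protocol 47, the usual delivery header for GRE."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0, 64, GRE_PROTO, 0, src, dst)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:] + gre

def ipv4_receive(pkt):
    """Strip the delivery header, accepting only packets whose protocol field says GRE."""
    if pkt[9] != GRE_PROTO: raise ValueError("not a GRE packet")
    return pkt[(pkt[0] & 0xF) * 4:]

def tunnel_round_trip():
    # Constructed inner IPv4 packet (192.168.1.1 -> 192.168.1.2, protocol 1) carried between the
    # constructed tunnel endpoints 203.0.113.1 and 198.51.100.1 with key 42 and sequence number 1
    inner = bytes.fromhex("45000018000100004001" + "0000" + "c0a80101" + "c0a80102") + b"ping"
    outer = ipv4_deliver(bytes([203, 0, 113, 1]), bytes([198, 51, 100, 1]), gre_encapsulate(inner, 0x0800, 42, 1))
    proto_type, key, seq, payload = gre_decapsulate(ipv4_receive(outer))
    return proto_type, key, seq, payload == inner  # key and inner packet come back in the clear
```

The key is a 32-bit tunnel or flow identifier and the checksum only catches accidental corruption; neither gives confidentiality or authenticity, which is why GRE is paired with IPsec when those are needed.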
Generic Routing Encapsulation
• Summary:
  - GRE mainly performs ‘tunneling’.
  - Does not provide a means to securely encrypt its payload
  - Often relies on application layer to provide encryption
  - May be used together with a network layer encryption (such as IPsec)
    Example 1: use GRE to encapsulate non-IP traffic and then encrypt the GRE packet using IPsec
    Example 2: use GRE to encapsulate multicast traffic, and then encrypt the GRE packet using IPsec
  - Question: Why not simply use IPsec?
Generic Routing Encapsulation
• Case Studies:
  - A GRE tunnel connecting two private networks: Figure 11-5
  - GRE between multiple sites: Figure 11-6
  - GRE between two sites running IPX
Layer 2 Tunneling Protocol
• An example of network layer VPN: use IP packets to encapsulate Layer 2 frames
• Previous RFC (v2): RFC2661 Layer Two Tunneling Protocol L2TP W. Townsley, A. Valencia, A. Rubens, G. Pall, G. Zorn, B. Palter. August 1999 (PROPOSED STANDARD)
  - A standard method for tunneling Point-to-Point Protocol (PPP) [RFC1661] sessions
  - Note: L2TP has since been adopted for tunneling a number of other L2 protocols (e.g., Ethernet, Frame Relay, etc.) -> L2TPv3 [RFC3931]
Point-to-Point Protocol (PPP [RFC1661])
- PPP defines an encapsulation mechanism for transporting multiprotocol packets across layer 2 (L2) point-to-point links.
- PPP relies on the Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection.
- It has a family of Network Control Protocols (NCPs) for establishing and configuring different network-layer protocols.
- Typically, a user obtains a L2 connection to a Network Access Server (NAS) using one of a number of techniques (e.g., dialup POTS, ISDN, ADSL, etc.) and then runs PPP over that connection.
  Example: A customer uses a dialup modem or a DSL line to connect to the ISP or the company’s modem pool.
  Dial client (PPP peer) <-- PPP --> NAS (e.g., ISP)
  In such a configuration, the L2 termination point and PPP session endpoint reside on the same physical device (i.e., the NAS).
Layer 2 Tunneling Protocol
• Types of L2TP Tunnels
  1. Compulsory L2TP Tunneling
     The client is completely unaware of the presence of an L2TP connection.
     The L2TP Access Concentrator (LAC) is aware of L2TP.
     Figure 12-3: (client) --PPP + Data--> (LAC) --L2TP + Data--> (LNS)
Layer 2 Tunneling Protocol
• Types of L2TP Tunnels (cont.)
  2. Voluntary L2TP Tunneling
     The client is aware of the presence of an L2TP connection.
     The LAC is unaware of L2TP.
     Figure 12-4: (client) --PPP + L2TP + Data--> (LAC) --L2TP + Data--> (LNS)
Layer 2 Tunneling Protocol (cont.)
• L2TP
  - L2TP extends the PPP model by allowing the L2 and PPP endpoints to reside on different devices interconnected by a packet-switched network.
  - With L2TP, a user has an L2 connection to an L2TP access concentrator (LAC, e.g., modem bank, ADSL DSLAM, etc.), and the concentrator then tunnels individual PPP frames to the L2TP Network Server (LNS). (See Fig. 12-1)
    Dial client (PPP peer) <-- PPP --> LAC <-- L2TP tunnel --> LNS
  - This allows the actual processing of PPP packets to be divorced from the termination of the L2 circuit.
Layer 2 Tunneling Protocol (cont.)
• A typical L2TP scenario (from RFC2661)
Layer 2 Tunneling Protocol (cont.)
• RFC3931 Layer Two Tunneling Protocol - Version 3 (L2TPv3) J. Lau, Ed., M. Townsley, Ed., I. Goyret, Ed. March 2005 (PROPOSED STANDARD)
  - L2TPv3 defines the base control protocol and encapsulation for tunneling multiple Layer 2 connections between two IP nodes.
  - L2TPv3 consists of (1) the control protocol for dynamic creation, maintenance, and teardown of L2TP sessions, and (2) the L2TP data encapsulation to multiplex and demultiplex L2 data streams between two L2TP nodes across an IP network.
Layer 2 Tunneling Protocol (cont.)
• L2TP (according to TheFreeDictionary, http://computingdictionary.thefreedictionary.com/L2TP)
  • A protocol from the IETF that allows a PPP session to travel over multiple links and networks. (Note: a limitation of L2TPv2)
  • L2TP is used to allow remote users access to the corporate network.
  • PPP is used to encapsulate IP packets from the user's PC to the ISP, and L2TP extends that session across the Internet.
  • L2TP was derived from Microsoft's Point-to-Point Tunneling Protocol (PPTP) and Cisco's Layer 2 Forwarding (L2F) technology.
Layer 2 Tunneling Protocol (cont.)
• From Access Concentrator to Network Server
  • The "L2TP Access Concentrator" (LAC) encapsulates PPP frames with L2TP headers and sends them over the Internet as UDP packets (or over an ATM, frame relay or X.25 network).
  • At the other end, the "L2TP Network Server" (LNS) terminates the PPP session and hands the IP packets to the LAN. L2TP software can also be run in the user's PC.
  • Carriers also use L2TP to offer remote points of presence (POPs) to smaller ISPs. Users in remote locations dial into the carrier's local modem pool, and the carrier's LAC forwards L2TP traffic to the ISP's LNS.
    user -> original IP packet (p) -> PPP+p -> LAC -> L2TP+PPP+p -> LNS
• L2TP and IPsec
  • L2TP does not include encryption (as does PPTP), but is often used with IPsec in order to provide virtual private network (VPN) connections from remote users to the corporate LAN.
L2TP Operations
• Assumptions: Compulsory tunneling
• The Procedure:
  1. The client initiates a PPP connection to the LAC.
  2. The LAC does LCP negotiation with the client, and challenges the client for authentication credentials.
  3. The client supplies the credentials (such as user name, domain name, password).
  4. The LAC uses the domain name to ascertain which LNS it needs to contact (in the case of multiple domains).
  5. The LAC begins establishing an L2TP tunnel with the LNS.
• Two Stages of L2TP Tunnel Setup:
  1. Set up a control session between the LAC and the LNS.
  2. Set up the actual L2TP tunnel for passing the data (aka. ‘creating the session’)
  – Notes:
    • Between a pair of LAC and LNS, there may exist multiple tunnels.
    • Across a single L2TP tunnel, there may exist multiple sessions.
L2TP Tunnel Setup (from RFC2661)
L2TP Operations
• Control Connection Establishment
  - Securing the peer’s identity, identifying the peer’s L2TP version, framing, etc.
  - Figure 12-5:
    1. LAC -> SCCRQ (start-control-connection-request) -> LNS
    2. LAC <- SCCRP (start-control-connection-reply) <- LNS
    3. LAC -> SCCCN (start-control-connection-connected) -> LNS
    ---------------------------------------------------------------
       LAC <- ZLB ACK <- LNS
    The ZLB ACK is sent if there are no further messages waiting in queue for that peer.
L2TP Operations
• Session Establishment
  - A session may be created after a successful control connection is established.
  - Each session corresponds to a single PPP stream between the LAC and the LNS.
  - Session establishment is directional:
    - Incoming call: The LAC asks the LNS to accept a session;
    - Outgoing call: The LNS asks the LAC to accept a session
  - Figure 12-6 (Incoming Call Establishment):
    1. LAC -> ICRQ (Incoming-Call-Request) -> LNS
    2. LAC <- ICRP (Incoming-Call-Reply) <- LNS
    3. LAC -> ICCN (Incoming-Call-Connected) -> LNS
    ---------------------------------------------------------------
       LAC <- ZLB ACK <- LNS
    The ZLB ACK is sent if there are no further messages waiting in queue for that peer.
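The control connection setup of Figure 12-5 and the incoming-call session setup of Figure 12-6, walked through in code as an added example (not from the slides, the textbook, or any L2TP implementation): it encodes RFC 2661 control message headers and AVPs, runs the LAC/LNS request, reply, connected, ZLB ACK pattern for the tunnel and then for a session inside it, and tracks the Ns/Nr sequence numbers each side uses to acknowledge the other. The tunnel and session IDs are constructed, and the hostname, authentication and other AVPs a real exchange carries are omitted.

```python
import struct

# L2TPv2 control message types (RFC 2661 sec. 3.2) and the AVP attribute types used here
MSG = {"SCCRQ": 1, "SCCRP": 2, "SCCCN": 3, "ICRQ": 10, "ICRP": 11, "ICCN": 12}
CTRL_FLAGS = 0xC802  # T=1 (control), L=1, S=1, O=0, P=0, Ver=2
MESSAGE_TYPE, TUNNEL_ID, SESSION_ID = 0, 9, 14  # 9 and 14 are the "Assigned ... ID" AVPs

def avp(atype, value):  # M=1, H=0, 10-bit length (6-byte header included), Vendor ID 0, type, value
    return struct.pack("!HHH", 0x8000 | (6 + len(value)), 0, atype) + value
def control_message(tunnel_id, session_id, ns, nr, avps):
    body = b"".join(avps)  # a 12-byte header with no AVPs at all is a ZLB ACK
    return struct.pack("!HHHHHH", CTRL_FLAGS, 12 + len(body), tunnel_id, session_id, ns, nr) + body
def decode(pkt):
    flags, length, tid, sid, ns, nr = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0xC800 != 0xC800 or flags & 0xF != 2 or length != len(pkt): raise ValueError("bad L2TPv2 control header")
    avps, off = [], 12
    while off < length:  # walk the AVP chain using each AVP's own 10-bit length
        mh, _vendor, atype = struct.unpack("!HHH", pkt[off:off + 6])
        avps.append((atype, pkt[off + 6:off + (mh & 0x3FF)]))
        off += mh & 0x3FF
    return {"tid": tid, "sid": sid, "ns": ns, "nr": nr, "avps": avps}

class Peer:  # a LAC or LNS: the IDs it assigned, the IDs its peer assigned, and Ns/Nr state
    def __init__(self, tid, sid):
        self.mine, self.remote = {TUNNEL_ID: tid, SESSION_ID: sid}, {TUNNEL_ID: 0, SESSION_ID: 0}
        self.ns = self.nr = 0  # Ns of our next message; Ns we expect next from the peer
    def send(self, name):
        kind = SESSION_ID if name.startswith("IC") else TUNNEL_ID  # call messages carry session IDs
        avps = [avp(MESSAGE_TYPE, struct.pack("!H", MSG[name]))]  # Message Type AVP comes first
        if not name.endswith("CN"):  # request and reply announce the ID the sender just assigned
            avps.append(avp(kind, struct.pack("!H", self.mine[kind])))
        msg = control_message(self.remote[TUNNEL_ID], self.remote[SESSION_ID] if kind == SESSION_ID else 0, self.ns, self.nr, avps)
        self.ns += 1  # every real control message consumes a sequence number
        return msg
    def zlb_ack(self):  # carries the current Ns without consuming it: it only acknowledges
        return control_message(self.remote[TUNNEL_ID], 0, self.ns, self.nr, [])
    def recv(self, pkt):
        d = decode(pkt)
        if d["avps"]:  # a ZLB ACK is unsequenced, so only real messages advance Nr
            if d["ns"] != self.nr: raise ValueError("out-of-order control message")
            self.nr += 1
            self.remote.update({t: struct.unpack("!H", v)[0] for t, v in d["avps"] if t in self.remote})
        return d
def three_way(initiator, responder, names):  # request, reply, connected, then the responder's ZLB ACK
    turns = zip((initiator, responder, initiator), (responder, initiator, responder), names)
    msgs = [(n, r.recv(s.send(n))) for s, r, n in turns] + [("ZLB", initiator.recv(responder.zlb_ack()))]
    return [(n, d["tid"], d["sid"], d["ns"], d["nr"]) for n, d in msgs]  # header fields as sent
def compulsory_tunnel_setup():  # constructed IDs: LAC tunnel 5 / session 21, LNS tunnel 9 / session 33
    lac, lns = Peer(5, 21), Peer(9, 33)
    return three_way(lac, lns, ("SCCRQ", "SCCRP", "SCCCN")) + three_way(lac, lns, ("ICRQ", "ICRP", "ICCN"))
```

Note that the ZLB ACK after SCCCN carries Ns 1 and Nr 2, the same Ns as the LNS's next real message, so it acknowledges without taking a slot in the sequence.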
L2TP Message Header
L2TP Control Messages (from RFC2661)
L2TP Authentication (from RFC2661)
• Authentication, Authorization and Accounting may be provided by the Home LAN's Management Domain, which is behind the LNS.
• In that case, the LAC performs proxy authentication, by passing authentication information back and forth between the user and the LNS.
L2TP Operations
• Case Studies:
  - Setting up compulsory L2TP Tunneling: Figure 12-10
L2TP Operations
• Case Studies (cont.)
  - Protecting L2TP Traffic using IPsec in a compulsory tunneling setup: Figure 12-11
    NOTE: L2TP encapsulation occurs before IPsec processing.
L2TPv3 Topology (from RFC3931)
• L2TP operates between two L2TP Control Connection Endpoints (LCCEs), tunneling traffic across a packet network.
• There are three predominant tunneling models in which L2TP operates: LAC-LNS (or vice versa), LAC-LAC, and LNS-LNS.