Tunneling and VPNs
CIT 384: Network Administration
Slide #1
Topics
1. VPNs
2. Tunneling
3. ssh
4. SSL
5. IPsec
6. L2TP
VPNs
VPNs try to provide leased line features while using a public network at lower cost:
– Privacy: preventing unauthorized people from being able to read VPN traffic.
– Authentication: verifying that the sender of VPN traffic is an authorized device.
– Integrity: verifying that data is not changed in transit.
VPN Example
1. PC1 sends an IP packet to S1.
2. The router encapsulates the IP packet in VPN+IP headers.
3. No one can read the packet in the middle.
4. ASA-1 checks security and de-encapsulates.
5. S1 receives the IP packet from PC1.
VPN Types
Remote Access: individual user to network.
Intranet: connect networks of two sites.
Extranet: connect networks of two partnering organizations.
Tunneling
Tunneling: encapsulation of one network protocol in another protocol
– Carrier Protocol: protocol used by the network through which the information is travelling
– Encapsulating Protocol: protocol (GRE, IPsec, L2TP) that is wrapped around the original data
– Passenger Protocol: protocol that carries the original data
Tunneling Protocols by Layer
Application: (none listed)
Transport: ssh, SSL
Network: IPsec
Data Link: L2TP, MPLS
ssh
Secure Shell replaces:
– telnet
– ftp
– rlogin
– rsh
– rcp
SSH Security Features
ssh tunneling
Use ssh tunneling (local port forwarding) to encrypt TCP connections:
ssh -L lport:rhost:rport rhost
– Carrier Protocol: IP
– Encapsulating Protocol: ssh
– Passenger Protocol: TCP on a specific port
SSL/TLS
Secure Sockets Layer
– Commonly used to encrypt web connections.
– Also used for IMAP, LDAP, POP, etc.
– Transport Layer Security supersedes SSLv3
Can be used to create tunnels
– Configure similarly to ssh tunnels.
– Stunnel is open source SSL tunnel software.
IPsec
IPsec includes three major protocols:
– Internet Key Exchange (IKE) provides a framework for negotiating security parameters.
– Encapsulating Security Payload (ESP) provides a framework for encrypting, authenticating, and securing data.
– Authentication Header (AH) provides a framework for authenticating and securing data.
IPsec General Operation
To communicate with IPsec, devices must
– Agree on a set of security protocols.
– Agree on an encryption algorithm.
– Exchange cryptographic keys.
– Use the above to encode and decode data.
IPsec Packet Encapsulation
Transport Mode
– The original IP header of the packet being encrypted is used to transport the packet.
– The ESP or AH header is inserted between the IP header and the payload.
Tunnel Mode
– A new IP header is added in front of the ESP/AH header. This header contains the IP addresses of the two IPsec peers as source and destination.
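The two header layouts above, as an added example (not from the slides): it builds a constructed PC1-to-S1 IP packet, wraps it in ESP in transport mode and in tunnel mode, and splits the result back into carrier header, ESP header and passenger data. Encryption, padding and the ESP ICV are deliberately omitted so that only the header arrangement is shown; the addresses and SPI are constructed values.

```python
import struct
from ipaddress import IPv4Address

ESP = 50                    # IP protocol number for ESP (from the slides)
IPV4_FMT = "!BBHHHBBH4s4s"  # minimal 20-byte IPv4 header

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Build a 20-byte IPv4 header; header checksum left at 0 for illustration."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def esp_header(spi: int, seq: int) -> bytes:
    """ESP header: 32-bit SPI (selects the SA) + 32-bit anti-replay sequence number."""
    return struct.pack("!II", spi, seq)

def transport_mode(ip_packet: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: keep the original IP header (protocol now 50) and
    insert the ESP header between it and the original payload."""
    fields = list(struct.unpack(IPV4_FMT, ip_packet[:20]))
    payload = ip_packet[20:]
    esp = esp_header(spi, seq)
    fields[2] = 20 + len(esp) + len(payload)   # total length grows by the ESP header
    fields[6] = ESP                            # protocol field now says ESP
    return struct.pack(IPV4_FMT, *fields) + esp + payload

def tunnel_mode(ip_packet: bytes, spi: int, seq: int, peer_src: str, peer_dst: str) -> bytes:
    """Tunnel mode: new outer IP header addressed between the two IPsec peers,
    then ESP, then the entire original packet (its header included) as passenger."""
    esp = esp_header(spi, seq)
    return ipv4_header(peer_src, peer_dst, ESP, len(esp) + len(ip_packet)) + esp + ip_packet

def describe(packet: bytes) -> dict:
    """Split an ESP-encapsulated packet into carrier header fields, ESP header and passenger."""
    fields = struct.unpack(IPV4_FMT, packet[:20])
    spi, seq = struct.unpack("!II", packet[20:28])
    return {"outer_src": str(IPv4Address(fields[8])), "outer_dst": str(IPv4Address(fields[9])),
            "proto": fields[6], "spi": spi, "seq": seq, "passenger": packet[28:]}

# Constructed sample: a PC1 -> S1 packet carrying 8 bytes of (pretend) TCP data.
INNER = ipv4_header("10.1.1.10", "10.2.2.20", 6, 8) + b"TCPDATA!"
TRANSPORT = transport_mode(INNER, 0x1000, 1)
TUNNEL = tunnel_mode(INNER, 0x1000, 1, "203.0.113.1", "198.51.100.1")

if __name__ == "__main__":
    for name, pkt in (("transport", TRANSPORT), ("tunnel", TUNNEL)):
        print(name, len(pkt), "bytes:", describe(pkt))
```

In transport mode the inner hosts' addresses stay visible on the wire; in tunnel mode only the peer addresses are, which is why tunnel mode is the usual choice between VPN gateways.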
IKE
IKE handles
– Negotiating protocol parameters
– Exchanging public keys
– Authenticating both sides
– Managing keys after exchange
IKE is a UDP-based protocol.
ESP
Encapsulates the IP packet to provide
– Authentication
– Encryption
– Integrity validation
– Anti-replay
IP protocol 50, described in RFC 2406
AH
Authentication Header provides authentication and integrity
– Uses a keyed hash algorithm as the checksum.
– Unlike a CRC, it cannot be reproduced without the key.
– Also protects against replay attacks.
– Does not encrypt packet contents.
NAT Transparency
PAT cannot change the transport header because it is encrypted.
Solution: add an extra UDP header outside the encrypted data.
GRE
Generic Routing Encapsulation
– Cisco IP tunneling protocol.
– Allows use of multicast protocols.
– Combine with IPsec to allow routing information to be passed between networks.
IP protocol 47
L2TP
• Open successor to
– L2F (Cisco)
– PPTP (MS)
• Layer 2 tunnel, so it supports any layer 3 protocol.
– Encapsulates in a UDP datagram to port 1701
• Does not provide encryption or authentication.
• Use with IPsec
Key Points
Tunneling
– Carrier Protocol
– Encapsulating Protocol
– Passenger Protocol
VPNs
– layer 4: ssh, SSL
– layer 3: IPsec
– layer 2: L2TP
IPsec
– ESP
– AH
– IKE
– Tunnel mode vs transport mode
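A defender-side complement to the key points above, added here and not part of the slides: given raw outer IPv4 packets, it identifies which tunneling protocol each one carries from the outer protocol number and UDP ports (GRE 47, ESP 50 and L2TP on UDP 1701 come from the slides; AH as IP protocol 51 and the UDP port 4500 used for NAT-encapsulated ESP are standard values not stated on the page) and tallies a constructed sample capture. Addresses and packet contents are constructed.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

# 47, 50 and 1701 are on the slides; AH = 51 and NAT-T port 4500 are standard values (assumed).
PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 17, 47, 50, 51
PORT_L2TP, PORT_NAT_T = 1701, 4500

def classify_tunnel(packet: bytes) -> tuple:
    """Return (tunnel protocol name, layer of the tunnel) for one IPv4 packet,
    looking only at the outer IP protocol field and, for UDP, the port pair."""
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    proto = packet[9]
    if proto == PROTO_GRE:
        return "GRE", 3
    if proto == PROTO_ESP:
        return "IPsec ESP", 3
    if proto == PROTO_AH:
        return "IPsec AH", 3
    if proto == PROTO_UDP and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if PORT_L2TP in (sport, dport):
            return "L2TP over UDP", 2
        if PORT_NAT_T in (sport, dport):
            return "IPsec ESP (UDP-encapsulated for NAT)", 3
    return "none", 0                        # no tunnel header recognised

def ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Constructed outer IPv4 header (checksum left 0) in front of a payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    """Constructed 8-byte UDP header (checksum 0) in front of data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed sample "capture" of what a perimeter sensor might see from VPN peers.
SAMPLE = [
    ipv4("203.0.113.1", "198.51.100.1", PROTO_ESP, b"\x00\x00\x10\x00\x00\x00\x00\x01"),
    ipv4("203.0.113.1", "198.51.100.1", PROTO_GRE, b"\x00\x00\x08\x00"),
    ipv4("192.0.2.5", "198.51.100.1", PROTO_UDP, udp(1701, 1701)),
    ipv4("192.0.2.5", "198.51.100.1", PROTO_UDP, udp(4500, 4500)),
    ipv4("192.0.2.5", "198.51.100.1", PROTO_AH),
    ipv4("192.0.2.9", "198.51.100.1", PROTO_UDP, udp(53000, 53)),   # ordinary DNS, not a tunnel
]

def tunnel_summary(packets) -> dict:
    """Count packets per recognised tunnel type across a capture."""
    return dict(Counter(classify_tunnel(p)[0] for p in packets))
```

Note that ssh and SSL tunnels are not distinguishable this way: they ride in ordinary TCP and look like any other TCP session at the IP layer.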