19-Virtual Private Networks

Post on 06-Apr-2018


Transcript of 19-Virtual Private Networks

8/3/2019 19-Virtual Private Networks

http://slidepdf.com/reader/full/19-virtual-private-networks 1/65


By P. Victer Paul

Dear, we planned to share our eBooks and project/seminar contents for free to all friends in need, like you. To get to know about more free computer science eBooks and technology advancements in computer science, please visit:

http://free-computerscience-ebooks.blogspot.com/

http://recent-computer-technology.blogspot.com/

http://computertechnologiesebooks.blogspot.com/

To keep us providing many eBooks and technology news for free, please encourage us by clicking on the advertisements in these blogs.

VPNs can be used to secure communications through the public Internet.

VPNs are often installed by organizations to provide remote access to a secure organizational network, or to connect two network locations together using an insecure network to carry the traffic.

A VPN does not need to have explicit security features such as authentication or traffic encryption. For example, a network service provider could use VPNs to separate the traffic of multiple customers over an underlying network.

VPNs such as Tor can be used to mask the IP address of individual computers within the Internet in order, for instance, to surf the World Wide Web anonymously or to access location-restricted services, such as Internet television.


In the protocols they use to tunnel the traffic over the underlying network;

By the location of tunnel termination, such as the customer edge or network provider edge;

Whether they offer site-to-site or remote access connectivity;

In the levels of security provided;

By the OSI layer which they present to the connecting network, such as Layer 2 circuits or Layer 3 network connectivity.

Secure VPNs explicitly provide mechanisms for authentication of the tunnel endpoints during tunnel setup, and encryption of the traffic in transit.

Often secure VPNs are used to protect traffic when using the Internet as the underlying backbone, but equally they may be used in any environment where the security level of the underlying network differs from that of the traffic within the VPN.

Secure VPNs may be implemented by organizations wishing to provide remote access facilities to their employees, or by organizations wishing to connect multiple networks together securely using the Internet to carry the traffic.

A common use for secure VPNs is in remote access scenarios, where VPN client software on an end user system is used to connect to a remote office network securely.

Secure VPN protocols include L2TP (with IPsec), SSL/TLS VPN (with SSL/TLS) or PPTP (with MPPE).

Trusted VPNs are commonly created by carriers and large organizations and are used for traffic segmentation on large core networks. They often provide quality of service guarantees and other carrier-grade features.

Trusted VPNs may be implemented by network carriers wishing to multiplex multiple customer connections transparently over an existing core network, or by large organizations wishing to segregate traffic flows from each other in the network. Trusted VPN protocols include MPLS, ATM or Frame Relay.

Trusted VPNs differ from secure VPNs in that they do not provide security features such as data confidentiality through encryption. Secure VPNs, however, do not offer the level of control of the data flows that a trusted VPN can provide, such as bandwidth guarantees or routing.

Security

Address Translation

Performance: Throughput, Load balancing (round-robin DNS), fragmentation

Bandwidth Management: RSVP (Resource Reservation Protocol)

Availability: Good performance at all times

Scalability: Number of locations/users

Interoperability: Among vendors, Internet Service Providers (ISPs), customers (for extranets) ⇒ Standards compatibility, with firewall

Compression: Reduces bandwidth requirements

Manageability: SNMP (Simple Network Management Protocol), browser based, Java based, centralized/distributed

Accounting, Auditing, and Alarming

Protocol Support: IP, non-IP (IPX)

Platform and O/S support: Windows, UNIX, MacOS, HP/Sun/Intel

Installation: Changes to desktop or backbone only

Legal: Exportability, foreign government restrictions, Key Management Infrastructure (KMI) initiative ⇒ Need key recovery

IPsec (Internet Protocol Security) - A standards-based security protocol developed originally for IPv6, where support is mandatory, but also widely used with IPv4. For VPNs, L2TP is commonly used over IPsec.

Transport Layer Security (SSL/TLS) is used either for tunneling an entire network's traffic (SSL/TLS VPN)

SSL has been used as the foundation by a number of vendors to provide remote access VPN capabilities.

SSL-based VPNs may be vulnerable to denial-of-service attacks mounted against their TCP connections, because the latter are inherently unauthenticated.

Datagram Transport Layer Security (DTLS) is used by Cisco for a next generation VPN product called Cisco AnyConnect VPN. DTLS solves the issues found when tunneling TCP over TCP, as is the case with SSL/TLS.

Microsoft Point-to-Point Encryption (MPPE) by Microsoft is used with their PPTP. Several compatible implementations on other platforms also exist.

Secure Socket Tunneling Protocol (SSTP) by Microsoft was introduced in Windows Server 2008 and Windows Vista Service Pack 1. SSTP tunnels PPP or L2TP traffic through an SSL 3.0 channel.

MPVPN (Multi Path Virtual Private Network). Ragula Systems Development Company owns the registered trademark "MPVPN".

SSH VPN -- OpenSSH offers VPN tunneling to secure remote connections to a network (or inter-network links). This feature (option -w) should not be confused with port forwarding (option -L).

The OpenSSH server provides a limited number of concurrent tunnels, and the VPN feature itself does not support personal authentication.

Tunnel endpoints are required to authenticate themselves before secure VPN tunnels can be established.

End user created tunnels, such as remote access VPNs, may use passwords, biometrics, two-factor authentication or other cryptographic methods.

For network-to-network tunnels, passwords or digital certificates are often used, as the key must be permanently stored and not require manual intervention for the tunnel to be established automatically.

Depending on whether the PPVPN runs in layer 2 or layer 3, the building blocks described below may be L2 only, L3 only, or combinations of the two.

Multiprotocol Label Switching (MPLS) functionality blurs the L2-L3 identity.

◦ Customer edge device (CE)

◦ Provider edge device (PE)

◦ Provider device (P)

Customer edge device (CE)

In general, a CE is a device, physically at the customer premises, that provides access to the PPVPN service. Some implementations treat it purely as a demarcation point between provider and customer responsibility, while others allow customers to configure it.

Provider edge device (PE)

A PE is a device or set of devices, at the edge of the provider network, which provides the provider's view of the customer site. PEs are aware of the VPNs that connect through them, and maintain VPN state.

Provider device (P)

A P device operates inside the provider's core network, and does not directly interface to any customer endpoint.

It might, for example, provide routing for many provider-operated tunnels that belong to different customers' PPVPNs.

Its principal role is allowing the service provider to scale its PPVPN offerings, for example by acting as an aggregation point for multiple PEs. P-to-P connections, in such a role, are often high-capacity optical links between major locations of the provider.


GRE: Generic Routing Encapsulation (RFC 1701/2)

PPTP: Point-to-Point Tunneling Protocol

L2TP: Layer 2 Tunneling Protocol

IPsec: Secure IP

MPLS: Multiprotocol Label Switching


Layer 2 Tunneling Protocol

L2F = Layer 2 Forwarding (from Cisco)

L2TP = L2F + PPTP: combines the best features of L2F and PPTP

Easy upgrade from L2F or PPTP

Allows PPP frames to be sent over non-IP (Frame Relay, ATM) networks also (PPTP works on IP only)

Allows multiple (different QoS) tunnels between the same end-points. Better header compression. Supports flow control.


Universal Transport Interface (UTI) is a pre-standard effort for transporting L2 frames.

L2TPv3 extends UTI and includes it as one of many supported encapsulations.

L2TPv3 has a control plane using a reliable control connection for establishment, teardown and maintenance of individual sessions.


Allows virtual circuits in IP networks

Each packet has a virtual circuit number called a 'label'

The label determines the packet's queuing and forwarding

Circuits are called Label Switched Paths (LSPs)

LSPs have to be set up before use

Allows traffic engineering
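To make the label-switching idea concrete, here is an added simulation (not from the slides) of one pre-established LSP across an ingress PE, a transit P router and an egress PE: the ingress classifies the IP packet and pushes a label, the transit router swaps it, and the egress pops it. Router names, labels and address prefixes are constructed for illustration; a destination with no LSP set up is rejected, which is the "LSPs have to be set up before use" point.

```python
import ipaddress


class LabelSwitchRouter:
    """Minimal label switching router: an ingress FEC table plus a label
    forwarding table (LFIB). Constructed for illustration only."""

    def __init__(self, name):
        self.name = name
        self.fec_table = {}  # ingress: destination prefix -> (out label, next hop)
        self.lfib = {}       # transit/egress: in label -> (action, out label, next hop)

    def bind_fec(self, prefix, label, next_hop):
        self.fec_table[ipaddress.ip_network(prefix)] = (label, next_hop)

    def bind_label(self, in_label, action, out_label=None, next_hop=None):
        self.lfib[in_label] = (action, out_label, next_hop)

    def forward(self, packet):
        """Return (packet as sent onward, next hop). The label alone decides
        forwarding once the packet is inside the MPLS domain."""
        label = packet.get("label")
        if label is None:  # ingress: classify the IP packet and push a label
            dst = ipaddress.ip_address(packet["dst"])
            for prefix, (out_label, next_hop) in self.fec_table.items():
                if dst in prefix:
                    return {**packet, "label": out_label}, next_hop
            raise LookupError(f"{self.name}: no LSP set up for {dst}")
        if label not in self.lfib:
            raise LookupError(f"{self.name}: unknown label {label}")
        action, out_label, next_hop = self.lfib[label]
        if action == "swap":
            return {**packet, "label": out_label}, next_hop
        if action == "pop":  # egress: hand the original IP packet to the CE
            out = {k: v for k, v in packet.items() if k != "label"}
            return out, next_hop
        raise ValueError(f"{self.name}: unknown action {action}")


def build_lsp():
    """One LSP, set up in advance: PE1 --100--> P1 --200--> PE2 --> CE2."""
    pe1, p1, pe2 = (LabelSwitchRouter(n) for n in ("PE1", "P1", "PE2"))
    pe1.bind_fec("10.2.0.0/16", 100, "P1")
    p1.bind_label(100, "swap", 200, "PE2")
    pe2.bind_label(200, "pop", None, "CE2")
    return {"PE1": pe1, "P1": p1, "PE2": pe2}


def traverse(routers, packet, start="PE1"):
    """Forward until the packet leaves the MPLS domain.
    Returns (final packet, label seen after each hop, exit next hop)."""
    hop, labels = start, []
    while hop in routers:
        packet, hop = routers[hop].forward(packet)
        labels.append(packet.get("label"))
    return packet, labels, hop
```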


Unsolicited: Topology driven ⇒ Routing protocols exchange labels with routing information. Many existing routing protocols are being extended: BGP, OSPF

On-Demand: ⇒ Label assigned when requested, e.g., when a packet arrives ⇒ latency

Label Distribution Protocol, called LDP

RSVP has been extended to allow label request and response


VPN allows secure communication on the Internet

Three types: WAN, Access, Extranet

Key issues: address translation, security, performance

Layer 2 (PPTP, L2TP), Layer 3 (IPsec)

QoS is still an issue ⇒ MPLS

FIREWALL

Aspects of Security

◦ Data accessibility - contents accessible

◦ Data integrity - contents remain unchanged

◦ Data confidentiality - contents not revealed

AAA

◦ Authentication - You are who you say you are

◦ Authorization - Access control

◦ Accountability - Who is responsible for tracking access to data


Scrambling of messages such that only the intended receiver can unscramble them

◦ Encrypting function - produces the encrypted message

◦ Decrypting function - extracts the original message

◦ Encryption key - parameter that controls encryption/decryption

Secret Key Encryption

◦ Sender and receiver share a secret key

◦ Encrypted_Message = encrypt(K, Message)

◦ Message = decrypt(K, Encrypted_Message)

◦ Example: Encrypt = division

◦ 433 = 48 R 1 (using divisor of 9)

The previous scheme requires a shared secret K. If K is discovered, security is compromised.

Public key encryption uses two keys:

◦ Private key - kept secret by user

◦ Public key - published by user

A message encrypted with the public key can be decrypted only with the private key, and vice-versa

Message = decrypt(Public_Key, encrypt(Private_Key, Message))

Message = decrypt(Private_Key, encrypt(Public_Key, Message))

Goal - guarantee that the message must have originated with a certain entity

Encrypted_Message = encrypt(Private_Key, Message)

Message = decrypt(Public_Key, Encrypted_Message)

=> Authentic

User 1 to User 2: Encrypted_Message = encrypt(Public_key2, encrypt(Private_key1, Message))

Message = decrypt(Public_key1, decrypt(Private_key2, Encrypted_Message))

=> Authentic and Private
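The "Authentic" and "Authentic and Private" constructions above, worked through in code as an added example (not from the slides): textbook RSA with tiny constructed primes, where encrypt() and decrypt() are the same modular exponentiation and only the key differs. User 1's modulus is chosen smaller than User 2's so that the inner (signed) value is a valid input to the outer encryption; that ordering constraint is one reason real systems sign a hash of the message and use padding rather than this raw form.

```python
from math import gcd


def make_keypair(p, q, e=65537):
    """Textbook RSA key generation; p and q are assumed to be distinct primes.
    Returns (public_key, private_key) as (e, n) and (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def rsa_apply(key, value):
    """encrypt() and decrypt() on the slides are the same operation: modular
    exponentiation with the chosen key. The input must be smaller than n."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be in [0, n)")
    return pow(value, exponent, n)


# Constructed toy keys. n1 < n2 on purpose: the signed value is a residue
# mod n1 and must be a valid input for User 2's key (mod n2).
PUBLIC_KEY1, PRIVATE_KEY1 = make_keypair(61, 53)    # n1 = 3233
PUBLIC_KEY2, PRIVATE_KEY2 = make_keypair(101, 103)  # n2 = 10403


def sign(message, private_key):
    """Authentic only: Encrypted_Message = encrypt(Private_Key, Message)."""
    return rsa_apply(private_key, message)


def verify(encrypted_message, public_key):
    """Message = decrypt(Public_Key, Encrypted_Message)."""
    return rsa_apply(public_key, encrypted_message)


def send_authentic_and_private(message, sender_private, receiver_public):
    """User 1 to User 2:
    Encrypted_Message = encrypt(Public_key2, encrypt(Private_key1, Message))."""
    signed = rsa_apply(sender_private, message)
    return rsa_apply(receiver_public, signed)


def receive_authentic_and_private(encrypted_message, receiver_private, sender_public):
    """Message = decrypt(Public_key1, decrypt(Private_key2, Encrypted_Message)).
    Only User 2 can strip the outer layer, and the inner layer opens only with
    User 1's public key, so the result is both private and authentic."""
    signed = rsa_apply(receiver_private, encrypted_message)
    return rsa_apply(sender_public, signed)


if __name__ == "__main__":
    message = 2024  # constructed numeric message; must be < n1
    ct = send_authentic_and_private(message, PRIVATE_KEY1, PUBLIC_KEY2)
    print(receive_authentic_and_private(ct, PRIVATE_KEY2, PUBLIC_KEY1))
```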

Bastion Host

DMZ (demilitarized zone)

Perimeter network

A bastion host is a computer that is fully exposed to attack.

The system is on the public side of the demilitarized zone (DMZ), unprotected by a firewall or filtering router.

Firewalls and routers can be considered bastion hosts.

Other types of bastion hosts include web, mail, DNS and FTP servers, and proxy servers.

A DMZ (demilitarized zone) is a computer host or small network inserted as a "neutral zone" between a company's private network and the outside public network.

It prevents outside users from getting direct access to a server that has company data.

A small, single-segment network between a firewall and the Internet for services that the organization wants to make publicly accessible to the Internet without exposing the network as a whole.

If someone breaks into a bastion host on the perimeter net, he'll be able to snoop only on traffic on that net.

Also known as a 'stub network'.

Can configure packet forwarding devices - esp. routers - to drop certain packets

Example: Only email gets in/out

Problem: Filter is accessible to the outside world
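The "only email gets in/out" policy as a first-match packet filter, written here as an added example (not from the slides). The mail gateway address, ports and sample packets are constructed; the rules for reply traffic require the TCP ACK flag, which is how a stateless filter tells an established connection's replies apart from a new inbound connection that merely uses port 25 as its source port.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = arriving from the Internet, "out" = leaving the site
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag; clear only on the first SYN of a connection


MAIL_HOST = "192.0.2.25"  # constructed address of the site's mail gateway
ANY = "any"

# First-match rule table: (direction, proto, src, sport, dst, dport, need_ack, action).
# Anything not matched falls through to the default deny at the end of verdict().
RULES = [
    ("in",  "tcp", ANY, ANY, MAIL_HOST, 25, False, "allow"),   # inbound SMTP to the gateway
    ("out", "tcp", MAIL_HOST, 25, ANY, ANY, True, "allow"),    # its replies (ACK must be set)
    ("out", "tcp", MAIL_HOST, ANY, ANY, 25, False, "allow"),   # outbound SMTP delivery
    ("in",  "tcp", ANY, 25, MAIL_HOST, ANY, True, "allow"),    # replies to it (ACK must be set)
]


def _match(spec, value):
    return spec == ANY or spec == value


def verdict(pkt):
    """Return 'allow' or 'deny' for a packet under the email-only policy."""
    for direction, proto, src, sport, dst, dport, need_ack, action in RULES:
        if (direction, proto) != (pkt.direction, pkt.proto):
            continue
        if not (_match(src, pkt.src) and _match(sport, pkt.sport)):
            continue
        if not (_match(dst, pkt.dst) and _match(dport, pkt.dport)):
            continue
        if need_ack and not pkt.ack:
            continue  # a SYN from "port 25" is a new inbound connection, not a reply
        return action
    return "deny"  # default deny: everything the policy does not list is dropped
```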


Proxy servers take users' requests and forward them to real servers

Take the servers' responses and forward them to users

Enforce site security policy => may refuse certain requests

Transparency is the major benefit of proxy services

Also known as application-level gateways


Can't protect against malicious insiders

Can't protect against connections that do not go through it,

◦ e.g. dial up

Can't protect against completely new threats

Can't protect against viruses

Security is a problem because the Internet is not owned by one entity

Encryption and digital signatures can provide confidentiality and secure identification

Organizations can use firewalls to prevent unauthorized access