Guide to Network Defense and Countermeasures
description
Transcript of Guide to Network Defense and Countermeasures
1
Guide to Network Defense and Countermeasures
Chapter 7
2
Chapter 7 - Setting up a Virtual Private Network
Explain the “what, why, and how” of virtual private networks (VPNs)
Understand the tunneling protocols that enable secure VPN connections
Describe the encryption schemes used by VPNs
Know how to adjust packet filtering rules for VPNs
3
A VPN provides a way for two computers or networks to communicate securely using the same public channels available on the Internet The “V” in VPN means virtual; rather than a direct
network cable connection, a combination of Internet-based routers and network segments are used
The “P” means private; only the designated end points of the VPN connection (tunnel) participate
The “N” means network; it connects one group of computers to another, and extends the network’s boundaries
Exploring VPNs: What, Why, and How
4
VPN components: VPN server, or host is a computer configured to accept
connections from clients who either dial in or connect directly using a broadband connection
VPN client, or guest can be a router that serves as the end-point of a gateway-to-gateway connection, or can be a computer configured as an endpoint
Tunnel - the connection through which data is sent VPN protocols are standardized communication settings
that hardware and software use to encrypt data that is sent along the VPN, including IPSec, PPTP, and L2TP
Exploring VPNs: What, Why, and How
5
Two types of VPNs: Site-to-site links two or more networks Client-to-site allows network access to dial-in users
Hardware vs. software VPNs: Hardware-based VPNs connect one gateway to
another; typically the gateways are routers that encrypt/decrypt, but could be a VPN appliance
Software-based VPNs are usually integrated with firewalls, and as a result, increase network security; software solutions offer maximum flexibility
Exploring VPNs: What, Why, and How
6
7
8
9
VPN combinations: Combining VPN hardware or software with other
hardware and software adds network security; one useful combination is a VPN bundled with a firewall, since VPNs do not replace firewall functionality
VPN core activity #1: Encapsulation Data encapsulation means that a packet is enclosed
within another one that has different IP addressing data to provide a higher degree of protection
Data packets are encapsulated within packets that use the source/destination of the VPN gateway
Exploring VPNs: What, Why, and How
10
11
VPN core activity #2: Encryption Encryption is the process of rendering information
unreadable by all but the intended recipient VPN endpoints encrypt/decrypt data by exchanging
keys, or blocks of encoded data; the key is part of an electronic document called a digital signature
VPN core activity #3: Authentication Authentication is the process of identifying a user or
computer as being authorized to access a network Authentication uses digital certificates; the tunneling
protocol determines the type of authentication
Exploring VPNs: What, Why, and How
12
13
14
Why establish a VPN? The need for private business transactions drives an
increasing number of organizations to adopt VPNs; e-commerce popularity provides an incentive as well; government and military agencies share more information in order to provide homeland security
Budgetary considerations have always made VPNs attractive to businesses; also, many businesses employ remote users who need network access
Another incentive for creating a VPN is the need to establish a high level of security in an extranet
Exploring VPNs: What, Why, and How
15
16
Advantages and disadvantages of VPNs VPNs provide a high level of security, but if a VPN is
poorly configured or a remote user at an endpoint disables their firewall by mistake and lets in a hacker, the normal protection can be undone
VPNs can be complex to configure and the hardware can represent a substantial investment
By focusing on Internet-based technologies, VPNs simplify a network overall
Running a VPN means better opportunity to maximize network uptime
Exploring VPNs: What, Why, and How
17
18
How to configure VPNs: To set up a VPN, define a VPN domain A VPN domain is a set of one or more computers
that is handled by the VPN hardware and software as a single entity, and that uses the VPN to communicate with another domain
Besides defining a VPN domain, determine whether the network gateway will be included in that domain; that, in turn, depends on whether the network has a site-to-site or client-to-site type of VPN configuration
Exploring VPNs: What, Why, and How
19
20
Single and multiple-entry point configurations Smaller networks that use VPNs often have single
entry point configurations, where all traffic to and from the network passes through a single gateway such as a router or firewall or both
Large organizations have networks that require multiple-entry point configurations, in which multiple gateways are used, each with a tunnel connecting a different location
In multiple-entry point configurations, it is important to exclude the gateway itself from the VPN domain
Exploring VPNs: What, Why, and How
21
22
23
VPN topology configurations: In a mesh topology, all the participants in the VPN have
Security Associations (SAs) with one another; full mesh is where every subnet is connected to every other; partial mesh is where any subnet may or may not be connected to the other subnets
In a star topology, the VPN gateway is the hub, and other participating networks are called rim subnets
As organizations with VPNs grow to include new computers and new branch offices, they naturally evolve from a mesh or hub-and-spoke to a hybrid system that combines the two topologies
Exploring VPNs: What, Why, and How
24
25
26
IPSec/IKE: Internet Protocol Security (IPSec) was developed for
enabling secure communications in the Internet IPSec has become the standard set of protocols for VPN
security because: it works at the Network layer; it has the ability to encrypt the entire TCP/IP packet; it can work with IPv6; it provides authentication of source and destination computers
The biggest advantage to using IPSec is the fact that it has gone through the standardization process and is supported by a wide variety of VPN hardware and software
Understanding Tunneling Protocols
27
28
29
Secure Shell (SSH): Secure Shell (SSH) provides for authentication and
encryption of TCP/IP packets over a VPN SSH works with UNIX-based systems and creates a
secure Transport layer connection, and makes use of public key cryptography
Socks V.5: Socks provides proxy services for applications that
don’t normally support proxying; Socks Version 5 adds encrypted authentication and UDP support
Understanding Tunneling Protocols
30
Point-to-point tunneling protocol (PPTP): Point-to-point tunneling protocol (PPTP) is a VPN
configuration for users who need to dial in to a server using a modem connection on a computer running an older operating system
PPTP encapsulates TCP/IP packets and uses a proprietary Microsoft technology called MPPE
Layer 2 tunneling protocol (L2TP): Layer 2 tunneling protocol (L2TP) provides a higher
level of security than PPTP through IPSec support
Understanding Tunneling Protocols
31
32
Triple-data encryption standard (Triple-DES): Most VPNs make use of Triple-data encryption
standard (Triple-DES) encryption Triple-DES is strong because it uses three separate
64-bit keys to process data Secure Sockets Layer (SSL):
Secure Sockets Layer (SSL) enables Web servers and browsers to exchange encrypted information
SSL sessions make use of both symmetric and asymmetric keys to encrypt data
Encryption Schemes used by VPNs
33
34
Kerberos: Kerberos is a system for authentication of individual
network users that was developed at MIT Kerberos uses an authentication method called
authentication by assertion - the computer that connects to a server and requests services asserts that it is acting on behalf of an approved user
Instead of digital certificates, Kerberos issues tickets; accessing an application protected by Kerberos requires a ticket
Encryption Schemes used by VPNs
35
VPNs need to be used with firewalls VPNs can be located in front of existing firewalls, or
placed in DMZs in parallel to an existing firewall Packet filtering rules make use of three IP packet
header fields: the source address; the destination address; the Protocol Identifier (Protocol ID)
Conduct packet filtering based on any or all of these fields; block all packets from an address with the source address; route entered packets with the destination address; refer to protocols (ICMP, TCP, UDP, ESP, AH) with the Protocol ID
Adjusting Packet Filtering Rulesfor VPNs
36
PPTP filters For PPTP traffic to pass through a firewall, set up
packet filtering rules that permit it PPTP uses two protocols: TCP and Generic Routing
Encapsulation (GRE) L2TP and IPSec filters
If L2TP is used, rules must be set up that permit IPSec traffic
Adjusting Packet Filtering Rulesfor VPNs
37
38
39
Chapter Summary
This chapter discussed issues involved in configuring a Virtual Private Network (VPN) and the role that the VPN plays in a network defense strategy
VPNs are virtual in that they do not make use of proprietary leased lines. Rather, they connect computers and networks through the public Internet. VPNs are private because they send data through a secure tunnel that leads from one endpoint to another. Each endpoint is terminated by VPN hardware or software that encrypts and encapsulates the data. VPNs are networks that connect one network to one or more networks, one computer to another, or one computer to a network
40
Chapter Summary
VPNs consist of various components. These include VPN servers, which are configured to accept connections from client computers; VPN clients; the tunnels through which data passes, and protocols that determine how the tunneled data is to be encrypted, such as IPSec. A site-to-site VPN uses such components to connect to networks. A client-to-site VPN connects a remote user to a network. VPN endpoints can be terminated by VPN hardware, software, or a combination of both
41
Chapter Summary
VPNs perform three core activities. Encapsulation encloses one packet of digital information within another one to conceal the original packet’s source and destination IP address and to protect the contents. Encryption makes the contents of the packet - not only its data, but its header information as well - unreadable by all but the intended recipient. Authentication ensures that the computers participating in a VPN are authorized users
42
Chapter Summary
Because VPNs can be complex to configure, the reasons for establishing them should be understood.The need to keep critical business communications private and secure drives the adoption of VPNs. The cost-effectiveness of using the Internet for VPN communications also makes VPNs attractive. On the other hand, the encryption performed by VPNs can slow down data transfer rates. Reliance on the Internet, which is often unpredictable, can result in the VPN going down along with ISP connections
43
Chapter Summary
A VPN is often configured by establishing a VPN domain, a group of computers that are handled as one entity. Networks that use VPNs can have single entry point configurations, in which all traffic to and from the network passes through a single gateway. Some VPNs are part of multiple-entry point configurations, in which more than one gateway is used. Whether single or multiple entry points are in place in one network, that network can then be connected to other VPN participants using a mesh or star configuration, or a combination of both
44
Chapter Summary
VPNs make use of standard instruction sets called protocols that secure tunneled communications between endpoints. IPSec combined with IKE is one of the most popular protocols because of its wide support in the industry and high degree of security through AH and ESP encryption. SSH is a protocol used to authenticate and encrypt packets in a UNIX-based environment. Version 5 of the Socks protocol can also provide security for VPN transactions, though it is not widely used. PPTP and L2TP enable remote users to dial in to a computer over a secure VPN connection
45
Chapter Summary
Encryption is one of the techniques that make VPNs possible. Most VPNs today use Triple-DES encryption, a variation of DES in which three separate keys are used to process information. However, some VPNs use SSL encryption when Web-based applications need to be connected securely. Another system, Kerberos, is used in Windows and other OSs to give employees access to network resources for relatively short periods of time through the issuance of “tickets”
46
Chapter Summary
VPNs need to be used in conjunction with firewalls. For the two devices to work together, packet filtering rules need to be set up. The rules cover such protocols as PPTP, L2TP, and IPSec. The have as their ultimate goal the filtering of packets so that only traffic to and from VPN endpoints passes through the VPN, and other traffic is filtered by the firewall to reach specific destinations on the network