Network Security, Philadelphia University
Ahmad Al-Ghoul, 2010-2011

Module 12: Virtual Private Networks

Modified by: Ahmad Al Ghoul
Philadelphia University
Faculty of Administrative & Financial Sciences
Business Networking & System Management Department
Room Number 32406
E-mail Address: [email protected]


Contents

– Relation to SSL & SSH
– Virtual Private Network
– Three Types of VPNs
– The Concept of Tunneling
– General IP Tunneling
– Look at the stack
– GRE & PPTP
– Generic Routing Encapsulation
– PPTP
– IPsec
– Encapsulating Security Payload


Relation to SSL & SSH

Recall that SSL is the Secure Sockets Layer:
– It provides an encrypted and authenticated TCP connection between a client and a server.
– It does not hide your network, because you still use standard IP, which is visible to all.


Virtual Private Network: Why?

– Institutions are distributed.
– They need to protect themselves.
– Old days:
  • Buy your own phone lines and build a physically private network.
– VPN:
  • Use the Internet as a “carrier” of your private traffic.


Three Types of VPNs

– Remote access: a company uses a dial-up system to allow remote workers to connect and establish secure connections to the company network.
– Site-to-site:
  • Intranet: connect two different but remote LANs to form a single network.
  • Extranet: two different companies want to establish a private connection.


Reasons and Requirements

Typical reasons for wanting a VPN:
– Extend geographic connectivity
– Improve security
– Reduce operational costs versus a traditional WAN
– Improve productivity
– Simplify network topology
– Provide global networking opportunities
– Provide telecommuter support

Requirements for a good VPN:
– Security
– Reliability
– Scalability
– Network management
– Policy management


The Concept of Tunneling

Tunneling: the process of placing an entire packet within another packet and sending it over a network.

Tunneling requires three different protocols:
– Carrier protocol: the protocol used by the network that the information is traveling over.
– Encapsulating protocol: the protocol (GRE, IPSec, L2F, PPTP, L2TP) that is wrapped around the original data.
– Passenger protocol: the original data (IPX, NetBEUI, IP) being carried.


Tunneling

Key idea: allow packets to move from one point to another point without being directly touched by Internet routers.

1. The passenger packet goes to the gateway.
2. The gateway wraps the passenger with the encapsulation protocol.
3. The Internet (carrier protocol) carries the wrapped packet.
4. The passenger is unwrapped and sent on its way.


General IP Tunneling

Figure: general IP tunneling between Network 1 and Network 2 across the Internet. Host 10.0.1.15 on Network 1 sends an IP packet (To: 10.0.2.22, From: 10.0.1.15, IP payload) to gateway R1 (124.32.45.3). R1 places the whole packet inside an outer IP packet (To: 121.101.27.42, From: 124.32.45.3) and sends it across the Internet to the remote gateway (121.101.27.42), which removes the outer header and delivers the original packet (To: 10.0.2.22, From: 10.0.1.15, IP payload) to host 10.0.2.22 on Network 2.
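The encapsulation in the figure above, written out as an added example that is not part of the original slides: a gateway wraps the passenger IPv4 packet from 10.0.1.15 to 10.0.2.22 inside an outer IPv4 packet from 124.32.45.3 to 121.101.27.42, and the remote gateway strips the outer header off again. The slide does not name the encapsulating protocol, so the example assumes plain IP-in-IP (IP protocol number 4, RFC 2003). The peer-address check in gateway_decapsulate is an added defensive practice, not authentication: plain IP tunneling carries no integrity or origin protection, which is the gap IPsec closes later in this module.

```python
import socket
import struct

# Addresses taken from the slide's figure.
INNER_SRC, INNER_DST = "10.0.1.15", "10.0.2.22"        # hosts on Network 1 / Network 2
OUTER_SRC, OUTER_DST = "124.32.45.3", "121.101.27.42"  # tunnel gateways (R1 and the remote end)
IPPROTO_IPIP = 4    # IP-in-IP (RFC 2003); assumption, the slide does not name the encapsulation
IPPROTO_UDP = 17


def ip_checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) in front of payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload),   # version 4, IHL 5, DSCP/ECN 0, total length
                         0, 0x4000,                    # identification 0, flags DF, fragment offset 0
                         ttl, proto, 0,                # TTL, protocol, checksum placeholder
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse an IPv4 header, verify its checksum, and return the fields plus payload."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    header = packet[:ihl]
    if ip_checksum(header) != 0:          # a valid header sums to zero including its checksum
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", header[2:4])[0]
    return {"src": socket.inet_ntoa(header[12:16]), "dst": socket.inet_ntoa(header[16:20]),
            "proto": header[9], "payload": packet[ihl:total_len]}


def gateway_encapsulate(passenger: bytes) -> bytes:
    """R1: the whole passenger packet becomes the payload of an outer (carrier) IP packet."""
    return build_ipv4(OUTER_SRC, OUTER_DST, IPPROTO_IPIP, passenger)


def gateway_decapsulate(carrier: bytes) -> bytes:
    """Remote gateway: strip the outer header and hand back the original passenger packet."""
    outer = parse_ipv4(carrier)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("carrier packet is not IP-in-IP")
    if outer["src"] != OUTER_SRC:
        # Added check: only accept tunnel traffic from the configured peer. This is a filter,
        # not authentication; source addresses can be forged.
        raise ValueError("carrier packet did not come from the expected tunnel peer")
    passenger = outer["payload"]
    parse_ipv4(passenger)                 # re-validate the passenger before forwarding it
    return passenger


def demo() -> dict:
    """Run the figure end to end and report what each side saw."""
    passenger = build_ipv4(INNER_SRC, INNER_DST, IPPROTO_UDP, b"hello from network 1")
    carrier = gateway_encapsulate(passenger)
    outer = parse_ipv4(carrier)
    delivered = parse_ipv4(gateway_decapsulate(carrier))
    return {"outer_src": outer["src"], "outer_dst": outer["dst"], "outer_proto": outer["proto"],
            "inner_src": delivered["src"], "inner_dst": delivered["dst"],
            "inner_payload": delivered["payload"], "overhead": len(carrier) - len(passenger)}


if __name__ == "__main__":
    print(demo())
```

The 20-byte overhead reported by demo is the cost of the extra header the Internet routers see; they route on the outer addresses only and never look at 10.0.1.15 or 10.0.2.22.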


Look at the stack

Tunneling can layer a complete stack and address space on top of the existing one!
– Almost exactly what we did with our XKernel, which was tunneled over the regular IP stack.
– For site-to-site use:
  • Generic Routing Encapsulation (GRE)
  • IPsec
– For remote access:
  • PPTP (Point-to-Point Tunneling Protocol)
  • L2TP (Layer 2 Tunneling Protocol)

Figure: the layered stack. Outer layers: Ethernet or PPP or … / IP / GRE (or IPsec, which adds encryption). Tunneled layers on top: IP / TCP / application.


GRE & PPTP

GRE:
– A very simple encapsulation frame that tells you what type of thing is encapsulated, a sequence number and an ack number.

PPTP:
– A protocol that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself.


Generic Routing Encapsulation

Runs directly over IP as IP protocol number 47. It is a protocol for wrapping other protocols.

Protocol family                  Protocol type (hex)
Reserved                         0000
SNA                              0004
OSI network layer                00FE
XNS                              0600
IP                               0800
Chaos                            0804
Frame Relay ARP                  0808
VINES                            0BAD
DECnet (Phase IV)                6003
Transparent Ethernet Bridging    6558
Raw Frame Relay                  6559
Apollo Domain                    8019
Ethertalk (Appletalk)            809B
Novell IPX                       8137
RFC 1144 TCP/IP compression      876B
IP Autonomous Systems            876C

Figure: GRE header fields: protocol, checksum, offset, key, sequence number, routing information, data.
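An added example (not from the slides) that encodes and decodes the GRE header of this slide as laid out in RFC 1701, using the protocol-type table above. The flag bits C, K and S select the optional checksum/offset, key and sequence-number fields; the decoder rejects truncated packets and checksum failures and treats the source-routing form (R flag) as unsupported. The key is a demultiplexing identifier, not a secret: GRE itself provides no authentication or encryption, so a receiver that filters on key and peer address has only a sanity check, not a security boundary.

```python
import struct

# Protocol-type values from the slide's table.
GRE_PROTOCOL_TYPES = {
    0x0000: "Reserved", 0x0004: "SNA", 0x00FE: "OSI network layer", 0x0600: "XNS",
    0x0800: "IP", 0x0804: "Chaos", 0x0808: "Frame Relay ARP", 0x0BAD: "VINES",
    0x6003: "DECnet (Phase IV)", 0x6558: "Transparent Ethernet Bridging",
    0x6559: "Raw Frame Relay", 0x8019: "Apollo Domain", 0x809B: "Ethertalk (Appletalk)",
    0x8137: "Novell IPX", 0x876B: "RFC 1144 TCP/IP compression", 0x876C: "IP Autonomous Systems",
}

# RFC 1701 flag bits in the first 16-bit word; the low three bits are the version (0).
FLAG_C, FLAG_R, FLAG_K, FLAG_S = 0x8000, 0x4000, 0x2000, 0x1000
VERSION_MASK = 0x0007


def gre_checksum(data: bytes) -> int:
    """One's-complement checksum over the GRE header and payload (RFC 1701)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(protocol_type: int, payload: bytes, key: int = None, seq: int = None,
              with_checksum: bool = False) -> bytes:
    """Wrap payload in a GRE header; optional fields appear in the order C/offset, K, S."""
    flags, optional = 0, b""
    if with_checksum:
        flags |= FLAG_C
        optional += struct.pack("!HH", 0, 0)      # checksum placeholder, offset 0
    if key is not None:
        flags |= FLAG_K
        optional += struct.pack("!I", key)
    if seq is not None:
        flags |= FLAG_S
        optional += struct.pack("!I", seq)
    packet = struct.pack("!HH", flags, protocol_type) + optional + payload
    if with_checksum:                              # checksum computed with its field zeroed
        packet = packet[:4] + struct.pack("!H", gre_checksum(packet)) + packet[6:]
    return packet


def parse_gre(packet: bytes) -> dict:
    """Decode a GRE packet into its fields; raises ValueError on anything malformed."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, protocol_type = struct.unpack("!HH", packet[:4])
    if flags & VERSION_MASK != 0:
        raise ValueError("unsupported GRE version")
    if flags & FLAG_R:
        raise ValueError("source-routed GRE (R flag) not supported")
    info = {"protocol_type": protocol_type,
            "protocol_name": GRE_PROTOCOL_TYPES.get(protocol_type, "unknown"),
            "checksum": None, "key": None, "seq": None}
    pos = 4
    if flags & FLAG_C:
        if len(packet) < pos + 4:
            raise ValueError("truncated checksum field")
        if gre_checksum(packet) != 0:              # a valid packet sums to zero end to end
            raise ValueError("bad GRE checksum")
        info["checksum"] = struct.unpack("!H", packet[pos:pos + 2])[0]
        pos += 4                                    # checksum + offset
    for flag, name in ((FLAG_K, "key"), (FLAG_S, "seq")):
        if flags & flag:
            if len(packet) < pos + 4:
                raise ValueError("truncated %s field" % name)
            info[name] = struct.unpack("!I", packet[pos:pos + 4])[0]
            pos += 4
    info["payload"] = packet[pos:]
    return info


if __name__ == "__main__":
    # Constructed sample: an (abbreviated) IPv4 packet carried in GRE with key and sequence number.
    sample = build_gre(0x0800, b"\x45\x00" + b"\x00" * 18, key=0x1234, seq=7, with_checksum=True)
    print(parse_gre(sample))
```

The decoder stops at the R flag rather than guessing the routing-field layout; when reviewing captures, any GRE with R set, a non-zero version, or a checksum failure deserves a closer look rather than silent acceptance.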


PPTP

For a dial-up client:
– First establish a PPP connection to the server.
– Set up a TCP connection on port 1723 for control messages:
  • Session management command-replies
  • Handles calls and keep-alive messages
– Over the PPP one runs IP and TCP.

In other cases, use the existing IP level.


PPTP data packets

The carrier network delivers GRE packets.
– A sliding window is used to provide flow control.

The GRE packet contains a PPP packet. PPP has an encryption protocol that is used to encrypt the contents of each frame. The content frame is the tunneled IP packet.

Figure: nesting of a PPTP data packet, outermost first: carrier IP packet, GRE packet, PPP packet, IP packet.


IPsec

A general framework for IP security.
– NOTE: SSL is at the TCP level; IPsec is designed to be at the IP level.

Two components:
– Two protocols for security:
  • A header for authentication (AH)
  • A header for secure encapsulation (ESP)
– Internet Security Association and Key Management Protocol (ISAKMP)

A Security Association (SA) is a one-way connection between two hosts/routers that is based on a choice of AH/ESP and key protocol.


IPsec Authentication

Figure: Authentication Header fields, in order: NextHdr, Payload length, Reserved; SPI (security parameter index, identifies the security association); Sequence number; Authentication data.


IPsec Authentication

NOTE:

The authentication data is the cryptographic signature of this packet. It is not authentication of source identity.

NextHdr is a pointer to the end of this packet. SPI is an identifier which, in combination with the IP address of the packet, completely identifies the security association.

The sequence number prevents “replay attacks”.


Encapsulating Security Payload

This follows the IP header (both v4 and v6) and comes before the encrypted payload.
– The payload data is often part of an “initialization vector” for the encrypted payload that follows.

ESP provides:
– confidentiality (encryption), data origin authentication, integrity, and an optional anti-replay service.

Figure: ESP fields: SPI (security parameter index, identifies the security association); Sequence number; up to 256 bytes of payload data (initialization vector); Pad length; NextHdr; Authentication data.
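An added example (not from the slides) that ties together the three IPsec slides above: it builds and parses the Authentication Header, verifies the authentication data as an HMAC-SHA-256 truncated to 128 bits (HMAC-SHA-256-128, RFC 4868) and enforces the anti-replay sliding window on the sequence number, which is the mechanism the NOTE refers to. The SPI, key and SA table are constructed for the example. To keep it self-contained the ICV here covers only the AH header (with the ICV field zeroed) and the payload; a real AH ICV additionally covers the immutable fields of the surrounding IP header, and the replay window is the same one ESP's optional anti-replay service uses.

```python
import hashlib
import hmac
import struct

AH_FIXED_LEN = 12   # Next Header (1), Payload Len (1), Reserved (2), SPI (4), Sequence Number (4)
ICV_LEN = 16        # HMAC-SHA-256-128 (RFC 4868): the HMAC truncated to 128 bits
IPPROTO_TCP = 6

# Constructed security association for this example: the SPI and key are made up.
SA_SPI = 0x1000ABCD
SA_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def compute_icv(key: bytes, packet: bytes, icv_len: int) -> bytes:
    """HMAC over the AH header with its ICV field zeroed, plus the payload, truncated to icv_len."""
    zeroed = packet[:AH_FIXED_LEN] + b"\x00" * icv_len + packet[AH_FIXED_LEN + icv_len:]
    return hmac.new(key, zeroed, hashlib.sha256).digest()[:icv_len]


def build_ah(next_header: int, spi: int, seq: int, payload: bytes, key: bytes) -> bytes:
    """Prepend an AH header to payload. Payload Len counts 32-bit words of the AH minus 2."""
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2
    header = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    icv = compute_icv(key, header + b"\x00" * ICV_LEN + payload, ICV_LEN)
    return header + icv + payload


def parse_ah(packet: bytes) -> dict:
    """Split an AH packet into its fields; raises ValueError if it is truncated."""
    if len(packet) < AH_FIXED_LEN:
        raise ValueError("truncated AH header")
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", packet[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    if len(packet) < ah_len:
        raise ValueError("AH header longer than packet")
    return {"next_header": next_header, "spi": spi, "seq": seq,
            "icv": packet[AH_FIXED_LEN:ah_len], "payload": packet[ah_len:]}


class ReplayWindow:
    """Anti-replay check on sequence numbers (sliding window, as in RFC 4303 Appendix A)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0       # highest sequence number accepted so far
        self.bitmap = 0        # bit i set means sequence number (highest - i) was seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                               # 0 is never a valid sequence number
        if seq > self.highest:                         # new right edge: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) & ((1 << self.size) - 1)) | 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                               # too old, outside the window
        if self.bitmap & (1 << offset):
            return False                               # already seen: a replay
        self.bitmap |= 1 << offset
        return True


def make_sa_table() -> dict:
    """Inbound SA table keyed by SPI (constructed for the example)."""
    return {SA_SPI: {"key": SA_KEY, "window": ReplayWindow()}}


def ah_receive(sa_table: dict, packet: bytes) -> tuple:
    """Inbound processing: parse, look up the SA, verify the ICV, then apply the replay window."""
    try:
        ah = parse_ah(packet)
    except ValueError as err:
        return False, str(err)
    sa = sa_table.get(ah["spi"])
    if sa is None:
        return False, "unknown SPI"
    expected = compute_icv(sa["key"], packet, len(ah["icv"]))
    if not hmac.compare_digest(expected, ah["icv"]):   # constant-time comparison
        return False, "ICV mismatch"
    if not sa["window"].check_and_update(ah["seq"]):   # only update the window after the ICV passes
        return False, "replayed or stale sequence number"
    return True, "accepted"


def demo() -> list:
    """Three good packets, a replay of the second, a tampered third, and an unknown SPI."""
    table = make_sa_table()
    pkts = [build_ah(IPPROTO_TCP, SA_SPI, s, b"segment %d" % s, SA_KEY) for s in (1, 2, 3)]
    results = [ah_receive(table, p)[1] for p in pkts]
    results.append(ah_receive(table, pkts[1])[1])                       # replay of seq 2
    tampered = pkts[2][:-1] + bytes([pkts[2][-1] ^ 1])                  # one bit flipped in payload
    results.append(ah_receive(table, tampered)[1])
    results.append(ah_receive(table, build_ah(IPPROTO_TCP, 0xDEADBEEF, 4, b"x", SA_KEY))[1])
    return results


if __name__ == "__main__":
    print(demo())
```

Checking the ICV before touching the window matters: an attacker who can forge packets with large sequence numbers must not be able to slide the window forward and make legitimate in-flight packets look stale.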