VIRTUAL PRIVATE NETWORKS
KARTHIK MOHANASUNDARAM
WRIGHT STATE UNIVERSITY
Abstract
The main purpose of this presentation is to discuss the concept of virtual private networks, the reasons that led to the development of this concept and the technology behind it.
Evolution of Concept
• The language of the Internet is IP [Internet Protocol]
• Everything travels on top of IP
• IP itself provides no security: no confidentiality, no integrity and no authentication of the source address
• IP packets can be read, forged and manipulated en route
Virtual Private Network
• A virtual private network is the extension of a private network that encompasses links across shared or public networks like the Internet
• Emulates a point-to-point private link over the shared network
Types of VPN Connection
• Router-to-router VPN connection
• Intranet based VPN connections
• Internet based VPN connections
• Combined Internet & Intranet VPNs
• Remote access VPN connection
Elements of VPN
• VPN Server
• VPN Client
• VPN Connection
• Tunnel
• Transit Public Network
Tunneling
• Tunneling is the act of encapsulating ordinary IP packets inside other IP packets, so that the inner packet crosses the public network as opaque payload of the outer one
• Encapsulation alone gives no privacy; a VPN tunnel provides it by encrypting (and integrity-protecting) everything that goes into and comes out of the tunnel
Tunneling Protocols
• Point-to-Point Tunneling Protocol [PPTP]
• Layer 2 Tunneling Protocol [L2TP]
• Internet Protocol Security [IPsec]
Disadvantages of PPTP
• Mainly developed for the Windows world
• Developed by Microsoft for creating tunnels in Windows NT™
• Built on top of the Point-to-Point Protocol [PPP]
• Weak encryption and authentication: MPPE encryption is RC4-based and the MS-CHAPv2 authentication it relies on can be broken offline from a captured handshake, so PPTP should be treated as insecure
Advantages of L2TP
• Proposed by Cisco® Systems (it merges Cisco's L2F with PPTP and is standardized in RFC 2661)
• Operates at the data link layer (layer 2): it tunnels PPP frames
• Runs over UDP (port 1701) as opposed to TCP [UDP is a faster, leaner and less reliable protocol]
• L2TP is "firewall friendly": a single UDP port has to be permitted
• L2TP itself provides no encryption; for confidentiality it is combined with IPsec (L2TP/IPsec)
Advantages of IPsec
• Developed by foremost encryption experts in an open IETF process
• Allows support of multiple encryption algorithms; the algorithms are negotiated per connection rather than fixed
• Provides an integrity check of the IP packets
• Authenticates peers with machine-level certificates (public-key cryptography) or, alternatively, pre-shared keys
• Provides strong encryption, which is why L2TP uses IPsec as the default means of protecting its tunnels
Deep into IPsec
Internet Protocol Security [IPsec] is a suite of protocols standardized by the IETF that seamlessly integrates security into IP and provides data source authentication, data integrity, confidentiality and replay protection.
Continued ..
The IPsec suite comprises:
• Authentication Header [responsible for authenticating the IP traffic, including the immutable parts of the IP header]
• Encapsulating Security Payload [responsible for encrypting the IP traffic; it can authenticate it as well]
• Key Management [responsible for several services, mainly negotiating security associations and managing & exchanging keys]
Authentication Header
• Sits between the IP header and the payload (transport mode) or between the outer IP header and the encapsulated original packet (tunnel mode)
The AH comprises:
• Security Parameter Index (SPI)
• Sequence Number
• Authentication Data (the Integrity Check Value)
Continued ..
• The Security Parameter Index (SPI), together with the destination address, tells the receiver which Security Association (algorithms and keys) the sender used for this packet
• The Sequence Number is a counter incremented for every packet sent under the same SA; the receiver uses it to detect and drop replayed packets
• The Authentication Data is a keyed message authentication code (e.g. HMAC-SHA) over the packet, computed with the SA's shared key; it is a MAC, not a public-key digital signature
Encapsulating Security Payload
• Handles encryption of IP data at packet level
• Carries the same SPI and Sequence Number fields as the Authentication Header
• Provides the additional functionality of encryption
• Pads the data to the block length required by block-cipher algorithms and to align the ESP trailer
• Preferred when both encryption and authentication are required
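The Tunneling, Authentication Header and ESP slides above describe the same packet mechanics from three angles: an inner packet wrapped in an outer one, an SPI and sequence number in front, padding and a next-header byte behind, and an integrity check over the whole thing. The following added example (not code from the presentation or from any IPsec implementation) puts those pieces together in Python: it builds an ESP-style tunnel-mode packet around a constructed inner IPv4 datagram, then decapsulates it with the RFC 4303 sliding-window anti-replay check, rejecting a replayed copy and a tampered copy. Keys, SPI and the inner packet are constructed for the demo, and because the standard library has no block cipher an HMAC-SHA256 counter-mode keystream stands in for the AES transforms real ESP uses.

```python
"""ESP-style tunnel-mode encapsulation with sequence-number anti-replay.

Added example for the Tunneling, Authentication Header and ESP slides; it is not
code from the presentation or from any IPsec implementation. The packet layout
(SPI, sequence number, IV, payload, padding, pad length, next header, ICV), the
padding rule and the sliding-window replay check follow RFC 4303. The standard
library has no block cipher, so an HMAC-SHA256 counter-mode keystream stands in
for the AES transforms real ESP uses; keys and the inner packet are constructed.
"""
import hashlib
import hmac
import os
import struct

BLOCK = 16             # pad as a 16-byte block cipher (AES-CBC) would require
ICV_LEN = 16           # truncated ICV, as HMAC-SHA-256-128 does
NEXT_HEADER_IPV4 = 4   # tunnel mode: the protected payload is a whole IPv4 packet

# Constructed inner IPv4/UDP datagram 10.1.0.7 -> 10.2.0.9 (header checksum left zero).
INNER_PACKET = (bytes.fromhex("4500002100010000401100000a0100070a020009")
                + b"\x1e\x61\x00\x35\x00\x0d\x00\x00hello")


def keystream(key, iv, n):
    """PRF-based counter-mode keystream: stand-in for a real cipher, not ESP's AES."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class EspSa:
    """One direction of a Security Association: SPI, keys and sequence state."""

    def __init__(self, spi, enc_key, auth_key, window=64):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.window = window
        self.seq = 0        # sender side: last sequence number used
        self.highest = 0    # receiver side: highest sequence number accepted so far
        self.bitmap = 0     # receiver side: bit i set => (highest - i) already seen

    def encapsulate(self, inner):
        self.seq += 1
        iv = os.urandom(8)
        pad_len = (-(len(inner) + 2)) % BLOCK            # payload + pad + 2 trailer bytes fill whole blocks
        padding = bytes(range(1, pad_len + 1))           # RFC 4303 default padding 1, 2, 3, ...
        plaintext = inner + padding + bytes([pad_len, NEXT_HEADER_IPV4])
        body = xor(plaintext, keystream(self.enc_key, iv, len(plaintext)))
        authed = struct.pack(">II", self.spi, self.seq) + iv + body
        icv = hmac.new(self.auth_key, authed, hashlib.sha256).digest()[:ICV_LEN]
        return authed + icv

    def replay_ok(self, seq):
        """Window check only; the window is updated after the ICV verifies."""
        if seq == 0:
            return False
        if seq > self.highest:
            return True
        diff = self.highest - seq
        if diff >= self.window:
            return False                                  # older than the window: drop
        return not (self.bitmap >> diff) & 1              # inside the window: seen before?

    def replay_mark(self, seq):
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def decapsulate(self, pkt):
        if len(pkt) < 8 + 8 + 2 + ICV_LEN:
            raise ValueError("truncated ESP packet")
        spi, seq = struct.unpack(">II", pkt[:8])
        if spi != self.spi:
            raise ValueError("no SA for SPI %#x" % spi)
        if not self.replay_ok(seq):
            raise ValueError("replayed or stale sequence number %d" % seq)
        authed, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
        expected = hmac.new(self.auth_key, authed, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ICV mismatch: packet modified en route")
        self.replay_mark(seq)                             # only after authentication succeeds
        iv, body = pkt[8:16], pkt[16:-ICV_LEN]
        plaintext = xor(body, keystream(self.enc_key, iv, len(body)))
        pad_len, next_header = plaintext[-2], plaintext[-1]
        if next_header != NEXT_HEADER_IPV4 or pad_len > len(plaintext) - 2:
            raise ValueError("bad ESP trailer")
        if plaintext[len(plaintext) - 2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
            raise ValueError("bad padding")
        return plaintext[:len(plaintext) - 2 - pad_len]


def demo():
    """Send one packet through the tunnel, then replay it and tamper with a copy."""
    enc_key, auth_key = os.urandom(32), os.urandom(32)
    sender, receiver = EspSa(0x1000, enc_key, auth_key), EspSa(0x1000, enc_key, auth_key)
    wire = sender.encapsulate(INNER_PACKET)
    result = {"roundtrip": receiver.decapsulate(wire) == INNER_PACKET,
              "overhead": len(wire) - len(INNER_PACKET)}
    try:
        receiver.decapsulate(wire)                        # the same packet a second time
        result["replay_rejected"] = False
    except ValueError:
        result["replay_rejected"] = True
    tampered = bytearray(sender.encapsulate(INNER_PACKET))
    tampered[20] ^= 0x01                                  # flip one ciphertext bit
    try:
        receiver.decapsulate(bytes(tampered))
        result["tamper_rejected"] = False
    except ValueError:
        result["tamper_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The order of checks in `decapsulate` is the point worth copying: the SPI lookup and the replay-window test come first because they are cheap and need no cryptography, the ICV is verified before anything is decrypted, and the window is only advanced once the packet has authenticated, so an attacker cannot burn through the receiver's window with forged sequence numbers. The 47 bytes of overhead on a 33-byte packet also make the fragmentation complaint on the "Disadvantages" slide concrete.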
Key Management
Duties include:
• Negotiating protocols, algorithms and keys to be used in the communication
• Verifying the identity of the other party
• Managing and exchanging keys
Continued ..
• The key management protocol is the Internet Security Association and Key Management Protocol (ISAKMP) combined with the Oakley key exchange protocol, together known as the Internet Key Exchange (IKE)
• Establishes the symmetric keys shared by sender and receiver; the keys are derived on both sides from a Diffie-Hellman exchange rather than sent over the wire
ISAKMP
• Based on the Diffie-Hellman model of key generation
• The two parties exchange public Diffie-Hellman values and each combines the other's public value with its own private value, arriving at the same shared secret
• Allows the Security Association to be renegotiated (rekeyed) at specific intervals
• More secure as the keys, and with them the SPI, are changed periodically, limiting how much traffic any one key protects
Continued ..
Methods of Key Exchange:
• Main Mode
• Aggressive Mode
• Quick Mode
Security Association
• Keeps track of all details of keys and algorithms of an IPsec session
• Includes information about:
• AH authentication algorithms
• ESP encryption algorithms and keys
• Lifespan of the keys
• Method of exchange of keys
Main Mode ISAKMP
• First phase of ISAKMP: establishes the ISAKMP Security Association
• Sets up the mechanism for future communications
• Agreement on authentication, algorithms and keys takes place
• Requires three back-and-forth exchanges (six messages)
Continued ..
Three exchanges in Main Mode:
• First the two parties agree on algorithms and hashes for communication
• Second the parties exchange Diffie-Hellman public values and nonces
• Third both parties verify the identity of the other party; the identities and authentication hashes travel encrypted under the keys just derived
Aggressive & Quick Mode
• Aggressive Mode reaches the same result as Main Mode but takes only three messages instead of six; the price is that the identities are sent in the clear and, with pre-shared keys, the authentication hash can be captured and attacked offline
• Quick Mode is the second phase: it negotiates the IPsec SAs and creates new keying material from the first-phase keys, optionally with a fresh Diffie-Hellman exchange for perfect forward secrecy
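The ISAKMP, Main Mode and Quick Mode slides above describe what each side computes but not how the Diffie-Hellman secret turns into the keys that protect the rest of the negotiation and, later, the IPsec SA. The following added example (not code from the presentation or from any IKE implementation) models that arithmetic in Python: the three Main Mode round trips reduced to the values they carry, the SKEYID, SKEYID_d, SKEYID_a and SKEYID_e derivations of RFC 2409 section 5 for pre-shared-key authentication with HMAC-SHA1 as the prf, the HASH_I/HASH_R identity check of the third exchange, and the Quick Mode KEYMAT expansion. Payload encoding and network I/O are left out; the SA payload body, identities, cookies and pre-shared keys are constructed for the demo. The Diffie-Hellman group is the 1024-bit MODP group 2 from RFC 2409, transcribed here and sanity-checked for primality at run time; it is too small for new deployments, where group 14 or larger should be used.

```python
"""IKEv1 (ISAKMP/Oakley) Main Mode key agreement and Quick Mode KEYMAT derivation.

Added example for the ISAKMP, Main Mode and Quick Mode slides; it is not code
from the presentation or from any IKE implementation. Only the values each side
computes are modelled (no ISAKMP payload encoding, no network I/O). The key
derivations follow RFC 2409 section 5 for pre-shared-key authentication with
HMAC-SHA1 as the prf. The DH group is the 1024-bit MODP group 2 of RFC 2409,
transcribed here and checked for primality; use group 14 or larger in practice.
"""
import hashlib
import hmac
import random
import secrets

P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
PROTO_ESP = 3     # RFC 2407 protocol identifier mixed into the Quick Mode KEYMAT

# Constructed stand-in for the initiator's SA payload body (SAi_b), which would
# really be the encoded proposal list (e.g. 3DES-CBC, SHA1, PSK auth, group 2).
SA_BODY = b"SAi_b: constructed proposal bytes"


def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def to_bytes(n):
    return n.to_bytes(128, "big")     # group 2 values are 1024 bits wide


def is_probable_prime(n, rounds=16):
    """Miller-Rabin, used only to sanity-check the transcribed group prime."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class Peer:
    def __init__(self, psk, identity):
        self.psk, self.identity = psk, identity
        self.cookie = secrets.token_bytes(8)           # CKY-I / CKY-R
        self.nonce = secrets.token_bytes(16)           # Ni_b / Nr_b
        self.x = secrets.randbelow(P - 2) + 1          # private DH exponent, never sent
        self.gx = pow(G, self.x, P)                    # public value carried in the KE payload

    def phase1_keys(self, cky_i, cky_r, ni, nr, peer_gx):
        gxy = to_bytes(pow(peer_gx, self.x, P))        # shared secret g^xy
        skeyid = prf(self.psk, ni + nr)                # PSK variant of SKEYID
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # seeds IPsec SA keys
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # ISAKMP integrity
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # ISAKMP encryption
        return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def main_mode(init, resp):
    """The three Main Mode round trips, reduced to the values they carry."""
    # 1st exchange (MI1/MR1): cookies and the SA proposal / chosen transform
    cky_i, cky_r = init.cookie, resp.cookie
    # 2nd exchange (MI2/MR2): DH public values and nonces; both sides can now derive keys
    ki = init.phase1_keys(cky_i, cky_r, init.nonce, resp.nonce, resp.gx)
    kr = resp.phase1_keys(cky_i, cky_r, init.nonce, resp.nonce, init.gx)
    # 3rd exchange (MI3/MR3): identities plus HASH_I / HASH_R, sent encrypted under SKEYID_e
    gxi, gxr = to_bytes(init.gx), to_bytes(resp.gx)
    hash_i = prf(ki["SKEYID"], gxi + gxr + cky_i + cky_r + SA_BODY + init.identity)
    hash_r = prf(kr["SKEYID"], gxr + gxi + cky_r + cky_i + SA_BODY + resp.identity)
    # each side recomputes the peer's hash with its own SKEYID; a PSK mismatch shows up here
    resp_ok = hmac.compare_digest(hash_i, prf(kr["SKEYID"], gxi + gxr + cky_i + cky_r + SA_BODY + init.identity))
    init_ok = hmac.compare_digest(hash_r, prf(ki["SKEYID"], gxr + gxi + cky_r + cky_i + SA_BODY + resp.identity))
    return ki, kr, resp_ok and init_ok


def quick_mode_keymat(skeyid_d, protocol, spi, ni, nr, length):
    """KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b), chained until long enough (no PFS)."""
    seed = bytes([protocol]) + spi + ni + nr
    keymat = prf(skeyid_d, seed)
    while len(keymat) < length:
        keymat += prf(skeyid_d, keymat[-20:] + seed)
    return keymat[:length]


def demo(psk_i=b"s3cret", psk_r=b"s3cret"):
    init, resp = Peer(psk_i, b"gw-initiator"), Peer(psk_r, b"gw-responder")
    ki, kr, authenticated = main_mode(init, resp)
    spi = b"\x00\x00\x10\x00"                                   # inbound ESP SPI chosen by the responder
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)  # fresh Quick Mode nonces
    qi = quick_mode_keymat(ki["SKEYID_d"], PROTO_ESP, spi, ni2, nr2, 36)
    qr = quick_mode_keymat(kr["SKEYID_d"], PROTO_ESP, spi, ni2, nr2, 36)
    return {"same_skeyid_e": ki["SKEYID_e"] == kr["SKEYID_e"],
            "authenticated": authenticated, "same_keymat": qi == qr}
```

Two things the slides' bullets do not make visible: the pre-shared key never crosses the wire (it only keys the first prf), and a wrong key is not detected until the third exchange, when HASH_I fails to verify, which is why a peer with the wrong PSK still completes the first two round trips and the pluto log on the next slide reaches STATE_MAIN_I3 before failing in such a case. The 36-byte KEYMAT length is what an ESP SA with a 20-byte HMAC-SHA1 key and a 16-byte cipher key would consume.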
Example Exchange
An example key management exchange is shown below (FreeS/WAN pluto log; #1 is the Phase 1 ISAKMP SA negotiated in Main Mode, #2 the Phase 2 IPsec SA negotiated in Quick Mode):

```text
[root@Codd root]# ipsec auto --up hoare-codd
104 "hoare-codd" #1: STATE_MAIN_I1: initiate
106 "hoare-codd" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2
108 "hoare-codd" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
004 "hoare-codd" #1: STATE_MAIN_I4: ISAKMP SA established
112 "hoare-codd" #2: STATE_QUICK_I1: initiate
004 "hoare-codd" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
[root@Codd root]#
```
Disadvantages of IPsec
• Major drawback is the network-layer perspective it follows: it authenticates hosts and gateways, not users
• Ignorant about the authenticity of the people using the setup: any user or process on an authenticated host can send traffic through the tunnel
• ESP adds a header, padding and an ICV to every packet, so packets close to the MTU are fragmented, resulting in reduced throughput
Demo of IPsec
• A demonstration has been arranged using FreeS/WAN, which is an IPsec implementation for Linux (since discontinued; Openswan, Libreswan and strongSwan descend from it)
• The demo demonstrates the gateway-to-gateway mode of IPsec