Virtual Private Network
Chapter 4
Lecturer: Trần Thị Ngọc Hoa

Objectives
VPN Overview
Tunneling Protocol
Deployment models
Lab Demo
Overview of VPN
VPN Concept
A Virtual Private Network is a logical network that lets users connect securely across the Internet (or any other untrusted network) to a remote private network, as if they were attached to it directly.
VPN Deployment Scenarios
Remote Access VPN (client to gateway)
VPN Deployment Scenarios
Extranet VPN (site-to-site, router-to-router)
VPN Deployment Scenarios
Mixed VPN with firewall
Tunneling
Tunneling is the process of encapsulating a payload protocol inside another (carrier) protocol.
It provides a path through an untrusted network or through a network that cannot carry the payload protocol natively. The path is only secure if the carrier protocol adds protection: a bare tunnel such as GRE hides nothing, whereas IPSec adds authentication and encryption.
Tunneling Protocols
GRE, Generic Routing Encapsulation: developed by Cisco, now an IETF standard (RFC 2784). Carries an inner packet behind a new IP header (IP protocol 47) but provides no encryption or authentication of its own.
PPTP (with or without MPPE), Point-to-Point Tunneling Protocol: developed by a Microsoft-led vendor group (RFC 2637). Its MS-CHAP authentication and MPPE encryption are broken and it should not be used for new deployments.
L2TP (with or without IPSec), Layer 2 Tunneling Protocol: created by Cisco and Microsoft by merging Cisco L2F and PPTP (RFC 2661). L2TP itself does not encrypt, so it is normally run over IPSec (L2TP/IPSec).
IP Security
IP Security Overview
Algorithms
IPSec Protocols
IP Security Overview
Open standard developed by the IETF IPSec working group: Security Architecture for the Internet Protocol (RFC 4301).
Operates at Layer 3 (the network layer) of the OSI model, so it protects any upper-layer protocol transparently.
IPSec protects data by providing the following services:
Data integrity
Data origin authentication, between a pair of gateways, a pair of hosts, or a host and its gateway
Anti-replay protection
Confidentiality (encryption)
Many different algorithms are used within IPSec. There are two primary protocols:
AH, Authentication Header, IP protocol number 51
ESP, Encapsulating Security Payload, IP protocol number 50
Encryption Algorithms
Used to provide data confidentiality. Two different families:
Symmetric
Asymmetric
Symmetric Algorithms
[Diagram: Data -> Encrypt -> ciphertext -> Decrypt -> Data; the same session key is used for encryption and decryption.]
DES, Data Encryption Standard: 56-bit key, 64-bit data block. Number of keys = 2^56 ≈ 72,000,000,000,000,000, which is brute-forceable today.
3DES: three passes, Encrypt - Decrypt - Encrypt, 168-bit key (3 x 56), 64-bit data block; effective strength about 112 bits.
AES, Advanced Encryption Standard: 128-, 192- or 256-bit key, 128-bit data block; the current recommendation.
Asymmetric Algorithms
[Diagram: Data -> Encrypt with the public key -> ciphertext -> Decrypt with the private key -> Data.]
Two different but mathematically related keys are required: the public key may be published, the private key never leaves its owner.
Examples: RSA (Rivest, Shamir, and Adleman), ElGamal.
Hashing Algorithms
Hashing algorithms are used for authentication and integrity assurance of data.
They are based on a one-way hash function: easy to compute, infeasible to invert.
MD5: 128-bit output
SHA-1: 160-bit output
Collision: two different inputs produce the same output. SHA is preferred over MD5; today SHA-2 (for example SHA-256) should be used, since practical collisions have been demonstrated for both MD5 and SHA-1.
Hashing Example
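The following Python example is added here and is not part of the lecture slides. It uses only the standard library and a constructed message and key, and shows three things the slide states: the MD5 and SHA-1 output sizes, how a single flipped input bit scatters across the whole digest, and why a plain hash gives integrity but not authentication while a keyed HMAC (the construction IPSec uses in AH and ESP) gives both.

```python
import hashlib
import hmac

# Constructed sample message and key (not from the slides).
MESSAGE = b"transfer 100 to account 4711"
KEY = b"\x0b" * 32


def digest_bits(algorithm: str, data: bytes = MESSAGE) -> int:
    """Output size in bits of the named hash function."""
    return hashlib.new(algorithm, data).digest_size * 8


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(algorithm: str, data: bytes = MESSAGE) -> int:
    """Flip a single input bit and count how many output bits change.

    For a good hash about half the output bits flip, so a tampered
    message never produces a digest that is 'close' to the original.
    """
    flipped = bytearray(data)
    flipped[0] ^= 0x01
    return hamming_distance(hashlib.new(algorithm, data).digest(),
                            hashlib.new(algorithm, bytes(flipped)).digest())


def unkeyed_tag(data: bytes) -> bytes:
    """Integrity only: a plain digest anyone, including an attacker, can recompute."""
    return hashlib.sha256(data).digest()


def keyed_tag(key: bytes, data: bytes) -> bytes:
    """HMAC (RFC 2104): integrity plus origin authentication.

    Only a holder of the key can produce a valid tag; IPSec uses this
    construction (e.g. HMAC-SHA1-96, HMAC-SHA256-128) inside AH and ESP.
    """
    return hmac.new(key, data, hashlib.sha256).digest()


def receiver_accepts_unkeyed(data: bytes, tag: bytes) -> bool:
    return unkeyed_tag(data) == tag


def receiver_accepts_keyed(key: bytes, data: bytes, tag: bytes) -> bool:
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    return hmac.compare_digest(keyed_tag(key, data), tag)


def tamper_and_forge(key: bytes = KEY, data: bytes = MESSAGE) -> tuple:
    """Attacker changes the amount in transit and tries to get it accepted.

    Returns (accepted_with_plain_hash, accepted_with_hmac).
    """
    tampered = data.replace(b"100", b"900")
    # With a plain hash the attacker simply recomputes the digest over the new text.
    plain_ok = receiver_accepts_unkeyed(tampered, unkeyed_tag(tampered))
    # With HMAC the attacker has no key; the best it can do is replay the old tag.
    hmac_ok = receiver_accepts_keyed(key, tampered, keyed_tag(key, data))
    return plain_ok, hmac_ok
```

Run `tamper_and_forge()` to see the asymmetry: the unkeyed tag is accepted after tampering, the HMAC is not. This is exactly why IPSec always pairs its hash with a key negotiated by IKE.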
Key Exchange Problem
Question: how do we get the symmetric key from one device to the other?
If the key is sent across an untrusted network, it can be sniffed and captured by an attacker.
If you phone the technician at the other end, you run the risk of the call being tapped.
Answer: Diffie-Hellman
Diffie-Hellman Key Exchange
The Diffie-Hellman key exchange is used for automatic, secure agreement on symmetric keys and other keying material over an untrusted network.
Algorithm description (paint analogy):
Step 1: A and B each pour their own secret colour into a glass (their private values).
Step 2: A and B each add the same common liquid (the public parameters that both, and any eavesdropper, know).
Step 3: A and B swap glasses, then each adds their own secret colour again. Both glasses now hold the same mixture, which an observer who saw only the swapped glasses cannot reproduce.
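The same exchange in Python, as an added example that is not from the slides. It uses the 1024-bit MODP group from RFC 2409 (Oakley group 2, generator 2), which early IKE negotiated; the party names, the key-derivation label and the safe-prime and public-value checks are my additions, and deployments today should use the 2048-bit or larger groups of RFC 3526.

```python
import hashlib
import secrets

# RFC 2409 section 6.2, "Second Oakley Group": 1024-bit MODP prime, generator 2.
# Shown because it fits on a slide; use RFC 3526 group 14 (2048-bit) or larger in practice.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test, used here only to sanity-check the group parameters."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime_group(p: int = P) -> bool:
    """A safe prime p = 2q + 1 with q prime leaves no small subgroups to attack."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def validate_public_value(y: int, p: int = P) -> int:
    """Reject 0, 1 and p-1: a peer sending these forces a predictable shared secret."""
    if not 2 <= y <= p - 2:
        raise ValueError("invalid Diffie-Hellman public value")
    return y


class Party:
    """One side of the exchange; only `public` ever leaves this object."""

    def __init__(self, p: int = P, g: int = G) -> None:
        self.p, self.g = p, g
        self.private = secrets.randbelow(p - 2) + 1      # x in [1, p-2], never sent
        self.public = pow(g, self.private, p)            # g^x mod p, sent in the clear

    def shared_secret(self, peer_public: int) -> int:
        validate_public_value(peer_public, self.p)
        return pow(peer_public, self.private, self.p)    # (g^y)^x = g^(xy) mod p

    def session_key(self, peer_public: int, label: bytes = b"ipsec-demo") -> bytes:
        """Derive a 256-bit symmetric key; the raw g^xy is never used directly."""
        size = (self.p.bit_length() + 7) // 8
        secret = self.shared_secret(peer_public).to_bytes(size, "big")
        return hashlib.sha256(label + secret).digest()


def run_exchange() -> tuple:
    """Returns (key_a, key_b, transcript); transcript is all an eavesdropper sees."""
    alice, bob = Party(), Party()
    transcript = {"p": alice.p, "g": alice.g, "A": alice.public, "B": bob.public}
    return alice.session_key(bob.public), bob.session_key(alice.public), transcript
```

Both parties end with the same 32-byte key although the eavesdropper's transcript contains only p, g, A and B. The public-value check matters in practice: without it a peer can send 1 or p-1 and force the shared secret to a known value, which is one of the checks IKE implementations are required to perform.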
IPSec Protocols
AH provides:
Data integrity
Data origin authentication
Anti-replay protection (optional)
It does not provide any encryption of the packet payload. Because its integrity check also covers the IP header, AH does not survive address translation (NAT).
ESP provides:
Payload encryption (confidentiality)
Authentication and integrity of the payload and the ESP header, but not of the outer IP header
Security Modes
Both ESP and AH can operate in two different modes.
Tunnel mode: the entire original IP packet (header and payload) is protected (encrypted with ESP, authenticated with AH) and then encapsulated behind a new outer IP header. The outer header itself is not protected; this is the mode used between gateways (site-to-site).
Transport mode (the default): the original IP header is kept and the IPSec header is inserted between it and the payload, so only the payload is protected. With AH, the immutable fields of that IP header, including the source and destination addresses, are included in the hash, so they cannot be changed between sender and receiver; fields that legitimately change in transit (TTL, header checksum, TOS) are set to zero for the calculation.
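An added example, not from the lecture slides, that serves both the tunneling slide and this one. Pure Python on the standard library: it builds a plain IPv4 packet, tunnels it inside GRE (new outer header, inner packet carried untouched), then protects it with AH in transport and tunnel mode and demonstrates the header rule above: a router decrementing the TTL leaves the ICV valid, a NAT rewriting the source address breaks it. Addresses, key and SPIs are constructed values; the ESP encryption step is not shown.

```python
import hashlib
import hmac
import struct

IPPROTO_TCP, IPPROTO_IPIP, IPPROTO_GRE, IPPROTO_AH = 6, 4, 47, 51
AH_ICV_LEN = 12          # HMAC-SHA1-96 (RFC 2404): 160-bit MAC truncated to 96 bits
GRE_PROTO_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload (RFC 2784)


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words (zero for an intact header)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet: 20-byte header without options, valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    return {"src": ip_str(pkt[12:16]), "dst": ip_str(pkt[16:20]), "ttl": pkt[8],
            "proto": pkt[9], "payload": pkt[ihl:total]}


# ---- Tunneling: GRE carries a whole inner IP packet behind a new outer header ----
def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    gre_header = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)   # no checksum/key/sequence
    return ipv4(outer_src, outer_dst, IPPROTO_GRE, gre_header + inner)


def gre_decapsulate(outer: bytes) -> bytes:
    p = parse_ipv4(outer)
    if p["proto"] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", p["payload"][:4])
    if flags != 0 or ptype != GRE_PROTO_IPV4:
        raise ValueError("unsupported GRE header")
    return p["payload"][4:]


# ---- AH: the integrity check covers the IP header's immutable fields ----
def _ah_icv(ip_header: bytes, ah_fixed: bytes, payload: bytes, key: bytes) -> bytes:
    h = bytearray(ip_header)
    h[1] = 0                 # TOS/DSCP: may be rewritten in transit
    h[6:8] = b"\x00\x00"     # flags and fragment offset
    h[8] = 0                 # TTL: every router decrements it
    h[10:12] = b"\x00\x00"   # header checksum: recomputed by every router
    # Source/destination addresses stay in: changing them (NAT) invalidates the ICV.
    data = bytes(h) + ah_fixed + b"\x00" * AH_ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:AH_ICV_LEN]


def ah_transport_protect(pkt: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Transport mode: keep the original IP header, insert AH before the payload."""
    p = parse_ipv4(pkt)
    # Next Header, Payload Len ((24/4)-2 = 4), Reserved, SPI, Sequence Number
    ah_fixed = struct.pack("!BBHII", p["proto"], (12 + AH_ICV_LEN) // 4 - 2, 0, spi, seq)
    rebuilt = ipv4(p["src"], p["dst"], IPPROTO_AH,
                   ah_fixed + b"\x00" * AH_ICV_LEN + p["payload"], ttl=p["ttl"])
    icv = _ah_icv(rebuilt[:20], ah_fixed, p["payload"], key)
    return rebuilt[:20] + ah_fixed + icv + p["payload"]


def ah_tunnel_protect(inner: bytes, outer_src: str, outer_dst: str,
                      spi: int, seq: int, key: bytes) -> bytes:
    """Tunnel mode: wrap the whole inner packet in IP-in-IP, then apply AH to that."""
    return ah_transport_protect(ipv4(outer_src, outer_dst, IPPROTO_IPIP, inner), spi, seq, key)


def ah_verify(pkt: bytes, key: bytes) -> bool:
    p = parse_ipv4(pkt)
    if p["proto"] != IPPROTO_AH:
        return False
    ah_fixed, icv = p["payload"][:12], p["payload"][12:12 + AH_ICV_LEN]
    payload = p["payload"][12 + AH_ICV_LEN:]
    return hmac.compare_digest(icv, _ah_icv(pkt[:20], ah_fixed, payload, key))


# ---- What devices on the path do to the header in transit ----
def _patch_header(pkt: bytes, offset: int, value: bytes) -> bytes:
    hdr = bytearray(pkt[:20])
    hdr[offset:offset + len(value)] = value
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def router_decrement_ttl(pkt: bytes) -> bytes:          # allowed: TTL is mutable
    return _patch_header(pkt, 8, bytes([pkt[8] - 1]))


def nat_rewrite_source(pkt: bytes, new_src: str) -> bytes:   # breaks AH: address is immutable
    return _patch_header(pkt, 12, ip_bytes(new_src))
```

Tunnel mode falls out of transport mode almost for free: an AH tunnel is AH in transport mode applied to an IP-in-IP packet, which is why the outer header, not the inner one, is what the path sees and what NAT would break.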
Security Associations
A Security Association (SA) is the set of policy and key(s) used to protect traffic in one direction; SAs must be established before any data can be sent through the IPSec tunnel, and a bidirectional connection needs a pair of them.
Each SA gets a unique 32-bit Security Parameter Index (SPI) that is sent in every packet belonging to that SA, so the receiver can find the right keys and algorithms.
The SA records general information such as the following: source IP address, destination IP address, IPSec protocol used (AH or ESP), SPI number, encryption and authentication algorithms and their keys, and the key lifetime (the amount of time and/or byte count for which a key is valid; the longer a key lives, the more data is exposed if it is compromised).
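The following Python example is added here and is not part of the slides. It models an inbound SA record, the lookup a receiver performs by (destination address, SPI, protocol) as RFC 4301 describes, lifetime expiry, and the sliding-window anti-replay check of RFC 4303 that the SPI and sequence number make possible. Standard library only; the SA values are constructed.

```python
import time
from dataclasses import dataclass, field

IPPROTO_ESP, IPPROTO_AH = 50, 51


@dataclass
class SecurityAssociation:
    """One direction of protected traffic; a bidirectional tunnel needs two of these."""
    spi: int                 # 32-bit Security Parameter Index carried in every packet
    src: str
    dst: str
    protocol: int            # IPPROTO_ESP or IPPROTO_AH
    cipher: str
    integrity: str
    key: bytes
    lifetime_bytes: int      # rekey after this much traffic ...
    lifetime_seconds: float  # ... or after this much time, whichever comes first
    created: float = field(default_factory=time.monotonic)
    bytes_processed: int = 0
    window_size: int = 64    # anti-replay window (RFC 4303 requires at least 32)
    highest_seq: int = 0
    window: int = 0          # bitmap: bit k set => sequence (highest_seq - k) was seen

    def expired(self, now=None) -> bool:
        now = time.monotonic() if now is None else now
        return (self.bytes_processed >= self.lifetime_bytes
                or now - self.created >= self.lifetime_seconds)

    def check_replay(self, seq: int) -> bool:
        """Sliding-window anti-replay check (RFC 4303 Appendix A). True if seq is fresh."""
        if seq == 0:                              # sequence numbers start at 1
            return False
        if seq > self.highest_seq:                # right of the window: advance it
            shift = seq - self.highest_seq
            self.window = ((self.window << shift) | 1) & ((1 << self.window_size) - 1)
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window_size:            # left of the window: too old
            return False
        if (self.window >> offset) & 1:           # inside the window but already seen
            return False
        self.window |= 1 << offset
        return True


class SADB:
    """Inbound SA database, indexed the way a receiver must look SAs up (RFC 4301)."""

    def __init__(self) -> None:
        self._inbound = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._inbound[(sa.dst, sa.spi, sa.protocol)] = sa

    def lookup(self, dst: str, spi: int, protocol: int):
        return self._inbound.get((dst, spi, protocol))

    def process_inbound(self, dst: str, protocol: int, spi: int, seq: int, length: int) -> str:
        """Decision for one received AH/ESP packet (ICV verification assumed done by the caller)."""
        sa = self.lookup(dst, spi, protocol)
        if sa is None:
            return "drop: no SA for this SPI"
        if sa.expired():
            return "drop: SA lifetime exhausted, rekey required"
        if not sa.check_replay(seq):
            return "drop: replayed or stale sequence number"
        sa.bytes_processed += length
        return "accept"


def build_demo_sadb() -> SADB:
    """Constructed SA (not from the slides) for a gateway at 198.51.100.1."""
    sadb = SADB()
    sadb.add(SecurityAssociation(spi=0x1000, src="203.0.113.1", dst="198.51.100.1",
                                 protocol=IPPROTO_ESP, cipher="aes-256-cbc",
                                 integrity="hmac-sha256-128", key=b"\x0b" * 32,
                                 lifetime_bytes=1500, lifetime_seconds=3600))
    return sadb
```

The window is a 64-bit integer, so advancing it and testing a bit are single operations; a packet more than 64 sequence numbers behind the newest one is dropped even if it was never seen, which is why a sender must never reuse or reorder sequence numbers within an SA and must rekey (a new SA, new SPI) before the 32-bit counter wraps.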
Internet Key Exchange
Internet Key Exchange (IKE, UDP port 500) is used to negotiate and establish all the information a tunnel needs: the SAs, their algorithms, and their keys.
IKEv1 runs in two phases:
IKE Phase 1 (main mode, or the faster but less protective aggressive mode): authenticates the two peers and builds a protected IKE SA.
IKE Phase 2 (quick mode): inside that protected channel, negotiates the IPSec SAs (SPIs, algorithms, keys) used by AH and ESP.