VPN Virtual Private Networks - THMhg10013/Lehre/MMS/WS0304...VPN - Virtual Private Networks Mathias...
VPN - Virtual Private Networks
Mathias Schäfer
WS 2003/2004
VPN - Virtual Private Networks Mathias Schäfer WS 2003/2004
Overview
Why VPNs
VPN use cases
VPN technology vs. conventional solutions
Requirements
Tunneling
Security
Performance
Conclusion
Why VPNs
In business solutions, VPN technology is gaining importance
Enterprises increasingly operate on a global scale
There is a need for cost-effective solutions to integrate satellite workplaces, such as branch offices, suppliers and field services, into the enterprise network
VPN use cases
Enterprises are usually composed of
Head office
Branch offices
Outdoor staff
Additionally, there are suppliers, which are not really part of the company
VPN use cases
To reflect business processes in the company's network structure, all components of the whole enterprise need to be integrated
VPN types are classified according to the use cases:
Remote-Access-VPN - field services
Branch-Office-VPN - branch offices
Extranet-VPN - suppliers
VPN technology vs. conventional solutions
Conventional solutions mostly use wired or dial-in connections between the two endpoints
These connections become very expensive for long-distance or international links
On the central office side, many connection interfaces are needed to serve all connection requests
VPN technology vs. conventional solutions
VPN technology, concretely Internet-VPN or IP-VPN technology, uses the existing Internet to split up long-distance connections
Instead of establishing direct connections between the endpoints, each endpoint only needs to be connected to the nearest Internet node
This decreases both distance and fees
VPN technology vs. conventional solutions
Remote-Access
For remote access by outdoor staff, many connections are needed
Usually PPP dial-in connections are used to establish links between outdoor staff and the head office
A Remote-Access-Concentrator (RAC) terminates these connections on the head office side
Normally the RAC is connected to the provider's telephone network via a PMX (ISDN primary rate) trunk
VPN technology vs. conventional solutions
Remote-Access
VPN technology vs. conventional solutions
Remote-Access-VPN
With Internet-VPN technology, the outdoor staff connect to the Internet via whatever link technology the local ISP provides
The head office is connected to the Internet via a single broadband link, with a VPN-Concentrator in place of the RAC
The data link connection is implemented as a tunnel through the Internet and is terminated inside the VPN-Concentrator
VPN technology vs. conventional solutions
Remote-Access-VPN
VPN technology vs. conventional solutions
Branch-Office
Conventional connection types for the link between branch office networks and the head office network are normally based on wired technology, ATM or Frame Relay
Router equipment on both sides of this connection terminates the link
As with remote access, the costs of this solution depend on the distance and become very high for international connections
VPN technology vs. conventional solutions
Branch-Office
VPN technology vs. conventional solutions
Branch-Office-VPN
In a Branch-Office-VPN the router equipment is replaced by VPN gateways, which terminate the virtual tunnel connection between the endpoints
Both endpoints are physically connected only to the Internet, not to each other
VPN technology vs. conventional solutions
Branch-Office-VPN
VPN technology vs. conventional solutions
Extranet-VPN
To allow faster reaction times it is advisable to integrate suppliers into the company's network
They should have limited access, because they are not really part of the company
Usually firewalls limit their access to the intranet; apart from that, the structure is similar to a Branch-Office-VPN
VPN technology vs. conventional solutions
Extranet-VPN
Requirements
Security
Confidentiality of information: transmitted information has to be protected against unauthorized access
Integrity of information: transmitted information must not be altered during transmission
Authentication: the authenticity of the communication partners has to be proved and guaranteed for the duration of the connection
Requirements
Availability
There has to be a guaranteed availability of the service
Maximum downtime or minimum uptime percentages are agreed by contract with the service provider in SLAs
Requirements
Performance
Minimum bandwidth and maximum latency are the main performance aspects of a connection
In the case of Internet-VPNs it is normally not possible for a service provider to guarantee these parameters
SLAs mostly declare contractual penalties
Tunneling
Principle
Tunneling is implemented by encapsulating data packets during transmission
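The encapsulation principle from the slide above, worked through as an added example that is not part of the original slide deck: a Python script wraps an inner IPv4 packet in an outer IPv4 header between two VPN gateways (IP-in-IP, protocol number 4) and unwraps it again on the far side. All addresses are constructed sample values, and the tunnel here carries the inner packet unencrypted, which is exactly why the later IPSec slides add security on top: anyone on the Internet path can read the inner addresses and payload.

```python
"""IP-in-IP tunnelling: wrap an inner IPv4 packet in an outer IPv4 header
between two VPN gateways, then unwrap it on the far side.
Added example for this page; addresses are constructed sample values."""
import ipaddress
import struct

IPPROTO_IPIP = 4   # IANA protocol number for "IP in IP" encapsulation
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the header, verify the checksum and return fields plus payload."""
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:      # checksum over a valid header is 0
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "proto": pkt[9],
        "payload": pkt[ihl:total_len],
    }


def encapsulate(inner_pkt: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel entry: the complete inner packet becomes the payload of an
    outer packet addressed gateway-to-gateway."""
    return build_ipv4(gw_src, gw_dst, IPPROTO_IPIP, inner_pkt)


def decapsulate(outer_pkt: bytes) -> bytes:
    """Tunnel exit: strip the outer header and hand back the inner packet."""
    outer = parse_ipv4(outer_pkt)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    return outer["payload"]


def demo():
    # Constructed scenario: a host in the branch LAN sends to a host in the HQ LAN.
    inner = build_ipv4("10.1.0.5", "10.0.0.20", IPPROTO_UDP, b"hello HQ")
    # The branch gateway (203.0.113.10) tunnels it to the HQ gateway (198.51.100.1);
    # only these public addresses are used for routing on the Internet path.
    outer = encapsulate(inner, "203.0.113.10", "198.51.100.1")
    seen_on_internet = parse_ipv4(outer)
    restored = decapsulate(outer)
    return seen_on_internet, parse_ipv4(restored), restored == inner


if __name__ == "__main__":
    outer_view, inner_view, intact = demo()
    print("outer header:", outer_view["src"], "->", outer_view["dst"], "proto", outer_view["proto"])
    print("inner header:", inner_view["src"], "->", inner_view["dst"], "payload", inner_view["payload"])
    print("inner packet restored unchanged:", intact)
```

The outer packet is 48 bytes for a 28-byte inner packet, so plain IP-in-IP costs 20 bytes per packet; the L2TP and IPSec slides later in this deck trade additional overhead for non-IP payloads and security.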
Tunneling
Tunneling models
Different tunneling models are distinguished:
End-to-End-Model: no service provider is involved in the tunneling process, except for providing the Internet connection
Intra-Provider-Model: the company is not involved in the tunneling process
Provider-Enterprise-Model: mixed configuration, one side is provided by the service provider, the other side belongs to the company
Tunneling
End-to-End-Model
Tunneling
Intra-Provider-Model
Tunneling
Provider-Enterprise-Model
Tunneling
IP Security Protocol - IPSec
IPSec was developed for security reasons, so there are many security options to choose from
As one option there is an IPSec tunnel mode, which is able to tunnel IP packets exclusively
The connection partners use unidirectional SAs (security associations), which represent the configuration of an established IPSec link
Tunneling
IP Security Protocol - IPSec
IPSec uses symmetric encryption, where the key exchange is done with the Internet Key Exchange protocol (IKE)
For authentication IPSec supports pre-shared secrets, public key methods and certificate-based procedures
IPSec hides the structure of the internal network by encrypting the internal IP header
Tunneling
IP Security Protocol - IPSec
IPSec's primary tunneling model is the End-to-End-Model, so the client needs an IPSec implementation
Software implementations are available for nearly all operating systems
Tunneling
IP Security Protocol - IPSec
Tunneling
Layer 2 Tunneling Protocol - L2TP
L2TP encapsulates PPP frames, which allows tunneling of all layer 3 packet types supported by PPP
L2TP is designed as a tunneling protocol, not for security reasons; it supports only weak CHAP-like authentication and encryption of the control channel
As a consequence, security has to be implemented at other levels
Tunneling
Layer 2 Tunneling Protocol - L2TP
The Provider-Enterprise-Model for remote access is the primary model used in L2TP implementations
Instead of the normal RAC, an L2TP Access Concentrator (LAC) is used
Tunneling
Layer 2 Tunneling Protocol - L2TP
Decisions on how to handle incoming calls are made by the called number or by a prefix or suffix of the user ID
If so indicated, the LAC establishes a tunnel to the L2TP Network Server (LNS) on the enterprise side
This enables compulsory tunneling
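As an added example that is not part of the original slides, the following Python script shows the two things the L2TP slides describe: a PPP frame (here carrying a non-IP protocol, IPX, to make the point that L2TP tunnels whatever PPP carries) encapsulated in an L2TPv2 data message with the header layout of RFC 2661, and a LAC's decision whether to tunnel an incoming call to an LNS based on the called number or a prefix or suffix of the user ID. The policy table, LNS names, phone numbers, tunnel and session IDs are all constructed; a real LAC usually takes this policy from RADIUS or local configuration. Note that nothing in the L2TP layer itself protects the PPP payload, which is the point the slides make about putting security elsewhere.

```python
"""L2TPv2 data message carrying a PPP frame, plus the LAC's routing decision
(called number, or user-ID prefix/suffix).  Added example for this page;
all identifiers, numbers and realm names are constructed."""
import struct

L2TP_UDP_PORT = 1701       # registered UDP port for L2TP (not used here, offline demo)
PPP_IPV4 = 0x0021          # PPP protocol field: IPv4 datagram
PPP_IPX = 0x002B           # PPP protocol field: IPX datagram (a non-IP payload)

# L2TPv2 header flag bits (RFC 2661, section 3.1)
FLAG_T = 1 << 15           # 1 = control message, 0 = data message
FLAG_L = 1 << 14           # Length field present
FLAG_S = 1 << 11           # Ns/Nr fields present
FLAG_O = 1 << 9            # Offset Size field present


def build_ppp_frame(protocol: int, payload: bytes) -> bytes:
    """HDLC-style PPP frame: Address 0xFF, Control 0x03, 2-byte protocol, data."""
    return bytes([0xFF, 0x03]) + struct.pack("!H", protocol) + payload


def build_l2tp_data(tunnel_id: int, session_id: int, ppp_frame: bytes) -> bytes:
    """Data message with T=0, L=1, version 2: Flags/Ver, Length, Tunnel ID,
    Session ID, then the PPP frame.  Length covers the whole message."""
    flags_ver = FLAG_L | 2
    length = 8 + len(ppp_frame)
    return struct.pack("!HHHH", flags_ver, length, tunnel_id, session_id) + ppp_frame


def parse_l2tp_data(msg: bytes) -> dict:
    """Walk the optional header fields in RFC 2661 order and return the
    tunnel/session IDs plus the PPP protocol and payload inside."""
    flags_ver = struct.unpack("!H", msg[:2])[0]
    if (flags_ver & 0x000F) != 2:
        raise ValueError("not an L2TPv2 message")
    if flags_ver & FLAG_T:
        raise ValueError("control message, not a data message")
    offset, length = 2, None
    if flags_ver & FLAG_L:
        length = struct.unpack("!H", msg[offset:offset + 2])[0]
        offset += 2
    tunnel_id, session_id = struct.unpack("!HH", msg[offset:offset + 4])
    offset += 4
    if flags_ver & FLAG_S:                 # Ns, Nr (2 bytes each), rare on data messages
        offset += 4
    if flags_ver & FLAG_O:                 # Offset Size, then that many padding bytes
        off_size = struct.unpack("!H", msg[offset:offset + 2])[0]
        offset += 2 + off_size
    ppp = msg[offset:length] if length else msg[offset:]
    proto = struct.unpack("!H", ppp[2:4])[0]
    return {"tunnel_id": tunnel_id, "session_id": session_id,
            "ppp_protocol": proto, "payload": ppp[4:]}


# Constructed LAC policy: which LNS (by name) a call is tunnelled to.
LAC_POLICY = {
    "called_numbers": {"06416000100": "lns.example-corp"},
    "user_suffixes": {"@example-corp": "lns.example-corp",
                      "@partner-supplier": "lns.partner"},
    "user_prefixes": {"corp/": "lns.example-corp"},
}


def lac_decide(called_number: str, user_id: str, policy=LAC_POLICY):
    """Return the LNS to build a tunnel to (compulsory tunnelling), or None
    when the PPP session should simply be terminated at the LAC."""
    lns = policy["called_numbers"].get(called_number)
    if lns:
        return lns
    for suffix, lns in policy["user_suffixes"].items():
        if user_id.endswith(suffix):
            return lns
    for prefix, lns in policy["user_prefixes"].items():
        if user_id.startswith(prefix):
            return lns
    return None


def demo():
    frame = build_ppp_frame(PPP_IPX, b"ipx-data")
    msg = build_l2tp_data(tunnel_id=7, session_id=42, ppp_frame=frame)
    parsed = parse_l2tp_data(msg)
    decisions = {uid: lac_decide("0000", uid)
                 for uid in ("alice@partner-supplier", "corp/bob", "bob")}
    return parsed, decisions


if __name__ == "__main__":
    parsed, decisions = demo()
    print("L2TP data message carries PPP protocol 0x%04X:" % parsed["ppp_protocol"], parsed)
    print("LAC decisions:", decisions)
```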
Tunneling
Layer 2 Tunneling Protocol - L2TP
Tunneling
Layer 2 Tunneling Protocol - L2TP
If used in the End-to-End-Model, the functionality of the LAC is implemented in client-side software
This implies voluntary tunneling
Tunneling
IPSec-secured L2TP - L2TP/IPSec
Combining L2TP and IPSec provides the security options supplied by IPSec together with the packet type flexibility of L2TP
This causes a lot of overhead, which pushes the decision towards changing over to IP-based applications, so that IPSec can be used without L2TP
Tunneling
IPSec-secured L2TP - L2TP/IPSec
Tunneling
IPSec-secured L2TP - L2TP/IPSec
Other combinations are also possible and sensible
Tunneling IPSec in the End-to-End-Model inside L2TP in the Provider-Enterprise-Model, for example, enables compulsory tunneling with IPSec security
Security
If security options are needed, IPSec is the protocol to choose
The cryptographic algorithms used are considered secure nowadays
IPSec's security functionality offers:
Encryption
Authentication
Packet integrity
Hiding of internal network structures
Protection from replay and denial-of-service attacks
If additionally packet types other than IP are used, L2TP/IPSec is the only mechanism that fulfills both needs
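To make the IPSec properties listed above concrete (authentication, packet integrity and replay protection, carried over a unidirectional SA as described on the IPSec tunneling slides), here is an added Python example that is not part of the original slides. It models an ESP-style packet (SPI, sequence number, payload, ICV) and the receiver's sliding anti-replay window in the style of RFC 4303. Simplifications and assumptions: the payload is only authenticated with HMAC-SHA256 and not encrypted (the Python standard library has no block cipher), the ICV is truncated to 16 bytes, the window is 64 packets, and the key is a constructed constant rather than one negotiated by IKE.

```python
"""Unidirectional security association (SA) with ESP-style integrity,
authentication and anti-replay protection.  Added example for this page:
the SPI / sequence-number / ICV layout follows the ESP idea, but the payload
is only authenticated (HMAC-SHA256), not encrypted, and the key is a
constructed constant instead of one negotiated by IKE."""
import hashlib
import hmac
import struct

ICV_LEN = 16     # truncated HMAC-SHA256 tag (ESP commonly truncates ICVs)
WINDOW = 64      # anti-replay window size; RFC 4303 requires at least 32


class OutboundSA:
    """Sender side: one SPI, one key, a strictly increasing sequence number."""

    def __init__(self, spi: int, key: bytes):
        self.spi, self.key, self.seq = spi, key, 0

    def protect(self, inner_packet: bytes) -> bytes:
        self.seq += 1                                   # never reuse a number
        header = struct.pack("!II", self.spi, self.seq)
        icv = hmac.new(self.key, header + inner_packet, hashlib.sha256).digest()[:ICV_LEN]
        return header + inner_packet + icv


class InboundSA:
    """Receiver side: verify the ICV first, then apply a sliding anti-replay
    window so that each sequence number is accepted at most once."""

    def __init__(self, spi: int, key: bytes):
        self.spi, self.key = spi, key
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) already seen

    def _replay_check(self, seq: int) -> bool:
        if seq == 0:
            return False                               # ESP never sends seq 0
        if seq > self.top:
            return True                                # new high-water mark
        diff = self.top - seq
        if diff >= WINDOW:
            return False                               # too old to track: drop
        return not (self.bitmap >> diff) & 1           # fresh unless already marked

    def _replay_update(self, seq: int) -> None:
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def unprotect(self, pkt: bytes):
        """Return (accepted, reason, inner_packet_or_None)."""
        if len(pkt) < 8 + ICV_LEN:
            return False, "truncated", None
        spi, seq = struct.unpack("!II", pkt[:8])
        if spi != self.spi:
            return False, "unknown SPI", None
        body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):     # authenticate before anything else
            return False, "bad ICV", None
        if not self._replay_check(seq):
            return False, "replay", None
        self._replay_update(seq)                        # only after a valid ICV
        return True, "ok", body[8:]


def demo():
    key = b"constructed-demo-key-not-from-IKE"
    out, inb = OutboundSA(0x1234, key), InboundSA(0x1234, key)
    p1, p2 = out.protect(b"packet one"), out.protect(b"packet two")
    tampered = p2[:-1] + bytes([p2[-1] ^ 0x01])
    return [inb.unprotect(p2)[1],          # arrives first: ok (seq 2)
            inb.unprotect(p1)[1],          # late but inside the window: ok (seq 1)
            inb.unprotect(p1)[1],          # same packet again: replay
            inb.unprotect(tampered)[1]]    # modified in transit: bad ICV


if __name__ == "__main__":
    print(demo())   # ['ok', 'ok', 'replay', 'bad ICV']
```

The order of checks matters: the ICV is verified before the replay window is touched, so an unauthenticated packet can neither advance the window nor mark slots, which is what keeps the window itself from becoming a denial-of-service lever.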
Performance
In addition to the provider- and connection-dependent performance aspects, the hardware used is also relevant to the performance of VPNs
In the case of IPSec, the cryptographic algorithms need a lot of computing power
Dedicated VPN equipment often uses specialized cryptographic processing units, which offer much better performance than general-purpose CPUs
Performance
In the case of L2TP there are a lot of PPP sessions which have to be terminated, primarily at the L2TP Network Servers
Some components are designed to be scalable, so that they can fulfil increased needs
If L2TP/IPSec is used, increased attention has to be paid to performance aspects
Conclusion
Internet-VPN technology offers cost-effective solutions if planned in detail
If all components are well chosen, IPSec offers high-security solutions, also for major projects
The most important milestone on the way to implementing a VPN is a detailed analysis of needs