VPNs - Written Report


  • 8/12/2019 VPNs - Written Report

    1/12

    Virtual Private Networks

    NVS1

THIS DOCUMENT DESCRIBES HOW VIRTUAL PRIVATE NETWORKS (VPNS) WORK. THE RESULTING BENEFITS AND IMPORTANT POINTS ARE ALSO MENTIONED.

    DOMINIK HERKEL

ÖSTERREICH | WIEN | 1050 | Spengergasse 20


    Virtual Private Networks 30.10.2012 Dominik Herkel 4AHIF

    Page 1 / 11

Table of Contents

Virtual Private Networks ........................................ 2
  General ....................................................... 2
  History ....................................................... 2
  Benefits for Business ......................................... 2
  Implementation ................................................ 3
    Generic Routing Encapsulation (GRE) ......................... 3
      General ................................................... 3
      Process ................................................... 3
      Advantages ................................................ 4
      Disadvantages ............................................. 4
    Internet Protocol Security (IPsec) .......................... 4
      General ................................................... 4
      Process ................................................... 6
      Advantages ................................................ 6
      Disadvantages ............................................. 6
    GRE over IPsec .............................................. 7
    SSL/TLS ..................................................... 7
      General ................................................... 7
      Process ................................................... 7
      Advantages ................................................ 7
      Disadvantages ............................................. 8
Cisco VPN Solutions ............................................. 8
  Access Network Resources ...................................... 8
  Configuration ................................................. 8
Bibliography .................................................... 10


Virtual Private Networks

General

In the simplest sense, a Virtual Private Network (VPN) is used to create an end-to-end private network connection, or rather a tunnel, over third-party networks such as the internet. Depending on the type of VPN used, the connection is more or less secure and its users have either full or restricted access to internal network resources.

History

The term VPN has been associated with remote connectivity services such as the public telephone network and Frame Relay Permanent Virtual Circuits (PVCs). Nowadays it is a synonym for IP-based data networking. (AnexGATE)

Before modern VPNs came up, a company had to lease a dedicated link which connected the main business campus with its branch offices to build a comprehensive intranet. Companies which couldn't afford such a high amount of resources and expertise were left out.

Modern VPNs solve this problem. These days there is no longer the need to buy expensive infrastructure or lease dedicated lines. Instead, the solution is built on existing infrastructure, which almost any company already has. Instead of using private circuits, the public internet serves as a medium to connect sites in different locations.

Now some people would say that this is a questionable solution with regard to data security. Maybe it was in the past, but nowadays this counterargument is addressed by the rise of the Internet Protocol Security (IPsec) framework and Secure Sockets Layer (SSL) services.

These new technologies paved the way for the shift to telecommuting. So it's a fact that even if some people say they aren't affected by such technical nonsense, they can't ignore the capabilities which progress offers.

Benefits for Business

When companies use VPNs they can benefit in the following points:

• Cost efficiency: In most cases the companies don't have to lease dedicated WAN links anymore. Even if the leased lines provided a reliable and fast solution, it would be a lot better for the companies to spend their money on high-bandwidth internet connection technologies. So all of the transmissions are fast, not only those between the sites.

• Security: When modern VPN technologies are used, the sent data is protected with confidentiality and integrity during transit. This is realized through advanced encryption and authentication protocols.

• Scalability: Infrastructure which is already in place can be used to connect an office through a VPN connection. In most cases there are no additional costs, because either way the majority of companies have a high-bandwidth internet connection. (Cisco)


• Compatibility: With VPNs, branch offices as well as remote home offices and mobile workers can connect to the corporate network. This type of access is compatible with broadband technologies, among others. So flexibility and efficiency are provided, which are two of the most important points in today's business.

Implementation

A VPN connection can be made at either Layer 2, Layer 3, or the upper layers of the OSI model. Common examples of methods to form a Virtual Private Network are Generic Routing Encapsulation (GRE), Internet Protocol Security (IPsec) and Secure Sockets Layer (SSL), to mention but a few.

Generic Routing Encapsulation (GRE)

General

This protocol was originally developed by Cisco and later standardized as Request for Comments (RFC) 1701. GRE tunnels are stateless, just like the User Datagram Protocol (UDP). This means that each tunnel endpoint doesn't keep any information about the availability of the other endpoint. Due to its advantages it is still widely in use.

Process

GRE encapsulates the entire original IP packet with a tunneling IP header and a GRE header.

GRE packet - Dominik Herkel

Flags: Optional header fields.
Protocol Type: Type of payload (0x800 is used for IP).

VPN Method Decision - Dominik Herkel


    (Cisco)

    This results in an additional overhead of 24 bytes.
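As an added illustration, not part of the original report, the following Python builds exactly the packet the figure describes: a 20-byte tunneling IPv4 header plus a 4-byte GRE header (flags/version 0, protocol type 0x0800) in front of an unchanged inner IP packet, and then strips them again. The tunnel endpoints and the inner packet are constructed sample values.

```python
import struct

GRE_PROTO_IPV4 = 0x0800  # GRE "protocol type" for an IPv4 payload (the 0x800 in the table above)
IP_PROTO_GRE = 47        # value of the outer IPv4 header's protocol field for GRE


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; yields 0 when verifying a correct header."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header: no options, TTL 64, no fragmentation flags."""
    def ip2b(addr: str) -> bytes:
        return bytes(int(octet) for octet in addr.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ip2b(src), ip2b(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Prepend a 4-byte GRE header (no optional fields) and a 20-byte tunneling IPv4 header."""
    gre_hdr = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)  # flags/version = 0, then protocol type
    outer = ipv4_header(tunnel_src, tunnel_dst, IP_PROTO_GRE, len(gre_hdr) + len(inner_packet))
    return outer + gre_hdr + inner_packet


def gre_decapsulate(packet: bytes) -> bytes:
    """Validate the outer headers, skip any optional GRE fields and return the original IP packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IP_PROTO_GRE:
        raise ValueError("outer header does not carry GRE (protocol 47)")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("outer IPv4 header checksum mismatch")
    flags_ver, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver & 0x0007:
        raise ValueError("only GRE version 0 (RFC 1701) is handled here")
    gre_len = 4
    if flags_ver & 0xC000:  # C or R bit set: checksum + offset fields present
        gre_len += 4
    if flags_ver & 0x2000:  # K bit set: key field present
        gre_len += 4
    if flags_ver & 0x1000:  # S bit set: sequence number present
        gre_len += 4
    if proto != GRE_PROTO_IPV4:
        raise ValueError(f"unexpected GRE payload type 0x{proto:04x}")
    return packet[ihl + gre_len:]


def demo() -> dict:
    """Constructed inner packet (192.168.1.10 -> 192.168.3.20, UDP, 8 payload bytes) sent over a tunnel."""
    inner = ipv4_header("192.168.1.10", "192.168.3.20", 17, 8) + b"\x00" * 8
    tunneled = gre_encapsulate(inner, "10.1.1.2", "10.2.2.2")
    return {
        "overhead_bytes": len(tunneled) - len(inner),   # 24 = 20 outer IP + 4 GRE
        "round_trip_ok": gre_decapsulate(tunneled) == inner,
        "inner_visible_in_clear": inner in tunneled,     # GRE adds no encryption at all
    }


if __name__ == "__main__":
    print(demo())
```

The last key of the result makes the "Security" disadvantage below concrete: the original packet sits byte-for-byte inside the tunneled one.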

Advantages

GRE comes up with the following advantages:

• Multiprotocol support: GRE supports multiprotocol tunneling. This means that it isn't narrowed to IP networks only, but can also carry IPX or AppleTalk. Certainly it is a fact that IP networks are the most common nowadays.

• Routing protocol support: Another advantage of GRE as opposed to other VPN protocols is its routing protocol support. Through a GRE tunnel, routers can advertise their Open Shortest Path First (OSPF), Routing Information Protocol (RIP) and Enhanced Interior Gateway Routing Protocol (EIGRP) routes, to mention but a few.

• Multicast and broadcast support: GRE doesn't only support unicasts; it can also handle multicasts and broadcasts.

Disadvantages

Even if GRE has great advantages, it is also affected by some big disadvantages:

• Security: In general, traffic which traverses a GRE tunnel isn't protected by encryption or other security measures. This is because when GRE was developed, security wasn't a big concern. The traffic can easily be altered or eavesdropped.

• Overhead: The GRE header together with the tunneling IP header creates at least 24 bytes of additional overhead for tunneled packets. (Cisco)

Internet Protocol Security (IPsec)

General

This protocol is standardized in RFC 2401. One of the main characteristics of IPsec is that it isn't bound to any specific security technologies. Instead it is a framework of open standards that defines the rules for a secure communication process. Therefore IPsec itself doesn't come up with any new encryption algorithms to provide confidentiality of data; it uses already existing security standards. Furthermore, IPsec operates at the network layer of the OSI model and in theory works with all data link layer protocols, such as Ethernet or Token Ring. Although I couldn't find any real implementation of IPsec over Token Ring.

The IPsec process and the security measures are described below:

• Protocol: When using IPsec, one of the protocols below must be selected. Both solutions can work either in transport or tunnel mode.


  Tunnel mode: Security for the complete original IP packet is provided. The original IP packet is encrypted and then encapsulated in another IP packet. This is known as IP-in-IP encryption. The outer IP packet is used for routing it through the Internet.

  Transport mode: Different from tunnel mode, the original IP address is left in plaintext. Security is only provided for the rest of the packet.

  o Authentication Header (AH): It is the appropriate protocol when confidentiality is not required. Therefore it only provides authentication and integrity. Confidentiality through encryption isn't part of this method; consequently all data is sent in plaintext.

  o Encapsulating Security Payload (ESP): Just like AH, this protocol also supports authentication and integrity, with the big difference that data encryption is also provided.

• Confidentiality: To achieve this feature, the traffic is encrypted by symmetric algorithms. For example, Data Encryption Standard (DES), Triple Data Encryption Standard (3DES) and Advanced Encryption Standard (AES) are used.

• Integrity: Keyed-Hash Message Authentication Codes (HMAC) are used to prove integrity and authenticity of data. Instead of only calculating a hash value of the data, an additional shared secret key is combined with the data beforehand. Then the HMAC is calculated over the key-data combination with a hash algorithm like Message-Digest Algorithm 5 (MD5) or Secure Hash Algorithm (SHA-1, SHA-2 and SHA-3).

• Authentication: In a conversation it is necessary that both participating parties authenticate each other. To achieve this, either pre-shared secret keys or Rivest-Shamir-Adleman (RSA) signatures are used.

• Secure Key Exchange: In a symmetric key system it is important to ensure that all participating parties know the secret key prior to encrypting or decrypting data. Therefore the Diffie-Hellman (DH) key exchange method was developed. It is a mathematical algorithm that allows two parties to generate an identical shared secret without having ever communicated before. The new shared key is never actually exchanged between the sender and receiver, but both parties know it. DH defines several groups, from number 1 to 24, which differ in the strength of the encryption.

IPsec Framework - Dominik Herkel
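Added example, not from the original report: a Python walk-through of two of the framework pieces listed above, the Secure Key Exchange item (a Diffie-Hellman exchange that yields the same shared secret on both sides without ever sending it) and the Integrity item (an HMAC over key plus data that lets the receiver reject altered or forged packets). The DH parameters are a constructed toy group, not one of the IKE groups 1 to 24, and the protected payload is a constructed stand-in.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed toy Diffie-Hellman parameters for this example only: p is the Mersenne prime
# 2**127 - 1. This is NOT one of the IKE groups 1..24 the report mentions; real IPsec peers
# negotiate a standardized MODP or elliptic-curve group of far greater strength.
TOY_P = 2**127 - 1
TOY_G = 3


def dh_keypair(private: Optional[int] = None) -> tuple:
    """Return (private exponent a, public value g^a mod p). Only the public value goes on the wire."""
    a = private if private is not None else secrets.randbelow(TOY_P - 3) + 2
    return a, pow(TOY_G, a, TOY_P)


def dh_shared_secret(own_private: int, peer_public: int) -> int:
    """(g^b)^a == (g^a)^b mod p, so both peers compute the same number independently."""
    return pow(peer_public, own_private, TOY_P)


def derive_hmac_key(shared_secret: int) -> bytes:
    """Simple KDF stand-in: hash the numeric shared secret into a 32-byte HMAC key."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def authenticate(key: bytes, payload: bytes) -> bytes:
    """HMAC-SHA256 over the payload: the secret key and the data are combined, then hashed."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify(key: bytes, payload: bytes, tag: bytes) -> bool:
    """Constant-time comparison, so a wrong tag does not leak how many bytes matched."""
    return hmac.compare_digest(authenticate(key, payload), tag)


def demo(a_private: int = 0x1234_5678_9ABC_DEF0, b_private: int = 0x0FED_CBA9_8765_4321) -> dict:
    """Fixed private exponents keep the run reproducible; real peers draw them at random."""
    a_private, a_public = dh_keypair(a_private)
    b_private, b_public = dh_keypair(b_private)
    key_a = derive_hmac_key(dh_shared_secret(a_private, b_public))
    key_b = derive_hmac_key(dh_shared_secret(b_private, a_public))

    # Constructed stand-in for one protected datagram; under ESP this part would also be encrypted.
    payload = b"SPI=0x00001000 seq=1 inner=192.168.1.10->192.168.3.20"
    tag = authenticate(key_a, payload)
    tampered = payload.replace(b"seq=1", b"seq=7")
    outsider_key = derive_hmac_key(424242)  # someone who did not take part in the exchange

    return {
        "keys_match": key_a == key_b,
        "genuine_accepted": verify(key_b, payload, tag),
        "tampered_rejected": not verify(key_b, tampered, tag),
        "outsider_tag_rejected": not verify(key_b, payload, authenticate(outsider_key, payload)),
    }


if __name__ == "__main__":
    print(demo())
```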


Process

The operation of IPsec VPNs can be broken down into five steps:

1. Initiation: Interesting traffic which matches the configured security policy starts the Internet Key Exchange process.
2. IKE phase 1: IPsec peers are authenticated and Security Associations (SAs) are negotiated. A secure channel is set up.
3. IKE phase 2: IPsec SA parameters are negotiated and matching IPsec SAs are set up.
4. Data transfer: Data can be securely transmitted between the IPsec peers.
5. IPsec tunnel termination: The tunnel is terminated because it timed out or was manually torn down.

A detailed description of these steps is beyond the scope of this presentation, because they require a comprehensive understanding of security in general, IPsec and the Internet Key Exchange (IKE). For further information use the internet or attend a CCNA Security certification class.

Advantages

• Security: Authentication, confidentiality and integrity are provided by IPsec VPNs. In fact, security is the biggest concern.

• Based on existing algorithms: One of the biggest advantages of the IPsec suite is that it doesn't try to reinvent the wheel. Instead it is based on existing algorithms. Therefore even new inventions can be added to IPsec and used in the process.

Disadvantages

• Solely IP support: No other Layer 3 protocols are supported. So when AppleTalk or IPX should be used, the VPN can't be based on IPsec.

• Only unicasts: Multicasts and broadcasts aren't supported. Therefore only unicasts can be sent.

• Routing protocols not supported: Routing protocols like OSPF, RIP and EIGRP are not supported. In IPsec VPNs only static routes can be used.

VPN Method Decision - Dominik Herkel

(Cisco)


GRE over IPsec

As time passed, the idea came up to use GRE and IPsec together. So often there is no need to decide between the two tunnel technologies anymore. This method combines the benefits of GRE and IPsec into one solution: the security of the data is provided by the IPsec framework, combined with the flexibility of GRE. Therefore GRE's multiprotocol support, routing updates, multicasts and broadcasts can be sent encrypted and secured over the tunnel.

SSL/TLS

General

The Secure Sockets Layer (SSL) protocol is the predecessor of the modern Transport Layer Security (TLS) protocol. Both work at the presentation layer of the OSI model, and the term SSL is often used for TLS too. SSL/TLS use asymmetric cryptography for their key exchange, HMACs for authentication and integrity, and symmetric algorithms for bulk encryption. To authenticate the providing participant in the communication process, certificates issued by third-party Certification Authorities (CAs), such as VeriSign, are involved. One of SSL/TLS's major operational areas is Hypertext Transfer Protocol Secure (HTTPS).

Process

To ease this presentation, the process of SSL/TLS is described in the YouTube video below:

http://www.youtube.com/watch?v=SJJmoDZ3il8

Advantages

• Security: The communication process over an SSL/TLS VPN is secured by authentication, confidentiality and integrity.

• Almost everywhere available: One of the biggest advantages of SSL/TLS over other VPN technologies is that for most implementations only a generic modern web browser is needed. So no client software, like Cisco AnyConnect, is needed.


• Third party regulation: Entities which provide SSL/TLS VPNs, for example for secure shopping, are regulated and verified by third-party organizations.

Disadvantages

• Faked SSL/TLS certificates: Users are lulled into a false sense of security by certificates from CAs. It's not uncommon that malicious attackers tamper with SSL/TLS certificates.

• Denial of Service (DoS) attacks: It's a fact that establishing an SSL/TLS VPN connection requires much more resources on the server than on the client computer. This fact can be exploited in a DoS attack.

Cisco VPN Solutions

Cisco provides a broad and comprehensive selection of VPN solutions:

• Cisco Integrated Services Router (ISR) with VPN enabled
• Cisco Private Internet eXchange (PIX) - end of life (EOL), end of sale (EOS)
• Cisco Adaptive Security Appliance (ASA) 5500 Series
• Cisco VPN 3000 Series Concentrator - end of life (EOL), end of sale (EOS)
• Small and Home Office (SOHO) Routers

Access Network Resources

There are several ways provided by Cisco to access network resources through VPNs:

• Site-to-Site Configuration
• Cisco VPN Client
• Cisco AnyConnect VPN Client

Configuration

To give only a short overview of the complexity of IPsec tunnel configuration, here is an excerpt of the commands which are needed to set up this type of VPN on a Cisco IOS router:

VPNs - Dominik Herkel


R1

R1(config)#access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encryption aes
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#exit
R1(config)#crypto isakmp key vpnpa55 address 10.2.2.2 0.0.0.0
R1(config)#crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
R1(config)#crypto map VPN-MAP 10 ipsec-isakmp
R1(config-crypto-map)#match address 110
R1(config-crypto-map)#set peer 10.2.2.2
R1(config-crypto-map)#set transform-set VPN-SET
R1(config-crypto-map)#exit
R1(config)#interface se0/0/0
R1(config-if)#crypto map VPN-MAP

R3

R3(config)#access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#encryption aes
R3(config-isakmp)#hash sha
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#lifetime 86400
R3(config-isakmp)#exit
R3(config)#crypto isakmp key vpnpa55 address 10.1.1.2 0.0.0.0
R3(config)#crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
R3(config)#crypto map VPN-MAP 10 ipsec-isakmp
R3(config-crypto-map)#match address 110
R3(config-crypto-map)#set peer 10.1.1.2
R3(config-crypto-map)#set transform-set VPN-SET
R3(config-crypto-map)#exit
R3(config)#interface se0/0/1
R3(config-if)#crypto map VPN-MAP
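The excerpt above uses settings that were common when the report was written (2012) but that a reviewer would flag today: 3DES, SHA-1 (which is what `hash sha` selects on IOS), DH group 2 (1024-bit MODP) and a seven-character pre-shared key. As an added example, not part of the report, this Python script parses the R1 side of that configuration (re-typed here without the CLI prompts) and lists those findings; the weak-setting lists and the key-length threshold are this example's own assumptions, not Cisco guidance quoted from the page.

```python
import re

# Constructed input: the R1 commands from the excerpt above, without the R1(config...)# prompts.
R1_CONFIG = """
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key vpnpa55 address 10.2.2.2 0.0.0.0
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 match address 110
 set peer 10.2.2.2
 set transform-set VPN-SET
interface se0/0/0
 crypto map VPN-MAP
"""

# Assumed review thresholds: legacy algorithms and small DH groups a current audit would reject.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
WEAK_IKE_HASHES = {"md5", "sha"}        # on IOS, "hash sha" means SHA-1
WEAK_IKE_CIPHERS = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}        # 768-, 1024- and 1536-bit MODP
MIN_PSK_LEN = 20


def audit_isakmp_ipsec(config: str) -> list:
    """Walk the config once; return one human-readable finding per weak setting found."""
    findings = []
    in_policy = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("crypto isakmp policy"):
            in_policy = True          # following indented lines belong to this policy
            continue
        if in_policy and not raw.startswith(" "):
            in_policy = False         # first unindented line ends the policy block
        if in_policy:
            keyword, _, value = line.partition(" ")
            if keyword == "hash" and value in WEAK_IKE_HASHES:
                findings.append(f"IKE hash '{value}' is SHA-1/MD5")
            elif keyword == "encryption" and value in WEAK_IKE_CIPHERS:
                findings.append(f"IKE encryption '{value}' is weak")
            elif keyword == "group" and value in WEAK_DH_GROUPS:
                findings.append(f"IKE DH group {value} is too small")
            elif keyword == "authentication" and value == "pre-share":
                findings.append("IKE authentication relies on a pre-shared key")
            continue
        m = re.match(r"crypto isakmp key (\S+) address", line)
        if m and len(m.group(1)) < MIN_PSK_LEN:
            findings.append(f"pre-shared key is only {len(m.group(1))} characters long")
        m = re.match(r"crypto ipsec transform-set \S+ (.*)", line)
        if m:
            for transform in m.group(1).split():
                if transform in WEAK_TRANSFORMS:
                    findings.append(f"IPsec transform '{transform}' is weak")
    return findings


if __name__ == "__main__":
    for finding in audit_isakmp_ipsec(R1_CONFIG):
        print("-", finding)
```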


Bibliography

AnexGATE. (n.d.). AnexGATE. Retrieved from http://www.anexgate.com/downloads/whitepapers/vpnprimer.pdf

Cisco. (n.d.). Cisco. Retrieved from http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

Cisco. (n.d.). Cisco Netacademy. Retrieved from http://www.cisco.com/web/learning/netacad/index.html

Covenant. (n.d.). DSLreports. Retrieved from http://www.dslreports.com/faq/8228

Edwards, J. (n.d.). ITsecurity. Retrieved from http://www.itsecurity.com/features/vpn-popularity-021108/

Itif. (n.d.). Itif. Retrieved from http://www.itif.org/files/Telecommuting.pdf

Kilpatrick, I. (n.d.). IT Pro Portal. Retrieved from http://www.itproportal.com/2007/05/18/benefits-and-disadvantages-of-ssl-vpns/

Mason, A. (n.d.). CiscoPress. Retrieved from http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7

Pearson. (n.d.). Pearsoncmg. Retrieved from http://ptgmedia.pearsoncmg.com/images/9781587201509/samplechapter/158720150X_CH14.pdf

Rager, A. T. (n.d.). SourceForge. Retrieved from http://ikecrack.sourceforge.net/

SANS Institute. (n.d.). GoogleDocs. Retrieved from https://docs.google.com/viewer?a=v&q=cache:LcJ_BIRpFl4J:www.sans.org/reading_room/whitepapers/vpns/vulnerabilitys-ipsec-discussion-weaknesses-ipsec-implementation-pro_760+ipsec+vulnerabilities&hl=de&gl=at&pid=bl&srcid=ADGEESjc5VtF9axW6pM9jnZscnGxhS2U9roAq

Suida, D. (n.d.). WordPress. Retrieved from http://waynetwork.wordpress.com/2011/07/02/video-tutorial-ipsec-over-a-gre-tunnel/

Unknown. (n.d.). ETutorials. Retrieved from http://etutorials.org/Networking/network+security+assessment/Chapter+11.+Assessing+IP+VPN+Services/11.2+Attacking+IPsec+VPNs/

Unknown. (n.d.). Journey2CCIE. Retrieved from http://journey2ccie.blogspot.co.at

Unknown. (n.d.). Teleworkers Research Network. Retrieved from http://www.teleworkresearchnetwork.com/telecommuting-statistics

Unknown. (n.d.). The Hackers Choice. Retrieved from http://thehackerschoice.wordpress.com/2011/10/24/thc-ssl-dos/

Wikipedia. (n.d.). Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Telecommuting#Telecommuting_and_telework_statistics

Wikipedia. (n.d.). Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Transport_Layer_Security

Zandi, S. (n.d.). Cisco LearningNetwork. Retrieved from https://learningnetwork.cisco.com/docs/DOC-2457