12-Sep-15 Virtual Private Network

Virtual Private Network

Why the need

To transmit files securely without disclosing sensitive information to others on the Internet

Each LAN is an island

How to communicate with other islands?

LANs in an Internet sea

Communication in the Internet

Using a leased line

Using VPN

Secure communication at different levels

Using the TCP/IP model:

Application level: PGP, SSH

Transport level: SSL VPN

Network level: IPSec

Data link level: PPTP, L2TP

Protection at a lower level is usually more flexible and simpler.

WAN Technology

PPP

X.25

Frame Relay

ATM

Point to Point Protocol

A data link protocol commonly used to establish a direct connection between two nodes over a serial cable or phone line.

Most Internet service providers use PPP for customers' dial-up access to the Internet.

Other versions: PPPoE and PPPoA.

Point to Point Protocol

Negotiation of the IP address and the address of the name server

Provides authentication (using CHAP)

Encryption may be used (DES or RC4)

Supports multiple protocols on the same link

What is a Virtual Private Network

A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet.

A VPN enables you to send data between two computers across a shared or public internetwork in a manner that emulates the properties of a point-to-point private link.

What is a Virtual Private Network

Secure private communication over the public Internet

Private IP packets are encapsulated within public packets (the tunnel)

An additional header is added

Authentication is required

Packets are usually encrypted

Advantages of using VPN

Cost saving: a public network is used instead of a private leased line

Flexibility: users can connect from anywhere

Confidentiality of packets by encryption

Integrity of packets by use of IPSec

Elements of VPN

Authentication

Tunneling

Encryption (including key exchange)

VPN Components

Authentication

User authentication using passwords and certificates

Machine authentication using certificates

Authentication Protocols

Password Authentication Protocol (PAP)

Challenge Handshake Authentication Protocol (CHAP)

MS-CHAP Version 1 and 2

Extensible Authentication Protocol (EAP)
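CHAP, listed above, never puts the shared secret on the wire: the authenticator sends a random challenge and the peer answers with MD5(identifier || secret || challenge). The block below is an added example written for this page, not code from the slides, implementing both sides of the RFC 1994 exchange; the peer names and secrets are constructed sample values.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator (server) side: hands out random challenges and checks responses."""

    def __init__(self, secrets: dict):
        self.secrets = secrets   # peer name -> shared secret; the secret never crosses the wire
        self.pending = {}        # identifier -> outstanding challenge; each one is single use

    def challenge(self, identifier: int, size: int = 16) -> bytes:
        chal = os.urandom(size)  # an unpredictable challenge is what defeats replay
        self.pending[identifier] = chal
        return chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self.pending.pop(identifier, None)   # consume it: a second use must fail
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, chal), response)


def chap_round(auth: ChapAuthenticator, identifier: int, name: str, peer_secret: bytes) -> bool:
    """One Challenge -> Response -> Success/Failure round, with the peer's steps inline."""
    chal = auth.challenge(identifier)                     # Challenge packet to the peer
    resp = chap_response(identifier, peer_secret, chal)   # peer hashes; the secret itself is not sent
    return auth.verify(identifier, name, resp)            # authenticator answers Success or Failure


def replay_rejected(auth: ChapAuthenticator, identifier: int, name: str, secret: bytes) -> bool:
    """A Response captured from one session is useless against the next challenge."""
    captured = chap_response(identifier, secret, auth.challenge(identifier))
    first = auth.verify(identifier, name, captured)       # legitimate use succeeds
    auth.challenge(identifier)                            # new session, fresh challenge
    return first and not auth.verify(identifier, name, captured)
```

Because the response is an unkeyed MD5 over a short secret, a recorded challenge/response pair lets the secret be guessed offline; this is why strong secrets, or certificate-based EAP methods, are preferred over plain CHAP.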

Tunneling

To emulate a point-to-point link, data is encapsulated, or wrapped, with a header that provides routing information allowing it to traverse the shared or public transit internetwork to reach its endpoint.

The tunnel needs to be created, controlled, and terminated.

Tunnel and VPN

The portion of the connection in which the private data is encapsulated is known as the tunnel.

The portion of the connection in which the private data is encrypted is known as the virtual private network (VPN).
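The encapsulation described above, as an added example written for this page rather than code from the slides: a private IP packet is wrapped in a basic GRE header (the data channel PPTP tunnels over; PPTP's own GRE variant adds key and sequence fields, omitted here) and a public outer IP header, then unwrapped and validated at the far end. The 10.x private addresses and the public gateway addresses are constructed sample values.

```python
import struct

GRE_PROTO = 47            # IP protocol number of GRE, the data channel PPTP tunnels over
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type value meaning "payload is an IPv4 packet"

def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a header carrying a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def encapsulate(inner_packet: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Tunnel entry: the private packet becomes the payload of GRE plus a public outer IP header."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # basic RFC 2784 header: no C/K/S fields, version 0
    outer = ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner_packet))
    return outer + gre + inner_packet

def decapsulate(outer_packet: bytes) -> bytes:
    """Tunnel exit: validate the outer IP and GRE headers, then hand back the original packet."""
    if len(outer_packet) < 24 or outer_packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (outer_packet[0] & 0x0F) * 4
    if ihl < 20 or ip_checksum(outer_packet[:ihl]) != 0:
        raise ValueError("corrupt outer IP header")
    total_len = struct.unpack("!H", outer_packet[2:4])[0]
    if outer_packet[9] != GRE_PROTO or total_len != len(outer_packet):
        raise ValueError("not a complete GRE packet")
    flags, ptype = struct.unpack("!HH", outer_packet[ihl:ihl + 4])
    if flags & 0xF000 or ptype != ETHERTYPE_IPV4:   # reject C/R/K/S option bits and non-IPv4 payloads
        raise ValueError("unsupported GRE header")
    return outer_packet[ihl + 4:]

def addresses(packet: bytes) -> tuple:
    """(source, destination) of an IPv4 packet as dotted quads."""
    return ".".join(map(str, packet[12:16])), ".".join(map(str, packet[16:20]))

# Constructed sample: a 10.0.0.0/8 packet (UDP, 5 payload bytes) tunnelled between two public gateways
INNER = ipv4_header("10.0.0.5", "10.0.1.7", 17, 5) + b"hello"
TUNNELED = encapsulate(INNER, "203.0.113.10", "198.51.100.20")
```

Note that on the public network only the outer addresses are visible for routing, but the private packet itself is still readable: the tunnel alone gives no confidentiality until the payload is encrypted, which is the distinction the two sentences above draw.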

VPN connection

Tunneling

Tunneling Protocol

Point-to-Point Tunneling Protocol (PPTP)

Layer Two Tunneling Protocol (L2TP)

IPSec tunnel mode

Encryption

The data being sent is encrypted for confidentiality to emulate a private link; the original IP header information is also hidden.

Usual encryption protocols:

Microsoft Point to Point Encryption (MPPE) – RC4

Advanced Encryption Standard (AES)

Encapsulating Security Payload (ESP) – choose among many protocols

Types of VPN connection

Gateway to Gateway: connecting the networks of two sites

Host to Gateway: a mobile worker connecting to a company server

Host to Host: administering a network remotely

Type of VPN connection

Remote access VPN: a mobile worker accesses the company network

Requires a VPN client

Dial-in connection when necessary

Site-to-Site VPN: connects the LANs of two sites together

Requires a router with special functions

May be persistent 24 hours a day

Remote Access to Intranet

Site to Site connection

Tunneling Protocol

The encapsulation can be done at layer 2 or layer 3.

Layer 2: Point to Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP)

Layer 3: IP Security (IPSec)

PPTP

PPTP establishes the tunnel but does not provide encryption.

It is used in conjunction with the Microsoft Point-to-Point Encryption (MPPE) protocol to create a secure VPN.

PPTP has relatively low overhead, making it faster than some other VPN methods.

L2TP

The Layer 2 Tunneling Protocol (L2TP) was developed in cooperation between Cisco and Microsoft, combining features of PPTP with those of Cisco’s proprietary Layer 2 Forwarding (L2F) protocol.

L2TP/IPSec

The Encapsulating Security Payload (ESP) header and trailer of IPSec encapsulate the L2TP payload, providing authentication and encryption and therefore better security.

The Authentication Header (AH) provides authentication and integrity protection of the data without encryption.

PPTP VS L2TP

L2TP/IPSec connections provide stronger authentication by requiring both computer-level authentication through certificates and user-level authentication through a PPP authentication protocol.

With PPTP, data encryption begins after the PPP connection process. With L2TP/IPSec, data encryption begins before the PPP connection process, by negotiating an IPSec security association.

PPTP VS L2TP

Both PPTP and L2TP can be used with IP, IPX/SPX and NetBEUI.

L2TP can be used on non-IP networks such as ATM, frame relay and X.25.

Performance of PPTP is better than L2TP because of less overhead.

L2TP is more secure and is the preferred method.

PPTP VS L2TP

Feature                   PPTP               L2TP/IPSec
Tunnel authentication                        Yes
Encryption method         MPPE               IPSec (more secure)
Transit media support     IP                 IP, X.25, ATM, Frame Relay
Datagrams supported       IP, IPX, NetBEUI   IP, IPX, NetBEUI
Supports older clients    Yes                No
Passes through NAT        Yes                Might
Requires PKI                                 Yes
Computer authentication                      Yes
Speed                     Faster             Slower

RADIUS

The Remote Authentication Dial-in User Service (RADIUS) protocol is a popular method for managing remote user authentication and authorization.

It is a lightweight, UDP-based protocol. RADIUS servers can be located anywhere on the Internet and provide authentication.
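As an added example written for this page (not from the slides), this is how a RADIUS Access-Request carries the user's password: the client hides it by XORing with an MD5 keystream derived from the shared secret and a random Request Authenticator (RFC 2865 section 5.2), and the server reverses the operation. The user name, password and shared secret are constructed sample values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def _md5_xor_chain(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2 keystream: b1 = MD5(S||RA), b_i = MD5(S||c_(i-1)), c = blocks on the wire."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out += result
        prev = result if hiding else block   # the chain always runs over the hidden (wire) blocks
    return out

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client side: pad to a 16-byte multiple and XOR with the keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _md5_xor_chain(padded, secret, request_auth, hiding=True)

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo the XOR and strip the zero padding."""
    return _md5_xor_chain(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")

def access_request(identifier: int, secret: bytes, user: bytes, password: bytes) -> bytes:
    """Build an Access-Request: Code, ID, Length, 16-byte random Request Authenticator, attributes."""
    request_auth = os.urandom(16)
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(user)) + user
    hidden = hide_password(password, secret, request_auth)
    attrs += struct.pack("!BB", ATTR_USER_PASSWORD, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs

def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """Server side: walk the type-length-value attributes and recover user name and password."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a complete Access-Request")
    request_auth, pos, out = packet[4:20], 20, {"id": identifier}
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:   # guard against a zero-length or overrunning TLV
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_USER_NAME:
            out["user"] = value
        elif attr_type == ATTR_USER_PASSWORD:
            out["password"] = reveal_password(value, secret, request_auth)
        pos += attr_len
    return out
```

The only protection the password gets on the wire is this MD5 construction keyed by the shared secret, so a RADIUS server reached across the Internet is normally placed behind an IPSec tunnel or another protected transport rather than exposed directly.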

Secure Network Technologies

PPTP: Free from Microsoft

PPTP: Security

Link Layer: L2TP

Network Layer: IPSec VPNs (3 parts)

IPSec Authentication

IPSec Encryption

Terminology

MPPE: Microsoft Point-to-Point Encryption

MPLS: Multi-Protocol Label Switching

AH: Authentication Header

ESP: Encapsulating Security Payload

GRE: Generic Routing Encapsulation
