Virtual Private Networks
© J. Liebeherr, All rights reserved, 10/22/05
Goal of VPN
• The goal of a Virtual Private Network (VPN) is to provide private communications within the public Internet infrastructure
• VPNs apply various networking technologies to achieve this goal
• The basic concepts:
– Build a virtual overlay network that runs on top of the infrastructure of the Internet
– "Virtual" means that there is no new infrastructure
– Connect private networks by the overlay network
Why is there a need for VPN?
• The Internet has insufficient security mechanisms
– IP packets are not authenticated or encrypted
– Users with access to the network can read the content of IP traffic
• Application-layer solutions are not always suitable
– Secure Web access, secure mail clients, secure file transfer, and secure terminal applications are only point-to-point solutions and assume a client/server relationship
– Application-layer solutions require that each application is protected in isolation; they do not secure networks
VPN Overlay Network
[Figure: three private intranets, each behind a VPN router, connected across the public Internet by IP-in-IP tunnels between the VPN routers]
Tunneling
• VPN routers connect via IP tunnels
• With tunneling, IP packets are encapsulated by another IP header (IP-in-IP encapsulation)
[Figure: IP-in-IP tunnel between two VPN routers, passing through a router in the public Internet. Inside the tunnel, each original packet (IP header + payload) travels as the payload of an outer IPv4 header; the outer header is added by the entry VPN router and removed by the exit VPN router.]
VPN Security
• VPNs use many security mechanisms
– Authentication: Identify VPN users and devices
– Access control: Ensure authorized use of VPN resources
– Data security: Use cryptography to obscure content transmitted over the VPN
Components of a VPN Solution
VPN Gateway:
• Located at the corporate network perimeter, the gateway performs tunneling, authentication, access control, and data security.
• Sometimes, VPN gateway functions can be integrated into a router or firewall
VPN Client:
• Software used for remote VPN access
• Creates a secure path from a remote client computer to a VPN gateway
[Figure: a VPN gateway sits at the boundary between a private network and the public network]
VPN Architectures
• VPN architectures can be separated into three scenarios:
1. Site-to-Site Intranet VPN:
– Multiple network sites at different locations within the same organization are connected using a VPN to form a larger corporate network
2. Remote Access VPN:
– Connect a single remote device to a corporate intranet
3. Extranet VPN:
– Network resources within a corporate network are opened for access for dedicated purposes
Site-to-Site Intranet VPN
[Figure: three intranets, each with its own VPN gateway, joined by VPN tunnels across the public Internet]
• VPN tunnels establish secure communication links
Remote Access VPN
[Figure: remote devices behind a WiFi access point or a cable modem reach the intranet's VPN gateway through a VPN tunnel across the public Internet]
• Also called: Virtual Private Dial Network (VPDN)
Extranet VPN
[Figure: the intranet's VPN gateway terminates VPN tunnels across the public Internet from a customer (behind a cable modem, customer access) and from a partner network with its own VPN gateway (partner access)]
VPN Tunneling Protocols
• Role of VPN tunnels:
1. Encapsulation of messages
2. Privately address packets through public infrastructure
3. Provide data integrity and confidentiality
– Layer-2 tunneling protocols carry Point-to-Point Protocol (PPP) frames through IP networks
– PPP:
– PPP is used to send IP packets over serial connections
– Used extensively for point-to-point data links (dial-in)
– Can provide authentication
PPP frame format (field widths in bytes):
| flag | addr | ctrl | protocol | data    | CRC | flag |
| 7E   | FF   | 03   |          |         |     | 7E   |
| 1    | 1    | 1    | 2        | <= 1500 | 2   | 1    |
A protocol value of 0021 means the data field carries an IP datagram.
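As an added example (not part of the original slides), here is a Python encoder and parser for the PPP frame laid out above, using the RFC 1662 FCS-16 so that a corrupted frame is rejected instead of being handed to the IP layer. The protocol names beyond 0021 (LCP, IPCP) come from RFC 1661 and RFC 1332; the sample IPv4 header is constructed, and RFC 1662 byte stuffing of flag and escape characters inside the data field is left out.

```python
import struct

FLAG, ADDR, CTRL = 0x7E, 0xFF, 0x03
PROTOCOLS = {0x0021: "IP datagram", 0xC021: "LCP", 0x8021: "IPCP"}   # RFC 1661 / RFC 1332 values
PPPINITFCS16, PPPGOODFCS16 = 0xFFFF, 0xF0B8                        # RFC 1662 constants

def fcs16_raw(data, fcs=PPPINITFCS16):
    """Bitwise CRC-16 of RFC 1662 (reflected polynomial 0x8408), without the final complement."""
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs

def build_frame(protocol, data):
    """flag | FF | 03 | protocol | data | FCS | flag; RFC 1662 byte stuffing is omitted."""
    body = bytes([ADDR, CTRL]) + struct.pack("!H", protocol) + data
    fcs = fcs16_raw(body) ^ 0xFFFF                 # sent least significant octet first
    return bytes([FLAG]) + body + struct.pack("<H", fcs) + bytes([FLAG])

def parse_frame(frame):
    """Return (protocol, protocol name, data); raise ValueError on bad framing or FCS."""
    if len(frame) < 8 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing flag bytes")
    body = frame[1:-1]
    # The CRC run over address..FCS must leave the RFC 1662 'good' residue
    if fcs16_raw(body) != PPPGOODFCS16:
        raise ValueError("FCS mismatch: frame corrupted")
    if body[0] != ADDR or body[1] != CTRL:
        raise ValueError("unexpected address/control bytes")
    protocol = struct.unpack("!H", body[2:4])[0]
    return protocol, PROTOCOLS.get(protocol, "unknown"), body[4:-2]

# Constructed sample: a 20-byte IPv4 header (no payload) as the data of a protocol-0021 frame
SAMPLE_IP = bytes.fromhex("45000073000040004011b861c0a80001c0a800c7")
SAMPLE_FRAME = build_frame(0x0021, SAMPLE_IP)
```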
Layer-2 Tunneling Protocol
• Developed to facilitate PPP access by remote computers to a private network over an IP-based network
Remote Dial-in:
• Remote Access Service (RAS) provides banks of phone lines for connecting remote users
• Remote system calls up and establishes a PPP connection to the RAS service
With Layer-2 tunneling:
• Approach: Tunnel PPP packets through the Internet
• Access concentrator (possibly inside the remote system) encapsulates PPP frames
• Network server terminates the VPN tunnel
[Figure: top, remote dial-in: remote system, PPP connection over the telephone network, RAS server, intranet. Bottom, Layer-2 tunneling: remote system, PPP connection to an access concentrator, tunnel across the Internet to the network server, intranet]
Layer-2 Tunneling Protocols
Point-to-Point Tunneling Protocol (PPTP):
– Developed by Microsoft, 3Com, US Robotics, and others
– Goal: Provide VPN between remote access users and network servers
– Approach: Tunneling on client systems
Layer-2 Forwarding Protocol (L2F):
– Developed by Cisco, Nortel and others
– Virtual dial-up protocol for managed networks
– Approach: Tunneling is performed as a network service (not by the client)
Layer-2 Tunneling Protocol (L2TP):
– Developed within the IETF
– Combines concepts of PPTP and L2F
Remote Dial-in Layer-2 Tunneling Protocol
Assumes the Layer-2 tunneling protocol PPTP:
• User does remote dial-in to the ISP and establishes a PPP connection
• Establish a (TCP) connection to set up a control channel
• Establish a PPTP tunnel
• Establish a PPP tunnel that sends PPP frames over the PPTP tunnel
• IP packets are carried in PPP frames
[Figure: remote client, PPP connection to the ISP network server; PPTP control channel and PPTP tunnel across the Internet to the intranet's network server; a PPP connection carrying IP runs inside the PPTP tunnel]
Encapsulation at remote client
[Figure: same topology as the previous slide: remote client, PPP to the ISP network server, PPTP control channel and PPTP tunnel across the Internet to the intranet's network server, PPP carrying IP inside the tunnel]
Encapsulation steps at the remote client (outermost header on the left):
1. Original IP packet: IP header | Payload
2. PPP encapsulation to the remote Network Server: PPP | IP header | Payload
3. GRE header is used by PPTP: GRE header | PPP | IP header | Payload
4. IP header for the public Internet: IP header | GRE header | PPP | IP header | Payload
5. PPP encapsulation to the ISP Network Server: PPP | IP header | GRE header | PPP | IP header | Payload
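The following added Python example (not from the slides) builds and then walks, from the outside in, both the IP-in-IP tunnel of the Tunneling slide and the five-layer PPTP stack above, checking each IPv4 header (version, IHL, checksum, total length) before trusting what it carries, so a tampered outer packet is rejected at the tunnel endpoint. Addresses, the GRE call ID and the TCP payload are constructed; the PPP layers are shown with address, control and protocol fields only, without HDLC flags and FCS; the GRE layout is the enhanced GRE of PPTP (RFC 2637) with only the key field present.

```python
import struct

IPPROTO_IPIP, IPPROTO_GRE = 4, 47   # IP-in-IP tunnel; GRE, which PPTP uses
PPP_IP, GRE_PPP = 0x0021, 0x880B    # PPP protocol field for IP; GRE protocol type for PPP
def ip_checksum(hdr):  # ones'-complement sum; two folds suffice for headers up to 60 bytes
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s & 0xFFFF) + (s >> 16)
    return ~((s & 0xFFFF) + (s >> 16)) & 0xFFFF
def ipv4(src, dst, proto, payload):  # minimal 20-byte IPv4 header, no options
    addrs = bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0) + addrs
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload
def ppp(proto, payload):  # address, control and protocol fields; HDLC flags and FCS omitted
    return b"\xff\x03" + struct.pack("!H", proto) + payload
def gre(payload, call_id=1):  # enhanced GRE as PPTP uses it: K bit, version 1, key = length + call ID
    return struct.pack("!HHHH", 0x2001, GRE_PPP, len(payload), call_id) + payload

def peel_ipv4(pkt):  # verify version, IHL, checksum and total length before trusting the inside
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or ihl < 20 or len(pkt) < ihl or ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    total = struct.unpack("!H", pkt[2:4])[0]
    if total < ihl or total > len(pkt):
        raise ValueError("bad IPv4 total length")
    src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (12, 16))
    return pkt[9], src, dst, pkt[ihl:total]
def peel_ppp(pkt):
    pkt = pkt[2:] if pkt[:2] == b"\xff\x03" else pkt   # address/control may be compressed away
    return struct.unpack("!H", pkt[:2])[0], pkt[2:]
def peel_gre(pkt):  # header grows by 4 bytes for each of the C, K, S and A flag bits
    flags, proto = struct.unpack("!HH", pkt[:4])
    return proto, pkt[4 + sum(4 for bit in (0x8000, 0x2000, 0x1000, 0x0080) if flags & bit):]

def walk(pkt, layer):  # peel headers from the outside in; return the layers seen and the innermost payload
    stack = []
    while layer:
        if layer == "PPP":
            proto, pkt = peel_ppp(pkt)
            stack.append("PPP"); layer = "IP" if proto == PPP_IP else None
        elif layer == "IP":
            proto, src, dst, pkt = peel_ipv4(pkt)
            stack.append(f"IP {src}->{dst}"); layer = {IPPROTO_IPIP: "IP", IPPROTO_GRE: "GRE"}.get(proto)
        else:
            proto, pkt = peel_gre(pkt)
            stack.append("GRE"); layer = "PPP" if proto == GRE_PPP else None
    return stack, pkt

# Constructed sample packets: private addresses inside, public tunnel endpoints outside
INNER = ipv4("10.0.0.5", "10.0.1.9", 6, b"TCP segment (constructed)")
IPIP_PKT = ipv4("203.0.113.7", "198.51.100.2", IPPROTO_IPIP, INNER)
PPTP_PKT = ppp(PPP_IP, ipv4("203.0.113.7", "198.51.100.2", IPPROTO_GRE, gre(ppp(PPP_IP, INNER))))
```

Note that the public Internet sees only the outer 203.0.113.7 to 198.51.100.2 header; the private 10.0.0.0/8 addresses appear only after the tunnel endpoint has validated and removed the outer layers.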
Other VPN approaches
IPSec:
– Protocol suite for secure communications at Layer-3
– Consists of security headers and a set of protocols
– Originally designed for IPv6
– Performs services for authentication, integrity, confidentiality
– Can perform tunneling of IP datagrams
MPLS:
– LSPs can provide data link connections between remote networks
– Builds on isolation of LSPs in the MPLS network
SSH/PPP:
– Secure Shell (SSH) provides secure access to remote hosts
– Assumes a client/server relationship
– Intended as a replacement for insecure protocols such as Telnet, rsh, etc.
– VPN services can be built by creating a PPP connection within an SSH connection