19-Virtual Private Networks

8/3/2019 19-Virtual Private Networks

http://slidepdf.com/reader/full/19-virtual-private-networks 1/65



By.P. Victer Paul

Dear,We planned to share our eBooks and project/seminar contents

for free to all needed friends like u.. To get to know about morefree computerscience ebooks and technology advancements incomputer science. Please visit....

http://free-computerscience-ebooks.blogspot.com/

http://recent-computer-technology.blogspot.com/

http://computertechnologiesebooks.blogspot.com/

Please to keep provide many eBooks and technology news forFREE. Encourage us by Clicking on the advertisement in theseBlog.

















VPNs can be used to secure communications through the public

Internet.

VPNs are often installed by organizations to provide remote

access to a secure organizational network, or to connect two

network locations together using an insecure network to carry thetraffic.

A VPN does not need to have explicit security features such as

authentication or traffic encryption. For example, a network

service provider could use VPNs to separate the traffic of

multiple customers over an underlying network.

VPNs such as Tor can be used to mask the IP address of

individual computers within the Internet in order, for instance, to

surf the World Wide Web anonymously or to access location

restricted services, such as Internet television.

http://en.wikipedia.org/wiki/Tor_(anonymity_network)

http://en.wikipedia.org/wiki/IP_address

http://en.wikipedia.org/wiki/World_Wide_Web

http://en.wikipedia.org/wiki/Internet_television












http://en.wikipedia.org/wiki/Tor_(anonymity_network)







In the protocols they use to tunnel the traffic over the

underlying network;

By the location of tunnel termination, such as the

customer edge or network provider edge; Whether they offer site-to-site or remote access

connectivity;

In the levels of security provided;

By the OSI layer which they present to the connectingnetwork, such as Layer 2 circuits or Layer 3 network

connectivity.



Secure VPNs explicitly provide mechanisms for

authentication of the tunnel endpoints during tunnel

setup, and encryption of the traffic in transit.

Often secure VPNs are used to protect traffic when

using the Internet as the underlying backbone, but

equally they may be used in any environment when the

security level of the underlying network differs from

the traffic within the VPN.

http://en.wikipedia.org/wiki/Authentication

http://en.wikipedia.org/wiki/Encryption

http://en.wikipedia.org/wiki/Encryption

http://en.wikipedia.org/wiki/Authentication



Secure VPNs may be implemented by organizationswishing to provide remote access facilities to theiremployees or by organizations wishing to connectmultiple networks together securely using the Internet

to carry the traffic. A common use for secure VPNs is in remote access

scenarios, where VPN client software on an end usersystem is used to connect to a remote office network

securely. Secure VPN protocols include L2TP (with IPsec),

SSL/TLS VPN (with SSL/TLS) or PPTP (with MPPE).

http://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol

http://en.wikipedia.org/wiki/IPsec

http://en.wikipedia.org/wiki/Secure_Sockets_Layer_virtual_private_network

http://en.wikipedia.org/wiki/Transport_Layer_Security

http://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol

http://en.wikipedia.org/wiki/Microsoft_Point-to-Point_Encryption













Trusted VPNs are commonly created by carriers and large

organizations and are used for traffic segmentation on large core

networks. They often provide quality of service guarantees and

other carrier-grade features.

Trusted VPNs may be implemented by network carriers wishingto multiplex multiple customer connections transparently over an

existing core network or by large organizations wishing to

segregate traffic flows from each other in the network. Trusted

VPN protocols include MPLS, ATM or Frame Relay.

Trusted VPNs differ from secure VPNs in that they do not

provide security features such as data confidentiality through

encryption. Secure VPNs however do not offer the level of

control of the data flows that a trusted VPN can provide such as

bandwidth guarantees or routing.

http://en.wikipedia.org/wiki/Quality_of_service

http://en.wikipedia.org/wiki/Multiprotocol_Label_Switching

http://en.wikipedia.org/wiki/Asynchronous_Transfer_Mode

http://en.wikipedia.org/wiki/Frame_Relay




http://en.wikipedia.org/wiki/Asynchronous_Transfer_Mode









Security

Address Translation

Performance: Throughput, Load balancing (round-robin

DNS), fragmentation

Bandwidth Management: RSVP (Resource Reservation

Protocol)

Availability: Good performance at all times

Scalability: Number of locations/Users

Interoperability: Among vendors, Internet Service Providers

(ISPs), customers (for extranets)⇒ Standards Compatibility,

With firewall



Compression: Reduces bandwidth requirements Manageability: SNMP (Simple Network Management

Protocol), Browser based, Java based,centralized/distributed

Accounting, Auditing, and Alarming Protocol Support: IP, non-IP (IPX) Platform and O/S support: Windows, UNIX, MacOS,

HP/Sun/Intel Installation: Changes to desktop or backbone only

Legal: Exportability, Foreign Govt Restrictions, Key Management Infrastructure (KMI) initiative ⇒ Need key recovery



IPsec (Internet Protocol Security) - A standards-basedsecurity protocol developed originally for IPv6, wheresupport is mandatory, but also widely used with IPv4.

For VPNs L2TP is commonly used over IPsec.

Transport Layer Security (SSL/TLS) is used either fortunneling an entire network's traffic (SSL/TLS VPN)

SSL has been the foundation by a number of vendors toprovide remote access VPN capabilities.

SSL-based VPNs may be vulnerable to denial-of-service attacks mounted against their TCP connectionsbecause latter are inherently unauthenticated.


http://en.wikipedia.org/wiki/IPv6




http://en.wikipedia.org/wiki/Tunneling_protocol


http://en.wikipedia.org/wiki/Denial-of-service_attack












http://en.wikipedia.org/wiki/Tunneling_protocol
















Datagram Transport Layer Security (DTLS), used by Cisco for

a next generation VPN product called Cisco AnyConnect

VPN. DTLS solves the issues found when tunneling TCP over

TCP as is the case with SSL/TLS

Microsoft Point-to-Point Encryption (MPPE) by Microsoft isused with their PPTP. Several compatible implementations on

other platforms also exist.

Secure Socket Tunneling Protocol (SSTP) by Microsoft

introduced in Windows Server 2008 and Windows Vista Service Pack 1. SSTP tunnels PPP or L2TP traffic through an

SSL 3.0 channel.

http://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security

http://en.wikipedia.org/wiki/Cisco_Systems





http://en.wikipedia.org/wiki/Secure_Socket_Tunneling_Protocol

http://en.wikipedia.org/wiki/Windows_Server_2008

http://en.wikipedia.org/wiki/Windows_Vista

http://en.wikipedia.org/wiki/Point-to-Point_Protocol







http://en.wikipedia.org/wiki/Point-to-Point_Protocol









































MPVPN (Multi Path Virtual Private Network). Ragula

Systems Development Company owns the registered

trademark "MPVPN“.

SSH VPN -- OpenSSH offers VPN tunneling to secure remote

connections to a network (or inter-network links). This feature(option -w) should not be confused with port forwarding

(option -L).

OpenSSH server provides limited number of concurrent

tunnels and the VPN feature itself does not support personalauthentication.

http://en.wikipedia.org/wiki/Trademark

http://en.wikipedia.org/wiki/Vpn

http://en.wikipedia.org/wiki/Secure_Shell

http://en.wikipedia.org/wiki/OpenSSH

http://en.wikipedia.org/wiki/OpenSSH

http://en.wikipedia.org/wiki/Secure_Shell

http://en.wikipedia.org/wiki/Vpn

http://en.wikipedia.org/wiki/Trademark



Tunnel endpoints are required to authenticate

themselves before secure VPN tunnels can be

established.

End user created tunnels, such as remote access VPNs

may use passwords, biometrics, two-factor

authentication or other cryptographic methods.

For network-to-network tunnels, passwords or digital

certificates are often used, as the key must bepermanently stored and not require manual intervention

for the tunnel to be established automatically.

http://en.wikipedia.org/wiki/Passwords

http://en.wikipedia.org/wiki/Biometrics

http://en.wikipedia.org/wiki/Two-factor_authentication


http://en.wikipedia.org/wiki/Cryptographic

http://en.wikipedia.org/wiki/Digital_Certificate





http://en.wikipedia.org/wiki/Cryptographic






http://en.wikipedia.org/wiki/Biometrics

http://en.wikipedia.org/wiki/Passwords



Depending on whether the PPVPN runs in layer 2 or

layer 3, the building blocks described below may be L2

only, L3 only, or combinations of the two.

Multiprotocol Label Switching (MPLS) functionality

blurs the L2-L3 identity.

◦ Customer edge device. (CE)

◦ Provider edge device (PE)

◦ Provider device (P)









Customer edge device (CE)In general, a CE is a device, physically at the customerpremises, that provides access to the PPVPN service.Some implementations treat it purely as a demarcation

point between provider and customer responsibility,while others allow customers to configure it.

Provider edge device (PE)

A PE is a device or set of devices, at the edge of the

provider network, which provides the provider's viewof the customer site. PEs are aware of the VPNs thatconnect through them, and which maintain VPN state.



Provider device (P)

A P device operates inside the provider's core network, and

does not directly interface to any customer endpoint.

It might, for example, provide routing for many provider-

operated tunnels that belong to different customers'

PPVPNs.

Its principal role is allowing the service provider to scale its

PPVPN offerings, as, for example, by acting as an

aggregation point for multiple PEs. P-to-P connections, insuch a role, often are high-capacity optical links between

major locations of provider.





















GRE: Generic Routing Encaptulation (RFC 1701/2)

PPTP: Point-to-point Tunneling Protocol

2TP: Layer 2 Tunneling protocol

IPsec: Secure IP MPLS: Multiprotocol Label Switching









Layer 2 Tunneling Protocol

L2F = Layer 2 Forwarding (From CISCO)

L2TP = L2F + PPTP Combines the best features of L2F

and PPTP

Easy upgrade from L2F or PPTP

Allows PPP frames to be sent over non-IP (Frame relay,

ATM) networks also (PPTP works on IP only)

Allows multiple (different QoS) tunnels between thesame end-points. Better header compression. Supports

flow control





Universal Transport Interface (UTI) is a pre-standardeffort for transporting L2 frames.

L2TPv3 extends UTI and includes it as one of many

supported encapsulations.

L2TPv3 has a control plane using reliable control

connection for establishment, teardown and

maintenance of individual sessions.





Allows virtual circuits in IP Networks

Each packet has a virtual circuit number called ‘label’

Label determines the packet’s queuing and forwarding

Circuits are called Label Switched Paths (LSPs) LSP’s have to be set up before use

Allows traffic engineering







Unsolicited: Topology driven ⇒ Routing protocolsexchange labels with routing information.

Many existing routing protocols are being

extended:BGP, OSPF

On-Demand:

⇒ Label assigned when requested,

e.g., when a packet arrives⇒ latency

Label Distribution Protocol called LDP RSVP has been extended to allow label request and

response







VPN allows secure communication on the Internet

Three types: WAN, Access, Extranet

Key issues: address translation, security, performance

Layer 2 (PPTP, L2TP), Layer 3 (IPSec) QoS is still an issue ⇒MPLS



FIREWALL



Aspects of Security◦ Data accessibility - contents accessible

◦ Data integrity - contents remain unchanged

◦ Data confidentiality - contents not revealed

AAA

◦ Authentication - You are who you say you are

◦ Authorization - Access control

◦ Accountability- Who is responsible for tracking access to

data





Scrambling of message such that only intended receiver canunscramble them

◦ Encrypting function - produces encrypted message

◦ Decrypting function - extracts original message

◦ Encryption key - parameter that controlsencryption/decryption



Secret Key Encryption◦ Sender and receiver share secret key

◦ Encrypted_Message = encrypt(K, Message)

◦ Message = decrypt(K, Encrypted_Message)

◦ Example: Encrypt = division◦ 433 = 48 R 1 (using divisor of 9)



Previous scheme requires shared secret K If K is discovered, security is compromised

Public key encryption uses two keys:

◦ Private key - kept secret by user

◦ Public key - published by user

Message encrypted with public key can be decrypted only

with private key, and vice-versa



Encrypted_Message = decrypt(Public_Key,encrypt(Private_key, Message)

Message = decrypt(Private_Key,

encrypt(Public_Key,Message)



Goal - guarantee that message must have originatedwith certain entity

Encrypted_Message = encrypt(Private_Key, Message)

Message = decrypt(Public_Key, Encrypted_Message)

=> Authentic



User 1 to User2: Encrypted_Message = encrypt(Public_key2,

encrypt(Private_key1, Message)

Message = decrypt(Public_key1, decrypt

(Private_key2,Encrypted_Message)

=> Authentic and Private



Bastion Host DMZ (demilitarized zone)

Perimeter network



A bastion host is a computer that is fully exposed toattack

The system is on the public side of the demilitarized

zone (DMZ), unprotected by a firewall or filtering

router

Firewalls and routers can be considered bastion hosts

Other types of bastion hosts include web, mail, DNS,

and FTP servers, Proxy servers



DMZ (demilitarized zone) is a computer host or smallnetwork inserted as a "neutral zone" between a

company's private network and the outside public

network.

It prevents outside users from getting direct access to a

server that has company data



A small, single-segment network between a firewalland the Internet for services that the organization wants

to make publicly accessible to the Internet without

exposing the network as a whole

If someone breaks into a bastion host on the perimeter

net, he'll be able to snoop only on traffic on that net

Also known as ‘stub network’



Can configure packet forwarding devices - esp. routers – to drop certain packets

Example: Only email gets in/out

problem: Filter is accessible to outside world







Proxy servers take users' requests and forward them toreal servers

Take server’s responses and forwards them to users

Enforce site security policy = > may refuse certain

requests

Transparency is the major benefit of proxy services

Also known as application-level gateways











Can’t protect against malicious insiders can’t protect against connections that do not go through

it,

◦ e.g. dial up

Can’t protect against completely new threats

Can’t protect against viruses



Security is a problem because Internet is not owned byone entity

Encryption and digital signatures can provide

confidentiality and secure identification

Organizations can use firewalls to prevent unauthorized

access

Documents

19-Virtual Private Networks