network security philadelphia universitylahmad al-ghoul 2010-20111 module 12 module 12 virtual...
Post on 23-Dec-2015
218 Views
Preview:
TRANSCRIPT
Network Security Philadelphia Universityl
Ahmad Al-Ghoul 2010-2011 1
Module 12Module 12
Virtual Private Networks MModified by :Ahmad Al GhoulPPhiladelphia UniversityFFaculty Of Administrative & Financial SciencesBBusiness Networking & System Management DepartmentRRoom Number 32406EE-mail Address: ahmad4_2_69@hotmail.com
Network Security Philadelphia Universityl
Ahmad Al-Ghoul 2010-2011 2
Contents
Relation to SSL & SSH Virtual Private Network Three Types of VPNs The Concept of Tunneling General IPTunneling Look at the stack GRE & PPTP Generic Routing Encapsulation PPTP Ipsec Encapsulating Security Payload
Network Security Philadelphia Universityl
Ahmad Al-Ghoul 2010-2011 3
Relation to SSL & SSH
Recall SSL is the secure socket layer– It provides an encrypted and authenticated TCP
connection between a client and a server.– It does not hide your network because you still
use standard IP visible to all.
Network Security Philadelphia Universityl
Ahmad Al-Ghoul 2010-2011 4
Virtual Private Network Why?
– Institutions are distribted
– They need to protect themselves
– Old Days• Buy your own phone lines
and build a physically private network.
– VPN• Use the internet as a
“carrier” of your private traffic.
Network Security Philadelphia Universityl
Ahmad Al-Ghoul 2010-2011 5
Three Types of VPNs
Remote access– A company uses a dial-up system to allow remote
workers to connect and establish secure connections to the company network
Site-to-site– Intranet
• Connect two different, but remote LANS to form a single network
– Extranet• Two different companies want to establish a private
connection
Network Security Philadelphia Universityl
Ahmad Al-Ghoul 2010-2011 6
Reasons and Requirements Typical Reasons for wanting a VPN
– Extend geographic connectivity – Improve security – Reduce operational costs versus traditional WAN – Improve productivity – Simplify network topology – Provide global networking opportunities – Provide telecommuter support
Requirements for a Good VPN– Security – Reliability – Scalability – Network management – Policy management
Network Security Philadelphia Universityl
Ahmad Al-Ghoul 2010-2011 7
The Concept of Tunneling tunneling - the process of placing an entire packet
within another packet and sending it over a network.
Tunneling requires three different protocols: – Carrier protocol: The protocol used by the network
that the information is traveling over – Encapsulating protocol: The protocol (GRE, IPSec,
L2F, PPTP, L2TP) that is wrapped around the original data
– Passenger protocol: The original data (IPX, NetBeui, IP) being carried
Network Security Philadelphia Universityl
Ahmad Al-Ghoul 2010-2011 8
Tunneling
Key idea: allow packets to move from one point to another point without being directly touched by internet routers
1. Passenger packet goes to gateway
3. Internet (carrier protocol)
2. Gateway wraps passenger withEncapsulation protocol
4. Passenger unwrapped andsent on its way
Network Security Philadelphia Universityl
Ahmad Al-Ghoul 2010-2011 9
General IPTunneling
R1 Internet
124.32.45.3 121.101.27.42
R1Network 1 Network 2
Host10.0.2.22
Host10.0.1.15
To: 10.0.2.22From: 10.0.1.15
IP payload
To: 10.0.2.22From: 10.0.1.15
IP payload
To: 10.0.2.22From: 10.0.1.15
IP payload
To: 121.101.27.42From: 124.32.45.3
IP Payload
Network Security Philadelphia Universityl
Ahmad Al-Ghoul 2010-2011 10
Look at the stack Tunneling can layer a complete stack
and address space on top of the existing one!
– Almost exactly what we did with our XKernel which was tunneled over the regular IP stack.
– For Site-to-Site use
• Generic Routing Encapsulation (GRE)
• IPsec
– For remote access
• PPTP (point-to-point tunneling protocol)
• L2TP (layer 2 tunneling protocol)
Ethernet or PPP or …
IP
GRE
encrypt
IP
TCP
application
IPsec
Network Security Philadelphia Universityl
Ahmad Al-Ghoul 2010-2011 11
GRE & PPTP
GRE– Very simple encapsulation frame that tells you
what type of thing is encapsulated, a sequence number and an ack number.
PPTP– Protocol that allows PPP packets to be
encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself.
Network Security Philadelphia Universityl
Ahmad Al-Ghoul 2010-2011 12
Generic Routing Encapsulation Runs over IP at port 47. It is a protocol for wrapping other protocols. Protocol Family protocol type Reserved 0000 SNA 0004 OSI network layer 00FE XNS 0600 IP 0800 Chaos 0804 Frame Relay ARP 0808 VINES 0BAD DECnet (Phase IV) 6003 Transparent Ethernet Bridging 6558 Raw Frame Relay 6559 Apollo Domain 8019 Ethertalk (Appletalk) 809B Novell IPX 8137 RFC 1144 TCP/IP compression 876B IP Autonomous Systems 876C
protocol
checksum offset
key
Sequence number
Routing information
data
Network Security Philadelphia Universityl
Ahmad Al-Ghoul 2010-2011 13
PPTP
For a dial-up client– First establish a PPP connection to the server– Set up a TCP connection on port 1723 for
control messages• Session management command-replies
• Handles calls and keep-alive messages
– Over the PPP one runs IP and TCP.
In other cases use existing IP level.
Network Security Philadelphia Universityl
Ahmad Al-Ghoul 2010-2011 14
PPTP data packets The carrier network delivers GRE packets
– Sliding window used to provide flow control GRE packet contains a PPP packet. PPP has an encryption protocol that is used to encrypt the
contents of each frame. The content frame is the tunneled IP packet.
Carrier IP packet
GRE packet
PPP packet
IP packet
Network Security Philadelphia Universityl
Ahmad Al-Ghoul 2010-2011 15
IPsec A General Framework for IP security
– NOTE: SSL is at the TCP level– IPSec is designed to be at the IP level
Two Components– Two protocols for security
• A header for authentication (AH)• A header for secure encapsulation (ESP)
– Internet Security Assoc. and Key Mgmt Protocl A Security Association (SA) is a one way connection
between two hosts/routers that is based on a choice of AH/ESP and Key protocol.
Network Security Philadelphia Universityl
Ahmad Al-Ghoul 2010-2011 16
IPSec Authentication
NextHdr Payload length reserved
SPI ( security paramenter index – identifies the sec. Assoc.)
Sequence no
Authentication Data
Network Security Philadelphia Universityl
Ahmad Al-Ghoul 2010-2011 17
IPSec Authentication
NOTE:
The authentication data is the cryptographic signature of this packet. It is not authentication of source identity
NextHdr is a pointer to the end of this packet. SPI is an identifier which in combination with the
IP address of the packet completely identifies the secruity association.
Sequence number prevents “replay attacks”
Network Security Philadelphia Universityl
Ahmad Al-Ghoul 2010-2011 18
Encapsulating Security Payload
This follows IP header (both v4 and v6) and before the encripted payload.
– The payload data is often part of an “initialization vector” for the encrypted payload that follows
provides
– confidentiality (encryption), data origin authentication, integrity, optional anti-replay service
NextHdrPad length
SPI ( security paramenter index – identifies the sec. Assoc.)
Sequence no
Authentication Data
Up to 256 bytes of Playload data (Initialization Vector)
top related