Post on 19-Dec-2015
Guide to Network Defense and Countermeasures Second Edition
Chapter 5: Virtual Private Network (VPN) Concepts
Objectives
• Explain basic VPN concepts
• Describe encapsulation in VPNs
• Describe encryption in VPNs
• Describe authentication in VPNs
• Summarize the advantages and disadvantages of VPNs
Understanding VPN Concepts
• Virtual Private Network (VPN) enables computers to
  – Communicate securely over insecure channels
  – Exchange private encrypted messages that others cannot decipher
What VPNs Are
• VPN
  – Virtual network connection
  – Uses the Internet to establish a secure connection
• Secure tunnel
  – Extends an organization’s network
• Endpoints
  – Specified computers, users, or network gateways
Why Establish a VPN?
• Business incentives driving VPN adoption
  – VPNs are cost-effective
  – VPNs provide secure connections for remote users
    • Contractors
    • Traveling employees
    • Partners and suppliers
• VPN components
  – VPN server or host
    • Configured to accept connections from clients
  – VPN client or guest
    • Endpoints connecting to a VPN
Why Establish a VPN? (continued)
• VPN components
  – Tunnel
    • Connection through which data is sent
  – VPN protocols
    • Sets of standardized communication settings
    • Used to encrypt data sent along the VPN
  – Types of VPNs
    • Site-to-site VPN
      – Gateway-to-gateway VPN
    • Client-to-site VPN
      – Remote access VPN
Why Establish a VPN? (continued)
• Hardware versus software VPNs
  – Hardware-based VPNs
    • Connect one gateway to another
    • Routers at each network gateway encrypt and decrypt packets
    • VPN appliance
      – Designed to serve as a VPN endpoint
      – Joins multiple LANs
    • Benefits
      – Scalable
      – Better security
Why Establish a VPN? (continued)
• Hardware versus software VPNs (continued)
  – Software-based VPNs
    • Integrated with firewalls
    • Appropriate when participating networks use different routers and firewalls
    • Benefits
      – More cost-effective
      – Offer maximum flexibility
Why Establish a VPN? (continued)
• VPN combinations
  – Combining VPN hardware with software adds layers of network security
  – One useful combination is a VPN bundled with a firewall
  – VPNs do not eliminate the need for firewalls
  – Provide flexibility and versatility
Why Establish a VPN? (continued)
• VPN combinations (continued)
  – Points to consider when selecting VPNs
    • Compatibility
    • Scalability
    • Security
    • Cost
    • Vendor support
VPN Core Activity 1: Encapsulation
• Core set of activities
  – Encapsulation
  – Encryption
  – Authentication
• Encapsulation
  – Encloses a packet within another
    • The outer packet has different IP source and destination addresses
  – Protects integrity of the data
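The encapsulation described above, as an added example that is not code from the original slides: a minimal IPv4 header builder and parser plus IP-in-IP tunnel encapsulation, so the outer packet on the Internet carries only the two gateways' addresses while the original host addresses travel inside it. All addresses and payload bytes are constructed for the example.

```python
import socket
import struct

IPPROTO_IPIP = 4  # IANA protocol number for IP-in-IP encapsulation

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header; returns 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(packet: bytes):
    """Return (src, dst, protocol, payload); reject a header that fails its checksum."""
    if ipv4_checksum(packet[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, packet[ihl:total_len]

def encapsulate(inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel entry: the whole inner packet becomes the payload of a new outer packet
    whose source and destination are the two VPN gateways, not the original hosts."""
    return build_ipv4(gw_src, gw_dst, IPPROTO_IPIP, inner)

def decapsulate(outer: bytes) -> bytes:
    """Tunnel exit: strip the outer header and hand the original packet to the LAN."""
    _, _, proto, inner = parse_ipv4(outer)
    if proto != IPPROTO_IPIP:
        raise ValueError("outer packet is not IP-in-IP")
    return inner

if __name__ == "__main__":
    # Constructed sample: host 10.0.0.5 on LAN A sends a UDP datagram to 10.0.1.9 on LAN B;
    # the gateways use documentation addresses 203.0.113.1 and 198.51.100.1.
    inner = build_ipv4("10.0.0.5", "10.0.1.9", 17, b"hello over the tunnel")
    outer = encapsulate(inner, "203.0.113.1", "198.51.100.1")
    print("on the wire:", parse_ipv4(outer)[:3])               # gateway addresses, protocol 4
    print("after exit: ", parse_ipv4(decapsulate(outer))[:3])  # original hosts, protocol 17
```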
Understanding Tunneling Protocols
• Point-to-Point Tunneling Protocol (PPTP)
  – Used when you need to dial in to a server with a modem connection
    • On a computer using an older OS version
  – Encapsulates TCP/IP packets
  – Header contains only information needed to route data from the VPN client to the server
  – Uses Microsoft Point-to-Point Encryption (MPPE)
    • Encrypts data that passes between the remote computer and the remote access server
  – L2TP uses IPSec encryption
    • More secure and widely supported
Understanding Tunneling Protocols (continued)
• Layer 2 Tunneling Protocol (L2TP)
  – Provides better security through IPSec
  – IPSec enables L2TP to perform
    • Authentication
    • Encapsulation
    • Encryption
Understanding Tunneling Protocols (continued)
• Secure Shell (SSH)
  – Provides authentication and encryption
  – Works with UNIX-based systems
    • Versions for Windows are also available
  – Uses public-key cryptography
• Socks V. 5
  – Provides proxy services for applications
    • That do not usually support proxying
  – Socks version 5 adds encrypted authentication and support for UDP
IPSec/IKE
• Internet Protocol Security (IPSec)
  – Set of standard procedures
  – Developed by the Internet Engineering Task Force (IETF)
  – Enables secure communications on the Internet
• Characteristics
  – Works at layer 3
  – Can encrypt an entire TCP/IP packet
  – Originally developed for use with IPv6
  – Provides authentication of source and destination computers
IPSec/IKE (continued)
• Widely supported
• Security Association (SA)
– Relationship between two or more entities
– Describes how they will use security services to communicate
– Used by IPSec to track all the particulars of a communication session
– SAs are unidirectional
IPSec/IKE (continued)
• Components
  – Internet Security Association Key Management Protocol (ISAKMP)
  – Internet Key Exchange (IKE)
  – Oakley
  – IP Security Policy Management
  – IPSec Driver
• IPSec core components
  – Authentication Header (AH)
  – Encapsulation Security Payload (ESP)
IPSec/IKE (continued)
• Authentication Header (AH)
  – Provides authentication of TCP/IP packets
  – Ensures data integrity
  – Packets are signed with a digital signature
  – Adds a header calculated from the values in the datagram
    • Creates a message digest of the datagram
  – AH in tunnel mode
    • Authenticates the entire original header
    • Places a new header at the front of the original packet
  – AH in transport mode
    • Authenticates the payload and the header
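The AH mechanics above (a digest over header and payload, carried in a header inserted after the IP header in transport mode) and the SPI-indexed Security Association from the earlier slide, as an added example that is not the original slides' code. It assumes truncated HMAC-SHA256 as the integrity algorithm and follows RFC 4302 in hashing the mutable IPv4 fields as zeros, which is why a TTL decremented by a router still verifies while a changed payload byte does not; the SA key, addresses and payload are constructed.

```python
import hmac
import struct

# Constructed SA database keyed by SPI; in real IPSec the key and algorithm for each
# (unidirectional) SA are negotiated by IKE. This key is a placeholder for the example only.
SA_DB = {0x1001: {"key": b"constructed-example-key-do-not-reuse", "alg": "sha256"}}
ICV_LEN = 16  # truncated HMAC output, as IPSec integrity algorithms commonly specify

# IPv4 fields that change in flight (TOS, flags/fragment offset, TTL, header checksum):
# AH hashes them as zeros so sender and receiver compute the ICV over the same bytes.
MUTABLE = [(1, 1), (6, 2), (8, 1), (10, 2)]

def ah_header(spi: int, seq: int, icv: bytes, next_hdr: int) -> bytes:
    """AH fixed part: next header, payload length (32-bit words minus 2), reserved, SPI, sequence, ICV."""
    return struct.pack("!BBHII", next_hdr, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv

def zero_mutable(ip_hdr: bytes) -> bytes:
    h = bytearray(ip_hdr)
    for off, n in MUTABLE:
        h[off:off + n] = b"\x00" * n
    return bytes(h)

def icv_for(spi: int, seq: int, ip_hdr: bytes, payload: bytes, next_hdr: int) -> bytes:
    """Message digest over IP header + AH (ICV field zeroed) + payload, keyed with the SA's key."""
    sa = SA_DB[spi]
    covered = zero_mutable(ip_hdr) + ah_header(spi, seq, b"\x00" * ICV_LEN, next_hdr) + payload
    return hmac.new(sa["key"], covered, sa["alg"]).digest()[:ICV_LEN]

def ah_transport_protect(ip_hdr: bytes, payload: bytes, spi: int, seq: int, next_hdr: int = 17) -> bytes:
    """Transport mode: original IP header, then AH, then the original (unencrypted) payload."""
    return ip_hdr + ah_header(spi, seq, icv_for(spi, seq, ip_hdr, payload, next_hdr), next_hdr) + payload

def ah_verify(packet: bytes) -> bool:
    """Receiver side: look up the SA by SPI, recompute the ICV and compare in constant time."""
    ip_hdr, ah = packet[:20], packet[20:]
    next_hdr, _, _, spi, seq = struct.unpack("!BBHII", ah[:12])
    icv, payload = ah[12:12 + ICV_LEN], ah[12 + ICV_LEN:]
    if spi not in SA_DB:
        return False  # no SA: the receiver has no key or algorithm for this packet
    return hmac.compare_digest(icv, icv_for(spi, seq, ip_hdr, payload, next_hdr))

# Constructed IPv4 header 10.0.0.5 -> 10.0.1.9, protocol 51 (AH); checksum left 0 (hashed as zero anyway).
IP_HDR = bytes.fromhex("4500 0040 1234 0000 4033 0000 0a00 0005 0a00 0109")
PAYLOAD = b"constructed UDP datagram bytes"

def demo() -> tuple:
    pkt = ah_transport_protect(IP_HDR, PAYLOAD, 0x1001, 1)
    aged = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]   # a router decremented TTL: still verifies
    forged = pkt[:-1] + bytes([pkt[-1] ^ 0x01])      # last payload byte altered: ICV mismatch
    return ah_verify(pkt), ah_verify(aged), ah_verify(forged)   # (True, True, False)
```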
IPSec/IKE (continued)
• Encapsulation Security Payload (ESP)
  – Provides confidentiality for messages
  – Encrypts different parts of a TCP/IP packet
  – ESP in tunnel mode
    • Encrypts both the header and the data part of each packet
    • Data cannot pass through a firewall using NAT
  – ESP in transport mode
    • Encrypts only the data portion of the packet
    • Data can pass through a firewall
  – IPSec should be configured to work with transport mode
VPN Core Activity 2: Encryption
• Encryption
  – Process of rendering information unreadable by all but the intended recipient
  – Components
    • Key
    • Digital certificate
    • Certification Authority (CA)
  – Key exchange methods
    • Symmetric cryptography
    • Asymmetric cryptography
    • Internet Key Exchange
    • FWZ
Encryption Schemes Used by VPNs
• Triple Data Encryption Standard (3DES)
  – Used by many VPN hardware and software products
  – 3DES is a variation on Data Encryption Standard (DES)
  – DES is not secure
  – 3DES is more secure
    • Three separate 64-bit keys to process data
  – 3DES requires more computer resources than DES
Encryption Schemes Used by VPNs (continued)
• Secure Sockets Layer (SSL)
  – Developed by Netscape Communications Corporation
  – Enables Web servers and browsers to exchange encrypted information
  – Characteristics
    • Uses public and private key encryption
    • Uses sockets method of communication
    • Operates at network layer (layer 3) of the OSI model
  – Widely used on the Web
    • Only supports data exchanged by Web-enabled applications
    • Unlikely to replace IPSec
Encryption Schemes Used by VPNs (continued)
• Secure Sockets Layer (SSL) (continued)
  – Steps
    • Client connects to Web server using SSL protocol
    • Two machines arrange a “handshake” process
      – Client sends its preferences for encryption method, SSL version number, and a randomly generated number
    • Server responds with SSL version number, its own cipher preferences, and its digital certificate
    • Client verifies date and other information on the digital certificate
      – Client generates and sends a “pre-master” code
Encryption Schemes Used by VPNs (continued)
• Secure Sockets Layer (SSL) (continued)
  – Steps (continued)
    • Server uses its private key to decode pre-master code
      – Generates a master secret key
      – Client and server use it to generate session keys
    • Server and client exchange messages saying handshake is completed
    • SSL session begins
VPN Core Activity 3: Authentication
• Authentication
  – Identifying a user or computer as authorized to access and use network resources
  – Types of authentication methods used in VPNs
    • IPSec
    • MS-CHAP
  – Both computers exchange authentication packets and authenticate one another
  – VPNs use digital certificates to authenticate users
Kerberos
• Authentication system
  – Developed at the Massachusetts Institute of Technology (MIT)
• Authenticates the identity of network users
  – Authentication by assertion
  – Computer that connects to a server and requests services acts on behalf of an approved user
Kerberos (continued)
• Advantages
  – Passwords are not stored on the system
    • They cannot be intercepted
  – Has a lower “network overhead” than a Public Key Infrastructure (PKI)
  – Handy for single sign-on (SSO)
• Disadvantages
  – AS (KDC) is a single point of failure for Kerberos
Advantages and Disadvantages of VPNs
Summary
• VPNs do not make use of dedicated leased lines
• VPNs send data through a secure tunnel that leads from one endpoint to another
• VPNs keep critical business communications private and secure
• VPN components
  – VPN servers
  – VPN clients
  – Protocols
Summary (continued)
• VPN types
  – Site-to-site
  – Client-to-site
• Encapsulation encloses one packet within another
  – Conceals the original information
• VPN protocols
  – Secure Shell (SSH)
  – Socks version 5
  – Point-to-Point Tunneling Protocol (PPTP)
  – Layer 2 Tunneling Protocol (L2TP)
Summary (continued)
• IPSec/IKE
• Encryption makes the contents of the packet unreadable
• Authentication ensures participating computers are authorized users
  – Kerberos: strong authentication system
• VPN advantages
  – High level of security at low cost
• VPN disadvantages
  – Can introduce serious security risks