An Introduction to VPN Technology - PowerPoint PPT Presentation

Description: 2001 Check Point Software Technologies Ltd. - Proprietary & Confidential ... Uses proprietary authentication and encryption. Limited user management and scalability ...

Provided by: qts

Transcript and Presenter's Notes


1
An Introduction to VPN Technology
  • QTS Ongoing Education Series

2
Check Point Facts
  • History
  • Founded June 1993
  • IPO June 1996
  • Strong growth in revenues and profits
  • Global market leadership
  • 62% VPN market share (Datamonitor, 2001)
  • 42% firewall market share (#1 Position - IDC,
    2000)
  • De-facto standard for Internet security
  • Strong business model
  • Technology innovation and leadership
  • Technology partnerships
  • Strong and diversified channel partnerships

Check Point Software
3
Check Point's Solid Foundation
  • Financial Strength
  • Last 12 Months
  • Revenues of $543M
  • Profit of $313M
  • Strong Balance Sheet
  • Market Leadership
  • 220,000 Installations
  • 100,000 VPN Gateways
  • 83 Million VPN Clients
  • 81,000 Customers
  • 1,500 Channel Partners
  • 300 OPSEC Partners

[Chart labels: "10 in IT", "1 in Software", "100"]
4
Platform Choice - Open
  • Open Systems
  • Attractive Price/Performance
  • Wide Variety of Platforms
  • 60-80% of the Market
  • Flexibility
  • Dedicated Appliances (Check Point pioneered the
    market)
  • Entry Level
  • Easy set up
  • Enterprise Class
  • Network Grade
  • Data Center & ISPs
  • High Performance / Carrier Class
  • Future Platforms
  • Consumer & Small Business
  • Cable & DSL
  • Wireless
  • GPRS, 2.5G-3G Infrastructure
  • Multi-Subscriber
  • Service Providers & Network Services

5
OPSEC Partners
The Open Platform for Security
  • Open framework for security integration - The
    Security OS
  • Over 270 partners
  • Breadth of solutions
  • Choice
  • Certification
  • www.OPSEC.com

Voted #1 Partner Alliance Program
6
Enhanced Management Capabilities
  • SecureUpdate for OPSEC Partners
  • Central management of software install for OPSEC
    applications
  • OPSEC Application monitoring
  • Central monitoring of OPSEC applications
    alongside Check Point products
  • Open Management repository
  • Import/Export objects from management database

7
Agenda
  • What is a Virtual Private Network (VPN)?
  • VPN deployment situations
  • Why use VPNs?
  • Types of VPN protocols
  • IPSec VPNs
  • Components
  • A sample session
  • Deployment questions

8
What is a VPN?
  • A VPN is a private connection over an open
    network
  • A VPN includes authentication and encryption to
    protect data integrity and confidentiality

[Diagram labels: Acme Corp, Internet, Acme Corp Site 2]
9
Types of VPNs
  • Remote Access VPN
  • Provides access to internal corporate network
    over the Internet
  • Reduces long distance, modem bank, and technical
    support costs

[Diagram labels: Corporate Site, Internet]
10
Types of VPNs
  • Remote Access VPN
  • Site-to-Site VPN
  • Connects multiple offices over Internet
  • Reduces dependencies on frame relay and leased
    lines

[Diagram labels: Corporate Site, Internet, Branch Office]
11
Types of VPNs
  • Remote Access VPN
  • Site-to-Site VPN
  • Extranet VPN
  • Provides business partners access to critical
    information (leads, sales tools, etc)
  • Reduces transaction and operational costs

[Diagram labels: Corporate Site, Internet, Partner 1, Partner 2]
12
Types of VPNs
  • Remote Access VPN
  • Site-to-Site VPN
  • Extranet VPN
  • Client/Server VPN
  • Protects sensitive internal communications
  • Most attacks originate within an organization

[Diagram labels: Database Server, LAN clients, Internet, LAN clients with sensitive data]
13
Alternate Technologies
  • Site-to-site/extranets
  • Frame relay, leased lines
  • Remote access
  • Dial up modem banks

14
Why Use Virtual Private Networks?
  • More flexibility
  • Leverage ISP point of presence
  • Use multiple connection types (cable, DSL, T1,
    T3)

15
Why Use Virtual Private Networks?
  • More flexibility
  • More scalability
  • Add new sites, users quickly
  • Scale bandwidth to meet demand

16
Why Use Virtual Private Networks?
  • More flexibility
  • More scalability
  • Lower costs
  • Reduced frame relay/leased line costs
  • Reduced long distance
  • Reduced equipment costs (modem banks,CSU/DSUs)
  • Reduced technical support

17
VPN-1 Return on Investment
Case History: Professional Services Company
  • 5 branch offices, 1 large corporate office, 200
    remote access users.
  • Payback 1.04 months. Annual Savings 88

18
VPN ROI Calculator
Tool URL: http://www.checkpoint.com/products/vpn1/roi_calculators/index.html
19
Components of a VPN
  • Encryption
  • Message authentication
  • Entity authentication
  • Key management

20
Point-to-Point Tunneling Protocol
  • Layer 2 remote access VPN distributed with
    Windows product family
  • Addition to Point-to-Point Protocol (PPP)
  • Allows multiple Layer 3 Protocols
  • Uses proprietary authentication and encryption
  • Limited user management and scalability
  • Known security vulnerabilities

[Diagram labels: Remote PPTP Client, ISP Remote Access Switch, PPTP RAS Server, Corporate Network]
21
Layer 2 Tunneling Protocol (L2TP)
  • Layer 2 remote access VPN protocol
  • Combines and extends PPTP and L2F (Cisco
    supported protocol)
  • Weak authentication and encryption
  • Does not include packet authentication, data
    integrity, or key management
  • Must be combined with IPSec for enterprise-level
    security

[Diagram labels: Remote L2TP Client, ISP L2TP Concentrator, L2TP Server, Corporate Network]
22
Internet Protocol Security (IPSec)
  • Layer 3 protocol for remote access, intranet, and
    extranet VPNs
  • Internet standard for VPNs
  • Provides flexible encryption and message
    authentication/integrity
  • Includes key management

23
Components of an IPSec VPN
  • Encryption: DES, 3DES, and more
  • Message Authentication: HMAC-MD5, HMAC-SHA-1, or others
  • Entity Authentication: Digital Certificates, Shared Secrets,
    Hybrid Mode IKE
  • Key Management: Internet Key Exchange (IKE), Public Key
    Infrastructure (PKI)

All managed by security associations (SAs)
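As an added example that is not part of the presentation, the following Python code models the Message Authentication component from the slide above: the sender appends a 96-bit truncated HMAC-MD5 or HMAC-SHA-1 integrity check value (ICV) to each packet, and the receiver discards any packet whose ICV does not match under the shared key. The key, the packet framing and the sample payload are constructed for illustration.

```python
# IPSec-style message authentication with HMAC-MD5 / HMAC-SHA-1.
# Added example, not from the presentation. The 96-bit truncated HMAC is the
# integrity check value (ICV) IPsec appends to each packet; key, framing and
# sample payload are constructed for illustration.
import hashlib
import hmac

ICV_LEN = 12  # IPsec truncates HMAC-MD5 and HMAC-SHA-1 output to 96 bits

ALGORITHMS = {
    "HMAC-MD5": hashlib.md5,
    "HMAC-SHA-1": hashlib.sha1,
}

def compute_icv(key: bytes, alg: str, data: bytes) -> bytes:
    """Full HMAC over the packet body, truncated to the ICV length."""
    digest = hmac.new(key, data, ALGORITHMS[alg]).digest()
    return digest[:ICV_LEN]

def protect(key: bytes, alg: str, seq: int, payload: bytes) -> bytes:
    """Sender: packet = 4-byte sequence number || payload || ICV."""
    body = seq.to_bytes(4, "big") + payload
    return body + compute_icv(key, alg, body)

def verify(key: bytes, alg: str, packet: bytes):
    """Receiver: (seq, payload) if the ICV matches under this SA's key, else None."""
    if len(packet) < 4 + ICV_LEN:
        return None  # too short to carry a header and an ICV
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = compute_icv(key, alg, body)
    # constant-time compare: a byte-by-byte mismatch must not leak timing
    if not hmac.compare_digest(icv, expected):
        return None
    return int.from_bytes(body[:4], "big"), body[4:]

def flip_bit(packet: bytes, offset: int) -> bytes:
    """Corrupt one bit in transit (constructed helper to exercise detection)."""
    corrupted = bytearray(packet)
    corrupted[offset] ^= 0x01
    return bytes(corrupted)
```

A packet altered in transit, a packet checked with the wrong key, and a packet checked with the wrong algorithm all fail verification, which is what the slide means by message authentication and integrity.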
24
Security Associations
  • An agreement between two parties about
  • Authentication and encryption algorithms
  • Key exchange mechanisms
  • And other rules for secure communications
  • Security associations are negotiated at least
    once per session, and possibly more often for
    additional security

25
Encryption Explained
  • Used to convert data to a secret code for
    transmission over an untrusted network

[Diagram: Clear Text "The cow jumped over the moon" passes through the Encryption Algorithm to become Encrypted Text "4hsd4e3mjvd3sd a1d38esdf2w4d"]
26
Symmetric Encryption
  • Same key used to encrypt and decrypt message
  • Faster than asymmetric encryption
  • Used by IPSec to encrypt actual message data
  • Examples DES, 3DES, RC5, Rijndael

[Diagram label: Shared Secret Key]
27
Asymmetric Encryption
  • Different keys used to encrypt and decrypt
    message (One public, one private)
  • Provides non-repudiation of message or message
    integrity
  • Examples include RSA, DSA, SHA-1, MD-5

[Diagram: Bob encrypts with Alice's Public Key; Alice decrypts with Alice's Private Key]
28
Key Management
  • Shared Secret
  • Simplest method does not scale
  • Two sites share key out-of-band (over telephone,
    mail, etc)
  • Public Key Infrastructure
  • Provides method of issuing and managing
    public/private keys for large deployments
  • Internet Key Exchange
  • Automates the exchange of keys for scalability
    and efficiency

29
What are Keys?
  • An Encryption Key is
  • A series of numbers and letters
  • used in conjunction with an encryption
    algorithm
  • to turn plain text into encrypted text and back
    into plain text
  • The longer the key, the stronger the encryption

30
What is Key Management?
  • A mechanism for distributing keys either manually
    or automatically
  • Includes
  • Key generation
  • Certification
  • Distribution
  • Revocation

31
Internet Key Exchange (IKE)
  • Automates the exchange of security associations
    and keys between two VPN sites
  • IKE provides
  • Automation and scalability
  • Improved security
  • Encryption keys can be changed frequently
  • Hybrid IKE
  • Proposed standard designed by Check Point
  • Allows use of existing authentication methods

32
Different Types of VPN/Firewall Topologies

  • VPN device is vulnerable to attack, e.g. denial of service
  • Two connections to the firewall for every communication request
  • Bypasses security policy
  • Denial of service
33
Different Types of VPN/Firewall Topologies

34
Protecting Remote Access VPNs
  • The Problem
  • Remote access VPN clients can be hijacked
  • Allows attackers into internal network
  • The Solution
  • Centrally managed personal firewall on VPN
    clients

[Diagram labels: Attacker, Cable or xDSL, Internet]
35
Summary
  • Virtual Private Networks have become
    mission-critical applications
  • IPSec is the leading protocol for creating
    enterprise VPNs
  • Provides encryption, authentication, and data
    integrity
  • Organizations should look for
  • Integrated firewalls and VPNs
  • Centralized management of VPN client security
  • A method to provide VPN QoS