Virtual Private Networks - PowerPoint PPT Presentation

Transcript and Presenter's Notes

Title: Virtual Private Networks


1
Virtual Private Networks
  • CS-480b
  • Dick Steflik

2
Virtual Private Networks (VPNs)
  • Used to connect two private networks together via
    the Internet
  • Used to connect remote users to a private network
    via the Internet
  • This could be done by opening your firewall to
    the LAN networking protocols (NetBIOS, NFS,
    NetWare, AppleTalk)
  • But that would also make those protocols available
    to anyone on the Internet, who could then come
    into your LAN at will
  • Effectively makes the whole Internet your LAN
  • Exposes all of your data
  • Anyone can easily take advantage of
    vulnerabilities in your internal hosts
  • No privacy
  • The better solution is to use a VPN in conjunction
    with your firewall

3
VPNs
  • Since IP is what transports information between
    LANs, adding security to IP makes that transport
    more secure
  • Can be done two ways
  • At the network layer using IPsec
  • Currently the most widely used method
  • But requires special client software to be
    installed on each workstation (more IT effort)
  • At the transport layer using SSL/TLS
  • Quickly gaining popularity because there are no
    special software installation requirements for
    end-user workstations
  • All that's required is a browser with SSL support
  • Mozilla
  • Internet Explorer
  • Netscape
  • Opera

4
IP Based VPNs
  • Fundamental Components
  • IP Encapsulation
  • Cryptographic authentication
  • Secret Key Encryption
  • A single shared secret key is used for both
    encryption and decryption
  • Public Key Encryption
  • Key pairs: what one key encrypts, only the other
    key can decrypt (a key does one job, not both)
  • Data Payload Encryption
  • Encrypt the payload but not the outer header that
    routers need (exactly what is covered depends on
    the OEM/vendor solution)
  • IP/IP Encapsulation
  • Makes remotely located LANs appear to be adjacent
  • Makes private, non-routable addresses (10.a.b.c and
    192.168.c.d) reachable across the Internet by
    carrying them inside packets whose outer header
    uses routable addresses
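The encapsulation described on this slide, as an added example that is not part of the original deck: a packet between two private (10.x / 192.168.x) hosts is wrapped in an outer IPv4 header addressed between the two gateways' public addresses, so the Internet routes on the outer header and never sees the private ones. The shared-secret component is shown as an HMAC over the inner packet (the standard library has no AES, so confidentiality is not shown; a real IPsec ESP tunnel would also encrypt the inner packet). All addresses are documentation ranges, the key is a constructed value, and the 16-byte tag format is this example's own, not a standard's.

```python
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP = 4    # IP-in-IP encapsulation (RFC 2003)
IPPROTO_UDP = 17
TAG_LEN = 16        # truncated HMAC-SHA256 tag appended after the inner packet (example format)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IPv4 header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Return a minimal IPv4 packet (20-byte header, no options) carrying payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse a minimal IPv4 header; reject a corrupted header checksum."""
    if len(pkt) < 20 or checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header")
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "proto": f[6], "payload": pkt[20:f[2]]}


def encapsulate(inner: bytes, gw_src: str, gw_dst: str, key: bytes) -> bytes:
    """Wrap a private-address packet in an outer header addressed between the gateways.
    Routers only see the outer header; the inner packet carries a shared-secret MAC so the
    far gateway can detect a forged or altered inner packet."""
    tag = hmac.new(key, inner, hashlib.sha256).digest()[:TAG_LEN]
    return build_ipv4(gw_src, gw_dst, IPPROTO_IPIP, inner + tag)


def decapsulate(outer: bytes, key: bytes) -> bytes:
    """Strip the outer header and verify the MAC before trusting the inner packet."""
    o = parse_ipv4(outer)
    if o["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    inner, tag = o["payload"][:-TAG_LEN], o["payload"][-TAG_LEN:]
    expected = hmac.new(key, inner, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: inner packet forged or altered")
    return inner


def demo() -> dict:
    """Constructed scenario: host 10.1.1.25 behind gateway 203.0.113.10 sends to
    host 192.168.2.40 behind gateway 198.51.100.20."""
    key = b"constructed-shared-secret"   # assumption: pre-shared between the two gateways
    inner = build_ipv4("10.1.1.25", "192.168.2.40", IPPROTO_UDP, b"hello over the tunnel")
    outer = encapsulate(inner, "203.0.113.10", "198.51.100.20", key)

    # An on-path attacker rewrites one byte of the inner source address.
    forged = bytearray(outer)
    forged[20 + 12] ^= 0x01
    try:
        decapsulate(bytes(forged), key)
        forged_accepted = True
    except ValueError:
        forged_accepted = False

    return {"outer": parse_ipv4(outer),
            "inner": parse_ipv4(decapsulate(outer, key)),
            "forged_accepted": forged_accepted}


if __name__ == "__main__":
    r = demo()
    print("routers see", r["outer"]["src"], "->", r["outer"]["dst"], "proto", r["outer"]["proto"])
    print("LAN hosts see", r["inner"]["src"], "->", r["inner"]["dst"])
    print("forged packet accepted:", r["forged_accepted"])
```

The outer header checksum still verifies on the forged packet, because routers only check their own header; it is the keyed tag over the inner packet that catches the change, which is why the slide lists cryptographic authentication as a fundamental component rather than relying on the IP checksum.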

5
VPN Characteristics
  • Cheaper than WANs
  • dedicated leased lines are very expensive
  • Easier to establish than WANs
  • ISPs will usually help make the initial IP
    connection
  • hours for VPNs vs. weeks for WANs
  • Slower than LANs
  • encryption/decryption takes time
  • typical LANs are 10-100 Mbps
  • endpoints connected by VPN may go through many
    router hops
  • minimize by using the same ISP for everything
  • dial-in users are typically going to be 56 Kbps
  • Less reliable than WANs
  • with WANs the routers are under your control and
    performance is negotiated with the provider; with
    a VPN you only control the initial IP connection
  • Less secure than isolated LANs or WANs
  • because the Internet is used, attackers can find you
  • the VPN protocol is one more thing to be attacked

6
Types of VPNs
  • Server based
  • Firewall based
  • Router based (including VPN appliances)

7
Server based
  • Windows
  • Routing and Remote Access Service (RRAS)
  • NT supports only PPTP; Windows 2000 supports PPTP,
    L2TP and IPsec
  • comes with everything needed to establish a VPN
  • Linux
  • FreeS/WAN (IPsec), PPP over SSL, PPTP, L2TP;
    Blowfish is a cipher used by some of these, not a
    VPN protocol in its own right
  • with IP masquerading/ipchains and additional
    open source software it can be used to create a
    very robust VPN
  • UNIX
  • many incorporate IPsec into their TCP/IP stacks
  • Be aware that VPN traffic leaving your LAN
    traverses the LAN twice
  • once to the RRAS server as regular LAN traffic,
    once encapsulated on its way to the firewall

8
Firewall based VPNs
  • Since firewalls already do all kinds of packet
    analysis, adding IP tunneling is relatively easy
  • Rapid acceptance of IPsec and IKE is making
    VPNing at the firewall more common
  • not all vendors' IPsec/IKE implementations
    interoperate
  • make sure that the remote clients' software works
    with your firewall VPN

9
Router based VPNs
  • Typically used on big networks
  • specialized devices to isolate internal LAN
    traffic and quickly convey inter-LAN traffic
  • IBM 2210
  • Cisco routers running IOS
  • Ascend MAX switches

10
VPN Architectures
  • Mesh
  • each participant has a direct security
    association with every other participant
  • Hub and spoke
  • each participant has a single security
    association with a single VPN router (the hub),
    which has a security association with every VPN
    device; spoke-to-spoke traffic passes through the
    hub, which decrypts it and re-encrypts it
  • Hybrid
  • combination of both
  • mesh of hubs
  • star of spokes around each hub
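A small model of the three architectures, added here as an example that is not from the original deck: each security association is a pair of devices, and the model counts how many SAs each topology needs and which intermediate devices see a given flow in the clear. Site names are constructed; the hub-and-spoke exposure follows directly from the slide's definition, since a hub that terminates one SA and starts another has the plaintext in between.

```python
from collections import deque
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Set

SA = FrozenSet[str]   # one security association = one pair of VPN devices


def mesh_sas(sites: List[str]) -> Set[SA]:
    """Mesh: every site negotiates an SA directly with every other site."""
    return {frozenset(p) for p in combinations(sites, 2)}


def hub_spoke_sas(hub: str, spokes: List[str]) -> Set[SA]:
    """Hub and spoke: each spoke has exactly one SA, with the hub."""
    return {frozenset((hub, s)) for s in spokes}


def hybrid_sas(hubs: List[str], spokes_by_hub: Dict[str, List[str]]) -> Set[SA]:
    """Hybrid: a mesh of hubs, each hub with its own star of spokes."""
    sas = mesh_sas(hubs)
    for hub, spokes in spokes_by_hub.items():
        sas |= hub_spoke_sas(hub, spokes)
    return sas


def path(sas: Set[SA], src: str, dst: str) -> Optional[List[str]]:
    """Shortest chain of SAs from src to dst (breadth-first search), or None if unreachable."""
    adj: Dict[str, Set[str]] = {}
    for sa in sas:
        a, b = tuple(sa)
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    prev: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in adj.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    out: List[str] = []
    cur: Optional[str] = dst
    while cur is not None:
        out.append(cur)
        cur = prev[cur]
    return out[::-1]


def plaintext_exposure(sas: Set[SA], src: str, dst: str) -> List[str]:
    """Devices other than the endpoints that handle src->dst traffic in the clear:
    every intermediate hop terminates one SA and originates the next, so it must
    decrypt and re-encrypt."""
    p = path(sas, src, dst)
    return [] if p is None else p[1:-1]


def sa_count_for(n_sites: int) -> Dict[str, int]:
    """How many SAs (and therefore keys, policies and peer configs) each topology needs."""
    sites = [f"site{i}" for i in range(n_sites)]
    return {"mesh": len(mesh_sas(sites)),
            "hub_and_spoke": len(hub_spoke_sas(sites[0], sites[1:]))}


if __name__ == "__main__":
    # Constructed sites: one headquarters hub and four branches.
    sites = ["hq", "b1", "b2", "b3", "b4"]
    print("mesh SAs:", len(mesh_sas(sites)), " hub-and-spoke SAs:", len(hub_spoke_sas("hq", sites[1:])))
    print("b1->b2 via hub is seen in the clear by:", plaintext_exposure(hub_spoke_sas("hq", sites[1:]), "b1", "b2"))
    print("20 sites:", sa_count_for(20))
```

The trade-off the slide implies is visible in the numbers: a mesh of n sites needs n(n-1)/2 SAs but no device other than the two endpoints ever sees a flow's plaintext, while hub-and-spoke needs only n-1 SAs at the cost of making the hub a decryption point for all spoke-to-spoke traffic.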

11
Implementations
  • IPsec Tunnel Mode
  • RFC 2401
  • Point-to-Point Tunneling Protocol (PPTP)
  • RFC 2637
  • Layer 2 Tunneling Protocol (L2TP)
  • RFC 2661
  • Point-to-Point Protocol over Secure Sockets Layer
    (PPP/SSL) or Point-to-Point Protocol over Secure
    Shell (PPP/SSH)
  • considered to be hacks, not standards

12
VPN Best Practices
  • Use a real firewall
  • Secure the base operating system
  • Use a single ISP
  • minimize routing hops and ensure cooperation
  • Use packet filtering to reject unknown hosts
  • Use public-key encryption and secure
    authentication
  • Compress before you encrypt
  • stream compression will help overall performance
  • caveat: compressed length depends on the plaintext,
    so compressing attacker-influenced data before
    encrypting it leaks information about that data;
    current practice is to leave VPN compression off
    unless the performance gain is essential
  • Secure remote hosts
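The "use packet filtering to reject unknown hosts" practice, as an added example that is not from the original deck: a default-deny filter in front of an IPsec gateway that admits only the protocols the VPN itself needs (IKE on UDP 500, NAT-T on UDP 4500, ESP and AH) and only from an allow-list of known peer addresses, evaluated over constructed sample traffic. The gateway address, peer list and sample packets are all assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500     # IKE, and IKE/ESP encapsulated in UDP for NAT traversal

# Assumptions (constructed): the gateway's public address and the only peers allowed to
# reach it. Everything else is dropped before the VPN software ever sees the packet.
VPN_GATEWAY = ipaddress.ip_address("192.0.2.1")
KNOWN_PEERS = [ipaddress.ip_network("198.51.100.20/32"),    # partner site gateway
               ipaddress.ip_network("203.0.113.0/28")]      # remote-user address pool


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None


def verdict(pkt: Packet) -> Tuple[bool, str]:
    """Default-deny filter: only IPsec/IKE from listed peers to the gateway passes."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if dst != VPN_GATEWAY:
        return False, "not addressed to the VPN gateway"
    if not any(src in net for net in KNOWN_PEERS):
        return False, "unknown host"
    if pkt.proto in (IPPROTO_ESP, IPPROTO_AH):
        return True, "ipsec data"
    if pkt.proto == IPPROTO_UDP and pkt.dport in (IKE_PORT, NAT_T_PORT):
        return True, "ike / nat-t"
    return False, "protocol is not part of the VPN"


# Constructed sample traffic: three legitimate VPN flows, then what a scanner or an
# exposed LAN protocol would look like arriving at the same interface.
SAMPLE = [
    Packet("198.51.100.20", "192.0.2.1", IPPROTO_UDP, IKE_PORT),    # IKE from partner gateway
    Packet("203.0.113.7", "192.0.2.1", IPPROTO_ESP),                # ESP from a remote user
    Packet("203.0.113.7", "192.0.2.1", IPPROTO_UDP, NAT_T_PORT),    # NAT-T from a remote user
    Packet("192.0.2.99", "192.0.2.1", IPPROTO_UDP, IKE_PORT),       # IKE from an unknown host
    Packet("198.51.100.20", "192.0.2.1", 6, 445),                   # SMB/NetBIOS from a known peer
    Packet("198.51.100.20", "192.0.2.2", IPPROTO_ESP),              # ESP aimed at another host
]


def run_filter(packets: List[Packet]) -> List[Tuple[Packet, bool, str]]:
    return [(p, *verdict(p)) for p in packets]


def accepted(packets: List[Packet]) -> List[Packet]:
    return [p for p, ok, _ in run_filter(packets) if ok]


if __name__ == "__main__":
    for p, ok, why in run_filter(SAMPLE):
        print("ACCEPT" if ok else "DROP  ",
              f"{p.src} -> {p.dst} proto {p.proto} dport {p.dport}: {why}")
```

The order of the checks matters: destination and source are tested before protocol, so a known peer that starts sending NetBIOS or SMB at the gateway is still dropped, which is the point of combining the VPN with a firewall rather than opening the LAN protocols themselves (slide 2).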

13
NIAP
  • National Information Assurance Partnership
    (NIAP)
  • U.S. Government initiative originated to meet
    the security testing needs of both information
    technology (IT) consumers and producers.
  • NIAP is a collaboration between the National
    Institute of Standards and Technology (NIST) and
    the National Security Agency (NSA)
  • in fulfilling their respective responsibilities
    under PL 100-235 (Computer Security Act of 1987).
  • combines the extensive IT security experience of
    both agencies to promote the development of
    technically sound security requirements for IT
    products and systems and appropriate measures for
    evaluating those products and systems.

14
NIAP Goals
  • The long-term goal of NIAP is to help increase
    the level of trust consumers have in their
    information systems and networks through the use
    of cost-effective security testing, evaluation,
    and validation programs. In meeting this goal,
    NIAP seeks to
  • Promote the development and use of evaluated IT
    products and systems
  • Champion the development and use of national and
    international standards for IT security
  • Foster research and development in IT security
    requirements definition, test methods, tools,
    techniques, and assurance metrics
  • Support a framework for international recognition
    and acceptance of IT security testing and
    evaluation results and
  • Facilitate the development and growth of a
    commercial security testing industry within the
    U.S.

15
CCEVS
  • Common Criteria Evaluation and Validation Scheme
  • jointly managed activity of NIST and NSA (NIAP)
  • the validation body
  • focus of the CCEVS is to establish a national
    program for the evaluation of information
    technology products for conformance to the
    International Common Criteria for Information
    Technology Security Evaluation.
  • Common Criteria Testing Laboratory (CCTL)
  • an approved testing laboratory
  • Validation body reviews products tested by CCTL
  • awards certification (or not)
  • maintains the Validated Products List (VPL)

16
Evaluation Assurance Levels
  • EAL1 Functionally tested
  • EAL2 Structurally tested
  • EAL3 Methodically tested and checked
  • EAL4 Methodically designed, tested and reviewed
  • EAL5 Semiformally designed and tested
  • EAL6 Semiformally verified design and tested
  • EAL7 Formally verified design and tested

17
SSL Based VPNs
  • Browser based
  • PositivePRO (Positive Networks), Connectra
    (Check Point Software)
  • No special client needed
  • can be used on any web-enabled device that
    supports SSL (PDA, cell phones...)
  • OS independent
  • Can't access desktop applications
  • Netifice
  • Browser based
  • Java agent based
  • SSL Windows client for desktop access
  • SSL-Explorer (open source)

18
SSL Based VPNs
  • Non-browser based
  • OpenVPN
  • requires client software to be installed for each
    user
  • Open source (free)
  • very good track record (since 2002)
  • Runs on most OSs
  • compatible with
  • SSL/TLS
  • RSA certificates
  • X.509 PKI
  • NAT
  • DHCP
  • TUN/TAP virtual devices
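As an added example (not OpenVPN's own code and not from the original deck), a small review script for an OpenVPN 2.x server configuration: it parses a constructed server.conf with legacy settings beside a hardened one and flags the settings a security reviewer would raise, including the compression-before-encryption point from the best-practices slide and the Blowfish default cipher mentioned on the Linux slide. The parser handles only plain `directive args` lines (inline `<ca>...</ca>` blocks are an assumption it does not cover), and the finding codes are this script's own.

```python
from typing import Dict, List, Tuple

# Constructed server.conf fragments in OpenVPN 2.x directive syntax.
WEAK_CONF = """\
dev tun
proto udp
port 1194
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
cipher BF-CBC
comp-lzo
"""

HARDENED_CONF = """\
dev tun
proto udp
port 1194
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
tls-crypt ta.key
tls-version-min 1.2
remote-cert-tls client
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
"""

AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive to its argument list; a repeated directive keeps the last value."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        conf[name] = args
    return conf


def compression_enabled(conf: Dict[str, List[str]]) -> bool:
    """True for comp-lzo (unless 'no') or compress with a real algorithm; the 'stub'
    variants only keep the framing and do not compress."""
    if "comp-lzo" in conf and conf["comp-lzo"] != ["no"]:
        return True
    args = conf.get("compress")
    return bool(args) and args[0] not in ("stub", "stub-v2")


def lint(conf: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings for settings a reviewer would flag."""
    findings: List[Tuple[str, str]] = []
    if "tls-auth" not in conf and "tls-crypt" not in conf:
        findings.append(("no-control-channel-auth",
                         "without tls-auth/tls-crypt any Internet host can open a TLS handshake with the server"))
    if compression_enabled(conf):
        findings.append(("compression",
                         "compressing before encrypting leaks plaintext length; leave it off"))
    ciphers = [c for arg in (conf.get("data-ciphers") or conf.get("cipher", []))
               for c in arg.split(":")]
    bad = [c for c in ciphers if c.upper() not in AEAD_CIPHERS]
    if not ciphers or bad:
        findings.append(("weak-cipher",
                         "cipher %s: Blowfish is a 64-bit block cipher; use an AEAD cipher such as AES-256-GCM"
                         % (", ".join(bad) or "(default, BF-CBC on 2.4 and earlier)")))
    if "tls-version-min" not in conf:
        findings.append(("no-tls-version-min",
                         "older builds accept TLS 1.0 unless tls-version-min is set"))
    if "remote-cert-tls" not in conf:
        findings.append(("no-remote-cert-tls",
                         "certificate key usage is not checked, so any certificate from the CA can act as a client"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label + ":")
        for code, why in lint(parse_conf(text)) or [("ok", "no findings")]:
            print("  %-24s %s" % (code, why))
```

The two configurations differ only in the control-channel and cipher lines, which is the practical difference between "compatible with SSL/TLS and X.509" as a capability and a tunnel that is actually hard to attack: tls-crypt keeps unauthenticated hosts away from the TLS stack entirely, and remote-cert-tls stops one issued certificate from being used in the other role.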