Virtual Private Networks (VPN) - PowerPoint PPT Presentation

1 / 21
About This Presentation
Title:

Virtual Private Networks (VPN)

Description:

Title: Web Security Author: Andrew Yang Last modified by: Yang Created Date: 8/25/2005 3:09:39 AM Document presentation format: On-screen Show Company – PowerPoint PPT presentation

Number of Views:266
Avg rating:3.0/5.0
Slides: 22
Provided by: Andrew687
Category:

less

Transcript and Presenter's Notes

Title: Virtual Private Networks (VPN)


1
Virtual Private Networks(VPN)
Chapters 10, 11, 12
2
Outline
  • The Concept of VPNs ch. 10
  • VPNs defined
  • Types
  • Generic Routing Encapsulation (GRE) ch. 11
  • Layer 2 Tunneling Protocol (L2TP) ch. 12
  • IPsec VPNs ch. 13
  • Other types of VPNs?

3
What is VPN?
  • A VPN is a means of carrying private traffic over
    a public network.
  • Often used to connect two private networks, over
    a public network, to form a virtual network
  • The word virtual means that, to the users on
    either end, the two private networks seem to be
    seamlessly connected to each other.
  • That is, they are part of a single virtual
    private network (although physically they are two
    separate networks).
  • ? implication? connectivity, security, privacy
  • The VPN should provide the same connectivity and
    privacy you would find on a typical local private
    network.

4
Different Types of VPNs
  • Based on encryption
  • Encrypted VPNs
  • Nonencrypted VPNs
  • Based on OSI model
  • Data link layer VPNs
  • Network layer VPNs
  • Application layer VPNs
  • Based on business functionality
  • Intranet VPNs
  • Extranet VPNs
  • Question How do we classify SSL VPNs and
    IPsec VPNs?
  • see OpenVPN and SSL VPN Revolution (or local copy)

5
Encrypted vs Nonencrypted VPNs
  • In encrypted VPNs, encryption mechanisms are used
    to secure the traffic across the public network.
  • Example IPsec VPNs
  • In nonencrypted VPNs, either data security is not
    ensured at all, or is ensured by other means
    (including encryption at higher layers).
  • Examples
  • MPLS VPNs (Multiprotocol Label Switching)
  • cisco white paper
  • GRE-based VPNs (ch. 11)
  • Uses higher layer encryption for confidentiality

6
VPNs at different OSI layers
  • The layer where VPN is constructed affects its
    functionality.
  • Example In encrypted VPNs, the layer where
    encryption occurs determines
  • how much traffic gets encrypted
  • the level of transparency for the end users
  • Data link layer VPNs (Layer-2)
  • Example protocols Frame Relay, ATM
  • Drawbacks
  • Expensive - Requires dedicated Layer 2 pathways
  • may not have complete security mainly
    segregation of the traffic, based on types of
    Layer 2 connection
  • Q Is L2TP a layer 2 VPN?

7
VPNs at different OSI layers
  • Network layer VPNs (Layer-3)
  • Created using layer 3 tunneling and/or encryption
  • Q difference between encapsulation and tunneling
    ?
  • See http//computing-dictionary.thefreedictionary.
    com/tunneling20protocol
  • Example IPsec, GRE, L2TP (tunneling layer 2
    traffic by using the IP layer to do that)
  • Advantages
  • A proper layer
  • Low enough transparency
  • High enough IP addressing
  • Cisco focuses on this layer for its VPNs.

8
VPNs at different OSI layers
  • Application layer VPNs
  • Created to work specifically with certain
    applications
  • Example
  • SSL-based VPNs (providing encryption between web
    browsers and servers running SSL)
  • SSH (encrypted and secure login sessions to
    network devices)
  • Drawbacks
  • May not be seamless (transparency issue)
  • Counter-argument OpenVPN and SSL VPN Revolution
    (Hosner, 2004)
  • The myth that Secure Socket Layer (SSL) Virtual
    Private Network devices (VPNs) are used to
    connect applications together is not true.
  • A VPN is a site-to-site tunnel.
  • There is a terrible misunderstanding in the
    industry right now that pigeon-holes SSL VPNs
    into the same category with SSL enabled web
    servers and proxy servers.
  • A VPN, or Virtual Private Network, refers to
    simulating a private network over the public
    Internet by encrypting communications between the
    two private end-points.
  • A VPN device is used to create an encrypted,
    non-application oriented tunnel between two
    machines that allows these machines or the
    networks they service to exchange a wide range of
    traffic regardless of application or protocol.
    This exchange is not done on an application by
    application basis. It is done on the entire link
    between the two machines or networks and
    arbitrary traffic may be passed over it.

9
Other Classification of VPNs ?
  • Intranet VPNs vs Extranet VPNs
  • Remote Access VPNs vs Site-to-site VPNs

10
Generic Routing Encapsulation(GRE)
  • Provides low overhead tunneling (often between
    two private networks)
  • Does not provide encryption
  • Used to encapsulate an arbitrary layer protocol
    over another arbitrary layer protocol
  • delivery header GRE header payload packet
  • Mostly IPv4 is the delivery mechanism for GRE
    with any arbitrary protocol nested inside
  • e.g., IP protocol type 47 GRE packets using
    IPv4 headers
  • RFCs
  • RFC1701 Generic Routing Encapsulation (GRE) S.
    Hanks, T. Li, D. Farinacci, P. Traina, October
    1994 (INFORMATIONAL)
  • RFC2784 Generic Routing Encapsulation (GRE) D.
    Farinacci, T. Li, S. Hanks, D. Meyer, P. Traina,
    March 2000 (PROPOSED STANDARD)
  • RFC2890 Key and Sequence Number Extensions to
    GRE G. Dommety, September 2000 (PROPOSED STANDARD)

11
Generic Routing Encapsulation
  • GRE Header (based on RFC1701, deprecated) Figure
    11-2
  • GRE Header (based on RFC 2784 2890) Figure 11-4
  • C 1, checksum present
  • Checksum to ensure the integrity of the GRE
    header and the payload packet contains a
    checksum of the GRE header and the payload packet
  • Key
  • contains a number to prevent misconfiguration of
    packets
  • may be used to identify individual traffic flow
    within a tunnel
  • Not the same as a cryptographic key

12
Generic Routing Encapsulation
  • Summary
  • GRE mainly perform tunneling.
  • Does not provide a means to securely encrypt its
    payload
  • Often relies on application layer to provide
    encryption
  • May be used together with a network layer
    encryption (such as IPsec)
  • Example 1 use GRE to encapsulate non-IP traffic
    and then encrypt the GRE packet using IPsec
  • Example 2 use GRE to encapsulate multicast
    traffic, and then encrypt the GRE packet using
    IPsec
  • Question Why not simply use IPsec?

13
Generic Routing Encapsulation
  • Case Studies
  • A GRE tunnel connecting two private networks
    Figure 11-5
  • GRE between multiple sites Figure 11-6
  • GRE between two sites running IPX

14
Layer 2 Tunneling Protocol(L2TP)
  • An example of network layer VPN use IP packets
    to encapsulate Layer 2 frames
  • RFCs
  • RFC2661 Layer Two Tunneling Protocol L2TP W.
    Townsley, A. Valencia, A. Rubens, G. Pall, G.
    Zorn, B. Palter. August 1999 (PROPOSED STANDARD)
  • a standard method for tunneling Point-to-Point
    Protocol (PPP) RFC1661 sessions.
  • L2TP has since been adopted for tunneling a
    number of other L2 protocols (e.g., Ethernet,
    Frame Relay, etc).
  • RFC3931 Layer Two Tunneling Protocol - Version 3
    (L2TPv3) J. Lau, Ed., M. Townsley, Ed., I.
    Goyret, Ed. March 2005 (PROPOSED STANDARD)
  • L2TPv3 defines the base control protocol and
    encapsulation for tunneling multiple Layer 2
    connections between two IP nodes.
  • L2TPv3 consists of
  • the control protocol for dynamic creation,
    maintenance, and teardown of L2TP sessions, and
  • the L2TP data encapsulation to multiplex and
    demultiplex L2 data streams between two L2TP
    nodes across an IP network.

15
Layer 2 Tunneling Protocol
  • PPP RFC1661
  • PPP defines an encapsulation mechanism for
    transporting multiprotocol packets across layer 2
    (L2) point-to-point links. ? That is, a tunneling
    protocol
  • Used to tunnel PPP over a public network using IP
  • Typically, a user obtains a L2 connection to a
    Network Access Server (NAS) using one of a number
    of techniques (e.g., dialup POTS, ISDN, ADSL,
    etc.) and then runs PPP over that connection.
  • In such a configuration, the L2 termination point
    and PPP session endpoint reside on the same
    physical device (i.e., the NAS).
  • L2TP
  • L2TP extends the PPP model by allowing the L2 and
    PPP endpoints to reside on different devices
    interconnected by a packet-switched network.
  • With L2TP, a user has an L2 connection to an L2TP
    access concentrator (LAC, e.g., modem bank, ADSL
    DSLAM, etc.), and the concentrator then tunnels
    individual PPP frames to the NAS. (See Fig.
    12-1)
  • This allows the actual processing of PPP packets
    to be divorced from the termination of the L2
    circuit.

16
Layer 2 Tunneling Protocol
  • L2TP (according to TheFreeDictionary,
    http//computing-dictionary.thefreedictionary.com/
    L2TP)
  • A protocol from the IETF that allows a PPP
    session to travel over multiple links and
    networks.
  • L2TP is used to allow remote users access to the
    corporate network.
  • PPP is used to encapsulate IP packets from the
    user's PC to the ISP, and L2TP extends that
    session across the Internet.
  • L2TP was derived from Microsoft's Point-to-Point
    Tunneling Protocol (PPTP) and Cisco's Layer 2
    Forwarding (L2F) technology.

17
Layer 2 Tunneling Protocol
  • From Access Concentrator to Network Server
  • The "L2TP Access Concentrator" (LAC) encapsulates
    PPP frames with L2TP headers and sends them over
    the Internet as UDP packets (or over an ATM,
    frame relay or X.25 network).
  • At the other end, the "L2TP Network Server" (LNS)
    terminates the PPP session and hands the IP
    packets to the LAN. L2TP software can also be run
    in the user's PC.
  • Carriers also use L2TP to offer remote points of
    presence (POPs) to smaller ISPs. Users in remote
    locations dial into the carrier's local modem
    pool, and the carrier's LAC forwards L2TP traffic
    to the ISP's LNS.
  • L2TP and IPsec
  • L2TP does not include encryption (as does PPTP),
    but is often used with IPsec in order to provide
    virtual private network (VPN) connections from
    remote users to the corporate LAN.

18
Layer 2 Tunneling Protocol
  • Types of L2TP Tunnels
  • Compulsory L2TP Tunneling
  • The client is completely unaware of the presence
    of an L2TP connection.
  • The L2TP Access Concentrator (LAC) is aware of
    L2TP.
  • Figure 12-3 (client) ? PPP Data ? (LAC) ?
    L2TP Data ? (LNS)
  • Voluntary L2TP Tunneling
  • The client is aware of the presence of an L2TP
    connection.
  • The LAC is unaware of L2TP.
  • Figure 12-4 (client) ? PPP L2TP Data ? (LAC)
    ? L2TP Data ? (LNS)

19
L2TP Operations
  • Assumptions Compulsory tunneling
  • The Procedure
  • The Client initiates a PPP connection to the LAC.
  • The LAC does LCP negotiation with the client, and
    challenges the client for authentication
    credentials.
  • The client supplies the credentials (such as user
    name, domain name, password).
  • The LAC uses the domain name to ascertain which
    LNS it needs to contact (in the case of multiple
    domains).
  • The LAC begins establishing an L2TP tunnel with
    the LNS.
  • Two Stages of L2TP Tunnel Setup
  • Set up a control session between the LAC and the
    LNS.
  • Set up the actual L2TP tunnel for passing the
    data (aka. creating the session)
  • Notes
  • Between a pair of LAC and LNS, there may exist
    multiple tunnels.
  • Across a single L2TP tunnel, there may exist
    multiple sessions.

20
L2TP Operations
  • Control Connection Establishment
  • Figure 12-5
  • Session Establishment
  • Figure 12-6
  • Figure 12-8 Transaction Flow for L2TP
    Establishment
  • Header Format of L2TP Packets
  • Figure 12-9

21
L2TP Operations
  • Case Studies
  • Setting up compulsory L2TP Tunneling
  • Figure 12-10
  • Protecting L2TP Traffic using IPsec in a
    compulsory tunneling setup
  • Figure 12-11
Write a Comment
User Comments (0)
About PowerShow.com