1 / 23

Outline

Perimeter Defense in Networks: Virtual Private Networks Advanced Network Security Peter Reiher August, 2014. Outline. Another aspect of the perimeter defense problem Virtual private networks What are they? How do they handle this problem? Their practical use. Another Aspect of the Problem.

noelle-bell
Télécharger la présentation

Outline

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Perimeter Defense in Networks: Virtual Private NetworksAdvanced Network Security Peter ReiherAugust, 2014

  2. Outline • Another aspect of the perimeter defense problem • Virtual private networks • What are they? • How do they handle this problem? • Their practical use

  3. Another Aspect of the Problem What if you need to work across the Internet? You want to get the same protection on both ends that firewalls would give But those running the Internet won’t install firewalls for you So there’s an untrusted hole in your perimeter

  4. Illustrating the Problem NOT SAFE! SAFE! SAFE! Your Los Angeles firewall No firewall Your Saigon firewall Your Los Angeles office Your Saigon office The Internet

  5. Cryptography to the Rescue • We can’t ensure bad guys don’t see the packets we send outside our firewalls • But we can ensure they don’t understand them and can’t alter them • We can use cryptography to do that • Essentially, a different way to provide perimeter defense • When physical boundaries don’t apply

  6. How To Do That? • Encrypt all traffic between our trusted endpoints • Literally everything • For preference, even hide sender and receiver information • To prevent attackers from knowing details of our networks

  7. Virtual Private Networks • VPNs • The formal name for the solution we just outlined • A dedicated virtual closed network • Running across an untrusted open network • Security provided by cryptography

  8. Encryption and Virtual Private Networks • Use encryption to convert a shared line to a private line • Set up a firewall at each installation’s network • Set up shared encryption keys between the firewalls • Encrypt all traffic using those keys

  9. Actual Use of Encryption in VPNs • VPNs run over the Internet • Internet routers can’t handle fully encrypted packets • Obviously, VPN packets aren’t entirely encrypted • They are encrypted in a tunnel mode • Often using IPSec • Gives owners flexibility and control

  10. Key Management and VPNs • All security of the VPN relies on key secrecy • How do you communicate the key? • In early implementations, manually • Modern VPNs use IKE or proprietary key servers • How often do you change the key? • Better be often • And better be largely automated

  11. Some Other VPN Issues • Interactions between VPNs and firewalls • New models of VPN deployment

  12. VPNs and Firewalls • VPN encryption is typically done between firewall machines • VPN often integrated into firewall product • Do I need the firewall for anything else? • How much do I trust the remote office . . .? • Remember, you must not only trust honesty • You must also trust caution

  13. Placing the Firewall Outside the VPN • Placing the firewall “outside” the VPN is pointless • Traffic is encrypted, at that point • Also, true IP addresses, ports, etc. are hidden by the tunneling • Can’t usefully analyze packets here

  14. Placing the Firewall Inside the VPN • Meaning, after the VPN encryption has been removed • And the tunneling undone • Allows firewall to analyze the packets that would actually be delivered • “Inside” means “later in same box” usually • One machine handles both VPN and firewalls

  15. New Models of VPNs • Original model sets up VPN between two endpoints • Static endpoints • Semi-permanent VPN • Modern needs have suggested other ways to use VPNs

  16. VPNs and Portable Computing • Increasingly, workers connect to offices remotely • While on travel • Or when working from home • We can use VPNs to offer a secure solution

  17. Securing the Mobile Worker Set up VPN software on his computer Capturing all incoming/outgoing packets Applying encryption Using a key shared with the home office Wherever the user goes, his VPN endpoint goes with him

  18. Temporary VPNs What if a group of users want to communicate securely? They’ve never done so before They might never do so again They will never meet in person They want it set up quickly

  19. Arranging a Temporary VPN Get the same VPN software to all participants Securely set up a key distributed to all of them For the period of the conversation, send just relevant packets through VPN Throw it all away when you’re done

  20. Practical Use of Temporary VPNs • Often set up by video/teleconferencing companies • Using a web interface for • Administration • Software distribution • Key distribution • Requires customers to trust that company • SW could be bogus • Key distribution could be bugged • They claim, of course, they don’t do that

  21. Major Security Issues for Temporary VPNs • Key distribution • Typically want to distribute same symmetric key to all • Authentication • How does everyone know that the other participants are proper • Bogus software • Compromised user machines

  22. How It Usually Works • Clients get access from any machine • Using downloaded code • Connect to web server, download VPN applet, away you go • Crypto usually leverages existing SSL code • Authentication via user ID/password • Implies you trust the applet . . .

  23. Conclusion • VPNs offer a reasonable way to get some degree of perimeter defense across the Internet • VPNs are really just a case of applied cryptography • If you use one, think about what components you’re trusting • Should you trust them?

More Related