
SCSC 455 Computer Security

SCSC 455 Computer Security. Virtual Private Network (VPN). How to connect LANs: there are common demands for joining two or more LANs to facilitate corporate communications, with secure point-to-point communications where the connection can only be used by authenticated LANs / hosts.

jadon


Presentation Transcript


  1. SCSC 455 Computer Security Virtual Private Network (VPN)

  2. How to connect LANs
  • There are common demands for joining two or more LANs to facilitate corporate communications
    • secure point-to-point communications
    • the connection can only be used by authenticated LANs / hosts
  • One solution (the traditional one) is to use private leased lines
    • Problems: they don't scale well, the cost is high, and maintaining the leased lines is complex
  • Another solution: virtual private networks

  3. VPNs
  • Goal of VPNs
    • Provide a cost-effective and secure way to connect businesses to one another and remote workers to office networks
  • Functionalities of VPNs
    • Encapsulate and encrypt data being transmitted
    • Use authentication to ensure that only approved users can access the VPN
    • Provide a means of secure point-to-point communications over the public Internet

  4. Index
  • VPN components and operations
  • Types of VPNs
  • VPN setups
  • Tunneling protocols used with VPNs
  • Enabling secure remote access connections within VPNs
  • VPN best practices

  5. Components within VPNs
  VPNs consist of two different types of components
  • Hardware devices
    • two endpoints (terminators), which perform encryption, authentication, and encapsulation
    • a (virtual) tunnel: a series of connections between the two endpoints that makes use of Internet-based hosts/servers
  • Software that performs security-related activities

  6. Essential Activities of VPNs
  Three essential activities of VPNs
  • IP encapsulation
  • Data payload encryption
  • Encrypted authentication

  7. IP Encapsulation
  • A VPN encapsulates the actual data packets within packets that use the source and destination addresses of the VPN gateways
  • The benefits of encapsulating IP packets
    • Source and destination information of the actual data packets is completely hidden
    • Source and destination IP addresses of the actual data packets can be in private reserved blocks that are not usually routable over the Internet

  8. Data Payload Encryption
  • VPNs do NOT encrypt the (outer) header of packets, which must stay readable for routing; only the data payload that the packets carry is encrypted
  • The encryption can be performed in one of two ways:
    • Transport method
      • The host encrypts traffic when it's generated
    • Tunnel method
      • The traffic is encrypted and decrypted in transit, somewhere between the source host and destination

  9. Encrypted Authentication
  • Authentication is essential: hosts in the network that receive VPN communication need to know that the host originating the communication is an approved user of the VPN
  • Hosts are authenticated by exchanging long blocks of code: keys
  • Types of keys that can be exchanged in an encrypted transaction:
    • Symmetric keys
    • Asymmetric keys

  10. Index
  • VPN components and operations
  • Types of VPNs
  • VPN setups
  • Tunneling protocols used with VPNs
  • Enabling secure remote access connections within VPNs
  • VPN best practices

  11. Types of VPNs
  • Two types of VPNs
    • Site-to-site VPN: links two or more networks
    • Client-to-site VPN: makes a network accessible to remote users who need dial-in access
  • These two types of VPNs are NOT mutually exclusive, e.g., a large corporation's network may support both site-to-site and client-to-site VPNs

  12. Advantage of Using Hardware Systems

  13. Software VPN Systems
  • Software VPNs are generally less expensive than hardware systems
  • Tend to scale better for fast-growing networks
  • Examples
    • F-Secure VPN+
    • Novell BorderManager VPN services
    • Check Point FireWall-1

  14. Index
  • VPN components and operations
  • Types of VPNs
  • VPN setups
  • Tunneling protocols used with VPNs
  • Enabling secure remote access connections within VPNs
  • VPN best practices

  15. Index
  • VPN components and operations
  • Types of VPNs
  • VPN setups
  • Tunneling protocols used with VPNs
  • Enabling secure remote access connections within VPNs
  • VPN best practices

  16. Tunneling Protocols Used with VPNs
  • In the past, firewalls that supported VPNs used proprietary protocols
    • Both endpoints had to use the same brand of firewall
  • Today proprietary protocols are used less often; most VPNs use standard tunneling protocols
    • IPSec/IKE
    • PPTP (Point-to-Point Tunneling Protocol)
    • L2TP (Layer 2 Tunneling Protocol)
    • PPP over SSL (Point-to-Point Protocol over Secure Sockets Layer)
    • PPP over SSH (Point-to-Point Protocol over Secure Shell)

  17. IPSec/IKE
  • IPSec provides:
    • Encryption of the data part of packets
    • Authentication
    • Encapsulation between two VPN hosts
  • Two security methods (AH and ESP)
    • Authentication Header (AH) is used to authenticate packets
    • Encapsulating Security Payload (ESP) encrypts the data portions of the packet
  • IPSec is commonly combined with IKE as a means of using public key cryptography to encrypt data
  • IKE provides:
    • Exchange of public keys
    • Ability to determine which encryption protocols should be used to encrypt data that flows through the VPN tunnel

  18. Other tunneling protocols: PPTP
  • PPTP was developed by Microsoft for granting VPN access to remote users over dial-up connections
  • Uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data
  • Useful if support for older clients is needed
  • Compatible with Network Address Translation (NAT)
  • Replaced by L2TP

  19. Other tunneling protocols: L2TP
  • L2TP is an extension of the Point-to-Point Protocol (PPP) that enables dial-up users to establish a VPN connection to a remote access server
  • Uses IPSec rather than MPPE to encrypt data
    • provides a higher level of encryption and authentication
  • Incompatible with NAT
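As an added example, not taken from the lecture slides, the Python below ties together slides 7, 8, 17 and 19: it wraps a packet carrying private addresses (tunnel mode) in an ESP-style payload behind the gateways' public addresses, so the inner addresses never appear in cleartext, and then computes an AH-style integrity value that covers the outer IP header and shows why a NAT rewrite of the source address breaks it while a TTL decrement does not. The cipher is a constructed HMAC-SHA256 counter-mode stand-in rather than a real ESP cipher, the keys, addresses and SPI are made-up sample values, and every function name is hypothetical, not part of any IPsec implementation.

```python
import hashlib, hmac, os, socket, struct

def ipv4_checksum(hdr: bytes) -> int:
    # One's-complement sum over the ten 16-bit words of a 20-byte header (RFC 791).
    s = sum(struct.unpack("!10H", hdr[:20]))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    # Minimal IPv4 header (no options) in front of the payload; checksum filled in last.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def outer_addresses(pkt: bytes):
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Constructed stand-in for ESP's cipher: HMAC-SHA256 run in counter mode.
    blocks = (hmac.new(key, iv + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def esp_encapsulate(inner, gw_src, gw_dst, enc_key, auth_key, spi, seq, iv=None):
    # Tunnel mode: the whole inner packet (private addresses included) is encrypted.
    iv = os.urandom(8) if iv is None else iv
    ct = bytes(a ^ b for a, b in zip(inner, keystream(enc_key, iv, len(inner))))
    body = struct.pack("!II", spi, seq) + iv + ct
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:16]  # covers ESP only
    return build_ipv4(gw_src, gw_dst, 50, body + icv)              # protocol 50 = ESP

def esp_decapsulate(outer, enc_key, auth_key):
    body, icv = outer[20:-16], outer[-16:]
    if not hmac.compare_digest(hmac.new(auth_key, body, hashlib.sha256).digest()[:16], icv):
        raise ValueError("ESP integrity check failed")  # tampered payload or wrong key
    spi, seq = struct.unpack("!II", body[:8])
    ks = keystream(enc_key, body[8:16], len(body) - 16)
    return spi, seq, bytes(a ^ b for a, b in zip(body[16:], ks))

def ah_icv(pkt: bytes, auth_key: bytes) -> bytes:
    # AH-style integrity value: covers the IP header (TTL and checksum zeroed because
    # they change in transit) plus the payload, so the addresses are authenticated.
    immutable = pkt[:8] + b"\x00" + pkt[9:10] + b"\x00\x00" + pkt[12:]
    return hmac.new(auth_key, immutable, hashlib.sha256).digest()[:16]

def nat_rewrite_source(pkt: bytes, new_src: str) -> bytes:
    # What a NAT box does on the way out: swap the source address, recompute the checksum.
    hdr = pkt[:10] + b"\x00\x00" + socket.inet_aton(new_src) + pkt[16:20]
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + pkt[20:]
```

The ESP integrity value survives the NAT rewrite because it covers only the ESP body, whereas the AH value changes, which is the header-level reason an AH-protected tunnel cannot pass through a NAT unchanged.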

  20. Other tunneling protocols: PPP over SSL and PPP over SSH
  • PPP over SSL and PPP over SSH are two UNIX-based methods for creating VPNs
  • Both combine an existing tunnel system (PPP) with a way of encrypting data in transport (SSL or SSH)
  • SSL
    • Public key encryption system used to provide secure communications over the Web
  • SSH
    • UNIX secure shell that performs secure authenticated logons and encrypted communications between a client and a server

  21. When to Use Different tunneling Protocols (important!)
