Chapter 19: VPN and NAT
Nelson Azadian, Victor Seletskiy, Pavel Dikhtyar
VPN Overview
• Why we need Virtual Private Networks.
• What a Virtual Private Network consists of.
• What a Virtual Private Network does.
• How a Virtual Private Network does what it does.
• Pros and cons of VPNs.
Imagine the Following Scenario
• You are a network administrator hired by a company to create a network which is both private and able to access the internet.
• How would you do it?
You Could…
• Create a network comprised of both an internal and an external network. By internal we mean a network which is unavailable to those outside of the network. Conversely, by external we mean a network which is available to those outside of the network.
Example
• As you can see, we have two networks: an internal network, on the right, which lacks access to the internet, i.e. is private, and an external network, on the left, which is allowed access to the internet, i.e. is public.
Continuing With Our Previous Scenario…
• Let’s say the same company, which had previously hired you to build a network, decides to build another office building 100 miles away from its current office building. You are once again hired by the company to build a private network between the two office buildings.
• How would you do it?
What Won’t Work
• A LAN-based private network would be out of the question due to the cost of both building and maintaining such a network.
Continuation of What Won’t Work
• We could use a WAN-based network to connect both office buildings. However, the same problem of the cost of building and maintaining such a network would once again arise.
• What about leased lines?
What are Leased Lines?
Leased lines are connection-based, rather than packet-switched, lines which a phone company or internet service provider will lease to an individual or corporation. Due to their connection-based nature, leased lines are guaranteed to remain private. Unfortunately, leased lines are expensive and, for many companies, out of their budget.
What Will Work
Why We Need Virtual Private Networks
• VPNs, or Virtual Private Networks, are a cheaper yet effective alternative to leased lines which, as with leased lines, allow networks to remain private.
• Unlike leased lines, VPNs do so using packet-switched networks, i.e. virtual lines.
What a Virtual Private Network Consists of
• A Virtual Private Network basically consists of a router, with specialized software, which acts as a gateway between an external network, i.e. the internet, and an internal network, i.e. some private network.
What a Virtual Private Network Does
• When a host on an internal, i.e. private, network needs to send a packet to a host not on its own internal network, it sends the packet to the specialized router.
Continuation of What a Virtual Private Network Does
• Once the specialized router receives the packet, it examines the destination of the packet.
• The router then encrypts the packet, places it in a datagram, and sends it off to its destination. The destination in question belongs to another specialized router, similar to our previous specialized router. This second specialized router belongs to the destined host’s VPN and acts as its gateway.
• We are not initially sending the packet to the destined host.
How a Virtual Private Network Does What it Does
• Virtual Private Networks use two basic techniques to allow them to remain private, yet at the same time do so without the use of expensive connection-based networks.
• The two techniques in question:
• Encryption
• Tunneling
What is Encryption?
• Simply put, encryption is the process of modifying data in such a way that it becomes unintelligible to anyone without the key.
• Take for instance the following example: “L ORYH QDFKR’V” is really “I LOVE NACHO’S” using a simple Caesar or shift-3 cipher (each letter is replaced by the letter three positions later in the alphabet).
Why Use Encryption?
• The reason is simple: in order to keep data on an internal network private, we need some way of keeping the data on that network private. Hence, we use encryption, taking our original data and modifying it in some way so as to keep its original content secret.
• Examples of encryption algorithms include DES, Triple DES, AES, RSA, etc.
Why Do We Encrypt the Entire Packet?
• You may recall that I mentioned that the entire packet needed to be encrypted, i.e. data and header; why?
• Encrypting the data portion of the packet is not enough to ensure that our private network remains private. In order for our private network to remain truly private we must not only hide the data on the network but also the topology of that network.
• *Note* We still require the use of a globally valid IP address, otherwise we wouldn’t be able to send the packet over the “global” external internet. However, this globally assigned IP address is assigned only to the VPN gateway and not to any of the hosts on the internal private network.
Continuation of Why We Encrypt the Entire Packet
• Let’s say we hadn’t encrypted the entire packet, i.e. we had encrypted only the packet’s data and not its header, and an unauthorized party was able to sniff or obtain a copy of the packet using a program such as Ethereal. Though the unauthorized party would not be able to access the data, i.e. would not have the key necessary to decrypt the packet, the unauthorized party would still know the packet’s source and destination, i.e. would know which specific host on the first VPN sent the packet to which specific host on the second VPN.
What’s the Big Deal?
• The big deal is that if the unauthorized party or attacker is able to find out where the packet came from as well as where it was destined, the attacker may be able to further compromise the security of either of the two VPNs, i.e. may be able to break into one or both of the VPNs.
• By encrypting the entire packet we keep both the data within the packet private and the existence, or location, of the two hosts private, i.e. we keep the topology of the internal private network hidden.
What is Tunneling?
• Tunneling is basically a way of specifying that a datagram be sent to a specific router, rather than to a specific host.
Why Specify a Router?
• Question: How do we decrypt the packet the source host had originally sent?
• Wrong Answer: Sending the key along with the encrypted packet is not a viable solution.
• Correct Answer: Both routers must have agreed upon a key before any transmission of packets occurs. Therefore, in order to agree upon a specific key, both routers must have already known about each other’s existence, i.e. already had an entry in their routing tables for one another.
A Common Misconception About Tunneling
• The word “tunneling” tends to imply that a “tunnel” is a single path, leading from one endpoint to another.
Unfortunately This is Not True
• With respect to VPNs, the word “tunneling” is used because, in order to “tunnel” a packet, the two endpoints of the tunnel, i.e. the routers which will encrypt and decrypt, must be known before a packet is encrypted and sent out into the internet. We do not, however, specify a specific route a packet must follow, merely the last or first router to receive or send the encrypted packet.
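The encapsulation described on the preceding slides, as an added example that is not part of the original slides: two gateways share a pre-agreed key, the whole inner packet (header and data) is sealed and placed in an outer datagram addressed gateway-to-gateway, and an on-path observer sees only the gateway addresses. The payload-only variant is included to show what a sniffer learns when the inner header is left in the clear. The HMAC-SHA256 counter-mode stream cipher, the TEST-NET gateway addresses and the JSON "packets" are constructed stand-ins for illustration, not IPsec's actual formats.

```python
import hashlib, hmac, json, os, struct

# Constructed demo key shared by the two gateways in advance; hosts behind them never hold it.
PSK = hashlib.sha256(b"constructed-demo-psk").digest()
GATEWAY_A, GATEWAY_B = "203.0.113.1", "198.51.100.1"  # constructed, globally routable (TEST-NET) addresses

def keystream(key, nonce, n):
    """Toy stream cipher: HMAC-SHA256 in counter mode. Illustration only, not ESP's cipher."""
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
        i += 1
    return out[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag. The tag gives ESP-style message integrity."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: datagram modified in transit")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))

def inner_packet(src, dst, payload):
    """A host's original packet: private (RFC 1918) source/destination plus data."""
    return json.dumps({"src": src, "dst": dst, "payload": payload}).encode()

def tunnel_encapsulate(inner, gw_src, gw_dst, key):
    """Tunnel mode: the WHOLE inner packet is encrypted; the outer header names only the gateways."""
    return {"src": gw_src, "dst": gw_dst, "esp": seal(key, inner)}

def transport_encapsulate(inner, key):
    """Payload-only encryption: the inner hosts' addresses stay visible in the outer header."""
    pkt = json.loads(inner)
    return {"src": pkt["src"], "dst": pkt["dst"], "esp": seal(key, pkt["payload"].encode())}

def sniffer_view(datagram):
    """What an observer without the key learns from the datagram: just the outer source and destination."""
    return (datagram["src"], datagram["dst"])

def tunnel_decapsulate(datagram, key):
    """The receiving gateway verifies, decrypts and recovers the original inner packet."""
    return json.loads(unseal(key, datagram["esp"]))
```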
Pros of Virtual Private Networks
• Practically guarantee network and data privacy.
• Are a cheap and effective alternative to WANs or leased lines.
• Easily map onto an existing network with little modification.
Cons of Virtual Private Networks
• Unlike most routers, VPN gateway routing tables are not dynamic, i.e. they must be entered by a network administrator.
• If a VPN gateway goes down, it is very possible that the entire private network will lose connectivity to the external internet.
• Absolute privacy is not guaranteed, the reason being that no current encryption algorithm is 100% foolproof.
NAT Overview
• VPN Types
• Tunneling Types
• Application Gateway
• NAT
VPN Implementation
There are two common VPN implementations:
• Client-to-Site (Remote Access VPN)
• Site-to-Site
Remote Access
• Mobile users who need to reach secure materials remotely, or who need access to a secure remote management portal, connect from a public network to the private network.
Remote Access Continued
• It secures a path to the site's LAN, allowing the client to access a private network address (RFC 1918).
• The client-to-site VPN is a many-to-one VPN tunnel.
• One or more clients can initiate a secure VPN connection to the VPN server, thus securely accessing internal data from an insecure remote location.
Site-to-Site
• Used when an office requires sharing information across multiple LANs. The typical example of this is a company that has offices in two different geographical locations.
Site-to-Site Continued
• Allows LANs to share information across the Internet without fearing that outsiders could view the content of the data stream.
• The site-to-site VPN is a one-to-one VPN tunnel. Two servers or routers set up an encrypted IP tunnel to securely pass packets back and forth over the Internet. The VPN servers create a logical point-to-point connection over the Internet.
Tunneling in Detail
Tunneling requires three different protocols:
• Carrier protocol - The protocol used by the network that the information is traveling over; for example, PPP is used as the carrier protocol in IP-based transit networks.
• Encapsulating protocol - The protocol (GRE, IPSec, L2F, PPTP, L2TP) that is wrapped around the original data.
• Passenger protocol - The original data (IPX, NetBEUI, IP) being carried.
Tunneling Protocols
• PPTP (Point-to-Point Tunneling Protocol)
• L2TP (Layer 2 Tunneling Protocol)
• IPSec Tunneling Mode
• SSL/TLS (Secure Sockets Layer/Transport Layer Security)
VPN via PPTP
• Point-to-Point Tunneling Protocol
• Data is first encapsulated inside PPP packets
• PPP packets are then encapsulated in GRE packets and sent over the link
• Weak security
• Low performance
• Was integrated into L2TP, which combines PPTP and L2F
IPSec
• Internet Protocol Security (IPSec)
• For Site-to-Site and Remote-Access VPNs
• Features two encryption modes:
• Tunnel - encrypts data header and payload
• Transport - encrypts payload only
• Encrypts data between various devices:
• Router to router
• Firewall to router
• PC to router
• PC to server
IPSec Tunneling
IPsec = AH + ESP + IPcomp + IKE
• IP Encapsulating Security Payload (ESP): provides message integrity and privacy using DES or AES. It also includes an anti-replay mechanism.
• Internet Key Exchange (IKE): AH and ESP need a shared secret key between peers. IKE defines an automatic means of negotiation and authentication for security associations (SAs). Security associations are security policies defined for communication between two or more entities.
SSL / TLS
• SSL (Secure Sockets Layer) is a protocol designed by Netscape Communications to enable secure data transfer between two devices over a public network. SSL protects applications running over TCP, and is mostly utilized to protect HTTP transactions. SSL has been replaced by Transport Layer Security (TLS).
• To convert SSL/TLS into a remote access VPN, firms install an SSL/TLS VPN gateway at each site. The client establishes an SSL/TLS connection with this gateway, rather than with individual hosts within the site.
SSL / TLS
• In many cases, the SSL/TLS VPN gateway simply connects the client PC to a webserver. This is the traditional use of SSL/TLS in VPNs. However, the SSL/TLS gateway decrypts client traffic coming into the network. This allows a firewall to check the traffic right after the SSL VPN gateway.
SSL / TLS Continued
• In other cases, the VPN gateway connects the client PC to a database server or other server that cannot communicate with a browser natively. The VPN gateway then intercepts messages from the server to the client PC. The VPN gateway webifies these messages (converts them into webpages).
SSL / TLS Continued
• In yet other cases, the SSL/TLS VPN gateway connects the client PC to a subnet of the network. The client can then connect to any host on the subnet.
SSL / TLS Client
Question: What does the client need to have?
• For basic operation, the client only needs to have a browser that works with SSL/TLS. It is difficult to find a computer that does not have a browser or whose browser cannot work with SSL/TLS. Consequently, SSL/TLS can work with any client PC connected to the Internet. This makes SSL/TLS extremely attractive as a remote access VPN.
IPSec vs. SSL VPN
• Communication: Compared to IPSec, SSL is an application-level transport protocol that transmits data over a standard TCP port (typically TCP port 443). IPSec provides application-transparent communication at layer 3, the IP network layer, while SSL was designed to encrypt application traffic.
• Information Exposure: Only designated people/computers are allowed access by IPSec, while SSL allows access from everywhere (e.g. internet kiosks), where information can be left behind (intentionally or unintentionally).
• Software Required: IPSec requires client software, while SSL needs only a standard web browser.
IPSec vs. SSL VPN Continued
• Access Control: SSL VPNs allow more precise access control. First, they provide tunnels to specific applications rather than to the entire corporate LAN, so users on SSL VPN connections can only access the applications they are configured to access rather than the whole network. Second, it is easier to give different access rights to different users and to have more granular control over user access.
• Connectivity: IPSec connectivity can be adversely affected by firewalls or other devices between the client and gateway (i.e. firewall or NAT devices), while SSL operates transparently across NAT, proxies, and most firewalls (most firewalls allow SSL traffic).
• Security: SSL provides limited control over information access and the client environment; it is good for accessing less-sensitive information.
Private Address Protection
A VPN must protect internal information and prevent any direct connection between a trusted server or client and an untrusted host. This gives improved security because, without knowing the true IP address of a host, it is harder for an intruder to attack that machine.
Private Address Protection Continued
SSL, IPSec and other VPNs use two general communication schemes to ensure private network security:
• Application Gateways
• NAT
Application Gateways
The application gateway acts as an intermediary between the two endpoints. When a client issues a request from the untrusted network, a connection is established with the application gateway. The proxy determines whether the request is valid and then sends a new request on behalf of the client to the destination. By using this method, a direct connection is never made from the trusted network to the untrusted network, and the request appears to have originated from the application gateway.
Advantages of the Application Level
• Application-specific proxies accept only packets generated by the services they are designed to copy, forward, and filter, without offering IP-level access.
• Only packets generated by these services can pass through the firewall. All other services are blocked.
• If a network relies only on an application-level gateway, incoming and outgoing packets cannot access services for which there is no proxy.
• For example, only a Telnet proxy can copy, forward, and filter Telnet traffic.
• Able to work without changes to the underlying infrastructure or addressing.
• It can, for instance, tell the difference between a piece of e-mail containing text and a piece of e-mail containing a graphic image, or the difference between a webpage using Java and a webpage without.
Advantages of the Application Level
• Application-level filtering:
• examines and filters individual packets, rather than simply copying them and blindly forwarding them across the gateway.
• checks each packet that passes through the gateway, verifying the contents of the packet up through the application layer.
• can filter particular kinds of commands or information in the application protocols (e.g., FTP GET but not PUT; no retrieving HTTP objects ending in .exe).
Disadvantages of the Application Level
• Lack of generality: each application gateway handles only one specific service; multiple gateways are required for multiple services.
• Performance: a significant disadvantage of application gateways is the impact they can have on performance. Since all incoming and outgoing traffic is inspected at the application level, they are typically slower: all traffic must pass through all seven layers of the OSI model prior to being inspected.
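The application-gateway behaviour described on the preceding slides, as an added example that is not part of the original slides: one proxy per service, each parsing the request up through the application layer before forwarding it on the client's behalf, with the slides' two policy examples (FTP get but not put; no HTTP objects ending in .exe) and the rule that a service with no proxy is blocked. The gateway address, port map and request strings are constructed for the demo; FTP's get and put correspond to the RETR and STOR commands.

```python
import re

# Constructed: the address the destination sees, since requests leave from the gateway, not the client.
GATEWAY_ADDR = "192.0.2.10"

def http_proxy(request: str):
    """Inspect an HTTP request line; allow read-only methods and refuse .exe object retrieval."""
    line = request.split("\r\n", 1)[0]
    m = re.match(r"^([A-Z]+) (\S+) HTTP/1\.[01]$", line)
    if not m:
        return False, "malformed HTTP request line"
    method, path = m.groups()
    if method not in ("GET", "HEAD"):
        return False, f"HTTP method {method} not permitted"
    if path.split("?", 1)[0].lower().endswith(".exe"):
        return False, "retrieval of .exe objects is blocked"
    return True, f"forwarded to destination as {GATEWAY_ADDR}"

FTP_ALLOWED = {"USER", "PASS", "PWD", "CWD", "LIST", "RETR", "QUIT"}  # RETR is FTP's "get"
FTP_DENIED = {"STOR", "STOU", "APPE", "DELE", "RMD", "MKD"}           # STOR is FTP's "put"

def ftp_proxy(request: str):
    """Inspect an FTP control command; allow downloads and navigation, refuse uploads and changes."""
    cmd = request.strip().split(" ", 1)[0].upper()
    if cmd in FTP_DENIED:
        return False, f"FTP {cmd} (upload/modify) not permitted"
    if cmd not in FTP_ALLOWED:
        return False, f"FTP command {cmd} not understood by proxy"
    return True, f"forwarded to destination as {GATEWAY_ADDR}"

# Constructed service-to-proxy map: only these services have a proxy, so only they can pass.
PROXIES = {80: http_proxy, 21: ftp_proxy}

def gateway_decision(dst_port: int, request: str):
    """Return (allowed, reason) for a client request arriving at the gateway."""
    proxy = PROXIES.get(dst_port)
    if proxy is None:
        return False, f"no proxy for port {dst_port}; service blocked"
    return proxy(request)
```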