Overview

1. Overview • VPN • VPN requirements • Encryption • VPN-Types • Protocols • VPN and Firewalls Computer Net Lab/Praktikum Datenverarbeitung 2

2. VPN - Definition • VPNs (Virtual Private Networks) allow secure data transmission over insecure connection. • VPNs connect computer and/or networks (on various locations) to a common network by use of public communication structures. Computer Net Lab/Praktikum Datenverarbeitung 2

3. Internet VPN Scheme LAN LAN VPN-Tunnel VPN VPN Client Client Computer Net Lab/Praktikum Datenverarbeitung 2

4. VPN - terms • Virtual, due to the usage of a public communication infrastructure there is no permanent physical connection but a logical one. If there are some data to transmit then the bandwith is occupied and data is transmitted according the routing information. • Private, because only valid users should have access to the network respectively the data. Additionally all data have to be transmitted confidential. Computer Net Lab/Praktikum Datenverarbeitung 2

5. VPN requirements • Data security must ensure ConfidentialityIntegrityAuthentication • Quality of ServiceGuarantees availability of connectivitySupport of all applications • Additional requirementsReasonable administration effortEffectiveness and extendibility Computer Net Lab/Praktikum Datenverarbeitung 2

6. Confidentiality • means that no unauthorized person, who got illegal access to data, is able to read respectively understand data. • Is realized by encryption. The data are coded by an encryption algorithm and an encryption key. Only owner of the appropriate decryption key are able to decrypt the coded data. Computer Net Lab/Praktikum Datenverarbeitung 2

7. Integrity • means that no data has been changed/manipulated during transmission. • is realised by checksum of transferred data. By use of a mathematical function a checksum is build over the data which has to be transmitted. This checksum is unique. The checksum together with the data is sent to the recipient. Computer Net Lab/Praktikum Datenverarbeitung 2

8. Authentication • means that a recipient of a message is able to ensure that he got the message from the right person and not from a person who pretend to be the right one. • is realized by use of digital signatures. Digital signatures are like a „normal“ signature in a document which unambiguously identifies the author. Computer Net Lab/Praktikum Datenverarbeitung 2

9. Symmetric Encryption • Each communication partner has the same key • N (N-1)/2 keys, for N communication partner which communicate pair wise • High effort for Key maintenance • Key length with 128 Bit are said to be sure, typical values 40,56,128 • Fast Method • DES, Triple DES, Blowfish Computer Net Lab/Praktikum Datenverarbeitung 2

10. Asymmetric Encryption • Distinction between private (my) and public keys (for others) • Communication with N participants means N public keys • Key length higher than symetric keystypical length: 512,1024,2048 • Slower than symmetric encryption • Example: PGP, RSA Computer Net Lab/Praktikum Datenverarbeitung 2

11. Tunnel • Tunneling means the embedding of a complete data package (header and payload) within the payload segment of an other protocol in the same protocol level. Advantage: Data can be coded/encrypted Orig IP Hdr TCP Hdr Data New IP Hdr Orig IP Hdr TCP Hdr Data Computer Net Lab/Praktikum Datenverarbeitung 2

12. Internet End-to-End Constellation Computer 1 Computer 2 Computer Net Lab/Praktikum Datenverarbeitung 2

13. Internet End-to-Site Constellation Dial-up mobilecomputer ISP Intranet ISP VPN Gateway Dial-up mobilecomputer Computer Net Lab/Praktikum Datenverarbeitung 2

14. Internet Site-to-Site Constellation Intranet 1 Intranet 2 VPN Gateway 1 VPN Gateway 2 Computer Net Lab/Praktikum Datenverarbeitung 2

15. VPN-Types Application-Layer encryption Application-level(Layer 5-7) Network-Layer encryption Transport-/network level(Layer 3-4) Link-/physical level(Layer 1-2) Link-Layerencryption Link-Layerencryption Computer Net Lab/Praktikum Datenverarbeitung 2

16. VPN and ISO/OSI Layer Application SSH, Kerberos, Virusscans, Content Screening, IPSEC (IKE)… Transport SSL, Socks V5, TLS Network IPSEC (AH, ESP),Paket Filtering, NAT Link Tunneling Protocols (L2TP,PPTP, L2F), CHAP, PAP,… Computer Net Lab/Praktikum Datenverarbeitung 2

17. IP- Header GRE (IP 47) Header PPP Header PPP Payload PPTP-Protocol • Point To Point Tunneling, widespread because simple • Layer-2 Protocol • Only user authentification => Security = Password • Set up of communication: • PPP connection with user –Authentification • Link and control (TCP Port 1723) • Tunnel: IP-Adresses Client+Server, => NAT and dynam. IP-Adresses ok opt. with MPPE (RC4) encrypted Computer Net Lab/Praktikum Datenverarbeitung 2

18. PPTP-Protocol 2 Computer Net Lab/Praktikum Datenverarbeitung 2

19. IPSec 1 • Internet Protocol Security is a protocol family • Allows encryption and integrity check • integrity check (Authentication Header Protocol): • encryption (Encapsulating Security Payload Protocol): • Open for enhancements, encryption method is not fixed • Authentification: Diffie-Hellmann key exchange • confidentiality: Triple,-DES, IDEA, Blowfish • Integrity by use of Hash building: MD5 und SHA • Two mode of operation modes • Tunnel mode protects address information and payload • Transport mode protects only payload Computer Net Lab/Praktikum Datenverarbeitung 2

20. IPSec AH AH allows only check of integrity Original packet: Orig IP Hdr TCP Hdr Data Tunnel mode: New IP Hdr AH Header Orig IP Hdr TCP Hdr Data Transportmode: Orig IP Hdr AH Header TCP Hdr Data Computer Net Lab/Praktikum Datenverarbeitung 2

21. New IP Hdr ESP Hdr Orig ESP Trailer ESP Auth IPSec ESP ESP allows encryption Original packet: Orig IP Hdr TCP Hdr Data Tunnel mode: Transportmode: Orig IP Hdr ESP Hdr TCP Hdr Data ESP Trailer ESP Auth Computer Net Lab/Praktikum Datenverarbeitung 2

22. VPN and Firewall • Idea of the FirewallThe Firewall is the only connection to the Internet. All other computers (even the VPN-Gateway) are located behind the Firewall. • ProblemThe firewall ist not able to analyze the data because they are encrypted. Computer Net Lab/Praktikum Datenverarbeitung 2

23. Internet VPN behind Firewall LAN (branch office) LAN (center) VPN-Gateway decryptedData VPN Firewall VPN Client Computer Net Lab/Praktikum Datenverarbeitung 2

24. Internet VPN and Firewall together LAN (center) Firewall andVPN-Gateway LAN (branch office) decryptedDaten VPN VPN Client Computer Net Lab/Praktikum Datenverarbeitung 2

25. Internet VPN Gateway in DMZ LAN (branch office) LAN (center) VPN-Gateway DMZ decryptedData VPN Internet VPN client inner Firewall outer Firewall Computer Net Lab/Praktikum Datenverarbeitung 2

26. Internet NAT • Nat = Network Adress Translation • Allows through mapping the assignment of official IP-Addresses to private one. Therefore it is possible to gain access to the internet with private IP-Addresses. Sender-IP 192.168.0.10 New Sender-IP 134.91.90.70 Webbrowser New Target-IP 192.168.0.10 Target-IP 134.91.90.70 NAT Computer Net Lab/Praktikum Datenverarbeitung 2

27. IP • It carries the transport protocols TCP and UDP. • It builds IP-Packages out of the data which have to be transmitted. • It adds additional information, the IP-Header. It contains source and destination address. Computer Net Lab/Praktikum Datenverarbeitung 2

28. TCP • TCP (Transmission Control Protocol) confirms every received data package. • TCP repeats each data package until its receiving is confirmed. • TCP is reliable, that means the transmission is guaranteed. Computer Net Lab/Praktikum Datenverarbeitung 2

29. IP-Forwarding VPNGateway Firewall private, local Net IP-Paket withtarget: 192.168.1.1 IP-Forwarding IP-Paket withTarget: 134.91.90.70 Port 1723 or Gre-Protocol 47 Computer Net Lab/Praktikum Datenverarbeitung 2

30. Internet Firewall Firewall VPN-Gateway VPN-Gateway private, local net private, local net =Tunnel VPN-Practical training Computer Net Lab/Praktikum Datenverarbeitung 2