250 likes | 488 Vues
VPN. Virtual Private Network A connection between private networks over a public network Most likely encrypted Two types of VPN Remote access (transport mode) Allows access to the private network for mobile or home users. An extension of the traditional dial-up network
E N D
VPN • Virtual Private Network • A connection between private networks over a public network • Most likely encrypted • Two types of VPN • Remote access (transport mode) • Allows access to the private network for mobile or home users. • An extension of the traditional dial-up network • Site-to-site (tunnel mode) • Used to connect remote corporate networks • Replaces leased and frame relay lines
IPSec • IPSec is used by most VPN providers, it is not used by Microsoft in it’s point to point VPN. • A framework of open standards that provides: • Data confidentiality • Encryption • Intercepted communications is useless • Data integrity • Data was not changed in transmission • Origin authentication • Did this packet of info actually come from the sender • Anti-replay protection • Makes sure that a packet received is unique and not just a replaying of a packet sequence. • Not bound by any encryption algorithm • Tells how to use encryption but not what encryption to use. Allowing it to implement newer and better algorithms in the future
Data Confidentiality • Current IPSec implementations use one of the following encryption methods: DES, 3DES, AES, or RSA • These are all asymmetric encryption methods, thus… you need a shared key. • To get a shared key, IPSec uses the Diffy Helman (DH) key exchange. • DH has 7 different groups, reflecting 7 different key sizes.
Data Integrity • IPSec uses HMAC (Hashed Message Authentication Code) • Take a message append a secret key then hash. • Send the hash and the message to the remote site. • The remote site takes the message appends the secret key and hashes then compares the hashes • If the hashes compare the packet was not altered in transit. • IPSec currently uses HMAC-MD5 or HMAC-SHA-1 • HMAC-MD5 uses a 128 bit shared key and outputs a 128 bit hash • HMAC-SHA-1 uses a 160 bit shared key and outputs a 160 bit hash • Considered a stronger hash
Origin Authentication • IPSec uses digital signatures to confirm the origin of the message • Take a shared key • Hash • Sign with your private key (or pre-shared key) • Send the encrypted hash and your signed certificate to the remote site • The remote site hashes the shared key and decrypts the sent hash with your public key from the signed certificate (or pre-shared key) • Compares…if they compare the message came from you. • IPSec currently supports RSA and DSA signatures • RSA is used common in commercial applications • DSA is used by the government
Anti-Replay • It makes sure that each packet received is unique • IPSec keeps track of the sliding window on the remote machine as well as it’s own sliding window. • If a packet comes in that is outside of the origins of it’s own window the packet is discarded.
IPSec Security Protocols • IPSec uses two protocols to send data • Authentication Header (AH) • Used when confidentiality is not an issue • Ensures data integrity • Provides origin authentication • Provides anti-replay protection • Encapsulating Security Payload (ESP) • Provides encryption, plus all the protection in AH • There are two modes for ESP • Transport mode • Used between two hosts • Secures the higher layer protocols only • Tunnel mode • Provides confidentiality by encrypting the ip header itself • Used between two security gateways (vpn router, firewall, concentrator) • Secures the entire ip packet
Authentication Header (AH) • Take an ip packet • Take the ip header, the data in the ip packet and a shared key and hash it. This hash becomes part of an AH header. • If transport mode • Create another ip packet • Same ip header • Data is AH header plus the original ip packet • If tunnel mode • Create another ip packet • New ip header • Data is AH header plus the whole original ip packet • Send to the remote host • The remote host takes the ip header, the data, and the shared key and hashes • Then compares the AH to the hash…if they compare the data is considered good.
Authentication Header (AH)Transport Mode Ip Packet AH Packet
Authentication Header (AH)Tunnel Mode Ip Packet AH Packet
ESP Transport mode • Take an ip packet • Take the data in the ip packet and encrypt • Create another ip packet with the data being a ESP header plus the encrypted data plus a hash of the encrypted data
ESP Transport mode ESP Header IP Packet AH Packet Encrypt
ESP Tunnel Mode • Take an ip packet • Take the entire ip packet and encrypt • Create another ip packet with the data being a ESP header plus the encrypted data plus a hash of the encrypted data • Because the entire IP packet is encrypted the outside works has no idea about the design and layout of the LAN. Nor do you know what machine it came from or where its going to.
ESP Tunnel Mode IP Packet AH Packet Encrypt
IPSec • There are 5 steps in setting up the VPN • 1) Determine what data needs to go through the vpn • 2) IKE (internet key exchange) Phase 1 • Negotiate policy sets • Authenticate peers • Setup the secure channel between peers • 3) IKE phase 2 • Negotiate security parameters used in the IPsec tunnel • 4) IPSec session • Data is sent to the peer • 5) Tunnel termination
Step 1 • Rules must be setup in the firewall to determine if a packet needs to be protected by IPSec. • If there are multiple vpn tunnels then each tunnel will have it’s own protocols, modes, and algorithms • The firewall will configure the packet according to the tunnel requirements
Step 2 – IKE Phase 1 • There are 3 exchanges that happens between the initiator and the receiver • 1st: algorithms and hashes used to secure the IKE communications are agreed upon • What IPSec Protocol (ESP or AH) • What encryption method (DES, 3DES, AES, RSA…) • What hash (MD5, SHA) • Where version of key exchange (DH1…7) • To make these negotiations easier, VPN equipment groups these settings and calls them Transforms and gives the transforms a number. • 2nd: Generate a shared key using DH • 3rd: Verify the other side’s identity
Step 3 – IKE Phase 2 • Negotiates IPSec security parameters for the actual communications. • Identify the transforms to use in the communications • This info is entered into a security policy database • The information includes the encryption and hash algorithms, destination ip address, transport mode, lifetime, shared secret key, and so on. • This info is also referred to as a security association (SA) • Because two SAs are usually required (one inbound, one out bound), the SAs are given a number: Security Parameter Index (SPI) • SPIs are sent with each packet to index back to the transform information • Periodically renegotiate the security association to ensure security • SAs have a lifetime based on time and/or the amount of data passed through. If an SA is expired then the SA is renegotiated. • Optionally perform and addition DH key exchange.
Step 4 – VPN • Data is sent to the remote site using the negotiated SA info
Step 5 – Termination • SA info is removed • The shared key is removed. • If more data is needed to be communicated, the vpn restarts at step 2.