
VPN


Presentation Transcript


  1. VPN
  • Virtual Private Network
  • A connection between private networks over a public network
  • Most likely encrypted
  • Two types of VPN
    • Remote access (transport mode)
      • Allows access to the private network for mobile or home users
      • An extension of the traditional dial-up network
    • Site-to-site (tunnel mode)
      • Used to connect remote corporate networks
      • Replaces leased and frame relay lines

  2. IPSec
  • IPSec is used by most VPN providers; it is not used by Microsoft in its point-to-point VPN.
  • A framework of open standards that provides:
    • Data confidentiality
      • Encryption
      • Intercepted communications are useless
    • Data integrity
      • Data was not changed in transmission
    • Origin authentication
      • Did this packet actually come from the sender?
    • Anti-replay protection
      • Makes sure that a packet received is unique and not just a replay of an earlier packet sequence
  • Not bound to any encryption algorithm
    • Tells how to use encryption but not which encryption to use, allowing newer and better algorithms to be adopted in the future

  3. Data Confidentiality
  • Current IPSec implementations use one of the following encryption methods: DES, 3DES, AES, or RSA
  • These are all asymmetric encryption methods, thus… you need a shared key.
  • To get a shared key, IPSec uses the Diffie-Hellman (DH) key exchange.
  • DH has 7 different groups, reflecting 7 different key sizes.

  4. Data Integrity
  • IPSec uses HMAC (Hashed Message Authentication Code)
    • Take a message, append a secret key, then hash.
    • Send the hash and the message to the remote site.
    • The remote site takes the message, appends the secret key, hashes, then compares the hashes.
    • If the hashes match, the packet was not altered in transit.
  • IPSec currently uses HMAC-MD5 or HMAC-SHA-1
    • HMAC-MD5 uses a 128 bit shared key and outputs a 128 bit hash
    • HMAC-SHA-1 uses a 160 bit shared key and outputs a 160 bit hash
      • Considered a stronger hash

  5. Origin Authentication
  • IPSec uses digital signatures to confirm the origin of the message
    • Take a shared key
    • Hash
    • Sign with your private key (or pre-shared key)
    • Send the encrypted hash and your signed certificate to the remote site
    • The remote site hashes the shared key and decrypts the sent hash with your public key from the signed certificate (or pre-shared key)
    • Compares… if they match, the message came from you.
  • IPSec currently supports RSA and DSA signatures
    • RSA is commonly used in commercial applications
    • DSA is used by the government

  6. Anti-Replay
  • It makes sure that each packet received is unique
  • IPSec keeps track of the sliding window on the remote machine as well as its own sliding window.
  • If a packet comes in that falls outside the bounds of its own window, the packet is discarded.

  7. IPSec Security Protocols
  • IPSec uses two protocols to send data
  • Authentication Header (AH)
    • Used when confidentiality is not an issue
    • Ensures data integrity
    • Provides origin authentication
    • Provides anti-replay protection
  • Encapsulating Security Payload (ESP)
    • Provides encryption, plus all the protection in AH
    • There are two modes for ESP
      • Transport mode
        • Used between two hosts
        • Secures the higher layer protocols only
      • Tunnel mode
        • Provides confidentiality by encrypting the IP header itself
        • Used between two security gateways (VPN router, firewall, concentrator)
        • Secures the entire IP packet

  8. Authentication Header (AH)
  • Take an IP packet
  • Take the IP header, the data in the IP packet and a shared key, and hash them. This hash becomes part of an AH header.
  • If transport mode
    • Create another IP packet
    • Same IP header
    • Data is the AH header plus the original IP packet
  • If tunnel mode
    • Create another IP packet
    • New IP header
    • Data is the AH header plus the whole original IP packet
  • Send to the remote host
  • The remote host takes the IP header, the data, and the shared key and hashes them
  • Then compares the AH to the hash… if they match, the data is considered good.
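As an added example (not from the slides), here is the integrity check of slides 4 and 8 in Python: a hand-built RFC 2104 HMAC-SHA-1 (which keys the hash with inner and outer pads rather than simply appending the key) wrapped into a simplified transport-mode AH packet. The IP header, payload and key are constructed values; a real AH header also carries next-header, SPI and sequence fields and truncates the ICV to 96 bits, which is left out here.

```python
import hashlib
import hmac

# Constructed 20-byte IPv4 header, payload and key (demo values, not from the slides).
IP_HEADER = bytes.fromhex("4500003c1c4640004006b1e6c0a80001c0a800c7")
PAYLOAD = b"GET /index.html HTTP/1.0\r\n\r\n"
SHARED_KEY = b"example-preshared-key"


def hmac_sha1(key: bytes, data: bytes) -> bytes:
    """RFC 2104 HMAC built by hand: H((K ^ opad) || H((K ^ ipad) || data))."""
    block = 64                                   # SHA-1 block size in bytes
    if len(key) > block:                         # long keys are hashed first
        key = hashlib.sha1(key).digest()
    key = key.ljust(block, b"\x00")              # short keys are zero-padded
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + data).digest()
    return hashlib.sha1(opad + inner).digest()


def matches_stdlib(key: bytes, data: bytes) -> bool:
    """Self-check: the hand-built HMAC agrees with Python's hmac module."""
    reference = hmac.new(key, data, hashlib.sha1).digest()
    return hmac.compare_digest(hmac_sha1(key, data), reference)


def build_ah_transport(ip_header: bytes, payload: bytes, key: bytes) -> bytes:
    """Transport-mode AH (simplified): same IP header, then a 20-byte AH field
    holding the HMAC over header + payload, then the original payload."""
    icv = hmac_sha1(key, ip_header + payload)
    return ip_header + icv + payload


def verify_ah_transport(packet: bytes, key: bytes) -> bool:
    """Receiver side: recompute the HMAC over header + payload and compare it
    in constant time with the ICV carried in the AH field."""
    ip_header, icv, payload = packet[:20], packet[20:40], packet[40:]
    expected = hmac_sha1(key, ip_header + payload)
    return hmac.compare_digest(icv, expected)


if __name__ == "__main__":
    pkt = build_ah_transport(IP_HEADER, PAYLOAD, SHARED_KEY)
    print("intact packet verifies:", verify_ah_transport(pkt, SHARED_KEY))
    tampered = pkt[:40] + b"X" + pkt[41:]        # flip one payload byte
    print("tampered packet verifies:", verify_ah_transport(tampered, SHARED_KEY))
```

Because the HMAC covers the IP header as well as the payload, a change to either (or verification with a different key) fails the check.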

  9. Authentication Header (AH) Transport Mode
  [Diagram: IP Packet → AH Packet]

  10. Authentication Header (AH) Tunnel Mode
  [Diagram: IP Packet → AH Packet]

  11. ESP Transport Mode
  • Take an IP packet
  • Take the data in the IP packet and encrypt it
  • Create another IP packet whose data is an ESP header plus the encrypted data plus a hash of the encrypted data

  12. ESP Transport Mode
  [Diagram: IP Packet → ESP Header + encrypted data → AH Packet]

  13. ESP Tunnel Mode
  • Take an IP packet
  • Take the entire IP packet and encrypt it
  • Create another IP packet whose data is an ESP header plus the encrypted data plus a hash of the encrypted data
  • Because the entire IP packet is encrypted, the outside world has no idea about the design and layout of the LAN, nor which machine the packet came from or where it is going.

  14. ESP Tunnel Mode
  [Diagram: IP Packet → encrypted → AH Packet]

  15. IPSec
  • There are 5 steps in setting up the VPN
    1) Determine what data needs to go through the VPN
    2) IKE (Internet Key Exchange) Phase 1
      • Negotiate policy sets
      • Authenticate peers
      • Set up the secure channel between peers
    3) IKE Phase 2
      • Negotiate security parameters used in the IPsec tunnel
    4) IPSec session
      • Data is sent to the peer
    5) Tunnel termination

  16. Step 1
  • Rules must be set up in the firewall to determine whether a packet needs to be protected by IPSec.
  • If there are multiple VPN tunnels, each tunnel will have its own protocols, modes, and algorithms
  • The firewall will configure the packet according to the tunnel requirements

  17. Step 2 – IKE Phase 1
  • There are 3 exchanges that happen between the initiator and the receiver
    • 1st: the algorithms and hashes used to secure the IKE communications are agreed upon
      • Which IPSec protocol (ESP or AH)
      • Which encryption method (DES, 3DES, AES, RSA…)
      • Which hash (MD5, SHA)
      • Which version of key exchange (DH1…7)
      • To make these negotiations easier, VPN equipment groups these settings, calls them transforms, and gives each transform a number.
    • 2nd: generate a shared key using DH
    • 3rd: verify the other side's identity

  18. Step 3 – IKE Phase 2
  • Negotiates IPSec security parameters for the actual communications.
  • Identify the transforms to use in the communications
    • This info is entered into a security policy database
    • The information includes the encryption and hash algorithms, destination IP address, transport mode, lifetime, shared secret key, and so on.
    • This info is also referred to as a security association (SA)
    • Because two SAs are usually required (one inbound, one outbound), each SA is given a number: the Security Parameter Index (SPI)
    • SPIs are sent with each packet to index back to the transform information
  • Periodically renegotiate the security association to ensure security
    • SAs have a lifetime based on time and/or the amount of data passed through. If an SA has expired, the SA is renegotiated.
    • Optionally perform an additional DH key exchange.
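As an added example (not from the slides), the anti-replay window of slide 6 and the SA bookkeeping of slide 18 in Python: one SecurityAssociation per direction, indexed by its SPI, that rejects replayed or too-old sequence numbers with a 64-packet bitmap window (the scheme in RFC 4303 Appendix A) and reports that the SA must be renegotiated once its byte or time lifetime is used up. The window size, lifetime limits, SPI and timestamps are assumed demo values.

```python
class SecurityAssociation:
    """One direction of IPsec traffic, looked up by SPI. Holds the receiver's
    anti-replay sliding window and the SA lifetime (demo limits, assumed)."""

    def __init__(self, spi: int, window_size: int = 64,
                 max_bytes: int = 1_000_000, max_seconds: float = 3600.0,
                 created_at: float = 0.0):
        self.spi = spi
        self.window_size = window_size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set -> sequence (top - i) already seen
        self.bytes_passed = 0
        self.max_bytes = max_bytes
        self.max_seconds = max_seconds
        self.created_at = created_at

    def expired(self, now: float) -> bool:
        """Lifetime is exhausted by data volume or by elapsed time."""
        return (self.bytes_passed >= self.max_bytes
                or now - self.created_at >= self.max_seconds)

    def check_replay(self, seq: int) -> str:
        """Slide the window forward on new sequence numbers; inside the window
        accept each number once; anything left of the window is dropped."""
        if seq == 0:
            return "reject: sequence 0 is never valid"
        if seq > self.top:                         # right of the window: advance it
            shift = seq - self.top
            mask = (1 << self.window_size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return "accept"
        diff = self.top - seq                      # at or left of the top
        if diff >= self.window_size:
            return "reject: too old, left of window"
        if self.bitmap & (1 << diff):
            return "reject: replay, already seen"
        self.bitmap |= 1 << diff                   # late but first time seen
        return "accept"

    def process(self, seq: int, length: int, now: float) -> str:
        """Per-packet decision: expired SA first, then the replay window."""
        if self.expired(now):
            return "renegotiate: SA lifetime exhausted"
        verdict = self.check_replay(seq)
        if verdict == "accept":
            self.bytes_passed += length            # only accepted data counts
        return verdict
```

A late packet inside the window is still accepted once, which is why the bitmap, not just the highest sequence number, is needed.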

  19. Step 4 – VPN
  • Data is sent to the remote site using the negotiated SA info

  20. Step 5 – Termination
  • SA info is removed
  • The shared key is removed
  • If more data needs to be sent, the VPN restarts at step 2.
