An Introduction to VPN Technology

Presentation Transcript


  1. An Introduction to VPN Technology

  2. Agenda
  • What is a Virtual Private Network (VPN)?
  • VPN deployment situations
  • Why use VPNs?
  • Types of VPN protocols
  • IPSec VPNs
  • Components
  • A sample session
  • Deployment questions

  3. What is a VPN?
  • A VPN is a private connection over an open network
  • A VPN includes authentication and encryption to protect data integrity and confidentiality
  [Diagram: Acme Corp and Acme Corp Site 2 connected by a VPN across the Internet]

  4. Types of VPNs
  • Remote Access VPN
    • Provides access to internal corporate network over the Internet
    • Reduces long distance, modem bank, and technical support costs
  [Diagram: Corporate Site reached over the Internet]

  5. Types of VPNs
  • Remote Access VPN
  • Site-to-Site VPN
    • Connects multiple offices over Internet
    • Reduces dependencies on frame relay and leased lines
  [Diagram: Corporate Site and Branch Office connected over the Internet]

  6. Types of VPNs
  • Remote Access VPN
  • Site-to-Site VPN
  • Extranet VPN
    • Provides business partners access to critical information (leads, sales tools, etc)
    • Reduces transaction and operational costs
  [Diagram: Corporate Site connected over the Internet to Partner #1 and Partner #2]

  7. Types of VPNs
  • Remote Access VPN
  • Site-to-Site VPN
  • Extranet VPN
  • Client/Server VPN
    • Protects sensitive internal communications
    • Most attacks originate within an organization
  [Diagram: Database Server, LAN clients, LAN clients with sensitive data, and the Internet]

  8. Alternate Technologies
  • Site-to-site/extranets
    • Frame relay, leased lines
  • Remote access
    • Dial up modem banks

  9. Why Use Virtual Private Networks?
  • More flexibility
    • Leverage ISP point of presence
    • Use multiple connection types (cable, DSL, T1, T3)

  10. Why Use Virtual Private Networks?
  • More flexibility
  • More scalability
    • Add new sites, users quickly
    • Scale bandwidth to meet demand

  11. Why Use Virtual Private Networks?
  • More flexibility
  • More scalability
  • Lower costs
    • Reduced frame relay/leased line costs
    • Reduced long distance
    • Reduced equipment costs (modem banks, CSU/DSUs)
    • Reduced technical support

  12. VPN-1 Return on Investment Case History – Professional Services Company
  • 5 branch offices, 1 large corporate office, 200 remote access users.
  • Payback: 1.04 months. Annual Savings: 88%

                                                Non-VPN Solution            VPN-1 Solution   Savings with VPN-1
  VPN Startup Costs (Hardware and Software)     Existing; sunk costs = $0   $51,965
  Site-to-Site Annual Cost (Frame relay)        $71,664                     $30,485          $41,180 /yr
  RAS Annual Cost (Dial-in costs)               $604,800                    $48,000          $556,800 /yr
  Combined Annual Cost                          $676,464                    $78,485          $597,980 /yr

  13. VPN ROI Calculator Tool URL: http://www.checkpoint.com/products/vpn1/roi_calculators/index.html

  14. Components of a VPN
  • Encryption
  • Message authentication
  • Entity authentication
  • Key management

  15. Point-to-Point Tunneling Protocol
  • Layer 2 remote access VPN distributed with Windows product family
  • Addition to Point-to-Point Protocol (PPP)
  • Allows multiple Layer 3 Protocols
  • Uses proprietary authentication and encryption
  • Limited user management and scalability
  • Known security vulnerabilities
  [Diagram: Remote PPTP Client connecting through an ISP Remote Access Switch and the Internet to a PPTP RAS Server on the Corporate Network]

  16. Layer 2 Tunneling Protocol (L2TP)
  • Layer 2 remote access VPN protocol
  • Combines and extends PPTP and L2F (Cisco supported protocol)
  • Weak authentication and encryption
  • Does not include packet authentication, data integrity, or key management
  • Must be combined with IPSec for enterprise-level security
  [Diagram: Remote L2TP Client connecting through an ISP L2TP Concentrator and the Internet to an L2TP Server on the Corporate Network]

  17. Internet Protocol Security (IPSec)
  • Layer 3 protocol for remote access, intranet, and extranet VPNs
  • Internet standard for VPNs
  • Provides flexible encryption and message authentication/integrity
  • Includes key management

  18. Components of an IPSec VPN
  • Encryption: DES, 3DES, and more
  • Message Authentication: HMAC-MD5, HMAC-SHA-1, or others
  • Entity Authentication: Digital Certificates, Shared Secrets, Hybrid Mode IKE
  • Key Management: Internet Key Exchange (IKE), Public Key Infrastructure (PKI)
  All managed by security associations (SAs)

  19. Security Associations
  • An agreement between two parties about:
    • Authentication and encryption algorithms
    • Key exchange mechanisms
    • And other rules for secure communications
  • Security associations are negotiated at least once per session – possibly more often for additional security
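
The following is an added example, not part of the presentation, showing what slides 18 and 19 describe: an SA holding the agreed parameters, and the message-authentication step of ESP using HMAC-SHA-1-96 (the HMAC-SHA-1 tag truncated to 96 bits, as RFC 2404 specifies) plus the anti-replay window. The SA class, the 64-entry window and the sample key are assumptions for illustration; payload encryption is left out to keep the focus on authentication.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

ICV_LEN = 12   # HMAC-SHA-1-96: the 20-byte HMAC-SHA-1 tag truncated to 96 bits (RFC 2404)
WINDOW = 64    # anti-replay window size (assumed, as ESP implementations commonly use)


@dataclass
class SecurityAssociation:
    """One direction of a simplified ESP SA: the parameters both peers agreed on."""
    spi: int             # Security Parameter Index that selects this SA on receipt
    auth_key: bytes      # HMAC key (in a real VPN this comes from IKE)
    seq: int = 0         # last sequence number sent, or highest one accepted
    seen: set = field(default_factory=set)   # accepted sequence numbers inside the window


def icv(sa, spi, seq, payload):
    """Integrity Check Value over SPI, sequence number and payload, as ESP computes it."""
    data = struct.pack("!II", spi, seq) + payload
    return hmac.new(sa.auth_key, data, hashlib.sha1).digest()[:ICV_LEN]


def protect(sa, payload):
    """Outbound: SPI | seq | payload | ICV. Encryption of the payload is omitted here."""
    sa.seq += 1
    return struct.pack("!II", sa.spi, sa.seq) + payload + icv(sa, sa.spi, sa.seq, payload)


def verify(sa, packet):
    """Inbound: return the payload if SPI, anti-replay window and ICV all check out, else None."""
    if len(packet) < 8 + ICV_LEN:
        return None
    spi, seq = struct.unpack("!II", packet[:8])
    payload, tag = packet[8:-ICV_LEN], packet[-ICV_LEN:]
    if spi != sa.spi:
        return None
    # Replay check first (cheap): reject duplicates and anything older than the window.
    if seq in sa.seen or seq + WINDOW <= sa.seq:
        return None
    # Constant-time comparison so an attacker cannot learn the ICV byte by byte.
    if not hmac.compare_digest(tag, icv(sa, spi, seq, payload)):
        return None
    # Only an authenticated packet may advance the window.
    sa.seen.add(seq)
    sa.seq = max(sa.seq, seq)
    sa.seen = {s for s in sa.seen if s + WINDOW > sa.seq}
    return payload


# Constructed sample key; both peers hold the same SA parameters after negotiation.
SAMPLE_KEY = bytes(range(20))
```

A tampered payload fails the ICV check and a re-sent packet fails the window check, which is how the "data integrity" the deck promises is actually enforced per packet.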

  20. Encryption Explained
  • Used to convert data to a secret code for transmission over an untrusted network
  [Diagram: Clear Text “The cow jumped over the moon” passes through an Encryption Algorithm to become Encrypted Text “4hsd4e3mjvd3sd a1d38esdf2w4d”]

  21. Symmetric Encryption
  • Same key used to encrypt and decrypt message
  • Faster than asymmetric encryption
  • Used by IPSec to encrypt actual message data
  • Examples: DES, 3DES, RC5, Rijndael
  [Diagram: both parties hold the same Shared Secret Key]

  22. Asymmetric Encryption
  • Different keys used to encrypt and decrypt message (One public, one private)
  • Provides non-repudiation of message or message integrity
  • Examples include RSA, DSA, SHA-1, MD-5
  [Diagram: Bob encrypts with Alice's Public Key; Alice decrypts with Alice's Private Key]

  23. Key Management
  • Shared Secret
    • Simplest method; does not scale
    • Two sites share key out-of-band (over telephone, mail, etc)
  • Public Key Infrastructure
    • Provides method of issuing and managing public/private keys for large deployments
  • Internet Key Exchange
    • Automates the exchange of keys for scalability and efficiency

  24. What are Keys?
  • An Encryption Key is:
    • A series of numbers and letters…
    • …used in conjunction with an encryption algorithm…
    • …to turn plain text into encrypted text and back into plain text
  • The longer the key, the stronger the encryption

  25. What is Key Management?
  • A mechanism for distributing keys either manually or automatically
  • Includes:
    • Key generation
    • Certification
    • Distribution
    • Revocation

  26. Internet Key Exchange (IKE)
  • Automates the exchange of security associations and keys between two VPN sites
  • IKE provides:
    • Automation and scalability
    • Improved security
      • Encryption keys can be changed frequently
  • Hybrid IKE
    • Proposed standard designed by Check Point
    • Allows use of existing authentication methods
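
The following is an added example, not code from the presentation, illustrating the core of what slides 23 and 26 describe: two peers that share a secret out-of-band derive fresh per-session keys with a Diffie-Hellman exchange, so the keys themselves never cross the wire and change every negotiation. The derivation loosely follows IKE's pre-shared-key mode from RFC 2409 (SKEYID = prf(psk, Ni | Nr), then keys from the DH secret), but it is a simplified model, and the 127-bit prime is a constructed toy parameter: real IKE uses the large MODP groups of RFC 2409 / RFC 3526.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for readability only. Far too small for real use;
# IKE negotiates one of the standard MODP groups (RFC 2409 / RFC 3526) instead.
P = 2**127 - 1
G = 5


def dh_keypair():
    """Pick a private exponent x and return (x, g^x mod p); only the public value is sent."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(x, peer_public):
    """Compute g^xy mod p from our private exponent and the peer's public value."""
    # Reject degenerate values (0, 1, p-1) that would force a predictable shared secret.
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, x, P)


def derive_keys(psk, ni, nr, shared):
    """Simplified IKE-style derivation: SKEYID from the pre-shared key and both nonces,
    then separate encryption and authentication keys bound to the DH secret."""
    skeyid = hmac.new(psk, ni + nr, hashlib.sha1).digest()
    shared_bytes = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    enc_key = hmac.new(skeyid, shared_bytes + b"\x00", hashlib.sha1).digest()
    auth_key = hmac.new(skeyid, shared_bytes + b"\x01", hashlib.sha1).digest()
    return enc_key, auth_key


def run_exchange(psk):
    """Simulate both peers; each ends up with identical keys from the values exchanged."""
    xi, pub_i = dh_keypair()            # initiator
    xr, pub_r = dh_keypair()            # responder
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)   # fresh nonces per session
    keys_i = derive_keys(psk, ni, nr, dh_shared(xi, pub_r))
    keys_r = derive_keys(psk, ni, nr, dh_shared(xr, pub_i))
    return keys_i, keys_r
```

Running the exchange twice with the same pre-shared key yields different session keys, which is the property that lets an SA be re-keyed "possibly more often for additional security" without touching the long-term secret.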

  27. Different Types of VPN/Firewall Topologies
  [Diagram: three topologies placing a VPN device and a Firewall between the Internet and the internal network, annotated: VPN device is vulnerable to attack, e.g. denial of service; Two connections to the firewall for every communication request; Bypasses security policy; Denial of service]

  28. Different Types of VPN/Firewall Topologies
  • Only integrated VPN/firewall solutions can deliver full access control and consistent security policy enforcement
  [Diagram: the same three VPN/Firewall topologies, annotated: VPN device is vulnerable to attack, e.g. denial of service; Two connections to the firewall for every communication request; Bypasses security policy; Denial of service]

  29. Protecting Remote Access VPNs
  • The Problem:
    • Remote access VPN clients can be “hijacked”
    • Allows attackers into internal network
  • The Solution:
    • Centrally managed personal firewall on VPN clients
  [Diagram: Attacker reaching a VPN client on a Cable or xDSL connection over the Internet]

  30. Summary
  • Virtual Private Networks have become mission-critical applications
  • IPSec is the leading protocol for creating enterprise VPNs
    • Provides encryption, authentication, and data integrity
  • Organizations should look for:
    • Integrated firewalls and VPNs
    • Centralized management of VPN client security
    • A method to provide VPN QoS
