
Virtual Private Networks (VPNs)

Virtual Private Networks (VPNs). Source: VPN Technologies: Definitions and Requirements. VPN Consortium, July 2008.

rhogg




Presentation Transcript


1. Virtual Private Networks (VPNs)
  • Source: VPN Technologies: Definitions and Requirements. VPN Consortium, July 2008.
  • A private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.

2. VPN
  • Source: http://tools.ietf.org/html/rfc2828
  • A restricted-use, logical (i.e., artificial or simulated) computer network that is constructed from the system resources of a relatively public, physical (i.e., real) network (such as the Internet), often by using encryption (located at hosts or gateways), and often by tunneling links of the virtual network across the real network.
  • For example, if a corporation has LANs at several different sites, each connected to the Internet by a firewall, the corporation could create a VPN by
    • using encrypted tunnels to connect from firewall to firewall across the Internet, and
    • not allowing any other traffic through the firewalls.
  • A VPN is generally less expensive to build and operate than a dedicated real network, because the virtual network shares the cost of system resources with other users of the real network.
Network Security

3. Characteristics of VPNs
  • End-to-end communications between two end points
  • End points: routers, firewalls, servers, hosts
  • Virtual
  • Private
  • Networks
  • Shared?

4. Alternative Definition of VPN?
  • A VPN is a means of carrying private traffic over a public network.
  • Often used to connect two private networks, over a public network, to form a virtual network.
  • The word virtual means that, to the users on either end, the two private networks seem to be seamlessly connected to each other.
  • That is, they are part of a single virtual private network (although physically they are two separate networks).
  • → Implication? Connectivity, security, privacy.
  • The VPN should provide the same connectivity and privacy you would find on a typical local private network.

5. Classifications of VPNs
  • Based on encryption:
    • Encrypted VPNs
    • Nonencrypted VPNs
  • Based on OSI model:
    • Data link layer VPNs
    • Network layer VPNs
    • Application layer VPNs
  • Based on business functionality:
    • Intranet VPNs
    • Extranet VPNs

6. VPNs at different OSI layers
  • The layer where the VPN is constructed affects its functionality.
  • Example: in encrypted VPNs, the layer where encryption occurs determines
    • how much traffic gets encrypted
    • the level of transparency for the end users
  • Data link layer VPNs (Layer 2)
    • Example protocols: Frame Relay, ATM
    • Drawbacks:
      • Expensive: requires dedicated Layer 2 pathways
      • May not have complete security; mainly segregation of the traffic, based on the type of Layer 2 connection
  • Q: Is L2TP a Layer 2 VPN?

7. VPNs at different OSI layers
  • Network layer VPNs (Layer 3)
    • Created using Layer 3 tunneling and/or encryption
    • Q: What is the difference between encapsulation and tunneling? See http://computing-dictionary.thefreedictionary.com/tunneling%20protocol
    • Examples: IPsec, GRE, L2TP (tunneling Layer 2 traffic by using the IP layer to do so)
    • Advantages:
      • A ‘proper’ layer
      • Low enough: transparency
      • High enough: IP addressing
    • Cisco focuses on this layer for its VPNs.

8. VPNs at different OSI layers
  • Application layer VPNs
    • Created to “work” specifically with certain applications
    • Examples: SSL-based VPNs (providing encryption between web browsers and servers running SSL); SSH (encrypted and secure login sessions to network devices)
    • Drawbacks:
      • May not be seamless (transparency issue)
  • Counter-argument: OpenVPN and SSL VPN Revolution (Hosner, 2004)
    • “The myth that Secure Socket Layer (SSL) Virtual Private Network devices (VPNs) are used to connect applications together is not true. …
    • A VPN is a site-to-site tunnel. …
    • There is a terrible misunderstanding in the industry right now that pigeon-holes SSL VPNs into the same category with SSL enabled web servers and proxy servers. …
    • A VPN, or Virtual Private Network, refers to simulating a private network over the public Internet by encrypting communications between the two private end-points. …
    • A VPN device is used to create an encrypted, non-application oriented tunnel between two machines that allows these machines or the networks they service to exchange a wide range of traffic regardless of application or protocol. This exchange is not done on an application by application basis. It is done on the entire link between the two machines or networks and arbitrary traffic may be passed over it. …”

9. Other Classifications of VPNs?
  • Intranet VPNs vs. Extranet VPNs
  • Remote Access VPNs vs. Site-to-site VPNs

10. Types of VPNs
  • Trusted
    • Non-cryptographic
    • Data moves over a set of paths that has specified properties and is controlled by one ISP or a trusted confederation of ISPs.
    • Examples: Layer 2 frames over MPLS (Multiprotocol Label Switching)
  • Secure
    • Cryptographic
    • Examples: IPsec with encryption, SSL with encryption, L2TP over IPsec, PPTP over MPPE
  • Hybrid

11. Why Hybrid VPNs?
  • Secure VPNs provide security but no assurance of paths.
  • Trusted VPNs provide assurance of path properties such as QoS, but no security from snooping or alteration.
  • A typical situation for hybrid VPN deployment is when a company already has a trusted VPN in place and some parts of the company also need security over part of the VPN.

12. Requirements for Secure VPNs
  • All traffic on the secure VPN must be encrypted and authenticated.
  • The security properties of the VPN must be agreed to by all parties in the VPN.
  • Secure VPNs have one or more tunnels, and each tunnel has two endpoints. The administrators of the two endpoints of each tunnel must be able to agree on the security properties of the tunnel.
  • No one outside the VPN can affect the security properties of the VPN.

13. Requirements for Trusted VPNs
  • No one other than the trusted VPN provider can affect the creation or modification of a path in the VPN.
  • No one other than the trusted VPN provider can change data, inject data, or delete data on a path in the VPN.
  • Although the paths are typically shared among many customers of a provider, the path itself must be specific to the VPN, and no one other than the trusted provider can affect the data on that path.
  • The routing and addressing used in a trusted VPN must be established before the VPN is created.

14. Requirements for Hybrid VPNs
  • The address boundaries of the secure VPN within the trusted VPN must be extremely clear.
  • In a hybrid VPN, the secure VPN may be a subset of the trusted VPN, such as when one department in a corporation runs its own secure VPN over the corporate trusted VPN.
  • For any given pair of addresses in a hybrid VPN, the VPN administrator must be able to definitively say whether or not traffic between those two addresses is part of the secure VPN.
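The "clear address boundaries" requirement can be checked mechanically. The following is an added example, not material from the slides or the VPN Consortium document: it assumes a constructed address plan (a trusted VPN over 10.0.0.0/8 with two departmental secure VPNs inside it, all hypothetical RFC 1918 values), verifies that every secure VPN is a subset of the trusted VPN and that no two secure VPNs claim the same addresses, and then answers, for any address pair, whether their traffic is on a secure VPN, on the trusted VPN only, or outside both.

```python
import ipaddress
from typing import Dict, List

Net = ipaddress.IPv4Network


def check_hybrid_boundaries(trusted: List[Net], secure_vpns: Dict[str, List[Net]]) -> List[str]:
    """Return every way the address plan violates the hybrid-VPN boundary requirements."""
    problems = []
    # Requirement: each secure VPN must be a subset of the trusted VPN's address space.
    for name, prefixes in secure_vpns.items():
        for p in prefixes:
            if not any(p.subnet_of(t) for t in trusted):
                problems.append(f"{name}: {p} is not inside any trusted-VPN prefix")
    # Requirement: membership must be decidable, so two secure VPNs may not overlap.
    names = sorted(secure_vpns)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for pa in secure_vpns[a]:
                for pb in secure_vpns[b]:
                    if pa.overlaps(pb):
                        problems.append(f"{pa} ({a}) overlaps {pb} ({b}): membership ambiguous")
    return problems


def classify_pair(src: str, dst: str, trusted: List[Net],
                  secure_vpns: Dict[str, List[Net]]) -> str:
    """Say definitively whether src<->dst traffic is on a secure VPN, the trusted VPN only, or neither."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    def secure_membership(addr):
        return {name for name, ps in secure_vpns.items() if any(addr in p for p in ps)}

    common = secure_membership(s) & secure_membership(d)
    if common:
        # Both ends lie in the same secure VPN: traffic is part of the secure VPN.
        return "secure:" + sorted(common)[0]
    if all(any(a in t for t in trusted) for a in (s, d)):
        # Both ends are in the trusted VPN but not in a shared secure VPN.
        return "trusted"
    return "outside"


# Constructed address plan (hypothetical RFC 1918 values), not from the slides.
TRUSTED = [Net("10.0.0.0/8")]
SECURE = {"finance": [Net("10.1.0.0/16")], "rnd": [Net("10.2.0.0/16")]}

if __name__ == "__main__":
    print(check_hybrid_boundaries(TRUSTED, SECURE))            # [] -> plan is unambiguous
    print(classify_pair("10.1.1.1", "10.1.2.2", TRUSTED, SECURE))   # secure:finance
    print(classify_pair("10.1.1.1", "10.2.1.1", TRUSTED, SECURE))   # trusted
    print(classify_pair("10.1.1.1", "192.0.2.1", TRUSTED, SECURE))  # outside
```

Run the boundary check whenever the plan changes; a non-empty result means some address pair has no definitive answer, which is exactly the condition the requirement forbids.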

15. VPN Deployments
  • Internet VPNs
  • Intranet VPNs
  • Extranet VPNs

16. VPN Technologies
  • Trusted
    • MPLS with constrained distribution of routing information through BGP ("layer 3 VPNs")
    • Transport of layer 2 frames over MPLS ("layer 2 VPNs")
    • Generic Routing Encapsulation (GRE)
  • Secure
    • IPsec with encryption
    • SSL with encryption (esp. secure remote access)
    • L2TP over IPsec
  • Hybrid
    • A secure VPN technology running over a trusted VPN technology

17. Generic Routing Encapsulation (GRE)
  • Provides low-overhead tunneling (often between two private networks)
  • Does not provide encryption
  • Used to encapsulate an arbitrary network-layer protocol over another arbitrary network-layer protocol: delivery header + GRE header + payload packet
  • IPv4 is mostly the delivery mechanism for GRE, with an arbitrary protocol nested inside; e.g., IP protocol number 47 identifies GRE packets carried in IPv4 headers
  • RFCs:
    • RFC 1701, Generic Routing Encapsulation (GRE). S. Hanks, T. Li, D. Farinacci, P. Traina, October 1994 (Informational)
    • RFC 2784, Generic Routing Encapsulation (GRE). D. Farinacci, T. Li, S. Hanks, D. Meyer, P. Traina, March 2000 (Proposed Standard)
    • RFC 2890, Key and Sequence Number Extensions to GRE. G. Dommety, September 2000 (Proposed Standard)

18. Generic Routing Encapsulation
  • GRE header (based on RFC 1701, deprecated): Figure 11-2
  • GRE header (based on RFC 2784 & 2890): Figure 11-4
    • C = 1: checksum present
    • Checksum: to ensure the integrity of the GRE header and the payload packet; contains a checksum of the GRE header and the payload packet
    • Key:
      • contains a number to prevent misconfiguration of packets;
      • may be used to identify an individual traffic flow within a tunnel;
      • not the same as a cryptographic key
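A worked encoder and decoder for the RFC 2784/2890 header just described, added here as an example that is not part of the slides or of the VPN Consortium document. It assumes Python 3 only and constructs its own sample packet: an outer IPv4 delivery header with protocol number 47, a GRE header with the C, K and S bits set, and a constructed inner IPv4 packet (all addresses and values are made up). The Checksum is the RFC 1071 Internet checksum over the GRE header and payload, and the decoder rejects packets that fail it, have a non-zero version, or set the reserved (RFC 1701-era) bits. Note what the two fields do and do not give you: the checksum detects corruption but not deliberate modification, and the Key is a tunnel or flow identifier, not a cryptographic key, which is why GRE alone does not meet the "encrypted and authenticated" requirement of a secure VPN.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Flag bits in the first 16-bit word of the GRE header (RFC 2784 + RFC 2890).
GRE_FLAG_C = 0x8000       # Checksum Present
GRE_FLAG_K = 0x2000       # Key Present (RFC 2890)
GRE_FLAG_S = 0x1000       # Sequence Number Present (RFC 2890)
GRE_RESERVED0 = 0x4FF8    # R bit and Reserved0 (RFC 1701 routing bits): must be zero
GRE_VERSION = 0x0007      # Version field: 0 for RFC 2784 GRE
ETHERTYPE_IPV4 = 0x0800   # Protocol Type value for an IPv4 payload packet
IPPROTO_GRE = 47          # GRE's protocol number in the outer IPv4 delivery header


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: 16-bit one's complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class GreHeader:
    protocol_type: int
    checksum: Optional[int]   # None when the C bit is clear
    key: Optional[int]        # None when the K bit is clear; a flow/tunnel id, NOT a crypto key
    sequence: Optional[int]   # None when the S bit is clear
    header_len: int


def build_gre(payload: bytes, protocol_type: int, key: Optional[int] = None,
              sequence: Optional[int] = None, with_checksum: bool = True) -> bytes:
    """Prepend an RFC 2784/2890 GRE header to the payload packet."""
    flags = 0
    if with_checksum:
        flags |= GRE_FLAG_C
    if key is not None:
        flags |= GRE_FLAG_K
    if sequence is not None:
        flags |= GRE_FLAG_S
    header = struct.pack("!HH", flags, protocol_type)
    if with_checksum:
        header += struct.pack("!HH", 0, 0)   # Checksum (filled below) + Reserved1
    if key is not None:
        header += struct.pack("!I", key)
    if sequence is not None:
        header += struct.pack("!I", sequence)
    if with_checksum:
        # Checksum covers the whole GRE header and the payload, with the field itself zero.
        csum = internet_checksum(header + payload)
        header = header[:4] + struct.pack("!H", csum) + header[6:]
    return header + payload


def parse_gre(packet: bytes) -> Tuple[GreHeader, bytes]:
    """Validate a GRE packet and return (header fields, inner payload packet)."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, protocol_type = struct.unpack("!HH", packet[:4])
    if flags & GRE_VERSION:
        raise ValueError("unsupported GRE version %d" % (flags & GRE_VERSION))
    if flags & GRE_RESERVED0:
        raise ValueError("reserved bits set (RFC 1701-style header?)")
    header_len = 4 + 4 * sum(bool(flags & b) for b in (GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S))
    if len(packet) < header_len:
        raise ValueError("truncated GRE optional fields")
    checksum = key = sequence = None
    pos = 4
    if flags & GRE_FLAG_C:
        checksum = struct.unpack("!H", packet[pos:pos + 2])[0]
        pos += 4
        # With the checksum field included, an intact packet sums to zero.
        if internet_checksum(packet) != 0:
            raise ValueError("GRE checksum mismatch: header or payload corrupted")
    if flags & GRE_FLAG_K:
        key = struct.unpack("!I", packet[pos:pos + 4])[0]
        pos += 4
    if flags & GRE_FLAG_S:
        sequence = struct.unpack("!I", packet[pos:pos + 4])[0]
    return GreHeader(protocol_type, checksum, key, sequence, header_len), packet[header_len:]


def gre_from_ipv4(datagram: bytes) -> Tuple[GreHeader, bytes]:
    """Strip the outer IPv4 delivery header (protocol 47) and parse the GRE packet inside."""
    if len(datagram) < 20 or datagram[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (datagram[0] & 0x0F) * 4
    total_len = struct.unpack("!H", datagram[2:4])[0]
    if datagram[9] != IPPROTO_GRE:
        raise ValueError("outer protocol %d is not GRE" % datagram[9])
    return parse_gre(datagram[ihl:total_len])


def sample_gre_over_ipv4() -> bytes:
    """Constructed sample: IPv4 delivery header + GRE (C, K, S set) + inner IPv4 packet."""
    # Constructed inner IPv4 packet: 20-byte header (IP checksum left zero) + 5 payload bytes.
    inner = bytes.fromhex("45000019000100004001" "0000" "c0a80101c0a80202") + b"hello"
    gre = build_gre(inner, ETHERTYPE_IPV4, key=0x1234, sequence=7)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0, 64, IPPROTO_GRE, 0,
                        bytes([198, 51, 100, 1]), bytes([203, 0, 113, 1]))
    return outer + gre
```

Flipping any byte of the sample makes `gre_from_ipv4` raise on the checksum, but an on-path party that changes the payload can simply recompute the checksum, and the Key is sent in the clear; only wrapping the GRE packet in IPsec (as on the next slide) adds confidentiality and authentication.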

19. Generic Routing Encapsulation
  • Summary:
    • GRE mainly performs ‘tunneling’.
    • Does not provide a means to securely encrypt its payload
    • Often relies on the application layer to provide encryption
    • May be used together with network layer encryption (such as IPsec)
      • Example 1: use GRE to encapsulate non-IP traffic and then encrypt the GRE packet using IPsec
      • Example 2: use GRE to encapsulate multicast traffic and then encrypt the GRE packet using IPsec
  • Question: Why not simply use IPsec?

20. Generic Routing Encapsulation
  • Case Studies:
    • A GRE tunnel connecting two private networks: Figure 11-5
    • GRE between multiple sites: Figure 11-6
    • GRE between two sites running IPX
