
Virtual Private Network



Presentation Transcript


  1. Chapter 4 Virtual Private Network

  2. Objectives
  • VPN Overview
  • Tunneling Protocols
  • Deployment models
  • Lab Demo
  Lecturer: Trần Thị Ngọc Hoa

  3. Overview of VPN

  4. VPN Concept
  • A Virtual Private Network is a logical network that allows users to connect securely over the Internet to a remote private network.

  5. VPN Deployment Scenarios • Remote Access VPN

  6. VPN Deployment Scenarios • Extranet VPN (Site-to-Site, Router-to-Router)

  7. VPN Deployment Scenarios • Mixed VPN with Firewall

  8. Tunneling
  • Tunneling is the process of encapsulating a payload protocol inside another (carrier) protocol.
  • It provides a path through an untrusted or incompatible network; that path is only secure if the carrier protocol adds encryption and authentication, which plain tunneling does not.

  9. Tunneling Protocols
  • GRE – Generic Routing Encapsulation
  • Developed by Cisco, now an IETF standard (RFC 2784)
  • Encapsulation only: no confidentiality or integrity, so it is normally protected with IPsec
  • PPTP (with/without MPPE) – Point-to-Point Tunneling Protocol
  • Developed by a Microsoft-led vendor group (RFC 2637)
  • MPPE encrypts with RC4 using keys derived from the MS-CHAPv2 authentication, which has been broken in practice; PPTP should not be used for new deployments
  • L2TP (with/without IPsec) – Layer 2 Tunneling Protocol
  • Created by Cisco and Microsoft by merging L2F and PPTP (RFC 2661)
  • Carries PPP frames over UDP port 1701 with no encryption of its own, hence the usual L2TP/IPsec combination

  10. IP Security • IP Security Overview • Algorithms • IPsec Protocols

  11. IP Security Overview
  • Open standard developed by the IETF's IPsec working group.
  • Security Architecture for the Internet Protocol (RFC 4301).
  • Operates at Layer 3 (the network layer) of the OSI model, so it protects any transport protocol carried in IP.
  • IPsec protects data by providing the following services:
  • Data integrity
  • Data origin authentication between a pair of gateways, a pair of hosts, or a host and its gateway
  • Replay protection
  • Encryption (confidentiality)
  • Many different algorithms can be used within IPsec; the peers negotiate which ones.
  • 2 primary protocols:
  • AH – Authentication Header – IP protocol number 51
  • ESP – Encapsulating Security Payload – IP protocol number 50

  12. Encryption Algorithms
  • Designed for data confidentiality assurance
  • 2 different methods
  • Symmetrical
  • Asymmetrical

  13. Symmetrical Algorithms
  • DES – Data Encryption Standard
  • 56-bit key, 64-bit data block
  • Key space: 2^56 ≈ 72,000,000,000,000,000 keys, small enough that DES was brute-forced publicly in 1998 and is no longer considered secure
  • 3DES
  • Three passes: Encrypt – Decrypt – Encrypt
  • 168-bit key (effective strength about 112 bits), 64-bit data block; deprecated by NIST
  • AES – Advanced Encryption Standard
  • 128-bit data block; 128-, 192- or 256-bit key; the current choice for IPsec
  [Figure: the same session key is used to encrypt the data and to decrypt the ciphertext.]

  14. Asymmetric Algorithms
  • 2 different but mathematically related keys are required: what one key encrypts, only the other can decrypt.
  • RSA – Rivest, Shamir, and Adleman
  • ElGamal
  [Figure: the public key encrypts the data; the matching private key decrypts it.]

  15. Hashing Algorithms
  • Hashing algorithms are used for authentication and integrity assurance of data.
  • They are based on some type of one-way hash function.
  • MD5
  • 128-bit output
  • SHA-1
  • 160-bit output
  • Collision: 2 different inputs => the same output. Practical collision attacks now exist for both MD5 and SHA-1, so SHA-1 is preferred to MD5 only in the historical sense; new deployments should use SHA-2 (SHA-256 or larger).
  • In IPsec the hash is never used on its own: it is keyed as an HMAC (HMAC-MD5-96, HMAC-SHA-1-96, HMAC-SHA-256-128) and truncated, so a receiver without the key cannot recompute it.
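The difference between the bare hash on this slide and the keyed HMAC that IPsec actually carries, as an added example that is not part of the lecture: the packet bytes and the key are constructed for the demonstration, and the 96-bit truncation follows RFC 2403/2404, but no real AH or ESP header is built.

```python
"""Keyed integrity check (ICV) versus a bare hash, added example.

Not from the lecture. The packet bytes and key are constructed for the
demonstration; the 96-bit truncation mirrors HMAC-MD5-96 / HMAC-SHA-1-96
(RFC 2403 / RFC 2404) but no real AH or ESP header is built here.
"""
import hashlib
import hmac

ICV_LEN = 12  # 96 bits, the truncated ICV length AH/ESP carry for MD5 and SHA-1

# Constructed sample: a fake IP header prefix followed by an application message.
SAMPLE_PACKET = (b"\x45\x00\x00\x3c\x1c\x46\x40\x00\x40\x11"
                 + b"transfer 100 to acct 4242")
SAMPLE_KEY = bytes.fromhex("0b" * 32)  # constructed 256-bit key; never reuse a fixed key


def compute_icv(key: bytes, data: bytes, digest: str = "sha256") -> bytes:
    """Keyed hash over the data, truncated like an IPsec ICV."""
    return hmac.new(key, data, digest).digest()[:ICV_LEN]


def verify_icv(key: bytes, data: bytes, icv: bytes, digest: str = "sha256") -> bool:
    """Constant-time comparison so a forger learns nothing from timing."""
    return hmac.compare_digest(compute_icv(key, data, digest), icv)


def unkeyed_digest(data: bytes) -> bytes:
    """Plain hash with no key: anyone, including the attacker, can recompute it."""
    return hashlib.sha256(data).digest()[:ICV_LEN]


def tamper(packet: bytes) -> bytes:
    """Constructed attacker edit on the wire: change the amount."""
    return packet.replace(b"100", b"900")


def keyed_demo() -> dict:
    """Sender attaches an HMAC ICV; the attacker cannot fix it without the key."""
    icv = compute_icv(SAMPLE_KEY, SAMPLE_PACKET)
    forged = tamper(SAMPLE_PACKET)
    return {
        "genuine_accepted": verify_icv(SAMPLE_KEY, SAMPLE_PACKET, icv),
        "forgery_accepted": verify_icv(SAMPLE_KEY, forged, icv),
    }


def unkeyed_demo() -> dict:
    """Sender attaches a bare hash; the attacker recomputes it over the forgery."""
    forged = tamper(SAMPLE_PACKET)
    attached = unkeyed_digest(forged)   # attacker "repairs" the check value
    return {
        "forgery_accepted": unkeyed_digest(forged) == attached,
        "payload_changed": forged != SAMPLE_PACKET,
    }
```

The unkeyed case is why the slide's integrity claim only holds with a key: IPsec keeps the HMAC key in the SA, and a receiver rejects any packet whose ICV fails before it looks at the payload at all.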

  16. Hashing Example

  17. Key Exchange Problem
  • Question: how do you get the key from one device to the other?
  • If the key is sent across an untrusted network, you run the risk of it being sniffed and captured by an attacker.
  • If you phone the technician at the other end, you run the risk of phone tapping.
  • Answer: Diffie-Hellman

  18. Diffie-Hellman Key Exchange
  • The Diffie-Hellman key exchange is used for automatic secure establishment of
  • Symmetrical keys
  • Other types of keying material
  • Algorithm description (the liquid-mixing analogy):
  • Step 1: A and B each start with the same public liquid in their glass (the agreed prime and generator, sent in the clear).
  • Step 2: A and B each pour in a secret liquid of their own (their private value); the resulting mixture is their public value.
  • Step 3: A and B exchange glasses. Each then pours their own secret liquid into the glass they received; both now hold an identical mixture (the shared secret), while anyone who only saw the exchanged glasses cannot unmix them.
  • Diffie-Hellman by itself does not authenticate the peer; IKE adds pre-shared keys or certificates so that an attacker in the middle cannot substitute their own values.
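The exchange the analogy describes, carried out with real arithmetic, as an added example that is not part of the lecture: it uses the 2048-bit MODP prime and generator that RFC 3526 defines and that IKE negotiates as group 14, validates the received public value, derives a key from the shared secret with a simplified HMAC step (an illustration only, not IKE's exact PRF construction), and then shows what an active attacker can do when the exchange is not authenticated. The nonce handling and the party names are assumptions for the illustration.

```python
"""Diffie-Hellman over the IKE MODP group 14, added example.

Not the lecturer's code. Assumes the 2048-bit prime and generator 2 from
RFC 3526 section 3 (IKE group 14). derive_key is a simplified stand-in for
IKE's PRF-based SKEYID/SKEYSEED derivation, not the real construction.
"""
import hashlib
import hmac
import secrets

MODP14_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
Q = (MODP14_P - 1) // 2  # RFC 3526 primes are safe primes: p = 2q + 1 with q prime


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin with random bases; used here to sanity-check the constant."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def valid_public_value(y: int) -> bool:
    """Reject 0, 1, p-1 and anything outside the order-q subgroup.

    Because p = 2q+1 and 2 is a quadratic residue mod p (p = 7 mod 8), every
    honest value g^x satisfies y^q = 1 mod p; this stops small-subgroup tricks.
    """
    return 1 < y < MODP14_P - 1 and pow(y, Q, MODP14_P) == 1


def keypair():
    """Private exponent x in [2, q-1] and public value g^x mod p."""
    x = secrets.randbelow(Q - 2) + 2
    return x, pow(G, x, MODP14_P)


def shared_secret(private: int, peer_public: int) -> int:
    if not valid_public_value(peer_public):
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, MODP14_P)


def derive_key(shared: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Simplified: key = HMAC-SHA256(Ni | Nr, g^xy). Illustration, not IKE's PRF."""
    gxy = shared.to_bytes((MODP14_P.bit_length() + 7) // 8, "big")
    return hmac.new(nonce_i + nonce_r, gxy, hashlib.sha256).digest()


def exchange():
    """Honest run: only g^x, g^y and the nonces cross the wire; keys match."""
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)
    a, ga = keypair()   # initiator
    b, gb = keypair()   # responder
    return (derive_key(shared_secret(a, gb), ni, nr),
            derive_key(shared_secret(b, ga), ni, nr))


def mitm_exchange():
    """Unauthenticated run: Mallory replaces both public values with her own
    and ends up sharing one key with each side, who cannot tell. This is why
    IKE authenticates the exchange (PSK or signatures) before trusting it."""
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)
    a, ga = keypair()
    b, gb = keypair()
    m, gm = keypair()   # Mallory
    k_alice = derive_key(shared_secret(a, gm), ni, nr)  # Alice believes gm is Bob's
    k_bob = derive_key(shared_secret(b, gm), ni, nr)    # Bob believes gm is Alice's
    k_m_alice = derive_key(shared_secret(m, ga), ni, nr)
    k_m_bob = derive_key(shared_secret(m, gb), ni, nr)
    return k_alice, k_bob, k_m_alice, k_m_bob
```

In an honest run `exchange()` returns two equal keys; in `mitm_exchange()` Alice's key equals Mallory's first key and Bob's equals her second, while Alice and Bob disagree, which is exactly the situation IKE Phase 1 authentication exists to detect.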

  19. IPsec Protocols
  • AH
  • Provides data integrity
  • Provides data origin authentication, covering the payload and the immutable fields of the IP header
  • Provides anti-replay protection (optionally)
  • Does not provide any form of encryption for the payload of the packet
  • Because the IP header is authenticated, AH fails when addresses are rewritten by NAT
  • ESP
  • Provides payload encryption
  • Provides authentication and integrity of the payload (optional in the standard, but it should always be enabled) and anti-replay protection
  • Does not protect the outer IP header

  20. Security Mode
  • Both ESP and AH can operate in two different modes
  • Tunnel Mode:
  • The entire original IP packet is protected (encrypted by ESP, authenticated by AH) and then encapsulated behind a new outer IP header. With ESP the outer header is not protected. This is the mode used between gateways and the default in Cisco IOS transform sets.
  • Transport Mode:
  • The original IP header is kept and only the payload is protected, so it is used host-to-host or to protect another tunnel such as GRE or L2TP.
  • With AH the original IP header is included in the hash, so its immutable fields cannot be changed between sender and receiver; with ESP the header is not covered at all.

  21. Security Associations
  • An SA is the set of policy and key(s) agreed between two peers before IPsec can protect traffic. SAs are unidirectional, so a tunnel needs one SA in each direction.
  • Each SA gets a unique 32-bit Security Parameter Index (SPI) that is sent in every packet belonging to that SA; the receiver uses it to find the right keys and state.
  • The SA keeps track of general information such as the following:
  • Source IP address
  • Destination IP address
  • IPsec protocol used (AH or ESP)
  • SPI number
  • Encryption and authentication algorithms
  • Anti-replay window state (which sequence numbers have already been seen)
  • Key lifetime (the amount of time and/or byte count for which a key is valid; the longer a key lives, the more traffic is exposed if it is compromised)
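How a receiver uses the SA state listed on these slides, as an added example that is not part of the lecture: an SA database looked up by (SPI, destination, protocol), the 64-packet anti-replay sliding window from RFC 4303 section 3.4.3, and byte/time lifetimes. The SA values, the packet records and the lifetime numbers are constructed; no ESP parsing, decryption or ICV check is performed.

```python
"""Receiver-side SA bookkeeping: SPI lookup, anti-replay window, lifetimes.

Added example, not the lecturer's code. SA values, packets and lifetime
numbers are constructed; the window logic follows RFC 4303 section 3.4.3,
but no ESP header parsing, decryption or ICV check is performed.
"""
from dataclasses import dataclass

WINDOW = 64  # RFC 4303 requires support for at least 32; 64 is the usual default


@dataclass
class SecurityAssociation:
    spi: int
    src: str
    dst: str
    protocol: str          # "ESP" or "AH"
    cipher: str
    integrity: str
    soft_bytes: int        # exceeded: start rekeying
    hard_bytes: int        # exceeded: stop using this SA
    hard_seconds: int
    created_at: float
    bytes_used: int = 0
    highest_seq: int = 0   # right edge of the replay window
    bitmap: int = 0        # bit i set => sequence (highest_seq - i) already accepted

    def check_replay(self, seq: int) -> bool:
        """True if seq is new and not too old to track."""
        if seq == 0:
            return False                       # sequence numbers start at 1
        if seq > self.highest_seq:
            return True                        # will advance the window
        diff = self.highest_seq - seq
        if diff >= WINDOW:
            return False                       # fell off the left edge: too old
        return not (self.bitmap >> diff) & 1   # inside the window: seen before?

    def mark_received(self, seq: int) -> None:
        """Slide or mark the window; RFC 4303 does this only after the ICV verifies."""
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
        else:
            self.bitmap |= 1 << (self.highest_seq - seq)

    def lifetime_state(self, now: float) -> str:
        if self.bytes_used >= self.hard_bytes or now - self.created_at >= self.hard_seconds:
            return "expired"
        return "rekey" if self.bytes_used >= self.soft_bytes else "ok"


class SAD:
    """Security Association Database: inbound SAs keyed by (SPI, dst, protocol)."""

    def __init__(self) -> None:
        self._sas = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._sas[(sa.spi, sa.dst, sa.protocol)] = sa

    def lookup(self, spi: int, dst: str, protocol: str):
        return self._sas.get((spi, dst, protocol))


def process_inbound(sad: SAD, packets: list, now: float) -> list:
    """One decision per packet: accept, no-sa, expired or replay."""
    decisions = []
    for pkt in packets:
        sa = sad.lookup(pkt["spi"], pkt["dst"], pkt["proto"])
        if sa is None:
            decisions.append("no-sa")
        elif sa.lifetime_state(now) == "expired":
            decisions.append("expired")
        elif not sa.check_replay(pkt["seq"]):
            decisions.append("replay")
        else:
            # ICV verification and decryption would go here; only then:
            sa.mark_received(pkt["seq"])
            sa.bytes_used += pkt["len"]
            decisions.append("accept")
    return decisions


def demo() -> dict:
    """Constructed stream: duplicates, a stale packet, an unknown SPI, and
    enough bytes to push the SA past its hard byte lifetime."""
    sad = SAD()
    sa = SecurityAssociation(spi=0x1001, src="203.0.113.10", dst="198.51.100.1",
                             protocol="ESP", cipher="AES-256-CBC",
                             integrity="HMAC-SHA-256-128", soft_bytes=4000,
                             hard_bytes=8000, hard_seconds=3600, created_at=1000.0)
    sad.add(sa)
    seqs = [(0x1001, 1), (0x1001, 2), (0x1001, 3), (0x1001, 2), (0x1001, 70),
            (0x1001, 6), (0x1001, 7), (0x1001, 70), (0x2002, 71), (0x1001, 71),
            (0x1001, 72)]
    packets = [{"spi": s, "dst": "198.51.100.1", "proto": "ESP", "seq": q, "len": 1400}
               for s, q in seqs]
    return {"decisions": process_inbound(sad, packets, 1500.0),
            "lifetime": sa.lifetime_state(1500.0)}
```

Calling `demo()` shows the window at work: the repeated sequence numbers 2 and 70 are rejected as replays, sequence 6 is rejected because it has fallen 64 behind the window's right edge, the unknown SPI 0x2002 matches no SA, and once 8000 bytes have been accepted the SA reports expired, at which point IKE would have had to negotiate a replacement.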

  22. Internet Key Exchange
  • Internet Key Exchange (IKE) is used to negotiate and establish all the information a tunnel needs – the SAs and their keys – and runs over UDP port 500 (4500 when NAT traversal is in use).
  • 2 phases (IKEv1)
  • IKE Phase 1 – Main mode (or the shorter but less protective Aggressive mode): authenticates the peers and sets up the IKE SA
  • IKE Phase 2 – Quick mode: negotiates the IPsec SAs that protect the data
  • IKEv2 (RFC 7296) replaces this with the IKE_SA_INIT and IKE_AUTH exchanges plus CREATE_CHILD_SA, and is preferred for new deployments.
