Virtual Private Networks - PowerPoint PPT Presentation

Slides: 17
Provided by: busi210
Transcript and Presenter's Notes

1
Virtual Private Networks
2
Internet Threats
  • Data integrity
  • The contents of a packet can be accidentally or
    deliberately modified.
  • Identity spoofing
  • The origin of an IP packet can be forged.
  • Replay attacks
  • Unauthorized data can be retransmitted.
  • Loss of privacy
  • The contents of a packet can be examined in
    transit.

3
VPNs
  • VPNs are designed to provide many of the
    advantages of a leased line via a multiaccess
    network
  • Privacy
  • Authentication
  • Data integrity
  • Antireplay

4
VPN Example
[Diagram: two VPN devices]
5
Intranet, Extranet and Access
  • Intranet connects all computers at two sites of
    the same organization with a VPN access device at
    each site
  • Extranet connects all the computers at two sites
    of different organizations with a VPN access
    device at each site
  • Access connects individual users to the enterprise
    network

6
Security at What Level?
  • Application Layer: PGP, Kerberos, SSH, etc.
  • Transport Layer: Transport Layer Security (TLS)
  • Network Layer: IP Security
  • Data Link Layer: Hardware encryption
7
IPSec Security Services
  • Connectionless integrity
  • Assurance that received traffic has not been
    modified. Integrity includes anti-replay defenses.
  • Data origin authentication
  • Assurance that traffic is sent by legitimate
    party or parties.
  • Confidentiality (encryption)
  • Assurance that user traffic is not examined by
    non-authorized parties.
  • Access control
  • Prevention of unauthorized use of a resource.

8
IPSec Modes of Operation
  • Transport Mode protects the upper layer protocols

Original IP Datagram:
IP Header | TCP Header | Data

Transport Mode protected packet:
IP Header | IPSec Header | TCP Header | Data (TCP Header and Data protected)

  • Tunnel Mode protects the entire IP payload

Tunnel Mode protected packet:
New IP Header | IPSec Header | Original IP Header | TCP Header | Data (Original IP Header, TCP Header and Data protected)
9
Tunnel Mode
  • Host-to-Network, Network-to-Network

[Diagram: protocol stacks of Host A and Host B (Application Layer, Transport Layer, IP Layer) and of two security gateways (IPSec, IP Layer) joined across the Internet, with Protected Data labelled]
SG = Security Gateway
10
Transport Mode
  • Host-to-Host

[Diagram: protocol stacks of Host A and Host B, each with Application Layer, Transport Layer, IPSec, IP Layer and Data Link Layer]
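
The two encapsulations from the IPSec Modes of Operation, Tunnel Mode and Transport Mode slides, as an added Python example that is not part of the presentation: it wraps one constructed datagram in ESP both ways and reports what the outer header exposes. It assumes ESP with NULL encryption and a truncated HMAC-SHA-256 integrity value so that it runs on the standard library; the key, SPIs and all addresses are constructed.

```python
import hashlib, hmac, socket, struct

ESP, TCP, IPIP = 50, 6, 4          # IP protocol numbers
KEY = b"constructed-demo-key"      # constructed integrity key, not a real SA

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum, plus payload."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                    proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    s = sum(struct.unpack("!10H", h))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return h[:10] + struct.pack("!H", ~s & 0xFFFF) + h[12:] + payload

def esp(spi, seq, inner, next_hdr):
    """ESP, NULL encryption: SPI | seq | inner | pad | pad_len | next_hdr | ICV."""
    pad = bytes(range(1, (-(len(inner) + 2)) % 4 + 1))   # align trailer to 4 bytes
    body = struct.pack("!II", spi, seq) + inner + pad + bytes([len(pad), next_hdr])
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:16]

def transport_mode(pkt, spi, seq):
    """Keep the original IP header; ESP wraps only the upper-layer segment."""
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    return ipv4(src, dst, ESP, esp(spi, seq, pkt[20:], pkt[9]))

def tunnel_mode(pkt, spi, seq, gw_src, gw_dst):
    """New outer header between gateways; ESP wraps the whole original datagram."""
    return ipv4(gw_src, gw_dst, ESP, esp(spi, seq, pkt, IPIP))

def observe(pkt):
    """What the outer header reveals in transit, and whether the ESP ICV verifies."""
    body, icv = pkt[20:-16], pkt[-16:]
    ok = hmac.compare_digest(icv, hmac.new(KEY, body, hashlib.sha256).digest()[:16])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "next_hdr": body[-1], "icv_ok": ok}

# Constructed datagram: Host A 10.1.0.5 -> Host B 10.2.0.9, 20-byte TCP header + data
tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x18, 1024, 0, 0) + b"hello"
original = ipv4("10.1.0.5", "10.2.0.9", TCP, tcp)

if __name__ == "__main__":
    print(observe(transport_mode(original, 0x1001, 1)))
    print(observe(tunnel_mode(original, 0x1002, 1, "198.51.100.1", "203.0.113.1")))
```

In transport mode the host addresses stay visible in the outer header; in tunnel mode only the gateway addresses appear and the original header travels inside the ESP payload.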
11
IPSec Security Protocols
  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP)

12
IPSec Security Protocols
  • Authentication Header (AH) provides
    - Connectionless integrity
    - Data origin authentication
    - Protection against replay attacks
  • Encapsulating Security Payload (ESP) provides
    - Confidentiality (encryption)
    - Connectionless integrity
    - Data origin authentication
    - Protection against replay attacks
  • Both protocols may be used alone or applied in
    combination with each other.

13
Tunneling Protocols
  • Tunneling protocols encrypt the data and transmit
    via existing protocols
  • Layer 2 Forwarding (L2F): Cisco protocol for
    dial-up connections
  • Point-to-Point Tunneling Protocol (PPTP):
    created by Microsoft
  • Layer 2 Tunneling Protocol (L2TP): Cisco and
    Microsoft protocol
  • Generic Routing Encapsulation (GRE): Cisco
    protocol

14
SSL VPNs
  • Secure Sockets Layer is an encryption protocol
    used for HTTP traffic
  • Cisco supports SSL VPNs with a feature called Web
    VPN

15
VPN Encryption Algorithms
16
Exchanging Keys
  • Pre-Shared Keys (PSK)
  • Manually sharing keys
  • Internet Key Exchange (IKE)
  • Devices create keys and exchange them securely
  • DH-1 768-bit key
  • DH-2 1024-bit key
  • DH-3 1536-bit key