Virtual Private Networks (VPN) - PowerPoint PPT Presentation

Title: Virtual Private Networks (VPN)

Description: Virtual Private Networks (VPN): Generic Routing Encapsulation (GRE); TLS (SSL-VPN). CN8814: Network Security / CN8816: Network ... (PowerPoint PPT presentation)

Slides: 23
Provided by: bma126
Transcript and Presenter's Notes

1
Virtual Private Networks (VPN)
  • Generic Routing Encapsulation (GRE)
  • TLS (SSL-VPN)

2
1. Generic Routing Encapsulation (GRE)
  • Tunneling
  • Encapsulation with delivery header
  • The addresses in the delivery header are the
    addresses of the head-end and the tail-end of the
    tunnel

[Figure: GRE tunnel between two private network sites, 10.1.0.0/16 and 10.2.0.0/16, across a public network. The inner packet (10.1.1.1/10.2.1.1) is carried behind a GRE header inside a delivery header addressed 20.1.1.1/30.1.1.1, the tunnel head-end and tail-end.]
3
1. Generic Routing Encapsulation (GRE)
  • Structure of a GRE encapsulated packet
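As an added example (not from the slides), the following Python builds and parses the structure described here: an IPv4 delivery header addressed from the tunnel head-end to the tail-end (IP protocol 47), a minimal GRE header, and the original IP packet. It uses the deck's addresses (20.1.1.1/30.1.1.1 outer, 10.1.1.1/10.2.1.1 inner); the inner payload bytes are constructed and stand in for a transport segment.

```python
import socket
import struct

GRE_PROTO = 47           # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type of an IPv4 payload


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header.
    Over a header whose checksum field is already filled in, this returns 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header (no options), DF set, TTL 64, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, head_end: str, tail_end: str) -> bytes:
    """Delivery header (head-end -> tail-end, protocol 47) + minimal GRE header
    (no C/K/S flags, protocol type 0x0800) + the original IP packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4_header(head_end, tail_end, GRE_PROTO, len(gre) + len(inner)) + gre + inner


def gre_decapsulate(pkt: bytes):
    """Return (delivery_src, delivery_dst, inner_packet) or raise ValueError."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or pkt[9] != GRE_PROTO or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("not a well-formed GRE-over-IPv4 packet")
    flags, ptype = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE protocol type 0x%04x" % ptype)
    # Optional 4-byte fields follow the fixed header when the C (0x8000),
    # K (0x2000) or S (0x1000) flag bits are set (RFC 2784 / RFC 2890).
    optional = 4 * sum(1 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
    inner = pkt[ihl + 4 + optional:]
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), inner


def addresses(ip_pkt: bytes):
    """(src, dst) of an IPv4 packet, used to look at the inner header."""
    return socket.inet_ntoa(ip_pkt[12:16]), socket.inet_ntoa(ip_pkt[16:20])
```

The tail-end only ever looks at the delivery header to accept the packet; the inner addresses are routed once the GRE header has been stripped.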

4
1. Generic Routing Encapsulation (GRE)
  • IP access to the tunnel is through the tunnel
    interface

[Figure: two gateways connected over the Internet on serial 0/0 (20.1.1.1 and 30.1.1.1), each with a tunnel 0 interface and an e0 interface towards a customer site (10.1.0.0/16 and 10.2.0.0/16). The packet 10.1.1.1/10.2.1.1 enters on e0, crosses the Internet as 20.1.1.1/30.1.1.1 GRE 10.1.1.1/10.2.1.1, and leaves on the far e0 as 10.1.1.1/10.2.1.1.]
5
1. Generic Routing Encapsulation (GRE)
  • Tunneling mechanism at IP
  • Outbound traffic

Routing table of R1:
  10.1.0.0/16   e0
  20.1.1.1/30   s0
  10.2.0.0/16   tunnel0
  0.0.0.0/0     s0

[Figure: outbound path at R1, steps (1)-(9): e0 -> IP -> Tunnel0 -> GRE encapsulation -> IP -> s0; the packet 10.1.1.1/10.2.1.1 leaves as 20.1.1.1/30.1.1.1 GRE 10.1.1.1/10.2.1.1.]
6
1. Generic Routing Encapsulation (GRE)
  • Inbound traffic

Routing table of R2:
  10.2.0.0/16   e0
  30.1.1.1/30   s0
  10.2.0.0/16   tunnel0
  0.0.0.0/0     s0

[Figure: inbound path at R2, steps (1)-(8): 20.1.1.1/30.1.1.1 GRE 10.1.1.1/10.2.1.1 arrives on s0 -> IP -> GRE decapsulation on Tunnel 0 -> IP -> e0 delivers 10.1.1.1/10.2.1.1.]
7
1. Generic Routing Encapsulation (GRE)
  • Example

R1 (20.1.1.1):
  interface tunnel0
   ip unnumbered s0
   tunnel source s0
   tunnel destination 30.1.1.1
  !
  ip route 10.2.0.0 255.255.0.0 tunnel0

R2 (30.1.1.1):
  interface tunnel0
   ip unnumbered s0
   tunnel source s0
   tunnel destination 20.1.1.1
  !
  ip route 10.1.0.0 255.255.0.0 tunnel0

Routing table of R1:
  10.1.0.0/16   e0
  20.1.1.1/30   s0
  10.2.0.0/16   tunnel0
  0.0.0.0/0     s0
8
1. Generic Routing Encapsulation (GRE)
  • GRE tunneling with routing

Routing updates (subnets of 10.0.0.0/8)
9
3. IP Security (IPsec)
  • IPsec and Dynamic Routing
  • IPsec-protected traffic must be pre-defined
  • IPsec only supports static routing

[Figure: the IPsec tunnel is set up for the traffic between 10.1.0.0/16 and 10.2.0.0/16; when a new site, 10.3.0.0/16, is added, the tunnel will not support the traffic to the new site.]
10
3. IP Security (IPsec)
  • IPsec/GRE
  • GRE defines a tunnel interface
  • IPsec transport mode provides the security

Routing table:
  10.1.0.0/16   inside
  30.0.0.0/8    outside
  10.2.0.0/16   tunnel0
  10.3.0.0/16   tunnel0

[Figure: IPsec/GRE at the gateway, steps (1)-(6): packets 10.1.1.1/10.2.1.1 and 10.1.1.1/10.3.1.1 arrive on inside, are routed to Tunnel0 and GRE-encapsulated with the delivery header 20.1.1.1/30.1.1.1, then IPsec-protected in transport mode and sent on outside.]
11
3. IP Security (IPsec)
  • Virtual Tunnel Interface
  • Provides a secure tunnel by associating the virtual
    interface with IPsec

Routing table:
  10.1.0.0/16   inside
  30.0.0.0/8    outside
  10.2.0.0/16   tunnel0
  10.3.0.0/16   tunnel0

[Figure: Virtual Tunnel Interface, steps (1)-(6): packets 10.1.1.1/10.2.1.1 and 10.1.1.1/10.3.1.1 arrive on inside and are routed to Tunnel0, which is bound to IPsec; the protected packet 20.1.1.1/30.1.1.1 leaves on outside.]
12
2. Transport-Layer Security (TLS)
  • TLS architecture
  • Provides a secure connection between two
    application entities

[Figure: TLS components. Handshake protocol: authentication, cipher suite negotiation, key generation. Alert protocol: error and alert reporting. Record protocol: encryption, MIC, compression.]
13
2. Transport-Layer Security
  • TLS Record protocol
  • Four connection states: the current read and write
    states, and the pending read and write states
  • Security parameters
    • Connection end (client/server)
    • Bulk encryption algorithm: type, key_size
    • MAC algorithm: hash_size
    • Compression algorithm
    • Master secret
    • Client random, Nc
    • Server random, Ns
  • Keys
    • Client_MAC_Write, Server_MAC_Write,
      Client_Write_Key, Server_Write_Key, IVs

14
2. Transport-Layer Security
  • Messages are processed using the current read or
    write states

[Figure: TLS record layout: Type | Version | Length | Fragment (compressed) | ICV | Padding (for CBC block cipher) | Pad length. The ICV is computed with the write/read MAC secret; the fragment, ICV and padding are encrypted with the write/read key.]
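As an added example (not from the slides), this Python shows the record-layer construction for a CBC block-cipher suite as in TLS 1.2 (RFC 5246 6.2.3.2): the ICV is an HMAC over the sequence number, the record header fields and the fragment, then padding and the pad-length byte bring the body to a whole number of blocks. The encryption step with the write key is omitted; HMAC-SHA-256 and a 16-byte block are assumed, and the receive side checks padding and ICV together so that both failures take the same path.

```python
import hashlib
import hmac
import struct

BLOCK = 16    # AES block size
MAC_LEN = 32  # HMAC-SHA-256 output


def record_mac(mac_key: bytes, seq_num: int, ctype: int, version: int, fragment: bytes) -> bytes:
    """ICV = HMAC(MAC_write_secret, seq_num || type || version || length || fragment)."""
    hdr = struct.pack("!QBHH", seq_num, ctype, version, len(fragment))
    return hmac.new(mac_key, hdr + fragment, hashlib.sha256).digest()


def protect(mac_key: bytes, seq_num: int, ctype: int, version: int, fragment: bytes):
    """Return (record header, GenericBlockCipher plaintext): fragment || ICV ||
    padding || pad length, sized to a whole number of cipher blocks."""
    body = fragment + record_mac(mac_key, seq_num, ctype, version, fragment)
    pad_len = BLOCK - (len(body) + 1) % BLOCK
    body += bytes([pad_len]) * (pad_len + 1)  # every pad byte equals pad_len
    return struct.pack("!BHH", ctype, version, len(body)), body


def unprotect(mac_key: bytes, seq_num: int, header: bytes, body: bytes) -> bytes:
    """Check padding and ICV of a decrypted record body; return the fragment.
    Both checks are evaluated before raising, so a padding error and a MAC
    error are reported identically (RFC 5246 6.2.3.2 implementation note)."""
    ctype, version, length = struct.unpack("!BHH", header)
    if length != len(body) or len(body) % BLOCK or len(body) < MAC_LEN + 1:
        raise ValueError("bad record length")
    pad_len = body[-1]
    pad_ok = (pad_len + 1 + MAC_LEN <= len(body)
              and body[-(pad_len + 1):] == bytes([pad_len]) * (pad_len + 1))
    end = len(body) - (pad_len + 1) if pad_ok else len(body)
    fragment, icv = body[:end - MAC_LEN], body[end - MAC_LEN:end]
    mac_ok = hmac.compare_digest(icv, record_mac(mac_key, seq_num, ctype, version, fragment))
    if not (pad_ok and mac_ok):
        raise ValueError("bad_record_mac")
    return fragment
```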
15
2. Transport-Layer Security
  • Key Generation
  • Master_secret = PRF(g^(xy) mod N, "master secret",
    Nc || Ns)
  • x and y are the DH (Diffie-Hellman) parameters
  • Nc and Ns are the nonces generated by the client
    and the server, respectively
  • Master_secret is always 48 bytes
  • PRF(secret, label, seed) = P_hash(secret,
    label || seed)
  • P_hash(secret, seed) = HMAC(secret, A(1) || seed) ||
    HMAC(secret, A(2) || seed) || ... ||
    HMAC(secret, A(n) || seed)
  • A(0) = seed
  • A(i) = HMAC(secret, A(i-1))

16
2. Transport-Layer Security
  • By default, the hash used in HMAC is SHA-256
  • Two HMAC iterations are needed to generate the
    48-byte Master secret
  • Key generation
  • Key_block = PRF(Master_secret, "key expansion",
    Ns || Nc)

[Figure: the key block derived from the 48-byte master secret is partitioned into MAC client write (Kmc), MAC server write (Kms), client write key (Kwc), server write key (Kws) and the IVs (optional); the figure labels the key material "Truncated (16 bytes)".]

17
2. Transport-Layer Security
  • Handshake protocol
  • Client hello and server response phase

Client -> Server: Client Hello (session ID, Nc, cipher suite list, compression alg. list)
Server -> Client: Server Hello (Ns, cipher suite, compression alg.)
Server -> Client: Server Certificate (O)
Server -> Client: Key Exchange, Signature (O)
Server -> Client: Certificate request (O-)
Server -> Client: Server Hello Done
Legend: O = often, O- = less often
18
2. Transport-Layer Security
  • Client response and change-cipher-specification
    phase

Client -> Server: Client Certificate (O-)
Client -> Server: Key exchange
Client -> Server: Certificate verify (signature) (O-)
Client -> Server: Change cipher specification
Client -> Server: Finished (session authentication)
Server -> Client: Change cipher specification
Server -> Client: Finished (session authentication)
Client <-> Server: Application Data
19
2. Transport-Layer Security
  • The handshake protocol allows quick setup of a new
    TLS connection using the old session master
    secret
  • The master secret is allowed to be kept for 24
    hours

Client -> Server: Client Hello (session ID, Nc)
Server: generate keys
Server -> Client: Server Hello (Ns)
Client: generate keys
Server -> Client: Change cipher spec, Finished
Client -> Server: Change cipher spec, Finished
Client <-> Server: Data
20
2. Transport-Layer Security
  • Change Cipher Spec Protocol
  • Invokes the transition from the pending states to
    the current states

[Figure: client and server each hold pending states holding the new keys (Kmc, Kwc and Kms, Kws). The client sends ChangeCipherSpec (1), its pending states become current (2), and its Finished (3) is sent by the handshake protocol under the new states; the server then sends its ChangeCipherSpec (4), makes its pending states current (5), and sends Finished (6).]
21
2. Transport-Layer Security
  • Alert Protocol
  • Alert messages convey the severity of the message
    and a description of the alert
  • Alert levels: warning or fatal
  • Alert messages with a level of fatal result in
    the immediate termination of the connection
  • Alert types
    • Close notification
    • Error alerts

22
2. Transport-Layer Security
  • SSL (TLS) VPN
  • A tunnel interface is used to support the secure
    tunnel connection

[Figure: SSL-VPN web server and SSL-VPN client, steps (1)-(20). (1) Upload of the SSL-VPN client through the web browser; (2) TLS handshake protocol; application datagrams from the Inside enter the client's tun0, pass through the stack Appl. / TLS / TCP/UDP / IP, and cross the Outside as (13) TLS-protected datagrams to the server, which decapsulates them through its own stack and delivers them via tun0 and eth0.]