Title: A Quick Trip Through VPN
1 A Quick Trip Through VPN
- The purpose of this presentation is to define VPNs in general, to briefly describe some technologies used in VPNs, and to introduce major industry vendors together with the VPN solution of CISCO Systems.
2 CONTENT
- 1-a VPN Definitions
- 1-b VPN Segmented
- 1-c VPN Market
- 2-a Technology Overview
- 2-b Layer-2 Tunnels
- 2-c Layer-3 Tunnels
- 2-d Upper-Layer Systems
- 3-a CISCO Enterprise Solution
- 3-b VPN Future
- 3-c Resources
3 VPN DEFINITIONS
1-a
- VPNs combine two concepts:
  - virtual networks, in which geographically or topographically distributed users and computers interact and are managed as a single (flat) network
  - private networks, in which data is protected from eavesdropping and the identities of users and nodes on the network are trusted
- VPNs: an alternative to WAN infrastructure
  - deployed on a shared infrastructure, they employ the same security and management as applied in private networks
  - can utilize the most pervasive transport technologies of today (the public Internet, ISPs' IP backbones, service providers' ATM and Frame Relay networks)
  - cost effective, flexible (no need to pay for leased lines, extendable to everywhere)
4 VPN DEFINITIONS
1-a
- VPNs based on IP tunnels
  - Encapsulate a data packet within a normal IP packet for forwarding over an IP-based network. The encapsulated packet does not need to be IP, and could, in fact, be any protocol such as IPX, AppleTalk, SNA or DECnet.
  - The encapsulated packet does not need to be encrypted and authenticated; however, with most IP-based VPNs, especially those running over the public Internet, encryption is used to ensure privacy and authentication to ensure the integrity of data.
  - Mainly self-deployed: users buy connections from an ISP and install VPN equipment which they configure and manage themselves, relying on the ISP only for the physical connections.
5 VPN DEFINITIONS
1-a
- VPNs based on ISDN, Frame Relay or ATM
  - Very different from VPNs based on IP tunnels.
  - Use public switched data network services and use ISDN B channels, PVCs, or SVCs to separate traffic from other users. Single or multiple B channels, PVCs, or SVCs may be used between sites, with additional features such as backup and bandwidth on demand.
  - Data packets do not need to be IP, nor do they need to be encrypted. Due to more widespread awareness of security issues, many users now choose to encrypt their data.
6 VPN SEGMENTED
1-b
- VPNs ARE SEGMENTED INTO THREE CATEGORIES
  - Remote access
  - Intranets
  - Extranets
7 VPN SEGMENTED
1-b
- Remote access
  - Connects telecommuters, mobile users and smaller remote offices to the enterprise LAN, with minimal traffic to the corporate computing resources.
8 VPN SEGMENTED
1-b
- Site-to-Site services (Intranets)
  - Connect fixed locations, branch offices, and home offices within an enterprise WAN.
  - VPN services offered to the entire LAN/WAN or just to a selected set of authorized hosts.
9 VPN SEGMENTED
1-b
- Business-to-Business services (Extranets)
  - Extend limited access to enterprise computing resources to business partners, such as suppliers or customers, enabling access to shared information.
  - Use both topologies, Site-to-Site and Remote Access.
  - According to research and consulting companies and to real-time observations, 100 percent of enterprises are expected to supplement their WAN infrastructures with VPNs in a relatively short time.
10 VPN MARKET
1-c
- The tech market is bursting at the seams with HW-based VPNs, and vendors are filling out product lines to target the smallest of SOHOs all the way to the world's largest companies. The result is a dizzying number of choices from a dizzying number of competitors.
- The VPN market hit approximately 1.4 billion in 2001.
- Currently, four vendors are carving the lion's share of the market:
  - Check Point (www.checkpoint.com)
  - Nortel Networks (www.nortelnetworks.com)
  - NetScreen Technologies (www.netscreen.com)
  - Cisco Systems (www.cisco.com)
11 VPN MARKET
1-c
- WHY CISCO VPNs?
  - One-stop shop for problem solutions encompassing all segments of the networking infrastructure: platforms, security, network services and appliances, and management.
  - Relatively easy upgrade of the existing CISCO infrastructure: a smooth migration path to a VPN environment by installing VPN modules.
  - Low-cost options offered by expanding the product line of PIX firewall / VPN appliances to target small enterprises and remote offices.
  - Acceptance and development of IPSec, the next-generation network layer crypto platform for Cisco's security platforms.
12 TECHNOLOGY OVERVIEW
2-a
- THE MOST COMMON VPN TECHNOLOGIES
  - Layer-2 tunnels carry point-to-point data link (PPP) connections between tunnel endpoints in remote access VPNs.
    - Compulsory mode
    - Voluntary mode
  - Layer-3 tunnels provide IP-based virtual connections. Packets routed between tunnel endpoints are wrapped by IETF-defined headers that provide message integrity and confidentiality.
  - Secure Shell to forward any application protocol over an authenticated and encrypted client-server connection
  - Secure Sockets Layer to secure application protocol transactions over the network
13 LAYER-2 TUNNELS
2-b
- LAYER-2: THE MOST COMMONLY USED TUNNELING PROTOCOLS
  - PPTP, one of the first protocols, designed by Microsoft
    - widely deployed since it is included with NT, 95, 98
    - builds on the functionality of PPP, encapsulates PPP by using the GRE (generic routing encapsulation) protocol, and, as a layer-2 protocol, handles traffic other than IP (IPX, NetBEUI)
    - supports authentication for dial-in users (PAP or CHAP)
  - L2F, developed in the early stages of VPN by CISCO Systems
    - can use other media (ATM, frame relay) and its tunnels can support more than one connection
    - support for more authentication systems (RADIUS, TACACS)
  - L2TP, being designed by IETF as the heir apparent to PPTP and L2F, with support for various authentication systems and transport media
14 LAYER-3 TUNNELS
2-c
- All of the layer-2 systems provide some level of encryption of the encapsulated data. To achieve total protection, they call for Layer-3 protocols to strengthen the encryption, confidentiality and message integrity.
- IPsec: THE BEST VPN SOLUTION FOR IP ENVIRONMENTS
  - Multivendor and supported by all major OSs
  - Scalable (designed with large enterprises in mind)
  - General solution: protects any protocol running above IP and any medium running below
  - Designed to secure IP links between machines; cannot provide the same end-to-end (user-to-user) security as systems working at the upper levels (e.g. PGP)
  - IPsec gateways can be installed wherever they are required: on firewalls, routers or servers
15 LAYER-3 TUNNELS
2-c
- A list of ICSA Labs certified IPsec products: www.icsalabs.com
- THE CORE PROTOCOLS OF IPsec
  - ESP (Encapsulating Security Payload) encrypts and/or authenticates data
  - AH (Authentication Header) provides a packet authentication service
  - IKE (Internet Key Exchange) negotiates connection parameters, including keys
- IPsec vs. NAT: an interesting complication
  - Any attempt to perform NAT operations on IPsec packets between the IPsec gateways creates a basic conflict. In the following scenario, a guest's VPN client will try to access its VPN server.
16
2-c
- IPsec wants to authenticate packets and ensure they are unaltered on a gateway-to-gateway basis
- NAT rewrites packet headers as they go by
- IPsec authentication fails if packets are rewritten anywhere between the gateways
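The conflict described on this slide, as an added example that is not from the presentation or from any Cisco product: a simplified model of the AH integrity check (an HMAC over the header fields AH treats as immutable plus the payload; the AH header itself and the SA lookup are omitted), using a constructed key and documentation-range addresses. A plain router's TTL decrement leaves the check intact, while a NAT's source-address rewrite breaks it.

```python
import hmac
import hashlib
import struct
import socket

# Constructed demo key shared by the two IPsec gateways (not a real key).
KEY = b"demo-shared-ipsec-key"

def ipv4_header(src, dst, ttl=64, proto=51, total_len=60):
    """Minimal 20-byte IPv4 header with no options; checksum left 0 (constructed)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                       ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def ah_immutable_view(header):
    """Zero the fields AH treats as mutable in transit (TOS, flags/fragment offset, TTL, checksum)."""
    h = bytearray(header)
    h[1] = 0                 # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)

def ah_icv(header, payload):
    """Integrity check value: HMAC over the predictable header bytes plus the payload."""
    return hmac.new(KEY, ah_immutable_view(header) + payload, hashlib.sha256).digest()

def ah_verify(header, payload, icv):
    """The receiving gateway recomputes the ICV and compares in constant time."""
    return hmac.compare_digest(ah_icv(header, payload), icv)

def forward_through_router(header):
    """A plain router only decrements TTL (a mutable field), so AH still verifies."""
    h = bytearray(header)
    h[8] -= 1
    return bytes(h)

def forward_through_nat(header, new_src):
    """A NAT device rewrites the source address, which AH covers as immutable."""
    h = bytearray(header)
    h[12:16] = socket.inet_aton(new_src)
    return bytes(h)

def demo():
    payload = b"constructed VPN client data"
    hdr = ipv4_header("10.0.0.5", "203.0.113.1")   # guest's client -> VPN server (constructed)
    icv = ah_icv(hdr, payload)                      # computed by the sending gateway
    return {
        "untouched": ah_verify(hdr, payload, icv),
        "after_router": ah_verify(forward_through_router(hdr), payload, icv),
        "after_nat": ah_verify(forward_through_nat(hdr, "198.51.100.7"), payload, icv),
    }

if __name__ == "__main__":
    print(demo())
```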
17 LAYER-3 TUNNELS
2-c
An example of GUI router configuration of IPsec
18
2-c
Configure IKE
Advanced IKE
19 LAYER-3 TUNNELS
2-c
To protect the contents of an IP datagram, the data is transformed using cryptography. Two main transformation types form the building blocks of IPSec: the AH transformation and the ESP transformation. AH and ESP can be used in two modes, transport and tunnel. AH and ESP can also be combined. The transformations are configured in a data structure called a security association (SA).
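The two modes described above, as an added example that is not part of the slides or of any vendor product: a byte-level model of where the AH transformation sits in transport mode versus tunnel mode, built from a constructed packet, a placeholder ICV, and a fixed SPI standing in for the SA lookup. The parser shows what an observer on the wire sees in each mode: transport mode exposes the real endpoint addresses, tunnel mode exposes only the gateways.

```python
import struct
import socket

AH_PROTO = 51     # IP protocol number for the Authentication Header
ICV = bytes(12)   # placeholder 96-bit ICV; a real SA would compute it with its HMAC key

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header, no options, checksum left 0 (constructed)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_header(next_header, spi, seq, icv=ICV):
    """AH layout: next header, length in 32-bit words minus 2, reserved, SPI, sequence, ICV."""
    return struct.pack("!BBHII", next_header, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv

def transport_mode(ip_pkt, spi, seq):
    """Transport mode keeps the original IP header and slips AH in front of the transport payload."""
    hdr, payload = bytearray(ip_pkt[:20]), ip_pkt[20:]
    ah = ah_header(hdr[9], spi, seq)       # AH's next header = original protocol (e.g. 6 = TCP)
    hdr[9] = AH_PROTO
    struct.pack_into("!H", hdr, 2, 20 + len(ah) + len(payload))
    return bytes(hdr) + ah + payload

def tunnel_mode(ip_pkt, gw_src, gw_dst, spi, seq):
    """Tunnel mode wraps the whole original packet in a new gateway-to-gateway IP packet."""
    ah = ah_header(4, spi, seq)            # next header 4 = IP-in-IP
    return ipv4_header(gw_src, gw_dst, AH_PROTO, len(ah) + len(ip_pkt)) + ah + ip_pkt

def describe(pkt):
    """Walk the header chain as an observer on the wire would and report what is visible."""
    info = {"outer_src": socket.inet_ntoa(pkt[12:16]),
            "outer_dst": socket.inet_ntoa(pkt[16:20]), "proto": pkt[9]}
    if pkt[9] == AH_PROTO:
        ah_len = (pkt[21] + 2) * 4
        info["spi"] = struct.unpack("!I", pkt[24:28])[0]
        info["inner_proto"] = pkt[20]
        if pkt[20] == 4:                   # tunnel mode: an inner IP header follows the AH
            inner = pkt[20 + ah_len:]
            info["inner_src"] = socket.inet_ntoa(inner[12:16])
            info["inner_dst"] = socket.inet_ntoa(inner[16:20])
    return info

def demo():
    # Constructed host-to-host packet: 10.0.0.5 -> 10.1.0.9, protocol 6 (TCP), dummy payload.
    original = ipv4_header("10.0.0.5", "10.1.0.9", 6, 8) + b"TCPDATA!"
    spi, seq = 0x1000, 1                   # SA identifier and anti-replay counter (constructed)
    return {"transport": describe(transport_mode(original, spi, seq)),
            "tunnel": describe(tunnel_mode(original, "203.0.113.1", "198.51.100.2", spi, seq))}

if __name__ == "__main__":
    print(demo())
```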
20 UPPER-LAYER SYSTEMS
2-d
- Secure Sockets Layer (SSL)
  - developed by Netscape and RSA (public-private key encryption) to transmit private documents via the Internet
  - uses a program layer located between the HTTP and TCP layers to secure transmission
  - handles the encryption part of a secure HTTP transaction; a Digital Certificate is necessary to provide server authentication
  - Whereas SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely, S-HTTP was designed to transmit individual messages securely.
  - SSL evolved into TLS (Transport Layer Security), an IETF standard
  - SSL and TLS clients are an integral part of several Web browsers
    - TLS Record Protocol provides an encrypted connection
    - TLS Handshake Protocol allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before data is exchanged.
21 UPPER-LAYER SYSTEMS
2-d
An example of authentication via self-issued Digital Certificate
22 UPPER-LAYER SYSTEMS
2-d
After authentication and login, I can control my firewall logs from anywhere
23 UPPER-LAYER SYSTEMS
2-d
and finally, perhaps to run a few useful commands thanks to SSH
24 UPPER-LAYER SYSTEMS
2-d
- Secure Shell (SSH)
  - developed by SSH Communications Security Ltd. to log into another computer over a network, to execute commands on a remote machine, and to move files from one machine to another; provides strong authentication and encryption over insecure channels
  - an inexpensive method of providing trusted users with secure remote access to a single application, but requires installing SSH client software
  - SSH2, a powerful protocol suite developed by IETF
    - SSHD2 (Secure Shell Daemon): server for SSH2
    - SCP2 (Secure Copy): to copy files over the network securely
    - SFTP2: ftp-like client used for secure file transfer
- APPLICATION LAYER SECURITY TECHNIQUES (e.g. TLS, SSH) THAT DO NOT MAKE USE OF OR DEPEND ON IP ADDRESSES WILL WORK CORRECTLY IN THE PRESENCE OF NAT
25 UPPER-LAYER SYSTEMS
2-d
E-mail-protection systems: S/MIME and OpenPGP
26 CISCO ENTERPRISE SOLUTION
3-a
http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm
27 VPN FUTURE
3-b
- integration of multimedia and VoIP: the focus falling on delivery of quality of service (QoS) and class of service (CoS) over IP networks as part of a VPN
  - voice and data services merging into one (voice over IP, IP fax), and new network services being developed to offer the QoS/CoS required for data, telephony and fax
  - all communication devices becoming IP addressable, providing voice, fax, video and data to the desktop using VPN security protocols
- name servers becoming very useful for configuring and reconfiguring VPNs: work in progress to extend the use of DNS servers to provide a secure (IP Security-based) mechanism for routers to find peer routers and for clients to find servers
28 RESOURCES
3-c
- www.networkmagazine.com
- www.cisco.com
- www.sans.org
- www.freeswan.org
- www.iec.org
Petr Sklenar, sklenarp_at_hotmail.com