A Quick Trip Through VPN - PowerPoint PPT Presentation

1
A Quick Trip Through VPN
  • The purpose of this presentation is to
    define VPNs in general, to briefly describe some
    technologies used in VPNs, and to introduce major
    industry vendors together with the VPN solution
    of CISCO Systems
  • Sklenar Petr, 2-20-2003

2
CONTENT
  • 1-a VPN Definitions
  • 1-b VPN Segmented
  • 1-c VPN Market
  • 2-a Technology Overview
  • 2-b Layer-2 Tunnels
  • 2-c Layer-3 Tunnels
  • 2-d Upper-Layer Systems
  • 3-a CISCO Enterprise Solution
  • 3-b VPN Future
  • 3-c Resources

3
VPN DEFINITIONS
1-a
  • VPNs combine two concepts:
    - virtual networks, in which geographically or
      topologically distributed users and computers
      interact and are managed as a single (flat)
      network
    - private networks, in which data is protected
      from eavesdropping and the identities of users
      and nodes on the network are trusted
  • VPNs are an alternative to WAN infrastructure:
    - deployed on a shared infrastructure, they employ
      the same security and management as applied in
      private networks
    - they can utilize the most pervasive transport
      technologies of today (the public Internet, ISPs'
      IP backbones, service providers' ATM and Frame
      Relay networks)
    - cost effective and flexible (no need to pay for
      leased lines; extendable to everywhere)

4
VPN DEFINITIONS
1-a
  • VPNs based on IP tunnels
    - Encapsulate a data packet within a normal IP
      packet for forwarding over an IP-based network.
      The encapsulated packet does not need to be IP
      and could, in fact, be any protocol such as IPX,
      AppleTalk, SNA or DECnet.
    - The encapsulated packet does not need to be
      encrypted and authenticated; however, with most
      IP-based VPNs, especially those running over the
      public Internet, encryption is used to ensure
      privacy and authentication to ensure the integrity
      of the data.
    - Mainly self-deployed: users buy connections from
      an ISP and install VPN equipment which they
      configure and manage themselves, relying on the
      ISP only for the physical connections.

5
VPN DEFINITIONS
1-a
  • VPNs based on ISDN, Frame Relay or ATM
    - Very different from VPNs based on IP tunnels.
    - Use public switched data network services and
      use ISDN B channels, PVCs, or SVCs to separate
      traffic from other users. Single or multiple B
      channels, PVCs, or SVCs may be used between sites,
      with additional features such as backup and
      bandwidth on demand.
    - Data packets do not need to be IP, nor do they
      need to be encrypted: circuit separation isolates
      the traffic from other customers, but not from the
      carrier or anyone with access to its switches. Due
      to more widespread awareness of security issues,
      many users now choose to encrypt their data.

6
VPN SEGMENTED
1-b
  • VPNs ARE SEGMENTED INTO THREE CATEGORIES:
    - Remote access
    - Intranets
    - Extranets

7
VPN SEGMENTED
1-b
  • Remote access
  • Connects telecommuters, mobile users, smaller
    remote offices to the enterprise LAN with minimal
    traffic to the corporate computing resources.

8
VPN SEGMENTED
1-b
  • Site-to-Site services (Intranets)
  • Connect fixed locations, branch offices, and home
    offices, within an enterprise WAN.
  • VPN services offered to entire LAN / WAN or just
    to selected set of authorized hosts.

9
VPN SEGMENTED
1-b
  • Business-to-Business services (Extranets)
  • Extend limited access of enterprise computing
    resources to business partners, such as suppliers
    or customers, enabling access to shared
    information.
  • Use both topologies Site-to-Site and Remote
    Access.
  • According to research and consulting companies
    and to real-world observations, 100 percent of
    enterprises are expected to supplement their WAN
    infrastructures with VPNs in a relatively short
    time.

10
VPN MARKET
1-c
  • The tech market is bursting at the seams with
    HW-based VPNs, and vendors are filling out product
    lines to target everything from the smallest SOHO
    to the world's largest companies. The result is a
    dizzying number of choices from a dizzying number
    of competitors.
  • The VPN market hit approximately $1.4 billion in
    2001.
  • Currently, four vendors are carving out the lion's
    share of the market:
    - Check Point (www.checkpoint.com)
    - Nortel Networks (www.nortelnetworks.com)
    - NetScreen Technologies (www.netscreen.com)
    - Cisco Systems (www.cisco.com)

11
VPN MARKET
1-c
  • WHY CISCO VPNs?
  • One-stop shop: problem solutions encompass all
    segments of the networking infrastructure
    (platforms, security, network services and
    appliances, and management).
  • A relatively easy upgrade of the existing CISCO
    infrastructure: a smooth migration path to a VPN
    environment by installing VPN modules.
  • Low-cost options offered by expanding the product
    line of PIX firewall / VPN appliances to target
    small enterprises and remote offices.
  • Acceptance and development of IPsec, the
    next-generation network-layer crypto platform for
    Cisco's security platforms.

12
TECHNOLOGY OVERVIEW
2-a
  • THE MOST COMMON VPN TECHNOLOGIES
  • Layer-2 tunnels carry point-to-point data link
    (PPP) connections between tunnel endpoints in
    remote access VPNs.
    - Compulsory mode: the tunnel is set up by the
      access server (ISP/NAS) on the user's behalf,
      transparently to the client, so the link from the
      client to the access server is outside the
      tunnel's protection
    - Voluntary mode: the tunnel is set up by the
      client itself, which therefore needs tunnel
      software but gets protection all the way from the
      end system
  • Layer-3 tunnels provide IP-based virtual
    connections. Packets routed between tunnel
    endpoints are wrapped in IETF-defined headers
    (IPsec) that provide message integrity and
    confidentiality.
  • Secure Shell forwards any application protocol
    over an authenticated and encrypted client-server
    connection.
  • Secure Sockets Layer secures application-protocol
    transactions over the network.

13
LAYER-2 TUNNELS
2-b
  • LAYER-2: THE MOST COMMONLY USED TUNNELING
    PROTOCOLS
  • PPTP: one of the first protocols, designed by
    Microsoft
    - widely deployed since it was included with NT,
      95 and 98
    - builds on the functionality of PPP, encapsulates
      PPP frames in GRE (Generic Routing Encapsulation)
      and, as a layer-2 protocol, carries traffic other
      than IP (IPX, NetBEUI)
    - supports authentication of the dial-in user (PAP
      or CHAP); PAP sends the password in the clear, and
      the MS-CHAP variants that PPTP deployments rely on
      (with MPPE keyed from the password) are known to
      be weak, so PPTP should not be trusted for
      confidentiality today
  • L2F: developed in the early stages of VPN by
    CISCO Systems
    - can use other media (ATM, Frame Relay) and its
      tunnels can carry more than one connection
    - supports more authentication systems (RADIUS,
      TACACS)
  • L2TP: standardized by the IETF (RFC 2661) as the
    heir apparent to PPTP and L2F, with support for
    various authentication systems and transport media
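As an added illustration of the PPTP encapsulation described above (this code is not from the presentation or from any vendor), the following Python builds and parses the RFC 2637 "enhanced GRE" header that PPTP uses to carry PPP frames, and shows two things the slide only states: the payload can be a non-IP protocol such as IPX, and nothing in the encapsulation itself is authenticated. The packet contents, call ID and sequence numbers are constructed for the example; the flag bit positions and protocol numbers are the real ones.

```python
import struct

# PPTP's data channel is IP protocol 47 (GRE) carrying PPP frames, RFC 2637 "enhanced GRE".
GRE_PROTO_PPP = 0x880B
FLAG_K, FLAG_S, FLAG_A, VERSION_1 = 0x2000, 0x1000, 0x0080, 0x0001
# PPP protocol numbers seen inside the tunnel (IANA PPP numbers; 0x00FD = MPPE compressed)
PPP_PROTOCOLS = {0x0021: "IPv4", 0x002B: "IPX", 0x00FD: "compressed/MPPE"}


def build_pptp_gre(call_id, seq, ppp_protocol, ppp_payload, ack=None):
    """Encapsulate one PPP frame the way a PPTP peer does. PPTP omits the PPP
    address/control bytes, so the frame is just the 2-byte protocol plus data."""
    ppp_frame = struct.pack("!H", ppp_protocol) + ppp_payload
    flags = FLAG_K | FLAG_S | VERSION_1  # key (call ID) and sequence are always present
    if ack is not None:
        flags |= FLAG_A
    header = struct.pack("!HHHHI", flags, GRE_PROTO_PPP, len(ppp_frame), call_id, seq)
    if ack is not None:
        header += struct.pack("!I", ack)
    return header + ppp_frame


def _u32(packet, offset):
    if len(packet) < offset + 4:
        raise ValueError("truncated GRE header")
    return struct.unpack("!I", packet[offset:offset + 4])[0]


def parse_pptp_gre(packet):
    """Decode an enhanced-GRE packet, rejecting malformed input with ValueError.
    Note what is *not* here: no key, no MAC. Every field is trusted as received."""
    if len(packet) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", packet[:8])
    if (flags & 0x0007) != VERSION_1 or proto != GRE_PROTO_PPP:
        raise ValueError("not PPTP enhanced GRE")
    offset, seq, ack = 8, None, None
    if flags & FLAG_S:
        seq, offset = _u32(packet, offset), offset + 4
    if flags & FLAG_A:
        ack, offset = _u32(packet, offset), offset + 4
    payload = packet[offset:]
    if len(payload) != payload_len or len(payload) < 2:
        raise ValueError("payload length mismatch")  # length field must match the wire
    ppp_protocol = struct.unpack("!H", payload[:2])[0]
    return {
        "call_id": call_id, "seq": seq, "ack": ack,
        "ppp_protocol": PPP_PROTOCOLS.get(ppp_protocol, hex(ppp_protocol)),
        "data": payload[2:],
    }


def tamper_goes_undetected(packet):
    """Flip the last payload byte in transit: the receiver parses it without complaint,
    because GRE/PPTP carries no integrity check (MPPE encrypts but does not authenticate)."""
    tampered = packet[:-1] + bytes([packet[-1] ^ 0xFF])
    return parse_pptp_gre(tampered)["data"] != parse_pptp_gre(packet)["data"]


if __name__ == "__main__":
    # Constructed sample: call 7, carrying an IPX frame, acknowledging peer sequence 41.
    pkt = build_pptp_gre(call_id=7, seq=42, ppp_protocol=0x002B,
                         ppp_payload=b"constructed IPX data", ack=41)
    print(pkt.hex())
    print(parse_pptp_gre(pkt))
    print("tamper undetected:", tamper_goes_undetected(pkt))
```

The length check matters in a real receiver: the GRE payload-length field is attacker-controlled, and a parser that trusts it over the actual wire length is the classic way to read past a buffer. The tamper check is the security point of the layer: a PPTP tunnel without PPP-level encryption lets anyone on the path rewrite what the far end receives, and even with MPPE nothing is authenticated.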

14
LAYER-3 TUNNELS
2-c
  • The layer-2 tunnels above provide weak or no
    encryption of the encapsulated data (PPTP relies on
    MPPE; L2F and L2TP have none of their own). For real
    confidentiality and message integrity they call for
    a layer-3 protocol underneath, typically IPsec
    (L2TP over IPsec).
  • IPsec: THE BEST VPN SOLUTION FOR IP ENVIRONMENTS
  • Multivendor and supported by all major OSs
  • Scalable (designed with large enterprises in
    mind)
  • General solution: protects any protocol running
    above IP and any medium running below
  • Designed to secure IP links between machines, it
    cannot provide the same end-to-end (user-to-user)
    security as systems working at the upper layers
    (e.g. PGP)
  • IPsec gateways can be installed wherever they are
    required: on firewalls, routers or servers

15
LAYER-3 TUNNELS
2-c
  • A list of ICSA Labs certified IPsec products:
    www.icsalabs.com
  • THE CORE PROTOCOLS OF IPsec
  • ESP (Encapsulating Security Payload): encrypts
    and/or authenticates data
  • AH (Authentication Header): provides a packet
    authentication service (integrity and origin
    authentication, no confidentiality)
  • IKE (Internet Key Exchange): negotiates connection
    parameters, including keys
  • IPsec vs. NAT: an interesting complication
  • Any attempt to perform NAT operations on IPsec
    packets between the IPsec gateways creates a
    basic conflict. In the following scenario, a
    guest's VPN client behind a NAT tries to reach its
    VPN server.

16
2-c
  • IPsec wants to authenticate packets and ensure
    they are unaltered on a gateway-to-gateway basis
  • NAT rewrites packet headers as they go by
  • IPsec authentication fails if packets are
    rewritten anywhere between the gateways. AH always
    breaks, because its integrity check covers the
    source and destination addresses. ESP in tunnel
    mode does not cover the outer header, but a NAT
    still cannot track ESP flows (no ports), and in
    transport mode a rewritten address invalidates the
    inner TCP/UDP checksum. The practical fix is NAT
    Traversal (NAT-T, RFC 3947/3948): ESP carried inside
    UDP port 4500, negotiated by IKE when a NAT is
    detected on the path.
17
LAYER-3 TUNNELS
2-c

[Screenshot: an example of GUI router configuration of IPsec]
18
2-c

[Screenshots: the "Configure IKE" and "Advanced IKE" dialogs of the router GUI]
19
LAYER-3 TUNNELS
2-c
To protect the contents of an IP datagram, the
data is transformed using cryptography. Two main
transformation types form the building blocks
of IPSec, the AH transformation, and the ESP
transformation. AH and ESP can be used in two
modes, transport and tunnel. AH and ESP can also
be combined. The transformations are configured
in a data structure called a security
association (SA).
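As an added example, not from the presentation or any IPsec implementation, the Python below models the AH and ESP transformations just described and walks the NAT scenario from slides 15 and 16: one packet from a client behind a NAT to its VPN peer. The integrity key, addresses, SPI and payload are constructed for the example (the key stands in for what IKE would negotiate), the IP header checksum is left at zero, and ESP encryption is omitted so that the integrity coverage is what you see; which header fields AH treats as mutable follows RFC 4302.

```python
import hashlib
import hmac
import ipaddress
import struct

# Assumption: a constructed pre-shared integrity key standing in for what IKE negotiates.
INTEGRITY_KEY = b"constructed-demo-integrity-key"
ICV_LEN = 16  # truncated HMAC-SHA256, in the style of AUTH_HMAC_SHA2_256_128


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; the checksum is left at 0 in this toy model."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def decrement_ttl(hdr):
    """What every router on the path does; TTL is a mutable field AH must ignore."""
    return hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:]


def nat_rewrite_src(hdr, new_src):
    """What a NAT does on the way out: rewrite the source address."""
    return hdr[:12] + ipaddress.IPv4Address(new_src).packed + hdr[16:]


def _icv(data):
    return hmac.new(INTEGRITY_KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(hdr, payload):
    """AH (RFC 4302): the ICV covers the IP header with its mutable fields zeroed
    (TOS, flags/fragment offset, TTL, checksum) plus the payload. The addresses are
    immutable, so any NAT between the peers invalidates the ICV."""
    immutable = bytearray(hdr)
    immutable[1] = 0                 # TOS / DSCP+ECN
    immutable[6:8] = b"\x00\x00"     # flags + fragment offset
    immutable[8] = 0                 # TTL
    immutable[10:12] = b"\x00\x00"   # header checksum
    return _icv(bytes(immutable) + payload)


def ah_verify(hdr, payload, icv):
    return hmac.compare_digest(ah_protect(hdr, payload), icv)


def esp_tunnel_protect(inner_packet, spi, seq):
    """ESP tunnel mode (RFC 4303): the whole inner IP packet is the payload and the
    ICV covers SPI + sequence number + payload, never the outer header the gateway
    adds afterwards. Encryption is omitted here so the structure stays visible."""
    body = struct.pack("!II", spi, seq) + inner_packet
    return body + _icv(body)


def esp_verify(esp_payload):
    body, icv = esp_payload[:-ICV_LEN], esp_payload[-ICV_LEN:]
    return hmac.compare_digest(_icv(body), icv)


def run_nat_scenario():
    """One packet from a host behind a NAT (10.0.0.5) to its VPN peer (192.0.2.10)."""
    payload = b"constructed application data"
    hdr = ipv4_header("10.0.0.5", "192.0.2.10", proto=6, payload_len=len(payload))

    # AH transport mode: survives routers (TTL is mutable) but not a NAT (address is not).
    icv = ah_protect(hdr, payload)
    results = {
        "ah_after_router": ah_verify(decrement_ttl(hdr), payload, icv),
        "ah_after_nat": ah_verify(nat_rewrite_src(hdr, "203.0.113.7"), payload, icv),
    }

    # ESP tunnel mode: the NAT only touches the outer header, which the ICV never covered.
    esp = esp_tunnel_protect(hdr + payload, spi=0x1000, seq=1)
    outer = ipv4_header("10.0.0.5", "192.0.2.10", proto=50, payload_len=len(esp))
    outer = nat_rewrite_src(outer, "203.0.113.7")
    results["outer_src_after_nat"] = str(ipaddress.IPv4Address(outer[12:16]))
    results["esp_tunnel_after_nat"] = esp_verify(esp)

    # ESP still detects changes to what it does cover: flip a byte of the inner header.
    tampered = esp[:8] + bytes([esp[8] ^ 0xFF]) + esp[9:]
    results["esp_tampered"] = esp_verify(tampered)
    return results


if __name__ == "__main__":
    for name, value in run_nat_scenario().items():
        print(f"{name}: {value}")
```

Running it shows the asymmetry the slides describe: the AH check passes after a router decrements the TTL and fails after the NAT rewrites the source, while the ESP tunnel-mode check survives the NAT because the rewritten outer header was never part of the SA's integrity coverage, yet still catches any change to the inner packet. What the model leaves out is why NAT-T was still needed for ESP in practice: a NAT has no port numbers in protocol 50 to track a flow by, which is exactly what wrapping ESP in UDP 4500 gives it.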

20
UPPER-LAYER SYSTEMS
2-d
  • Secure Sockets Layer (SSL)
    - developed by Netscape, using RSA public-key
      cryptography, to transmit private documents via
      the Internet
    - uses a program layer located between the HTTP and
      TCP layers to secure the transmission
    - handles the encryption part of a secure HTTP
      transaction; a Digital Certificate is necessary to
      provide server authentication
  • Whereas SSL creates a secure connection between a
    client and a server, over which any amount of
    data can be sent securely, S-HTTP was designed to
    transmit individual messages securely.
  • SSL evolved into TLS (Transport Layer Security),
    the IETF standard (RFC 2246)
  • SSL and TLS clients are an integral part of several
    Web browsers
    - the TLS Record Protocol provides the encrypted
      connection
    - the TLS Handshake Protocol allows the server and
      client to authenticate each other and to
      negotiate an encryption algorithm and
      cryptographic keys before data is exchanged

21
UPPER-LAYER SYSTEMS
2-d
[Screenshot: an example of authentication via a self-issued Digital Certificate]

A self-issued certificate only authenticates the server if the client has explicitly installed or pinned that certificate beforehand; otherwise the browser's warning dialog is the only thing standing between the user and an impostor presenting a different self-signed certificate.

22
UPPER-LAYER SYSTEMS
2-d
[Screenshot: after authentication and login, I can control my firewall logs from anywhere]

23
UPPER-LAYER SYSTEMS
2-d

[Screenshot: and finally, perhaps, running a few useful commands thanks to SSH]
24
UPPER-LAYER SYSTEMS
2-d
  • Secure Shell (SSH)
    - developed by SSH Communications Security Ltd. to
      log into another computer over a network, to
      execute commands on a remote machine, and to move
      files from one machine to another; provides
      strong authentication and encryption over
      insecure channels
    - an inexpensive method of providing trusted users
      with secure remote access to a single
      application, but requires installing SSH client
      software
    - the server's identity rests on its host key:
      verify the fingerprint out of band on the first
      connection, because an unknown key accepted
      blindly is exactly what a man-in-the-middle
      presents
  • SSH2: the protocol suite being standardized by
    the IETF (secsh working group)
  • SSHD2 (Secure Shell Daemon): server for SSH2
  • SCP2 (Secure Copy): copies files over the network
    securely
  • SFTP2: ftp-like client used for secure file
    transfer
  • APPLICATION-LAYER SECURITY TECHNIQUES (e.g. TLS,
    SSH) THAT DO NOT MAKE USE OF OR DEPEND ON IP
    ADDRESSES WILL WORK CORRECTLY IN THE PRESENCE OF
    NAT

25
UPPER-LAYER SYSTEMS
2-d
E-mail-protection systems S/MIME and OpenPGP

26
CISCO ENTERPRISE SOLUTION
3-a

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm
27
VPN FUTURE
3-b
  • Integration of multimedia and VoIP: the focus is
    falling on delivery of quality of service (QoS)
    and class of service (CoS) over IP networks as
    part of a VPN.
  • Voice and data services are merging into one
    (voice over IP, IP fax), and new network services
    are being developed to offer the QoS/CoS required
    for data, telephony and fax; all communication
    devices are becoming IP addressable, providing
    voice, fax, video and data to the desktop under the
    VPN's security protocol.
  • Name servers are becoming very useful for
    configuring and reconfiguring VPNs: work is in
    progress to extend the use of DNS servers to
    provide a secure (IP Security-based) mechanism for
    routers to find peer routers and for clients to
    find servers (the approach FreeS/WAN calls
    opportunistic encryption).

28
RESOURCES
3-c
  • www.networkmagazine.com
  • www.cisco.com
  • www.sans.org
  • www.freeswan.org
  • www.iec.org
  • Petr Sklenar, sklenarp_at_hotmail.com