What Is Needed to Build a VPN? - PowerPoint PPT Presentation

About This Presentation
Title: What Is Needed to Build a VPN?
Slides: 32
Provided by: pflynn

Transcript and Presenter's Notes
1
What Is Needed to Build a VPN?
  • An existing network with servers and workstations
  • Connection to the Internet
  • VPN gateways (i.e., routers, PIX, ASA, VPN
    concentrators) that act as endpoints to
    establish, manage, and control VPN connections
  • Software to create and manage tunnels

2
(No Transcript)
3
Overlay and Peer-to-Peer VPNs
  • Overlay VPNs: Service providers (SPs) are the most
    common users of the overlay VPN model.
  • The design and provisioning of virtual circuits
    (VC) across the backbone is complete prior to any
    traffic flow.
  • In the case of an IP network, this means that
    even though the underlying technology is
    connectionless, it requires a connection-oriented
    approach to provision the service.

4
L2 overlay VPN
  • L2 overlay VPNs are independent of the network
    protocol used by the customer meaning that the
    VPN is not limited to carrying IP traffic.
  • If the carrier offers the appropriate ATM
    service, the overlay VPN will carry any kind of
    information.
  • Frame Relay VPNs are normally limited to data
    applications, although voice over Frame Relay
    customer premises equipment (CPE) devices may be
    useable on some services.

5
L3 overlay VPN
  • L3 overlay VPNs most often use an IP-in-IP
    tunneling scheme using Point-to-Point Tunneling
    Protocol (PPTP), Layer 2 Tunneling Protocol
    (L2TP), and IP security (IPsec).

6
(No Transcript)
7
CPE-Based VPN (Peer-to-Peer)
  • CPE-based VPN is another name for an L3 VPN.
  • The VPN is implemented using CPE.
  • In this way, a customer creates a VPN across an
    Internet connection without any specific
    knowledge or cooperation from the service
    provider.
  • The customer gains the advantage of increased
    privacy using an inexpensive Internet connection.

8
(No Transcript)
9
SP-Provisioned VPN
  • The introduction of Multiprotocol Label Switching
    (MPLS) combines the benefits of overlay VPNs
    (security and isolation among customers) with the
    benefits of the simplified routing of a
    peer-to-peer VPN.
  • MPLS VPN provides simpler customer routing,
    simpler service provider provisioning and a
    number of possible topologies that are hard to
    implement in either the overlay or peer-to-peer
    VPN models.
  • MPLS also adds the benefits of a
    connection-oriented approach to the IP routing
    paradigm, through the establishment of
    label-switched paths that are created based on
    topology information rather than traffic flow.

10
  • The Provider Core (P) and the Customer Edge (CE)
    routers are assumed to be unaware of any VPN
    protocols or procedures.
  • Only the Provider Edge (PE) routers need to be
    provisioned to support the VPNs.

11
3 Types of VPN
12
(No Transcript)
13
(No Transcript)
14
Characteristics of a Secure VPN
15
VPN Security Encapsulation
  • Tunnelling uses three different protocols:
  • Carrier protocol: The protocol the information is
    travelling over.
  • Encapsulating protocol: The protocol (GRE, IPsec,
    L2F, PPTP, L2TP) that is wrapped around the
    original data. Not all protocols offer the same
    level of security.
  • Passenger protocol: The original data (IPX,
    AppleTalk, IPv4, IPv6).

16
VPN Security IPsec and GRE
  • Two modes: 1. Tunnel mode, 2. Transport mode
  • Tunnel mode encrypts the header and the payload
    of each packet.
  • Transport mode only encrypts the payload.
  • Only systems that are IPsec-compliant can take
    advantage of transport mode.
  • Additionally, all devices must use a common key,
    and the firewalls of each network must be set up
    with very similar security policies.
  • IPsec can encrypt data between various devices,
    including router to router, firewall to router,
    PC to router, and PC to server.

17
Symmetric Encryption Algorithm
  • Symmetric-key encryption, also called secret key
    encryption, works when each computer has a secret
    key (code) that the computer uses to encrypt
    information before the information is sent over
    the network to another computer.
  • Symmetric-key encryption requires that someone
    know which computers will be talking to each
    other so that the person can configure the key on
    each computer.
  • Symmetric-key encryption is a secret code, or
    key, that each of the two computers must know to
    decode the information.

18
Asymmetric Encryption Algorithm
  • Uses different keys for encryption and
    decryption.
  • Knowing one of the keys does not allow a hacker
    to deduce the second key and decode the
    information.
  • One key encrypts the message, while a second key
    decrypts the message. It is not possible to
    encrypt and decrypt with the same key.
  • Public-key encryption uses a combination of a
    private key and a public key.
  • Only the sender knows the private key.
  • The sender gives a public key to any recipient
    with whom the sender wants to communicate.
  • To decode an encrypted message, the recipient
    must use the public key, provided by the
    originating sender, and the recipient's own
    private key.

19
VPN Security Authentication
  • Username and password: Uses the predefined
    usernames and passwords for different users or
    systems.
  • One-Time Password (OTP) (PIN/TAN): A stronger
    authentication method than username and password;
    this method uses new passwords that are generated
    for each authentication.
  • Biometric: Biometrics usually refers to
    technologies that are used for measuring and
    analyzing human body characteristics such as
    fingerprints, eye retinas and irises, voice
    patterns, facial patterns, and hand measurements,
    especially for authentication purposes.
  • Pre-shared keys: This method uses a secret key
    value, manually entered into each peer, and then
    used to authenticate the peers.
  • Digital certificates: Use the exchange of digital
    certificates to authenticate the peers.

20
What is IPsec?
21
IPsec Protocols
  • IKE: Provides a framework for the negotiation of
    security parameters and establishes authenticated
    keys. IPsec uses symmetric encryption
    algorithms for data protection, which are more
    efficient and easier to implement in hardware
    than other types of algorithms. These algorithms
    need a secure method of key exchange to ensure
    data protection. The IKE protocols provide the
    capability for secure key exchange.
  • AH: The IP Authentication Header (AH) provides
    connectionless integrity and data origin
    authentication for IP datagrams and optional
    protection against replays. AH is embedded in the
    data that needs to be protected. ESP has replaced
    the AH protocol, and AH is no longer used very
    often in IPsec.
  • ESP: Encapsulating Security Payload (ESP)
    provides a framework for encrypting,
    authenticating, and securing data. ESP provides
    data privacy services, optional data
    authentication, and anti-replay services. ESP
    encapsulates the data that needs protection. Most
    IPsec implementations use the ESP protocol.

22
Site-to-Site IPsec VPN Operations
  • Step 1: Interesting traffic initiates the IPsec
    process. Traffic is deemed interesting when the
    VPN device recognizes that the traffic you want
    to send needs protection.
  • Step 2: IKE Phase 1. IKE authenticates IPsec peers
    and negotiates IKE SAs during this phase, setting
    up a secure communications channel for
    negotiating IPsec SAs in Phase 2.
  • Step 3: IKE Phase 2. IKE negotiates IPsec SA
    parameters and sets up matching IPsec SAs in the
    peers. These security parameters are used to
    protect data and messages that are exchanged
    between endpoints.
  • Step 4: Data transfer. Data is transferred between
    IPsec peers based on the IPsec parameters and
    keys that are stored in the SA database.
  • Step 5: IPsec tunnel termination. IPsec SAs
    terminate through deletion or by timing out.

23
Step 2: IKE Phase 1
  • First exchange: The two peers negotiate and agree
    on which algorithms and hashes to use to secure
    the IKE communications.
  • Second exchange: A Diffie-Hellman exchange
    generates shared secret keys and passes nonces (a
    nonce is a value used only once by a computer
    security system). A random number sent by one
    party to another party, signed, and returned to
    the first party proves the second party's
    identity. Once created, the shared secret key is
    used to generate all the other encryption and
    authentication keys.
  • Third exchange: In this exchange, each peer
    verifies the identity of the other side by
    authenticating the remote peer.

24
Step 3: IKE Phase 2
  • Negotiates IPsec security parameters and IPsec
    transform sets
  • Establishes IPsec SAs
  • Periodically renegotiates IPsec SAs to ensure
    security
  • Optionally, performs an additional
    Diffie-Hellman exchange

25
IPsec Tunnel Operation
  • The last two steps in IPsec involve transferring
    the data and then closing the connection.
  • Data Transfer: After IKE Phase 2 is complete and
    quick mode has established IPsec SAs, traffic is
    exchanged between Host A and Host B via a secure
    tunnel, as shown in the figure. Interesting traffic
    is encrypted and decrypted according to the
    security services that are specified in the IPsec
    SA.
  • IPsec Tunnel Termination: IPsec SAs terminate
    through deletion or by timing out. An SA can time
    out when a specified number of seconds has
    elapsed or when a specified number of bytes have
    passed through the tunnel. When the SAs
    terminate, the keys are also discarded.

26
Configuring a Site-to-Site IPsec VPN
  • Step 1: Configure the ISAKMP policy that is
    required to establish an IKE tunnel.
  • Step 2: Define the IPsec transform set. The
    definition of the transform set defines the
    parameters for the IPsec tunnel, such as
    encryption and integrity algorithms.
  • Step 3: Create a crypto access control list (ACL).
    The crypto ACL identifies the traffic to be
    forwarded through the IPsec tunnel.
  • Step 4: Create a crypto map. The crypto map
    combines the previously configured parameters
    together and defines the IPsec peer device.
  • Step 5: Apply the crypto map to the outgoing
    interface of the VPN device.
  • Step 6: Configure an ACL and apply the list to the
    interface. Typically, edge routers are configured
    with restrictive ACLs that could inadvertently
    block the IKE or IPsec protocols.

27
(No Transcript)
28
(No Transcript)
29
(No Transcript)
30
(No Transcript)
31
(No Transcript)