Chapter%2019%20VPN%20and%20NAT

1
Chapter 19VPN and NAT

• Nelson Azadian
• Victor Seletskiy
• Pavel Dikhtyar

2
VPN Overview

• Why we need Virtual Private Networks.
• What a Virtual Private Network consists of.
• What a Virtual Private Network does.
• How a Virtual Private Network does what it does.
• Pros and Cons of VPNs

3
Imagine the Following Scenario

• You are a network administrator hired by a
  company to create a network which is both private
  yet able to access the internet.
• How would you do it?

4
You Could

• Create a network comprised of both an internal
  and external network. By internal we mean a
  network which is unavailable to those outside of
  the network. Conversely, by external we mean a
  network which is available to those outside of
  the network.

5
Example

• As you can see, we have two networks. An internal
  network, on the right, which lacks access to the
  internet, i.e. is private, as well as an external
  network, on the left, which is allowed access to
  the internet, i.e. is public.

6
Continuing With Our Previous Scenario

• Lets say the same company, which had previously
  hired you to build a network, decides to build
  another office building 100 miles away from their
  current office building. You are once again hired
  by the company to build a private network between
  the two office buildings.
• How would you do it?

7
What Wont Work

• A LAN based private network would be out of the
  question due to the amount of money to both build
  and maintain such a network.

8
Continuation of What Wont Work

• We could use a WAN based network to connect both
  office buildings. However, problems associated
  with the amount of money to build and maintain
  such a network would once again arise.
• What about Leased Lines?

9
What Will Work

• What are Leased Lines?
• Leased Lines are connection based, rather than
  packet switch based, lines which a phone company
  or internet service provider will lease to an
  individual or corporation.
• Due to their connection based nature leased lines
  are guaranteed to remain private.
• Unfortunately, leased lines are expensive and for
  many companies out of their budget.

10
Why We Need Virtual Private Networks

• VPN or Virtual Private Networks are a cheaper and
  effective alternative to leased lines which, as
  with leased lines, allow for networks to remain
  private.
• Unlike leased lines, VPNs do so using packet
  switched networks, i.e. virtual lines.

11
What a Virtual Private Network Consists of

• A Virtual Private Network basically consists of a
  router, with specialized software, which acts as
  a gateway between an external network, i.e. the
  internet, and an internal network, i.e. some
  private network.

12
What a Virtual Private Network Does

• When a host on an internal, i.e. private, network
  needs to send a packet to a host not on its own
  internal network it sends the packet to the
  specialized router.

13
Continuation of What a Virtual Private Network
Does

• Once the specialized router receives the packet
  it examines the destination of the packet.
• The router than encrypts the packet, places it in
  a datagram, and sends it off to its destination.
  The destination in question belongs to another
  specialized router, similar to our previous
  specialized router. This second specialized
  router belongs to the destined hosts VPN and
  acts as its gateway.
• We are not initially sending the packet to the
  destined host.

14
How a Virtual Private Network Does What it Does

• Virtual Private Networks use two basic techniques
  to allow them to remain both private, yet at the
  same time do so without the use of expensive
  connection based networks.
• The two techniques in question
• Encryption
• Tunneling

15
What is Encryption?

• Simply put, encryption is the process of
  modifying data in such a way that it becomes
  unintelligible.
• Take for instance the following example, L ORYH
  QDFKRV is really I LOVE NACHOS using a
  simple Caesar or
• Shift - 3 Cipher.

16
Why Use Encryption?

• The reason is simple, in order to keep data on an
  internal network private we need to use some way
  of keeping the data on that network private.
  Hence, we use encryption, taking our original
  data and modifying it in some way as to keep its
  original content secret.
• Examples of some Encryption Algorithms include
  DES, Triple DES, AES, RSA, etc.

17
Why Do We Encrypt the Entire Packet?

• You may recall that I mentioned that the entire
  packet needed to be encrypted, i.e. data and
  header why?
• Encrypting the data portion of the packet is not
  enough to ensure that our private network remain
  private. In order for our private network to
  remain truly private we must not only hide the
  data on the network but also the topology of that
  network.
• Note We still require the use of a globally
  valid IP address, otherwise we wouldnt be able
  to send the packet over the global external
  internet. However, this globally assigned IP
  address is assigned only to the VPN gateway and
  not to any of the hosts on the internal private
  network.

18
Continuation of Why We Encrypt the Entire Packet

• Lets say we hadnt encrypted the entire packet,
  i.e. we hadnt encrypted the packets header only
  its data, and an unauthorized party was able to
  sniff or attain a copy of the packet using a
  program such as Ethereal. Though the unauthorized
  party would not be able to access the data, i.e.
  would not have the key necessary to decrypt the
  packet, the unauthorized party would still know
  the packets source and destination, i.e. would
  know which specific host on the first VPN sent
  the packet to which specific host on the second
  VPN.

19
Whats the Big Deal?

• The big deal is that if the unauthorized party or
  attacker is able to find out where the packet
  came from as well as where it was destined to,
  the attacker may be able to further compromise
  the security of any of the two VPNs, i.e. may be
  able to break into one or both of the VPNs.
• By encrypting the entire packet we keep both the
  data within the packet private as well as the
  existence, or location, of the two hosts
  private, i.e. we keep the topology of the
  internal private network hidden.

20
What is Tunneling?

• Tunneling is basically a way of specifying that
  datagram be sent to a specific router, rather
  than a specific host.

21
Why Specify a Router?

• Question How do we decrypt the packet the source
  host had originally sent?
• Wrong Answer Sending the key along with the
  encrypted packet is not a viable solution.
• Correct Answer Both routers must have agreed
  upon a key before any transmission of packets
  occur. Therefore, in order to agree upon a
  specific key both routers must have already known
  about each others existence, i.e. already had an
  entry in their routing tables for one another.

22
A Common Misconception About Tunneling

• The word tunneling tends to imply that a
  tunnel is a single path, leading from one
  endpoint to another.

23
Unfortunately This is Not True

• With respect to VPNs, the word tunneling is
  used because in order to tunnel a packet the
  two endpoints of the tunnel, i.e. the routers
  which will encrypt or decrypt, must be known
  before a packet is encrypted and sent out into
  the internet. We do not however specify a
  specific route a packet must follow, merely the
  last or first router to receive or send the
  encrypted packet.

24
Pros of Virtual Private Networks

• Practically guarantee network and data privacy.
• Are a cheap and effective alternative to WANs or
  Leased Lines.
• Easily map onto an existing network with little
  modification.

25
Cons of Virtual Private Networks

• Unlike most routers, VPN gateway router tables
  are not dynamic, i.e. must be input by a network
  administrator.
• If a VPN gateway goes down, its very possible
  that the entire private network will lose
  connectivity to the external internet.
• Absolute privacy is not guaranteed, the reason
  being that no current encryption algorithm is
  100 full proof.

26
NAT Overview

• VPN Types
• Tunneling Types
• Application Gateway
• NAT

27
VPN Implementation

• There are two common VPN implementations
• Client-to-Site (Remote Access VPN)
• Site-to-Site

28
Remote Access

• Mobile user access from public network to private
  network, who needs to connect to secure
  materials remotely, or need access to secure
  remote management portal.

29
Remote Access Continued

• It secures a path to the site's LAN, allowing the
  client to access a private network address ( RFC
  1918).
• The client-to-site VPN is a many-to-one VPN
  tunnel.
• One or more clients can initiate a secure VPN
  connection to the VPN server, thus securely
  accessing internal data from an insecure remote
  location.

30
Site-to-Site

• When office requires sharing information across
  multiple LANs. The typical example of this is a
  company that has offices in two different
  geographical locations.

31
Site-to-Site Continued

• Allows LANs to share information across Internet
  without fearing that outsiders could view the
  content of the data stream.
• The site-to-site VPN is a one-to-one VPN tunnel.
  Two servers or routers set up an encrypted IP
  tunnel to securely pass packets back and forth
  over the Internet. The VPN servers create a
  logical point-to-point connection over the
  Internet.

32
Tunneling in Detail

• Tunneling requires three different protocols
• Carrier protocol - The protocol used by the
  network that the information is traveling over
  for example, PPP is used as the carrier protocol
  in IP-based transit networks.
• Encapsulating protocol - The protocol (GRE,
  IPSec, L2F, PPTP, L2TP) that is wrapped around
  the original data
• Passenger protocol - The original data (IPX,
  NetBeui, IP) being carried

33
Tunneling Protocols

• PPTP
• (Point-to-Point Tunneling Protocol)
• L2TP
• (Layer 2 Tunneling Protocol)
• IPSec
• Tunneling Mode
• SSL/TLS
• (Secure Sockets Layer/Transport Layer Security)

34
VPN via PPTP

• Point-to-Point Tunneling Protocol
• Data is first encapsulated inside PPP packets
• PPP packets are then encapsulated in GRE packets
  and sent over the link
• Weak Security
• Low Performance
• Was integrated in L2TP that combines PPTP L2F

35
IPSec

• Internet Protocol Security (IPSec)
• For Site-to-Site and Remote-Access VPNs
• Features encryption modes
• Tunnel
• Encrypts data header and payload
• Transport
• Encrypts payload only
• Encrypts data between various devices
• Router to router
• Firewall to router
• PC to router
• PC to server

36
IPSec Tunneling
IPsec AH ESP IPcomp IKE

• IP Encapsulation Security Payload (ESP)
• Provides message integrity and privacy using
  DES or EAS
• It also includes anti-replay mechanism.
• Internet Key Exchange (IKE)
• AH and ESP needs shared secret key between
  peers. IKE defines an automatic means of
  negotiation and authentication for security
  associations (SA). Security associations are
  security policies defined for communication
  between two or more entities

37
SSL / TLC

• The SSL (Secure Sockets Layer) is a protocol
  designed by Netscape Communications to enables
  secure data transfer between two devices over a
  public network. SSL protects applications running
  over TCP, and is mostly utilized to protect HTTP
  transactions. SSL has been replaced by Transport
  Layer Security (TLS).
• To convert SSL/TLS into a remote access VPN,
  firms install an SSL/TLS VPN gateway at each
  site. The client establishes an SSL/TLS
  connection with this gateway, rather than to
  individual hosts within the site.

38
How SSL Works
39
SSL / TLC

• In many cases, the SSL/TLS VPN gateway simply
  connects the client PC to a webserver. This is
  the traditional use of SSL/TLS in VPNs. However,
  the SSL/TLS gateway decrypts client traffic
  coming into the network. This allows a firewall
  to check the traffic right after the VPN/SSL
  firewall.

40
SSL / TLC Continued

• In other cases, the VPN gateway connects the
  client PC to a database server or other server
  that cannot communicate with a browser natively.
  The VPN gateway then intercepts messages from the
• server to the client PC. The VPN gateway webifies
  these messages (converts them into webpages).

41
SSL / TLC Continued

• In yet other cases, the SSL/TLS VPN gateway
  connects the client PC to a subnet of the
  network. The client can then connect to any host
  on the subnet.

42
SSL / TLS Client

• Question What does the client need to have?
• For basic operation, the client only needs to
  have a browser that works with SSL/TLS. It is
  difficult to find a computer that does not have a
  browser or whose browser cannot work with
  SSL/TLS. Consequently, SSL/TLS can work with any
  client PC connected to the Internet. This makes
  SSL/TLS extremely attractive as a remote access
  VPN.

43
IPSec vs. SSL VPN

• Communication
• Compared to IPSec, SSL is an application level
  transport protocol that transmits data over a
  standard TCP port (typically TCP port 443). IPSec
  provides application-transparent communication
  over layer 3, IP, network traffic while SSL was
  designed to encrypt application traffic.
• Information Exposure
• Only designated people /computers are allowed
  access by IPSec, while SSL allows access from
  everywhere (e.g. internet kiosks). Information
  can be left behind (intentionally or
  unintentionally)
• Software Required
• IPSec requires client software, while SSL needs
  only Standard Web browser

44
IPSec vs. SSL VPN Continued

• SSL allow more precise access control.
• First of all they provide tunnels to specific
  applications rather than to the entire corporate
  LAN. So, users on SSL VPN connections can only
  access the applications that they are configured
  to access rather than the whole network. Second,
  it is easier to provide different access rights
  to different users and have more granular control
  over user access.
• Connectivity
• IPSec connectivity can be adversely affected by
  firewalls or other devices between the client and
  gateway (i.e. firewall or NAT devices) while SSL
  operates transparently across NAT, proxy, and
  most firewalls (most firewalls allow SSL traffic)
• Security
• SSL provides limited control over information
  access and client environment good for accessing
  less-sensitive information

45
Private Address Protection

• VPN must protect internal information and
  prevent any direct connection between a trusted
  server or client and an un-trusted host. It
  gives improved security because without knowing
  the true IP address of a host, it is harder for
  an intruder to attack that machine.

46
Private Address Protection Continued

• SSL IPSec and other VPN's use two general
  communication schemes to ensure private network
  security
• Application Gateways
• NAT

47
Application Gateways
The application gateway acts as an intermediary
between the two endpoints. When a client issues a
request from the untrusted network, a connection
is established with the application gateway. The
proxy determines if the request is valid and then
sends a new request on behalf of the client to
the destination. By using this method, a direct
connection is never made from the trusted network
to the untrusted network and the request appears
to have originated from the application gateway.
48
Advantages of the Application Level

• Application-specific proxies accept only packets
  generated by services they are designed to copy,
  forward, and filter without offering IP- level
  access.
• Only packets generated by these services could
  pass through the firewall. All other services
  would be blocked.
• If a network relies only on an application-level
  gateway, incoming and outgoing packets cannot
  access services for which there is not a proxy.
• For example, only a Telnet proxy can copy,
  forward, and filter Telnet traffic.
• Able to work without changes to the underlying
  infrastructure or addressing.
• It can, for instance, tell the difference between
  a piece of e-mail containing text and a piece of
  e-mail containing a graphic image or the
  difference between a webpage using Java and a
  webpage without.

49
Advantages of the Application Level

• Application-level Filtering
• examine and filter individual packets, rather
  than simply copying them and blindly forwarding
  them across the gateway.
• check each packet that passes through the
  gateway, verifying the contents of the packet up
  through the application layer.
• can filter particular kinds of commands or
  information in the application protocols (e.g.,
  FTP GET but not PUT no retrieving HTTP objects
  ending in .exe)

50
Disadvantages of the Application Level

• Lack of generality each application gateway
  handles only one specific service multiple
  gateways are required for multiple services.
• Performance significant disadvantage of
  application gateways is the impact it can have on
  performance. Since all incoming and outgoing
  traffic is inspected at the application level,
  they are typically slower All traffic must pass
  through all seven layers of the OSI model prior
  to being inspected.

51
NAT

• Network Address Translation provide IP level
  access between hosts at a site and the rest of
  the Internet without requiring each host at the
  site to have a globally valid IP address
• One valid IP address requires site to have a
  single connection to the global Internet and at
  least one globally valid IP address.
• NAT box runs NAT software, all datagram's pass
  through it as they travel from site out to the
  Internet or from Internet into the site

52
NAT Continued

• Outgoing traffic replaces source IP address
• Incoming traffic replaces destination IP address

53
Translation Table

• It identifies correct host to which the datagram
  should be forwarded.
• Has Two values
• Internal host IP address
• External host IP address

54
Translation Table

• Table Initialization
• Manual
• A manager configures the translation table
  manually before any communication occurs.
  Provides permanent mapping and allows IP
  datagrams to be send in either direction.
• Outgoing datagram's
• NAT uses the outgoing datagram to create a
  translation table entry that records the source
  and destination addresses. It is automatic, but
  does not allows communication to be initiated
  from outside.
• Incoming name lookups
• The table is build as side effect of handling
  domain name lookups. When a host on the Internet
  looks up the domain name of an internal host, and
  then creates an entry in the NAT translation
  table to forward incoming datagrams to the
  correct internal host.

55
NAT and ICMP Overview

• Port Mapped NAT
• Interaction between NAT and ICMP
• Interaction between NAT and Applications
• NAT in the presence of Fragmentation
• Conceptual Address Domains
• Implementations of NAT

56
Port-Mapped NAT

• NAPT Network Address Port Translation
• Provides concurrency by translating port numbers
  as well as addresses.
• Expands on NAT translation table to contain
• Source and destination IP addresses (NAT)
• Source and destination port numbers
• Protocol port number (used by NAT router)

57
NAPT Diagram
58
Port-Mapped NAT Continued

• In the process of communications NAPT assigns a
  unique port number to each communication that is
  used on the internet.
• After NAPT translation, the receiving computer
  receives datagram's with NAPT box global address
  and NAPT port number.
• Biggest advantage is the amount of generality
  NAPT achieves with one global IP address.
• Biggest disadvantage is that NAPT restricts
  communications to TCP or UDP only.

59
NAPT Process
60
Operation Of Port-Based NAT

• Inside Client Generates Request And Sends To NAT
  Router
• Device generates an HTTP request to the server.
• The datagram is sent to the NAT-capable router
  that connects the organization's internal network
  to the Internet.
• NAT Router Translates Source Address And Port And
  Sends To Outside Server
• The router substitutes the inside global address
  and also chooses a new source port number for
  this request.
• The destination address and port are not
  changed. 
• The NAT router puts the address and port mapping
  into its translation table. It sends the modified
  datagram out, which arrives at the outside
  server.
• Outside Server Generates Response And Sends Back
  To NAT Router
• The outside server generates an HTTP response.
• it sends back the response to the NAT router
• NAT Router Translates Destination Address And
  Port And Delivers Datagram To Inside Client
• The NAT router consults its translation table and
  knows who this datagram is intended for.
• The destination address and port are changed but
  not the source.
• The router delivers the datagram back to the
  originating client.

61
Interaction between NAT and ICMP

• Unexpected side effects of NAT.
• NAT changes IP address of the from field.
• NAT must handle higher layer protocols.
• Must handle ICMP (one of the most important
  ones).
• Determines if ICMP should be handled locally or
  sent to an internal host.
• If sending to an internal host NAT must translate
  the ICMP message.
• ICMP message translation example.
• Example message destination unreachable.
• Message contains header from a datagram D that
  caused error.
• Since NAT translated the address in header of D
  before sending it, NAT must open the ICMP message
  and translate the address in D header back to the
  original hosts address.
• NAT must also re-compute the checksum of the D
  header and of the ICMP message.

62
Interaction Between NAT and Applications

• NAT Effect on application protocols.
• In general NAT will not work with any application
  that sends IP addresses or protocol ports as
  data.
• Example application protocol FTP.
• Part of FTP protocol is one machine obtaining the
  port number of another machine over a TCP
  connection.
• In FTP protocol the port number is sent as data.
• In order for this protocol to function properly
  through NAPT, the port number in the data stream
  must be changed to agree with the NAPT port
  number.
• NAT recognition of application protocols.
• Implementations of NAT have been created that
  recognize popular protocols such as FTP and make
  the necessary changes in the data stream.

63
Interaction Between NAT and Applications Continued

• Custom application protocols nonfunctional with
  NAT.
• NAT affects ICMP and higher level protocols.
• An application protocol that passes IP addresses
  or protocol port numbers as data will not operate
  correctly across NAT.
• Changing items in a data stream increases the
  complexity of NAPT. (making application protocols
  work)
• NAPT must have detailed knowledge of each
  application that transfers such information.
• If items are represented in ASCII (FTP protocol)
  changing the value can change the number of
  octets transferred.
• Inserting or removing octets in the data stream
  is difficult because all octets have a sequence
  number in a stream.
• Sender and receiver dont know that octet number
  has been changed and they will get out of sync.
• NAT will have to translate the sequence numbers
  in each outgoing segment and each incoming
  acknowledgement.

64
NAT in the Presence of Fragmentation

• Assumptions about IP.
• In describing NAT an assumption was made that NAT
  system receives complete IP datagram's and not
  fragments.
• Fragmentation creates added complexity in NAPT
  (widely used version of NAT)
• NAPT uses information (port numbers) from the
  transport header.
• Only the first fragment of a datagram carries the
  transport protocol header.
• Before NAPT can operate on a datagram, it must
  receive and examine the first fragment of the
  datagram.
• Resolutions of the NAPT Datagram Fragmentation
  Problem
• Slow speed networks save fragments and reassemble
  the datagram.
• Other networks reject fragmented datagram's.

65
Conceptual Address Domains

• Standard NAT use is to connect a private network
  to a global internet.
• NAT can be used to interconnect any two address
  domains.
• It can be used between two corporations that use
  the same private address space. (10.0.0.0)
• NAT can also be used at two levels.
• It can be used between customers private domain
  and ISPs private address domain.( first level)
• It can also be used between ISPs address domain
  and global internet. (second level)
• Combination of NAT and VPN.
• Hybrid architecture can be created in which
  private addresses are used within the
  organization and NAT is used to provide
  connectivity between each site and to the global
  internet.
• Example of multiple levels of NAT
• Employee working from several computers at home
  connected to a LAN.
• He can assign private addresses to his machines
  and use NAT between home and corporate intranet.
• Corporation can assign private addresses to their
  intranet and use NAT between their intranet and
  global internet.

66
Slirp and IP Tables

• There are 2 most popular implementations of NAT
• Slirp (derived from 4.4 BSD)
• Combines PPP and NAT.
• Is used in a dialup architecture.
• One valid global IP address.
• Permanent internet connection.
• One or more dialup modems.
• Implements NAPT. (uses protocol numbers)
• Multiple computers can access internet at the
  same time.
• Main advantage is that it can use a general UNIX
  account with internet access.
• IP-Tables (Linux operating system)
• Combination of tools for packet rewriting and
  fire-walling.
• Provides stateful packet inspection.
• NAT or NAPT can be formed using specific sets of
  IP-Tables rules.

67
Summary

• VPN offers low cost alternative that allows an
  organization to use the global internet to
  securely interconnect multiple sites.
• Two technologies exist that provide communication
  between the hosts in different address domains.
• Application gateways act as a proxy by receiving
  a request from a host in one domain, forwarding
  it to another domain, and later returning the
  result to an original host.
• Network Address Translation provides transparent
  IP-level access to the internet from a host with
  a private address.
• Most NAT implementation perform Network Address
  and Port Translation. (NAPT)

68
References

• http//computer.howstuffworks.com/vpn.htm
• http//www.tcpipguide.com/free/t_IPNATPortBasedOve
  rloadedOperationNetworkAddressPor-2.htm
• IPSec vs. SSL VPNs for Secure Remote
  Accesshttp//www.ajoomal.com/descargas/aventail/I
  PSec_vs120_SSL_VPNs_For_Secure_Remote_Access_-_En
  glish_(A4).pdf
• http//penguin.dcs.bbk.ac.uk/academic/networks/tra
  nsport-layer/nat/
• Virtual private networks / Charlie Scott
• Internetworking with TCP/IP Principles,
  Protocols, and Architecture Volume 1 Fifth
  Edition. Author Douglas E. Comer. Publisher
  Pearson Prentice Hall

69
Questions