Chapter 19
VPN and NAT
Nelson Azadian
Victor Seletskiy
Pavel Dikhtyar
VPN Overview
• Why we need Virtual Private
Networks.
• What a Virtual Private Network
consists of.
• What a Virtual Private Network
does.
• How a Virtual Private Network
does what it does.
• Pros and Cons of VPNs
Imagine the Following Scenario
• You are a network administrator hired by a
company to create a network which is both
private yet able to access the internet.
• How would you do it?
You Could…
• Create a network comprised of both an internal
and external network. By internal we mean a
network which is unavailable to those outside
of the network. Conversely, by external we
mean a network which is available to those
outside of the network.
Example
• As you can see, we have two networks. An internal
network, on the right, which lacks access to the
internet, i.e. is private, as well as an external
network, on the left, which is allowed access to the
internet, i.e. is public.
Continuing With Our Previous Scenario…
• Let’s say the same company, which had
previously hired you to build a network,
decides to build another office building 100
miles away from their current office building.
You are once again hired by the company to
build a private network between the two office
buildings.
• How would you do it?
What Won’t Work
• A LAN based private network would be out of the
question due to the amount of money to both build
and maintain such a network.
Continuation of What Won’t Work
• We could use a WAN based network to
connect both office buildings. However,
problems associated with the amount of money
to build and maintain such a network would
once again arise.
• What about Leased Lines?
What Will Work
• What are Leased Lines?
– Leased Lines are connection based, rather than
packet switch based, lines which a phone company
or internet service provider will lease to an
individual or corporation.
– Due to their connection based nature leased lines
are guaranteed to remain private.
– Unfortunately, leased lines are expensive and for
many companies out of their budget.
Why We Need Virtual Private Networks
• VPN or Virtual Private Networks are a cheaper
and effective alternative to leased lines which,
as with leased lines, allow for networks to
remain private.
• Unlike leased lines, VPN’s do so using packet
switched networks, i.e. virtual lines.
What a Virtual Private Network Consists of
• A Virtual Private Network basically consists of a
router, with specialized software, which acts as a
gateway between an external network, i.e. the
internet, and an internal network, i.e. some private
network.
What a Virtual Private Network Does
• When a host on an internal, i.e. private, network
needs to send a packet to a host not on its own
internal network it sends the packet to the specialized
router.
Continuation of What a Virtual Private Network
Does
• Once the specialized router receives the packet it examines the
destination of the packet.
• The router then encrypts the packet, places it in a datagram,
and sends it off to its destination. The destination in question
belongs to another specialized router, similar to our previous
specialized router. This second specialized router belongs to
the destined host’s VPN and acts as its gateway.
• We are not initially sending the packet to the destined host.
How a Virtual Private Network Does What it
Does
• Virtual Private Networks use two basic
techniques to allow them to remain both
private, yet at the same time do so without the
use of expensive connection based networks.
• The two techniques in question…
– Encryption
– Tunneling
What is Encryption?
• Simply put, encryption is the process of
modifying data in such a way that it becomes
unintelligible.
• Take for instance the following example, “L
ORYH QDFKR’V” is really “I LOVE
NACHO’S” using a simple Caesar or
Shift - 3 Cipher.
Why Use Encryption?
• The reason is simple, in order to keep data on
an internal network private we need to use
some way of keeping the data on that network
private. Hence, we use encryption, taking our
original data and modifying it in some way as
to keep its original content secret.
• Examples of some Encryption Algorithms
include DES, Triple DES, AES, RSA, etc.
Why Do We Encrypt the Entire Packet?
• You may recall that I mentioned that the entire packet needed to be
encrypted, i.e. data and header; why?
• Encrypting the data portion of the packet is not enough to ensure that our
private network remains private. In order for our private network to remain
truly private we must not only hide the data on the network but also the
topology of that network.
• *Note* We still require the use of a globally valid IP address, otherwise we
wouldn’t be able to send the packet over the “global” external internet.
However, this globally assigned IP address is assigned only to the VPN
gateway and not to any of the hosts on the internal private network.
Continuation of Why We Encrypt the Entire
Packet
• Let’s say we hadn’t encrypted the entire packet, i.e.
we hadn’t encrypted the packet’s header only its data,
and an unauthorized party was able to sniff or attain a
copy of the packet using a program such as Ethereal.
Though the unauthorized party would not be able to
access the data, i.e. would not have the key necessary
to decrypt the packet, the unauthorized party would
still know the packet’s source and destination, i.e.
would know which specific host on the first VPN sent
the packet to which specific host on the second VPN.
What’s the Big Deal?
• The big deal is that if the unauthorized party or
attacker is able to find out where the packet came
from as well as where it was destined to, the attacker
may be able to further compromise the security of
any of the two VPN’s, i.e. may be able to break into
one or both of the VPN’s.
• By encrypting the entire packet we keep both the data
within the packet private as well as the existence, or
location, of the two hosts private, i.e. we keep the
topology of the internal private network hidden.
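To make the argument concrete, here is an added example (not code from the slides) contrasting payload-only encryption under the original header with a fully encrypted packet wrapped in a new gateway-to-gateway header. The gateway addresses, key and payload are constructed, and a SHA-256 counter keystream stands in for the real cipher.

```python
# Added example, not part of the slides: what a sniffer learns from the outer IP
# header when only the payload is encrypted versus when the whole packet is
# encrypted and wrapped in a new header. Addresses, key and payload are
# constructed; the keystream below is a stand-in for a real cipher.
import hashlib
import socket
import struct

GATEWAY_A = "203.0.113.1"   # assumed public address of the first VPN gateway
GATEWAY_B = "198.51.100.1"  # assumed public address of the second VPN gateway
KEY = b"key-agreed-by-both-gateways"  # constructed shared key
IP_FMT = "!BBHHHBBH4s4s"    # IPv4 header without options (20 bytes)

def ip_header(src, dst, proto, payload_len):
    """Build a minimal IPv4 header. Checksum stays 0: not needed to show exposure."""
    return struct.pack(IP_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def endpoints(packet):
    """Source and destination an observer reads from the outer header on the wire."""
    fields = struct.unpack(IP_FMT, packet[:20])
    return socket.inet_ntoa(fields[8]), socket.inet_ntoa(fields[9])

def toy_crypt(data, key):
    """XOR data with a SHA-256 counter keystream; applying it twice decrypts.
    Only a placeholder so the example runs offline, not a cipher to deploy."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def transport_style(inner_hdr, payload, key):
    """Encrypt only the payload: the original header, and so the topology, stays visible."""
    return inner_hdr + toy_crypt(payload, key)

def tunnel_style(inner_hdr, payload, key):
    """Encrypt header and payload, then wrap the result in a gateway-to-gateway header.
    Protocol number 50 is ESP, used here only to mark the outer packet as tunnelled."""
    sealed = toy_crypt(inner_hdr + payload, key)
    return ip_header(GATEWAY_A, GATEWAY_B, 50, len(sealed)) + sealed

def gateway_unwrap(tunneled, key):
    """The far gateway strips the outer header and recovers the inner header and payload."""
    inner = toy_crypt(tunneled[20:], key)
    return inner[:20], inner[20:]

if __name__ == "__main__":
    payload = b"internal report"
    inner = ip_header("10.0.1.5", "10.0.2.9", 6, len(payload))  # private host to private host
    print("payload-only encryption exposes:", endpoints(transport_style(inner, payload, KEY)))
    print("whole-packet tunnel exposes:    ", endpoints(tunnel_style(inner, payload, KEY)))
```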
What is Tunneling?
• Tunneling is basically a way of specifying that a
datagram be sent to a specific router, rather than a
specific host.
Why Specify a Router?
• Question: How do we decrypt the packet the source host had
originally sent?
• Wrong Answer: Sending the key along with the encrypted
packet is not a viable solution.
• Correct Answer: Both routers must have agreed upon a key
before any transmission of packets occur. Therefore, in order
to agree upon a specific key both routers must have already
known about each other's existence, i.e. already had an entry in
their routing tables for one another.
A Common Misconception About Tunneling
• The word “tunneling” tends to imply that a “tunnel”
is a single path, leading from one endpoint to another.
Unfortunately This is Not True
• With respect to VPN’s, the word “tunneling” is
used because in order to “tunnel” a packet the
two endpoints of the tunnel, i.e. the routers
which will encrypt or decrypt, must be known
before a packet is encrypted and sent out into
the internet. We do not however specify a
specific route a packet must follow, merely the
last or first router to receive or send the
encrypted packet.
Pros of Virtual Private Networks
• Practically guarantee network and data
privacy.
• Are a cheap and effective alternative to WAN’s
or Leased Lines.
• Easily map onto an existing network with little
modification.
Cons of Virtual Private Networks
• Unlike most routers, VPN gateway router tables are
not dynamic, i.e. must be input by a network
administrator.
• If a VPN gateway goes down, it’s very possible that
the entire private network will lose connectivity to the
external internet.
• Absolute privacy is not guaranteed, the reason being
that no current encryption algorithm is 100%
foolproof.
NAT Overview
• VPN Types
• Tunneling Types
• Application Gateway
• NAT
VPN Implementation
There are two common VPN implementations:
• Client-to-Site (Remote Access VPN)
• Site-to-Site
Remote Access
[Diagram: a Mobile User and a Home User reach Network A over the Internet (VPN over Internet) through a VPN Enabled Gateway]
• A mobile user connects from a public network to the private
network, for example someone who needs to reach secure materials
remotely or needs access to a secure remote management portal.
Remote Access Continued
• It secures a path to the site's LAN, allowing the client to access a
private network address (RFC 1918).
• The client-to-site VPN is a many-to-one VPN tunnel.
• One or more clients can initiate a secure VPN connection to the VPN
server, thus securely accessing internal data from an insecure remote
location.
Site-to-Site
[Diagram: Network A and Network B, each behind a VPN Enabled Gateway, joined by a VPN over the Internet]
• Used when an office requires sharing information across multiple
LANs. The typical example of this is a company that has
offices in two different geographical locations.
Site-to-Site Continued
• Allows LANs to share information across Internet without fearing
that outsiders could view the content of the data stream.
• The site-to-site VPN is a one-to-one VPN tunnel.
Two servers or routers set up an encrypted IP tunnel to securely
pass packets back and forth over the Internet. The VPN servers
create a logical point-to-point connection over the Internet.
Tunneling in Detail
Tunneling requires three different protocols:
• Carrier protocol - The protocol used by the network that the
information is traveling over; for example, PPP is used as the
carrier protocol in IP-based transit networks.
• Encapsulating protocol - The protocol (GRE, IPSec, L2F,
PPTP, L2TP) that is wrapped around the original data
• Passenger protocol - The original data (IPX, NetBeui, IP)
being carried
Tunneling Protocols
• PPTP
– (Point-to-Point Tunneling Protocol)
• L2TP
– (Layer 2 Tunneling Protocol)
• IPSec
– Tunneling Mode
• SSL/TLS
– (Secure Sockets Layer/Transport Layer Security)
VPN via PPTP
• Point-to-Point Tunneling Protocol
– Data is first encapsulated inside PPP packets
– PPP packets are then encapsulated in GRE packets and sent
over the link
– Weak Security
– Low Performance
– Was integrated in L2TP that combines PPTP & L2F
IPSec
• Internet Protocol Security (IPSec)
– For Site-to-Site and Remote-Access VPNs
– Features encryption modes
– Tunnel
• Encrypts data header and payload
– Transport
• Encrypts payload only
• Encrypts data between various devices
– Router to router
– Firewall to router
– PC to router
– PC to server
IPSec Tunneling
IPsec = AH + ESP + IPcomp + IKE
• IP Encapsulating Security Payload (ESP)
Provides message integrity and privacy using DES or AES.
It also includes an anti-replay mechanism.
• Internet Key Exchange (IKE)
AH and ESP need a shared secret key between peers. IKE defines
an automatic means of negotiation and authentication for security
associations (SA). Security associations are security policies
defined for communication between two or more entities.
SSL / TLS
• The SSL (Secure Sockets Layer) is a protocol designed by
Netscape Communications to enable secure data transfer
between two devices over a public network. SSL protects
applications running over TCP, and is mostly utilized to
protect HTTP transactions. SSL has been replaced by
Transport Layer Security (TLS).
• To convert SSL/TLS into a remote access VPN, firms install
an SSL/TLS VPN gateway at each site. The client establishes
an SSL/TLS connection with this gateway, rather than to
individual hosts within the site.
How SSL Works
SSL / TLS
• In many cases, the SSL/TLS VPN gateway simply connects the client PC
to a webserver. This is the traditional use of SSL/TLS in VPNs. However,
the SSL/TLS gateway decrypts client traffic coming into the network. This
allows a firewall to check the traffic right after the SSL/TLS VPN gateway.
SSL / TLS Continued
• In other cases, the VPN gateway connects the client PC to a database server or
other server that cannot communicate with a browser natively. The VPN gateway
then intercepts messages from the server to the client PC.
• The VPN gateway webifies these messages (converts them into webpages).
SSL / TLS Continued
• In yet other cases, the SSL/TLS VPN gateway
connects the client PC to a subnet of the network. The
client can then connect to any host on the subnet.
SSL / TLS Client
Question: What does the client need to have?
• For basic operation, the client only needs to have a browser
that works with SSL/TLS. It is difficult to find a computer that
does not have a browser or whose browser cannot work with
SSL/TLS. Consequently, SSL/TLS can work with any client
PC connected to the Internet. This makes SSL/TLS extremely
attractive as a remote access VPN.
IPSec vs. SSL VPN
• Communication
Compared to IPSec, SSL is an application level transport protocol that
transmits data over a standard TCP port (typically TCP port 443). IPSec
provides application-transparent communication over layer 3, IP,
network traffic while SSL was designed to encrypt application traffic.
• Information Exposure
Only designated people /computers are allowed access by IPSec, while
SSL allows access from everywhere (e.g. internet kiosks). Information
can be left behind (intentionally or unintentionally)
• Software Required
IPSec requires client software, while SSL needs only Standard Web
browser
IPSec vs. SSL VPN Continued
• SSL allows more precise access control.
First of all they provide tunnels to specific applications rather than to
the entire corporate LAN. So, users on SSL VPN connections can only
access the applications that they are configured to access rather than the
whole network. Second, it is easier to provide different access rights to
different users and have more granular control over user access.
• Connectivity
IPSec connectivity can be adversely affected by firewalls or other
devices between the client and gateway (i.e. firewall or NAT devices)
while SSL operates transparently across NAT, proxy, and most firewalls
(most firewalls allow SSL traffic)
• Security
SSL provides limited control over information access and client
environment; good for accessing less-sensitive information
Private Address Protection
VPN must protect internal information and
prevent any direct connection between a
trusted server or client and an un-trusted host.
It gives improved security because without knowing the true
IP address of a host, it is harder for an intruder to attack that
machine.
Private Address Protection Continued
SSL & IPSec and other VPN's use two general
communication schemes to ensure private
network security:
– Application Gateways
– NAT
Application Gateways
The application gateway acts as an
intermediary between the two endpoints.
When a client issues a request from the
untrusted network, a connection is established
with the application gateway. The proxy
determines if the request is valid and then sends
a new request on behalf of the client to the
destination. By using this method, a direct
connection is never made from the trusted
network to the untrusted network and the
request appears to have originated from the
application gateway.
Advantages of the Application Level
• Application-specific proxies accept only packets generated by services they
are designed to copy, forward, and filter, without offering IP-level access.
– Only packets generated by these services could pass through the
firewall. All other services would be blocked.
– If a network relies only on an application-level gateway, incoming and
outgoing packets cannot access services for which there is not a proxy.
– For example, only a Telnet proxy can copy, forward, and filter Telnet
traffic.
– Able to work without changes to the underlying infrastructure or
addressing.
– It can, for instance, tell the difference between a piece of e-mail
containing text and a piece of e-mail containing a graphic image or the
difference between a webpage using Java and a webpage without.
Advantages of the Application Level
• Application-level Filtering
– examine and filter individual packets, rather than simply
copying them and blindly forwarding them across the
gateway.
– check each packet that passes through the gateway,
verifying the contents of the packet up through the
application layer.
– can filter particular kinds of commands or information in
the application protocols (e.g., FTP GET but not PUT; no
retrieving HTTP objects ending in .exe)
Disadvantages of the Application Level
• Lack of generality: each application gateway
handles only one specific service; multiple gateways
are required for multiple services.
• Performance: a significant disadvantage of application
gateways is the impact they can have on performance.
Since all incoming and outgoing traffic is inspected at
the application level, they are typically slower. All
traffic must pass through all seven layers of the OSI
model prior to being inspected.
NAT
• Network Address Translation – provides IP-level access between hosts at a site
and the rest of the Internet without requiring each host at the site to have a globally
valid IP address.
• One valid IP address – requires the site to have a single connection to the global
Internet and at least one globally valid IP address.
• NAT box – runs NAT software; all datagrams pass through it as they travel from
the site out to the Internet or from the Internet into the site.
NAT Continued
• Outgoing traffic replaces source IP address
• Incoming traffic replaces destination IP address
Translation Table
• It identifies correct host to which the datagram
should be forwarded.
• Has Two values
– Internal host IP address
– External host IP address
Translation Table
• Table Initialization
– Manual
• A manager configures the translation table manually before
any communication occurs. Provides a permanent mapping and
allows IP datagrams to be sent in either direction.
– Outgoing datagrams
• NAT uses the outgoing datagram to create a translation table
entry that records the source and destination addresses. It is
automatic, but does not allow communication to be initiated
from outside.
– Incoming name lookups
• The table is built as a side effect of handling domain name lookups.
When a host on the Internet looks up the domain name of an
internal host, NAT creates an entry in the translation table
to forward incoming datagrams to the correct internal host.
NAT and ICMP Overview
• Port Mapped NAT
• Interaction between NAT and ICMP
• Interaction between NAT and Applications
• NAT in the presence of Fragmentation
• Conceptual Address Domains
• Implementations of NAT
Port-Mapped NAT
• NAPT – Network Address Port Translation
– Provides concurrency by translating port numbers
as well as addresses.
– Expands on NAT translation table to contain:
• Source and destination IP addresses (NAT)
• Source and destination port numbers
• Protocol port number (used by NAT router)
NAPT Diagram
Port-Mapped NAT Continued
• In the process of communications NAPT assigns a unique port
number to each communication that is used on the internet.
• After NAPT translation, the receiving computer receives
datagrams with the NAPT box global address and NAPT port
number.
• Biggest advantage is the amount of generality NAPT achieves
with one global IP address.
• Biggest disadvantage is that NAPT restricts communications
to TCP or UDP only.
NAPT Process
Operation Of Port-Based NAT
• Inside Client Generates Request And Sends To NAT Router:
– Device generates an HTTP request to the server.
– The datagram is sent to the NAT-capable router that connects the organization's internal network to the
Internet.
• NAT Router Translates Source Address And Port And Sends To Outside Server:
– The router substitutes the inside global address and also chooses a new source port number for this
request.
– The destination address and port are not changed.
– The NAT router puts the address and port mapping into its translation table. It sends the modified
datagram out, which arrives at the outside server.
• Outside Server Generates Response And Sends Back To NAT Router:
– The outside server generates an HTTP response.
– It sends the response back to the NAT router.
• NAT Router Translates Destination Address And Port And Delivers Datagram To Inside Client:
– The NAT router consults its translation table and knows who this datagram is intended for.
– The destination address and port are changed but not the source.
– The router delivers the datagram back to the originating client.
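As an added example (not code from the slides), here is a small Python model of the translation table these four steps rely on: it allocates a NAT port per flow, reuses it for the same flow, restores the inside destination for replies, and drops anything not initiated from inside. The global address, the port range and the RFC 1918 check are assumptions.

```python
# Added example, not part of the slides: a minimal NAPT translation table that
# walks through the four steps above. Addresses, ports and payloads are
# constructed sample values; the port range and the RFC 1918 check are assumptions.
import ipaddress
from dataclasses import dataclass

GLOBAL_ADDR = "203.0.113.1"                       # the NAT router's one valid address (assumed)
PRIVATE_NET = ipaddress.ip_network("10.0.0.0/8")  # inside hosts use this RFC 1918 block

@dataclass(frozen=True)
class Datagram:
    proto: str      # "tcp" or "udp": NAPT translates nothing else
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

class NAPT:
    def __init__(self, first_port=40000):
        self.next_port = first_port
        self.by_flow = {}      # (proto, inside addr, inside port, outside addr, outside port) -> NAT port
        self.by_nat_port = {}  # (proto, NAT port) -> that flow tuple

    def outbound(self, d):
        """Step 2: substitute the global address and a NAT-chosen source port."""
        if d.proto not in ("tcp", "udp"):
            raise ValueError("NAPT restricts communication to TCP or UDP")
        if ipaddress.ip_address(d.src) not in PRIVATE_NET:
            raise ValueError("outbound datagram must come from an inside host")
        flow = (d.proto, d.src, d.sport, d.dst, d.dport)
        nat_port = self.by_flow.get(flow)
        if nat_port is None:                 # first datagram of this flow: record the mapping
            nat_port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = nat_port
            self.by_nat_port[(d.proto, nat_port)] = flow
        return Datagram(d.proto, GLOBAL_ADDR, nat_port, d.dst, d.dport, d.payload)

    def inbound(self, d):
        """Step 4: restore the inside destination from the table; None means drop."""
        flow = self.by_nat_port.get((d.proto, d.dport))
        if flow is None or d.dst != GLOBAL_ADDR:
            return None                      # nothing initiated from outside gets in
        _, inside_addr, inside_port, outside_addr, outside_port = flow
        if (d.src, d.sport) != (outside_addr, outside_port):
            return None                      # mapping belongs to a different outside peer
        return Datagram(d.proto, d.src, d.sport, inside_addr, inside_port, d.payload)

if __name__ == "__main__":
    nat = NAPT()
    request = Datagram("tcp", "10.0.1.5", 51000, "198.51.100.7", 80, b"GET / HTTP/1.1")
    on_wire = nat.outbound(request)          # seen by the server as 203.0.113.1:40000
    reply = Datagram("tcp", "198.51.100.7", 80, on_wire.src, on_wire.sport, b"HTTP/1.1 200 OK")
    print(nat.inbound(reply))                # delivered to 10.0.1.5:51000
```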
Interaction between NAT and ICMP
• Unexpected side effects of NAT.
– NAT changes the IP address in the source (from) field.
– NAT must handle higher layer protocols.
• Must handle ICMP (one of the most important ones).
• Determines if ICMP should be handled locally or sent to an internal host.
• If sending to an internal host NAT must translate the ICMP message.
• ICMP message translation example.
– Example message: destination unreachable.
• Message contains the header from a datagram D that caused the error.
• Since NAT translated the address in the header of D before sending it, NAT
must open the ICMP message and translate the address in D's header back to
the original host's address.
• NAT must also re-compute the checksum of the D header and of the ICMP
message.
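The ICMP translation described above, as an added example that is not part of the slides: the NAT box opens a destination-unreachable message, maps the quoted header of D back to the inside host, and recomputes the embedded IP, ICMP and outer IP checksums. The addresses and the one-entry table are constructed.

```python
# Added example, not part of the slides: translating an inbound ICMP
# "destination unreachable" message whose body quotes the header of the
# datagram D that caused it. Addresses, ports and the table entry are
# constructed; the packet layout follows IPv4 and ICMP without options.
import socket
import struct

GLOBAL_ADDR = "203.0.113.1"                # NAT box address (assumed)
NAPT_TABLE = {40000: ("10.0.1.5", 51000)}  # constructed: NAT port -> (inside addr, inside port)
IP_FMT = "!BBHHHBBH4s4s"

def checksum(data):
    """Internet checksum (one's complement sum), as used by IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_header(src, dst, proto, payload_len):
    hdr = struct.pack(IP_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def parse_ip(hdr):
    f = struct.unpack(IP_FMT, hdr[:20])
    return {"proto": f[6], "src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9])}

def set_ip_addrs(hdr, src=None, dst=None):
    """Replace source and/or destination of a header and recompute its checksum."""
    src_b = socket.inet_aton(src) if src else hdr[12:16]
    dst_b = socket.inet_aton(dst) if dst else hdr[16:20]
    hdr = hdr[:10] + b"\x00\x00" + src_b + dst_b
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def icmp_unreachable(reporter, d):
    """What an outside host sends back: ICMP type 3 quoting D's header plus 8 octets."""
    body = struct.pack("!BBHI", 3, 1, 0, 0) + d[:28]
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ip_header(reporter, GLOBAL_ADDR, 1, len(body)) + body

def translate_inbound_icmp(pkt):
    """Rewrite an ICMP error for the inside host that sent D; None means drop."""
    outer = parse_ip(pkt)
    if outer["proto"] != 1 or outer["dst"] != GLOBAL_ADDR:
        return None
    icmp = pkt[20:]
    if icmp[0] != 3 or len(icmp) < 36:      # only "destination unreachable" with a quoted D
        return None
    d_hdr, d_ports = icmp[8:28], icmp[28:36]
    sport, dport, seq = struct.unpack("!HHI", d_ports)
    # D left the site with source = (GLOBAL_ADDR, NAT port); undo that mapping
    if parse_ip(d_hdr)["src"] != GLOBAL_ADDR or sport not in NAPT_TABLE:
        return None
    inside_addr, inside_port = NAPT_TABLE[sport]
    new_d = set_ip_addrs(d_hdr, src=inside_addr) + struct.pack("!HHI", inside_port, dport, seq)
    new_icmp = icmp[:2] + b"\x00\x00" + icmp[4:8] + new_d + icmp[36:]
    new_icmp = new_icmp[:2] + struct.pack("!H", checksum(new_icmp)) + new_icmp[4:]
    return set_ip_addrs(pkt[:20], dst=inside_addr) + new_icmp

if __name__ == "__main__":
    d = ip_header(GLOBAL_ADDR, "198.51.100.7", 6, 8) + struct.pack("!HHI", 40000, 80, 1000)
    fixed = translate_inbound_icmp(icmp_unreachable("198.51.100.7", d))
    print(parse_ip(fixed)["dst"], struct.unpack("!HHI", fixed[48:56]))
```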
Interaction Between NAT and Applications
• NAT Effect on application protocols.
– In general NAT will not work with any application that sends IP
addresses or protocol ports as data.
– Example application protocol: FTP.
• Part of FTP protocol is one machine obtaining the port number of
another machine over a TCP connection.
• In FTP protocol the port number is sent as data.
• In order for this protocol to function properly through NAPT, the
port number in the data stream must be changed to agree with the
NAPT port number.
• NAT recognition of application protocols.
– Implementations of NAT have been created that recognize popular
protocols such as FTP and make the necessary changes in the data
stream.
Interaction Between NAT and Applications
Continued
• Custom application protocols nonfunctional with NAT.
– NAT affects ICMP and higher level protocols.
– An application protocol that passes IP addresses or protocol port
numbers as data will not operate correctly across NAT.
• Changing items in a data stream (to make application protocols work) increases
the complexity of NAPT.
– NAPT must have detailed knowledge of each application that transfers
such information.
– If items are represented in ASCII (FTP protocol) changing the value can
change the number of octets transferred.
• Inserting or removing octets in the data stream is difficult because
all octets have a sequence number in a stream.
• Sender and receiver don’t know that the number of octets has been
changed and they will get out of sync.
• NAT will have to translate the sequence numbers in each outgoing
segment and each incoming acknowledgement.
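An added example (not from the slides) of the FTP case: the helper rewrites the ASCII PORT command, notes that the rewrite added octets, and translates the sequence numbers of later client segments and the acknowledgement numbers coming back from the server. Addresses, ports and the port allocator are constructed, and segments are assumed to arrive in stream order.

```python
# Added example, not part of the slides: an FTP helper for NAPT that rewrites the
# ASCII "PORT h1,h2,h3,h4,p1,p2" command the inside client sends, records the
# change in octet count, and shifts later sequence and acknowledgement numbers.
# Addresses, ports and the port allocator are constructed; segments are assumed
# to arrive in stream order (no reassembly of out-of-order segments is done).
import re
from dataclasses import dataclass

GLOBAL_ADDR = "203.0.113.1"   # NAPT box address (assumed)
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n\Z")

@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload octet
    ack: int        # next octet expected from the peer
    payload: bytes

class FtpAlg:
    """State for one FTP control connection from an inside client."""
    def __init__(self, allocate_port):
        self.allocate_port = allocate_port  # returns a free NAT port for the data connection
        self.changes = []     # (orig_end, translated_end, delta) per rewritten command
        self.data_maps = []   # (NAT port, (inside addr, inside port)) entries NAPT must install

    def _to_translated(self, seq):
        return seq + sum(delta for orig_end, _, delta in self.changes if seq >= orig_end)

    def _to_original(self, ack):
        return ack - sum(delta for _, trans_end, delta in self.changes if ack >= trans_end)

    def client_to_server(self, seg):
        """Rewrite a PORT command if present; shift seq by octets added earlier."""
        new_seq = self._to_translated(seg.seq)
        payload = seg.payload
        m = PORT_RE.match(seg.payload)
        if m:
            inside_addr = ".".join(g.decode() for g in m.groups()[:4])
            inside_port = int(m.group(5)) * 256 + int(m.group(6))
            nat_port = self.allocate_port()
            self.data_maps.append((nat_port, (inside_addr, inside_port)))
            payload = b"PORT %s,%d,%d\r\n" % (
                GLOBAL_ADDR.replace(".", ",").encode(), nat_port // 256, nat_port % 256)
            delta = len(payload) - len(seg.payload)
            self.changes.append((seg.seq + len(seg.payload), new_seq + len(payload), delta))
        return Segment(new_seq, seg.ack, payload)

    def server_to_client(self, seg):
        """The server acknowledges the rewritten stream; map its ack back to the client's numbering."""
        return Segment(seg.seq, self._to_original(seg.ack), seg.payload)

if __name__ == "__main__":
    alg = FtpAlg(lambda: 40000)
    print(alg.client_to_server(Segment(112, 520, b"PORT 10,0,1,5,199,72\r\n")))
    print(alg.client_to_server(Segment(134, 540, b"LIST\r\n")))      # seq shifted by 3
    print(alg.server_to_client(Segment(540, 137, b"200 PORT command successful\r\n")))
```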
NAT in the Presence of Fragmentation
• Assumptions about IP.
– In describing NAT an assumption was made that the NAT system receives
complete IP datagrams and not fragments.
• Fragmentation creates added complexity in NAPT (the widely used version of
NAT).
– NAPT uses information (port numbers) from the transport header.
– Only the first fragment of a datagram carries the transport protocol
header.
– Before NAPT can operate on a datagram, it must receive and examine
the first fragment of the datagram.
• Resolutions of the NAPT Datagram Fragmentation Problem
– Slow speed networks save fragments and reassemble the datagram.
– Other networks reject fragmented datagrams.
Conceptual Address Domains
• Standard NAT use is to connect a private network to the global internet.
• NAT can be used to interconnect any two address domains.
– It can be used between two corporations that use the same private address space. (10.0.0.0)
• NAT can also be used at two levels.
– It can be used between a customer’s private domain and the ISP’s private address domain. (first level)
– It can also be used between the ISP’s address domain and the global internet. (second level)
• Combination of NAT and VPN.
– A hybrid architecture can be created in which private addresses are used within the organization and
NAT is used to provide connectivity between each site and to the global internet.
• Example of multiple levels of NAT:
– An employee working from several computers at home connected to a LAN.
– He can assign private addresses to his machines and use NAT between home and the corporate intranet.
– The corporation can assign private addresses to its intranet and use NAT between the intranet and the
global internet.
Slirp and IP Tables
• The two most popular implementations of NAT are:
– Slirp (derived from 4.4 BSD)
• Combines PPP and NAT.
• Is used in a dialup architecture.
– One valid global IP address.
– Permanent internet connection.
– One or more dialup modems.
• Implements NAPT. (uses protocol numbers)
• Multiple computers can access the internet at the same time.
• Main advantage is that it can use a general UNIX account with internet
access.
– IP-Tables (Linux operating system)
• Combination of tools for packet rewriting and firewalling.
• Provides stateful packet inspection.
• NAT or NAPT can be formed using specific sets of IP-Tables rules.
Summary
• VPN offers low cost alternative that allows an organization to use the
global internet to securely interconnect multiple sites.
• Two technologies exist that provide communication between the hosts in
different address domains.
• Application gateways act as a proxy by receiving a request from a host in
one domain, forwarding it to another domain, and later returning the result
to an original host.
• Network Address Translation provides transparent IP-level access to the
internet from a host with a private address.
• Most NAT implementations perform Network Address and Port Translation
(NAPT).
Questions