Chapter 4
Virtual Private Network
Objectives
- VPN Overview
- Tunneling Protocol
- Deployment models
- Lab Demo
Lecturer : Trần Thị Ngọc Hoa

Overview of VPN

VPN Concept
- Virtual Private Networks are logical networks that allow users to securely connect through the Internet to a remote private network.

VPN Deployment Scenarios
- Remote Access VPN
- Extranet VPN (Site to Site, Router to Router)
- Mixed VPN with Firewall

Tunneling
- Tunneling is the process of encapsulating a payload protocol inside another protocol.
- It provides a secure path through an untrusted network or across an incompatible network.

Tunneling Protocol
- GRE: Generic Routing Encapsulation
  - Cisco proprietary tunneling protocol
- PPTP (with/without MPPE): Point to Point Tunneling Protocol
  - Microsoft proprietary tunneling protocol
- L2TP (with/without IPSec): Layer 2 Tunneling Protocol
  - Created by Cisco and Microsoft

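Tunneling as "encapsulating a payload protocol inside another protocol", shown concretely with GRE. This is an added Python example, not code from the slides: it builds an inner IPv4 packet, wraps it in the basic 4-byte GRE header (no optional fields) behind a new outer IPv4 header carrying IP protocol 47, and unwraps it again while verifying the outer header checksum. The addresses and the payload are constructed sample values; the protocol numbers (47 for GRE, 50 for ESP, 51 for AH) are the IANA assignments.

```python
import socket
import struct

# IANA IP protocol numbers: GRE is 47; ESP (50) and AH (51) are the IPSec ones from the slides.
PROTO_GRE = 47
PROTO_ESP = 50
PROTO_AH = 51
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" field value for an IPv4 payload

# version/IHL, TOS, total length, id, flags/fragment, TTL, protocol, checksum, src, dst
IPV4_HDR = "!BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the ones' complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, ident: int = 0) -> bytes:
    """Prepend a minimal 20-byte IPv4 header (no options, DF set) to payload."""
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, 0x4000, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse an IPv4 packet; raises ValueError on a bad version, length or header checksum."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:  # a header with a correct checksum verifies to zero
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "protocol": proto, "payload": packet[ihl:total_len]}


def gre_encapsulate(outer_src: str, outer_dst: str, inner_packet: bytes) -> bytes:
    """Tunnel inner_packet as [outer IPv4 header, proto 47][GRE header][inner IPv4 packet]."""
    gre_header = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no C/K/S flags, GRE version 0
    return build_ipv4(outer_src, outer_dst, PROTO_GRE, gre_header + inner_packet)


def gre_decapsulate(outer_packet: bytes) -> bytes:
    """Reverse of gre_encapsulate; returns the inner packet or raises ValueError."""
    outer = parse_ipv4(outer_packet)
    if outer["protocol"] != PROTO_GRE:
        raise ValueError("outer packet is not GRE")
    gre = outer["payload"]
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags_version, ptype = struct.unpack("!HH", gre[:4])
    if flags_version != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header (optional fields present or non-IPv4 payload)")
    inner = gre[4:]
    parse_ipv4(inner)  # validate the inner header too before handing it to the private network
    return inner


if __name__ == "__main__":
    # Constructed sample: a UDP packet (protocol 17) between two private hosts,
    # carried between two tunnel endpoints that use documentation-range addresses.
    inner = build_ipv4("10.0.0.1", "10.0.0.2", 17, b"hello over the tunnel")
    outer = gre_encapsulate("203.0.113.1", "198.51.100.1", inner)
    print("outer protocol:", parse_ipv4(outer)["protocol"],
          "| encapsulation overhead:", len(outer) - len(inner), "bytes")
    print("round trip ok:", gre_decapsulate(outer) == inner)
```

The outer header is what the untrusted network routes on; the inner addresses (10.0.0.x here) never have to be routable outside the tunnel. Note that plain GRE adds no confidentiality or integrity, which is why the slides pair it with IPSec.
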
IP Security
- IP Security Overview
- Algorithms
- IPSec Protocols

IP Security Overview
- Open standard developed by the IETF's IPSec working group.
- Security Architecture for the Internet Protocol.
- Designed to work at Layers 3 and 4 of the OSI model.
- IPSec protects data by providing the following services:
  - Data authentication
    - Data integrity
    - Data origin authentication between
      - a pair of gateways
      - a pair of hosts
      - a host and its gateway
  - Replay protection
  - Encryption
- Many different types of algorithm are used in IPSec.
- 2 primary protocols (IP protocol numbers in parentheses):
  - AH – Authentication Header (51)
  - ESP – Encapsulating Security Payload (50)

Encryption Algorithms
- Designed to assure data confidentiality.
- 2 different methods:
  - Symmetrical
  - Asymmetrical

Symmetrical Algorithms
(Diagram: the same session key is used to encrypt Data into the ciphertext "#$ad^&*" and to decrypt it back to Data.)
- DES – Data Encryption Standard
  - 56-bit key – 64-bit data block
  - Number of keys = 72,000,000,000,000,000
- 3DES
  - Three phases: Encrypt – Decrypt – Encrypt
  - 168-bit key – 64-bit data block
- AES – Advanced Encryption Standard
  - 128-, 192- or 256-bit key

Asymmetric Algorithms
(Diagram: the public key encrypts Data into the ciphertext "#$ad^&*"; the private key decrypts it back to Data.)
- 2 different but related keys are required.
- RSA – Rivest, Shamir, and Adleman
- ElGamal

Hashing Algorithms
- Hashing algorithms are used for authentication and integrity assurance of data.
- They are based on some type of one-way hash function.
- SHA
  - 160-bit output
- MD5
  - 128-bit output
- Collision: 2 different inputs => the same output
- SHA is preferred over MD5.

Hashing Example

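A worked hashing example, added here and not part of the original slides. It uses Python's standard hashlib and hmac modules to show the 128-bit and 160-bit output sizes from the slide, the avalanche effect (a one-character change in the input flips roughly half the digest bits), and the difference between integrity alone and data origin authentication: an unkeyed hash can be recomputed by anyone who alters the data, whereas a keyed digest (HMAC) needs the key the IPSec peers share. The message and the key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (not from the slides).
MESSAGE = b"transfer 100 to account 42"
TAMPERED = b"transfer 100 to account 43"      # one character changed
SHARED_KEY = b"constructed-pre-shared-key"    # hypothetical key held by both IPSec peers


def digest_bits(algorithm: str, data: bytes) -> int:
    """Output length in bits of a hashlib algorithm ('md5' -> 128, 'sha1' -> 160)."""
    return len(hashlib.new(algorithm, data).digest()) * 8


def avalanche(a: bytes, b: bytes, algorithm: str = "sha1") -> int:
    """Number of digest bits that differ between hash(a) and hash(b)."""
    da = hashlib.new(algorithm, a).digest()
    db = hashlib.new(algorithm, b).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))


def unkeyed_check(data: bytes, digest: bytes, algorithm: str = "sha1") -> bool:
    """Integrity only: detects accidental corruption, but not deliberate substitution."""
    return hashlib.new(algorithm, data).digest() == digest


def unkeyed_pair(data: bytes, algorithm: str = "sha1"):
    """Data plus its plain digest. Whoever can change the data can also recompute this digest,
    so a plain hash sent alongside the data proves nothing about who sent it."""
    return data, hashlib.new(algorithm, data).digest()


def integrity_tag(key: bytes, data: bytes) -> bytes:
    """Keyed digest (HMAC-SHA-256): only a holder of key can produce a matching tag."""
    return hmac.new(key, data, hashlib.sha256).digest()


def keyed_check(key: bytes, data: bytes, tag: bytes) -> bool:
    """Constant-time comparison so that verification does not leak timing information."""
    return hmac.compare_digest(integrity_tag(key, data), tag)


if __name__ == "__main__":
    for name in ("md5", "sha1", "sha256"):
        print(f"{name}: {digest_bits(name, MESSAGE)} bits -> {hashlib.new(name, MESSAGE).hexdigest()}")
    print("bits changed by editing one character (SHA-1):", avalanche(MESSAGE, TAMPERED))

    # Plain hash: a substituted message with a recomputed digest still "verifies".
    print("unkeyed check on substituted message:", unkeyed_check(*unkeyed_pair(TAMPERED)))

    # HMAC: the tag is bound to the key, so a changed message or a wrong key fails.
    tag = integrity_tag(SHARED_KEY, MESSAGE)
    print("keyed check, genuine message:", keyed_check(SHARED_KEY, MESSAGE, tag))
    print("keyed check, altered message:", keyed_check(SHARED_KEY, TAMPERED, tag))
    print("keyed check, wrong key:", keyed_check(b"other-key", MESSAGE, tag))
```

The "collision" bullet on the slide is why MD5 (and later SHA-1) fell out of favour: practical collisions exist for MD5, so two different inputs can carry the same digest. In IPSec the hash is always used in keyed form (HMAC) for exactly the reason the last three checks illustrate.
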
Key Exchange Problem
- Question: How do you get the key from one device to the other?
  - If the key is sent across an untrusted network, you run the risk of it being sniffed and captured by a hacker.
  - If you phone the technician at the other end, you run the risk of phone tapping.
- Answer: Diffie-Hellman

Diffie-Hellman Key Exchange
- The Diffie-Hellman key exchange is used for automatic secure exchange of
  - symmetrical keys
  - other types of keys
- Algorithm description (glass-and-liquid analogy):
  - Step 1: A and B each pour their favourite drink into their own glass.
  - Step 2: A and B pour the same liquid into their glasses.
  - Step 3: A and B exchange their glasses. Each then picks up the other's liquid and mixes it with their own.

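The three steps above carried out with real arithmetic, as an added Python example that is not part of the original slides. The "favourite drink" is each side's private exponent, the "same liquid" is the public prime p and generator g, the exchanged "glass" is g^a mod p, and mixing gives both sides the same g^ab mod p without the private values ever crossing the network. The group parameters are the 1024-bit MODP group from RFC 2409 (section 6.2, generator 2), transcribed here; the exchange and session-key derivation are the added code's own, using only the Python standard library.

```python
import hashlib
import secrets

# 1024-bit MODP group ("Second Oakley Group", RFC 2409 section 6.2), generator 2.
# Transcribed here; check it against the RFC before relying on it. Real deployments
# use larger groups, but the arithmetic below is identical.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def private_value() -> int:
    """Step 1: the secret exponent ("favourite drink") that never leaves the host."""
    return secrets.randbelow(P - 3) + 2          # uniformly in [2, p-2]


def public_value(private: int) -> int:
    """Step 2: g^a mod p, the "glass" that is safe to hand across the untrusted network."""
    return pow(G, private, P)


def shared_secret(private: int, peer_public: int) -> int:
    """Step 3: (g^b)^a mod p. Degenerate peer values (0, 1, p-1) are rejected because
    they would force the shared secret into a tiny, guessable set."""
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_public, private, P)


def session_key(secret: int) -> bytes:
    """Hash the shared secret down to a 256-bit symmetric session key for the data path."""
    return hashlib.sha256(secret.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def exchange():
    """Run one exchange between A and B; returns both derived keys and what the network saw."""
    a, b = private_value(), private_value()
    A, B = public_value(a), public_value(b)
    # Only A and B cross the network. An eavesdropper holding p, g, A and B would have to
    # solve the discrete logarithm problem to recover a or b.
    key_a = session_key(shared_secret(a, B))
    key_b = session_key(shared_secret(b, A))
    return key_a, key_b, (A, B)


if __name__ == "__main__":
    ka, kb, seen_on_wire = exchange()
    print("both sides derived the same key:", ka == kb)
    print("session key:", ka.hex())
```

Diffie-Hellman on its own protects against a passive eavesdropper only; an active attacker in the middle could run separate exchanges with each side. That is why IKE (later in the chapter) authenticates the peers before the derived keys are trusted.
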
IPSec Protocols
- AH
  - Provides:
    - Data integrity
    - Data authentication
    - Anti-replay protection (optionally)
  - Does not provide any form of encryption for the payload of the packet.
- ESP
  - Provides payload encryption
  - Provides authentication and integrity

Security Mode
- Both ESP and AH can operate in two different modes.
- Tunnel Mode:
  - The entire packet is encrypted, then encapsulated with a new, unprotected IP header.
- Transport Mode:
  - Default mode
  - The original IP header is reused with the new packet.
  - The current IP header has been used in the hashing algorithm and therefore cannot be changed between sender and receiver.

Security Associations
- A set of policy and key(s) used to protect data, agreed before an IPSec tunnel can be created.
- Each SA gets a unique 32-bit Security Parameter Index (SPI) number that is sent in every packet pertaining to the specific SA.
- The SA keeps track of general information such as the following:
  - Source IP address
  - Destination IP address
  - IPSec protocols used
  - SPI number
  - Encryption and authentication algorithms
  - Key lifetime (sets the amount of time and/or byte count that a key is valid for; the longer the time, the more vulnerable your data is)

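The SA fields listed above, together with the anti-replay service from the IPSec Protocols slide, as an added Python example that is not code from the slides. It models an SA record looked up by destination address, SPI and protocol, enforces the key lifetime in both seconds and bytes, and implements the sliding-window anti-replay check of RFC 4303 Appendix A over the per-packet sequence number. The addresses, SPI and algorithm labels are constructed sample values.

```python
import time
from dataclasses import dataclass, field

PROTO_ESP = 50
PROTO_AH = 51
REPLAY_WINDOW = 64   # packets; the RFC 4303 default window size


@dataclass
class SecurityAssociation:
    """One direction of IPSec protection, identified by (dst, SPI, protocol)."""
    spi: int
    src: str
    dst: str
    protocol: int            # 50 = ESP, 51 = AH
    encryption: str          # constructed label, e.g. "aes-256-cbc"
    authentication: str      # constructed label, e.g. "hmac-sha256-128"
    lifetime_seconds: int    # key lifetime in time ...
    lifetime_bytes: int      # ... and/or in bytes, whichever is reached first
    created: float = field(default_factory=time.time)
    bytes_processed: int = 0
    highest_seq: int = 0     # highest sequence number accepted so far
    window: int = 0          # bitmap: bit i set means packet (highest_seq - i) was seen

    def expired(self, now=None) -> bool:
        """A key past either lifetime limit must not be used; IKE has to negotiate a new SA."""
        now = time.time() if now is None else now
        return (now - self.created >= self.lifetime_seconds
                or self.bytes_processed >= self.lifetime_bytes)

    def accept_sequence(self, seq: int) -> bool:
        """Sliding-window anti-replay check. True = accept, False = drop the packet."""
        if seq <= 0:
            return False                      # sequence numbers start at 1
        if seq > self.highest_seq:            # new high water mark: slide the window right
            shift = seq - self.highest_seq
            if shift >= REPLAY_WINDOW:
                self.window = 1
            else:
                self.window = ((self.window << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= REPLAY_WINDOW:
            return False                      # too old: fell off the left edge of the window
        bit = 1 << offset
        if self.window & bit:
            return False                      # already seen: a replayed packet
        self.window |= bit                    # late but genuine: accept once
        return True

    def process(self, seq: int, length: int, now=None) -> bool:
        """Full inbound decision for one packet: SA still valid and sequence not replayed."""
        if self.expired(now) or not self.accept_sequence(seq):
            return False
        self.bytes_processed += length
        return True


class SecurityAssociationDatabase:
    """Inbound SAD: the receiver finds the SA from fields present in every packet."""

    def __init__(self):
        self._sas = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._sas[(sa.dst, sa.spi, sa.protocol)] = sa

    def lookup(self, dst: str, spi: int, protocol: int):
        return self._sas.get((dst, spi, protocol))


if __name__ == "__main__":
    sad = SecurityAssociationDatabase()
    sad.add(SecurityAssociation(spi=0x1000, src="203.0.113.1", dst="198.51.100.1",
                                protocol=PROTO_ESP, encryption="aes-256-cbc",
                                authentication="hmac-sha256-128",
                                lifetime_seconds=3600, lifetime_bytes=10_000))
    sa = sad.lookup("198.51.100.1", 0x1000, PROTO_ESP)
    # Constructed arrival order: in order, one replay, a large jump, a stale packet, a late one.
    for seq in (1, 2, 3, 2, 70, 3, 50, 50):
        print(f"seq {seq:3d}: {'accept' if sa.process(seq, 100) else 'drop'}")
```

The window bitmap is what lets the receiver accept reordered packets (50 after 70 is fine) while still rejecting duplicates and anything older than the window; without it, a captured packet could be resent and pass the integrity check because its HMAC is genuine.
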
Internet Key Exchange
- Internet Key Exchange (IKE) is used to establish all the information needed for a tunnel, i.e. the SA.
- 2 phases:
  - Main mode – IKE Phase 1
  - Quick mode – IKE Phase 2