Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Computer security wikipedia , lookup
Internet protocol suite wikipedia , lookup
Recursive InterNetwork Architecture (RINA) wikipedia , lookup
Deep packet inspection wikipedia , lookup
Wireless security wikipedia , lookup
Extensible Authentication Protocol wikipedia , lookup
Chapter 4 Virtual Private Network Objectives VPN Overview Tunneling Protocol Deployment models Lab Demo Lecturer : Trần Thị Ngọc Hoa 2 Overview of VPN Lecturer : Trần Thị Ngọc Hoa 3 VPN Concept Virtual Private Networks are logical network that allows users to securely connect through the internet to a remote private network VPN Deployment Scenarios Remote Access VPN VPN Deployment Scenarios Extranet VPN ( Site to Site, Router to Router ) VPN Deployment Scenarios Mixed VPN with Firewall Tunneling Tunneling is a process of encapsulating a payload protocol into another protocol Provide a secure path through an untrusted network or an incompatible network. Lecturer : Trần Thị Ngọc Hoa 8 Tunneling Protocol GRE PPTP ( with/without MPPE ) Generic Routing Encapsulation Cisco Proprietry Tunneling Protocol Point to Point Tunneling Protocol Microsoft proprietry tunneling protocol L2TP ( with/without IPSec ) Layer 2 Tunneling Protocol Created by Cisco and Microsoft Lecturer : Trần Thị Ngọc Hoa 9 IP Security IP Security Overview Algorithms IPSec Protocols Lecturer : Trần Thị Ngọc Hoa 10 IP Security Overview Open standard developed by IETF’s IPSec working group. Security Architecture for the Internet Prototol Designed to work at Layers 3 and 4 of the OSI model. IPSec protects data by providing the following services : Data Authentication Data integrity Data origin authentication between A pair of gateways A pair of hosts A host and its gateway Relay protection Encryption Many different types of algorithm are used in IPSec 2 primary protocols AH – Authentication Header - 51 ESP – Encryption Security Payload - 50 Lecturer : Trần Thị Ngọc Hoa 11 Encryption Algorithms Designed for data confidentiality assurance 2 different methods Symmetrical Asymmetrical Lecturer : Trần Thị Ngọc Hoa 12 Symmetrical Algorithms Session key Data Session key Encrypt Decrypt Data #$ad^&* DES – Data Encryption Standard 3DES 56 bit key – 64 data bit block No of Key = 72,000,000,000,000,000 Three phases Encrypt – Decrypt – Encrypt 168 bit key – 64 data bit block AES – Advanced Encryption Standard 128-192-256 bit key Lecturer : Trần Thị Ngọc Hoa 13 Asymmetric Algorithms Public key Data Private key Encrypt Decrypt Data #$ad^&* 2 different but related keys are required. RSA -Rivest, Shamir, and Adelman ElGamal Lecturer : Trần Thị Ngọc Hoa 14 Hashing Algorithms Hashing algorithms are used for authentication and integrity assurance for data They are based on some type of one-way hashing function. SHA MD5 128 bits output 160 bits output Collision : 2 different inputs => the same output SHA is prefered than MD5 Lecturer : Trần Thị Ngọc Hoa 15 Hashing Example Lecturer : Trần Thị Ngọc Hoa 16 Key Exchange Problem Question : How to get the key from one device to the other ? If the key is sent across an untrusted network, you run the risk of it being sniffed and captured by a hacker. If you phone the technician at the other end, you run the risk of phone tapping. Answer : Diffie Hellman Lecturer : Trần Thị Ngọc Hoa 17 Diffie Hellman Key Exchange The Diffe-Hellman key exchange is used for automatic secure key exchange of Symmetrical keys Other types of keys Algorithm Description Step 1 : A and B pour their favourite drink into the glass Step 2 : A and B pour the same liquid into the glass Step 3 : A and B exchange their own glass.Then pickup the other liquid and mixed with their own one Lecturer : Trần Thị Ngọc Hoa 18 IPSec Protocols AH Provide Data integrity Data authentication Antireplay protection (optionally) Not provide any form of encryption to the payload of the packet. ESP Provide payload encryption Provide authentication and integrity Lecturer : Trần Thị Ngọc Hoa 19 Security Mode Both ESP and AH can operate in two different modes Tunnel Mode : The entire packet is encrypted then encapsulated with a new, unprotected IP header. Transport Mode : Default mode The original IP header is reused with the new packet The current IP header has been used in the hashing algorithm and therefore cannot be changed from sender to receiver. Lecturer : Trần Thị Ngọc Hoa 20 Security Associations A set of policy and key(s) used to protect data before an IPSec tunnel can be created. Each SA gets a unique 32-bit Security Parameter Index number – SPI – that is sent in every packet pertaining to the specific SA. The SA keeps track of general information such as the following: Source IP address Destination IP address IPSec protocols used SPI number Encryption and authentication algorithms Key lifetime (sets the amount of time and/or byte count that a key is valid for; the longer the time, the more vulnerable your data is) Lecturer : Trần Thị Ngọc Hoa 21 Internet Key Exchange Internet Key Exchange (IKE) is used to establish all the information needed – SA – for a tunnel. 2 phases Main mode – IKE Phase 1 Quick mode – IKE Phase 2 Lecturer : Trần Thị Ngọc Hoa 22