A Security Pattern for a Virtual Private Network
Ajoy Kumar and Eduardo B. Fernandez
Dept. of Computer Science and Eng.
Florida Atlantic University
Boca Raton, FL, USA
Secure Systems Research Group – Florida Atlantic University
Introduction
• Virtual Private Networks (VPN) make use of public network resources to access internal nodes of an enterprise. Within the VPN, the transmission is protected by security mechanisms to provide confidentiality and integrity. So a “private” network is established. Since this network exists only in a virtual sense, it has been termed a virtual private network.
VPN
• A VPN uses a technique called tunneling, in which data is transmitted across a public network in a cryptographic tunnel that simulates an end-to-end connection. Both ends of the tunnel may be private, or one end may be private and the other in the public domain.
VPN
(Figure: VPN between Site A and Site B.)
R1 – Router at Site A.
R2 – Router at Site B.
Figure 2. Network Layers and Patterns

Layer        FireWall    IDS         VPN          Protocol
Application  XML FW      XML IDS     XML VPN      SAML
TCP          Proxy FW    TCP IDS     TLS/SSL VPN  TLS
IP           Packet FW   Packet IDS  IPSec VPN    IPSec

(Vertical labels beside the table in the original figure: AUTHENTICATION, SECRECY, AUTHORIZATION, IDENTIFICATION.)
Pattern Diagram for VPN
(Pattern diagram; nodes: VPN, TLS VPN, TLS, IP VPN, XML VPN, IPSec, Authentication, Secure Channel.)
Problem
• In today’s world, a lot of people work remotely. They need a secure connection to their company network. We need to develop a secure architecture so that confidential work can be performed. Many companies have offices distributed all over the globe. The employees of such companies need to communicate securely.
Forces
• The number of users remotely connected may be growing; the system should be scalable.
• The system should be flexible enough to accommodate different ways of providing security.
• We should restrict access to the system to only authorized users.
• We need to use the Internet or public networks to reduce cost; this in turn subjects the private network established within the public network to the numerous threats faced by public networks, such as Denial of Service and other attacks.
Solution
• A secure VPN connection is established between the end user and the local network. A cryptographic tunnel is set up between the end user and the local network. This VPN tunnel may provide data integrity and confidentiality if properly implemented. The network is able to authenticate a user accessing an end point.
Class Diagram
(Class diagram; classes: Network, VPN, Network End Point, Authenticator, Secure Channel, Identity Base, Identity, with their multiplicities.)
Sequence Diagram
(Sequence diagram; lifelines: :End Point, :VPN, :Identity, :Identity Base, :Secure Channel, :Network. Messages, in order: RequestAuth, authenticate, check, authenticated, Establish Secure Channel, Established, VPN Connection, Established.)
Variants
• Virtual Private Networks can be established at the Application layer, the IP layer or the TCP layer. XML VPNs are established at the application layer, IP VPNs are established at the IP layer, and TLS VPNs are established at the TCP layer.
Known Uses
• Citrix provides a site-to-site SSL VPN connection for remote users to log into the secure network as well as to access applications on the company (secure) network. [Cit]
• Cisco VPN, on the other hand, uses an IPSec VPN. [Cis]
• Nokia VPN provides VPN connections for Nokia mobile users. [Nok]
Advantages
• Users are authenticated by the system to control their access to the VPN.
• We could add a logging system for the users logging in at the end points for future audits.
• If we use secure encryption, we can provide data confidentiality and integrity for the messages sent through the VPN.
Disadvantages
• If the VPN connection is compromised, the attacker could get full access to the internal network.
• Because of encryption, VPN traffic is invisible to IDS monitoring. If the IDS probe is outside the VPN server, as is often the case, then the IDS cannot see the traffic within the VPN tunnel. Therefore, if a hacker gains access to the VPN, he can attack the internal systems without being detected by the IDS.
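The flow of the Solution and Sequence Diagram slides (the end point is authenticated against the Identity Base first, and only then is a Secure Channel established) together with the IDS-visibility disadvantage just described, as an added Python example; it is not code from the original slides or from the authors' research group. The class names follow the pattern's class diagram. The credential, the HTTP request, the IDS signatures and the HMAC-based encrypt-then-MAC tunnel are constructed for the demonstration and stand in for whatever real protocol (TLS, IPSec) a given variant uses; the session key is drawn at random where a real VPN would run a key agreement.

```python
import hashlib
import hmac
import secrets
# Added example for the VPN pattern; all names, keys and payloads below are constructed, not from the slides.

def derive_verifier(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class IdentityBase:
    """Salted PBKDF2 verifiers for enrolled identities (constructed sample data)."""
    def __init__(self):
        self._verifiers = {}
    def enroll(self, user, password):
        salt = secrets.token_bytes(16)
        self._verifiers[user] = (salt, derive_verifier(password, salt))
    def check(self, user, password):
        record = self._verifiers.get(user)
        if record is None:
            return False
        salt, expected = record
        return hmac.compare_digest(derive_verifier(password, salt), expected)

class Authenticator:
    """Consults the Identity Base and records every attempt for later audit (the Advantages slide's logging)."""
    def __init__(self, identity_base):
        self.identity_base = identity_base
        self.audit_log = []
    def authenticate(self, user, password):
        ok = self.identity_base.check(user, password)
        self.audit_log.append((user, "accepted" if ok else "rejected"))
        return ok

class SecureChannel:
    """Encrypt-then-MAC tunnel frame: nonce || ciphertext || tag. The keystream is HMAC-SHA256 in
    counter mode and the tag covers nonce and ciphertext. A teaching construction, not IPsec or TLS."""
    def __init__(self, session_key):
        self.enc_key = hmac.new(session_key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(session_key, b"mac", hashlib.sha256).digest()
    def _keystream(self, nonce, length):
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self.enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]
    def seal(self, plaintext):
        nonce = secrets.token_bytes(16)
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        return nonce + ciphertext + hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
    def open(self, frame):
        nonce, ciphertext, tag = frame[:16], frame[16:-32], frame[-32:]
        if not hmac.compare_digest(hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest(), tag):
            raise ValueError("integrity check failed: frame rejected")  # modified or forged in transit
        return bytes(c ^ k for c, k in zip(ciphertext, self._keystream(nonce, len(ciphertext))))

class VPN:
    """Gateway: authenticate first, only then establish the Secure Channel (the sequence diagram's order)."""
    def __init__(self, authenticator):
        self.authenticator = authenticator
    def connect(self, user, password):
        if not self.authenticator.authenticate(user, password):
            return None  # no tunnel for an unauthenticated end point
        session_key = secrets.token_bytes(32)  # stands in for the protocol's key agreement (TLS, IKE)
        return SecureChannel(session_key), SecureChannel(session_key)  # end-point side, gateway side

SIGNATURES = [b"/etc/passwd", b"' OR 1=1"]  # constructed IDS signatures

def ids_alerts(frames):
    """Signature-match IDS over whatever frames the probe can see at its placement."""
    return [sig for frame in frames for sig in SIGNATURES if sig in frame]

def demo():
    identities = IdentityBase()
    identities.enroll("alice", "correct horse battery")  # constructed credential
    vpn = VPN(Authenticator(identities))
    rejected = vpn.connect("alice", "wrong password") is None
    client, gateway = vpn.connect("alice", "correct horse battery")
    request = b"GET /etc/passwd HTTP/1.1"  # constructed payload that the signature set catches
    frame = client.seal(request)
    alerts_outside = ids_alerts([frame])               # probe on the public side sees only ciphertext
    alerts_inside = ids_alerts([gateway.open(frame)])  # probe behind the VPN terminator sees plaintext
    tampered = frame[:20] + bytes([frame[20] ^ 0x01]) + frame[21:]  # one ciphertext bit flipped in transit
    try:
        gateway.open(tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"rejected_login": rejected, "alerts_outside": alerts_outside, "alerts_inside": alerts_inside,
            "tamper_detected": tamper_detected, "audit_log": vpn.authenticator.audit_log}
```

Running demo() shows the same frame raising no alert when the probe sits on the public side of the tunnel and raising one once the probe is placed behind the VPN terminator, which is the placement the disadvantage above calls for; the rejected open() on a modified frame is the integrity property the Solution slide says a properly implemented tunnel provides, and the audit log is the logging the Advantages slide proposes.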
Disadvantages (Contd…)
• When one end of the VPN is a private end user, the remote computer used by that user is vulnerable to outside attacks, and a compromised remote computer can in turn attack the network it is connected to.
• The VPN tunnel is only as strong as the cryptographic protocol used.
Related Patterns
• Firewalls can be added to each network layer to make that layer more secure. [Fer03]
• IDS can also coexist in each of these network layers to detect attacks. [Fer05]
• Secure Channel and Authenticator establish the security mechanisms.
Conclusions
• A VPN is a basic component in network architectures. We presented here a pattern for its architecture and security properties. Future work will integrate this pattern with other patterns shown in Figure 3.
Q&A
• Suggestions
• Modifications
• Corrections