Privacy Issues in Virtual Private Networks
Tim Strayer
BBN Technologies

Slide 2: What is a VPN?
• Private network running over shared network infrastructure (Internet)
  - Allows interconnection of different corporate network sites
  - Allows remote users to access the corporate network
  - Allows controlled access between different corporate networks

Slide 3: Why VPNs?
[Diagram: a private network, in which the Headquarters and Remote Site intranets are linked over Frame Relay, ATM or a dial-up service, contrasted with a public-network “Intranet”, in which the same sites are linked over the Internet]

Slide 4: VPN Rationale
• Private Networks
  - Costly
  - Inflexible
  - Multiple Infrastructures
• Virtual Private Networks
  - Inexpensive
  - Configurable
  - Single Infrastructure

Slide 5: The First VPN
• 1975, BBN delivered the first Private Line Interface (PLI) to the Navy
• Created secure network communication over the ARPANET
• Used a proprietary encryption and manual keying system

Slide 6: VPN Technologies
• Tunneling
  - Overlay facilitates sharing common infrastructure
  - IPsec, PPTP, L2TP, MPLS
• Security
  - Authentication: PKI, RADIUS, Smartcard
  - Access Control: Directory Servers, ACLs
  - Data Security: Confidentiality, Integrity
• Provisioning
  - QoS
  - Traffic Engineering

Slide 7: Island Metaphor
[Diagram: islands exchanging “Hello!” and “Oh! Hi!” by ships labelled “SS Encapsulator”; an onlooker between the islands sees only “???”]

Slide 8: Tunneling
[Diagram: Outer Header | Inner Packet | Trailer; the inner packet is addressed for the target network, the outer header for the transport network]
• Usually layers are inverted
  - Normal stack: Ethernet (2) | IP (3) | TCP (4) | FTP (7)
  - Tunneled stack: Ethernet (2) | IP (3) | PPP (2) | IP (3)

Slide 9: Tunnels at Layer 2
• Point-to-Point Tunneling Protocol (PPTP)
  - Integrated into Microsoft DUN and RAS
  - Authentication/encryption provided by PPP
  - Stack: IP (3) | GREv2 (4) | PPP (2) | IP/IPX (3)
• Layer 2 Tunneling Protocol (L2TP)
  - Combines PPTP with Cisco L2F
  - Layer 2 tunneling, UDP encapsulation
  - Stack: IP (3) | UDP (4) | PPP (2) | IP/IPX/IPsec (3)

Slide 10: IPsec Protocol Suite
• Data encryption and authentication
• Two protocols
  - Encapsulating Security Payload (ESP) assures data privacy and party authentication
  - Authentication Header (AH) assures only party authentication
• Cryptographic key management
  - Works well with Public Key Infrastructure and X.509 Certificates
• Transport and tunnel modes of operation
  - IPsec VPNs use tunnel mode and ESP

Slide 11: IPsec Tunneling
[Diagram of the ESP tunnel-mode packet: New IP Header | Security Parameter Index | Sequence Number | Original IP Header | Original IP Payload | ESP Trailer | ESP Authentication. The Original IP Header and Original IP Payload together are the Original IP Packet; the span from the Original IP Header through the ESP Trailer is encrypted, and the span from the Security Parameter Index through the ESP Trailer is authenticated]

Slide 12: MPLS “Tunneling”
• Multi-Protocol Label Switching
  - High speed switching technology
  - Tunnel any layer
  - Built into edge/core routers and switches
  - No authentication/encryption
[Diagram: Label | IP Header | IP Payload, where IP Header and IP Payload are the Original Packet]

Slide 13: IPsec vs. MPLS
• Two dominant VPN technologies
• Let’s compare them with respect to their approaches to privacy
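The ESP tunnel-mode layout of the “IPsec Tunneling” slide, and the island metaphor behind it, are easier to see with a packet in hand. The following is an added example, not code from the slides or from BBN: it builds a tunnel-mode ESP packet with the standard library only, then shows what a passive tap on the transport network can read and what the receiving gateway checks before accepting it. Everything in it is constructed for illustration: a simplified 12-byte IP header, an HMAC-SHA256 counter-mode keystream standing in for the AES cipher a real IPsec stack would use, HMAC-SHA256 truncated to 16 bytes as the ESP Authentication field (ICV), and sample keys, addresses and data.

```python
"""Added example: ESP tunnel-mode encapsulation, decapsulation and a tap's view (constructed)."""
import hashlib
import hmac
import struct

ENC_KEY = b"constructed-encryption-key-000000"   # sample key, never reuse in practice
AUTH_KEY = b"constructed-authentication-key-0"   # sample key
ICV_LEN = 16            # bytes of ESP Authentication data appended to the packet
PROTO_ESP = 50          # IP protocol number of ESP
NEXT_HEADER_IPIP = 4    # ESP trailer "next header" value: an IP packet follows
OUTER_LEN = 12          # length of the simplified IP header used below


def ip_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Simplified IP header: 4-byte src, 4-byte dst, protocol, total length (constructed format)."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return addr(src) + addr(dst) + struct.pack("!HH", proto, total_len)


def keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES); (SPI, seq) makes it unique per packet."""
    out = b""
    block = 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(inner_pkt: bytes, spi: int, seq: int, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the whole original IP packet becomes the ESP payload.
    Layout: New IP Header | SPI | Seq | [Original IP Header | Original IP Payload | ESP Trailer] | ICV
    The bracketed part is encrypted; SPI through the trailer is covered by the ICV."""
    pad_len = (-(len(inner_pkt) + 2)) % 4                      # trailer ends on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HEADER_IPIP])
    plaintext = inner_pkt + trailer
    ciphertext = xor(plaintext, keystream(ENC_KEY, spi, seq, len(plaintext)))
    esp_header = struct.pack("!II", spi, seq)
    icv = hmac.new(AUTH_KEY, esp_header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    body = esp_header + ciphertext + icv
    return ip_header(gw_src, gw_dst, PROTO_ESP, OUTER_LEN + len(body)) + body


class EspReceiver:
    """Tunnel endpoint for one SPI: verifies the ICV, rejects replays, then decrypts."""

    def __init__(self, spi: int):
        self.spi = spi
        self.last_seq = 0

    def decapsulate(self, wire: bytes):
        body = wire[OUTER_LEN:]
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi or seq <= self.last_seq:            # wrong SA or replayed packet
            return None
        ciphertext, icv = body[8:-ICV_LEN], body[-ICV_LEN:]
        expected = hmac.new(AUTH_KEY, body[:8] + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):              # modified in transit: drop
            return None
        plaintext = xor(ciphertext, keystream(ENC_KEY, spi, seq, len(ciphertext)))
        pad_len, next_header = plaintext[-2], plaintext[-1]
        if next_header != NEXT_HEADER_IPIP:
            return None
        self.last_seq = seq
        return plaintext[:len(plaintext) - 2 - pad_len]         # the original IP packet


def tap_view(wire: bytes) -> dict:
    """What a passive tap on the transport network can read: the outer header and ESP header
    only; the original IP header and payload travel inside the opaque ciphertext."""
    spi, seq = struct.unpack("!II", wire[OUTER_LEN:OUTER_LEN + 8])
    return {
        "outer_src": ".".join(map(str, wire[0:4])),
        "outer_dst": ".".join(map(str, wire[4:8])),
        "protocol": struct.unpack("!H", wire[8:10])[0],
        "spi": spi,
        "seq": seq,
        "opaque_bytes": len(wire) - OUTER_LEN - 8,
    }


if __name__ == "__main__":
    payload = b"GET /payroll"                                    # constructed inner data
    inner = ip_header("10.1.1.5", "10.2.2.7", 6, OUTER_LEN + len(payload)) + payload
    wire = esp_encapsulate(inner, 0x1234, 1, "192.0.2.1", "198.51.100.1")
    print(tap_view(wire), b"payroll" in wire)                     # tap sees the gateways, not the data
    rx = EspReceiver(0x1234)
    print(rx.decapsulate(wire) == inner, rx.decapsulate(wire))   # accepted once, replay rejected
```

The tap sees the two gateway addresses, protocol 50, the SPI and the sequence number, which is the traffic-analysis surface IPsec leaves open; the inner addresses and data are not on the wire in clear. The receiver order matters: the sequence check and ICV check run before any decryption, so a modified or replayed packet is dropped without touching the cipher.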
Slide 14: What is meant by Private?
• No one can see your stuff
  - Emphasis is on security
  - Confidentiality, integrity, authentication, authorization, access control
• Carve out a piece of a shared network for your own use
  - Emphasis is on availability
  - Traffic engineering

Slide 15: Evolution of IPsec
• First defined as a security mode for IPv6
• “Ported” to IPv4
• Combines tunneling with security
  - Orthogonal services
• Complex key management

Slide 16: Evolution of MPLS
• ATM’s VCI/VPI used for cut-through switching
  - Separates routing from forwarding
  - Supports resource allocation
• MPLS
  - IP cut-through switching using label
  - Routers switch on preestablished label
  - Routers don’t care what’s behind the label
  - Originally proposed to accelerate routing

Slide 17: A Protocol Looking for a Use
• Fast routing argument lost with new routing technology
  - Switching technology applied to IP header
• MPLS for traffic engineering
  - “Connection” oriented
  - Stateful: keeps track of resource allocation and usage
  - RSVP adapted for signaling
• Hot router selling feature

Slide 18: MPLS-VPN Security
• Label Switch Routers will drop packets that do not belong to the VPN based on label
• BGP guards against injected routes using MD5 authentication
• Note:
  - No data confidentiality
  - Weak authentication
  - BGP is not sufficient to prevent fake routes

Slide 19: Why MPLS-VPN?
• Embed label switching in routers
  - Sell more routers
• Replace Frame Relay and ATM with something that looks like these services
  - No profit in Frame Relay or ATM anymore
• Control provisioning at the edge of ISP
  - Sell value added service
• ISP dependent
  - Keeps customers within provider’s network

Slide 20: Why IPsec-VPN?
• No changes to core routers
  - Security gateway/tunnel endpoint placed anywhere that is appropriate
• Separation through obfuscation
  - Real data confidentiality
  - Real authentication
• Routing protocol agnostic
  - No (more than current) reliance on well-behaved protocols
• ISP agnostic

Slide 21: Guarding “Privates”
• What separates a VPN’s traffic from all other traffic?
  - IPsec: data encryption
  - MPLS: different labels, forwarding tables
• Who is responsible for separation?
  - IPsec: ISPs, but not necessarily; corporate IT group and even individuals
  - MPLS: ISPs

Slide 22: Dichotomy of Assumptions
• IPsec assumes goal is: IP delivery
  - No trust of intermediate systems
• MPLS assumes goal is: Engineered delivery
  - Trust entities in the middle
• Begged question: Is leaving security to someone else a good thing?

Slide 23: Which is the Right Way?
• Depends on what control you are willing to cede to service providers
  - What SLAs you demand
  - What you want to “black box”
• Depends on what you mean by “private”
  - No one is supposed to use your resources
  - No one is able to see your stuff

Slide 24: Trends in VPNs
• IPsec is being built into routers, gateways, and firewalls, and can run at very high speeds
• Layer 2 tunneled through MPLS
  - Martini Draft
• Combining MPLS and IPsec
  - IP tunneled through IPsec tunneled through MPLS
  - Best of both worlds

Slide 25: There’s more to it
• Establishing a VPN is much more than just building a set of tunnels between sites
  - Authentication
  - Access Control
  - Data Confidentiality
  - Data Integrity
  - Remote Access

Slide 26: Where does “Private” go?
• Virtual Private Network
  - Makes sense
  - What the designers had in mind
• Virtual Private Network
  - What happens if you’re not careful

Slide 27: More about me
• This talk and other information at http://www.ir.bbn.com/~strayer
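The “MPLS-VPN Security” and “Guarding Privates” slides make a claim worth seeing in code: the only thing keeping one MPLS-VPN customer’s packets away from another’s is the label table in the provider’s routers, and nothing about the customer packet is encrypted or authenticated on the way. The following is an added example, not code from the slides or from BBN: a label switch router that forwards by (incoming interface, label) alone and drops anything not in its table, next to a passive tap on a core link that reads the customer packet in clear. Interface names, labels, addresses, the forwarding table and the simplified 12-byte IP header are constructed sample values; the 32-bit shim header follows the RFC 3032 layout (20-bit label, 3 TC bits, bottom-of-stack bit, 8-bit TTL).

```python
"""Added example: label-only forwarding in an LSR and a tap's view of MPLS-VPN traffic (constructed)."""
import struct
from typing import Optional, Tuple


def push_label(label: int, ttl: int, packet: bytes, tc: int = 0, bottom: bool = True) -> bytes:
    """Prepend one MPLS shim; the packet behind the label is left exactly as it was."""
    assert 0 <= label < 1 << 20 and 0 <= ttl < 256
    word = (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", word) + packet


def pop_label(frame: bytes) -> Tuple[int, int, bool, int, bytes]:
    """Split a frame into (label, tc, bottom_of_stack, ttl, remaining bytes)."""
    word, = struct.unpack("!I", frame[:4])
    return word >> 12, (word >> 9) & 7, bool((word >> 8) & 1), word & 0xFF, frame[4:]


class LabelSwitchRouter:
    """Forwarding table keyed by (incoming interface, incoming label).

    A label only means something on the interface it was advertised over, so the same
    number on another interface is a different entry, or none. A frame whose pair is not
    in the table is dropped; that table is the whole of the separation an MPLS-VPN gets.
    The customer packet itself is never inspected, encrypted or authenticated here."""

    def __init__(self):
        self.table = {}
        self.dropped = []

    def install(self, in_iface: str, in_label: int, out_iface: str, out_label: int):
        self.table[(in_iface, in_label)] = (out_iface, out_label)

    def forward(self, in_iface: str, frame: bytes) -> Optional[Tuple[str, bytes]]:
        label, tc, bottom, ttl, payload = pop_label(frame)
        entry = self.table.get((in_iface, label))
        if entry is None:
            self.dropped.append((in_iface, label, "no table entry"))
            return None
        if ttl <= 1:
            self.dropped.append((in_iface, label, "ttl expired"))
            return None
        out_iface, out_label = entry
        # swap the label, decrement TTL, forward the payload untouched
        return out_iface, push_label(out_label, ttl - 1, payload, tc, bottom)


def ip_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed simplified IP packet: src, dst, protocol 6, total length, then payload."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return addr(src) + addr(dst) + struct.pack("!HH", 6, 12 + len(payload)) + payload


def tap_reads(frame: bytes) -> dict:
    """A passive tap on a core link sees the label and, right behind it, the customer's
    IP header and payload in clear."""
    label, _, _, ttl, packet = pop_label(frame)
    return {
        "label": label,
        "ttl": ttl,
        "inner_src": ".".join(map(str, packet[0:4])),
        "inner_dst": ".".join(map(str, packet[4:8])),
        "payload": packet[12:],
    }


if __name__ == "__main__":
    lsr = LabelSwitchRouter()
    lsr.install("ge0", 100, "ge1", 200)       # customer A's path through this LSR
    lsr.install("ge2", 100, "ge1", 300)       # customer B reuses label 100 on another interface
    pkt_a = ip_packet("10.0.0.5", "10.0.1.9", b"GET /payroll")   # both customers use 10/8
    pkt_b = ip_packet("10.0.0.5", "10.0.1.9", b"GET /catalog")
    print(lsr.forward("ge0", push_label(100, 64, pkt_a)))
    print(lsr.forward("ge2", push_label(100, 64, pkt_b)))
    print(lsr.forward("ge0", push_label(555, 64, pkt_a)), lsr.dropped)   # unknown label: dropped
    print(tap_reads(push_label(200, 63, pkt_a)))                         # readable in clear
```

Two customers with identical private addressing are kept apart only because their labels map to different table entries, which is exactly the “trust entities in the middle” assumption of the “Dichotomy of Assumptions” slide: correctness of that table, and of the BGP sessions that populate it, is the customer’s entire privacy guarantee, while the tap function shows that anyone on the provider path reads the payload as-is.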