CIT 480: Securing Computer Systems
Tunneling and VPNs
Slide #1
Topics
1. Tunneling
   1. Encapsulation
   2. Security
   3. SSH
2. Virtual Private Networks
   1. Site-to-site
   2. Remote access
Tunneling
Tunneling: encapsulation of one network protocol inside another protocol.
Carrier Protocol: the protocol used by the network through which the information is travelling (usually IP).
Encapsulating Protocol: the protocol (GRE, IPsec, SSL/TLS, SSH) that is wrapped around the original data.
Passenger Protocol: the protocol that carries the original data (usually IP).
Tunneling can be used to encrypt connections or to provide other security features (authentication, integrity, replay protection) that the passenger protocol does not offer on its own.
Tunneling Encapsulation (diagram): the Passenger Protocol is wrapped by the Encapsulating Protocol, which is carried by the Carrier Protocol.
Tunneling vs. Eavesdropping (diagram): the client and server each run the encapsulating protocol, which does end-to-end encryption and decryption; the TCP/IP payloads crossing the untrusted Internet between them are encrypted, so an eavesdropper on the path sees only ciphertext.
IPsec
IPsec is a protocol suite for securing IP communications by authenticating and encrypting each packet.
AH (Authentication Header): enables the recipient to identify the originator of a packet and verify its integrity; its sequence numbers provide protection against replay attacks. AH provides no confidentiality.
ESP (Encapsulating Security Payload): encrypts the packet payload to protect confidentiality; it can also provide origin authentication and integrity.
IKE (Internet Key Exchange): the protocol by which the endpoints authenticate each other and negotiate the keys and algorithms (the security association) used by AH and ESP.
IPsec Encapsulation (diagram)
SSH Tunneling
SSH Tunneling
SSH can tunnel a single TCP port if:
SSH is available on both client and server.
The user has a login on both client and server.
The SSH command that creates the tunnel stays running.
SSH calls this capability port forwarding. The -L option used on the next slide is local forwarding; ssh also offers remote (-R) and dynamic SOCKS (-D) forwarding.
Tunneling protocols for an SSH tunnel:
Carrier Protocol: IP
Encapsulating Protocol: ssh
Passenger Protocol: TCP on a specific port
POP3 Forwarding Example
Requirements:
Securely retrieve e-mail via POP3 from pop3svr. The default TCP port for POP3 is 110.
The user has an account named user on pop3svr.

ssh -L 110:pop3svr:110 -l user pop3svr

Uses ssh to log in to pop3svr as user.
Creates a tunnel from port 110 (leftmost port number) on localhost to port 110 (rightmost port number) of pop3svr.
The user configures the mail client to use localhost as its POP3 server, then proceeds as normal.
Because the POP3 server and the SSH server are the same host here, the whole path from the mail client to the POP3 daemon is protected: the final hop is loopback on pop3svr. If the POP3 server were a different host from the SSH server, traffic on that last hop would be in the clear.
Binding local port 110 requires root privileges on the client (ports below 1024 are privileged); an unprivileged user picks a high local port instead, for example -L 1110:pop3svr:110, and points the mail client at localhost port 1110.
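The client-side mechanics of `ssh -L`, as an added example that is not part of the original slides: a small local port forwarder in Python (standard library only) that listens on localhost and relays each connection to a target host and port, exactly what the ssh client does for a `-L` forward before handing the bytes to its encrypted channel. Encryption is deliberately left out; the point is where the ports live and how the relay works. The POP3 server is a constructed stand-in running on a free loopback port, and the forwarder binds port 0 (a free port) instead of 110 so it runs without root.

```python
"""Local port forwarding, the client-side half of `ssh -L 110:pop3svr:110`.

Added example, not from the slides. A TCP listener on localhost relays every
connection to target host:port. The real ssh client does the same, except that
the relayed bytes travel through its encrypted channel to sshd, which makes the
final connection to the target. No encryption here: only the relay mechanics.
"""
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LocalForwarder:
    """Listen on bind_host:bind_port (port 0 = pick a free one) and relay to target."""

    def __init__(self, bind_host, bind_port, target_host, target_port):
        self.target = (target_host, target_port)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((bind_host, bind_port))
        self.listener.listen(8)
        self.port = self.listener.getsockname()[1]   # the leftmost port of -L
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:              # listener closed
                return
            upstream = socket.create_connection(self.target)
            # One thread per direction, like the two halves of a TCP stream.
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self):
        self.listener.close()


def start_fake_pop3():
    """Constructed stand-in for pop3svr on a free loopback port: sends a greeting,
    answers every command with +OK, and closes after QUIT. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        conn.sendall(b"+OK POP3 server ready\r\n")
        for line in conn.makefile("rb"):
            if line.strip().upper().startswith(b"QUIT"):
                conn.sendall(b"+OK bye\r\n")
                break
            conn.sendall(b"+OK\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]


def fetch_via_tunnel():
    """The mail client talks only to localhost; the forwarder carries it to pop3svr."""
    pop3_port = start_fake_pop3()
    fwd = LocalForwarder("127.0.0.1", 0, "127.0.0.1", pop3_port)   # 0 instead of 110: no root
    try:
        with socket.create_connection(("127.0.0.1", fwd.port)) as client:
            greeting = client.recv(1024)
            client.sendall(b"QUIT\r\n")
            bye = client.recv(1024)
    finally:
        fwd.close()
    return greeting, bye


if __name__ == "__main__":
    print(fetch_via_tunnel())
```

The forwarder binds 127.0.0.1 only, which matches the ssh default: a `-L` listener is reachable from the client machine alone unless you bind it to another address (or use -g), in which case anyone who can reach that port gets the tunnel's access without authenticating.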
IPsec Transport and Tunnel Modes
IPsec defines a set of protocols (AH and ESP) to provide authenticity and confidentiality for IP packets.
Each protocol can operate in one of two modes, transport mode or tunnel mode.
Transport mode: the IPsec header is inserted between the original IP header and the data of the original packet, and only the payload of the packet is encrypted or authenticated. The original source and destination addresses remain visible on the wire; this mode is used between the two communicating hosts.
Tunnel mode: a new packet is constructed with a new IP header and the IPsec header, and the entire original packet, including its header, is encapsulated as the payload of the new packet. Only the addresses of the two tunnel endpoints (typically VPN gateways) are visible to the carrier network.
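The two modes carried through in code, as an added example that is not from the slides: a simplified Authentication Header in Python (standard library only) that builds transport-mode and tunnel-mode packets, then on receipt checks the SPI, verifies the HMAC-SHA256 integrity check value, and enforces a sliding anti-replay window on the sequence number. The simplifications are assumptions and are listed in the docstring; key, SPI and addresses are constructed for the demo (a real security association gets them from IKE). AH gives integrity and replay protection only; ESP would add encryption of the protected data, which this block does not do.

```python
"""Transport vs. tunnel mode with a simplified Authentication Header (AH).

Added example, not from the slides and not the RFC 4302 wire format: minimal IPv4
header, AH length given in bytes, the full HMAC-SHA256 tag as ICV, and the ICV
covers only the AH header plus the protected data (real AH also covers immutable
outer IP header fields). Key, SPI and addresses are constructed for the demo."""
import hashlib, hmac, struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_AH = 4, 6, 51
IP_HDR = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst
AH_HDR = "!BBHII"          # next header, AH length (bytes, simplified), reserved, SPI, sequence
AH_LEN, ICV_LEN = struct.calcsize(AH_HDR), hashlib.sha256().digest_size

def _checksum(data):
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4(src, dst, proto, payload, ttl=64):
    """20-byte IPv4 header (no options) with a valid checksum, then the payload."""
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload

def ip_fields(pkt):
    """(src, dst, proto, payload) of a packet built by ipv4()."""
    f = struct.unpack(IP_HDR, pkt[:20])
    return f[8], f[9], f[6], pkt[20:f[2]]

class AHSecurityAssociation:
    """One direction of a simplified AH SA: key, SPI, sequence counter, anti-replay window."""
    def __init__(self, spi, key, window=64):
        self.spi, self.key, self.window = spi, key, window
        self.seq_out = 0     # sender: last sequence number used (monotonic, never reused)
        self.highest = 0     # receiver: highest sequence number accepted so far
        self.seen = set()    # receiver: accepted sequence numbers still inside the window

    def _icv(self, ah, protected):
        return hmac.new(self.key, ah + protected, hashlib.sha256).digest()

    def _wrap(self, next_header, protected):
        self.seq_out += 1
        ah = struct.pack(AH_HDR, next_header, AH_LEN + ICV_LEN, 0, self.spi, self.seq_out)
        return ah + self._icv(ah, protected) + protected

    def transport(self, pkt):
        """Transport mode: original IP header kept; AH inserted before the original payload."""
        src, dst, proto, payload = ip_fields(pkt)
        return ipv4(src, dst, IPPROTO_AH, self._wrap(proto, payload))

    def tunnel(self, pkt, gw_src, gw_dst):
        """Tunnel mode: new outer IP header between gateways; the whole original packet is protected."""
        return ipv4(gw_src, gw_dst, IPPROTO_AH, self._wrap(IPPROTO_IPIP, pkt))

    def unwrap(self, pkt):
        """Check SPI, ICV and anti-replay window; return (next_header, protected) or raise ValueError."""
        _, _, proto, body = ip_fields(pkt)
        if proto != IPPROTO_AH:
            raise ValueError("not AH")
        ah, icv, protected = body[:AH_LEN], body[AH_LEN:AH_LEN + ICV_LEN], body[AH_LEN + ICV_LEN:]
        next_header, _, _, spi, seq = struct.unpack(AH_HDR, ah)
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if not hmac.compare_digest(icv, self._icv(ah, protected)):
            raise ValueError("bad ICV: forged or modified")
        if seq in self.seen or seq <= self.highest - self.window:
            raise ValueError("replayed or stale sequence number %d" % seq)
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        return next_header, protected

KEY = b"\x11" * 32                                               # constructed key
HOST_A, HOST_B = bytes([10, 0, 0, 5]), bytes([10, 1, 0, 7])      # hosts on two private LANs
GW_A, GW_B = bytes([203, 0, 113, 1]), bytes([198, 51, 100, 1])   # the two VPN gateways

def transport_roundtrip():
    """(next header, payload, outer src, outer dst, bytes added) for transport mode."""
    s, r = AHSecurityAssociation(0x1001, KEY), AHSecurityAssociation(0x1001, KEY)
    inner = ipv4(HOST_A, HOST_B, IPPROTO_TCP, b"hello")
    wire = s.transport(inner)
    return r.unwrap(wire) + ip_fields(wire)[:2] + (len(wire) - len(inner),)

def tunnel_roundtrip():
    """(next header, inner packet intact?, outer src, outer dst, bytes added) for tunnel mode."""
    s, r = AHSecurityAssociation(0x1001, KEY), AHSecurityAssociation(0x1001, KEY)
    inner = ipv4(HOST_A, HOST_B, IPPROTO_TCP, b"hello")
    wire = s.tunnel(inner, GW_A, GW_B)
    nh, protected = r.unwrap(wire)
    return (nh, protected == inner) + ip_fields(wire)[:2] + (len(wire) - len(inner),)

def rejection_reason(mutate):
    """Why the receiver refuses a packet after `mutate`, or None if it accepts it."""
    s, r = AHSecurityAssociation(0x1001, KEY), AHSecurityAssociation(0x1001, KEY)
    wire = s.transport(ipv4(HOST_A, HOST_B, IPPROTO_TCP, b"x"))
    r.unwrap(wire)                                   # the genuine packet is accepted once
    try:
        r.unwrap(mutate(wire))
    except ValueError as exc:
        return str(exc)
    return None

replay = lambda w: w                                 # attacker resends the same packet
tamper = lambda w: w[:-1] + bytes([w[-1] ^ 1])       # attacker flips a bit in the payload
```

Transport mode adds 44 bytes (12-byte AH header plus 32-byte ICV) and leaves the hosts' own addresses on the wire; tunnel mode adds 64 bytes (a second 20-byte IP header on top) and exposes only the gateway addresses, with the inner packet recovered byte-for-byte. A resent packet fails the window check and a single flipped payload bit fails the ICV check, which is what the "sequencing" and "MACs" requirements on the VPN slide buy.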
Virtual Private Network (VPN)
Site-to-Site VPN
Remote Access VPN
Virtual Private Network
A private network consisting of multiple networks connected by a private tunnel through a public network instead of dedicated leased lines.
Requirements
Confidentiality: encryption.
Integrity: MACs (authentication of each packet), sequencing and timestamps (replay protection).
Firewall Interactions
Tunnel all protocols via the encapsulating protocol.
The firewall permits the encapsulating protocol through; for IPsec that means ESP and AH plus IKE on UDP port 500 (and UDP port 4500 when NAT traversal is in use).
Types of VPNs
Remote access VPNs allow authorized clients to access a private network, referred to as an intranet. For example, an organization may wish to let employees reach the company network remotely while appearing, both to the intranet's own systems and even to the rest of the Internet, as though they were on the local network. To accomplish this, the organization sets up a VPN endpoint known as a network access server (NAS). Clients typically install VPN client software on their machines, which negotiates a connection to the NAS and carries their traffic through it.
Site-to-site VPNs are designed to provide a secure bridge between two or more physically distant networks. Before VPNs, organizations wishing to safely bridge their private networks purchased expensive leased lines to directly connect their intranets.
VPN and Firewall Architecture (diagram): two placements of the VPN endpoint.
Behind the firewall: the firewall must pass the encapsulating protocol through to the endpoint, and cannot inspect the tunnel's encrypted contents.
In front of the firewall: the endpoint decrypts first, so the firewall filters the decrypted traffic, but the endpoint itself is exposed directly to the Internet.
Key Points
1. Tunneling
   1. Carrier protocol
   2. Encapsulating protocol
   3. Passenger protocol
2. Encapsulating protocols
   1. IPsec
   2. ssh
3. Virtual Private Networks
   1. Site-to-site
   2. Remote access
   3. VPN/Firewall architecture