VPN Virtual Private Networks


1 VPN Virtual Private Networks
Mathias Schäfer, WS 2003/2004

2 Overview
- Why VPNs
- VPN use cases
- Requirements
- Security
- Performance
- Conclusion

3 Why VPNs
- In business solutions, VPN technology is gaining importance
- Enterprises increasingly operate on a global scale
- There is a need for cost-effective solutions to integrate satellite workplaces, such as branch offices, suppliers and field services, into the enterprise network

4 VPN use cases
- Enterprises are usually composed of a head office, branch offices and outdoor (field) staff
- In addition there are suppliers, which are not really part of the company

5 VPN use cases
- To reflect business processes in the company's network structure, all components of the whole enterprise need to be integrated
- VPN types are classified according to the use cases:
  Remote-Access VPN - field services
  Branch-Office VPN - branch offices
  Extranet VPN - suppliers

6 Conventional solutions
- Conventional solutions mostly use leased lines or dial-in connections between the two endpoints
- These connections become very expensive for long-distance or international links
- On the central office side, a large number of connection interfaces is needed to serve all connection requests

7 VPN technology concretely
- Internet-VPN or IP-VPN technology uses the existing Internet to bridge long-distance connections
- Instead of establishing a connection between the two endpoints, each endpoint only needs to connect to the nearest Internet node (its local ISP)
- Distance and fees decrease

8 Remote-Access
- For remote access by outdoor staff, many connections are needed
- Usually PPP dial-in connections are used to establish links between outdoor staff and the head office
- A Remote-Access Concentrator (RAC) terminates the connections on the head office side
- Normally the RAC is connected to the provider's telephone network via ISDN primary rate interfaces (PMX)

9 Remote-Access (diagram)

10 Remote-Access VPN
- With Internet-VPN technology, the outdoor staff connect to the Internet via whatever link technology the local ISP provides
- The head office is connected to the Internet via a single broadband link; a VPN concentrator replaces the RAC
- The data link connection is implemented as a tunnel through the Internet and is terminated inside the VPN concentrator

11 Remote-Access VPN (diagram)

12 Branch-Office
- Conventional connections between branch-office networks and the head-office network are normally based on leased lines, ATM or Frame Relay
- Router equipment on both sides terminates the link
- As with remote access, the cost of this solution depends on the distance and becomes very high for international connections

13 Branch-Office (diagram)

14 Branch-Office VPN
- The router equipment is replaced by VPN gateways that terminate the virtual tunnel connection between the endpoints
- Each endpoint is physically connected only to the Internet, not to its counterpart

15 Branch-Office VPN (diagram)

16 Extranet VPN
- To allow faster reaction it is advisable to integrate suppliers into the company's network
- They should have limited access, because they are not really part of the company
- Usually firewalls restrict their access to the intranet; apart from that, the structure is the same as a Branch-Office VPN

17 Extranet VPN (diagram)

18 Requirements: Security
- Confidentiality: transmitted information has to be protected against unauthorized access
- Integrity: transmitted information must not be altered in transit without detection
- Authentication: the identity of the communication partners has to be verified when the connection is set up, and the connection must stay bound to the authenticated partners for its whole lifetime

19 Requirements: Availability
- Availability of the service has to be guaranteed
- Maximum downtime or minimum uptime percentages are agreed with the service provider by contract, in SLAs

20 Requirements: Performance
- Minimum bandwidth and maximum latency are the main performance aspects of a connection
- For Internet VPNs a service provider normally cannot guarantee these parameters, since the path crosses networks it does not control
- SLAs mostly declare contractual penalties

21 Tunneling principle
- Tunneling is implemented by encapsulating data packets for transmission: the original packet, including its header, becomes the payload of a new packet addressed to the tunnel endpoint, which strips the outer header and forwards the original packet

22 Tunneling models
- Three tunneling models are distinguished:
- End-to-End model: no service provider is involved in the tunneling process, except for providing the Internet connection
- Intra-Provider model: the company is not involved in the tunneling process at all; both tunnel endpoints are in the provider's network
- Provider-Enterprise model: mixed configuration, one tunnel endpoint is provided by the service provider, the other belongs to the company

23 End-to-End model (diagram)

24 Intra-Provider model (diagram)

25 Provider-Enterprise model (diagram)

26 IP Security Protocol (IPsec)
- IPsec was developed for security, so there are many security options to choose from
- IPsec tunnel mode encapsulates whole IP packets; only IP can be tunneled
- The communication partners use unidirectional Security Associations (SAs); an SA holds the negotiated parameters (algorithms, keys, SPI) of one direction of an established IPsec link, so a bidirectional tunnel needs a pair of SAs

27 IP Security Protocol (IPsec)
- IPsec uses symmetric encryption; the keys are negotiated with the Internet Key Exchange protocol (IKE)
- For authentication, IPsec (via IKE) supports: pre-shared secrets, public-key methods, X.509 certificates
- In tunnel mode IPsec hides the structure of the internal network, because the inner IP header is encrypted together with the payload

28 IP Security Protocol (IPsec)
- IPsec's primary tunneling model is the end-to-end model, so the client needs an IPsec implementation
- Software implementations are available for nearly all operating systems

29 IP Security Protocol (IPsec) (diagram)

30 Layer 2 Tunneling Protocol (L2TP)
- L2TP encapsulates PPP frames, which allows tunneling of every layer 3 packet type supported by PPP
- L2TP is designed as a tunneling protocol, not as a security protocol: it offers only a weak CHAP-like tunnel authentication and optional hiding (obfuscation) of attribute values in the control channel; the data channel is neither encrypted nor integrity protected
- Consequently, security has to be implemented at other layers

31 Layer 2 Tunneling Protocol (L2TP)
- The Provider-Enterprise model for remote access is the primary model for L2TP deployments
- Instead of the normal RAC, an L2TP Access Concentrator (LAC) is used

32 Layer 2 Tunneling Protocol (L2TP)
- The LAC decides how to handle an incoming call based on the called number or on the prefix or suffix (realm) of the user-id
- If so indicated, the LAC establishes a tunnel to the L2TP Network Server (LNS) on the enterprise side and forwards the PPP session through it
- This is compulsory tunneling: the user's client is not aware of the tunnel

33 Layer 2 Tunneling Protocol (L2TP) (diagram)

34 Layer 2 Tunneling Protocol (L2TP)
- In the end-to-end model the LAC functionality is implemented in client-side software
- This is voluntary tunneling: the client itself decides to set up the tunnel

35 IPsec-secured L2TP (L2TP/IPsec)
- Combining L2TP and IPsec provides the security options of IPsec together with the packet-type flexibility of L2TP
- This stacking adds considerable overhead (PPP, L2TP, UDP and ESP headers on every packet), which is why many deployments move to IP-only applications so that IPsec can be used without L2TP
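Added example, not taken from the slides: a Go sketch of the LAC-side mechanics of slides 30 to 35: the realm-suffix decision that triggers compulsory tunneling, the L2TP data-message header (RFC 2661) around a PPP frame, and a per-packet size comparison of L2TP/IPsec against plain IPsec tunnel mode that puts a number on the overhead the slide mentions. The realm-to-LNS table, the tunnel and session IDs, the stub payloads and the ESP cost model (AES-GCM with an 8-byte IV and a 16-byte ICV) are assumptions of this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Realm -> LNS table the LAC consults. Realms and host names are made up for this example.
var lnsByRealm = map[string]string{
	"corp.example":    "lns.corp.example:1701",
	"partner.example": "lns.partner.example:1701",
}

// SelectTunnel is the LAC's decision from slide 32: a user-id of the form
// user@realm whose realm is registered is forwarded through an L2TP tunnel to
// that realm's LNS (compulsory tunneling); any other user is terminated
// locally at the access concentrator. The client never sees this decision.
func SelectTunnel(userID string) (lns string, tunnel bool) {
	at := strings.LastIndexByte(userID, '@')
	if at < 0 {
		return "", false
	}
	lns, tunnel = lnsByRealm[strings.ToLower(userID[at+1:])]
	return lns, tunnel
}

// BuildPPPFrame produces a PPP frame with HDLC-like address/control bytes
// (0xFF 0x03) and a 2-byte protocol field, e.g. 0x0021 for IPv4 or 0x002B for IPX.
// Header compression (ACFC/PFC), if negotiated, would shorten this.
func BuildPPPFrame(protocol uint16, payload []byte) []byte {
	f := make([]byte, 4, 4+len(payload))
	f[0], f[1] = 0xFF, 0x03
	binary.BigEndian.PutUint16(f[2:], protocol)
	return append(f, payload...)
}

// L2TPv2 header bits (RFC 2661 section 3.1).
const (
	flagT   = 0x8000 // control message (0 = data message)
	flagL   = 0x4000 // Length field present
	flagS   = 0x0800 // Ns/Nr fields present
	flagO   = 0x0200 // Offset Size field present
	verMask = 0x000F
)

// EncapsulateL2TP wraps a PPP frame in the minimal L2TP data message header:
// flags/version, Tunnel ID, Session ID (6 bytes). The LAC sends this over UDP
// port 1701 to the LNS; nothing in it is encrypted or integrity protected.
func EncapsulateL2TP(tunnelID, sessionID uint16, ppp []byte) []byte {
	h := make([]byte, 6, 6+len(ppp))
	binary.BigEndian.PutUint16(h[0:], 2) // all flags clear, version 2
	binary.BigEndian.PutUint16(h[2:], tunnelID)
	binary.BigEndian.PutUint16(h[4:], sessionID)
	return append(h, ppp...)
}

// DecapsulateL2TP parses an L2TP data message, honouring the optional fields,
// and returns the IDs and the carried PPP frame.
func DecapsulateL2TP(msg []byte) (tunnelID, sessionID uint16, ppp []byte, err error) {
	if len(msg) < 6 {
		return 0, 0, nil, errors.New("short L2TP header")
	}
	flags := binary.BigEndian.Uint16(msg[0:])
	if flags&verMask != 2 {
		return 0, 0, nil, errors.New("not an L2TPv2 message")
	}
	if flags&flagT != 0 {
		return 0, 0, nil, errors.New("control message, not a data message")
	}
	off := 2
	if flags&flagL != 0 {
		l := int(binary.BigEndian.Uint16(msg[off:]))
		if l > len(msg) {
			return 0, 0, nil, errors.New("length field exceeds message")
		}
		msg = msg[:l] // bytes beyond the declared length are not part of the message
		off += 2
	}
	if len(msg) < off+4 {
		return 0, 0, nil, errors.New("truncated L2TP header")
	}
	tunnelID = binary.BigEndian.Uint16(msg[off:])
	sessionID = binary.BigEndian.Uint16(msg[off+2:])
	off += 4
	if flags&flagS != 0 {
		off += 4 // Ns, Nr: sequence numbers, optional on the data channel
	}
	if flags&flagO != 0 {
		if len(msg) < off+2 {
			return 0, 0, nil, errors.New("truncated offset field")
		}
		off += 2 + int(binary.BigEndian.Uint16(msg[off:]))
	}
	if len(msg) < off {
		return 0, 0, nil, errors.New("header longer than message")
	}
	return tunnelID, sessionID, msg[off:], nil
}

// espOverhead is the assumed per-packet cost of ESP with AES-GCM: 8-byte
// SPI/Seq header, 8-byte IV, padding to a 4-byte boundary, 2-byte trailer, 16-byte ICV.
func espOverhead(payloadLen int) int {
	pad := (4 - (payloadLen+2)%4) % 4
	return 8 + 8 + pad + 2 + 16
}

// WireSizes compares, for one inner IP packet of innerLen bytes, the on-wire
// size with plain IPsec tunnel mode (new 20-byte outer IPv4 header + ESP) and
// with L2TP/IPsec (PPP + minimal L2TP + UDP, then ESP in transport mode under
// the 20-byte IP header). The 18 extra bytes per packet, plus padding effects,
// are the overhead slide 35 refers to; L2TP Length/Ns/Nr fields or an IPv6
// outer header would add to it.
func WireSizes(innerLen int) (ipsecTunnel, l2tpIPsec int) {
	ipsecTunnel = 20 + innerLen + espOverhead(innerLen)
	stacked := innerLen + 4 + 6 + 8 // PPP + L2TP + UDP
	l2tpIPsec = 20 + stacked + espOverhead(stacked)
	return ipsecTunnel, l2tpIPsec
}

func main() {
	for _, user := range []string{"alice@corp.example", "bob@isp.example"} {
		lns, tunnel := SelectTunnel(user)
		fmt.Printf("%-20s tunnel=%v lns=%q\n", user, tunnel, lns)
	}
	ppp := BuildPPPFrame(0x0021, []byte{0x45, 0x00}) // 0x0021 = IPv4; constructed stub payload
	msg := EncapsulateL2TP(7, 12, ppp)
	tid, sid, got, err := DecapsulateL2TP(msg)
	fmt.Printf("L2TP tunnel %d session %d ppp %x err=%v\n", tid, sid, got, err)
	a, b := WireSizes(1400)
	fmt.Printf("1400-byte inner packet: IPsec tunnel mode %d bytes, L2TP/IPsec %d bytes\n", a, b)
}
```

The parser deliberately rejects control messages and short or inconsistent headers: on the Internet-facing LNS these packets arrive over plain UDP, so header handling has to be as careful as for any untrusted input, and without IPsec underneath nothing stops a third party from sending them.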

36 IPsec-secured L2TP (L2TP/IPsec) (diagram)

37 IPsec-secured L2TP (L2TP/IPsec)
- Other combinations are possible and can make sense: for example, IPsec in the end-to-end model carried inside L2TP in the provider-enterprise model gives compulsory tunneling with IPsec security

38 Security
- If security options are needed, IPsec is the protocol to choose
- The cryptographic algorithms used are considered secure at the time of writing (2003/2004)
- IPsec's security functionality offers: encryption, authentication, packet integrity, hiding of internal network structures, protection against replay attacks (sequence numbers checked against a receive window) and limited protection against denial-of-service attacks
- If packet types other than IP must also be carried, L2TP/IPsec is the mechanism among those discussed here that fulfils both needs

39 Performance
- Besides the provider- and connection-dependent performance aspects, the hardware used also determines VPN performance
- With IPsec the cryptographic algorithms need a lot of computing power
- Dedicated VPN equipment often uses specialized cryptographic processing units, which offer much better performance than general-purpose CPUs

40 Performance
- With L2TP, a large number of PPP sessions has to be terminated, primarily at the L2TP Network Servers
- Some components are built to scale, so that they can meet increased demand
- If L2TP/IPsec is used, increased attention has to be paid to performance aspects, since the costs of both protocols add up

41 Conclusion
- Internet-VPN technology offers cost-effective solutions if planned in detail
- If all components are chosen well, IPsec offers high-security solutions, also for major projects
- The most important milestone on the way to implementing a VPN is a detailed analysis of needs