VPN and IPsec. Network Administration Using Linux. Virtual Private Network and IPSec 04/2009

What is VPN?
A VPN is an emulation of a private Wide Area Network (WAN) using shared or public IP facilities. A typical VPN consists of two or more private intranets connected by logical tunnels over a public network. These tunnels enable the two ends to exchange data much as in point to point communication.

Site to Site VPN

VPN Components
Security mechanisms:
- Payload encryption
- User authentication
- Resource authorization
VPN tunnelling protocols:
- IP Security (IPsec)
- Point to Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol (L2TP)

Encryption
The process of converting data into a form that can be read only by the intended receiver.
Public key encryption:
- The sender uses the receiver's public key to encrypt the message
- The receiver uses its private key to decrypt the encoded message
- Pretty Good Privacy (PGP), Data Encryption Standard (DES)

Authentication
Verifying the identity of the user:
- Username / password
- Secret key encryption
- Public key encryption

Authorization
Granting or denying a user access to resources. The user must first be identified and authenticated. Access to a resource can be based on source and destination IP addresses, port numbers, group affiliations, time, day, date, application, service, authentication method, etc.

IPSec
Internet Protocol Security (IPSec):
- RFC 2401
- Open Internet standard
- Transmission security (data encryption)
- User authentication
- Operates at the Network Layer

PPTP
Point to Point Tunneling Protocol:
- Microsoft, 3COM and Ascend Communications
- Proposed as an alternative to IPSec
- Operates at Layer 2 (Data Link Layer)
- Used for secure transmission of Windows based traffic
- RFC 1171

L2TP
Layer 2 Tunneling Protocol:
- Cisco Systems
- A combination of Layer 2 Forwarding and PPTP
- Offers strong encryption of data

Tunneling Components
- Target network: the network that contains the resources for remote access
- Initiator node: the remote client or server that initiates the VPN session
- HA (home agent): software at the network access node (router) in the target network
- FA (foreign agent): software at the initiator node or at the network access node (router) of the network to which the initiator node belongs

Tunnel Operations
1. The initiator sends a connection request to the FA
2. The FA authenticates the user
3. The FA forwards the request to the HA of the target network
4. The HA verifies the supplied information and sends back the information the FA needs to establish a tunnel
5. The initiator starts forwarding data packets to the FA

Tunnel Operations (2)
6. The FA creates the tunnel header and the routable protocol header for the data packet
7. The FA encrypts the data and prepends the tunnel header and routable protocol header to it
8. The FA forwards the resulting packet to the HA
9. The HA strips off the headers and decrypts the data
10. The HA forwards the original data packet to the intended destination node

Tunneled Packet

What is IPSec?
IPSec (Internet Protocol Security) refers to a suite of protocols:
- AH: Authentication Header protocol
- ESP: Encapsulating Security Payload protocol
- IKE (or ISAKMP/Oakley): Internet Key Exchange, or Internet Security Association and Key Management Protocol

IPSec SA
The Security Association (SA) is fundamental to IPSec. An SA is a unidirectional (simplex) logical connection between two IPsec systems. An SA is identified by the triple:
- Security Parameter Index (SPI)
- IP destination address
- Security protocol

Security Association
- Security Parameter Index (SPI): a 32 bit value used to distinguish different SAs that share the same destination address and security protocol. The SPI is carried in the header of the security protocol (AH or ESP).
- IP destination address: this can be a unicast, broadcast or multicast IP address. The current SA management mechanism is defined only for unicast addresses.
- Security protocol: either AH or ESP.

IPSec SA Databases
An IPSec implementation uses two databases:
- The Security Association Database (SAD) maintains the information related to each SA, including the algorithm keys, SA lifespan, and sequence numbers.
- The Security Policy Database (SPD) maintains the information about security services, along with an ordered list of inbound and outbound policy entries. Much like firewall rules and packet filters, these entries define what traffic must be processed and what traffic must be ignored per the IPSec standards.
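As an added example (not code from the lecture), a minimal model of the two databases: the SAD keyed by the (SPI, destination, protocol) triple and an ordered SPD consulted first-match on outbound traffic. The addresses, SPI, key bytes and lifetime are constructed sample values.

```python
# Added example, not from the lecture: a minimal model of the two IPsec
# databases. The SAD is keyed by the triple that identifies an SA (SPI,
# destination address, security protocol); the SPD is an ordered list of
# selector rules, first match wins, much like firewall rules.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

AH, ESP = 51, 50  # IP protocol numbers of the two security protocols

@dataclass
class SecurityAssociation:
    spi: int
    dst: str          # IP destination address
    proto: int        # AH or ESP
    key: bytes        # algorithm key (placeholder bytes in the sample below)
    lifetime_s: int   # SA lifespan
    seq: int = 0      # outbound sequence number counter, kept per SA

@dataclass
class SpdEntry:
    src: str          # CIDR selectors for source and destination
    dst: str
    action: str       # "protect", "bypass" or "discard"
    proto: Optional[int] = None  # security protocol applied when protecting

SAD: Dict[Tuple[int, str, int], SecurityAssociation] = {}
SPD: List[SpdEntry] = []

def add_sa(sa: SecurityAssociation) -> None:
    SAD[(sa.spi, sa.dst, sa.proto)] = sa

def lookup_inbound_sa(spi: int, dst: str, proto: int):
    """Inbound: SPI from the AH/ESP header + destination + protocol -> SA."""
    return SAD.get((spi, dst, proto))

def outbound_policy(src_ip: str, dst_ip: str):
    """Outbound: the first matching SPD entry decides the action."""
    for e in SPD:
        if ip_address(src_ip) in ip_network(e.src) and ip_address(dst_ip) in ip_network(e.dst):
            return e.action, e.proto
    return "discard", None  # nothing matched: drop rather than send in the clear

# Constructed sample: intranet 10.1/16 reaches 10.2/16 only through ESP,
# other destinations bypass IPsec; one inbound SA on the gateway address.
SPD.append(SpdEntry("10.1.0.0/16", "10.2.0.0/16", "protect", ESP))
SPD.append(SpdEntry("10.1.0.0/16", "0.0.0.0/0", "bypass"))
add_sa(SecurityAssociation(0x1001, "203.0.113.2", ESP, b"k" * 16, 3600))
```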

Authentication Header
- AH is used to provide integrity and authentication for IP datagrams
- Replay protection is also possible
- AH is used in two modes: transport mode and tunnel mode
- AH is identified by IP protocol number 51

Encapsulating Security Payload
- ESP is used to provide integrity checking, authentication, and encryption for IP datagrams
- Optional replay protection is also possible
- ESP is used in two modes: transport mode and tunnel mode
- ESP is identified by IP protocol number 50

AH format

ESP Format
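As an added example (not code from the lecture) of the AH format and of the replay protection mentioned for AH and ESP: a parser for the fixed AH fields and the sliding-window check a receiver runs on the sequence number stored in the SAD. The sample header bytes are constructed.

```python
# Added example, not from the lecture: parse the fixed part of an AH
# header (RFC 2402 layout: next header, payload length, reserved, SPI,
# sequence number, then the ICV) and apply the sliding-window anti-replay
# check that an AH or ESP receiver runs on the sequence number.
import struct

AH_PROTO = 51
AH_FIXED = struct.Struct("!BBHII")  # next hdr, payload len, reserved, SPI, seq

def parse_ah(data: bytes):
    """Return (next_header, spi, seq, icv, remainder). Payload Len counts
    32-bit words minus 2, so the header is (payload_len + 2) * 4 bytes."""
    next_hdr, payload_len, _reserved, spi, seq = AH_FIXED.unpack_from(data)
    total = (payload_len + 2) * 4
    return next_hdr, spi, seq, data[AH_FIXED.size:total], data[total:]

class ReplayWindow:
    """Bitmap of the last `size` sequence numbers, ending at the highest
    sequence number accepted so far (bit 0 = top, bit i = top - i)."""
    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                     # 0 is never a valid sequence number
        if seq > self.top:                   # new highest: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                     # older than the window: reject
        if (self.bitmap >> offset) & 1:
            return False                     # already seen: replay
        self.bitmap |= 1 << offset           # inside the window, first time
        return True

# Constructed AH header: next header 6 (TCP), payload len 4 (24 bytes in
# total, i.e. a 12-byte ICV), SPI 0x1001, sequence number 7, then data.
SAMPLE = AH_FIXED.pack(6, 4, 0, 0x1001, 7) + b"\xab" * 12 + b"payload"
```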

Transport Mode

Transport Mode

Tunnel Mode

Tunnel Mode
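As an added example (not code from the lecture) covering the transport/tunnel mode slides and the encapsulation steps of the tunnel operation slides: the header layering of ESP in both modes, built with ESP NULL encryption (RFC 2410) and a truncated HMAC-SHA256 ICV so the packets stay inspectable offline. The addresses, SPI, key and segment bytes are constructed; a real deployment negotiates an encryption transform, but the layering is the same.

```python
# Added example, not from the lecture: the header layering that differs
# between ESP transport and tunnel mode. To stay inspectable offline it
# uses ESP NULL encryption (RFC 2410) with an HMAC-SHA256 ICV truncated to
# 16 bytes; assumed values: toy addresses, SPI 0x2002, a 16-byte key.
import hashlib, hmac, struct

ESP, IPV4_IN_IP, TCP = 50, 4, 6
ICV_LEN = 16

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (header checksum left zero here)."""
    a = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, a(src), a(dst))

def esp_wrap(key, spi, seq, inner: bytes, next_header: int) -> bytes:
    """ESP header | inner | padding | pad len | next header | ICV."""
    pad_len = (-(len(inner) + 2)) % 4
    body = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    hdr = struct.pack("!II", spi, seq)
    return hdr + body + hmac.new(key, hdr + body, hashlib.sha256).digest()[:ICV_LEN]

def transport_mode(key, spi, seq, src, dst, segment: bytes) -> bytes:
    """Original IP header kept; ESP protects only the transport payload."""
    esp = esp_wrap(key, spi, seq, segment, TCP)
    return ipv4_header(src, dst, ESP, len(esp)) + esp

def tunnel_mode(key, spi, seq, gw_src, gw_dst, datagram: bytes) -> bytes:
    """Whole original datagram becomes ESP payload behind a new outer
    header addressed gateway to gateway (next header 4 = IP-in-IP)."""
    esp = esp_wrap(key, spi, seq, datagram, IPV4_IN_IP)
    return ipv4_header(gw_src, gw_dst, ESP, len(esp)) + esp

def esp_unwrap(key, esp: bytes):
    """Verify the ICV, then strip trailer and padding. Returns
    (spi, seq, next_header, payload); raises ValueError on a bad ICV."""
    hdr, body, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, hdr + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", hdr)
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[:len(body) - 2 - pad_len]

# Constructed sample traffic: a host in 10.1/16 sends a TCP segment to
# 10.2/16; gateways 203.0.113.1 and .2 terminate the site-to-site tunnel.
KEY = b"\x11" * 16
SEGMENT = b"TCP segment bytes"
INNER = ipv4_header("10.1.0.5", "10.2.0.9", TCP, len(SEGMENT)) + SEGMENT
```

In tunnel mode the outer header carries only the gateway addresses, so the inner source and destination are hidden from the public network; in transport mode they remain visible.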

Internet Key Exchange Protocol
- Previously referred to as ISAKMP/Oakley
- Supports automated negotiation of Security Associations
- Supports automated generation and refresh of cryptographic keys
- Uses parts of ISAKMP and parts of the Oakley and SKEME key exchange protocols to provide management of keys and security associations for the IPSec AH and ESP protocols

IKE Version 1
- RFC 2409: The Internet Key Exchange
- RFC 2408: Internet Security Association and Key Management Protocol (ISAKMP)
- RFC 2407: The Internet IP Security Domain of Interpretation for ISAKMP
- RFC 2412: The OAKLEY Key Determination Protocol
- RFC 2411: IP Security Document Roadmap

IKE Phases
Internet Key Exchange negotiation operates in two separate phases.
Phase 1:
- Authenticating the other IPsec gateway
- Negotiating an IKE SA with the other gateway
- Setting up a secure two way channel, using ISAKMP (Internet Security Association and Key Management Protocol), over which the phase 2 negotiation is carried

IKE Phase 2
Phase 2:
- Using the ISAKMP SA, negotiating the set of security parameters for the IPSec (ESP and/or AH) tunnel (ESP/AH keys are unidirectional)
- Creating the IPSec tunnel
Both phases use UDP port 500 for their negotiations; the ESP and AH protocols themselves do not have ports.

Free/Open IPSec Implementations
- FreeS/WAN: http://www.freeswan.org (no longer active)
- Openswan: http://www.openswan.org (based on FreeS/WAN)