Virtual Private Networks (VPN)

CYBR 230, Jeff Shafer, University of the Pacific. Virtual Private Networks (VPN)

2 Schedule
This Week
Mon September 4: Labor Day, no class!
Wed September 6: VPN; Project 1 work
Fri September 8: IPv6?; Project 1 work
Next Week
Mon September 11: Instructor busy, no class!
Wed September 13: Project 1 due
Fri September 15: TBD
Secure Software Systems

3 VPN

4 Use Case 1: Site-to-Site VPN
(Diagram: Remote Site 1, Remote Site 2 and Remote Site 3 connected to the Corporate LAN across the Internet)

5 Use Case 2: Remote Access VPN
(Diagram: User 1, User 2 and User 3 connected to the Corporate LAN across the Internet)

6 VPN Design Considerations
Security
Addressing
Routing
Interoperability
Performance

8 Wishful Thinking? Legacy Systems Security

9 VPN Design - Security
Confidentiality, Integrity, Availability
Best practice if no legacy systems: IPSec with SHA2 hashing + AES encryption + Internet Key Exchange (IKE) v2
IPSec goals:
Verify sources of IP packets (authentication)
Protect integrity and/or confidentiality of IP packets (encryption)
Prevent replaying of old packets
Operate at the IP layer

10 IPSec Architectures
Host-to-host: secure communication with a single host
Host-to-network (or host-to-gateway): remote access VPN
Network-to-network (or gateway-to-gateway): site-to-site VPN

11 IPSec Protocol Suite
Authentication Header (AH), RFC 4302: prevents spoofing (source authentication) + protects data integrity from tampering + prevents replay attacks. NO encryption (no confidentiality), so not recommended for VPN.
Encapsulating Security Payload (ESP), RFC 4303: all features of AH, plus symmetric-key encryption to provide confidentiality.
Internet Key Exchange (IKE), RFC 4306: dynamically generates and distributes cryptographic keys for AH and ESP; no more pre-shared keys.

12 Encapsulating Security Payload
Authentication algorithms (cryptographic hash):
SHA2 (256, 512) (recommended)
SHA1
MD5 (weak, not recommended / disable)
Encryption algorithms:
AES (recommended)
Blowfish (deprecated); Twofish (newer, not patent encumbered, lacks hardware acceleration)
Camellia (Japanese)
3DES (not hardware accelerated, not recommended)
DES (weak, not recommended, disable)

13 Transport vs Tunnel Mode
Transport mode: secure communication between two endpoints; encapsulates the IP payload only
Tunnel mode: used for VPNs; the entire original IP packet is encapsulated and a new packet header is added; ESP protection applies to the entire inner IP packet, the outer header is unprotected

14 Transport vs Tunnel Mode
No IPSec: Ethernet | IP Header | TCP Header | Payload
IPSec, Transport Mode: Ethernet | IP Header | IPSec Header | TCP Header | Payload (Protected: IPSec Header through Payload)
IPSec, Tunnel Mode: Ethernet | IP Header (Gateway) | IPSec Header | IP Header (Original) | TCP Header | Payload (Protected: IPSec Header through Payload)
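As an added example (not from the slides), this Python script builds the transport-mode and tunnel-mode layouts from slides 13 and 14 at byte level and checks what the ESP integrity check (ICV) actually covers; the key, addresses and TCP segment are constructed sample values, and payload encryption is left out so the bytes stay readable.

```python
# Added example, not from the slides: a byte-level model of ESP transport vs tunnel mode.
import hmac
import hashlib
import struct

KEY = b"constructed-demo-key"   # constructed; a real SA key would come from IKE
ESP_PROTO, TCP_PROTO, IPV4_PROTO = 50, 6, 4   # IANA IP protocol numbers
SEGMENT = b"\x04\xd2\x00\x50constructed TCP segment"  # constructed sample TCP bytes

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left 0; enough to show the layout)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def esp_wrap(inner, next_header, spi=0x1000, seq=1):
    """ESP header (SPI, sequence) + payload + trailer, then a truncated HMAC-SHA256 ICV
    over exactly that span. Encryption is omitted here; the ICV scope is the point."""
    pad_len = (-(len(inner) + 2)) % 4                 # align the trailer to 4 bytes
    body = struct.pack("!II", spi, seq) + inner + bytes(pad_len) + bytes([pad_len, next_header])
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:16]

def transport_mode(src, dst, segment):
    """Original IP header is kept; ESP sits between it and the TCP segment."""
    esp = esp_wrap(segment, TCP_PROTO)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp

def tunnel_mode(gw_src, gw_dst, src, dst, segment):
    """The whole inner IP packet becomes the ESP payload; a new gateway header goes in front."""
    inner = ipv4_header(src, dst, TCP_PROTO, len(segment)) + segment
    esp = esp_wrap(inner, IPV4_PROTO)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp

def icv_valid(packet):
    """Receiver-side check: the ICV covers ESP header..trailer, never the outer IP header."""
    body, icv = packet[20:-16], packet[-16:]
    return hmac.compare_digest(hmac.new(KEY, body, hashlib.sha256).digest()[:16], icv)

def rewrite_outer_dst(packet, new_dst):
    """Simulate a router/NAT rewriting the outer destination address (bytes 16..19)."""
    return packet[:16] + bytes(map(int, new_dst.split("."))) + packet[20:]

def tamper_inner(packet, offset=40):
    """Flip one byte inside the protected span (offset 40 lies past the 8-byte ESP header)."""
    return packet[:offset] + bytes([packet[offset] ^ 0xFF]) + packet[offset + 1:]

if __name__ == "__main__":
    t = tunnel_mode("203.0.113.1", "198.51.100.1", "10.0.0.5", "10.1.0.9", SEGMENT)
    print(len(t), icv_valid(t), icv_valid(rewrite_outer_dst(t, "198.51.100.2")),
          icv_valid(tamper_inner(t)))
```

Rewriting the outer (gateway) header leaves the ICV valid, which is why the slide calls that header unprotected, while any change inside the encapsulated inner packet fails the check.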

15 VPN Design - Addressing
VPNs are (typically) not broadcast domains. Where is broadcast used?
VPN software/hardware acts as a router
Thus, VPN clients should receive addresses in a new, VPN-specific subnet

16 VPN Design - Routing
If I connect to the site VPN, does all my traffic go through the VPN? Advantage: simple design
Or only traffic destined to the corporate network? Advantage: higher performance (potentially); the company doesn't have to carry both inbound and outbound traffic for employees' ESPN.com usage

17 VPN Design - Interoperability
Do you need to support legacy clients?
Windows: IKEv2 support in Windows 7+
Mac OS: IKEv2 support in 10.11+
iOS: IKEv2 support in iOS 8+ (config profile only) or iOS 9+ (full GUI support)
Android: still no native IKEv2 support as of 2017; strongSwan Android VPN client
Linux: varies by distribution
Older operating systems quickly revert back to legacy/insecure algorithms: MD5 identity algorithm, DES/3DES encryption, pre-shared key
Windows example: https://technet.microsoft.com/enus/library/dd125380(v=ws.10).aspx

18 VPN Design - Performance
Are your encryption / hashing algorithms hardware accelerated on the gateway? (affects throughput)
Do you load balance your VPN endpoints? (affects availability and scalability)
Do you have to fragment frames to fit within Ethernet frame limits? Always a tunneling headache