Virtual Private Networks.


Virtual Private Networks
thm@informatik.uni-rostock.de
http://wwwiuk.informatik.uni-rostock.de/

Content
- Virtual Private Networks
- VPN Basics
- Protocols (IPSec, PPTP, L2TP)

Objectives of VPNs
- Earlier: companies used leased links from communication vendors to connect their global branches
  - Each segment was private and could not be eavesdropped on
  - Longer distances are very expensive; smaller firms could not afford such luxury links
- Solution: cost reduction by using public networks such as the Internet
- Concerns (raised by people selling VPN equipment)
  - Sharing lines with anyone else is potentially dangerous
  - Protection is needed

VPN
Functions of a VPN
- Connecting at least two endpoints or multiple networks, thus creating a common address range
- Usually combined with encryption and authentication
Two main kinds of VPNs
1. Host-to-Gateway VPN: remote user of corporate resources
2. Gateway-to-Gateway VPN: creates an encrypted tunnel between two gateways

Gateway-to-gateway VPN

Host-to-gateway VPN

Variants of host-to-gateway VPNs: voluntary tunneling
- Users have the option of connecting to the Internet or other network resources without using the VPN; the user makes the distinction
- Advantage: fewer resources needed, because not all traffic has to pass the VPN gateway
- Disadvantages
  - The user is connected to the inner and the outer network at the same time
  - The user is not protected by any security means around the inner network
  - Voluntary tunneling requires more trust in the nomadic user; the client computer has to be protected

Variants of host-to-gateway VPNs: compulsory tunneling
- All traffic is forwarded to the VPN gateway; the user is not able to access the outer network directly
- Advantage: the user is protected by the security means around the inner network
- Disadvantage: more traffic at the VPN gateway
- Client computers could be considered part of the internal network if bypassing the VPN is denied

Tunneling on packet level
- Tunneling protocol: a network protocol which encapsulates one protocol into another
- The outer protocol is treated as the data link layer for the inner protocol
- Examples: L2TP, PPPoE, IPSec, 802.1Q, SSL / TLS

Tunneling on packet level: L2TP
- RFC 2661
- Commonly used to carry PPP packets
- Provides neither encryption nor authentication by itself (other protocols are used for that)
- Two logical channels: packets on the tunnel are either control or data
- L2TP terminology
  - LAC (L2TP Access Concentrator): initiating endpoint of a tunnel
  - LNS (L2TP Network Server): receiving endpoint
  - L2TP session: connection established for each inner protocol (such as PPP)

Tunneling on packet level: L2TP sessions
- The LAC initiates the tunnel
- LAC or LNS can establish new sessions
- Each session is isolated (multiple virtual networks over one tunnel are possible)
L2TP and the voluntary tunnel model
- The tunnel is created by the user (through a LAC)
- The user sends L2TP packets through the outer network to the LNS (transparently for the provider of the outer network) to create a session
- Other traffic bypasses the LAC
- The tunnel extends across the entire PPP session, from the L2TP client to the LNS

Tunneling on packet level: L2TP and the compulsory tunnel model (incoming)
- The LAC is typically provided by the ISP; the ISP has to be capable of handling L2TP
- A tunnel is created between the LAC and the LNS (as always)
- The company may provide the remote user with a VPN login
- The tunnel extends only from the LAC to the LNS; the first segment from client to LAC is not tunneled
L2TP and the compulsory tunnel model (dial-out)
- The LNS requests the LAC to call the client
Multi-hop L2TP
- Chains of tunnels; each gateway repackages the payload
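To make the control/data split and the tunnel and session identifiers concrete, here is an added parser for the L2TPv2 header (example code written for this page, not material from the lecture); it assumes the packet is the UDP payload, and the two sample packets are constructed, not captured.

```python
import struct

# L2TPv2 header flag bits (RFC 2661 section 3.1) and a few control message types
T_BIT, L_BIT, S_BIT, O_BIT = 1 << 15, 1 << 14, 1 << 11, 1 << 9
MSG_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
             10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}

def parse_l2tp(pkt):
    """Parse an L2TPv2 header (the UDP payload) and tell control from data packets."""
    flags, = struct.unpack("!H", pkt[:2])
    if flags & 0x000F != 2:
        raise ValueError("not L2TPv2")
    off, hdr = 2, {"control": bool(flags & T_BIT)}
    if flags & L_BIT:                       # Length field present
        hdr["length"], = struct.unpack("!H", pkt[off:off + 2]); off += 2
        if hdr["length"] != len(pkt):
            raise ValueError("length mismatch")
    hdr["tunnel_id"], hdr["session_id"] = struct.unpack("!HH", pkt[off:off + 4]); off += 4
    if flags & S_BIT:                       # Ns/Nr sequence numbers present
        hdr["ns"], hdr["nr"] = struct.unpack("!HH", pkt[off:off + 4]); off += 4
    if flags & O_BIT:                       # Offset Size and padding present
        pad, = struct.unpack("!H", pkt[off:off + 2]); off += 2 + pad
    if hdr["control"]:
        # Control messages MUST carry Length and Ns/Nr and MUST NOT use the Offset field
        if not (flags & L_BIT and flags & S_BIT) or flags & O_BIT:
            raise ValueError("malformed control header")
        # First AVP must be Message Type (vendor 0, attribute 0, 2-byte value)
        _avp, vendor, attr, mtype = struct.unpack("!HHHH", pkt[off:off + 8])
        if vendor != 0 or attr != 0:
            raise ValueError("first AVP is not Message Type")
        hdr["msg_type"] = MSG_TYPES.get(mtype, f"type-{mtype}")
    else:
        hdr["payload"] = pkt[off:]          # the encapsulated PPP frame
    return hdr

# Constructed samples (not captures): an SCCRQ opening a tunnel, and a data packet
# carrying a PPP frame (address/control ff03, protocol 0021 = IP) on tunnel 1, session 2
SAMPLE_SCCRQ = bytes.fromhex("c802 0014 0000 0000 0000 0000 8008 0000 0000 0001")
SAMPLE_DATA = bytes.fromhex("0002 0001 0002") + b"\xff\x03\x00\x21"
```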

Tunneling on packet level: PPPoE
- RFC 2516
- Point-to-Point Protocol over Ethernet: PPP packets are encapsulated in Ethernet frames
- PPPoE offers PPP features such as authentication, encryption, and compression
PPPoE messages (packets)
- PADI (PPPoE Active Discovery Initiation): the client does not know the MAC address of the AC (access concentrator), so it sends out a PADI packet via an Ethernet broadcast. The PADI packet contains the MAC address of the computer sending it

Tunneling on packet level: PPPoE messages (continued)
- PADO (PPPoE Active Discovery Offer): contains the MAC address (or multiple MACs) of the AC
- PADR (PPPoE Active Discovery Request): the user selects one of the offered MACs
- PADS (PPPoE Active Discovery Session-confirmation): the connection is finally established; the PADR packet is confirmed by the AC and a Session ID is given out
- PADT (PPPoE Active Discovery Termination): terminates the connection to the POP
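As an added example, not part of the lecture, here is a small parser and checker for the PADI, PADO, PADR, PADS exchange described above, following the RFC 2516 packet and tag layout; the frames are the PPPoE payload after the Ethernet header, and the tag values and the session id 0x1234 in the sample are constructed.

```python
import struct

# RFC 2516 discovery codes and the tags used below
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAGS = {0x0101: "Service-Name", 0x0102: "AC-Name", 0x0103: "Host-Uniq", 0x0104: "AC-Cookie"}

def parse_pppoe_discovery(payload):
    """Parse a PPPoE discovery payload (EtherType 0x8863): code, session id, tag list."""
    vt, code, session_id, length = struct.unpack("!BBHH", payload[:6])
    if vt != 0x11:                       # VER=1, TYPE=1
        raise ValueError("bad VER/TYPE")
    body = payload[6:6 + length]
    tags, off = [], 0
    while off + 4 <= len(body):
        ttype, tlen = struct.unpack("!HH", body[off:off + 4])
        if ttype == 0x0000:              # End-Of-List
            break
        tags.append((TAGS.get(ttype, hex(ttype)), body[off + 4:off + 4 + tlen]))
        off += 4 + tlen
    return CODES.get(code, hex(code)), session_id, tags

def build(code, session_id, tags):
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session_id, len(body)) + body

def follow_discovery(frames):
    """Validate a PADI -> PADO -> PADR -> PADS exchange and return the assigned session id."""
    code, sid = None, 0
    for frame, want in zip(frames, ["PADI", "PADO", "PADR", "PADS"]):
        code, sid, tags = parse_pppoe_discovery(frame)
        names = [n for n, _ in tags]
        if code != want:
            raise ValueError(f"expected {want}, got {code}")
        if code != "PADS" and sid != 0:   # only PADS carries a real session id
            raise ValueError(f"{code} must carry session id 0")
        if code == "PADI" and names.count("Service-Name") != 1:
            raise ValueError("PADI must carry exactly one Service-Name")
        if code == "PADO" and "AC-Name" not in names:
            raise ValueError("PADO must carry the AC-Name")
    if code != "PADS" or sid == 0:
        raise ValueError("no session established")
    return sid

# Constructed sample exchange (not a capture): any service, one AC, session 0x1234
SAMPLE = [
    build(0x09, 0, [(0x0101, b""), (0x0103, b"\xde\xad")]),
    build(0x07, 0, [(0x0102, b"AC-1"), (0x0101, b""), (0x0104, b"\x01\x02")]),
    build(0x19, 0, [(0x0101, b""), (0x0104, b"\x01\x02")]),
    build(0x65, 0x1234, [(0x0101, b"")]),
]
```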

Tunneling on packet level: IPSec
- Encryption and authentication of all IP packets
- Key exchange is also defined
- IPSec supports two modes: transport mode and tunnel mode
  - IPSec transport mode: the IP payload is encrypted
  - IPSec tunnel mode: the entire IP packet is encrypted and has to be encapsulated

Tunneling on packet level: 802.1Q
- Used to create VLANs
- Ethernet frames can be tagged with generic information, mainly the name of the VLAN
SSL / TLS
- SSL provides endpoint authentication and privacy on the transport layer
- Phases
  - Peer negotiation
  - PKE-based (public-key) key exchange and certificate-based authentication
  - Symmetric traffic encryption

Tunneling on packet level: PPTP
- Published as RFC 2637
- Regular PPP session to the peer, carried with the Generic Routing Encapsulation (GRE) protocol
- A second session is used to initiate and manage the GRE session

Attacks against VPNs
- Attacks against encrypted packets and against authentication
  - Require cryptanalysis and expert knowledge
  - Most encryption algorithms are rigorously reviewed and considered to be generally safe
- Attacks against the client
  - The attacker wants to gain access after decryption or before encryption, through trojans or similar programs
- Attacks against the VPN gateway
  - Spoofing

Benefits of VPN
- Security: authentication, encryption
- Deployment speed: no need to wait for a new line
- Cost effectiveness: use of existing networks, sharing of networks

Disadvantages of VPN
- Overhead: processing, tunneling / encapsulation
- Implementation: the VPN has to be integrated into existing network environments (addresses, MTU, firewalls)
- Troubleshooting / packet filtering / traffic shaping: encrypted packets cannot be examined

VPN design considerations
- Authentication: each packet has to be authenticated by itself in order to prevent session hijacking
- Integrity: data to be encrypted has to be checked for integrity before encryption
- Firewalls: a VPN alone does not provide firewall functionality, and a firewall cannot examine encrypted traffic
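The per-packet authentication requirement above is what the IPsec ESP anti-replay window (RFC 4303 section 3.4.3) implements; as an added example, not lecture material and using a simplified sequence-number plus HMAC-SHA256 layout in place of ESP's real format, here is a receiver that authenticates each packet on its own and rejects replays, with all traffic constructed inline.

```python
import hmac, hashlib, struct

def protect(key, seq, body):
    """Sender side: 4-byte sequence number, body, then an HMAC-SHA256 tag over both."""
    hdr = struct.pack("!I", seq) + body
    return hdr + hmac.new(key, hdr, hashlib.sha256).digest()

class Receiver:
    """Per-packet authentication with an IPsec-style sliding anti-replay window."""
    TAG = 32

    def __init__(self, key, window=64):
        self.key, self.window, self.mask = key, window, (1 << window) - 1
        self.highest, self.bitmap = 0, 0    # bit i of bitmap = packet (highest - i) already seen

    def accept(self, packet):
        if len(packet) < 4 + self.TAG:
            return False, "short"
        seq, = struct.unpack("!I", packet[:4])
        diff = self.highest - seq
        # 1. cheap replay-window check before any crypto
        if seq <= self.highest and (diff >= self.window or self.bitmap >> diff & 1):
            return False, "replay or too old"
        # 2. per-packet MAC, compared in constant time; the MAC covers the sequence number
        expected = hmac.new(self.key, packet[:-self.TAG], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, packet[-self.TAG:]):
            return False, "bad MAC"
        # 3. only an authenticated packet may advance or mark the window
        if seq > self.highest:
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & self.mask
            self.highest = seq
        else:
            self.bitmap |= 1 << diff
        return True, packet[4:-self.TAG]

def demo():
    """Constructed traffic (not a capture): in-order, out-of-order, replayed, tampered, old."""
    key = bytes(range(32))
    rx = Receiver(key)
    p1, p2, p3, p4 = (protect(key, n, b"pkt%d" % n) for n in (1, 2, 3, 4))
    tampered = p4[:4] + b"X" + p4[5:]           # body changed, tag no longer matches
    far = protect(key, 100, b"far")              # jumps the window ahead of seq 1
    return [rx.accept(p)[1] for p in (p1, p3, p2, p2, tampered, far, p1)]
```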

Summary
- VPNs provide a cost-effective solution for connecting two networks.
- VPNs provide security.
- Precautions have to be considered when implementing a VPN.