Virtual Private Networks
thm@informatik.uni-rostock.de
http://wwwiuk.informatik.uni-rostock.de/

Content
- Virtual Private Networks
- VPN Basics
- Protocols (IPSec, PPTP, L2TP)
Objectives of VPNs
- Earlier
  - Companies used leased links from communication vendors to connect their global branches
  - Each segment was private and could not be eavesdropped
  - Longer distances are very expensive; smaller firms could not afford those luxury links
- Solution
  - Cost reduction by using public networks such as the Internet
- Concerns (raised by people selling VPN equipment)
  - Sharing lines with anyone else is potentially dangerous
  - Protection is needed
VPN
- Functions of a VPN
  - Connecting at least two endpoints or multiple networks and thus creating a common address range
  - Usually combined with encryption and authentication
- Two main kinds of VPNs
  1. Host-to-Gateway VPN - remote user of corporate resources
  2. Gateway-to-Gateway VPN - create an encrypted tunnel between two gateways
Gateway-to-gateway VPN
Host-to-gateway VPN
Variants of host-to-gateway VPNs
- Voluntary tunneling
  - Users have the option of connecting to the Internet or other network resources without using the VPN; the user makes the distinction
  - Advantage
    - Fewer resources needed because not all the traffic has to pass the VPN gateway
  - Disadvantages
    - User is connected to the inner and the outer network at the same time
    - User is not protected by any security means around the inner network
    - Voluntary tunneling requires more trust in the nomadic user; the client computer has to be protected
Variants of host-to-gateway VPNs
- Compulsory tunneling
  - All traffic is forwarded to the VPN gateway; the user is not able to access the outer network directly
  - Advantage
    - User is protected by security means around the inner network
  - Disadvantage
    - More traffic at the VPN gateway
  - Client computers could be considered part of the internal network, if bypassing the VPN is denied
Tunneling on packet level
- Tunneling protocol
  - Network protocol which encapsulates one protocol into another
  - The outer protocol is treated as the data link layer for the inner protocol
- Examples
  - L2TP
  - PPPoE
  - IPSec
  - 802.1Q
  - SSL / TLS
Tunneling on packet level: L2TP
- RFC 2661
- Commonly used to carry PPP packets
- Provides neither encryption nor authentication by itself (other protocols are used for that)
- Two logical channels: packets on the tunnel are either control or data
- L2TP terminology
  - LAC (L2TP Access Concentrator) - initiating endpoint of a tunnel
  - LNS (L2TP Network Server) - receiving endpoint
  - L2TP session - connection established for each inner protocol (such as PPP)
Tunneling on packet level: L2TP sessions
- LAC initiates the tunnel
- LAC or LNS can establish new sessions
- Each session is isolated (multiple virtual networks over one tunnel are possible)
- L2TP and the voluntary tunnel model
  - Tunnel is created by the user (through a LAC)
  - The user sends L2TP packets through the outer network to the LNS (transparently for the provider of the outer network) to create a session
  - Other traffic bypasses the LAC
  - The tunnel extends across the entire PPP session, from the L2TP client to the LNS
Tunneling on packet level: L2TP and the compulsory tunnel model
- Incoming
  - LAC is typically provided by the ISP; the ISP has to be capable of handling L2TP
  - A tunnel is created between the LAC and the LNS (as always)
  - The company may provide the remote user with a VPN login
  - Tunnel extends only from the LAC to the LNS; the first segment from client to LAC is not tunneled
- Dial-out
  - LNS requests the LAC to call the client
- Multi-Hop L2TP
  - Chains of tunnels; each gateway repackages the payload
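The "two logical channels" of the preceding L2TP slides are visible in every datagram header: the T bit says whether a packet belongs to the control channel (tunnel and session signalling, made of AVPs) or the data channel (the encapsulated PPP frame). The following Python is an added example, not code from the lecture or from any L2TP implementation; it decodes the L2TPv2 header per RFC 2661, enforces the flag rules for control messages, and builds a constructed SCCRQ (the LAC's tunnel request, which carries tunnel id 0 until the LNS assigns one) and a data packet carrying a PPP frame. The host name, tunnel ids and PPP bytes are constructed values.

```python
import struct

# L2TPv2 header flag bits (RFC 2661, section 3.1)
T_BIT, L_BIT, S_BIT, O_BIT, P_BIT = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100
VERSION_MASK = 0x000F
MESSAGE_TYPES = {1: 'SCCRQ', 2: 'SCCRP', 3: 'SCCCN', 4: 'StopCCN', 6: 'HELLO',
                 7: 'OCRQ', 8: 'OCRP', 9: 'OCCN', 10: 'ICRQ', 11: 'ICRP',
                 12: 'ICCN', 14: 'CDN', 15: 'WEN', 16: 'SLI'}
AVP_MESSAGE_TYPE, AVP_HOST_NAME, AVP_ASSIGNED_TUNNEL_ID = 0, 7, 9

def parse_avps(body: bytes) -> list:
    """Split a control message body into its AVPs (flags/length, vendor, type, value)."""
    avps, pos = [], 0
    while pos < len(body):
        if pos + 6 > len(body):
            raise ValueError('truncated AVP')
        flags_len, vendor, attr = struct.unpack('!HHH', body[pos:pos + 6])
        length = flags_len & 0x03FF
        if length < 6 or pos + length > len(body):
            raise ValueError('malformed AVP length')
        avps.append({'mandatory': bool(flags_len & 0x8000),
                     'hidden': bool(flags_len & 0x4000),
                     'vendor': vendor, 'type': attr,
                     'value': body[pos + 6:pos + length]})
        pos += length
    return avps

def parse_l2tp(datagram: bytes) -> dict:
    """Classify a UDP/1701 payload as control or data channel and decode its header."""
    flags = struct.unpack('!H', datagram[:2])[0]
    if flags & VERSION_MASK != 2:
        raise ValueError('not L2TPv2')
    is_control = bool(flags & T_BIT)
    pos, length = 2, None
    if flags & L_BIT:
        length = struct.unpack('!H', datagram[pos:pos + 2])[0]
        pos += 2
    tunnel_id, session_id = struct.unpack('!HH', datagram[pos:pos + 4])
    pos += 4
    ns = nr = None
    if flags & S_BIT:
        ns, nr = struct.unpack('!HH', datagram[pos:pos + 4])
        pos += 4
    if flags & O_BIT:
        pos += 2 + struct.unpack('!H', datagram[pos:pos + 2])[0]
    end = length if length is not None else len(datagram)
    info = {'tunnel_id': tunnel_id, 'session_id': session_id, 'ns': ns, 'nr': nr}
    if not is_control:
        return dict(info, channel='data', payload=datagram[pos:end])
    # Control messages must carry length and sequence numbers and never an offset.
    if not (flags & L_BIT and flags & S_BIT) or flags & O_BIT:
        raise ValueError('control message with invalid flag combination')
    avps = parse_avps(datagram[pos:end])
    message = None
    if avps and avps[0]['vendor'] == 0 and avps[0]['type'] == AVP_MESSAGE_TYPE:
        message = MESSAGE_TYPES.get(struct.unpack('!H', avps[0]['value'])[0], 'unknown')
    return dict(info, channel='control', message=message, avps=avps)

def build_control(tunnel_id, session_id, ns, nr, message_type, extra_avps=()):
    """Control message: Message-Type AVP first, then the caller's (type, value) AVPs."""
    avps = [(AVP_MESSAGE_TYPE, struct.pack('!H', message_type))] + list(extra_avps)
    body = b''.join(struct.pack('!HHH', 0x8000 | (6 + len(v)), 0, t) + v for t, v in avps)
    header = struct.pack('!HHHHHH', T_BIT | L_BIT | S_BIT | 2, 12 + len(body),
                         tunnel_id, session_id, ns, nr)
    return header + body

def build_data(tunnel_id, session_id, ppp_frame):
    """Minimal data message: flags/version, tunnel id, session id, then the PPP frame."""
    return struct.pack('!HHH', 2, tunnel_id, session_id) + ppp_frame

if __name__ == '__main__':
    # Constructed exchange: the LAC opens a tunnel (SCCRQ uses tunnel id 0 until the
    # peer assigns one), then a PPP LCP frame travels on the data channel of session 5.
    sccrq = build_control(0, 0, 0, 0, 1, [(AVP_HOST_NAME, b'lac.example'),
                                          (AVP_ASSIGNED_TUNNEL_ID, b'\x00\x11')])
    print(parse_l2tp(sccrq))
    print(parse_l2tp(build_data(17, 5, b'\xff\x03\xc0\x21')))
```

Because L2TP itself offers no authentication or encryption, a parser like this sees the PPP frame in clear; that is exactly why the slides pair L2TP with another protocol (typically IPSec) for protection.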
Tunneling on packet level: PPPoE
- RFC 2516
- Point-to-Point Protocol over Ethernet: PPP packets are encapsulated in Ethernet frames
- PPPoE offers PPP features such as authentication, encryption, and compression
- PPPoE messages (packets)
  - PADI (PPPoE Active Discovery Initiation): the client does not know the MAC address of the AC (access concentrator), so it sends out a PADI packet via an Ethernet broadcast. The PADI packet contains the MAC address of the computer sending it.
Tunneling on packet level: PPPoE messages (continued)
- PADO (PPPoE Active Discovery Offer): contains the MAC or multiple MACs of the AC
- PADR (PPPoE Active Discovery Request): the user selects one of the offered MACs
- PADS (PPPoE Active Discovery Session-confirmation): the connection is finally established; the PADR packet is confirmed by the AC, and a Session ID is given out
- PADT (PPPoE Active Discovery Termination): terminates the connection to the POP
Tunneling on packet level: IPSec
- Encryption and authentication of all IP packets
- Key exchange is also defined
- IPSec supports two modes: transport mode and tunnel mode
  - IPSec transport mode: the IP payload is encrypted
  - IPSec tunnel mode: the entire IP packet is encrypted and has to be encapsulated
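To make the two modes concrete, here is an added Python example (not code from the lecture or from any IPSec implementation) that builds both forms of an ESP packet from the same plaintext IP packet and decapsulates them again. In transport mode the original IP header stays in clear and only the payload is encrypted; in tunnel mode the whole original packet becomes the ESP payload (next header 4, IP-in-IP) and a new outer header with the gateway addresses is prepended. The cipher is a stand-in (SHA-256 in counter mode keyed by SPI and sequence number) so the example has no dependencies, and the ESP integrity check value is omitted; the addresses, key and payload are constructed values.

```python
import hashlib
import struct
from socket import inet_aton, inet_ntoa

ESP = 50          # IP protocol number of ESP (RFC 4303)
IP_IN_IP = 4      # next-header value meaning "an entire IPv4 packet follows"
TCP = 6

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 20-byte header; a valid header sums to 0."""
    total = sum(struct.unpack('!10H', header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, proto, 0, inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack('!H', ipv4_checksum(hdr)) + hdr[12:]

def parse_ipv4(pkt: bytes) -> dict:
    fields = struct.unpack('!BBHHHBBH4s4s', pkt[:20])
    if fields[0] != 0x45 or ipv4_checksum(pkt[:20]) != 0:
        raise ValueError('bad IPv4 header')
    total_len, proto, src, dst = fields[2], fields[6], fields[8], fields[9]
    return {'src': inet_ntoa(src), 'dst': inet_ntoa(dst), 'proto': proto,
            'payload': pkt[20:total_len]}

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in cipher: SHA-256 in counter mode. Real ESP uses AES-GCM or
    # AES-CBC plus an ICV; this keeps the example dependency-free.
    out, ctr = b'', 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, 'big')).digest()
        ctr += 1
    return out[:n]

def esp_encapsulate(key, spi, seq, data, next_header):
    """ESP header (SPI, seq) + encrypted(data + padding + pad len + next header)."""
    pad_len = (-(len(data) + 2)) % 4           # ESP trailer ends on a 4-byte boundary
    trailer = data + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    nonce = struct.pack('!II', spi, seq)
    ct = bytes(a ^ b for a, b in zip(trailer, keystream(key, nonce, len(trailer))))
    return nonce + ct

def esp_decapsulate(key, esp):
    nonce, ct = esp[:8], esp[8:]
    pt = bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))
    pad_len, next_header = pt[-2], pt[-1]
    return next_header, pt[:len(pt) - 2 - pad_len]

def transport_mode(key, spi, seq, plain_pkt):
    """Only the IP payload is protected; the original IP header stays in clear."""
    ip = parse_ipv4(plain_pkt)
    esp = esp_encapsulate(key, spi, seq, ip['payload'], ip['proto'])
    return ipv4_header(ip['src'], ip['dst'], ESP, len(esp)) + esp

def tunnel_mode(key, spi, seq, plain_pkt, gw_src, gw_dst):
    """The whole original packet is protected and wrapped in a new outer header."""
    esp = esp_encapsulate(key, spi, seq, plain_pkt, IP_IN_IP)
    return ipv4_header(gw_src, gw_dst, ESP, len(esp)) + esp

def unprotect(key, pkt):
    """Receiver side: returns (mode, description of the recovered inner packet)."""
    outer = parse_ipv4(pkt)
    if outer['proto'] != ESP:
        raise ValueError('not an ESP packet')
    nh, data = esp_decapsulate(key, outer['payload'])
    if nh == IP_IN_IP:
        return 'tunnel', parse_ipv4(data)
    return 'transport', {'src': outer['src'], 'dst': outer['dst'],
                         'proto': nh, 'payload': data}

# Constructed sample: a packet between two internal hosts; the payload stands in
# for a TCP segment.
KEY = b'constructed-demo-key'
INNER = ipv4_header('10.0.1.5', '10.0.2.7', TCP, 16) + b'GET / HTTP/1.0\r\n'

if __name__ == '__main__':
    t = transport_mode(KEY, 0x1001, 1, INNER)
    u = tunnel_mode(KEY, 0x1002, 1, INNER, '192.0.2.1', '198.51.100.1')
    print('transport outer header:', parse_ipv4(t)['src'], '->', parse_ipv4(t)['dst'])
    print('tunnel outer header:   ', parse_ipv4(u)['src'], '->', parse_ipv4(u)['dst'])
    print(unprotect(KEY, u))
```

Running it shows why gateway-to-gateway VPNs use tunnel mode: the transport-mode packet still exposes the internal source and destination addresses on the public network, whereas the tunnel-mode packet only reveals the two gateways, at the cost of a second IP header.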
Tunneling on packet level: 802.1Q and SSL / TLS
- 802.1Q
  - Used to create VLANs
  - Ethernet frames can be tagged with generic information, mainly the name (identifier) of the VLAN
- SSL / TLS
  - SSL provides endpoint authentication and privacy on the transport layer
  - Phases
    - Peer negotiation
    - PKE-based key exchange and certificate-based authentication
    - Symmetric traffic encryption
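The PPPoE discovery messages of the earlier slides and the 802.1Q tag of this one both live in the Ethernet frame header, so one decoder serves both. The Python below is an added example, not code from the lecture; it parses an Ethernet frame, pulls out the 802.1Q tag (priority, DEI and VLAN ID) when one is present, and decodes a PPPoE discovery payload (PADI/PADO/PADR/PADS/PADT with its tags) per RFC 2516, rejecting frames that break the protocol's rules (a PADI must be broadcast, carry session id 0 and exactly one Service-Name tag). The MAC addresses, VLAN 42 and session id 0x1234 are constructed values.

```python
import struct

ETHERTYPE_VLAN, ETHERTYPE_PPPOE_DISC = 0x8100, 0x8863
BROADCAST = b'\xff' * 6
# PPPoE discovery codes (RFC 2516, section 5) and tag types (appendix A)
PPPOE_CODES = {0x09: 'PADI', 0x07: 'PADO', 0x19: 'PADR', 0x65: 'PADS', 0xA7: 'PADT'}
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0101, 0x0102, 0x0103, 0x0104
TAG_NAMES = {0x0000: 'End-Of-List', TAG_SERVICE_NAME: 'Service-Name', TAG_AC_NAME: 'AC-Name',
             TAG_HOST_UNIQ: 'Host-Uniq', TAG_AC_COOKIE: 'AC-Cookie',
             0x0201: 'Service-Name-Error', 0x0202: 'AC-System-Error', 0x0203: 'Generic-Error'}

def mac_str(raw: bytes) -> str:
    return ':'.join('%02x' % b for b in raw)

def parse_pppoe_discovery(dst: bytes, payload: bytes) -> dict:
    ver_type, code, session_id, length = struct.unpack('!BBHH', payload[:6])
    if ver_type != 0x11:
        raise ValueError('PPPoE version/type must be 1/1')
    if length > len(payload) - 6:
        raise ValueError('PPPoE length exceeds frame')
    body, pos, tags = payload[6:6 + length], 0, []
    while pos + 4 <= len(body):
        ttype, tlen = struct.unpack('!HH', body[pos:pos + 4])
        if pos + 4 + tlen > len(body):
            raise ValueError('truncated tag')
        tags.append((TAG_NAMES.get(ttype, '0x%04x' % ttype), body[pos + 4:pos + 4 + tlen]))
        pos += 4 + tlen
        if ttype == 0:
            break
    name = PPPOE_CODES.get(code)
    if name is None:
        raise ValueError('unknown PPPoE code 0x%02x' % code)
    # Consistency rules from RFC 2516: no session id before PADS; a PADI is a
    # broadcast carrying exactly one Service-Name tag.
    if name in ('PADI', 'PADO', 'PADR') and session_id != 0:
        raise ValueError('%s must carry session id 0' % name)
    if name == 'PADI' and dst != BROADCAST:
        raise ValueError('PADI must be broadcast')
    if name == 'PADI' and sum(1 for n, _ in tags if n == 'Service-Name') != 1:
        raise ValueError('PADI needs exactly one Service-Name tag')
    return {'code': name, 'session_id': session_id, 'tags': tags}

def parse_frame(frame: bytes) -> dict:
    dst, src, ethertype = struct.unpack('!6s6sH', frame[:14])
    pos, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:          # 802.1Q tag sits between src MAC and ethertype
        tci, ethertype = struct.unpack('!HH', frame[pos:pos + 4])
        pos += 4
        vlan = {'pcp': tci >> 13, 'dei': (tci >> 12) & 1, 'vid': tci & 0x0FFF}
    result = {'dst': mac_str(dst), 'src': mac_str(src), 'vlan': vlan, 'ethertype': ethertype}
    if ethertype == ETHERTYPE_PPPOE_DISC:
        result['pppoe'] = parse_pppoe_discovery(dst, frame[pos:])
    return result

def frame_ok(frame: bytes) -> bool:
    """True if the frame parses and obeys the discovery rules, False otherwise."""
    try:
        parse_frame(frame)
        return True
    except (ValueError, struct.error):
        return False

def build_frame(dst, src, code, session_id, tags, vid=None):
    """Construct a PPPoE discovery frame, optionally inside an 802.1Q tag."""
    body = b''.join(struct.pack('!HH', t, len(v)) + v for t, v in tags)
    pppoe = struct.pack('!BBHH', 0x11, code, session_id, len(body)) + body
    if vid is None:
        eth = dst + src + struct.pack('!H', ETHERTYPE_PPPOE_DISC)
    else:
        eth = dst + src + struct.pack('!HHH', ETHERTYPE_VLAN, vid & 0x0FFF, ETHERTYPE_PPPOE_DISC)
    return eth + pppoe

# Constructed MAC addresses for the walkthrough
CLIENT = bytes.fromhex('001122334455')
AC = bytes.fromhex('66778899aabb')

if __name__ == '__main__':
    padi = build_frame(BROADCAST, CLIENT, 0x09, 0,
                       [(TAG_SERVICE_NAME, b''), (TAG_HOST_UNIQ, b'\x01\x02')], vid=42)
    pado = build_frame(CLIENT, AC, 0x07, 0, [(TAG_AC_NAME, b'ac.example'),
                       (TAG_SERVICE_NAME, b''), (TAG_HOST_UNIQ, b'\x01\x02')], vid=42)
    pads = build_frame(CLIENT, AC, 0x65, 0x1234, [(TAG_SERVICE_NAME, b'')], vid=42)
    for f in (padi, pado, pads):
        print(parse_frame(f))
```

The consistency checks are the practitioner's point here: discovery runs unauthenticated on a broadcast domain, so a monitoring tool should flag frames that claim a session id before PADS or that send PADI unicast, since neither occurs in a well-behaved exchange.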
Tunneling on packet level: PPTP
- Published as RFC 2637
- Regular PPP session to the peer, carried by the Generic Routing Encapsulation (GRE) protocol
- A second session is used to initiate and manage the GRE session
Attacks against VPNs
- Attacks against encrypted packets and against authentication
  - Require cryptanalysis and expert knowledge
  - Most encryption algorithms are rigorously reviewed and considered to be generally safe
- Attacks against the client
  - The attacker wants to gain access after decryption or before encryption, through trojans or similar programs
- Attacks against the VPN gateway
  - Spoofing
Benefits of VPN
- Security
  - Authentication
  - Encryption
- Deployment speed
  - No need to wait for a new line
- Cost effectiveness
  - Use of existing networks
  - Sharing of networks
Disadvantages of VPN
- Overhead
  - Processing
  - Tunneling / encapsulation
- Implementation
  - VPN has to be integrated into existing network environments: addresses, MTU, firewalls
- Troubleshooting / packet filtering / traffic shaping
  - Encrypted packets cannot be examined
VPN design considerations
- Authentication
  - Each packet has to be authenticated by itself in order to prevent session hijacking
- Integrity
  - Data to be encrypted has to be checked for integrity before encryption
- Firewalls
  - A VPN alone does not provide firewall functionality
  - A firewall cannot examine encrypted traffic
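What "each packet has to be authenticated by itself" means in practice is shown by the following added Python example (not code from the lecture or from any VPN product): every packet carries a sequence number and a per-packet MAC that covers both the sequence number and the payload, and the receiver keeps a sliding anti-replay window in the style of ESP (RFC 4303). A packet that was injected, modified, or replayed therefore fails on its own, without any reliance on the session state an attacker could hijack. The key, window size and payloads are constructed values; the MAC is HMAC-SHA-256 truncated to 96 bits.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12      # truncated 96-bit integrity check value, as ESP does with HMAC-SHA-256-96
WINDOW = 64       # anti-replay window size in packets

def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: seq || payload || ICV, where the ICV covers seq and payload."""
    hdr = struct.pack('!I', seq)
    icv = hmac.new(key, hdr + payload, hashlib.sha256).digest()[:ICV_LEN]
    return hdr + payload + icv

class Receiver:
    """Verifies each packet on its own and tracks a sliding anti-replay window."""
    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (highest - i) was already accepted

    def accept(self, packet: bytes):
        if len(packet) < 4 + ICV_LEN:
            return ('reject', 'truncated')
        seq = struct.unpack('!I', packet[:4])[0]
        # 1. Window check first: cheap, and it drops replays before any MAC work.
        if seq <= self.highest:
            diff = self.highest - seq
            if diff >= WINDOW:
                return ('reject', 'too old')
            if (self.bitmap >> diff) & 1:
                return ('reject', 'replay')
        # 2. Verify the ICV in constant time.
        expected = hmac.new(self.key, packet[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(packet[-ICV_LEN:], expected):
            return ('reject', 'bad icv')
        # 3. Only an authenticated packet advances or marks the window.
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) & ((1 << WINDOW) - 1)) | 1
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return ('accept', packet[4:-ICV_LEN])

if __name__ == '__main__':
    key = b'constructed-session-key'
    rx = Receiver(key)
    for pkt in (protect(key, 1, b'hello'), protect(key, 1, b'hello'), protect(key, 3, b'c')):
        print(rx.accept(pkt))
```

The ordering matters for a gateway under load: the window check rejects duplicates before the MAC is computed, while the window is updated only after the MAC verifies, so an attacker cannot move the window forward with forged sequence numbers.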
Summary
- VPNs provide a cost-effective solution for connecting two networks.
- VPNs provide security.
- Precautions have to be considered when implementing a VPN.