Presentation is loading. Please wait.

Presentation is loading. Please wait.

VPN Lab Zutao Zhu 03/26/2010. Outline VPN VPN Setup in VMWare VPN tasks OpenSSL How to Write Socket Programs using OpenSSL APIs.

Published byOmari Wheelock Modified over 9 years ago

Similar presentations

Presentation on theme: "VPN Lab Zutao Zhu 03/26/2010. Outline VPN VPN Setup in VMWare VPN tasks OpenSSL How to Write Socket Programs using OpenSSL APIs."— Presentation transcript:

1 VPN Lab Zutao Zhu 03/26/2010

2 Outline VPN VPN Setup in VMWare VPN tasks OpenSSL How to Write Socket Programs using OpenSSL APIs

3 VPN Virtual Private Network –Create a private scope of computer communication –Provide a secure extension of a private network into an unsecure network, Internet –Built on IPSec or Secure Socket Layer (SSL)

4 VPN Three types –Host-to-Host Tunnel –Host-to-Gateway Tunnel –Gateway-to-Gateway Tunnel

5 Tun/tap Interface virtual network kernel drivers software-only interfaces, that is, they exist only in the kernel no physical hardware component Have a special file descriptors a tap interface outputs (and must be given) full ethernet frames a tun interface outputs (and must be given) "raw" IP packets

6 Tun/tap Interface (cont.) When a program is attached to a TUN/TAP interface, the IP packets that the computer sends to this interface will be piped into the program; the IP packets that the program sends to the interface will be piped into the computer, as if they came from the outside through this virtual network interface

7 Tun/tap Interface (cont.) IP addresses can be assigned traffic can be analyzed routes pointing to it can be established

8 Tun/tap Setup Call tun_alloc() to create the tun/tap interface in program Configure the tun/tap interface (ifconfig) Enable the tun/tap interface (ifconfig) Set the routing rules (route add) Use the tunnel (any tool, like ping, ssh, etc.)

9 Your First Task Build a UDP tunnel Explain why TCP over TCp is not good

10 Host-to-Host Tunnel Use UDP

11 Host-to-Gateway Tunnel Use two physical machines, one acting as a host, the other acting as the gateway, which has many other virtual machines Use Port Forwarding to make certain port of the VM accessible to the outside VMWare Setup Gateway Setup Host Setup

12 VMWare Port Forwarding on the host machine of Gateway

13 Gateway Setup On one physical machine, we use one virtual machine as the gateway, the others as the internal hosts Gateway Setup –Add another interface –Enable IP forwarding feature –Configure the routing table for gateway

14 Add Another Interface for Gateway

15 IP forwarding $ sudo sysctl net.ipv4.ip_forward=1

16 Add Routing Rules man route – read the route manual page Use route add, example $ sudo route add -net 10.0.10.0 netmask 255.255.255.0 gw 10.0.20.1

17 Host Setup You have to configure the routing table by yourself Similar with the previous slide

18 Your second task Make sure Host-to-Gateway tunnel works On host in one physical machine, you can ping/telnet/ssh/ftp any IP behind the Gateway on the other physical machine

19 Gateway-to-Gateway Tunnel

20 Your third task Make sure Gateway-to-Gateway tunnel works On one host behind the Gateway in one physical machine, you can ping/telnet/ssh/ftp any IP behind the Gateway on the other physical machine

21 OpenSSL Prepare work –apt-get source openssl –./config –make –make install Directory of headers and libraries –/usr/local/ssl/include –/usr/local/ssl/lib

22 What OpenSSL does Encrypt/decrypt Hash Create certificates APIs

23 Demo Client/server program with OpenSSL

24 Header Files /* OpenSSL headers */ #include "openssl/bio.h" #include "openssl/ssl.h" #include "openssl/err.h" /* Initializing OpenSSL */ SSL_load_error_strings(); ERR_load_BIO_strings(); OpenSSL_add_all_algorithms();

25 Creating and opening a connection BIO * bio; bio = BIO_new_connect("hostname:port"); if(bio == NULL) { /* Handle the failure */ } if(BIO_do_connect(bio) <= 0) { /* Handle failed connection */ }

26 Reading from the connection int x = BIO_read(bio, buf, len); if(x == 0) { /* Handle closed connection */ } else if(x < 0) { if(! BIO_should_retry(bio)) { /* Handle failed read here */ } /* Do something to handle the retry */ }

27 Writing to the connection if(BIO_write(bio, buf, len) <= 0) { if(! BIO_should_retry(bio)) { /* Handle failed write here */ } /* Do something to handle the retry */ }

28 Closing the connection /* To reuse the connection, use this line */ BIO_reset(bio); /* To free it from memory, use this line */ BIO_free_all(bio);

29 Setting up a secure connection Secure connections require a handshake after the connection is established. the server sends a certificate to the client the client then verifies against a set of trust certificates It also checks the certificate to make sure that it has not expired a trust certificate store be loaded prior to establishing the connection The client will send a certificate to the server only if the server requests one

30 Setting up the SSL pointers if(! SSL_CTX_load_verify_locations(ctx, "/path/to/TrustStore.pem", NULL)) { /* Handle failed load here */ }

31 Preparing a certificate folder and using it /* Use this at the command line */ c_rehash /path/to/certfolder /* Then call this from within the application */ if(! SSL_CTX_load_verify_locations(ctx, NULL, "/path/to/certfolder")) { /* Handle error here */ }

32 Setting up the BIO object bio = BIO_new_ssl_connect(ctx); BIO_get_ssl(bio, & ssl); SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);

33 Opening a secure connection /* Attempt to connect */ BIO_set_conn_hostname(bio, "hostname:port"); /* Verify the connection opened and perform the handshake */ if(BIO_do_connect(bio) <= 0) { /* Handle failed connection */ }

34 Checking if a certificate is valid if(SSL_get_verify_result(ssl) != X509_V_OK) { /* Handle the failed verification */ }

35 Cleaning up the SSL context SSL_CTX_free(ctx);

36 References http://waldner.netsons.org/d2-tuntap.php http://www.mjmwired.net/kernel/Document ation/networking/tuntap.txthttp://www.mjmwired.net/kernel/Document ation/networking/tuntap.txt http://waldner.netsons.org/d2-tuntap.php http://sites.inka.de/~W1011/devel/tcp- tcp.htmlhttp://sites.inka.de/~W1011/devel/tcp- tcp.html http://waldner.netsons.org/d3-ssh- tuntap.phphttp://waldner.netsons.org/d3-ssh- tuntap.php http://www.madboa.com/geek/openssl/

37 Reference http://www.securityfocus.com/infocus/1466 http://www.ibm.com/developerworks/linux/l ibrary/l-openssl.htmlhttp://www.ibm.com/developerworks/linux/l ibrary/l-openssl.html http://www.securityfocus.com/infocus/1388 http://www.securityfocus.com/infocus/1462

38

Download ppt "VPN Lab Zutao Zhu 03/26/2010. Outline VPN VPN Setup in VMWare VPN tasks OpenSSL How to Write Socket Programs using OpenSSL APIs."

Similar presentations

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
Precept 3 Host Configuration 1 Peng Sun. What TCP conn. running? Commands netstat [-n] [-p] [-c] (Linux) lsof -i -P (Mac) ss (newer version of netstat)

Precept 3 Host Configuration 1 Peng Sun. What TCP conn. running? Commands netstat [-n] [-p] [-c] (Linux) lsof -i -P (Mac) ss (newer version of netstat)
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206) 217-7048

Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
1 Linux Networking and Security Chapter 2. 2 Configuring Basic Networking Describe how networking devices differ from other Linux devices Configure Linux.

1 Linux Networking and Security Chapter 2. 2 Configuring Basic Networking Describe how networking devices differ from other Linux devices Configure Linux.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
VPN Lab 2 Zutao Zhu 04/02/2010. Outline How a packet traverse in VPN How to write socket program Certificate.

VPN Lab 2 Zutao Zhu 04/02/2010. Outline How a packet traverse in VPN How to write socket program Certificate.
Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.

Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.
Scaling Service Requests Linux: ipvsadm & iptoip.

Scaling Service Requests Linux: ipvsadm & iptoip.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Microsoft Server 2008 R2 Group Policies & Network Policy and Access Services.

Microsoft Server 2008 R2 Group Policies & Network Policy and Access Services.
Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.

Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.
Network Address Translation, Remote Access and Virtual Private Networks BSAD 146 Dave Novak Sources: Network+ Guide to Networks, Dean 2013.

Network Address Translation, Remote Access and Virtual Private Networks BSAD 146 Dave Novak Sources: Network+ Guide to Networks, Dean 2013.
TCP/IP Tools Lesson 5. Objectives Skills/ConceptsObjective Domain Description Objective Domain Number Using basic TCP/IP commands Understanding TCP/IP3.6.

TCP/IP Tools Lesson 5. Objectives Skills/ConceptsObjective Domain Description Objective Domain Number Using basic TCP/IP commands Understanding TCP/IP3.6.
Printer Installation Ben Wu A&S IT 09/18/2007. Outline  Preparation  Local Printer Installation  Network Printer Installation  Printer Sharing  Other.

Printer Installation Ben Wu A&S IT 09/18/2007. Outline  Preparation  Local Printer Installation  Network Printer Installation  Printer Sharing  Other.

Similar presentations

Ads by Google