Sundar B.

VPN - Motivation
Edge Security
- Goal: separate a private network (LAN) from the public network.
- Typical mechanisms: firewalls, gateways, proxies.
- Works when the edge (i.e. the boundary) is clearly defined: In-Out or Out-In flow is regulated systematically.
- Does not work when there is
  - (geographical) segmentation of a (logical) private network
  - mobility (of users/clients): external access, roaming access.

VPN - Motivation
- Both segmentation and mobility are familiar scenarios: subnetting and VLANs.
- Differences (between VLANs and VPNs):
  - Segmentation in the subnetting scenario happens within a (more) trusted private network, whereas segmentation of a private network happens across an untrusted public network (the Internet).
  - The primary motive of VLANs was traffic isolation (between subnets), not security.
  - Subnets and subnet boundaries are L-2 artifacts, whereas private-public boundaries are L-3.

Virtual Private Networks
- Primary purposes:
  - Handling segmentation across the public network: Site-to-Site VPNs
  - Handling external access / roaming access: Remote Access VPNs
- In summary, a VPN enables logical extension of private network(s) over the Internet using service provider backbones.
- Since the Internet (including the service provider) cannot be trusted (or treated as inviolate in terms of security), VPNs need a security cover.

IPSEC
- IPSEC loosely refers to a phalanx of protocols for supporting confidentiality, integrity and authenticity for IP datagrams between endpoints (of a VPN):
  - Client to VPN termination point (a.k.a. server) in a remote-access VPN
  - VPN server to VPN server in a site-to-site VPN
- The main components:
  - IPSEC proper defines IP packet encapsulation for confidentiality, integrity and authentication as well as data encryption.
  - Internet Key Exchange (IKE) automates key management and protocol negotiation between endpoints.

IPSEC modes
- Tunneling mode
  - Encapsulates a complete IP packet including its header, i.e. the original header is hidden.
  - A new IP header is added for forwarding; the encrypting router's IP address is used in it.
- Transport mode
  - Uses an underlying tunneling protocol (e.g. Cisco's GRE).

IPSEC Headers
- IPSEC adds new header information to an IP datagram:
  - Authentication Header (AH)
    - Provides integrity and authenticity for the packet, including the invariant fields in the outer IP header
    - Uses keyed hashing
  - Encapsulating Security Payload (ESP)
    - Provides confidentiality, integrity and authenticity of the data only (i.e. header information is not included)
- Either or both headers can be used.
- No restriction on encryption algorithms; they can be negotiated between endpoints.

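The two slides above (tunnel-mode encapsulation, and AH's keyed hash over the invariant outer-header fields) as an added worked example; this is illustrative code written for these notes, not from the slides or any IPsec implementation. It is a simplified model: no AH header, SPI or sequence number, a 12-byte truncated HMAC-SHA256 as the ICV, and constructed addresses and key.

```python
import hmac
import hashlib
import struct

# Minimal IPv4 header (20 bytes, no options):
# ver/ihl, tos, total_len, id, flags/frag, ttl, proto, checksum, src, dst
IPV4_FMT = "!BBHHHBBH4s4s"

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a minimal IPv4 header; checksum left 0 (mutable, recomputed per hop)."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl,
                       proto, 0, bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))

def tunnel_encapsulate(inner_packet, gw_src, gw_dst):
    """Tunnel mode: the whole inner packet (its header included) becomes the payload
    of a new outer header carrying the VPN gateways' addresses, so the inner
    addresses are hidden in transit. Protocol 51 = AH (AH header itself omitted)."""
    return ipv4_header(gw_src, gw_dst, 51, len(inner_packet)) + inner_packet

def ah_icv(key, packet):
    """AH-style ICV: keyed hash over the packet with the mutable outer-header
    fields zeroed (TOS, flags/fragment offset, TTL, checksum), so that routers
    rewriting those fields along the path do not invalidate the check."""
    hdr = bytearray(packet[:20])
    hdr[1] = 0                  # TOS/DSCP may be rewritten by QoS devices
    hdr[6:8] = b"\x00\x00"      # flags / fragment offset
    hdr[8] = 0                  # TTL is decremented at every hop
    hdr[10:12] = b"\x00\x00"    # header checksum changes whenever TTL does
    return hmac.new(key, bytes(hdr) + packet[20:], hashlib.sha256).digest()[:12]

def ah_verify(key, packet, icv):
    return hmac.compare_digest(ah_icv(key, packet), icv)

def demo():
    """Returns (ttl_change_verifies, dst_change_verifies) for a constructed packet."""
    key = b"constructed-demo-key"
    inner = ipv4_header("10.1.1.5", "10.2.2.9", 6, 4) + b"data"
    outer = tunnel_encapsulate(inner, "203.0.113.1", "198.51.100.1")
    icv = ah_icv(key, outer)
    # A router decrementing TTL (a mutable field) must not break the ICV ...
    hop = bytearray(outer)
    hop[8] -= 1
    ttl_ok = ah_verify(key, bytes(hop), icv)
    # ... but a rewritten outer destination (an invariant field) must be detected.
    tampered = bytearray(outer)
    tampered[16:20] = bytes([192, 0, 2, 7])
    dst_ok = ah_verify(key, bytes(tampered), icv)
    return ttl_ok, dst_ok
```

`demo()` returns `(True, False)`: the TTL-decremented copy still verifies, the address-rewritten copy does not.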
Site-to-Site Topologies
- Fully-meshed topology
  - Complete (logical) graph
  - Very robust
  - Cost saving compared to leased lines (or wide area networks) between sites.
- Hub-and-spoke topology
  - Radial graph: spoke sites connect to a hub site.
  - Hub site would require tunnel aggregation (routers).
  - Useful when traffic is asymmetric, i.e. mostly directed toward the hub.
  - Otherwise there is a large overhead at the hub, since spoke-to-spoke traffic must be decrypted and re-encrypted there.

Site-to-Site Topologies (contd.)
- Fully meshed on-demand topology with Tunnel End Discovery
  - Complete graph with dynamic IP addresses
  - Tunnel end is discovered dynamically
- Dynamic Multipoint topology
  - Allows both spoke-hub and spoke-spoke tunneling.
  - More flexible.

Pros and Cons
- Reduced cost compared to leased lines or WAN without compromising security.
- Performance penalties:
  - Protocol overheads
  - Additional burden in routing and forwarding; specialized solutions needed
- IP address partitioning mechanisms are not always clean.