1. Nelson Azadian Victor Seletskiy Pavel Dikhtyar
Chapter 19 VPN and NAT
Nelson Azadian
Victor Seletskiy
Pavel Dikhtyar

2. VPN Overview Why we need Virtual Private Networks.
What a Virtual Private Network consists of.
What a Virtual Private Network does.
How a Virtual Private Network does what it does.
Pro’s and Con’s of VPN’s

3. Imagine the Following Scenario
You are a network administrator hired by a company to create a network which is both private yet able to access the internet.
How would you do it?

4. You Could…
Create a network comprised of both an internal and external network. By internal we mean a network which is unavailable to those outside of the network. Conversely, by external we mean a network which is available to those outside of the network.

5. Example
As you can see, we have two networks. An internal network, on the right, which lacks access to the internet, i.e. is private, as well as an external network, on the left, which is allowed access to the internet, i.e. is public.

6. Continuing With Our Previous Scenario…
Let’s say the same company, which had previously hired you to build a network, decides to build another office building 100 miles away from their current office building. You are once again hired by the company to build a private network between the two office buildings.
How would you do it?

7. What Won’t Work
A LAN based private network would be out of the question due to the amount of money to both build and maintain such a network.

8. Continuation of What Won’t Work
We could use a WAN based network to connect both office buildings. However, problems associated with the amount of money to build and maintain such a network would once again arise.
What about Leased Lines?

9. What Will Work What are Leased Lines?
Leased Lines are connection based, rather than packet switch based, lines which a phone company or internet service provider will lease to an individual or corporation.
Due to their connection based nature leased lines are guaranteed to remain private.
Unfortunately, leased lines are expensive and for many companies out of their budget.

10. Why We Need Virtual Private Networks
VPN or Virtual Private Networks are a cheaper and effective alternative to leased lines which, as with leased lines, allow for networks to remain private.
Unlike leased lines, VPN’s do so using packet switched networks, i.e. virtual lines.

11. What a Virtual Private Network Consists of
A Virtual Private Network basically consists of a router, with specialized software, which acts as a gateway between an external network, i.e. the internet, and an internal network, i.e. some private network.

12. What a Virtual Private Network Does
When a host on an internal, i.e. private, network needs to send a packet to a host not on its own internal network it sends the packet to the specialized router.

13. Continuation of What a Virtual Private Network Does
Once the specialized router receives the packet it examines the destination of the packet.
The router than encrypts the packet, places it in a datagram, and sends it off to its destination. The destination in question belongs to another specialized router, similar to our previous specialized router. This second specialized router belongs to the destined host’s VPN and acts as its gateway.
We are not initially sending the packet to the destined host.

14. How a Virtual Private Network Does What it Does
Virtual Private Networks use two basic techniques to allow them to remain both private, yet at the same time do so without the use of expensive connection based networks.
The two techniques in question…
Encryption
Tunneling

15. What is Encryption?
Simply put, encryption is the process of modifying data in such a way that it becomes unintelligible.
Take for instance the following example, “L ORYH QDFKR’V” is really “I LOVE NACHO’S” using a simple Caesar or
Shift - 3 Cipher.

16. Why Use Encryption?
The reason is simple, in order to keep data on an internal network private we need to use some way of keeping the data on that network private. Hence, we use encryption, taking our original data and modifying it in some way as to keep its original content secret.
Examples of some Encryption Algorithms include DES, Triple DES, AES, RSA, etc.

17. Why Do We Encrypt the Entire Packet?
You may recall that I mentioned that the entire packet needed to be encrypted, i.e. data and header; why?
Encrypting the data portion of the packet is not enough to ensure that our private network remain private. In order for our private network to remain truly private we must not only hide the data on the network but also the topology of that network.
*Note* We still require the use of a globally valid IP address, otherwise we wouldn’t be able to send the packet over the “global” external internet. However, this globally assigned IP address is assigned only to the VPN gateway and not to any of the hosts on the internal private network.

18. Continuation of Why We Encrypt the Entire Packet
Let’s say we hadn’t encrypted the entire packet, i.e. we hadn’t encrypted the packet’s header only its data, and an unauthorized party was able to sniff or attain a copy of the packet using a program such as Ethereal. Though the unauthorized party would not be able to access the data, i.e. would not have the key necessary to decrypt the packet, the unauthorized party would still know the packet’s source and destination, i.e. would know which specific host on the first VPN sent the packet to which specific host on the second VPN.

19. What’s the Big Deal?
The big deal is that if the unauthorized party or attacker is able to find out where the packet came from as well as where it was destined to, the attacker may be able to further compromise the security of any of the two VPN’s, i.e. may be able to break into one or both of the VPN’s.
By encrypting the entire packet we keep both the data within the packet private as well as the existence, or location, of the two host’s private, i.e. we keep the topology of the internal private network hidden.

20. What is Tunneling?
Tunneling is basically a way of specifying that datagram be sent to a specific router, rather than a specific host.

21. Why Specify a Router?
Question: How do we decrypt the packet the source host had originally sent?
Wrong Answer: Sending the key along with the encrypted packet is not a viable solution.
Correct Answer: Both routers must have agreed upon a key before any transmission of packets occur. Therefore, in order to agree upon a specific key both routers must have already known about each others existence, i.e. already had an entry in their routing tables for one another.

22. A Common Misconception About Tunneling
The word “tunneling” tends to imply that a “tunnel” is a single path, leading from one endpoint to another.

23. Unfortunately This is Not True
With respect to VPN’s, the word “tunneling” is used because in order to “tunnel” a packet the two endpoints of the tunnel, i.e. the routers which will encrypt or decrypt, must be known before a packet is encrypted and sent out into the internet. We do not however specify a specific route a packet must follow, merely the last or first router to receive or send the encrypted packet.

24. Pro’s of Virtual Private Network’s
Practically guarantee network and data privacy.
Are a cheap and effective alternative to WAN’s or Leased Lines.
Easily map onto an existing network with little modification.

25. Con’s of Virtual Private Network’s
Unlike most routers, VPN gateway router tables are not dynamic, i.e. must be input by a network administrator.
If a VPN gateway goes down, it’s very possible that the entire private network will lose connectivity to the external internet.
Absolute privacy is not guaranteed, the reason being that no current encryption algorithm is 100% full proof.

26. NAT Overview
VPN Types
Tunneling Types
Application Gateway
NAT

27. VPN Implementation There are two common VPN implementations:
Client-to-Site (Remote Access VPN)
Site-to-Site

28. Remote Access
Mobile user access from public network to private network, who needs to connect to secure materials remotely, or need access to secure remote management portal.

29. Remote Access Continued
It secures a path to the site's LAN, allowing the client to access a private network address ( RFC 1918).
The client-to-site VPN is a many-to-one VPN tunnel.
One or more clients can initiate a secure VPN connection to the VPN server, thus securely accessing internal data from an insecure remote location.

30. Site-to-Site
When office requires sharing information across multiple LANs. The typical example of this is a company that has offices in two different geographical locations.

31. Site-to-Site Continued
Allows LANs to share information across Internet without fearing that outsiders could view the content of the data stream.
The site-to-site VPN is a one-to-one VPN tunnel. Two servers or routers set up an encrypted IP tunnel to securely pass packets back and forth over the Internet. The VPN servers create a logical point-to-point connection over the Internet.

32. Tunneling in Detail Tunneling requires three different protocols:
Carrier protocol - The protocol used by the network that the information is traveling over for example, PPP is used as the carrier protocol in IP-based transit networks.
Encapsulating protocol - The protocol (GRE, IPSec, L2F, PPTP, L2TP) that is wrapped around the original data
Passenger protocol - The original data (IPX, NetBeui, IP) being carried

33. Tunneling Protocols PPTP L2TP IPSec Tunneling Mode SSL/TLS
(Point-to-Point Tunneling Protocol)
L2TP
(Layer 2 Tunneling Protocol)
IPSec
Tunneling Mode
SSL/TLS
(Secure Sockets Layer/Transport Layer Security)

34. VPN via PPTP Point-to-Point Tunneling Protocol
Data is first encapsulated inside PPP packets
PPP packets are then encapsulated in GRE packets and sent over the link
Weak Security
Low Performance
Was integrated in L2TP that combines PPTP & L2F

35. IPSec Internet Protocol Security (IPSec)
For Site-to-Site and Remote-Access VPNs
Features encryption modes
Tunnel
Encrypts data header and payload
Transport
Encrypts payload only
Encrypts data between various devices
Router to router
Firewall to router
PC to router
PC to server

36. IPsec = AH + ESP + IPcomp + IKE
IPSec Tunneling
IPsec = AH + ESP + IPcomp + IKE
IP Encapsulation Security Payload (ESP)
Provides message integrity and privacy using DES or EAS
It also includes anti-replay mechanism.
Internet Key Exchange (IKE)
AH and ESP needs shared secret key between peers. IKE defines an automatic means of negotiation and authentication for security associations (SA). Security associations are security policies defined for communication between two or more entities

37. SSL / TLC
The SSL (Secure Sockets Layer) is a protocol designed by Netscape Communications to enables secure data transfer between two devices over a public network. SSL protects applications running over TCP, and is mostly utilized to protect HTTP transactions. SSL has been replaced by Transport Layer Security (TLS).
To convert SSL/TLS into a remote access VPN, firms install an SSL/TLS VPN gateway at each site. The client establishes an SSL/TLS connection with this gateway, rather than to individual hosts within the site.

38. How SSL Works

39. SSL / TLC
In many cases, the SSL/TLS VPN gateway simply connects the client PC to a webserver. This is the traditional use of SSL/TLS in VPNs. However, the SSL/TLS gateway decrypts client traffic coming into the network. This allows a firewall to check the traffic right after the VPN/SSL firewall.

40. SSL / TLC Continued
In other cases, the VPN gateway connects the client PC to a database server or other server that cannot communicate with a browser natively. The VPN gateway then intercepts messages from the
server to the client PC. The VPN gateway webifies these messages (converts them into webpages).

41. SSL / TLC Continued
In yet other cases, the SSL/TLS VPN gateway connects the client PC to a subnet of the network. The client can then connect to any host on the subnet.

42. SSL / TLS Client Question: What does the client need to have?
For basic operation, the client only needs to have a browser that works with SSL/TLS. It is difficult to find a computer that does not have a browser or whose browser cannot work with SSL/TLS. Consequently, SSL/TLS can work with any client PC connected to the Internet. This makes SSL/TLS extremely attractive as a remote access VPN.

43. IPSec vs. SSL VPN Information Exposure Communication
Compared to IPSec, SSL is an application level transport protocol that transmits data over a standard TCP port (typically TCP port 443). IPSec provides application-transparent communication over layer 3, IP, network traffic while SSL was designed to encrypt application traffic.
Information Exposure
Only designated people /computers are allowed access by IPSec, while SSL allows access from everywhere (e.g. internet kiosks). Information can be left behind (intentionally or unintentionally)
Software Required
IPSec requires client software, while SSL needs only Standard Web browser

44. IPSec vs. SSL VPN Continued
SSL allow more precise access control.
First of all they provide tunnels to specific applications rather than to the entire corporate LAN. So, users on SSL VPN connections can only access the applications that they are configured to access rather than the whole network. Second, it is easier to provide different access rights to different users and have more granular control over user access.
Connectivity
IPSec connectivity can be adversely affected by firewalls or other devices between the client and gateway (i.e. firewall or NAT devices) while SSL operates transparently across NAT, proxy, and most firewalls (most firewalls allow SSL traffic)
Security
SSL provides limited control over information access and client environment; good for accessing less-sensitive information

45. Private Address Protection
VPN must protect internal information and prevent any direct connection between a trusted server or client and an un-trusted host. It gives improved security because without knowing the true IP address of a host, it is harder for an intruder to attack that machine.

46. Private Address Protection Continued
SSL & IPSec and other VPN's use two general communication schemes to ensure private network security:
Application Gateways
NAT

47. Application Gateways
The application gateway acts as an intermediary between the two endpoints. When a client issues a request from the untrusted network, a connection is established with the application gateway. The proxy determines if the request is valid and then sends a new request on behalf of the client to the destination. By using this method, a direct connection is never made from the trusted network to the untrusted network and the request appears to have originated from the application gateway.

48. Advantages of the Application Level
Application-specific proxies accept only packets generated by services they are designed to copy, forward, and filter without offering IP- level access.
Only packets generated by these services could pass through the firewall. All other services would be blocked.
If a network relies only on an application-level gateway, incoming and outgoing packets cannot access services for which there is not a proxy.
For example, only a Telnet proxy can copy, forward, and filter Telnet traffic.
Able to work without changes to the underlying infrastructure or addressing.
It can, for instance, tell the difference between a piece of containing text and a piece of containing a graphic image or the difference between a webpage using Java and a webpage without.

49. Advantages of the Application Level
Application-level Filtering
examine and filter individual packets, rather than simply copying them and blindly forwarding them across the gateway.
check each packet that passes through the gateway, verifying the contents of the packet up through the application layer.
can filter particular kinds of commands or information in the application protocols (e.g., FTP GET but not PUT; no retrieving HTTP objects ending in .exe)

50. Disadvantages of the Application Level
Lack of generality: each application gateway handles only one specific service; multiple gateways are required for multiple services.
Performance: significant disadvantage of application gateways is the impact it can have on performance. Since all incoming and outgoing traffic is inspected at the application level, they are typically slower All traffic must pass through all seven layers of the OSI model prior to being inspected.

51. NAT
Network Address Translation – provide IP – level access between hosts at a site and the rest of the Internet without requiring each host at the site to have a globally valid IP address
One valid IP address – requires site to have a single connection to the global Internet and at least one globally valid IP address.
NAT box – runs NAT software, all datagram's pass through it as they travel from site out to the Internet or from Internet into the site

52. NAT Continued Outgoing traffic replaces source IP address
Incoming traffic replaces destination IP address

53. It identifies correct host to which the datagram should be forwarded.
Translation Table
It identifies correct host to which the datagram should be forwarded.
Has Two values
Internal host IP address
External host IP address

54. Translation Table Table Initialization Manual Outgoing datagram's
A manager configures the translation table manually before any communication occurs. Provides permanent mapping and allows IP datagrams to be send in either direction.
Outgoing datagram's
NAT uses the outgoing datagram to create a translation table entry that records the source and destination addresses. It is automatic, but does not allows communication to be initiated from outside.
Incoming name lookups
The table is build as side effect of handling domain name lookups. When a host on the Internet looks up the domain name of an internal host, and then creates an entry in the NAT translation table to forward incoming datagrams to the correct internal host.

55. NAT and ICMP Overview Port Mapped NAT Interaction between NAT and ICMP
Interaction between NAT and Applications
NAT in the presence of Fragmentation
Conceptual Address Domains
Implementations of NAT

56. Port-Mapped NAT NAPT – Network Address Port Translation
Provides concurrency by translating port numbers as well as addresses.
Expands on NAT translation table to contain:
Source and destination IP addresses (NAT)
Source and destination port numbers
Protocol port number (used by NAT router)

57. NAPT Diagram

58. Port-Mapped NAT Continued
In the process of communications NAPT assigns a unique port number to each communication that is used on the internet.
After NAPT translation, the receiving computer receives datagram's with NAPT box global address and NAPT port number.
Biggest advantage is the amount of generality NAPT achieves with one global IP address.
Biggest disadvantage is that NAPT restricts communications to TCP or UDP only.

59. NAPT Process

60. Operation Of Port-Based NAT
Inside Client Generates Request And Sends To NAT Router:
Device generates an HTTP request to the server.
The datagram is sent to the NAT-capable router that connects the organization's internal network to the Internet.
NAT Router Translates Source Address And Port And Sends To Outside Server:
The router substitutes the inside global address and also chooses a new source port number for this request.
The destination address and port are not changed. 
The NAT router puts the address and port mapping into its translation table. It sends the modified datagram out, which arrives at the outside server.
Outside Server Generates Response And Sends Back To NAT Router:
The outside server generates an HTTP response.
it sends back the response to the NAT router
NAT Router Translates Destination Address And Port And Delivers Datagram To Inside Client:
The NAT router consults its translation table and knows who this datagram is intended for.
The destination address and port are changed but not the source.
The router delivers the datagram back to the originating client.

61. Interaction between NAT and ICMP
Unexpected side effects of NAT.
NAT changes IP address of the from field.
NAT must handle higher layer protocols.
Must handle ICMP (one of the most important ones).
Determines if ICMP should be handled locally or sent to an internal host.
If sending to an internal host NAT must translate the ICMP message.
ICMP message translation example.
Example message: destination unreachable.
Message contains header from a datagram D that caused error.
Since NAT translated the address in header of D before sending it, NAT must open the ICMP message and translate the address in D header back to the original hosts address.
NAT must also re-compute the checksum of the D header and of the ICMP message.

62. Interaction Between NAT and Applications
NAT Effect on application protocols.
In general NAT will not work with any application that sends IP addresses or protocol ports as data.
Example application protocol: FTP.
Part of FTP protocol is one machine obtaining the port number of another machine over a TCP connection.
In FTP protocol the port number is sent as data.
In order for this protocol to function properly through NAPT, the port number in the data stream must be changed to agree with the NAPT port number.
NAT recognition of application protocols.
Implementations of NAT have been created that recognize popular protocols such as FTP and make the necessary changes in the data stream.

63. Interaction Between NAT and Applications Continued
Custom application protocols nonfunctional with NAT.
NAT affects ICMP and higher level protocols.
An application protocol that passes IP addresses or protocol port numbers as data will not operate correctly across NAT.
Changing items in a data stream increases the complexity of NAPT. (making application protocols work)
NAPT must have detailed knowledge of each application that transfers such information.
If items are represented in ASCII (FTP protocol) changing the value can change the number of octets transferred.
Inserting or removing octets in the data stream is difficult because all octets have a sequence number in a stream.
Sender and receiver don’t know that octet number has been changed and they will get out of sync.
NAT will have to translate the sequence numbers in each outgoing segment and each incoming acknowledgement.

64. NAT in the Presence of Fragmentation
Assumptions about IP.
In describing NAT an assumption was made that NAT system receives complete IP datagram's and not fragments.
Fragmentation creates added complexity in NAPT (widely used version of NAT)
NAPT uses information (port numbers) from the transport header.
Only the first fragment of a datagram carries the transport protocol header.
Before NAPT can operate on a datagram, it must receive and examine the first fragment of the datagram.
Resolutions of the NAPT Datagram Fragmentation Problem
Slow speed networks save fragments and reassemble the datagram.
Other networks reject fragmented datagram's.

65. Conceptual Address Domains
Standard NAT use is to connect a private network to a global internet.
NAT can be used to interconnect any two address domains.
It can be used between two corporations that use the same private address space. ( )
NAT can also be used at two levels.
It can be used between customer’s private domain and ISP’s private address domain.( first level)
It can also be used between ISP’s address domain and global internet. (second level)
Combination of NAT and VPN.
Hybrid architecture can be created in which private addresses are used within the organization and NAT is used to provide connectivity between each site and to the global internet.
Example of multiple levels of NAT:
Employee working from several computers at home connected to a LAN.
He can assign private addresses to his machines and use NAT between home and corporate intranet.
Corporation can assign private addresses to their intranet and use NAT between their intranet and global internet.

66. Slirp and IP Tables There are 2 most popular implementations of NAT
Slirp (derived from 4.4 BSD)
Combines PPP and NAT.
Is used in a dialup architecture.
One valid global IP address.
Permanent internet connection.
One or more dialup modems.
Implements NAPT. (uses protocol numbers)
Multiple computers can access internet at the same time.
Main advantage is that it can use a general UNIX account with internet access.
IP-Tables (Linux operating system)
Combination of tools for packet rewriting and fire-walling.
Provides stateful packet inspection.
NAT or NAPT can be formed using specific sets of IP-Tables rules.

67. Summary
VPN offers low cost alternative that allows an organization to use the global internet to securely interconnect multiple sites.
Two technologies exist that provide communication between the hosts in different address domains.
Application gateways act as a proxy by receiving a request from a host in one domain, forwarding it to another domain, and later returning the result to an original host.
Network Address Translation provides transparent IP-level access to the internet from a host with a private address.
Most NAT implementation perform Network Address and Port Translation. (NAPT)

68. References http://computer.howstuffworks.com/vpn.htm
IPSec vs. SSL VPNs for Secure Remote Access
Virtual private networks / Charlie Scott
Internetworking with TCP/IP – Principles, Protocols, and Architecture Volume 1 – Fifth Edition. Author: Douglas E. Comer. Publisher: Pearson Prentice Hall

69. Questions