Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Guide to Network Defense and Countermeasures Chapter 7.

Published byAgatha Griffith Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Guide to Network Defense and Countermeasures Chapter 7."— Presentation transcript:

1 1 Guide to Network Defense and Countermeasures Chapter 7

2 2 Chapter 7 - Setting up a Virtual Private Network Explain the “what, why, and how” of virtual private networks (VPNs) Understand the tunneling protocols that enable secure VPN connections Describe the encryption schemes used by VPNs Know how to adjust packet filtering rules for VPNs

3 3 A VPN provides a way for two computers or networks to communicate securely using the same public channels available on the Internet The “V” in VPN means virtual; rather than a direct network cable connection, a combination of Internet- based routers and network segments are used The “P” means private; only the designated end points of the VPN connection (tunnel) participate The “N” means network; it connects one group of computers to another, and extends the network’s boundaries Exploring VPNs: What, Why, and How

4 4 VPN components: VPN server, or host is a computer configured to accept connections from clients who either dial in or connect directly using a broadband connection VPN client, or guest can be a router that serves as the end-point of a gateway-to-gateway connection, or can be a computer configured as an endpoint Tunnel - the connection through which data is sent VPN protocols are standardized communication settings that hardware and software use to encrypt data that is sent along the VPN, including IPSec, PPTP, and L2TP Exploring VPNs: What, Why, and How

5 5 Two types of VPNs: Site-to-site links two or more networks Client-to-site allows network access to dial-in users Hardware vs. software VPNs: Hardware-based VPNs connect one gateway to another; typically the gateways are routers that encrypt/decrypt, but could be a VPN appliance Software-based VPNs are usually integrated with firewalls, and as a result, increase network security; software solutions offer maximum flexibility Exploring VPNs: What, Why, and How

6 6

7 7

8 8

9 9 VPN combinations: Combining VPN hardware or software with other hardware and software adds network security; one useful combination is a VPN bundled with a firewall, since VPNs do not replace firewall functionality VPN core activity #1: Encapsulation Data encapsulation means that a packet is enclosed within another one that has different IP addressing data to provide a higher degree of protection Data packets are encapsulated within packets that use the source/destination of the VPN gateway Exploring VPNs: What, Why, and How

10 10

11 11 VPN core activity #2: Encryption Encryption is the process of rendering information unreadable by all but the intended recipient VPN endpoints encrypt/decrypt data by exchanging keys, or blocks of encoded data; the key is part of an electronic document called a digital signature VPN core activity #3: Authentication Authentication is the process of identifying a user or computer as being authorized to access a network Authentication uses digital certificates; the tunneling protocol determines the type of authentication Exploring VPNs: What, Why, and How

12 12

13 13

14 14 Why establish a VPN? The need for private business transactions drives an increasing number of organizations to adopt VPNs; e-commerce popularity provides an incentive as well; government and military agencies share more information in order to provide homeland security Budgetary considerations have always made VPNs attractive to businesses; also, many businesses employ remote users who need network access Another incentive for creating a VPN is the need to establish a high level of security in an extranet Exploring VPNs: What, Why, and How

15 15

16 16 Advantages and disadvantages of VPNs VPNs provide a high level of security, but if a VPN is poorly configured or a remote user at an endpoint disables their firewall by mistake and lets in a hacker, the normal protection can be undone VPNs can be complex to configure and the hardware can represent a substantial investment By focusing on Internet-based technologies, VPNs simplify a network overall Running a VPN means better opportunity to maximize network uptime Exploring VPNs: What, Why, and How

17 17

18 18 How to configure VPNs: To set up a VPN, define a VPN domain A VPN domain is a set of one or more computers that is handled by the VPN hardware and software as a single entity, and that uses the VPN to communicate with another domain Besides defining a VPN domain, determine whether the network gateway will be included in that domain; that, in turn, depends on whether the network has a site-to-site or client-to-site type of VPN configuration Exploring VPNs: What, Why, and How

19 19

20 20 Single and multiple-entry point configurations Smaller networks that use VPNs often have single entry point configurations, where all traffic to and from the network passes through a single gateway such as a router or firewall or both Large organizations have networks that require multiple-entry point configurations, in which multiple gateways are used, each with a tunnel connecting a different location In multiple-entry point configurations, it is important to exclude the gateway itself from the VPN domain Exploring VPNs: What, Why, and How

21 21

22 22

23 23 VPN topology configurations: In a mesh topology, all the participants in the VPN have Security Associations (SAs) with one another; full mesh is where every subnet is connected to every other; partial mesh is where any subnet may or may not be connected to the other subnets In a star topology, the VPN gateway is the hub, and other participating networks are called rim subnets As organizations with VPNs grow to include new computers and new branch offices, they naturally evolve from a mesh or hub-and-spoke to a hybrid system that combines the two topologies Exploring VPNs: What, Why, and How

24 24

25 25

26 26 IPSec/IKE: Internet Protocol Security (IPSec) was developed for enabling secure communications in the Internet IPSec has become the standard set of protocols for VPN security because: it works at the Network layer; it has the ability to encrypt the entire TCP/IP packet; it can work with IPv6; it provides authentication of source and destination computers The biggest advantage to using IPSec is the fact that it has gone through the standardization process and is supported by a wide variety of VPN hardware and software Understanding Tunneling Protocols

27 27

28 28

29 29 Secure Shell (SSH): Secure Shell (SSH) provides for authentication and encryption of TCP/IP packets over a VPN SSH works with UNIX-based systems and creates a secure Transport layer connection, and makes use of public key cryptography Socks V.5: Socks provides proxy services for applications that don’t normally support proxying; Socks Version 5 adds encrypted authentication and UDP support Understanding Tunneling Protocols

30 30 Point-to-point tunneling protocol (PPTP): Point-to-point tunneling protocol (PPTP) is a VPN configuration for users who need to dial in to a server using a modem connection on a computer running an older operating system PPTP encapsulates TCP/IP packets and uses a proprietary Microsoft technology called MPPE Layer 2 tunneling protocol (L2TP): Layer 2 tunneling protocol (L2TP) provides a higher level of security than PPTP through IPSec support Understanding Tunneling Protocols

31 31

32 32 Triple-data encryption standard (Triple- DES): Most VPNs make use of Triple-data encryption standard (Triple-DES) encryption Triple-DES is strong because it uses three separate 64-bit keys to process data Secure Sockets Layer (SSL): Secure Sockets Layer (SSL) enables Web servers and browsers to exchange encrypted information SSL sessions make use of both symmetric and asymmetric keys to encrypt data Encryption Schemes used by VPNs

33 33

34 34 Kerberos: Kerberos is a system for authentication of individual network users that was developed at MIT Kerberos uses an authentication method called authentication by assertion - the computer that connects to a server and requests services asserts that it is acting on behalf of an approved user Instead of digital certificates, Kerberos issues tickets; accessing an application protected by Kerberos requires a ticket Encryption Schemes used by VPNs

35 35 VPNs need to be used with firewalls VPNs can be located in front of existing firewalls, or placed in DMZs in parallel to an existing firewall Packet filtering rules make use of three IP packet header fields: the source address; the destination address; the Protocol Identifier (Protocol ID) Conduct packet filtering based on any or all of these fields; block all packets from an address with the source address; route entered packets with the destination address; refer to protocols (ICMP, TCP, UDP, ESP, AH) with the Protocol ID Adjusting Packet Filtering Rules for VPNs

36 36 PPTP filters For PPTP traffic to pass through a firewall, set up packet filtering rules that permit it PPTP uses two protocols: TCP and Generic Routing Encapsulation (GRE) L2TP and IPSec filters If L2TP is used, rules must be set up that permit IPSec traffic Adjusting Packet Filtering Rules for VPNs

37 37

38 38

39 39 Chapter Summary This chapter discussed issues involved in configuring a Virtual Private Network (VPN) and the role that the VPN plays in a network defense strategy VPNs are virtual in that they do not make use of proprietary leased lines. Rather, they connect computers and networks through the public Internet. VPNs are private because they send data through a secure tunnel that leads from one endpoint to another. Each endpoint is terminated by VPN hardware or software that encrypts and encapsulates the data. VPNs are networks that connect one network to one or more networks, one computer to another, or one computer to a network

40 40 Chapter Summary VPNs consist of various components. These include VPN servers, which are configured to accept connections from client computers; VPN clients; the tunnels through which data passes, and protocols that determine how the tunneled data is to be encrypted, such as IPSec. A site-to- site VPN uses such components to connect to networks. A client-to-site VPN connects a remote user to a network. VPN endpoints can be terminated by VPN hardware, software, or a combination of both

41 41 Chapter Summary VPNs perform three core activities. Encapsulation encloses one packet of digital information within another one to conceal the original packet’s source and destination IP address and to protect the contents. Encryption makes the contents of the packet - not only its data, but its header information as well - unreadable by all but the intended recipient. Authentication ensures that the computers participating in a VPN are authorized users

42 42 Chapter Summary Because VPNs can be complex to configure, the reasons for establishing them should be understood.The need to keep critical business communications private and secure drives the adoption of VPNs. The cost-effectiveness of using the Internet for VPN communications also makes VPNs attractive. On the other hand, the encryption performed by VPNs can slow down data transfer rates. Reliance on the Internet, which is often unpredictable, can result in the VPN going down along with ISP connections

43 43 Chapter Summary A VPN is often configured by establishing a VPN domain, a group of computers that are handled as one entity. Networks that use VPNs can have single entry point configurations, in which all traffic to and from the network passes through a single gateway. Some VPNs are part of multiple- entry point configurations, in which more than one gateway is used. Whether single or multiple entry points are in place in one network, that network can then be connected to other VPN participants using a mesh or star configuration, or a combination of both

44 44 Chapter Summary VPNs make use of standard instruction sets called protocols that secure tunneled communications between endpoints. IPSec combined with IKE is one of the most popular protocols because of its wide support in the industry and high degree of security through AH and ESP encryption. SSH is a protocol used to authenticate and encrypt packets in a UNIX- based environment. Version 5 of the Socks protocol can also provide security for VPN transactions, though it is not widely used. PPTP and L2TP enable remote users to dial in to a computer over a secure VPN connection

45 45 Chapter Summary Encryption is one of the techniques that make VPNs possible. Most VPNs today use Triple-DES encryption, a variation of DES in which three separate keys are used to process information. However, some VPNs use SSL encryption when Web-based applications need to be connected securely. Another system, Kerberos, is used in Windows and other OSs to give employees access to network resources for relatively short periods of time through the issuance of “tickets”

46 46 Chapter Summary VPNs need to be used in conjunction with firewalls. For the two devices to work together, packet filtering rules need to be set up. The rules cover such protocols as PPTP, L2TP, and IPSec. The have as their ultimate goal the filtering of packets so that only traffic to and from VPN endpoints passes through the VPN, and other traffic is filtered by the firewall to reach specific destinations on the network

Download ppt "1 Guide to Network Defense and Countermeasures Chapter 7."

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
11 Setting Up a Virtual Private Network

11 Setting Up a Virtual Private Network
Agenda Virtual Private Networks (VPNs) Motivation and Basics Deployment Topologies IPSEC (IP Security) Authentication Header (AH) Encapsulating Security.

Agenda Virtual Private Networks (VPNs) Motivation and Basics Deployment Topologies IPSEC (IP Security) Authentication Header (AH) Encapsulating Security.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Virtual Private Networks. Why VPN Fast, secure and reliable communication between remote locations –Use leased lines to maintain a WAN. –Disadvantages.

Virtual Private Networks. Why VPN Fast, secure and reliable communication between remote locations –Use leased lines to maintain a WAN. –Disadvantages.
SCSC 455 Computer Security Virtual Private Network (VPN)

SCSC 455 Computer Security Virtual Private Network (VPN)
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Firewall Configuration Strategies

Firewall Configuration Strategies
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Virtual Private Networks and IPSec

Virtual Private Networks and IPSec
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.

Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Understanding Networks. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.

Understanding Networks. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.

Similar presentations

Ads by Google