3The „Road Warrior“ Remote Access Case InternetVirtual IPHome NetworkIPsec Tunnel55.66.x.xDynamic IP/16VPN GatewayRoad WarriorRoad Warrior sign on to their home network via IKE with varying IP addresses assigned dynamically by the local ISP.Authentication is usually based on RSA public keys and X.509 certificates issued by the home network.Virtual IP assigned statically or dynamically by the home network. Remote hosts thus become part of an extruded net.
4NAT-Traversal (IPsec over UDP) Internet Drafts: draft-ietf-ipsec-udp-encaps-04.txt draft-ietf-ipsec-nat-t-ike-04.txtSupported by SSH Sentinel and Linux FreeS/WANNAT box (e.g. ADSL modem) with IPsec-PassthroughESP and IKE from a single VPN clientNAT box (e.g. ADSL modem) with NAT-TraversalESP encapsulated in UDP (port 4500)NAT-keepalive packets needed
5Wireless Intranet User Intranet VPNsWireless VPN clients tunnel 100% of their IP traffic over the insecure air link using the peer network subnet mask /0.VPN ClientVPN Tunnel /0Wireless Intranet UserWLAN Access PointDMZ InterfaceInternetPrivate IntranetIntranet ServerVPN Gateway / Firewall
6Example – University of Freiburg, Germany IPsec throughput at VPN gatewayCampusActive VPN tunnels44 WLAN access points, 1 Linux VPN gateway202 active and 88 revoked X.509 certificatesFreeS/WAN Linux clients / SSH Sentinel Windows clientsFurther information:
7Extranet VPNsCustomerVPN ClientCustomer AccessInternetPrivate NetworkVPN TunnelPartner NetworkPartner AccessVPN TunnelVPN GatewayVPN GatewayNetwork access must be partitioned and tightly controlledFlexible and dynamic setup of Extranet VPN connectionsExtranet VPN spans multiple administrative trust domains
8Sichere Netzwerkkommunikation (SNK) Linux FreeS/WAN Security Gateway
9Linux FreeS/WAN as a VPN Gateway Available from /OpenSource IPsec stack for Linux 2.2 and 2.4 kernelsX.509 certificate support developed by ZHW !!!Easy installation via RedHat/SuSE/Debian/Mandrake RPMsNumber of VPN tunnels is limited by hardware resources, only.Linux Free/SWAN can also be used as a VPN clientRoad Warrior and Virtual IP support using X.509 certificates: conn road-warrior right=%any rightrsasigkey=%cert rightsubnetwithin= /16 left=%defaultroute leftsubnet= /16 leftcert=gwCert.pem auto=addSimple configurationleftrightleftsubnetgwCert%cert
11Advanced Encryption Standard (AES) On Oct , the symmetric block cipher Rijndael invented by the Belgian researchers J. Daemen and V. Rijmen was declared the new Advanced Encryption Standard (AES) by NIST (www.nist.gov/aes). One year later on Nov , AES was officially published as the U.S. Federal Information Processing Standard FIPS PUBS 197.AES works on a block size of 128 bits and can be used with key lengths of 128, 192 or 256 bits.AES is much faster than its predecessor 3DES. A 1 GHz Pentium III processor running under a Linux 2.4 kernel achieves the following constant IPsec throughput:3DES: MHz / 25 = 40 Mbit/sAES: MHz / 11 = 91 Mbit/s (can saturate a Fast Ethernet link)SSH Sentinel and PGPvpn have built-in AES support.AES patch for Linux FreeS/WAN:
13VPN Client - Windows 2000/XP Windows 2000/XP comes with a built-in IPsec stackConfiguration via the mmc management console is tiresome!OpenSource tool from loads text-based configuration directly into Windows registry: conn client-gateway left=%any # insert client IP right= # gateway IP rightsubnet= /16 # home network rightca=”C=CH,O=strongSec GmbH, CN=strongSec CA” network=lan # lan/ras/auto auto=startWLAN clients can tunnel whole IP traffic to VPN gateway conn wlan-gateway rightsubnet=* ...3DES encryption only. Virtual IP not supported.
14VPN Client – SSH Sentinel Available from Free for non-commercial use.Runs on all Windows platforms: Win 95/98/ME/NT/2000/XPFeaturesEncryption algorithms: AES, 3DES, Twofish, Blowfish, CASTVirtual IP support: - static - DHCP-over-IPsec - IPsec config modeNAT-Traversal (IPsec over UDP)WLAN clients: Supports tunneling of /0Personal firewall included: Pre- and Post-IPsec packet filtersEasy configuration via GUI
15Other Windows-based VPN Clients SafeNet/Soft-Remote (www.safenet-inc.com)Simple and straight-forward configuration3DES encryption onlyComes with personal firewall (Zone Alarm)PGPvpn (www.pgpi.org /Freeware Version PGP IPsec transport mode only - OpenPGP certificates or pre-shared keys onlyProfessional Version PGP Desktop Security IPsec tunnel mode - X.509 certificates, with personal firewallNetwork Associates (NAI) closed down PGP Security Inc. last year. PGP Corporation founded with venture capital bought back the intellectual property rights from NAI in June 2002.PGP 8.0 for Windows and Macintosh released in December 2002.
16Interoperability Issues IPsec using IKE has become a mature technology, but still a large amount of fine-tuning is needed to achieve interoperability.The Interoperability Tests at the IPsec 2001 Global Summit in Paris have shown that with authentication based on X.509 certificates a full mesh among the following VPN gateways can be established:Linux FreeS/WAN, OpenBSD, NetScreen, Cisco IOS/PIX/VPN3000Nortel Contivity, 6WIND (IPv6), Netcelo, NetasqInteroperability with other VPN products have been reported:Checkpoint VPN-1, BinTec RouterMany low-end VPN products support pre-shared keys, only:Symantec Firewall/VPN Appliance, ZyWall, SonicWall (basic version)