Andreas Steffen, SNK_VPNapp.ppt, Zürcher Hochschule Winterthur

Slide 2: Virtual Private Networks
[Figure: Head Quarters, Subsidiary and Road Warrior connected across the Internet by VPN Tunnels; a VPN Gateway at Head Quarters and at the Subsidiary, a VPN Client at the Road Warrior]
Slide 3: The Road Warrior Remote Access Case
[Figure: Road Warrior (dynamic IP x.x, Virtual IP) reaches the Home Network (/16) over the Internet through an IPsec Tunnel terminated by the VPN Gateway]
- Road Warriors sign on to their home network via IKE with varying IP addresses assigned dynamically by the local ISP.
- Authentication is usually based on RSA public keys and X.509 certificates issued by the home network.
- A Virtual IP is assigned statically or dynamically by the home network. Remote hosts thus become part of an extruded net.
Slide 4: NAT-Traversal (IPsec over UDP)
Internet Drafts: draft-ietf-ipsec-udp-encaps-04.txt, draft-ietf-ipsec-nat-t-ike-04.txt
Supported by SSH Sentinel and Linux FreeS/WAN
[Figure: NAT box (e.g. ADSL modem) with IPsec-Passthrough: ESP and IKE from a single VPN client; NAT box (e.g. ADSL modem) with NAT-Traversal: ESP encapsulated in UDP]
- ESP encapsulated in UDP (port 4500)
- NAT-keepalive packets needed
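The three kinds of packet that share UDP port 4500 under the two drafts named on this slide (UDP-encapsulated ESP, IKE behind a four-byte non-ESP marker, and the one-byte NAT-keepalive) are easy to confuse in a capture. The following is an added example, not code from the slides or from any of the products named on them: it builds each kind, wraps it in a UDP header, and demultiplexes them again the way a monitoring tool on the gateway side would. The sample stream, the SPI value and the IKE header bytes are constructed for the example.

```python
import struct
from collections import Counter

# Constants from draft-ietf-ipsec-udp-encaps / draft-ietf-ipsec-nat-t-ike (later RFC 3948 / RFC 3947)
NAT_T_PORT = 4500                     # IKE and ESP both move to this port once a NAT has been detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixed to IKE messages on port 4500; an ESP SPI is never zero
NAT_KEEPALIVE = b"\xff"               # one-byte payload that keeps the NAT mapping alive
ESP_HEADER = struct.Struct("!II")     # SPI and sequence number that open every ESP packet
UDP_HEADER = struct.Struct("!HHHH")   # source port, destination port, length, checksum


def encapsulate_esp(spi, seq, esp_rest):
    """UDP payload for an ESP packet: the ESP header follows the UDP header directly."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would be mistaken for the non-ESP marker")
    return ESP_HEADER.pack(spi, seq) + esp_rest


def encapsulate_ike(ike_message):
    """UDP payload for an IKE message on port 4500: four zero bytes, then the IKE header."""
    return NON_ESP_MARKER + ike_message


def keepalive():
    """UDP payload of a NAT-keepalive packet (sent periodically by the peer behind the NAT)."""
    return NAT_KEEPALIVE


def udp_datagram(payload, sport=NAT_T_PORT, dport=NAT_T_PORT):
    """Wrap a payload in a UDP header (checksum left at zero, as IPv4 allows)."""
    return UDP_HEADER.pack(sport, dport, UDP_HEADER.size + len(payload), 0) + payload


def parse_udp(datagram):
    """Split a UDP datagram into (source port, destination port, payload)."""
    sport, dport, length, _checksum = UDP_HEADER.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError("UDP length field does not match datagram size")
    return sport, dport, datagram[UDP_HEADER.size:]


def classify(payload):
    """Tell ESP, IKE and keepalive apart on a UDP-4500 payload; returns (kind, spi, seq)."""
    if payload == NAT_KEEPALIVE:
        return ("keepalive", None, None)
    if len(payload) < ESP_HEADER.size:
        raise ValueError("truncated UDP-4500 payload")
    if payload[:4] == NON_ESP_MARKER:
        return ("ike", None, None)
    spi, seq = ESP_HEADER.unpack_from(payload)
    return ("esp", spi, seq)


def summarize(datagrams):
    """Count the packet kinds seen on UDP port 4500, e.g. for a tunnel-health view."""
    kinds = Counter()
    for dgram in datagrams:
        _sport, dport, payload = parse_udp(dgram)
        if dport == NAT_T_PORT:
            kinds[classify(payload)[0]] += 1
    return dict(kinds)


# Constructed sample traffic (not a real capture): one IKE message, two ESP packets, one keepalive.
SAMPLE_STREAM = [
    udp_datagram(encapsulate_ike(b"\x11" * 28)),                # 28-byte IKE header, contents irrelevant here
    udp_datagram(encapsulate_esp(0x0A0B0C0D, 1, b"\x00" * 24)),
    udp_datagram(encapsulate_esp(0x0A0B0C0D, 2, b"\x00" * 24)),
    udp_datagram(keepalive()),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_STREAM))   # {'ike': 1, 'esp': 2, 'keepalive': 1}
```

The classification order matters: the keepalive is checked first because it is shorter than any ESP header, and the marker is checked before reading an SPI because the drafts reserve SPI zero precisely so that the two cannot collide.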
Slide 5: Intranet VPNs
[Figure: Wireless Intranet User (VPN Client) tunnels via the WLAN Access Point to the VPN Gateway / Firewall (DMZ Interface) with peer subnet /0; Private Intranet with Intranet Server; Internet]
Wireless VPN clients tunnel 100% of their IP traffic over the insecure air link using the peer network subnet mask /0.
Slide 6: Example – University of Freiburg, Germany
- 44 WLAN access points, 1 Linux VPN gateway
- 202 active and 88 revoked X.509 certificates
- FreeS/WAN Linux clients / SSH Sentinel Windows clients
Further information:
[Figures: IPsec throughput at VPN gateway; Active VPN tunnels; Campus]
Slide 7: Extranet VPNs
[Figure: Customer and Partner Network reach the Private Network over the Internet through VPN Tunnels (VPN Client, VPN Gateway); Customer Access and Partner Access are separate]
- Network access must be partitioned and tightly controlled
- Flexible and dynamic setup of Extranet VPN connections
- Extranet VPN spans multiple administrative trust domains
Slide 8: Secure Network Communication (SNK) – Linux FreeS/WAN Security Gateway
Slide 9: Linux FreeS/WAN as a VPN Gateway
- Available from /
- OpenSource IPsec stack for Linux 2.2 and 2.4 kernels
- X.509 certificate support developed by ZHW !!!
- Easy installation via RedHat/SuSE/Debian/Mandrake RPMs
- The number of VPN tunnels is limited only by hardware resources.
- Linux FreeS/WAN can also be used as a VPN client
- Simple configuration
Road Warrior and Virtual IP support using X.509 certificates:

    conn road-warrior
        right=%any
        rightrsasigkey=%cert
        rightsubnetwithin= /16
        left=%defaultroute
        leftsubnet= /16
        leftcert=gwCert.pem
        auto=add
Slide 11: Advanced Encryption Standard (AES)
On Oct , the symmetric block cipher Rijndael, invented by the Belgian researchers J. Daemen and V. Rijmen, was declared the new Advanced Encryption Standard (AES) by NIST (www.nist.gov/aes). One year later, on Nov , AES was officially published as the U.S. Federal Information Processing Standard FIPS PUB 197.
AES works on a block size of 128 bits and can be used with key lengths of 128, 192 or 256 bits. AES is much faster than its predecessor 3DES. A 1 GHz Pentium III processor running under a Linux 2.4 kernel achieves the following constant IPsec throughput:
- 3DES: 1000 MHz / 25 = 40 Mbit/s
- AES: 1000 MHz / 11 = 91 Mbit/s (can saturate a Fast Ethernet link)
SSH Sentinel and PGPvpn have built-in AES support.
AES patch for Linux FreeS/WAN:
Slide 13: VPN Client – Windows 2000/XP
- Windows 2000/XP comes with a built-in IPsec stack
- Configuration via the mmc management console is tiresome!
- OpenSource tool from loads a text-based configuration directly into the Windows registry:

    conn client-gateway
        left=%any           # insert client IP
        right=              # gateway IP
        rightsubnet= /16    # home network
        rightca="C=CH, O=strongSec GmbH, CN=strongSec CA"
        network=lan         # lan/ras/auto
        auto=start

- WLAN clients can tunnel their whole IP traffic to the VPN gateway:

    conn wlan-gateway
        ...
        rightsubnet=*
        ...

- 3DES encryption only. Virtual IP not supported.
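The gateway conn on slide 9 and the client conn on this slide use the same "conn name / key=value" syntax, and a few of their values carry rules that are easy to get wrong: a side set to %any has no known peer address, so such a conn can only be added and must wait for the peer to initiate (FreeS/WAN refuses to initiate it), subnets must be valid CIDR networks (/0 or the Windows tool's "*" meaning all traffic), and a CA distinguished name must be a list of attribute=value pairs. The following parser and checker is an added example and is not FreeS/WAN's or the Windows tool's own code; the sample file, its addresses (RFC 1918 and RFC 5737 placeholders, since the slides give none) and the deliberately broken "bad-client" conn are constructed for it.

```python
import ipaddress

# Constructed sample in the conn syntax shown on slides 9 and 13. All addresses are placeholders.
SAMPLE_CONF = """
config setup
    interfaces=%defaultroute

conn road-warrior
    right=%any
    rightrsasigkey=%cert
    rightsubnetwithin=10.3.0.0/16
    left=%defaultroute
    leftsubnet=10.1.0.0/16
    leftcert=gwCert.pem
    auto=add

conn client-gateway
    left=203.0.113.7               # client IP
    right=192.0.2.1                # gateway IP
    rightsubnet=10.1.0.0/16        # home network
    rightca="C=CH, O=strongSec GmbH, CN=strongSec CA"
    network=lan                    # lan/ras/auto
    auto=start

conn bad-client
    left=%any                      # placeholder that was never filled in
    right=192.0.2.1
    rightsubnet=10.1.0.0/33        # invalid prefix length
    rightca="C=CH, O=strongSec GmbH, CN=strongSec CA"
    auto=start
"""


def parse_ipsec_conf(text):
    """Return {conn name: {key: value}} for every 'conn' section; other sections are skipped."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        if not line.strip():
            continue
        if not raw[0].isspace():                   # unindented line: section header
            words = line.split()
            current = words[1] if words[0] == "conn" and len(words) > 1 else None
            if current is not None:
                conns[current] = {}
            continue
        if current is None:                        # inside a non-conn section such as 'config setup'
            continue
        key, _sep, value = line.strip().partition("=")   # split on the first '=' only (DNs contain more)
        conns[current][key.strip()] = value.strip().strip('"')
    return conns


def check_conn(name, params):
    """Sanity checks an administrator would want before loading the conn; returns a list of problems."""
    problems = []
    for side in ("left", "right"):
        if params.get(side) == "%any" and params.get("auto") == "start":
            problems.append(f"{name}: {side}=%any leaves the peer address unknown, so the conn "
                            f"cannot be started; use auto=add and let the peer initiate")
        for key in (side + "subnet", side + "subnetwithin"):
            value = params.get(key)
            if value in (None, "*"):               # '*' is the Windows tool's 'all traffic' form
                continue
            try:
                ipaddress.ip_network(value, strict=False)   # accepts /0 for all-traffic tunnels
            except ValueError:
                problems.append(f"{name}: {key}={value} is not a valid CIDR network")
        ca = params.get(side + "ca")
        if ca is not None and not all("=" in rdn for rdn in ca.split(",")):
            problems.append(f"{name}: {side}ca is not a comma-separated list of attribute=value pairs")
    return problems


def check_all(text):
    """Parse a whole file and report problems per conn."""
    return {name: check_conn(name, params) for name, params in parse_ipsec_conf(text).items()}


if __name__ == "__main__":
    for conn_name, found in check_all(SAMPLE_CONF).items():
        print(conn_name, "OK" if not found else found)
```

Running it reports road-warrior and client-gateway as clean and lists two problems for bad-client: the %any side combined with auto=start, and the /33 prefix.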
Slide 14: VPN Client – SSH Sentinel
- Available from
- Free for non-commercial use.
- Runs on all Windows platforms: Win 95/98/ME/NT/2000/XP
Features
- Encryption algorithms: AES, 3DES, Twofish, Blowfish, CAST
- Virtual IP support: static, DHCP-over-IPsec, IPsec config mode
- NAT-Traversal (IPsec over UDP)
- WLAN clients: supports tunneling of /0
- Personal firewall included: pre- and post-IPsec packet filters
- Easy configuration via GUI
Slide 15: Other Windows-based VPN Clients
SafeNet/Soft-Remote (www.safenet-inc.com)
- Simple and straightforward configuration
- 3DES encryption only
- Comes with personal firewall (Zone Alarm)
PGPvpn (www.pgpi.org / )
- Freeware version PGP: IPsec transport mode only, OpenPGP certificates or pre-shared keys only
- Professional version PGP Desktop Security: IPsec tunnel mode, X.509 certificates, with personal firewall
- Network Associates (NAI) closed down PGP Security Inc. last year. PGP Corporation, founded with venture capital, bought back the intellectual property rights from NAI in June . PGP 8.0 for Windows and Macintosh was released in December 2002.
Slide 16: Interoperability Issues
IPsec using IKE has become a mature technology, but a large amount of fine-tuning is still needed to achieve interoperability.
The Interoperability Tests at the IPsec 2001 Global Summit in Paris have shown that, with authentication based on X.509 certificates, a full mesh among the following VPN gateways can be established: Linux FreeS/WAN, OpenBSD, NetScreen, Cisco IOS/PIX/VPN3000, Nortel Contivity, 6WIND (IPv6), Netcelo, Netasq
Interoperability with other VPN products has been reported: Checkpoint VPN-1, BinTec Router
Many low-end VPN products support pre-shared keys only: Symantec Firewall/VPN Appliance, ZyWall, SonicWall (basic version)