
Virtual Private Network (ATHENA) - presentation transcript




1 Virtual Private Network

2 Main Functions of VPN
- Privacy
- Authentication
- Data integrity
- Anti-replay

3 VPN tunnel concept for site-to-site intranet VPN

4 Mechanism of site-to-site intranet VPN
- PC1 with IP address 10.2.2.2 sends a packet to the web server with IP address 10.1.1.1.
- The router in the branch office encrypts the packet, adds a VPN header, and adds another IP header carrying public IP addresses. After that it forwards the packet.
- A man in the middle can copy the packet but cannot read its content or change it undetected.

5 Mechanism of site-to-site intranet VPN (continued)
- The device in the main office (ASA) receives the packet, confirms the authenticity of the sender, confirms that the packet has not been changed, and then decrypts the original packet.
- The web server receives the unencrypted packet.

6 Types of VPN
- Intranet VPN
- Extranet VPN
- Access VPN

7 Types of VPN

8 Tunnel Protocols
- Layer 2 Forwarding (L2F) is an early Cisco proprietary protocol. It was first used for virtual private dial-up networks (VPDN). L2F was replaced by L2TP.
- Point-to-Point Tunneling Protocol (PPTP) was created by Microsoft to allow the secure transfer of data from remote networks to the corporate network.

9 Tunnel Protocols (continued)
- Layer 2 Tunneling Protocol (L2TP) was created by Cisco and Microsoft to replace L2F and PPTP. L2TP merged the capabilities of both L2F and PPTP into one tunneling protocol.
- Generic Routing Encapsulation (GRE) is another Cisco proprietary tunneling protocol. It forms virtual point-to-point links, allowing a variety of protocols to be encapsulated in IP tunnels.

10 Which components are needed for building a VPN network?
- Router: the main function of a router is packet forwarding, but it can also provide VPN functions. A router can have a special add-on card that performs encryption more quickly.
- ASA: a Cisco security appliance that can be configured for many security functions, including VPN.
- PIX: an older Cisco firewall that can perform VPN functions; a new installation today would use an ASA instead.

11 Which components are needed for building a VPN network? (continued)
- VPN concentrator: an older Cisco product line dedicated to terminating VPN tunnels; a new installation today would use an ASA instead.
- VPN client: for access VPN, users need VPN client software.

12 IPsec VPNs
- IPsec is an architecture or framework for security services for IP networks.
- Functions of IPsec: authentication, encryption, and the rules governing each of those functions.
- IPsec allows many protocol options for each VPN feature.
- The structure of IPsec packets can be changed or extended over time to improve security.

13 IPsec Encryption
- IPsec encryption uses a pair of algorithms: one to hide (encrypt) the data, and another to re-create (decrypt) the original data from the encrypted data.
- Besides the pair of algorithms, there is an encryption key that is used with both formulas.

14 IPsec Encryption (continued)
- The formulas that can be used include the following:
  - DES (Data Encryption Standard): the oldest, and less secure than the others.
  - 3DES: applies DES three times with different 56-bit keys; stronger than DES.
  - AES (Advanced Encryption Standard): the best encryption, and requires less computation than 3DES.

15 IPsec Encryption

16 Mechanism of IPsec encryption
- The sending VPN device feeds the original packet and the session key into the formula, producing the encrypted data.
- The sending device encapsulates the encrypted data into a new packet, which includes a new IP header and a VPN header.

17 Mechanism of IPsec encryption (continued)
- The sending device sends this new packet to the destination device.
- The destination device receives the packet and runs the corresponding decryption formula, using the encrypted data and the session key to recover the original packet.

18 IPsec Key Exchange
- Why must we use a key during encryption and authentication?
- There are two kinds of key: pre-shared key and dynamic key.

19 IPsec Key Exchange (continued)
- Pre-shared key: configured manually on both devices. It is easy to configure, but the key stays constant during operation, which is a security weakness.

20 IPsec Key Exchange (continued)
- Dynamic key exchange: changes the key used to encrypt data frequently. It allows the devices to create and exchange keys securely, preventing anyone who can see the messages from deriving the key value, and limits the amount of data exposed if a single key is compromised.
- The algorithm is Diffie-Hellman. There are three options:
  - DH-1: 768 bit
  - DH-2: 1024 bit
  - DH-3: 1536 bit
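The following Python example is added to this transcript to illustrate the dynamic key exchange described on the slide; it is not code from the ATHENA presentation. Each peer keeps a private exponent, publishes only g^x mod p, and both arrive at the same shared secret, which is then hashed with two nonces into a session key (IKE derives its keying material in a similar way). The prime p = 2^61 - 1 and generator g = 3 are constructed for readability; a real IKE SA uses the MODP groups from RFC 2409 and RFC 3526 at the bit sizes listed above.

```python
import hashlib
import secrets

# Constructed demo group: p = 2^61 - 1 (a Mersenne prime), g = 3.
# Real IKE groups use the 768/1024/1536-bit MODP primes from RFC 2409 / RFC 3526;
# this small prime only keeps the arithmetic readable.
P = (1 << 61) - 1
G = 3


def keypair(private=None, p=P, g=G):
    """Choose a private exponent x (or use the one supplied) and publish g^x mod p."""
    x = private if private is not None else secrets.randbelow(p - 2) + 2
    return x, pow(g, x, p)


def shared_secret(own_private, peer_public, p=P):
    """Raise the peer's public value to our private exponent: (g^y)^x = g^(xy) mod p."""
    return pow(peer_public, own_private, p)


def session_key(secret, nonce_i, nonce_r):
    """Derive a symmetric key from the DH secret plus both peers' nonces (constructed derivation)."""
    material = secret.to_bytes(8, "big") + nonce_i + nonce_r
    return hashlib.sha256(material).digest()


def exchange(priv_a=None, priv_b=None):
    """Run one exchange; return both computed secrets and what an on-path observer could see."""
    a, pub_a = keypair(priv_a)
    b, pub_b = keypair(priv_b)
    observed = {"p": P, "g": G, "A": pub_a, "B": pub_b}  # private exponents a, b never cross the wire
    return shared_secret(a, pub_b), shared_secret(b, pub_a), observed


if __name__ == "__main__":
    k_a, k_b, seen = exchange()
    print("peers agree:", k_a == k_b)
    print("observer sees only:", sorted(seen))
    print("session key:", session_key(k_a, b"nonce-i", b"nonce-r").hex())
```

Because the observer sees p, g and the two public values but neither private exponent, recovering the secret requires solving the discrete logarithm in the group, which is what the bit sizes on the slide are sized against; running the exchange again with fresh exponents yields a new key, which is the "frequently change the key" property the slide describes.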

21 Internet Key Exchange (IKE)
- ISAKMP: the Internet Security Association and Key Management Protocol (ISAKMP) is a protocol framework that defines the payload format, the mechanics of implementing a key exchange protocol, and the negotiation of a security association (SA).
- IKE provides benefits in the following six ways.

22 Internet Key Exchange (IKE) (continued)
- It eliminates the need to manually specify all the IPsec security parameters in the crypto maps at both peers.
- It allows you to specify a lifetime for the IPsec SA.
- It allows encryption keys to change during IPsec sessions.
- It allows IPsec to provide anti-replay services.
- It permits certification authority (CA) support for a manageable, scalable IPsec implementation.
- It allows dynamic authentication of peers.

23 IPsec Authentication and Message Integrity
- Authentication refers to a process by which the receiving device can confirm that a received packet was really sent by a trusted peer.
- Authentication can use public and private keys.
- A packet can be encrypted with the sender's private key; that packet can then be decrypted with the sender's public key, which proves who sent it.

24 IPsec Authentication and Message Integrity

25 IPsec Authentication and Message Integrity (continued)
- Message integrity means that the receiver can confirm the data it receives from the sender was not changed in transit.
- Message integrity can be provided by the IPsec Authentication Header protocol using a shared key.

26 IPsec Authentication and Message Integrity (continued)
- The sender uses a hash function and the shared key to calculate a small number and puts it in the VPN header.
- The receiver also uses the hash function and the shared key to recompute the small number, and compares the two numbers.

27 IPsec Authentication and Message Integrity (continued)
- Functions that can be used for message integrity:
  - HMAC-MD5 (hash-based message authentication code, message digest algorithm 5): 128-bit hash value
  - HMAC-SHA (hash-based message authentication code, secure hash algorithm): SHA-1 160 bit, SHA-256 256 bit, SHA-512 512 bit

28 The ESP and AH security protocols
- ESP and AH are the two IPsec security protocols.
- ESP defines the rules for performing the four main functions of a VPN: authentication, message integrity, encryption, and anti-replay.
- AH can perform two of those functions: authentication and message integrity.
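To show the "small number" check of slides 26 and 27 together with the anti-replay function that slide 28 attributes to ESP, here is a Python example added for this transcript (not the presentation's own code). The sender appends an HMAC over the sequence number and payload, truncated the way IPsec does it (HMAC-MD5-96 and HMAC-SHA1-96 keep 96 bits, HMAC-SHA-256-128 keeps 128 bits); the receiver recomputes it in constant time and also keeps a 64-entry sliding window over sequence numbers so that a copied packet is refused even though its integrity value is valid. The key and payloads are constructed sample values.

```python
import hashlib
import hmac

# Truncated ICV lengths as used by IPsec: HMAC-MD5-96 / HMAC-SHA1-96 (RFC 2403/2404) keep 96 bits,
# HMAC-SHA-256-128 (RFC 4868) keeps 128 bits of the full hash.
ICV_BITS = {"md5": 96, "sha1": 96, "sha256": 128}
WINDOW = 64  # anti-replay window; RFC 4303 requires at least 32, 64 is the usual default


def compute_icv(shared_key, authenticated_bytes, algo="sha256"):
    """Keyed hash over the protected bytes, truncated to the ICV size for the algorithm."""
    full = hmac.new(shared_key, authenticated_bytes, getattr(hashlib, algo)).digest()
    return full[: ICV_BITS[algo] // 8]


def protect(shared_key, payload, seq, algo="sha256"):
    """Sender side: 4-byte sequence number, payload, then the ICV covering both."""
    header = seq.to_bytes(4, "big")
    return header + payload + compute_icv(shared_key, header + payload, algo)


class Receiver:
    """Receiver side: verify the ICV, then enforce the sliding anti-replay window."""

    def __init__(self, shared_key, algo="sha256"):
        self.key, self.algo = shared_key, algo
        self.highest = 0      # highest sequence number accepted so far
        self.seen = set()     # accepted sequence numbers still inside the window

    def accept(self, packet):
        """Return the payload, or a short reason string if the packet is rejected."""
        seq = int.from_bytes(packet[:4], "big")
        # Left of the window, or already accepted: drop before doing any hashing work.
        if seq in self.seen or seq + WINDOW <= self.highest:
            return "replay"
        n = ICV_BITS[self.algo] // 8
        body, icv = packet[:-n], packet[-n:]
        if not hmac.compare_digest(icv, compute_icv(self.key, body, self.algo)):
            return "bad-icv"
        # Only a packet that passed the ICV check may advance the window.
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > self.highest - WINDOW}
        return body[4:]


if __name__ == "__main__":
    key = b"constructed-shared-key"          # constructed sample key
    rx = Receiver(key)
    pkt = protect(key, b"GET / HTTP/1.0", 1)  # constructed sample payload
    print(rx.accept(pkt))                    # payload is returned
    print(rx.accept(pkt))                    # same packet again -> replay
    print(rx.accept(pkt[:-1] + b"\x00"))     # flipped ICV byte -> bad-icv
```

The order matters: the window is consulted before the ICV is computed so that floods of replayed packets cost no hashing, but the window is only updated after the ICV verifies, so a forged packet with a high sequence number cannot push genuine traffic out of the window.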

29 IPsec Encapsulation
- IPsec encapsulates packets using ESP and AH.
- IPsec encapsulates data by one of two methods: transport mode or tunnel mode.

30 Transport Mode
- Transport mode encapsulation uses the original IP header and inserts the header for ESP and/or AH after it.
- In transport mode, the original IP header must contain a routable IP address.

31 Transport Mode
- Packet format using ESP in transport mode

32 Transport Mode
- Packet format using AH in transport mode

33 Transport Mode
- Packet format using ESP and AH in transport mode

34 Tunnel Mode
- In tunnel mode encapsulation, the original IP header does not transport the packet.
- A new IP header is created using the IP addresses of the IPsec peers as the source and destination of the packet.
- The addresses of the originating devices can be private, so they are less exposed to unwanted access.
- Tunnel mode uses ESP and/or AH.

35 Tunnel Mode
- Packet format using ESP in tunnel mode

36 Tunnel Mode
- Packet format using AH in tunnel mode

37 Tunnel Mode
- Packet format using ESP and AH in tunnel mode
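The packet-format slides for transport mode (31 to 33) and tunnel mode (35 to 37) were diagrams; the Python example below is added for this transcript (it is not the presentation's code) to build the ESP layouts byte by byte and show what differs. In transport mode the original IP header stays on the outside and only the transport payload is protected; in tunnel mode the whole original packet, private 10.x addresses included, becomes the ESP payload and a new outer header carries the peers' addresses. The cipher is a SHA-256 keystream stand-in so the block runs with the standard library only (a real SA would use AES), the ICV is left out to keep the focus on encapsulation, and the addresses 203.0.113.10 / 198.51.100.20 and the SPI values are constructed sample values.

```python
import hashlib
import ipaddress
import struct

ESP = 50        # IP protocol number carried by the outer header
IP_IN_IP = 4    # ESP next-header value when the payload is a whole IPv4 packet (tunnel mode)
KEY = b"constructed-demo-key"  # constructed sample key shared by both peers


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options; checksum left at zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_ipv4(buf):
    f = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return {"src": str(ipaddress.IPv4Address(f[8])), "dst": str(ipaddress.IPv4Address(f[9])),
            "proto": f[6], "payload": buf[20:]}


def xor_keystream(spi, seq, data):
    """Stand-in for the ESP cipher: a SHA-256 keystream bound to the SA (SPI) and sequence number.
    A real SA uses AES here; the surrounding packet structure is what this example is about."""
    stream = b""
    for block in range((len(data) + 31) // 32):
        stream += hashlib.sha256(KEY + struct.pack("!IIQ", spi, seq, block)).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_encapsulate(inner, spi, seq, mode, tunnel_src=None, tunnel_dst=None):
    """Return the packet that leaves the VPN gateway for the requested mode."""
    orig = parse_ipv4(inner)
    if mode == "tunnel":
        body, next_header = inner, IP_IN_IP        # the entire original packet is hidden
        src, dst = tunnel_src, tunnel_dst           # new header: the IPsec peers' addresses
    elif mode == "transport":
        body, next_header = orig["payload"], orig["proto"]  # original header reused, payload protected
        src, dst = orig["src"], orig["dst"]
    else:
        raise ValueError(mode)
    trailer = bytes([0, next_header])               # ESP trailer: pad length 0, next header
    esp = struct.pack("!II", spi, seq) + xor_keystream(spi, seq, body + trailer)
    return ipv4_header(src, dst, ESP, len(esp)) + esp


def observer_view(packet):
    """Everything a device on the path can read without the key."""
    outer = parse_ipv4(packet)
    spi, seq = struct.unpack("!II", outer["payload"][:8])
    return {"src": outer["src"], "dst": outer["dst"], "proto": outer["proto"], "spi": spi, "seq": seq}


def esp_decapsulate(packet):
    """Receiving peer: strip ESP and rebuild the original packet for either mode."""
    outer = parse_ipv4(packet)
    spi, seq = struct.unpack("!II", outer["payload"][:8])
    plain = xor_keystream(spi, seq, outer["payload"][8:])
    body, next_header = plain[:-2], plain[-1]
    if next_header == IP_IN_IP:
        return body                                 # tunnel mode: the original packet itself
    return ipv4_header(outer["src"], outer["dst"], next_header, len(body)) + body


if __name__ == "__main__":
    inner = ipv4_header("10.2.2.2", "10.1.1.1", 6, 5) + b"hello"   # constructed inner packet
    for mode in ("transport", "tunnel"):
        pkt = esp_encapsulate(inner, 0x1000, 1, mode, "203.0.113.10", "198.51.100.20")
        print(mode, observer_view(pkt), esp_decapsulate(pkt) == inner)
```

The observer view makes the slides' point concrete: in tunnel mode the outer header shows only the two gateway addresses, protocol 50 and the SPI, while in transport mode the original endpoints 10.2.2.2 and 10.1.1.1 remain readable, which is also why slide 30 requires them to be routable.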

