Virtual Private Network

Slides:



Advertisements
Similar presentations
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
Advertisements

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.
Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Internet Control Message Protocol (ICMP). Introduction The Internet Protocol (IP) is used for host-to-host datagram service in a system of interconnected.
Securing TCP/IP Chapter 6. Introduction to Transmission Control Protocol/Internet Protocol (TCP/IP) TCP/IP comprises a suite of four protocols The protocols.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Support Protocols and Technologies. Topics Filling in the gaps we need to make for IP forwarding work in practice – Getting IP addresses (DHCP) – Mapping.
A Brief Taxonomy of Firewalls
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
CCNA Introduction to Networking 5.0 Rick Graziani Cabrillo College
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
CHAPTER 2 PCs on the Internet Suraya Alias. The TCP/IP Suite of Protocols Internet applications – client/server applications The client requested data.
IP Ports and Protocols used by H.323 Devices Liane Tarouco.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 3: TCP/IP Architecture.
Chapter 6: Packet Filtering
PA3: Router Junxian (Jim) Huang EECS 489 W11 /
Chapter 13 – Network Security
1 The Firewall Menu. 2 Firewall Overview The GD eSeries appliance provides multiple pre-defined firewall components/sections which you can configure uniquely.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
Crossing firewalls Liane Tarouco Leandro Bertholdo RNP POP/RS.
Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.
1 Chapter Overview Password Protection Security Models Firewalls Security Protocols.
© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.
TCP/IP Honolulu Community College Cisco Academy Training Center Semester 2 Version 2.1.
Security, NATs and Firewalls Ingate Systems. Basics of SIP Security.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network, Enhanced Chapter 3: TCP/IP Architecture.
Internet Security and Firewall Design Chapter 32.
Linux Operations and Administration Chapter Eight Network Communications.
Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.
Lect 8 Tahani al jehain. Types of attack Remote code execution: occurs when an attacker exploits a software and runs a program that the user does not.
K. Salah1 Security Protocols in the Internet IPSec.
IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.
Polytechnic University Firewall and Trusted Systems Presented by, Lekshmi. V. S cos
An Analysis on NAT Security
Security fundamentals
Chapter4 Packet and Protocol.
Chapter 11 User Datagram Protocol
Chapter 9: Transport Layer
Virtual Private Networks
Instructor Materials Chapter 9: Transport Layer
Introduction to Networking
Introduction to Networking
TCP Transport layer Er. Vikram Dhiman LPU.
Byungchul Park ICMP & ICMPv DPNM Lab. Byungchul Park
Computer Networks 9/17/2018 Computer Networks.
Internet Control Message Protocol (ICMP)
Internet Control Message Protocol (ICMP)
* Essential Network Security Book Slides.
Access Control Lists CCNA 2 v3 – Module 11
Internet Control Message Protocol (ICMP)
TCP/IP Networking An Example
Setting Up Firewall using Netfilter and Iptables
Firewalls Routers, Switches, Hubs VPNs
Introduction to Network Security
Chapter 11: Network Address Translation for IPv4
Cengage Learning: Computer Networking from LANs to WANs
(DNS – Domain Name System)
Computer Networks Protocols
Exceptions and networking
Lecture 36.
Lecture 36.
Presentation transcript:

Virtual Private Network

Introduction Networks primarily intended for internal use are called private network. If we grant access from outside to the private network, the attack surface will significantly broaden. If the internal resources still use IP address as the basis for authorization, it is not difficult for attackers to access the protected resources

Virtual Private Network VPN allows users to create a secure, private network over a public network such as the Internet. This is achieved by: Having a designated host (VPN server) on the network Outside computers have to go through the VPN server to reach the hosts inside a private network via authentication. VPN server is exposed to the outside and the internal computers are still protected, via firewalls or reserved IP addresses.

A Typical Setup This is a typical VPN setup where the “Client” machine wants to connect with machine “V” on a private network. “Client” uses the “VPN Server” to get authenticated to the private network IP Tunneling

IP Tunneling Tunnel End A Tunnel End B Traffics inside the tunnel are protected Tunnel End A Tunnel End B The tunnel goes through a public network, such as the Internet. The actual packet between the two ends of the tunnel The payload carries another IP packet, which is the packet that needs to be protected, such as packets to/from a private network

Two Types of IP Tunneling IPSec Tunneling: Utilizes the Internet Protocol Security protocol IPSec has a mode called Tunneling mode, where the original IP packet is encapsulated and placed into a new IP packet TLS/SSL Tunneling: Tunneling done outside the kernel, at the application level Idea is to put each VPN-bound IP packet inside a TCP or UDP packet The other end of the tunnel will extract the IP packet from the TCP/UDP payload To secure the packets, both ends will use TLS/SSL protocol on top of TCP/UDP

Two Types of IP Tunneling IPSec Tunneling TLS/SSL Tunneling (we will focus on this type)

An Overview of How TLS/SSL VPN Works Question: How can the Tunnel application get an IP packet? This is just a normal TCP or UDP based SSL connection VPN Client and Server must : Establish a secure tunnel between them Forward IP packets that need to go to the other private network After receiving an IP packet, release it into the private network

TUN/TAP Interface Question: How can the Tunnel application get an IP packet? Typically, applications interact with kernel using socket Using socket, kernel only gives the data part of a packet to applications Applications need to use a different way to interact with kernel Socket Interface

TUN/TAP Interface Most operating systems have two types of network interfaces: Physical: Corresponds to the physical Network Interface Card (NIC) Virtual: It is a virtualized representation of computer network interfaces that may or may not correspond directly to the NIC card. Example: loopback device TUN Virtual Interface Work at OSI layer 3 or IP level Sending any packet to TUN will result in the packet being delivered to user space program TAP Virtual Interfaces Work at OSI layer 2 or Ethernet level Used for providing virtual network adapters for multiple guest machines connecting to a physical device of the host machine The primary task for the tunnel application is to establish a TLS/SSL channel, get IP packets from the system and send them over the channel Establishing the SSL channel will be talked about in Chapter 19 We will focus on how the tunnel application gets the IP packets from the system TUN/TAP interfaces can be seen as a point-to-point network device, which connects two computers

Creating a TUN Interface The flag IFF_TUN specifies that we are creating a TUN interface A user program can create an TUN/TAP interface and attach itself to the virtual network interface To the operating system, it appears that the packets come from an external source through the virtual network interface It is important to note that in Linux, we create network devices, including TUN/TAP devices, a process to be either root or have the CAP_NET_ADMIN capability

Configure the TUN Interface Find the TUN interface Assign an IP address to the TUN interface and bring it up

Set UP the Routing Routing packets to the tunnel

Set UP the Routing Packets to this destination should be routed to the tun0 interface, i.e., they should go through the tunnel. All other traffic will be routed to this interface, i.e., they will not go through the tunnel

Experiment: Reading From TUN Interface We did an experiment by sending a ping packet to 10.0.8.32. The packet was sent to the TUN interface and then to our program. We use “xxd” to read from the interface and convert the into hexdump. 0a00 0863: Source IP (128.0.8.99) IP Header We can see that the output includes the IP header : 45 is usually the starting octet for most IPv4 It should be noted that “<& 3” in the above command redirects the standard input device to file descriptor 3 0a00 0820: Destination IP (128.0.8.32)

Experiment: Writing To TUN Interface We can write data to TUN interfaces. We can create a valid packet using the same “xxd” command. Copy-paste the xxd output from the previous slide into a file called “hexfile” and run “xxd –r hexfile > packetfile”. Now we write the packetfile to the interface: We should be able to observe the packet using Wireshark. It should be noted that “>& 3” in the above command redirects the standard output device to file descriptor 3

Establish a Transport-Layer Tunnel A tunnel is just a TLS/SSL connection. Two applications (VPN client and server applications) just establish a TLS/SSL connection between themselves. Traffics inside are protected by TLS/SSL What makes this TLS/SSL connection a tunnel? The payloads inside are IP packets That is why it is called IP tunnel

How to Send/Receive Packets via Tunnel Sending a packet via the tunnel Get an IP packet from the TUN interface Encrypt it (also add MAC) Send it as a payload to the other end of the tunnel Receiving a packet from the tunnel Get a payload from the tunnel Decrypt it and verify its integrity We get the actual packet Write the packet to the TUN interface

Monitoring Both Interfaces Each tunnel application has two interfaces: socket and TUN Need to monitor both Forward packets between these two interfaces

Implementation (TUN  Socket) Note: the encryption step is omitted from the code (for the sake of simplicity)

Implementation (Socket  TUN) Note: the decryption step is omitted from the code (for the sake of simplicity)

Implementation (Monitoring the 2 Interfaces) select() will be blocked until one of the interfaces has data.

Case Study: Configuring a VPN

Configure VPN Server On VPN Server, we first run the server program. Configure the tun0 interface. We use 10.4.2.0/24 as IP prefix for the TUN interface (for both VPN Client and VPN Server) The following two commands assign the IP address to the tun0, bring it up and then add a corresponding route to routing table.

Configure VPN Client On VPN Client, we first run the client program. Add route for the 10.4.2.0/24 network. Add a route, so that all the packets for 192.168.60.0/24 are routed to the tun0 interface. The server program creates a TUN interface (tun0) and waits for a tunnel connection request from a client. The IP address assigned to the TUN interface on VPN server is 10.4.2.5. The client program creates a TUN interface (tun0) and sends a “hello” message to VPN Server to establish a VPN tunnel. The IP address assigned to the TUN interface on the client side is 10.4.2.99. We also need to tell VPN Client that all the traffic to private network 192.168.60.0/24 should go through the tunnel. From tun0 interface the packets will be sent through the vpn tunnel.

Configure Host V The reply packets should go back via the same VPN tunnel, so that they are protected. To ensure that, route all packets for the 10.4.2.0/24 network toward the tunnel. For Host V, we route such packets to VPN Server. Add the following routing entry to Host V: Host V connects to the 10.4.2.0/24 network via the eth1 network interface

Testing VPN: ping Testing Ping Host V from Host U and we see the following result: The following figure shows the packets generated when we ping Host V (192.168.0.6). After the VPN is setup and starts working, Host U can access Host V. All the network traffic between Host U and Host V will go through a tunnel between VPN Client and VPN Server To do the ping testing, we ping Host V from Host U. Before the VPN is established there would be no response from Host V because it is not reachable from Host U Packet No 1: generated by the ping command. Due to the routing setup, the ICMP packet is routed to the TUN interface (reason why the source IP is 10.4.2.99->assigned to tun0 Packet No 2: the tunnel application gets the ICMP packet, and then feeds it into its tunnel->put it inside a UDP packet towards the VPN Server (10.0.2.5). Packet No 3: the return UDP packet from VPN Server->inside it is an encapsulated ICMP echo reply packet from 192.168.60.6 Packet No 4: The tunnel application on VPN Client gets this UDP packet, and takes out the encapsulated ICMP packet, and gives it to kernel via the tun0 interface. Packet No 5 to 8: triggered by another ICMP echo request message.

Testing VPN: telnet Testing The following result shows that we can successfully connect to the telnet server on Host V inside the private network

Testing VPN: telnet Testing Let us break the tunnel and see what happens Observation: the telnet connection is not broken. TCP will keep resending packets, but they cannot be delivered because the tunnel is broken. Whatever we type in telnet will be buffered by TCP, not lost, but we can’t see anything. As soon as we reconnect the tunnel, everything that we have typed will show up. Telnet is still working but since the packets it sends out via the broken VPN tunnel goes no where, TCP will keep resending the packets. VPN Server will drop UDP packets and send back ICMP error messages, telling VPN Client that the port is not reachable. That is why we see multiple ICMP error messages. Whatever was typed into the telnet are actually not lost, they are buffered, waiting to be sent to the telnet server. When the server receives a character, it echo's the character back to the telnet client, which will print them to the terminal. Due to TCP transmission, when we reconnect the VPN tunnel, all the blindly typed characters will show up on the client side.

Bypassing Firewalls using VPN

Bypassing Firewall using VPN: the Main Idea Send our Facebook-bound packets to the TUN interface towards VPN server VPN server will release our Facebook-bound packets to the Internet Facebook’s reply packets will be routed to the VPN server (question: why) VPN server sends the reply packets back to us via the tunnel Question: why would Facebook reply packets be routed to the VPN server, not directly to User? Answer: The source IP address on the TUN interface (on the VPN client) belongs to the VPN server’s network. This IP address is the source IP address of the packet from User to Facebook. That is why the reply packets will be routed to the VPN server’s network, which will further route the packet to VPN server.

Experiment: Network Setup

Setting UP Firewall Setup firewall to block User from accessing Facebook We run the following command to get the list of IP prefixes owned by Facebook: We can also get IP addresses returned by Facebook’s DNS server by running the following command (this IP address can change): dig www.facebook.com VPN was developed for security purpose, but now used to defeat another security solution -> bypassing firewall. Organizations or countries conduct egress filtering on their firewall to prevent their internal users from accessing certain websites. These firewalls inspect the destination address of each outgoing packet; if the address is on their blacklist, the packet will be dropped. VPN becomes natural solution for this purpose because it can hide a disallowed packet inside a packet that is allowed. The actual packet becomes the encrypted payload inside the allowed packet.

Blocking Facebook Facebook becomes unreachable One of the IP prefixes belong to Facebook Facebook becomes unreachable

Bypassing the Firewall We add a routing entry to the user machine, changing the route for all Facebook traffic. Instead of going through eth6, we use the TUN interface: The Facebook-bound packets are going through our tunnel. The Facebook-bound packets are hidden inside a packet going to the VPN server, so it does not get blocked. VPN server will release the packet to the Internet. Replies from Facebook will come back to VPN server, which will forward it back to us via the tunnel.

Summary What is VPN? IP tunneling IP tunneling using TLS/SSL TUN/TAP interface Building a VPN using TUN/TAP interface Using VPN to bypass firewalls

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.