Presentation is loading. Please wait.

Presentation is loading. Please wait.

Virtual Private Network

Published byAlvin Hunt Modified over 6 years ago

Similar presentations

Presentation on theme: "Virtual Private Network"— Presentation transcript:

1 Virtual Private Network
Dr. Muazzam A. Khan

2 Virtual Private Networks
Introduction What security problems do VPNs solve ? What security problems are not solved by VPNs ? VPN Principles of operation: tunneling, encapsulation, encryption and authentication VPN Technologies: Microsoft PPTP, L2TP and IPsec

3 History and background of VPNs 1
Internet multi-site organisations operated private networks using leased lines. This approach was expensive and inflexible. It became cheaper to use shared Internet than dedicated.

4 Virtual Private Networks
Virtual Private Network is a type of private network that uses public telecommunication, such as the Internet, instead of leased lines to communicate. VPNs enabled more flexible use of larger networks by removing network geography constraints from shared-insider LAN/Intranet associations and services.

5 What problems do VPNs solve ?
Avoiding costs of fixed lines. Extending security context of LAN across sites, regardless of geography, including to mobile users. Authentication: knowing who your users are. Encryption: preventing monitoring of use of insecure client server applications at the network level.

6 What security problems do VPNs not solve ?
Traffic analysis: monitoring of packet sizes, network usage times, endpoints of conversation etc. VPNs can be used with firewalls, by encapsulating traffic prohibited by organisation policy within a firewalled perimeter which the firewall can't inspect or control.

7 Tunneling Typically a VPN consists of a set of point to point connections tunnelled over the Internet. The routers carrying this traffic over the Internet see each P2P connection externally as a sequence of packets routed between endpoints.

8 VPN Architecture ISP Access Server VPN Device leased circuits Office Telephone Line VPN Device Employee’s Home Internet Backbone VPN Tunnel VPN Tunnel Office VPN Device VPN is transparent to the users, ISP, and the Internet as a whole; It appears to be simply a stream of packets moving across the Internet Backbone

9 Encapsulation In order to achieve tunnelling,
The packets including payloads, to and from addresses, port numbers and other standard protocol packet headers are encapsulated as the payload of packets as seen by the external routers carrying the connection.

10

11 Authentication A digital signing scheme is typically used to enable verification of the VPN principals. Note that both the client and the server need to authenticate each other. Message authentication codes, hashes or checksums are typically used to authenticate message contents.

12 Encryption To protect the privacy of the connection from external snooping, the payload of the packets visible externally will be encrypted. To enable routing over conventional networks, the packet headers of the 2nd encapsulating packets are not encrypted, but the packet headers of the 1st encapsulated packets are encrypted along with their contents.

13 VPN Topology: Types of VPNs
Remote access VPN Site-to-Site VPN

14 Types of VPNs Remote Access VPN
Provides access to internal corporate network over the Internet. Reduces long distance technical support costs. Corporate Site Internet

15 Types of VPNs Site-to-Site VPN Connects multiple offices over Internet
Corporate Site Remote Access VPN Site-to-Site VPN Connects multiple offices over Internet Reduces dependencies on frame relay and leased lines Internet Branch Office

16 Types of VPNs Remote Access VPN Site-to-Site VPN Extranet VPN Provides business partners access to critical information (Fin, sales tools, etc) Reduces transaction and operational costs Corporate Site Internet Partner #2 Partner #1

17 LAN clients with sensitive data
Types of VPNs Remote Access VPN Site-to-Site VPN Extranet VPN Intranet VPN: Links corporate headquarters, remote offices, and branch offices over a shared infrastructure using dedicated connections. Database Server LAN clients Internet LAN clients with sensitive data

18 VPN Topology: How it works
Operates at layer 2 or 3 of OSI model Layer 2 frame – Ethernet Layer 3 packet – IP

19 VPN Components: Protocols
IP Security (IPSec) Transport mode Tunnel mode Point-to-Point Tunneling Protocol (PPTP) Uses PPP (Point-to-Point Protocol)

20 VPN Components: Protocols
Layer 2 Tunneling Protocol (L2TP) Exists at the data link layer of OSI Composed from PPTP and L2F (Layer 2 Forwarding) Compulsory tunneling method

21 Point-to-Point Tunneling Protocol (PPTP)
Layer 2 remote access VPN distributed with Windows product family Based on Point-to-Point Protocol (PPP) Uses proprietary authentication and encryption Limited user management and scalability Corporate Network Remote PPTP Client PPTP RAS Server Internet ISP Remote Access Switch

22 PPP Point-to-Point Protocol (PPP)
PPP was created for dialing into a local RAS (Remote Access server) But the site’s RAS may be far away Long-distance calls are expensive RAS Long-Distance Call

23 PPTP Point-to-Point Tunneling Protocol (PPTP)
We would like PPP to work over the Internet to avoid long-distance telephone charges But PPP is only a data link layer protocol It is only good for transmission within a subnet (single network) RAS

24 PPTP The Point-to-Point Tunneling Protocol (PPTP) makes this possible
Created by Microsoft Widely used Access Concentrator RAS

25 PPTP PPTP Operation User dials into local PPTP access concentrator host User sends the access concentrator a PPP frame within an IP packet Access Concentrator RAS Packet

26 PPTP PPTP Operation Access concentrator places incoming IP packet within another IP packet Sends packet to the distant RAS Access Concentrator RAS Encapsulated Packet

27 PPTP PPTP Operation Distant RAS removes the original packet
Deals with the PPP frame within the packet RAS

28 PPTP PPTP Encapsulation
Access concentrator receives the original IP packet, which has the IP address of the access concentrator Adds an enhanced general routing encapsulation (GRE) header for security Adds a new IP header with the IP address of the RAS Original IP Packet Enhanced GRE Header New IP Header RAS Access Concentrator Tunnel

29

30

31 IPSec IPSec is an Internet Engineering Task Force (IETF) standard suite of protocols that provides data authentication confidentiality key management Applicable to use over LANs, across public & private WANs, & for the Internet IP-level security encompasses three functional areas: authentication, confidentiality, and key management. The authentication mechanism assures that a received packet was transmitted by the party identified as the source in the packet header, and that the packet has not been altered in transit. The confidentiality facility enables communicating nodes to encrypt messages to prevent eavesdropping by third parties. The key management facility is concerned with the secure exchange of keys. IPSec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet.

32 IPSec Uses Transparency
Stallings Figure 16.1 illustrates a typical IP Security scenario. An organization maintains LANs at dispersed locations. Nonsecure IP traffic is conducted on each LAN. For traffic offsite, through some sort of private or public WAN, IPSec protocols are used. These protocols operate in networking devices, such as a router or firewall, that connect each LAN to the outside world. The IPSec networking device will typically encrypt and compress all traffic going into the WAN, and decrypt and decompress traffic coming from the WAN; these operations are transparent to workstations and servers on the LAN. Secure transmission is also possible with individual users who dial into the WAN. Such user workstations must implement the IPSec protocols to provide security. Security Associations A one-way relationship between sender & receiver that affords security for traffic flow Can be between A pair of hosts A host and a security gateway A pair of security gateways

33 Benefits of IPSec Its below transport layer, hence transparent to applications Can be transparent to end users Can provide security for individual users [MARK97] lists the benefits shown for IPSec. It also plays a vital role in the routing architecture required for internetworking.

34 Architecture & Concepts
Tunnel vs. Transport mode Security association (SA) Security parameter index (SPI) Security policy database (SPD) SA database (SAD) Authentication header (AH) Protocol Encapsulating security payload (ESP) Protocol

35 Transport Mode vs. Tunnel Mode
Transport mode: host -> host Tunnel mode: gateway->gateway Encrypted Tunnel Gateway 1 Gateway 2 Encrypted Unencrypted A Unencrypted B The difference between end-to-end (transport) mode and end-to-intermediate (tunnel) mode. Transport mode provides protection primarily for upper-layer protocol payloads, by inserting the AH after the original IP header and before the IP payload. Typically, transport mode is used for end-to-end communication between two hosts. Tunnel mode provides protection to the entire IP, after the AH or ESP fields are added to the IP packet, the entire packet plus security fields is treated as the payload of new “outer”IP packet with a new outer IP header. Tunnel mode is used when one or both ends of an SA are a security gateway, such as a firewall or router that implements IPSec. New IP Header AH or ESP Header TCP Data Orig IP Header

36 Transport Mode ESP protects higher layer payload only
IP header IP options IPSec header Higher layer protocol ESP Real IP destination AH ESP protects higher layer payload only AH can protect IP headers as well as higher layer payload

37 Tunnel Mode ESP applies only to the tunneled packet
Outer IP header IPSec header Inner IP header Higher layer protocol ESP Real IP destination Destination IPSec entity AH ESP applies only to the tunneled packet AH can be applied to portions of the outer header

Download ppt "Virtual Private Network"

Similar presentations

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Virtual Private Networks. Why VPN Fast, secure and reliable communication between remote locations –Use leased lines to maintain a WAN. –Disadvantages.

Virtual Private Networks. Why VPN Fast, secure and reliable communication between remote locations –Use leased lines to maintain a WAN. –Disadvantages.
SCSC 455 Computer Security Virtual Private Network (VPN)

SCSC 455 Computer Security Virtual Private Network (VPN)
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.
VPN – Technologies and Solutions CS158B Network Management April 11, 2005 Alvin Tsang Eyob Solomon Wayne Tsui.

VPN – Technologies and Solutions CS158B Network Management April 11, 2005 Alvin Tsang Eyob Solomon Wayne Tsui.
K. Salah1 Security Protocols in the Internet IPSec.

K. Salah1 Security Protocols in the Internet IPSec.
Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.

Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.
Virtual Private Networks (VPN’s)

Virtual Private Networks (VPN’s)
1 © J. Liebeherr, All rights reserved Virtual Private Networks.

1 © J. Liebeherr, All rights reserved Virtual Private Networks.
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
1 L2TP OVERVIEW 18-May-05. 2 Agenda VPN Tunneling PPTP L2F LT2P.

1 L2TP OVERVIEW 18-May Agenda VPN Tunneling PPTP L2F LT2P.
Virtual Private Network (VPN) SCSC 455. VPN A virtual private network that is established over, in general, the Internet – It is virtual because it exists.

Virtual Private Network (VPN) SCSC 455. VPN A virtual private network that is established over, in general, the Internet – It is virtual because it exists.
12-Sep-15 Virtual Private Network. Why the need To transmit files securely without disclosing sensitive information to others in the Internet.

12-Sep-15 Virtual Private Network. Why the need To transmit files securely without disclosing sensitive information to others in the Internet.
Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.

Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.
1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.

1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.
VIRTUAL PRIVATE NETWORK By: Tammy Be Khoa Kieu Stephen Tran Michael Tse.

VIRTUAL PRIVATE NETWORK By: Tammy Be Khoa Kieu Stephen Tran Michael Tse.

Similar presentations

Ads by Google