
Virtual Private Networks (VPN)


1 Virtual Private Networks (VPN)
Generic Routing Encapsulation (GRE)
TLS (SSL-VPN)
CN8816: Network Security

2 1. Generic Routing Encapsulation (GRE)
Tunneling: encapsulation with a delivery header
The addresses in the delivery header are the addresses of the head-end and the tail-end of the tunnel, not of the private hosts
[Figure: two private network sites (a /16 each) joined across the public network by a GRE tunnel; the delivery header carries the tunnel endpoint addresses]

3 1. Generic Routing Encapsulation (GRE)
Structure of a GRE encapsulated packet: delivery (outer IP) header, GRE header, then the original packet as payload

4 1. Generic Routing Encapsulation (GRE)
IP access to the tunnel through the tunnel interface
[Figure: two customer sites (a /16 each), each behind a gateway; each gateway's serial 0/0 faces the Internet, its tunnel 0 interface terminates the GRE tunnel, and e0 faces the site]

5 1. Generic Routing Encapsulation (GRE)
Tunneling mechanism at IP: outbound traffic
Routing table of R1: a /16 via e0, a /30 via s0, a /16 via tunnel0, and the default route /0 via s0
[Figure: packet path e0 -> route lookup -> tunnel0 (GRE encapsulation, delivery header added) -> second route lookup on the delivery header -> s0]

6 1. Generic Routing Encapsulation (GRE)
Inbound traffic
Routing table of R2: a /16 via e0, a /30 via s0, a /16 via tunnel0, and the default route /0 via s0
[Figure: packet path s0 -> delivery header addressed to R2 -> tunnel0 (GRE decapsulation) -> route lookup on the inner header -> e0]
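The encapsulation and decapsulation steps of the two preceding slides, as an added example (not code from the lecture): it builds the delivery header and the 4-byte base GRE header of RFC 2784 around an inner IPv4 packet and then unpacks it the way the tail-end router would. The addresses (documentation ranges), the UDP payload and the tunnel endpoints are constructed for the example, since the lecture's own addresses did not survive extraction. It also makes the security point explicit: the private payload is readable in the outer packet, which is why GRE is paired with IPsec later in the lecture.

```python
"""Build and unpack a GRE-over-IPv4 packet: delivery IP header | GRE header | inner IP packet."""
import struct
import ipaddress

GRE_IP_PROTO = 47      # "protocol" field of the delivery header
PTYPE_IPV4 = 0x0800    # GRE protocol-type for an IPv4 payload (RFC 2784)


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, head_end: str, tail_end: str) -> bytes:
    """Prepend the base GRE header (C=K=S=0, version 0) and a delivery header whose
    addresses are the tunnel head-end and tail-end, not the private hosts."""
    gre = struct.pack("!HH", 0x0000, PTYPE_IPV4)
    return ipv4_header(head_end, tail_end, GRE_IP_PROTO, 4 + len(inner)) + gre + inner


def gre_decapsulate(packet: bytes) -> dict:
    """Strip the delivery and GRE headers, checking what a tail-end router checks."""
    ihl = (packet[0] & 0x0F) * 4
    outer = packet[:ihl]
    if ip_checksum(outer) != 0:
        raise ValueError("bad delivery header checksum")
    if outer[9] != GRE_IP_PROTO:
        raise ValueError("delivery header protocol is not GRE")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    # Optional fields follow the base header when the C, K or S bits are set (4 bytes each).
    glen = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    return {
        "delivery_src": str(ipaddress.IPv4Address(outer[12:16])),
        "delivery_dst": str(ipaddress.IPv4Address(outer[16:20])),
        "protocol_type": ptype,
        "inner": packet[ihl + glen:],
    }


def is_valid_gre(packet: bytes) -> bool:
    """True when the packet decapsulates cleanly, False on any of the checks above."""
    try:
        gre_decapsulate(packet)
        return True
    except ValueError:
        return False


def inner_is_visible(packet: bytes, needle: bytes) -> bool:
    """GRE adds no confidentiality: the private payload crosses the public network in clear."""
    return needle in packet


# Constructed sample: host 10.1.0.5 at site A sends a UDP datagram to 10.2.0.7 at site B.
PAYLOAD = b"site-A to site-B"
UDP = struct.pack("!HHHH", 40000, 53, 8 + len(PAYLOAD), 0) + PAYLOAD  # UDP checksum 0 is legal on IPv4
INNER = ipv4_header("10.1.0.5", "10.2.0.7", 17, len(UDP)) + UDP
# Tunnel head-end / tail-end: the gateways' public (serial) addresses, constructed here.
PACKET = gre_encapsulate(INNER, "192.0.2.1", "198.51.100.1")

if __name__ == "__main__":
    d = gre_decapsulate(PACKET)
    print(f"delivery {d['delivery_src']} -> {d['delivery_dst']}, protocol type 0x{d['protocol_type']:04x}")
    print("inner packet recovered unchanged:", d["inner"] == INNER)
    print("payload readable on the wire:", inner_is_visible(PACKET, PAYLOAD))
```

Note that nothing in the decapsulation path authenticates the sender: any host that can reach the tail-end's public address and knows (or guesses) the head-end address can inject packets into the private site, another reason the tunnel is wrapped in IPsec in section 3.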

7 1. Generic Routing Encapsulation (GRE)
Example (the same tunnel configured on R1 and on R2; the peer and route addresses are not preserved in the transcript):

  interface tunnel0
   ip unnumbered s0
   tunnel source s0
   tunnel destination
  !
  ip route tunnel0

  interface tunnel0
   ip unnumbered s0
   tunnel source s0
   tunnel destination
  !
  ip route tunnel0

Routing table of R1: a /16 via e0, a /30 via s0, a /16 via tunnel0, and the default route /0 via s0

8 1. Generic Routing Encapsulation (GRE)
GRE tunneling with routing: because tunnel0 is an ordinary routable interface, routing updates (the subnets of a /8) are exchanged through the tunnel, so each site learns the other's prefixes dynamically

9 Virtual Private Networks (VPN)
3. IP Security (IPsec)
IPsec and Dynamic Routing
IPsec-protected traffic must be pre-defined (traffic selectors)
Plain IPsec therefore only supports static routing
Example: the IPsec tunnel is set up for the traffic between one /16 and another /16; when a new site (a third /16) is added, the tunnel will not carry the traffic to the new site until the selectors are changed

10 Virtual Private Networks (VPN)
3. IP Security (IPsec)
IPsec/GRE
GRE defines a tunnel interface; IPsec transport mode provides the security for the GRE packets between the tunnel endpoints
[Figure: routing table with routes via inside, tunnel0 and outside; a packet from inside is routed to tunnel0, GRE-encapsulated, protected by IPsec in transport mode, and sent out through outside as an IPsec-protected packet]

11 Virtual Private Networks (VPN)
3. IP Security (IPsec)
Virtual Tunnel Interface
Provides a secure tunnel by associating the virtual interface with IPsec: packets routed to tunnel0 are IPsec-protected directly, with no GRE header
[Figure: routing table with routes via inside, tunnel0 and outside; a packet from inside is routed to tunnel0, protected by IPsec, and sent out through outside]
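The contrast drawn in the three preceding slides, as an added example (not code from the lecture): a crypto-map style policy matches traffic against pre-defined selectors, while a tunnel interface (GRE/IPsec or VTI) needs only a route. The site prefixes and interface names below are constructed, as are the class names; the one practitioner caveat it adds is that with a crypto map the traffic to an unlisted site does not stall, it leaves the outside interface in clear unless the policy fails closed.

```python
"""Policy-based IPsec (pre-defined selectors) versus a routed tunnel interface."""
import ipaddress


class CryptoMap:
    """IPsec selectors: only traffic matching a (src, dst) pair gets an SA; anything else is
    outside the tunnel and, given a route, is forwarded unprotected."""

    def __init__(self, selectors):
        self.selectors = [(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in selectors]

    def classify(self, src: str, dst: str) -> str:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for s, d in self.selectors:
            if src_ip in s and dst_ip in d:
                return "ipsec"
        return "clear"


class FailClosedCryptoMap(CryptoMap):
    """Same selectors plus a deny for any other private-to-private traffic, so a site that the
    selectors do not know yet is dropped rather than leaked."""

    def __init__(self, selectors, private=("10.0.0.0/8",)):
        super().__init__(selectors)
        self.private = [ipaddress.ip_network(p) for p in private]

    def classify(self, src: str, dst: str) -> str:
        verdict = super().classify(src, dst)
        if verdict == "clear" and any(ipaddress.ip_address(dst) in p for p in self.private):
            return "drop"
        return verdict


class RoutingTable:
    """Longest-prefix-match table; a route pointing at tunnel0 is all a destination needs to be
    protected, so a routing update received over the tunnel adds a site without touching IPsec."""

    def __init__(self, routes):
        self.routes = []
        for prefix, iface in routes:
            self.add_route(prefix, iface)

    def add_route(self, prefix: str, iface: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), iface))
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, dst: str):
        dst_ip = ipaddress.ip_address(dst)
        for net, iface in self.routes:
            if dst_ip in net:
                return iface
        return None


# Constructed topology: R1 fronts 10.1.0.0/16, the existing peer site is 10.2.0.0/16,
# and 10.3.0.0/16 is the new site that comes up later.
SELECTORS = [("10.1.0.0/16", "10.2.0.0/16")]
R1_ROUTES = [("10.1.0.0/16", "e0"), ("10.2.0.0/16", "tunnel0"), ("0.0.0.0/0", "s0")]
CRYPTO = CryptoMap(SELECTORS)
SAFE_CRYPTO = FailClosedCryptoMap(SELECTORS)


def new_site_outcomes(src: str = "10.1.0.5", dst: str = "10.3.0.9") -> dict:
    """Fate of a packet for the new site before and after the site is learnt by routing."""
    table = RoutingTable(R1_ROUTES)
    before = {"crypto_map": CRYPTO.classify(src, dst),
              "fail_closed": SAFE_CRYPTO.classify(src, dst),
              "route_based": table.lookup(dst)}
    table.add_route("10.3.0.0/16", "tunnel0")   # routing update received over the tunnel
    after = {"crypto_map": CRYPTO.classify(src, dst),
             "fail_closed": SAFE_CRYPTO.classify(src, dst),
             "route_based": table.lookup(dst)}
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, outcome in new_site_outcomes().items():
        print(phase, outcome)
```

The crypto map never changes verdict: the new site stays "clear" (or "drop" with the fail-closed variant) until someone edits the selectors, whereas the routed tunnel switches from the default route to tunnel0 as soon as the prefix is learnt.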

12 2. Transport-Layer Security (TLS)
TLS architecture: provides a secure connection between two application entities
Handshake protocol: authentication, cipher suite negotiation, key generation
Alert protocol: error and alert reporting
Record protocol: encryption, MAC (integrity check) and compression

13 2. Transport-Layer Security
TLS Record protocol
Four connection states: the current read and write states, and the pending read and write states
Security parameters:
- Connection end (client/server)
- Bulk encryption algorithm: type, key_size, ...
- MAC algorithm: hash_size
- Compression algorithm
- Master secret
- Client random, Nc
- Server random, Ns
Keys: Client_MAC_Write, Server_MAC_Write, Client_Write_Key, Server_Write_Key, IVs

14 2. Transport-Layer Security
Messages are processed using the current read or write state
Record layout: Type, Version, Length, then the (compressed) fragment, the MAC (ICV) computed with the write/read MAC secret, and, for a CBC block cipher, padding and the pad length; fragment, MAC and padding are encrypted with the write/read key

15 2. Transport-Layer Security
Key Generation
Master_secret = PRF(g^(xy) mod N, "master secret", Nc + Ns)
- g^(xy) mod N is the Diffie-Hellman shared secret (the pre-master secret); x and y are the DH exponents of the two sides
- Nc and Ns are the nonces (randoms) generated by the client and the server, respectively
- Master_secret is always 48 bytes
PRF(secret, label, seed) = P_hash(secret, label + seed)
P_hash(secret, seed) = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ... + HMAC(secret, A(n) + seed)
A(0) = seed
A(i) = HMAC(secret, A(i-1))

16 2. Transport-Layer Security
By default, the hash used in the HMAC is SHA-256 (32-byte output), so two HMAC iterations are needed to generate the 48-byte master secret
Key generation: Key_block = PRF(Master_secret, "key expansion", Ns + Nc)
The key block is cut, in order, into: MAC client write key (Kmc), MAC server write key (Kms), client write key (Kwc), server write key (Kws), and the IVs (optional); each piece is truncated to the size the negotiated algorithm needs (for example a 16-byte cipher key)
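The PRF and key derivation of the two preceding slides carried through in code, as an added example (not code from the lecture). It also covers the two later uses of the same PRF: the record-layer MAC of slide 14 and the Finished verify_data of slide 18, and the key expansion it performs is exactly what the abbreviated handshake of slide 19 recomputes from a stored master secret with fresh nonces. The nonces, the DH exponents and the toy DH group are constructed for the example; the function names are the example's own, chosen after the RFC 5246 notation.

```python
"""TLS 1.2 PRF, master secret, key block, Finished verify_data and record MAC (RFC 5246)."""
import hmac
import hashlib
import struct

HASH = hashlib.sha256   # default TLS 1.2 PRF hash; 32-byte output


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash(secret, seed) = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    a = seed                                              # A(0) = seed
    out = b""
    while len(out) < length:
        a = hmac.new(secret, a, HASH).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, HASH).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_hash(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def prf_iterations(length: int) -> int:
    """HMAC rounds P_hash needs to produce `length` bytes (2 for the 48-byte master secret)."""
    return -(-length // HASH().digest_size)


def master_secret(pre_master: bytes, nc: bytes, ns: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret", Nc + Ns), always 48 bytes."""
    return prf(pre_master, b"master secret", nc + ns, 48)


def key_block(master: bytes, nc: bytes, ns: bytes, mac_len: int, key_len: int, iv_len: int) -> dict:
    """key_block = PRF(master_secret, "key expansion", Ns + Nc), cut into the six record keys.
    Note the seed order: server random first, the reverse of the master-secret derivation."""
    kb = prf(master, b"key expansion", ns + nc, 2 * (mac_len + key_len + iv_len))
    names = ["client_write_MAC_key", "server_write_MAC_key", "client_write_key",
             "server_write_key", "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = kb[pos:pos + size]
        pos += size
    return keys


def finished_verify_data(master: bytes, handshake_messages: bytes, client: bool) -> bytes:
    """Finished.verify_data = PRF(master, label, Hash(handshake_messages))[0:12]; this is what
    binds the whole handshake transcript to the master secret (session authentication)."""
    label = b"client finished" if client else b"server finished"
    return prf(master, label, HASH(handshake_messages).digest(), 12)


def record_mac(mac_key: bytes, seq_num: int, content_type: int, version: int, fragment: bytes) -> bytes:
    """Record-layer MAC: HMAC(MAC_write_key, seq_num || type || version || length || fragment).
    The implicit 64-bit sequence number is what stops replay and reordering of records."""
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(mac_key, header + fragment, HASH).digest()


# Constructed sample run. Toy DH group for illustration only: 2^127 - 1 is prime but far too
# small for real use; a real handshake uses a 2048-bit or larger group.
P, G = (1 << 127) - 1, 5
X = 0x1234567890ABCDEF1234567890ABCDEF     # client exponent (constructed)
Y = 0xFEDCBA0987654321FEDCBA0987654321     # server exponent (constructed)
CLIENT_PUB, SERVER_PUB = pow(G, X, P), pow(G, Y, P)
PRE_MASTER_CLIENT = pow(SERVER_PUB, X, P).to_bytes(16, "big")   # g^xy mod p, client side
PRE_MASTER_SERVER = pow(CLIENT_PUB, Y, P).to_bytes(16, "big")   # g^xy mod p, server side
NC = bytes(range(32))           # client random Nc (constructed)
NS = bytes(range(32, 64))       # server random Ns (constructed)
MASTER = master_secret(PRE_MASTER_CLIENT, NC, NS)
# Sizes for an AES-128-CBC / HMAC-SHA256 suite: 32-byte MAC keys, 16-byte cipher keys and IVs.
KEYS = key_block(MASTER, NC, NS, mac_len=32, key_len=16, iv_len=16)

if __name__ == "__main__":
    print("pre-master agrees on both sides:", PRE_MASTER_CLIENT == PRE_MASTER_SERVER)
    print("master secret (48 bytes):", MASTER.hex())
    print("PRF iterations for the master secret:", prf_iterations(48))
    for name, key in KEYS.items():
        print(f"{name:22s} {key.hex()}")
    print("client Finished verify_data:", finished_verify_data(MASTER, b"<handshake bytes>", True).hex())
```

Resuming a session reuses MASTER but never the keys: running key_block again with a fresh Nc and Ns gives a completely different key block, which is why the abbreviated handshake still exchanges nonces.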

17 2. Transport-Layer Security
Handshake protocol: client hello and server response phase (O+ = often; O- = less often)
Client -> Server: Client Hello: session ID, Nc, cipher suite list, compression algorithm list
Server -> Client: Server Hello: Ns, cipher suite, compression algorithm
Server -> Client: Server Certificate (O+)
Server -> Client: Key Exchange: signature (O+)
Server -> Client: Certificate request (O-)
Server -> Client: Server Hello Done (O+)

18 2. Transport-Layer Security
Client response and change-cipher-specification phase
Client -> Server: Client Certificate (O-)
Client -> Server: Key exchange
Client -> Server: Certificate verify: signature (O-)
Client -> Server: Change cipher specification
Client -> Server: Finished: session authentication
Server -> Client: Change cipher specification
Server -> Client: Finished: session authentication
Application Data in both directions

19 2. Transport-Layer Security
The handshake protocol allows quick setup of a new TLS connection using the master secret of an old session (session resumption)
The master secret is allowed to be kept for 24 hours
Client -> Server: Client Hello: session ID, Nc
Server -> Client: Server Hello: Ns (server generates keys from the stored master secret and the new nonces)
Client generates keys the same way
Server -> Client: Change cipher spec, Finished
Client -> Server: Change cipher spec, Finished
Data

20 2. Transport-Layer Security
Change Cipher Spec Protocol: invokes the transition from the pending states to the current states
[Figure: each side holds pending states with the newly negotiated keys (client write: Kmc, Kwc; server write: Kms, Kws); sending ChangeCipherSpec makes the sender's pending write state current, receiving it makes the receiver's pending read state current, and the Finished handshake message that follows is the first message protected under the new current state]

21 2. Transport-Layer Security
Alert Protocol
Alert messages convey the severity of the message and a description of the alert
Alert levels: warning or fatal
Alert messages with a level of fatal result in the immediate termination of the connection
Alert types:
- Close notification
- Error alerts

22 2. Transport-Layer Security
SSL (TLS) VPN: a tunnel interface (tun0) is used to support the secure tunnel connection
[Figure: the user's web browser opens a TLS connection (TLS handshake protocol) to the SSL-VPN web server and downloads the SSL-VPN client; the client creates tun0, application datagrams routed to tun0 are carried as TLS-protected datagrams over TCP/UDP and IP out of eth0 (outside), and the SSL-VPN server decapsulates them onto its own tun0 on the inside]

