4 What is a VPN? Short video about VPN from Teracom Training Institute.
5 What is a VPN?A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. (
13 VPN GatewaysVPN gateways can be categorized as Standalone or Integrated.Standalone VPNs incorporate purpose-built devices between - the source of data and WAN link or between the modem and a data source in a remote office.Integrated implementations add VPN functionality to existing devices such as routers, firewalls.
14 Gateway SolutionsRouter based VPNs – adding encryption support to existing router(s) can keep the upgrade costs of VPN low.Firewall based VPNs – workable solution for small networks with low traffic volume.Software based VPNs – good solution for better understanding a VPN, software runs on existing servers and share resources with them
15 2 main VPN architectures: There are products based on IPSec and Point to Point Tunneling Protocol (PPTP) or L2TP (Layer 2 Tunneling Protocol)Although IP sec has become the de facto standard for LAN to LAN VPN’s, PPTP and L2TP are heavily used for single client to LAN connections.Therefore, many VPN products support IPSec, PPTP and L2TP.
16 Benefits of using VPNLower costs – remote access costs have reduced by 80 percent while LAN-to-LAN connectivity costs is reduced by percent.VPN provides low-cost alternative to backbone equipment, in-house terminal equipment and access modems.Connectivity Improvements – VPN based links are easy and inexpensive ways to meet changing business demands.
17 Benefits of VPNAnywhere anytime access – ubiquitous public internet offers transparent access to central corporate systems i.e. , directories, internal-external web-sites.VPN technology is improving rapidly and promises a bright future for data communication, its cost-effective, and high returns on investment will outweigh any skittishness in investing in new technology.
18 Disadvantages of VPNThe availability and performances of VPN networks are difficult to controlVPN speeds are much slower than those experienced with a traditional connectionVPN technologies from different creators may work poorly together. With time, this may improve. For now, however, this can cause frustration when implementing a VPN.One of the VPN's weakest links its users.When a remote telecommuter or an employee connects to his or her corporate office using a VPN from a laptop or home computer, security threats may result. This is because employees or telecommuters may use their personal computers for a variety of other applications in addition to connecting to the office via a VPN. As such, the corporate network may be vulnerable to attack because of security weaknesses on the employee's personal computer.
20 Tunneling Protocols What is tunneling IPSec PPP Point-to-Point Tunneling Protocol (PPTP)Layer 2 Tunneling Protocol (L2TP)Layer 2 Forwarding (L2F)
21 Tunneling ProtocolsA tunnel is a virtual path across a network that delivers packets that are encapsulated and possibly encrypted.A packet based on one protocol is wrapped, or encapsulated, in a second packet based on a different protocol
22 What is tunneling? Example of situation where Tunneling is used: An Ethernet network is connected to an FDDI backbone, that FDDI network does not understand the Ethernet frame formatTwo networks use IPX and need to communicate across the Internet
24 What is tunneling?Tunneling is the main ingredient to a VPN, tunneling is used by VPN to creates its connectionThree main tunneling protocols are used in VPN connections:PPTPL2TPIPSec
25 IPSec (Internet Protocol Security) Provides a method of setting up a secure channel for protected data exchange between two devices.More flexible and less expensive than end-to end and link encryption methods.Employed to establish virtual private networks (VPNs) among networks across the Internet.
26 IPSec (Internet Protocol Security) IPSec uses two basic security protocols:Authentication Header (AH): It is the authenticating protocolEncapsulating Security Payload (ESP): ESP is an authenticating and encrypting protocol that provide source authentication, confidentiality, and message integrity.
27 IPSec (Internet Protocol Security) IPSec can work in one of two modes:Transport mode, in which the payload of the message is protectedTunnel mode, in which the payload and the routing and header information are protected.
28 IPSec (Internet Protocol Security) CISSP Certification All in One Exam Guide pg 610
29 Point-to-Point Tunneling Protocol (PPTP) PPTP is a Microsoft protocol which allows remote users to set up a PPP connection to a local ISP and then create a secure VPN to their destination
30 Point-to-Point Tunneling Protocol (PPTP) CISSP Certification All in One Exam Guide pg 612
31 Point-to-Point Tunneling Protocol (PPTP) In PPTP, the PPP payload is encrypted with Microsoft Point-to-Point Encryption (MPPE) using MS-CHAP or EAP-TLS.The keys used in encrypting this data are generated during the authentication process between the user and the authentication server.
32 Point-to-Point Tunneling Protocol (PPTP) CISSP Certification All in One Exam Guide pg 613
33 Point-to-Point Tunneling Protocol (PPTP) One limitation of PPTP is that it can work only over IP networks, Other protocols must be used to move data over frame relay, X.25, and ATM links
34 Layer 2 Transport Protocol L2TP provides the functionality of PPTP, but it can work over networks other than just IPL2TP does not provide any encryption or authentication services.It needs to be combined with IPSec if encryption and authentication services are required.
35 Layer 2 Transport Protocol The processes that L2TP uses for encapsulation are similar to those used by PPTP
36 Layer 2 Transport Protocol PPTP can run only within IP networks.L2TP, on the can run within other protocols such as frame relay, X.25, and ATM.PPTP is an encryption protocol and L2TP is notL2TP supports TACACS+ and RADIUS, while PPTP does not.
37 Summary of tunneling Point-to-Point Tunneling Protocol (PPTP): Designed for client/server connectivitySets up a single point-to-point connection between two computersWorks at the data link layerTransmits over IP networks only
38 Summary of tunneling Layer 2 Tunneling Protocol (L2TP) Sets up a single point-to-point connection between two computersWorks at the data link layerTransmits over multiple types of networks, not just IPCombined with IPSec for security
39 Summary of tunneling IPSec: Handles multiple connections at the same timeProvides secure authentication and encryptionSupports only IP networks
42 AuthenticationWhat is authentication? The process of determining that you are whom you say you are. “It provides identification and authentication of the user who is attempting to access a network from a remote system.” (CISSP Certification all-in-one exam guide, pg. 614)
43 Authentication How does one get authenticated? By username/password, token, etc. validation.If valid, then the user is granted access.If not valid, no access is provided.
44 Password Authentication Protocol (PAP) Used by remote users to authenticate over PPP lines.Users enter username and password before Authentication.The password and the username are sent over the network to the authentication server.The username and password are compared to the database that is stored on the authentication server.If username and password matches access is granted. Else access is denied.
45 Password Authentication Protocol (PAP) PAP Authentication process
46 Password Authentication Protocol (PAP) Problem!!!!PAP is very insecure.Credentials are sent in cleartext. This limitation allows for a sniffer software to obtain you credentials.
47 Challenge Handshake Authentication Protocol (CHAP) Uses a challenge/response mechanism to authenticate the user instead of a password.A challenge is a random value that is encrypted with the use of a predefined password as an encryption key.
48 Challenge Handshake Authentication Protocol (CHAP) The authentication processThe host computer sends the authentication server a logon request.The server sends the user a random valued challenge.This challenge is encrypted with the use of a predefined password as an encryption key.The encrypted challenge value is returned to the server.
49 Challenge Handshake Authentication Protocol (CHAP) The Authentication process (con’t)The authentication server uses the predefined password as the encryption key to decrypt the challenge value.The Server compares the received value with the one stored in its database.If the results are the same, the server authenticates the user and grants access. Else, access will be denied.
50 Challenge Handshake Authentication Protocol (CHAP) Challenge Handshake Process
51 PAP vs CHAP PAP Sends credentials in cleartext during transmission Use has decreased because it does not provide a high level of securitySupported by most networks NSAsCHAPUsed the same way PAP is used but provides a higher degree of security.Authenticates using a challenge/response method.Used by remote users, routers, and NASs to provide authentication before providing connectivity.
52 Extensible Authentication Protocol (EAP) An authentication protocol which supports multiple authentication mechanisms.Used for PPP and 802.X connections.
53 Extensible Authentication Protocol (EAP) EAP support authentication schemes such as:Generic Token CardAn example is secure ID. D:\VPN\Token card.jpgOne Time Password (OTP)Message Digest 5 (MD5)-Challenge.Transport Layer Security (TLS) for smart card and digital certificate-based authenticationSecurID is a hardware token card product (or software emulation thereof) produced by RSA Security, which is used for end-user authentication.MD5 (Message-Digest algorithm 5) is a widely used, insecure cryptographic hash function with a 128-bit hash value.
54 Extensible Authentication Protocol (EAP) Authentication Process:Peers negotiate to perform EAP during the connection authentication phase.When the connection authentication phase is reached, the peers negotiate the use of a specific EAP authentication. (After Negotiation, the client and server exchange messages between themselves.Authentication messages consist of requests and responses.
55 Extensible Authentication Protocol (EAP) EAP Authentication Process (
57 Remote Access Guidelines Users should be identified and authenticated.Utilize a strong level of security for authentication/authorization.Users’ activities should be audited to ensure no malicious activity is taking place.Users’ privileges should be reviewed periodically.Security policies should be presented and available to all remote users.
58 References http://www.uniforum.chi.il.us/slides/baker-vpn/vpn.ppt ap/eap.mspxCISSP Certification All in One Exam Guide.