1. Network Security Philadelphia UniversitylAhmad Al-Ghoul 2010-20111 Module 12 Module 12 Virtual Private Networks  MModified by :Ahmad Al Ghoul  PPhiladelphia University  FFaculty Of Administrative & Financial Sciences  BBusiness Networking & System Management Department  RRoom Number 32406  EE-mail Address: ahmad4_2_69@hotmail.com

2. Network Security Philadelphia UniversitylAhmad Al-Ghoul 2010-20112 Contents  Relation to SSL & SSH  Virtual Private Network  Three Types of VPNs  The Concept of Tunneling  General IPTunneling  Look at the stack  GRE & PPTP  Generic Routing Encapsulation  PPTP  Ipsec  Encapsulating Security Payload

3. Network Security Philadelphia UniversitylAhmad Al-Ghoul 2010-20113 Relation to SSL & SSH  Recall SSL is the secure socket layer –It provides an encrypted and authenticated TCP connection between a client and a server. –It does not hide your network because you still use standard IP visible to all.

4. Network Security Philadelphia UniversitylAhmad Al-Ghoul 2010-20114 Virtual Private Network  Why? –Institutions are distribted –They need to protect themselves –Old Days Buy your own phone lines and build a physically private network. –VPN Use the internet as a “carrier” of your private traffic.

5. Network Security Philadelphia UniversitylAhmad Al-Ghoul 2010-20115 Three Types of VPNs  Remote access –A company uses a dial-up system to allow remote workers to connect and establish secure connections to the company network  Site-to-site –Intranet Connect two different, but remote LANS to form a single network –Extranet Two different companies want to establish a private connection

6. Network Security Philadelphia UniversitylAhmad Al-Ghoul 2010-20116 Reasons and Requirements  Typical Reasons for wanting a VPN –Extend geographic connectivity –Improve security –Reduce operational costs versus traditional WAN –Improve productivity –Simplify network topology –Provide global networking opportunities –Provide telecommuter support  Requirements for a Good VPN –Security –Reliability –Scalability –Network management –Policy management

7. Network Security Philadelphia UniversitylAhmad Al-Ghoul 2010-20117 The Concept of Tunneling  tunneling - the process of placing an entire packet within another packet and sending it over a network.  Tunneling requires three different protocols: –Carrier protocol: The protocol used by the network that the information is traveling over –Encapsulating protocol: The protocol (GRE, IPSec, L2F, PPTP, L2TP) that is wrapped around the original data –Passenger protocol: The original data (IPX, NetBeui, IP) being carried

8. Network Security Philadelphia UniversitylAhmad Al-Ghoul 2010-20118 Tunneling  Key idea: allow packets to move from one point to another point without being directly touched by internet routers 1. Passenger packet goes to gateway 3. Internet (carrier protocol) 2. Gateway wraps passenger with Encapsulation protocol 4. Passenger unwrapped and sent on its way

9. Network Security Philadelphia UniversitylAhmad Al-Ghoul 2010-20119 General IPTunneling R1 Internet 124.32.45.3121.101.27.42 R1 Network 1 Network 2 Host 10.0.2.22 Host 10.0.1.15 To: 10.0.2.22 From: 10.0.1.15 IP payload To: 10.0.2.22 From: 10.0.1.15 IP payload To: 10.0.2.22 From: 10.0.1.15 IP payload To: 121.101.27.42 From: 124.32.45.3 IP Payload

10. Network Security Philadelphia UniversitylAhmad Al-Ghoul 2010-201110 Look at the stack  Tunneling can layer a complete stack and address space on top of the existing one! –Almost exactly what we did with our XKernel which was tunneled over the regular IP stack. –For Site-to-Site use Generic Routing Encapsulation (GRE) IPsec –For remote access PPTP (point-to-point tunneling protocol) L2TP (layer 2 tunneling protocol) Ethernet or PPP or … IP GRE encrypt IP TCP application IPsec

11. Network Security Philadelphia UniversitylAhmad Al-Ghoul 2010-201111 GRE & PPTP  GRE –Very simple encapsulation frame that tells you what type of thing is encapsulated, a sequence number and an ack number.  PPTP –Protocol that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself.

12. Network Security Philadelphia UniversitylAhmad Al-Ghoul 2010-201112 Generic Routing Encapsulation  Runs over IP at port 47.  It is a protocol for wrapping other protocols. Protocol Family protocol type Reserved 0000 SNA 0004 OSI network layer 00FE XNS 0600 IP 0800 Chaos 0804 Frame Relay ARP 0808 VINES 0BAD DECnet (Phase IV) 6003 Transparent Ethernet Bridging 6558 Raw Frame Relay 6559 Apollo Domain 8019 Ethertalk (Appletalk) 809B Novell IPX 8137 RFC 1144 TCP/IP compression 876B IP Autonomous Systems 876C protocol checksumoffset key Sequence number Routing information data

13. Network Security Philadelphia UniversitylAhmad Al-Ghoul 2010-201113 PPTP  For a dial-up client –First establish a PPP connection to the server –Set up a TCP connection on port 1723 for control messages Session management command-replies Handles calls and keep-alive messages –Over the PPP one runs IP and TCP.  In other cases use existing IP level.

14. Network Security Philadelphia UniversitylAhmad Al-Ghoul 2010-201114 PPTP data packets  The carrier network delivers GRE packets –Sliding window used to provide flow control  GRE packet contains a PPP packet.  PPP has an encryption protocol that is used to encrypt the contents of each frame.  The content frame is the tunneled IP packet. Carrier IP packet GRE packet PPP packet IP packet

15. Network Security Philadelphia UniversitylAhmad Al-Ghoul 2010-201115 IPsec  A General Framework for IP security –NOTE: SSL is at the TCP level –IPSec is designed to be at the IP level  Two Components –Two protocols for security A header for authentication (AH) A header for secure encapsulation (ESP) –Internet Security Assoc. and Key Mgmt Protocl  A Security Association (SA) is a one way connection between two hosts/routers that is based on a choice of AH/ESP and Key protocol.

16. Network Security Philadelphia UniversitylAhmad Al-Ghoul 2010-201116 IPSec Authentication NextHdrPayload lengthreserved SPI ( security paramenter index – identifies the sec. Assoc.) Sequence no Authentication Data

17. Network Security Philadelphia UniversitylAhmad Al-Ghoul 2010-201117 IPSec Authentication NOTE: The authentication data is the cryptographic signature of this packet. It is not authentication of source identity  NextHdr is a pointer to the end of this packet.  SPI is an identifier which in combination with the IP address of the packet completely identifies the secruity association.  Sequence number prevents “replay attacks”

18. Network Security Philadelphia UniversitylAhmad Al-Ghoul 2010-201118 Encapsulating Security Payload  This follows IP header (both v4 and v6) and before the encripted payload. –The payload data is often part of an “initialization vector” for the encrypted payload that follows  provides –confidentiality (encryption), data origin authentication, integrity, optional anti-replay service NextHdrPad length SPI ( security paramenter index – identifies the sec. Assoc.) Sequence no Authentication Data Up to 256 bytes of Playload data (Initialization Vector)