1 CN8814: Network Security. Virtual Private Networks (VPN): Generic Routing Encapsulation (GRE), TLS (SSL-VPN)

2 Virtual Private Networks (VPN), CN8816: Network Security
1. Generic Routing Encapsulation (GRE)
Tunneling: the original packet is encapsulated behind a delivery header.
- The addresses in the delivery header are the addresses of the head-end and the tail-end of the tunnel, not of the end hosts.
Figure: two private network sites, 10.1.0.0/16 and 10.2.0.0/16, are joined across a public network by a GRE tunnel whose endpoints are 20.1.1.1 and 30.1.1.1. A packet from 10.1.1.1 to 10.2.1.1 crosses the public network as 20.1.1.1 -> 30.1.1.1 [GRE] [10.1.1.1 -> 10.2.1.1]; the public network routes on the delivery header only.

3 1. Generic Routing Encapsulation (GRE)
Structure of a GRE encapsulated packet (figure): delivery header (IP, protocol 47) | GRE header | payload packet (the original IP packet, carried unchanged).

4 1. Generic Routing Encapsulation (GRE)
IP access to the tunnel is through the tunnel interface.
Figure: each gateway has a physical interface serial 0/0 toward the Internet (20.1.1.1 on the left gateway, 30.1.1.1 on the right), an interface e0 toward its customer site (10.1.0.0/16 and 10.2.0.0/16) and a virtual interface tunnel 0. To IP, tunnel 0 is an ordinary interface: a packet 10.1.1.1 -> 10.2.1.1 is routed into tunnel 0 and leaves serial 0/0 as 20.1.1.1 -> 30.1.1.1 [GRE] [10.1.1.1 -> 10.2.1.1].

5 1. Generic Routing Encapsulation (GRE)
Tunneling mechanism at IP: outbound traffic (figure, steps (1) to (9) at R1)
Routing table of R1:
  10.1.0.0/16   e0
  20.1.1.0/30   s0 (the connected subnet of s0, address 20.1.1.1)
  10.2.0.0/16   tunnel0
  0.0.0.0/0     s0
- A packet 10.1.1.1 -> 10.2.1.1 arrives on e0; the first lookup matches 10.2.0.0/16 via tunnel0.
- The tunnel interface adds the GRE header and the delivery header 20.1.1.1 -> 30.1.1.1 (tunnel source and tunnel destination).
- The encapsulated packet is looked up again as an ordinary IP packet: the outer destination 30.1.1.1 matches only the default route, so it leaves on s0 as 20.1.1.1 -> 30.1.1.1 [10.1.1.1 -> 10.2.1.1].

6 1. Generic Routing Encapsulation (GRE)
Inbound traffic (figure, steps (1) to (8) at R2)
Routing table of R2:
  10.2.0.0/16   e0
  30.1.1.0/30   s0 (the connected subnet of s0, address 30.1.1.1)
  10.1.0.0/16   tunnel0
  0.0.0.0/0     s0
- The packet 20.1.1.1 -> 30.1.1.1 [10.1.1.1 -> 10.2.1.1] arrives on s0; its destination is the router's own address and its protocol is GRE, so it is handed to tunnel0 instead of being forwarded.
- tunnel0 strips the delivery and GRE headers and delivers the inner packet 10.1.1.1 -> 10.2.1.1 to IP as if it had been received on that interface.
- The inner packet is looked up: 10.2.0.0/16 matches e0, and it is forwarded into the site.

7 1. Generic Routing Encapsulation (GRE)
Example (both routers use "ip unnumbered s0", so tunnel0 borrows the address of s0):
R1:
  interface tunnel0
   ip unnumbered s0
   tunnel source s0
   tunnel destination 30.1.1.1
  !
  ip route 10.2.0.0 255.255.0.0 tunnel0
R2:
  interface tunnel0
   ip unnumbered s0
   tunnel source s0
   tunnel destination 20.1.1.1
  !
  ip route 10.1.0.0 255.255.0.0 tunnel0
Resulting routing table of R1:
  10.1.0.0/16   e0
  20.1.1.0/30   s0
  10.2.0.0/16   tunnel0
  0.0.0.0/0     s0
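Added example (not part of the slides): the encapsulation of slides 2 to 7 in Python. It builds the packet the figures show, 10.1.1.1 -> 10.2.1.1 carried behind a delivery header 20.1.1.1 -> 30.1.1.1 and a basic GRE header, and parses it back the way the tail-end gateway does before routing the inner packet. The UDP datagram inside is constructed for the demonstration; the header layouts are those of RFC 791 and RFC 2784.

```python
# Added example, not from the slides: GRE-in-IPv4 encapsulation and decapsulation.
# Addresses are the slides' own; the UDP payload is constructed for the demo.
import ipaddress
import struct

GRE_PROTO = 47              # IP protocol number of GRE in the delivery header
ETHERTYPE_IPV4 = 0x0800     # GRE "protocol type" of an IPv4 payload (RFC 2784)
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; over a valid header (csum included) it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options (version 4, IHL 5)."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Prepend the basic 4-byte GRE header (C=0, version 0) and the delivery header."""
    gre_hdr = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    delivery = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre_hdr) + len(inner_packet))
    return delivery + gre_hdr + inner_packet


def parse_ipv4(pkt: bytes) -> dict:
    """Validate an IPv4 header and return its fields plus the payload it delimits."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("malformed IPv4 packet")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def gre_decapsulate(pkt: bytes):
    """Return (delivery header fields, inner packet fields) of a GRE-in-IPv4 packet."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != GRE_PROTO:
        raise ValueError("delivery header protocol is not GRE")
    gre = outer["payload"]
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto_type = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:                       # Ver bits must be 0 (RFC 2784)
        raise ValueError("unsupported GRE version")
    hdr_len = 8 if flags & 0x8000 else 4     # C bit: Checksum/Reserved1 word present (not verified here)
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE payload type 0x%04x" % proto_type)
    return outer, parse_ipv4(gre[hdr_len:])


def is_valid_gre(pkt: bytes) -> bool:
    try:
        gre_decapsulate(pkt)
        return True
    except ValueError:
        return False


SAMPLE_PAYLOAD = b"hello site 2"   # constructed application data


def build_example() -> bytes:
    """Host 10.1.1.1 sends a UDP datagram to 10.2.1.1; R1 tunnels it from 20.1.1.1 to 30.1.1.1."""
    udp = struct.pack("!HHHH", 40000, 5000, 8 + len(SAMPLE_PAYLOAD), 0) + SAMPLE_PAYLOAD
    inner = ipv4_header("10.1.1.1", "10.2.1.1", 17, len(udp)) + udp
    return gre_encapsulate(inner, "20.1.1.1", "30.1.1.1")


if __name__ == "__main__":
    outer, inner = gre_decapsulate(build_example())
    print("delivery:", outer["src"], "->", outer["dst"], "proto", outer["proto"])
    print("inner:   ", inner["src"], "->", inner["dst"], "proto", inner["proto"])
```

Note what the parser does not and cannot check: nothing in the delivery or GRE header authenticates the head-end. Any host that can reach 30.1.1.1 can send a GRE packet with a forged source 20.1.1.1 and have the inner packet injected into 10.2.0.0/16, which is why the IPsec slides below put IPsec under GRE.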

8 1. Generic Routing Encapsulation (GRE)
GRE tunneling with routing (figure): because tunnel0 is an interface like any other, a routing protocol can run across it. The two gateways exchange routing updates (the subnets of 10.0.0.0/8) through the tunnel, so a new subnet at either site is learned without adding static routes.

9 3. IP Security (IPsec)
IPsec and dynamic routing
- With IPsec on its own (crypto-map style) the protected traffic must be pre-defined: the security policy lists the address pairs to protect.
- There is no tunnel interface to run a routing protocol over, so IPsec in this form only works with static routing.
Figure: the IPsec tunnel is set up for the traffic between 10.1.0.0/16 and 10.2.0.0/16. When a new site 10.3.0.0/16 is added behind the far gateway, the tunnel does not carry traffic to it until the policy is changed by hand.

10 3. IP Security (IPsec)
IPsec/GRE
- GRE defines the tunnel interface (tunnel0).
- IPsec in transport mode provides the security: the policy protects GRE (protocol 47) between 20.1.1.1 and 30.1.1.1, so the delivery header stays in the clear while the GRE header and the inner packet are protected.
Figure: routing table: 10.1.0.0/16 inside; 30.0.0.0/8 outside; 10.2.0.0/16 tunnel0; 10.3.0.0/16 tunnel0. Steps (1) to (3): a packet 10.1.1.1 -> 10.2.1.1 (or 10.1.1.1 -> 10.3.1.1, the new site learned through the tunnel) is routed to tunnel0 and GRE-encapsulated with delivery header 20.1.1.1 -> 30.1.1.1. Steps (4) to (6): the GRE packet matches the IPsec policy and leaves the outside interface as an IPsec-protected packet 20.1.1.1 -> 30.1.1.1. One IPsec policy covers every subnet routed into the tunnel.

11 3. IP Security (IPsec)
Virtual Tunnel Interface (VTI)
- Provides the secure tunnel by associating the virtual interface tunnel0 directly with IPsec: there is no GRE header, IPsec tunnel mode encapsulates the inner packet itself.
Figure: routing table: 10.1.0.0/16 inside; 30.0.0.0/8 outside; 10.2.0.0/16 tunnel0; 10.3.0.0/16 tunnel0. A packet 10.1.1.1 -> 10.2.1.1 (or 10.1.1.1 -> 10.3.1.1) is routed to tunnel0 (steps (2) and (3)) and leaves the outside interface as an IPsec-protected packet 20.1.1.1 -> 30.1.1.1 (steps (4) to (6)). As with IPsec/GRE, the routing table decides what is protected, so dynamic routing works.

12 2. Transport-Layer Security (TLS)
TLS architecture: provides a secure connection between two application entities.
- Handshake protocol: authentication, cipher suite negotiation, key generation
- Record protocol: encryption, message integrity (MAC) and compression
- Alert protocol: error and alert reporting

13 2. Transport-Layer Security
TLS Record protocol
- Four connection states: the current read and write states, and the pending read and write states.
- Security parameters of a state:
  Connection end (client/server)
  Bulk encryption algorithm: type, key_size, ...
  MAC algorithm: hash_size
  Compression algorithm
  Master secret
  Client random, Nc
  Server random, Ns
- Keys derived from them: Client_MAC_Write, Server_MAC_Write, Client_Write_Key, Server_Write_Key, IVs

14 2. Transport-Layer Security
Messages are processed using the current read or write state.
Record layout (figure): Type | Version | Length | Fragment (compressed) | MAC (ICV) | Padding (for a CBC block cipher) | Pad length
- The MAC is computed with the write MAC secret of the sender (read MAC secret of the receiver); the fragment, MAC and padding are encrypted with the write/read key.

15 2. Transport-Layer Security
Key Generation
Master_secret = PRF(pre_master_secret, "master secret", Nc + Ns)
- With Diffie-Hellman key exchange the pre_master_secret is g^xy mod N, where x and y are the DH private values of the two sides
- Nc and Ns are the nonces (random values) generated by the client and the server, respectively
- Master_secret is always 48 bytes
PRF(secret, label, seed) = P_hash(secret, label + seed)
P_hash(secret, seed) = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ... + HMAC(secret, A(n) + seed)
A(0) = seed
A(i) = HMAC(secret, A(i-1))

16 2. Transport-Layer Security
- By default (TLS 1.2) the hash used in HMAC is SHA-256, so each P_hash iteration yields 32 bytes: two iterations are needed for the 48-byte master secret (64 bytes, truncated to 48).
Key generation
Key_block = PRF(Master_secret, "key expansion", Ns + Nc)
- Note the seed order: server random first, the opposite of the master secret computation.
Figure: the key block is cut into consecutive pieces, each of the size the cipher suite requires (16 bytes in the figure): MAC client write (Kmc), MAC server write (Kms), Client write key (Kwc), Server write key (Kws), IVs (optional).
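Added example (not from the slides): the derivation of slides 15 and 16 carried out in Python for TLS 1.2 with SHA-256, using the slides' symbols (Nc, Ns, g^xy mod N). The Diffie-Hellman group is a toy prime chosen only so the code runs offline and is an assumption, as are the nonces; the six key sizes in derive_session are those of a 128-bit AES-CBC suite with HMAC-SHA256.

```python
# Added example, not from the slides: TLS 1.2 PRF, master secret and key block (RFC 5246 5, 6.3, 8.1.2).
import hashlib
import hmac

# Toy DH group (assumption for the demo only): 2**127 - 1 is prime but far too small for real use.
TOY_P = (1 << 127) - 1
TOY_G = 2


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256(secret, seed) = HMAC(secret, A(1)+seed) + HMAC(secret, A(2)+seed) + ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)); the output is cut to `length` bytes."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac_sha256(secret, a)             # A(i)
        out += hmac_sha256(secret, a + seed)   # one more 32-byte block
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def dh_pre_master(my_private: int, peer_public: int) -> bytes:
    """pre_master_secret = g^xy mod N in the slides' notation.
    Leading zero bytes of the shared value are stripped (RFC 5246 8.1.2)."""
    z = pow(peer_public, my_private, TOY_P)
    return z.to_bytes((TOY_P.bit_length() + 7) // 8, "big").lstrip(b"\x00")


def master_secret(pre_master: bytes, nc: bytes, ns: bytes) -> bytes:
    """Always 48 bytes: two 32-byte P_SHA256 blocks, truncated. Seed order is Nc + Ns."""
    return prf(pre_master, b"master secret", nc + ns, 48)


def key_block(master: bytes, nc: bytes, ns: bytes, mac_len: int, key_len: int, iv_len: int) -> dict:
    """key_block = PRF(master_secret, "key expansion", Ns + Nc), cut into the six keys in order.
    The IV pieces are non-empty only for AEAD suites with an implicit nonce (RFC 5246 6.3)."""
    layout = [("client_write_MAC_key", mac_len), ("server_write_MAC_key", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    kb = prf(master, b"key expansion", ns + nc, sum(n for _, n in layout))
    keys, pos = {}, 0
    for name, n in layout:
        keys[name], pos = kb[pos:pos + n], pos + n
    return keys


def derive_session(x: int, y: int, nc: bytes, ns: bytes) -> dict:
    """Both sides of a DHE exchange (client private x, server private y) derive the same material."""
    client_pub, server_pub = pow(TOY_G, x, TOY_P), pow(TOY_G, y, TOY_P)
    pm_client = dh_pre_master(x, server_pub)
    pm_server = dh_pre_master(y, client_pub)
    if pm_client != pm_server:
        raise ValueError("DH shared secrets differ")
    ms = master_secret(pm_client, nc, ns)
    # Sizes for an AES_128_CBC_SHA256 suite: 32-byte HMAC-SHA256 keys, 16-byte AES keys, no IV.
    return {"pre_master": pm_client, "master_secret": ms, "keys": key_block(ms, nc, ns, 32, 16, 0)}


if __name__ == "__main__":
    # Constructed nonces; real clients and servers draw 32 random bytes each.
    s = derive_session(0x1234567, 0x89ABCDEF, b"\x11" * 32, b"\x22" * 32)
    print("master_secret:", s["master_secret"].hex())
    for name, k in s["keys"].items():
        print(name, k.hex())
```

The key_block helper is parametrised so the same code serves an AEAD suite (mac_len 0, iv_len 4 for AES-GCM) and shows why the CBC-suite figure has MAC keys but no IVs: in TLS 1.2 the CBC IV is sent explicitly in each record, so no IV is cut from the key block.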

17 2. Transport-Layer Security
Handshake protocol
Client hello and server response phase (Client -> Server, then Server -> Client):
  Client Hello: session ID, Nc, cipher suite list, compression algorithm list
  Server Hello: Ns, chosen cipher suite, chosen compression algorithm
  Server Certificate (O+)
  Server Key Exchange: signature over the ephemeral key-exchange parameters (O+)
  Certificate Request (O-)
  Server Hello Done (always sent in a full handshake)
O+ => often; O- => less often

18 2. Transport-Layer Security
Client response and change cipher specification phase
Client -> Server:
  Client Certificate (O-, only if requested)
  Client Key Exchange
  Certificate Verify: signature (O-, only with a client certificate)
  Change Cipher Spec
  Finished: session authentication (the first message protected with the new keys)
Server -> Client:
  Change Cipher Spec
  Finished: session authentication
Then Application Data flows in both directions.

19 2. Transport-Layer Security
Session resumption
- The handshake protocol allows quick setup of a new TLS connection using the master secret of an old session: only the key block is regenerated from the new Nc and Ns, and no certificate or key exchange messages are sent.
- The master secret is allowed to be kept for up to 24 hours (the recommended upper limit for the lifetime of a session ID).
Figure (abbreviated handshake):
  Client -> Server: Client Hello: session ID, Nc
  Server -> Client: Server Hello: Ns (same session ID), Change cipher spec, Finished
  Client -> Server: Change cipher spec, Finished
  Both sides generate the keys from the old master secret and the new nonces, then exchange Data.

20 2. Transport-Layer Security
Change Cipher Spec Protocol: invokes the transition from the pending states to the current states.
Figure (client on the left, server on the right):
  (1) After the key exchange each side places the negotiated keys (Kmc, Kwc for the client's write direction; Kms, Kws for the server's) in its pending states; the current states still use the null cipher.
  (2) The client sends ChangeCipherSpec and makes its pending write state current.
  (3) On receiving it, the server makes its pending read state current; the client's Finished (handshake protocol) is the first record protected with the new state, and the server checks it.
  (4) The server sends ChangeCipherSpec and makes its pending write state current.
  (5) On receiving it, the client makes its pending read state current.
  (6) The server's Finished is sent under the new state and checked by the client.
Between steps (2) and (4) the two directions are protected asymmetrically: the client's records are already protected while the server's are not yet.
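Added example (not from the slides): the state transitions of the figure on this slide, modelled for both endpoints in Python. The key bytes are constructed placeholders standing in for the key block of the previous slides and the cipher name is a label only; what the model shows is which direction is protected after each ChangeCipherSpec, and that a ChangeCipherSpec arriving before the key exchange has no pending state to promote.

```python
# Added example, not from the slides: the four connection states of a TLS endpoint and the
# transitions the Change Cipher Spec protocol drives (RFC 5246 6.1, 7.1).
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ConnState:
    cipher: str = "NULL"          # TLS_NULL_WITH_NULL_NULL until the first ChangeCipherSpec
    key: Optional[bytes] = None
    mac_key: Optional[bytes] = None
    seq: int = 0                  # record sequence number; restarts at 0 with each new state


@dataclass
class Endpoint:
    name: str                     # "client" or "server"
    current_read: ConnState = field(default_factory=ConnState)
    current_write: ConnState = field(default_factory=ConnState)
    pending_read: Optional[ConnState] = None
    pending_write: Optional[ConnState] = None

    def install_pending(self, cipher: str, keys: dict) -> None:
        """Step (1): after the key exchange the new keys go into the pending states only."""
        me, peer = ("client", "server") if self.name == "client" else ("server", "client")
        self.pending_write = ConnState(cipher, keys[me + "_write_key"], keys[me + "_write_MAC_key"])
        self.pending_read = ConnState(cipher, keys[peer + "_write_key"], keys[peer + "_write_MAC_key"])

    def send_change_cipher_spec(self) -> str:
        """Steps (2)/(4): sending CCS promotes the pending write state; the Finished that
        follows is the first record this side protects with the new keys."""
        if self.pending_write is None:
            raise RuntimeError(self.name + ": no pending write state, key exchange not done")
        self.current_write, self.pending_write = self.pending_write, None
        self.current_write.seq = 0
        return "ChangeCipherSpec"

    def receive_change_cipher_spec(self, msg: str) -> None:
        """Steps (3)/(5): receiving CCS promotes the pending read state."""
        if msg != "ChangeCipherSpec":
            raise ValueError("expected ChangeCipherSpec, got " + msg)
        if self.pending_read is None:
            raise RuntimeError(self.name + ": ChangeCipherSpec before key exchange completed")
        self.current_read, self.pending_read = self.pending_read, None
        self.current_read.seq = 0

    def ciphers(self) -> tuple:
        """(write cipher, read cipher) currently in force on this side."""
        return (self.current_write.cipher, self.current_read.cipher)


def sample_keys() -> dict:
    """Constructed placeholder keys standing in for a real key block."""
    return {"client_write_key": b"\x01" * 16, "server_write_key": b"\x02" * 16,
            "client_write_MAC_key": b"\x03" * 32, "server_write_MAC_key": b"\x04" * 32}


def run_change_cipher_spec(keys: dict, cipher: str = "AES_128_CBC_SHA256") -> dict:
    """Replay the figure: client CCS first, then server CCS; record both sides' ciphers after each."""
    client, server = Endpoint("client"), Endpoint("server")
    client.install_pending(cipher, keys)
    server.install_pending(cipher, keys)
    trace = {"before": (client.ciphers(), server.ciphers())}
    server.receive_change_cipher_spec(client.send_change_cipher_spec())   # steps (2), (3)
    trace["after_client_ccs"] = (client.ciphers(), server.ciphers())
    client.receive_change_cipher_spec(server.send_change_cipher_spec())   # steps (4), (5)
    trace["after_server_ccs"] = (client.ciphers(), server.ciphers())
    trace["keys_match"] = (server.current_read.key == client.current_write.key
                           and client.current_read.key == server.current_write.key)
    return trace


def ccs_without_key_exchange_is_rejected() -> bool:
    """A CCS that arrives with no pending state must not be acted on."""
    try:
        Endpoint("server").receive_change_cipher_spec("ChangeCipherSpec")
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    for step, states in run_change_cipher_spec(sample_keys()).items():
        print(step, states)
```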

21 2. Transport-Layer Security
Alert Protocol
- Alert messages convey the severity of the message and a description of the alert.
- Alert levels: warning or fatal.
- Alert messages with a level of fatal result in the immediate termination of the connection, and the session can no longer be resumed.
- Alert types: close notification; error alerts.

22 2. Transport-Layer Security
SSL (TLS) VPN
- A tunnel interface (tun0) is used to support the secure tunnel connection: on both the SSL-VPN client and the SSL-VPN web server, IP datagrams entering tun0 are protected by TLS and carried over TCP/UDP.
Figure (steps (1) to (20)): the web browser connects to the SSL-VPN web server and the TLS handshake protocol authenticates the server and sets up the keys (steps (1) to (4)); the SSL-VPN client is downloaded over that connection (step (5)); the client creates tun0 and routes the application's traffic for the inside network into it; each datagram entering tun0 is wrapped as a TLS-protected datagram and sent over TCP/UDP to the server's outside address; the server's tun0 unwraps it and forwards it toward the inside network; the return path is the reverse.
