Secure Network Communication (SNK)

Virtual Private Networks: Applications
Prof. Dr. Andreas Steffen © Zürcher Hochschule Winterthur

VPN Applications
  • Site-to-site VPNs
  • Remote access VPNs
  • NAT-traversal (IPsec over UDP)
  • Intranet VPNs
  • Extranet VPNs
Linux FreeS/WAN Security Gateway
  • Features
  • Directory structure
  • AES / 3DES encryption performance
Windows-based VPN Clients
  • Windows 2000/XP built-in IPsec stack
  • SSH Sentinel
  • SafeNet/SoftRemote
  • PGPvpn
Interoperability Issues

Site-to-site VPNs

[Figure: a "Road Warrior" VPN client reaches the Head Quarters over the Internet through a VPN tunnel; a second VPN tunnel connects the VPN Gateway of the Head Quarters (/16) with the VPN Gateway of the Subsidiary (/16).]

Remote Access VPNs

[Figure: a Road Warrior with a dynamic IP (55.66.x.x) builds an IPsec tunnel over the Internet to the VPN Gateway of the Home Network (/16) and is given a Virtual IP.]

• Road Warriors sign on to their home network via IKE with varying IP addresses assigned dynamically by the local ISP.
• Authentication is usually based on RSA public keys and X.509 certificates issued by the home network.
• The Virtual IP is assigned statically or dynamically by the home network. Remote hosts thus become part of an extruded net.

NAT-Traversal (IPsec over UDP)

• Internet Drafts: draft-ietf-ipsec-udp-encaps-04.txt, draft-ietf-ipsec-nat-t-ike-04.txt
• Supported by SSH Sentinel and Linux FreeS/WAN
• NAT box (e.g. ADSL modem) with IPsec-Passthrough: ESP and IKE from a single VPN client
• NAT box (e.g. ADSL modem) with NAT-Traversal: ESP encapsulated in UDP (port 4500); NAT-keepalive packets needed
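What a gateway (or a monitoring sensor in front of it) has to do with traffic on UDP port 4500 is easy to show in code: every datagram is either UDP-encapsulated ESP, an IKE message behind a four-zero-byte non-ESP marker, or a one-byte NAT-keepalive. The following Python is an added example, not code from the slides, from FreeS/WAN or from SSH Sentinel. It assumes the encapsulation format of RFC 3948, the published form of the UDP-encapsulation draft cited above, and the 20-second keepalive interval that RFC suggests; neither value is stated on the slide.

```python
"""Demultiplex UDP port 4500 (IPsec NAT-Traversal) into ESP, IKE and keepalive.

Added example (not from the slides or from any VPN product). Packet layout
follows RFC 3948, assumed to match draft-ietf-ipsec-udp-encaps-04.
"""
import struct
from dataclasses import dataclass
from typing import Optional

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # precedes IKE on port 4500; a real ESP SPI is never 0
KEEPALIVE_PAYLOAD = b"\xff"           # single-byte NAT-keepalive, silently dropped by the peer
IKE_HEADER_LEN = 28                   # ISAKMP header: 2x8 SPI, np, version, exchange, flags, msgid, length


@dataclass
class NatTPacket:
    kind: str                          # "esp", "ike" or "keepalive"
    spi: Optional[int] = None          # ESP SPI
    seq: Optional[int] = None          # ESP sequence number (input to anti-replay)
    ike_spi_i: Optional[bytes] = None  # IKE initiator cookie / SPI
    ike_exchange: Optional[int] = None # IKE exchange type byte


def classify_nat_t_payload(payload: bytes) -> NatTPacket:
    """Classify the UDP payload of one port-4500 datagram."""
    if payload == KEEPALIVE_PAYLOAD:
        return NatTPacket("keepalive")
    if len(payload) < 8:
        raise ValueError("payload too short for ESP (SPI + seq) or IKE")
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            raise ValueError("truncated IKE header behind non-ESP marker")
        spi_i, _spi_r, _np, _ver, exchange, _flags, _msgid, length = struct.unpack(
            "!8s8sBBBBII", ike[:IKE_HEADER_LEN])
        if length != len(ike):
            raise ValueError(f"IKE length field {length} != {len(ike)} bytes on the wire")
        return NatTPacket("ike", ike_spi_i=spi_i, ike_exchange=exchange)
    # Anything else is ESP: the first 8 bytes are SPI and sequence number in the clear.
    spi, seq = struct.unpack("!II", payload[:8])
    return NatTPacket("esp", spi=spi, seq=seq)


def keepalive_due(last_sent: float, now: float, interval: float = 20.0) -> bool:
    """True when an idle NAT-T SA must send a keepalive to hold the NAT mapping open.

    The 20 s default is the RFC 3948 suggestion (assumption; the slide gives no value).
    """
    return now - last_sent >= interval


def sample_packets() -> dict:
    """Constructed sample datagrams, one of each kind (not captured traffic)."""
    esp = struct.pack("!II", 0x1A2B3C4D, 42) + bytes(16)  # SPI, seq, opaque ciphertext
    ike = NON_ESP_MARKER + struct.pack(
        "!8s8sBBBBII",
        b"\x01" * 8, bytes(8),  # initiator SPI set, responder SPI still zero (first message)
        1, 0x10, 2, 0, 0,       # next payload SA, IKEv1, identity-protection exchange, no flags
        IKE_HEADER_LEN)         # header-only message for the example
    return {"esp": esp, "ike": ike, "keepalive": KEEPALIVE_PAYLOAD}


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, classify_nat_t_payload(pkt))
```

The non-ESP marker is what lets one socket carry both protocols: a gateway that accepts anything on port 4500 as ESP would hand IKE messages to the ESP engine, and a sensor that does not know the marker will mis-count IKE negotiations as data traffic.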

Intranet VPNs

• Wireless VPN clients tunnel 100% of their IP traffic over the insecure air link using the peer network subnet mask /0.

[Figure: Wireless Intranet User with VPN Client, VPN Tunnel (/0) through the WLAN Access Point to the DMZ Interface of the VPN Gateway / Firewall, which connects to the Internet and to the Private Intranet with its Intranet Server.]

Campus Deployment

[Figures: "IPsec throughput at VPN gateway"; "Active VPN tunnels"]

• 44 WLAN access points, 1 Linux VPN gateway
• 202 active and 88 revoked X.509 certificates
• FreeS/WAN Linux clients / SSH Sentinel Windows clients
• Further information:

Extranet VPNs

[Figure: Customer VPN Client and Customer Access on the Internet; VPN Tunnel to the VPN Gateway of the Private Network; second VPN Tunnel between that gateway and the VPN Gateway of the Partner Network / Partner Access.]

• Network access must be partitioned and tightly controlled
• Flexible and dynamic setup of Extranet VPN connections
• Extranet VPN spans multiple administrative trust domains

Linux FreeS/WAN Security Gateway

Features

• Available from /
• OpenSource IPsec stack for Linux 2.2 and 2.4 kernels
• X.509 certificate support developed by ZHW !!!
• Easy installation via RedHat/SuSE/Debian/Mandrake RPMs
• Number of VPN tunnels is limited by hardware resources only.
• Linux FreeS/WAN can also be used as a VPN client
• Road Warrior and Virtual IP support using X.509 certificates:

    conn road-warrior
        right=%any
        rightrsasigkey=%cert
        rightsubnetwithin= /16
        left=%defaultroute
        leftsubnet= /16
        leftcert=gwCert.pem
        auto=add

• Simple configuration

[Figure: left / right / leftsubnet / gwCert / %cert]

Directory Structure

    /etc
        ipsec.conf
        ipsec.secrets
        ipsec.d/
            cacerts/
                cacert.pem
            crls/
                crl.pem
            private/
                gwKey.pem
            certs/
                gwCert.pem

    root read access only!
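The "root read access only!" rule is the one item in this layout that silently fails: a private key or secrets file that is group- or world-readable still works, so nothing in the gateway's normal operation will ever complain. The following Python is an added example, not FreeS/WAN code or a script from the slides; it audits a configuration root laid out like the tree above. It assumes that the root-only rule covers ipsec.secrets and everything under ipsec.d/private, that the public material (ipsec.conf, cacerts, certs, crls) only has to exist, and it builds a constructed copy of the tree in a temporary directory, with one deliberately wrong file mode, so it can run offline.

```python
"""Audit a FreeS/WAN-style configuration tree for secrets readable by non-root.

Added example (not from the slides or from FreeS/WAN). Assumption: the
"root read access only!" note applies to ipsec.secrets and ipsec.d/private.
"""
import os
import stat
import tempfile
from pathlib import Path

# Relative to the configuration root (/etc on the slide).
SECRET_PATHS = ["ipsec.secrets", "ipsec.d/private"]
PUBLIC_PATHS = ["ipsec.conf", "ipsec.d/cacerts", "ipsec.d/certs", "ipsec.d/crls"]


def audit_ipsec_tree(root, expected_uid: int = 0) -> list:
    """Return a list of findings (empty list = tree is as the slide requires).

    Secret paths, and every file below them, must be owned by expected_uid
    (root = 0 by default) and carry no group/other permission bits at all.
    """
    root = Path(root)
    findings = []
    for rel in PUBLIC_PATHS:
        if not (root / rel).exists():
            findings.append(f"{rel}: missing")
    for rel in SECRET_PATHS:
        top = root / rel
        if not top.exists():
            findings.append(f"{rel}: missing")
            continue
        nodes = [top] + (list(top.rglob("*")) if top.is_dir() else [])
        for node in nodes:
            st = node.lstat()                       # lstat: do not follow symlinks out of the tree
            name = node.relative_to(root).as_posix()
            if st.st_uid != expected_uid:
                findings.append(f"{name}: owned by uid {st.st_uid}, expected {expected_uid}")
            if st.st_mode & 0o077:                  # any group/other bit set
                findings.append(f"{name}: mode {stat.filemode(st.st_mode)} grants group/other access")
    return findings


def build_demo_tree() -> Path:
    """Constructed sample tree mirroring the slide; gwKey.pem is deliberately 0644."""
    root = Path(tempfile.mkdtemp(prefix="ipsec-demo-"))
    for d in ["ipsec.d/cacerts", "ipsec.d/crls", "ipsec.d/private", "ipsec.d/certs"]:
        (root / d).mkdir(parents=True)
    modes = {
        "ipsec.conf": 0o644,
        "ipsec.secrets": 0o600,
        "ipsec.d/cacerts/cacert.pem": 0o644,
        "ipsec.d/crls/crl.pem": 0o644,
        "ipsec.d/private/gwKey.pem": 0o644,   # the mistake the audit should catch
        "ipsec.d/certs/gwCert.pem": 0o644,
    }
    for rel, mode in modes.items():
        p = root / rel
        p.write_text(f"# constructed placeholder for {rel}\n")
        p.chmod(mode)
    (root / "ipsec.d/private").chmod(0o700)
    return root


def audit_demo() -> list:
    """Build the constructed tree and audit it against the current user (not root in a demo)."""
    return audit_ipsec_tree(build_demo_tree(), expected_uid=os.getuid())


if __name__ == "__main__":
    for finding in audit_demo():
        print(finding)
```

On a real gateway the call is `audit_ipsec_tree("/etc")` with the default `expected_uid=0`; the demo passes the current uid only because the constructed tree is created by whoever runs the script.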

AES / 3DES Encryption Performance

On Oct , the symmetric block cipher Rijndael, invented by the Belgian researchers J. Daemen and V. Rijmen, was declared the new Advanced Encryption Standard (AES) by NIST. One year later, on Nov , AES was officially published as the U.S. Federal Information Processing Standard FIPS PUB 197.

AES works on a block size of 128 bits and can be used with key lengths of 128, 192 or 256 bits. AES is much faster than its predecessor 3DES. A 1 GHz Pentium III processor running under a Linux 2.4 kernel achieves the following constant IPsec throughput:

    3DES: MHz / 25 = 40 Mbit/s
    AES:  MHz / 11 = 91 Mbit/s (can saturate a Fast Ethernet link)

SSH Sentinel and PGPvpn have built-in AES support. AES patch for Linux FreeS/WAN:

Windows-based VPN Clients

Windows 2000/XP Built-in IPsec Stack

• Windows 2000/XP comes with a built-in IPsec stack
• Configuration via the mmc management console is tiresome!
• OpenSource tool from loads a text-based configuration directly into the Windows registry:

    conn client-gateway
        left=%any                 # insert client IP
        right=                    # gateway IP
        rightsubnet= /16          # home network
        rightca="C=CH,O=strongSec GmbH, CN=strongSec CA"
        network=lan               # lan/ras/auto
        auto=start

• WLAN clients can tunnel whole IP traffic to the VPN gateway:

    conn wlan-gateway
        rightsubnet=*
        ...

• 3DES encryption only. Virtual IP not supported.

SSH Sentinel

• Available from
• Free for non-commercial use.
• Runs on all Windows platforms: Win 95/98/ME/NT/2000/XP
• Features
  - Encryption algorithms: AES, 3DES, Twofish, Blowfish, CAST
  - Virtual IP support: static, DHCP-over-IPsec, IPsec config mode
  - NAT-Traversal (IPsec over UDP)
  - WLAN clients: supports tunneling of /0
  - Personal firewall included: pre- and post-IPsec packet filters
  - Easy configuration via GUI

SafeNet/SoftRemote

• Simple and straightforward configuration
• 3DES encryption only
• Comes with personal firewall (Zone Alarm)

PGPvpn

• Freeware Version PGP: IPsec transport mode only; OpenPGP certificates or pre-shared keys only
• Professional Version PGP Desktop Security: IPsec tunnel mode; X.509 certificates; with personal firewall
• Network Associates (NAI) closed down PGP Security Inc. last year. PGP Corporation, founded with venture capital, bought back the intellectual property rights from NAI in June 2002. PGP 8.0 for Windows and Macintosh was released in December 2002.

Interoperability Issues

• IPsec using IKE has become a mature technology, but a large amount of fine-tuning is still needed to achieve interoperability.
• The Interoperability Tests at the IPsec 2001 Global Summit in Paris have shown that, with authentication based on X.509 certificates, a full mesh among the following VPN gateways can be established:
  Linux FreeS/WAN, OpenBSD, NetScreen, Cisco IOS/PIX/VPN3000, Nortel Contivity, 6WIND (IPv6), Netcelo, Netasq
• Interoperability with other VPN products has been reported: Checkpoint VPN-1, BinTec Router
• Many low-end VPN products support pre-shared keys only: Symantec Firewall/VPN Appliance, ZyWall, SonicWall (basic version)

