Presentation is loading. Please wait.

Presentation is loading. Please wait.

Guide to Network Defense and Countermeasures Third Edition

Published byColin Ray Modified over 8 years ago

Similar presentations

Presentation on theme: "Guide to Network Defense and Countermeasures Third Edition"— Presentation transcript:

1 Guide to Network Defense and Countermeasures Third Edition
Chapter 11 Virtual Private Network (VPN) Concepts

2 Objectives Explain basic VPN concepts Describe encapsulation in VPNs
Describe encryption in VPNs Describe authentication in VPNs Summarize the advantages and disadvantages of VPNs Guide to Network Defense and Countermeasures, Second Edition

3 Objectives (contd.) Explain design considerations for a VPN
Describe options for VPN configuration Explain how to set up VPNs with firewalls Explain how to adjust packet-filtering rules for VPNs Describe guidelines for auditing VPNs and VPN policies Guide to Network Defense and Countermeasures, Second Edition

4 Understanding VPN Concepts
Virtual Private Network (VPN) enables computers to Communicate securely over insecure channels Exchange private encrypted messages that others cannot decipher Guide to Network Defense and Countermeasures, Second Edition

5 What VPNs Are VPN Endpoints Virtual network connection
Uses the Internet to establish a secure connection Secure tunnel Extends an organization’s network Endpoints Specified computers, users, or network gateways Guide to Network Defense and Countermeasures, Second Edition

6 Guide to Network Defense and Countermeasures, Second Edition

7 Why Establish a VPN? Business incentives driving VPN adoption
VPNs are cost-effective VPNs provide secure connection for remote users Contractors Traveling employees Partners and suppliers VPN Components VPN server or host Configured to accept connections from clients VPN client or guest Endpoints connecting to a VPN Guide to Network Defense and Countermeasures, Second Edition

8 Why Establish a VPN? (continued)
VPN Components Tunnel Connection through which data is sent VPN protocols Sets of standardized communication settings Used to encrypt data sent along the VPN Types of VPNs Site-to-site VPN Gateway-to-gateway VPN Client-to-site VPN Remote access VPN Guide to Network Defense and Countermeasures, Second Edition

9 Why Establish a VPN? (continued)
Hardware versus software VPNs Hardware-based VPNs Connect one gateway to another Routers at each network gateway encrypt and decrypt packets VPN appliance Designed to serve as VPN endpoint Join multiple LANs Benefits Scalable Better security Guide to Network Defense and Countermeasures, Second Edition

10 Guide to Network Defense and Countermeasures, Second Edition

11 Guide to Network Defense and Countermeasures, Second Edition

12 Why Establish a VPN? (continued)
Hardware versus software VPNs (continued) Software-based VPNs Integrated with firewalls Appropriate when participating networks use different routers and firewalls Benefits More cost-effective Offer maximum flexibility Guide to Network Defense and Countermeasures, Second Edition

13 Guide to Network Defense and Countermeasures, Second Edition

14 Why Establish a VPN? (continued)
VPN combinations Combining VPN hardware with software adds layers of network security One useful combination is a VPN bundled with a firewall VPNs do not eliminate the need for firewalls Provide flexibility and versatility Guide to Network Defense and Countermeasures, Second Edition

15 Why Establish a VPN? (continued)
VPN combinations (continued) Points to consider when selecting VPNs Compatibility Scalability Security Cost Vendor support Guide to Network Defense and Countermeasures, Second Edition

16 VPN Core Activity 1: Encapsulation
Core set of activities Encapsulation Encryption Authentication Encloses a packet within another That has different IP source and destination Protects integrity of the data Guide to Network Defense and Countermeasures, Second Edition

17 Guide to Network Defense and Countermeasures, Second Edition

18 Understanding Tunneling Protocols
Point-to-Point Tunneling Protocol (PPTP) Used when you need to dial in to a server with a modem connection On a computer using an older OS version Encapsulates TCP/IP packets Header contains only information needed to route data from the VPN client to the server Uses Microsoft Point-to-Point Encryption (MPPE) Encrypt data that passes between the remote computer and the remote access server L2TP uses IPSec encryption More secure and widely supported Guide to Network Defense and Countermeasures, Second Edition

19 Understanding Tunneling Protocols (continued)
Layer 2 Tunneling Protocol (L2TP) Provides better security through IPSec IPSec enables L2TP to perform Authentication Encapsulation Encryption Guide to Network Defense and Countermeasures, Second Edition

20 Guide to Network Defense and Countermeasures, Second Edition

21 Understanding Tunneling Protocols (continued)
Secure Shell (SSH) Provides authentication and encryption Works with UNIX-based systems Versions for Windows are also available Uses public-key cryptography Socks V. 5 Provides proxy services for applications That do not usually support proxying Socks version 5 adds encrypted authentication and support for UDP Guide to Network Defense and Countermeasures, Second Edition

22 IPSec/IKE Internet Protocol Security (IPSec) Characteristics
Set of standard procedures Developed by the Internet Engineering Task Force (IETF) Enables secure communications on the Internet Characteristics Works at layer 3 Can encrypt an entire TCP/IP packet Originally developed for use with IPv6 Provides authentication of source and destination computers Guide to Network Defense and Countermeasures, Second Edition

23 IPSec/IKE (continued)
Widely supported Security Association (SA) Relationship between two or more entities Describes how they will use security services to communicate Used by IPSec to track all the particulars of a communication session SAs are unidirectional Guide to Network Defense and Countermeasures, Second Edition

24 IPSec/IKE (continued)
Components Internet Security Association Key Management Protocol (ISAKMP) Internet Key Exchange (IKE) Oakley IPSecurity Policy Management IPSec Driver IPSec core components Authentication Header (AH) Encapsulation Security Payload (ESP) Guide to Network Defense and Countermeasures, Second Edition

25 IPSec/IKE (continued)
Authentication Header (AH) Provides authentication of TCP/IP packets Ensures data integrity Packets are signed with a digital signature Adds a header calculated by the values in the datagram Creating a messages digest of the datagram AH in tunnel mode Authenticates the entire original header Places a new header at the front of the original packet AH in transport mode Authenticates the payload and the header Guide to Network Defense and Countermeasures, Second Edition

26 Guide to Network Defense and Countermeasures, Second Edition

27 Guide to Network Defense and Countermeasures, Second Edition

28 IPSec/IKE (continued)
Encapsulation Security Payload (ESP) Provides confidentiality for messages Encrypts different parts of a TCP/IP packet ESP in tunnel mode Encrypts both the header and data part of each packet Data cannot pass through a firewall using NAT ESP in transport mode Encrypts only data portion of the packet Data can pass through a firewall IPSec should be configured to work with transport mode Guide to Network Defense and Countermeasures, Second Edition

29 Guide to Network Defense and Countermeasures, Second Edition

30 VPN Core Activity 2: Encryption
Process of rendering information unreadable by all but the intended recipient Components Key Digital certificate Certification Authority (CA) Key exchange methods Symmetric cryptography Asymmetric cryptography Internet Key Exchange FWZ Guide to Network Defense and Countermeasures, Second Edition

31 Guide to Network Defense and Countermeasures, Second Edition

32 Encryption Schemes Used by VPNs
Triple Data Encryption Standard (3DES) Used by many VPN hardware and software 3DES is a variation on Data Encryption Standard (DES) DES is not secure 3DES is more secure Three separate 64-bit keys to process data 3DES requires more computer resources than DES Guide to Network Defense and Countermeasures, Second Edition

33 Guide to Network Defense and Countermeasures, Second Edition

34 Encryption Schemes Used by VPNs (continued)
Secure Sockets Layer (SSL) Developed by Netscape Communications Corporation Enables Web servers and browsers to exchange encrypted information Characteristics Uses public and private key encryption Uses sockets method of communication Operates at network layer (layer 3) of the OSI model Widely used on the Web Only supports data exchanged by Web-enabled applications Unlikely to replace IPSec Guide to Network Defense and Countermeasures, Second Edition

35 Encryption Schemes Used by VPNs (continued)
Secure Sockets Layer (SSL) (continued) Steps Client connects to Web server using SSL protocol Two machines arrange a “handshake” process Client sends its preferences for encryption method, SSL version number, and a randomly generated number Server responds with SSL version number, its own cipher preferences, and its digital certificate Client verifies date and other information on the digital certificate Client generates and send a “pre-master” code Guide to Network Defense and Countermeasures, Second Edition

36 Encryption Schemes Used by VPNs (continued)
Secure Sockets Layer (SSL) (continued) Steps Server uses its private key to decode pre-master code Generates a master secret key Client and server use it to generate session keys Server and client exchange messages saying handshake is completed SSL session begins Guide to Network Defense and Countermeasures, Second Edition

37 VPN Core Activity 3: Authentication
Identifying a user or computer as authorized to access and use network resources Types of authentication methods used in VPNs IPSec MS-CHAP Both computers exchange authentication packets and authenticate one another VPNs use digital certificates to authenticate users Guide to Network Defense and Countermeasures, Second Edition

38 Guide to Network Defense and Countermeasures, Second Edition

39 Advantages and Disadvantages of VPNs
Guide to Network Defense and Countermeasures, Second Edition

40 Designing a VPN Assess organization’s needs and goals
Type of business How many employees it has Infrastructure already in place Security required Enforce security on the client side of the VPN tunnel Most difficult aspect of the design process Guide to Network Defense and Countermeasures, Second Edition

41 Business Needs Business processes
Determine how you will implement a VPN strategy Careful analysis of the existing infrastructure Helps you integrate the VPN with minimal disruption VPNs can be classified as site-to-site or client-to-site Can offer cost-effective, secure connectivity Legal implications to failing to secure access to a remote network Guide to Network Defense and Countermeasures, Second Edition

42 Business Needs (continued)
Nature of the business What does it do? What product or service does it sell? Who are its customers? Cost is usually a key factor Narrows the choices of hardware and software Guide to Network Defense and Countermeasures, Second Edition

43 Business Needs (continued)
Nature of the business A secure VPN design should address: Secure connectivity Availability Authentication Secure management Reliability Scalability Performance Guide to Network Defense and Countermeasures, Second Edition

44 Client Security Several ways to increase VPN client security
Split tunneling Describes multiple paths One path goes to the VPN server and is secured Another unauthorized and unsecured path permits users to connect to the Internet While still connected to the corporate VPN Leaves the VPN server and internal LAN vulnerable to attack Guide to Network Defense and Countermeasures, Second Edition

45 Guide to Network Defense and Countermeasures, Second Edition

46 Guide to Network Defense and Countermeasures, Second Edition

47 Client Security (continued)
Planning VPN deployment Consider the existing infrastructure Make a network map Decide on the placement of VPN servers Research hardware and software to use Decide whether you need new hardware or software Sometimes you can reconfigure existing resources to support a VPN Develop a list of requirements When you meet a vendor so nothing is overlooked Follow security policy guidelines Guide to Network Defense and Countermeasures, Second Edition

48 VPN Topology Configurations
How components in a network are connected physically to one another Determines how gateways, networks, and clients are related to each other Corresponds to the basic physical and logical topologies of any network Guide to Network Defense and Countermeasures, Second Edition

49 VPN Topology Configurations (continued)
Mesh topology All participants in the VPN have Security Associations (SAs) with one another Types of mesh arrangements Full mesh Every subnetwork is connected to all other subnets in the VPN Complex to manage Partial mesh Any subnet in the VPN may or may not be connected to the other subnets Guide to Network Defense and Countermeasures, Second Edition

50 Guide to Network Defense and Countermeasures, Second Edition

51 VPN Topology Configurations (continued)
Star topology Also known as a hub-and-spoke configuration VPN gateway is the hub Networks that participate in the VPN are called rim subnetworks Separate SAs are made between the hubs of each rim subnetwork in the star configuration Central VPN router is at organization’s central office Any LANs or computers that want to participate need to connect only to the central server Guide to Network Defense and Countermeasures, Second Edition

52 Guide to Network Defense and Countermeasures, Second Edition

53 VPN Topology Configurations (continued)
Hybrid topology Combines two different network topologies Central core uses a mesh topology Mesh topologies tend to operate more efficiently Branch offices can be connected using a star topology Benefits from strengths of each topology Scalability (of the star topology) Speed (of the mesh configuration) Guide to Network Defense and Countermeasures, Second Edition

54 Guide to Network Defense and Countermeasures, Second Edition

55 Using VPNs with Firewalls
VPNs do not reduce the need for a firewall Always use a firewall as part of VPN security design Install VPN software on the firewall itself Firewall allows outbound access to the Internet Firewall prevents inbound access from the Internet VPN service encrypts traffic to remote clients or networks Guide to Network Defense and Countermeasures, Second Edition

56 Using VPNs with Firewalls (continued)
Install VPN software on the firewall itself Advantages Control all network access security from one server Fewer computers to manage Use the same tools for VPN and firewall Disadvantages Single point of failure Must configure routes carefully Internet access and VPN traffic compete for resources on the server Guide to Network Defense and Countermeasures, Second Edition

57 Guide to Network Defense and Countermeasures, Second Edition

58 Using VPNs with Firewalls (continued)
Set up VPN parallel to your firewall inside the DMZ Advantages No need to modify firewall settings to support VPN traffic Configuration scales more easily Can deal with congested servers Disadvantages VPN server is connected directly to the Internet If VPN server becomes compromised, attacker will have direct access to your internal network Cost of supporting a VPN increases with new servers Guide to Network Defense and Countermeasures, Second Edition

59 Guide to Network Defense and Countermeasures, Second Edition

60 Using VPNs with Firewalls (continued)
Set up VPN server behind the firewall connected to the internal network Advantages VPN server is completely protected from the Internet Firewall is the only device controlling access VPN traffic restrictions are configured on VPN server Disadvantages VPN traffic must travel through the firewall Firewall must handle VPN traffic Firewall might not know what to do with IP protocols other than ICMP, TCP, and UDP Guide to Network Defense and Countermeasures, Second Edition

61 Guide to Network Defense and Countermeasures, Second Edition

62 Adjusting Packet-Filtering Rules for VPNs
Perimeter firewall filters packets VPN sends or receives Packet filtering is based on header fields of inbound and outbound packets IP packet header fields used by packet filtering Source address Destination address Protocol identifier You can conduct packet filtering based on any or all of these header fields Guide to Network Defense and Countermeasures, Second Edition

63 PPTP Filters PPTP First widely supported VPN protocol
Supports legacy authentication methods Does not require PKI Might be only option when VPN connections pass through NAT PPTP uses two protocols TCP GRE Guide to Network Defense and Countermeasures, Second Edition

64 Guide to Network Defense and Countermeasures, Second Edition

65 L2TP and IPSec Filters Need to set up rules that permit IPSec traffic
IKE uses protocol ID 171 and UDP on port 500 ESP uses protocol ID 50 AH uses protocol ID 51 Guide to Network Defense and Countermeasures, Second Edition

66 Guide to Network Defense and Countermeasures, Second Edition

67 Auditing VPNs and VPN Policies
Auditing needed to make sure organizations have a well-define VPN policy Access policies define standards for connecting to the organization’s network Must be integrated with the security policy Policies should be defined for different levels of restrictions VPN endpoints are as vulnerable as internal network computers Endpoints should also use antivirus software and personal firewalls Guide to Network Defense and Countermeasures, Second Edition

68 Auditing VPNs and VPN Policies (continued)
Test each client that will connect to your LAN Helps prevent network threats You can standardize VPN client for remote users Third-party solutions Cisco Secure VPN Client Nokia VPN Client SonicWALL VPN Client Verify everything is working according to your policies Guide to Network Defense and Countermeasures, Second Edition

69 Summary Business nature helps determine your VPN requirements
Decide placement of VPN servers Research hardware and software to use Establish a VPN domain VPN configurations Single entry point configurations Multiple entry point configurations VPNs need to be used with firewalls Guide to Network Defense and Countermeasures, Second Edition

70 Summary (continued) Adjust packet-filtering rules
To allow PPTP, L2TP, and IPSec traffic Auditing VPNs and VPN policies After you have installed and configured your VPN Work with a knowledgeable remote user Helps determine a baseline for future auditing, testing, and troubleshooting Guide to Network Defense and Countermeasures, Second Edition

71 Summary VPNs do not make use of dedicated leased lines
VPNs send data through a secure tunnel that leads from one endpoint to another VPNs keep critical business communications private and secure VPN components VPN servers VPN clients Protocols Guide to Network Defense and Countermeasures, Second Edition

72 Summary (continued) VPN types
Site-to-site Client-to-site Encapsulation encloses one packet within another Conceals the original information VPN protocols Secure Shell (SSH) Socks version 5 Point-to-Point Tunneling Protocol (PPTP) Layer 2 Tunneling Protocol (L2TP) Guide to Network Defense and Countermeasures, Second Edition

73 Summary (continued) IPSec/IKE
Encryption makes the contents of the packet unreadable Authentication ensures participating computers are authorized users Kerberos: strong authentication system VPN advantages High level of security at low cost VPN disadvantages Can introduce serious security risks Guide to Network Defense and Countermeasures, Second Edition

Download ppt "Guide to Network Defense and Countermeasures Third Edition"

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Virtual Private Networks (VPNs)

Virtual Private Networks (VPNs)
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206) 217-7048

Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
11 Setting Up a Virtual Private Network

11 Setting Up a Virtual Private Network
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.

McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.
SCSC 455 Computer Security Virtual Private Network (VPN)

SCSC 455 Computer Security Virtual Private Network (VPN)
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.

Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 

Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
Virtual Private Networks and IPSec

Virtual Private Networks and IPSec
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Similar presentations

Ads by Google