Kingdom of Saudi Arabia, Ministry of Higher Education, Princess Nora Bint Abdul Rahman University, Faculty of Computer & Information Science, Networking and Communication Systems Department
Network Security Protocols NET 412D
TCP/IP security components VIRTUAL PRIVATE NETWORKS (VPN)
• Firewall protection, types of firewalls (packet filter, proxy server, stateful filter)
• Firewall architectures (dual-homed host, screened host)
• VPN
• Advantages of VPNs
• Types of VPNs
• Architecture of VPNs (Point-to-Point Tunneling Protocol, Layer 2 Forwarding)
• VPN models (NAS-initiated VPN, client-initiated VPN)
Traditional Connectivity (figure)
What is VPN? • A Virtual Private Network is a private network that uses a public telecommunication network, such as the Internet, instead of leased lines to communicate. • VPN stands for "Virtual Private Network" or "Virtual Private Networking". A VPN is private in the sense that it carries controlled information, protected by various security mechanisms, between known parties. It is only "virtually" private, however, because the data actually travels over shared public networks instead of fully dedicated private connections.
What is a VPN? • A virtual network overlaid on top of the ubiquitous interconnection of the Internet • and a private network for confidential communications and exclusive usage.
Virtual Private Network • A VPN is a collection of technologies that create secure connections between a group of computers via the Internet. • It provides an encrypted channel between users over a public network. • It accommodates the needs of remote employees and distant offices.
CSC1720 – Introduction to Internet
All copyrights reserved by C.C. Cheung 2003.
VPN Example (figure): a Home PC reaches the Office Network across the Internet through an encrypted, tunneled channel (the "secured channel" in the diagram).
Real VPN (figure)
Virtual private networks • Problem: You have several geographically separated local area networks that you would like to have connected securely
• A virtual private network is a way to simulate a private network over a public network (Internet). • Temporary connections (no real physical presence) are used. • Secure virtual connections are created between two machines, a machine and a network, or two different networks. • Service appears to users as if they were connected directly over a private network
Virtual private networks • A VPN solution should provide at least all of the following: – User authentication: verify the user’s ID and restrict VPN access to authorized users.
– Address management: assign a client’s address on the private network and ensure that private addresses are kept private. – Data encryption: for ensuring confidentiality. – Key management: generate and refresh encryption keys. – Multiprotocol support: handle common protocols used in the public network.
Private Networks vs. Virtual Private Networks
• Employees can access the network (Intranet) from remote locations.
• Secured networks.
• The Internet is used as the backbone for VPNs.
• Cost is reduced tremendously through lower equipment and maintenance costs.
• Scalability.
Brief Overview of How it Works
• Two connections – one is made to the Internet (through the ISP) and a second, virtual one is made to the VPN.
• Datagrams – carry the data together with destination and source information.
• Firewalls – VPNs allow authorized users to pass through the firewalls.
• Protocols – tunneling protocols create the VPN tunnels.
Four Critical Functions
• Authentication – validates that the data was really sent by the claimed sender.
• Access control – keeps unauthorized users from accessing the network.
• Confidentiality – prevents the data from being read or copied while it is being transported.
• Data Integrity – ensures that the data has not been altered in transit.
Virtual Private Network • Operates at layer 2 or layer 3 of the OSI model – Layer 2: frames (Ethernet) – Layer 3: packets (IP)
• Tunneling – allows senders to encapsulate their data in IP packets that hide the routing and switching infrastructure of the Internet – to ensure data security against unwanted viewers, or hackers.
Tunneling A virtual point-to-point connection made through a public network. It transports encapsulated datagrams.
Data Encapsulation (figure, from Comer): the original datagram is encrypted and becomes the data area of an outer datagram, which carries its own datagram header across the public network.
Virtual private networks • Tunneling basics: – Tunneling is a method to transfer data from one network over another. – It encapsulates the frame in an additional header. – Encapsulated packets are then routed between tunnel endpoints over the internetwork. – Tunnel= logical path.
Tunneling How does tunneling work? • Both tunnel endpoints must agree to the tunnel and negotiate configuration variables, such as address assignment or encryption parameters. • Once the tunnel is established, encapsulated data is sent through it. • The tunnel server accepts each packet, verifies and removes the outer header, and forwards the inner data to the target network.
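The encapsulation drawn in the Comer figure and the tunnel-server behaviour described above, as an added example that is not part of the original slides: an inner IPv4 datagram between two private hosts is encrypted, authenticated and carried as the payload of an outer IPv4 datagram addressed between the two tunnel endpoints, which also enforce an IPsec-style anti-replay window. The gateway addresses, the demo keys and the "tunnel" protocol number 253 are assumptions made for this example. Only the packet structure is realistic: the cipher is an HMAC-SHA256 keystream (a PRF in counter mode) and the tag a separate HMAC, chosen because both are in the standard library; a production VPN uses an AEAD such as AES-GCM or ChaCha20-Poly1305 with keys negotiated by IKE or TLS.

```python
import hashlib
import hmac
import os
import socket
import struct

# Constructed demo keys; a real VPN derives them from IKE/TLS and never hard-codes them.
ENC_KEY = hashlib.sha256(b"demo encryption key").digest()
MAC_KEY = hashlib.sha256(b"demo integrity key").digest()
TUNNEL_PROTO = 253  # IANA experimental IP protocol number, standing in for ESP (50)
GW_A, GW_B = "198.51.100.1", "203.0.113.1"  # assumed tunnel endpoints (documentation addresses)
TAG_LEN, WINDOW = 16, 64


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; a header with a correct checksum sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); reject non-IPv4 input or a bad header checksum."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:total_len]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks; a nonce is used for one packet only."""
    blocks = [hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class TunnelEndpoint:
    """One tunnel endpoint: encapsulates outbound inner datagrams and authenticates,
    replay-checks and decrypts inbound ones coming from its peer."""

    def __init__(self, local: str, peer: str):
        self.local, self.peer = local, peer
        self.send_seq = 0
        self.recv_high = 0      # highest sequence number accepted so far
        self.recv_bitmap = 1    # bit i set => recv_high - i already seen (seq 0 is never sent)

    def encapsulate(self, inner: bytes) -> bytes:
        self.send_seq += 1
        nonce = os.urandom(8)
        # tunnel header (seq || nonce) + ciphertext, then encrypt-then-MAC over all of it
        body = struct.pack("!I", self.send_seq) + nonce + xor(inner, keystream(ENC_KEY, nonce, len(inner)))
        tag = hmac.new(MAC_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
        return build_ipv4(self.local, self.peer, TUNNEL_PROTO, body + tag)

    def decapsulate(self, outer: bytes) -> bytes:
        src, dst, proto, payload = parse_ipv4(outer)
        if (src, dst, proto) != (self.peer, self.local, TUNNEL_PROTO) or len(payload) < 12 + TAG_LEN:
            raise ValueError("not a tunnel packet from our peer")
        body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(MAC_KEY, body, hashlib.sha256).digest()[:TAG_LEN]):
            raise ValueError("authentication tag mismatch")   # verify BEFORE decrypting
        self._check_replay(struct.unpack("!I", body[:4])[0])
        nonce, ciphertext = body[4:12], body[12:]
        return xor(ciphertext, keystream(ENC_KEY, nonce, len(ciphertext)))

    def _check_replay(self, seq: int) -> None:
        """IPsec-style sliding window: accept out-of-order packets, reject duplicates and stale ones."""
        if seq > self.recv_high:
            shift = seq - self.recv_high
            self.recv_bitmap = ((self.recv_bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.recv_high = seq
            return
        offset = self.recv_high - seq
        if offset >= WINDOW:
            raise ValueError("sequence number too old")
        if self.recv_bitmap >> offset & 1:
            raise ValueError("replayed packet")
        self.recv_bitmap |= 1 << offset
```

Running `TunnelEndpoint(GW_A, GW_B).encapsulate(inner)` on an inner datagram built with `build_ipv4("10.1.0.5", "10.2.0.7", 17, b"...")` yields an outer packet whose header shows only the two gateway addresses and protocol 253; the peer's `decapsulate` returns the original inner datagram, and a second delivery of the same outer packet, or one with any byte altered, is rejected before anything is decrypted.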
Tunneling Tunnel types:
• Voluntary tunnels: a user or a client computer can issue a VPN request to configure and create a voluntary tunnel. In this case, the user’s computer is a tunnel endpoint and acts as the tunnel client. • Compulsory tunnels: the user’s computer is not a tunnel endpoint. Another device, the remote access server, between the user’s computer and the tunnel server is the tunnel endpoint.
Tunneling: compulsory tunnel (figure)
Tunneling Protocols cont.
• PPTP – Encapsulates PPP frames in GRE over IP datagrams – Uses TCP (port 1723) for the control connection that maintains the tunnel – Encryption (MPPE) and compression are provided at the PPP layer
• L2TP – Encapsulation in IP, ATM, Frame Relay or X.25 – IP (UDP port 1701) when going over the Internet – UDP carries the control messages used for tunnel maintenance – L2TP itself provides no encryption; it is normally paired with IPsec (L2TP/IPsec)
Advantages
• PPTP: – No certificate infrastructure needed – Supported on more operating systems – Can operate behind NATs (the NAT must handle GRE, which has no port numbers)
• L2TP (over IPsec): – More tools to guarantee packet integrity and data security (per-packet authentication, integrity and confidentiality from IPsec) – Requires a certificate infrastructure (computer certificates for the IPsec layer in addition to user credentials) – PPP authentication is encrypted: it takes place inside the IPsec security association, after the IPsec peer check
Tunneling Protocols cont. • Both are built on PPP (Point-to-Point Protocol), which has 4 phases:
• 1) Link Establishment – a physical link between the two ends
• 2) User Authentication – password protocols are used: PAP, CHAP, MS-CHAP
• 3) Callback Control – optional; the server disconnects and calls the user back after authentication
• 4) Data Transfer Phase – exactly what it sounds like
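The User Authentication phase above, as an added example that is not part of the original slides: the CHAP challenge/response exchange (RFC 1994, MD5 algorithm) between a network access server (the authenticator) and a dial-in client (the peer), with PAP beside it for contrast. The user names, secrets and wordlist are constructed for this example; the Response value is MD5(Identifier || secret || Challenge) exactly as CHAP specifies.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-MD5 Response Value: MD5 over the one-byte Identifier, the shared secret and the Challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def pap_request(name: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request carries the password itself: anyone on the path can read it."""
    return bytes([len(name)]) + name + bytes([len(password)]) + password


class Authenticator:
    """The NAS side: issues a fresh random challenge per attempt and checks the response."""

    def __init__(self, secrets: Dict[bytes, bytes]):
        self.secrets = secrets                  # user name -> shared secret (constructed demo database)
        self.ident = 0
        self.outstanding: Dict[int, bytes] = {}

    def challenge(self) -> Tuple[int, bytes]:
        self.ident = (self.ident + 1) & 0xFF
        value = os.urandom(16)                  # must be unpredictable and never reused
        self.outstanding[self.ident] = value
        return self.ident, value

    def verify(self, ident: int, name: bytes, response: bytes) -> bool:
        challenge = self.outstanding.pop(ident, None)   # single use: a captured response cannot be replayed
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(response, chap_response(ident, secret, challenge))


class Peer:
    """The client side: never sends the secret, only its hash combined with the challenge."""

    def __init__(self, name: bytes, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, ident: int, challenge: bytes) -> Tuple[int, bytes, bytes]:
        return ident, self.name, chap_response(ident, self.secret, challenge)


def run_chap(nas: Authenticator, client: Peer) -> bool:
    """The three-message exchange: Challenge, Response, Success/Failure."""
    ident, challenge = nas.challenge()
    ident, name, response = client.respond(ident, challenge)
    return nas.verify(ident, name, response)


def offline_guess(ident: int, challenge: bytes, response: bytes, wordlist) -> Optional[bytes]:
    """What an eavesdropper can do with one captured exchange: CHAP stops replay, but a weak
    secret can be recovered offline because MD5 is fast and the construction is unsalted."""
    for guess in wordlist:
        if chap_response(ident, guess, challenge) == response:
            return guess
    return None
```

`run_chap` succeeds only for a peer holding the right secret, and a captured (identifier, name, response) triple is refused when presented a second time. The caveat `offline_guess` demonstrates applies to MS-CHAP as well: MS-CHAPv2 builds its response from DES, so a captured exchange can be brute-forced with about 2^56 work, which is why PPTP with MS-CHAPv2 should not be relied on for confidentiality.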
Types of VPN • Two main types of VPNs: – Remote-Access – Site-to-Site
Types of VPN (cont.) • Remote-Access – The typical example is a dial-up connection from home, or a mobile worker who needs to reach protected material remotely
• Site-to-Site – The typical example is a company with offices in two different geographical locations that wants a secure network connection between the two
ECE 4112 - Internetwork Security
Remote Access VPN • Essentially provides LAN access through a dial-up connection – Typically done by purchasing a NAS (Network Access Server) with a toll-free number – Can instead be done through a normal ISP connection, using VPN software to make a virtual connection to the LAN
Remote-Access Example (figure): a Mobile User and a Home User each build a VPN over the Internet to the VPN-enabled gateway of Network A.
Remote Access VPN • There are two types of remote access VPNs: – Client-Initiated – remote users use VPN clients to establish a secure tunnel across a shared ISP network to the enterprise. – Network Access Server-initiated – remote users dial in to an ISP; the NAS establishes a secure tunnel to the enterprise private network, and that tunnel may carry multiple remote-user sessions.
Client Initiated VPN • Remote-access VPNs are an extension of dial networks. • Remote-access VPNs can terminate on head-end devices such as Cisco routers, PIX firewalls or VPN concentrators. • Remote-access clients can include Cisco routers and VPN clients.
Site to Site VPN • Connects two LANs over their local ISP connections • Very useful for connecting a branch office to a main hub (large business) • Much less expensive than purchasing a dedicated line between the hub and the branch • Intranet VPN: connects remote locations of one company • Extranet VPN: connects two companies (partners) into one shared private network
Site to Site Connection (figure)
Virtual Private Networks (VPN) Basic Architecture (figure)
VPN Advantages – Better network performance – Easy to add/remove users – Reduced cost – Mobility – Improved security
VPN Disadvantages – Lack of standards – Requires understanding of security issues – Unpredictable Internet traffic – Difficult to accommodate products from different vendors
VPN Components • Protocols • Security • Appliances
VPN Components: Protocols • IP Security (IPsec) – a set of standards (AH, ESP, IKE) for securing IP traffic; also the name for VPNs built on those standards – Transport mode: protects only the payload of the original IP packet; the original IP header stays in place (host-to-host) – Tunnel mode: the whole original packet is encrypted and wrapped in a new IP packet addressed between the gateways (site-to-site)
• Point-to-Point Tunneling Protocol (PPTP) – Microsoft's Point-to-Point Tunneling Protocol – Voluntary tunneling method (the client is the tunnel endpoint) – Carries PPP (Point-to-Point Protocol) frames
VPN Components: Protocols • Layer 2 Tunneling Protocol (L2TP) – from Cisco and Microsoft (RFC 2661) – Works at the data link layer of the OSI model – Combines features of PPTP and L2F (Layer 2 Forwarding) – Compulsory tunneling method (the access server is the tunnel endpoint)
VPN Components: Security • Encryption – A technique for scrambling and unscrambling information – Unscrambled information is called clear-text – Scrambled information is called cipher-text
VPN Components: Security • Keys – A secret value that the encryption algorithm uses to create a unique version of the cipher-text – 8-bit keys: 256 combinations (two to the eighth power) – 16-bit keys: 65,536 combinations (two to the 16th power) – 56-bit keys: 72,057,594,037,927,936 combinations (two to the 56th power) – 168-bit keys …
VPN Components: Security • Authentication – Determines whether the sender is the authorized party and whether the data has been redirected or corrupted – User/System Authentication – Data Authentication
VPN Components: Appliances • Intrusion detection firewalls – Monitor traffic crossing the network perimeter and protect the enterprise from unauthorized access – A packet-level firewall checks the source and destination addresses (and ports) of each packet – An application-level firewall (proxy) acts as an intermediary host between the organization's network and the Internet
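The packet-level filtering described above, and the way a VPN is admitted through the firewall, as an added example that is not part of the original slides: a first-match packet filter evaluated over constructed sample packets, plus a stateful variant that admits only replies to connections it has seen leave. The rule set, gateway and server addresses are assumptions made for illustration; the rules let the IPsec tunnel (ESP and IKE on UDP/500) from the peer gateway through, drop Internet packets that spoof a private source address, and deny everything else by default.

```python
import ipaddress
from collections import namedtuple
from typing import List, Optional, Set, Tuple

# Constructed sample packets use this shape: addresses as strings, ports 0 where not applicable.
Packet = namedtuple("Packet", "src dst proto sport dport")


class Rule:
    """One first-match rule; a field left as 'any'/None matches everything."""

    def __init__(self, action: str, src: str = "any", dst: str = "any",
                 proto: str = "any", dport: Optional[int] = None):
        self.action, self.proto, self.dport = action, proto, dport
        self.src = None if src == "any" else ipaddress.ip_network(src)
        self.dst = None if dst == "any" else ipaddress.ip_network(dst)

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or ipaddress.ip_address(p.src) in self.src)
                and (self.dst is None or ipaddress.ip_address(p.dst) in self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


# Assumed addresses (documentation ranges) for this example.
GATEWAY, PEER_GATEWAY, WEB = "198.51.100.1/32", "203.0.113.1/32", "198.51.100.10/32"

# Assumed rule set for the Internet-facing interface, evaluated top to bottom.
RULES: List[Rule] = [
    # anti-spoofing: private source addresses never legitimately arrive from the Internet
    Rule("deny", src="10.0.0.0/8"),
    Rule("deny", src="172.16.0.0/12"),
    Rule("deny", src="192.168.0.0/16"),
    # the VPN tunnel itself: ESP from the peer gateway, plus IKE (UDP/500) to negotiate its keys
    Rule("allow", src=PEER_GATEWAY, dst=GATEWAY, proto="esp"),
    Rule("allow", src=PEER_GATEWAY, dst=GATEWAY, proto="udp", dport=500),
    # the public web server
    Rule("allow", dst=WEB, proto="tcp", dport=443),
    Rule("deny"),   # default deny
]


def packet_filter(p: Packet, rules: List[Rule] = RULES) -> str:
    """Stateless packet-level filtering: the first matching rule decides."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFilter:
    """Stateful filtering: remembers outbound flows and admits only their replies inbound."""

    def __init__(self, rules: List[Rule] = RULES):
        self.rules = rules
        self.flows: Set[Tuple] = set()

    def outbound(self, p: Packet) -> str:
        self.flows.add((p.dst, p.dport, p.src, p.sport, p.proto))   # stored as the reply will look
        return "allow"

    def inbound(self, p: Packet) -> str:
        if (p.src, p.sport, p.dst, p.dport, p.proto) in self.flows:
            return "allow"          # reply to an established connection
        return packet_filter(p, self.rules)   # otherwise fall back to the static rules
```

With these rules, `packet_filter` admits ESP and IKE only when they come from the peer gateway and reaches the default deny for an SSH attempt against the web server; `StatefulFilter` admits the reply to an outbound connection it recorded but not a packet aimed at a port no inside host opened.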