Computer Net Lab/Praktikum Datenverarbeitung 2 1
Overview
• VPN
• VPN requirements
• Encryption
• VPN-Types
• Protocols
• VPN and Firewalls
VPN - Definition
• VPNs (Virtual Private Networks) allow secure data transmission over insecure connections.
• VPNs connect computers and/or networks (at various locations) to a common network by use of public communication structures.
VPN Scheme
[Diagram: two sites, each with a Client and a LAN, connected across the Internet by a VPN tunnel between the two VPN endpoints]
VPN - terms
• Virtual: due to the usage of a public communication infrastructure there is no permanent physical connection but a logical one. If there is data to transmit, then bandwidth is occupied and the data is transmitted according to the routing information.
• Private: because only valid users should have access to the network and to the data, respectively. Additionally all data have to be transmitted confidentially.
VPN requirements
• Data security must ensure
  – Confidentiality
  – Integrity
  – Authentication
• Quality of Service
  – Guarantees availability of connectivity
  – Support of all applications
• Additional requirements
  – Reasonable administration effort
  – Effectiveness and extendibility
Confidentiality
• means that no unauthorized person who got illegal access to the data is able to read or understand it.
• is realized by encryption. The data are coded by an encryption algorithm and an encryption key. Only owners of the appropriate decryption key are able to decrypt the coded data.
Integrity
• means that no data has been changed/manipulated during transmission.
• is realised by a checksum of the transferred data. By use of a mathematical function a checksum is built over the data which has to be transmitted. This checksum is unique. The checksum together with the data is sent to the recipient.
Authentication
• means that a recipient of a message is able to ensure that he got the message from the right person and not from a person who pretends to be the right one.
• is realized by use of digital signatures. Digital signatures are like a „normal“ signature on a document, which unambiguously identifies the author.
Symmetric Encryption
• Each communication partner has the same key
• N (N-1)/2 keys for N communication partners which communicate pairwise
• High effort for key maintenance
• Key lengths of 128 bit are said to be secure; typical values 40, 56, 128
• Fast method
• DES, Triple DES, Blowfish
Asymmetric Encryption
• Distinction between private (my) and public keys (for others)
• Communication with N participants means N public keys
• Key length higher than symmetric keys; typical lengths: 512, 1024, 2048
• Slower than symmetric encryption
• Example: PGP, RSA
Tunnel
• Tunneling means the embedding of a complete data packet (header and payload) within the payload segment of another protocol on the same protocol level. Advantage: data can be coded/encrypted.
Original packet: Orig IP Hdr | TCP Hdr | Data
Tunneled packet: New IP Hdr | Orig IP Hdr | TCP Hdr | Data
End-to-End Constellation
[Diagram: Computer 1 and Computer 2 connected directly across the Internet]
End-to-Site Constellation
[Diagram: mobile computers dial up to their ISPs and reach the Intranet across the Internet through a VPN Gateway]
Site-to-Site Constellation
[Diagram: Intranet 1 behind VPN Gateway 1, Intranet 2 behind VPN Gateway 2, the two gateways connected across the Internet]
VPN-Types
• Application level (Layer 5-7): Application-Layer encryption
• Transport-/network level (Layer 3-4): Network-Layer encryption
• Link-/physical level (Layer 1-2): Link-Layer encryption
VPN and ISO/OSI Layer
• Application: SSH, Kerberos, Virusscans, Content Screening, IPSEC (IKE), …
• Transport: SSL, Socks V5, TLS
• Network: IPSEC (AH, ESP), Packet Filtering, NAT
• Link: Tunneling Protocols (L2TP, PPTP, L2F), CHAP, PAP, …
PPTP-Protocol
• Point To Point Tunneling, widespread because simple
• Layer-2 protocol
• Only user authentication => Security = Password
• Set up of communication:
  1. PPP connection with user authentication
  2. Link and control (TCP Port 1723)
  3. Tunnel: IP Header | GRE Header (IP 47) | PPP Header | PPP Payload, optionally encrypted with MPPE (RC4)
• IP addresses: client + server => NAT and dynamic IP addresses OK
IPSec 1
• Internet Protocol Security is a protocol family
• Allows encryption and integrity check
  – integrity check (Authentication Header Protocol)
  – encryption (Encapsulating Security Payload Protocol)
• Open for enhancements, encryption method is not fixed
  – Authentication: Diffie-Hellman key exchange
  – Confidentiality: Triple-DES, IDEA, Blowfish
  – Integrity by use of hash building: MD5 and SHA
• Two modes of operation
  – Tunnel mode protects address information and payload
  – Transport mode protects only payload
IPSec AH
Original packet: Orig IP Hdr | TCP Hdr | Data
Transport mode:  Orig IP Hdr | AH Header | TCP Hdr | Data
Tunnel mode:     New IP Hdr | AH Header | Orig IP Hdr | TCP Hdr | Data
AH allows only check of integrity
IPSec ESP
Original packet: Orig IP Hdr | TCP Hdr | Data
Transport mode:  Orig IP Hdr | ESP Hdr | TCP Hdr | Data | ESP Trailer | ESP Auth
Tunnel mode:     New IP Hdr | ESP Hdr | Orig IP Hdr | TCP Hdr | Data | ESP Trailer | ESP Auth
ESP allows encryption
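The tunnel layout and the AH transport/tunnel layouts above, as an added Python example that is not part of the slides: toy header byte strings stand in for the real IP/TCP headers, and an HMAC-SHA256 tag stands in for the AH integrity check value. It shows transport mode (AH between the original IP header and the TCP header), tunnel mode (the whole original packet behind a new IP header), that a packet modified in transit fails verification, and that the payload stays readable because AH provides integrity only. The header contents, addresses and key are constructed.

```python
import hmac
import hashlib

# Constructed stand-ins for the header boxes in the slide diagrams; real IPsec
# uses struct-packed RFC 791 / RFC 4302 layouts, which are omitted here.
ORIG_IP_HDR = b"IP[src=192.168.0.10 dst=192.168.1.1]"   # inner (private) addresses
TCP_HDR = b"TCP[sport=40000 dport=80]"
DATA = b"GET / HTTP/1.0"
NEW_IP_HDR = b"IP[src=134.91.90.70 dst=203.0.113.9]"     # constructed gateway addresses
ICV_LEN = hashlib.sha256().digest_size   # stands in for the AH integrity check value


def ah_protect(key: bytes, outer_ip_hdr: bytes, inner: bytes) -> bytes:
    """Build outer_ip_hdr | AH | inner; the ICV covers the IP header and all that follows.
    (Real AH zeroes mutable IP fields such as TTL before hashing; the toy header has none.)"""
    icv = hmac.new(key, outer_ip_hdr + inner, hashlib.sha256).digest()
    return outer_ip_hdr + icv + inner


def ah_verify(key: bytes, packet: bytes, ip_hdr_len: int):
    """Return (ok, inner). 'inner' is plaintext either way: AH gives integrity, not secrecy."""
    ip_hdr = packet[:ip_hdr_len]
    icv = packet[ip_hdr_len:ip_hdr_len + ICV_LEN]
    inner = packet[ip_hdr_len + ICV_LEN:]
    expected = hmac.new(key, ip_hdr + inner, hashlib.sha256).digest()
    return hmac.compare_digest(icv, expected), inner


def transport_mode(key: bytes) -> bytes:
    # Orig IP Hdr | AH Header | TCP Hdr | Data  (only the payload is protected)
    return ah_protect(key, ORIG_IP_HDR, TCP_HDR + DATA)


def tunnel_mode(key: bytes) -> bytes:
    # New IP Hdr | AH Header | Orig IP Hdr | TCP Hdr | Data  (whole original packet embedded)
    return ah_protect(key, NEW_IP_HDR, ORIG_IP_HDR + TCP_HDR + DATA)


def tamper(packet: bytes) -> bytes:
    """Flip one bit in the last byte (inside Data) to simulate modification in transit."""
    return packet[:-1] + bytes([packet[-1] ^ 0x01])
```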
VPN and Firewall
• Idea of the firewall: The firewall is the only connection to the Internet. All other computers (even the VPN gateway) are located behind the firewall.
• Problem: The firewall is not able to analyze the data because they are encrypted.
VPN behind Firewall
[Diagram: Internet, Firewall, VPN-Gateway, LAN (center), VPN Client, LAN (branch office); the VPN tunnel passes through the Firewall to the VPN-Gateway, decrypted data only behind the gateway]
VPN and Firewall together
[Diagram: Internet, combined Firewall and VPN-Gateway, LAN (center), VPN Client, LAN (branch office); the VPN tunnel terminates at the combined device, decrypted data behind it]
VPN Gateway in DMZ
[Diagram: Internet, outer Firewall, DMZ with VPN-Gateway, inner Firewall, LAN (center); VPN client in LAN (branch office); the VPN tunnel ends in the DMZ, decrypted data passes the inner Firewall]
NAT
• NAT = Network Address Translation
• Allows, through mapping, the assignment of official IP addresses to private ones. Therefore it is possible to gain access to the Internet with private IP addresses.
[Diagram: Web browser with Sender-IP 192.168.0.10 -> NAT -> New Sender-IP 134.91.90.70 -> Internet; reply with Target-IP 134.91.90.70 -> NAT -> New Target-IP 192.168.0.10]
IP
• It carries the transport protocols TCP and UDP.
• It builds IP packets out of the data which have to be transmitted.
• It adds additional information, the IP header. It contains source and destination address.
TCP
• TCP (Transmission Control Protocol) confirms every received data packet.
• TCP repeats each data packet until its reception is confirmed.
• TCP is reliable, that means the transmission is guaranteed.
[Diagram: TCP header, 32 bit wide]
IP-Forwarding
[Diagram: an IP packet with target 134.91.90.70 arrives from the Internet at the Firewall; traffic on Port 1723 or GRE protocol 47 is forwarded (IP-Forwarding) into the private, local net as an IP packet with target 192.168.1.1, the VPN Gateway]
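As an added example (not from the slides) that ties the NAT slide to the IP-Forwarding slide: a toy NAT box in Python that rewrites the sender IP 192.168.0.10 to the official address 134.91.90.70, translates replies back to the private host, and forwards PPTP control (TCP 1723) and GRE (protocol 47) packets to the VPN gateway 192.168.1.1. Everything without matching state is dropped, which is the property that lets a NAT double as a simple inbound filter. The Packet/NatBox names, the public port range starting at 40000 and the Internet host 198.51.100.5 are constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Addresses from the slides; 198.51.100.5 is a constructed Internet host.
PRIVATE_HOST = "192.168.0.10"
PUBLIC_ADDR = "134.91.90.70"
VPN_GATEWAY = "192.168.1.1"
INTERNET_HOST = "198.51.100.5"


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "gre"
    src: str
    dst: str
    sport: int = 0      # 0 for protocols without ports (GRE)
    dport: int = 0


class NatBox:
    """Toy firewall: source NAT for outbound traffic; reply translation and
    IP-Forwarding of PPTP/GRE traffic to the VPN gateway for inbound traffic."""

    def __init__(self, public_addr: str, vpn_gateway: str) -> None:
        self.public_addr = public_addr
        self.vpn_gateway = vpn_gateway
        self.next_port = 40000
        # (proto, public port) -> (private sender IP, private sender port)
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the private sender IP to the official address, reusing an existing mapping."""
        for (proto, pub_port), (src, sport) in self.table.items():
            if (proto, src, sport) == (pkt.proto, pkt.src, pkt.sport):
                return replace(pkt, src=self.public_addr, sport=pub_port)
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, pub_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_addr, sport=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a reply back to the private host, forward VPN traffic to the
        gateway, and drop (return None) anything without matching state."""
        if pkt.dst != self.public_addr:
            return None
        # IP-Forwarding rule from the slides: PPTP control (TCP 1723) and GRE (IP proto 47)
        if (pkt.proto == "tcp" and pkt.dport == 1723) or pkt.proto == "gre":
            return replace(pkt, dst=self.vpn_gateway)
        mapping = self.table.get((pkt.proto, pkt.dport))
        if mapping is None:
            return None
        src, sport = mapping
        return replace(pkt, dst=src, dport=sport)
```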