Computer Net Lab/Praktikum Datenverarbeitung 2

Upload: christina-wright

Post on 27-Dec-2015


Overview

• VPN
• VPN requirements
• Encryption
• VPN-Types
• Protocols
• VPN and Firewalls

VPN - Definition

• VPNs (Virtual Private Networks) allow secure data transmission over an insecure connection.

• VPNs connect computers and/or networks (at various locations) into a common network by using public communication infrastructure.

VPN Scheme

[Figure: two LANs, each with a client, connected through a VPN tunnel across the Internet]

VPN - terms

• Virtual: because a public communication infrastructure is used, there is no permanent physical connection but a logical one. Only when there is data to transmit is bandwidth occupied, and the data is transmitted according to the routing information.

• Private: only valid users should have access to the network and its data. Additionally, all data has to be transmitted confidentially.

VPN requirements

• Data security must ensure
  – Confidentiality
  – Integrity
  – Authentication

• Quality of Service
  – Guarantees availability of connectivity
  – Support of all applications

• Additional requirements
  – Reasonable administration effort
  – Effectiveness and extendibility

Confidentiality

• means that no unauthorized person who gained illegal access to the data is able to read or understand it.

• is realized by encryption. The data is encoded by an encryption algorithm and an encryption key. Only owners of the appropriate decryption key are able to decrypt the coded data.

Integrity

• means that no data has been changed or manipulated during transmission.

• is realised by a checksum over the transferred data. Using a mathematical function, a checksum is built over the data to be transmitted. This checksum is unique. The checksum is sent to the recipient together with the data.

Authentication

• means that the recipient of a message is able to ensure that he got the message from the right person and not from someone who pretends to be that person.

• is realized by use of digital signatures. Digital signatures are like a "normal" signature on a document, which unambiguously identifies the author.

Symmetric Encryption

• Each communication partner has the same key
• N (N-1)/2 keys for N communication partners which communicate pairwise
• High effort for key maintenance
• Key lengths of 128 bit are said to be secure; typical values 40, 56, 128
• Fast method
• DES, Triple DES, Blowfish

Asymmetric Encryption

• Distinction between private (mine) and public keys (for others)
• Communication with N participants means N public keys
• Key length higher than for symmetric keys; typical lengths: 512, 1024, 2048
• Slower than symmetric encryption
• Examples: PGP, RSA

Tunnel

• Tunneling means embedding a complete data packet (header and payload) within the payload segment of another protocol on the same protocol level. Advantage: the data can be coded/encrypted.

Original packet:   Orig IP Hdr | TCP Hdr | Data
Tunneled packet:   New IP Hdr | Orig IP Hdr | TCP Hdr | Data

End-to-End Constellation

[Figure: Computer 1 – Internet – Computer 2]

End-to-Site Constellation

[Figure: mobile computers dial in via an ISP to the Internet and reach the intranet through a VPN gateway]

Site-to-Site Constellation

[Figure: Intranet 1 – VPN gateway 1 – Internet – VPN gateway 2 – Intranet 2]

VPN-Types

Application level (Layer 5-7):        Application-Layer encryption
Transport/network level (Layer 3-4):  Network-Layer encryption
Link/physical level (Layer 1-2):      Link-Layer encryption

VPN and ISO/OSI Layer

Layer         Examples
Application   SSH, Kerberos, virus scans, content screening, IPSEC (IKE), ...
Transport     SSL, Socks V5, TLS
Network       IPSEC (AH, ESP), packet filtering, NAT
Link          Tunneling protocols (L2TP, PPTP, L2F), CHAP, PAP, ...

PPTP-Protocol

• Point-to-Point Tunneling Protocol, widespread because it is simple
• Layer-2 protocol
• Only user authentication => security = password
• Set-up of communication:
  1. PPP connection with user authentication
  2. Link and control (TCP port 1723)
  3. Tunnel: IP header | GRE header (IP protocol 47) | PPP header | PPP payload, optionally encrypted with MPPE (RC4)
• IP addresses of client and server => NAT and dynamic IP addresses ok

PPTP-Protocol 2

[Figure only; no text in the transcript]

IPSec 1

• Internet Protocol Security is a protocol family
• Allows encryption and integrity check
  – integrity check: Authentication Header protocol (AH)
  – encryption: Encapsulating Security Payload protocol (ESP)
• Open for enhancements, the encryption method is not fixed
  – authentication: Diffie-Hellman key exchange
  – confidentiality: Triple-DES, IDEA, Blowfish
  – integrity by use of hash functions: MD5 and SHA
• Two modes of operation
  – Tunnel mode protects address information and payload
  – Transport mode protects only the payload

IPSec AH

Original packet:   Orig IP Hdr | TCP Hdr | Data
Tunnel mode:       New IP Hdr | AH Header | Orig IP Hdr | TCP Hdr | Data
Transport mode:    Orig IP Hdr | AH Header | TCP Hdr | Data

AH allows only an integrity check.
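The AH layouts above, worked through as an added example (not from the slides): a minimal IPv4 header, a simplified AH header whose integrity check value (ICV) is an HMAC-SHA1-96 keyed hash, and the tunnel and transport mode arrangements from the Tunnel and IPSec slides. It also shows the keyed form of the checksum idea from the Integrity slide; the key, addresses and dummy TCP header are constructed, and the AH header omits options and real sequence handling.

```python
import hmac, hashlib, socket, struct
AH, IPIP, TCP = 51, 4, 6     # IP protocol numbers: Authentication Header, IP-in-IP, TCP

def ip_checksum(hdr):
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ip_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                    proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return h[:10] + struct.pack("!H", ip_checksum(h)) + h[12:]

def ah_icv(packet, key):
    """HMAC-SHA1-96 over the whole packet; the mutable IP fields (TOS,
    flags/fragment offset, TTL, checksum) and the ICV field are zeroed first."""
    z = bytearray(packet)
    for i in (1, 6, 7, 8, 10, 11):
        z[i] = 0
    z[32:44] = b"\x00" * 12
    return hmac.new(key, bytes(z), hashlib.sha1).digest()[:12]

def ah_packet(src, dst, next_hdr, payload, key, spi=1, seq=1):
    """IP Hdr (protocol 51) | AH Header (24 bytes incl. ICV) | payload."""
    ah = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq)  # payload len 4 = 24/4 - 2
    ip = ip_header(src, dst, AH, len(ah) + 12 + len(payload))
    icv = ah_icv(ip + ah + b"\x00" * 12 + payload, key)
    return ip + ah + icv + payload

def ah_transport(orig, key):
    """Transport mode: Orig IP Hdr | AH Header | TCP Hdr | Data
    (the original addresses are reused in the outer header)."""
    src, dst = socket.inet_ntoa(orig[12:16]), socket.inet_ntoa(orig[16:20])
    return ah_packet(src, dst, orig[9], orig[20:], key)

def ah_tunnel(orig, gw_src, gw_dst, key):
    """Tunnel mode: New IP Hdr | AH Header | Orig IP Hdr | TCP Hdr | Data
    (the whole original packet becomes the authenticated payload)."""
    return ah_packet(gw_src, gw_dst, IPIP, orig, key)

def ah_verify(packet, key):
    """Recompute the ICV: any change to the addresses or data is detected,
    which is also why a NAT that rewrites the source address breaks AH."""
    return hmac.compare_digest(packet[32:44], ah_icv(packet, key))

# Constructed sample: a 44-byte packet with a dummy all-zero TCP header.
KEY = b"constructed demo key"
ORIG = ip_header("192.168.1.1", "192.168.2.1", TCP, 24) + b"\x00" * 20 + b"data"
```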

IPSec ESP

Original packet:   Orig IP Hdr | TCP Hdr | Data
Tunnel mode:       New IP Hdr | ESP Hdr | Orig IP Hdr | TCP Hdr | Data | ESP Trailer | ESP Auth
Transport mode:    Orig IP Hdr | ESP Hdr | TCP Hdr | Data | ESP Trailer | ESP Auth

ESP allows encryption.

VPN and Firewall

• Idea of the firewall: the firewall is the only connection to the Internet. All other computers (even the VPN gateway) are located behind the firewall.

• Problem: the firewall is not able to analyze the data because it is encrypted.

VPN behind Firewall

[Figure: Internet – Firewall – VPN-Gateway – LAN (center) on one side, VPN client – LAN (branch office) on the other; the VPN runs through the firewall and the data is decrypted at the VPN gateway behind it]

VPN and Firewall together

[Figure: Internet – combined Firewall and VPN-Gateway – LAN (center) on one side, VPN client – LAN (branch office) on the other; the data is decrypted on the firewall/VPN gateway]

VPN Gateway in DMZ

[Figure: Internet – outer Firewall – DMZ with VPN-Gateway – inner Firewall – LAN (center) on one side, VPN client – LAN (branch office) on the other; the data is decrypted in the DMZ]

NAT

• NAT = Network Address Translation
• Allows, through mapping, the assignment of official IP addresses to private ones. Therefore it is possible to gain access to the Internet with private IP addresses.

[Figure: web browser with sender IP 192.168.0.10 – NAT rewrites to new sender IP 134.91.90.70 – Internet; on the reply, target IP 134.91.90.70 – NAT rewrites to new target IP 192.168.0.10 – web browser]

IP

• It carries the transport protocols TCP and UDP.
• It builds IP packets out of the data which have to be transmitted.
• It adds additional information, the IP header. It contains the source and destination address.

TCP

• TCP (Transmission Control Protocol) confirms every received data package.
• TCP repeats each data package until its receipt is confirmed.
• TCP is reliable, which means the transmission is guaranteed.

[Figure: TCP header layout, 32 bit wide]

IP-Forwarding

[Figure: an IP packet with target 134.91.90.70 arriving from the Internet is forwarded by the firewall (port 1723 or GRE protocol 47) into the private local net as an IP packet with target 192.168.1.1, the VPN gateway]
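The NAT slide and the IP-Forwarding figure above, combined in an added example (not from the slides): a simplified firewall model that rewrites the private sender address of outbound LAN traffic, translates replies back, statically forwards TCP port 1723 and GRE (protocol 47) to the VPN gateway, and drops any other unsolicited inbound packet. The addresses 134.91.90.70 and 192.168.1.1 are taken from the slides; the port range, class names and the outside addresses are constructed.

```python
from dataclasses import dataclass, replace

PUBLIC_IP = "134.91.90.70"     # public address of the firewall (from the slides)
VPN_GATEWAY = "192.168.1.1"    # internal VPN gateway (IP-Forwarding slide)
TCP, GRE = 6, 47               # IP protocol numbers

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0   # 0 = protocol without port numbers (GRE)
    dport: int = 0

class NatFirewall:
    """Source NAT for the private LAN plus static forwarding of the PPTP
    ports to the VPN gateway.  Simplified model, not a real firewall."""

    def __init__(self, public_ip, forward_rules):
        self.public_ip = public_ip
        self.forward_rules = forward_rules   # {(proto, dport): internal address}
        self.out_map = {}                    # (proto, src, sport) -> public port
        self.in_map = {}                     # (proto, public port) -> (src, sport)
        self.next_port = 40000

    def outbound(self, p):
        """LAN -> Internet: rewrite the private sender address and remember
        the mapping so the reply can be translated back."""
        key = (p.proto, p.src, p.sport)
        if key not in self.out_map:
            pub = self.next_port if p.sport else 0   # GRE has no port to rewrite;
            self.next_port += 1 if p.sport else 0    # a real NAT needs a PPTP helper
            self.out_map[key] = pub                  # keyed on the GRE call ID
            self.in_map[(p.proto, pub)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=self.out_map[key])

    def inbound(self, p):
        """Internet -> LAN: translate a reply to a known mapping or a packet
        for a statically forwarded VPN port; anything else has no private
        target and is dropped (None)."""
        if (p.proto, p.dport) in self.in_map:
            src, sport = self.in_map[(p.proto, p.dport)]
            return replace(p, dst=src, dport=sport)
        if (p.proto, p.dport) in self.forward_rules:
            return replace(p, dst=self.forward_rules[(p.proto, p.dport)])
        return None

# Constructed setup: forward TCP 1723 and GRE (protocol 47) to the gateway.
FIREWALL = NatFirewall(PUBLIC_IP, {(TCP, 1723): VPN_GATEWAY, (GRE, 0): VPN_GATEWAY})
```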

VPN-Practical training

[Figure: two private local nets, each behind a firewall with a VPN gateway, connected over the Internet by a tunnel]