8/3/2019 IPSec VPN Slides Final
1/30
IPSec and VPN
Ali Bodden, Joseph Gonya, Miguel Mendez
IPSec / VPN Outline
What is IPSec?
IPSec Architecture
What are the Security Properties/Services of IPSec?
What are the IPSec Protocol types?
An example of IPSec in use
What are the security issues concerning IP?
What is IPSec's application to VPN?
What is VPN?
Transport and Tunnel Modes
What are the two types of VPN?
Current status of VPN solution technology versus first generation
What is the cost effectiveness of implementing a VPN?
What are the advantages of an IPSec VPN?
What are the disadvantages of an IPSec VPN?
Review and Questions
What is IPSec?
IPSec is a set of extensions to the IP protocol family. It provides cryptographic security services: authentication, integrity, access control, and confidentiality. IPSec provides services similar to SSL, but at the network layer, in a way that is completely transparent to your applications, and much more powerful. We say this because your applications do not need any knowledge of IPSec to be able to use it. You can use any IP protocol over IPSec. You can create encrypted tunnels (VPNs), or just do encryption between computers. Since you have so many options, IPSec is rather complex (much more so than SSL!).

In a logical sense, IPSec works in any of these three ways:
Host-to-Host
Host-to-Network
Network-to-Network

In every scenario that involves a network, "network" means a router: for example Host-to-Router, where the router controls and encrypts traffic for a particular network.

As you can see, IPSec can be used to tunnel traffic for VPN connections. However, its utility reaches beyond VPNs. With a central Internet Key Exchange registry, every machine on the internet could talk to another one and employ powerful encryption and authentication!
IPSec Architecture
IPSec Documents:
The IPSec specification consists of numerous documents. The most important of these, issued in November of 1998, are RFCs 2401, 2402, 2406, and 2408:
RFC 2401: An overview of a security architecture
RFC 2402: Description of a packet authentication extension to IPv4 and IPv6
RFC 2406: Description of a packet encryption extension to IPv4 and IPv6
RFC 2408: Specification of key management capabilities
What are the Security Properties/Services of IPSec?
The internet protocol, IP, AKA IPv4, does not inherently provide any protection to your transferred data. It does not even guarantee that the sender is who he says he is. IPsec tries to remedy this. These services are considered distinct, but IPsec supports them in a uniform manner.

Confidentiality
Ensure it is hard for anyone but the receiver to understand what data has been communicated. For example: ensuring the secrecy of passwords when logging into a remote machine over the Internet.

Integrity
Guarantee that the data does not get changed on the way. If you are on a line carrying invoicing data you probably want to know that the amounts and account numbers are correct and not altered while in transit.

Authenticity
Sign your data so that others can see that it is really you that sent it. It is clearly nice to know that documents are not forged.

Replay protection
We need ways to ensure a datagram is processed only once, regardless of how many times it is received. I.e. it should not be possible for an attacker to record a transaction (such as a bank account withdrawal), and then by replaying it verbatim cause the peer to think a new message (withdrawal request) had been received. WARNING: as per the standards specification, replay protection is not performed when using manually-keyed IPsec (e.g., when using ipsecadm(8)).
http://www.openbsd.org/cgi-bin/man.cgi?query=ipsecadm&sektion=8
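IPsec receivers implement the replay protection described above with a sliding window over the sequence number carried in AH and ESP (RFC 2401, Appendix C). The Python model below is an added example written for this page, not code from the slides or from any IPsec implementation; the 64-entry window and the sample sequence-number stream are assumptions.

```python
# Added example: IPsec anti-replay sliding window (after RFC 2401, Appendix C).
# Each security association keeps the highest sequence number accepted so far and
# a bitmap recording which of the previous WINDOW_SIZE numbers were already seen.

WINDOW_SIZE = 64  # minimum window a receiver must support; assumed here


class AntiReplayWindow:
    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.last_seq = 0        # highest sequence number accepted so far
        self.bitmap = 0          # bit i set => sequence number last_seq - i was received
        self.mask = (1 << size) - 1

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False if replayed or too old."""
        if seq == 0:
            return False         # sequence number 0 is never valid on an SA
        if seq > self.last_seq:
            # New high-water mark: slide the window right by the gap.
            shift = seq - self.last_seq
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            else:
                self.bitmap = 1  # everything in the old window is now too old
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.size:
            return False         # fell off the left edge of the window: too old
        if self.bitmap & (1 << diff):
            return False         # already received: this is a replay
        self.bitmap |= 1 << diff
        return True


def replay_demo():
    """Run a constructed stream through one window; returns [(seq, accepted), ...]."""
    # Constructed sample: out-of-order delivery, two replays, and one packet that
    # arrives after the window has moved far past it.
    stream = [1, 5, 3, 3, 5, 200, 136, 137, 2]
    window = AntiReplayWindow()
    return [(seq, window.check_and_update(seq)) for seq in stream]


if __name__ == "__main__":
    for seq, ok in replay_demo():
        print(f"seq {seq:>4}: {'accept' if ok else 'DROP'}")
```

Note that the window only works because the sequence number is covered by the authentication check; without AH or authenticated ESP an attacker could simply rewrite it, which is why the page's warning about manually-keyed IPsec matters.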
What are the IPSec Protocol types?
First, the IP protocol is the description of how devices on the Internet can address each other. Internet Protocol Security (IPSec) adds security functionality to the IP protocol. There are four (4) key protocols that collectively form the basis for IPSec:
IPSec = AH + ESP + IPComp + IKE
Authentication Header (AH): provides an authenticity guarantee for packets by ensuring the packet was not generated by an impersonator and was not modified in transit;
Encapsulating Security Payload (ESP): provides a confidentiality guarantee for data by encrypting packets with cryptographic algorithms;
IP Payload Compression (IPComp): provides a way to compress packets before encryption;
Internet Key Exchange (IKE): provides a way to negotiate secret keys in secrecy.
The security of IPSec depends on secret keys, generated by IKE. If the secret keys are compromised, IPSec is no longer secure. Data encryption is a function of IPSec, made possible by ESP. An encryption algorithm, as used by ESP, is a way of changing data so that only the desired recipient knows how to reconstruct it. Triple DES (Data Encryption Standard) is an encryption algorithm that is unbreakable and is the most popular algorithm because of its strong encryption and number of keys. Encryption allows only the receiver to read what has been sent over the network.
IPSec provides the capability to secure tunnels between two network devices such as two routers.
An example of IPSec in use
Step 1: Host A sends a TCP/IP packet to Host B.
The TCP/IP packet looks like this: [IPHDR][IPoptions][TCP][data]
Step 2: Router A receives the packet and adds the ESP.
The TCP/IP packet looks like this: [ESP][IPHDR][IPoptions][TCP][data]
Step 3: Router A adds the AH.
The TCP/IP packet looks like this: [AH][ESP][IPHDR][IPoptions][TCP][data]
Step 4: Router A encapsulates the packet into a new one, and sends it to Router B.
The TCP/IP packet looks like this: [IPHDR][IPoptions][AH][ESP][IPHDR2][IPoptions][TCP][data]
Step 5: Router B receives the packet and removes the AH.
The TCP/IP packet looks like this: [ESP][IPHDR2][IPoptions][TCP][data]
Step 6: Router B removes the ESP.
The TCP/IP packet looks like this: [IPHDR][IPoptions][TCP][data]
Step 7: Host B receives the original packet sent by Host A.
The TCP/IP packet looks like this: [IPHDR][IPoptions][TCP][data]
http://www.iamexwi.unibe.ch/studenten/stadelma/cn/applet/IPSec4.html
What are the most common Security Issues concerning IP?
The three most serious types of attacks are:
Packet Sniffing
IP Spoofing
Denial-Of-Service
Other attacks include:
Eavesdropping
Data Modification
Password-Based Attacks
Man-in-the-Middle Attacks
Compromised-Key Attacks
Application-Layer Attacks
Packet Sniffing
A packet sniffer is a program running in a network-attached device that passively receives all data-link layer frames passing by the device's network interface.
Packet sniffers are commonly used to acquire account names and passwords.
Packet sniffing software is freely available at various WWW sites and as commercial products.
IP Spoofing
The intruder creates and transmits packets from the outside with a source IP address field containing an address of an internal host.
Used to exploit applications that use simple source-address security, in which packets from specific trusted internal hosts are accepted.
Denial-Of-Service
A Denial-Of-Service attack renders a network, host, or other piece of network infrastructure unusable by legitimate users.
DoS attacks work by creating so much work for the infrastructure under attack that legitimate work cannot be performed (resource exhaustion, for example of disk space, CPU cycles, memory, network bandwidth, and application resources).
Figure: TCP three-way handshake. Simple example: SYN flood.
What is a VPN?
VPNs (Virtual Private Networks) are private, secure connections across a public network (usually the internet) that extend corporate networks to remote offices, mobile users, telecommuters, and extranet partners.
VPNs maintain privacy through the use of tunneling protocols and security procedures. VPN tunnels are secured through encryption technology that uses advanced mathematical algorithms to scramble the data flowing through the VPN.
Figure legend: POP = Points of Presence
Primary functions of a VPN
Encryption: keep data confidential
Authentication: ensure the identities of the two parties communicating
Tunneling: safeguard the identities of communicating parties
Non-Repudiation: ensure data is accurate and in its original form
Replay Prevention: guard against packets being sent over and over again
Note: All of the above features are components of the IP Security Protocol (IPSec) Standard!!!
What is IPSec's application to VPN?
VPNs provide the highest level of security using advanced, standards-based security protocols such as IPSec.
Use of IPSec with VPNs delivers enhanced network security in an insecure, networked world. IPSec (Internet Protocol Security) is the security protocol most commonly associated with VPN. IPSec is used to transmit high-value data securely in a VPN by utilizing data privacy, data authenticity and integrity, and non-repudiation.
In IPSec, all protocols that sit above the network layer are encrypted (once an IPSec tunnel is created) between the two communicating parties. TCP, UDP, SNMP, HTTP, POP, AIM, KaZaa etc. are all encrypted regardless of their built-in (or lack of built-in) security and encryption.
The deployment of IPSec VPNs provides a solution that is more secure, flexible, easy to manage and cost-saving.
Transport and Tunnel Modes
Both AH and ESP support two modes of use:
Transport Mode
Tunnel Mode
Transport Mode provides protection primarily for upper-layer protocols. That is, transport mode protection extends to the payload of an IP packet (everything in the packet behind, and not including, the IP header is protected). Typically, transport mode is used for end-to-end communication between two hosts.
Tunnel Mode provides protection to the entire IP packet (everything behind and including the header is protected, requiring a new pseudo IP header). To achieve this, after the AH or ESP fields are added to the IP packet, the entire packet plus security fields is treated as the payload of a new outer IP packet with a new outer IP header. The entire original or inner packet travels through a tunnel from one point of an IP network to another. No routers along the way are able to examine the inner IP header.
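To make the ESP layering concrete for both the protocol types section and the two modes above, here is an added Python model of the ESP packet format from RFC 2406, written for this page rather than taken from the slides or from any IPsec implementation. It builds the SPI, sequence number, payload, padding, pad length and next-header trailer plus a 96-bit truncated ICV (HMAC-SHA-256 is an assumption; the RFC's own choices are HMAC-MD5-96 and HMAC-SHA-1-96), leaves the payload encryption itself out so the framing stays readable, and assumes a Next Header of 6 (TCP) marks transport mode while 4 (IP-in-IP) marks tunnel mode, where the payload is the whole inner IP packet.

```python
import hashlib
import hmac
import struct

# Added example: ESP packet framing after RFC 2406.
#   [SPI (4)][Sequence Number (4)][Payload][Padding][Pad Length (1)][Next Header (1)][ICV]
# Payload encryption is omitted here; the ICV is an HMAC truncated to 96 bits,
# computed over everything before it (the "authenticated ESP" case).

NEXT_HEADER_TCP = 6    # transport mode: ESP carries the TCP segment directly
NEXT_HEADER_IPIP = 4   # tunnel mode: ESP carries a whole inner IP packet
ICV_LEN = 12           # 96-bit truncated ICV, as RFC 2406 authentication uses
BLOCK = 8              # cipher block size the padding aligns to (assumed)


def esp_encapsulate(payload: bytes, spi: int, seq: int, next_header: int,
                    auth_key: bytes) -> bytes:
    """Wrap payload in an ESP header/trailer and append an ICV."""
    # Payload + padding + the 2 trailer bytes must fill whole cipher blocks.
    pad_len = (-(len(payload) + 2)) % BLOCK
    padding = bytes(range(1, pad_len + 1))      # RFC 2406 default pad bytes 1,2,3,...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]  # SHA-256 assumed
    return body + icv


def esp_decapsulate(packet: bytes, auth_key: bytes):
    """Verify the ICV, then strip ESP framing. Returns (spi, seq, next_header, payload)."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet was modified or not sent by the peer")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    payload = body[8:len(body) - 2 - pad_len]
    return spi, seq, next_header, payload


def mode_of(next_header: int) -> str:
    """Name the IPsec mode implied by the ESP Next Header field."""
    return "tunnel" if next_header == NEXT_HEADER_IPIP else "transport"


def is_authentic(packet: bytes, auth_key: bytes) -> bool:
    """True if the ICV verifies; shows a modified packet being rejected."""
    try:
        esp_decapsulate(packet, auth_key)
        return True
    except ValueError:
        return False
```

The ICV check is what the disadvantages section alludes to when it notes that ESP without authentication is allowed: drop the ICV and a receiver has no way to tell a modified or forged packet from a genuine one.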
Figure: Transport and Tunnel Modes (diagram)
How Does a VPN work?
VPN uses IPSec for transferring secure packets across the network:
IPSec identifies an authorized client/network
Negotiates an encrypted channel
Tunnels all network traffic through the encrypted channel (authenticating keys)
The client/network appears to be locally connected
How does an IPSec VPN work?
Two-way authentication using tokens
Digital Certificates
Heavily encrypted
Access limited to a well-defined and controlled user base
All IP-related services supported
More suited for internal company use
Current status of VPN solution technology versus first generation
Cost savings of a VPN implementation
Using the Cisco website calculator, a comparison of three scenarios was made to show the cost-saving benefits of implementing a VPN solution.
Chart: Monthly Cost Savings for Site-to-Site VPN (y axis: cost savings in $, 0 to 800000; x axis: number of users, 0 to 6000; plotted savings for the three scenarios: 0, 134055 and 678255).
www.cisco.com/warp/public/779/largeent/learn/technologies/vpn/site2site.html
Advantages of an IPSec VPNSolution
Separate private networking solutions are expensive and cannot be updated quickly to adapt to changes in business requirements
The Internet is inexpensive but does not by itself ensure privacy
Flexibility in Network Design
New Application Enablement
Any-to-Any Connectivity
Disadvantages of an IPSec VPNSolution
Small Packet Issue
When encrypting small pieces of information, the overhead caused by the encryption process becomes larger than the actual payload, causing performance degradation. IPSec is not immune to this problem.
Complexity Issues
IPSec was developed in a committee and has many features and options, therefore it is very complicated. The downside is, more features means a greater possibility that a weakness or hole can be found to compromise security.
For example, IPSec is weak against certain attacks, such as replay attacks. Also, in certain cases, IPSec allows encryption without authentication, which could allow an unauthorized person to use IPSec for malicious purposes.
Questions & Answers
What is IPSec? IP Security, a set of standards for internet security; also implementations of VPN using the set of standards for internet security.
What are two properties/services of IPSec? Confidentiality, Integrity, Authentication, Replay Protection
What are two security issues concerning IP? Packet sniffing, IP spoofing, Denial of Service
What are the two types of VPNs? Transport and Tunnel
What are two advantages of an IPSec VPN? Cost savings, Bandwidth savings
What are two disadvantages of an IPSec VPN? Small packet issue, Complexity issues
The End!!!