SCSC 455 Computer Security
Virtual Private Network (VPN)
How to connect LANs
- There are common demands for joining two or multiple LANs:
  - to facilitate corporate communications
  - secure point-to-point communications
  - the connection can only be used by authenticated LANs / hosts
- One solution (the traditional one) is to use private leased lines
  - Problems: they don't scale well, cost is high, and the leased lines are complex to maintain
- Another solution: virtual private networks
VPNs
- Goal of VPNs
  - Provide a cost-effective and secure way to connect businesses to one another and remote workers to office networks
- Functionalities of VPNs
  - Encapsulate and encrypt data being transmitted
  - Use authentication to ensure that only approved users can access the VPN
  - Provide a means of secure point-to-point communications over the public Internet
Index
- VPN components and operations
- Types of VPNs
- VPN setups
- Tunneling protocols used with VPNs
- Enabling secure remote access connections within VPNs
- VPN best practices
Components within VPNs
- VPNs consist of two different types of components
  - Hardware devices
    - two endpoints (terminators)
    - a (virtual) tunnel: a series of connections between the two endpoints that makes use of Internet-based hosts/servers
  - Software that performs security-related activities: encryption, authentication, and encapsulation
Essential Activities of VPNs
Three essential activities of VPNs:
- IP encapsulation
- Data payload encryption
- Encrypted authentication
IP Encapsulation
- A VPN encapsulates the actual data packets within packets that use the source and destination addresses of the VPN gateways
- The benefits of encapsulating IP packets:
  - Source and destination information of the actual data packets is completely hidden
  - Source and destination IP addresses of the actual data packets can be in private reserved blocks that are not usually routable over the Internet
Data Payload Encryption
- VPNs do NOT encrypt the header within packets, only the data payload that the packets carry.
- The encryption can be performed in one of two ways:
  - Transport method: the host encrypts traffic when it's generated
  - Tunnel method: the traffic is encrypted and decrypted in transit, somewhere between the source host and the destination.
Encrypted Authentication
- Authentication is essential
  - Hosts in the network that receive VPN communication need to know that the host originating the communication is an approved user of the VPN
- Hosts are authenticated by exchanging long blocks of code: keys
- Types of keys that can be exchanged in an encrypted transaction:
  - Symmetric keys
  - Asymmetric keys
Types of VPNs
- Two types of VPNs
  - Site-to-site VPN: links two or more networks
  - Client-to-site VPN: makes a network accessible to remote users who need dial-in access
- These two types of VPNs are NOT mutually exclusive
  - e.g., a large corporation's network supports both a site-to-site VPN and a client-to-site VPN
Advantage of Using Hardware Systems
Software VPN Systems
- Software VPNs are generally less expensive than hardware systems
- Tend to scale better for fast-growing networks
- Examples
  - F-Secure VPN+
  - Novell BorderManager VPN services
  - Check Point FireWall-1
Tunneling Protocols Used with VPNs
- In the past, firewalls that supported VPNs used proprietary protocols
  - Both endpoints had to use the same brand of firewall
- Today proprietary protocols are used less often; most VPNs use standard tunneling protocols:
  - IPSec/IKE
  - PPTP (Point-to-Point Tunneling Protocol)
  - L2TP (Layer 2 Tunneling Protocol)
  - PPP over SSL (Point-to-Point Protocol over Secure Sockets Layer)
  - PPP over SSH (Point-to-Point Protocol over Secure Shell)
![Page 20: SCSC 455 Computer Security](https://reader035.vdocuments.us/reader035/viewer/2022062423/568149bb550346895db6f096/html5/thumbnails/20.jpg)
IPSec/IKE
- IPSec provides:
  - Encryption of the data part of packets
  - Authentication
  - Encapsulation between two VPN hosts
  - Two security methods (AH and ESP)
    - Authentication Header (AH) is used to authenticate packets
    - Encapsulating Security Payload (ESP) encrypts the data portions of the packet
- IPSec is commonly combined with IKE as a means of using public key cryptography to encrypt data
- IKE provides:
  - Exchange of public keys
  - Ability to determine which encryption protocols should be used to encrypt data that flows through the VPN tunnel
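Tunnel-mode encapsulation with an AH-style integrity check, added here as an example that is not the course's own code: it ties together the IP Encapsulation slide (private inner addresses hidden behind the gateway addresses) and the AH bullet above, and shows the receiving gateway rejecting a modified and a replayed packet. The header layout is a simplified stand-in for the real AH wire format, and the gateway addresses, shared key and inner hosts are constructed values.

```python
import hashlib, hmac, socket, struct

# Constructed values (not from the course): gateway addresses from the RFC 5737
# documentation ranges and a placeholder shared key (real SAs get keys from IKE).
GW_A, GW_B = "203.0.113.1", "198.51.100.2"
KEY = b"constructed-shared-integrity-key"
AH_PROTO = 51   # IP protocol number for the Authentication Header

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:                       # fold carries (ones-complement sum)
        s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", ~s & 0xFFFF) + hdr[12:]

def encapsulate(inner, seq, spi=0x1000):
    """Gateway A, tunnel mode: outer IP | simplified AH (spi, seq, icv) | inner packet."""
    ah_fields = struct.pack("!II", spi, seq)
    icv = hmac.new(KEY, ah_fields + inner, hashlib.sha256).digest()   # 32-byte ICV
    return ipv4_header(GW_A, GW_B, AH_PROTO, 8 + 32 + len(inner)) + ah_fields + icv + inner

def decapsulate(pkt, highest_seen):
    """Gateway B: accept only an intact, fresh packet; return (inner, seq) or None."""
    ah_fields, icv, inner = pkt[20:28], pkt[28:60], pkt[60:]
    seq = struct.unpack("!II", ah_fields)[1]
    expect = hmac.new(KEY, ah_fields + inner, hashlib.sha256).digest()
    if not hmac.compare_digest(icv, expect) or seq <= highest_seen:
        return None                      # forged/modified, or a replayed packet
    return inner, seq

def observer_view(pkt):
    """What a router on the public Internet sees: only the two gateway addresses."""
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])

def demo():
    """Tunnel a packet between two RFC 1918 hosts; returns (delivered, replay_dropped, forgery_dropped)."""
    inner = ipv4_header("10.0.1.5", "10.0.2.7", 6, 4) + b"DATA"   # private addresses stay hidden
    pkt = encapsulate(inner, seq=1)
    delivered = decapsulate(pkt, highest_seen=0)      # first copy: accepted
    replay = decapsulate(pkt, highest_seen=1)         # same packet again: dropped
    tampered = bytearray(pkt)
    tampered[-1] ^= 0x01                              # one payload bit flipped in transit
    forgery = decapsulate(bytes(tampered), highest_seen=0)
    return delivered == (inner, 1), replay is None, forgery is None
```

Real AH additionally covers the immutable fields of the outer header and uses a sliding replay window rather than a single counter; ESP would encrypt the inner packet instead of leaving it readable.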
Other tunneling protocols: PPTP
- PPTP was developed by Microsoft for granting VPN access to remote users over dial-up connections
- Uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data
- Useful if support for older clients is needed
- Compatible with Network Address Translation (NAT)
- Replaced by L2TP
Other tunneling protocols: L2TP
- L2TP is an extension of the Point-to-Point Protocol (PPP) that enables dial-up users to establish a VPN connection to a remote access server
- Uses IPSec rather than MPPE to encrypt data
  - Provides a higher level of encryption and authentication
- Incompatible with NAT
Other tunneling protocols: PPP over SSL and PPP over SSH
- PPP over SSL and PPP over SSH are two UNIX-based methods for creating VPNs
- Both combine an existing tunnel system (PPP) with a way of encrypting data in transport (SSL or SSH)
  - SSL: public key encryption system used to provide secure communications over the Web
  - SSH: UNIX secure shell that performs secure authenticated logons and encrypted communications between a client and a server.
When to Use Different tunneling Protocols (important!)