Guide to Network Defense and Countermeasures - PowerPoint Presentation

Uploaded by liane-varnes (@liane-varnes)
Uploaded On 2019-02-22



Presentation Transcript

Slide 1: Guide to Network Defense and Countermeasures, Third Edition
Chapter 11: Virtual Private Network (VPN) Concepts

Guide to Network Defense and Countermeasures, Second Edition

Slide 2: Objectives
- Explain basic VPN concepts
- Describe encapsulation in VPNs
- Describe encryption in VPNs
- Describe authentication in VPNs
- Summarize the advantages and disadvantages of VPNs

Slide 3: Objectives (continued)
- Explain design considerations for a VPN
- Describe options for VPN configuration
- Explain how to set up VPNs with firewalls
- Explain how to adjust packet-filtering rules for VPNs
- Describe guidelines for auditing VPNs and VPN policies

Slide 4: Understanding VPN Concepts
- A Virtual Private Network (VPN) enables computers to:
  - Communicate securely over insecure channels
  - Exchange private encrypted messages that others cannot decipher

Slide 5: What VPNs Are
- VPN: a virtual network connection
  - Uses the Internet to establish a secure connection
- Secure tunnel
  - Extends an organization's network
- Endpoints
  - Specified computers, users, or network gateways

Slide 6: (figure only)

Slide 7: Why Establish a VPN?
- Business incentives driving VPN adoption
  - VPNs are cost-effective
  - VPNs provide secure connections for remote users
    - Contractors
    - Traveling employees
    - Partners and suppliers
- VPN components
  - VPN server or host: configured to accept connections from clients
  - VPN client or guest: endpoints connecting to a VPN

Slide 8: Why Establish a VPN? (continued)
- VPN components
  - Tunnel: the connection through which data is sent
  - VPN protocols: sets of standardized communication settings used to encrypt data sent along the VPN
- Types of VPNs
  - Site-to-site VPN (gateway-to-gateway VPN)
  - Client-to-site VPN (remote access VPN)

Slide 9: Why Establish a VPN? (continued)
- Hardware versus software VPNs
  - Hardware-based VPNs
    - Connect one gateway to another
    - Routers at each network gateway encrypt and decrypt packets
    - VPN appliance: designed to serve as a VPN endpoint and join multiple LANs
  - Benefits
    - Scalable
    - Better security

Slide 10: (figure only)

Slide 11: (figure only)

Slide 12: Why Establish a VPN? (continued)
- Hardware versus software VPNs (continued)
  - Software-based VPNs
    - Integrated with firewalls
    - Appropriate when participating networks use different routers and firewalls
  - Benefits
    - More cost-effective
    - Offer maximum flexibility

Slide 13: (figure only)

Slide 14: Why Establish a VPN? (continued)
- VPN combinations
  - Combining VPN hardware with software adds layers of network security
  - One useful combination is a VPN bundled with a firewall
    - VPNs do not eliminate the need for firewalls
    - Provides flexibility and versatility

Slide 15: Why Establish a VPN? (continued)
- VPN combinations (continued)
  - Points to consider when selecting VPNs
    - Compatibility
    - Scalability
    - Security
    - Cost
    - Vendor support

Slide 16: VPN Core Activity 1: Encapsulation
- Core set of activities
  - Encapsulation
  - Encryption
  - Authentication
- Encapsulation
  - Encloses a packet within another that has a different IP source and destination
  - Protects the integrity of the data

Slide 17: (figure only)

Slide 18: Understanding Tunneling Protocols
- Point-to-Point Tunneling Protocol (PPTP)
  - Used when you need to dial in to a server with a modem connection on a computer using an older OS version
  - Encapsulates TCP/IP packets
    - Header contains only the information needed to route data from the VPN client to the server
  - Uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data that passes between the remote computer and the remote access server
- L2TP uses IPSec encryption
  - More secure and widely supported

Slide 19: Understanding Tunneling Protocols (continued)
- Layer 2 Tunneling Protocol (L2TP)
  - Provides better security through IPSec
  - IPSec enables L2TP to perform:
    - Authentication
    - Encapsulation
    - Encryption

Slide 20: (figure only)

Slide 21: Understanding Tunneling Protocols (continued)
- Secure Shell (SSH)
  - Provides authentication and encryption
  - Works with UNIX-based systems; versions for Windows are also available
  - Uses public-key cryptography
- SOCKS version 5
  - Provides proxy services for applications that do not usually support proxying
  - SOCKS version 5 adds encrypted authentication and support for UDP

Slide 22: IPSec/IKE
- Internet Protocol Security (IPSec)
  - Set of standard procedures developed by the Internet Engineering Task Force (IETF)
  - Enables secure communications on the Internet
- Characteristics
  - Works at layer 3
  - Can encrypt an entire TCP/IP packet
  - Originally developed for use with IPv6
  - Provides authentication of source and destination computers

Slide 23: IPSec/IKE (continued)
- Widely supported
- Security Association (SA)
  - Relationship between two or more entities
  - Describes how they will use security services to communicate
  - Used by IPSec to track all the particulars of a communication session
  - SAs are unidirectional

Slide 24: IPSec/IKE (continued)
- Components
  - Internet Security Association and Key Management Protocol (ISAKMP)
  - Internet Key Exchange (IKE)
  - Oakley
  - IP Security Policy Management
  - IPSec Driver
- IPSec core components
  - Authentication Header (AH)
  - Encapsulating Security Payload (ESP)

Slide 25: IPSec/IKE (continued)
- Authentication Header (AH)
  - Provides authentication of TCP/IP packets
  - Ensures data integrity
  - Packets are signed with a digital signature
  - Adds a header calculated from the values in the datagram, creating a message digest of the datagram
- AH in tunnel mode
  - Authenticates the entire original header
  - Places a new header at the front of the original packet
- AH in transport mode
  - Authenticates the payload and the header
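The encapsulation from slide 16 and the AH tunnel-mode coverage described on this slide, worked through as an added example (this is not code from the textbook): the original packet is enclosed in a new IP header carrying the gateway addresses, and an HMAC-SHA256 integrity check stands in for AH over the result. It assumes a simplified IPv4 header with no options, and the addresses and key are constructed.

```python
"""Tunnel-mode encapsulation with an AH-style integrity check.

Added example, not the textbook's code. A 20-byte IPv4 header without
options stands in for the real stack and HMAC-SHA256 for the AH
algorithm; all addresses and the key are constructed.
"""
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP = 4  # IANA protocol number for IP-in-IP encapsulation

def ip_checksum(header):
    """One's-complement IPv4 header checksum; 0 when a header is intact."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a 20-byte IPv4 header (version 4, IHL 5) with a correct checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                                proto, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    hdr[10:12] = struct.pack("!H", ip_checksum(hdr))
    return bytes(hdr)

def encapsulate(inner_packet, gw_src, gw_dst):
    """Tunnel mode: the whole original packet, header included, becomes the
    payload of a new packet addressed between the two VPN gateways."""
    return ipv4_header(gw_src, gw_dst, IPPROTO_IPIP, len(inner_packet)) + inner_packet

def decapsulate(outer_packet):
    """The receiving gateway strips the outer header to recover the original."""
    return outer_packet[20:]

def ah_icv(packet, key):
    """AH-style ICV over the outer header and everything after it (so, in tunnel
    mode, the original header too); mutable fields are zeroed first, as AH does."""
    hdr = bytearray(packet[:20])
    hdr[8] = 0                 # TTL changes at every hop
    hdr[10:12] = b"\x00\x00"   # header checksum changes with the TTL
    return hmac.new(key, bytes(hdr) + packet[20:], hashlib.sha256).digest()

def verify(packet, icv, key):
    return hmac.compare_digest(ah_icv(packet, key), icv)

def rewrite_header(packet, offset, value):
    """Patch a header field and recompute the checksum, as a router or NAT does."""
    hdr = bytearray(packet[:20])
    hdr[offset:offset + len(value)] = value
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(hdr))
    return bytes(hdr) + packet[20:]

def router_hop(packet):
    """A router decrements the TTL: a mutable field, so the ICV still verifies."""
    return rewrite_header(packet, 8, bytes([packet[8] - 1]))

def nat_rewrite_src(packet, new_src):
    """A NAT device rewrites the source address, which AH covers: the ICV fails."""
    return rewrite_header(packet, 12, socket.inet_aton(new_src))
```

A router's TTL decrement leaves the check intact, but a NAT device rewriting the outer source address invalidates it, which is why AH-protected traffic and address translation do not mix.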

Slide 26: (figure only)

Slide 27: (figure only)

Slide 28: IPSec/IKE (continued)
- Encapsulating Security Payload (ESP)
  - Provides confidentiality for messages
  - Encrypts different parts of a TCP/IP packet
- ESP in tunnel mode
  - Encrypts both the header and the data part of each packet
  - Data cannot pass through a firewall using NAT
- ESP in transport mode
  - Encrypts only the data portion of the packet
  - Data can pass through a firewall
  - IPSec should be configured to work with transport mode

Slide 29: (figure only)

Slide 30: VPN Core Activity 2: Encryption
- Encryption: the process of rendering information unreadable by all but the intended recipient
- Components
  - Key
  - Digital certificate
  - Certification Authority (CA)
- Key exchange methods
  - Symmetric cryptography
  - Asymmetric cryptography
  - Internet Key Exchange
  - FWZ

Slide 31: (figure only)

Slide 32: Encryption Schemes Used by VPNs
- Triple Data Encryption Standard (3DES)
  - Used by many VPN hardware and software products
  - 3DES is a variation on the Data Encryption Standard (DES)
    - DES is not secure
    - 3DES is more secure
  - Uses three separate 64-bit keys to process data
  - 3DES requires more computer resources than DES

Slide 33: (figure only)

Slide 34: Encryption Schemes Used by VPNs (continued)
- Secure Sockets Layer (SSL)
  - Developed by Netscape Communications Corporation
  - Enables Web servers and browsers to exchange encrypted information
- Characteristics
  - Uses public and private key encryption
  - Uses the sockets method of communication
  - Operates at the network layer (layer 3) of the OSI model
  - Widely used on the Web
  - Only supports data exchanged by Web-enabled applications
  - Unlikely to replace IPSec

Slide 35: Encryption Schemes Used by VPNs (continued)
- Secure Sockets Layer (SSL) (continued)
- Steps
  1. Client connects to the Web server using the SSL protocol
  2. The two machines arrange a "handshake" process
  3. Client sends its preferences for encryption method, SSL version number, and a randomly generated number
  4. Server responds with its SSL version number, its own cipher preferences, and its digital certificate
  5. Client verifies the date and other information on the digital certificate
  6. Client generates and sends a "pre-master" code

Slide 36: Encryption Schemes Used by VPNs (continued)
- Secure Sockets Layer (SSL) (continued)
- Steps (continued)
  7. Server uses its private key to decode the pre-master code
  8. Server generates a master secret key
  9. Client and server use it to generate session keys
  10. Server and client exchange messages saying the handshake is completed
  11. SSL session begins
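The handshake steps on slides 35 and 36, run end to end as an added example (not the textbook's code): each function is one side's message in the order the slides give, so the reader can see how both sides end up with the same session keys and what happens when the client rejects the certificate's dates. It assumes a toy RSA key built from two fixed primes, SHA-256 in place of the real key-derivation scheme, and a constructed certificate; those are stand-ins for illustration, not the SSL algorithms themselves.

```python
"""Toy walk-through of the SSL handshake steps on slides 35 and 36.

Added example, not the textbook's code. RSA with two fixed primes and
SHA-256 stand in for the real certificate, signature and key-derivation
schemes, and only the certificate's validity dates are checked, so this
shows the message flow and key agreement, not a usable cipher suite.
"""
import hashlib
import secrets

P, Q, E = 1000000007, 998244353, 65537        # constructed toy RSA parameters
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))   # server public modulus, private exponent
SERVER_CERT = {"subject": "vpn.example", "n": N, "e": E,
               "not_before": 2018, "not_after": 2020}  # constructed certificate

def h(*parts):
    """SHA-256 over the parts, standing in for the real key-derivation function."""
    raw = [p if isinstance(p, bytes) else str(p).encode() for p in parts]
    return hashlib.sha256(b"|".join(raw)).digest()

def client_hello():
    """Step 3: cipher preferences, SSL version number and a client random."""
    return {"version": 3, "ciphers": ["3DES", "RC4"], "random": secrets.randbits(64)}

def server_hello(hello, cert=SERVER_CERT):
    """Step 4: version, chosen cipher, server random and the digital certificate."""
    return {"version": min(hello["version"], 3), "cipher": hello["ciphers"][0],
            "random": secrets.randbits(64), "cert": cert}

def client_verifies_cert(cert, today):
    """Step 5: reject a certificate that is expired or not yet valid."""
    return cert["not_before"] <= today <= cert["not_after"]

def client_key_exchange(cert):
    """Step 6: pre-master secret, sent encrypted under the server's public key."""
    pre_master = secrets.randbits(48)         # must stay below the toy modulus N
    return pre_master, pow(pre_master, cert["e"], cert["n"])

def server_decrypt_pre_master(encrypted):
    """Step 7: only the holder of the private key recovers the pre-master."""
    return pow(encrypted, D, N)

def session_keys(pre_master, client_random, server_random):
    """Steps 8-9: master secret from the pre-master and both randoms, then keys."""
    master = h(pre_master, client_random, server_random)
    return {"client_write": h(master, "client"), "server_write": h(master, "server")}

def run_handshake(today=2019):
    """True when both sides derive identical keys, None if the client rejects the cert."""
    ch = client_hello()
    sh = server_hello(ch)
    if not client_verifies_cert(sh["cert"], today):
        return None
    pre_master, encrypted = client_key_exchange(sh["cert"])
    client_side = session_keys(pre_master, ch["random"], sh["random"])
    server_side = session_keys(server_decrypt_pre_master(encrypted),
                               ch["random"], sh["random"])
    return client_side == server_side         # steps 10-11: finished, session begins
```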

Slide 37: VPN Core Activity 3: Authentication
- Authentication: identifying a user or computer as authorized to access and use network resources
- Types of authentication methods used in VPNs
  - IPSec
  - MS-CHAP
  - Both computers exchange authentication packets and authenticate one another
- VPNs use digital certificates to authenticate users

Slide 38: (figure only)

Slide 39: Advantages and Disadvantages of VPNs
(figure only)

Slide 40: Designing a VPN
- Assess the organization's needs and goals
  - Type of business
  - How many employees it has
  - Infrastructure already in place
  - Security required
- Enforce security on the client side of the VPN tunnel
  - Most difficult aspect of the design process

Slide 41: Business Needs
- Business processes determine how you will implement a VPN strategy
- Careful analysis of the existing infrastructure helps you integrate the VPN with minimal disruption
- VPNs can be classified as site-to-site or client-to-site
  - Can offer cost-effective, secure connectivity
- There are legal implications to failing to secure access to a remote network

Slide 42: Business Needs (continued)
- Nature of the business
  - What does it do?
  - What product or service does it sell?
  - Who are its customers?
- Cost is usually a key factor
  - Narrows the choices of hardware and software

Slide 43: Business Needs (continued)
- Nature of the business
  - A secure VPN design should address:
    - Secure connectivity
    - Availability
    - Authentication
    - Secure management
    - Reliability
    - Scalability
    - Performance

Slide 44: Client Security
- Several ways to increase VPN client security
- Split tunneling
  - Describes multiple paths
    - One path goes to the VPN server and is secured
    - Another, unauthorized and unsecured, path permits users to connect to the Internet while still connected to the corporate VPN
  - Leaves the VPN server and internal LAN vulnerable to attack

Slide 45: (figure only)

Slide 46: (figure only)

Slide 47: Client Security (continued)
- Planning VPN deployment
  - Consider the existing infrastructure
    - Make a network map
    - Decide on the placement of VPN servers
  - Research hardware and software to use
    - Decide whether you need new hardware or software
    - Sometimes you can reconfigure existing resources to support a VPN
  - Develop a list of requirements when you meet a vendor so nothing is overlooked
  - Follow security policy guidelines

Slide 48: VPN Topology Configurations
- VPN topology: how components in a network are connected physically to one another
  - Determines how gateways, networks, and clients are related to each other
  - Corresponds to the basic physical and logical topologies of any network

Slide 49: VPN Topology Configurations (continued)
- Mesh topology: all participants in the VPN have Security Associations (SAs) with one another
- Types of mesh arrangements
  - Full mesh
    - Every subnetwork is connected to all other subnets in the VPN
    - Complex to manage
  - Partial mesh
    - Any subnet in the VPN may or may not be connected to the other subnets

Slide 50: (figure only)

Slide 51: VPN Topology Configurations (continued)
- Star topology: also known as a hub-and-spoke configuration
  - VPN gateway is the hub
  - Networks that participate in the VPN are called rim subnetworks
  - Separate SAs are made between the hubs of each rim subnetwork in the star configuration
  - Central VPN router is at the organization's central office
  - Any LANs or computers that want to participate need to connect only to the central server

Slide 52: (figure only)

Slide 53: VPN Topology Configurations (continued)
- Hybrid topology: combines two different network topologies
  - Central core uses a mesh topology
    - Mesh topologies tend to operate more efficiently
  - Branch offices can be connected using a star topology
- Benefits from the strengths of each topology
  - Scalability (of the star topology)
  - Speed (of the mesh configuration)

Slide 54: (figure only)

Slide 55: Using VPNs with Firewalls
- VPNs do not reduce the need for a firewall
  - Always use a firewall as part of the VPN security design
- Install VPN software on the firewall itself
  - Firewall allows outbound access to the Internet
  - Firewall prevents inbound access from the Internet
  - VPN service encrypts traffic to remote clients or networks

Slide 56: Using VPNs with Firewalls (continued)
- Install VPN software on the firewall itself
  - Advantages
    - Control all network access security from one server
    - Fewer computers to manage
    - Use the same tools for VPN and firewall
  - Disadvantages
    - Single point of failure
    - Must configure routes carefully
    - Internet access and VPN traffic compete for resources on the server

Slide 57: (figure only)

Slide 58: Using VPNs with Firewalls (continued)
- Set up the VPN parallel to your firewall inside the DMZ
  - Advantages
    - No need to modify firewall settings to support VPN traffic
    - Configuration scales more easily
    - Can deal with congested servers
  - Disadvantages
    - VPN server is connected directly to the Internet
    - If the VPN server becomes compromised, an attacker will have direct access to your internal network
    - Cost of supporting a VPN increases with new servers

Slide 59: (figure only)

Slide 60: Using VPNs with Firewalls (continued)
- Set up the VPN server behind the firewall, connected to the internal network
  - Advantages
    - VPN server is completely protected from the Internet
    - Firewall is the only device controlling access
    - VPN traffic restrictions are configured on the VPN server
  - Disadvantages
    - VPN traffic must travel through the firewall
    - Firewall must handle VPN traffic
    - Firewall might not know what to do with IP protocols other than ICMP, TCP, and UDP

Slide 61: (figure only)

Slide 62: Adjusting Packet-Filtering Rules for VPNs
- Perimeter firewall filters packets the VPN sends or receives
- Packet filtering is based on header fields of inbound and outbound packets
- IP packet header fields used by packet filtering
  - Source address
  - Destination address
  - Protocol identifier
- You can conduct packet filtering based on any or all of these header fields

Slide 63: PPTP Filters
- PPTP
  - First widely supported VPN protocol
  - Supports legacy authentication methods
  - Does not require PKI
  - Might be the only option when VPN connections pass through NAT
- PPTP uses two protocols
  - TCP
  - GRE

Slide 64: (figure only)

Slide 65: L2TP and IPSec Filters
- Need to set up rules that permit IPSec traffic
  - IKE uses protocol ID 171 and UDP on port 500
  - ESP uses protocol ID 50
  - AH uses protocol ID 51
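The PPTP filters of slide 63 and the L2TP/IPSec filters of this slide, expressed as a first-match rule list with an explicit default deny, as an added example (not the textbook's code). Rules match on the header fields slide 62 lists plus the destination port; the ESP (50) and AH (51) protocol identifiers and IKE's UDP port 500 come from the slides, while GRE's protocol number 47 and PPTP's TCP port 1723 are the IANA assignments. The VPN server address is constructed, and the rule list is assumed to apply to inbound traffic only.

```python
"""Perimeter packet-filter rules that admit VPN traffic to one VPN server.

Added example, not the textbook's code. Protocol identifiers for ESP (50)
and AH (51) and IKE's UDP port 500 are from the slides; GRE (47) and PPTP's
TCP port 1723 are the IANA assignments. The server address is constructed.
"""
from ipaddress import ip_address, ip_network

TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51    # IP protocol identifiers
VPN_SERVER = "203.0.113.10/32"                # constructed address, single host
ANY = "0.0.0.0/0"

# (name, protocol, destination port, source network, destination network, action)
# First match wins; the final rule makes the default deny explicit.
RULES = [
    ("pptp-control", TCP, 1723, ANY, VPN_SERVER, "permit"),
    ("pptp-gre", GRE, None, ANY, VPN_SERVER, "permit"),
    ("ike", UDP, 500, ANY, VPN_SERVER, "permit"),
    ("esp", ESP, None, ANY, VPN_SERVER, "permit"),
    ("ah", AH, None, ANY, VPN_SERVER, "permit"),
    ("default-deny", None, None, ANY, ANY, "deny"),
]

def filter_packet(pkt, rules=RULES):
    """Evaluate one inbound packet {src, dst, proto, dport?} against the rules.
    Returns (action, name of the matching rule); no match at all is a deny."""
    for name, proto, dport, src_net, dst_net, action in rules:
        if proto is not None and pkt["proto"] != proto:
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        if ip_address(pkt["src"]) not in ip_network(src_net):
            continue
        if ip_address(pkt["dst"]) not in ip_network(dst_net):
            continue
        return action, name
    return "deny", "implicit"

def audit(rules=RULES):
    """Checks an auditor would run on the rule list: every permit is pinned to a
    single destination host, and the list ends in an explicit deny-all."""
    problems = []
    for name, _, _, _, dst_net, action in rules[:-1]:
        if action == "permit" and ip_network(dst_net).num_addresses != 1:
            problems.append(f"{name}: permit not limited to a single host")
    last = rules[-1]
    if last[-1] != "deny" or last[3] != ANY or last[4] != ANY:
        problems.append("rule list does not end with an explicit deny-all")
    return problems
```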

Slide 66: (figure only)

Slide 67: Auditing VPNs and VPN Policies
- Auditing is needed to make sure organizations have a well-defined VPN policy
- Access policies define standards for connecting to the organization's network
  - Must be integrated with the security policy
  - Policies should be defined for different levels of restriction
- VPN endpoints are as vulnerable as internal network computers
  - Endpoints should also use antivirus software and personal firewalls

Slide 68: Auditing VPNs and VPN Policies (continued)
- Test each client that will connect to your LAN
  - Helps prevent network threats
- You can standardize the VPN client for remote users
  - Third-party solutions
    - Cisco Secure VPN Client
    - Nokia VPN Client
    - SonicWALL VPN Client
- Verify everything is working according to your policies

Slide 69: Summary
- The nature of the business helps determine your VPN requirements
- Decide on the placement of VPN servers
- Research hardware and software to use
- Establish a VPN domain
- VPN configurations
  - Single entry point configurations
  - Multiple entry point configurations
- VPNs need to be used with firewalls

Slide 70: Summary (continued)
- Adjust packet-filtering rules to allow PPTP, L2TP, and IPSec traffic
- Auditing VPNs and VPN policies
  - After you have installed and configured your VPN, work with a knowledgeable remote user
  - Helps determine a baseline for future auditing, testing, and troubleshooting

Slide 71: Summary
- VPNs do not make use of dedicated leased lines
- VPNs send data through a secure tunnel that leads from one endpoint to another
- VPNs keep critical business communications private and secure
- VPN components
  - VPN servers
  - VPN clients
  - Protocols

Slide 72: Summary (continued)
- VPN types
  - Site-to-site
  - Client-to-site
- Encapsulation encloses one packet within another
  - Conceals the original information
- VPN protocols
  - Secure Shell (SSH)
  - SOCKS version 5
  - Point-to-Point Tunneling Protocol (PPTP)
  - Layer 2 Tunneling Protocol (L2TP)

Slide 73: Summary (continued)
- IPSec/IKE
- Encryption makes the contents of the packet unreadable
- Authentication ensures participating computers are authorized users
  - Kerberos: strong authentication system
- VPN advantages
  - High level of security at low cost
- VPN disadvantages
  - Can introduce serious security risks