
Virtual Private Network (VPN)


WHAT VPNS ARE

• VPN
• Virtual logical connection
• Creates a secure connection over the Internet
• Secure tunnel
• Creates a logical organizational link between sites
• VPN endpoints
• Specified computers, users, or network gateways

WHY ESTABLISH A VPN?

• Reasons for deployment
• VPNs provide low-cost secure network connectivity
• VPNs provide secure connection for remote users

WHY ESTABLISH A VPN?

• Hardware versus software VPNs
• Hardware-based VPNs
• Connect one gateway to another
• Routers at each network gateway encrypt and decrypt packets
• VPN appliance
• Designed to serve as VPN endpoint
• Join multiple LANs
• Benefits
• Scalable
• Better security

WHY ESTABLISH A VPN?

• Hardware versus software VPNs
• Software-based VPNs
• Integrated with firewalls
• Appropriate when participating networks use different routers and firewalls
• Benefits
• More cost-effective
• Offer maximum flexibility

WHY ESTABLISH A VPN?

• VPN combinations
• Combining VPN hardware with software adds layers of network security
• One useful combination is a VPN bundled with a firewall
• VPNs do not eliminate the need for firewalls
• Provide flexibility and versatility

ENCAPSULATION TRANSFORMATIONS IN A VPN

TUNNELING PROTOCOLS

• Point-to-Point Tunneling Protocol (PPTP)
• Used when you need to dial in to a server with a modem connection on a computer using an older OS version
• Encapsulates TCP/IP packets
• Header contains only information needed to route data from the VPN client to the server
• Uses Microsoft Point-to-Point Encryption (MPPE)

TUNNELING PROTOCOLS

• Layer 2 Tunneling Protocol (L2TP)
• Provides better security through IPSec
• IPSec enables L2TP to perform
• Authentication
• Encapsulation
• Encryption

TUNNELING PROTOCOLS

• Secure Shell (SSH)
• Provides authentication and encryption
• Works with UNIX-based systems
• Versions for Windows are also available
• Uses public-key cryptography
• Socks v5
• Provides proxy services for applications that do not usually support proxying
• Socks version 5 adds encrypted authentication and support for UDP

• Internet Protocol Security (IPSec)
• Set of standard procedures
• Developed by the Internet Engineering Task Force (IETF)
• Enables secure communications on the Internet
• Characteristics
• Works at layer 3
• Can encrypt an entire TCP/IP packet
• Widely supported
• Security Association (SA)
• Relationship between two or more entities
• Describes how they will use security services to communicate
• Used by IPSec to track all the particulars of a communication session
• SAs are unidirectional

• IPSec core components
• Authentication Header (AH)
• Encapsulating Security Payload (ESP)
• Provides confidentiality for messages
• Encrypts different parts of a TCP/IP packet
• ESP in tunnel mode
• Encrypts both the header and data part of each packet
• Data cannot pass through a firewall using NAT (network address translation)
• ESP in transport mode
• Encrypts only data portion of the packet
• Data can pass through a firewall
• IPSec should be configured to work with transport mode

VPN CORE ACTIVITY 2: ENCRYPTION

• Certification Authority (CA)
• Key exchange methods

ENCRYPTION SCHEMES USED BY VPNS

• Triple Data Encryption Standard (3DES)
• Used by many VPN hardware and software
• 3DES is a variation on Data Encryption Standard (DES)
• DES is not secure
• 3DES is more secure
• Three separate 64-bit keys to process data
• 3DES requires more computer resources than DES

ENCRYPTION SCHEMES USED BY VPNS (CONTINUED)

• Secure Sockets Layer (SSL)
• Developed by Netscape Communications Corporation
• Enables Web servers and browsers to exchange encrypted information
• Characteristics
• Uses public and private key encryption
• Uses sockets method of communication
• Operates at network layer (layer 3) of the OSI model
• Widely used on the Web
• Only supports data exchanged by Web-enabled applications
• Unlikely to replace IPSec

ENCRYPTION SCHEMES USED BY VPNS (CONTINUED)

• Secure Sockets Layer (SSL) (continued)
• Steps
• Client connects to Web server using SSL protocol
• Two machines arrange a “handshake” process
• Client sends its preferences for encryption method, SSL version number, and a randomly generated number
• Server responds with SSL version number, its own cipher preferences, and its digital certificate
• Client verifies date and other information on the digital certificate

ENCRYPTION SCHEMES USED BY VPNS (CONTINUED)

• Secure Sockets Layer (SSL) (continued)
• Steps
• Server uses its private key to decode pre-master code
• Generates a master secret key
• Client and server use it to generate session keys
• Server and client exchange messages saying handshake is completed
• SSL session begins

FIREWALL CONFIGURATION FOR PPTP

[Table: IP protocol 17 (UDP); IP protocol 6 (TCP); port 1701]
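
A firewall in front of a VPN endpoint filters on the fields this slide lists: the IP protocol number and, for TCP and UDP, the port. The following Python code is an added example, not part of the original slides; it parses constructed IPv4 packets and names the VPN service each one belongs to. Only IP protocols 6 and 17 and port 1701 come from the slide; TCP 1723, GRE (47), ESP (50), AH (51), UDP 500 and UDP 4500 are standard assignments assumed here, and `classify` and `make_packet` are hypothetical helper names.

```python
import struct

# IP protocols 6/17 and port 1701 are on the slide; the other values are
# standard IANA assignments added for this example.
IP_PROTO_NAMES = {6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}
VPN_IP_PROTOS = {"GRE": "PPTP data (GRE)", "ESP": "IPSec ESP", "AH": "IPSec AH"}
VPN_PORTS = {
    ("TCP", 1723): "PPTP control",
    ("UDP", 1701): "L2TP",
    ("UDP", 500): "IKE",
    ("UDP", 4500): "IPSec NAT-T",
}


def classify(packet: bytes) -> str:
    """Name the VPN service an IPv4 packet belongs to, as a filter would."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "malformed"
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto = IP_PROTO_NAMES.get(packet[9], "other")
    if proto in VPN_IP_PROTOS:            # matched on IP protocol alone
        return VPN_IP_PROTOS[proto]
    if proto in ("TCP", "UDP"):
        frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
        if frag_offset:                   # later fragments carry no ports
            return "fragment"
        if len(packet) < ihl + 4:
            return "malformed"
        src, dst = struct.unpack("!HH", packet[ihl:ihl + 4])
        for port in (dst, src):           # request or reply direction
            if (proto, port) in VPN_PORTS:
                return VPN_PORTS[(proto, port)]
    return "other"


def make_packet(proto: int, sport: int = 0, dport: int = 0) -> bytes:
    """Constructed sample: minimal IPv4 header (checksum zero) plus ports."""
    payload = struct.pack("!HH", sport, dport) + b"\x00" * 4
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, bytes([192, 0, 2, 1]),
                         bytes([198, 51, 100, 7]))
    return header + payload


if __name__ == "__main__":
    for p in (make_packet(17, 1701, 1701), make_packet(6, 49152, 1723),
              make_packet(47), make_packet(6, 49152, 443)):
        print(classify(p))
```

Note that PPTP needs two rules, one for the TCP control channel and one for GRE, which a port-only filter cannot express.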

ADVANTAGES AND DISADVANTAGES OF VPNS

SUMMARY (CONTINUED)

• VPN types
• Site-to-site
• Client-to-site
• Encapsulation encloses one packet within another
• Conceals the original information
• VPN protocols
• Secure Shell (SSH)
• Socks version 5
• Point-to-Point Tunneling Protocol (PPTP)
• Layer 2 Tunneling Protocol (L2TP)

Date posted: 17/09/2012, 10:44
