Virtual Private Networks
1 Virtual Private Networks. Petr Grygárek. Agenda: VPN taxonomy; VPN principles and usage; cryptography basics; IPSec.
2 Basic Terminology and Mechanisms of Network Security and Cryptography
3 Confidentiality (data protection): an unauthorized listener cannot understand the meaning of the data; implemented by encryption. Authentication: verification of the identity of the data sender. Data integrity: verification that the data were not modified in transit. Non-repudiation: the data source cannot deny that it sent a particular piece of data (i.e. it signed it).
4 Cryptographic Hash Function (1): a one-way function (algorithm) that converts an arbitrarily long block of data into a short, fixed-size hash value. Easy to compute; infeasible to find a message with a given hash (preimage resistance); infeasible to modify a message without changing its hash (second-preimage resistance); infeasible to find two different messages with the same hash (collision resistance).
5 Cryptographic Hash Function (2): often used as a Hashed Message Authentication Code (HMAC), a hash computed over the data and a shared secret using the nested construction defined in RFC 2104. Algorithms commonly used as the hash function: HMAC-MD5, Message Digest 5 (128-bit message digest); HMAC-SHA1, Secure Hash Algorithm (stronger, 160-bit message digest). Both MD5 and SHA-1 are legacy choices today; new deployments use HMAC-SHA-256 or stronger.
6 Cryptographic System: plain text -> Encryption (key) -> cipher text -> Decryption (key) -> plain text. Implementation options: (a) conceal the encryption/decryption algorithm; if the algorithm is revealed, the implementation is useless; (b) conceal the keys; the keys parametrize a known algorithm, and a sufficiently large number of possible keys has to be available so that the key cannot be found by exhaustive search. Only option (b) is sound: security must rest in the secrecy of the key, not of the algorithm.
7 Symmetric Cryptosystem
8 Properties of Symmetric Cryptosystem: a shared secret key. Efficient algorithm implementations: speed, relative simplicity, possible to implement in hardware. Examples: DES, 3DES, AES (DES, with its 56-bit key, is no longer considered secure). Problem: secure distribution of the secret key.
9 Authentication in Symmetric Cryptosystem: the sender encrypts a username u using the shared key; the receiver decrypts it using the same key and tests the username's validity. Requires a database of valid usernames. Alternative validity check: the sender appends a hash of the username behind the username, then encrypts the whole block with the shared key; the receiver decrypts [username+hash] with the shared key, computes the username hash itself and compares it with the received hash. Does not require maintaining a username database; combines authentication with a data integrity check. Caveat: without a nonce or timestamp the encrypted block is identical every time, so a recorded block can simply be replayed; real protocols add freshness (IKE, for example, uses nonces).
10 Data Integrity Check Implementation: [message + shared secret key] -> hash; message + hash is sent; the receiver appends the shared secret key behind the received message, calculates the hash itself and compares it with the received hash. Combines origin authentication and data integrity check. Note that this plain concatenation is the teaching model only: a single hash over key and message inherits structural weaknesses of the underlying hash (length extension when the key comes first, collision attacks when it comes last), which is why standards use HMAC, where the key is mixed in at two nested hashing stages.
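The keyed-hash scheme on slides 5 and 10, worked out in code as an added example (this is not code from the lecture; the key, message and tampered message are constructed test data). It implements HMAC directly from the RFC 2104 definition and checks it against the standard library, shows that HMAC is not simply hash(message + key), and gives the receiver-side check with a constant-time comparison:

```python
"""Keyed hashes for origin authentication and integrity.

Added example, not from the lecture slides. Contrasts the slide's
construction, hash(message + secret), with HMAC as defined in RFC 2104,
and shows a verifier that rejects a modified message or a wrong key.
KEY, MESSAGE and TAMPERED are constructed demo data.
"""
import hashlib
import hmac

BLOCK_SIZE = 64  # byte length of the SHA-256 compression block


def naive_mac(key: bytes, message: bytes) -> bytes:
    """The slide's scheme: one hash over [message + shared secret].
    Shown for comparison only; not a standard MAC construction."""
    return hashlib.sha256(message + key).digest()


def hmac_from_definition(key: bytes, message: bytes) -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), RFC 2104.
    K' is the key padded with zeros (pre-hashed first if it is longer
    than one block) to the block size of the hash."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()


def make_tag(key: bytes, message: bytes) -> bytes:
    """Sender side: HMAC-SHA-256 tag appended to the message (stdlib)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute and compare in constant time, so the
    comparison itself does not leak how many tag bytes matched."""
    return hmac.compare_digest(make_tag(key, message), tag)


# Constructed demo data: a pre-shared key and a small control message.
KEY = b"pre-shared-secret-between-R1-and-R2"
MESSAGE = b"route 10.1.0.0/16 via 192.0.2.1"
TAMPERED = b"route 10.1.0.0/16 via 192.0.2.9"


def demo() -> dict:
    tag = make_tag(KEY, MESSAGE)
    return {
        # the hand-written nested construction agrees with the library
        "definition_matches_stdlib": hmac_from_definition(KEY, MESSAGE) == tag,
        # HMAC is not the same thing as hash(message + key)
        "naive_differs": naive_mac(KEY, MESSAGE) != tag,
        "genuine_accepted": verify(KEY, MESSAGE, tag),
        "tampered_rejected": not verify(KEY, TAMPERED, tag),
        "wrong_key_rejected": not verify(b"other-key", MESSAGE, tag),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

All five checks in demo() come out True. The constant-time compare matters on the receiver: a byte-by-byte early-exit comparison lets an attacker forge a tag one byte at a time by measuring response time.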
11 Asymmetric Cryptosystem
12 Public and Private Keys. (Figure: Alice encrypts with Bob's public key K_B_PUBLIC, Bob decrypts with his private key K_B_PRIVATE; a certification authority publishes K_A_PUBLIC and K_B_PUBLIC.) Keys are generated as a pair, a public and a private key. One key of the pair is used for encryption and the other for decryption, no matter which one for what; encryption and decryption use identical or complementary algorithms.
13 Features of Asymmetric Cryptosystem: more computation than a symmetric algorithm => slower. Examples: RSA, ElGamal. Problem of secure public key distribution: there is no need to conceal public keys, but we need a mechanism to protect them against modification in transit; a certification authority digitally signs public keys packed together with owner information (so-called certificates).
14 Usages of Asymmetric Cryptosystem: digital signatures; no problem with secret key distribution; exchange of keys for a symmetric system, often dynamically generated keys with a limited lifetime.
15 Certification Authority (1): a trusted entity that digitally signs public keys packed together with owner information (certificates). First contact with the CA must be personal: obtaining the private+public key pair (private key + signed certificate). There exist ways to deliver the encrypted private key + certificate (containing the signed public key) without physical contact, but the certificate request has to be authenticated, e.g. with a password pre-negotiated between the user and the CA and used to encrypt the private key and certificate before sending them to the user, or with an LDAP password. Private+public key generation may also take place at the client OS: only the client keeps the private key and sends just the public key to the CA for signing over HTTPS (the preferable model, since the private key never leaves the client).
16 Certification Authority (2): the public key of the CA is needed by the communicating parties to verify the certificates of the other peers. The public key of the CA has to be inserted into every system in some trustworthy manner, e.g. built into OS/web browser installation files. Advantage: only one public key (the CA certificate) has to be preconfigured manually.
17 Authentication and Data Integrity Check in Asymmetric System: hash comparison. (Figure: Alice computes a hash of the data and encrypts it with her private key K_A_PRIVATE, producing the signature; Bob decrypts the signature with Alice's public key K_A_PUBLIC, recomputes the hash of the received data and compares the two hashes.)
18 Virtual Private Networks (VPN)
19 What is a VPN? A VPN allows building private WANs over a public shared infrastructure with the same level of security and configuration options as with a private infrastructure. A cheaper and more flexible method for interconnecting geographically dispersed sites.
20 Advantages of VPNs over Physical Private WAN Infrastructure: lower cost; short deployment time; flexibility of the (virtual) topology, which is defined purely by configuration; no WAN link maintenance and management needed, the provider (ISP) takes responsibility for the infrastructure.
21 Some VPN Classification Criteria (1): level of customer trust in the shared infrastructure provider: trusted vs. secured (+ level of security). Protocol/technology applied in the public infrastructure (provider's network): packet-based (IPv4/IPv6), virtual-circuit based (Frame Relay, ATM, VLANs), IP/MPLS VPN. Location of tunnel termination (CE/PE).
22 Some VPN Classification Criteria (2): amount of routing information exchanged between provider and customer sites: overlay (CPE-based) model, peer-to-peer (network-based) model, mixed model (MPLS VPN). Virtual topology options: point-to-point (virtual private lines) + topologies built from virtual P2P links; multipoint (virtual routed/switched network).
23 Some VPN Classification Criteria (3): OSI layer of the provided connectivity: L2 (L2-technology dependent, may support interworking, L3-protocol transparent) or L3 (independent of L2 protocols, L3-protocol dependent, unicast/multicast/both traffic support). Application scenarios: site-to-site / remote access / VPDN.
24 Some VPN Classification Criteria (4): manual/automatic configuration. Automatic configuration requires signaling and authentication; it is almost inevitable for interconnecting hundreds of thousands of customer sites.
25 Overlay Model: uses tunneling methods; encryption and authentication applied in most cases; does not utilize the underlying infrastructure efficiently in most cases; customers have no visibility of the provider's network and vice versa; no special contract with the infrastructure provider is needed, we only need the ISP not to filter the tunneling protocols.
26 Tunnel: a virtual point-to-point connection over a shared infrastructure, often authenticated and encrypted. Carries packets of some protocol encapsulated in another protocol, sometimes in the same protocol (IP over IP). A tunnel can also carry layer 2 frames, which allows other protocols to be carried over an IP network (even non-routable protocols such as NetBEUI).
27 VPN Protocols and Tunneling Techniques: IP-in-IP (IPv4 or IPv6), GRE, L2TP (PPP frames), MPLS, IPSec, SSL/TLS...
28 Peer-to-Peer Model: provider network devices have to carry all customers' routes. Problems with overlapping (private) addresses: non-unique destination addresses. Complicated filtering has to be configured: poor scalability, risk of misconfiguration. Optimal routing across the provider's shared infrastructure.
29 Most Common VPN Implementation Options: internetwork-wide VPNs => tunnels at or above layer 3. Layer 3 VPN: IPSec (media independent, above hop-by-hop L2 security; application independent; connectionless security). Layer 4 VPN: SSL/TLS for TCP, DTLS for UDP. Layer 7 VPN: application level (WWW).
30 Most Common VPN Implementation Scenarios: router-to-router (firewall-to-firewall): site-to-site VPNs, a single router may terminate multiple tunnels. Remote user to VPN concentrator: remote access VPNs, the user has to have special encryption software installed (VPN client). 2009 Petr Grygárek, FEI VŠB-TU Ostrava, Computer Networks (Bc.)
31 Common VPN Applications (1): site-to-site VPNs, router to router (firewall to firewall): secure interconnection of (multiple) distant LANs, the counterpart of classical WAN networks. (Figure: secure intranet (1), encryption/decryption gateway, site-to-site tunnel across the unsecure public infrastructure (Internet), encryption/decryption gateway, secure intranet (2).)
32 Common VPN Applications (2/1): remote access VPNs. Client-initiated: remote user to VPN concentrator, the user has special encryption software installed (VPN client). NAS-initiated: the remote user dials in to the service provider's NAS using some connection-oriented telecommunication network (e.g. PSTN, ISDN) that is considered trustworthy; the NAS initiates a secure tunnel to the secure corporate network.
33 Common VPN Applications (2/2). (Figure: a user without any special software dials over PSTN/modem to the ISP NAS, which builds a NAS-initiated VPN tunnel across the unsecure public infrastructure (Internet) to the VPN concentrator; a user with VPN client software builds a client-initiated VPN tunnel directly to the VPN concentrator; the concentrator decrypts into the secure intranet.)
34 Virtual Private Dial-up Networks: provide connection of remote users into private networks; save customers from maintaining their own physical RAS solution and interconnection to the telco; require interoperation between the provider's and the customers' AAA infrastructures. L2TP carries PPP sessions: LAC = L2TP Access Concentrator, LNS = L2TP Network Server.
35 IPSec
36 IPSec (RFC 2401, now superseded by RFC 4301): a suite of protocols and algorithms used to implement data security at the network layer. An open-standards framework. General, independent of the actual algorithms used: flexible and stable, no need for a complete change when a particular algorithm is compromised. Provides authentication, data integrity and confidentiality using particular preconfigured or negotiated algorithms, not by itself. Only for unicast IP traffic, but other protocols including IP broadcasts/multicasts can be encapsulated into IP (e.g. GRE) before transport over IPSec. Implemented as an additional mechanism for IPv4, natively built into IPv6.
37 Basic IPSec Terminology. Security Association: a set of policies and keys for data protection, shared by the (two) communicating partners. Authentication Header: a header appended to the IP packet to carry authentication information (HMAC etc.). Encapsulating Security Payload: a header appended to the IP packet to carry security information (authentication, confidentiality).
38 Security Association (1): defines the encryption and authentication parameters used between two partners communicating over an IPSec tunnel: encryption and authentication algorithm, key size, key lifetime; encryption and authentication keys (symmetric); IPSec mode (tunnel/transport); encapsulation protocol (AH/ESP); specification of the traffic to be encrypted (/decrypted). Pre-configured or dynamically negotiated between the partners during IPSec tunnel establishment.
39 Security Association (2): independent for the two traffic directions; independent SAs for the individual security protocols, i.e. AH, ESP, IKE. Internet Key Exchange (IKE) provides a secure tunnel for dynamic SA negotiation. Limited lifetime (time / bytes transferred); a new SA is negotiated before the lifetime expires. Stored in the Security Association Database (SADB), indexed by the Security Parameter Index (SPI) + SA values.
40 IPSec Modes: Tunnel and Transport. (Figure: tunnel mode and transport mode packet layouts.)
41 End-to-End Security: Transport Mode. Needs IPSec support in the end-user stations' operating system. AH and ESP are inserted between the L3 and L4 headers. It is impossible to filter traffic according to the L4 header in the network (the L4 header is encrypted). The next-header field of the AH/ESP header identifies the L4 header (L4 protocol). The original IP header is unencrypted but protected by authentication/data integrity => incompatible with NAT (with AH the addresses are covered by the ICV; with ESP the encrypted TCP/UDP checksum still covers the original addresses, so a translated packet fails verification at the receiver).
42 Tunnel Mode: IPSec tunnel between routers connecting secure LANs to the unsecure shared infrastructure (IPSec gateways); no need for IPSec support in the users' station operating systems. IP packets are encapsulated in other IP packets (tunnel); AH and ESP are inserted at the beginning of the encapsulating packet's data field, and the original, unchanged (tunneled) packet follows. Packets are encrypted including their IP headers => a potential eavesdropper in the insecure network cannot even determine which stations of the secure networks talk to each other. Used most commonly today.
43 Transfer of IPSec Control Information. Authentication Header: information for authentication and data integrity. Encapsulating Security Payload: information for encryption, authentication and data integrity and optionally anti-replay; may completely supersede the Authentication Header. AH was defined earlier and is still maintained for compatibility with older implementations.
44 Authentication Header: assures authentication and (connectionless) data integrity. Protects the IP header (its unchanging fields) and the IP packet data. Carries the authentication information (HMAC) and the Security Parameters Index (SPI), which identifies the particular security association used for the current packet if multiple SAs are used concurrently. Optional support for anti-replay: the sender inserts sequence numbers into packets, the receiver may optionally verify them. Protects the transport IP header => incompatible with NAT.
45 AH transport mode (figure).
46 AH tunnel mode (figure).
47 Encapsulating Security Payload (ESP): carries control information for data encryption (and authentication) and encapsulates the protected data. Optional data authentication and integrity check (covering only the encapsulated data, not the outer IP header). Optional anti-replay check. May provide all functions of the Authentication Header.
48 ESP transport mode (figure).
49 ESP tunnel mode (figure).
50 Dynamic SA Negotiation: manual configuration of SAs at multiple stations is a tedious and error-prone task, and it needs recurring reconfiguration, because periodic change of the authentication/encryption keys is necessary.
51 Dynamic SA Negotiation Frameworks. Internet Security Association and Key Management Protocol (ISAKMP): a framework for secure (dynamic) key exchange and negotiation of security associations; does not define any particular algorithms, provides only the mechanics of parameter negotiation and key exchange (protocols, payload formats etc.). Internet Key Exchange (IKE): operates within the ISAKMP framework; a key exchange protocol (Oakley key exchange + SKEME key exchange) used to negotiate IPSec SAs; the SA negotiation is protected by a tunnel encrypted with dynamically negotiated keys (Diffie-Hellman algorithm). This describes IKEv1 (RFC 2409); IKEv2 (RFC 7296) replaces ISAKMP/Oakley/SKEME with a single, simpler protocol but keeps the same two-stage structure.
52 Diffie-Hellman Algorithm: used to negotiate a shared secret key between two parties over an unsecure channel; the key value is never sent over the unsecure channel. Based on public/private key pair generation on both sides, exchange of the public values and calculations with big prime numbers. The communicating parties have to be authenticated by some external mechanism, which prevents a man-in-the-middle attack; pre-shared keys or certificates are commonly used.
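The exchange on slide 52, its man-in-the-middle weakness and the pre-shared-key authentication that closes it, as an added example (not code from the lecture). The modulus is the Mersenne prime 2**127 - 1 with generator 3, a toy group picked so the numbers stay readable; IKE uses 2048-bit and larger groups (RFC 3526, RFC 7919). Party names and the pre-shared key are constructed demo data:

```python
"""Diffie-Hellman key agreement, the man-in-the-middle problem, and why
the exchange has to be authenticated (here with a pre-shared key).

Added example, not from the lecture slides. P and G form a toy group;
real deployments use standardized groups of 2048 bits and more.
Party names and the PSK are constructed demo data.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # toy prime modulus; far too small for real use
G = 3                # generator


def encode(value: int) -> bytes:
    """Fixed-width encoding of a group element (P fits in 16 bytes)."""
    return value.to_bytes(16, "big")


class Party:
    """One endpoint: private exponent x, public value g^x mod p."""

    def __init__(self, name: str, psk: bytes):
        self.name = name
        self.psk = psk
        self.private = secrets.randbelow(P - 2) + 1   # 1 <= x <= p-2
        self.public = pow(G, self.private, P)

    def shared_secret(self, peer_public: int) -> int:
        # Reject degenerate values (0, 1, p-1) that force a predictable secret.
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid peer public value")
        return pow(peer_public, self.private, P)

    def auth_tag(self, peer_public: int) -> bytes:
        """Authenticator over both public values under the PSK. This is
        the role the pre-shared key plays in IKE: only a holder of the
        PSK can vouch for the values that were actually exchanged."""
        transcript = self.name.encode() + encode(self.public) + encode(peer_public)
        return hmac.new(self.psk, transcript, hashlib.sha256).digest()

    def peer_tag_valid(self, peer_name: str, peer_public: int, tag: bytes) -> bool:
        transcript = peer_name.encode() + encode(peer_public) + encode(self.public)
        expected = hmac.new(self.psk, transcript, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def honest_exchange(alice: Party, bob: Party) -> bool:
    """Both derive g^(ab) mod p while only g^a and g^b travel, and Bob's
    authenticator over the exchanged values verifies at Alice."""
    same_key = alice.shared_secret(bob.public) == bob.shared_secret(alice.public)
    tag_ok = alice.peer_tag_valid(bob.name, bob.public, bob.auth_tag(alice.public))
    return same_key and tag_ok


def mitm_unauthenticated(alice: Party, bob: Party, mallory: Party) -> dict:
    """Mallory replaces both public values with her own. Without
    authentication nobody notices: Alice and Bob hold different keys,
    each of which Mallory also knows, so she can read and re-encrypt."""
    k_alice = alice.shared_secret(mallory.public)
    k_bob = bob.shared_secret(mallory.public)
    return {
        "alice_bob_agree": k_alice == k_bob,
        "mallory_knows_alice_key": k_alice == mallory.shared_secret(alice.public),
        "mallory_knows_bob_key": k_bob == mallory.shared_secret(bob.public),
    }


def mitm_detected_with_psk(alice: Party, bob: Party, mallory: Party) -> bool:
    """Same substitution, but Alice demands Bob's authenticator over the
    values she saw. Mallory lacks the PSK, so the best she can do is relay
    Bob's genuine tag, which covers Bob's real public value, not hers."""
    bob_tag = bob.auth_tag(mallory.public)   # Bob saw Mallory's value as "Alice's"
    return not alice.peer_tag_valid(bob.name, mallory.public, bob_tag)


if __name__ == "__main__":
    PSK = b"constructed demo pre-shared key"
    a, b = Party("alice", PSK), Party("bob", PSK)
    m = Party("mallory", b"mallory does not know the PSK")
    print("honest exchange agrees and authenticates:", honest_exchange(a, b))
    print("unauthenticated MITM:", mitm_unauthenticated(a, b, m))
    print("MITM detected with PSK:", mitm_detected_with_psk(a, b, m))
```

The authenticator covers both public values and the sender's identity, so a tag relayed from one conversation cannot be reused in another; IKE binds its authentication to the exchanged values in the same spirit, whether the credential is a PSK or a certificate.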
53 Practical IPSec Operation: 1. Interesting traffic detected, i.e. traffic whose encryption is required. 2. IKE Phase 1: IPSec peer authentication (pre-shared keys, RSA signatures (X.509)); negotiation of the IKE SA (Diffie-Hellman): encryption algorithm, hash algorithm, keys, key lifetime; establishes a secure channel for IPSec SA negotiation. 3. IKE Phase 2: negotiation of the IPSec SAs (for both directions) according to the policies supported by the peers; multiple prioritized policies may be defined. 4. Secure data exchange using the IPSec SAs, renegotiated by IKE when a lifetime expires. 5. After an inactivity timeout the IPSec tunnel is closed (SAs discarded).
54 Which Traffic Should Be Encrypted? Crypto access lists: outbound, indicate which data have to be protected by IPSec; inbound, filter out and discard traffic that should have been protected by IPSec (but is not).
55 Required ACL Modification for Operation of IPSec: ISAKMP, UDP port 500; ESP, IP protocol 50; AH, IP protocol 51.
56 IPSec NAT Traversal: changing of IP header fields by NAT causes an HMAC (ICV) mismatch, and ESP carries no port numbers a NAT could rewrite. NAT-T encapsulates the IPSec-protected (ESP) packet in another UDP/IP envelope on UDP port 4500 (RFC 3948); IKE moves to port 4500 as well and prefixes its messages with a 4-byte zero non-ESP marker so they can be told apart from ESP (RFC 3947). NAT-T is negotiated in IKE and used only when a NAT is detected on the path. AH cannot be carried this way, since its ICV covers the addresses.
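The protocol numbers and ports on slides 55 and 56, turned into the classifier a firewall or IDS needs in order to recognise IPsec traffic and log its SPI and sequence number. This is an added example, not code from the lecture; header layouts follow RFC 4302 (AH), RFC 4303 (ESP), RFC 3948 (UDP-encapsulated ESP, including the one-byte 0xFF keepalive) and RFC 3947 (the non-ESP marker for IKE on port 4500). Every packet is constructed test data with addresses from the 192.0.2.0/24 documentation range:

```python
"""Classify raw IPv4 packets as IKE, ESP, AH or NAT-T traffic and extract
the fields a firewall or IDS would log (SPI, sequence number).

Added example, not from the lecture slides. Recognises exactly the holes
the slides say a perimeter ACL must open: UDP/500 (ISAKMP/IKE),
IP protocol 50 (ESP), IP protocol 51 (AH) and UDP/4500 (NAT-T).
SAMPLES are constructed test packets.
"""
import ipaddress
import struct

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # SPI 0 is reserved, so this cannot be ESP
IPSEC_KINDS = {"IKE", "ESP", "AH", "IKE over NAT-T", "ESP over NAT-T", "NAT-T keepalive"}


def _spi_seq(data: bytes) -> tuple:
    """ESP header prefix: SPI (4 bytes) followed by sequence number (4)."""
    if len(data) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!II", data[:8])


def classify(packet: bytes) -> dict:
    """Return src, dst, kind and protocol-specific fields. Short or
    malformed packets raise ValueError: a receiver must treat them as
    garbage rather than guess at missing header fields."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    payload = packet[ihl:]
    info = {"src": str(ipaddress.IPv4Address(packet[12:16])),
            "dst": str(ipaddress.IPv4Address(packet[16:20]))}
    if proto == IPPROTO_ESP:
        spi, seq = _spi_seq(payload)
        info.update(kind="ESP", spi=spi, seq=seq)
    elif proto == IPPROTO_AH:
        # AH: Next Header(1) | Payload Len(1) | Reserved(2) | SPI(4) | Seq(4) | ICV
        if len(payload) < 12:
            raise ValueError("truncated AH header")
        next_hdr, payload_len = payload[0], payload[1]
        spi, seq = struct.unpack("!II", payload[4:12])
        # Payload Len is the AH length in 32-bit words minus 2 (RFC 4302 2.2).
        info.update(kind="AH", spi=spi, seq=seq, next_header=next_hdr,
                    ah_len=(payload_len + 2) * 4)
    elif proto == IPPROTO_UDP:
        if len(payload) < 8:
            raise ValueError("truncated UDP header")
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        if IKE_PORT in (sport, dport):
            info.update(kind="IKE")
        elif NAT_T_PORT in (sport, dport):
            if data == b"\xff":                     # RFC 3948 NAT keepalive
                info.update(kind="NAT-T keepalive")
            elif data[:4] == NON_ESP_MARKER:        # RFC 3947 IKE on 4500
                info.update(kind="IKE over NAT-T")
            else:                                    # ESP follows the UDP header directly
                spi, seq = _spi_seq(data)
                info.update(kind="ESP over NAT-T", spi=spi, seq=seq)
        else:
            info.update(kind="other UDP", dport=dport)
    else:
        info.update(kind="other", protocol=proto)
    return info


def permitted_by_ipsec_acl(info: dict) -> bool:
    """Would the minimal ACL from the slides (UDP/500, protocol 50,
    protocol 51, plus UDP/4500 for NAT-T) let this packet through?"""
    return info["kind"] in IPSEC_KINDS


# --- constructed sample packets -------------------------------------------
def _ipv4(proto: int, payload: bytes, src="192.0.2.1", dst="192.0.2.2") -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum left as zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def _udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


SAMPLES = {
    "esp": _ipv4(IPPROTO_ESP, struct.pack("!II", 0x0A0B0C0D, 17) + b"\x00" * 32),
    # AH tunnel mode (next header 4 = IP-in-IP), 12-byte ICV: 24 bytes = 6 words, Payload Len 4
    "ah": _ipv4(IPPROTO_AH, struct.pack("!BBHII", 4, 4, 0, 0x1234, 3) + b"\x00" * 12 + b"\x45" + b"\x00" * 19),
    "ike": _ipv4(IPPROTO_UDP, _udp(IKE_PORT, IKE_PORT, b"\x00" * 28)),
    "ike_natt": _ipv4(IPPROTO_UDP, _udp(NAT_T_PORT, NAT_T_PORT, NON_ESP_MARKER + b"\x00" * 28)),
    "esp_natt": _ipv4(IPPROTO_UDP, _udp(NAT_T_PORT, NAT_T_PORT, struct.pack("!II", 0xDEADBEEF, 99) + b"\x00" * 16)),
    "keepalive": _ipv4(IPPROTO_UDP, _udp(NAT_T_PORT, NAT_T_PORT, b"\xff")),
    "dns": _ipv4(IPPROTO_UDP, _udp(53000, 53, b"\x00" * 12)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        info = classify(pkt)
        print(f"{name:10s} {info['kind']:16s} permitted={permitted_by_ipsec_acl(info)} {info}")
```

Only the ESP/AH headers are parsed; everything after them is ciphertext or ICV and cannot be inspected in the network, which is the filtering limitation slide 41 describes. The SPI is the one field that lets a monitor correlate packets with a particular SA, and a sequence number that goes backwards on the same SPI is what an anti-replay check would flag.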
APNIC elearning: IPSec Basics. Contact: training@apnic.net. esec03_v1.0
APNIC elearning: IPSec Basics Contact: training@apnic.net esec03_v1.0 Overview Virtual Private Networks What is IPsec? Benefits of IPsec Tunnel and Transport Mode IPsec Architecture Security Associations
More informationCCNA Security 1.1 Instructional Resource
CCNA Security 1.1 Instructional Resource Chapter 8 Implementing Virtual Private Networks 2012 Cisco and/or its affiliates. All rights reserved. 1 Describe the purpose and types of VPNs and define where
More informationIntroduction to Security and PIX Firewall
Introduction to Security and PIX Firewall Agenda Dag 28 Föreläsning LAB PIX Firewall VPN A Virtual Private Network (VPN) is a service offering secure, reliable connectivity over a shared, public network
More informationBasics of Computer Networks Security
Basics of Computer Networks Security Computer Networks Lecture 7 http://goo.gl/pze5o8 The Process of Securing Computer Network (1) Security is not about installing a big security box, but about definition
More informationCase Study for Layer 3 Authentication and Encryption
CHAPTER 2 Case Study for Layer 3 Authentication and Encryption This chapter explains the basic tasks for configuring a multi-service, extranet Virtual Private Network (VPN) between a Cisco Secure VPN Client
More informationVPN SECURITY. February 2008. The Government of the Hong Kong Special Administrative Region
VPN SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the
More informationSecurity. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1
Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions
More informationINF3510 Information Security University of Oslo Spring 2011. Lecture 9 Communication Security. Audun Jøsang
INF3510 Information Security University of Oslo Spring 2011 Lecture 9 Communication Security Audun Jøsang Outline Network security concepts Communication security Perimeter security Protocol architecture
More informationChapter 10. Network Security
Chapter 10 Network Security 10.1. Chapter 10: Outline 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS 10.2 Chapter 10: Objective We introduce
More informationIP Security. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49
IP Security Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49 1 Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security
More informationReti Private Virtuali - VPN
1 Reti Private Virtuali - VPN Marco Misitano, CISSP Enterprise Conulting, Security misi@cisco.com Ordine degli Ingegneri della Provincia di Milano 2 Agenda Technology introduction Remote Access VPN Site
More informationAppendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003
http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with
More informationBranch Office VPN Tunnels and Mobile VPN
WatchGuard Certified Training Branch Office VPN Tunnels and Mobile VPN Fireware XTM and WatchGuard System Manager v11.7 Revised: January 2013 Updated for: Fireware XTM v11.7 Notice to Users Information
More informationVPN. VPN For BIPAC 741/743GE
VPN For BIPAC 741/743GE August, 2003 1 The router supports VPN to establish secure, end-to-end private network connections over a public networking infrastructure. There are two types of VPN connections,
More informationBUY ONLINE AT: http://www.itgovernance.co.uk/products/730
IPSEC VPN DESIGN Introduction Chapter 1: Introduction to VPNs Motivations for Deploying a VPN VPN Technologies Layer 2 VPNs Layer 3 VPNs Remote Access VPNs Chapter 2: IPSec Overview Encryption Terminology
More informationNetwork Security. Lecture 3
Network Security Lecture 3 Design and Analysis of Communication Networks (DACS) University of Twente The Netherlands Security protocols application transport network datalink physical Contents IPSec overview
More informationInternetwork Security
Internetwork Security Why Network Security Layers? Fundamentals of Encryption Network Security Layer Overview PGP Security on Internet Layer IPSec IPv6-GCAs SSL/TLS Lower Layers 1 Prof. Dr. Thomas Schmidt
More informationNetwork Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide
Network Security [2] Public Key Encryption Also used in message authentication & key distribution Based on mathematical algorithms, not only on operations over bit patterns (as conventional) => much overhead
More informationSite to Site Virtual Private Networks (VPNs):
Site to Site Virtual Private Networks Programme NPFIT DOCUMENT RECORD ID KEY Sub-Prog / Project Information Governance NPFIT-FNT-TO-IG-GPG-0002.01 Prog. Director Mark Ferrar Owner Tim Davis Version 1.0
More informationLecture 17 - Network Security
Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ Idea Why donʼt we just integrate some of these neat
More informationObjectives. Remote Connection Options. Teleworking. Connecting Teleworkers to the Corporate WAN. Providing Teleworker Services
ITE I Chapter 6 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 1 Objectives Providing Teleworker Services Describe the enterprise requirements for providing teleworker services Explain how
More informationSecurity Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)
Security Protocols Security Protocols Necessary to communicate securely across untrusted network Provide integrity, confidentiality, authenticity of communications Based on previously discussed cryptographic
More informationCS 4803 Computer and Network Security
Network layers CS 4803 Computer and Network Security Application Transport Network Lower level Alexandra (Sasha) Boldyreva IPsec 1 2 Roughly Application layer: the communicating processes themselves and
More informationVPN Solutions. Lesson 10. etoken Certification Course. April 2004
VPN Solutions Lesson 10 April 2004 etoken Certification Course VPN Overview Lesson 10a April 2004 etoken Certification Course Virtual Private Network A Virtual Private Network (VPN) is a private data network
More informationPríprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku
Univerzita Komenského v Bratislave Fakulta matematiky, fyziky a informatiky Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku ITMS: 26140230008 dopytovo orientovaný projekt Moderné
More informationIPsec VPN Security between Aruba Remote Access Points and Mobility Controllers
IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers Application Note Revision 1.0 10 February 2011 Copyright 2011. Aruba Networks, Inc. All rights reserved. IPsec VPN Security
More informationFortiOS Handbook IPsec VPN for FortiOS 5.0
FortiOS Handbook IPsec VPN for FortiOS 5.0 IPsec VPN for FortiOS 5.0 26 August 2015 01-504-112804-20150826 Copyright 2015 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are registered
More informationIP Security. IPSec, PPTP, OpenVPN. Pawel Cieplinski, AkademiaWIFI.pl. MUM Wroclaw
IP Security IPSec, PPTP, OpenVPN Pawel Cieplinski, AkademiaWIFI.pl MUM Wroclaw Introduction www.akademiawifi.pl WCNG - Wireless Network Consulting Group We are group of experienced professionals. Our company
More informationApplication Note: Onsight Device VPN Configuration V1.1
Application Note: Onsight Device VPN Configuration V1.1 Table of Contents OVERVIEW 2 1 SUPPORTED VPN TYPES 2 1.1 OD VPN CLIENT 2 1.2 SUPPORTED PROTOCOLS AND CONFIGURATION 2 2 OD VPN CONFIGURATION 2 2.1
More informationUnderstanding the Cisco VPN Client
Understanding the Cisco VPN Client The Cisco VPN Client for Windows (referred to in this user guide as VPN Client) is a software program that runs on a Microsoft Windows -based PC. The VPN Client on a
More informationSecuring IP Networks with Implementation of IPv6
Securing IP Networks with Implementation of IPv6 R.M.Agarwal DDG(SA), TEC Security Threats in IP Networks Packet sniffing IP Spoofing Connection Hijacking Denial of Service (DoS) Attacks Man in the Middle
More informationThe BANDIT Products in Virtual Private Networks
encor! enetworks TM Version A.1, March 2010 2010 Encore Networks, Inc. All rights reserved. The BANDIT Products in Virtual Private Networks One of the principal features of the BANDIT products is their
More informationCisco Which VPN Solution is Right for You?
Table of Contents Which VPN Solution is Right for You?...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1 Components Used...1 NAT...2 Generic Routing Encapsulation Tunneling...2
More informationHow To Understand And Understand The Security Of A Key Infrastructure
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography Objectives Define digital certificates List the various types of digital certificates and how they are used
More informationVPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu
VPN Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu What is VPN? A VPN (virtual private network) is a private data network that uses public telecommunicating infrastructure (Internet), maintaining
More informationChapter 4: Security of the architecture, and lower layer security (network security) 1
Chapter 4: Security of the architecture, and lower layer security (network security) 1 Outline Security of the architecture Access control Lower layer security Data link layer VPN access Wireless access
More informationViewing VPN Status, page 335. Configuring a Site-to-Site VPN, page 340. Configuring IPsec Remote Access, page 355
VPN This chapter describes how to configure Virtual Private Networks (VPNs) that allow other sites and remote workers to access your network resources. It includes the following sections: About VPNs, page
More informationChapter 49 IP Security (IPsec)
Chapter 49 IP Security (IPsec) Introduction...49-3 IP Security (IPsec)...49-4 Security Protocols and Modes... 49-4 Compression Protocol... 49-5 Security Associations (SA)... 49-5 ISAKMP/IKE...49-6 ISAKMP...
More informationOther VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer
Other VPNs TLS/SSL, PPTP, L2TP Advanced Computer Networks SS2005 Jürgen Häuselhofer Overview Introduction to VPNs Why using VPNs What are VPNs VPN technologies... TLS/SSL Layer 2 VPNs (PPTP, L2TP, L2TP/IPSec)
More informationChapter 4 Virtual Private Networking
Chapter 4 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the FVL328 Firewall. VPN tunnels provide secure, encrypted communications between
More informationConfiguring Internet Key Exchange Security Protocol
Configuring Internet Key Exchange Security Protocol This chapter describes how to configure the Internet Key Exchange (IKE) protocol. IKE is a key management protocol standard that is used in conjunction
More informationIP SECURITY (IPSEC) PROTOCOLS
29 IP SECURITY (IPSEC) PROTOCOLS One of the weaknesses of the original Internet Protocol (IP) is that it lacks any sort of general-purpose mechanism for ensuring the authenticity and privacy of data as
More informationOutline. INF3510 Information Security. Lecture 10: Communications Security. Communication Security Analogy. Network Security Concepts
Outline INF3510 Information Security Lecture 10: Communications Security Network security concepts Communication security Perimeter security Protocol architecture and security services Example security
More informationSecurity in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity
Basic Security Requirements and Techniques Confidentiality The property that stored or transmitted information cannot be read or altered by an unauthorized party Integrity The property that any alteration
More informationLecture 10: Communications Security
INF3510 Information Security Lecture 10: Communications Security Audun Jøsang University of Oslo Spring 2015 Outline Network security concepts Communication security Perimeter security Protocol architecture
More informationRemote Connectivity for mysap.com Solutions over the Internet Technical Specification
Remote Connectivity for mysap.com Solutions over the Technical Specification June 2009 Remote Connectivity for mysap.com Solutions over the page 2 1 Introduction SAP has embarked on a project to enable
More informationSecurity vulnerabilities in the Internet and possible solutions
Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in
More informationTechnical papers Virtual private networks
Technical papers Virtual private networks This document has now been archived Virtual private networks Contents Introduction What is a VPN? What does the term virtual private network really mean? What
More informationChapter 2 Virtual Private Networking Basics
Chapter 2 Virtual Private Networking Basics What is a Virtual Private Network? There have been many improvements in the Internet including Quality of Service, network performance, and inexpensive technologies,
More information13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode
13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) PPP-based remote access using dial-in PPP encryption control protocol (ECP) PPP extensible authentication protocol (EAP) 13.2 Layer 2/3/4
More informationSecurity Engineering Part III Network Security. Security Protocols (II): IPsec
Security Engineering Part III Network Security Security Protocols (II): IPsec Juan E. Tapiador jestevez@inf.uc3m.es Department of Computer Science, UC3M Security Engineering 4th year BSc in Computer Science,
More informationTABLE OF CONTENTS NETWORK SECURITY 2...1
Network Security 2 This document is the exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and exclusive use by instructors
More informationBuilding VPNs. Nam-Kee Tan. With IPSec and MPLS. McGraw-Hill CCIE #4307 S&
Building VPNs With IPSec and MPLS Nam-Kee Tan CCIE #4307 S& -.jr."..- i McGraw-Hill New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto
More informationCS 356 Lecture 27 Internet Security Protocols. Spring 2013
CS 356 Lecture 27 Internet Security Protocols Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists
More informationAN OVERVIEW OF REMOTE ACCESS VPNS: ARCHITECTURE AND EFFICIENT INSTALLATION
AN OVERVIEW OF REMOTE ACCESS VPNS: ARCHITECTURE AND EFFICIENT INSTALLATION DR. P. RAJAMOHAN SENIOR LECTURER, SCHOOL OF INFORMATION TECHNOLOGY, SEGi UNIVERSITY, TAMAN SAINS SELANGOR, KOTA DAMANSARA, PJU
More informationToday s Topics SSL/TLS. Certification Authorities VPN. Server Certificates Client Certificates. Trust Registration Authorities
SSL/TLS Today s Topics Server Certificates Client Certificates Certification Authorities Trust Registration Authorities VPN IPSec Client tunnels LAN-to-LAN tunnels Secure Sockets Layer Secure Sockets Layer
More information7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?
7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk
More informationLab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM
Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM Objective Scenario Topology In this lab, the students will complete the following tasks: Prepare to configure Virtual Private Network (VPN)
More informationConfiguration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview
Configuration Guide How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall Overview This document describes how to implement IPSec with pre-shared secrets establishing
More informationFinal exam review, Fall 2005 FSU (CIS-5357) Network Security
Final exam review, Fall 2005 FSU (CIS-5357) Network Security Instructor: Breno de Medeiros 1. What is an insertion attack against a NIDS? Answer: An insertion attack against a network intrusion detection
More informationFirewalls and Virtual Private Networks
CHAPTER 9 Firewalls and Virtual Private Networks Introduction In Chapter 8, we discussed the issue of security in remote access networks. In this chapter we will consider how security is applied in remote
More informationCornerstones of Security
Internet Security Cornerstones of Security Authenticity the sender (either client or server) of a message is who he, she or it claims to be Privacy the contents of a message are secret and only known to
More informationNetwork Security Fundamentals
APNIC elearning: Network Security Fundamentals 27 November 2013 04:30 pm Brisbane Time (GMT+10) Introduction Presenter Sheryl Hermoso Training Officer sheryl@apnic.net Specialties: Network Security IPv6
More informationNetwork Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1
Network Security Abusayeed Saifullah CS 5600 Computer Networks These slides are adapted from Kurose and Ross 8-1 roadmap 1 What is network security? 2 Principles of cryptography 3 Message integrity, authentication
More informationVPNs. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks
VPNs Palo Alto Networks PAN-OS Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us
More informationAPNIC elearning: Network Security Fundamentals. 20 March 2013 10:30 pm Brisbane Time (GMT+10)
APNIC elearning: Network Security Fundamentals 20 March 2013 10:30 pm Brisbane Time (GMT+10) Introduction Presenter/s Nurul Islam Roman Senior Training Specialist nurul@apnic.net Specialties: Routing &
More informationVirtual Private Network VPN IPSec Testing: Functionality Interoperability and Performance
Virtual Private Network VPN IPSec Testing: Functionality Interoperability and Performance Johnnie Chen Project Manager of Network Security Group Network Benchmarking Lab Network Benchmarking Laboratory
More informationSecure Remote Monitoring of the Critical System Infrastructure. An Application Note from the Experts in Business-Critical Continuity
Secure Remote Monitoring of the Critical System Infrastructure An Application Note from the Experts in Business-Critical Continuity TABLE OF CONTENTS Introduction................................................2
More informationPart III-b. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT
Part III-b Contents Part III-b Secure Applications and Security Protocols Practical Security Measures Internet Security IPSEC, IKE SSL/TLS Virtual Private Networks Firewall Kerberos SET Security Measures
More informationVirtual Private Network and Remote Access Setup
CHAPTER 10 Virtual Private Network and Remote Access Setup 10.1 Introduction A Virtual Private Network (VPN) is the extension of a private network that encompasses links across shared or public networks
More informationUsing IPSec in Windows 2000 and XP, Part 2
Page 1 of 8 Using IPSec in Windows 2000 and XP, Part 2 Chris Weber 2001-12-20 This is the second part of a three-part series devoted to discussing the technical details of using Internet Protocol Security
More informationNetwork Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)
Network Security Securing communications (SSL/TLS and IPSec) Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT) Network communication Who are you
More informationSecurity Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress
Security Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress Alan Davy and Lei Shi Telecommunication Software&Systems Group, Waterford Institute of Technology, Ireland adavy,lshi@tssg.org
More informationChapter 5: Network Layer Security
Managing and Securing Computer Networks Guy Leduc Mainly based on Network Security - PRIVATE Communication in a PUBLIC World C. Kaufman, R. Pearlman, M. Speciner Pearson Education, 2002. (chapters 17 and
More informationVPN VPN requirements Encryption VPN-Types Protocols VPN and Firewalls
Overview VPN VPN requirements Encryption VPN-Types Protocols VPN and Firewalls Computer Net Lab/Praktikum Datenverarbeitung 2 1 VPN - Definition VPNs (Virtual Private Networks) allow secure data transmission
More informationNetwork Security Part II: Standards
Network Security Part II: Standards Raj Jain Washington University Saint Louis, MO 63131 Jain@cse.wustl.edu These slides are available on-line at: http://www.cse.wustl.edu/~jain/cse473-05/ 18-1 Overview
More informationI. What is VPN? II. Types of VPN connection. There are two types of VPN connection:
Table of Content I. What is VPN?... 2 II. Types of VPN connection... 2 III. Types of VPN Protocol... 3 IV. Remote Access VPN configuration... 4 a. PPTP protocol configuration... 4 Network Topology... 4
More informationVirtual Private Network and Remote Access
Virtual Private Network and Remote Access Introduction A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. A
More informationGPRS / 3G Services: VPN solutions supported
GPRS / 3G Services: VPN solutions supported GPRS / 3G VPN soluti An O2 White Paper An O2 White Paper Contents Page No. 3 4-6 4 5 6 6 7-10 7-8 9 9 9 10 11-14 11-12 13 13 13 14 15 16 Chapter No. 1. Executive
More informationHow To Configure Apple ipad for Cyberoam L2TP
How To Configure Apple ipad for Cyberoam L2TP VPN Connection Applicable to Version: 10.00 (All builds) Layer 2 Tunneling Protocol (L2TP) can be used to create VPN tunnel over public networks such as the
More informationImplementing and Managing Security for Network Communications
3 Implementing and Managing Security for Network Communications............................................... Terms you ll need to understand: Internet Protocol Security (IPSec) Authentication Authentication
More informationInternet Protocol: IP packet headers. vendredi 18 octobre 13
Internet Protocol: IP packet headers 1 IPv4 header V L TOS Total Length Identification F Frag TTL Proto Checksum Options Source address Destination address Data (payload) Padding V: Version (IPv4 ; IPv6)
More informationOverview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP
Overview Securing TCP/IP Chapter 6 TCP/IP Open Systems Interconnection Model Anatomy of a Packet Internet Protocol Security (IPSec) Web Security (HTTP over TLS, Secure-HTTP) Lecturer: Pei-yih Ting 1 2
More informationIntranet Security Solution
Intranet Security Solution 1. Introduction With the increase in information and economic exchange, there are more and more enterprises need to communicate with their partners, suppliers, customers or their
More informationComputer Networks. Secure Systems
Computer Networks Secure Systems Summary Common Secure Protocols SSH HTTPS (SSL/TSL) IPSec Wireless Security WPA2 PSK vs EAP Firewalls Discussion Secure Shell (SSH) A protocol to allow secure login to
More informationBit Chat: A Peer-to-Peer Instant Messenger
Bit Chat: A Peer-to-Peer Instant Messenger Shreyas Zare shreyas@technitium.com https://technitium.com December 20, 2015 Abstract. Bit Chat is a peer-to-peer instant messaging concept, allowing one-to-one
More informationChapter 32 Internet Security
Chapter 32 Internet Security Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 32: Outline 32.1 NETWORK-LAYER SECURITY 32.2 TRANSPORT-LAYER SECURITY 32.3
More informationLinkProof And VPN Load Balancing
LinkProof And Load Balancing Technical Application Note May 2008 North America Radware Inc. 575 Corporate Dr. Suite 205 Mahwah, NJ 07430 Tel 888 234 5763 International Radware Ltd. 22 Raoul Wallenberg
More informationThis chapter describes how to set up and manage VPN service in Mac OS X Server.
6 Working with VPN Service 6 This chapter describes how to set up and manage VPN service in Mac OS X Server. By configuring a Virtual Private Network (VPN) on your server you can give users a more secure
More informationOverview. Protocols. VPN and Firewalls
Computer Network Lab 2015 Fachgebiet Technische h Informatik, Joachim Zumbrägel Overview VPN VPN requirements Encryption VPN-Types Protocols VPN and Firewalls VPN-Definition VPNs (Virtual Private Networks)
More informationConnecting Remote Users to Your Network with Windows Server 2003
Connecting Remote Users to Your Network with Windows Server 2003 Microsoft Corporation Published: March 2003 Abstract Business professionals today require access to information on their network from anywhere
More informationCSCI 454/554 Computer and Network Security. Topic 8.1 IPsec
CSCI 454/554 Computer and Network Security Topic 8.1 IPsec Outline IPsec Objectives IPsec architecture & concepts IPsec authentication header IPsec encapsulating security payload 2 IPsec Objectives Why
More informationCisco Site-to-Site VPN Lab 3 / GRE over IPSec VPNs by Michael T. Durham
Cisco Site-to-Site VPN Lab 3 / GRE over IPSec VPNs by Michael T. Durham In part two of NetCertLabs Cisco CCNA Security VPN lab series, we explored setting up a site-to-site VPN connection where one side
More informationCPS 590.5 Computer Security Lecture 9: Introduction to Network Security. Xiaowei Yang xwy@cs.duke.edu
CPS 590.5 Computer Security Lecture 9: Introduction to Network Security Xiaowei Yang xwy@cs.duke.edu Previous lectures Worm Fast worm design Today Network security Cryptography building blocks Existing
More informationFortiOS Handbook - IPsec VPN VERSION 5.2.2
FortiOS Handbook - IPsec VPN VERSION 5.2.2 FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER SERVICE & SUPPORT
More informationImplementing Secured Converged Wide Area Networks (ISCW) Version 1.0
COURSE OVERVIEW Implementing Secure Converged Wide Area Networks (ISCW) v1.0 is an advanced instructor-led course that introduces techniques and features that enable or enhance WAN and remote access solutions.
More informationIntroduction. An Overview of the DX Industrial Router Product Line. IP router and firewall. Integrated WAN, Serial and LAN interfaces
Introduction An Overview of the D Industrial Router Product Line Secure Access with VPN Technology in Industrial Networks Outlining the IPsec and VPN capabilities available in the GarrettCom D series of
More information7.1. Remote Access Connection
7.1. Remote Access Connection When a client uses a dial up connection, it connects to the remote access server across the telephone system. Windows client and server operating systems use the Point to
More informationConfiguring a GB-OS Site-to-Site VPN to a Non-GTA Firewall
Configuring a GB-OS Site-to-Site VPN to a Non-GTA Firewall S2SVPN201102-02 Global Technology Associates 3505 Lake Lynda Drive Suite 109 Orlando, FL 32817 Tel: +1.407.380.0220 Fax. +1.407.380.6080 Email:
More informationFireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway
Fireware How To VPN How do I set up a manual branch office VPN tunnel? Introduction You use Branch Office VPN (BOVPN) with manual IPSec to make encrypted tunnels between a Firebox and a second IPSec-compliant
More information