Virtual Private Networks



Similar documents
APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Virtual Private Network Using Peer-to-Peer Techniques

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Chapter 4: Security of the architecture, and lower layer security (network security) 1

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Internet Privacy Options

Компјутерски Мрежи NAT & ICMP

Network Security. Lecture 3

This chapter describes how to set up and manage VPN service in Mac OS X Server.

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

VPN SECURITY. February The Government of the Hong Kong Special Administrative Region

21.4 Network Address Translation (NAT) NAT concept

IP Security. IPSec, PPTP, OpenVPN. Pawel Cieplinski, AkademiaWIFI.pl. MUM Wroclaw

Protocol Security Where?

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Remote Connectivity for mysap.com Solutions over the Internet Technical Specification

Network Security Fundamentals

Networking Basics and Network Security

Securing IP Networks with Implementation of IPv6

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Understanding TCP/IP. Introduction. What is an Architectural Model? APPENDIX

Cisco Which VPN Solution is Right for You?

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

Corporate VPN Using Mikrotik Cloud Feature. By SOUMIL GUPTA BHAYA Mikortik Certified Trainer

Computer Networks. Secure Systems

VPN. Date: 4/15/2004 By: Heena Patel

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Protocols. Packets. What's in an IP packet

Virtual Private Network and Remote Access Setup

GPRS / 3G Services: VPN solutions supported

Technical Support Information Belkin internal use only

Michal Ludvig, SUSE Labs, 01/30/2004, Secure networking, 1

Network Address Translation (NAT) Virtual Private Networks (VPN)

IP - The Internet Protocol

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Security Technology: Firewalls and VPNs

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Packet Capture. Document Scope. SonicOS Enhanced Packet Capture

Transport and Network Layer

NETWORK SECURITY (W/LAB) Course Syllabus

Firewalls. Chien-Chung Shen

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Linux MDS Firewall Supplement

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Application Note: Onsight Device VPN Configuration V1.1

Virtual Private Networks

Packet Monitor in SonicOS 5.8

Ethernet. Ethernet. Network Devices

TheGreenBow IPsec VPN Client. Configuration Guide Cisco RV325 v1. Website: Contact:

Networking Test 4 Study Guide

Cisco SA 500 Series Security Appliance

Connecting to and Setting Up a Network

INTRODUCTION TO FIREWALL SECURITY

IP addressing and forwarding Network layer

Network Access Security. Lesson 10

7.1. Remote Access Connection

Computer Networks/DV2 Lab

Introduction to Computer Security

Juniper NetScreen 5GT

Chapter 9. IP Secure

Mobile IP Network Layer Lesson 02 TCP/IP Suite and IP Protocol

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

Solution of Exercise Sheet 5

Network layer: Overview. Network layer functions IP Routing and forwarding

Introduction to Computer Security

Lecture Computer Networks

How To Understand And Understand The Security Of A Key Infrastructure

Guideline for setting up a functional VPN

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

Network Security Firewall Manual Building Networks for People

Gary Hecht Computer Networking (IP Addressing, Subnet Masks, and Packets)

Virtual Private Networks: IPSec vs. SSL

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Cisco RV 120W Wireless-N VPN Firewall

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

CS 4803 Computer and Network Security

Virtual Private Network and Remote Access

Virtual Private Networks Solutions for Secure Remote Access. White Paper

VPN VPN requirements Encryption VPN-Types Protocols VPN and Firewalls

Firewalls and Virtual Private Networks

Linux Network Security

Table of Contents. Cisco Cisco VPN Client FAQ

Overview. Protocols. VPN and Firewalls

About Firewall Protection

IP Network Layer. Datagram ID FLAG Fragment Offset. IP Datagrams. IP Addresses. IP Addresses. CSCE 515: Computer Network Programming TCP/IP

Protecting the Home Network (Firewall)

Network Security and Firewall 1

intelligence at the edge of the network EdgeBOX V4.3 VPN How-To

TECHNICAL NOTE. Technical Note P/N REV 03. EMC NetWorker Simplifying firewall port requirements with NSR tunnel Release 8.

Raritan Valley Community College Academic Course Outline. CISY Advanced Computer Networking

Introduction To Computer Networking

NETASQ MIGRATING FROM V8 TO V9

Secure Network Design: Designing a DMZ & VPN

CS419: Computer Networks. Lecture 9: Mar 30, 2005 VPNs

Exam Questions SY0-401

Unix System Administration

LECTURE 4 NETWORK INFRASTRUCTURE

Transcription:

Virtual Private Networks Jonathan Reed jdreed@mit.edu MIT IS&T VPN Release Team Overview Basic Networking Terms General Concepts How the VPN works Why it s useful What to watch out for Q&A Networking 101 OSI seven layer model 1. Physical (copper/fiber) 2. Data Link (MAC/network card) 3. Network (routing) 4. Transport (protocol) 5. Session (connections) 6. Presentation (encoding/platform independence) 7. Application (program itself) 8. Money 9. Politics 10. Religion 1

Layer 3 protocols IP - Internet Protocol (IPv4) provides addressing for packets provides fragmentation and reassembly of packets that exceed MTU (maximum transmission unit - how big a packet can be - typically 1500 bytes) ICMP - Internet Control Message Protocol allows for reporting errors, congestion, timeouts, no such host, etc - used by ping Layer 4 protocols TCP - Transmission Control Protocol allows for streams, reliability, full-duplex packets guaranteed to be received in order sent UDP - User Datagram Protocol connectionless send a packet and hope for the best packets can be received out of order (zephyr, streaming media) IP packets time to live protocol source address Packets destination address checksum data 2

Packets, cont UDP: all of IP packet info, plus: source and dest. ports checksum TCP: all of IP packet info, plus: source and dest. ports sequence and acknowledgement numbers checksum window (amount of data that can be sent before the receipt is acknowledged) Services Services listen on a port (TCP or UDP) When a packet arrives, kernel checks port number if a service is listening on that port (ie: sshd, apache), decode packet and send to service if not, return ICMP port unreachable message Port Blocking/Firewalls kernel can check for user-specified info (port num, source addr, dest. addr, etc) return ICMP unreachable (appears as if no service on that port) drop packet on floor (wait for remote machine to timeout) return other ICMP message (protocol not allowed, host doesn t exist, prohibited, etc) 3

NAT static NAT (what most people use) 1 real IP address 1 or more private IP addresses security only through obscurity can also act as firewall breaks any protocols that rely on knowing the source IP address (krb4, FTP, etc) Tunneling the idea that some element of data can be encapsulated in a larger element of data in simplest form, IP-IP tunnels one IP packet wrapped in another IP packet only works for IP networks (not Netware (IPX), AppleTalk, etc) offers no more and no less security than a regular network Regular Packet Tunneling Abstraction To: www.google.com Port: 80 Data: school science +Cambridge Tunneled Packet To: vpn-public.mit.edu Port: 12345 Data: To: www.google.com Port: 80 Data: school science +Cambridge 4

Layer 2 VPNs (L2TP, L2F, PPTP) Both based on the idea that layer 2 protocols can be encapsulated in IP Basically, extends PPP over the internet uses existing PPP authentication (which has vulnerabilities) PPTP encryption is also cryptographically weak (RC4) Requires routers to understand protocols VPN Abstraction Web Browser libraries.mit.edu To: libraries.mit.edu Port: 80 Data: stuff To: libraries.mit.edu Port: 80 Data: stuff VPN Client Your Computer To: vpn-public.mit.edu Port: 12345 Data: To: libraries.mit.edu Port: 80 Data: stuff VPN Server Layer 3 VPN: IPSec IP Security: suite of protocols for securing IP packets Protect Data (ESP) Key exchange protocols (IKE) Authentication of packets (AH) can provide either authentication or authentication + encryption (most common use) backwards compatible with existing networks 5

Negotiation authenticate nodes to each other pre-shared keys X.509 Certificates with RSA signature set up tunnel establish security associations assign client IP address for VPN renegotiate ( re-key ) periodically to ensure security Cisco s Implementation pre-shared keys In this case, the group name, and group key (stored in MITnet-VPN.pcf file) XAUTH - external authentication use other methods, such as RADIUS, to authenticate users Determined to be insecure, Cisco plans new version man-in-the-middle attack Security Layer 3 and above security between client and VPN server only Security between VPN server and eventual dest. is user s responsibility Once packet leaves server in W92, it s no different than any packet from any other machine on MITnet 6

How it bypasses port blocking The actual port numbers are encrypted, so firewalls don t see them Appears to just be one connection to one machine (the VPN server) on one specific port (or set of several ports) ISPs can disallow VPN connections by blocking those ports How it solves krb4 issues Assigns your machine a new IP address krb4 (and FTP, and other things) use that IP address local machine temporarily forgets about its other IP addresses (ie: address assigned by Comcast) How is it different from HTTPS or SSH? Those are layer 7 protocols. Anyone can view those packets and tell what machine you re talking to and what the port numbers are, and what the protocol is, it s just the data that s encrypted VPN encrypts the entire packet attackers monitoring the VPN stream can t tell what machine you re talking to or what protocol you re using 7

When to use it? work around port-blocking (ie: Verizon SMTP) solve the krb4 NAT problem assign you a net-18 IP address (restricted library resources, etc) on-campus When not to use it will hide you from those on your subnet, but nothing else to hide your websurfing once the packet leaves W92, it s clear text to send passwords/credit card numbers in e-mail once the packet leaves W92, it s clear text example: FileMaker databases What goes wrong krb4 tickets already obtained will no longer work established zephyr/discuss/kerberized IMAP sessions fail Quit all applications before connecting your MTU changes (PPPoE/DSL customers might care) 8

Known Issues You lose advanced IP/routing control Cisco clients only - design choice various OS issues VPN has to insert itself between kernel core and networking drivers libpcap gets confused on Linux OS X s KEM/configd doesn t work, if you use the Kicker, it won t notice (correct behavior) MTU silently reset on OS X even when VPN not running Cisco VPN Client Available from http://web.mit.edu/software/ Product Front Door: http://itinfo.mit.edu/product?name=vpn Supported on: Windows, Mac, Linux (Red Hat Enterprise) Linux client will work on other distributions (4.6 is LSB/FHS compliant) Open Source VPN Client http://www.unix-ag.uni-kl.de/~massar/vpnc/ Still in testing, but functional on Linux (x86, ppc, arm), *BSD (x86), Solaris Runs entirely in userland no kernel module required uses native OS IPSec support Completely unsupported by IS&T 9

Native VPN clients XP and OS X will not work with MIT VPN server L2TP over IPSec or PPTP client only Wrap-Up Questions? vpn-release@mit.edu More info: http://vpn.shmoo.com http://www.vpnc.org/ietf-ipsec/ Virtual Private Networks, 2nd Ed. (O Reilly) (somewhat dated, but useful) 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information