Computer Network Lab 2015 Fachgebiet Technische h Informatik, Joachim Zumbrägel
Overview VPN VPN requirements Encryption VPN-Types Protocols VPN and Firewalls
VPN-Definition VPNs (Virtual Private Networks) allow secure data transmission over insecure connections. VPNs connect computers and/or networks (on various locations) to a common network by use of public communication structures.
VPN Scheme LAN LAN VPN-Tunnel VPN Internet VPN Client Client
VPN terms Virtual: due to the usage of a public communication infrastructure there is no permanent physical connection but a logical one. Private: because only valid users should have access to the network respectively the data. Additionally all data have to be transmitted confidential.
VPN requirements Data security must ensure Confidentiality Integrity Authentication Quality of Service Guarantees availability of connectivity Support of all applications Additional requirements Reasonable administration effort Effectiveness and extendibility
Confidentiality means that no unauthorized person, who got illegal access to data, is able to read respectively understand data. is realized by encryption. The data are coded d by an encryption algorithm and an encryption key. Only owner of the appropriate decryption key are able to decrypt the coded data.
Integrity means that no data has been changed/manipulated during transmission. is realised by checksum of transferred data. By use of a mathematical function a checksum is build over the data which has to be transmitted. This checksum is unique. The checksum together with the data is sent to the recipient.
Authentication means that a recipient of a message is able to ensure that he got the message from the right person and not from a person who pretend to be the right one. is realized by use of digital signatures. Digital signatures are like a normal signature in a document which unambiguously identifies the author.
Symetric encryption Each communication partner has the same key N (N-1)/2 keys, for N communication partner which h communicate pair wise High effort for Key maintenance Key length with 128 Bit are said to be sure, typical values 40,56,128 Fast Method DES, Triple DES, Blowfish
Asymetric encryption Distinction between private (my) and public keys (for others) Communication with N participants i t means N public keys Key length higher than symetric keys typical length: 512,1024,2048, Slower than symmetric encryption Example: PGP, RSA
Tunnel Tunneling means the embedding of a complete data package (header and payload) within the payload segment of an other protocol in the same protocol level. Advantage: Data can be coded/encrypted Orig IP Hdr TCP Hdr Data New IP Hdr Oi Orig IPHdr TCP Hdr Data
End-To-End-Constellation Internet Computer 1 Computer 2
End-To-Site-Constellation mobile computer Internet Intranet VPN Gateway
Site-To-Site-Constellation Intranet 1 Intranet 2 Internet VPN Gateway 1 VPN Gateway 2
VPN and Network Layer Applicationlevel (Layer 5-7) Application-Layer encryption Transport-/ network level (Layer 3-4) Network-Layer encryption Link-/ physical level (Layer 1-2) Link-Layer encryption Link-Layer encryption
VPN and Network Layer (2) Application Transport Network Link SSH, Kerberos, Virusscans, Content Screening, IPSEC (IKE) SSL/TLS, Socks V5 IPSEC (AH, ESP), Paket Filtering, NAT Tunneling Protocols (L2TP, PPTP, L2F), CHAP, PAP,
PPTP-Protocol Point To Point Tunneling, widespread because simple Layer-2 Protocol Only user authentification => Security = Password Set up of communication: 1. PPP connection with user Authentification 2. Link and control (TCP Port 1723) IP- GRE (IP 47) PPP 3. Tunnel: PPP Payload Header Header Header IP-Adresses Client+Server, => NAT and dynam. IP-Adresses ok opt. with MPPE (RC4) encrypted
PPTP-Protocol 2
IPSec 1 Internet Protocol Security is a protocol family Allows encryption and integrity check integrity check (Authentication Header Protocol): encryption (Encapsulating Security Payload Protocol): Open for enhancements, encryption method not fixed Authentification: Diffie-Hellmann key exchange confidentiality: Triple,-DES, IDEA, Blowfish Integrity by use of Hash building: MD5 und SHA Two mode of operation modes Tunnel mode protects address information and payload Transport mode protects only payload
IPSec AH AH allows only check of integrity Original packet: Orig IP Hdr TCP Hdr Data Tunnel mode: Transport mode: New IP Hdr AH Header Orig IP Hdr TCP Hdr Data Orig IP Hdr AH Header TCP Hdr Data
IPSEC ESP ESP allows encryption Original packet: Tunnel mode: New IP Hdr Orig IP Hdr TCP Hdr Data ESP Hdr Orig ESP Trailer ESP Auth Transport Oi Orig IP Hdr ESP Hdr TCP Hdr Data ESP Trailer ESP Auth mode:
VPN and Firewall Idea of the Firewall The Firewall is the only connection to the Internet. All other computers (even the VPN-Gateway) are located behind the Firewall. Problem The firewall ist not able to analyze the data because they are encrypted.
VPN behind Firewall LAN (center) VPN-Gateway LAN (branch office) decrypted Data VPN Internet Firewall VPN Client
VPN and Firewall together LAN (center) Firewall and VPN-Gateway LAN (branch office) decrypted Data VPN Internet VPN Client
VPN in DMZ (between 2 FW) LAN (center) VPN-Gateway DMZ LAN (branch office) decrypted Data Internet VPN Internet inner Firewall outer Firewall VPN client
NAT Nat = Network Address Translation Allows through mapping the assignment of official IP- Addresses to private one. Therefore it is possible to gain access to the internet with private IP-Addresses. Sender-IP 192.168.0.10 New Sender-IP 134.91.90.70 Webbrowser New Target-IP 192.168.0.10 Target-IP 134.91.90.70 NAT Internet
IP IP (Internet Protocol) has 3 main tasks: 1. It carries the transport protocols TCP and UDP. 2. It builds IP-PackagesP out of the dt data which h have to be transmitted 3. It adds additional information, the IP-Header. Amongst others the header contains source and destination address.
TCP TCP (Transmission Control Protocol) confirms every received data package TCP repeats each data package until its receiving is confirmed TCP is reliable, that means the transmission is guaranteed 32 BIT
VPN practical training Firewall Firewall Internet VPN-Gateway VPN-Gateway private, local net =Tunnel private, local net
VPN Gateway Firewall private, local Net IP-Paket with target: 192.168.1.1 IP-Forwarding IP-Paket with Target: 134.91.90.70 Port 1723 or Gre-Protocol 47
VPN-Practical training 2 We have to consider Configuration of the firewall Configuration of DHCP Configuration of Routing Configuration of the VPN-Connection