Part 4: Virtual Private Networks

Similar documents
Bridgewalling - Using Netfilter in Bridge Mode

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

VPN. Date: 4/15/2004 By: Heena Patel

ReadyNAS Remote White Paper. NETGEAR May 2010

Chapter 7. Firewalls

Workflow Guide. Establish Site-to-Site VPN Connection using RSA Keys. For Customers with Sophos Firewall Document Date: November 2015

How To Establish Site-to-Site VPN Connection. using Preshared Key. Applicable Version: onwards. Overview. Scenario. Site A Configuration

I. What is VPN? II. Types of VPN connection. There are two types of VPN connection:

OpenVPN - Site-to-Site routed VPN between two

Configuring an IPsec VPN to provide ios devices with secure, remote access to the network

Firewall Troubleshooting

Installing OpenVPN on Ubuntu 10.04

Configuring a Check Point FireWall-1 to SOHO IPSec Tunnel

Configuring IPsec VPN with a FortiGate and a Cisco ASA

Appliance Quick Start Guide. v7.6

Lab Objectives & Turn In

Yealink Technical White Paper. Contents. About VPN Types of VPN Access VPN Technology... 3 Example Use of a VPN Tunnel...

IP Security. IPSec, PPTP, OpenVPN. Pawel Cieplinski, AkademiaWIFI.pl. MUM Wroclaw

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

Guideline for setting up a functional VPN

Configuring IPsec VPN between a FortiGate and Microsoft Azure

Virtual Private Network (VPN) Lab

Configuring an IPSec Tunnel between a Firebox & a Check Point FireWall-1

Scenario: IPsec Remote-Access VPN Configuration

OpenVPN. Tom Eastep April 29, 2006 Linuxfest NW

Using the Raspberry Pi to establish a Virtual Private Network (VPN) Connection to a Home Network

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

How To Configure L2TP VPN Connection for MAC OS X client

Load Balancing Clearswift Secure Web Gateway

21.4 Network Address Translation (NAT) NAT concept

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Load Balancing Trend Micro InterScan Web Gateway

Computer Networks. Secure Systems

Using IPsec VPN to provide communication between offices

Assignment 3 Firewalls

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Sonicwall Firewall.

GregSowell.com. Mikrotik Basics

Configuring a WatchGuard SOHO to SOHO IPSec Tunnel

Overview. Author: Seth Scardefield Updated 11/11/2013

How To Establish IPSec VPN connection between Cyberoam and Mikrotik router

Scenario: Remote-Access VPN Configuration

ZyWALL USG-Series. How to setup a Site-to-site VPN connection between two ZyWALL USG series.

Setting up VPN Access for Remote Diagnostics Support

CCNA Security 1.1 Instructional Resource

Establishing a VPN tunnel to CNet CWR-854 VPN router using WinXP IPSec client

Smoothwall Web Filter Deployment Guide

Home Linux Networking Lab (202) This Howto shows how to recreate the CIS Lab environment at home.

IP Address: the per-network unique identifier used to find you on a network

Virtual Private Networks

Appliance Quick Start Guide v8.1

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

Free Dynamic DNS account you can use one of your choosing I like DynDNS but there's also No-IP and probably others.

Load Balancing Bloxx Web Filter. Deployment Guide

Lab assignment #2 IPSec and VPN Tunnels (Document version 1.1)

Performance Evaluation of Linux Bridge

Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1

Configuring Check Point VPN-1/FireWall-1 and SecuRemote Client with Avaya IP Softphone via NAT - Issue 1.0

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Fortinet Firewall. Overview

HOWTO: How to configure IPSEC gateway (office) to gateway

Linux Network Security

Building scalable IPSec infrastructure with MikroTik. IPSec, L2TP/IPSec, OSPF

LECTURE 4 NETWORK INFRASTRUCTURE

Firewall. IPTables and its use in a realistic scenario. José Bateira ei10133 Pedro Cunha ei05064 Pedro Grilo ei09137 FEUP MIEIC SSIN

Load Balancing Smoothwall Secure Web Gateway

Electronic Service Agent TM. Network and Transmission Security And Information Privacy

How To Establish IPSec VPN between Cyberoam and Microsoft Azure

Rapid Access Cloud: Se1ng up a Proxy Host

Network/VPN Overlap How-To with SonicOS 2.0 Enhanced Updated 9/26/03 SonicWALL,Inc.

McAfee Web Filter Deployment Guide

This chapter describes how to set up and manage VPN service in Mac OS X Server.

Configuring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router

Linux firewall. Need of firewall Single connection between network Allows restricted traffic between networks Denies un authorized users

Advanced Higher Computing. Computer Networks. Homework Sheets

Security Technology: Firewalls and VPNs

ΕΠΛ 674: Εργαστήριο 5 Firewalls

HOWTO: How to configure VPN SSL roadwarrior to gateway

Objectives. Remote Connection Options. Teleworking. Connecting Teleworkers to the Corporate WAN. Providing Teleworker Services

Introduction To Computer Networking

Creating a VPN with overlapping subnets

LAB THREE STATIC ROUTING

Scalable Linux Clusters with LVS

Cornerstones of Security

Firewalls. Chien-Chung Shen

BASIC ANALYSIS OF TCP/IP NETWORKS

Chapter 5. Data Communication And Internet Technology

TCP/IP Network Essentials. Linux System Administration and IP Services

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Cisco Which VPN Solution is Right for You?

Network Security and Firewall 1

Load Balancing Sophos Web Gateway. Deployment Guide

OPC UA vs OPC Classic

Protecting and controlling Virtual LANs by Linux router-firewall

Appliance Quick Start Guide. v7.6

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

Appliance Quick Start Guide v6.21

Workflow Guide. Establish Site-to-Site VPN Connection using Digital Certificates. For Customers with Sophos Firewall Document Date: November 2015

Case Study for Layer 3 Authentication and Encryption

Managing Multiple Internet Connections with Shorewall

Transcription:

Universität Passau Security Insider Lab I: Infrastructure Security WS15 Part 4: Virtual Private Networks Ahmed Azri Emna Maâtoug February 11, 2016 Advisor: Oussama Mahjoub, Bouthayna Belgacem

Contents 1 Exercise 1: OpenVPN : GATEWAY < > Road-warrior 3 1.1 Using own words, explain the difference between an IPsec and an SSL based VPN? Which one is implemented by OpenVPN?........ 6 1.2 Try to find reasons why we chose port 443?............... 7 1.3 What is the difference between the TUN and the TAP interfaces?.. 7 1.4 Why they are (TUN and TAP) called virtual (Virtual from the virtual machine s point of view)?......................... 7 1.5 What does the term VPN-Endpoint mean? What are the endpoints in your setting? what are the implication in terms of encrypted traffic? 7 1.6 What is the state of the physical network interface? why is this state necessary for VPN to work?....................... 8 2 Exercise 2: OpenVPN : Site to Site 9 2.1 What are the pro/cons for using PKI or static keys.......... 9 2.2 What Do you suggest to use TAP or TUN? and why?......... 9

1 Exercise 1: OpenVPN : GATEWAY < > Road-warrior In order to complete this lab exercise, we need one additional virtual machine, called "VPN-gateway". The network will then look as the one depicted in the figure below which overviews all IP configurations of the different virtual machines in our network. We will also install and use the software package OpenVPN as the basis for our VPN gateway. OpenVPN can be used as a server as well as a client. Figure 1: Desired VPN Extension of the existing network setup In this exercise, we will establish a VPN connection between a gateway (VPN Gateway) and a mobile "road warrior" (Remote Client). To achieve this, we will be using another VM that will be playing the role of the remote client. 3

In order to configure our VPN connection correctly, we ll be proceeding as follows. First, on both VPN-Gateway and remote client virtual machines, we start by installing OpenVPN using the following command: apt-get install openvpn Then, in order to be able to create and manage bridging of network interfaces on the VPN-Gateway for later use, the bridge-utils package needs to be installed: sudo apt-get install bridge-utils Now before configuring OpenVPN, we need to allow remote UDP traffic from the outside world to the VPN-Gateway via FW-south s eth0 interface on port 443 using the udp protocol: iptables -I FORWARD -p udp dport 443 -i eth0 -j ACCEPT Then, and in order to make sure that all incoming VPN traffic on FW-south s eth0 interface will be routed to the VPN-Gateway, the following rule can be set up to translate every packet s destination to the IP address of the VPN-Gateway: iptables -t nat -A PREROUTING -i eth0 -p udp dport 443 -j DNAT todestination 192.168.56.68:443 Also, packet forwarding on FW-south needs to be enabled. We need to make this permanent so that FW-south still forwards traffic after rebooting. So first, we open the sysctl setting file (/etc/sysctl.conf) and then we uncomment the next line to enable packet forwarding for IPv4: #net.ipv4.ip_forward=1 Afterwards, on the VPN-Gateway, we need to create a PreShared Symmetric Key as follows: openvpn genkey secret static.key Then, the server configuration file is the starting point for the OpenVPN server configuration. This file will create a VPN using the TAP network interface (tap0 interface) and will listen for client connections on UDP port 443. It also includes external scripts that will be executed when starting up or shutting down the OpenVPN service. /etc/openvpn/server.conf port 443 proto udp dev tap0 4

verb 5 secret static. key log openvpn. log script - security 3 system up./ start.sh down./ stop.sh The following describes the content of both start and stop external scripts that were mentioned in the server configuration file. The start script will set up the bridge and tap interfaces and configure the bridging when OpenVPN service starts, whereas the stop script will remove these interfaces at the end of the OpenVPN connection. /etc/openvpn/start.sh #!/ bin / bash br=" br0 " tap =" tap0 " eth =" eth0 " eth_ip =" 192.168.56.68 " eth_netmask =" 255.255.255.192 " eth_broadcast =" 192.168.56.127 " for t in $tap ; do openvpn -- mktun -- dev $t done brctl addbr $br brctl addif $br $eth for t in $tap ; do brctl addif $br $t done for t in $tap ; do ifconfig $t 0.0.0.0 promisc up done ifconfig $eth 0.0.0.0 promisc up ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast /etc/openvpn/bridge_stop.sh #!/ bin / bash br=" br0 " tap =" tap0 " 5

ifconfig $br down brctl delbr $br for t in $tap ; do openvpn -- rmtun -- dev $t done Now that the VPN-Gateway server is ready, let s move on to the OpenVPN client configuration. Like for the server, a client configuration file needs to be set up on the remote client machine to enable connection to the VPN-Gateway. Similarly, the client will be using the udp protocol on port 443 over the tap interface. It also contains the IP address of the client itself and will configure openvpn to adjust the client s routes to use the VPN connection to access our three internal subnets. /etc/openvpn/client.conf dev tap proto udp remote 192.168.12.1 443 secret static. key ifconfig 192.168.56.71 255.255.255.0 route 192.168.56.0 255.255.255.0 route 192.168.56.64 255.255.255.0 route 192.168.56.128 255.255.255.0 Once done with all client and server configurations, all we need to do is to start the openvpn service on the VPN-Gateway: service openvpn start Afterwards, we can establish a connection to the VPN-Gateway server from our remote client using the following command: openvpn client.conf What s left is to add a default route on the remote client with the VPN-Gateway server as a gateway for our VPN connections: route add default gw 192.168.56.68 1.1 Using own words, explain the difference between an IPsec and an SSL based VPN? Which one is implemented by OpenVPN? The difference between IPsec and SSL-based VPN is the network layer at which they function. IPsec is a Layer 3 VPN. For both network-to-network and remote-access deployments, an encrypted Layer 3 tunnel is established between the peers. An SSL VPN, in contrast, is typically a remote-access technology that provides Layer 6 encryption services for Layer 7 applications and, through local redirection on the 6

client, tunnels other TCP protocols. OpenVPN implements SSL-based VPN. 1.2 Try to find reasons why we chose port 443? The reason is that port 443 is, possibly, the last one to be blocked by a firewall. Often on locked-down networks, only ports like 80 and 443 will be allowed out for security reasons, and running OpenVPN on these allowed ports can help to get out in situations where access may otherwise be restricted. 1.3 What is the difference between the TUN and the TAP interfaces? The essential difference between TUN and TAP is the OSI layer at which they function. TAP functions as a physical extension to the ethernet cable our machine is connected to. This means it can pass any frame which exists on that wire (IPv4/6, Netware IPX and Appletalk). TUN functions as an endpoint to a TUNnel and only passes routable IPv4 packets. It also requires routing to be correctly set up so that those packets can be correctly routed to the next hop. Super simplistically, a TAP interface is a virtual ethernet adapter, while a TUN interface is a virtual point-to-point IP link. 1.4 Why they are (TUN and TAP) called virtual (Virtual from the virtual machine s point of view)? Being network devices supported entirely in software, TUN and TAP are called virtual network kernel devices. They differ from ordinary network devices which are backed up by hardware network adapters. 1.5 What does the term VPN-Endpoint mean? What are the endpoints in your setting? what are the implication in terms of encrypted traffic? VPN goes between a machine and a network (road-warrior), or a LAN and a network (site-to-site). Each end of the connection is a VPN "endpoint". Endpoints in our settings are two virtual machines. The first one is acting as the VPN server which is the VPN-Gateway in our case, and the second one is acting as the VPN client which is the remote client machine. 7

1.6 What is the state of the physical network interface? why is this state necessary for VPN to work? The state of the physical interface of the gateway needs to be set to "promiscuous mode". This tells the interface to forward all packets arriving at the NIC to the operating system, even those who are not addressed to the interface itself, so that packets that arrive can be sent through the bridge to the TAP device. 8

2 Exercise 2: OpenVPN : Site to Site 2.1 What are the pro/cons for using PKI or static keys A PKI allows computers to authenticate to each other or encrypt and decrypt data without prior contact. So no password exchange on forehand needed, no exchange of passwords over any medium. As for the disadvantages, a thorough understanding of PKI and asymmetric encryption principles is needed to set this up. It s not the simplest thing to do. Also, asymmetric encryption is slow. That s why it is only used on short messages. For large volume encryption, a PKI can be used to exchange the keys of a (fast) symmetric algorithm. On the other hand, Pre-shared key authentication does not require the hardware and configuration investment of a public key infrastructure. Pre-shared keys are simple to configure on a remote access server, and they are relatively simple to configure on a remote access client. However, the biggest problem with static key encryption is that we need to have a way to get the key to the party with whom we are sharing data. The key must be transmitted (either manually or through a communication channel) since the same key is used for encryption and decryption. A serious concern is that there may be a chance that an enemy can discover the secret key during transmission. When someone gets their hands on a symmetric key, they can decrypt everything encrypted with that key. 2.2 What Do you suggest to use TAP or TUN? and why? The TAP interface should be used and not the TUN one. In fact, the need of routing the packets from the source to the destination requires the use of that kind of interfaces. 9

List of Figures 1 Desired VPN Extension of the existing network setup........ 3 10

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information