PPTP - Dr Ali Fanian

Download Report

Transcript PPTP - Dr Ali Fanian

In the Name of Allah
Virtual Private Network
Present by
Ali Fanian
Virtual Private Networks
Introduction
What security problems do VPNs solve ?
What security problems are not solved by
VPNs ?
VPN Principles of operation: tunneling,
encapsulation, encryption and authentication
VPN Technologies: Microsoft PPTP, L2TP
and IPsec

History and background of VPNs 1
Internet multi-site organisations operated private networks
using leased lines. This approach was expensive and inflexible.
It became cheaper to use shared Internet than dedicated.
Virtual Private Network is a type of private network that uses
public telecommunication, such as the Internet, instead of
leased lines to communicate
VPNs enabled more flexible use of larger networks by
removing network geography constraints from shared-insider
LAN/Intranet associations and services.
With cryptography as part of a VPN, a travelling saleseman
could communicate with head office at lower risk from spying
competitors etc.
What problems do VPNs solve ?
Avoiding costs of fixed lines.
 Extending security context of LAN across sites,
regardless of geography, including to mobile
users.
 Authentication: knowing who your users are.
 Encryption: preventing monitoring of use of
insecure client server applications at the
network level.

What security problems do VPNs not solve ?
Having a VPN which isn't secure and not
knowing this is probably worse than having no
VPN
Traffic analysis: monitoring of packet sizes,
network usage times, endpoints of
conversation etc.
 VPNs can be used to pierce firewalls, by
encapsulating traffic prohibited by
organisation policy within a firewalled
perimeter which the firewall can't inspect or
control.

Tunneling
Typically a VPN consists of a set of point to
point connections tunnelled over the
Internet.
The routers carrying this traffic over the
Internet see each P2P connection externally
as a sequence of packets routed between
endpoints.
VPN Architecture
ISP
Access
Server
VPN
Device
leased circuits
Telephone
Line
Office
VPN
Device
Employee’s
Home
Internet
Backbone
VPN Tunnel
VPN Tunnel
• VPN is transparent to the users, ISP, and
the Internet as a whole;
• It appears to be simply a stream of
packets moving across the Internet
VPN
Device
Office
Backbone
Encapsulation
In order to achieve tunnelling, the packets
including payloads, to and from addresses, port
numbers and other standard protocol packet
headers are encapsulated as the payload of
packets as seen by the external routers carrying
the connection.
Authentication
A digital signing scheme is typically used to
enable verification of the VPN principals.
Note that both the client and the server
need to authenticate each other.
Message authentication codes, hashes or
checksums are typically used to
authenticate message contents.
Encryption
To protect the privacy of the connection from
external snooping, the payload of the packets
visible externally will be encrypted.
To enable routing over conventional networks,
the packet headers of the encapsulating
packets are not encrypted, but the packet
headers of the encapsulated packets are
encrypted along with their contents.
VPN Topology: Types of VPNs
Remote access VPN
 Site-to-Site VPN

Types of VPNs

Remote Access VPN
 Provides access to
internal corporate
network over the
Internet.
 Reduces long
distance, modem
bank, and technical
support costs.
Corporate
Site
Internet
-12-
Types of VPNs
Corporate
Site

Remote Access VPN

Site-to-Site VPN
 Connects multiple
offices over Internet
 Reduces dependencies
on frame relay and
leased lines
Branch
Office
-13-
Internet
Types of VPNs


Remote Access VPN
Site-to-Site VPN
 Extranet VPN


Corporate
Site
Provides business
partners access to
critical information
(leads, sales tools, etc)
Reduces transaction
and operational costs
Internet
Partner #2
Partner #1
-14-
Types of VPNs


Remote Access VPN
Site-to-Site VPN


Database
Server
Extranet VPN
Intranet VPN:
LAN
clients
Links corporate
headquarters, remote
offices, and branch
offices over a shared
infrastructure using
dedicated connections.
LAN clients with
sensitive data
-15-
Internet
VPN Topology: How it works

Operates at layer 2 or 3 of OSI model


Layer 2 frame – Ethernet
Layer 3 packet – IP
VPN Components: Protocols

IP Security (IPSec)



Transport mode
Tunnel mode
Point-to-Point Tunneling Protocol (PPTP)

Uses PPP (Point-to-Point Protocol)
VPN Components: Protocols

Layer 2 Tunneling Protocol (L2TP)



Exists at the data link layer of OSI
Composed from PPTP and L2F (Layer 2
Forwarding)
Compulsory tunneling method
Point-to-Point Tunneling Protocol
(PPTP)

Layer 2 remote access VPN distributed with Windows product
family



Based on Point-to-Point Protocol (PPP)
Uses proprietary authentication and encryption
Limited user management and scalability
Corporate Network
Remote PPTP Client
PPTP RAS Server
Internet
ISP Remote Access
Switch
-19-
PPP

Point-to-Point Protocol (PPP)



PPP was created for dialing into a local RAS
server
But the site’s RAS may be far away
Long-distance calls are expensive
RAS
Long-Distance Call
PPTP

Point-to-Point Tunneling Protocol (PPTP)



We would like PPP to work over the Internet
to avoid long-distance telephone charges
But PPP is only a data link layer protocol
It is only good for transmission within a
subnet (single network)
RAS
PPTP

The Point-to-Point Tunneling Protocol
(PPTP) makes this possible


Created by Microsoft
Widely used
Access
Concentrator
RAS
PPTP

PPTP Operation


User dials into local PPTP access
concentrator host
User sends the access concentrator a PPP
frame within an IP packet
Access
Concentrator
Packet
RAS
PPTP

PPTP Operation


Access concentrator places incoming IP
packet within another IP packet
Sends packet to the distant RAS
Access
Concentrator
Encapsulated Packet
RAS
PPTP

PPTP Operation


Distant RAS removes the original packet
Deals with the PPP frame within the
packet
RAS
PPTP

PPTP Encapsulation



Access concentrator receives the original IP
packet, which has the IP address of the access
concentrator
Adds an enhanced general routing encapsulation
(GRE) header for security
Adds a new IP header with the IP address of the
Enhanced
New
RAS
Original IP Packet
GRE Header
Access
Concentrator
Tunnel
IPRAS
Header
-27-
-28-
IPSec
General IP Security mechanisms
 Provides





authentication
confidentiality
key management
Applicable to use over LANs, across
public & private WANs, & for the Internet
IPSec Uses
Transparency
Benefits of IPSec
Is below transport layer, hence transparent
to applications
 Can be transparent to end users
 Can provide security for individual users

Architecture & Concepts
Tunnel vs. Transport mode
 Security association (SA)




Security parameter index (SPI)
Security policy database (SPD)
SA database (SAD)
Authentication header (AH) Protocol
 Encapsulating security payload (ESP)
Protocol

Transport Mode vs. Tunnel Mode
Transport mode: host -> host
 Tunnel mode: host->gateway or gateway>gateway

Encrypted Tunnel
Gateway 1
Gateway 2
Encrypted
A
B
New IP
Header
AH or ESP
Header
Orig IP
Header
TCP Data
Transport Mode
IP
IP
header options
Real IP
destination
IPSec
header
Higher
layer protocol
ESP
AH


ESP protects higher layer payload only
AH can protect IP headers as well as higher
layer payload
Tunnel Mode
Outer IP IPSec
header header
Destination
IPSec
entity
ESP
Inner IP
header
Higher
layer protocol
Real IP destination
AH


ESP applies only to the tunneled packet
AH can be applied to portions of the outer
header
‫)‪Security Association (SA‬‬
‫‪‬‬
‫حاوي‬
‫‪‬‬
‫‪‬‬
‫‪‬‬
‫‪‬‬
‫‪‬‬
‫‪‬‬
‫‪‬‬
‫‪‬‬
‫الگوريتم ها‬
‫كليدهاي مورد نياز‬
‫پروتكل ‪ AH‬يا ‪ESP‬‬
‫زمان انقضاء كليد‬
‫پنجره جلوگيري از حمله تكرار‬
‫شماره آخرين بسته سالم دريافت شده‬
‫‪SPI‬‬
‫مشخصات ترافيكي كه ‪ SA‬براي آن توليد شده است شامل‪:‬‬
‫‪‬‬
‫‪‬‬
‫‪‬‬
‫آدرس مبدا و مقصد بسته‬
‫پروتكل اليه باالتر‬
‫پورت هاي پروتكل اليه باالتر‬
‫‪36‬‬
‫)‪Security Association (SA‬‬
‫‪ ‬در يك جدول به نام ‪ SAD‬نگاه داري مي گردد‬
‫‪ ‬انديس ‪ SA‬در جدول فوق توسط ‪ SPI‬مشخص مي شود‬
‫‪ ‬اتصال يك طرفه از فرستنده به گيرنده‬
‫‪‬‬
‫براي ارتباط دو طرفه‪ ،‬دو ‪ SA‬مورد نياز است‬
‫‪ ‬كليدها بايستي به نحوي مذاكره شود‬
‫‪‬‬
‫‪Pre-shared key‬‬
‫‪‬‬
‫‪IKE‬‬
‫‪37‬‬
‫جلوگيري از حمله تكرار‬
‫اختصاص يك شمارنده با مقدار صفر به هر ‪SA‬‬
‫افزايش شمارنده به ازاي هر بسته جديد كه با اين ‪ SA‬فرستاده مي‬
‫شود‬
‫‪38‬‬
‫پروتكل مبادله كليد اينترنت (‪)IKE‬‬
‫‪ ‬برای برقراری ارتباط بين دو طرف الزم است که يك ‪ SA‬بين طرفين‬
‫ايجاد شود‪.‬‬
‫‪ ‬برقراری و تجديد اين ‪ SA‬ها می تواند بصورت دستی يا خودکار‬
‫انجام گردد‪.‬‬
‫‪ ‬پروتکلی که اين وظيفه را (بصورت خودکار) در اينترنت به عهده دارد‬
‫‪ IKE‬می باشد‬
‫‪39‬‬
‫پروتكل مبادله كليد اينترنت (‪)IKE‬‬
‫‪ ‬معرفي ‪IKE‬‬
‫• پروتكل اصلي براي ايجاد و ابقاء ‪IPSec SA‬‬
‫• پيش فرض ‪ IPSec‬براي مبادله امن كليد‬
‫• فراهم كردن يك ارتباط امن بين طرفين باتوافق بر روي كليدهاي جلسه‬
‫• متكي به مكانيزمهاي رمز كليد عمومي و توابع درهم كليددار‬
‫‪40‬‬
‫روشهاي احراز اصالت‬
‫‪ ‬روشهاي احراز اصالت در ‪IKE‬‬
‫‪ -1‬روش كليد از پيش مشترك ( ‪) Preshared Key‬‬
‫‪ -2‬روش امضاي كليد عمومي ( ‪) Public Key Signature‬‬
‫‪ -3‬روش رمزكليد عمومي ( ‪) Public Key Encryption‬‬
‫‪ -4‬روش رمزكليد عمومي اصالح شده ( ‪)Revised Public Key Encryption‬‬
‫‪41‬‬
‫پايگاه سياست هاي امنيتي )‪(SPD‬‬
‫‪‬‬
‫‪ SPD‬در يك جدول كه توسط راهبر سيستم تعريف شده است‬
‫قرار دارد‪.‬‬
‫‪ ‬ركوردهاي آن براي هر بسته وارد شده و در حال خروج سياست‬
‫امنيتي را مشخص مي كند‪:‬‬
‫‪‬‬
‫حفاظت )‪(Apply‬‬
‫‪‬‬
‫عبور بدون حفاظت )‪(Bypass‬‬
‫‪‬‬
‫دور انداختن )‪(Reject‬‬
‫‪42‬‬
‫پايگاه سياست هاي امنيتي )‪(SPD‬‬
‫‪ ‬هر ركورد حاوي‬
‫‪‬‬
‫مشخصات بسته هايي است كه بايد سياست خاص ي در مورد آنها‬
‫اعمال شود‪ .‬پارامترهاي انتخاب سياست عبارتند از‪:‬‬
‫‪‬‬
‫‪‬‬
‫مشخصات آدرس مبدا و مقصد بسته‬
‫‪‬‬
‫‪Range‬‬
‫‪‬‬
‫‪Subnet‬‬
‫مشخصات پروتكل اليه باالتر‬
‫‪‬‬
‫‪‬‬
‫‪TCP,UDP,..‬‬
‫در صورت ‪ TCP‬يا ‪ UDP‬بودن‪ ،‬مشخصات پورتها‬
‫‪43‬‬
‫پايگاه سياست هاي امنيتي )‪(SPD‬‬
‫‪ ‬هر ركورد حاوي‬
‫‪‬‬
‫‪‬‬
‫سياست امنيتي‬
‫‪‬‬
‫‪Apply‬‬
‫‪‬‬
‫‪Reject‬‬
‫‪‬‬
‫‪Bypass‬‬
‫و در صورت ‪ Apply‬مشتمل بر‪:‬‬
‫‪‬‬
‫‪‬‬
‫‪‬‬
‫‪‬‬
‫طرف مقابل در برقراري ارتباط‬
‫پروتكل ‪ AH‬يا ‪ ESP‬يا هردو‬
‫الگوريتم هاي قابل قبول براي احراز اصالت و رمزنگاري‬
‫طول مدت قابل قبول براي ‪(SA Life Time) SA‬‬
‫‪44‬‬
IPSec ‫معماري‬
IPsec module 1
IPsec module 2
SPD
SPD
IKE
Inbound
SAD Outbound
45
IKE
Inbound
Outbound SAD
SA
Outbound Process
Check SPDS against
Outboun SPD
Reject
Drop packet
F
ou
nd
ard
re
co
rd
w
For
S
P
D
Forward packet
N
o
Is SPD record SA
valid
yes
Drop packet and log
Awake IKE
Make new IPHDR & fill
up SPI field
& Sequence number
Drop Packet
ESP
yes
encryption
required ?
AH or ESP
AH
ICV Computation &
Padding
Encrypt packet
Forward new packet
No
Authentication
required ?
Yes
ICV Computation
NO
46
Forward new packet
Outbound process
Outbound Processing
Outbound packet (on A)
A
IP Packet
Is it for IPSec?
If so, which policy
entry to select?
SPD
(Policy)
B
SA
Database
IPSec processing
…
…
Determine the SA
and its SPI
SPI &
IPSec
Packet
Send to B
Inbound Processing
A
Inbound packet (on B)
B
From A
SPI & Packet
SA Database
SPD
(Policy)
Use SPI to
index the SAD
Was packet properly
secured?
Original IP Packet
…
“un-process”
…
How They Fit Together
SPD
SA-1
SA-2
SADB
SPI
SPI
49
SPD and SADB Example
A’s SPD
Transport Mode
A
C
D
B
Tunnel Mode
A’s SADB
From
To
Protocol
Port
Policy
A
B
Any
Any
AH[HMAC-MD5]
From
To
Protocol
SPI
SA Record
A
B
AH
12
HMAC-MD5 key
From
To
Protocol
Port
Policy
Tunnel Dest
Asub
Bsub
Any
Any
ESP[3DES]
D
From
To
Protocol
SPI
SA Record
Asub
Bsub
ESP
14
3DES key
C’s SPD
C’s SADB
50
‫پروتكل مبادله كليد اينترنت (‪)IKE‬‬
‫‪ ‬برای برقراری ارتباط بين دو طرف الزم است که يك ‪ SA‬بين‬
‫طرفين ايجاد شود‪.‬‬
‫‪ ‬برقراری و تجديد اين ‪ SA‬ها می تواند بصورت دستی يا خودکار‬
‫انجام گردد‪.‬‬
‫‪ ‬پروتکلی که اين وظيفه را (بصورت خودکار) در اينترنت به عهده‬
‫دارد ‪ IKE‬می باشد‬
‫‪51‬‬
‫پروتكل مبادله كليد اينترنت (‪)IKE‬‬
‫‪ ‬معرفي ‪IKE‬‬
‫• پروتكل اصلي براي ايجاد و ابقاء ‪IPSec SA‬‬
‫• پيش فرض ‪ IPSec‬براي مبادله امن كليد‬
‫• فراهم كردن يك ارتباط امن بين طرفين باتوافق بر روي كليدهاي جلسه‬
‫• متكي به مكانيزمهاي رمز كليد عمومي و توابع درهم كليددار‬
‫• چارچوب ‪ IKE‬بر اساس پروتكل ‪ISAKMP‬‬
‫)‪(Internet SA Key Management Protocol‬‬
‫‪52‬‬
‫‪IKE‬فازهاي‬
‫‪ IKE ‬داراي دو فاز مي باشد ‪:‬‬
‫• فاز ‪ : I‬برپايي ‪)IKE SA( ISAKMP SA‬‬
‫برپايي يك كانال امن احراز اصالت شده بين دو طرف‬
‫• فاز ‪ : II‬برپايي ‪IPSec SA‬‬
‫استفاده از كانال امن ايجاد شده در فاز ‪ 1‬براي ارائه سرويسهاي امنيتي ‪IPSec‬‬
‫‪ ‬فاز ‪ : I‬مي تواند به دو روش انجام شود‪:‬‬
‫• مبادله مود اصلي ( ‪) Main mode‬‬
‫• مبادله مود اعالن شناسه ها ( ‪) Aggressive mode‬‬
‫‪ ‬فاز ‪ : II‬به روش زير انجام مي شود‪:‬‬
‫• مبادله مود سريع ( ‪) Quick mode‬‬
‫‪53‬‬
‫روشهاي احراز اصالت‬
‫‪ ‬روشهاي احراز اصالت در مبادالت فاز ‪: I‬‬
‫‪ -1‬روش كليد از پيش مشترك ( ‪) Preshared Key‬‬
‫‪ -2‬روش امضاي كليد عمومي ( ‪) Public Key Signature‬‬
‫‪ -3‬روش رمزكليد عمومي ( ‪) Public Key Encryption‬‬
‫‪ -4‬روش رمزكليد عمومي اصالح شده ( ‪)Revised Public Key Encryption‬‬
‫‪54‬‬
) ‫پروتكل بر اساس روش امضاء( مود اصلي‬
‫ احراز اصالت توسط امضاي ديجيتال‬
‫مخاطب‬
‫آغازگر‬
Header , SAproposal
Header , SAchoice
Header , gi , Ni
Header , gr , Nr
Header , { IDi , [certi] , SIGi }SKEYID-e
Header , { IDr , [certr] , SIGr }SKEYID-e
55
) ‫ ( مود سريع‬2 ‫ در فاز‬IKE ‫پروتكل‬
‫مخاطب‬
‫آغازگر‬
Header ,{Hash1 , SAproposal , Ni , [gi] , [IDui , IDur]}SKEYID-e
Header ,{Hash2 , SAchoice , Nr , [gr] , [IDur , IDui]}SKEYID-e
Header , {Hash3}SKEYID-e
Hash1 = prf (SKEYID-a , Message ID SANi [gi] [IDui IDur] )
Hash2 = prf (SKEYID-a , Message ID Ni SA Nr [gi] [IDui IDur] )
Hash3 = prf (SKEYID-a , Message ID Ni Nr)
KEYMAT = prf ( SKEYID-d , [ gi ] protocol SPI Ni Nr )
63
‫وجود نقاط ضعف در ‪IKE‬‬
‫‪ ‬در پروتکل معرفی شدة ‪ IKE‬نقاط ضعفی به چشم می‬
‫خورد‪:‬‬
‫• تعداد زياد پيام‬
‫• پيچيدگی مشخصات‬
‫• عملکرد ضعيف در برابر حمالت ‪DoS‬‬
‫پروتکلهای جايگزين‬
‫‪64‬‬
‫پروتكلهاي جايگزين ‪IKE‬‬
‫‪‬‬
‫‪ ‬معرفی پروتکل ‪) 2001( IKEv2‬‬
‫‪JFKr‬‬
‫‪ ‬معرفی پروتکل ‪) 2002( JFK‬‬
‫‪JFKi‬‬
‫‪Full-SIGMA‬‬
‫‪ ‬معرفی پروتکل ‪) 2002( SIGMA‬‬
‫‪SIGMA-0‬‬
‫‪65‬‬