Guide to Network Defense and Countermeasures


Chapter 7 - Setting up a Virtual Private Network

Objectives:

- Explain the “what, why, and how” of virtual private networks (VPNs)
- Understand the tunneling protocols that enable secure VPN connections
- Describe the encryption schemes used by VPNs
- Know how to adjust packet filtering rules for VPNs
Exploring VPNs: What, Why, and How

A VPN provides a way for two computers or networks to communicate securely using the same public channels available on the Internet

- The “V” in VPN means virtual; rather than a direct network cable connection, a combination of Internet-based routers and network segments is used
- The “P” means private; only the designated end points of the VPN connection (tunnel) participate
- The “N” means network; it connects one group of computers to another, and extends the network’s boundaries
VPN components:

- VPN server, or host: a computer configured to accept connections from clients who either dial in or connect directly using a broadband connection
- VPN client, or guest: can be a router that serves as the end-point of a gateway-to-gateway connection, or a computer configured as an endpoint
- Tunnel: the connection through which data is sent
- VPN protocols: standardized communication settings that hardware and software use to encrypt data that is sent along the VPN, including IPSec, PPTP, and L2TP
Two types of VPNs:

- Site-to-site: links two or more networks
- Client-to-site: allows network access to dial-in users

Hardware vs. software VPNs:

- Hardware-based VPNs connect one gateway to another; typically the gateways are routers that encrypt/decrypt, but could be a VPN appliance
- Software-based VPNs are usually integrated with firewalls, and as a result, increase network security; software solutions offer maximum flexibility
VPN combinations:

- Combining VPN hardware or software with other hardware and software adds network security; one useful combination is a VPN bundled with a firewall, since VPNs do not replace firewall functionality

VPN core activity #1: Encapsulation

- Data encapsulation means that a packet is enclosed within another one that has different IP addressing data to provide a higher degree of protection
- Data packets are encapsulated within packets that use the source/destination of the VPN gateway
VPN core activity #2: Encryption

- Encryption is the process of rendering information unreadable by all but the intended recipient
- VPN endpoints encrypt/decrypt data by exchanging keys, or blocks of encoded data; the key is part of an electronic document called a digital signature

VPN core activity #3: Authentication

- Authentication is the process of identifying a user or computer as being authorized to access a network
- Authentication uses digital certificates; the tunneling protocol determines the type of authentication
Why establish a VPN?

- The need for private business transactions drives an increasing number of organizations to adopt VPNs; e-commerce popularity provides an incentive as well; government and military agencies share more information in order to provide homeland security
- Budgetary considerations have always made VPNs attractive to businesses; also, many businesses employ remote users who need network access
- Another incentive for creating a VPN is the need to establish a high level of security in an extranet
Advantages and disadvantages of VPNs:

- VPNs provide a high level of security, but if a VPN is poorly configured or a remote user at an endpoint disables their firewall by mistake and lets in a hacker, the normal protection can be undone
- VPNs can be complex to configure and the hardware can represent a substantial investment
- By focusing on Internet-based technologies, VPNs simplify a network overall
- Running a VPN means a better opportunity to maximize network uptime
How to configure VPNs:

- To set up a VPN, define a VPN domain
- A VPN domain is a set of one or more computers that is handled by the VPN hardware and software as a single entity, and that uses the VPN to communicate with another domain
- Besides defining a VPN domain, determine whether the network gateway will be included in that domain; that, in turn, depends on whether the network has a site-to-site or client-to-site type of VPN configuration
Single and multiple-entry point configurations:

- Smaller networks that use VPNs often have single entry point configurations, where all traffic to and from the network passes through a single gateway such as a router or firewall or both
- Large organizations have networks that require multiple-entry point configurations, in which multiple gateways are used, each with a tunnel connecting a different location
- In multiple-entry point configurations, it is important to exclude the gateway itself from the VPN domain
VPN topology configurations:

- In a mesh topology, all the participants in the VPN have Security Associations (SAs) with one another; full mesh is where every subnet is connected to every other; partial mesh is where any subnet may or may not be connected to the other subnets
- In a star topology, the VPN gateway is the hub, and other participating networks are called rim subnets
- As organizations with VPNs grow to include new computers and new branch offices, they naturally evolve from a mesh or hub-and-spoke to a hybrid system that combines the two topologies
Understanding Tunneling Protocols

IPSec/IKE:

- Internet Protocol Security (IPSec) was developed for enabling secure communications on the Internet
- IPSec has become the standard set of protocols for VPN security because: it works at the Network layer; it has the ability to encrypt the entire TCP/IP packet; it can work with IPv6; it provides authentication of source and destination computers
- The biggest advantage to using IPSec is the fact that it has gone through the standardization process and is supported by a wide variety of VPN hardware and software
Secure Shell (SSH):

- Secure Shell (SSH) provides for authentication and encryption of TCP/IP packets over a VPN
- SSH works with UNIX-based systems, creates a secure Transport layer connection, and makes use of public key cryptography

Socks V.5:

- Socks provides proxy services for applications that don’t normally support proxying; Socks Version 5 adds encrypted authentication and UDP support
Point-to-point tunneling protocol (PPTP):

- Point-to-point tunneling protocol (PPTP) is a VPN configuration for users who need to dial in to a server using a modem connection on a computer running an older operating system
- PPTP encapsulates TCP/IP packets and uses a proprietary Microsoft technology called MPPE

Layer 2 tunneling protocol (L2TP):

- Layer 2 tunneling protocol (L2TP) provides a higher level of security than PPTP through IPSec support
Encryption Schemes used by VPNs

Triple-data encryption standard (Triple-DES):

- Most VPNs make use of Triple-data encryption standard (Triple-DES) encryption
- Triple-DES is strong because it uses three separate 64-bit keys to process data

Secure Sockets Layer (SSL):

- Secure Sockets Layer (SSL) enables Web servers and browsers to exchange encrypted information
- SSL sessions make use of both symmetric and asymmetric keys to encrypt data
Kerberos:

- Kerberos is a system for authentication of individual network users that was developed at MIT
- Kerberos uses an authentication method called authentication by assertion - the computer that connects to a server and requests services asserts that it is acting on behalf of an approved user
- Instead of digital certificates, Kerberos issues tickets; accessing an application protected by Kerberos requires a ticket
Adjusting Packet Filtering Rules for VPNs

VPNs need to be used with firewalls:

- VPNs can be located in front of existing firewalls, or placed in DMZs in parallel to an existing firewall
- Packet filtering rules make use of three IP packet header fields: the source address; the destination address; the Protocol Identifier (Protocol ID)
- Conduct packet filtering based on any or all of these fields: use the source address to block all packets coming from an address; use the destination address to route incoming packets; use the Protocol ID to refer to protocols (ICMP, TCP, UDP, ESP, AH)
PPTP filters:

- For PPTP traffic to pass through a firewall, set up packet filtering rules that permit it
- PPTP uses two protocols: TCP and Generic Routing Encapsulation (GRE)

L2TP and IPSec filters:

- If L2TP is used, rules must be set up that permit IPSec traffic
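As an added example (not from the textbook), the following Python models the two mechanisms these slides describe together: tunnel-mode encapsulation, where the outer header carries only the gateways' addresses, and a packet filter that decides on the source address, destination address and Protocol ID (plus the port for TCP/UDP). The gateway addresses, the permit-only-between-gateways policy and the port numbers for PPTP control (TCP 1723) and IKE (UDP 500) are assumptions added here; the Protocol ID values are the IANA assignments.

```python
from dataclasses import dataclass
from typing import Optional
# IANA Protocol ID values for the protocols the slides name.
ICMP, TCP, UDP, GRE, ESP, AH = 1, 6, 17, 47, 50, 51
@dataclass(frozen=True)
class Packet:
    src: str        # source address
    dst: str        # destination address
    proto: int      # Protocol ID field of the IP header
    dport: int = 0  # destination port; only meaningful for TCP/UDP

def encapsulate(inner: Packet, gw_src: str, gw_dst: str, proto: int = ESP) -> Packet:
    # Tunnel mode: the outer header holds only the gateways' addresses and the tunnel protocol; the inner packet becomes the hidden payload.
    return Packet(gw_src, gw_dst, proto)

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "any"
    dst: str = "any"
    proto: Optional[int] = None  # None matches every Protocol ID
    dport: Optional[int] = None  # None matches every port
    def matches(self, p: Packet) -> bool:
        return (self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and self.proto in (None, p.proto) and self.dport in (None, p.dport))

def filter_packet(rules: list, p: Packet) -> str:
    # First matching rule wins; a packet that no rule permits is dropped.
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Constructed sample addresses: our gateway, a partner site's gateway, a stranger.
OUR_GW, PEER_GW, STRANGER = "203.0.113.1", "198.51.100.7", "192.0.2.9"
# Permit only the VPN protocols, and only between the two gateways (assumed policy).
VPN_RULES = [
    Rule("permit", PEER_GW, OUR_GW, TCP, 1723),  # PPTP control connection (TCP port 1723)
    Rule("permit", PEER_GW, OUR_GW, GRE),        # PPTP tunneled data (GRE, Protocol ID 47)
    Rule("permit", PEER_GW, OUR_GW, UDP, 500),   # IKE key negotiation for L2TP/IPSec
    Rule("permit", PEER_GW, OUR_GW, ESP),        # IPSec ESP (Protocol ID 50)
    Rule("permit", PEER_GW, OUR_GW, AH),         # IPSec AH (Protocol ID 51)
]
def demo() -> dict:
    inner = Packet("10.0.0.5", "10.1.0.8", TCP, 80)  # private host to private host
    outer = encapsulate(inner, PEER_GW, OUR_GW)      # what actually crosses the Internet
    return {"outer_hides_inner": (outer.src, outer.dst) != (inner.src, inner.dst),
            "esp_from_peer": filter_packet(VPN_RULES, outer),
            "esp_from_stranger": filter_packet(VPN_RULES, Packet(STRANGER, OUR_GW, ESP)),
            "ssh_from_peer": filter_packet(VPN_RULES, Packet(PEER_GW, OUR_GW, TCP, 22))}
```

Note that the firewall only ever sees the outer header, which is why the filter can key on the gateway addresses and the ESP/AH/GRE Protocol IDs while the private addresses inside the tunnel stay hidden.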
Chapter Summary

This chapter discussed issues involved in configuring a Virtual Private Network (VPN) and the role that the VPN plays in a network defense strategy.

VPNs are virtual in that they do not make use of proprietary leased lines. Rather, they connect computers and networks through the public Internet. VPNs are private because they send data through a secure tunnel that leads from one endpoint to another. Each endpoint is terminated by VPN hardware or software that encrypts and encapsulates the data. VPNs are networks that connect one network to one or more networks, one computer to another, or one computer to a network.
VPNs consist of various components. These include VPN servers, which are configured to accept connections from client computers; VPN clients; the tunnels through which data passes; and protocols that determine how the tunneled data is to be encrypted, such as IPSec. A site-to-site VPN uses such components to connect to networks. A client-to-site VPN connects a remote user to a network. VPN endpoints can be terminated by VPN hardware, software, or a combination of both.
VPNs perform three core activities. Encapsulation encloses one packet of digital information within another one to conceal the original packet’s source and destination IP address and to protect the contents. Encryption makes the contents of the packet - not only its data, but its header information as well - unreadable by all but the intended recipient. Authentication ensures that the computers participating in a VPN are authorized users.
Because VPNs can be complex to configure, the reasons for establishing them should be understood. The need to keep critical business communications private and secure drives the adoption of VPNs. The cost-effectiveness of using the Internet for VPN communications also makes VPNs attractive. On the other hand, the encryption performed by VPNs can slow down data transfer rates. Reliance on the Internet, which is often unpredictable, can result in the VPN going down along with ISP connections.
A VPN is often configured by establishing a VPN domain, a group of computers that are handled as one entity. Networks that use VPNs can have single entry point configurations, in which all traffic to and from the network passes through a single gateway. Some VPNs are part of multiple-entry point configurations, in which more than one gateway is used. Whether single or multiple entry points are in place in one network, that network can then be connected to other VPN participants using a mesh or star configuration, or a combination of both.
VPNs make use of standard instruction sets called protocols that secure tunneled communications between endpoints. IPSec combined with IKE is one of the most popular protocols because of its wide support in the industry and high degree of security through AH and ESP encryption. SSH is a protocol used to authenticate and encrypt packets in a UNIX-based environment. Version 5 of the Socks protocol can also provide security for VPN transactions, though it is not widely used. PPTP and L2TP enable remote users to dial in to a computer over a secure VPN connection.
Encryption is one of the techniques that make VPNs possible. Most VPNs today use Triple-DES encryption, a variation of DES in which three separate keys are used to process information. However, some VPNs use SSL encryption when Web-based applications need to be connected securely. Another system, Kerberos, is used in Windows and other OSs to give employees access to network resources for relatively short periods of time through the issuance of “tickets”.
VPNs need to be used in conjunction with firewalls. For the two devices to work together, packet filtering rules need to be set up. The rules cover such protocols as PPTP, L2TP, and IPSec. They have as their ultimate goal the filtering of packets so that only traffic to and from VPN endpoints passes through the VPN, and other traffic is filtered by the firewall to reach specific destinations on the network.