A Quick Trip Through VPN The purpose of this presentation is to define VPNs in general, to briefly describe some technologies used in.


Slide 1

A Quick Trip
Through VPN

The purpose of this presentation is to define VPNs in general, to
briefly describe some technologies used in VPNs, and to introduce
major industry vendors together with the VPN solution of CISCO
Systems

Sklenar Petr, 2-20-2003

CONTENT

1-a VPN Definitions
1-b VPN Segmented
1-c VPN Market
2-a Technology Overview
2-b Layer-2 Tunnels
2-c Layer-3 Tunnels
2-d Upper-Layer Systems
3-a CISCO Enterprise Solution
3-b VPN Future
3-c Resources

1-a

VPN DEFINITIONS

VPNs combine two concepts:
- virtual networks, in which geographically or topographically distributed users and computers interact and are managed as a single (flat) network
- private networks, in which data is protected from eavesdropping and the identities of users and nodes on the network are trusted
VPNs - an alternative to WAN infrastructure:
- deployed on a shared infrastructure, they employ the same security and management as applied in private networks
- can utilize the most pervasive transport technologies of today (the public Internet, ISPs' IP backbones, service providers' ATM and Frame Relay networks)
- cost effective, flexible (no need to pay for leased lines, extendable to "everywhere")

1-a

VPN DEFINITIONS

VPNs based on IP tunnels:
- Encapsulate a data packet within a normal IP packet for forwarding over an IP-based network. The encapsulated packet does not need to be IP, and could, in fact, be any protocol such as IPX, AppleTalk, SNA or DECnet.
- The encapsulated packet does not need to be encrypted and authenticated; however, with most IP-based VPNs, especially those running over the public Internet, encryption is used to ensure privacy and authentication to ensure the integrity of data.
- Mainly self-deployed; users buy connections from an ISP and install VPN equipment which they configure and manage themselves, relying on the ISP only for the physical connections.

1-a

VPN DEFINITIONS

VPNs based on ISDN, Frame Relay or ATM
- Very different from VPNs based on IP tunnels.
- Use public switched data network services and use ISDN B channels, PVCs, or SVCs to separate traffic from other users. Single or multiple B channels, PVCs, or SVCs may be used between sites with additional features such as backup and bandwidth on demand.
- Data packets do not need to be IP, nor do they need to be encrypted. Due to more widespread awareness of security issues, many users now choose to encrypt their data.

1-b

VPN SEGMENTED

VPNs ARE SEGMENTED INTO THREE CATEGORIES:
- Remote access
- Intranets
- Extranets

1-b

VPN SEGMENTED

Remote access

- Connects telecommuters, mobile users and smaller remote offices to the enterprise LAN with minimal traffic to the corporate computing resources.

1-b

VPN SEGMENTED

Site-to-Site services (Intranets)

- Connect fixed locations, branch offices, and home offices within an enterprise WAN.
- VPN services offered to an entire LAN / WAN or just to a selected set of authorized hosts.

1-b

VPN SEGMENTED

Business-to-Business services (Extranets)
- Extend limited access of enterprise computing
resources to business partners, such as suppliers
or customers, enabling access to shared
information.
- Use both topologies – Site-to-Site and Remote
Access.

According to research and consulting companies and to real-time observations, 100 percent of enterprises are expected to supplement their WAN infrastructures with VPNs in a relatively short time.

1-c

VPN MARKET

- The tech market is bursting at the seams with HW-based VPNs, and vendors are filling out product lines to target the smallest of SOHOs all the way to the world's largest companies. The result is a dizzying number of choices from a dizzying number of competitors.
- The VPN market hit approximately $1.4 billion in 2001. Currently, four vendors are carving the lion's share of the market:

Check Point (www.checkpoint.com)
Nortel Networks (www.nortelnetworks.com)
NetScreen Technologies (www.netscreen.com)
Cisco Systems (www.cisco.com)

1-c

VPN MARKET

WHY CISCO VPNs?

- One-stop shop for problem solutions – encompasses all segments of the networking infrastructure – platforms, security, network services and appliances, and management.
- A relatively easy upgrade of the existing CISCO infrastructure - a smooth migration path to a VPN environment by installing VPN modules.
- Low-cost options offered by expanding the product line of PIX firewall / VPN appliances to target small enterprises and remote offices.
- Acceptance and development of IPSec – the next generation network layer crypto platform for Cisco's security platforms.

2-a

TECHNOLOGY OVERVIEW

THE MOST COMMON VPN TECHNOLOGIES

• Layer-2 tunnels – carry point-to-point data link (PPP) connections between tunnel endpoints in remote access VPNs.
- Compulsory mode
- Voluntary mode

• Layer-3 tunnels – provide IP-based virtual connections. Packets routed between tunnel endpoints are wrapped in IETF-defined headers that provide message integrity and confidentiality.
• Secure Shell – to forward any application protocol over an authenticated and encrypted client-server connection
• Secure Sockets Layer – to secure an application protocol's transactions over the network

2-b

LAYER-2 TUNNELS

LAYER-2 – THE MOST COMMONLY USED TUNNELING PROTOCOLS
• PPTP – one of the first protocols, designed by Microsoft
- widely deployed since it is included with NT, 95, 98
- builds on the functionality of PPP, encapsulates PPP by using the GRE (generic routing encapsulation) protocol, and, as a layer-2 protocol, handles traffic other than IP (IPX, NetBEUI)
- supports authentication for dial-in users (PAP or CHAP)
• L2F – developed in the early stages of VPN by CISCO Systems
- can use other media (ATM, frame-relay) and its tunnels can support more than one connection
- support for more authentication systems (RADIUS, TACACS+)
• L2TP – being designed by IETF as the heir apparent to PPTP and L2F, with support for various authentication systems and transport media
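The GRE encapsulation that the PPTP bullet above relies on, and that the IP-tunnel definition in section 1-a describes (an inner packet of any protocol carried inside an IP packet), as an added Python example; it is not code from the presentation, from Microsoft or from Cisco. It assumes the header layouts of RFC 2784 (plain GRE, protocol-type field holding EtherType values) and RFC 2637 (PPTP enhanced GRE: version 1, Key bit set, payload length and call ID in the key field, optional sequence and acknowledgement numbers, protocol type 0x880B for PPP). The IPX and PPP sample payloads are constructed, and the outer IP header (protocol 47) that would carry the GRE packet is left out.

```python
"""GRE encapsulation for IP tunnels (RFC 2784) and PPTP (RFC 2637).
Added example, not code from the presentation; sample payloads are constructed."""
import struct

# GRE protocol-type values are EtherTypes, which is how a non-IP packet
# (IPX, AppleTalk) or a PPP frame is named inside an IP packet.
PROTO_IPV4, PROTO_IPX, PROTO_APPLETALK, PROTO_PPP = 0x0800, 0x8137, 0x809B, 0x880B
FLAG_C, FLAG_K, FLAG_S, FLAG_A = 0x8000, 0x2000, 0x1000, 0x0080  # checksum, key, seq, ack present
VER_MASK = 0x0007


def _field(fmt, buf, off):
    """Unpack one header field, rejecting a truncated buffer with ValueError."""
    size = struct.calcsize(fmt)
    if len(buf) < off + size:
        raise ValueError("truncated GRE header")
    return struct.unpack(fmt, buf[off:off + size])


def gre_encapsulate(inner, proto_type):
    """RFC 2784 GRE: zero flags/version word, then the inner protocol type."""
    return struct.pack("!HH", 0, proto_type) + inner


def pptp_gre_encapsulate(ppp_frame, call_id, seq=None, ack=None):
    """RFC 2637 enhanced GRE around one PPP frame (K always set, version 1)."""
    flags = FLAG_K | 1
    if seq is not None:
        flags |= FLAG_S
    if ack is not None:
        flags |= FLAG_A
    hdr = struct.pack("!HHHH", flags, PROTO_PPP, len(ppp_frame), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + ppp_frame


def gre_decapsulate(buf):
    """Parse either flavour into a dict (proto, version, key fields, seq, ack, payload).
    Raises ValueError rather than mis-parsing a header it cannot handle, or a
    PPTP payload length that disagrees with the data actually carried: that is
    the check a tunnel endpoint should make before trusting the inner packet."""
    flags, proto = _field("!HH", buf, 0)
    if flags & FLAG_C:
        raise ValueError("checksum-present GRE not modelled here")
    info = {"proto": proto, "version": flags & VER_MASK, "key": None,
            "payload_len": None, "call_id": None, "seq": None, "ack": None}
    off = 4
    if flags & FLAG_K:
        if info["version"] == 1:   # PPTP splits the key into payload length + call ID
            info["payload_len"], info["call_id"] = _field("!HH", buf, off)
        else:                      # RFC 2890 key extension: one 32-bit key
            info["key"], = _field("!I", buf, off)
        off += 4
    if flags & FLAG_S:
        info["seq"], = _field("!I", buf, off)
        off += 4
    if flags & FLAG_A:
        info["ack"], = _field("!I", buf, off)
        off += 4
    payload = buf[off:]
    if info["payload_len"] is not None and info["payload_len"] != len(payload):
        raise ValueError("PPTP payload length does not match the data carried")
    info["payload"] = payload
    return info


# Constructed sample inner packets (not captures): an IPX-like packet and a
# PPP frame (address 0xff, control 0x03, protocol 0x0021 = IP) with a dummy body.
SAMPLE_IPX = bytes.fromhex("ffff001e0004") + b"constructed IPX packet body"
SAMPLE_PPP = bytes.fromhex("ff030021") + b"constructed IP datagram inside PPP"


def demo():
    """Round-trip a non-IP packet through plain GRE and a PPP frame through PPTP GRE."""
    plain = gre_decapsulate(gre_encapsulate(SAMPLE_IPX, PROTO_IPX))
    pptp = gre_decapsulate(pptp_gre_encapsulate(SAMPLE_PPP, call_id=7, seq=42))
    return plain, pptp
```

The parser refuses to guess: a checksum-bearing header, a header shorter than its flags promise, or a PPTP payload-length field that does not match the bytes carried all raise instead of yielding a half-parsed inner packet, which is the behaviour a tunnel endpoint wants before it hands the payload to a PPP or IPX stack. Note that neither flavour of GRE provides any confidentiality or integrity by itself; that is exactly why the slides move on to layer-3 protection.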

2-c

LAYER-3 TUNNELS

All of the layer-2 systems provide some level of encryption of the encapsulated data. To achieve total protection, they call for Layer-3 protocols to strengthen the encryption, confidentiality and message integrity.
IPsec – THE BEST VPN SOLUTION FOR IP ENVIRONMENTS
- Multivendor and supported by all major OSs
- Scalable (designed with large enterprises in mind)
- General solution – protects any protocol running above IP and any medium running below
- Designed to secure IP links between machines – cannot provide the same end-to-end (user-to-user) security as systems working at the upper levels (e.g. PGP)
- IPsec gateways can be installed wherever they are required - on firewalls, routers or servers

2-c

LAYER-3 TUNNELS

A list of ICSA Labs certified IPsec products: www.icsalabs.com
THE CORE PROTOCOLS OF IPsec
• ESP (Encapsulating Security Payload) – encrypts and/or authenticates data
• AH (Authentication Header) – provides a packet authentication service
• IKE (Internet Key Exchange) – negotiates connection parameters, including keys
IPsec vs. NAT – an interesting complication

Any attempt to perform NAT operations on IPsec packets between the IPsec gateways creates a basic conflict. In the following scenario (diagram), the guest's VPN client tries to access its VPN server.

2-c

- IPsec wants to authenticate packets and ensure they are
unaltered on a gateway-to-gateway basis
- NAT rewrites packet headers as they go by
- IPsec authentication fails if packets are rewritten anywhere
between the gateways

2-c

LAYER-3 TUNNELS

An example of GUI router configuration of IPsec (screenshots: Configure IKE, Advanced IKE).

2-c

LAYER-3 TUNNELS

To protect the contents of an IP datagram, the data is transformed
using cryptography. Two main transformation types form the
building blocks of IPSec, the AH transformation, and the ESP
transformation. AH and ESP can be used in two modes, transport
and tunnel. AH and ESP can also be combined. The transformations
are configured in a data structure called a security association (SA).
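The AH and ESP transformations, the two modes and the security association just described, together with the NAT conflict from the earlier 2-c slides, in one added Python model. It is not code from the presentation, from Cisco or from any IPsec implementation. Assumptions: HMAC-SHA-256 truncated to 16 bytes stands in for the negotiated integrity algorithm; ESP runs with the NULL cipher (RFC 2410), so only the standard library is needed; the AH integrity check covers a simplified set of immutable fields (addresses and protocol number rather than the full header with mutable fields zeroed); the IPv4 header checksum is left at zero; addresses, key and payload are constructed.

```python
"""IPsec building blocks as a small model: a security association (SA), AH
in transport mode, ESP in tunnel mode, and what a router hop or a NAT does
to each.  Added example, not from the presentation.  Assumptions: HMAC-SHA-256
truncated to 16 bytes as the integrity algorithm, the ESP NULL cipher
(RFC 2410) so only the standard library is needed, simplified AH coverage
(addresses and protocol, not every immutable field), IP checksum left zero."""
import hashlib, hmac, struct
from dataclasses import dataclass
from ipaddress import IPv4Address

AH_PROTO, ESP_PROTO, ICV_LEN = 51, 50, 16   # IP protocol numbers; truncated ICV size
IP_FMT = "!BBHHHBBH4s4s"                    # minimal 20-byte IPv4 header, no options


@dataclass(frozen=True)
class SA:
    """One direction of protection; the receiver selects it by SPI."""
    spi: int
    protocol: int          # AH_PROTO or ESP_PROTO
    mode: str              # "transport" or "tunnel"
    auth_key: bytes
    outer_src: str = ""    # tunnel mode only: the gateway addresses
    outer_dst: str = ""


def ip_header(src, dst, proto, payload_len, ttl=64):
    return struct.pack(IP_FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def parse_ip(pkt):
    f = struct.unpack(IP_FMT, pkt[:20])
    return {"ttl": f[5], "proto": f[6], "src": str(IPv4Address(f[8])),
            "dst": str(IPv4Address(f[9])), "payload": pkt[20:]}


def icv(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def _ah_covered(src, dst, ah_fixed, payload):
    # Addresses are immutable in transit, so AH binds them; TTL is mutable and excluded.
    return IPv4Address(src).packed + IPv4Address(dst).packed + bytes([AH_PROTO]) + ah_fixed + payload


def ah_transport_protect(sa, src, dst, next_hdr, payload, seq):
    """AH transport mode: IP | AH(next, len, spi, seq, ICV) | original payload."""
    ah_fixed = struct.pack("!BBHII", next_hdr, (12 + ICV_LEN) // 4 - 2, 0, sa.spi, seq)
    tag = icv(sa.auth_key, _ah_covered(src, dst, ah_fixed, payload))
    return ip_header(src, dst, AH_PROTO, 12 + ICV_LEN + len(payload)) + ah_fixed + tag + payload


def ah_transport_verify(sa, pkt):
    h = parse_ip(pkt)
    ah_fixed, tag, payload = h["payload"][:12], h["payload"][12:12 + ICV_LEN], h["payload"][12 + ICV_LEN:]
    return hmac.compare_digest(tag, icv(sa.auth_key, _ah_covered(h["src"], h["dst"], ah_fixed, payload)))


def esp_tunnel_protect(sa, inner_pkt, seq):
    """ESP tunnel mode: outer IP | ESP(spi, seq) | whole inner IP packet | pad, pad len,
    next header 4 (IP-in-IP) | ICV.  The ICV covers SPI through next header, never the outer IP."""
    pad_len = (-(len(inner_pkt) + 2)) % 4               # trailer ends on a 32-bit boundary
    body = struct.pack("!II", sa.spi, seq) + inner_pkt + bytes(pad_len) + bytes([pad_len, 4])
    esp = body + icv(sa.auth_key, body)
    return ip_header(sa.outer_src, sa.outer_dst, ESP_PROTO, len(esp)) + esp


def esp_tunnel_unprotect(sa, pkt):
    """Returns the inner packet, or None when the ICV does not verify."""
    esp = parse_ip(pkt)["payload"]
    body, tag = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(sa.auth_key, body)):
        return None
    return body[8:len(body) - 2 - body[-2]]


def router_hop(pkt):
    """An ordinary router: decrements TTL, touches nothing else."""
    h = parse_ip(pkt)
    return ip_header(h["src"], h["dst"], h["proto"], len(h["payload"]), h["ttl"] - 1) + h["payload"]


def nat_rewrite_src(pkt, new_src):
    """A source NAT: rewrites the source address, leaves the payload alone."""
    h = parse_ip(pkt)
    return ip_header(new_src, h["dst"], h["proto"], len(h["payload"]), h["ttl"]) + h["payload"]


def demo():
    """Constructed hosts, key and payload; reports which checks survive each middlebox."""
    key = b"constructed-demo-key-not-for-real-use"
    sa_ah = SA(0x100, AH_PROTO, "transport", key)
    sa_esp = SA(0x200, ESP_PROTO, "tunnel", key, "203.0.113.10", "198.51.100.1")
    payload = b"GET / HTTP/1.0\r\n\r\n"
    inner = ip_header("10.0.0.5", "10.1.0.7", 6, len(payload)) + payload
    ah_pkt = ah_transport_protect(sa_ah, "10.0.0.5", "10.1.0.7", 6, payload, seq=1)
    esp_pkt = esp_tunnel_protect(sa_esp, inner, seq=1)
    return {
        "ah_intact": ah_transport_verify(sa_ah, ah_pkt),
        "ah_after_router_hop": ah_transport_verify(sa_ah, router_hop(ah_pkt)),
        "ah_after_nat": ah_transport_verify(sa_ah, nat_rewrite_src(ah_pkt, "203.0.113.99")),
        "esp_intact": esp_tunnel_unprotect(sa_esp, esp_pkt) == inner,
        "esp_after_nat": esp_tunnel_unprotect(sa_esp, nat_rewrite_src(esp_pkt, "203.0.113.99")) == inner,
    }
```

The model reproduces the three bullets from the NAT slide: an ordinary router hop (TTL decrement) leaves the AH check valid because TTL is a mutable field outside the ICV, while a NAT address rewrite breaks it because the addresses are bound. ESP in tunnel mode survives the one-to-one address rewrite here because its ICV stops before the outer header; in practice the conflict remains, since ESP carries no port numbers for a many-to-one NAT to multiplex return traffic on, and in transport mode the inner TCP or UDP checksum still covers the original addresses that the NAT changed.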

2-d

UPPER-LAYER SYSTEMS

Secure Sockets Layer (SSL)
- developed by Netscape and RSA (public-private key encryption) to transmit private documents via the Internet
- uses a program layer located between the HTTP and TCP layers to secure transmission
- handles the encryption part of a secure HTTP transaction; a Digital Certificate is necessary to provide server authentication
Whereas SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely, S-HTTP was designed to transmit individual messages securely.
SSL evolved into TLS (Transport Layer Security) – IETF standard
- SSL and TLS clients are an integral part of several Web browsers
- TLS Record Protocol provides an encrypted connection
- TLS Handshake Protocol allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before data is exchanged.

2-d

UPPER-LAYER SYSTEMS

An example of authentication via a self-issued Digital Certificate (screenshot):

After authentication and login, I can control my firewall logs from anywhere… (screenshot)

2-d

UPPER-LAYER SYSTEMS

… and finally, perhaps to run a few useful commands thanks to SSH (screenshot)

2-d

UPPER-LAYER SYSTEMS

Secure Shell (SSH)
- developed by SSH Communications Security Ltd. to log into another computer over a network, to execute commands on a remote machine, and to move files from one machine to another
- provides strong authentication and encryption over insecure channels
- an inexpensive method of providing trusted users with secure remote access to a single application, but requires installing SSH client software
SSH2 – a powerful protocol suite developed by IETF
SSHD2 (Secure Shell Daemon) – server for SSH2
SCP2 (Secure Copy) - to copy files over the network securely
SFTP2 - ftp-like client used for secure file transfer
• APPLICATION LAYER SECURITY TECHNIQUES (e.g. TLS & SSH) THAT DO NOT MAKE USE OF OR DEPEND ON IP ADDRESSES WILL WORK CORRECTLY IN THE PRESENCE OF NAT

2-d

UPPER-LAYER SYSTEMS

E-mail-protection systems: S/MIME and OpenPGP

3-a

CISCO ENTERPRISE SOLUTION

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

3-b

VPN FUTURE

- integration of multimedia and VoIP - the focus falling on delivery of quality of service (QoS) and class of service (CoS) over IP networks as part of a VPN
- voice and data services merging into one (voice over IP, IP fax), and new network services being developed to offer the QoS/CoS required for data, telephony and fax
- all communication devices becoming IP addressable - providing voice, fax, video and data to the desktop – using VPN security protocols
- name servers becoming very useful for configuring and reconfiguring VPNs - work in progress to extend the use of DNS servers to provide a secure (IP Security-based) mechanism for routers to find peer routers and for clients to find servers

3-c

RESOURCES

www.networkmagazine.com
www.cisco.com
www.sans.org
www.freeswan.org
www.iec.org

Petr Sklenar
[email protected]


Slide 2

A Quick Trip
Through VPN

The purpose of this presentation is to define VPNs in general, to
briefly describe some technologies used in VPNs, and to introduce
major industry vendors together with the VPN solution of CISCO
Systems

Sklenar Petr, 2-20-2003

CONTENT

1-a VPN Definitions
1-b VPN Segmented
1-c VPN Market
2–a
2-b
2-c
2-d

Technology Overview
Layer-2 Tunnels
Layer-3 Tunnels
Upper-Layer Systems

3–a CISCO Enterprise Solution
3-b VPN Future
3-c Resources

1-a

VPN DEFINITIONS

VPNs combine two concepts:
–virtual networks in which geographically or
topographically distributed users and computers
interact and are managed as a single (flat)
network
- private networks in which data is protected from
eavesdropping and the identities of users and
nodes on the network are trusted
VPNs - an alternative to WAN infrastructure:
- deployed on a shared infrastructure employ the
same security and management as applied in
private networks
- can utilize the most pervasive transport
technologies of today (the public Internet, ISPs
IP backbones, service providers ATM and Frame
Relay networks)
- cost effective, flexible (no need to pay for leased
lines, extendable to “everywhere”)

1-a

VPN DEFINITIONS

VPNs based on IP tunnels:
- Encapsulate a data packet within a normal IP
packet for forwarding over an IP-based network.
The encapsulated packet does not need to be IP,
and could, in fact, be any protocol such as IPX,
AppleTalk, SNA or DECnet.
- The encapsulated packet does not need to be
encrypted and authenticated; however, with most
IP based VPNs, especially those running over the
public Internet, encryption is used to ensure
privacy and authentication to ensure integrity of
data.
- Mainly self-deployed; users buy connections from
an ISP and install VPN equipment which they
configure and manage themselves, relying on the
ISP only for the physical connections.

1-a

VPN DEFINITIONS

VPNs based on ISDN, Frame Relay or ATM
- Very different from VPNs based on IP tunnels.
- Use public switched data network services and
use ISDN B channels, PVCs, or SVCs to separate
traffic from other users. Single or multiple B
channels, PVCs, or SVCs may be used between
sites with additional features such as backup and
bandwidth on demand.
- Data packets do not need to be IP, nor do they
need to be encrypted. Due to more wide-spread
awareness about security issue, many users now
choose to encrypt their data.

1-b

VPN SEGMENTED

VPNs ARE SEGMENTED INTO THREE CATEGORIES:
- Remote access
- Intranets
- Extranets

1-b

VPN SEGMENTED

Remote access

- Connects telecommuters, mobile users, smaller
remote offices to the enterprise LAN with minimal
traffic to the corporate computing resources.

1-b

VPN SEGMENTED

Site-to-Site services (Intranets)

- Connect fixed locations, branch offices, and home
offices, within an enterprise WAN.
- VPN services offered to entire LAN / WAN or just
to selected set of authorized hosts.

1-b

VPN SEGMENTED

Business-to-Business services (Extranets)
- Extend limited access of enterprise computing
resources to business partners, such as suppliers
or customers, enabling access to shared
information.
- Use both topologies – Site-to-Site and Remote
Access.

According to research and consulting companies
and to real-time observations, 100 percent of
enterprises are expected to supplement their
WAN infrastructures with VPNs in relatively short
time.

1-c

VPN MARKET

- The tech market is bursting at the seams with HW based
VPNs, and vendors are filling out product lines to target
the smallest of SOHOs all the way to the world’s largest
companies. The result is a dizzying number of choices
from a dizzying number of competitor’s.
- The VPN market hit approximately $1.4 billion in 2001.
Currently, four vendors are carving the lion’s share of the
market:

Check Point (www.checkpoint.com)
Nortel Networks (www.nortelnetworks.com)
NetScreen Technologies (www.netscreen.com)
Cisco Systems (www.cisco.com)

1-c

VPN MARKET

WHY CISCO VPNs?

- One-stop shop for problem solutions – encompass all
segments of the networking infrastructure – platforms,
security, network services and appliances, and management.
- Relatively an easy upgrade of the existing CISCO
infrastructure - a smooth migration path to a VPN
environment by installing VPN modules.
- Low-cost options offered with expanding the product line of
PIX firewall / VPN appliances to target small enterprises and
remote offices.
- Acceptance and development of IPSec – the next generation
network layer crypto platform for Cisco’s security platforms.

2-a

TECHNOLOGY OVERVIEW

THE MOST COMMON VPN TECHNOLOGIES

 Layer-2 tunnels – carry point-to-point data link (PPP)
connections between tunnel endpoints in remote access
VPNs.
- Compulsory mode
- Voluntary mode

 Layer-3 tunnels – provide IP-based virtual connections.
Packets routed between tunnel endpoints wrapped by IETF
defined headers that provide message integrity and
confidentiality.
 Secure Shell – to forward any application protocol over an
authenticated and encrypted client-server connection
 Secure Sockets Layer – to secure application protocol’s
transaction over network

2-b

LAYER-2 TUNNELS

LAYER-2 – THE MOST COMMONLY USED TUNNELING PROTOCOLS
 PPTP – one of the first protocols, designed by Microsoft
- widely deployed since included with NT,95,98
- builds on functionality of PPP, encapsulates PPP by using the
GRE (generic routing encapsulation) protocol, and, as a layer-2
protocol, handles other than IP traffic (IPX, NetBEUI)
- supports authentication for dial-in user (PAP or CHAP)
 L2F – developed in the early stages of VPN by CISCO Systems
- can use other media (ATM, frame-relay) and its tunnels can
support more than one connection
- support for more authentication systems (RADIUS, TACACS+)
 L2FT – being designed by IETF, as the heir apparent to PPTP and
L2F, with support for various authentication systems and transport
media

2-c

LAYER-3 TUNNELS

All of the layer-2 systems provide some level of encryption of
the encapsulated data. To achieve a total protection, they call
for Layer-3 protocols
to strengthen the encryption,
confidentiality and message integrity.
IPsec – THE BEST VPN SOLUTION FOR IP ENVIRONMENTS
- Multivendor and supported by all major OSs
- Scalable (designed with large enterprises in mind)
- General solution – protects any protocol running above IP
and any medium running below
- Designed to secure IP links between machines – cannot
provide the same end-to-end (user-to-user) security as
systems working at the upper levels (i.e. PGP)
- IPsec gateways can be installed whereever they are required
- on firewalls, routers or servers

2-c

LAYER-3 TUNNELS

A list of ICSA Labs certified IPsec products: www.icsalabs.com
THE CORE PROTOCOLS OF IPsec
 ESP (Encapsulating Security Payload) – encrypts and/or
authenticates data
 AH (Authentication Header) – provides a packet authentication
service
 IKE (Internet Key Exchange) – negotiates connection parameters
including keys
IPsec vs. NAT – an interesting complication

Any attempt to perform NAT operations on IPsec packets between
the IPsec gateways creates a basic conflict. In the following
scenario, guest’s VPN client will try to access its VPN server.

2-c

- IPsec wants to authenticate packets and ensure they are
unaltered on a gateway-to-gateway basis
- NAT rewrites packet headers as they go by
- IPsec authentication fails if packets are rewritten anywhere
between the gateways

2-c

LAYER-3 TUNNELS

An example of GUI router configuration of IPsec:

2-c

Configure IKE

Advanced IKE

2-c

LAYER-3 TUNNELS

To protect the contents of an IP datagram, the data is transformed
using cryptography. Two main transformation types form the
building blocks of IPSec, the AH transformation, and the ESP
transformation. AH and ESP can be used in two modes, transport
and tunnel. AH and ESP can also be combined. The transformations
are configured in a data structure called a security association (SA).

2-d

UPPER-LAYER SYSTEMS

Secure Sockets Layer (SSL)
- developed by Netscape and RSA (public-private key encryption)
to transmit private documents via the Internet
- uses a program layer located between HTTP and TCP layers to
secure transmission
- handles the encryption part of a secure HTTP transaction, a
Digital Certificate is necessary to provide server authentication
Whereas SSL creates a secure connection between a client and a
server, over which any amount of data can be sent securely,
S-HTTP was designed to transmit individual messages securely.
SSL evolved in TLS (Transport Layer Security) – IETF standard
- SSL and TSL clients are integral part of several Web browsers
- TLS Record Protocol provides encrypted connection
- TLS Handshake Protocol allows the server and client to
authenticate each other and to negotiate an encryption algorithm
and cryptographic keys before data is exchanged.

2-d

UPPER-LAYER SYSTEMS

An example of authentication via self-issued Digital Certificate:

2-d

After
authentication
and login,
I can control my
firewall logs
from anywhere…

UPPER-LAYER SYSTEMS

2-d

UPPER-LAYER SYSTEMS

… and finally, perhaps to run a few useful commands thanks to SSH

2-d

UPPER-LAYER SYSTEMS

Secure Shell (SSH)
- developed by SSH Communications Security Ltd. to log into
another computer over a network, to execute commands in a
remote machine, and to move files from one machine to another
- provides strong authentication and encryption over insecure
channels
-an inexpensive method of providing trusted users with secure
remote access to a single application, but requires installing SSH
client software
SSH2 – a powerful protocol suite developed by IETF
SSHD2 (Secure Shell Deamon) – server for SSH2
SCP2 (Secure Copy) - to copy files over the network securely
SFTP2 - ftp-like client used for secure file transfer
 APPLICATION LAYER SECURITY TECHNIQUES (i.e. TLS & SSH)
THAT DO NOT MAKE USE OF OR DEPEND ON IP ADDRESSES
WILL WORK CORRECLTY IN THE PRESENCE OF NAT

2-d

UPPER-LAYER SYSTEMS

E-mail-protection systems: S/MIME and OpenPGP

3-a

CISCO ENTERPRISE SOLUTION

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

2-d

VPN FUTURE

-integration of multimedia and VoIP - the focus falling on
delivery of quality of service (QoS) and class of service
(CoS) over IP networks as part of a VPN
- voice and data services merging into one (voice over IP, IP
fax), and new network services being developed to offer the
QoS/CoS required for data, telephony and fax - all
communication devices becoming IP addressable - providing
voice, fax, video and data to the desktop – using VPN security
protocol
- name servers becoming very useful for configuring and
reconfiguring VPNs - work being in progress to extend the use
of DNS servers to provide a secure (IP Security-based)
mechanism for routers to find peer routers and for clients to
find servers

3-b

www.networkmagazine.com
www.cisco.com
www.sans.org
www.freeswan.org
www.iec.org

Petr Sklenar
[email protected]

RESOURCES


Slide 3

A Quick Trip
Through VPN

The purpose of this presentation is to define VPNs in general, to
briefly describe some technologies used in VPNs, and to introduce
major industry vendors together with the VPN solution of CISCO
Systems

Sklenar Petr, 2-20-2003

CONTENT

1-a VPN Definitions
1-b VPN Segmented
1-c VPN Market
2–a
2-b
2-c
2-d

Technology Overview
Layer-2 Tunnels
Layer-3 Tunnels
Upper-Layer Systems

3–a CISCO Enterprise Solution
3-b VPN Future
3-c Resources

1-a

VPN DEFINITIONS

VPNs combine two concepts:
–virtual networks in which geographically or
topographically distributed users and computers
interact and are managed as a single (flat)
network
- private networks in which data is protected from
eavesdropping and the identities of users and
nodes on the network are trusted
VPNs - an alternative to WAN infrastructure:
- deployed on a shared infrastructure employ the
same security and management as applied in
private networks
- can utilize the most pervasive transport
technologies of today (the public Internet, ISPs
IP backbones, service providers ATM and Frame
Relay networks)
- cost effective, flexible (no need to pay for leased
lines, extendable to “everywhere”)

1-a

VPN DEFINITIONS

VPNs based on IP tunnels:
- Encapsulate a data packet within a normal IP
packet for forwarding over an IP-based network.
The encapsulated packet does not need to be IP,
and could, in fact, be any protocol such as IPX,
AppleTalk, SNA or DECnet.
- The encapsulated packet does not need to be
encrypted and authenticated; however, with most
IP based VPNs, especially those running over the
public Internet, encryption is used to ensure
privacy and authentication to ensure integrity of
data.
- Mainly self-deployed; users buy connections from
an ISP and install VPN equipment which they
configure and manage themselves, relying on the
ISP only for the physical connections.

1-a

VPN DEFINITIONS

VPNs based on ISDN, Frame Relay or ATM
- Very different from VPNs based on IP tunnels.
- Use public switched data network services and
use ISDN B channels, PVCs, or SVCs to separate
traffic from other users. Single or multiple B
channels, PVCs, or SVCs may be used between
sites with additional features such as backup and
bandwidth on demand.
- Data packets do not need to be IP, nor do they
need to be encrypted. Due to more wide-spread
awareness about security issue, many users now
choose to encrypt their data.

1-b

VPN SEGMENTED

VPNs ARE SEGMENTED INTO THREE CATEGORIES:
- Remote access
- Intranets
- Extranets

1-b

VPN SEGMENTED

Remote access

- Connects telecommuters, mobile users, smaller
remote offices to the enterprise LAN with minimal
traffic to the corporate computing resources.

1-b

VPN SEGMENTED

Site-to-Site services (Intranets)

- Connect fixed locations, branch offices, and home
offices, within an enterprise WAN.
- VPN services offered to entire LAN / WAN or just
to selected set of authorized hosts.

1-b

VPN SEGMENTED

Business-to-Business services (Extranets)
- Extend limited access of enterprise computing
resources to business partners, such as suppliers
or customers, enabling access to shared
information.
- Use both topologies – Site-to-Site and Remote
Access.

According to research and consulting companies
and to real-time observations, 100 percent of
enterprises are expected to supplement their
WAN infrastructures with VPNs in relatively short
time.

1-c

VPN MARKET

- The tech market is bursting at the seams with HW based
VPNs, and vendors are filling out product lines to target
the smallest of SOHOs all the way to the world’s largest
companies. The result is a dizzying number of choices
from a dizzying number of competitor’s.
- The VPN market hit approximately $1.4 billion in 2001.
Currently, four vendors are carving the lion’s share of the
market:

Check Point (www.checkpoint.com)
Nortel Networks (www.nortelnetworks.com)
NetScreen Technologies (www.netscreen.com)
Cisco Systems (www.cisco.com)

1-c

VPN MARKET

WHY CISCO VPNs?

- One-stop shop for problem solutions – encompass all
segments of the networking infrastructure – platforms,
security, network services and appliances, and management.
- Relatively an easy upgrade of the existing CISCO
infrastructure - a smooth migration path to a VPN
environment by installing VPN modules.
- Low-cost options offered with expanding the product line of
PIX firewall / VPN appliances to target small enterprises and
remote offices.
- Acceptance and development of IPSec – the next generation
network layer crypto platform for Cisco’s security platforms.

2-a

TECHNOLOGY OVERVIEW

THE MOST COMMON VPN TECHNOLOGIES

 Layer-2 tunnels – carry point-to-point data link (PPP)
connections between tunnel endpoints in remote access
VPNs.
- Compulsory mode
- Voluntary mode

 Layer-3 tunnels – provide IP-based virtual connections.
Packets routed between tunnel endpoints wrapped by IETF
defined headers that provide message integrity and
confidentiality.
 Secure Shell – to forward any application protocol over an
authenticated and encrypted client-server connection
 Secure Sockets Layer – to secure application protocol’s
transaction over network

2-b

LAYER-2 TUNNELS

LAYER-2 – THE MOST COMMONLY USED TUNNELING PROTOCOLS
 PPTP – one of the first protocols, designed by Microsoft
- widely deployed since included with NT,95,98
- builds on functionality of PPP, encapsulates PPP by using the
GRE (generic routing encapsulation) protocol, and, as a layer-2
protocol, handles other than IP traffic (IPX, NetBEUI)
- supports authentication for dial-in user (PAP or CHAP)
 L2F – developed in the early stages of VPN by CISCO Systems
- can use other media (ATM, frame-relay) and its tunnels can
support more than one connection
- support for more authentication systems (RADIUS, TACACS+)
 L2FT – being designed by IETF, as the heir apparent to PPTP and
L2F, with support for various authentication systems and transport
media

2-c

LAYER-3 TUNNELS

All of the layer-2 systems provide some level of encryption of
the encapsulated data. To achieve a total protection, they call
for Layer-3 protocols
to strengthen the encryption,
confidentiality and message integrity.
IPsec – THE BEST VPN SOLUTION FOR IP ENVIRONMENTS
- Multivendor and supported by all major OSs
- Scalable (designed with large enterprises in mind)
- General solution – protects any protocol running above IP
and any medium running below
- Designed to secure IP links between machines – cannot
provide the same end-to-end (user-to-user) security as
systems working at the upper levels (i.e. PGP)
- IPsec gateways can be installed whereever they are required
- on firewalls, routers or servers

2-c

LAYER-3 TUNNELS

A list of ICSA Labs certified IPsec products: www.icsalabs.com
THE CORE PROTOCOLS OF IPsec
 ESP (Encapsulating Security Payload) – encrypts and/or
authenticates data
 AH (Authentication Header) – provides a packet authentication
service
 IKE (Internet Key Exchange) – negotiates connection parameters
including keys
IPsec vs. NAT – an interesting complication

Any attempt to perform NAT operations on IPsec packets between
the IPsec gateways creates a basic conflict. In the following
scenario, guest’s VPN client will try to access its VPN server.

2-c

- IPsec wants to authenticate packets and ensure they are
unaltered on a gateway-to-gateway basis
- NAT rewrites packet headers as they go by
- IPsec authentication fails if packets are rewritten anywhere
between the gateways

2-c

LAYER-3 TUNNELS

An example of GUI router configuration of IPsec:

2-c

Configure IKE

Advanced IKE

2-c

LAYER-3 TUNNELS

To protect the contents of an IP datagram, the data is transformed
using cryptography. Two main transformation types form the
building blocks of IPSec, the AH transformation, and the ESP
transformation. AH and ESP can be used in two modes, transport
and tunnel. AH and ESP can also be combined. The transformations
are configured in a data structure called a security association (SA).

2-d

UPPER-LAYER SYSTEMS

Secure Sockets Layer (SSL)
- developed by Netscape and RSA (public-private key encryption)
to transmit private documents via the Internet
- uses a program layer located between HTTP and TCP layers to
secure transmission
- handles the encryption part of a secure HTTP transaction, a
Digital Certificate is necessary to provide server authentication
Whereas SSL creates a secure connection between a client and a
server, over which any amount of data can be sent securely,
S-HTTP was designed to transmit individual messages securely.
SSL evolved in TLS (Transport Layer Security) – IETF standard
- SSL and TSL clients are integral part of several Web browsers
- TLS Record Protocol provides encrypted connection
- TLS Handshake Protocol allows the server and client to
authenticate each other and to negotiate an encryption algorithm
and cryptographic keys before data is exchanged.

2-d

UPPER-LAYER SYSTEMS

An example of authentication via self-issued Digital Certificate:

2-d

After
authentication
and login,
I can control my
firewall logs
from anywhere…

UPPER-LAYER SYSTEMS

2-d

UPPER-LAYER SYSTEMS

… and finally, perhaps to run a few useful commands thanks to SSH

2-d

UPPER-LAYER SYSTEMS

Secure Shell (SSH)
- developed by SSH Communications Security Ltd. to log into
another computer over a network, to execute commands on a
remote machine, and to move files from one machine to another
- provides strong authentication and encryption over insecure
channels
- an inexpensive method of providing trusted users with secure
remote access to a single application, but requires installing SSH
client software
SSH2 – a powerful protocol suite developed by the IETF
SSHD2 (Secure Shell Daemon) – server for SSH2
SCP2 (Secure Copy) – to copy files over the network securely
SFTP2 – ftp-like client used for secure file transfer
 APPLICATION LAYER SECURITY TECHNIQUES (e.g. TLS & SSH)
THAT DO NOT MAKE USE OF OR DEPEND ON IP ADDRESSES
WILL WORK CORRECTLY IN THE PRESENCE OF NAT
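The NAT statement above, together with the AH/ESP transformations and the transport/tunnel modes described under Layer-3 tunnels, as an added Python example that is not part of the original slides: a constructed, simplified packet model shows why an Authentication Header ICV (computed over the IP addresses and the payload) stops verifying once NAT rewrites the source address, in transport mode and in tunnel mode alike, whereas a TLS/SSH-style MAC that covers only the record is unaffected. All addresses, keys and the payload are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Constructed, simplified IP packet: addresses, TTL and payload."""
    src: str
    dst: str
    ttl: int
    payload: bytes


def _addr(a: str) -> bytes:
    return ipaddress.IPv4Address(a).packed


def serialize(pkt: Packet) -> bytes:
    """Wire form of the simplified packet (header followed by payload)."""
    return _addr(pkt.src) + _addr(pkt.dst) + bytes([pkt.ttl]) + pkt.payload


def _ah_covered_bytes(pkt: Packet) -> bytes:
    # AH's integrity check value covers the IP header and the payload;
    # a field that legitimately changes in transit (TTL here) is treated
    # as zero, but the source and destination addresses are covered.
    return _addr(pkt.src) + _addr(pkt.dst) + bytes([0]) + pkt.payload


def ah_icv(pkt: Packet, sa_key: bytes) -> bytes:
    """Authentication Header ICV under a security association (SA) key."""
    return hmac.new(sa_key, _ah_covered_bytes(pkt), hashlib.sha256).digest()


def ah_verify(pkt: Packet, icv: bytes, sa_key: bytes) -> bool:
    return hmac.compare_digest(ah_icv(pkt, sa_key), icv)


def tunnel_encapsulate(inner: Packet, gw_src: str, gw_dst: str) -> Packet:
    """Tunnel mode: the whole inner packet rides as the payload of a new
    outer packet addressed between the two IPsec gateways."""
    return Packet(src=gw_src, dst=gw_dst, ttl=64, payload=serialize(inner))


def record_mac(record: bytes, session_key: bytes) -> bytes:
    """Application-layer integrity (TLS/SSH style): covers the record only,
    never the IP addresses that carried it."""
    return hmac.new(session_key, record, hashlib.sha256).digest()


def record_verify(record: bytes, mac: bytes, session_key: bytes) -> bool:
    return hmac.compare_digest(record_mac(record, session_key), mac)


def forward_through_router(pkt: Packet) -> Packet:
    """An ordinary hop only decrements TTL, a field AH ignores."""
    return replace(pkt, ttl=pkt.ttl - 1)


def nat_rewrite(pkt: Packet, public_src: str) -> Packet:
    """Source NAT rewrites the source address (and decrements TTL)."""
    return replace(pkt, src=public_src, ttl=pkt.ttl - 1)


def demo() -> dict:
    """Run the four cases; all values below are constructed samples."""
    sa_key = b"constructed-ipsec-sa-key"
    session_key = b"constructed-tls-session-key"
    host = Packet(src="10.0.0.5", dst="203.0.113.10", ttl=64,
                  payload=b"GET /firewall-logs HTTP/1.0\r\n")

    # Transport mode: AH protects the host's own packet.
    transport_icv = ah_icv(host, sa_key)
    # Tunnel mode: AH protects the outer packet between the gateways.
    outer = tunnel_encapsulate(host, "192.0.2.1", "203.0.113.1")
    tunnel_icv = ah_icv(outer, sa_key)
    # Application layer: a TLS/SSH-style MAC over the record alone.
    mac = record_mac(host.payload, session_key)

    nat_ip = "198.51.100.7"
    return {
        "ah_transport_after_router":
            ah_verify(forward_through_router(host), transport_icv, sa_key),
        "ah_transport_after_nat":
            ah_verify(nat_rewrite(host, nat_ip), transport_icv, sa_key),
        "ah_tunnel_after_nat":
            ah_verify(nat_rewrite(outer, nat_ip), tunnel_icv, sa_key),
        "record_after_nat":
            record_verify(nat_rewrite(host, nat_ip).payload, mac, session_key),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verifies' if ok else 'FAILS'}")
```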

2-d

UPPER-LAYER SYSTEMS

E-mail-protection systems: S/MIME and OpenPGP

3-a

CISCO ENTERPRISE SOLUTION

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

3-b

VPN FUTURE

- integration of multimedia and VoIP – the focus falling on
delivery of quality of service (QoS) and class of service
(CoS) over IP networks as part of a VPN
- voice and data services merging into one (voice over IP, IP
fax), and new network services being developed to offer the
QoS/CoS required for data, telephony and fax; all
communication devices becoming IP addressable, providing
voice, fax, video and data to the desktop using a VPN security
protocol
- name servers becoming very useful for configuring and
reconfiguring VPNs; work is in progress to extend the use
of DNS servers to provide a secure (IP Security-based)
mechanism for routers to find peer routers and for clients to
find servers

3-c

RESOURCES

www.networkmagazine.com
www.cisco.com
www.sans.org
www.freeswan.org
www.iec.org

Petr Sklenar
[email protected]


Slide 6

A Quick Trip
Through VPN

The purpose of this presentation is to define VPNs in general, to
briefly describe some technologies used in VPNs, and to introduce
major industry vendors together with the VPN solution of CISCO
Systems

Sklenar Petr, 2-20-2003

CONTENT

1-a VPN Definitions
1-b VPN Segmented
1-c VPN Market
2–a
2-b
2-c
2-d

Technology Overview
Layer-2 Tunnels
Layer-3 Tunnels
Upper-Layer Systems

3–a CISCO Enterprise Solution
3-b VPN Future
3-c Resources

1-a

VPN DEFINITIONS

VPNs combine two concepts:
–virtual networks in which geographically or
topographically distributed users and computers
interact and are managed as a single (flat)
network
- private networks in which data is protected from
eavesdropping and the identities of users and
nodes on the network are trusted
VPNs - an alternative to WAN infrastructure:
- deployed on a shared infrastructure employ the
same security and management as applied in
private networks
- can utilize the most pervasive transport
technologies of today (the public Internet, ISPs
IP backbones, service providers ATM and Frame
Relay networks)
- cost effective, flexible (no need to pay for leased
lines, extendable to “everywhere”)

1-a

VPN DEFINITIONS

VPNs based on IP tunnels:
- Encapsulate a data packet within a normal IP
packet for forwarding over an IP-based network.
The encapsulated packet does not need to be IP,
and could, in fact, be any protocol such as IPX,
AppleTalk, SNA or DECnet.
- The encapsulated packet does not need to be
encrypted and authenticated; however, with most
IP based VPNs, especially those running over the
public Internet, encryption is used to ensure
privacy and authentication to ensure integrity of
data.
- Mainly self-deployed; users buy connections from
an ISP and install VPN equipment which they
configure and manage themselves, relying on the
ISP only for the physical connections.

1-a

VPN DEFINITIONS

VPNs based on ISDN, Frame Relay or ATM
- Very different from VPNs based on IP tunnels.
- Use public switched data network services and
use ISDN B channels, PVCs, or SVCs to separate
traffic from other users. Single or multiple B
channels, PVCs, or SVCs may be used between
sites with additional features such as backup and
bandwidth on demand.
- Data packets do not need to be IP, nor do they
need to be encrypted. Due to more wide-spread
awareness about security issue, many users now
choose to encrypt their data.

1-b

VPN SEGMENTED

VPNs ARE SEGMENTED INTO THREE CATEGORIES:
- Remote access
- Intranets
- Extranets

1-b

VPN SEGMENTED

Remote access

- Connects telecommuters, mobile users, smaller
remote offices to the enterprise LAN with minimal
traffic to the corporate computing resources.

1-b

VPN SEGMENTED

Site-to-Site services (Intranets)

- Connect fixed locations, branch offices, and home
offices, within an enterprise WAN.
- VPN services offered to entire LAN / WAN or just
to selected set of authorized hosts.

1-b

VPN SEGMENTED

Business-to-Business services (Extranets)
- Extend limited access of enterprise computing
resources to business partners, such as suppliers
or customers, enabling access to shared
information.
- Use both topologies – Site-to-Site and Remote
Access.

According to research and consulting companies
and to real-time observations, 100 percent of
enterprises are expected to supplement their
WAN infrastructures with VPNs in relatively short
time.

1-c

VPN MARKET

- The tech market is bursting at the seams with HW based
VPNs, and vendors are filling out product lines to target
the smallest of SOHOs all the way to the world’s largest
companies. The result is a dizzying number of choices
from a dizzying number of competitor’s.
- The VPN market hit approximately $1.4 billion in 2001.
Currently, four vendors are carving the lion’s share of the
market:

Check Point (www.checkpoint.com)
Nortel Networks (www.nortelnetworks.com)
NetScreen Technologies (www.netscreen.com)
Cisco Systems (www.cisco.com)

1-c

VPN MARKET

WHY CISCO VPNs?

- One-stop shop for problem solutions – encompass all
segments of the networking infrastructure – platforms,
security, network services and appliances, and management.
- Relatively an easy upgrade of the existing CISCO
infrastructure - a smooth migration path to a VPN
environment by installing VPN modules.
- Low-cost options offered with expanding the product line of
PIX firewall / VPN appliances to target small enterprises and
remote offices.
- Acceptance and development of IPSec – the next generation
network layer crypto platform for Cisco’s security platforms.

2-a

TECHNOLOGY OVERVIEW

THE MOST COMMON VPN TECHNOLOGIES

 Layer-2 tunnels – carry point-to-point data link (PPP)
connections between tunnel endpoints in remote access
VPNs.
- Compulsory mode
- Voluntary mode

 Layer-3 tunnels – provide IP-based virtual connections.
Packets routed between tunnel endpoints wrapped by IETF
defined headers that provide message integrity and
confidentiality.
 Secure Shell – to forward any application protocol over an
authenticated and encrypted client-server connection
 Secure Sockets Layer – to secure application protocol’s
transaction over network

2-b

LAYER-2 TUNNELS

LAYER-2 – THE MOST COMMONLY USED TUNNELING PROTOCOLS
 PPTP – one of the first protocols, designed by Microsoft
- widely deployed since included with NT,95,98
- builds on functionality of PPP, encapsulates PPP by using the
GRE (generic routing encapsulation) protocol, and, as a layer-2
protocol, handles other than IP traffic (IPX, NetBEUI)
- supports authentication for dial-in user (PAP or CHAP)
 L2F – developed in the early stages of VPN by CISCO Systems
- can use other media (ATM, frame-relay) and its tunnels can
support more than one connection
- support for more authentication systems (RADIUS, TACACS+)
 L2FT – being designed by IETF, as the heir apparent to PPTP and
L2F, with support for various authentication systems and transport
media

2-c

LAYER-3 TUNNELS

All of the layer-2 systems provide some level of encryption of
the encapsulated data. To achieve a total protection, they call
for Layer-3 protocols
to strengthen the encryption,
confidentiality and message integrity.
IPsec – THE BEST VPN SOLUTION FOR IP ENVIRONMENTS
- Multivendor and supported by all major OSs
- Scalable (designed with large enterprises in mind)
- General solution – protects any protocol running above IP
and any medium running below
- Designed to secure IP links between machines – cannot
provide the same end-to-end (user-to-user) security as
systems working at the upper levels (i.e. PGP)
- IPsec gateways can be installed whereever they are required
- on firewalls, routers or servers

2-c

LAYER-3 TUNNELS

A list of ICSA Labs certified IPsec products: www.icsalabs.com
THE CORE PROTOCOLS OF IPsec
 ESP (Encapsulating Security Payload) – encrypts and/or
authenticates data
 AH (Authentication Header) – provides a packet authentication
service
 IKE (Internet Key Exchange) – negotiates connection parameters
including keys
IPsec vs. NAT – an interesting complication

Any attempt to perform NAT operations on IPsec packets between
the IPsec gateways creates a basic conflict. In the following
scenario, guest’s VPN client will try to access its VPN server.

2-c

- IPsec wants to authenticate packets and ensure they are
unaltered on a gateway-to-gateway basis
- NAT rewrites packet headers as they go by
- IPsec authentication fails if packets are rewritten anywhere
between the gateways

2-c

LAYER-3 TUNNELS

An example of GUI router configuration of IPsec:

2-c

Configure IKE

Advanced IKE

2-c

LAYER-3 TUNNELS

To protect the contents of an IP datagram, the data is transformed
using cryptography. Two main transformation types form the
building blocks of IPSec, the AH transformation, and the ESP
transformation. AH and ESP can be used in two modes, transport
and tunnel. AH and ESP can also be combined. The transformations
are configured in a data structure called a security association (SA).

2-d

UPPER-LAYER SYSTEMS

Secure Sockets Layer (SSL)
- developed by Netscape (using RSA public/private-key encryption)
to transmit private documents via the Internet
- a protocol layer between the application protocol (e.g. HTTP)
and TCP that secures the transmission
- handles the encryption part of a secure HTTP transaction; a
Digital Certificate is necessary to provide server authentication
Whereas SSL creates a secure connection between a client and a
server, over which any amount of data can be sent securely,
S-HTTP was designed to transmit individual messages securely.
SSL evolved into TLS (Transport Layer Security) – an IETF standard
- SSL and TLS clients are an integral part of most Web browsers
- the TLS Record Protocol provides the encrypted, integrity-protected
connection
- the TLS Handshake Protocol allows the server and client to
authenticate each other and to negotiate an encryption algorithm
and cryptographic keys before data is exchanged

2-d

UPPER-LAYER SYSTEMS

An example of authentication via a self-issued Digital Certificate
(screenshots not reproduced):

After authentication and login, I can control my firewall logs
from anywhere…

… and finally, perhaps to run a few useful commands thanks to SSH

2-d

UPPER-LAYER SYSTEMS

Secure Shell (SSH)
- developed by SSH Communications Security Ltd. to log into
another computer over a network, to execute commands on a
remote machine, and to move files from one machine to another
- provides strong authentication and encryption over insecure
channels
- an inexpensive method of providing trusted users with secure
remote access to a single application, but requires installing SSH
client software
SSH2 – the second version of the protocol, specified by the IETF
SECSH working group
SSHD2 (Secure Shell Daemon) – server for SSH2
SCP2 (Secure Copy) – copies files over the network securely
SFTP2 – ftp-like client used for secure file transfer
• APPLICATION LAYER SECURITY TECHNIQUES (e.g. TLS & SSH)
THAT DO NOT MAKE USE OF OR DEPEND ON IP ADDRESSES
WILL WORK CORRECTLY IN THE PRESENCE OF NAT
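Host-key verification, the client-side half of the "strong authentication" above, as an added example that is not from the deck (the same out-of-band check is what makes the self-issued certificate on the earlier slide trustworthy): the client parses the public key the server presents, computes the fingerprint that `ssh-keygen -l` would print, and accepts the server only if it matches a value learned through another channel. Without this step anyone on the path can present a key of their own. The key below is constructed (32 arbitrary bytes in the ssh-ed25519 wire format), so its fingerprint is meaningful only inside this demo.

```python
"""SSH host-key parsing and fingerprint pinning (added example)."""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(data)) + data


def read_ssh_string(blob: bytes, offset: int):
    (length,) = struct.unpack_from("!I", blob, offset)
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_public_key_line(line: str):
    """Parse a known_hosts / authorized_keys style line: 'type base64 [comment]'.
    Returns (key type, raw key material, the blob the fingerprint is computed over)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed key line")
    declared_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    wire_type, offset = read_ssh_string(blob, 0)
    if wire_type.decode("ascii") != declared_type:
        raise ValueError("key type inside the blob does not match the declared type")
    key_material, offset = read_ssh_string(blob, offset)
    if offset != len(blob):
        raise ValueError("trailing data after the key material")
    return declared_type, key_material, blob


def fingerprint_sha256(blob: bytes) -> str:
    """Same presentation as `ssh-keygen -l -E sha256`: SHA-256 of the blob,
    base64 without the trailing padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_matches(line: str, pinned_fingerprint: str) -> bool:
    """The client-side check: accept the server only if the key it presented
    hashes to the fingerprint obtained out of band (console, signed mail, ...)."""
    _, _, blob = parse_public_key_line(line)
    return hmac.compare_digest(fingerprint_sha256(blob), pinned_fingerprint)


# Constructed server key: 32 arbitrary bytes in the ssh-ed25519 wire format
# (string "ssh-ed25519", string key). Not a real key; only the encoding and
# the check are real.
CONSTRUCTED_KEY = bytes(range(32))
CONSTRUCTED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(CONSTRUCTED_KEY)
CONSTRUCTED_LINE = ("ssh-ed25519 "
                    + base64.b64encode(CONSTRUCTED_BLOB).decode("ascii")
                    + " firewall")


if __name__ == "__main__":
    pinned = fingerprint_sha256(CONSTRUCTED_BLOB)      # what the administrator wrote down
    print(pinned, host_key_matches(CONSTRUCTED_LINE, pinned))
```

Pinning the fingerprint rather than trusting whatever key arrives first is the difference between the protocol's authentication and a connection that merely looks encrypted; the mismatch branch is the one that matters in an attack, so it is what the check must fail closed on.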

2-d

UPPER-LAYER SYSTEMS

E-mail-protection systems: S/MIME and OpenPGP

3-a

CISCO ENTERPRISE SOLUTION

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

3-b

VPN FUTURE

- integration of multimedia and VoIP, with the focus falling on
delivery of quality of service (QoS) and class of service (CoS)
over IP networks as part of a VPN
- voice and data services merging into one (voice over IP, IP
fax), and new network services being developed to offer the
QoS/CoS required for data, telephony and fax; all communication
devices becoming IP addressable, providing voice, fax, video and
data to the desktop using the VPN security protocols
- name servers becoming very useful for configuring and
reconfiguring VPNs; work is in progress to extend the use of DNS
servers to provide a secure (IP Security-based) mechanism for
routers to find peer routers and for clients to find servers

3-c

RESOURCES

www.networkmagazine.com
www.cisco.com
www.sans.org
www.freeswan.org
www.iec.org

Petr Sklenar
[email protected]

Slide 7

A Quick Trip
Through VPN

The purpose of this presentation is to define VPNs in general, to
briefly describe some technologies used in VPNs, and to introduce
major industry vendors together with the VPN solution of CISCO
Systems

Sklenar Petr, 2-20-2003

CONTENT

1-a VPN Definitions
1-b VPN Segmented
1-c VPN Market
2–a
2-b
2-c
2-d

Technology Overview
Layer-2 Tunnels
Layer-3 Tunnels
Upper-Layer Systems

3–a CISCO Enterprise Solution
3-b VPN Future
3-c Resources

1-a

VPN DEFINITIONS

VPNs combine two concepts:
–virtual networks in which geographically or
topographically distributed users and computers
interact and are managed as a single (flat)
network
- private networks in which data is protected from
eavesdropping and the identities of users and
nodes on the network are trusted
VPNs - an alternative to WAN infrastructure:
- deployed on a shared infrastructure employ the
same security and management as applied in
private networks
- can utilize the most pervasive transport
technologies of today (the public Internet, ISPs
IP backbones, service providers ATM and Frame
Relay networks)
- cost effective, flexible (no need to pay for leased
lines, extendable to “everywhere”)

1-a

VPN DEFINITIONS

VPNs based on IP tunnels:
- Encapsulate a data packet within a normal IP
packet for forwarding over an IP-based network.
The encapsulated packet does not need to be IP,
and could, in fact, be any protocol such as IPX,
AppleTalk, SNA or DECnet.
- The encapsulated packet does not need to be
encrypted and authenticated; however, with most
IP based VPNs, especially those running over the
public Internet, encryption is used to ensure
privacy and authentication to ensure integrity of
data.
- Mainly self-deployed; users buy connections from
an ISP and install VPN equipment which they
configure and manage themselves, relying on the
ISP only for the physical connections.

1-a

VPN DEFINITIONS

VPNs based on ISDN, Frame Relay or ATM
- Very different from VPNs based on IP tunnels.
- Use public switched data network services and
use ISDN B channels, PVCs, or SVCs to separate
traffic from other users. Single or multiple B
channels, PVCs, or SVCs may be used between
sites with additional features such as backup and
bandwidth on demand.
- Data packets do not need to be IP, nor do they
need to be encrypted. Due to more wide-spread
awareness about security issue, many users now
choose to encrypt their data.

1-b

VPN SEGMENTED

VPNs ARE SEGMENTED INTO THREE CATEGORIES:
- Remote access
- Intranets
- Extranets

1-b

VPN SEGMENTED

Remote access

- Connects telecommuters, mobile users, smaller
remote offices to the enterprise LAN with minimal
traffic to the corporate computing resources.

1-b

VPN SEGMENTED

Site-to-Site services (Intranets)

- Connect fixed locations, branch offices, and home
offices, within an enterprise WAN.
- VPN services offered to entire LAN / WAN or just
to selected set of authorized hosts.

1-b

VPN SEGMENTED

Business-to-Business services (Extranets)
- Extend limited access of enterprise computing
resources to business partners, such as suppliers
or customers, enabling access to shared
information.
- Use both topologies – Site-to-Site and Remote
Access.

According to research and consulting companies
and to real-time observations, 100 percent of
enterprises are expected to supplement their
WAN infrastructures with VPNs in relatively short
time.

1-c

VPN MARKET

- The tech market is bursting at the seams with HW based
VPNs, and vendors are filling out product lines to target
the smallest of SOHOs all the way to the world’s largest
companies. The result is a dizzying number of choices
from a dizzying number of competitor’s.
- The VPN market hit approximately $1.4 billion in 2001.
Currently, four vendors are carving the lion’s share of the
market:

Check Point (www.checkpoint.com)
Nortel Networks (www.nortelnetworks.com)
NetScreen Technologies (www.netscreen.com)
Cisco Systems (www.cisco.com)

1-c

VPN MARKET

WHY CISCO VPNs?

- One-stop shop for problem solutions – encompass all
segments of the networking infrastructure – platforms,
security, network services and appliances, and management.
- Relatively an easy upgrade of the existing CISCO
infrastructure - a smooth migration path to a VPN
environment by installing VPN modules.
- Low-cost options offered with expanding the product line of
PIX firewall / VPN appliances to target small enterprises and
remote offices.
- Acceptance and development of IPSec – the next generation
network layer crypto platform for Cisco’s security platforms.

2-a

TECHNOLOGY OVERVIEW

THE MOST COMMON VPN TECHNOLOGIES

 Layer-2 tunnels – carry point-to-point data link (PPP)
connections between tunnel endpoints in remote access
VPNs.
- Compulsory mode
- Voluntary mode

 Layer-3 tunnels – provide IP-based virtual connections.
Packets routed between tunnel endpoints wrapped by IETF
defined headers that provide message integrity and
confidentiality.
 Secure Shell – to forward any application protocol over an
authenticated and encrypted client-server connection
 Secure Sockets Layer – to secure application protocol’s
transaction over network

2-b

LAYER-2 TUNNELS

LAYER-2 – THE MOST COMMONLY USED TUNNELING PROTOCOLS
 PPTP – one of the first protocols, designed by Microsoft
- widely deployed since included with NT,95,98
- builds on functionality of PPP, encapsulates PPP by using the
GRE (generic routing encapsulation) protocol, and, as a layer-2
protocol, handles other than IP traffic (IPX, NetBEUI)
- supports authentication for dial-in user (PAP or CHAP)
 L2F – developed in the early stages of VPN by CISCO Systems
- can use other media (ATM, frame-relay) and its tunnels can
support more than one connection
- support for more authentication systems (RADIUS, TACACS+)
 L2FT – being designed by IETF, as the heir apparent to PPTP and
L2F, with support for various authentication systems and transport
media

2-c

LAYER-3 TUNNELS

All of the layer-2 systems provide some level of encryption of
the encapsulated data. To achieve a total protection, they call
for Layer-3 protocols
to strengthen the encryption,
confidentiality and message integrity.
IPsec – THE BEST VPN SOLUTION FOR IP ENVIRONMENTS
- Multivendor and supported by all major OSs
- Scalable (designed with large enterprises in mind)
- General solution – protects any protocol running above IP
and any medium running below
- Designed to secure IP links between machines – cannot
provide the same end-to-end (user-to-user) security as
systems working at the upper levels (i.e. PGP)
- IPsec gateways can be installed whereever they are required
- on firewalls, routers or servers

2-c

LAYER-3 TUNNELS

A list of ICSA Labs certified IPsec products: www.icsalabs.com
THE CORE PROTOCOLS OF IPsec
 ESP (Encapsulating Security Payload) – encrypts and/or
authenticates data
 AH (Authentication Header) – provides a packet authentication
service
 IKE (Internet Key Exchange) – negotiates connection parameters
including keys
IPsec vs. NAT – an interesting complication

Any attempt to perform NAT operations on IPsec packets between
the IPsec gateways creates a basic conflict. In the following
scenario, guest’s VPN client will try to access its VPN server.

2-c

- IPsec wants to authenticate packets and ensure they are
unaltered on a gateway-to-gateway basis
- NAT rewrites packet headers as they go by
- IPsec authentication fails if packets are rewritten anywhere
between the gateways

2-c

LAYER-3 TUNNELS

An example of GUI router configuration of IPsec:

2-c

Configure IKE

Advanced IKE

2-c

LAYER-3 TUNNELS

To protect the contents of an IP datagram, the data is transformed
using cryptography. Two main transformation types form the
building blocks of IPSec, the AH transformation, and the ESP
transformation. AH and ESP can be used in two modes, transport
and tunnel. AH and ESP can also be combined. The transformations
are configured in a data structure called a security association (SA).

2-d

UPPER-LAYER SYSTEMS

Secure Sockets Layer (SSL)
- developed by Netscape and RSA (public-private key encryption)
to transmit private documents via the Internet
- uses a program layer located between HTTP and TCP layers to
secure transmission
- handles the encryption part of a secure HTTP transaction, a
Digital Certificate is necessary to provide server authentication
Whereas SSL creates a secure connection between a client and a
server, over which any amount of data can be sent securely,
S-HTTP was designed to transmit individual messages securely.
SSL evolved in TLS (Transport Layer Security) – IETF standard
- SSL and TSL clients are integral part of several Web browsers
- TLS Record Protocol provides encrypted connection
- TLS Handshake Protocol allows the server and client to
authenticate each other and to negotiate an encryption algorithm
and cryptographic keys before data is exchanged.

2-d

UPPER-LAYER SYSTEMS

An example of authentication via self-issued Digital Certificate:

2-d

After
authentication
and login,
I can control my
firewall logs
from anywhere…

UPPER-LAYER SYSTEMS

2-d

UPPER-LAYER SYSTEMS

… and finally, perhaps to run a few useful commands thanks to SSH

2-d

UPPER-LAYER SYSTEMS

Secure Shell (SSH)
- developed by SSH Communications Security Ltd. to log into
another computer over a network, to execute commands in a
remote machine, and to move files from one machine to another
- provides strong authentication and encryption over insecure
channels
-an inexpensive method of providing trusted users with secure
remote access to a single application, but requires installing SSH
client software
SSH2 – a powerful protocol suite developed by IETF
SSHD2 (Secure Shell Deamon) – server for SSH2
SCP2 (Secure Copy) - to copy files over the network securely
SFTP2 - ftp-like client used for secure file transfer
 APPLICATION LAYER SECURITY TECHNIQUES (i.e. TLS & SSH)
THAT DO NOT MAKE USE OF OR DEPEND ON IP ADDRESSES
WILL WORK CORRECLTY IN THE PRESENCE OF NAT

2-d

UPPER-LAYER SYSTEMS

E-mail-protection systems: S/MIME and OpenPGP

3-a

CISCO ENTERPRISE SOLUTION

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

2-d

VPN FUTURE

-integration of multimedia and VoIP - the focus falling on
delivery of quality of service (QoS) and class of service
(CoS) over IP networks as part of a VPN
- voice and data services merging into one (voice over IP, IP
fax), and new network services being developed to offer the
QoS/CoS required for data, telephony and fax - all
communication devices becoming IP addressable - providing
voice, fax, video and data to the desktop – using VPN security
protocol
- name servers becoming very useful for configuring and
reconfiguring VPNs - work being in progress to extend the use
of DNS servers to provide a secure (IP Security-based)
mechanism for routers to find peer routers and for clients to
find servers

3-b

www.networkmagazine.com
www.cisco.com
www.sans.org
www.freeswan.org
www.iec.org

Petr Sklenar
[email protected]

RESOURCES


Slide 8

A Quick Trip
Through VPN

The purpose of this presentation is to define VPNs in general, to
briefly describe some technologies used in VPNs, and to introduce
major industry vendors together with the VPN solution of CISCO
Systems

Sklenar Petr, 2-20-2003

CONTENT

1-a VPN Definitions
1-b VPN Segmented
1-c VPN Market
2–a
2-b
2-c
2-d

Technology Overview
Layer-2 Tunnels
Layer-3 Tunnels
Upper-Layer Systems

3–a CISCO Enterprise Solution
3-b VPN Future
3-c Resources

1-a

VPN DEFINITIONS

VPNs combine two concepts:
–virtual networks in which geographically or
topographically distributed users and computers
interact and are managed as a single (flat)
network
- private networks in which data is protected from
eavesdropping and the identities of users and
nodes on the network are trusted
VPNs - an alternative to WAN infrastructure:
- deployed on a shared infrastructure employ the
same security and management as applied in
private networks
- can utilize the most pervasive transport
technologies of today (the public Internet, ISPs
IP backbones, service providers ATM and Frame
Relay networks)
- cost effective, flexible (no need to pay for leased
lines, extendable to “everywhere”)

1-a

VPN DEFINITIONS

VPNs based on IP tunnels:
- Encapsulate a data packet within a normal IP
packet for forwarding over an IP-based network.
The encapsulated packet does not need to be IP,
and could, in fact, be any protocol such as IPX,
AppleTalk, SNA or DECnet.
- The encapsulated packet does not need to be
encrypted and authenticated; however, with most
IP based VPNs, especially those running over the
public Internet, encryption is used to ensure
privacy and authentication to ensure integrity of
data.
- Mainly self-deployed; users buy connections from
an ISP and install VPN equipment which they
configure and manage themselves, relying on the
ISP only for the physical connections.

1-a

VPN DEFINITIONS

VPNs based on ISDN, Frame Relay or ATM
- Very different from VPNs based on IP tunnels.
- Use public switched data network services and
use ISDN B channels, PVCs, or SVCs to separate
traffic from other users. Single or multiple B
channels, PVCs, or SVCs may be used between
sites with additional features such as backup and
bandwidth on demand.
- Data packets do not need to be IP, nor do they
need to be encrypted. Due to more wide-spread
awareness about security issue, many users now
choose to encrypt their data.

1-b

VPN SEGMENTED

VPNs ARE SEGMENTED INTO THREE CATEGORIES:
- Remote access
- Intranets
- Extranets

1-b

VPN SEGMENTED

Remote access

- Connects telecommuters, mobile users, smaller
remote offices to the enterprise LAN with minimal
traffic to the corporate computing resources.

1-b

VPN SEGMENTED

Site-to-Site services (Intranets)

- Connect fixed locations, branch offices, and home
offices, within an enterprise WAN.
- VPN services offered to entire LAN / WAN or just
to selected set of authorized hosts.

1-b

VPN SEGMENTED

Business-to-Business services (Extranets)
- Extend limited access of enterprise computing
resources to business partners, such as suppliers
or customers, enabling access to shared
information.
- Use both topologies – Site-to-Site and Remote
Access.

According to research and consulting companies
and to real-time observations, 100 percent of
enterprises are expected to supplement their
WAN infrastructures with VPNs in relatively short
time.

1-c

VPN MARKET

- The tech market is bursting at the seams with HW based
VPNs, and vendors are filling out product lines to target
the smallest of SOHOs all the way to the world’s largest
companies. The result is a dizzying number of choices
from a dizzying number of competitor’s.
- The VPN market hit approximately $1.4 billion in 2001.
Currently, four vendors are carving the lion’s share of the
market:

Check Point (www.checkpoint.com)
Nortel Networks (www.nortelnetworks.com)
NetScreen Technologies (www.netscreen.com)
Cisco Systems (www.cisco.com)

1-c

VPN MARKET

WHY CISCO VPNs?

- One-stop shop for problem solutions – encompass all
segments of the networking infrastructure – platforms,
security, network services and appliances, and management.
- Relatively an easy upgrade of the existing CISCO
infrastructure - a smooth migration path to a VPN
environment by installing VPN modules.
- Low-cost options offered with expanding the product line of
PIX firewall / VPN appliances to target small enterprises and
remote offices.
- Acceptance and development of IPSec – the next generation
network layer crypto platform for Cisco’s security platforms.

2-a

TECHNOLOGY OVERVIEW

THE MOST COMMON VPN TECHNOLOGIES

 Layer-2 tunnels – carry point-to-point data link (PPP)
connections between tunnel endpoints in remote access
VPNs.
- Compulsory mode
- Voluntary mode

 Layer-3 tunnels – provide IP-based virtual connections.
Packets routed between tunnel endpoints wrapped by IETF
defined headers that provide message integrity and
confidentiality.
 Secure Shell – to forward any application protocol over an
authenticated and encrypted client-server connection
 Secure Sockets Layer – to secure application protocol’s
transaction over network

2-b

LAYER-2 TUNNELS

LAYER-2 – THE MOST COMMONLY USED TUNNELING PROTOCOLS
 PPTP – one of the first protocols, designed by Microsoft
- widely deployed since included with NT,95,98
- builds on functionality of PPP, encapsulates PPP by using the
GRE (generic routing encapsulation) protocol, and, as a layer-2
protocol, handles other than IP traffic (IPX, NetBEUI)
- supports authentication for dial-in user (PAP or CHAP)
 L2F – developed in the early stages of VPN by CISCO Systems
- can use other media (ATM, frame-relay) and its tunnels can
support more than one connection
- support for more authentication systems (RADIUS, TACACS+)
 L2FT – being designed by IETF, as the heir apparent to PPTP and
L2F, with support for various authentication systems and transport
media

2-c

LAYER-3 TUNNELS

All of the layer-2 systems provide some level of encryption of
the encapsulated data. To achieve a total protection, they call
for Layer-3 protocols
to strengthen the encryption,
confidentiality and message integrity.
IPsec – THE BEST VPN SOLUTION FOR IP ENVIRONMENTS
- Multivendor and supported by all major OSs
- Scalable (designed with large enterprises in mind)
- General solution – protects any protocol running above IP
and any medium running below
- Designed to secure IP links between machines – cannot
provide the same end-to-end (user-to-user) security as
systems working at the upper levels (i.e. PGP)
- IPsec gateways can be installed whereever they are required
- on firewalls, routers or servers

2-c

LAYER-3 TUNNELS

A list of ICSA Labs certified IPsec products: www.icsalabs.com
THE CORE PROTOCOLS OF IPsec
 ESP (Encapsulating Security Payload) – encrypts and/or
authenticates data
 AH (Authentication Header) – provides a packet authentication
service
 IKE (Internet Key Exchange) – negotiates connection parameters
including keys
IPsec vs. NAT – an interesting complication

Any attempt to perform NAT operations on IPsec packets between
the IPsec gateways creates a basic conflict. In the following
scenario, guest’s VPN client will try to access its VPN server.

2-c

- IPsec wants to authenticate packets and ensure they are
unaltered on a gateway-to-gateway basis
- NAT rewrites packet headers as they go by
- IPsec authentication fails if packets are rewritten anywhere
between the gateways

2-c

LAYER-3 TUNNELS

An example of GUI router configuration of IPsec:

2-c

Configure IKE

Advanced IKE

2-c

LAYER-3 TUNNELS

To protect the contents of an IP datagram, the data is transformed
using cryptography. Two main transformation types form the
building blocks of IPSec, the AH transformation, and the ESP
transformation. AH and ESP can be used in two modes, transport
and tunnel. AH and ESP can also be combined. The transformations
are configured in a data structure called a security association (SA).

2-d

UPPER-LAYER SYSTEMS

Secure Sockets Layer (SSL)
- developed by Netscape and RSA (public-private key encryption)
to transmit private documents via the Internet
- uses a program layer located between HTTP and TCP layers to
secure transmission
- handles the encryption part of a secure HTTP transaction, a
Digital Certificate is necessary to provide server authentication
Whereas SSL creates a secure connection between a client and a
server, over which any amount of data can be sent securely,
S-HTTP was designed to transmit individual messages securely.
SSL evolved in TLS (Transport Layer Security) – IETF standard
- SSL and TSL clients are integral part of several Web browsers
- TLS Record Protocol provides encrypted connection
- TLS Handshake Protocol allows the server and client to
authenticate each other and to negotiate an encryption algorithm
and cryptographic keys before data is exchanged.

2-d

UPPER-LAYER SYSTEMS

An example of authentication via self-issued Digital Certificate:

2-d

After
authentication
and login,
I can control my
firewall logs
from anywhere…

UPPER-LAYER SYSTEMS

2-d

UPPER-LAYER SYSTEMS

… and finally, perhaps to run a few useful commands thanks to SSH

2-d

UPPER-LAYER SYSTEMS

Secure Shell (SSH)
- developed by SSH Communications Security Ltd. to log into
another computer over a network, to execute commands in a
remote machine, and to move files from one machine to another
- provides strong authentication and encryption over insecure
channels
-an inexpensive method of providing trusted users with secure
remote access to a single application, but requires installing SSH
client software
SSH2 – a powerful protocol suite developed by IETF
SSHD2 (Secure Shell Deamon) – server for SSH2
SCP2 (Secure Copy) - to copy files over the network securely
SFTP2 - ftp-like client used for secure file transfer
 APPLICATION LAYER SECURITY TECHNIQUES (i.e. TLS & SSH)
THAT DO NOT MAKE USE OF OR DEPEND ON IP ADDRESSES
WILL WORK CORRECLTY IN THE PRESENCE OF NAT

2-d

UPPER-LAYER SYSTEMS

E-mail-protection systems: S/MIME and OpenPGP

3-a

CISCO ENTERPRISE SOLUTION

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

2-d

VPN FUTURE

-integration of multimedia and VoIP - the focus falling on
delivery of quality of service (QoS) and class of service
(CoS) over IP networks as part of a VPN
- voice and data services merging into one (voice over IP, IP
fax), and new network services being developed to offer the
QoS/CoS required for data, telephony and fax - all
communication devices becoming IP addressable - providing
voice, fax, video and data to the desktop – using VPN security
protocol
- name servers becoming very useful for configuring and
reconfiguring VPNs - work being in progress to extend the use
of DNS servers to provide a secure (IP Security-based)
mechanism for routers to find peer routers and for clients to
find servers

3-b

www.networkmagazine.com
www.cisco.com
www.sans.org
www.freeswan.org
www.iec.org

Petr Sklenar
[email protected]

RESOURCES


Slide 9

A Quick Trip
Through VPN

The purpose of this presentation is to define VPNs in general, to
briefly describe some technologies used in VPNs, and to introduce
major industry vendors together with the VPN solution of CISCO
Systems

Sklenar Petr, 2-20-2003

CONTENT

1-a VPN Definitions
1-b VPN Segmented
1-c VPN Market
2–a
2-b
2-c
2-d

Technology Overview
Layer-2 Tunnels
Layer-3 Tunnels
Upper-Layer Systems

3–a CISCO Enterprise Solution
3-b VPN Future
3-c Resources

1-a

VPN DEFINITIONS

VPNs combine two concepts:
–virtual networks in which geographically or
topographically distributed users and computers
interact and are managed as a single (flat)
network
- private networks in which data is protected from
eavesdropping and the identities of users and
nodes on the network are trusted
VPNs - an alternative to WAN infrastructure:
- deployed on a shared infrastructure employ the
same security and management as applied in
private networks
- can utilize the most pervasive transport
technologies of today (the public Internet, ISPs
IP backbones, service providers ATM and Frame
Relay networks)
- cost effective, flexible (no need to pay for leased
lines, extendable to “everywhere”)

1-a

VPN DEFINITIONS

VPNs based on IP tunnels:
- Encapsulate a data packet within a normal IP
packet for forwarding over an IP-based network.
The encapsulated packet does not need to be IP,
and could, in fact, be any protocol such as IPX,
AppleTalk, SNA or DECnet.
- The encapsulated packet does not need to be
encrypted and authenticated; however, with most
IP based VPNs, especially those running over the
public Internet, encryption is used to ensure
privacy and authentication to ensure integrity of
data.
- Mainly self-deployed; users buy connections from
an ISP and install VPN equipment which they
configure and manage themselves, relying on the
ISP only for the physical connections.

1-a

VPN DEFINITIONS

VPNs based on ISDN, Frame Relay or ATM
- Very different from VPNs based on IP tunnels.
- Use public switched data network services and
use ISDN B channels, PVCs, or SVCs to separate
traffic from other users. Single or multiple B
channels, PVCs, or SVCs may be used between
sites with additional features such as backup and
bandwidth on demand.
- Data packets do not need to be IP, nor do they
need to be encrypted. Due to more wide-spread
awareness about security issue, many users now
choose to encrypt their data.

1-b

VPN SEGMENTED

VPNs ARE SEGMENTED INTO THREE CATEGORIES:
- Remote access
- Intranets
- Extranets

1-b

VPN SEGMENTED

Remote access

- Connects telecommuters, mobile users, smaller
remote offices to the enterprise LAN with minimal
traffic to the corporate computing resources.

1-b

VPN SEGMENTED

Site-to-Site services (Intranets)

- Connect fixed locations, branch offices, and home
offices, within an enterprise WAN.
- VPN services offered to entire LAN / WAN or just
to selected set of authorized hosts.

1-b

VPN SEGMENTED

Business-to-Business services (Extranets)
- Extend limited access of enterprise computing
resources to business partners, such as suppliers
or customers, enabling access to shared
information.
- Use both topologies – Site-to-Site and Remote
Access.

According to research and consulting companies
and to real-time observations, 100 percent of
enterprises are expected to supplement their
WAN infrastructures with VPNs in relatively short
time.

1-c

VPN MARKET

- The tech market is bursting at the seams with HW based
VPNs, and vendors are filling out product lines to target
the smallest of SOHOs all the way to the world’s largest
companies. The result is a dizzying number of choices
from a dizzying number of competitor’s.
- The VPN market hit approximately $1.4 billion in 2001.
Currently, four vendors are carving the lion’s share of the
market:

Check Point (www.checkpoint.com)
Nortel Networks (www.nortelnetworks.com)
NetScreen Technologies (www.netscreen.com)
Cisco Systems (www.cisco.com)

1-c

VPN MARKET

WHY CISCO VPNs?

- One-stop shop for problem solutions – encompass all
segments of the networking infrastructure – platforms,
security, network services and appliances, and management.
- Relatively an easy upgrade of the existing CISCO
infrastructure - a smooth migration path to a VPN
environment by installing VPN modules.
- Low-cost options offered with expanding the product line of
PIX firewall / VPN appliances to target small enterprises and
remote offices.
- Acceptance and development of IPSec – the next generation
network layer crypto platform for Cisco’s security platforms.

2-a

TECHNOLOGY OVERVIEW

THE MOST COMMON VPN TECHNOLOGIES

 Layer-2 tunnels – carry point-to-point data link (PPP)
connections between tunnel endpoints in remote access
VPNs.
- Compulsory mode
- Voluntary mode

 Layer-3 tunnels – provide IP-based virtual connections.
Packets routed between tunnel endpoints wrapped by IETF
defined headers that provide message integrity and
confidentiality.
 Secure Shell – to forward any application protocol over an
authenticated and encrypted client-server connection
 Secure Sockets Layer – to secure application protocol’s
transaction over network

2-b

LAYER-2 TUNNELS

LAYER-2 – THE MOST COMMONLY USED TUNNELING PROTOCOLS
 PPTP – one of the first protocols, designed by Microsoft
- widely deployed since included with NT,95,98
- builds on functionality of PPP, encapsulates PPP by using the
GRE (generic routing encapsulation) protocol, and, as a layer-2
protocol, handles other than IP traffic (IPX, NetBEUI)
- supports authentication for dial-in user (PAP or CHAP)
 L2F – developed in the early stages of VPN by CISCO Systems
- can use other media (ATM, frame-relay) and its tunnels can
support more than one connection
- support for more authentication systems (RADIUS, TACACS+)
 L2FT – being designed by IETF, as the heir apparent to PPTP and
L2F, with support for various authentication systems and transport
media

2-c

LAYER-3 TUNNELS

All of the layer-2 systems provide some level of encryption of
the encapsulated data. To achieve a total protection, they call
for Layer-3 protocols
to strengthen the encryption,
confidentiality and message integrity.
IPsec – THE BEST VPN SOLUTION FOR IP ENVIRONMENTS
- Multivendor and supported by all major OSs
- Scalable (designed with large enterprises in mind)
- General solution – protects any protocol running above IP
and any medium running below
- Designed to secure IP links between machines – cannot
provide the same end-to-end (user-to-user) security as
systems working at the upper levels (i.e. PGP)
- IPsec gateways can be installed whereever they are required
- on firewalls, routers or servers

2-c

LAYER-3 TUNNELS

A list of ICSA Labs certified IPsec products: www.icsalabs.com
THE CORE PROTOCOLS OF IPsec
 ESP (Encapsulating Security Payload) – encrypts and/or
authenticates data
 AH (Authentication Header) – provides a packet authentication
service
 IKE (Internet Key Exchange) – negotiates connection parameters
including keys
IPsec vs. NAT – an interesting complication

Any attempt to perform NAT operations on IPsec packets between
the IPsec gateways creates a basic conflict. In the following
scenario, guest’s VPN client will try to access its VPN server.

2-c

- IPsec wants to authenticate packets and ensure they are
unaltered on a gateway-to-gateway basis
- NAT rewrites packet headers as they go by
- IPsec authentication fails if packets are rewritten anywhere
between the gateways

2-c

LAYER-3 TUNNELS

An example of GUI router configuration of IPsec:

2-c

(screenshots: "Configure IKE" and "Advanced IKE" dialogs)

2-c

LAYER-3 TUNNELS

To protect the contents of an IP datagram, the data is transformed
using cryptography. Two main transformation types form the
building blocks of IPsec: the AH transformation and the ESP
transformation. AH and ESP can be used in two modes, transport
and tunnel, and they can also be combined. The transformations
are configured in a data structure called a security association (SA).

2-d

UPPER-LAYER SYSTEMS

Secure Sockets Layer (SSL)
- developed by Netscape and RSA (public-private key encryption)
to transmit private documents via the Internet
- uses a program layer located between the HTTP and TCP layers to
secure transmission
- handles the encryption part of a secure HTTP transaction; a
Digital Certificate is necessary to provide server authentication
Whereas SSL creates a secure connection between a client and a
server, over which any amount of data can be sent securely,
S-HTTP was designed to transmit individual messages securely.
SSL evolved into TLS (Transport Layer Security) – an IETF standard
- SSL and TLS clients are an integral part of several Web browsers
- the TLS Record Protocol provides the encrypted connection
- the TLS Handshake Protocol allows the server and client to
authenticate each other and to negotiate an encryption algorithm
and cryptographic keys before data is exchanged.

2-d

UPPER-LAYER SYSTEMS

An example of authentication via a self-issued Digital Certificate:

2-d

UPPER-LAYER SYSTEMS

After authentication and login, I can control my firewall logs from anywhere…

2-d

UPPER-LAYER SYSTEMS

… and finally, perhaps run a few useful commands thanks to SSH

2-d

UPPER-LAYER SYSTEMS

Secure Shell (SSH)
- developed by SSH Communications Security Ltd. to log into
another computer over a network, to execute commands on a
remote machine, and to move files from one machine to another
- provides strong authentication and encryption over insecure
channels
- an inexpensive method of providing trusted users with secure
remote access to a single application, but requires installing SSH
client software
SSH2 – a powerful protocol suite developed by IETF
SSHD2 (Secure Shell Daemon) – server for SSH2
SCP2 (Secure Copy) – to copy files over the network securely
SFTP2 – ftp-like client used for secure file transfer
• APPLICATION LAYER SECURITY TECHNIQUES (e.g. TLS & SSH)
THAT DO NOT MAKE USE OF OR DEPEND ON IP ADDRESSES
WILL WORK CORRECTLY IN THE PRESENCE OF NAT
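As an added example (not part of the presentation) that covers both the IPsec-vs-NAT conflict described under 2-c and the statement above about address-independent application-layer techniques: a Python model of an AH integrity check and of a TLS/SSH-style record MAC, each run through a plain router and through a source NAT. The packet model, the addresses (RFC 5737 documentation ranges) and the key are constructed for illustration; HMAC-SHA256 stands in for the negotiated integrity algorithm.

```python
"""Why NAT breaks IPsec AH authentication but not an address-independent
upper-layer MAC. Constructed illustration, not the presentation's own code."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Minimal model of an IPv4 packet: only the fields the example needs."""
    src: str        # source address, rewritten by a source NAT
    dst: str        # destination address
    ttl: int        # decremented by every router, so mutable in transit
    payload: bytes  # transport header plus application data


def ah_icv_input(pkt: Packet) -> bytes:
    """Bytes covered by the AH Integrity Check Value (ICV).

    AH authenticates the immutable IP header fields together with the
    payload; mutable fields (TTL, header checksum) are treated as zero.
    The addresses count as immutable from the sender's point of view, so
    they ARE covered, and that is exactly why a NAT rewrite breaks AH.
    """
    return (ipaddress.IPv4Address(pkt.src).packed
            + ipaddress.IPv4Address(pkt.dst).packed
            + b"\x00"          # TTL zeroed: routers legitimately change it
            + pkt.payload)


def ah_sign(pkt: Packet, key: bytes) -> bytes:
    return hmac.new(key, ah_icv_input(pkt), hashlib.sha256).digest()


def ah_verify(pkt: Packet, key: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_sign(pkt, key), icv)


def upper_layer_mac(payload: bytes, key: bytes) -> bytes:
    """TLS/SSH-style record MAC: covers only the data, never the IP header."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def upper_layer_verify(payload: bytes, key: bytes, mac: bytes) -> bool:
    return hmac.compare_digest(upper_layer_mac(payload, key), mac)


def source_nat(pkt: Packet, public_ip: str) -> Packet:
    """What a NAT box does to an outbound packet: rewrite src, decrement TTL."""
    return replace(pkt, src=public_ip, ttl=pkt.ttl - 1)


def plain_router(pkt: Packet) -> Packet:
    """A router that only forwards: decrements TTL, leaves addresses alone."""
    return replace(pkt, ttl=pkt.ttl - 1)


def simulate(key: bytes) -> dict:
    """Send one packet via a plain router and via a NAT; report which checks pass."""
    # Constructed sample: the guest's VPN client behind NAT talking to the
    # VPN server. Documentation addresses, not real hosts.
    original = Packet("192.0.2.10", "198.51.100.5", 64,
                      b"GET /firewall/logs HTTP/1.0\r\n")
    icv = ah_sign(original, key)                 # computed by the client gateway
    mac = upper_layer_mac(original.payload, key)  # computed by the TLS/SSH layer

    routed = plain_router(original)
    natted = source_nat(original, "203.0.113.1")
    return {
        "ah_after_plain_router": ah_verify(routed, key, icv),   # True: TTL excluded
        "ah_after_nat": ah_verify(natted, key, icv),            # False: src rewritten
        "tls_like_after_nat": upper_layer_verify(natted.payload, key, mac),  # True
        "natted_src": natted.src,
    }


if __name__ == "__main__":
    for check, result in simulate(b"constructed-demo-key").items():
        print(f"{check}: {result}")
```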

2-d

UPPER-LAYER SYSTEMS

E-mail-protection systems: S/MIME and OpenPGP

3-a

CISCO ENTERPRISE SOLUTION

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

3-b

VPN FUTURE

- integration of multimedia and VoIP – the focus falling on
delivery of quality of service (QoS) and class of service
(CoS) over IP networks as part of a VPN
- voice and data services merging into one (voice over IP, IP
fax), with new network services being developed to offer the
QoS/CoS required for data, telephony and fax; all
communication devices becoming IP addressable, providing
voice, fax, video and data to the desktop using a VPN security
protocol
- name servers becoming very useful for configuring and
reconfiguring VPNs; work is in progress to extend the use
of DNS servers to provide a secure (IP Security-based)
mechanism for routers to find peer routers and for clients to
find servers

3-c

RESOURCES

www.networkmagazine.com
www.cisco.com
www.sans.org
www.freeswan.org
www.iec.org

Petr Sklenar
[email protected]


Slide 10

A Quick Trip
Through VPN

The purpose of this presentation is to define VPNs in general, to
briefly describe some technologies used in VPNs, and to introduce
major industry vendors together with the VPN solution of CISCO
Systems

Sklenar Petr, 2-20-2003

CONTENT

1-a VPN Definitions
1-b VPN Segmented
1-c VPN Market
2–a
2-b
2-c
2-d

Technology Overview
Layer-2 Tunnels
Layer-3 Tunnels
Upper-Layer Systems

3–a CISCO Enterprise Solution
3-b VPN Future
3-c Resources

1-a

VPN DEFINITIONS

VPNs combine two concepts:
–virtual networks in which geographically or
topographically distributed users and computers
interact and are managed as a single (flat)
network
- private networks in which data is protected from
eavesdropping and the identities of users and
nodes on the network are trusted
VPNs - an alternative to WAN infrastructure:
- deployed on a shared infrastructure employ the
same security and management as applied in
private networks
- can utilize the most pervasive transport
technologies of today (the public Internet, ISPs
IP backbones, service providers ATM and Frame
Relay networks)
- cost effective, flexible (no need to pay for leased
lines, extendable to “everywhere”)

1-a

VPN DEFINITIONS

VPNs based on IP tunnels:
- Encapsulate a data packet within a normal IP
packet for forwarding over an IP-based network.
The encapsulated packet does not need to be IP,
and could, in fact, be any protocol such as IPX,
AppleTalk, SNA or DECnet.
- The encapsulated packet does not need to be
encrypted and authenticated; however, with most
IP based VPNs, especially those running over the
public Internet, encryption is used to ensure
privacy and authentication to ensure integrity of
data.
- Mainly self-deployed; users buy connections from
an ISP and install VPN equipment which they
configure and manage themselves, relying on the
ISP only for the physical connections.

1-a

VPN DEFINITIONS

VPNs based on ISDN, Frame Relay or ATM
- Very different from VPNs based on IP tunnels.
- Use public switched data network services and
use ISDN B channels, PVCs, or SVCs to separate
traffic from other users. Single or multiple B
channels, PVCs, or SVCs may be used between
sites with additional features such as backup and
bandwidth on demand.
- Data packets do not need to be IP, nor do they
need to be encrypted. Due to more wide-spread
awareness about security issue, many users now
choose to encrypt their data.

1-b

VPN SEGMENTED

VPNs ARE SEGMENTED INTO THREE CATEGORIES:
- Remote access
- Intranets
- Extranets

1-b

VPN SEGMENTED

Remote access

- Connects telecommuters, mobile users, smaller
remote offices to the enterprise LAN with minimal
traffic to the corporate computing resources.

1-b

VPN SEGMENTED

Site-to-Site services (Intranets)

- Connect fixed locations, branch offices, and home
offices, within an enterprise WAN.
- VPN services offered to entire LAN / WAN or just
to selected set of authorized hosts.

1-b

VPN SEGMENTED

Business-to-Business services (Extranets)
- Extend limited access of enterprise computing
resources to business partners, such as suppliers
or customers, enabling access to shared
information.
- Use both topologies – Site-to-Site and Remote
Access.

According to research and consulting companies
and to real-time observations, 100 percent of
enterprises are expected to supplement their
WAN infrastructures with VPNs in relatively short
time.

1-c

VPN MARKET

- The tech market is bursting at the seams with HW based
VPNs, and vendors are filling out product lines to target
the smallest of SOHOs all the way to the world’s largest
companies. The result is a dizzying number of choices
from a dizzying number of competitor’s.
- The VPN market hit approximately $1.4 billion in 2001.
Currently, four vendors are carving the lion’s share of the
market:

Check Point (www.checkpoint.com)
Nortel Networks (www.nortelnetworks.com)
NetScreen Technologies (www.netscreen.com)
Cisco Systems (www.cisco.com)

1-c

VPN MARKET

WHY CISCO VPNs?

- One-stop shop for problem solutions – encompass all
segments of the networking infrastructure – platforms,
security, network services and appliances, and management.
- Relatively an easy upgrade of the existing CISCO
infrastructure - a smooth migration path to a VPN
environment by installing VPN modules.
- Low-cost options offered with expanding the product line of
PIX firewall / VPN appliances to target small enterprises and
remote offices.
- Acceptance and development of IPSec – the next generation
network layer crypto platform for Cisco’s security platforms.

2-a

TECHNOLOGY OVERVIEW

THE MOST COMMON VPN TECHNOLOGIES

 Layer-2 tunnels – carry point-to-point data link (PPP)
connections between tunnel endpoints in remote access
VPNs.
- Compulsory mode
- Voluntary mode

 Layer-3 tunnels – provide IP-based virtual connections.
Packets routed between tunnel endpoints wrapped by IETF
defined headers that provide message integrity and
confidentiality.
 Secure Shell – to forward any application protocol over an
authenticated and encrypted client-server connection
 Secure Sockets Layer – to secure application protocol’s
transaction over network

2-b

LAYER-2 TUNNELS

LAYER-2 – THE MOST COMMONLY USED TUNNELING PROTOCOLS
 PPTP – one of the first protocols, designed by Microsoft
- widely deployed since included with NT,95,98
- builds on functionality of PPP, encapsulates PPP by using the
GRE (generic routing encapsulation) protocol, and, as a layer-2
protocol, handles other than IP traffic (IPX, NetBEUI)
- supports authentication for dial-in user (PAP or CHAP)
 L2F – developed in the early stages of VPN by CISCO Systems
- can use other media (ATM, frame-relay) and its tunnels can
support more than one connection
- support for more authentication systems (RADIUS, TACACS+)
 L2FT – being designed by IETF, as the heir apparent to PPTP and
L2F, with support for various authentication systems and transport
media

2-c

LAYER-3 TUNNELS

All of the layer-2 systems provide some level of encryption of
the encapsulated data. To achieve a total protection, they call
for Layer-3 protocols
to strengthen the encryption,
confidentiality and message integrity.
IPsec – THE BEST VPN SOLUTION FOR IP ENVIRONMENTS
- Multivendor and supported by all major OSs
- Scalable (designed with large enterprises in mind)
- General solution – protects any protocol running above IP
and any medium running below
- Designed to secure IP links between machines – cannot
provide the same end-to-end (user-to-user) security as
systems working at the upper levels (i.e. PGP)
- IPsec gateways can be installed whereever they are required
- on firewalls, routers or servers

2-c

LAYER-3 TUNNELS

A list of ICSA Labs certified IPsec products: www.icsalabs.com
THE CORE PROTOCOLS OF IPsec
 ESP (Encapsulating Security Payload) – encrypts and/or
authenticates data
 AH (Authentication Header) – provides a packet authentication
service
 IKE (Internet Key Exchange) – negotiates connection parameters
including keys
IPsec vs. NAT – an interesting complication

Any attempt to perform NAT operations on IPsec packets between
the IPsec gateways creates a basic conflict. In the following
scenario, guest’s VPN client will try to access its VPN server.

2-c

- IPsec wants to authenticate packets and ensure they are
unaltered on a gateway-to-gateway basis
- NAT rewrites packet headers as they go by
- IPsec authentication fails if packets are rewritten anywhere
between the gateways

2-c

LAYER-3 TUNNELS

An example of GUI router configuration of IPsec:

2-c

Configure IKE

Advanced IKE

2-c

LAYER-3 TUNNELS

To protect the contents of an IP datagram, the data is transformed
using cryptography. Two main transformation types form the
building blocks of IPSec, the AH transformation, and the ESP
transformation. AH and ESP can be used in two modes, transport
and tunnel. AH and ESP can also be combined. The transformations
are configured in a data structure called a security association (SA).

2-d

UPPER-LAYER SYSTEMS

Secure Sockets Layer (SSL)
- developed by Netscape and RSA (public-private key encryption)
to transmit private documents via the Internet
- uses a program layer located between HTTP and TCP layers to
secure transmission
- handles the encryption part of a secure HTTP transaction, a
Digital Certificate is necessary to provide server authentication
Whereas SSL creates a secure connection between a client and a
server, over which any amount of data can be sent securely,
S-HTTP was designed to transmit individual messages securely.
SSL evolved in TLS (Transport Layer Security) – IETF standard
- SSL and TSL clients are integral part of several Web browsers
- TLS Record Protocol provides encrypted connection
- TLS Handshake Protocol allows the server and client to
authenticate each other and to negotiate an encryption algorithm
and cryptographic keys before data is exchanged.

2-d

UPPER-LAYER SYSTEMS

An example of authentication via self-issued Digital Certificate:

2-d

After
authentication
and login,
I can control my
firewall logs
from anywhere…

UPPER-LAYER SYSTEMS

2-d

UPPER-LAYER SYSTEMS

… and finally, perhaps to run a few useful commands thanks to SSH

2-d

UPPER-LAYER SYSTEMS

Secure Shell (SSH)
- developed by SSH Communications Security Ltd. to log into
another computer over a network, to execute commands in a
remote machine, and to move files from one machine to another
- provides strong authentication and encryption over insecure
channels
-an inexpensive method of providing trusted users with secure
remote access to a single application, but requires installing SSH
client software
SSH2 – a powerful protocol suite developed by IETF
SSHD2 (Secure Shell Deamon) – server for SSH2
SCP2 (Secure Copy) - to copy files over the network securely
SFTP2 - ftp-like client used for secure file transfer
 APPLICATION LAYER SECURITY TECHNIQUES (i.e. TLS & SSH)
THAT DO NOT MAKE USE OF OR DEPEND ON IP ADDRESSES
WILL WORK CORRECLTY IN THE PRESENCE OF NAT

2-d

UPPER-LAYER SYSTEMS

E-mail-protection systems: S/MIME and OpenPGP

3-a

CISCO ENTERPRISE SOLUTION

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

2-d

VPN FUTURE

-integration of multimedia and VoIP - the focus falling on
delivery of quality of service (QoS) and class of service
(CoS) over IP networks as part of a VPN
- voice and data services merging into one (voice over IP, IP
fax), and new network services being developed to offer the
QoS/CoS required for data, telephony and fax - all
communication devices becoming IP addressable - providing
voice, fax, video and data to the desktop – using VPN security
protocol
- name servers becoming very useful for configuring and
reconfiguring VPNs - work being in progress to extend the use
of DNS servers to provide a secure (IP Security-based)
mechanism for routers to find peer routers and for clients to
find servers

3-b

www.networkmagazine.com
www.cisco.com
www.sans.org
www.freeswan.org
www.iec.org

Petr Sklenar
[email protected]

RESOURCES


Slide 11

A Quick Trip
Through VPN

The purpose of this presentation is to define VPNs in general, to
briefly describe some technologies used in VPNs, and to introduce
major industry vendors together with the VPN solution of CISCO
Systems

Sklenar Petr, 2-20-2003

CONTENT

1-a VPN Definitions
1-b VPN Segmented
1-c VPN Market
2–a
2-b
2-c
2-d

Technology Overview
Layer-2 Tunnels
Layer-3 Tunnels
Upper-Layer Systems

3–a CISCO Enterprise Solution
3-b VPN Future
3-c Resources

1-a

VPN DEFINITIONS

VPNs combine two concepts:
–virtual networks in which geographically or
topographically distributed users and computers
interact and are managed as a single (flat)
network
- private networks in which data is protected from
eavesdropping and the identities of users and
nodes on the network are trusted
VPNs - an alternative to WAN infrastructure:
- deployed on a shared infrastructure employ the
same security and management as applied in
private networks
- can utilize the most pervasive transport
technologies of today (the public Internet, ISPs
IP backbones, service providers ATM and Frame
Relay networks)
- cost effective, flexible (no need to pay for leased
lines, extendable to “everywhere”)

1-a

VPN DEFINITIONS

VPNs based on IP tunnels:
- Encapsulate a data packet within a normal IP
packet for forwarding over an IP-based network.
The encapsulated packet does not need to be IP,
and could, in fact, be any protocol such as IPX,
AppleTalk, SNA or DECnet.
- The encapsulated packet does not need to be
encrypted and authenticated; however, with most
IP based VPNs, especially those running over the
public Internet, encryption is used to ensure
privacy and authentication to ensure integrity of
data.
- Mainly self-deployed; users buy connections from
an ISP and install VPN equipment which they
configure and manage themselves, relying on the
ISP only for the physical connections.

1-a

VPN DEFINITIONS

VPNs based on ISDN, Frame Relay or ATM
- Very different from VPNs based on IP tunnels.
- Use public switched data network services and
use ISDN B channels, PVCs, or SVCs to separate
traffic from other users. Single or multiple B
channels, PVCs, or SVCs may be used between
sites with additional features such as backup and
bandwidth on demand.
- Data packets do not need to be IP, nor do they
need to be encrypted. Due to more wide-spread
awareness about security issue, many users now
choose to encrypt their data.

1-b

VPN SEGMENTED

VPNs ARE SEGMENTED INTO THREE CATEGORIES:
- Remote access
- Intranets
- Extranets

1-b

VPN SEGMENTED

Remote access

- Connects telecommuters, mobile users, smaller
remote offices to the enterprise LAN with minimal
traffic to the corporate computing resources.

1-b

VPN SEGMENTED

Site-to-Site services (Intranets)

- Connect fixed locations, branch offices, and home
offices, within an enterprise WAN.
- VPN services offered to entire LAN / WAN or just
to selected set of authorized hosts.

1-b

VPN SEGMENTED

Business-to-Business services (Extranets)
- Extend limited access of enterprise computing
resources to business partners, such as suppliers
or customers, enabling access to shared
information.
- Use both topologies – Site-to-Site and Remote
Access.

According to research and consulting companies
and to real-time observations, 100 percent of
enterprises are expected to supplement their
WAN infrastructures with VPNs in relatively short
time.

1-c

VPN MARKET

- The tech market is bursting at the seams with HW based
VPNs, and vendors are filling out product lines to target
the smallest of SOHOs all the way to the world’s largest
companies. The result is a dizzying number of choices
from a dizzying number of competitor’s.
- The VPN market hit approximately $1.4 billion in 2001.
Currently, four vendors are carving the lion’s share of the
market:

Check Point (www.checkpoint.com)
Nortel Networks (www.nortelnetworks.com)
NetScreen Technologies (www.netscreen.com)
Cisco Systems (www.cisco.com)

1-c

VPN MARKET

WHY CISCO VPNs?

- One-stop shop for problem solutions – encompass all
segments of the networking infrastructure – platforms,
security, network services and appliances, and management.
- Relatively an easy upgrade of the existing CISCO
infrastructure - a smooth migration path to a VPN
environment by installing VPN modules.
- Low-cost options offered with expanding the product line of
PIX firewall / VPN appliances to target small enterprises and
remote offices.
- Acceptance and development of IPSec – the next generation
network layer crypto platform for Cisco’s security platforms.

2-a

TECHNOLOGY OVERVIEW

THE MOST COMMON VPN TECHNOLOGIES

 Layer-2 tunnels – carry point-to-point data link (PPP)
connections between tunnel endpoints in remote access
VPNs.
- Compulsory mode
- Voluntary mode

 Layer-3 tunnels – provide IP-based virtual connections.
Packets routed between tunnel endpoints wrapped by IETF
defined headers that provide message integrity and
confidentiality.
 Secure Shell – to forward any application protocol over an
authenticated and encrypted client-server connection
 Secure Sockets Layer – to secure application protocol’s
transaction over network

2-b

LAYER-2 TUNNELS

LAYER-2 – THE MOST COMMONLY USED TUNNELING PROTOCOLS
 PPTP – one of the first protocols, designed by Microsoft
- widely deployed since included with NT,95,98
- builds on functionality of PPP, encapsulates PPP by using the
GRE (generic routing encapsulation) protocol, and, as a layer-2
protocol, handles other than IP traffic (IPX, NetBEUI)
- supports authentication for dial-in user (PAP or CHAP)
 L2F – developed in the early stages of VPN by CISCO Systems
- can use other media (ATM, frame-relay) and its tunnels can
support more than one connection
- support for more authentication systems (RADIUS, TACACS+)
 L2FT – being designed by IETF, as the heir apparent to PPTP and
L2F, with support for various authentication systems and transport
media

2-c

LAYER-3 TUNNELS

All of the layer-2 systems provide some level of encryption of
the encapsulated data. To achieve a total protection, they call
for Layer-3 protocols
to strengthen the encryption,
confidentiality and message integrity.
IPsec – THE BEST VPN SOLUTION FOR IP ENVIRONMENTS
- Multivendor and supported by all major OSs
- Scalable (designed with large enterprises in mind)
- General solution – protects any protocol running above IP
and any medium running below
- Designed to secure IP links between machines – cannot
provide the same end-to-end (user-to-user) security as
systems working at the upper levels (i.e. PGP)
- IPsec gateways can be installed whereever they are required
- on firewalls, routers or servers

2-c

LAYER-3 TUNNELS

A list of ICSA Labs certified IPsec products: www.icsalabs.com
THE CORE PROTOCOLS OF IPsec
 ESP (Encapsulating Security Payload) – encrypts and/or
authenticates data
 AH (Authentication Header) – provides a packet authentication
service
 IKE (Internet Key Exchange) – negotiates connection parameters
including keys
IPsec vs. NAT – an interesting complication

Any attempt to perform NAT operations on IPsec packets between
the IPsec gateways creates a basic conflict. In the following
scenario, guest’s VPN client will try to access its VPN server.

2-c

- IPsec wants to authenticate packets and ensure they are
unaltered on a gateway-to-gateway basis
- NAT rewrites packet headers as they go by
- IPsec authentication fails if packets are rewritten anywhere
between the gateways

2-c

LAYER-3 TUNNELS

An example of GUI router configuration of IPsec:

2-c

Configure IKE

Advanced IKE

2-c

LAYER-3 TUNNELS

To protect the contents of an IP datagram, the data is transformed
using cryptography. Two main transformation types form the
building blocks of IPSec, the AH transformation, and the ESP
transformation. AH and ESP can be used in two modes, transport
and tunnel. AH and ESP can also be combined. The transformations
are configured in a data structure called a security association (SA).

2-d

UPPER-LAYER SYSTEMS

Secure Sockets Layer (SSL)
- developed by Netscape and RSA (public-private key encryption)
to transmit private documents via the Internet
- uses a program layer located between HTTP and TCP layers to
secure transmission
- handles the encryption part of a secure HTTP transaction, a
Digital Certificate is necessary to provide server authentication
Whereas SSL creates a secure connection between a client and a
server, over which any amount of data can be sent securely,
S-HTTP was designed to transmit individual messages securely.
SSL evolved in TLS (Transport Layer Security) – IETF standard
- SSL and TSL clients are integral part of several Web browsers
- TLS Record Protocol provides encrypted connection
- TLS Handshake Protocol allows the server and client to
authenticate each other and to negotiate an encryption algorithm
and cryptographic keys before data is exchanged.

2-d

UPPER-LAYER SYSTEMS

An example of authentication via self-issued Digital Certificate:

2-d

After
authentication
and login,
I can control my
firewall logs
from anywhere…

UPPER-LAYER SYSTEMS

2-d

UPPER-LAYER SYSTEMS

… and finally, perhaps to run a few useful commands thanks to SSH

2-d

UPPER-LAYER SYSTEMS

Secure Shell (SSH)
- developed by SSH Communications Security Ltd. to log into
another computer over a network, to execute commands in a
remote machine, and to move files from one machine to another
- provides strong authentication and encryption over insecure
channels
-an inexpensive method of providing trusted users with secure
remote access to a single application, but requires installing SSH
client software
SSH2 – a powerful protocol suite developed by IETF
SSHD2 (Secure Shell Deamon) – server for SSH2
SCP2 (Secure Copy) - to copy files over the network securely
SFTP2 - ftp-like client used for secure file transfer
 APPLICATION LAYER SECURITY TECHNIQUES (i.e. TLS & SSH)
THAT DO NOT MAKE USE OF OR DEPEND ON IP ADDRESSES
WILL WORK CORRECLTY IN THE PRESENCE OF NAT

2-d

UPPER-LAYER SYSTEMS

E-mail-protection systems: S/MIME and OpenPGP

3-a

CISCO ENTERPRISE SOLUTION

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

2-d

VPN FUTURE

-integration of multimedia and VoIP - the focus falling on
delivery of quality of service (QoS) and class of service
(CoS) over IP networks as part of a VPN
- voice and data services merging into one (voice over IP, IP
fax), and new network services being developed to offer the
QoS/CoS required for data, telephony and fax - all
communication devices becoming IP addressable - providing
voice, fax, video and data to the desktop – using VPN security
protocol
- name servers becoming very useful for configuring and
reconfiguring VPNs - work being in progress to extend the use
of DNS servers to provide a secure (IP Security-based)
mechanism for routers to find peer routers and for clients to
find servers

3-b

www.networkmagazine.com
www.cisco.com
www.sans.org
www.freeswan.org
www.iec.org

Petr Sklenar
[email protected]

RESOURCES


Slide 12

A Quick Trip
Through VPN

The purpose of this presentation is to define VPNs in general, to
briefly describe some technologies used in VPNs, and to introduce
major industry vendors together with the VPN solution of CISCO
Systems

Sklenar Petr, 2-20-2003

CONTENT

1-a VPN Definitions
1-b VPN Segmented
1-c VPN Market
2–a
2-b
2-c
2-d

Technology Overview
Layer-2 Tunnels
Layer-3 Tunnels
Upper-Layer Systems

3–a CISCO Enterprise Solution
3-b VPN Future
3-c Resources

1-a

VPN DEFINITIONS

VPNs combine two concepts:
–virtual networks in which geographically or
topographically distributed users and computers
interact and are managed as a single (flat)
network
- private networks in which data is protected from
eavesdropping and the identities of users and
nodes on the network are trusted
VPNs - an alternative to WAN infrastructure:
- deployed on a shared infrastructure employ the
same security and management as applied in
private networks
- can utilize the most pervasive transport
technologies of today (the public Internet, ISPs
IP backbones, service providers ATM and Frame
Relay networks)
- cost effective, flexible (no need to pay for leased
lines, extendable to “everywhere”)

1-a

VPN DEFINITIONS

VPNs based on IP tunnels:
- Encapsulate a data packet within a normal IP
packet for forwarding over an IP-based network.
The encapsulated packet does not need to be IP,
and could, in fact, be any protocol such as IPX,
AppleTalk, SNA or DECnet.
- The encapsulated packet does not need to be
encrypted and authenticated; however, with most
IP based VPNs, especially those running over the
public Internet, encryption is used to ensure
privacy and authentication to ensure integrity of
data.
- Mainly self-deployed; users buy connections from
an ISP and install VPN equipment which they
configure and manage themselves, relying on the
ISP only for the physical connections.

1-a

VPN DEFINITIONS

VPNs based on ISDN, Frame Relay or ATM
- Very different from VPNs based on IP tunnels.
- Use public switched data network services and
use ISDN B channels, PVCs, or SVCs to separate
traffic from other users. Single or multiple B
channels, PVCs, or SVCs may be used between
sites with additional features such as backup and
bandwidth on demand.
- Data packets do not need to be IP, nor do they
need to be encrypted. Due to more wide-spread
awareness about security issue, many users now
choose to encrypt their data.

1-b

VPN SEGMENTED

VPNs ARE SEGMENTED INTO THREE CATEGORIES:
- Remote access
- Intranets
- Extranets

1-b

VPN SEGMENTED

Remote access

- Connects telecommuters, mobile users, smaller
remote offices to the enterprise LAN with minimal
traffic to the corporate computing resources.

1-b

VPN SEGMENTED

Site-to-Site services (Intranets)

- Connect fixed locations, branch offices, and home
offices, within an enterprise WAN.
- VPN services offered to entire LAN / WAN or just
to selected set of authorized hosts.

1-b

VPN SEGMENTED

Business-to-Business services (Extranets)
- Extend limited access of enterprise computing
resources to business partners, such as suppliers
or customers, enabling access to shared
information.
- Use both topologies – Site-to-Site and Remote
Access.

According to research and consulting companies
and to real-time observations, 100 percent of
enterprises are expected to supplement their
WAN infrastructures with VPNs in relatively short
time.

1-c

VPN MARKET

- The tech market is bursting at the seams with HW based
VPNs, and vendors are filling out product lines to target
the smallest of SOHOs all the way to the world’s largest
companies. The result is a dizzying number of choices
from a dizzying number of competitor’s.
- The VPN market hit approximately $1.4 billion in 2001.
Currently, four vendors are carving the lion’s share of the
market:

Check Point (www.checkpoint.com)
Nortel Networks (www.nortelnetworks.com)
NetScreen Technologies (www.netscreen.com)
Cisco Systems (www.cisco.com)

1-c

VPN MARKET

WHY CISCO VPNs?

- One-stop shop for problem solutions – encompass all
segments of the networking infrastructure – platforms,
security, network services and appliances, and management.
- Relatively an easy upgrade of the existing CISCO
infrastructure - a smooth migration path to a VPN
environment by installing VPN modules.
- Low-cost options offered with expanding the product line of
PIX firewall / VPN appliances to target small enterprises and
remote offices.
- Acceptance and development of IPSec – the next generation
network layer crypto platform for Cisco’s security platforms.

2-a

TECHNOLOGY OVERVIEW

THE MOST COMMON VPN TECHNOLOGIES

 Layer-2 tunnels – carry point-to-point data link (PPP)
connections between tunnel endpoints in remote access
VPNs.
- Compulsory mode
- Voluntary mode

 Layer-3 tunnels – provide IP-based virtual connections.
Packets routed between tunnel endpoints wrapped by IETF
defined headers that provide message integrity and
confidentiality.
 Secure Shell – to forward any application protocol over an
authenticated and encrypted client-server connection
 Secure Sockets Layer – to secure application protocol’s
transaction over network

2-b

LAYER-2 TUNNELS

LAYER-2 – THE MOST COMMONLY USED TUNNELING PROTOCOLS
 PPTP – one of the first protocols, designed by Microsoft
- widely deployed since included with NT,95,98
- builds on functionality of PPP, encapsulates PPP by using the
GRE (generic routing encapsulation) protocol, and, as a layer-2
protocol, handles other than IP traffic (IPX, NetBEUI)
- supports authentication for dial-in user (PAP or CHAP)
 L2F – developed in the early stages of VPN by CISCO Systems
- can use other media (ATM, frame-relay) and its tunnels can
support more than one connection
- support for more authentication systems (RADIUS, TACACS+)
 L2FT – being designed by IETF, as the heir apparent to PPTP and
L2F, with support for various authentication systems and transport
media

2-c

LAYER-3 TUNNELS

All of the layer-2 systems provide some level of encryption of
the encapsulated data. For complete protection they rely on
layer-3 protocols to strengthen the encryption, confidentiality
and message integrity.
IPsec – THE BEST VPN SOLUTION FOR IP ENVIRONMENTS
- Multivendor and supported by all major OSs
- Scalable (designed with large enterprises in mind)
- General solution – protects any protocol running above IP
and any medium running below
- Designed to secure IP links between machines – cannot
provide the same end-to-end (user-to-user) security as
systems working at the upper layers (e.g. PGP)
- IPsec gateways can be installed wherever they are required
- on firewalls, routers or servers

2-c

LAYER-3 TUNNELS

A list of ICSA Labs certified IPsec products: www.icsalabs.com
THE CORE PROTOCOLS OF IPsec
• ESP (Encapsulating Security Payload) – encrypts and/or
authenticates data
• AH (Authentication Header) – provides a packet authentication
service
• IKE (Internet Key Exchange) – negotiates connection parameters,
including keys
IPsec vs. NAT – an interesting complication

Any attempt to perform NAT operations on IPsec packets between
the IPsec gateways creates a basic conflict. In the following
scenario, a guest’s VPN client tries to reach its VPN server.

2-c

- IPsec wants to authenticate packets and ensure they are
unaltered on a gateway-to-gateway basis
- NAT rewrites packet headers as they go by
- IPsec authentication fails if packets are rewritten anywhere
between the gateways

2-c

LAYER-3 TUNNELS

An example of GUI router configuration of IPsec:

2-c

(screenshots: Configure IKE, Advanced IKE)

2-c

LAYER-3 TUNNELS

To protect the contents of an IP datagram, the data is transformed
using cryptography. Two main transformation types form the
building blocks of IPsec: the AH transformation and the ESP
transformation. AH and ESP can each be used in two modes, transport
and tunnel, and they can also be combined. The transformations
are configured in a data structure called a security association (SA).
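The following is an added example, not code from the presentation or from any vendor: a constructed model of the AH and ESP transformations, the transport/tunnel modes and the SA structure described above, which also reproduces the IPsec-versus-NAT conflict from the earlier slide. It builds AH and ESP (NULL-encryption, HMAC-SHA1-96) packets from a hypothetical SecurityAssociation and then lets a simulated NAT rewrite the outer source address. Addresses, the pre-shared key and the payload are made-up test values; the ESP variant uses the NULL cipher so the whole thing runs on the Python standard library.

```python
"""Constructed model of IPsec AH (RFC 2402) and ESP with NULL encryption
(RFC 2406/2410): builds protected packets from a security association (SA)
in transport or tunnel mode and shows why a NAT rewriting the outer source
address breaks the AH integrity check but not the ESP one.
Not a real IPsec stack; addresses, keys and payload are made-up test data."""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass

PROTO_IPIP, PROTO_TCP, PROTO_ESP, PROTO_AH = 4, 6, 50, 51
ICV_LEN = 12  # HMAC-SHA1-96: the integrity check value is truncated to 96 bits (RFC 2404)


@dataclass
class SecurityAssociation:
    """The SA the text mentions: SPI, mode, key and (tunnel mode) gateway addresses."""
    spi: int
    mode: str               # "transport" or "tunnel"
    auth_key: bytes
    tunnel_src: str = ""    # outer (gateway) addresses, tunnel mode only
    tunnel_dst: str = ""


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; the checksum is left zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def icv(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def immutable_ip_fields(ip_hdr):
    """AH authenticates the IP header with the mutable fields (ToS, flags/offset,
    TTL, checksum) zeroed; the source and destination addresses stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return bytes(h)


def ah_protect(sa, src, dst, inner_proto, payload, seq=1):
    """AH transport mode: IP | AH | payload; ICV over header + AH + payload."""
    ah_fixed = struct.pack("!BBHII", inner_proto, 4, 0, sa.spi, seq)  # payload len 4 words
    ip_hdr = ipv4_header(src, dst, PROTO_AH, len(ah_fixed) + ICV_LEN + len(payload))
    mac = icv(sa.auth_key, immutable_ip_fields(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload)
    return ip_hdr + ah_fixed + mac + payload


def ah_verify(sa, packet):
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    mac, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    expected = icv(sa.auth_key, immutable_ip_fields(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload)
    return hmac.compare_digest(mac, expected)


def esp_protect(sa, src, dst, inner_proto, payload, seq=1):
    """ESP-NULL: IP | SPI,seq | payload | pad,padlen,next | ICV.
    Transport mode protects only the payload; tunnel mode wraps the whole
    original datagram and adds a new outer header between the gateways."""
    if sa.mode == "tunnel":
        body = ipv4_header(src, dst, inner_proto, len(payload)) + payload
        next_hdr, outer_src, outer_dst = PROTO_IPIP, sa.tunnel_src, sa.tunnel_dst
    else:
        body, next_hdr, outer_src, outer_dst = payload, inner_proto, src, dst
    pad_len = (-(len(body) + 2)) % 4                      # 4-byte alignment of the trailer
    esp = (struct.pack("!II", sa.spi, seq) + body
           + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr]))
    mac = icv(sa.auth_key, esp)                           # the ICV excludes the outer IP header
    return ipv4_header(outer_src, outer_dst, PROTO_ESP, len(esp) + ICV_LEN) + esp + mac


def esp_verify(sa, packet):
    return hmac.compare_digest(packet[-ICV_LEN:], icv(sa.auth_key, packet[20:-ICV_LEN]))


def nat_rewrite_source(packet, new_src):
    """What a NAT box does on the way out: replace the outer source address."""
    h = bytearray(packet)
    h[12:16] = socket.inet_aton(new_src)
    return bytes(h)


def demo():
    key = b"constructed-demo-auth-key-000000"        # assumption: pre-shared auth key
    payload = b"GET / HTTP/1.0\r\n\r\n"               # constructed inner payload
    ah_sa = SecurityAssociation(spi=0x1001, mode="transport", auth_key=key)
    esp_sa = SecurityAssociation(spi=0x2002, mode="tunnel", auth_key=key,
                                 tunnel_src="192.0.2.10", tunnel_dst="198.51.100.1")
    ah_pkt = ah_protect(ah_sa, "10.0.0.5", "198.51.100.1", PROTO_TCP, payload)
    esp_pkt = esp_protect(esp_sa, "10.0.0.5", "172.16.0.7", PROTO_TCP, payload)
    natted_ah = nat_rewrite_source(ah_pkt, "203.0.113.9")
    natted_esp = nat_rewrite_source(esp_pkt, "203.0.113.9")
    return {"ah_ok_without_nat": ah_verify(ah_sa, ah_pkt),
            "ah_ok_after_nat": ah_verify(ah_sa, natted_ah),
            "esp_ok_after_nat": esp_verify(esp_sa, natted_esp)}


if __name__ == "__main__":
    print(demo())
```

The AH check fails after the NAT because the source address is part of what AH authenticates, which is exactly the gateway-to-gateway conflict the slide describes. The ESP integrity check survives because its ICV starts at the SPI, but that is only the integrity layer: a real NAT still has no port numbers to map in ESP, and in transport mode the inner TCP checksum (computed over the original addresses) breaks, which is why ESP through NAT relies on UDP encapsulation (NAT-Traversal, RFC 3948) in practice.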

2-d

UPPER-LAYER SYSTEMS

Secure Sockets Layer (SSL)
- developed by Netscape and RSA (public-private key encryption)
to transmit private documents via the Internet
- uses a program layer located between the HTTP and TCP layers to
secure the transmission
- handles the encryption part of a secure HTTP transaction; a
Digital Certificate is necessary to provide server authentication
Whereas SSL creates a secure connection between a client and a
server, over which any amount of data can be sent securely,
S-HTTP was designed to transmit individual messages securely.
SSL evolved into TLS (Transport Layer Security) – an IETF standard
- SSL and TLS clients are an integral part of several Web browsers
- the TLS Record Protocol provides the encrypted connection
- the TLS Handshake Protocol allows the server and client to
authenticate each other and to negotiate an encryption algorithm
and cryptographic keys before data is exchanged.
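As an added illustration of the two TLS layers just named (not code from the presentation), the block below serialises and parses the first Handshake Protocol message, the ClientHello, inside its Record Protocol envelope. This is the part of the negotiation a VPN gateway or a network monitor can inspect before any key exists: the client's offered version, cipher suites and the SNI host name. The record/handshake layout follows RFC 2246/5246; the host name, cipher-suite list and weak-suite policy set are constructed for the example, and the `weak_offers` policy helper is hypothetical.

```python
"""Constructed example of the two TLS layers: the Record Protocol (outer 5-byte
record header) and the Handshake Protocol (the ClientHello carried inside it).
build_client_hello() serialises a minimal ClientHello; parse_client_hello()
extracts what an inspecting gateway sees before key agreement. No network I/O."""
import os
import struct

TLS_HANDSHAKE = 0x16        # record content type: handshake
HS_CLIENT_HELLO = 1         # handshake message type
EXT_SERVER_NAME = 0         # SNI extension type
# Suite IDs a gateway policy should refuse: NULL-encryption and export-grade
# suites from RFC 2246 (constructed policy set for the example)
WEAK_SUITES = {0x0000, 0x0001, 0x0002, 0x0003, 0x0006, 0x0008, 0x0014}


def build_client_hello(server_name, cipher_suites, client_version=0x0303, client_random=None):
    """Serialise a ClientHello and wrap it in a single handshake record."""
    client_random = client_random if client_random is not None else os.urandom(32)
    host = server_name.encode("ascii")
    name_entry = struct.pack("!BH", 0, len(host)) + host         # name_type 0 = host_name
    sni_body = struct.pack("!H", len(name_entry)) + name_entry
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", client_version) + client_random
            + b"\x00"                                             # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                         # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record layer: content type, legacy record version, length of the handshake message
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Walk the record header, the handshake header and the ClientHello fields,
    checking every announced length against the bytes actually present."""
    if len(record) < 5:
        raise ValueError("short record header")
    ctype, rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4:
        raise ValueError("truncated record")
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if hs_type != HS_CLIENT_HELLO or len(body) != hs_len:
        raise ValueError("not a complete ClientHello")
    pos = 0
    client_version = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    pos += 32                                   # client random
    pos += 1 + body[pos]                        # session id (length-prefixed)
    cs_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    suites = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                        # compression methods (length-prefixed)
    sni = None
    if pos + 2 <= len(body):                    # extensions are optional (absent in old clients)
        ext_len = struct.unpack_from("!H", body, pos)[0]
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SERVER_NAME and len(edata) >= 5 and edata[2] == 0:
                name_len = struct.unpack_from("!H", edata, 3)[0]
                sni = edata[5:5 + name_len].decode("ascii", "replace")
    return {"record_version": rec_version, "client_version": client_version,
            "cipher_suites": suites, "sni": sni}


def weak_offers(hello):
    """Cipher suites in the client's offer that the policy set above refuses."""
    return [s for s in hello["cipher_suites"] if s in WEAK_SUITES]


if __name__ == "__main__":
    rec = build_client_hello("vpn.example.test", [0xC02F, 0x002F, 0x0001])
    print(parse_client_hello(rec), weak_offers(parse_client_hello(rec)))
```

Every length field is validated before it is used, which is the habit to keep when inspecting handshake traffic: a parser that trusts the announced lengths is the part of a gateway that falls over on malformed records.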

2-d

UPPER-LAYER SYSTEMS

An example of authentication via self-issued Digital Certificate:

2-d

After authentication and login, I can control my firewall logs from anywhere…

UPPER-LAYER SYSTEMS

2-d

UPPER-LAYER SYSTEMS

… and finally, perhaps to run a few useful commands thanks to SSH

2-d

UPPER-LAYER SYSTEMS

Secure Shell (SSH)
- developed by SSH Communications Security Ltd. to log into
another computer over a network, to execute commands on a
remote machine, and to move files from one machine to another
- provides strong authentication and encryption over insecure
channels
- an inexpensive method of providing trusted users with secure
remote access to a single application, but requires installing SSH
client software
SSH2 – a powerful protocol suite developed by the IETF
SSHD2 (Secure Shell Daemon) – server for SSH2
SCP2 (Secure Copy) – copies files over the network securely
SFTP2 – ftp-like client used for secure file transfer
• APPLICATION LAYER SECURITY TECHNIQUES (e.g. TLS AND SSH)
THAT DO NOT MAKE USE OF OR DEPEND ON IP ADDRESSES
WILL WORK CORRECTLY IN THE PRESENCE OF NAT

2-d

UPPER-LAYER SYSTEMS

E-mail-protection systems: S/MIME and OpenPGP

3-a

CISCO ENTERPRISE SOLUTION

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

3-b

VPN FUTURE

- integration of multimedia and VoIP – the focus falling on
delivery of quality of service (QoS) and class of service
(CoS) over IP networks as part of a VPN
- voice and data services merging into one (voice over IP, IP
fax), and new network services being developed to offer the
QoS/CoS required for data, telephony and fax – all
communication devices becoming IP addressable, providing
voice, fax, video and data to the desktop using VPN security
protocols
- name servers becoming very useful for configuring and
reconfiguring VPNs – work is in progress to extend the use
of DNS servers to provide a secure (IP Security-based)
mechanism for routers to find peer routers and for clients to
find servers

3-c

RESOURCES

www.networkmagazine.com
www.cisco.com
www.sans.org
www.freeswan.org
www.iec.org

Petr Sklenar
[email protected]


Slide 13

A Quick Trip
Through VPN

The purpose of this presentation is to define VPNs in general, to
briefly describe some technologies used in VPNs, and to introduce
major industry vendors together with the VPN solution of CISCO
Systems

Sklenar Petr, 2-20-2003

CONTENT

1-a VPN Definitions
1-b VPN Segmented
1-c VPN Market
2–a
2-b
2-c
2-d

Technology Overview
Layer-2 Tunnels
Layer-3 Tunnels
Upper-Layer Systems

3–a CISCO Enterprise Solution
3-b VPN Future
3-c Resources

1-a

VPN DEFINITIONS

VPNs combine two concepts:
–virtual networks in which geographically or
topographically distributed users and computers
interact and are managed as a single (flat)
network
- private networks in which data is protected from
eavesdropping and the identities of users and
nodes on the network are trusted
VPNs - an alternative to WAN infrastructure:
- deployed on a shared infrastructure employ the
same security and management as applied in
private networks
- can utilize the most pervasive transport
technologies of today (the public Internet, ISPs
IP backbones, service providers ATM and Frame
Relay networks)
- cost effective, flexible (no need to pay for leased
lines, extendable to “everywhere”)

1-a

VPN DEFINITIONS

VPNs based on IP tunnels:
- Encapsulate a data packet within a normal IP
packet for forwarding over an IP-based network.
The encapsulated packet does not need to be IP,
and could, in fact, be any protocol such as IPX,
AppleTalk, SNA or DECnet.
- The encapsulated packet does not need to be
encrypted and authenticated; however, with most
IP based VPNs, especially those running over the
public Internet, encryption is used to ensure
privacy and authentication to ensure integrity of
data.
- Mainly self-deployed; users buy connections from
an ISP and install VPN equipment which they
configure and manage themselves, relying on the
ISP only for the physical connections.

1-a

VPN DEFINITIONS

VPNs based on ISDN, Frame Relay or ATM
- Very different from VPNs based on IP tunnels.
- Use public switched data network services and
use ISDN B channels, PVCs, or SVCs to separate
traffic from other users. Single or multiple B
channels, PVCs, or SVCs may be used between
sites with additional features such as backup and
bandwidth on demand.
- Data packets do not need to be IP, nor do they
need to be encrypted. Due to more wide-spread
awareness about security issue, many users now
choose to encrypt their data.

1-b

VPN SEGMENTED

VPNs ARE SEGMENTED INTO THREE CATEGORIES:
- Remote access
- Intranets
- Extranets

1-b

VPN SEGMENTED

Remote access

- Connects telecommuters, mobile users, smaller
remote offices to the enterprise LAN with minimal
traffic to the corporate computing resources.

1-b

VPN SEGMENTED

Site-to-Site services (Intranets)

- Connect fixed locations, branch offices, and home
offices, within an enterprise WAN.
- VPN services offered to entire LAN / WAN or just
to selected set of authorized hosts.

1-b

VPN SEGMENTED

Business-to-Business services (Extranets)
- Extend limited access of enterprise computing
resources to business partners, such as suppliers
or customers, enabling access to shared
information.
- Use both topologies – Site-to-Site and Remote
Access.

According to research and consulting companies
and to real-time observations, 100 percent of
enterprises are expected to supplement their
WAN infrastructures with VPNs in relatively short
time.

1-c

VPN MARKET

- The tech market is bursting at the seams with HW based
VPNs, and vendors are filling out product lines to target
the smallest of SOHOs all the way to the world’s largest
companies. The result is a dizzying number of choices
from a dizzying number of competitor’s.
- The VPN market hit approximately $1.4 billion in 2001.
Currently, four vendors are carving the lion’s share of the
market:

Check Point (www.checkpoint.com)
Nortel Networks (www.nortelnetworks.com)
NetScreen Technologies (www.netscreen.com)
Cisco Systems (www.cisco.com)

1-c

VPN MARKET

WHY CISCO VPNs?

- One-stop shop for problem solutions – encompass all
segments of the networking infrastructure – platforms,
security, network services and appliances, and management.
- Relatively an easy upgrade of the existing CISCO
infrastructure - a smooth migration path to a VPN
environment by installing VPN modules.
- Low-cost options offered with expanding the product line of
PIX firewall / VPN appliances to target small enterprises and
remote offices.
- Acceptance and development of IPSec – the next generation
network layer crypto platform for Cisco’s security platforms.

2-a

TECHNOLOGY OVERVIEW

THE MOST COMMON VPN TECHNOLOGIES

 Layer-2 tunnels – carry point-to-point data link (PPP)
connections between tunnel endpoints in remote access
VPNs.
- Compulsory mode
- Voluntary mode

 Layer-3 tunnels – provide IP-based virtual connections.
Packets routed between tunnel endpoints wrapped by IETF
defined headers that provide message integrity and
confidentiality.
 Secure Shell – to forward any application protocol over an
authenticated and encrypted client-server connection
 Secure Sockets Layer – to secure application protocol’s
transaction over network

2-b

LAYER-2 TUNNELS

LAYER-2 – THE MOST COMMONLY USED TUNNELING PROTOCOLS
 PPTP – one of the first protocols, designed by Microsoft
- widely deployed since included with NT,95,98
- builds on functionality of PPP, encapsulates PPP by using the
GRE (generic routing encapsulation) protocol, and, as a layer-2
protocol, handles other than IP traffic (IPX, NetBEUI)
- supports authentication for dial-in user (PAP or CHAP)
 L2F – developed in the early stages of VPN by CISCO Systems
- can use other media (ATM, frame-relay) and its tunnels can
support more than one connection
- support for more authentication systems (RADIUS, TACACS+)
 L2FT – being designed by IETF, as the heir apparent to PPTP and
L2F, with support for various authentication systems and transport
media

2-c

LAYER-3 TUNNELS

All of the layer-2 systems provide some level of encryption of
the encapsulated data. To achieve a total protection, they call
for Layer-3 protocols
to strengthen the encryption,
confidentiality and message integrity.
IPsec – THE BEST VPN SOLUTION FOR IP ENVIRONMENTS
- Multivendor and supported by all major OSs
- Scalable (designed with large enterprises in mind)
- General solution – protects any protocol running above IP
and any medium running below
- Designed to secure IP links between machines – cannot
provide the same end-to-end (user-to-user) security as
systems working at the upper levels (i.e. PGP)
- IPsec gateways can be installed whereever they are required
- on firewalls, routers or servers

2-c

LAYER-3 TUNNELS

A list of ICSA Labs certified IPsec products: www.icsalabs.com
THE CORE PROTOCOLS OF IPsec
 ESP (Encapsulating Security Payload) – encrypts and/or
authenticates data
 AH (Authentication Header) – provides a packet authentication
service
 IKE (Internet Key Exchange) – negotiates connection parameters
including keys
IPsec vs. NAT – an interesting complication

Any attempt to perform NAT operations on IPsec packets between
the IPsec gateways creates a basic conflict. In the following
scenario, guest’s VPN client will try to access its VPN server.

2-c

- IPsec wants to authenticate packets and ensure they are
unaltered on a gateway-to-gateway basis
- NAT rewrites packet headers as they go by
- IPsec authentication fails if packets are rewritten anywhere
between the gateways

2-c

LAYER-3 TUNNELS

An example of GUI router configuration of IPsec:

2-c

Configure IKE

Advanced IKE

2-c

LAYER-3 TUNNELS

To protect the contents of an IP datagram, the data is transformed
using cryptography. Two main transformation types form the
building blocks of IPSec, the AH transformation, and the ESP
transformation. AH and ESP can be used in two modes, transport
and tunnel. AH and ESP can also be combined. The transformations
are configured in a data structure called a security association (SA).

2-d

UPPER-LAYER SYSTEMS

Secure Sockets Layer (SSL)
- developed by Netscape and RSA (public-private key encryption)
to transmit private documents via the Internet
- uses a program layer located between HTTP and TCP layers to
secure transmission
- handles the encryption part of a secure HTTP transaction, a
Digital Certificate is necessary to provide server authentication
Whereas SSL creates a secure connection between a client and a
server, over which any amount of data can be sent securely,
S-HTTP was designed to transmit individual messages securely.
SSL evolved in TLS (Transport Layer Security) – IETF standard
- SSL and TSL clients are integral part of several Web browsers
- TLS Record Protocol provides encrypted connection
- TLS Handshake Protocol allows the server and client to
authenticate each other and to negotiate an encryption algorithm
and cryptographic keys before data is exchanged.

2-d

UPPER-LAYER SYSTEMS

An example of authentication via self-issued Digital Certificate:

2-d

After
authentication
and login,
I can control my
firewall logs
from anywhere…

UPPER-LAYER SYSTEMS

2-d

UPPER-LAYER SYSTEMS

… and finally, perhaps to run a few useful commands thanks to SSH

2-d

UPPER-LAYER SYSTEMS

Secure Shell (SSH)
- developed by SSH Communications Security Ltd. to log into
another computer over a network, to execute commands in a
remote machine, and to move files from one machine to another
- provides strong authentication and encryption over insecure
channels
-an inexpensive method of providing trusted users with secure
remote access to a single application, but requires installing SSH
client software
SSH2 – a powerful protocol suite developed by IETF
SSHD2 (Secure Shell Deamon) – server for SSH2
SCP2 (Secure Copy) - to copy files over the network securely
SFTP2 - ftp-like client used for secure file transfer
 APPLICATION LAYER SECURITY TECHNIQUES (i.e. TLS & SSH)
THAT DO NOT MAKE USE OF OR DEPEND ON IP ADDRESSES
WILL WORK CORRECLTY IN THE PRESENCE OF NAT

2-d

UPPER-LAYER SYSTEMS

E-mail-protection systems: S/MIME and OpenPGP

3-a

CISCO ENTERPRISE SOLUTION

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

2-d

VPN FUTURE

-integration of multimedia and VoIP - the focus falling on
delivery of quality of service (QoS) and class of service
(CoS) over IP networks as part of a VPN
- voice and data services merging into one (voice over IP, IP
fax), and new network services being developed to offer the
QoS/CoS required for data, telephony and fax - all
communication devices becoming IP addressable - providing
voice, fax, video and data to the desktop – using VPN security
protocol
- name servers becoming very useful for configuring and
reconfiguring VPNs - work being in progress to extend the use
of DNS servers to provide a secure (IP Security-based)
mechanism for routers to find peer routers and for clients to
find servers

3-b

www.networkmagazine.com
www.cisco.com
www.sans.org
www.freeswan.org
www.iec.org

Petr Sklenar
[email protected]

RESOURCES


Slide 14

A Quick Trip
Through VPN

The purpose of this presentation is to define VPNs in general, to
briefly describe some technologies used in VPNs, and to introduce
major industry vendors together with the VPN solution of CISCO
Systems

Sklenar Petr, 2-20-2003

CONTENT

1-a VPN Definitions
1-b VPN Segmented
1-c VPN Market
2–a
2-b
2-c
2-d

Technology Overview
Layer-2 Tunnels
Layer-3 Tunnels
Upper-Layer Systems

3–a CISCO Enterprise Solution
3-b VPN Future
3-c Resources

1-a

VPN DEFINITIONS

VPNs combine two concepts:
–virtual networks in which geographically or
topographically distributed users and computers
interact and are managed as a single (flat)
network
- private networks in which data is protected from
eavesdropping and the identities of users and
nodes on the network are trusted
VPNs - an alternative to WAN infrastructure:
- deployed on a shared infrastructure employ the
same security and management as applied in
private networks
- can utilize the most pervasive transport
technologies of today (the public Internet, ISPs
IP backbones, service providers ATM and Frame
Relay networks)
- cost effective, flexible (no need to pay for leased
lines, extendable to “everywhere”)

1-a

VPN DEFINITIONS

VPNs based on IP tunnels:
- Encapsulate a data packet within a normal IP
packet for forwarding over an IP-based network.
The encapsulated packet does not need to be IP,
and could, in fact, be any protocol such as IPX,
AppleTalk, SNA or DECnet.
- The encapsulated packet does not need to be
encrypted and authenticated; however, with most
IP based VPNs, especially those running over the
public Internet, encryption is used to ensure
privacy and authentication to ensure integrity of
data.
- Mainly self-deployed; users buy connections from
an ISP and install VPN equipment which they
configure and manage themselves, relying on the
ISP only for the physical connections.

1-a

VPN DEFINITIONS

VPNs based on ISDN, Frame Relay or ATM
- Very different from VPNs based on IP tunnels.
- Use public switched data network services and
use ISDN B channels, PVCs, or SVCs to separate
traffic from other users. Single or multiple B
channels, PVCs, or SVCs may be used between
sites with additional features such as backup and
bandwidth on demand.
- Data packets do not need to be IP, nor do they
need to be encrypted. Due to more wide-spread
awareness about security issue, many users now
choose to encrypt their data.

1-b

VPN SEGMENTED

VPNs ARE SEGMENTED INTO THREE CATEGORIES:
- Remote access
- Intranets
- Extranets

1-b

VPN SEGMENTED

Remote access

- Connects telecommuters, mobile users, smaller
remote offices to the enterprise LAN with minimal
traffic to the corporate computing resources.

1-b

VPN SEGMENTED

Site-to-Site services (Intranets)

- Connect fixed locations, branch offices, and home
offices, within an enterprise WAN.
- VPN services offered to entire LAN / WAN or just
to selected set of authorized hosts.

1-b

VPN SEGMENTED

Business-to-Business services (Extranets)
- Extend limited access of enterprise computing
resources to business partners, such as suppliers
or customers, enabling access to shared
information.
- Use both topologies – Site-to-Site and Remote
Access.

According to research and consulting companies
and to real-time observations, 100 percent of
enterprises are expected to supplement their
WAN infrastructures with VPNs in relatively short
time.

1-c

VPN MARKET

- The tech market is bursting at the seams with HW based
VPNs, and vendors are filling out product lines to target
the smallest of SOHOs all the way to the world’s largest
companies. The result is a dizzying number of choices
from a dizzying number of competitor’s.
- The VPN market hit approximately $1.4 billion in 2001.
Currently, four vendors are carving the lion’s share of the
market:

Check Point (www.checkpoint.com)
Nortel Networks (www.nortelnetworks.com)
NetScreen Technologies (www.netscreen.com)
Cisco Systems (www.cisco.com)

1-c

VPN MARKET

WHY CISCO VPNs?

- One-stop shop for problem solutions – encompass all
segments of the networking infrastructure – platforms,
security, network services and appliances, and management.
- Relatively an easy upgrade of the existing CISCO
infrastructure - a smooth migration path to a VPN
environment by installing VPN modules.
- Low-cost options offered with expanding the product line of
PIX firewall / VPN appliances to target small enterprises and
remote offices.
- Acceptance and development of IPSec – the next generation
network layer crypto platform for Cisco’s security platforms.

2-a

TECHNOLOGY OVERVIEW

THE MOST COMMON VPN TECHNOLOGIES

 Layer-2 tunnels – carry point-to-point data link (PPP)
connections between tunnel endpoints in remote access
VPNs.
- Compulsory mode
- Voluntary mode

 Layer-3 tunnels – provide IP-based virtual connections.
Packets routed between tunnel endpoints wrapped by IETF
defined headers that provide message integrity and
confidentiality.
 Secure Shell – to forward any application protocol over an
authenticated and encrypted client-server connection
 Secure Sockets Layer – to secure application protocol’s
transaction over network

2-b

LAYER-2 TUNNELS

LAYER-2 – THE MOST COMMONLY USED TUNNELING PROTOCOLS
 PPTP – one of the first protocols, designed by Microsoft
- widely deployed since included with NT,95,98
- builds on functionality of PPP, encapsulates PPP by using the
GRE (generic routing encapsulation) protocol, and, as a layer-2
protocol, handles other than IP traffic (IPX, NetBEUI)
- supports authentication for dial-in user (PAP or CHAP)
 L2F – developed in the early stages of VPN by CISCO Systems
- can use other media (ATM, frame-relay) and its tunnels can
support more than one connection
- support for more authentication systems (RADIUS, TACACS+)
 L2FT – being designed by IETF, as the heir apparent to PPTP and
L2F, with support for various authentication systems and transport
media

2-c

LAYER-3 TUNNELS

All of the layer-2 systems provide some level of encryption of
the encapsulated data. To achieve a total protection, they call
for Layer-3 protocols
to strengthen the encryption,
confidentiality and message integrity.
IPsec – THE BEST VPN SOLUTION FOR IP ENVIRONMENTS
- Multivendor and supported by all major OSs
- Scalable (designed with large enterprises in mind)
- General solution – protects any protocol running above IP
and any medium running below
- Designed to secure IP links between machines – cannot
provide the same end-to-end (user-to-user) security as
systems working at the upper levels (i.e. PGP)
- IPsec gateways can be installed whereever they are required
- on firewalls, routers or servers

2-c

LAYER-3 TUNNELS

A list of ICSA Labs certified IPsec products: www.icsalabs.com
THE CORE PROTOCOLS OF IPsec
 ESP (Encapsulating Security Payload) – encrypts and/or
authenticates data
 AH (Authentication Header) – provides a packet authentication
service
 IKE (Internet Key Exchange) – negotiates connection parameters
including keys
IPsec vs. NAT – an interesting complication

Any attempt to perform NAT operations on IPsec packets between
the IPsec gateways creates a basic conflict. In the following
scenario, guest’s VPN client will try to access its VPN server.

2-c

- IPsec wants to authenticate packets and ensure they are
unaltered on a gateway-to-gateway basis
- NAT rewrites packet headers as they go by
- IPsec authentication fails if packets are rewritten anywhere
between the gateways

2-c

LAYER-3 TUNNELS

An example of GUI router configuration of IPsec:

2-c

Configure IKE

Advanced IKE

2-c

LAYER-3 TUNNELS

To protect the contents of an IP datagram, the data is transformed
using cryptography. Two main transformation types form the
building blocks of IPSec, the AH transformation, and the ESP
transformation. AH and ESP can be used in two modes, transport
and tunnel. AH and ESP can also be combined. The transformations
are configured in a data structure called a security association (SA).

2-d

UPPER-LAYER SYSTEMS

Secure Sockets Layer (SSL)
- developed by Netscape and RSA (public-private key encryption)
to transmit private documents via the Internet
- uses a program layer located between HTTP and TCP layers to
secure transmission
- handles the encryption part of a secure HTTP transaction, a
Digital Certificate is necessary to provide server authentication
Whereas SSL creates a secure connection between a client and a
server, over which any amount of data can be sent securely,
S-HTTP was designed to transmit individual messages securely.
SSL evolved in TLS (Transport Layer Security) – IETF standard
- SSL and TSL clients are integral part of several Web browsers
- TLS Record Protocol provides encrypted connection
- TLS Handshake Protocol allows the server and client to
authenticate each other and to negotiate an encryption algorithm
and cryptographic keys before data is exchanged.

2-d

UPPER-LAYER SYSTEMS

An example of authentication via self-issued Digital Certificate:

2-d

After
authentication
and login,
I can control my
firewall logs
from anywhere…

UPPER-LAYER SYSTEMS

2-d

UPPER-LAYER SYSTEMS

… and finally, perhaps to run a few useful commands thanks to SSH

2-d

UPPER-LAYER SYSTEMS

Secure Shell (SSH)
- developed by SSH Communications Security Ltd. to log into
another computer over a network, to execute commands in a
remote machine, and to move files from one machine to another
- provides strong authentication and encryption over insecure
channels
-an inexpensive method of providing trusted users with secure
remote access to a single application, but requires installing SSH
client software
SSH2 – a powerful protocol suite developed by IETF
SSHD2 (Secure Shell Deamon) – server for SSH2
SCP2 (Secure Copy) - to copy files over the network securely
SFTP2 - ftp-like client used for secure file transfer
 APPLICATION LAYER SECURITY TECHNIQUES (i.e. TLS & SSH)
THAT DO NOT MAKE USE OF OR DEPEND ON IP ADDRESSES
WILL WORK CORRECLTY IN THE PRESENCE OF NAT

2-d

UPPER-LAYER SYSTEMS

E-mail-protection systems: S/MIME and OpenPGP

3-a

CISCO ENTERPRISE SOLUTION

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

2-d

VPN FUTURE

-integration of multimedia and VoIP - the focus falling on
delivery of quality of service (QoS) and class of service
(CoS) over IP networks as part of a VPN
- voice and data services merging into one (voice over IP, IP
fax), and new network services being developed to offer the
QoS/CoS required for data, telephony and fax - all
communication devices becoming IP addressable - providing
voice, fax, video and data to the desktop – using VPN security
protocol
- name servers becoming very useful for configuring and
reconfiguring VPNs - work being in progress to extend the use
of DNS servers to provide a secure (IP Security-based)
mechanism for routers to find peer routers and for clients to
find servers

3-b

www.networkmagazine.com
www.cisco.com
www.sans.org
www.freeswan.org
www.iec.org

Petr Sklenar
[email protected]

RESOURCES


Slide 15

A Quick Trip
Through VPN

The purpose of this presentation is to define VPNs in general, to
briefly describe some technologies used in VPNs, and to introduce
major industry vendors together with the VPN solution of CISCO
Systems

Sklenar Petr, 2-20-2003

CONTENT

1-a VPN Definitions
1-b VPN Segmented
1-c VPN Market
2–a
2-b
2-c
2-d

Technology Overview
Layer-2 Tunnels
Layer-3 Tunnels
Upper-Layer Systems

3–a CISCO Enterprise Solution
3-b VPN Future
3-c Resources

1-a

VPN DEFINITIONS

VPNs combine two concepts:
–virtual networks in which geographically or
topographically distributed users and computers
interact and are managed as a single (flat)
network
- private networks in which data is protected from
eavesdropping and the identities of users and
nodes on the network are trusted
VPNs - an alternative to WAN infrastructure:
- deployed on a shared infrastructure employ the
same security and management as applied in
private networks
- can utilize the most pervasive transport
technologies of today (the public Internet, ISPs
IP backbones, service providers ATM and Frame
Relay networks)
- cost effective, flexible (no need to pay for leased
lines, extendable to “everywhere”)

1-a

VPN DEFINITIONS

VPNs based on IP tunnels:
- Encapsulate a data packet within a normal IP
packet for forwarding over an IP-based network.
The encapsulated packet does not need to be IP,
and could, in fact, be any protocol such as IPX,
AppleTalk, SNA or DECnet.
- The encapsulated packet does not need to be
encrypted and authenticated; however, with most
IP based VPNs, especially those running over the
public Internet, encryption is used to ensure
privacy and authentication to ensure integrity of
data.
- Mainly self-deployed; users buy connections from
an ISP and install VPN equipment which they
configure and manage themselves, relying on the
ISP only for the physical connections.

1-a

VPN DEFINITIONS

VPNs based on ISDN, Frame Relay or ATM
- Very different from VPNs based on IP tunnels.
- Use public switched data network services and
use ISDN B channels, PVCs, or SVCs to separate
traffic from other users. Single or multiple B
channels, PVCs, or SVCs may be used between
sites with additional features such as backup and
bandwidth on demand.
- Data packets do not need to be IP, nor do they
need to be encrypted. Due to more wide-spread
awareness about security issue, many users now
choose to encrypt their data.

1-b

VPN SEGMENTED

VPNs ARE SEGMENTED INTO THREE CATEGORIES:
- Remote access
- Intranets
- Extranets

1-b

VPN SEGMENTED

Remote access

- Connects telecommuters, mobile users, smaller
remote offices to the enterprise LAN with minimal
traffic to the corporate computing resources.

1-b

VPN SEGMENTED

Site-to-Site services (Intranets)

- Connect fixed locations, branch offices, and home
offices, within an enterprise WAN.
- VPN services offered to entire LAN / WAN or just
to selected set of authorized hosts.

1-b

VPN SEGMENTED

Business-to-Business services (Extranets)
- Extend limited access of enterprise computing
resources to business partners, such as suppliers
or customers, enabling access to shared
information.
- Use both topologies – Site-to-Site and Remote
Access.

According to research and consulting companies
and to real-time observations, 100 percent of
enterprises are expected to supplement their
WAN infrastructures with VPNs in relatively short
time.

1-c

VPN MARKET

- The tech market is bursting at the seams with HW based
VPNs, and vendors are filling out product lines to target
the smallest of SOHOs all the way to the world’s largest
companies. The result is a dizzying number of choices
from a dizzying number of competitor’s.
- The VPN market hit approximately $1.4 billion in 2001.
Currently, four vendors are carving the lion’s share of the
market:

Check Point (www.checkpoint.com)
Nortel Networks (www.nortelnetworks.com)
NetScreen Technologies (www.netscreen.com)
Cisco Systems (www.cisco.com)

1-c

VPN MARKET

WHY CISCO VPNs?

- One-stop shop for problem solutions – encompass all
segments of the networking infrastructure – platforms,
security, network services and appliances, and management.
- Relatively an easy upgrade of the existing CISCO
infrastructure - a smooth migration path to a VPN
environment by installing VPN modules.
- Low-cost options offered with expanding the product line of
PIX firewall / VPN appliances to target small enterprises and
remote offices.
- Acceptance and development of IPSec – the next generation
network layer crypto platform for Cisco’s security platforms.

2-a

TECHNOLOGY OVERVIEW

THE MOST COMMON VPN TECHNOLOGIES

 Layer-2 tunnels – carry point-to-point data link (PPP)
connections between tunnel endpoints in remote access
VPNs.
- Compulsory mode
- Voluntary mode

 Layer-3 tunnels – provide IP-based virtual connections.
Packets routed between tunnel endpoints wrapped by IETF
defined headers that provide message integrity and
confidentiality.
 Secure Shell – to forward any application protocol over an
authenticated and encrypted client-server connection
 Secure Sockets Layer – to secure application protocol’s
transaction over network

2-b

LAYER-2 TUNNELS

LAYER-2 – THE MOST COMMONLY USED TUNNELING PROTOCOLS
• PPTP – one of the first protocols, designed by Microsoft
- widely deployed since it is included with NT, 95 and 98
- builds on the functionality of PPP, encapsulates PPP using the
GRE (generic routing encapsulation) protocol, and, as a layer-2
protocol, handles traffic other than IP (IPX, NetBEUI)
- supports authentication for dial-in users (PAP or CHAP)
• L2F – developed in the early stages of VPN by CISCO Systems
- can use other media (ATM, frame-relay) and its tunnels can
support more than one connection
- support for more authentication systems (RADIUS, TACACS+)
• L2TP – being designed by IETF as the heir apparent to PPTP and
L2F, with support for various authentication systems and transport
media

2-c

LAYER-3 TUNNELS

All of the layer-2 systems provide some level of encryption of
the encapsulated data. To achieve total protection, they call for
Layer-3 protocols to strengthen the encryption, confidentiality
and message integrity.
IPsec – THE BEST VPN SOLUTION FOR IP ENVIRONMENTS
- Multivendor and supported by all major OSs
- Scalable (designed with large enterprises in mind)
- General solution – protects any protocol running above IP
and any medium running below
- Designed to secure IP links between machines – cannot
provide the same end-to-end (user-to-user) security as
systems working at the upper levels (e.g. PGP)
- IPsec gateways can be installed wherever they are required
- on firewalls, routers or servers

2-c

LAYER-3 TUNNELS

A list of ICSA Labs certified IPsec products: www.icsalabs.com
THE CORE PROTOCOLS OF IPsec
• ESP (Encapsulating Security Payload) – encrypts and/or
authenticates data
• AH (Authentication Header) – provides a packet authentication
service
• IKE (Internet Key Exchange) – negotiates connection parameters
including keys
IPsec vs. NAT – an interesting complication

Any attempt to perform NAT operations on IPsec packets between
the IPsec gateways creates a basic conflict. In the following
scenario, a guest’s VPN client tries to access its VPN server.

2-c

- IPsec wants to authenticate packets and ensure they are
unaltered on a gateway-to-gateway basis
- NAT rewrites packet headers as they go by
- IPsec authentication fails if packets are rewritten anywhere
between the gateways

2-c

LAYER-3 TUNNELS

An example of GUI router configuration of IPsec (screenshots:
Configure IKE, Advanced IKE)

2-c

LAYER-3 TUNNELS

To protect the contents of an IP datagram, the data is transformed
using cryptography. Two main transformation types form the
building blocks of IPSec, the AH transformation, and the ESP
transformation. AH and ESP can be used in two modes, transport
and tunnel. AH and ESP can also be combined. The transformations
are configured in a data structure called a security association (SA).

2-d

UPPER-LAYER SYSTEMS

Secure Sockets Layer (SSL)
- developed by Netscape and RSA (public-private key encryption)
to transmit private documents via the Internet
- uses a program layer located between the HTTP and TCP layers to
secure transmission
- handles the encryption part of a secure HTTP transaction; a
Digital Certificate is necessary to provide server authentication
Whereas SSL creates a secure connection between a client and a
server, over which any amount of data can be sent securely,
S-HTTP was designed to transmit individual messages securely.
SSL evolved into TLS (Transport Layer Security) – IETF standard
- SSL and TLS clients are an integral part of several Web browsers
- TLS Record Protocol provides the encrypted connection
- TLS Handshake Protocol allows the server and client to
authenticate each other and to negotiate an encryption algorithm
and cryptographic keys before data is exchanged.

2-d

UPPER-LAYER SYSTEMS

An example of authentication via self-issued Digital Certificate:

2-d

UPPER-LAYER SYSTEMS

After authentication and login, I can control my firewall logs
from anywhere…

2-d

UPPER-LAYER SYSTEMS

… and finally, perhaps to run a few useful commands thanks to SSH

2-d

UPPER-LAYER SYSTEMS

Secure Shell (SSH)
- developed by SSH Communications Security Ltd. to log into
another computer over a network, to execute commands on a
remote machine, and to move files from one machine to another
- provides strong authentication and encryption over insecure
channels
- an inexpensive method of providing trusted users with secure
remote access to a single application, but requires installing SSH
client software
SSH2 – a powerful protocol suite developed by IETF
SSHD2 (Secure Shell Daemon) – server for SSH2
SCP2 (Secure Copy) - to copy files over the network securely
SFTP2 - ftp-like client used for secure file transfer
• APPLICATION LAYER SECURITY TECHNIQUES (e.g. TLS & SSH)
THAT DO NOT MAKE USE OF OR DEPEND ON IP ADDRESSES
WILL WORK CORRECTLY IN THE PRESENCE OF NAT
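The IPsec-versus-NAT conflict, the AH/ESP transforms with their security association, and the statement that application-layer techniques survive NAT, worked through in a toy model added here (a constructed example, not code from the presentation or from any vendor): HMAC-SHA256 stands in for the SA's negotiated integrity algorithm, the addresses and keys are made up, and encryption is left out so only the integrity part is shown. It goes one step beyond the slides by also showing that an ESP tunnel-mode ICV, which does not cover the outer IP header, survives the same rewrite.

```python
"""Toy model of IPsec integrity across NAT (constructed example).

Real AH (RFC 4302) computes its ICV over the IP header with mutable fields
zeroed, the AH header and the payload, using the algorithm negotiated in the
SA; HMAC-SHA256 stands in for that algorithm here.  Addresses are taken from
the documentation ranges and the keys are made up."""
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ttl: int          # mutable in transit, so never covered by an ICV
    payload: bytes
    icv: bytes = b""  # integrity check value carried in the AH/ESP header


@dataclass(frozen=True)
class SecurityAssociation:
    """What both gateways agreed on (normally negotiated by IKE)."""
    spi: int
    key: bytes
    protocol: str     # "AH" or "ESP"
    mode: str         # "transport" or "tunnel"


def _mac(sa: SecurityAssociation, *parts: bytes) -> bytes:
    h = hmac.new(sa.key, digestmod=hashlib.sha256)
    h.update(sa.spi.to_bytes(4, "big"))
    for part in parts:
        h.update(part)
    return h.digest()


def ah_protect(sa: SecurityAssociation, pkt: Packet) -> Packet:
    """AH transport mode: the ICV binds src/dst addresses and payload.
    TTL is mutable, so AH treats it as zero when computing the ICV."""
    icv = _mac(sa, pkt.src.encode(), pkt.dst.encode(), b"\x00", pkt.payload)
    return replace(pkt, icv=icv)


def ah_verify(sa: SecurityAssociation, pkt: Packet) -> bool:
    expect = _mac(sa, pkt.src.encode(), pkt.dst.encode(), b"\x00", pkt.payload)
    return hmac.compare_digest(pkt.icv, expect)


def esp_tunnel_protect(sa, inner: Packet, gw_src: str, gw_dst: str) -> Packet:
    """ESP tunnel mode: the whole inner packet becomes the payload of a new
    outer packet addressed gateway to gateway.  The ESP ICV covers the ESP
    header and the (normally encrypted) inner packet, not the outer header."""
    body = b"|".join([inner.src.encode(), inner.dst.encode(), inner.payload])
    return Packet(gw_src, gw_dst, 64, body, icv=_mac(sa, body))


def esp_tunnel_verify(sa: SecurityAssociation, outer: Packet) -> bool:
    return hmac.compare_digest(outer.icv, _mac(sa, outer.payload))


# Two kinds of middlebox on the path between the IPsec gateways.
def router_forward(pkt: Packet) -> Packet:
    return replace(pkt, ttl=pkt.ttl - 1)                  # only a mutable field changes


def nat_rewrite(pkt: Packet, public_ip: str) -> Packet:
    return replace(pkt, src=public_ip, ttl=pkt.ttl - 1)   # rewrites the IP header


CLIENT, SERVER, NAT_PUBLIC = "192.0.2.10", "198.51.100.5", "203.0.113.1"
AH_SA = SecurityAssociation(0x1001, b"constructed-ah-key", "AH", "transport")
ESP_SA = SecurityAssociation(0x2002, b"constructed-esp-key", "ESP", "tunnel")
APP_KEY = b"constructed-tls-or-ssh-session-key"  # upper-layer session key


def scenario_ah_plain_routing() -> bool:
    pkt = ah_protect(AH_SA, Packet(CLIENT, SERVER, 64, b"GET /firewall/logs"))
    return ah_verify(AH_SA, router_forward(router_forward(pkt)))  # True


def scenario_ah_through_nat() -> bool:
    pkt = ah_protect(AH_SA, Packet(CLIENT, SERVER, 64, b"GET /firewall/logs"))
    return ah_verify(AH_SA, nat_rewrite(pkt, NAT_PUBLIC))  # False: src was covered


def scenario_esp_tunnel_through_nat() -> bool:
    inner = Packet(CLIENT, SERVER, 64, b"GET /firewall/logs")
    outer = esp_tunnel_protect(ESP_SA, inner, "192.0.2.1", "198.51.100.1")
    # True: the outer header is outside the ICV.  In practice ESP still needs
    # UDP encapsulation (NAT-T, RFC 3948), since ESP has no ports for a NAT
    # to map; the integrity check itself is what survives here.
    return esp_tunnel_verify(ESP_SA, nat_rewrite(outer, NAT_PUBLIC))


def scenario_app_layer_mac_through_nat() -> bool:
    """TLS/SSH-style MAC covers only application data, never IP addresses."""
    data = b"GET /firewall/logs"
    tag = hmac.new(APP_KEY, data, hashlib.sha256).digest()
    pkt = nat_rewrite(Packet(CLIENT, SERVER, 64, data + tag), NAT_PUBLIC)
    body, recv_tag = pkt.payload[:-32], pkt.payload[-32:]
    expect = hmac.new(APP_KEY, body, hashlib.sha256).digest()
    return hmac.compare_digest(recv_tag, expect)  # True


if __name__ == "__main__":
    for fn in (scenario_ah_plain_routing, scenario_ah_through_nat,
               scenario_esp_tunnel_through_nat, scenario_app_layer_mac_through_nat):
        print(f"{fn.__name__}: {fn()}")
```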

2-d

UPPER-LAYER SYSTEMS

E-mail-protection systems: S/MIME and OpenPGP

3-a

CISCO ENTERPRISE SOLUTION

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

3-b

VPN FUTURE

- integration of multimedia and VoIP - the focus falling on
delivery of quality of service (QoS) and class of service
(CoS) over IP networks as part of a VPN
- voice and data services merging into one (voice over IP, IP
fax), and new network services being developed to offer the
QoS/CoS required for data, telephony and fax - all
communication devices becoming IP addressable - providing
voice, fax, video and data to the desktop – using VPN security
protocol
- name servers becoming very useful for configuring and
reconfiguring VPNs - work being in progress to extend the use
of DNS servers to provide a secure (IP Security-based)
mechanism for routers to find peer routers and for clients to
find servers

3-c

RESOURCES

www.networkmagazine.com
www.cisco.com
www.sans.org
www.freeswan.org
www.iec.org

Petr Sklenar
[email protected]


Slide 18

A Quick Trip
Through VPN

The purpose of this presentation is to define VPNs in general, to
briefly describe some technologies used in VPNs, and to introduce
major industry vendors together with the VPN solution of CISCO
Systems

Sklenar Petr, 2-20-2003

CONTENT

1-a VPN Definitions
1-b VPN Segmented
1-c VPN Market
2–a
2-b
2-c
2-d

Technology Overview
Layer-2 Tunnels
Layer-3 Tunnels
Upper-Layer Systems

3–a CISCO Enterprise Solution
3-b VPN Future
3-c Resources

1-a

VPN DEFINITIONS

VPNs combine two concepts:
–virtual networks in which geographically or
topographically distributed users and computers
interact and are managed as a single (flat)
network
- private networks in which data is protected from
eavesdropping and the identities of users and
nodes on the network are trusted
VPNs - an alternative to WAN infrastructure:
- deployed on a shared infrastructure employ the
same security and management as applied in
private networks
- can utilize the most pervasive transport
technologies of today (the public Internet, ISPs
IP backbones, service providers ATM and Frame
Relay networks)
- cost effective, flexible (no need to pay for leased
lines, extendable to “everywhere”)

1-a

VPN DEFINITIONS

VPNs based on IP tunnels:
- Encapsulate a data packet within a normal IP
packet for forwarding over an IP-based network.
The encapsulated packet does not need to be IP,
and could, in fact, be any protocol such as IPX,
AppleTalk, SNA or DECnet.
- The encapsulated packet does not need to be
encrypted and authenticated; however, with most
IP based VPNs, especially those running over the
public Internet, encryption is used to ensure
privacy and authentication to ensure integrity of
data.
- Mainly self-deployed; users buy connections from
an ISP and install VPN equipment which they
configure and manage themselves, relying on the
ISP only for the physical connections.

1-a

VPN DEFINITIONS

VPNs based on ISDN, Frame Relay or ATM
- Very different from VPNs based on IP tunnels.
- Use public switched data network services and
use ISDN B channels, PVCs, or SVCs to separate
traffic from other users. Single or multiple B
channels, PVCs, or SVCs may be used between
sites with additional features such as backup and
bandwidth on demand.
- Data packets do not need to be IP, nor do they
need to be encrypted. Due to more wide-spread
awareness about security issue, many users now
choose to encrypt their data.

1-b

VPN SEGMENTED

VPNs ARE SEGMENTED INTO THREE CATEGORIES:
- Remote access
- Intranets
- Extranets

1-b

VPN SEGMENTED

Remote access

- Connects telecommuters, mobile users, smaller
remote offices to the enterprise LAN with minimal
traffic to the corporate computing resources.

1-b

VPN SEGMENTED

Site-to-Site services (Intranets)

- Connect fixed locations, branch offices, and home
offices, within an enterprise WAN.
- VPN services offered to entire LAN / WAN or just
to selected set of authorized hosts.

1-b

VPN SEGMENTED

Business-to-Business services (Extranets)
- Extend limited access of enterprise computing
resources to business partners, such as suppliers
or customers, enabling access to shared
information.
- Use both topologies – Site-to-Site and Remote
Access.

According to research and consulting companies
and to real-time observations, 100 percent of
enterprises are expected to supplement their
WAN infrastructures with VPNs in relatively short
time.

1-c

VPN MARKET

- The tech market is bursting at the seams with HW based
VPNs, and vendors are filling out product lines to target
the smallest of SOHOs all the way to the world’s largest
companies. The result is a dizzying number of choices
from a dizzying number of competitor’s.
- The VPN market hit approximately $1.4 billion in 2001.
Currently, four vendors are carving the lion’s share of the
market:

Check Point (www.checkpoint.com)
Nortel Networks (www.nortelnetworks.com)
NetScreen Technologies (www.netscreen.com)
Cisco Systems (www.cisco.com)

1-c

VPN MARKET

WHY CISCO VPNs?

- One-stop shop for problem solutions – encompasses all
segments of the networking infrastructure – platforms,
security, network services and appliances, and management.
- A relatively easy upgrade of the existing CISCO
infrastructure: a smooth migration path to a VPN
environment by installing VPN modules.
- Low-cost options offered by expanding the product line of
PIX firewall / VPN appliances to target small enterprises and
remote offices.
- Acceptance and development of IPsec – the next generation
network layer crypto platform for Cisco’s security platforms.

2-a

TECHNOLOGY OVERVIEW

THE MOST COMMON VPN TECHNOLOGIES

• Layer-2 tunnels – carry point-to-point data link (PPP)
connections between tunnel endpoints in remote access
VPNs.
- Compulsory mode (the tunnel is set up by the access
server / ISP on the user’s behalf)
- Voluntary mode (the tunnel is set up by the user’s own
client software)

• Layer-3 tunnels – provide IP-based virtual connections.
Packets routed between tunnel endpoints are wrapped in
IETF-defined headers that provide message integrity and
confidentiality.
• Secure Shell – forwards any application protocol over an
authenticated and encrypted client-server connection
• Secure Sockets Layer – secures an application protocol’s
transactions over the network

2-b

LAYER-2 TUNNELS

LAYER-2 – THE MOST COMMONLY USED TUNNELING PROTOCOLS
• PPTP – one of the first protocols, designed by Microsoft
- widely deployed because it ships with Windows NT, 95 and 98
- builds on the functionality of PPP, encapsulates PPP frames in
GRE (generic routing encapsulation) and, as a layer-2
protocol, carries traffic other than IP (IPX, NetBEUI)
- supports authentication of the dial-in user (PAP or CHAP)
• L2F – developed in the early stages of VPN by CISCO Systems
- can use other media (ATM, frame relay) and its tunnels can
carry more than one connection
- supports more authentication systems (RADIUS, TACACS+)
• L2TP – standardized by the IETF (RFC 2661) as the heir apparent
to PPTP and L2F, with support for various authentication systems
and transport media

2-c

LAYER-3 TUNNELS

The layer-2 tunnelling protocols themselves provide little or no
encryption of the encapsulated data: PPTP relies on PPP-level
encryption (MPPE), while L2F and L2TP define none. For real
protection they are combined with a layer-3 protocol, in practice
IPsec (L2TP over IPsec), which supplies strong encryption,
confidentiality and message integrity.
IPsec – THE BEST VPN SOLUTION FOR IP ENVIRONMENTS
- Multivendor and supported by all major OSs
- Scalable (designed with large enterprises in mind)
- General solution – protects any protocol running above IP
and any medium running below
- Designed to secure IP links between machines – cannot
provide the same end-to-end (user-to-user) security as
systems working at the upper layers (e.g. PGP)
- IPsec gateways can be installed wherever they are required
- on firewalls, routers or servers

2-c

LAYER-3 TUNNELS

A list of ICSA Labs certified IPsec products: www.icsalabs.com
THE CORE PROTOCOLS OF IPsec
• ESP (Encapsulating Security Payload) – encrypts and/or
authenticates the payload
• AH (Authentication Header) – authenticates the whole packet,
including the non-mutable fields of the outer IP header
• IKE (Internet Key Exchange) – negotiates connection parameters,
including keys
IPsec vs. NAT – an interesting complication

Any attempt to perform NAT on IPsec packets between the IPsec
gateways creates a basic conflict. In the following scenario, a
guest’s VPN client tries to reach its VPN server through a NAT device.

2-c

- IPsec wants to authenticate packets and ensure they are
unaltered on a gateway-to-gateway basis
- NAT rewrites packet headers (addresses, and for NAPT also
ports) as they go by
- IPsec authentication fails if packets are rewritten anywhere
between the gateways: with AH always, because the ICV covers
the source and destination addresses; with ESP the outer header
is not covered, but a port-translating NAT finds no TCP/UDP
ports inside ESP to work with. The practical way around this is
to carry IKE and ESP inside UDP (NAT traversal, UDP port 4500).

2-c

LAYER-3 TUNNELS

An example of GUI router configuration of IPsec (screenshots of
the “Configure IKE” and “Advanced IKE” screens, not reproduced in
the transcript)

2-c

LAYER-3 TUNNELS

To protect the contents of an IP datagram, the data is transformed
using cryptography. Two main transformation types form the
building blocks of IPSec, the AH transformation, and the ESP
transformation. AH and ESP can be used in two modes, transport
and tunnel. AH and ESP can also be combined. The transformations
are configured in a data structure called a security association (SA).
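The NAT conflict described above and the security-association structure just introduced, shown as an added example that is not part of the original presentation or of any vendor’s code. It models a transport-mode AH packet and a tunnel-mode ESP packet, both using HMAC-SHA1-96 as the integrity check value, applies a one-to-one NAT that rewrites the outer source address, and shows which ICV still verifies. The SA fields, addresses, SPI values, key and payload bytes are constructed for the demonstration; encryption of the ESP payload is left out because it does not change what the ICV covers.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// SA is a minimal model of an IPsec security association (assumed fields; real
// SAs also carry algorithm identifiers, lifetimes, anti-replay state, selectors).
type SA struct {
	SPI     uint32
	Proto   string // "AH" or "ESP"
	Mode    string // "transport" or "tunnel"
	AuthKey []byte
}

const icvLen = 12 // HMAC-SHA1-96 keeps 96 bits of the HMAC-SHA1 output

// ipv4Header builds a 20-byte IPv4 header without options.
func ipv4Header(src, dst [4]byte, proto byte, payloadLen int) []byte {
	h := make([]byte, 20)
	h[0] = 0x45 // version 4, IHL 5
	binary.BigEndian.PutUint16(h[2:], uint16(20+payloadLen))
	binary.BigEndian.PutUint16(h[4:], 0x1234) // identification
	binary.BigEndian.PutUint16(h[6:], 0x4000) // DF set, no fragment offset
	h[8] = 64                                 // TTL
	h[9] = proto                              // 6 = TCP, 50 = ESP, 51 = AH
	copy(h[12:16], src[:])
	copy(h[16:20], dst[:])
	binary.BigEndian.PutUint16(h[10:], ipChecksum(h))
	return h
}

// ipChecksum is the one's-complement header checksum with the checksum field itself taken as zero.
func ipChecksum(h []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(h); i += 2 {
		if i != 10 {
			sum += uint32(binary.BigEndian.Uint16(h[i:]))
		}
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

func icv(key, data []byte) []byte {
	m := hmac.New(sha1.New, key)
	m.Write(data)
	return m.Sum(nil)[:icvLen]
}

// ahProtected returns what AH authenticates (RFC 2402): the IP header with its
// mutable fields (TOS, flags/fragment offset, TTL, checksum) zeroed, the AH header
// with the ICV field zeroed, and the payload. The addresses stay in.
func ahProtected(ip, ah, payload []byte) []byte {
	z := append([]byte(nil), ip...)
	z[1], z[6], z[7], z[8], z[10], z[11] = 0, 0, 0, 0, 0, 0
	a := append([]byte(nil), ah...)
	for i := 12; i < len(a); i++ {
		a[i] = 0
	}
	return append(append(z, a...), payload...)
}

// BuildAH emits IP|AH|payload in transport mode.
func BuildAH(sa SA, src, dst [4]byte, nextHdr byte, payload []byte) []byte {
	ah := make([]byte, 12+icvLen)
	ah[0] = nextHdr
	ah[1] = byte((12+icvLen)/4 - 2) // AH length in 32-bit words minus 2
	binary.BigEndian.PutUint32(ah[4:], sa.SPI)
	binary.BigEndian.PutUint32(ah[8:], 1) // sequence number
	ip := ipv4Header(src, dst, 51, len(ah)+len(payload))
	copy(ah[12:], icv(sa.AuthKey, ahProtected(ip, ah, payload)))
	return append(append(ip, ah...), payload...)
}

// VerifyAH recomputes the ICV the way the receiving gateway does.
func VerifyAH(sa SA, pkt []byte) bool {
	ip, ah, payload := pkt[:20], pkt[20:32+icvLen], pkt[32+icvLen:]
	return hmac.Equal(ah[12:], icv(sa.AuthKey, ahProtected(ip, ah, payload)))
}

// BuildESPTunnel emits outerIP|ESP(SPI,seq)|inner packet|ICV. The ICV starts at
// the SPI, so the outer IP header is never authenticated (encryption omitted).
func BuildESPTunnel(sa SA, outerSrc, outerDst [4]byte, inner []byte) []byte {
	esp := make([]byte, 8, 8+len(inner)+icvLen)
	binary.BigEndian.PutUint32(esp[0:], sa.SPI)
	binary.BigEndian.PutUint32(esp[4:], 1)
	esp = append(esp, inner...)
	esp = append(esp, icv(sa.AuthKey, esp)...)
	return append(ipv4Header(outerSrc, outerDst, 50, len(esp)), esp...)
}

// VerifyESP checks the trailing ICV over the ESP header and payload.
func VerifyESP(sa SA, pkt []byte) bool {
	esp := pkt[20:]
	n := len(esp) - icvLen
	return hmac.Equal(esp[n:], icv(sa.AuthKey, esp[:n]))
}

// NATSource models a one-to-one NAT on the path: rewrite the source address and
// repair the IP checksum. A port-translating NAPT has no TCP/UDP ports to work
// with inside ESP, which is why NAT traversal wraps ESP in UDP (port 4500, RFC 3948).
func NATSource(pkt []byte, newSrc [4]byte) []byte {
	out := append([]byte(nil), pkt...)
	copy(out[12:16], newSrc[:])
	binary.BigEndian.PutUint16(out[10:], ipChecksum(out[:20]))
	return out
}

func main() {
	key := []byte("constructed demo key") // fixed key for the demo only
	inside, gw, natted := [4]byte{10, 0, 0, 5}, [4]byte{203, 0, 113, 1}, [4]byte{198, 51, 100, 7}
	payload := []byte("TCP segment (constructed)")
	ahSA := SA{SPI: 0x1000, Proto: "AH", Mode: "transport", AuthKey: key}
	ah := BuildAH(ahSA, inside, gw, 6, payload)
	fmt.Println("AH transport: before NAT", VerifyAH(ahSA, ah), "after NAT", VerifyAH(ahSA, NATSource(ah, natted)))
	espSA := SA{SPI: 0x2000, Proto: "ESP", Mode: "tunnel", AuthKey: key}
	inner := append(ipv4Header(inside, [4]byte{10, 1, 0, 9}, 6, len(payload)), payload...)
	esp := BuildESPTunnel(espSA, inside, gw, inner)
	fmt.Println("ESP tunnel  : before NAT", VerifyESP(espSA, esp), "after NAT", VerifyESP(espSA, NATSource(esp, natted)))
}
```

Run it and the AH packet verifies before the NAT and fails after it, while the ESP tunnel packet verifies in both cases; a TTL decrement by an ordinary router does not break AH, because TTL is one of the mutable fields excluded from the ICV.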

2-d

UPPER-LAYER SYSTEMS

Secure Sockets Layer (SSL)
- developed by Netscape, using RSA public-key cryptography, to
transmit private documents via the Internet
- implemented as a program layer located between the HTTP and TCP
layers to secure the transmission
- handles the encryption of a secure HTTP transaction; a digital
certificate is necessary to authenticate the server
Whereas SSL creates a secure connection between a client and a
server, over which any amount of data can be sent securely,
S-HTTP was designed to transmit individual messages securely.
SSL evolved into TLS (Transport Layer Security), the IETF standard
(RFC 2246)
- SSL and TLS clients are an integral part of several Web browsers
- the TLS Record Protocol provides the encrypted, integrity-protected
connection
- the TLS Handshake Protocol allows the server and client to
authenticate each other and to negotiate an encryption algorithm
and cryptographic keys before data is exchanged.

2-d

UPPER-LAYER SYSTEMS

An example of authentication via a self-issued Digital Certificate:

After authentication and login, I can control my firewall logs
from anywhere…

… and finally, perhaps run a few useful commands thanks to SSH

(The three screenshots that accompanied these captions are not
reproduced in the transcript.)
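The self-issued-certificate login shown above has a catch a practitioner should check: a self-signed certificate authenticates the server only if the client trusts that one certificate, obtained out of band; a client that trusts the usual CA roots rejects it, and a client told to skip verification accepts any certificate, including an attacker’s. The following added example, not part of the original presentation, runs a loopback TLS handshake in Go against a freshly generated self-signed certificate with those three client configurations. The server name firewall.example.invalid and all key material are assumptions generated on the spot.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SelfSignedServer is a loopback TLS server presenting a self-signed certificate,
// standing in for the firewall's web interface on the slide (assumed setup).
type SelfSignedServer struct {
	Addr string            // host:port to dial
	Cert *x509.Certificate // the one certificate a client must pin to authenticate it
	ln   net.Listener
}

// newSelfSignedCert issues a certificate for 127.0.0.1 signed by its own key.
func newSelfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: "firewall.example.invalid"}, // assumed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // SAN matching the loopback address
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// StartServer listens on an ephemeral loopback port and answers every connection
// with one line; the handshake runs on that first write.
func StartServer() (*SelfSignedServer, error) {
	tlsCert, parsed, err := newSelfSignedCert()
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{tlsCert}, MinVersion: tls.VersionTLS12}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	s := &SelfSignedServer{Addr: ln.Addr().String(), Cert: parsed, ln: ln}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				_, _ = c.Write([]byte("firewall log viewer\n")) // a rejected cert shows up as the client's error
			}(c)
		}
	}()
	return s, nil
}

// Close stops the listener.
func (s *SelfSignedServer) Close() { s.ln.Close() }

// Handshake dials addr with the given client configuration and returns the error
// the client sees; certificate verification failures surface here.
func Handshake(addr string, cfg *tls.Config) error {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// PinnedConfig trusts exactly one certificate, obtained out of band (for a
// self-signed firewall, for example by checking its fingerprint on the console).
func PinnedConfig(cert *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// DefaultConfig trusts the system CA roots only, so a self-signed server
// certificate is rejected as signed by an unknown authority.
func DefaultConfig() *tls.Config { return &tls.Config{MinVersion: tls.VersionTLS12} }

// InsecureConfig is the "click through the warning" setting: no verification at
// all, so a man in the middle presenting any certificate is accepted too.
func InsecureConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12}
}

func main() {
	srv, err := StartServer()
	if err != nil {
		panic(err)
	}
	defer srv.Close()
	fmt.Println("pinned self-signed cert:", Handshake(srv.Addr, PinnedConfig(srv.Cert)))
	fmt.Println("system CA roots        :", Handshake(srv.Addr, DefaultConfig()))
	fmt.Println("InsecureSkipVerify     :", Handshake(srv.Addr, InsecureConfig()))
}
```

Only the pinned client both succeeds and actually authenticates the server: pointing the same pinned client at a second server with its own self-signed certificate fails, which is the property that makes the self-issued certificate worth anything. The insecure configuration succeeds against both, which is exactly why it proves nothing.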

2-d

UPPER-LAYER SYSTEMS

Secure Shell (SSH)
- developed by SSH Communications Security Ltd. to log into
another computer over a network, to execute commands on a
remote machine, and to move files from one machine to another
- provides strong authentication and encryption over insecure
channels
- an inexpensive method of providing trusted users with secure
remote access to a single application, but requires installing SSH
client software
SSH2 – the second protocol version, a protocol suite being
standardized by the IETF (secsh working group)
SSHD2 (Secure Shell Daemon) – server for SSH2
SCP2 (Secure Copy) – copies files over the network securely
SFTP2 – ftp-like client used for secure file transfer
• APPLICATION LAYER SECURITY TECHNIQUES (e.g. TLS & SSH)
THAT DO NOT MAKE USE OF OR DEPEND ON IP ADDRESSES
WILL WORK CORRECTLY IN THE PRESENCE OF NAT

2-d

UPPER-LAYER SYSTEMS

E-mail-protection systems: S/MIME and OpenPGP

3-a

CISCO ENTERPRISE SOLUTION

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

3-b

VPN FUTURE

- integration of multimedia and VoIP – the focus falling on
delivery of quality of service (QoS) and class of service
(CoS) over IP networks as part of a VPN
- voice and data services merging into one (voice over IP, IP
fax), with new network services being developed to offer the
QoS/CoS required for data, telephony and fax; all
communication devices becoming IP addressable and delivering
voice, fax, video and data to the desktop under VPN security
protocols
- name servers becoming very useful for configuring and
reconfiguring VPNs – work is in progress to extend the use
of DNS to provide a secure (IPsec-based) mechanism for
routers to find peer routers and for clients to find servers

3-c

RESOURCES

www.networkmagazine.com
www.cisco.com
www.sans.org
www.freeswan.org
www.iec.org

Petr Sklenar
[email protected]


Slide 19

A Quick Trip
Through VPN

The purpose of this presentation is to define VPNs in general, to
briefly describe some technologies used in VPNs, and to introduce
major industry vendors together with the VPN solution of CISCO
Systems

Sklenar Petr, 2-20-2003

CONTENT

1-a VPN Definitions
1-b VPN Segmented
1-c VPN Market
2–a
2-b
2-c
2-d

Technology Overview
Layer-2 Tunnels
Layer-3 Tunnels
Upper-Layer Systems

3–a CISCO Enterprise Solution
3-b VPN Future
3-c Resources

1-a

VPN DEFINITIONS

VPNs combine two concepts:
–virtual networks in which geographically or
topographically distributed users and computers
interact and are managed as a single (flat)
network
- private networks in which data is protected from
eavesdropping and the identities of users and
nodes on the network are trusted
VPNs - an alternative to WAN infrastructure:
- deployed on a shared infrastructure employ the
same security and management as applied in
private networks
- can utilize the most pervasive transport
technologies of today (the public Internet, ISPs
IP backbones, service providers ATM and Frame
Relay networks)
- cost effective, flexible (no need to pay for leased
lines, extendable to “everywhere”)

1-a

VPN DEFINITIONS

VPNs based on IP tunnels:
- Encapsulate a data packet within a normal IP
packet for forwarding over an IP-based network.
The encapsulated packet does not need to be IP,
and could, in fact, be any protocol such as IPX,
AppleTalk, SNA or DECnet.
- The encapsulated packet does not need to be
encrypted and authenticated; however, with most
IP based VPNs, especially those running over the
public Internet, encryption is used to ensure
privacy and authentication to ensure integrity of
data.
- Mainly self-deployed; users buy connections from
an ISP and install VPN equipment which they
configure and manage themselves, relying on the
ISP only for the physical connections.

1-a

VPN DEFINITIONS

VPNs based on ISDN, Frame Relay or ATM
- Very different from VPNs based on IP tunnels.
- Use public switched data network services and
use ISDN B channels, PVCs, or SVCs to separate
traffic from other users. Single or multiple B
channels, PVCs, or SVCs may be used between
sites with additional features such as backup and
bandwidth on demand.
- Data packets do not need to be IP, nor do they
need to be encrypted. Due to more wide-spread
awareness about security issue, many users now
choose to encrypt their data.

1-b

VPN SEGMENTED

VPNs ARE SEGMENTED INTO THREE CATEGORIES:
- Remote access
- Intranets
- Extranets

1-b

VPN SEGMENTED

Remote access

- Connects telecommuters, mobile users, smaller
remote offices to the enterprise LAN with minimal
traffic to the corporate computing resources.

1-b

VPN SEGMENTED

Site-to-Site services (Intranets)

- Connect fixed locations, branch offices, and home
offices, within an enterprise WAN.
- VPN services offered to entire LAN / WAN or just
to selected set of authorized hosts.

1-b

VPN SEGMENTED

Business-to-Business services (Extranets)
- Extend limited access of enterprise computing
resources to business partners, such as suppliers
or customers, enabling access to shared
information.
- Use both topologies – Site-to-Site and Remote
Access.

According to research and consulting companies
and to real-time observations, 100 percent of
enterprises are expected to supplement their
WAN infrastructures with VPNs in relatively short
time.

1-c

VPN MARKET

- The tech market is bursting at the seams with HW based
VPNs, and vendors are filling out product lines to target
the smallest of SOHOs all the way to the world’s largest
companies. The result is a dizzying number of choices
from a dizzying number of competitor’s.
- The VPN market hit approximately $1.4 billion in 2001.
Currently, four vendors are carving the lion’s share of the
market:

Check Point (www.checkpoint.com)
Nortel Networks (www.nortelnetworks.com)
NetScreen Technologies (www.netscreen.com)
Cisco Systems (www.cisco.com)

1-c

VPN MARKET

WHY CISCO VPNs?

- One-stop shop for problem solutions – encompass all
segments of the networking infrastructure – platforms,
security, network services and appliances, and management.
- Relatively an easy upgrade of the existing CISCO
infrastructure - a smooth migration path to a VPN
environment by installing VPN modules.
- Low-cost options offered with expanding the product line of
PIX firewall / VPN appliances to target small enterprises and
remote offices.
- Acceptance and development of IPSec – the next generation
network layer crypto platform for Cisco’s security platforms.

2-a

TECHNOLOGY OVERVIEW

THE MOST COMMON VPN TECHNOLOGIES

 Layer-2 tunnels – carry point-to-point data link (PPP)
connections between tunnel endpoints in remote access
VPNs.
- Compulsory mode
- Voluntary mode

 Layer-3 tunnels – provide IP-based virtual connections.
Packets routed between tunnel endpoints wrapped by IETF
defined headers that provide message integrity and
confidentiality.
 Secure Shell – to forward any application protocol over an
authenticated and encrypted client-server connection
 Secure Sockets Layer – to secure application protocol’s
transaction over network

2-b

LAYER-2 TUNNELS

LAYER-2 – THE MOST COMMONLY USED TUNNELING PROTOCOLS
 PPTP – one of the first protocols, designed by Microsoft
- widely deployed since included with NT,95,98
- builds on functionality of PPP, encapsulates PPP by using the
GRE (generic routing encapsulation) protocol, and, as a layer-2
protocol, handles other than IP traffic (IPX, NetBEUI)
- supports authentication for dial-in user (PAP or CHAP)
 L2F – developed in the early stages of VPN by CISCO Systems
- can use other media (ATM, frame-relay) and its tunnels can
support more than one connection
- support for more authentication systems (RADIUS, TACACS+)
 L2FT – being designed by IETF, as the heir apparent to PPTP and
L2F, with support for various authentication systems and transport
media

2-c

LAYER-3 TUNNELS

All of the layer-2 systems provide some level of encryption of
the encapsulated data. To achieve a total protection, they call
for Layer-3 protocols
to strengthen the encryption,
confidentiality and message integrity.
IPsec – THE BEST VPN SOLUTION FOR IP ENVIRONMENTS
- Multivendor and supported by all major OSs
- Scalable (designed with large enterprises in mind)
- General solution – protects any protocol running above IP
and any medium running below
- Designed to secure IP links between machines – cannot
provide the same end-to-end (user-to-user) security as
systems working at the upper levels (i.e. PGP)
- IPsec gateways can be installed whereever they are required
- on firewalls, routers or servers

2-c

LAYER-3 TUNNELS

A list of ICSA Labs certified IPsec products: www.icsalabs.com
THE CORE PROTOCOLS OF IPsec
 ESP (Encapsulating Security Payload) – encrypts and/or
authenticates data
 AH (Authentication Header) – provides a packet authentication
service
 IKE (Internet Key Exchange) – negotiates connection parameters
including keys
IPsec vs. NAT – an interesting complication

Any attempt to perform NAT operations on IPsec packets between
the IPsec gateways creates a basic conflict. In the following
scenario, guest’s VPN client will try to access its VPN server.

2-c

- IPsec wants to authenticate packets and ensure they are
unaltered on a gateway-to-gateway basis
- NAT rewrites packet headers as they go by
- IPsec authentication fails if packets are rewritten anywhere
between the gateways

2-c

LAYER-3 TUNNELS

An example of GUI router configuration of IPsec:

2-c

Configure IKE

Advanced IKE

2-c

LAYER-3 TUNNELS

To protect the contents of an IP datagram, the data is transformed
using cryptography. Two main transformation types form the
building blocks of IPSec, the AH transformation, and the ESP
transformation. AH and ESP can be used in two modes, transport
and tunnel. AH and ESP can also be combined. The transformations
are configured in a data structure called a security association (SA).

2-d

UPPER-LAYER SYSTEMS

Secure Sockets Layer (SSL)
- developed by Netscape and RSA (public-private key encryption)
to transmit private documents via the Internet
- uses a program layer located between HTTP and TCP layers to
secure transmission
- handles the encryption part of a secure HTTP transaction, a
Digital Certificate is necessary to provide server authentication
Whereas SSL creates a secure connection between a client and a
server, over which any amount of data can be sent securely,
S-HTTP was designed to transmit individual messages securely.
SSL evolved in TLS (Transport Layer Security) – IETF standard
- SSL and TSL clients are integral part of several Web browsers
- TLS Record Protocol provides encrypted connection
- TLS Handshake Protocol allows the server and client to
authenticate each other and to negotiate an encryption algorithm
and cryptographic keys before data is exchanged.

2-d

UPPER-LAYER SYSTEMS

An example of authentication via self-issued Digital Certificate:

2-d

After
authentication
and login,
I can control my
firewall logs
from anywhere…

UPPER-LAYER SYSTEMS

2-d

UPPER-LAYER SYSTEMS

… and finally, perhaps to run a few useful commands thanks to SSH

2-d

UPPER-LAYER SYSTEMS

Secure Shell (SSH)
- developed by SSH Communications Security Ltd. to log into
another computer over a network, to execute commands in a
remote machine, and to move files from one machine to another
- provides strong authentication and encryption over insecure
channels
-an inexpensive method of providing trusted users with secure
remote access to a single application, but requires installing SSH
client software
SSH2 – a powerful protocol suite developed by IETF
SSHD2 (Secure Shell Deamon) – server for SSH2
SCP2 (Secure Copy) - to copy files over the network securely
SFTP2 - ftp-like client used for secure file transfer
 APPLICATION LAYER SECURITY TECHNIQUES (i.e. TLS & SSH)
THAT DO NOT MAKE USE OF OR DEPEND ON IP ADDRESSES
WILL WORK CORRECLTY IN THE PRESENCE OF NAT

2-d

UPPER-LAYER SYSTEMS

E-mail-protection systems: S/MIME and OpenPGP

3-a

CISCO ENTERPRISE SOLUTION

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

2-d

VPN FUTURE

-integration of multimedia and VoIP - the focus falling on
delivery of quality of service (QoS) and class of service
(CoS) over IP networks as part of a VPN
- voice and data services merging into one (voice over IP, IP
fax), and new network services being developed to offer the
QoS/CoS required for data, telephony and fax - all
communication devices becoming IP addressable - providing
voice, fax, video and data to the desktop – using VPN security
protocol
- name servers becoming very useful for configuring and
reconfiguring VPNs - work being in progress to extend the use
of DNS servers to provide a secure (IP Security-based)
mechanism for routers to find peer routers and for clients to
find servers

3-b

www.networkmagazine.com
www.cisco.com
www.sans.org
www.freeswan.org
www.iec.org

Petr Sklenar
[email protected]

RESOURCES


Slide 20

A Quick Trip
Through VPN

The purpose of this presentation is to define VPNs in general, to
briefly describe some technologies used in VPNs, and to introduce
major industry vendors together with the VPN solution of CISCO
Systems

Sklenar Petr, 2-20-2003

CONTENT

1-a VPN Definitions
1-b VPN Segmented
1-c VPN Market
2–a
2-b
2-c
2-d

Technology Overview
Layer-2 Tunnels
Layer-3 Tunnels
Upper-Layer Systems

3–a CISCO Enterprise Solution
3-b VPN Future
3-c Resources

1-a

VPN DEFINITIONS

VPNs combine two concepts:
–virtual networks in which geographically or
topographically distributed users and computers
interact and are managed as a single (flat)
network
- private networks in which data is protected from
eavesdropping and the identities of users and
nodes on the network are trusted
VPNs - an alternative to WAN infrastructure:
- deployed on a shared infrastructure employ the
same security and management as applied in
private networks
- can utilize the most pervasive transport
technologies of today (the public Internet, ISPs
IP backbones, service providers ATM and Frame
Relay networks)
- cost effective, flexible (no need to pay for leased
lines, extendable to “everywhere”)

1-a

VPN DEFINITIONS

VPNs based on IP tunnels:
- Encapsulate a data packet within a normal IP
packet for forwarding over an IP-based network.
The encapsulated packet does not need to be IP,
and could, in fact, be any protocol such as IPX,
AppleTalk, SNA or DECnet.
- The encapsulated packet does not need to be
encrypted and authenticated; however, with most
IP based VPNs, especially those running over the
public Internet, encryption is used to ensure
privacy and authentication to ensure integrity of
data.
- Mainly self-deployed; users buy connections from
an ISP and install VPN equipment which they
configure and manage themselves, relying on the
ISP only for the physical connections.

1-a

VPN DEFINITIONS

VPNs based on ISDN, Frame Relay or ATM
- Very different from VPNs based on IP tunnels.
- Use public switched data network services and
use ISDN B channels, PVCs, or SVCs to separate
traffic from other users. Single or multiple B
channels, PVCs, or SVCs may be used between
sites with additional features such as backup and
bandwidth on demand.
- Data packets do not need to be IP, nor do they
need to be encrypted. Due to more wide-spread
awareness about security issue, many users now
choose to encrypt their data.

1-b

VPN SEGMENTED

VPNs ARE SEGMENTED INTO THREE CATEGORIES:
- Remote access
- Intranets
- Extranets

1-b

VPN SEGMENTED

Remote access

- Connects telecommuters, mobile users, smaller
remote offices to the enterprise LAN with minimal
traffic to the corporate computing resources.

1-b

VPN SEGMENTED

Site-to-Site services (Intranets)

- Connect fixed locations, branch offices, and home
offices, within an enterprise WAN.
- VPN services offered to entire LAN / WAN or just
to selected set of authorized hosts.

1-b

VPN SEGMENTED

Business-to-Business services (Extranets)
- Extend limited access of enterprise computing
resources to business partners, such as suppliers
or customers, enabling access to shared
information.
- Use both topologies – Site-to-Site and Remote
Access.

According to research and consulting companies
and to real-time observations, 100 percent of
enterprises are expected to supplement their
WAN infrastructures with VPNs in relatively short
time.

1-c

VPN MARKET

- The tech market is bursting at the seams with HW based
VPNs, and vendors are filling out product lines to target
the smallest of SOHOs all the way to the world’s largest
companies. The result is a dizzying number of choices
from a dizzying number of competitor’s.
- The VPN market hit approximately $1.4 billion in 2001.
Currently, four vendors are carving the lion’s share of the
market:

Check Point (www.checkpoint.com)
Nortel Networks (www.nortelnetworks.com)
NetScreen Technologies (www.netscreen.com)
Cisco Systems (www.cisco.com)

1-c

VPN MARKET

WHY CISCO VPNs?

- One-stop shop for problem solutions – encompass all
segments of the networking infrastructure – platforms,
security, network services and appliances, and management.
- Relatively an easy upgrade of the existing CISCO
infrastructure - a smooth migration path to a VPN
environment by installing VPN modules.
- Low-cost options offered with expanding the product line of
PIX firewall / VPN appliances to target small enterprises and
remote offices.
- Acceptance and development of IPSec – the next generation
network layer crypto platform for Cisco’s security platforms.

2-a

TECHNOLOGY OVERVIEW

THE MOST COMMON VPN TECHNOLOGIES

 Layer-2 tunnels – carry point-to-point data link (PPP)
connections between tunnel endpoints in remote access
VPNs.
- Compulsory mode
- Voluntary mode

 Layer-3 tunnels – provide IP-based virtual connections.
Packets routed between tunnel endpoints wrapped by IETF
defined headers that provide message integrity and
confidentiality.
 Secure Shell – to forward any application protocol over an
authenticated and encrypted client-server connection
 Secure Sockets Layer – to secure application protocol’s
transaction over network

2-b

LAYER-2 TUNNELS

LAYER-2 – THE MOST COMMONLY USED TUNNELING PROTOCOLS
 PPTP – one of the first protocols, designed by Microsoft
- widely deployed since included with NT,95,98
- builds on functionality of PPP, encapsulates PPP by using the
GRE (generic routing encapsulation) protocol, and, as a layer-2
protocol, handles other than IP traffic (IPX, NetBEUI)
- supports authentication for dial-in user (PAP or CHAP)
 L2F – developed in the early stages of VPN by CISCO Systems
- can use other media (ATM, frame-relay) and its tunnels can
support more than one connection
- support for more authentication systems (RADIUS, TACACS+)
 L2FT – being designed by IETF, as the heir apparent to PPTP and
L2F, with support for various authentication systems and transport
media

2-c

LAYER-3 TUNNELS

All of the layer-2 systems provide some level of encryption of
the encapsulated data. To achieve a total protection, they call
for Layer-3 protocols
to strengthen the encryption,
confidentiality and message integrity.
IPsec – THE BEST VPN SOLUTION FOR IP ENVIRONMENTS
- Multivendor and supported by all major OSs
- Scalable (designed with large enterprises in mind)
- General solution – protects any protocol running above IP
and any medium running below
- Designed to secure IP links between machines – cannot
provide the same end-to-end (user-to-user) security as
systems working at the upper levels (i.e. PGP)
- IPsec gateways can be installed whereever they are required
- on firewalls, routers or servers

2-c

LAYER-3 TUNNELS

A list of ICSA Labs certified IPsec products: www.icsalabs.com
THE CORE PROTOCOLS OF IPsec
 ESP (Encapsulating Security Payload) – encrypts and/or
authenticates data
 AH (Authentication Header) – provides a packet authentication
service
 IKE (Internet Key Exchange) – negotiates connection parameters
including keys
IPsec vs. NAT – an interesting complication

Any attempt to perform NAT operations on IPsec packets between
the IPsec gateways creates a basic conflict. In the following
scenario, guest’s VPN client will try to access its VPN server.

2-c

- IPsec wants to authenticate packets and ensure they are
unaltered on a gateway-to-gateway basis
- NAT rewrites packet headers as they go by
- IPsec authentication fails if packets are rewritten anywhere
between the gateways

2-c

LAYER-3 TUNNELS

An example of GUI router configuration of IPsec:

2-c

Configure IKE

Advanced IKE

2-c

LAYER-3 TUNNELS

To protect the contents of an IP datagram, the data is transformed
using cryptography. Two main transformation types form the
building blocks of IPSec, the AH transformation, and the ESP
transformation. AH and ESP can be used in two modes, transport
and tunnel. AH and ESP can also be combined. The transformations
are configured in a data structure called a security association (SA).

2-d

UPPER-LAYER SYSTEMS

Secure Sockets Layer (SSL)
- developed by Netscape and RSA (public-private key encryption)
to transmit private documents via the Internet
- uses a program layer located between HTTP and TCP layers to
secure transmission
- handles the encryption part of a secure HTTP transaction, a
Digital Certificate is necessary to provide server authentication
Whereas SSL creates a secure connection between a client and a
server, over which any amount of data can be sent securely,
S-HTTP was designed to transmit individual messages securely.
SSL evolved in TLS (Transport Layer Security) – IETF standard
- SSL and TSL clients are integral part of several Web browsers
- TLS Record Protocol provides encrypted connection
- TLS Handshake Protocol allows the server and client to
authenticate each other and to negotiate an encryption algorithm
and cryptographic keys before data is exchanged.

2-d

UPPER-LAYER SYSTEMS

An example of authentication via self-issued Digital Certificate:

2-d

After
authentication
and login,
I can control my
firewall logs
from anywhere…

UPPER-LAYER SYSTEMS

2-d

UPPER-LAYER SYSTEMS

… and finally, perhaps to run a few useful commands thanks to SSH

2-d

UPPER-LAYER SYSTEMS

Secure Shell (SSH)
- developed by SSH Communications Security Ltd. to log into
another computer over a network, to execute commands in a
remote machine, and to move files from one machine to another
- provides strong authentication and encryption over insecure
channels
-an inexpensive method of providing trusted users with secure
remote access to a single application, but requires installing SSH
client software
SSH2 – a powerful protocol suite developed by IETF
SSHD2 (Secure Shell Deamon) – server for SSH2
SCP2 (Secure Copy) - to copy files over the network securely
SFTP2 - ftp-like client used for secure file transfer
 APPLICATION LAYER SECURITY TECHNIQUES (i.e. TLS & SSH)
THAT DO NOT MAKE USE OF OR DEPEND ON IP ADDRESSES
WILL WORK CORRECLTY IN THE PRESENCE OF NAT

2-d

UPPER-LAYER SYSTEMS

E-mail-protection systems: S/MIME and OpenPGP

3-a

CISCO ENTERPRISE SOLUTION

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

2-d

VPN FUTURE

-integration of multimedia and VoIP - the focus falling on
delivery of quality of service (QoS) and class of service
(CoS) over IP networks as part of a VPN
- voice and data services merging into one (voice over IP, IP
fax), and new network services being developed to offer the
QoS/CoS required for data, telephony and fax - all
communication devices becoming IP addressable - providing
voice, fax, video and data to the desktop – using VPN security
protocol
- name servers becoming very useful for configuring and
reconfiguring VPNs - work being in progress to extend the use
of DNS servers to provide a secure (IP Security-based)
mechanism for routers to find peer routers and for clients to
find servers

3-b

www.networkmagazine.com
www.cisco.com
www.sans.org
www.freeswan.org
www.iec.org

Petr Sklenar
[email protected]

RESOURCES


Slide 21

A Quick Trip
Through VPN

The purpose of this presentation is to define VPNs in general, to
briefly describe some technologies used in VPNs, and to introduce
major industry vendors together with the VPN solution of CISCO
Systems

Sklenar Petr, 2-20-2003

CONTENT

1-a VPN Definitions
1-b VPN Segmented
1-c VPN Market
2–a
2-b
2-c
2-d

Technology Overview
Layer-2 Tunnels
Layer-3 Tunnels
Upper-Layer Systems

3–a CISCO Enterprise Solution
3-b VPN Future
3-c Resources

1-a

VPN DEFINITIONS

VPNs combine two concepts:
–virtual networks in which geographically or
topographically distributed users and computers
interact and are managed as a single (flat)
network
- private networks in which data is protected from
eavesdropping and the identities of users and
nodes on the network are trusted
VPNs - an alternative to WAN infrastructure:
- deployed on a shared infrastructure employ the
same security and management as applied in
private networks
- can utilize the most pervasive transport
technologies of today (the public Internet, ISPs
IP backbones, service providers ATM and Frame
Relay networks)
- cost effective, flexible (no need to pay for leased
lines, extendable to “everywhere”)

1-a

VPN DEFINITIONS

VPNs based on IP tunnels:
- Encapsulate a data packet within a normal IP
packet for forwarding over an IP-based network.
The encapsulated packet does not need to be IP,
and could, in fact, be any protocol such as IPX,
AppleTalk, SNA or DECnet.
- The encapsulated packet does not need to be
encrypted and authenticated; however, with most
IP based VPNs, especially those running over the
public Internet, encryption is used to ensure
privacy and authentication to ensure integrity of
data.
- Mainly self-deployed; users buy connections from
an ISP and install VPN equipment which they
configure and manage themselves, relying on the
ISP only for the physical connections.

1-a

VPN DEFINITIONS

VPNs based on ISDN, Frame Relay or ATM
- Very different from VPNs based on IP tunnels.
- Use public switched data network services and
use ISDN B channels, PVCs, or SVCs to separate
traffic from other users. Single or multiple B
channels, PVCs, or SVCs may be used between
sites with additional features such as backup and
bandwidth on demand.
- Data packets do not need to be IP, nor do they
need to be encrypted. Due to more wide-spread
awareness about security issue, many users now
choose to encrypt their data.

1-b

VPN SEGMENTED

VPNs ARE SEGMENTED INTO THREE CATEGORIES:
- Remote access
- Intranets
- Extranets

1-b

VPN SEGMENTED

Remote access

- Connects telecommuters, mobile users, smaller
remote offices to the enterprise LAN with minimal
traffic to the corporate computing resources.

1-b

VPN SEGMENTED

Site-to-Site services (Intranets)

- Connect fixed locations, branch offices, and home
offices, within an enterprise WAN.
- VPN services offered to entire LAN / WAN or just
to selected set of authorized hosts.

1-b

VPN SEGMENTED

Business-to-Business services (Extranets)
- Extend limited access of enterprise computing
resources to business partners, such as suppliers
or customers, enabling access to shared
information.
- Use both topologies – Site-to-Site and Remote
Access.

According to research and consulting companies
and to real-time observations, 100 percent of
enterprises are expected to supplement their
WAN infrastructures with VPNs in a relatively short
time.

1-c

VPN MARKET

- The tech market is bursting at the seams with HW-based
VPNs, and vendors are filling out product lines to target
the smallest of SOHOs all the way to the world’s largest
companies. The result is a dizzying number of choices
from a dizzying number of competitors.
- The VPN market hit approximately $1.4 billion in 2001.
Currently, four vendors are carving out the lion’s share of the
market:

Check Point (www.checkpoint.com)
Nortel Networks (www.nortelnetworks.com)
NetScreen Technologies (www.netscreen.com)
Cisco Systems (www.cisco.com)

1-c

VPN MARKET

WHY CISCO VPNs?

- One-stop shop for problem solutions – encompasses all
segments of the networking infrastructure – platforms,
security, network services and appliances, and management.
- A relatively easy upgrade of the existing CISCO
infrastructure - a smooth migration path to a VPN
environment by installing VPN modules.
- Low-cost options offered by expanding the product line of
PIX firewall / VPN appliances to target small enterprises and
remote offices.
- Acceptance and development of IPsec – the next-generation
network layer crypto platform for Cisco’s security platforms.

2-a

TECHNOLOGY OVERVIEW

THE MOST COMMON VPN TECHNOLOGIES

- Layer-2 tunnels – carry point-to-point data link (PPP)
connections between tunnel endpoints in remote access
VPNs.
  - Compulsory mode
  - Voluntary mode

- Layer-3 tunnels – provide IP-based virtual connections.
Packets routed between tunnel endpoints are wrapped in
IETF-defined headers that provide message integrity and
confidentiality.
- Secure Shell – forwards any application protocol over an
authenticated and encrypted client-server connection
- Secure Sockets Layer – secures an application protocol’s
transactions over the network

2-b

LAYER-2 TUNNELS

LAYER-2 – THE MOST COMMONLY USED TUNNELING PROTOCOLS
- PPTP – one of the first protocols, designed by Microsoft
  - widely deployed since it is included with NT, 95 and 98
  - builds on the functionality of PPP, encapsulates PPP using the
  GRE (Generic Routing Encapsulation) protocol and, as a layer-2
  protocol, handles traffic other than IP (IPX, NetBEUI)
  - supports authentication for dial-in users (PAP or CHAP)
- L2F – developed in the early stages of VPN by CISCO Systems
  - can use other media (ATM, Frame Relay) and its tunnels can
  support more than one connection
  - supports more authentication systems (RADIUS, TACACS+)
- L2TP – being designed by the IETF as the heir apparent to PPTP and
L2F, with support for various authentication systems and transport
media

2-c

LAYER-3 TUNNELS

All of the layer-2 systems provide some level of encryption of
the encapsulated data. To achieve total protection, they call
for Layer-3 protocols to strengthen the encryption,
confidentiality and message integrity.
IPsec – THE BEST VPN SOLUTION FOR IP ENVIRONMENTS
- Multivendor and supported by all major OSs
- Scalable (designed with large enterprises in mind)
- General solution – protects any protocol running above IP
over any medium running below
- Designed to secure IP links between machines – cannot
provide the same end-to-end (user-to-user) security as
systems working at the upper levels (e.g. PGP)
- IPsec gateways can be installed wherever they are required
- on firewalls, routers or servers

2-c

LAYER-3 TUNNELS

A list of ICSA Labs certified IPsec products: www.icsalabs.com
THE CORE PROTOCOLS OF IPsec
- ESP (Encapsulating Security Payload) – encrypts and/or
authenticates data
- AH (Authentication Header) – provides a packet authentication
service
- IKE (Internet Key Exchange) – negotiates connection parameters,
including keys
IPsec vs. NAT – an interesting complication

Any attempt to perform NAT operations on IPsec packets between
the IPsec gateways creates a basic conflict. In the following
scenario, the guest’s VPN client tries to access its VPN server.

2-c

- IPsec wants to authenticate packets and ensure they are
unaltered on a gateway-to-gateway basis
- NAT rewrites packet headers as they go by
- IPsec authentication fails if packets are rewritten anywhere
between the gateways

2-c

LAYER-3 TUNNELS

An example of GUI router configuration of IPsec:

2-c

[Screenshots: Configure IKE; Advanced IKE]

2-c

LAYER-3 TUNNELS

To protect the contents of an IP datagram, the data is transformed
using cryptography. Two main transformation types form the
building blocks of IPSec, the AH transformation, and the ESP
transformation. AH and ESP can be used in two modes, transport
and tunnel. AH and ESP can also be combined. The transformations
are configured in a data structure called a security association (SA).
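As an added example (not from the slides), this Python models AH in transport mode with a minimal SA: it computes the ICV over the immutable IP header fields plus the AH header and payload, then shows that a router decrementing TTL leaves the packet verifiable while a NAT rewriting the source address, the conflict described in the IPsec vs. NAT slide, makes authentication fail. Keys, addresses, the payload and the SA structure are constructed demo values, and HMAC-SHA1-96 is assumed as the integrity algorithm.

```python
"""AH (Authentication Header), transport mode: what the ICV covers and why NAT breaks it.

Teaching example, not code from the presentation. The packet layout follows the
AH format (next header, payload length, reserved, SPI, sequence number, ICV);
all keys, addresses and payload bytes below are constructed demo values.
"""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

IP_PROTO_AH = 51
IP_HDR_LEN = 20
ICV_LEN = 12                # HMAC-SHA1-96: first 96 bits of the HMAC
AH_LEN = 12 + ICV_LEN       # fixed AH fields (12 bytes) + ICV = 24 bytes
IP_FMT = "!BBHHHBBH4s4s"    # IPv4 header without options


@dataclass
class SecurityAssociation:
    """Minimal SA: the SPI selects it, the key authenticates its packets."""
    spi: int
    auth_key: bytes


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    # version=4, IHL=5 -> 0x45; identification and header checksum left at 0 for the demo
    return struct.pack(IP_FMT, 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """Fields a router may legitimately change in transit (TOS, flags/fragment
    offset, TTL, header checksum) are zeroed before the ICV is computed.
    Source and destination addresses are NOT mutable: the ICV covers them."""
    ver_ihl, _tos, total_len, ident, _flags, _ttl, proto, _csum, src, dst = struct.unpack(IP_FMT, ip_hdr)
    return struct.pack(IP_FMT, ver_ihl, 0, total_len, ident, 0, 0, proto, 0, src, dst)


def compute_icv(sa: SecurityAssociation, ip_hdr: bytes, ah_no_icv: bytes, payload: bytes) -> bytes:
    # Authenticated data: IP header (mutable fields zeroed) + AH with ICV field zeroed + payload
    authed = zero_mutable_fields(ip_hdr) + ah_no_icv + bytes(ICV_LEN) + payload
    return hmac.new(sa.auth_key, authed, hashlib.sha1).digest()[:ICV_LEN]


def ah_encapsulate(sa: SecurityAssociation, seq: int, src: str, dst: str,
                   inner_proto: int, payload: bytes) -> bytes:
    """Transport mode: IP | AH | original transport payload."""
    # AH payload length field = length of AH in 32-bit words minus 2
    ah_no_icv = struct.pack("!BBHII", inner_proto, AH_LEN // 4 - 2, 0, sa.spi, seq)
    ip_hdr = build_ipv4_header(src, dst, IP_PROTO_AH, IP_HDR_LEN + AH_LEN + len(payload))
    icv = compute_icv(sa, ip_hdr, ah_no_icv, payload)
    return ip_hdr + ah_no_icv + icv + payload


def ah_verify(sa: SecurityAssociation, packet: bytes) -> bool:
    """Receiving gateway: recompute the ICV and compare in constant time."""
    ip_hdr = packet[:IP_HDR_LEN]
    ah_no_icv = packet[IP_HDR_LEN:IP_HDR_LEN + 12]
    icv = packet[IP_HDR_LEN + 12:IP_HDR_LEN + AH_LEN]
    payload = packet[IP_HDR_LEN + AH_LEN:]
    spi = struct.unpack("!I", ah_no_icv[4:8])[0]
    if spi != sa.spi:           # packet does not belong to this SA
        return False
    return hmac.compare_digest(icv, compute_icv(sa, ip_hdr, ah_no_icv, payload))


def decrement_ttl(packet: bytes) -> bytes:
    """What every router on the path does; TTL is mutable, so AH tolerates it."""
    return packet[:8] + bytes([packet[8] - 1]) + packet[9:]


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """What a NAT device does: rewrites the source address in the outer header
    (a real NAT also fixes the header checksum, but that field is mutable anyway)."""
    return packet[:12] + ipaddress.IPv4Address(new_src).packed + packet[16:]


if __name__ == "__main__":
    sa = SecurityAssociation(spi=0x1000, auth_key=b"constructed-demo-key")
    pkt = ah_encapsulate(sa, 1, "10.0.0.5", "192.0.2.10", 17, b"constructed payload")
    print("original packet :", ah_verify(sa, pkt))
    print("after a TTL hop :", ah_verify(sa, decrement_ttl(pkt)))
    print("after NAT       :", ah_verify(sa, nat_rewrite_source(pkt, "203.0.113.7")))
```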

2-d

UPPER-LAYER SYSTEMS

Secure Sockets Layer (SSL)
- developed by Netscape and RSA (public/private key encryption)
to transmit private documents via the Internet
- uses a program layer located between the HTTP and TCP layers to
secure transmission
- handles the encryption part of a secure HTTP transaction; a
Digital Certificate is necessary to provide server authentication
Whereas SSL creates a secure connection between a client and a
server, over which any amount of data can be sent securely,
S-HTTP was designed to transmit individual messages securely.
SSL evolved into TLS (Transport Layer Security) – an IETF standard
- SSL and TLS clients are an integral part of several Web browsers
- the TLS Record Protocol provides the encrypted connection
- the TLS Handshake Protocol allows the server and client to
authenticate each other and to negotiate an encryption algorithm
and cryptographic keys before data is exchanged.

2-d

UPPER-LAYER SYSTEMS

An example of authentication via self-issued Digital Certificate:

2-d

After authentication and login, I can control my firewall logs from anywhere…

UPPER-LAYER SYSTEMS

2-d

UPPER-LAYER SYSTEMS

… and finally, perhaps to run a few useful commands thanks to SSH

2-d

UPPER-LAYER SYSTEMS

Secure Shell (SSH)
- developed by SSH Communications Security Ltd. to log into
another computer over a network, to execute commands on a
remote machine, and to move files from one machine to another
- provides strong authentication and encryption over insecure
channels
- an inexpensive method of providing trusted users with secure
remote access to a single application, but requires installing SSH
client software
SSH2 – a powerful protocol suite developed by the IETF
SSHD2 (Secure Shell Daemon) – server for SSH2
SCP2 (Secure Copy) - copies files over the network securely
SFTP2 - ftp-like client used for secure file transfer
- APPLICATION LAYER SECURITY TECHNIQUES (e.g. TLS & SSH)
THAT DO NOT MAKE USE OF OR DEPEND ON IP ADDRESSES
WILL WORK CORRECTLY IN THE PRESENCE OF NAT

2-d

UPPER-LAYER SYSTEMS

E-mail-protection systems: S/MIME and OpenPGP

3-a

CISCO ENTERPRISE SOLUTION

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

3-b

VPN FUTURE

- integration of multimedia and VoIP - the focus falling on
delivery of quality of service (QoS) and class of service
(CoS) over IP networks as part of a VPN
- voice and data services merging into one (voice over IP, IP
fax), and new network services being developed to offer the
QoS/CoS required for data, telephony and fax - all
communication devices becoming IP addressable, providing
voice, fax, video and data to the desktop using a VPN security
protocol
- name servers becoming very useful for configuring and
reconfiguring VPNs - work is in progress to extend the use
of DNS servers to provide a secure (IP Security-based)
mechanism for routers to find peer routers and for clients to
find servers

3-c

RESOURCES

www.networkmagazine.com
www.cisco.com
www.sans.org
www.freeswan.org
www.iec.org

Petr Sklenar
[email protected]


Slide 24

A Quick Trip
Through VPN

The purpose of this presentation is to define VPNs in general, to
briefly describe some technologies used in VPNs, and to introduce
major industry vendors together with the VPN solution of CISCO
Systems

Sklenar Petr, 2-20-2003

CONTENT

1-a VPN Definitions
1-b VPN Segmented
1-c VPN Market
2–a
2-b
2-c
2-d

Technology Overview
Layer-2 Tunnels
Layer-3 Tunnels
Upper-Layer Systems

3–a CISCO Enterprise Solution
3-b VPN Future
3-c Resources

1-a

VPN DEFINITIONS

VPNs combine two concepts:
–virtual networks in which geographically or
topographically distributed users and computers
interact and are managed as a single (flat)
network
- private networks in which data is protected from
eavesdropping and the identities of users and
nodes on the network are trusted
VPNs - an alternative to WAN infrastructure:
- deployed on a shared infrastructure employ the
same security and management as applied in
private networks
- can utilize the most pervasive transport
technologies of today (the public Internet, ISPs
IP backbones, service providers ATM and Frame
Relay networks)
- cost effective, flexible (no need to pay for leased
lines, extendable to “everywhere”)

1-a

VPN DEFINITIONS

VPNs based on IP tunnels:
- Encapsulate a data packet within a normal IP
packet for forwarding over an IP-based network.
The encapsulated packet does not need to be IP,
and could, in fact, be any protocol such as IPX,
AppleTalk, SNA or DECnet.
- The encapsulated packet does not need to be
encrypted and authenticated; however, with most
IP based VPNs, especially those running over the
public Internet, encryption is used to ensure
privacy and authentication to ensure integrity of
data.
- Mainly self-deployed; users buy connections from
an ISP and install VPN equipment which they
configure and manage themselves, relying on the
ISP only for the physical connections.

1-a

VPN DEFINITIONS

VPNs based on ISDN, Frame Relay or ATM
- Very different from VPNs based on IP tunnels.
- Use public switched data network services, with
ISDN B channels, PVCs or SVCs separating one
customer's traffic from other users'. Single or
multiple B channels, PVCs or SVCs may be used between
sites, with additional features such as backup and
bandwidth on demand.
- Data packets do not need to be IP, nor do they
need to be encrypted: the separation is logical and
enforced by the carrier, not cryptographic. With
wider awareness of security issues, many users now
choose to encrypt their data anyway.

1-b

VPN SEGMENTED

VPNs ARE SEGMENTED INTO THREE CATEGORIES:
- Remote access
- Intranets
- Extranets

1-b

VPN SEGMENTED

Remote access

- Connects telecommuters, mobile users and small
remote offices to the enterprise LAN; each such user
or site generates comparatively little traffic to
the corporate computing resources.

1-b

VPN SEGMENTED

Site-to-Site services (Intranets)

- Connect fixed locations, branch offices, and home
offices, within an enterprise WAN.
- VPN services offered to entire LAN / WAN or just
to selected set of authorized hosts.

1-b

VPN SEGMENTED

Business-to-Business services (Extranets)
- Extend limited access of enterprise computing
resources to business partners, such as suppliers
or customers, enabling access to shared
information.
- Use both topologies – Site-to-Site and Remote
Access.

According to research and consulting companies and
to real-world observation, 100 percent of enterprises
are expected to supplement their WAN infrastructures
with VPNs within a relatively short time.

1-c

VPN MARKET

- The tech market is bursting at the seams with HW-based
VPNs, and vendors are filling out product lines to target
everything from the smallest SOHO to the world's largest
companies. The result is a dizzying number of choices
from a dizzying number of competitors.
- The VPN market hit approximately $1.4 billion in 2001.
Currently, four vendors hold the lion's share of the
market:

Check Point (www.checkpoint.com)
Nortel Networks (www.nortelnetworks.com)
NetScreen Technologies (www.netscreen.com)
Cisco Systems (www.cisco.com)

1-c

VPN MARKET

WHY CISCO VPNs?

- One-stop shop: the product range covers all segments of
the networking infrastructure - platforms, security, network
services and appliances, and management.
- A relatively easy upgrade of an existing CISCO
infrastructure: a smooth migration path to a VPN
environment by installing VPN modules.
- Low-cost options, with the PIX firewall / VPN appliance
product line expanded to target small enterprises and
remote offices.
- Adoption and development of IPsec as the next-generation
network-layer crypto platform for Cisco's security products.

2-a

TECHNOLOGY OVERVIEW

THE MOST COMMON VPN TECHNOLOGIES

 Layer-2 tunnels - carry point-to-point data link (PPP)
connections between tunnel endpoints in remote access
VPNs.
- Compulsory mode: the tunnel is set up by the access
server (e.g. at the ISP) on the user's behalf; the
user's PPP session is tunnelled without the client
being aware of it
- Voluntary mode: the tunnel is set up by the client
itself, end to end from the user's machine to the
enterprise tunnel server

 Layer-3 tunnels - provide IP-based virtual connections.
Packets routed between tunnel endpoints are wrapped in
IETF-defined headers that provide message integrity and
confidentiality.
 Secure Shell - forwards any application protocol over an
authenticated and encrypted client-server connection
 Secure Sockets Layer - secures an application protocol's
transactions over the network

2-b

LAYER-2 TUNNELS

LAYER-2 - THE MOST COMMONLY USED TUNNELING PROTOCOLS
 PPTP - one of the first protocols, designed by Microsoft
- widely deployed since it is included with NT, 95 and 98
- builds on PPP, encapsulates PPP frames in GRE (Generic
Routing Encapsulation) and, as a layer-2 protocol, carries
non-IP traffic (IPX, NetBEUI) as well
- supports dial-in user authentication via PPP (PAP, CHAP or
MS-CHAP); its confidentiality comes from MPPE, whose keys are
derived from the MS-CHAP exchange, so the protection is only
as strong as the user's password and the MS-CHAP version used
 L2F - developed in the early days of VPN by CISCO Systems
- can use other media (ATM, Frame Relay) and its tunnels can
carry more than one connection
- supports more authentication systems (RADIUS, TACACS+)
 L2TP (Layer 2 Tunneling Protocol, RFC 2661) - standardized by
the IETF as the heir apparent to PPTP and L2F, with support for
various authentication systems and transport media; it provides
no encryption of its own and is normally run over IPsec

2-c

LAYER-3 TUNNELS

The layer-2 tunneling protocols provide at most weak
encryption of the encapsulated data (PPTP via MPPE) or
none at all (L2F, L2TP). For real protection they rely
on a layer-3 protocol, IPsec, to provide strong
encryption, confidentiality and message integrity.
IPsec - THE BEST VPN SOLUTION FOR IP ENVIRONMENTS
- Multivendor and supported by all major OSs
- Scalable (designed with large enterprises in mind)
- General solution - protects any protocol running above IP
over any medium running below
- Designed to secure IP links between machines - cannot
provide the same end-to-end (user-to-user) security as
systems working at the upper layers (e.g. PGP)
- IPsec gateways can be installed wherever they are required
- on firewalls, routers or servers

2-c

LAYER-3 TUNNELS

A list of ICSA Labs certified IPsec products: www.icsalabs.com
THE CORE PROTOCOLS OF IPsec
 ESP (Encapsulating Security Payload) - encrypts and/or
authenticates the payload
 AH (Authentication Header) - authenticates the packet,
including the non-mutable fields of the IP header
 IKE (Internet Key Exchange) - authenticates the peers and
negotiates connection parameters, including keys
IPsec vs. NAT - an interesting complication

Any attempt to perform NAT on IPsec packets between
the IPsec gateways creates a basic conflict. In the following
scenario (shown as a diagram in the slides), a guest's VPN
client behind a NAT device tries to reach its VPN server.

2-c

- IPsec wants to authenticate packets and ensure they are
unaltered on a gateway-to-gateway basis
- NAT rewrites packet headers as they go by
- IPsec authentication fails if packets are rewritten anywhere
between the gateways: AH's integrity check covers the IP
addresses themselves, so it always fails; ESP does not cover
the outer header, but in transport mode the TCP/UDP checksum
inside the encrypted payload still covers the original
addresses and NAT cannot fix it, and even in tunnel mode ESP
carries no port numbers for a port-translating NAT to track
- The practical workaround is NAT traversal: IKE detects the
NAT and the peers encapsulate ESP in UDP, so the NAT sees an
ordinary UDP flow

2-c

LAYER-3 TUNNELS

An example of GUI router configuration of IPsec (screenshots:
"Configure IKE" and "Advanced IKE" dialogs)

2-c

LAYER-3 TUNNELS

To protect the contents of an IP datagram, the data is transformed
using cryptography. Two main transformation types form the
building blocks of IPsec: the AH transformation and the ESP
transformation. AH and ESP can each be used in two modes, transport
(only the payload is protected; the original IP header is kept) and
tunnel (the whole original packet is protected and a new outer IP
header is added). AH and ESP can also be combined. The transformations,
together with the algorithms, keys and peer addresses they use, are
recorded in a data structure called a security association (SA).
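The NAT conflict discussed above and the transport/tunnel modes of this paragraph, as an added toy model (not code from the slides or from any vendor): it builds simplified AH and ESP packets with HMAC integrity checks, passes them through a NAT that rewrites the source address, and shows which checks fail at the receiver. The header layouts, the XOR "cipher", the keys and the addresses are constructed assumptions; real AH and ESP use the RFC 2402/2406 formats. The third scenario goes slightly beyond the text by showing that tunnel-mode ESP survives address rewriting cryptographically, which is why NAT traversal only has to solve the port-tracking problem.

```python
"""
Toy model of how NAT interacts with IPsec AH, ESP transport mode and
ESP tunnel mode.  Added example, not from the original slides.
Header layouts are simplified (assumption): a 10-byte IP-like header
(src, dst, proto, ttl), a 2-byte transport checksum, and 96-bit
HMAC-SHA1 ICVs.  The "cipher" is an XOR keystream stand-in, not secure.
"""
import hashlib
import hmac
import ipaddress
import struct

AUTH_KEY = b"constructed-demo-auth-key"  # constructed; real SAs get keys from IKE
ENC_KEY = b"constructed-demo-enc-key"


def ip_header(src, dst, proto, ttl=64):
    """Simplified IPv4-like header: src(4) dst(4) proto(1) ttl(1)."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack("!BB", proto, ttl))


def transport_segment(src, dst, data):
    """Toy TCP-like segment: checksum over a pseudo-header (src, dst) and data."""
    pseudo = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    return struct.pack("!H", sum(pseudo + data) & 0xFFFF) + data


def transport_checksum_ok(hdr, seg):
    """Receiver recomputes the checksum with the addresses in the header it sees."""
    return struct.unpack("!H", seg[:2])[0] == (sum(hdr[:8] + seg[2:]) & 0xFFFF)


def _icv(data):
    return hmac.new(AUTH_KEY, data, hashlib.sha1).digest()[:12]


def _xor_keystream(data):
    """Stand-in for ESP's cipher: XOR with a SHA-256 counter keystream (assumption)."""
    out = bytearray()
    for blk, i in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(ENC_KEY + struct.pack("!I", blk)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


# AH: ICV covers the immutable header fields (src, dst, proto; TTL zeroed) plus payload.
def ah_encapsulate(src, dst, payload):
    hdr = ip_header(src, dst, proto=51)
    return hdr + _icv(hdr[:9] + b"\x00" + payload) + payload


def ah_verify(pkt):
    hdr, icv, payload = pkt[:10], pkt[10:22], pkt[22:]
    return hmac.compare_digest(icv, _icv(hdr[:9] + b"\x00" + payload))


# ESP: ICV covers only the encrypted ESP payload, never the outer IP header.
def esp_encapsulate(src, dst, inner):
    ct = _xor_keystream(inner)
    return ip_header(src, dst, proto=50) + ct + _icv(ct)


def esp_decapsulate(pkt):
    """Returns (outer_header, plaintext) or None if the ICV check fails."""
    hdr, ct, icv = pkt[:10], pkt[10:-12], pkt[-12:]
    if not hmac.compare_digest(icv, _icv(ct)):
        return None
    return hdr, _xor_keystream(ct)


def nat_rewrite_src(pkt, new_src):
    """A NAT device on the path rewrites the outer source address."""
    return ipaddress.IPv4Address(new_src).packed + pkt[4:]


def run_scenarios():
    client, server, nat_public = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    data = b"GET / HTTP/1.0\r\n\r\n"  # constructed sample payload
    r = {}

    # 1. AH: NAT changes an address the ICV covers, so the receiver rejects it.
    ah = ah_encapsulate(client, server, data)
    r["ah_without_nat"] = ah_verify(ah)
    r["ah_after_nat"] = ah_verify(nat_rewrite_src(ah, nat_public))

    # 2. ESP transport mode: the ICV still verifies, but the transport checksum
    #    inside the ciphertext was computed over the original source address,
    #    which the NAT could neither see nor fix.
    seg = transport_segment(client, server, data)
    out = esp_decapsulate(nat_rewrite_src(esp_encapsulate(client, server, seg), nat_public))
    r["esp_transport_icv"] = out is not None
    r["esp_transport_checksum"] = out is not None and transport_checksum_ok(*out)

    # 3. ESP tunnel mode: the whole inner packet travels encrypted and unchanged,
    #    so both the ICV and the inner checksum verify after the outer rewrite.
    inner = ip_header(client, server, proto=6) + seg
    out = esp_decapsulate(nat_rewrite_src(esp_encapsulate(client, server, inner), nat_public))
    r["esp_tunnel_icv"] = out is not None
    r["esp_tunnel_checksum"] = out is not None and transport_checksum_ok(out[1][:10], out[1][10:])
    return r


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:24s} {'OK' if ok else 'FAIL'}")
```

Running the block prints one line per check; only the AH-after-NAT and ESP-transport-checksum cases fail, which matches the three bullet points above. In a real deployment the remaining obstacle for tunnel mode is that ESP has no port numbers for a port-translating NAT to multiplex on, which is what UDP encapsulation (NAT traversal) adds.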

2-d

UPPER-LAYER SYSTEMS

Secure Sockets Layer (SSL)
- developed by Netscape, using RSA public-key cryptography,
to transmit private documents via the Internet
- a layer located between the application protocol (HTTP) and
TCP, which secures the transmission
- handles the encryption part of a secure HTTP transaction;
a digital certificate is necessary to authenticate the server
Whereas SSL creates a secure connection between a client and a
server, over which any amount of data can be sent securely,
S-HTTP was designed to transmit individual messages securely.
SSL evolved into TLS (Transport Layer Security), an IETF standard
- SSL and TLS clients are an integral part of most Web browsers
- the TLS Record Protocol provides the encrypted connection
- the TLS Handshake Protocol allows the server and client to
authenticate each other and to negotiate an encryption algorithm
and cryptographic keys before data is exchanged; in practice only
the server is usually authenticated, and client authentication
by certificate is optional

2-d

UPPER-LAYER SYSTEMS

An example of authentication via a self-issued Digital Certificate
(screenshots):

After authentication and login, I can control my firewall logs
from anywhere…

… and finally, perhaps to run a few useful commands thanks to SSH

2-d

UPPER-LAYER SYSTEMS

Secure Shell (SSH)
- developed by SSH Communications Security Ltd. to log into
another computer over a network, execute commands on a
remote machine and move files from one machine to another
- provides strong authentication and encryption over insecure
channels
- an inexpensive way of giving trusted users secure remote
access to a single application (via port forwarding), but it
requires installing SSH client software
SSH2 - the second version of the protocol suite, standardized by the IETF
SSHD2 (Secure Shell Daemon) - server for SSH2
SCP2 (Secure Copy) - copies files over the network securely
SFTP2 - ftp-like client used for secure file transfer
 APPLICATION-LAYER SECURITY TECHNIQUES (e.g. TLS AND SSH)
THAT DO NOT MAKE USE OF OR DEPEND ON IP ADDRESSES
WORK CORRECTLY IN THE PRESENCE OF NAT

2-d

UPPER-LAYER SYSTEMS

E-mail-protection systems: S/MIME and OpenPGP

3-a

CISCO ENTERPRISE SOLUTION

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

3-b

VPN FUTURE

- integration of multimedia and VoIP, with the focus falling on
delivery of quality of service (QoS) and class of service
(CoS) over IP networks as part of a VPN
- voice and data services merging into one (voice over IP, IP
fax), with new network services being developed to offer the
QoS/CoS required for data, telephony and fax
- all communication devices becoming IP addressable, bringing
voice, fax, video and data to the desktop over VPN security
protocols
- name servers becoming very useful for configuring and
reconfiguring VPNs: work is in progress to extend DNS to provide
a secure (IPsec-based) mechanism for routers to find peer routers
and for clients to find servers

3-c

RESOURCES

www.networkmagazine.com
www.cisco.com
www.sans.org
www.freeswan.org
www.iec.org

Petr Sklenar
[email protected]


Slide 25

A Quick Trip
Through VPN

The purpose of this presentation is to define VPNs in general, to
briefly describe some technologies used in VPNs, and to introduce
major industry vendors together with the VPN solution of CISCO
Systems

Sklenar Petr, 2-20-2003

CONTENT

1-a VPN Definitions
1-b VPN Segmented
1-c VPN Market
2–a
2-b
2-c
2-d

Technology Overview
Layer-2 Tunnels
Layer-3 Tunnels
Upper-Layer Systems

3–a CISCO Enterprise Solution
3-b VPN Future
3-c Resources

1-a

VPN DEFINITIONS

VPNs combine two concepts:
–virtual networks in which geographically or
topographically distributed users and computers
interact and are managed as a single (flat)
network
- private networks in which data is protected from
eavesdropping and the identities of users and
nodes on the network are trusted
VPNs - an alternative to WAN infrastructure:
- deployed on a shared infrastructure employ the
same security and management as applied in
private networks
- can utilize the most pervasive transport
technologies of today (the public Internet, ISPs
IP backbones, service providers ATM and Frame
Relay networks)
- cost effective, flexible (no need to pay for leased
lines, extendable to “everywhere”)

1-a

VPN DEFINITIONS

VPNs based on IP tunnels:
- Encapsulate a data packet within a normal IP
packet for forwarding over an IP-based network.
The encapsulated packet does not need to be IP,
and could, in fact, be any protocol such as IPX,
AppleTalk, SNA or DECnet.
- The encapsulated packet does not need to be
encrypted and authenticated; however, with most
IP based VPNs, especially those running over the
public Internet, encryption is used to ensure
privacy and authentication to ensure integrity of
data.
- Mainly self-deployed; users buy connections from
an ISP and install VPN equipment which they
configure and manage themselves, relying on the
ISP only for the physical connections.

1-a

VPN DEFINITIONS

VPNs based on ISDN, Frame Relay or ATM
- Very different from VPNs based on IP tunnels.
- Use public switched data network services and
use ISDN B channels, PVCs, or SVCs to separate
traffic from other users. Single or multiple B
channels, PVCs, or SVCs may be used between
sites with additional features such as backup and
bandwidth on demand.
- Data packets do not need to be IP, nor do they
need to be encrypted. Due to more wide-spread
awareness about security issue, many users now
choose to encrypt their data.

1-b

VPN SEGMENTED

VPNs ARE SEGMENTED INTO THREE CATEGORIES:
- Remote access
- Intranets
- Extranets

1-b

VPN SEGMENTED

Remote access

- Connects telecommuters, mobile users, smaller
remote offices to the enterprise LAN with minimal
traffic to the corporate computing resources.

1-b

VPN SEGMENTED

Site-to-Site services (Intranets)

- Connect fixed locations, branch offices, and home
offices, within an enterprise WAN.
- VPN services offered to entire LAN / WAN or just
to selected set of authorized hosts.

1-b

VPN SEGMENTED

Business-to-Business services (Extranets)
- Extend limited access of enterprise computing
resources to business partners, such as suppliers
or customers, enabling access to shared
information.
- Use both topologies – Site-to-Site and Remote
Access.

According to research and consulting companies
and to real-time observations, 100 percent of
enterprises are expected to supplement their
WAN infrastructures with VPNs in relatively short
time.

1-c

VPN MARKET

- The tech market is bursting at the seams with HW based
VPNs, and vendors are filling out product lines to target
the smallest of SOHOs all the way to the world’s largest
companies. The result is a dizzying number of choices
from a dizzying number of competitor’s.
- The VPN market hit approximately $1.4 billion in 2001.
Currently, four vendors are carving the lion’s share of the
market:

Check Point (www.checkpoint.com)
Nortel Networks (www.nortelnetworks.com)
NetScreen Technologies (www.netscreen.com)
Cisco Systems (www.cisco.com)

1-c

VPN MARKET

WHY CISCO VPNs?

- One-stop shop for problem solutions – encompass all
segments of the networking infrastructure – platforms,
security, network services and appliances, and management.
- Relatively an easy upgrade of the existing CISCO
infrastructure - a smooth migration path to a VPN
environment by installing VPN modules.
- Low-cost options offered with expanding the product line of
PIX firewall / VPN appliances to target small enterprises and
remote offices.
- Acceptance and development of IPSec – the next generation
network layer crypto platform for Cisco’s security platforms.

2-a

TECHNOLOGY OVERVIEW

THE MOST COMMON VPN TECHNOLOGIES

 Layer-2 tunnels – carry point-to-point data link (PPP)
connections between tunnel endpoints in remote access
VPNs.
- Compulsory mode
- Voluntary mode

 Layer-3 tunnels – provide IP-based virtual connections.
Packets routed between tunnel endpoints wrapped by IETF
defined headers that provide message integrity and
confidentiality.
 Secure Shell – to forward any application protocol over an
authenticated and encrypted client-server connection
 Secure Sockets Layer – to secure application protocol’s
transaction over network

2-b

LAYER-2 TUNNELS

LAYER-2 – THE MOST COMMONLY USED TUNNELING PROTOCOLS
 PPTP – one of the first protocols, designed by Microsoft
- widely deployed since included with NT,95,98
- builds on functionality of PPP, encapsulates PPP by using the
GRE (generic routing encapsulation) protocol, and, as a layer-2
protocol, handles other than IP traffic (IPX, NetBEUI)
- supports authentication for dial-in user (PAP or CHAP)
 L2F – developed in the early stages of VPN by CISCO Systems
- can use other media (ATM, frame-relay) and its tunnels can
support more than one connection
- support for more authentication systems (RADIUS, TACACS+)
 L2FT – being designed by IETF, as the heir apparent to PPTP and
L2F, with support for various authentication systems and transport
media

2-c

LAYER-3 TUNNELS

All of the layer-2 systems provide some level of encryption of
the encapsulated data. To achieve a total protection, they call
for Layer-3 protocols
to strengthen the encryption,
confidentiality and message integrity.
IPsec – THE BEST VPN SOLUTION FOR IP ENVIRONMENTS
- Multivendor and supported by all major OSs
- Scalable (designed with large enterprises in mind)
- General solution – protects any protocol running above IP
and any medium running below
- Designed to secure IP links between machines – cannot
provide the same end-to-end (user-to-user) security as
systems working at the upper levels (i.e. PGP)
- IPsec gateways can be installed whereever they are required
- on firewalls, routers or servers

2-c

LAYER-3 TUNNELS

A list of ICSA Labs certified IPsec products: www.icsalabs.com
THE CORE PROTOCOLS OF IPsec
 ESP (Encapsulating Security Payload) – encrypts and/or
authenticates data
 AH (Authentication Header) – provides a packet authentication
service
 IKE (Internet Key Exchange) – negotiates connection parameters
including keys
IPsec vs. NAT – an interesting complication

Any attempt to perform NAT operations on IPsec packets between
the IPsec gateways creates a basic conflict. In the following
scenario, guest’s VPN client will try to access its VPN server.

2-c

- IPsec wants to authenticate packets and ensure they are
unaltered on a gateway-to-gateway basis
- NAT rewrites packet headers as they go by
- IPsec authentication fails if packets are rewritten anywhere
between the gateways

2-c

LAYER-3 TUNNELS

An example of GUI router configuration of IPsec:

2-c

Configure IKE

Advanced IKE

2-c

LAYER-3 TUNNELS

To protect the contents of an IP datagram, the data is transformed
using cryptography. Two main transformation types form the
building blocks of IPSec, the AH transformation, and the ESP
transformation. AH and ESP can be used in two modes, transport
and tunnel. AH and ESP can also be combined. The transformations
are configured in a data structure called a security association (SA).

2-d

UPPER-LAYER SYSTEMS

Secure Sockets Layer (SSL)
- developed by Netscape and RSA (public-private key encryption)
to transmit private documents via the Internet
- uses a program layer located between HTTP and TCP layers to
secure transmission
- handles the encryption part of a secure HTTP transaction, a
Digital Certificate is necessary to provide server authentication
Whereas SSL creates a secure connection between a client and a
server, over which any amount of data can be sent securely,
S-HTTP was designed to transmit individual messages securely.
SSL evolved in TLS (Transport Layer Security) – IETF standard
- SSL and TSL clients are integral part of several Web browsers
- TLS Record Protocol provides encrypted connection
- TLS Handshake Protocol allows the server and client to
authenticate each other and to negotiate an encryption algorithm
and cryptographic keys before data is exchanged.

2-d

UPPER-LAYER SYSTEMS

An example of authentication via self-issued Digital Certificate:

2-d

After
authentication
and login,
I can control my
firewall logs
from anywhere…

UPPER-LAYER SYSTEMS

2-d

UPPER-LAYER SYSTEMS

… and finally, perhaps to run a few useful commands thanks to SSH

2-d

UPPER-LAYER SYSTEMS

Secure Shell (SSH)
- developed by SSH Communications Security Ltd. to log into
another computer over a network, to execute commands in a
remote machine, and to move files from one machine to another
- provides strong authentication and encryption over insecure
channels
-an inexpensive method of providing trusted users with secure
remote access to a single application, but requires installing SSH
client software
SSH2 – a powerful protocol suite developed by IETF
SSHD2 (Secure Shell Deamon) – server for SSH2
SCP2 (Secure Copy) - to copy files over the network securely
SFTP2 - ftp-like client used for secure file transfer
 APPLICATION LAYER SECURITY TECHNIQUES (i.e. TLS & SSH)
THAT DO NOT MAKE USE OF OR DEPEND ON IP ADDRESSES
WILL WORK CORRECLTY IN THE PRESENCE OF NAT

2-d

UPPER-LAYER SYSTEMS

E-mail-protection systems: S/MIME and OpenPGP

3-a

CISCO ENTERPRISE SOLUTION

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

2-d

VPN FUTURE

-integration of multimedia and VoIP - the focus falling on
delivery of quality of service (QoS) and class of service
(CoS) over IP networks as part of a VPN
- voice and data services merging into one (voice over IP, IP
fax), and new network services being developed to offer the
QoS/CoS required for data, telephony and fax - all
communication devices becoming IP addressable - providing
voice, fax, video and data to the desktop – using VPN security
protocol
- name servers becoming very useful for configuring and
reconfiguring VPNs - work being in progress to extend the use
of DNS servers to provide a secure (IP Security-based)
mechanism for routers to find peer routers and for clients to
find servers

3-b

www.networkmagazine.com
www.cisco.com
www.sans.org
www.freeswan.org
www.iec.org

Petr Sklenar
[email protected]

RESOURCES


Slide 26

A Quick Trip
Through VPN

The purpose of this presentation is to define VPNs in general, to
briefly describe some technologies used in VPNs, and to introduce
major industry vendors together with the VPN solution of CISCO
Systems

Sklenar Petr, 2-20-2003

CONTENT

1-a VPN Definitions
1-b VPN Segmented
1-c VPN Market
2–a
2-b
2-c
2-d

Technology Overview
Layer-2 Tunnels
Layer-3 Tunnels
Upper-Layer Systems

3–a CISCO Enterprise Solution
3-b VPN Future
3-c Resources

1-a

VPN DEFINITIONS

VPNs combine two concepts:
–virtual networks in which geographically or
topographically distributed users and computers
interact and are managed as a single (flat)
network
- private networks in which data is protected from
eavesdropping and the identities of users and
nodes on the network are trusted
VPNs - an alternative to WAN infrastructure:
- deployed on a shared infrastructure employ the
same security and management as applied in
private networks
- can utilize the most pervasive transport
technologies of today (the public Internet, ISPs
IP backbones, service providers ATM and Frame
Relay networks)
- cost effective, flexible (no need to pay for leased
lines, extendable to “everywhere”)

1-a

VPN DEFINITIONS

VPNs based on IP tunnels:
- Encapsulate a data packet within a normal IP
packet for forwarding over an IP-based network.
The encapsulated packet does not need to be IP,
and could, in fact, be any protocol such as IPX,
AppleTalk, SNA or DECnet.
- The encapsulated packet does not need to be
encrypted and authenticated; however, with most
IP based VPNs, especially those running over the
public Internet, encryption is used to ensure
privacy and authentication to ensure integrity of
data.
- Mainly self-deployed; users buy connections from
an ISP and install VPN equipment which they
configure and manage themselves, relying on the
ISP only for the physical connections.

1-a

VPN DEFINITIONS

VPNs based on ISDN, Frame Relay or ATM
- Very different from VPNs based on IP tunnels.
- Use public switched data network services and
use ISDN B channels, PVCs, or SVCs to separate
traffic from other users. Single or multiple B
channels, PVCs, or SVCs may be used between
sites with additional features such as backup and
bandwidth on demand.
- Data packets do not need to be IP, nor do they
need to be encrypted. Due to more wide-spread
awareness about security issue, many users now
choose to encrypt their data.

1-b

VPN SEGMENTED

VPNs ARE SEGMENTED INTO THREE CATEGORIES:
- Remote access
- Intranets
- Extranets

1-b

VPN SEGMENTED

Remote access

- Connects telecommuters, mobile users, smaller
remote offices to the enterprise LAN with minimal
traffic to the corporate computing resources.

1-b

VPN SEGMENTED

Site-to-Site services (Intranets)

- Connect fixed locations, branch offices, and home
offices, within an enterprise WAN.
- VPN services offered to entire LAN / WAN or just
to selected set of authorized hosts.

1-b

VPN SEGMENTED

Business-to-Business services (Extranets)
- Extend limited access of enterprise computing
resources to business partners, such as suppliers
or customers, enabling access to shared
information.
- Use both topologies – Site-to-Site and Remote
Access.

According to research and consulting companies
and to real-time observations, 100 percent of
enterprises are expected to supplement their
WAN infrastructures with VPNs in relatively short
time.

1-c

VPN MARKET

- The tech market is bursting at the seams with HW based
VPNs, and vendors are filling out product lines to target
the smallest of SOHOs all the way to the world’s largest
companies. The result is a dizzying number of choices
from a dizzying number of competitor’s.
- The VPN market hit approximately $1.4 billion in 2001.
Currently, four vendors are carving the lion’s share of the
market:

Check Point (www.checkpoint.com)
Nortel Networks (www.nortelnetworks.com)
NetScreen Technologies (www.netscreen.com)
Cisco Systems (www.cisco.com)

1-c

VPN MARKET

WHY CISCO VPNs?

- One-stop shop for problem solutions – encompass all
segments of the networking infrastructure – platforms,
security, network services and appliances, and management.
- Relatively an easy upgrade of the existing CISCO
infrastructure - a smooth migration path to a VPN
environment by installing VPN modules.
- Low-cost options offered with expanding the product line of
PIX firewall / VPN appliances to target small enterprises and
remote offices.
- Acceptance and development of IPSec – the next generation
network layer crypto platform for Cisco’s security platforms.

2-a

TECHNOLOGY OVERVIEW

THE MOST COMMON VPN TECHNOLOGIES

 Layer-2 tunnels – carry point-to-point data link (PPP)
connections between tunnel endpoints in remote access
VPNs.
- Compulsory mode
- Voluntary mode

 Layer-3 tunnels – provide IP-based virtual connections.
Packets routed between tunnel endpoints wrapped by IETF
defined headers that provide message integrity and
confidentiality.
 Secure Shell – to forward any application protocol over an
authenticated and encrypted client-server connection
 Secure Sockets Layer – to secure application protocol’s
transaction over network

2-b

LAYER-2 TUNNELS

LAYER-2 – THE MOST COMMONLY USED TUNNELING PROTOCOLS
 PPTP – one of the first protocols, designed by Microsoft
- widely deployed since included with NT,95,98
- builds on functionality of PPP, encapsulates PPP by using the
GRE (generic routing encapsulation) protocol, and, as a layer-2
protocol, handles other than IP traffic (IPX, NetBEUI)
- supports authentication for dial-in user (PAP or CHAP)
 L2F – developed in the early stages of VPN by CISCO Systems
- can use other media (ATM, frame-relay) and its tunnels can
support more than one connection
- support for more authentication systems (RADIUS, TACACS+)
 L2FT – being designed by IETF, as the heir apparent to PPTP and
L2F, with support for various authentication systems and transport
media

2-c

LAYER-3 TUNNELS

All of the layer-2 systems provide some level of encryption of
the encapsulated data. To achieve a total protection, they call
for Layer-3 protocols
to strengthen the encryption,
confidentiality and message integrity.
IPsec – THE BEST VPN SOLUTION FOR IP ENVIRONMENTS
- Multivendor and supported by all major OSs
- Scalable (designed with large enterprises in mind)
- General solution – protects any protocol running above IP
and any medium running below
- Designed to secure IP links between machines – cannot
provide the same end-to-end (user-to-user) security as
systems working at the upper levels (i.e. PGP)
- IPsec gateways can be installed whereever they are required
- on firewalls, routers or servers

2-c

LAYER-3 TUNNELS

A list of ICSA Labs certified IPsec products: www.icsalabs.com
THE CORE PROTOCOLS OF IPsec
 ESP (Encapsulating Security Payload) – encrypts and/or
authenticates data
 AH (Authentication Header) – provides a packet authentication
service
 IKE (Internet Key Exchange) – negotiates connection parameters
including keys
IPsec vs. NAT – an interesting complication

Any attempt to perform NAT operations on IPsec packets between
the IPsec gateways creates a basic conflict. In the following
scenario, guest’s VPN client will try to access its VPN server.

2-c

- IPsec wants to authenticate packets and ensure they are
unaltered on a gateway-to-gateway basis
- NAT rewrites packet headers as they go by
- IPsec authentication fails if packets are rewritten anywhere
between the gateways

2-c

LAYER-3 TUNNELS

An example of GUI router configuration of IPsec:

2-c

Configure IKE

Advanced IKE

2-c

LAYER-3 TUNNELS

To protect the contents of an IP datagram, the data is transformed
using cryptography. Two main transformation types form the
building blocks of IPSec, the AH transformation, and the ESP
transformation. AH and ESP can be used in two modes, transport
and tunnel. AH and ESP can also be combined. The transformations
are configured in a data structure called a security association (SA).

2-d

UPPER-LAYER SYSTEMS

Secure Sockets Layer (SSL)
- developed by Netscape and RSA (public-private key encryption)
to transmit private documents via the Internet
- uses a program layer located between HTTP and TCP layers to
secure transmission
- handles the encryption part of a secure HTTP transaction, a
Digital Certificate is necessary to provide server authentication
Whereas SSL creates a secure connection between a client and a
server, over which any amount of data can be sent securely,
S-HTTP was designed to transmit individual messages securely.
SSL evolved in TLS (Transport Layer Security) – IETF standard
- SSL and TSL clients are integral part of several Web browsers
- TLS Record Protocol provides encrypted connection
- TLS Handshake Protocol allows the server and client to
authenticate each other and to negotiate an encryption algorithm
and cryptographic keys before data is exchanged.

2-d

UPPER-LAYER SYSTEMS

An example of authentication via self-issued Digital Certificate:

2-d

After
authentication
and login,
I can control my
firewall logs
from anywhere…

UPPER-LAYER SYSTEMS

2-d

UPPER-LAYER SYSTEMS

… and finally, perhaps to run a few useful commands thanks to SSH

2-d

UPPER-LAYER SYSTEMS

Secure Shell (SSH)
- developed by SSH Communications Security Ltd. to log into
another computer over a network, to execute commands in a
remote machine, and to move files from one machine to another
- provides strong authentication and encryption over insecure
channels
-an inexpensive method of providing trusted users with secure
remote access to a single application, but requires installing SSH
client software
SSH2 – a powerful protocol suite developed by IETF
SSHD2 (Secure Shell Deamon) – server for SSH2
SCP2 (Secure Copy) - to copy files over the network securely
SFTP2 - ftp-like client used for secure file transfer
 APPLICATION LAYER SECURITY TECHNIQUES (i.e. TLS & SSH)
THAT DO NOT MAKE USE OF OR DEPEND ON IP ADDRESSES
WILL WORK CORRECLTY IN THE PRESENCE OF NAT

2-d

UPPER-LAYER SYSTEMS

E-mail-protection systems: S/MIME and OpenPGP

3-a

CISCO ENTERPRISE SOLUTION

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

2-d

VPN FUTURE

-integration of multimedia and VoIP - the focus falling on
delivery of quality of service (QoS) and class of service
(CoS) over IP networks as part of a VPN
- voice and data services merging into one (voice over IP, IP
fax), and new network services being developed to offer the
QoS/CoS required for data, telephony and fax - all
communication devices becoming IP addressable - providing
voice, fax, video and data to the desktop – using VPN security
protocol
- name servers becoming very useful for configuring and
reconfiguring VPNs - work being in progress to extend the use
of DNS servers to provide a secure (IP Security-based)
mechanism for routers to find peer routers and for clients to
find servers

3-b

www.networkmagazine.com
www.cisco.com
www.sans.org
www.freeswan.org
www.iec.org

Petr Sklenar
[email protected]

RESOURCES



