Virtual Private Networking
Cmput 410 – Presentations
November 25, 2004

Outline
- Introduction
- Types of VPNs
- Tunneling
- Security
- Encryption
- Future of VPNs

Virtual Private Networking: Introduction

VPN - Definition
- A way to provide remote access to an organization's network
- Utilizes a public telecommunication infrastructure (e.g. the Internet)
- Various forms of security mechanisms are used to maintain privacy
VPNs - Why?
- Organizations need accurate and secure information
- Not all operations are done in the same office, or even the same country
- Need an affordable option

VPNs - History
- Originally, organizations with such a need used leased lines (some still do)
  - Very secure (the traffic never crosses a shared network, though the line itself does not encrypt anything)
  - Very expensive
  - Overhead to install
  - Maintenance
  - Costs increase with distance

VPNs - History
- VPNs offer a low-cost option
  - Use existing infrastructure (the Internet)
  - No or little cost increase with distance
  - Minimal overhead and maintenance expenses
- How about security?

VPNs - History
- Public precaution
  - Information is sent through various public hubs
  - Data can easily be extracted
  - Thus the use of various encryption and tunneling techniques to maintain privacy
VPNs - Basic Concepts
- Therefore, the basic idea of VPNs involves:
  - the secure packaging of packets
  - transmission through virtual tunnels
  - the emulation of being locally connected
- = an affordable and secure alternative to a leased line

VPNs - What They Do
- Allow clients, customers, organizations... to stay connected

VPNs - Common Functionalities
- Support for remote access to an intranet
- Support for connections between multiple intranets within the same organization
- Support for joining the networks of two organizations, forming an extranet

VPNs - Done the Right Way
- A well-designed VPN should provide:
  - Security
  - Reliability
  - Scalability
  - Network management
  - Policy management
Virtual Private Networking: Types of VPNs

Types of VPNs
- Site-to-Site VPN
  - Intranet-based VPN
  - Extranet-based VPN
- Remote Access VPN

Site-to-Site VPN
- Intranet: connects two office LANs securely and transparently across the Internet
- Extranet: connects two different companies' office LANs to allow secure sharing of data across the Internet

Site-to-Site VPN
- One-to-one connections
- Encrypted IP tunnel
- Advantages
- Disadvantages
Remote Access VPN
- Also called a Virtual Private Dial-Up Network (VPDN)
- Connects a remote user to an office LAN securely across the Internet
- Advantages
- Disadvantages

Virtual Private Networking: Tunneling

What is Tunneling?
- Mechanism for the transportation of network-specific packets over foreign networks
- [Diagram: Carrier | Encapsulation | Data]

VPN Tunneling Protocols
- Carrier: the protocol used by the network that the information travels over
- Encapsulation: the protocol (PPTP, GRE, IPSec, L2F, L2TP) that wraps the original data. Wrapping by itself is not encryption: GRE, L2F and L2TP carry the passenger in the clear, and confidentiality comes from IPSec (ESP) layered on top, or, in PPTP's case, from MPPE on the PPP link inside the tunnel
- Passenger: the original data (IPX, NetBEUI, IP) being carried
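The carrier / encapsulation / passenger layering from the tunneling slides, worked as actual bytes. This is an added example written for this page, not code from the presentation: it builds a passenger IPv4/UDP packet between two private addresses, wraps it in a GRE header and a public carrier IPv4 header, unwraps it again, and then checks the point the slide glosses over, that GRE wraps but does not hide anything. The GRE header layout follows RFC 2784/2890; every address (203.0.113.1, 198.51.100.1, 10.0.0.5, 10.1.0.7) and the payload are constructed, and IP checksums are left at zero for brevity.

```python
"""Constructed GRE tunnelling example (added for this page; not from the slides)."""
import socket
import struct

GRE_PROTO = 47            # IP protocol number for GRE (carrier header "protocol" field)
UDP_PROTO = 17
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" for an IPv4 passenger


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left as 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_passenger():
    """Constructed passenger: a private-address IPv4/UDP packet (the 'network-specific' data)."""
    data = b"GET /payroll.csv"
    udp = struct.pack("!HHHH", 40000, 80, 8 + len(data), 0) + data
    return ipv4_header("10.0.0.5", "10.1.0.7", UDP_PROTO, len(udp)) + udp


def gre_encapsulate(passenger, carrier_src, carrier_dst):
    """Wrap at the near gateway: carrier IPv4 header | GRE header | passenger (RFC 2784 layout)."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)     # no C/K/S flags, version 0
    return ipv4_header(carrier_src, carrier_dst, GRE_PROTO,
                       len(gre) + len(passenger)) + gre + passenger


def gre_decapsulate(frame):
    """Unwrap at the far gateway: return (carrier_src, carrier_dst, passenger)."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != GRE_PROTO:
        raise ValueError("carrier packet is not GRE")
    carrier_src = socket.inet_ntoa(frame[12:16])
    carrier_dst = socket.inet_ntoa(frame[16:20])
    flags, ptype = struct.unpack("!HH", frame[ihl:ihl + 4])
    gre_len = 4
    if flags & 0x8000:
        gre_len += 4   # C: checksum + reserved1 present
    if flags & 0x2000:
        gre_len += 4   # K: key present (RFC 2890)
    if flags & 0x1000:
        gre_len += 4   # S: sequence number present (RFC 2890)
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected passenger protocol 0x%04x" % ptype)
    return carrier_src, carrier_dst, frame[ihl + gre_len:]


def passenger_addresses(passenger):
    """Private src/dst of the inner packet, which the foreign network never routes on."""
    return socket.inet_ntoa(passenger[12:16]), socket.inet_ntoa(passenger[16:20])


def plaintext_exposed(frame, marker=b"payroll"):
    """GRE wraps but does not encrypt: the passenger bytes are readable by anyone on the path."""
    return marker in frame


if __name__ == "__main__":
    p = build_passenger()
    f = gre_encapsulate(p, "203.0.113.1", "198.51.100.1")
    src, dst, inner = gre_decapsulate(f)
    print("carrier", src, "->", dst, "| passenger", *passenger_addresses(inner))
    print("payload visible to anyone on the path:", plaintext_exposed(f))
```

The point to take from the last check is that a GRE (or L2TP) tunnel on its own gives you routing of private addresses over a public network, nothing more; to get the "secure packaging" the earlier slides promise, the GRE packet itself has to be carried inside IPSec ESP.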
Example Tunneling with VPNs
- Site-to-site
  - Commonly uses GRE as the encapsulation protocol
  - Other protocols such as IPSec exist
- Remote-access
  - Predominantly uses PPTP (Microsoft)
  - L2F (Cisco)
  - L2TP (PPTP Forum, Cisco, IETF)
- [Diagram: Carrier | Encapsulation | Data]

Point-to-Point Tunneling Protocol
- Two types of information flows
  - Control messages (a TCP control connection)
  - Data packets (PPP frames carried in GRE)
- Security
  - Authentication
  - Encryption
  - Packet filtering
- Relies on the underlying PPP protocol for authentication (MS-CHAP) and encryption (MPPE), so PPTP is only as strong as those PPP mechanisms

Virtual Private Networking: Security
VPN Security
- A well-designed VPN uses several methods for keeping your connection and data secure:
  - Firewalls
  - AAA server
  - IPSec
  - Encryption

VPN Security: Firewalls
- Protection of private networks from the Internet
- Control over:
  - which files are allowed to leave the private network
  - how employees connect to Web sites
  - what ports packets can pass through

VPN Security: AAA Servers
- Authentication [who you are]
  - username/password
  - database retrieval
- Authorization [what you are allowed to do]
  - enforces policies
  - different privileges for different users
- Accounting [what you actually do]
  - logs session information
  - allows for statistical analysis
  - billing purposes

Virtual Private Networking: Encryption
VPN Encryption: IPSec
- IPSec (Internet Protocol Security) is the protocol commonly used with VPNs. It has two modes:
  - Tunnel: encrypts both the header and payload of the original packet, which is carried behind a new outer IP header (typically gateway-to-gateway, so only the gateway addresses are visible on the wire)
  - Transport: encrypts only the payload; the original IP header stays in the clear (typically host-to-host)
- In both modes the encryption comes from ESP; AH provides integrity and origin authentication only

VPN Encryption: Definition
- Encryption: "the process of encoding information in such a way that only the person (or computer) with the key can decode it" (How Encryption Works, http://computer.howstuffworks.com/encryption.htm)
- Two methods:
  - symmetric-key encryption
  - public-key encryption

VPN Encryption: Symmetric-Key Encryption
- Each computer has the same secret key, which is used for both encryption and decryption
- This is what actually encrypts VPN traffic: IPSec ESP uses symmetric ciphers (e.g. 3DES or AES), because they are far faster than public-key operations
- The problem is how to send the secret key without allowing others to "steal" or copy it while it is being transported over an unsecured network

VPN Encryption: Public-Key Encryption
- Used to solve that key-distribution problem, especially over the Internet
- Publicly introduced in 1976 by Whitfield Diffie and Martin Hellman (the Diffie-Hellman key exchange; IPSec's IKE uses it to agree on the symmetric keys)
- Its usage is best illustrated by a short story about Alice and Bob (RSA Encryption - Tutorial, http://www.woodmann.com/crackz/Tutorials/Rsa.htm)
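The two IPSec modes side by side, as an added example (not code from the presentation). It takes one original IPv4/TCP packet, protects it in transport mode and in tunnel mode, and then checks which addresses are still readable on the wire and that the payload is not. The cipher is a stand-in keystream derived with HMAC-SHA256 so the example runs on the standard library alone; a real ESP security association uses AES with an integrity check and never reuses a sequence number under one key. The addresses, key, SPIs and payload are all made up.

```python
"""Constructed IPsec ESP transport-vs-tunnel comparison (added for this page; not from the slides)."""
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50
TCP_PROTO = 6
IPV4_IN_IP = 4   # ESP "next header" value when the protected data is a whole IPv4 packet


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left as 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def keystream_xor(key, spi, seq, data):
    """Stand-in symmetric cipher: XOR with HMAC-SHA256(key, spi|seq|block) blocks.
    The same call encrypts and decrypts. NOT a real ESP transform; AES would go here."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, struct.pack("!IIQ", spi, seq, off // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def esp_wrap(src, dst, key, spi, seq, plaintext, next_header):
    """outer IPv4 (proto 50) | ESP header (SPI, sequence) | encrypted(plaintext | next_header)."""
    body = keystream_xor(key, spi, seq, plaintext + bytes([next_header]))
    esp = struct.pack("!II", spi, seq)
    return ipv4_header(src, dst, ESP_PROTO, len(esp) + len(body)) + esp + body


def esp_transport(packet, key, spi, seq):
    """Transport mode: keep the original IP header, encrypt only the payload after it."""
    ihl = (packet[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    return esp_wrap(src, dst, key, spi, seq, packet[ihl:], packet[9])


def esp_tunnel(packet, key, spi, seq, gw_src, gw_dst):
    """Tunnel mode: encrypt the entire original packet, header included, behind a new gateway header."""
    return esp_wrap(gw_src, gw_dst, key, spi, seq, packet, IPV4_IN_IP)


def esp_unwrap(frame, key):
    """Receiver side: return (outer_src, outer_dst, next_header, plaintext)."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    spi, seq = struct.unpack("!II", frame[ihl:ihl + 8])
    clear = keystream_xor(key, spi, seq, frame[ihl + 8:])
    return (socket.inet_ntoa(frame[12:16]), socket.inet_ntoa(frame[16:20]),
            clear[-1], clear[:-1])


def visible_addresses(frame):
    """What an observer on the public network can read from the outer header."""
    return socket.inet_ntoa(frame[12:16]), socket.inet_ntoa(frame[16:20])


def build_original():
    """Constructed host-to-host IPv4/TCP packet with a recognisable payload."""
    data = b"secret payroll data"
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x18, 8192, 0, 0) + data
    return ipv4_header("10.0.0.5", "10.1.0.7", TCP_PROTO, len(tcp)) + tcp


if __name__ == "__main__":
    key = b"k" * 32                      # constructed key
    orig = build_original()
    t = esp_transport(orig, key, 0x1001, 1)
    u = esp_tunnel(orig, key, 0x1002, 1, "203.0.113.1", "198.51.100.1")
    print("transport mode shows:", visible_addresses(t))
    print("tunnel mode shows:   ", visible_addresses(u))
    print("payload readable?", b"secret" in t, b"secret" in u)
```

Transport mode still leaks who is talking to whom, which is why site-to-site VPNs use tunnel mode between gateways: the only addresses on the public path are the two gateways', and the private addressing plan of each site stays inside the ciphertext.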
VPN Encryption: Public-Key Encryption - Story
1. Alice and Bob agree on a public-key cryptosystem.
2. Bob generates a pair of mathematically linked keys: one public, one private.
3. Bob transmits his public key to Alice over any insecure medium (eavesdropping does not matter, but Alice must be sure the key really is Bob's, otherwise an attacker can substitute his own).
4. Bob keeps the private key a secret.
5. Alice uses Bob's public key and the encryption algorithm to encrypt her message, creating a ciphertext.
6. Alice transmits the ciphertext to Bob.
7. Bob decrypts the ciphertext using the same algorithm and his private key.

VPN Encryption: Public-Key Encryption - Story
- Notes:
  - A common public-key cryptosystem is RSA
  - A very simple cryptosystem could be reversing the letters of each word, e.g. "Hello there" -> "olleH ereht"; note that it has no key at all, so anyone who knows the method can undo it

VPN Encryption: Public-Key Encryption
- Keys in public-key cryptography rely on a "trapdoor function", which allows computation in one direction to be relatively easy (i.e. the encryption), while computing the inverse (decryption without the proper key) is relatively impossible

VPN Encryption: RSA
- Keys are commonly made using RSA (defined by Rivest, Shamir, and Adleman)
- This algorithm generates keys as follows (RSA Encryption - Tutorial, http://www.woodmann.com/crackz/Tutorials/Rsa.htm)
VPN Encryption: RSA
1. Take two large primes, p and q.
2. Compute their product n = pq; n is called the modulus.
3. Choose a number e, less than n and relatively prime to (p-1)(q-1), which means e and (p-1)(q-1) have no common factors except 1.
4. Find another number d such that (ed - 1) is divisible by (p-1)(q-1). The values e and d are called the public and private exponents, respectively.
5. The public key is the pair (n, e); the private key is (n, d).
6. The factors p and q may be kept with the private key, or destroyed.
- Notes: p and q are large primes, with ~200 digits each

VPN Encryption: RSA
- It is not known whether RSA is secure
- Nobody knows how to prove that an algorithm (here, factoring) is inherently "slow"
- The best/fastest known way to crack such encryption is factorization: finding the two large primes used to create the key, from which d can be recomputed

VPN Encryption: RSA - Factorization
- Factorization algorithms can take a long time to find the answer
  - For example, factoring a 512-bit number, as part of a security challenge from RSA Labs, took 292 CPU-years (about 3.7 months in calendar time) in 1999 (http://www.rsasecurity.com/)
  - A 576-bit number was factorized in 2003, which took less time than the 512-bit one because of improved algorithms and faster hardware (http://www.rsasecurity.com/)

Virtual Private Networking: The Future of VPNs
VPN Encryption: The Future
- Factorization techniques are improving as hardware gets faster
- It is probable that in the future today's key sizes will be solvable (i.e. crackable) in a short amount of time, rendering them useless (512-bit keys already are, as the challenge results show)
- It is believed that "If no new methods are developed, then 2048-bit RSA keys will always be safe from factorization, but one can't predict the future." (Cryptography FAQ 06/10: Public Key Cryptography, http://www.faqs.org/faqs/cryptography-faq/part06/)
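The RSA key-generation steps, the Alice/Bob exchange from the story, and the factoring attack the last two slides describe, worked in one piece. This is an added example written for this page, not code from the presentation or the cited tutorial: it follows the six numbered steps with a toy pair (p = 61, q = 53, e = 17) so every intermediate value is checkable by hand, generates a real-sized pair with Miller-Rabin primality testing, and then plays the attacker by trial-dividing the toy modulus to recover p, q and hence d. It is textbook RSA with no padding, which is fine for seeing the mathematics but not for protecting anything; the message bytes and the primes are constructed.

```python
"""Constructed RSA key generation, Alice/Bob exchange and factoring attack (added for this page)."""
import random
from math import gcd


def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test (used to find p and q in step 1)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Step 1: random odd candidate with the top bit set, retried until it passes the test."""
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def modinv(a, m):
    """Extended Euclid: a^-1 mod m. Step 4 in the slide: d with (e*d - 1) divisible by m."""
    r0, r1, t0, t1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    if r0 != 1:
        raise ValueError("not invertible")
    return t0 % m


def rsa_keypair_from_primes(p, q, e):
    """Steps 2-6 for given primes; returns ((n, e), (n, d)). p and q are discarded (step 6)."""
    n = p * q                                   # step 2: the modulus
    phi = (p - 1) * (q - 1)
    if not (1 < e < n and gcd(e, phi) == 1):    # step 3: e < n, coprime to (p-1)(q-1)
        raise ValueError("e must be < n and coprime to (p-1)(q-1)")
    d = modinv(e, phi)                          # step 4: private exponent
    return (n, e), (n, d)                       # step 5: public key, private key


def rsa_keygen(bits=512, e=65537):
    """Step 1 with random primes of bits/2 each, then steps 2-6."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            return rsa_keypair_from_primes(p, q, e)


def encrypt(pub, message):
    """Alice (story step 5): c = m^e mod n. The message must encode to an integer below n."""
    n, e = pub
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(priv, ciphertext):
    """Bob (story step 7): m = c^d mod n. Leading zero bytes of the message are not preserved."""
    n, d = priv
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def crack_by_factoring(pub):
    """Attacker: factor n by trial division, then redo steps 2-5 to get d. Feasible only for toy n."""
    n, e = pub
    f = 3
    while f * f <= n:
        if n % f == 0:
            return rsa_keypair_from_primes(f, n // f, e)[1]
        f += 2
    raise ValueError("no odd factor found")


if __name__ == "__main__":
    pub, priv = rsa_keypair_from_primes(61, 53, 17)     # toy primes: n = 3233, d = 2753
    c = encrypt(pub, b"A")                              # 'A' = 65 -> 2790
    print(pub, priv, c, decrypt(priv, c))
    print("private key recovered by factoring n:", crack_by_factoring(pub))
    pub, priv = rsa_keygen(512)                         # 512-bit modulus; far too small today
    print(decrypt(priv, encrypt(pub, b"Hello Bob")))
```

Trial division finds the toy factors instantly because n has four digits; against a 512-bit modulus the same loop would never finish, which is exactly the gap the number field sieve closes (the 1999 and 2003 challenge results above) and the reason key sizes have to keep growing. Real deployments also add OAEP padding so that identical messages do not produce identical ciphertexts.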