VPN and IPsec - Seneca College (raymond.chan/nad810/0901/ipsec-vpn…)
Posted on 10-Jul-2020
VPN and IPsec
Network Administration – Using Linux
Virtual Private Network and IPSec, 04/2009
What is VPN?
VPN is “an emulation of a private Wide Area Network (WAN) using shared or public IP facilities.”
A typical VPN consists of two or more private intranets connected by “logical tunnels” over a public network.
These tunnels enable the two ends to exchange data much as in point-to-point communication.
Site-to-Site VPN
VPN Components
Security Mechanisms:
● Payload Encryption
● User Authentication
● Resource Authorization
VPN Tunnelling Protocols:
● IP Security (IPsec)
● Point-to-Point Tunneling Protocol (PPTP)
● Layer 2 Tunneling Protocol (L2TP)
Encryption
The process of converting data into a form that can be read only by the intended receiver.
Public-key encryption:
● Sender uses the receiver's public key to encrypt the message
● Receiver uses its private key to decrypt the encoded message
Pretty Good Privacy (PGP), Data Encryption Standard (DES)
Authentication
To verify the identity of the user.
● Username / password
● Secret-key encryption
● Public-key encryption
Authorization
Granting or denying a user access to resources.
The user must be identified and authenticated. Access to a resource can be based on:
● source and destination IP addresses,
● port addresses, and group affiliations,
● time, day, date,
● application, service,
● authentication method, etc.
IPSec
Internet Protocol Security (IPSec), RFC 2401
● Open Internet Standard
● Transmission security (data encryption)
● User authentication
● Operates at the Network Layer
PPTP
Point-to-Point Tunneling Protocol:
● Microsoft, 3COM and Ascend Communications
● Proposed as an alternative to IPSec
● Operates at Layer 2 (Data Link Layer)
● Used for secure transmission of Windows-based traffic
● RFC 1171
L2TP
Layer 2 Tunneling Protocol:
● Cisco Systems
● A combination of Layer 2 Forwarding and PPTP
● Offers strong encryption of data
Tunneling Components
● Target network – network that contains resources for remote access
● Initiator node – remote client or server that initiates the VPN session
● HA (home agent) software at the network access node (router) in the target network
● FA (foreign agent) software at the initiator node or at the network access node (router) of the network to which the initiator node belongs
Tunnel Operations
● The initiator sends a connection request to the FA
● FA authenticates the user
● FA forwards the request to the HA of the target network
● HA verifies the supplied information and sends back the information FA needs to establish a tunnel
● The initiator starts forwarding data packets to FA
Tunnel Operations 2
● FA creates the tunnel header and the routable protocol header for the data packet
● FA encrypts the data and appends the tunnel header and routable protocol header to the data
● FA forwards the resulting packet to HA
● HA strips off the headers and decrypts the data
● HA forwards the original data packet to the intended destination node.
Tunneled Packet
What is IPSec?
IPSec (Internet Protocol Security) refers to a suite of protocols:
● AH – Authentication Header Protocol
● ESP – Encapsulating Security Payload Protocol
● IKE (or ISAKMP/Oakley) – Internet Key Exchange or Internet Security Association and Key Management Protocol
IPSec SA
Security Association (SA) is fundamental to IPSec.
An SA is a unidirectional (simplex) logical connection between two IPsec systems.
An SA consists of:
● Security parameter index (SPI)
● IP Destination Address
● Security Protocol
Security Association
Security parameter index (SPI)
● A 32-bit value used to distinguish different SAs that share the same destination address and security protocol. The SPI is carried in the header of the security protocol (AH or ESP).
IP Destination Address
● This address can be a unicast, broadcast or multicast IP address. The current SA management mechanism is defined only for unicast addresses.
Security Protocol
● This can be either AH or ESP.
IPSec SA Databases
An IPSec SA uses two databases:
● The Security Association Database (SAD) maintains the information related to each SA. This information includes the algorithm keys, SA lifespan, and sequence numbers.
● The Security Policy Database (SPD) maintains the information about security services along with an ordered list of inbound and outbound policy entries. Much like firewall rules and packet filters, these entries define what traffic must be processed and what traffic must be ignored per IPSec standards.
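The ordered-list behaviour of the SPD is the point worth seeing in code: the first entry whose selectors match a packet decides whether the traffic is protected, passed in the clear, or dropped, and traffic that matches nothing is dropped. The following is an added example written for these notes, not code from the slides or from any IPsec implementation. The entry fields and the three actions follow the SPD model of RFC 4301; the addresses, the SPI-less "sa_params" dictionary and the sample packets are constructed for the demo. The same first-match logic is what the Authorization slide's list of access criteria (addresses, ports, service) boils down to.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The three SPD actions, named as in RFC 4301.
PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"


@dataclass(frozen=True)
class Policy:
    src: str                           # source selector, CIDR
    dst: str                           # destination selector, CIDR
    proto: Optional[int]               # IP protocol number, None = any
    dport: Optional[int]               # destination port, None = any
    action: str                        # PROTECT / BYPASS / DISCARD
    sa_params: Optional[dict] = None   # for PROTECT: what the SA must look like (constructed shape)

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))


class SPD:
    """Ordered policy list: the first matching entry decides."""

    def __init__(self, policies):
        self.policies = list(policies)

    def lookup(self, pkt: dict) -> Policy:
        for policy in self.policies:
            if policy.matches(pkt):
                return policy
        # Nothing matched: RFC 4301 requires such traffic to be discarded.
        return Policy("0.0.0.0/0", "0.0.0.0/0", None, None, DISCARD)


def decide(spd: SPD, pkt: dict) -> str:
    return spd.lookup(pkt).action


# Constructed site-to-site scenario: gateway 192.0.2.1 fronts 10.1.0.0/16,
# gateway 203.0.113.2 fronts 10.2.0.0/16 (documentation address ranges).
SAMPLE_SPD = SPD([
    # Entry order matters: this DISCARD shadows the broader PROTECT below it.
    Policy("10.1.0.0/16", "10.2.0.0/16", 6, 23, DISCARD),
    Policy("10.1.0.0/16", "10.2.0.0/16", None, None, PROTECT,
           {"protocol": "ESP", "mode": "tunnel", "peer": "203.0.113.2"}),
    # IKE between the gateways (UDP port 500) has to pass in the clear.
    Policy("192.0.2.1/32", "203.0.113.2/32", 17, 500, BYPASS),
])

# Constructed packets (five-tuple subsets) to run through the SPD.
EXAMPLE_PACKETS = {
    "https":  {"src": "10.1.5.7",  "dst": "10.2.0.9",     "proto": 6,  "dport": 443},
    "telnet": {"src": "10.1.5.7",  "dst": "10.2.0.9",     "proto": 6,  "dport": 23},
    "ike":    {"src": "192.0.2.1", "dst": "203.0.113.2",  "proto": 17, "dport": 500},
    "stray":  {"src": "10.1.5.7",  "dst": "198.51.100.4", "proto": 6,  "dport": 80},
}

if __name__ == "__main__":
    for name, pkt in EXAMPLE_PACKETS.items():
        print(f"{name:7s} -> {decide(SAMPLE_SPD, pkt)}")
```

Swapping the first two entries would silently turn the telnet rule into dead code, which is the usual way an SPD (or a firewall ruleset) ends up protecting less than its author intended; reviewing entry order is as important as reviewing the entries themselves.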
Authentication Header
● AH is used to provide integrity and authentication to IP datagrams
● Replay protection is also possible
● AH is used in two modes: transport mode and tunnel mode
● AH is identified by protocol number 51
Encapsulating Security Payload
● ESP is used to provide integrity check, authentication, and encryption to IP datagrams
● Optional replay protection is also possible
● ESP is used in two modes: transport mode and tunnel mode
● ESP is identified by protocol number 50
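The tunnel operations, the SA triple (SPI, destination address, protocol), the SAD's sequence numbers and ESP's optional replay protection all come together in one packet flow, so here is an added example, written for these notes and not taken from the slides or from any IPsec implementation, that walks a packet FA-to-HA in ESP tunnel mode. It uses the ESP packet layout of RFC 4303 (SPI, sequence number, encrypted payload with trailer, integrity check value) and its sliding anti-replay window. Everything else is a labelled simplification: the "cipher" is a keystream derived from HMAC-SHA256 standing in for AES, the outer IP header is a 9-byte toy (source, destination, protocol number), and the keys, SPI and addresses are constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTOCOL = 50     # ESP is IP protocol number 50 (from the slides)
ICV_LEN = 16          # truncated HMAC-SHA256 integrity check value
WINDOW = 64           # anti-replay window, in sequence numbers
NEXT_HDR_IPV4 = 4     # tunnel mode: the ESP payload is a whole IPv4 packet


def _keystream(key: bytes, seq: int, n: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256, a stand-in for a real
    cipher (AES); the sequence number serves as the per-packet IV."""
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">QI", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SA:
    """One simplex SA as kept in the SAD: (SPI, destination, protocol),
    keys, outbound sequence counter and inbound anti-replay window."""

    def __init__(self, spi: int, dst: str, enc_key: bytes, auth_key: bytes):
        self.spi, self.dst, self.enc_key, self.auth_key = spi, dst, enc_key, auth_key
        self.seq = 0       # outbound: last sequence number sent
        self.highest = 0   # inbound: highest sequence number accepted so far
        self.bitmap = 0    # inbound: bit i set = sequence (highest - i) was seen

    def replay_check(self, seq: int) -> bool:
        """Sliding window as in RFC 4303: accept only numbers that are new
        and not older than the window."""
        if seq == 0 or self.highest - seq >= WINDOW:
            return False
        if seq > self.highest:
            return True
        return ((self.bitmap >> (self.highest - seq)) & 1) == 0

    def replay_update(self, seq: int) -> None:
        """Advance the window; called only after the ICV has verified."""
        if seq > self.highest:
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def encapsulate(sa: SA, inner: bytes, outer_src: str) -> bytes:
    """FA side: encrypt the inner packet, prepend the ESP (tunnel) header and
    a toy outer header (src, dst, protocol), append the ICV."""
    sa.seq += 1
    esp_hdr = struct.pack(">II", sa.spi, sa.seq)
    pad_len = (-(len(inner) + 2)) % 4                       # align the trailer to 4 bytes
    plain = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HDR_IPV4])
    cipher = _xor(plain, _keystream(sa.enc_key, sa.seq, len(plain)))
    icv = hmac.new(sa.auth_key, esp_hdr + cipher, hashlib.sha256).digest()[:ICV_LEN]
    outer_hdr = (ipaddress.ip_address(outer_src).packed
                 + ipaddress.ip_address(sa.dst).packed + bytes([ESP_PROTOCOL]))
    return outer_hdr + esp_hdr + cipher + icv


def decapsulate(sad: dict, packet: bytes):
    """HA side: find the SA by (SPI, destination, protocol), reject replays and
    bad ICVs, strip the headers, decrypt. Returns (status, inner_packet)."""
    dst, proto = str(ipaddress.ip_address(packet[4:8])), packet[8]
    if proto != ESP_PROTOCOL:
        return "DISCARD:not-esp", None
    esp_hdr, cipher, icv = packet[9:17], packet[17:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = struct.unpack(">II", esp_hdr)
    sa = sad.get((spi, dst, "ESP"))
    if sa is None:
        return "DISCARD:no-sa", None
    if not sa.replay_check(seq):
        return "DISCARD:replay", None
    expected = hmac.new(sa.auth_key, esp_hdr + cipher, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return "DISCARD:bad-icv", None            # window is left untouched on failure
    sa.replay_update(seq)
    plain = _xor(cipher, _keystream(sa.enc_key, seq, len(cipher)))
    pad_len, next_hdr = plain[-2], plain[-1]
    if next_hdr != NEXT_HDR_IPV4:
        return "DISCARD:next-header", None
    return "OK", plain[:-(pad_len + 2)]


def demo() -> list:
    """Constructed run: FA 192.0.2.1 -> HA 203.0.113.2 over SPI 0x1001."""
    enc_key, auth_key = b"K" * 32, b"A" * 32                  # demo keys only
    sa_fa = SA(0x1001, "203.0.113.2", enc_key, auth_key)       # FA's outbound SA
    sa_ha = SA(0x1001, "203.0.113.2", enc_key, auth_key)       # HA's inbound copy
    sad = {(0x1001, "203.0.113.2", "ESP"): sa_ha}
    inner = b"10.1.0.5>10.2.0.9 GET /"                         # toy inner packet
    p1, p2, p3 = (encapsulate(sa_fa, inner + bytes([i]), "192.0.2.1") for i in range(3))
    forged = p3[:-1] + bytes([p3[-1] ^ 1])                     # last ICV byte flipped
    unknown = p1[:9] + struct.pack(">II", 0x2002, 1) + p1[17:]  # SPI not in the SAD
    return [decapsulate(sad, p)[0] for p in (p1, p2, p1, forged, p3, unknown)]
```

Running `demo()` yields OK, OK, DISCARD:replay, DISCARD:bad-icv, OK, DISCARD:no-sa. Two details matter for a deployment: the window is only advanced after the ICV verifies, so a forged packet cannot burn a sequence number and cause the genuine one to be dropped, and the SA lookup uses the full (SPI, destination, protocol) triple, which is why the SPI alone is allowed to be reused across different peers.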
AH format
ESP Format
Transport Mode (diagram slide)
Tunnel Mode (diagram slide)
Internet Key Exchange Protocol
● Previously referred to as ISAKMP/Oakley
● Supports automated negotiation of Security Associations
● Supports automated generation and refresh of cryptographic keys
● Uses parts of ISAKMP and parts of the Oakley and SKEME key exchange protocols to provide management of keys and security associations for the IPSec AH and ESP protocols.
IKE Version 1
● RFC 2409 – The Internet Key Exchange
● RFC 2408 – Internet Security Association and Key Management Protocol (ISAKMP)
● RFC 2407 – The Internet IP Security Domain of Interpretation for ISAKMP
● RFC 2412 – The OAKLEY Key Determination Protocol
● RFC 2411 – IP Security Document Roadmap
IKE Phases
Internet Key Exchange negotiation operates in two separate phases:
● Phase 1
– Authenticating the other IPsec gateway
– Negotiating an IKE SA with the other gateway
– Setting up a secure two-way tunnel for IPSec, using ISAKMP (Internet Security Association and Key Management Protocol) to handle the phase 2 negotiation
IKE Phase 2
● Phase 2
– Using the ISAKMP SA, negotiate the set of Security Parameters for the IPSec (ESP and/or AH) tunnel (ESP/AH keys are unidirectional)
– Creating the IPSec tunnel
● Both phases use UDP port 500 for their negotiations
● ESP and AH protocols do not have ports
Free/Open IPSec Implementations
FreeS/WAN
http://www.freeswan.org (no longer active)
OpenSWAN
http://www.openswan.org (based on FreeS/WAN)