virtual private networks
DESCRIPTION
A detailed presentation about Virtual private networksTRANSCRIPT
![Page 1: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/1.jpg)
![Page 2: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/2.jpg)
By. P. Victer Paul
Dear, We planned to share our eBooks and project/seminar contents for free to all needed friends like u.. To get to know about more free computerscience ebooks and technology advancements in computer science. Please visit....
http://free-computerscience-ebooks.blogspot.com/
http://recent-computer-technology.blogspot.com/
http://computertechnologiesebooks.blogspot.com/
Please to keep provide many eBooks and technology news for FREE. Encourage us by Clicking on the advertisement in these Blog.
![Page 3: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/3.jpg)
VPNs can be used to secure communications through the public Internet.
VPNs are often installed by organizations to provide remote access to a secure organizational network, or to connect two network locations together using an insecure network to carry the traffic.
A VPN does not need to have explicit security features such as authentication or traffic encryption. For example, a network service provider could use VPNs to separate the traffic of multiple customers over an underlying network.
VPNs such as Tor can be used to mask the IP address of individual computers within the Internet in order, for instance, to surf the World Wide Web anonymously or to access location restricted services, such as Internet television.
![Page 4: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/4.jpg)
![Page 5: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/5.jpg)
![Page 6: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/6.jpg)
In the protocols they use to tunnel the traffic over the underlying network;
By the location of tunnel termination, such as the customer edge or network provider edge;
Whether they offer site-to-site or remote access connectivity;
In the levels of security provided; By the OSI layer which they present to the connecting
network, such as Layer 2 circuits or Layer 3 network connectivity.
![Page 7: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/7.jpg)
Secure VPNs explicitly provide mechanisms for authentication of the tunnel endpoints during tunnel setup, and encryption of the traffic in transit.
Often secure VPNs are used to protect traffic when using the Internet as the underlying backbone, but equally they may be used in any environment when the security level of the underlying network differs from the traffic within the VPN.
![Page 8: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/8.jpg)
Secure VPNs may be implemented by organizations wishing to provide remote access facilities to their employees or by organizations wishing to connect multiple networks together securely using the Internet to carry the traffic.
A common use for secure VPNs is in remote access scenarios, where VPN client software on an end user system is used to connect to a remote office network securely.
Secure VPN protocols include L2TP (with IPsec), SSL/TLS VPN (with SSL/TLS) or PPTP (with MPPE).
![Page 9: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/9.jpg)
Trusted VPNs are commonly created by carriers and large organizations and are used for traffic segmentation on large core networks. They often provide quality of service guarantees and other carrier-grade features.
Trusted VPNs may be implemented by network carriers wishing to multiplex multiple customer connections transparently over an existing core network or by large organizations wishing to segregate traffic flows from each other in the network. Trusted VPN protocols include MPLS, ATM or Frame Relay.
Trusted VPNs differ from secure VPNs in that they do not provide security features such as data confidentiality through encryption. Secure VPNs however do not offer the level of control of the data flows that a trusted VPN can provide such as bandwidth guarantees or routing.
![Page 10: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/10.jpg)
Security Address Translation Performance: Throughput, Load balancing (round-robin
DNS), fragmentation Bandwidth Management: RSVP (Resource Reservation Protocol) Availability: Good performance at all times Scalability: Number of locations/Users Interoperability: Among vendors, Internet Service Providers (ISPs), customers (for extranets) Standards Compatibility, ⇒
With firewall
![Page 11: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/11.jpg)
Compression: Reduces bandwidth requirements Manageability: SNMP (Simple Network Management
Protocol), Browser based, Java based, centralized/distributed
Accounting, Auditing, and Alarming Protocol Support: IP, non-IP (IPX) Platform and O/S support: Windows, UNIX, MacOS,
HP/Sun/Intel Installation: Changes to desktop or backbone only Legal: Exportability, Foreign Govt Restrictions, Key Management Infrastructure (KMI) initiative ⇒ Need key recovery
![Page 12: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/12.jpg)
IPsec (Internet Protocol Security) - A standards-based security protocol developed originally for IPv6, where support is mandatory, but also widely used with IPv4.
For VPNs L2TP is commonly used over IPsec. Transport Layer Security (SSL/TLS) is used either for
tunneling an entire network's traffic (SSL/TLS VPN) SSL has been the foundation by a number of vendors to
provide remote access VPN capabilities. SSL-based VPNs may be vulnerable to
denial-of-service attacks mounted against their TCP connections because latter are inherently unauthenticated.
![Page 13: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/13.jpg)
Datagram Transport Layer Security (DTLS), used by Cisco for a next generation VPN product called Cisco AnyConnect VPN. DTLS solves the issues found when tunneling TCP over TCP as is the case with SSL/TLS
Microsoft Point-to-Point Encryption (MPPE) by Microsoft is used with their PPTP. Several compatible implementations on other platforms also exist.
Secure Socket Tunneling Protocol (SSTP) by Microsoft introduced in Windows Server 2008 and Windows Vista Service Pack 1. SSTP tunnels PPP or L2TP traffic through an SSL 3.0 channel.
![Page 14: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/14.jpg)
MPVPN (Multi Path Virtual Private Network). Ragula Systems Development Company owns the registered trademark "MPVPN“.
SSH VPN -- OpenSSH offers VPN tunneling to secure remote connections to a network (or inter-network links). This feature (option -w) should not be confused with port forwarding (option -L).
OpenSSH server provides limited number of concurrent tunnels and the VPN feature itself does not support personal authentication.
![Page 15: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/15.jpg)
Tunnel endpoints are required to authenticate themselves before secure VPN tunnels can be established.
End user created tunnels, such as remote access VPNs may use passwords, biometrics, two-factor authentication or other cryptographic methods.
For network-to-network tunnels, passwords or digital certificates are often used, as the key must be permanently stored and not require manual intervention for the tunnel to be established automatically.
![Page 16: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/16.jpg)
Depending on whether the PPVPN runs in layer 2 or layer 3, the building blocks described below may be L2 only, L3 only, or combinations of the two. Multiprotocol Label Switching (MPLS) functionality blurs the L2-L3 identity.◦Customer edge device. (CE)◦ Provider edge device (PE)◦ Provider device (P)
![Page 17: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/17.jpg)
Customer edge device (CE) In general, a CE is a device, physically at the customer premises, that provides access to the PPVPN service. Some implementations treat it purely as a demarcation point between provider and customer responsibility, while others allow customers to configure it.
Provider edge device (PE) A PE is a device or set of devices, at the edge of the provider network, which provides the provider's view of the customer site. PEs are aware of the VPNs that connect through them, and which maintain VPN state.
![Page 18: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/18.jpg)
Provider device (P) A P device operates inside the provider's core network, and
does not directly interface to any customer endpoint. It might, for example, provide routing for many provider-
operated tunnels that belong to different customers' PPVPNs.
Its principal role is allowing the service provider to scale its PPVPN offerings, as, for example, by acting as an aggregation point for multiple PEs. P-to-P connections, in such a role, often are high-capacity optical links between major locations of provider.
![Page 19: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/19.jpg)
![Page 20: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/20.jpg)
![Page 21: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/21.jpg)
![Page 22: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/22.jpg)
![Page 23: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/23.jpg)
![Page 24: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/24.jpg)
![Page 25: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/25.jpg)
![Page 26: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/26.jpg)
![Page 27: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/27.jpg)
![Page 28: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/28.jpg)
GRE: Generic Routing Encaptulation (RFC 1701/2) PPTP: Point-to-point Tunneling Protocol 2TP: Layer 2 Tunneling protocol IPsec: Secure IP MPLS: Multiprotocol Label Switching
![Page 29: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/29.jpg)
![Page 30: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/30.jpg)
![Page 31: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/31.jpg)
![Page 32: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/32.jpg)
Layer 2 Tunneling Protocol L2F = Layer 2 Forwarding (From CISCO) L2TP = L2F + PPTP Combines the best features of
L2F and PPTP Easy upgrade from L2F or PPTP Allows PPP frames to be sent over non-IP (Frame
relay, ATM) networks also (PPTP works on IP only) Allows multiple (different QoS) tunnels between the
same end-points. Better header compression. Supports flow control
![Page 33: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/33.jpg)
![Page 34: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/34.jpg)
Universal Transport Interface (UTI) is a pre-standard effort for transporting L2 frames.
L2TPv3 extends UTI and includes it as one of many supported encapsulations.
L2TPv3 has a control plane using reliable control connection for establishment, teardown and maintenance of individual sessions.
![Page 35: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/35.jpg)
![Page 36: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/36.jpg)
Allows virtual circuits in IP Networks Each packet has a virtual circuit number called ‘label’ Label determines the packet’s queuing and forwarding Circuits are called Label Switched Paths (LSPs) LSP’s have to be set up before use Allows traffic engineering
![Page 37: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/37.jpg)
![Page 38: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/38.jpg)
![Page 39: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/39.jpg)
Unsolicited: Topology driven Routing protocols ⇒exchange labels with routing information.
Many existing routing protocols are being extended:BGP, OSPF
On-Demand: ⇒ Label assigned when requested,
e.g., when a packet arrives latency⇒ Label Distribution Protocol called LDP RSVP has been extended to allow label request and
response
![Page 40: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/40.jpg)
![Page 41: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/41.jpg)
![Page 42: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/42.jpg)
VPN allows secure communication on the Internet Three types: WAN, Access, Extranet Key issues: address translation, security, performance Layer 2 (PPTP, L2TP), Layer 3 (IPSec) QoS is still an issue MPLS⇒
![Page 43: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/43.jpg)
FIREWALL
![Page 44: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/44.jpg)
Aspects of Security◦Data accessibility - contents accessible◦Data integrity - contents remain unchanged◦Data confidentiality - contents not revealed
AAA◦Authentication - You are who you say you are◦Authorization - Access control◦Accountability- Who is responsible for tracking access to
data
![Page 45: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/45.jpg)
![Page 46: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/46.jpg)
Scrambling of message such that only intended receiver can unscramble them◦Encrypting function - produces encrypted message◦Decrypting function - extracts original message◦Encryption key - parameter that controls
encryption/decryption
![Page 47: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/47.jpg)
Secret Key Encryption◦ Sender and receiver share secret key◦ Encrypted_Message = encrypt(K, Message)◦Message = decrypt(K, Encrypted_Message)◦ Example: Encrypt = division◦ 433 = 48 R 1 (using divisor of 9)
![Page 48: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/48.jpg)
Previous scheme requires shared secret K If K is discovered, security is compromised Public key encryption uses two keys:◦Private key - kept secret by user◦Public key - published by user
Message encrypted with public key can be decrypted only with private key, and vice-versa
![Page 49: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/49.jpg)
Encrypted_Message = decrypt(Public_Key, encrypt(Private_key, Message)
Message = decrypt(Private_Key, encrypt(Public_Key,Message)
![Page 50: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/50.jpg)
Goal - guarantee that message must have originated with certain entity
Encrypted_Message = encrypt(Private_Key, Message) Message = decrypt(Public_Key, Encrypted_Message) => Authentic
![Page 51: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/51.jpg)
User 1 to User2: Encrypted_Message = encrypt(Public_key2,
encrypt(Private_key1, Message) Message = decrypt(Public_key1, decrypt
(Private_key2,Encrypted_Message) => Authentic and Private
![Page 52: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/52.jpg)
Bastion Host DMZ (demilitarized zone) Perimeter network
![Page 53: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/53.jpg)
A bastion host is a computer that is fully exposed to attack
The system is on the public side of the demilitarized zone (DMZ), unprotected by a firewall or filtering router
Firewalls and routers can be considered bastion hosts Other types of bastion hosts include web, mail, DNS,
and FTP servers, Proxy servers
![Page 54: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/54.jpg)
DMZ (demilitarized zone) is a computer host or small network inserted as a "neutral zone" between a company's private network and the outside public network.
It prevents outside users from getting direct access to a server that has company data
![Page 55: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/55.jpg)
A small, single-segment network between a firewall and the Internet for services that the organization wants to make publicly accessible to the Internet without exposing the network as a whole
If someone breaks into a bastion host on the perimeter net, he'll be able to snoop only on traffic on that net
Also known as ‘stub network’
![Page 56: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/56.jpg)
Can configure packet forwarding devices - esp. routers – to drop certain packets
Example: Only email gets in/out problem: Filter is accessible to outside world
![Page 57: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/57.jpg)
![Page 58: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/58.jpg)
![Page 59: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/59.jpg)
Proxy servers take users' requests and forward them to real servers
Take server’s responses and forwards them to users Enforce site security policy = > may refuse certain
requests Transparency is the major benefit of proxy services Also known as application-level gateways
![Page 60: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/60.jpg)
![Page 61: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/61.jpg)
![Page 62: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/62.jpg)
![Page 63: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/63.jpg)
![Page 64: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/64.jpg)
Can’t protect against malicious insiders can’t protect against connections that do not go through
it,◦ e.g. dial up
Can’t protect against completely new threats Can’t protect against viruses
![Page 65: Virtual private networks](https://reader034.vdocuments.net/reader034/viewer/2022051412/54be6bc04a7959e2468b4599/html5/thumbnails/65.jpg)
Security is a problem because Internet is not owned by one entity
Encryption and digital signatures can provide confidentiality and secure identification
Organizations can use firewalls to prevent unauthorized access