Virtual Private Networks: Applications
Prof. Dr. Andreas Steffen, Zürcher Hochschule Winterthur
Sichere Netzwerkkommunikation (SNK, Secure Network Communication)
SNK_VPNapp.ppt, 16.12.2002, © 2000-2002 Zürcher Hochschule Winterthur


Page 2: Virtual Private Networks

[Diagram: VPN tunnels across the Internet. Headquarters (10.1.0.0/16, VPN Gateway 11.22.33.44) and Subsidiary (10.2.0.0/16, VPN Gateway 55.66.77.88) are joined by a site-to-site VPN tunnel; a "Road Warrior" VPN client (10.3.0.2) reaches Headquarters through a second VPN tunnel.]

Page 3: The "Road Warrior" Remote Access Case

[Diagram: a Road Warrior with a dynamic ISP address (55.66.x.x) builds an IPsec tunnel over the Internet to the home network's VPN Gateway 11.22.33.44 in front of 10.1.0.0/16 and is assigned the virtual IP 10.3.0.2.]

• Road Warriors sign on to their home network via IKE with varying IP addresses assigned dynamically by the local ISP.
• Authentication is usually based on RSA public keys and X.509 certificates issued by the home network.
• The virtual IP is assigned statically or dynamically by the home network. Remote hosts thus become part of an extruded net.

Page 4: NAT-Traversal (IPsec over UDP)

• Internet Drafts: draft-ietf-ipsec-udp-encaps-04.txt, draft-ietf-ipsec-nat-t-ike-04.txt
• Supported by SSH Sentinel and Linux FreeS/WAN
• NAT box (e.g. ADSL modem) with IPsec-Passthrough: handles ESP and IKE from a single VPN client
• NAT box (e.g. ADSL modem) with NAT-Traversal: ESP encapsulated in UDP (port 4500); NAT-keepalive packets needed
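
An added example (not from the slides) that classifies what a gateway receives on UDP port 4500 under the scheme above: IKE behind a four-byte zero Non-ESP Marker, ESP starting directly with its non-zero SPI, and the one-byte NAT-keepalive. It uses the encoding as standardized in RFC 3948, assuming the draft the slide cites matches it; the sample datagrams are constructed, and classify_nat_t and count_kinds are hypothetical helpers.

```python
"""Added example (not from the slides): classify datagrams on UDP port 4500 in a
NAT-Traversal setup. Uses the encoding standardized in RFC 3948, the successor of
draft-ietf-ipsec-udp-encaps: IKE carries a 4-byte zero Non-ESP Marker, ESP starts
directly with its non-zero SPI, and a NAT-keepalive is a single 0xFF byte."""
import struct

ISAKMP_HDR = "!QQBBBBII"   # cookies, next payload, version, exchange, flags, msg id, length
ISAKMP_HDR_LEN = struct.calcsize(ISAKMP_HDR)  # 28 bytes

def classify_nat_t(payload):
    """Return (kind, info): kind is 'keepalive', 'esp', 'ike' or 'invalid'."""
    if payload == b"\xff":
        return "keepalive", {}
    if len(payload) < 8:
        return "invalid", {"reason": "shorter than ESP SPI + sequence number"}
    spi, seq = struct.unpack("!II", payload[:8])
    if spi != 0:                       # SPI 0 is reserved, so non-zero means ESP
        return "esp", {"spi": spi, "seq": seq}
    ike = payload[4:]                  # drop the Non-ESP Marker
    if len(ike) < ISAKMP_HDR_LEN:
        return "invalid", {"reason": "truncated ISAKMP header"}
    _icky, _rcky, _np, ver, xchg, flags, msgid, length = struct.unpack(ISAKMP_HDR, ike[:ISAKMP_HDR_LEN])
    if length != len(ike):
        return "invalid", {"reason": f"ISAKMP length {length} != {len(ike)}"}
    return "ike", {"major": ver >> 4, "exchange": xchg, "encrypted": bool(flags & 1), "msgid": msgid}

def count_kinds(datagrams):
    """Tally kinds per source: a peer sending only keepalives has an idle
    tunnel; 'invalid' counts flag junk or probes aimed at port 4500."""
    counts = {}
    for src, payload in datagrams:
        kind, _ = classify_nat_t(payload)
        counts[(src, kind)] = counts.get((src, kind), 0) + 1
    return counts

# Constructed sample traffic from two NATed road warriors (not a real capture).
SAMPLE = [
    ("55.66.1.2", b"\xff"),
    ("55.66.1.2", b"\xff"),
    ("55.66.1.2", struct.pack("!II", 0x1234ABCD, 7) + b"\x00" * 24),
    ("55.66.1.2", b"\x00" * 4 + struct.pack(ISAKMP_HDR, 0xC0FFEE, 0xBEEF, 8, 0x10, 5, 1, 42, ISAKMP_HDR_LEN)),
    ("55.66.9.9", b"\x00\x00\x00\x00\x01\x02"),
]
```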

Page 5: Intranet VPNs

[Diagram: a wireless VPN client (User) on the Wireless Intranet connects through the WLAN Access Point in the DMZ to the VPN Gateway/Firewall, which terminates the VPN tunnel (0.0.0.0/0) and forwards traffic to the Intranet Server on the Private Intranet.]

Wireless VPN clients tunnel 100% of their IP traffic over the insecure air link by using the peer subnet 0.0.0.0/0 (all destinations).

Page 6: Example – University of Freiburg, Germany

• 44 WLAN access points, 1 Linux VPN gateway
• 202 active and 88 revoked X.509 certificates
• FreeS/WAN Linux clients / SSH Sentinel Windows clients
• Further information: http://mopoinfo.wlan.informatik.uni-freiburg.de

[Figures: IPsec throughput at VPN gateway; active VPN tunnels; campus]

Page 7: Extranet VPNs

[Diagram: a Customer's VPN client and a Partner Network each reach the Private Network over the Internet through separate VPN tunnels terminated on the VPN Gateway, with distinct Customer Access and Partner Access zones.]

• Network access must be partitioned and tightly controlled
• Flexible and dynamic setup of Extranet VPN connections
• Extranet VPN spans multiple administrative trust domains

Page 8: Linux FreeS/WAN Security Gateway

Page 9: Linux FreeS/WAN as a VPN Gateway

• Available from www.freeswan.ca / www.strongsec.com
• OpenSource IPsec stack for Linux 2.2 and 2.4 kernels
• X.509 certificate support developed by ZHW !!!
• Easy installation via RedHat/SuSE/Debian/Mandrake RPMs
• Number of VPN tunnels is limited by hardware resources only.
• Linux FreeS/WAN can also be used as a VPN client
• Simple configuration
• Road Warrior and Virtual IP support using X.509 certificates:

    conn road-warrior
        right=%any
        rightrsasigkey=%cert
        rightsubnetwithin=10.3.0.0/16
        left=%defaultroute
        leftsubnet=10.1.0.0/16
        leftcert=gwCert.pem
        auto=add

[Diagram: the gateway (left, presenting gwCert for its leftsubnet) and the road warrior (right, authenticated via %cert).]

Page 10: FreeS/WAN Directory Structure

    /etc
      ipsec.conf
      ipsec.secrets
      ipsec.d/
        cacerts/   cacert.pem
        crls/      crl.pem
        certs/     gwCert.pem
        private/   gwKey.pem

private/ directory: root read access only!
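
An added example (not from the slides) that audits this layout for the "root read access only" rule: it reports every file or directory under ipsec.d/private, and ipsec.secrets itself, that has any group/other permission bit set. The tree is built in a temporary directory with placeholder files rather than under /etc, ownership is not checked, and exposed_secrets and build_demo_tree are hypothetical helpers.

```python
"""Added example (not from the slides): audit the FreeS/WAN layout for key
material readable by anyone but root. The tree is built in a temporary
directory here; on a gateway you would pass /etc."""
import os
import stat
import tempfile

# Per the slide, the private key directory and ipsec.secrets must be root-only.
SECRET_PATHS = ("ipsec.secrets", "ipsec.d/private")

def exposed_secrets(etc_dir):
    """Return (relative path, octal mode) for every secret file or directory
    under etc_dir with a group/other permission bit set (ownership not checked)."""
    found = []
    for rel in SECRET_PATHS:
        top = os.path.join(etc_dir, rel)
        if not os.path.exists(top):
            continue
        paths = [top] + [os.path.join(d, n) for d, ds, fs in os.walk(top) for n in ds + fs]
        for path in paths:
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & 0o077:
                found.append((os.path.relpath(path, etc_dir), oct(mode)))
    return sorted(found)

def build_demo_tree(leak):
    """Create a constructed /etc-like tree; with leak=True the private key
    is left world-readable, otherwise it is root-only as the slide demands."""
    root = tempfile.mkdtemp(prefix="ipsec-demo-")
    for d in ("ipsec.d/cacerts", "ipsec.d/certs", "ipsec.d/crls", "ipsec.d/private"):
        os.makedirs(os.path.join(root, d))
    files = {"ipsec.conf": 0o644, "ipsec.secrets": 0o600,
             "ipsec.d/cacerts/cacert.pem": 0o644, "ipsec.d/crls/crl.pem": 0o644,
             "ipsec.d/certs/gwCert.pem": 0o644,
             "ipsec.d/private/gwKey.pem": 0o644 if leak else 0o600}
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("placeholder, not real PEM data\n")   # constructed content
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "ipsec.d/private"), 0o700)
    return root
```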

Page 11: Advanced Encryption Standard (AES)

• On Oct. 2 2000, the symmetric block cipher Rijndael, invented by the Belgian researchers J. Daemen and V. Rijmen, was declared the new Advanced Encryption Standard (AES) by NIST (www.nist.gov/aes). One year later, on Nov. 26 2001, AES was officially published as the U.S. Federal Information Processing Standard FIPS PUB 197.
• AES works on a block size of 128 bits and can be used with key lengths of 128, 192 or 256 bits.
• AES is much faster than its predecessor 3DES. A 1 GHz Pentium III processor running under a Linux 2.4 kernel achieves the following constant IPsec throughput (clock rate divided by clock cycles per bit):
  • 3DES: 1000 MHz / 25 = 40 Mbit/s
  • AES: 1000 MHz / 11 = 91 Mbit/s (can saturate a Fast Ethernet link)
• SSH Sentinel and PGPvpn have built-in AES support.
• AES patch for Linux FreeS/WAN: www.irrigacion.gov.ar/juanjo/ipsec/

Page 12: Windows-based VPN Clients

Page 13: VPN Client - Windows 2000/XP

• Windows 2000/XP comes with a built-in IPsec stack
• Configuration via the mmc management console is tiresome!
• OpenSource tool from http://vpn.ebootis.de loads text-based configuration directly into the Windows registry:

    conn client-gateway
        left=%any                 # insert client IP
        right=194.139.117.253     # gateway IP
        rightsubnet=10.1.0.0/16   # home network
        rightca="C=CH,O=strongSec GmbH, CN=strongSec CA"
        network=lan               # lan/ras/auto
        auto=start

• WLAN clients can tunnel whole IP traffic to VPN gateway:

    conn wlan-gateway
        ...
        rightsubnet=*
        ...

• 3DES encryption only. Virtual IP not supported.
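
An added example (not from the slides or either tool) that parses ipsec.conf-style conn sections such as the FreeS/WAN gateway conn on page 9 and the ebootis client conn above, then checks that the pair fits together: the gateway must answer a certificate-authenticated %any peer with auto=add, present leftcert and fence virtual IPs with rightsubnetwithin, and the client's rightsubnet must be the gateway's leftsubnet (or * for all traffic). The embedded configs are constructed from the slides; parse_conns and check_pair are hypothetical helpers.

```python
"""Added example (not from the slides): parse ipsec.conf-style conn sections and check
a road-warrior gateway conn against its client conn. Configs below are constructed."""
import ipaddress

GATEWAY_CONF = """conn road-warrior
    right=%any
    rightrsasigkey=%cert
    rightsubnetwithin=10.3.0.0/16
    left=%defaultroute
    leftsubnet=10.1.0.0/16
    leftcert=gwCert.pem
    auto=add
"""
CLIENT_CONF = """conn client-gateway
    left=%any                # client IP
    right=194.139.117.253    # gateway IP
    rightsubnet=10.1.0.0/16  # home network
    rightca="C=CH,O=strongSec GmbH, CN=strongSec CA"
    auto=start
"""

def parse_conns(text):
    """Return {conn: {key: value}}; '#' starts a comment, values may be quoted."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            cur = line[5:].strip()
            conns[cur] = {}
        elif cur is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            conns[cur][key] = val.strip('"')
    return conns

def check_pair(gw, client, virtual_ip=None):
    """The gateway must answer (never initiate to) a certificate-authenticated %any
    peer and fence its virtual IPs; the client must tunnel to the gateway's leftsubnet."""
    p = []
    if gw.get("right") != "%any" or gw.get("rightrsasigkey") != "%cert":
        p.append("gateway: right=%any with rightrsasigkey=%cert expected")
    if gw.get("auto") != "add" or not gw.get("leftcert"):
        p.append("gateway: auto=add and leftcert required")
    within = gw.get("rightsubnetwithin")
    if within is None:
        p.append("gateway: rightsubnetwithin missing, virtual IPs unfenced")
    elif virtual_ip and ipaddress.ip_address(virtual_ip) not in ipaddress.ip_network(within):
        p.append(f"virtual IP {virtual_ip} outside {within}")
    if client.get("rightsubnet") not in (gw.get("leftsubnet"), "*"):
        p.append("client: rightsubnet must be the gateway's leftsubnet or *")
    return p
```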

Page 14: VPN Client – SSH Sentinel

• Available from www.ipsec.com. Free for non-commercial use.
• Runs on all Windows platforms: Win 95/98/ME/NT/2000/XP
• Features
  • Encryption algorithms: AES, 3DES, Twofish, Blowfish, CAST
  • Virtual IP support: static, DHCP-over-IPsec, IPsec config mode
  • NAT-Traversal (IPsec over UDP)
  • WLAN clients: supports tunneling of 0.0.0.0/0
  • Personal firewall included: pre- and post-IPsec packet filters
• Easy configuration via GUI

Page 15: Other Windows-based VPN Clients

• SafeNet/Soft-Remote (www.safenet-inc.com)
  • Simple and straightforward configuration
  • 3DES encryption only
  • Comes with personal firewall (Zone Alarm)
• PGPvpn (www.pgpi.org / www.pgp.com)
  • Freeware Version PGP 7.0.3
    - IPsec transport mode only
    - OpenPGP certificates or pre-shared keys only
  • Professional Version PGP Desktop Security 7.1
    - IPsec tunnel mode
    - X.509 certificates, with personal firewall
  • Network Associates (NAI) closed down PGP Security Inc. last year. PGP Corporation, founded with venture capital, bought back the intellectual property rights from NAI in June 2002.
  • PGP 8.0 for Windows and Macintosh released in December 2002.

Page 16: Interoperability Issues

• IPsec using IKE has become a mature technology, but a large amount of fine-tuning is still needed to achieve interoperability.
• The Interoperability Tests at the IPsec 2001 Global Summit in Paris have shown that with authentication based on X.509 certificates a full mesh among the following VPN gateways can be established:
  • Linux FreeS/WAN, OpenBSD, NetScreen, Cisco IOS/PIX/VPN3000
  • Nortel Contivity, 6WIND (IPv6), Netcelo, Netasq
  • www.hsc.fr/ressources/ipsec/ipsec2001/
• Interoperability with other VPN products has been reported:
  • Checkpoint VPN-1, BinTec Router
• Many low-end VPN products support pre-shared keys only:
  • Symantec Firewall/VPN Appliance, ZyWall, SonicWall (basic version)