Virtual Private Networks (VPNs)

VPNs allow secure, remote connections… but they don’t protect you from a compromised remote PC.

Uploaded by cody-born, posted on 01-Apr-2015



Objectives (1 of 2)

- Explain the reasons organizations implement VPNs.
- Describe the VPN’s core functions.
- Describe some of the issues associated with implementing VPNs.
- Describe the four main functions of IPSec.

Objectives (2 of 2)

- Describe the difference between AH and ESP.
- Explain the difference between Transport Mode and Tunnel Mode.
- Implement a VPN solution using Cisco’s ASA solution.

Reasons for Implementing (1 of 1)

The need for secure business transactions.

Many organizations have adopted VPNs for the following purposes:

- E-commerce solutions
- Government/legal/financial reporting
- Remote user (road warrior) access
- Budgetary considerations

VPN Core Functions (1 of 3)

Core Activity #1: Encapsulation

Data encapsulation means that a packet is enclosed within another one that has different IP addressing, to provide a higher degree of security.

Data packets are encapsulated within packets that contain the source and destination addresses of the VPN gateways.

VPN Core Functions (2 of 3)

Core Activity #2: Encryption

Encryption is the process of rendering information unreadable by all but the intended receiver.

VPN endpoints encrypt and decrypt data by exchanging keys, or blocks of encoded data.

The key is a part of an electronic document called a digital signature.

VPN Core Functions (3 of 3)

Core Activity #3: Authentication

Authentication is the process of identifying a user or computer as being authorized to access a network or network resource.

Authentication uses digital certificates. The tunnel protocol used determines the type of authentication protocol used.

Issues with Implementing (1 of 6)

VPNs provide a high level of security but…

Depending on how they are implemented, it may require opening up ports at the perimeter. If the central VPN device is located in the DMZ and IPSec is used as the VPN tunneling protocol, TCP ports 50 and 51 may need to be opened, or the VPN “pass-through” option needs to be turned on.

Issues with Implementing (2 of 6)

VPNs can be complex and expensive to implement and troubleshoot.

Central VPN devices can be relatively expensive and are often priced based on user and bandwidth capacity. The organization may also have to pay for each client license that is used. Single or multiple points of entry greatly alter the implementation design complexity and cost.

Issues with Implementing (3 of 6)

Complexity and Expense cont.

Encryption of the packet’s header and data makes problems more difficult and time-consuming to troubleshoot.

Encryption can result in higher bandwidth utilization and slower transfer rates.

Organizations may also be limited to a specific vendor, as compatibility between vendor hardware and software is not guaranteed.

Issues with Implementing (4 of 6)

Poor configuration can result in weakened or bypassed security.

Unattended or automated installations may result in weaker security. While these may lower the administrator’s workload, they do nothing to ensure the system’s base security setup.

Often these installations place a “point-and-click” icon on the user’s desktop for ease of use.

Issues with Implementing (5 of 6)

Remote user rights and changes can result in weakened or bypassed security.

If the remote user has full rights on their system/laptop they may:

- Disable vital system security features such as personal firewalls and anti-malware applications.
- Allow the installation of virus/worm-infected files, trojans or other spyware.

Issues with Implementing (6 of 6)

Compromised systems (especially those with the “point-and-click” icons) allow the system to become a “secure and authenticated” entry point for the hacker to attack through.

IPSec’s AH header does not work with NAT. If NAT needs to be performed, it must be done before the AH header is applied.

IPSec (1 of 11)

IPSec is a framework of open standards.

It has gone through a standardization process and is supported by most vendors.

It operates at the network layer, protecting packets between network devices.

IPSec (2 of 11)

IPSec provides four main functions:

- Confidentiality (Encryption)
- Data Integrity
- Origin Authentication
- Anti-replay Protection

IPSec (3 of 11)

Confidentiality (Encryption)

The sender encrypts the packets before transmitting them across the network, to prevent anybody except the intended recipient from reading the data. IPSec can be configured to use either symmetric or asymmetric keys.

IPSec (4 of 11)

Most often a preshared key or an RSA public/private key pair is used.

Preshared keys use the same key on all the VPN clients and devices to encrypt and decrypt.

An RSA public/private key pair is more secure and requires each endpoint to have its own private and public key combination.

IPSec (5 of 11)

Data Integrity

This ensures the receiver can detect if the data has been altered during transmission. To guard against interception and alteration, each message is sent with a hash digest.

The receiver calculates a hash digest on each message it receives and compares it to the sent hash digest.

IPSec (6 of 11)

IPSec uses the “Hashed Message Authentication Codes” (HMAC) protocol to calculate the hash digest. Currently there are two different hash algorithms that are commonly used:

- HMAC-MD5: uses a 128-bit shared key and the message to produce a 128-bit hash digest.
- HMAC-SHA1: uses a 160-bit shared key and the message to produce a 160-bit hash digest.

IPSec (7 of 11)

Origin Authentication

This allows the receiver to verify and authenticate the source of the packet. To do this the sender must attach some type of digital signature to the message to allow for “peer” authentication.

Each end of the VPN tunnel must authenticate through this process before the transmission path is considered secure.

IPSec (8 of 11)

There are three common “peer” authentication methods:

Preshared keys

Each peer has the same secret key entered into it manually.

This preshared key is combined with other information to form an “authentication” key.

This authentication key information is sent through a hash algorithm to create a hash digest that is sent to the other site/client.

If the remote peer is able to generate the same hash, the local peer is authenticated.
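The preshared-key exchange described above, as an added example that is not the deck’s own code: each peer combines the PSK with both exchanged nonces to form the authentication key, hashes it with its identity, and the remote peer regenerates the digest to check it. It is modelled loosely on the IKEv1 preshared-key flow; the derivation, identities and message fields are assumptions, not the IKE wire format.

```python
import hashlib
import hmac
import os

# Simplified model of preshared-key peer authentication (assumption: not a
# byte-accurate IKE implementation). Nonces travel in the clear; the PSK never does.

def derive_auth_key(psk: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Combine the preshared key with both peers' nonces to form the
    "authentication" key. Only peers holding the same PSK derive the same key."""
    return hmac.new(psk, nonce_i + nonce_r, hashlib.sha1).digest()

def auth_digest(auth_key: bytes, identity: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Hash the authentication key with the prover's identity and the nonces.
    This digest is what is sent to the other peer."""
    return hmac.new(auth_key, identity + nonce_i + nonce_r, hashlib.sha1).digest()

class Peer:
    def __init__(self, identity: bytes, psk: bytes):
        self.identity = identity
        self.psk = psk
        self.nonce = os.urandom(16)  # fresh random value per exchange (anti-replay)

    def prove(self, peer_nonce: bytes, i_am_initiator: bool) -> bytes:
        """Produce the digest this peer sends to prove knowledge of the PSK."""
        ni, nr = (self.nonce, peer_nonce) if i_am_initiator else (peer_nonce, self.nonce)
        return auth_digest(derive_auth_key(self.psk, ni, nr), self.identity, ni, nr)

    def verify(self, peer_identity: bytes, peer_nonce: bytes, received: bytes,
               peer_is_initiator: bool) -> bool:
        """Regenerate the expected digest locally and compare in constant time."""
        ni, nr = (peer_nonce, self.nonce) if peer_is_initiator else (self.nonce, peer_nonce)
        expected = auth_digest(derive_auth_key(self.psk, ni, nr), peer_identity, ni, nr)
        return hmac.compare_digest(expected, received)

def run_exchange(psk_initiator: bytes, psk_responder: bytes):
    """One mutual authentication round; returns (responder accepted initiator,
    initiator accepted responder). Identities below are constructed demo values."""
    init = Peer(b"branch-gw", psk_initiator)
    resp = Peer(b"hq-gw", psk_responder)
    # 1. Both nonces are exchanged in the clear.
    # 2. Each side sends its digest; the other side recomputes and compares.
    d_i = init.prove(resp.nonce, i_am_initiator=True)
    d_r = resp.prove(init.nonce, i_am_initiator=False)
    return (resp.verify(init.identity, init.nonce, d_i, peer_is_initiator=True),
            init.verify(resp.identity, resp.nonce, d_r, peer_is_initiator=False))
```

A peer configured with a different key produces a digest the other side cannot regenerate, so both directions fail.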

IPSec (9 of 11)

RSA signatures

Uses a digital certificate that is also digitally signed. Like the preshared key method, an authentication key is created using the public/private key pair and other information and is then used to create a hash digest.

The hash digest is then encrypted with the sender’s private key to form the digital signature.

Both the digital certificate and digital signature are forwarded to the remote site.

The public key that is used to decrypt the signature is included in the digital certificate.

IPSec (10 of 11)

RSA encryption nonce

Each peer generates a random number, encrypts it and then exchanges it with the other peer.

Each peer then takes both nonces and combines them with other information to make the authentication key.

All of this is then run through a hash algorithm to create the hash digest.

The remainder of the process is the same as for RSA signatures.

IPSec (11 of 11)

Anti-replay Protection

This allows the receiver to verify that the packet is unique (the original) and has not been duplicated. This is done by comparing the sequence number of the received packet with the sliding window’s expected sequence on the destination host.

If the sequence number is prior to the sliding window’s sequence number, the packet is considered to be late or duplicated and it is dropped.
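The receiver-side sliding window described above, as an added example that is not part of the original deck; it follows the anti-replay algorithm of RFC 4303 Appendix A, with the window size and plain 32-bit sequence numbers as assumptions.

```python
class AntiReplayWindow:
    """Receiver-side sliding window over AH/ESP sequence numbers.

    'right' is the highest sequence number accepted so far; the window covers
    (right - size, right]. Bit i of the bitmap is set when (right - i) has
    already been received. Assumption: 32-bit sequence numbers, no ESN.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.right = 0      # highest accepted sequence number
        self.bitmap = 0     # bit i set <=> sequence number (right - i) already seen

    def check_and_update(self, seq: int) -> str:
        """Return 'accept', 'replay' or 'stale' for a received sequence number.
        Only the 'accept' path mutates state; call it after the ICV has verified."""
        if seq == 0:
            return "stale"              # sequence number 0 is never valid
        if seq > self.right:
            # Newer than anything seen so far: slide the window to the right.
            shift = seq - self.right
            if shift >= self.size:
                self.bitmap = 0         # everything previously seen falls out
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1            # mark the new right edge as received
            self.right = seq
            return "accept"
        offset = self.right - seq
        if offset >= self.size:
            return "stale"              # left of the window: late or an old replay
        if self.bitmap & (1 << offset):
            return "replay"             # inside the window but already received
        self.bitmap |= 1 << offset      # late but new: accept and remember it
        return "accept"

def process(seqs, size: int = 64):
    """Feed a list of received sequence numbers through one window; return verdicts."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]
```

With a window of 4, the constructed arrival order 1, 2, 3, 2, 5, 4, 1 yields accept, accept, accept, replay, accept, accept, stale: the second 2 is a duplicate, 4 arrives late but inside the window, and 1 has fallen out of the window.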

IPSec Protocols (1 of 10)

IPSec relies on existing technology (DES, 3DES and AES for example) to secure communications; however, it provides two main framework protocols:

- Authentication Header (AH)
- Encapsulation Security Payload (ESP)

IPSec Protocols (2 of 10)

Authentication Header

Used when confidentiality is not required. It provides data authentication (verifies the packet’s origin) and integrity (verifies data is not modified).

It does not encrypt the data, so text is sent as is: clear, readable text.

IPSec Protocols (3 of 10)

Authentication Header con’t

Authentication is achieved by using a one-way hash algorithm to create a message digest based on the message data and the use of a symmetric key known to both systems.

The message data only uses fields in the datagram that remain static throughout transmission, i.e. fields such as TTL are not used as part of the message data.

IPSec Protocols (4 of 10)

Authentication Header con’t

Once calculated, the message digest is then combined with the message data and sent to the receiving end.

The receiver performs the same hash calculation and compares the received message digest with its own calculated message digest.

If the results are the same, then the authenticity of the packet is verified.
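An added example (not the deck’s own code) of the AH digest over static fields described on these two slides, which also covers the HMAC-SHA1 digest from the Data Integrity slides and the NAT problem noted under Issues with Implementing: the TTL is zeroed before hashing, so a router hop leaves the digest valid, while a NAT rewrite of the source address or a payload change breaks it. Assumptions: IPv4 transport mode without options, HMAC-SHA-1-96 as in RFC 4302, and a constructed key and payload.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"demo-key-0123456789!"  # constructed 160-bit (20-byte) HMAC-SHA1 key
IP_FMT = "!BBHHHBBH4s4s"       # 20-byte IPv4 header without options
AH_FMT = "!BBHII"              # next header, payload len, reserved, SPI, sequence number
ICV_LEN = 12                   # HMAC-SHA-1-96 keeps 96 bits of the 160-bit digest

def ipv4_header(src, dst, ttl, proto, total_len):
    """Build a minimal IPv4 header (DF set, header checksum left 0 for the demo)."""
    return struct.pack(IP_FMT, 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(ip_hdr):
    """AH hashes only fields that stay static in transit: TOS, flags/fragment
    offset, TTL and header checksum are zeroed before the digest is computed."""
    v_ihl, _tos, tlen, ident, _flags, _ttl, proto, _csum, src, dst = struct.unpack(IP_FMT, ip_hdr)
    return struct.pack(IP_FMT, v_ihl, 0, tlen, ident, 0, 0, proto, 0, src, dst)

def ah_icv(key, ip_hdr, ah_fields, payload):
    """Keyed digest over immutable IP fields + AH header (ICV field zeroed) + payload."""
    data = zero_mutable(ip_hdr) + ah_fields + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def ah_protect(key, ip_hdr, payload, spi=0x1000, seq=1, next_hdr=17):
    """Transport mode: AH is inserted between the IP header and the payload."""
    ah_len_words = (12 + ICV_LEN) // 4 - 2      # AH 'payload length' field
    ah_fields = struct.pack(AH_FMT, next_hdr, ah_len_words, 0, spi, seq)
    return ip_hdr + ah_fields + ah_icv(key, ip_hdr, ah_fields, payload) + payload

def ah_verify(key, packet):
    """Receiver recomputes the digest and compares it in constant time."""
    ip_hdr, rest = packet[:20], packet[20:]
    ah_fields, icv, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    return hmac.compare_digest(ah_icv(key, ip_hdr, ah_fields, payload), icv)

def after_hop(packet, new_src=None):
    """Simulate a router hop: decrement TTL and, if new_src is given, NAT the source."""
    hdr = bytearray(packet[:20])
    hdr[8] -= 1                             # TTL sits at byte offset 8
    if new_src:
        hdr[12:16] = socket.inet_aton(new_src)
    return bytes(hdr) + packet[20:]

def demo():
    """Show what survives transit under AH and what does not (constructed input)."""
    payload = b"constructed UDP datagram"
    ip_hdr = ipv4_header("10.0.0.5", "192.0.2.10", ttl=64, proto=51,
                         total_len=20 + 12 + ICV_LEN + len(payload))
    pkt = ah_protect(KEY, ip_hdr, payload)
    return {
        "intact": ah_verify(KEY, pkt),                                          # True
        "after_ttl_decrement": ah_verify(KEY, after_hop(pkt)),                 # True
        "after_nat": ah_verify(KEY, after_hop(pkt, new_src="203.0.113.7")),    # False
        "tampered_payload": ah_verify(KEY, pkt[:-1] + b"!"),                   # False
    }
```

The same zeroing rule is why tunnel-mode AH still breaks under NAT: the outer header’s addresses are not mutable fields, so they are covered by the digest.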

IPSec Protocols (5 of 10)

Encapsulation Security Payload

Used to provide encryption and authentication. It provides confidentiality by performing encryption at the IP packet layer.

Like AH, it also provides data authentication (verifies the packet’s origin) and integrity (verifies data is not modified).

IPSec Protocols (6 of 10)

Encapsulation Security Payload con’t

ESP supports several symmetric encryption algorithms including DES, 3DES and AES. If used between two VPN gateways, the entire IP packet (IP header and payload) is encrypted.

IPSec Protocols (7 of 10)

Encapsulation Security Payload con’t

When performing encryption, an ESP header and a trailer are added to the encrypted payload. If we are not performing authentication, a new IP header would need to be inserted in front of the ESP header to send the now encrypted packet to the receiver.

IPSec Protocols (8 of 10)

Encapsulation Security Payload con’t

If we include authentication as part of our ESP scenario, it is performed in a similar process to the AH method; however, the ESP header, trailer and encrypted IP header are all now included in the hashing process.

IPSec Protocols (9 of 10)

Encapsulation Security Payload con’t

Once the authentication hash digest has been calculated, the message digest is appended to the packet behind the ESP trailer and then the new IP header is added to the front of the packet.

IPSec Protocols (10 of 10)

Encapsulation Security Payload con’t

If ESP encryption and authentication are both used, the encryption is performed first, then the authentication. This facilitates faster detection and rejection of incorrect and duplicate packets at the receiving end.

Tunnel and Transport Modes (1 of 7)

ESP and AH can be applied in two different modes.

Tunnel Mode: used between two VPN gateways.

Transport Mode: used between hosts, or between devices acting as hosts and gateways.

Tunnel and Transport Modes (2 of 7)

Tunnel Mode

In this mode the original IP header is copied and is used as the packet’s new IP header. This keeps the original IP datagram (IP header and payload) intact. The AH and/or ESP header is appended in front of the original IP datagram and then the new IP header is inserted at the front of the packet.

Tunnel and Transport Modes (3 of 7)

Tunnel Mode con’t

When using the AH protocol only, the original IP datagram is kept intact. Both the original and new IP headers now become part of the authentication process. This becomes a bit of a problem if we are using NAT, as the new IP header cannot be changed by NAT or it will destroy the hash digest calculation.

Therefore NAT must be performed first, then the VPN processes can be performed.

Tunnel and Transport Modes (4 of 7)

Tunnel Mode con’t

When using both ESP and AH, the encryption process of ESP has to be performed first. ESP supports NAT in both Tunnel and Transport Modes. It allows the entire original datagram to be encrypted and authenticated because the receiver can authenticate the datagram before decrypting it.

Tunnel and Transport Modes (5 of 7)

Transport Mode

In this mode the IP address in the original IP header is left intact and readable. It uses the existing IP header as the mechanism for routing the packet across the internet.

Again, if we are using AH only, then we must perform NAT before applying our VPN protocols.

Tunnel and Transport Modes (6 of 7)

Transport Mode con’t

To implement AH or ESP in this mode, the original IP datagram is split into two parts: the IP header and the payload. Transport mode only protects the payload portion of the packet, regardless of whether AH and/or ESP are used.

Tunnel and Transport Modes (7 of 7)

Transport Mode con’t

Once the IP header and payload are separated, the AH and ESP protocol information can be inserted. If only AH is used, then it is inserted between the original IP header and the payload of the datagram.

If ESP is used, then the ESP trailer (and possibly the ESP message digest) are appended to the end of the datagram.

VPN LAB (1 of 1)

Your turn…