8/12/2019 VPNs - Written Report
1/12
Virtual Private Networks
NVS1

This document describes how Virtual Private Networks (VPNs) work. The resulting benefits and important points are also mentioned.

Dominik Herkel
ÖSTERREICH | WIEN | 1050 | Spengergasse 20
Virtual Private Networks 30.10.2012 Dominik Herkel 4AHIF
Page 1 / 11
Table of Contents

Virtual Private Networks ............................................ 2
  General ............................................................ 2
  History ............................................................ 2
  Benefits for Business .............................................. 2
  Implementation ..................................................... 3
    Generic Routing Encapsulation (GRE) .............................. 3
      General ........................................................ 3
      Process ........................................................ 3
      Advantages ..................................................... 4
      Disadvantages .................................................. 4
    Internet Protocol Security (IPsec) ............................... 4
      General ........................................................ 4
      Process ........................................................ 6
      Advantages ..................................................... 6
      Disadvantages .................................................. 6
    GRE over IPsec ................................................... 7
    SSL/TLS .......................................................... 7
      General ........................................................ 7
      Process ........................................................ 7
      Advantages ..................................................... 7
      Disadvantages .................................................. 8
Cisco VPN Solutions .................................................. 8
  Access Network Resources ........................................... 8
  Configuration ...................................................... 8
Bibliography ........................................................ 10
Virtual Private Networks

General

In the simplest sense, a Virtual Private Network (VPN) is used to create an end-to-end
private network connection, or rather a tunnel, over third-party networks such as the
internet. Depending on the type of VPN used, the connection is more or less secure and its
users have either full or restricted access to internal network resources.
History

The term VPN has been associated with remote connectivity services such as the public
telephone network and Frame Relay Permanent Virtual Circuits (PVCs). Nowadays it is a
synonym for IP-based data networking. (AnexGATE)

Before modern VPNs came up, a company had to lease a dedicated link which connected the
main business campus with its branch offices to build a comprehensive intranet.
Companies which couldn't afford such a high amount of resources and expertise were left out.

Modern VPNs solve this problem. These days there is no longer the need to buy expensive
infrastructure or lease dedicated lines. Instead, the solution is built on existing infrastructure,
which almost any company already has. Instead of using private circuits, the public internet
serves as a medium to connect sites in different locations.

Now some people would say that this is a questionable solution in relation to data security.
Maybe it was in the past, but nowadays this counterargument is addressed with the rise of the
Internet Protocol Security (short IPsec) framework and Secure Sockets Layer (short SSL)
services.

These new technologies paved the way for the shift to telecommuting. So even if some people
say that they aren't affected by such technical nonsense, they can't ignore the capabilities
which progress offers.
Benefits for Business

When companies use VPNs they can benefit in the following points:

- Cost efficiency: In most cases companies don't have to lease dedicated WAN links
  anymore. Even if the leased lines provided a reliable and fast solution, it is a lot
  better for companies to spend their money on high-bandwidth internet connection
  technologies. That way all transmissions are fast, not only those between the sites.
- Security: When modern VPN technologies are used, the sent data is protected with
  confidentiality and integrity during transit. This is realized through advanced
  encryption and authentication protocols.
- Scalability: Infrastructure which is already in place can be used to connect an office
  through a VPN connection. In most cases there are no additional costs, because the
  majority of companies have a high-bandwidth internet connection anyway. (Cisco)
- Compatibility: With VPNs, branch offices as well as remote home offices and mobile
  workers can connect to the corporate network. This type of access is compatible with
  broadband technologies, among others. So flexibility and efficiency are provided,
  which are two of the most important points in today's business.
Implementation

A VPN connection can be made at either Layer 2, Layer 3, or the upper layers of the OSI
model. Common examples of methods to form a Virtual Private Network are Generic Routing
Encapsulation (GRE), Internet Protocol Security (IPsec) and Secure Sockets Layer (SSL),
to mention but a few.
Generic Routing Encapsulation (GRE)

General

This protocol was originally developed by Cisco and later standardized as Request for
Comments (RFC) 1701. GRE tunnels are stateless, just like the User Datagram Protocol (UDP).
This means that each tunnel endpoint doesn't keep any information about the availability
of the other endpoint. Due to its advantages it is still widely in use.
Process

GRE encapsulates the entire original IP packet with a tunneling IP header and a GRE header.

Figure: GRE packet - Dominik Herkel

Flags: Optional header fields.
Protocol Type: Type of payload (0x800 is used for IP).

Figure: VPN Method Decision - Dominik Herkel
(Cisco)
This results in an additional overhead of 24 bytes.
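An added example (not from the report) that builds and parses a GRE-in-IPv4 packet as described above; the tunnel addresses and the inner packet are constructed. It shows where the 24 bytes of overhead come from and that the original packet travels unchanged inside the tunnel.

```python
"""GRE encapsulation: delivery IPv4 header + 4-byte GRE header + original packet.
Added example with constructed addresses; not code from the report."""
import struct

GRE_PROTO_IPV4 = 0x0800     # GRE Protocol Type for an IPv4 payload (the 0x800 above)
IP_PROTO_GRE = 47           # protocol number carried in the outer IP header
GRE_OPTIONAL_MASK = 0xF000  # C, R, K, S flag bits: each adds an optional field

def _ip(text):
    return bytes(int(octet) for octet in text.split("."))

def _checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (data length must be even)."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ident=0):
    """Minimal 20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, 64,
                      proto, 0, _ip(src), _ip(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]

def gre_encapsulate(tunnel_src, tunnel_dst, inner_packet):
    """Tunneling IP header + GRE header (flags 0, protocol 0x0800) + original packet."""
    gre_header = struct.pack("!HH", 0, GRE_PROTO_IPV4)   # no optional fields present
    outer = ipv4_header(tunnel_src, tunnel_dst, IP_PROTO_GRE,
                        len(gre_header) + len(inner_packet))
    return outer + gre_header + inner_packet

def gre_decapsulate(packet):
    """Return (outer_src, outer_dst, gre_protocol, inner_packet) or raise ValueError."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IP_PROTO_GRE:
        raise ValueError("outer header does not carry GRE (protocol %d)" % packet[9])
    if _checksum(packet[:ihl]) != 0:          # a valid header sums to zero
        raise ValueError("outer IP header checksum mismatch")
    flags, gre_protocol = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & GRE_OPTIONAL_MASK:
        raise ValueError("optional GRE fields (checksum/key/sequence) not handled here")
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return src, dst, gre_protocol, packet[ihl + 4:]

def demo():
    """Constructed inner packet: 8 bytes of UDP (protocol 17) between two LANs."""
    inner = ipv4_header("192.168.1.10", "192.168.3.10", 17, 8) + b"\x00" * 8
    tunneled = gre_encapsulate("10.1.1.2", "10.2.2.2", inner)
    overhead = len(tunneled) - len(inner)              # 24 bytes, as stated above
    src, dst, proto, recovered = gre_decapsulate(tunneled)
    # The original packet sits unchanged after the two headers: GRE adds no protection.
    visible_in_clear = tunneled.find(inner) == 24
    return overhead, src, dst, proto, recovered == inner, visible_in_clear

if __name__ == "__main__":
    print(demo())
```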
Advantages

GRE comes up with the following advantages:

- Multiprotocol support: GRE supports multiprotocol tunneling, which means that it isn't
  limited to IP networks; it can also carry IPX or AppleTalk. Certainly it is a fact that IP
  networks are the most common nowadays.
- Routing protocol support: Another advantage of GRE as opposed to other VPN protocols
  is its routing protocol support. In a GRE tunnel, routers can advertise their
  Open Shortest Path First (OSPF), Routing Information Protocol (RIP) and Enhanced
  Interior Gateway Routing Protocol (EIGRP) routes, to mention but a few.
- Multicast and broadcast support: GRE doesn't only support unicasts; it can also
  handle multicasts and broadcasts.

Disadvantages

Even if GRE has great advantages, it is also affected by some big disadvantages:

- Security: In general, traffic which traverses a GRE tunnel isn't protected by
  encryption or other security measures. This is because when GRE was developed,
  security wasn't a big concern. Tunneled traffic can easily be altered or eavesdropped.
- Overhead: The GRE header together with the tunneling IP header creates at least 24
  bytes of additional overhead for tunneled packets. (Cisco)
Internet Protocol Security (IPsec)

General

This protocol is standardized in RFC 2401. One of the main characteristics of IPsec is that it
isn't bound to any specific security technologies. Instead it is a framework of open standards
that defines the rules for a secure communication process. Therefore IPsec itself doesn't
come up with any new encryption algorithms to provide confidentiality of data; it uses
already existing security standards. Furthermore, IPsec operates at the network layer of the
OSI model and in theory works with all data link layer protocols, such as Ethernet or Token
Ring. Although I couldn't find any real implementation of IPsec over Token Ring.

The IPsec process and the security measures are described below:

- Protocol: When using IPsec, one of the protocols below must be selected. Both
  solutions can work either in transport or tunnel mode.
  Tunnel mode: Security for the complete original IP packet is provided. The original IP
  packet is encrypted and then encapsulated in another IP packet. This is known as
  IP-in-IP encryption. The outside IP packet is used for routing it through the Internet.
  Transport mode: Different to tunnel mode, the original IP header (and thus the IP
  addresses) is left in plaintext. Security is only provided for the rest of the packet.

  o Authentication Header (AH): It is the appropriate protocol when confidentiality is
    not required. Therefore it only provides authentication and integrity.
    Confidentiality through encryption isn't part of this method; consequently all
    data is sent in plaintext.
  o Encapsulating Security Payload (ESP): Just like AH, this protocol also supports
    authentication and integrity, with the big difference that data encryption is also
    provided.

- Confidentiality: To achieve this feature, the traffic is encrypted by symmetric
  algorithms. For example, Data Encryption Standard (DES), Triple Data Encryption
  Standard (3DES) and Advanced Encryption Standard (AES) are used.
- Integrity: Keyed-Hash Message Authentication Codes (HMACs) are used to prove
  integrity and authentication of data. Instead of only calculating a hash value of
  the data, a shared secret key is added to the data beforehand. Then the HMAC is
  calculated over the key-data combination with a hash algorithm like Message-Digest
  Algorithm 5 (MD5) or Secure Hash Algorithm (SHA-1, SHA-2 and SHA-3).
- Authentication: In a conversation it is necessary that both participating parties
  authenticate each other. To achieve this, either pre-shared secret keys or
  Rivest-Shamir-Adleman (RSA) signatures are used.
- Secure Key Exchange: In a symmetric key system it is important to ensure that all
  participating parties know the secret key before encrypting or decrypting data.
  Therefore the Diffie-Hellman (DH) key exchange method was developed. It is a
  mathematical algorithm that allows two parties to generate an identical shared secret
  without ever having communicated before. The new shared key is never actually
  exchanged between the sender and receiver, but both parties know it. DH defines
  several groups, from number 1 to 24, which differ in cryptographic strength.

Figure: IPsec Framework - Dominik Herkel
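An added example, not part of the report, implementing the HMAC construction described under Integrity (RFC 2104) and the truncated HMAC-SHA-1-96 integrity check value that IPsec AH and ESP use (RFC 2404). The shared key and the packet bytes are constructed; in a real tunnel the key would come from the IKE exchange.

```python
"""HMAC for IPsec integrity: RFC 2104 construction, RFC 2404 truncation.
Added example with constructed key and packet; not code from the report."""
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C

def hmac_rfc2104(key, data, hash_name="sha1"):
    """HMAC(K, m) = H((K xor opad) || H((K xor ipad) || m))."""
    block_size = hashlib.new(hash_name).block_size   # 64 bytes for MD5, SHA-1, SHA-256
    if len(key) > block_size:                        # keys longer than a block are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")             # then zero-padded to the block size
    inner = hashlib.new(hash_name, bytes(k ^ IPAD for k in key) + data).digest()
    return hashlib.new(hash_name, bytes(k ^ OPAD for k in key) + inner).digest()

def icv_sha1_96(key, authenticated_data):
    """Integrity Check Value as in RFC 2404: HMAC-SHA-1 truncated to the first 96 bits."""
    return hmac_rfc2104(key, authenticated_data, "sha1")[:12]

def sender(key, authenticated_data):
    """Append the 12-byte ICV to the authenticated part of the packet."""
    return authenticated_data + icv_sha1_96(key, authenticated_data)

def receiver_accepts(key, packet):
    """Split off the ICV, recompute it and compare in constant time."""
    if len(packet) < 12:
        return False
    body, tag = packet[:-12], packet[-12:]
    return hmac.compare_digest(icv_sha1_96(key, body), tag)

def rfc2202_self_test():
    """Test case 1 of RFC 2202 for HMAC-SHA-1."""
    expected = "b617318655057264e28bc0b6fb378c8ef146be00"
    return hmac_rfc2104(b"\x0b" * 20, b"Hi There").hex() == expected

def matches_stdlib(key, data, hash_name="sha256"):
    """Cross-check the hand-written construction against the standard library."""
    return hmac_rfc2104(key, data, hash_name) == hmac.new(key, data, hash_name).digest()

def demo():
    key = b"constructed-shared-secret"                # constructed; IKE would derive it
    packet = sender(key, b"ESP header + encrypted payload (constructed)")
    tampered = packet[:5] + bytes([packet[5] ^ 0x01]) + packet[6:]   # flip one bit
    return (receiver_accepts(key, packet),            # genuine packet: accepted
            receiver_accepts(key, tampered),          # altered in transit: rejected
            receiver_accepts(b"wrong-key", packet))   # peer without the secret: rejected

if __name__ == "__main__":
    print(rfc2202_self_test(), demo())
```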
Process

The operation of IPsec VPNs can be broken down into five steps:

1. Initiation: Interesting traffic which matches the configured security policy starts the
   Internet Key Exchange process.
2. IKE phase 1: IPsec peers are authenticated and Security Associations (SAs) are
   negotiated. A secure channel is set up.
3. IKE phase 2: IPsec SA parameters are negotiated and matching IPsec SAs are set up.
4. Data transfer: Data can be securely transmitted between the IPsec peers.
5. IPsec tunnel termination: The tunnel is terminated because it timed out or was
   manually terminated.

A detailed description of these steps is beyond the scope of this presentation, because they
require a comprehensive understanding of security in general, IPsec and the Internet Key
Exchange (IKE). For further information use the internet or attend a CCNA Security
certification class.
Advantages

- Security: Authentication, confidentiality and integrity are provided by IPsec VPNs. In
  fact, security is the biggest concern.
- Based on existing algorithms: One of the biggest advantages of the IPsec suite is that
  it doesn't try to reinvent the wheel. Instead it is based on existing algorithms.
  Therefore even new inventions can be added to IPsec and used in the process.

Disadvantages

- Solely IP support: No other Layer 3 protocols are supported. So when AppleTalk or IPX
  should be used, the VPN can't be based on IPsec.
- Only unicasts: Multicasts and broadcasts aren't supported. Therefore only unicasts
  can be sent.
- Routing protocols not supported: Routing protocols like OSPF, RIP and EIGRP are not
  supported. In IPsec VPNs only static routes can be used.

Figure: VPN Method Decision - Dominik Herkel
(Cisco)
GRE over IPsec

As time passed, the idea came up to use GRE and IPsec together, so often there is no need
to decide between the two tunnel technologies anymore. This method combines the benefits
of GRE and IPsec into one solution: the security of the data is provided by the IPsec
framework, combined with the flexibility of GRE. Therefore GRE's multiprotocol support,
routing updates, multicasts and broadcasts can be sent encrypted and secured over the tunnel.

SSL/TLS

General

The Secure Sockets Layer (SSL) protocol is the predecessor of the modern Transport Layer
Security (TLS) protocol. Both work at the presentation layer of the OSI model, and the
term SSL is often used for TLS too. SSL/TLS use asymmetric cryptography for the key
exchange, HMACs for authentication and integrity, and symmetric algorithms for bulk
encryption. To authenticate the service-providing participant in the communication process,
certificates issued by third-party Certification Authorities (CAs), such as VeriSign, are
involved. One of the major operational areas of SSL/TLS is Hypertext Transfer Protocol Secure
(HTTPS).

Process

To ease this presentation, the process of SSL/TLS is described in the YouTube video below:
http://www.youtube.com/watch?v=SJJmoDZ3il8

Advantages

- Security: The communication process over an SSL/TLS VPN is secured by
  authentication, confidentiality and integrity.
- Almost everywhere available: One of the biggest advantages of SSL/TLS over other
  VPN technologies is that for most implementations only a generic modern web
  browser is needed. So no client software like Cisco AnyConnect is required.
- Third-party regulation: Entities which provide SSL/TLS VPNs, for example for secure
  shopping, are regulated and verified by third-party organizations.

Disadvantages

- Faked SSL/TLS certificates: Users are lulled into a false sense of security with
  certificates from CAs. It's not uncommon that malicious attackers tamper with
  SSL/TLS certificates.
- Denial of Service (DoS) attacks: It's a fact that establishing an SSL/TLS VPN connection
  requires much more resources on the server than on the client computer. This fact
  can be exploited in a DoS attack.
Cisco VPN Solutions

Cisco provides a broad and comprehensive selection of VPN solutions:

- Cisco Integrated Services Router (ISR) with enabled VPN
- Cisco Private Internet eXchange (PIX), end of life (EOL), end of sale (EOS)
- Cisco Adaptive Security Appliance (ASA) 5500 Series
- Cisco VPN 3000 Series Concentrator, end of life (EOL), end of sale (EOS)
- Small and Home Office (SOHO) Routers

Access Network Resources

There are several ways provided by Cisco to access network resources through VPNs:

- Site to Site Configuration
- Cisco VPN Client
- Cisco AnyConnect VPN Client

Configuration

To give only a short overview of the complexity of IPsec tunnel configuration, here is an
excerpt of the commands which are needed to set up this type of VPN on a Cisco IOS router:

Figure: VPNs - Dominik Herkel
R1:

R1(config)#access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encryption aes
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#exit
R1(config)#crypto isakmp key vpnpa55 address 10.2.2.2 0.0.0.0
R1(config)#crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
R1(config)#crypto map VPN-MAP 10 ipsec-isakmp
R1(config-crypto-map)#match address 110
R1(config-crypto-map)#set peer 10.2.2.2
R1(config-crypto-map)#set transform-set VPN-SET
R1(config-crypto-map)#exit
R1(config)#interface se0/0/0
R1(config-if)#crypto map VPN-MAP

R3:

R3(config)#access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#encryption aes
R3(config-isakmp)#hash sha
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#lifetime 86400
R3(config-isakmp)#exit
R3(config)#crypto isakmp key vpnpa55 address 10.1.1.2 0.0.0.0
R3(config)#crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
R3(config)#crypto map VPN-MAP 10 ipsec-isakmp
R3(config-crypto-map)#match address 110
R3(config-crypto-map)#set peer 10.1.1.2
R3(config-crypto-map)#set transform-set VPN-SET
R3(config-crypto-map)#exit
R3(config)#interface se0/0/1
R3(config-if)#crypto map VPN-MAP
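An added example (not part of the report and not a Cisco tool) that reads the command excerpt above, flags the settings a reviewer would consider weak today, and checks that the two sides mirror each other (same transform set, peers matching the pre-shared key addresses, reversed crypto ACLs). The command text is copied from the excerpt; the assessments in WEAK are this example's own.

```python
"""Review of the R1/R3 IPsec excerpt: weak settings and mirror consistency.
Added example; the command text is copied from the report, the checks are not."""

R1_CONFIG = """
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto isakmp policy 10
encryption aes
hash sha
authentication pre-share
group 2
lifetime 86400
crypto isakmp key vpnpa55 address 10.2.2.2 0.0.0.0
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
match address 110
set peer 10.2.2.2
set transform-set VPN-SET
"""
# R3 is the same excerpt with the crypto ACL reversed and R1's address as the peer.
R3_CONFIG = (R1_CONFIG.replace("192.168.1.0 0.0.0.255 192.168.3.0",
                               "192.168.3.0 0.0.0.255 192.168.1.0")
                      .replace("10.2.2.2", "10.1.1.2"))

# Settings this example flags; the wording is the example's assessment, not Cisco's.
WEAK = {
    "esp-3des": "3DES in the transform set is a 64-bit block cipher; prefer esp-aes",
    "group 2": "DH group 2 (1024-bit MODP) is below today's minimum; prefer group 14 or higher",
    "authentication pre-share": "pre-shared key is stored in the configuration; consider RSA signatures",
}

def parse(config):
    """Pick out the crypto ACL, ISAKMP policy lines, PSK peer address, peer and transform set."""
    info = {"acl": None, "isakmp": set(), "psk_peer": None, "peer": None, "transform": ()}
    for line in config.strip().splitlines():
        words = line.split()
        if words[0] == "access-list":
            info["acl"] = tuple(words[4:8])              # src, wildcard, dst, wildcard
        elif words[0] in ("encryption", "hash", "authentication", "group", "lifetime"):
            info["isakmp"].add(" ".join(words[:2]))
        elif words[:3] == ["crypto", "isakmp", "key"]:
            info["psk_peer"] = words[5]                  # the key value itself is not retained
        elif words[:2] == ["set", "peer"]:
            info["peer"] = words[2]
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            info["transform"] = tuple(words[4:])
    return info

def findings(info):
    """Weak settings present on one router, in the order they appear in WEAK."""
    present = info["isakmp"] | set(info["transform"])
    return [text for setting, text in WEAK.items() if setting in present]

def mirror_problems(a, b):
    """Both ends must share a transform set, address each other, and mirror the crypto ACL."""
    problems = []
    if a["transform"] != b["transform"]:
        problems.append("transform sets differ")
    for side in (a, b):
        if side["peer"] != side["psk_peer"]:
            problems.append("set peer and isakmp key address differ")
    if a["acl"] != (b["acl"][2], b["acl"][3], b["acl"][0], b["acl"][1]):
        problems.append("crypto ACLs are not mirror images")
    return problems

if __name__ == "__main__":
    r1, r3 = parse(R1_CONFIG), parse(R3_CONFIG)
    print(findings(r1), mirror_problems(r1, r3))
```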
Bibliography

AnexGATE. (n.d.). AnexGATE. Retrieved from
http://www.anexgate.com/downloads/whitepapers/vpnprimer.pdf
Cisco. (n.d.). Cisco. Retrieved from
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml
Cisco. (n.d.). Cisco Netacademy. Retrieved from
http://www.cisco.com/web/learning/netacad/index.html
Covenant. (n.d.). DSLreports. Retrieved from http://www.dslreports.com/faq/8228
Edwards, J. (n.d.). ITsecurity. Retrieved from
http://www.itsecurity.com/features/vpn-popularity-021108/
Itif. (n.d.). Itif. Retrieved from http://www.itif.org/files/Telecommuting.pdf
Kilpatrick, I. (n.d.). IT Pro Portal. Retrieved from
http://www.itproportal.com/2007/05/18/benefits-and-disadvantages-of-ssl-vpns/
Mason, A. (n.d.). CiscoPress. Retrieved from
http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7
Pearson. (n.d.). Pearsoncmg. Retrieved from
http://ptgmedia.pearsoncmg.com/images/9781587201509/samplechapter/158720150X_CH14.pdf
Rager, A. T. (n.d.). SourceForge. Retrieved from http://ikecrack.sourceforge.net/
SANS Institute. (n.d.). GoogleDocs. Retrieved from
https://docs.google.com/viewer?a=v&q=cache:LcJ_BIRpFl4J:www.sans.org/reading_room/whitepapers/vpns/vulnerabilitys-ipsec-discussion-weaknesses-ipsec-implementation-pro_760+ipsec+vulnerabilities&hl=de&gl=at&pid=bl&srcid=ADGEESjc5VtF9axW6pM9jnZscnGxhS2U9roAq
Suida, D. (n.d.). WordPress. Retrieved from
http://waynetwork.wordpress.com/2011/07/02/video-tutorial-ipsec-over-a-gre-tunnel/
Unknown. (n.d.). ETutorials. Retrieved from
http://etutorials.org/Networking/network+security+assessment/Chapter+11.+Assessing+IP+VPN+Services/11.2+Attacking+IPsec+VPNs/
Unknown. (n.d.). Journey2CCIE. Retrieved from http://journey2ccie.blogspot.co.at
Unknown. (n.d.). Teleworkers Research Network. Retrieved from
http://www.teleworkresearchnetwork.com/telecommuting-statistics
Unknown. (n.d.). The Hackers Choice. Retrieved from
http://thehackerschoice.wordpress.com/2011/10/24/thc-ssl-dos/
Wikipedia. (n.d.). Wikipedia. Retrieved from
http://en.wikipedia.org/wiki/Telecommuting#Telecommuting_and_telework_statistics
Wikipedia. (n.d.). Wikipedia. Retrieved from
http://en.wikipedia.org/wiki/Transport_Layer_Security
Zandi, S. (n.d.). Cisco LearningNetwork. Retrieved from
https://learningnetwork.cisco.com/docs/DOC-2457