Virtual Private Networks
CS-480b
Dick Steflik
Virtual Private Networks (VPNs)
• Used to connect two private networks together via the Internet
• Used to connect remote users to a private network via the Internet
• This could be done by opening your firewall to the LAN networking protocols (NETBIOS, NFS, NetWare, AppleTalk)
• But… it would also make those protocols available to anyone on the Internet and they could come into your LAN at will
  • Effectively makes the whole Internet your LAN
  • Exposes all of your data
  • Anyone can easily take advantage of vulnerabilities in your internal hosts
  • No privacy
• Better solution is to use a VPN in conjunction with your firewall
VPNs
• Since we all understand that IP is used to transport information between LANs, if we add some security stuff to IP then this transport can be made more secure
• Can be done two ways:
  • At the network level using IPSec
    • Currently the most widely used method
      – But requires special client installation on each workstation (more IT $)
  • At the Transport level using SSL
    • Quickly gaining popularity because there are no special software installation requirements for end user workstations
      – All that’s required is a browser with SSL support
        • Mozilla
        • Internet Explorer
        • Netscape
        • Opera
IP Based VPNs
• Fundamental Components
  • IP Encapsulation
  • Cryptographic based authentication
  • Secret Key Encryption
    – Single shared secret key for encrypt and decrypt
  • Public Key Encryption
    – Unidirectional keys
      • Encrypt or decrypt (not both)
  • Data Payload Encryption
    • Encrypt payload but not header (method depends on OEM/Vendor solution)
• IP/IP Encapsulation
  • Makes remotely located LANs appear to be adjacent
  • Makes non-routable addresses (10.a.b.c and 192.168.c.d) routable
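The IP/IP encapsulation point above is easiest to see with the bytes in hand. The following Python is an added example written for this page, not code from the slides or from any VPN product: it builds an inner IPv4 packet between two RFC 1918 hosts, wraps it in an outer header (protocol number 4, plain IP-in-IP as in RFC 2003) addressed between two tunnel gateways, and unwraps it again at the far end. It goes a little beyond the slide in that it also treats 172.16/12 as non-routable, verifies the IPv4 header checksum when parsing, and has the receiving gateway refuse outer packets that do not come from its configured peer. The gateway addresses (203.0.113.10, 198.51.100.20) and the UDP payload are constructed sample values; there is no encryption or cryptographic authentication here, which is exactly what IPSec adds on top of this encapsulation.

```python
"""IP-in-IP encapsulation (RFC 2003, IP protocol number 4) in pure Python.

Added example for the VPN slides; not part of the original deck.
"""
import struct
import socket
from ipaddress import ip_address, ip_network

IPPROTO_IPIP = 4  # outer header's protocol field for an encapsulated IPv4 packet

# RFC 1918 ranges: the "non-routable" addresses the slide refers to (plus 172.16/12)
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True when addr is a private (not Internet-routable) RFC 1918 address."""
    return any(ip_address(addr) in net for net in RFC1918)


def checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (20-byte header, no options) around payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    # fill in the header checksum (computed with the checksum field zeroed)
    return header[:10] + struct.pack("!H", checksum(header)) + header[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse an IPv4 header; raise ValueError on a malformed or corrupted one."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("bad length fields")
    if checksum(packet[:ihl]) != 0:  # a header with a valid checksum sums to zero
        raise ValueError("bad header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def encapsulate(inner_packet: bytes, gateway_src: str, gateway_dst: str) -> bytes:
    """Wrap a whole IPv4 packet in an outer header addressed between two VPN gateways."""
    if is_rfc1918(gateway_src) or is_rfc1918(gateway_dst):
        raise ValueError("outer header must use routable gateway addresses")
    return build_ipv4(gateway_src, gateway_dst, IPPROTO_IPIP, inner_packet)


def decapsulate(outer_packet: bytes, expected_peer: str) -> dict:
    """Strip the outer header and return the parsed inner packet.

    Plain IP-in-IP carries no authentication, so the receiving gateway at least
    checks that the outer source is its configured peer. A real VPN relies on
    IPSec's cryptographic authentication for this rather than on the address.
    """
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("outer packet is not IP-in-IP")
    if outer["src"] != expected_peer:
        raise ValueError("outer packet not from the configured tunnel peer")
    return parse_ipv4(outer["payload"])


def demo() -> dict:
    """Constructed sample: a host on LAN A talks to a host on LAN B through the tunnel."""
    inner = build_ipv4("10.1.1.5", "192.168.2.7", 17, b"hello")  # proto 17 = UDP, toy payload
    tunneled = encapsulate(inner, "203.0.113.10", "198.51.100.20")  # constructed gateway addresses
    received = decapsulate(tunneled, expected_peer="203.0.113.10")
    return {"outer": parse_ipv4(tunneled), "inner": received, "outer_len": len(tunneled)}


if __name__ == "__main__":
    result = demo()
    print("outer:", result["outer"]["src"], "->", result["outer"]["dst"], "proto", result["outer"]["proto"])
    print("inner:", result["inner"]["src"], "->", result["inner"]["dst"], "payload", result["inner"]["payload"])
```

Running the block prints the outer header carrying routable gateway addresses and, inside it, the untouched private-to-private packet; the 20 bytes of overhead per packet is the cost of the "adjacent LANs" illusion, and the peer check in decapsulate shows why encapsulation alone is not a VPN until the cryptographic authentication listed on the same slide is added.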
VPN Characteristics
• Cheaper than WANs
  • dedicated leased lines are very expensive
• Easier to establish than WANs
  • ISPs will usually help make the initial IP connection
  • hours for VPNs vs. weeks for WANs
• slower than LANs
  • encryption/decryption takes time
  • typical LANs are 10-100 Mbps
  • endpoints connected by VPN may go through many router hops
    – minimize by using same ISP for everything
  • dial in users are going to be typically 56 Kbps
• less reliable than WANs
  • with WANs, routers are under your control and performance is negotiated with provider; not so with VPN, where you only control the initial IP connection
• less secure than isolated LANs or WANs
  • because the Internet is used, hackers can find you
  • VPN protocol is one more thing to be attacked
Types of VPNs
• Server based
• Firewall based
• Router based (including VPN appliances)
Server based
• Windows
  • Routing and Remote Access Service
    • NT supports only PPTP; W/2000 supports PPTP, L2TP and IPSec
    • comes with everything needed to establish a VPN
• Linux
  • Blowfish, Free S/WAN, PPP over SSL, PPTP, L2TP
  • with IP masquerading/IP Chains and additional open source software can be used to create a very robust VPN
• UNIX
  • many incorporating IPSec into their TCP/IP stacks
• Be aware that VPN traffic leaving your LAN traverses the LAN twice
  • once to the RRAS service as regular LAN traffic, once encapsulated to the firewall
Firewall based VPNs
• Since firewalls already do all kinds of packet analysis, adding IP tunneling is relatively easy
• Rapid acceptance of IPSec and IKE is making VPNing at the firewall more common
  • not all vendors’ versions of IPSec+IKE work together
  • make sure that remote clients’ software works with your firewall VPN
Router based VPNs
• Typically used on big networks
  • specialized devices to isolate internal LAN traffic and quickly convey inter-LAN traffic
• IBM 2210
• CISCO Routers running IOS
• Ascend’s MAX switches
VPN Architectures
• Mesh
  • each participant has a direct security relationship with every other user
• Hub and spoke
  • each participant has a single security association with a single VPN router that has a security association with every VPN device
• Hybrid
  • combination of both
    • mesh of hubs
    • star of hubs
[...] systems and appropriate measures for evaluating those products and systems
NIAP Goals
• The long-term goal of NIAP is to help increase the level of trust consumers have in their information systems and networks through the use of cost-effective security testing, evaluation, and validation programs. In meeting this goal, NIAP seeks to:
  • Promote the development and use of evaluated IT products and [...]
[...] and reviewed
EAL5 – Semi formally designed and tested
EAL6 – Semi formally verified design and tested
EAL7 – Formally verified design and tested
SSL Based VPNs
• Browser based
  • PositivePRO – Positive Networks; Connectra – Checkpoint Software
• No special client needed – can be used on any device that is web enabled that supports SSL (PDA, cell phones)
  – OS independent
• Can’t access desktop applications [...]
[...] client software be installed for each user
• Open Source (free)
• very good track record (since 2002)
• Runs on most OSs
• compatible with:
  – SSL/TLS
  – RSA Certificates
  – X509 PKI
  – NAT
  – DHCP
  – TUN/TAP virtual devices