Tài liệu Virtual Private Networks doc

LINK DOWNLOAD MIỄN PHÍ TÀI LIỆU "Tài liệu Virtual Private Networks doc": http://123doc.vn/document/1043330-tai-lieu-virtual-private-networks-doc.htm

Virtual Private Networks
CS-480b
Dick Steflik

Virtual Private Networks (VPNs)
•
Used to connect two private networks together via the Internet
•
Used to connect remote users to a private network via the Internet
•
This could be done by opening your firewall to the LAN networking
protocols (NETBIOS, NFS NetWare, AppleTalk))
•
But… it would also make those protocols available to any one on the
Internet and they could come into your LAN at will
•
Effectively make the whole Internet your LAN
•
Exposes all of your data
•
Anyone can easily take advantage of vulnerabilities in your internal hosts
•
No privacy
•
Better solution is to use a VPN in conjunction with your firewall

VPNs
•
Since we all understand that IP is used to transport information
between LANs if we add some security stuff to IP then this transport
can be made more secure
•
Can be done two ways:
•
At the network level using IPSec
•
Currently the most widely used method
–
But requires special client installation on each workstation (more IT $)
•
At the Transport level using SSL
•
Quickly gaining popularity because there are no special software installation
requirements for end user workstations
–
All that’s required is a browser with SSL support
•
Mozilla
•
Internet Explorer
•
Netscape
•
Opera

IP Based VPNs
•
Fundamental Components
•
IP Encapsulation
•
Cryptographic based authentication
•
Secret Key Encryption
–
Single shared secret key for encrypt and decrypt
•
Public Key Encryption
–
Unidirectional keys
•
Encrypt or decrypt (not both)
•
Data Payload Encryption
•
Encrypt payload but not header (method depends on OEM/Vendor solution)
•
IP/IP Encapsulation
•
Makes remotely located LANs appear to be adjacent
•
Makes non-routable addresses (10.a.b.c a,d 192.168.c.d) routable

VPN Characteristics
•
Cheaper than WANs
•
dedicated leased lines are very expensive
•
Easier to establish than WANs
•
ISPs will usually help make the initial IP connection
•
hours for VPNs vs. weeks for WANs
•
slower than LANs
•
encryption/dectyption takes time
•
typical LANS are 10-100 Mbps
•
endpoints connected by VPM may go through many router hops
–
minimize by using same ISP for everything
•
dial in users are going to be typically 56Kbps
•
less reliable than WANs
•
with WANs routers are under your control and performance is negotiated
with provider, not so with VPN you only control initial IP connection
•
less secure than isolated LANs or WANs
•
because Internet is used hackers can find you
•
VPN protocol is one more thing to be attacked

Types of VPNs
•
Server based
•
Firewall based
•
Router based (including VPN appliances

Server based
•
Windows
•
Routing and Remote Access Service
•
NT supports only PPTP, W/2000 supports PPTP, L2TP and IPSec
•
comes with everything needed to establish a VPN
•
Linux
•
Blowfish, Free S/WAN, PPP over SSL, PPTP, L2TP
•
with IP masquerading/IP Chains and additional open source software can
be used to create a very robust VPN
•
UNIX
•
many incorporating IPSec into their TCP/IP stacks
•
Be aware that VPN traffic leaving your LAN traverses the LAN twice
•
once to the RRAS service as regular LAN traffic, once encapsulated to the
firewall

Firewall based VPNs
•
Since firewalls already do all kinds of packet analysis, adding IP
tunneling is relatively easy
•
Rapid acceptance of IPSec and IKE are making VPNing at the firewall
more common
•
not all vendors versions of IPSec+IKE work together
•
make sure that remote clients software works with your firewall VPN
•


Router based VPNs
•
Typically used on big networks
•
specialized devices for to isolate internal LAN traffic and quickly convey
inter-LAN traffic
•
IBM 2210
•
CISCO Routers running IOS
•
Ascend’s MAX switches

VPN Architectures
•
Mesh
•
each participant has a direct security relationship with every other user
•
Hub and spoke
•
each participant has a single security association with a single VPN router
that has a security association with every VPN device
•
Hybrid
•
combination of both
•
mesh of hubs
•
star of hubs

Implementations
•
IPSec Tunnel Mode
•
RFC 2401
•
Point-to-Point Tunneling Protocol (PPTP)
•
RFC 2637
•
Layer 2 Tunneling Protocol (L2TP)
•
RFC 2661
•
Point-to-Point Protocol over Secure Sockets Layer (PPP/SSL) or
Point-to-Point Protocol over Secure Shell (PPP/SSL)
•
considered to be hacks not standards

VPN Best Practices
•
Use a real firewall
•
Secure the base operating system
•
Use a single ISP
•
minimize routing hops and insure cooperation
•
Use packet filtering to reject unknown hosts
•
Use public-key encryption and secure Authentication
•
Compress before you encrypt
•
stream compression will help overall performance
•
Secure remote hosts

NIAP
•
National Information Assurance Partnership (NIAP)
•
U.S. Government initiative originated to meet the security testing
needs of both information technology (IT) consumers and
producers.
•
NIAP is a collaboration between the National Institute of
Standards and Technology (NIST) and the National Security
Agency (NSA)
•
in fulfilling their respective responsibilities under PL 100-235
(Computer Security Act of 1987).
•
combines the extensive IT security experience of both agencies to
promote the development of technically sound security
requirements for IT products and systems and appropriate
measures for evaluating those products and systems.

NIAP Goals
•
The long-term goal of NIAP is to help increase the level of
trust consumers have in their information systems and
networks through the use of cost-effective security testing,
evaluation, and validation programs. In meeting this goal,
NIAP seeks to:
•
Promote the development and use of evaluated IT products and
systems;
•
Champion the development and use of national and international
standards for IT security;
•
Foster research and development in IT security requirements
definition, test methods, tools, techniques, and assurance metrics;
•
Support a framework for international recognition and acceptance of
IT security testing and evaluation results; and
•
Facilitate the development and growth of a commercial security
testing industry within the U.S.