1 Copyright © 2014 M. E. Kabay. All rights reserved. VPNs CSH6 Chapter 32 “Virtual Private...
-
Upload
gabriella-atkins -
Category
Documents
-
view
218 -
download
1
Transcript of 1 Copyright © 2014 M. E. Kabay. All rights reserved. VPNs CSH6 Chapter 32 “Virtual Private...
1 Copyright © 2014 M. E. Kabay. All rights reserved.
VPNsCSH6 Chapter 32
“Virtual Private Networks & Secure Remote Access”
Justin Opatrny & Carl Ness
2 Copyright © 2014 M. E. Kabay. All rights reserved.
TopicsIntroductionRemote-Access VPNsSite-to-Site VPNsExtranets
3 Copyright © 2014 M. E. Kabay. All rights reserved.
Introduction
Borders DissolvingSecure Remote AccessVirtual Private NetworksVPN Technology Concepts
4 Copyright © 2014 M. E. Kabay. All rights reserved.
Borders Dissolving (1)
Before Internet access, security → internal networks
After ~1993, explosion in Internet connectionsPerimeter firewall reduced access by digital
predatorsHow to maintain network security for
employees using mobile technology?Laptop computers, cell phonesHome, traveling
How to define extranets for business partners?
5 Copyright © 2014 M. E. Kabay. All rights reserved.
Borders Dissolving (2)
Competitive advantage requiresEmployee network & information accessFrom outside workplaceCoping with inclement weather, disruptionsGeographic dispersion of workforce
B2B requirements growingVendors, suppliers, partnersOutsourcingSupport
B2C demandsGrowing expectations from consumers
6 Copyright © 2014 M. E. Kabay. All rights reserved.
Secure Remote AccessRequire extensive planning & review
Must not jeopardize safety of critical information & information systems
Primary toolsVirtual Private Networks
(VPNs)Secured connectionEncrypted tunnel
ExtranetsEncrypted connection to
Web application server outside internal NW
Usually need connections from server to internal NW for data exchange
7 Copyright © 2014 M. E. Kabay. All rights reserved.
Virtual Private NetworksBasic idea
Create stream of encrypted data through firewall“Encrypted tunnel”
GoalsSecurely extend
internal networkProtect data during
transmissionMaintain security of
systemTwo categories
Remote-Access VPNsSite-to-Site VPNs
8 Copyright © 2014 M. E. Kabay. All rights reserved.
VPN Technology ConceptsSee other chapters in CSH6 for background concepts,
terminology, details & readingsChapter 5: Data Communications & Information
SecurityChapter 6: Network Topologies, Protocols & DesignChapter 7: EncryptionChapter 26:
Gateway Security Devices
Chapter 37: PKI & Certificate Authorities
9 Copyright © 2014 M. E. Kabay. All rights reserved.
Remote-Access VPNsIPSecTransport-Layer SecurityUser-Authentication MethodsInfrastructure RequirementsNetwork-Access
Requirements
10 Copyright © 2014 M. E. Kabay. All rights reserved.
IPSec
BasicsSuite of Internet Protocol (IP) layer
protocolsEstablish & protect VPN transmissionsUsually uses client-resident applicationCreate encrypted VNP tunnel into internal
networkTopics
Key Exchange & ManagementAuthentication Header vs Encapsulating
Security PayloadTransport vs Tunnel Mode
11 Copyright © 2014 M. E. Kabay. All rights reserved.
IPSec: Key Exchange & ManagementMust establish and manage Security Association (SA)
between client & server IPSec uses Internet Key Exchange (IKE)
Good reference: NIST Guide to IPSEC VPNs (SP 800-77)
2 phases in establishing SAPhase 1 creates initial
IKE SACan use 2 modes:
Main modeAggressive mode
Phase 2 establishes IPSec SA
More details on following slides
12 Copyright © 2014 M. E. Kabay. All rights reserved.
IKE Phase 1 Main ModeMost commonly used3 pairs of packets
1st pair negotiates 4-parameter protection suiteEncryption algorithm (e.g., 3DES, AES)Integrity protection algorithm (e.g., HMAC-SHA-1)Authentication method (e.g.,
shared key, PKI certificate)Diffie-Hellman group* (category of keylength &
type of encryption algorithm)2nd pair exchanges encryption keys using D-H3rd pair authentications each side of connection to
other
HMAC: hashed message authentication code
*See SP800-77 pp 3-11 & 3-12
13 Copyright © 2014 M. E. Kabay. All rights reserved.
IKE Phase 1 Aggressive Mode3 packets (not pairs of packets)
1st & 2nd packets Negotiate all IKE SA
parameters Perform key exchange
2nd & 3rd packetsAuthenticate end-points
to each other
14 Copyright © 2014 M. E. Kabay. All rights reserved.
IKE Phase 2 Quick mode to establish IPSec SAs Each side maintains IPSec SA in SAD (Security Association
Database) Initiating device creates & sends
SA proposal to VPN server VPN server replies with SA
selection & hash to authenticate connection
Initiating device replies with hash generated from prompt received from server
If server matches received hash with sent hash, server adds SA to SAD & connection proceeds
15 Copyright © 2014 M. E. Kabay. All rights reserved.
IPSec: AH vs ESPAuthentication Header (AH)
Protects integrity of packet header & payload
Uses cryptographic hashingEncapsulating Security
Payload (ESP)More common
implementation todayEncrypt entire packetCreate new IP headerProtects both integrity &
confidentiality
16 Copyright © 2014 M. E. Kabay. All rights reserved.
IPSec: Transport vs Tunnel ModeTransport mode
Preserves original IP headerProvides confidentiality &
integrity protection for payloadIncompatible with Network
Address Translation (NAT)TCP integrity checks failNAT alters IP address during
transmission – therefore IPSec hash will be incorrect
Tunnel modeProtects both header and payloadPrimary method today for host-to-gateway &
gateway-to-gateway VPNs
17 Copyright © 2014 M. E. Kabay. All rights reserved.
Transport-Layer Security (TLS)TLS provides protection of client/server linksMost common implementation: SSL (Secure
Sockets Layer) → HTTPSBasics
128-bit encryptionWidely available on browsers & serversClient* provides SSL-related parameters
for establishing HTTPS connection to server
Server responds with its SSL parameters + digital certificate
Client authenticates server
18 Copyright © 2014 M. E. Kabay. All rights reserved.
User-Authentication MethodsSimplest method: user name & passwordOther methods
RADIUS: Remote Authentication Dial-In User Service
LDAP: Lightweight Directory Access ProtocolKerberos: access control system
Developed at MIT in 1980sAccepted by IETF in 2003See http://www.ietf.org/rfc/rfc1510.txt Diagram from CDE on next slide
19 Copyright © 2014 M. E. Kabay. All rights reserved.
KerberosLogin: user PW
encrypted & sent to KDC
KDC Authenticates PWSends master
ticket (a kind of session key) to user
User sends master ticket to KDC when requesting service
Used by kind permission of the author.Copyright © 2010 Computer Language Corporation
http://www.computerlanguage.com
20 Copyright © 2014 M. E. Kabay. All rights reserved.
Infrastructure RequirementsVPN should be outside firewallConnection to internal networks protected by
firewallRestrict all external connections to internal
networkAllow encrypted connections to VPN
server to be relayed through firewall
21 Copyright © 2014 M. E. Kabay. All rights reserved.
Network-Access Requirements IPSec
Can use split tunneling for better throughputEnforce encryption on inbound trafficAllow outbound traffic to Internet to be treated
normally (not through encrypted tunnel)But lose ability to inspect outbound traffic
TLS/SSLDashboard allows administrator to control
settingsCurrent implementations similar to IPSec
flexibility
22 Copyright © 2014 M. E. Kabay. All rights reserved.
Site-to-Site VPNs
VPNs mostly used for client remote accessBut also used for secure internal
communicationsCan create equivalent of secure WAN
(Wide Area Network)Reduce complexity of physically-wired
WANTopics in next slides relating to Trusted VPNs
MPLSSite-to-Site VPNsInformation Assurance Considerations
23 Copyright © 2014 M. E. Kabay. All rights reserved.
MPLS: Multiprotocol Layer Switching (1)Not traditional encrypted VPNSimilar serviceComplex issues in
deploymentService providers differ
in offeringsTopics on next slides:
PurposeRequirements
24 Copyright © 2014 M. E. Kabay. All rights reserved.
MPLS (2): Purpose Typical WAN topologies = star, ring or mesh (or
combinations) MPLS creates
MeshedRoutedVirtual network atService provider level
MPLS free to route packets from 1 WAN endpoint to another in virtual network
Eliminates hub as single point of failure Can provide multiple QoS (quality of service) levels
Prioritize trafficAllow specific protocols more bandwidth at times
25 Copyright © 2014 M. E. Kabay. All rights reserved.
Site-to-Site (S2S) VPNs Purpose
Extend WAN concepts to areas where traditional direct connections (T1, frame relay…) are too expensive
Leased lines be too slow Alternative WAN
Use / share Internet connectionHigher bandwidth, lower cost
BackupRedundancy at relatively
low cost Requirements
Internet, VPN end-points (routers)Possibly VPN-enabled gateway security device (firewall)
26 Copyright © 2014 M. E. Kabay. All rights reserved.
IA Considerations
Remote-access VPN ConsiderationsFidelity of Mobile DeviceVPN Client ManagementProtection of VPN DeviceCryptographic OptionsTraffic InspectionProcessing Power InterceptionSite-to-Site VPN Considerations Implications of Elusive VPNs Impact of IPv6
27 Copyright © 2014 M. E. Kabay. All rights reserved.
IA Considerations
Remote-access VPN ConsiderationsBy nature of VPN, assuming
hostile environment for data transmission
Fidelity of Mobile DeviceEssential to protect laptops,
phones…Firewall, antivirus, patches, encryptionStatus may change during connectionNetwork Access Control (NAC)
Interrogate connecting device at loginVerify security statusComplex management issue
28 Copyright © 2014 M. E. Kabay. All rights reserved.
VPN Client Management
IPSec requires client-side app or embedded OSNeed to maintain up-to-date configurationAvoid user involvement
Push updates rather than pulling
TLS/SSL VPN less complex to administerAutomatic downloads of
small Java applets or ActiveX controls
Code can remain resident – avoid delay at re-initiation of sessions
29 Copyright © 2014 M. E. Kabay. All rights reserved.
Protection of VPN DeviceConfigure firewall to stop access to all unused portsRemove unacceptable cryptographic modesLimit access to network management protocols
such as ICMP & SNMP using ACLsDon’t allow insecure protocols such as FTP or HTTP
for administrationUse strong I&A
(e.g., token-based, two-factor)
30 Copyright © 2014 M. E. Kabay. All rights reserved.
Cryptographic Options
Selection of cryptographic protocolDuring IKE negotiation
Cipher suite determines what is availableRemove unacceptably weak protocols from
cipher suitePrevents incompatible clients from
connecting
31 Copyright © 2014 M. E. Kabay. All rights reserved.
Traffic InspectionEncrypted traffic on VPN interferes with content
inspectionLimit inspection to post-decryption packets
inside network after VPN device processes data stream
Some VPN systems do provide administrative dynamic decryption of packets for content inspection
32 Copyright © 2014 M. E. Kabay. All rights reserved.
Processing PowerVPN can easily become a bottleneckMonitor processing power required to maintain
bandwidth Increase dedicated VPN
devices as number of connections increases
Can sometimes add hardware encryption accelerators
33 Copyright © 2014 M. E. Kabay. All rights reserved.
Interception (1)
Possible to capture packetsDatagram Protocol spreads packets over
multiple routesThus end-point interception only practical
approachMassively parallel computational power
can crack encryptionMan-in-the-middle (MITM) attack
While VPN session being establishedAddress Resolution Protocol (ARP)
poisoning to redirect traffic to attacker’s system
34 Copyright © 2014 M. E. Kabay. All rights reserved.
Interception (2) IPsec MITM vector: preshared key
Group name & passwordAuthenticate IPsec connectionFiked emulates VPN termination & collects user
credentialsCan defend using client or computer certificate for IPsec
authentication SSLStrip (2009)
ARP-poisoning to intercept client request for TLS/SSLEstablishes valid TLS/SSL session with serverCreates HTTP session with user but puts fake lock icon
into browser windowCan reduce risk by forcing use of direct TLS/SSL
connections, not redirection from HTTP to HTTPS
35 Copyright © 2014 M. E. Kabay. All rights reserved.
Site-to-Site VPN Connections
Infrastructure DesignCostAvailability
36 Copyright © 2014 M. E. Kabay. All rights reserved.
Site-to-Site VPNs: Infrastructure DesignMultiprotocol Layer Switching (MPLS) changes
WAN administrationCan provide any-to-any connectivityMore difficult to troubleshoot than hub/spoke
topology Increased number of security devicesMaintain Border Gateway Protocol (BGP) routing
securityBoth sides must authenticate before being
added to routing tableVPN naturally puts Internet in contact with
internal networksImplement gateway security devices (GSD)
37 Copyright © 2014 M. E. Kabay. All rights reserved.
Site-to-Site VPNs: Cost
New / converted circuitsQoS (quality of service)
monitoringSupport for MPLS and routingTime for redesigning network
routing infrastructureSite-to-site (S2S) VPNs require
high processing powerMay need code upgrades ($$)
Higher administrative costs for managing increased number of devices
38 Copyright © 2014 M. E. Kabay. All rights reserved.
Site-to-Site VPNs: AvailabilityVPNs quickly become necessityMobile workforce may be severely impaired if VPNs go
downCan load-balance across redundant systems Ideally, connections in process will not be droppedMust have redundant (independent) infrastructure elements
Internet linksPowerOther network
components
39 Copyright © 2014 M. E. Kabay. All rights reserved.
Implications of Elusive VPNsMore VPNs in use than administrators may
be aware ofGotoMyPcMalicious VPNs such as botnet control
channelsLaplink™ software could allow
unauthorized access to work PCBypass normal administrative controlsPeer-to-peer (P2P) networks use VPN-like
featuresSkype can encrypt voice calls and file
transfersMust plan for these in defining policies
40 Copyright © 2014 M. E. Kabay. All rights reserved.
Impact of IPv6
We are running out of IPv4 address space (or have already)
Yet migration to IPv6 still not evident in real world
Verify that VPN infrastructure is IPv6 compliant
Expect to have to translate IPv6 into IPv4 for foreseeable future
IPv6 does provide support for IPSec automatically
41 Copyright © 2014 M. E. Kabay. All rights reserved.
ExtranetsInformation
Assurance GoalsExtranet ConceptsTypes of Extranet
AccessInformation
Assurance Considerations
42 Copyright © 2014 M. E. Kabay. All rights reserved.
Extranets: Information Assurance Goals Protecting shared information
assetsIncreased security issues with
external accessorsCompetitive advantage,
regulatory requirements Preventing information exposure
Principle of least privilegeIdentity managementAccess management
Minimizing ancillary risksRestrict outsiders’ access to
non-essential services
43 Copyright © 2014 M. E. Kabay. All rights reserved.
Extranet ConceptsService NW vs DMZ
Don’t count on DMZ (weak security) for extranet services
Define specific firewall architecture with particular settings for extranet servers
N-Tier ArchitectureDistribute functions across multiple serversE.g., separate front-end user-server from back-end
database serverSSL Encryption
Enforce HTTPS Secure Sockets Layer trafficVerify that padlock icon is implemented correctly
44 Copyright © 2014 M. E. Kabay. All rights reserved.
Types of Extranet Access Vendor/Partner Information Sharing
ERP (enterprise resource planning)SCM (supply chain management)
E-CommerceEDI (electronic data interchange)CRM (customer relationship
management)B2B (business to business)B2C (business to client)
Employee Self-ServiceE-mailBenefits systemsAccess to intranet systems
Norwich University extranets* owa for e-mail* my.norwich.edu* BannerWeb
45 Copyright © 2014 M. E. Kabay. All rights reserved.
Extranets: Information Assurance Considerations (1) Technical Security
Cannot secure using only a single point
Need security at multiple layers
Traffic InspectionDifficult between nodesMay have to inspect traffic on extranet server before
encryptionIncreases processing load on server CPU
Or may terminate SSL upstream and send cleartext data to extranet server
Relieves extranet server of need for decryption / encryption processing
46 Copyright © 2014 M. E. Kabay. All rights reserved.
Extranet IA Considerations (2) Internal Network Exposure
Compromise of extranet server must not allow breach of inside resources
Ensure appropriate firewalls to shield internal networks from extranet
ServerHarden servers by removing vulnerable unused services
Configure for minimum functionality requiredClose attention to patchesIntrusion prevention/detection devicesVirtualization has additional complexities
47 Copyright © 2014 M. E. Kabay. All rights reserved.
ApplicationMany systems susceptible to common attacks
Buffer overflowsSQL injectionCross-site scripting (XSS)
Developers must keep security in mind throughout process
Use best practicesStay current on threat
landscape
BO: failure to prevent data outside bounds of a buffer from being accepted in input and then used.
SQLI: DB query sw doesn’t test query statement for correctness.
XSS: Browser executes hostile script; e.g., hiding code in bogus URL for non-existent page.
Extranet IA Considerations (3)
48 Copyright © 2014 M. E. Kabay. All rights reserved.
Extranet IA Considerations (4) Policies
Provide written policies about requirements for access & use
Establish expectationsUseful for legal
proceedings Access & Identity
ManagementI&A support access
controlsBut passwords a poor
authentication methodBetter: issuing digital certificates
Availability: critical issue – plan for it! Impact of IPv6: infrastructure support issues
49 Copyright © 2014 M. E. Kabay. All rights reserved.
Now go and study