Chapter 4: Virtual Networks
Virtual Networks 1
Chapter 4: Virtual Networks
4.1 Security in networks
    4.1.1 Introduction
    4.1.2 Cryptography
    4.1.3 Cryptanalysis
    4.1.4 Symmetric key
    4.1.5 Asymmetric key
    4.1.6 Mixed systems
4.2 Virtual Private Networks, VPN
    4.2.1 Introduction
    4.2.2 PPTP
    4.2.3 L2TP
    4.2.4 IPsec
    4.2.5 SSL
4.3 Virtual Local Area Networks, VLAN
Virtual Networks 3
Introduction
Secure channel. Properties:
  Confidentiality
  Integrity
  Authenticity
  Non-repudiation
Figure: a Sender and a Receiver joined by a channel labelled "Secure channel?"
Virtual Networks 4
Introduction
Confidentiality: information transmitted over an insecure channel can only be understood by the intended destination(s); it must remain unintelligible to everyone else.
Ways of protection:
  Dedicated physical links (high cost, difficult maintenance)
  Cipher
Attack example: obtaining data from the sender
Virtual Networks 5
Introduction
Integrity: ensures that the transmitted information was not modified during the communication process; the message at the destination must be the same as at the source.
Ways of protection:
  Digital signature
Attack example: modifying the destination address of a product bought on the internet
Virtual Networks 6
Introduction
Authenticity: ensures the source of the information; avoids impersonation.
Ways of protection:
  Digital signature
  Challenge
  Human authentication: biometrics (fingerprint, retina, facial recognition, etc.)
Attack example: user impersonation in a bank transaction
Virtual Networks 7
Introduction
Non-repudiation: prevents the sender from denying having sent and the receiver from denying having received.
Ways of protection:
  Digital signature
Attack example: loss of an application form
Virtual Networks 8
Introduction
Insecure channel: non-reliable.
Attacks: violations of channel security.
  Types: passive, active
  Categories: interception, interruption, modification, fabrication
Virtual Networks 9
Introduction
Passive attacks: the attacker does not change the content of the transmitted information.
Objectives:
  Entity identification
  Traffic control
  Traffic analysis
  Detection of the usual data exchange times
Difficult to detect; easy to avoid -> encryption
Virtual Networks 10
Introduction
Active attacks: the attacker does change the content of the transmitted information.
Types:
  Masquerade (impostor)
  Replay (an intercepted message is repeated later)
  Message modification
  Denial of service
Difficult to prevent; easy to detect -> detection & recovery
Virtual Networks 11
Introduction
Interception: confidentiality attack, passive. An unauthorized intruder gains access to a non-shared resource.
E.g.:
  Traffic capture
  Obtaining copies of files or programs
Figure: Transmitter and Receiver, with an Intruder reading the channel
Virtual Networks 12
Introduction
Interruption: destruction of a shared resource. Active.
E.g.:
  Destruction of hardware
  Communication breakdown
Figure: Transmitter and Receiver, with an Intruder cutting the channel
Virtual Networks 13
Introduction
Modification: a non-shared resource is intercepted and modified by an unauthorized host before reaching its final destination. Active.
E.g.:
  Change in the sent data
Figure: Transmitter and Receiver, with an Intruder altering the traffic in transit
Virtual Networks 14
Introduction
Fabrication: authenticity attack, active. An unauthorized host (impostor) generates a resource that reaches the final destination.
E.g.:
  Fraudulent information
Figure: Transmitter and Receiver, with an Intruder injecting traffic towards the Receiver
Virtual Networks 16
Cryptography
Introduction: why?
  A way of protecting information against intruders (encryption & digital signatures)
Definition: the science of secret writing, for hiding information from third parties
Principle: keeping privacy between two or more communicating elements
Virtual Networks 17
Cryptography
Introduction: functioning basis
  Altering the original message so that no unauthorized party can access the information
  E.g. original message: "This lecture is boring"; altered message: "Wklv ohfwxuh lv erulqj" (Caesar cipher, K=3)
Virtual Networks 18
Cryptography
Cipher: mechanism that converts a plain message into an incomprehensible one
  The cipher algorithm needs a key
Decipher: mechanism that converts an incomprehensible message back into the original one
  Requires knowing the cipher algorithm used and the key
Virtual Networks 19
Cryptography
Introduction: functioning scheme
Figure: Transmitter -> cipher -> (insecure channel) -> decipher -> Receiver
Virtual Networks 21
Cryptanalysis
Introduction: definition
  Set of methods used to guess the key used by the communicating elements
Objective: reveal the secret of the communication
Attacks: brute force attack (most common). Types:
  Ciphertext-only attack
  Known-plaintext attack
  Chosen-plaintext attack
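Added example (not from the slides): the Caesar cipher of the "functioning basis" slide, together with the brute-force, ciphertext-only attack the cryptanalysis slide names. The tiny dictionary used to score candidate plaintexts is a constructed assumption; it shows why a key space of 26 gives no protection, which is the "key length" strength factor of the symmetric-key slides.

```python
"""Caesar cipher and a ciphertext-only brute-force attack on it (added example)."""


def caesar(text: str, key: int) -> str:
    """Shift every letter by `key` positions (mod 26); case and non-letters are preserved."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def decipher(ciphertext: str, key: int) -> str:
    """Deciphering with key k is ciphering with -k."""
    return caesar(ciphertext, -key)


# Constructed mini-dictionary: the attacker only needs a rough notion of what plaintext looks like.
COMMON_WORDS = {"the", "and", "this", "is", "a", "to", "of", "in", "it", "lecture", "boring"}


def score(candidate: str) -> int:
    """Number of words of the candidate that appear in the dictionary."""
    return sum(1 for w in candidate.lower().split() if w.strip(".,!?") in COMMON_WORDS)


def brute_force(ciphertext: str):
    """Ciphertext-only attack: try all 26 keys and return (key, plaintext) with the best score.

    With only 26 candidates the whole key space is searched instantly; the ciphertext alone
    (no known or chosen plaintext) is enough once candidates can be scored.
    """
    best_key, best_text, best_score = 0, ciphertext, -1
    for key in range(26):
        candidate = decipher(ciphertext, key)
        s = score(candidate)
        if s > best_score:
            best_key, best_text, best_score = key, candidate, s
    return best_key, best_text


if __name__ == "__main__":
    ct = caesar("This lecture is boring", 3)
    print(ct)                   # Wklv ohfwxuh lv erulqj
    print(brute_force(ct))      # (3, 'This lecture is boring')
```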
Virtual Networks 23
Symmetric Key
Features: private key; Transmitter & Receiver share the same key
Figure: Transmitter -> cipher -> decipher -> Receiver, both sides using the shared key
Virtual Networks 24
Symmetric Key
Algorithms: DES, 3DES, RC5, IDEA, AES
Requirements:
  Neither the plaintext nor the key may be extracted from the message
  The cost in time & money of obtaining the information must be higher than the value of the information obtained
Algorithm strength: internal complexity, key length
Virtual Networks 25
Symmetric Key
Accomplished objectives: confidentiality, integrity, authentication, non-repudiation (depending on the number of parties sharing the secret key)
Virtual Networks 26
Symmetric Key
Advantages: algorithm execution rate; best method for ciphering large pieces of information
Disadvantages: distribution of the private key; key management (the number of keys used is proportional to the number of secure channels used)
Virtual Networks 28
Asymmetric Key
Features: public key; every party has a pair of keys (private-public)
Figure: Transmitter -> cipher -> decipher -> Receiver; keys shown: Tx private, Tx public, Rx private, Rx public
Virtual Networks 29
Asymmetric Key
Algorithms: Diffie-Hellman, RSA, DSA
Requirements:
  Neither the plaintext nor the key may be extracted from the message
  The cost in time & money of obtaining the information must be higher than the value of the information obtained
  For a text encrypted with a public key there must be only one private key capable of decrypting it, and vice versa
Virtual Networks 30
Asymmetric Key
Accomplished objectives: confidentiality, integrity, authentication (offers very good mechanisms), non-repudiation (offers very good mechanisms)
Virtual Networks 31
Asymmetric Key
Advantages:
  No problems for key distribution -> public key
  If a user's private key is stolen, only the messages sent to that user are affected
  Better authentication mechanisms than symmetric systems
Disadvantages: algorithm execution rate
Virtual Networks 32
Asymmetric Key
Authentication: challenge-response, digital signature, digital certificate
Non-repudiation: digital signature, digital certificate
Virtual Networks 33
Asymmetric Key
Challenge-response: a challenge is sent in clear text; its response is only known by the transmitter. The transmitter sends the response ciphered with its private key.
Figure: Transmitter -> cipher -> decipher -> Receiver; keys shown: Tx private, Tx public, Rx private, Rx public
Virtual Networks 34
Asymmetric Key
Digital signature: verifies source authenticity. Parts:
  Signature (transmitter)
  Signature verification (receiver)
Figure: Transmitter -> signature -> signature verification -> Receiver; keys shown: Tx private, Tx public, Rx private, Rx public
Virtual Networks 35
Asymmetric Key
Digital signature: problem: the process is slow -> use of a fingerprint
Figure: Transmitter -> Receiver; keys shown: Tx private, Tx public, Rx private, Rx public
Virtual Networks 36
Asymmetric Key
Digital signature - fingerprint: reduces encryption time
Hash function: turns a variable-length set of data into a summary or fingerprint. A fingerprint has a fixed length and is illegible and meaningless.
  Irreversible
  Algorithms: SHA-1, MD5
  Requirements:
    Capability of turning variable-length data into fixed-length blocks
    Easy to use and implement
    Impossible to obtain the original text from the fingerprint
    Different texts must generate different fingerprints
Problem: key management
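Added example, not from the slides: hash-then-sign as the fingerprint slides describe. SHA-256 is the fingerprint (fixed 32 bytes whatever the message length) and a textbook RSA pair built on two constructed small primes (999983 and 1000003) is the slow asymmetric step, kept small so the arithmetic stays visible; the toy key size and the absence of padding are simplifications for illustration. `pow(e, -1, phi)` needs Python 3.8 or later.

```python
"""Sign the fingerprint of a message rather than the message itself (added example, toy RSA)."""
import hashlib
from math import gcd

# Constructed toy parameters: two primes just under and over 10^6 give a ~40-bit modulus.
P, Q = 999983, 1000003
E = 65537


def is_prime(n: int) -> bool:
    """Trial division; adequate for the ~10^6 toy primes used here."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for f in range(3, int(n ** 0.5) + 1, 2):
        if n % f == 0:
            return False
    return True


def keygen(p: int = P, q: int = Q, e: int = E):
    """Return (public, private) as ((n, e), (n, d))."""
    if not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must be prime")
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse of e
    return (n, e), (n, d)


def fingerprint(message: bytes) -> bytes:
    """SHA-256 digest: fixed length regardless of the input length, irreversible."""
    return hashlib.sha256(message).digest()


def sign(message: bytes, private) -> int:
    """Signature = fingerprint^d mod n: only the short fingerprint goes through the slow operation."""
    n, d = private
    h = int.from_bytes(fingerprint(message), "big") % n   # toy reduction; real schemes pad instead
    return pow(h, d, n)


def verify(message: bytes, signature: int, public) -> bool:
    """Receiver recomputes the fingerprint and compares it with signature^e mod n."""
    n, e = public
    h = int.from_bytes(fingerprint(message), "big") % n
    return pow(signature, e, n) == h


def demo() -> dict:
    pub, priv = keygen()
    msg = b"This lecture is boring"            # constructed message
    sig = sign(msg, priv)
    return {
        "digest_len": len(fingerprint(msg)),
        "long_digest_len": len(fingerprint(msg * 1000)),  # same length for a much longer input
        "valid": verify(msg, sig, pub),
        "tampered": verify(b"This lecture is exciting", sig, pub),  # integrity violation detected
    }


if __name__ == "__main__":
    print(demo())
```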
Virtual Networks 37
Asymmetric Key
Digital certificate: information unit containing a public-private key pair, together with the information needed to allow the owner secure communications
Contents:
  Public key
  Private key (if owner)
  Owner information
  Useful information (algorithms, allowed functions, ...)
  Valid-from
  Certificate Authority signatures
Revocation is possible
Virtual Networks 39
Mixed systems
Session keys: process
  Session key distribution (asymmetric)
  Secure communication (symmetric)
Figure: Transmitter and Receiver exchange a Session key; keys shown: Tx private, Tx public, Rx private, Rx public
Virtual Networks 41
Mixed systems
Accomplished objectives: confidentiality, integrity, authentication, non-repudiation
  Use of digital signatures & certificates
Virtual Networks 42
Mixed systems
Advantages:
  No problems for key distribution -> public key
  The session key is improbable to guess
  May use public key authentication & non-repudiation mechanisms
  Algorithm execution rate
Virtual Networks 44
Virtual Private Networks
Introduction: interconnection of users & entities
  Dedicated line (intranets): expensive, difficult to manage
  Use of a public access network: security risks
Figure: LAN connected to a Public network
Virtual Networks 45
Virtual Private Networks
Concept: VPN: private data channel implemented on top of a public communication network
Objectives:
  Linking remote subnetworks
  Linking subnetworks & remote users
Use of a virtual tunnel with encryption
Figure: LANs joined by a Virtual tunnel across the Public network
Virtual Networks 46
Virtual Private Networks
Requirements:
  Authentication & identity verification
  Virtual IP address range management
  Data cipher
  Management of digital certificates and public and private keys
  Support for many protocols
Virtual Networks 47
Virtual Private Networks
Types:
  Hardware-based systems: optimized specific designs; very secure and simple; high performance; high cost; additional services (firewalls, intrusion detectors, antivirus, etc.). Vendors: Cisco, Stonesoft, Juniper, Nokia, Panda Security
  Software-based systems
Virtual Networks 48
Virtual Private Networks
Advantages: security & confidentiality, cost reduction, scalability, simple management, compatibility with wireless links
Virtual Networks 49
Virtual Private Networks
Elements:
  Local or private networks: restricted-access LAN with a private IP address range
  Insecure networks
  VPN tunnels
  Servers
  Routers
  Remote users (road warriors)
  Remote offices (gateways)
Virtual Networks 50
Virtual Private Networks
Scenarios: P2P; LAN - LAN; LAN - remote user
Figure: the three scenarios, LANs and a remote user joined across the public network
Virtual Networks 52
PPTP
Features: Peer to Peer Tunnel Protocol (PPTP)
  Designed & developed by 3Com, Microsoft Corporation, Ascend Communications and ECI Telematics; defined by the IETF (RFC 2637)
  Used for secure virtual access of remote users to a private network
  Uses tunnel mechanisms to send data from client to server
  Uses a private or public IP network
Virtual Networks 53
PPTP
Functioning: the PPTP server is configured to distribute private LAN IP addresses; the server acts as a bridge
Figure: Remote user (67.187.11.25) -> PPTP server (192.168.1.1) -> LAN hosts 192.168.1.30, 192.168.1.31, 192.168.1.32; address pool for remote users 192.168.1.100 - 120
Virtual Networks 54
PPTP
Phases:
  PPP connection establishment with the ISP
  PPTP connection control: TCP connection, control message exchange
  Data transmission: GRE protocol, cipher
Virtual Networks 55
PPTP
PPP: Point-to-Point Protocol (RFC 1661)
  Data link layer
  Used for the connection to the ISP by means of a telephone line (modem) or PSTN
  Versions for broadband access (PPPoE and PPPoA)
  Functions:
    Establishing, maintaining and finishing the peer-to-peer connection
    User authentication (PAP and CHAP)
    Creation of encrypted frames
Figure: PPP frame encapsulating an IP datagram (PPP | IP | Data)
Virtual Networks 56
PPTP
PPTP connection control: specifies the session control messages:
  PPTP_START_SESSION_REQUEST: session start request
  PPTP_START_SESSION_REPLY: session start response
  PPTP_ECHO_REQUEST: session keepalive request
  PPTP_ECHO_REPLY: session keepalive response
  PPTP_WAN_ERROR_NOTIFY: error notification
  PPTP_SET_LINK_INFO: client-server connection configuration
  PPTP_STOP_SESSION_REQUEST: session stop request
  PPTP_STOP_SESSION_REPLY: session stop reply
Virtual Networks 57
PPTP
PPTP authentication: uses the same mechanisms as PPP:
  PAP (Password Authentication Protocol): very simple; name and password are sent in plaintext
  CHAP (Challenge Handshake Authentication Protocol): challenge-response mechanism; the client generates a fingerprint (MD5) from the received challenge and a shared secret key; challenges are re-sent to renew identity
Virtual Networks 58
PPTP
PPTP authentication: two new mechanisms:
  SPAP (Shiva Password Authentication Protocol): PAP with the client password sent encrypted
  MS-CHAP (Microsoft Challenge Handshake Authentication Protocol): proprietary CHAP-based algorithm by Microsoft; mutual authentication process (client & server); due to a security failure in Windows NT, MS-CHAP v2 was created
Virtual Networks 59
PPTP
Data transmission: uses a modification of the GRE (Generic Routing Encapsulation) protocol, RFC 1701 and 1702
Establishes a functional division into three protocols:
  Passenger protocol
  Carrier protocol
  Transport protocol
Figure: Passenger protocol carried inside the Carrier protocol, carried inside the Transport protocol
Virtual Networks 60
PPTP
Data transmission: PPP frames are sent encapsulated in IP datagrams
Figure: data packet: MAC | IP | GRE | PPP | Data; control packet: IP | TCP | Data
Virtual Networks 61
PPTP
Encryption: MPPE (Microsoft Point-To-Point Encryption), RFC 3078
  Uses the RSA RC4 algorithm -> session key derived from a client private key
  Only with CHAP or MS-CHAP
  Allows non-encrypted tunneling (PAP or SPAP) -> no VPN
Virtual Networks 62
PPTP
Advantages:
  Low implementation cost (uses a public network)
  No limit to the number of tunnels imposed by the server's physical interfaces (but the server needs more resources for every tunnel)
Disadvantages: very vulnerable
  Non-authenticated TCP connection control
  Weakness of the MS-CHAP protocol in NT systems
  Weakness of the MPPE protocol
  Use of private passwords
Virtual Networks 64
L2TP
Features: Layer 2 Tunneling Protocol (RFC 2661) - PPP; L2TP v3 (RFC 3931) - multiprotocol
  Based on two network protocols for carrying PPP frames: PPTP and L2F (Layer Two Forwarding)
  Used together with IPSec to offer more security (L2TP/IPSec, RFC 3193)
Virtual Networks 65
L2TP
Functioning: LAC: L2TP Access Concentrator; LNS: L2TP Network Server; the server acts as a bridge
Figure: Remote user (67.187.11.25) -> ISP (LAC) -> L2TP Server (LNS, 192.168.1.1) -> LAN hosts 192.168.1.31, 192.168.1.32; address pool 192.168.1.100 - 120; the tunnel is Voluntary (started by the user) or Compulsory (started by the LAC)
Virtual Networks 66
L2TP
Types of tunnels:
Compulsory:
  1) The user starts a PPP connection with the ISP
  2) The ISP accepts the connection & PPP link
  3) The ISP requests authentication
  4) The LAC starts an L2TP tunnel to the LNS
  5) If the LNS accepts, the LAC encapsulates PPP in L2TP and sends the frames
  6) The LNS accepts the L2TP frames & processes them as if they were PPP frames
  7) The LNS authenticates the PPP user as valid -> assigns an IP address
Voluntary:
  1) The remote user is connected to the ISP
  2) The L2TP client starts an L2TP tunnel to the LNS
  3) If the LNS accepts, the LAC encapsulates PPP in L2TP and sends it through the tunnel
  4) The LNS accepts the frames & processes them as if they were PPP frames
  5) The LNS authenticates the PPP user as valid -> assigns an IP address
Virtual Networks 67
L2TP
Messages: two types:
  Control: used during the establishment, keepalive & termination of the tunnel; reliable control channel (guarantees message delivery)
  Data: encapsulates the information into a PPP frame; uses UDP port 1701
Virtual Networks 68
L2TP
Control messages: connection keepalive:
  Start-Control-Connection-Request: session start request
  Start-Control-Connection-Reply: session start response
  Start-Control-Connection-Connected: established session
  Start-Control-Connection-Notification: session end
  Hello: sent during inactivity periods
Virtual Networks 69
L2TP
Control messages: 'call' keepalive:
  Outgoing-Call-Request: start of outgoing call
  Outgoing-Call-Reply: start of outgoing call response
  Outgoing-Call-Connected: outgoing call established
  Incoming-Call-Request: start of incoming call
  Incoming-Call-Reply: start of incoming call response
  Incoming-Call-Connected: incoming call established
  Call-Disconnect-Notify: call stop
Virtual Networks 70
L2TP
Control messages: error notification:
  WAN-Error-Notify
PPP control session:
  Set-Link-Info: configures the client-server connection
Virtual Networks 71
L2TP
Advantages: low implementation cost; multiprotocol support
Disadvantages:
  Only the two terminals in the tunnel are identified (possible impersonation attacks)
  No support for integrity (possible denial of service attack)
  Does not provide confidentiality
  Does not offer encryption, though PPP may be encrypted (no mechanism for automatic key generation)
Virtual Networks 73
IPSec
Features: Internet Protocol Security
  Offers security services for the network layer
  Allows linking different networks (remote offices)
  Allows a remote user to access the private resources in a network
  IETF (Internet Engineering Task Force) standard
  Integrated in IPv4; included by default in IPv6
  IPSec is connection oriented
Virtual Networks 74
IPSec
Features: services:
  Data integrity
  Source authentication
  Confidentiality
  Replay attack prevention
Functioning modes: transport mode, tunnel mode
Virtual Networks 75
IPSec
Security association (SA): definition:
  "Unidirectional agreement between the parties in an IPSec connection on the methods & parameters used for the tunnel structure. They must guarantee the security of the transmitted data"
An entity must store: the security algorithms and keys used, the functioning mode, the key management methods, the valid time of the established connection, and a database with the SAs
Virtual Networks 76
IPSec
Security association: example:
  SPI: 12345
  Source IP: 200.168.1.100
  Dest IP: 193.68.2.23
  Protocol: ESP
  Encryption algorithm: 3DES-cbc
  HMAC algorithm: MD5
  Encryption key: 0x7aeaca…
  HMAC key: 0xc0291f…
Methods for key distribution & management: manual (personal delivery); automatic (AutoKey IKE)
Virtual Networks 77
IPSec
IKE protocol: Internet Key Exchange Protocol (IKE), defined by the IETF
  Key distribution & management
  SA establishment
  The standard is not limited to IPSec (OSPF or RIP)
Hybrid protocol:
  ISAKMP (Internet Security Association and Key Management Protocol): defines the message syntax and the procedures needed for SA establishment, negotiation, modification and deletion
  Oakley: specifies the logic for the secure key exchange
Virtual Networks 78
IPSec
IKE - IPSec tunnel negotiation: two phases:
  Phase 1: establishment of a secure bidirectional communication channel (IKE SA); the IKE SA is different from the IPSec SA and is also called ISAKMP SA
  Phase 2: agreement on the cipher and authentication algorithms -> IPSec SA; uses ISAKMP to generate the IPSec SA; the initiator offers different possibilities and the other entity accepts the first configuration compatible with its limitations; they inform each other about the type of traffic
Virtual Networks 79
IPSec
Advantages:
  Allows remote access in a secure way
  Best option for e-commerce (secure infrastructure for electronic transactions)
  Allows secure corporate networks (extranets) over public networks
Virtual Networks 80
IPSec
Protocols: Authentication Header protocol (AH); Encapsulated Secure Payload (ESP)
Virtual Networks 81
IPSec
AH protocol: network layer; Protocol field: 51
Provided services:
  Integrity
  Authentication
  Does not guarantee confidentiality (no data encryption)
HMAC (Hash Message Authentication Code): generation of a digital fingerprint (SHA or MD5); encryption of the digital fingerprint with the shared secret
Virtual Networks 82
IPSec
AH protocol: HMAC
Figure: Transmitter computes the HMAC over IP | AH | DATA; Receiver recomputes the HMAC over IP | AH | DATA and compares
Virtual Networks 83
IPSec
AH protocol: format
Figure: IP header | AH header | Data. AH header (32-bit words):
  Next header | Payload length | Reserved
  Security Parameters Index (SPI)
  Sequence number
  Authentication data
Virtual Networks 84
IPSec
AH protocol: format:
  Next header: upper layer protocol
  Payload length: data field length (32 bits)
  Security Parameters Index (SPI): SA identifier
  Sequence number
  Authentication data: variable-length HMAC
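Added example (not part of the slides): the AH header laid out above, built and checked in Python with HMAC-SHA1-96 over the packet with mutable IP fields zeroed, then a receiver that rejects a modified packet and a replayed one (the "replay attack prevention" service). The source/destination addresses and SPI are taken from the slides' SA example; the key, payload and the set-based anti-replay memory (a real implementation keeps a sliding window) are constructed simplifications.

```python
"""IPsec AH (protocol 51): HMAC integrity/authentication plus sequence-number replay check (added example)."""
import hashlib
import hmac
import struct

AH_PROTO = 51                                   # Protocol value in the outer IP header
ICV_LEN = 12                                    # HMAC-SHA1-96: 160-bit digest truncated to 96 bits
AH_FIXED = "!BBHII"                             # next header, payload length, reserved, SPI, sequence number
AH_FIXED_LEN = struct.calcsize(AH_FIXED)        # 12 bytes
AH_LEN = AH_FIXED_LEN + ICV_LEN                 # 24 bytes
PAYLOAD_LEN = AH_LEN // 4 - 2                   # AH length in 32-bit words minus 2 (RFC 4302) -> 4


def make_ipv4_header(src: bytes, dst: bytes, total_len: int, ttl: int = 64) -> bytes:
    """Constructed minimal IPv4 header (no options) announcing AH as its payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, AH_PROTO, 0, src, dst)


def immutable_view(ip_header: bytes) -> bytes:
    """Zero fields routers change in transit (TTL and checksum here; RFC 4302 also lists
    DSCP/ECN, flags and fragment offset) so sender and receiver HMAC identical bytes."""
    h = bytearray(ip_header)
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # header checksum
    return bytes(h)


def compute_icv(key: bytes, ip_header: bytes, ah_fixed: bytes, data: bytes) -> bytes:
    # The ICV covers the whole packet with the Authentication data field itself set to zero.
    covered = immutable_view(ip_header) + ah_fixed + bytes(ICV_LEN) + data
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: bytes, dst: bytes, next_header: int, spi: int, seq: int, data: bytes) -> bytes:
    ip_header = make_ipv4_header(src, dst, 20 + AH_LEN + len(data))
    ah_fixed = struct.pack(AH_FIXED, next_header, PAYLOAD_LEN, 0, spi, seq)
    return ip_header + ah_fixed + compute_icv(key, ip_header, ah_fixed, data) + data


class AhReceiver:
    """Receiving side of one inbound SA (selected by SPI) with a simplified anti-replay memory."""

    def __init__(self, key: bytes, spi: int):
        self.key, self.spi, self.seen = key, spi, set()

    def verify(self, packet: bytes):
        ip_header, rest = packet[:20], packet[20:]
        ah_fixed, icv, data = rest[:AH_FIXED_LEN], rest[AH_FIXED_LEN:AH_LEN], rest[AH_LEN:]
        next_header, payload_len, _, spi, seq = struct.unpack(AH_FIXED, ah_fixed)
        if spi != self.spi or payload_len != PAYLOAD_LEN:
            return False, "no matching SA"
        if seq in self.seen:                              # replay attack prevention
            return False, "replay"
        expected = compute_icv(self.key, ip_header, ah_fixed, data)
        if not hmac.compare_digest(expected, icv):        # constant-time comparison
            return False, "integrity check failed"
        self.seen.add(seq)                                # accept only after the ICV checks out
        return True, next_header


def demo() -> dict:
    key = b"constructed-shared-secret"                   # in practice negotiated by IKE
    src, dst = bytes([200, 168, 1, 100]), bytes([193, 68, 2, 23])   # slides' SA example addresses
    rx = AhReceiver(key, spi=12345)
    payload = b"GET / HTTP/1.0\r\n"
    pkt1 = build_ah_packet(key, src, dst, next_header=6, spi=12345, seq=1, data=payload)
    intact = rx.verify(pkt1)
    pkt2 = bytearray(build_ah_packet(key, src, dst, 6, 12345, 2, payload))
    pkt2[-3] ^= 0x01                                     # modification attack: one payload byte flipped
    modified = rx.verify(bytes(pkt2))
    replayed = rx.verify(pkt1)                           # replay attack: resend an accepted packet
    return {"intact": intact, "modified": modified, "replayed": replayed}


if __name__ == "__main__":
    print(demo())
```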
Virtual Networks 85
IPSec
ESP protocol: network layer; Protocol field: 50
Supported services:
  Integrity (optional)
  Authentication (optional)
  Confidentiality (data encryption)
Symmetric key encryption algorithm (DES, 3DES, Blowfish); usually block encryption (padding); requires a secure mechanism for key distribution (IKE)
Virtual Networks 86
IPSec
ESP protocol:
Figure: Transmitter sends IP | ESP header | DATA | ESP trailer | ESP authentication; Receiver decrypts and verifies it
Virtual Networks 87
IPSec
ESP protocol: format
Figure: IP header | ESP header | Data | ESP trailer (32-bit words):
  Security Parameters Index (SPI)
  Sequence number
  ESP data (encrypted)
  Padding | Pad length | Next header
  Authentication data
Virtual Networks 88
IPSec
ESP protocol: format:
  Security Parameters Index (SPI): SA identifier
  Sequence number
  Padding
  Pad length: padding length (bytes)
  Next header: upper layer protocol
  Authentication data: variable-length HMAC
Virtual Networks 89
IPSec
Modes of operation: applicable to AH & ESP
  Transport mode using AH
  Transport mode using ESP
  Tunnel mode using AH
  Tunnel mode using ESP (most used)
Virtual Networks 90
IPSec
Transport mode: data are encapsulated in an AH or ESP datagram; ensures end-to-end communication in a client-client scheme (both ends must understand IPSec); used to connect remote users
Figure: IPSec host (IP 1) and IPSec host (IP 2) exchange packets of the form IP header (IP 1 -> IP 2) | IPSec | Data
Virtual Networks 91
IPSec
Transport mode:
  AH: Next header = Protocol in the IP header
  ESP: Next header = Protocol in the IP header
Figure: AH transport: Original IP header | AH header | Data, with authentication covering the whole packet
Figure: ESP transport: Original IP header | ESP header | Data, with encryption covering Data and authentication covering ESP header and Data
Virtual Networks 92
IPSec
Tunnel mode: data are encapsulated in a whole IP datagram; a new IP header is generated; used when the final destination is not the IPSec end (gateways)
Figure: Host without IPSec (IP 1) -> gateway using IPSec (IP A) -> packet IP header (IP A -> IP B) | IPSec | original IP header (IP 1 -> IP 2) | Data -> gateway using IPSec (IP B) -> Host without IPSec (IP 2)
Virtual Networks 93
IPSec
Tunnel mode:
  AH: new IP header Protocol = 51 & Next header = 4
  ESP: new IP header Protocol = 50 & Next header = 4
Figure: AH tunnel: New IP header | AH header | Original IP header | Data, with authentication covering the whole packet
Figure: ESP tunnel: New IP header | ESP header | Original IP header | Data, with encryption covering Original IP header and Data and authentication covering ESP header onwards
Virtual Networks 95
SSL
OpenVPN project: implementation of a VPN based on SSL (OpenSSL); free software (GPL); reason: the limitations of IPSec
Features:
  A driver is in charge of building the tunnel & encapsulating packets through a virtual link
  Allows authentication & encryption
  All communications use a single TCP or UDP port (default 1194)
  Multiplatform
  Allows compression
Virtual Networks 96
SSL
OpenVPN project: features:
  Client-server model (version 2.0)
  Self-installing packages and graphical interfaces
  Allows remote management
  Great flexibility (many script formats)
Virtual Networks 98
VLAN
Introduction:
  Modern institutional LANs usually have a hierarchical topology
  Each workgroup has its own switched LAN
  Switched LANs can be interconnected through a hierarchy of switches
Figure: hosts A, B, C, D, E, F, G, H, I attached to switches S1, S2, S3, S4 arranged in a hierarchy
Virtual Networks 99
VLAN
Drawbacks:
  Lack of traffic isolation: broadcast traffic; traffic must be limited for security and confidentiality reasons
  Inefficient use of switches
  User management
Virtual Networks 100
VLAN
VLAN: port-based VLAN
  The switch ports are divided into groups
  Each group constitutes a VLAN
  Each VLAN is a broadcast domain
  User management -> change of the switch configuration
Figure: one switch whose ports for hosts A B C D E F G H I are split into groups
Virtual Networks 101
VLAN
VLAN: how to send information between groups?
  Connect a port of the VLAN switch to an external router
  Configure that port as a member of both groups
  Logical configuration -> separate switches connected through a router
  Manufacturers usually include the VLAN switch and the router in a single device
Figure: one switch with hosts A B C D E F G H I in two groups and a port towards the router
Virtual Networks 102
VLAN
VLAN: different locations
  Members of a group are in different buildings
  Several switches are needed
  Connecting group ports between switches -> not scalable
Figure: two switches, hosts A B C and D E F G H I, with one inter-switch link per VLAN
Virtual Networks 103
VLAN
VLAN: different locations
  VLAN trunking: the trunk port belongs to all VLANs
  Destination VLAN of the frame? -> 802.1Q frame format
Figure: two switches, hosts A B C and D E F G H I, joined by a single Trunk link
Virtual Networks 104
VLAN
IEEE 802.1Q:
  IEEE 802.3 (Ethernet) frame: Preamble | Dest. address | Source address | Type | Data | CRC
  IEEE 802.1Q frame: Preamble | Dest. address | Source address | TPID | TCI | Type | Data | new CRC
  TPID: Tag Protocol Identifier
  TCI: Tag Control Information
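Added example (not part of the slides): inserting, parsing and stripping the 802.1Q tag in a constructed Ethernet frame, which is what a trunk port does on egress and an access port does on delivery, including the check that a frame is only delivered to an access port in its own VLAN. Preamble and CRC are left to the NIC; the MAC addresses, VLAN ids and payload are constructed values.

```python
"""IEEE 802.1Q tagging: TPID + TCI inserted between source MAC and Type (added example)."""
import struct

TPID_8021Q = 0x8100            # Tag Protocol Identifier announcing a VLAN tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged 802.3 frame as software sees it: dst MAC | src MAC | Type | Data."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert TPID and TCI after the source MAC, as a trunk port does on egress.
    TCI = 3-bit PCP (priority) | 1-bit DEI | 12-bit VID."""
    if not 1 <= vid <= 4094:                     # 0 = priority-only tag, 4095 reserved
        raise ValueError("VID must be 1..4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("bad PCP/DEI")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Return VLAN id (None if untagged), priority bits, inner Type and payload."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return {"vid": tci & 0x0FFF, "pcp": tci >> 13, "dei": (tci >> 12) & 1,
                "ethertype": inner_type, "payload": frame[18:]}
    return {"vid": None, "pcp": None, "dei": None, "ethertype": ethertype, "payload": frame[14:]}


def untag_frame(frame: bytes) -> bytes:
    """Remove the 4-byte tag; untagged frames are returned unchanged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def deliver_to_access_port(tagged: bytes, port_vid: int):
    """Trunk -> access port: deliver untagged only if the frame's VID is the port's VLAN,
    otherwise drop it (each VLAN is its own broadcast domain)."""
    if parse_frame(tagged)["vid"] != port_vid:
        return None
    return untag_frame(tagged)


if __name__ == "__main__":
    f = build_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455"), ETHERTYPE_IPV4, b"payload")
    t = tag_frame(f, vid=10, pcp=5)
    print(parse_frame(t))
    print(deliver_to_access_port(t, 10) == f, deliver_to_access_port(t, 20))
```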
Virtual Networks 105
VLAN
VLAN: MAC-based VLAN (layer 2)
  The network administrator creates VLAN groups based on MAC address ranges
  The switch port is connected to the VLAN corresponding to the MAC address of the attached host
Layer 3 VLAN:
  Based on IPv4 or IPv6 network addresses
  Based on network protocols (AppleTalk, IPX, TCP/IP)