Copyright 2005-2010 Kenneth M. Chipps Ph.D. 1 VPN Last Update 2010.11.29 1.3.0.
Copyright 2005-2010 Kenneth M. Chipps Ph.D. www.chipps.com
VPN
Last Update 2010.11.29
1.3.0
Objective
• Learn what a VPN is and why you would use one
What is a VPN
• A VPN – Virtual Private Network is a method used to add security to a WAN link
• This added security is especially important for those methods of linking Point A to Point B that make the link through the Internet
Types of VPNs
• A VPN can be purchased as a service from a service provider or it can be set up by the end user
• If a service provider is used, this service provider can be the same one that provided the data line or a provider that just adds a VPN on top of the data line
Types of VPNs
• Service provider offerings are typically one of two methods
– IPSec-encrypted tunnel VPN
– MPLS VPN
• IPSec tunnel-based VPNs are sometimes referred to as client-premises equipment-based VPNs because the service provider typically places equipment at the client site
Types of VPNs
• This device handles encryption and decryption of traffic before it goes out over the service provider's network
• Traffic within the service provider network is routed the same as any other IP traffic, and the service provider has no visibility into the IP tunnel
Types of VPNs
• Nor does the service provider network need to be configured in any special manner to support IPSec VPNs
• Because traffic in an IPSec-based VPN is encrypted, it is generally considered secure to use IPSec to transport sensitive traffic over a public IP network
Types of VPNs
• An IPSec-based VPN can also be offered by a service provider as a managed service
• With this type of VPN, the service provider deploys and manages the customer premises equipment, and all traffic is carried over that provider's network
• This lets the provider offer service-level guarantees for assured performance
Types of VPNs
• These are also sometimes called Private IP Networks
• An end user can also deploy their own VPN devices
• This approach is recommended for connecting branch offices that only have one Internet connection
Types of VPNs
• The disadvantages of the do-it-yourself method are that you are responsible for managing the VPN configurations and, because the traffic is traversing the Internet, there are no performance guarantees
• However, a do-it-yourself approach lets corporations establish a VPN to any site that has access to the Internet, regardless of whose network they must use to do this
Types of VPNs
• The second type of service provider based VPN operates at either layer 2 or layer 3
• Layer 2 VPNs based on the IETF - Internet Engineering Task Force's Martini draft or Kompella draft simply emulate layer 2 services such as Frame Relay, ATM or Ethernet
Types of VPNs
• Typically, layer 2 MPLS VPNs are invisible to the end user, much in the same way the underlying ATM infrastructure is invisible to Frame Relay users
• The customer is still buying Frame Relay or ATM, regardless of how the provider provisions the service
Types of VPNs
• With layer 3 MPLS VPNs, also known as IP enabled or Private IP VPNs, service providers assign labels to IP traffic flows
• These labels represent unique identifiers and allow for the creation of virtual IP circuits or LSP - Label Switched Paths within an IP network
Types of VPNs
• By using labels, a service provider can create closed paths that are isolated from other traffic within the service provider's network, providing the same level of security as other PVC - Private Virtual Circuit type of services such as Frame Relay or ATM
Types of VPNs
• Because MPLS VPNs require the service provider to modify its network, they are considered network-based VPNs
• MPLS-based VPNs require no client devices, and tunnels usually terminate at the service provider edge router
• Layer 3 VPNs offer significant advantages over traditional Layer 2 services
Types of VPNs
• Because they rely on IP routing to build paths, they can easily be used to create fully or partially meshed networks within a service provider cloud, with only one entry point into the cloud from each location
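As an added illustration that is not from the slides or the cited article, the following Python simulation forwards packets from two customers through a constructed provider core on the label alone, the way the label switched paths above are described. It goes one step beyond the slides by giving both customers the same destination prefix, which the label-based paths still keep apart. All router names, labels and tables are constructed for the demo.

```python
from __future__ import annotations

# Core label-switching routers forward on the incoming label alone:
# in_label -> (next_hop, out_label). out_label None means "pop" (end of the LSP).
# Constructed topology: ingress PE-A, core P1/P2, egress PE-B (CustA) and PE-C (CustB).
CORE_TABLES = {
    "P1": {100: ("P2", 200), 300: ("P2", 400)},
    "P2": {200: ("PE-B", None), 400: ("PE-C", None)},
}

# Ingress PE-A keeps one routing table (VRF) per customer. Both customers reach
# 10.0.1.0/24 at their far site; that is fine because the label, not the IP
# address, steers the packet through the provider core.
VRFS = {
    "CustA": {"10.0.1.": ("P1", 100)},
    "CustB": {"10.0.1.": ("P1", 300)},
}


def forward(customer: str, dst_ip: str):
    """Walk a packet along its LSP. Returns the hops as (router, label carried
    when leaving that router), or None if the packet is dropped."""
    vrf = VRFS.get(customer, {})
    route = next((r for prefix, r in vrf.items() if dst_ip.startswith(prefix)), None)
    if route is None:
        return None                       # no route in this customer's VRF
    node, label = route
    hops = [("PE-A", label)]              # ingress pushes the first label
    while label is not None:
        entry = CORE_TABLES.get(node, {}).get(label)
        if entry is None:
            return None                   # label unknown on this router: dropped
        next_hop, out_label = entry       # label swap, or pop when out_label is None
        hops.append((node, out_label))
        node, label = next_hop, out_label
    hops.append((node, None))             # egress PE delivers the plain IP packet
    return hops


def egress_of(customer: str, dst_ip: str):
    """Which provider edge router a customer's packet leaves the cloud at."""
    hops = forward(customer, dst_ip)
    return hops[-1][0] if hops else None


if __name__ == "__main__":
    for cust in ("CustA", "CustB"):
        print(cust, "->", forward(cust, "10.0.1.5"))
```

The same destination address ends at PE-B for CustA and PE-C for CustB, and a destination with no entry in the customer's VRF is dropped at the ingress instead of leaking into another customer's path.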
Sources
• The preceding is from a discussion from April 2002 in Network Fusion by Irwin Lazar
Types of VPNs
• When an organization sets up its own VPN connections it can also use an IPSec-based VPN
• Considering the difficulty in distributing the required certificates, many have begun switching to SSL instead
• This is the same Secure Sockets Layer that is used for online web purchases
Types of VPNs
• By using SSL the need to load special software on each workstation is avoided
• At present SSL is limited to just a few applications as they must be browser based
How to Create a VPN
• To create a VPN – Virtual Private Network connection two things are required
– A tunnel
– An encryption method
The Tunnel
• The tunnel is the VPN connection
An Encryption Method
• The encryption method makes the data unreadable
Type of VPNs
• Remote Access
• Site to Site
Remote Access
• A single computer connecting to a centralized VPN server is remote access
Site to Site
• A site to site or gateway to gateway VPN uses devices at each end to allow two LANs to connect to each other
IPSec Process
• An IPSec VPN relies on three things to ensure the data is safe
– Encryption
– Authentication
– Message Integrity
Encryption
• IPSec encryption uses two pairs of encryption algorithms to
– Hide the data
– Recover the data
• Here is the process as shown in Wendell Odom's ICND2 book
Encryption
• (Figure: the IPSec encryption process from Wendell Odom's ICND2 book; this slide is an image only)
Encryption
• There are several algorithms of increasing security, but also of increasing load on the devices using them
• As shown in Wendell Odom's ICND2 book
Encryption
• (Figure: the IPSec encryption algorithms from Wendell Odom's ICND2 book; this slide is an image only)
Encryption
• As discussed above, the process requires a key
• How is the key to be exchanged before the VPN is established?
• This can be through a phone call, a letter, or unsecured email
• This is simply the PSK – Pre-Shared Key process
Encryption
• The other problem is that once the PSK is distributed it is rarely changed
Authentication
• Authentication is part of the PSK process
Message Integrity
• Message integrity is part of this basic process as well
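The three properties of the IPSec process above (encryption, authentication, message integrity) and the PSK problem, as an added Python example that is not from the slides or from Odom's book: the PSK is turned into separate encryption and integrity keys, each packet is encrypted and then tagged with an HMAC, and the receiver verifies the tag before decrypting, so a tampered packet or a peer with a different PSK is rejected. The packet layout, the per-session salt, and the SHA-256 counter-mode keystream standing in for AES are all constructed for this demo.

```python
from __future__ import annotations
import hashlib
import hmac
import struct


def derive_keys(psk: bytes, session_salt: bytes) -> tuple[bytes, bytes]:
    """Turn the PSK into separate encryption and integrity keys.
    The per-session salt (assumed to be exchanged in the clear at setup) means
    a PSK that is rarely rotated is never used directly as a traffic key."""
    okm = hashlib.pbkdf2_hmac("sha256", psk, session_salt, 10_000, dklen=64)
    return okm[:32], okm[32:]


def keystream(key: bytes, seq: int, length: int) -> bytes:
    # Toy counter-mode keystream from SHA-256; a stand-in for AES in this demo only.
    out = b""
    for block in range((length + 31) // 32):
        out += hashlib.sha256(key + struct.pack(">II", seq, block)).digest()
    return out[:length]


def protect(enc_key: bytes, mac_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Build a packet: 4-byte sequence number || ciphertext || 32-byte HMAC tag.
    Encryption hides the data; the HMAC over header+ciphertext gives integrity
    and proves the sender holds the PSK-derived key (authentication)."""
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, seq, len(plaintext))))
    hdr = struct.pack(">I", seq)
    tag = hmac.new(mac_key, hdr + ct, hashlib.sha256).digest()
    return hdr + ct + tag


def unprotect(enc_key: bytes, mac_key: bytes, packet: bytes) -> tuple[int, bytes]:
    """Verify the tag first (constant-time compare), then decrypt. Tampering or a
    peer with a different PSK fails here, before the ciphertext is touched."""
    hdr, ct, tag = packet[:4], packet[4:-32], packet[-32:]
    expected = hmac.new(mac_key, hdr + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity/authentication check failed")
    seq = struct.unpack(">I", hdr)[0]
    return seq, bytes(c ^ k for c, k in zip(ct, keystream(enc_key, seq, len(ct))))


if __name__ == "__main__":
    # Constructed demo values: both gateways share the PSK and the session salt.
    psk, salt = b"demo-pre-shared-key", b"\x01" * 16
    ek, mk = derive_keys(psk, salt)
    pkt = protect(ek, mk, 1, b"payroll data for the branch office")
    print(unprotect(ek, mk, pkt))
    bad = pkt[:4] + bytes([pkt[4] ^ 0x01]) + pkt[5:]   # flip one ciphertext bit
    try:
        unprotect(ek, mk, bad)
    except ValueError as err:
        print("rejected:", err)
```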
Common VPN Alternatives
• Here is a table showing the common VPN alternatives as of May 2006
• This is copied from Cisco’s Packet magazine
Common VPN Alternatives
• (Table of common VPN alternatives, copied from Cisco's Packet magazine; this slide is an image only)