1 Guide to Network Defense and Countermeasures Chapter 7

1

Guide to Network Defense and Countermeasures

Chapter 7

2

Chapter 7 - Setting up a Virtual Private Network

Explain the “what, why, and how” of virtual private networks (VPNs)

Understand the tunneling protocols that enable secure VPN connections

Describe the encryption schemes used by VPNs

Know how to adjust packet filtering rules for VPNs

3

A VPN provides a way for two computers or networks to communicate securely using the same public channels available on the Internet The “V” in VPN means virtual; rather than a direct

network cable connection, a combination of Internet-based routers and network segments are used

The “P” means private; only the designated end points of the VPN connection (tunnel) participate

The “N” means network; it connects one group of computers to another, and extends the network’s boundaries

Exploring VPNs: What, Why, and How

4

VPN components: VPN server, or host is a computer configured to accept

connections from clients who either dial in or connect directly using a broadband connection

VPN client, or guest can be a router that serves as the end-point of a gateway-to-gateway connection, or can be a computer configured as an endpoint

Tunnel - the connection through which data is sent VPN protocols are standardized communication

settings that hardware and software use to encrypt data that is sent along the VPN, including IPSec, PPTP, and L2TP


5

Two types of VPNs: Site-to-site links two or more networks Client-to-site allows network access to dial-in users

Hardware vs. software VPNs: Hardware-based VPNs connect one gateway to

another; typically the gateways are routers that encrypt/decrypt, but could be a VPN appliance

Software-based VPNs are usually integrated with firewalls, and as a result, increase network security; software solutions offer maximum flexibility


6

7

8

9

VPN combinations: Combining VPN hardware or software with other

hardware and software adds network security; one useful combination is a VPN bundled with a firewall, since VPNs do not replace firewall functionality

VPN core activity #1: Encapsulation Data encapsulation means that a packet is enclosed

within another one that has different IP addressing data to provide a higher degree of protection

Data packets are encapsulated within packets that use the source/destination of the VPN gateway


10

11

VPN core activity #2: Encryption Encryption is the process of rendering information

unreadable by all but the intended recipient VPN endpoints encrypt/decrypt data by exchanging

keys, or blocks of encoded data; the key is part of an electronic document called a digital signature

VPN core activity #3: Authentication Authentication is the process of identifying a user or

computer as being authorized to access a network Authentication uses digital certificates; the tunneling

protocol determines the type of authentication


12

13

14

Why establish a VPN? The need for private business transactions drives an

increasing number of organizations to adopt VPNs; e-commerce popularity provides an incentive as well; government and military agencies share more information in order to provide homeland security

Budgetary considerations have always made VPNs attractive to businesses; also, many businesses employ remote users who need network access

Another incentive for creating a VPN is the need to establish a high level of security in an extranet


15

16

Advantages and disadvantages of VPNs VPNs provide a high level of security, but if a VPN is

poorly configured or a remote user at an endpoint disables their firewall by mistake and lets in a hacker, the normal protection can be undone

VPNs can be complex to configure and the hardware can represent a substantial investment

By focusing on Internet-based technologies, VPNs simplify a network overall

Running a VPN means better opportunity to maximize network uptime


17

18

How to configure VPNs: To set up a VPN, define a VPN domain A VPN domain is a set of one or more computers

that is handled by the VPN hardware and software as a single entity, and that uses the VPN to communicate with another domain

Besides defining a VPN domain, determine whether the network gateway will be included in that domain; that, in turn, depends on whether the network has a site-to-site or client-to-site type of VPN configuration


19

20

Single and multiple-entry point configurations Smaller networks that use VPNs often have single

entry point configurations, where all traffic to and from the network passes through a single gateway such as a router or firewall or both

Large organizations have networks that require multiple-entry point configurations, in which multiple gateways are used, each with a tunnel connecting a different location

In multiple-entry point configurations, it is important to exclude the gateway itself from the VPN domain


21

22

23

VPN topology configurations: In a mesh topology, all the participants in the VPN

have Security Associations (SAs) with one another; full mesh is where every subnet is connected to every other; partial mesh is where any subnet may or may not be connected to the other subnets

In a star topology, the VPN gateway is the hub, and other participating networks are called rim subnets

As organizations with VPNs grow to include new computers and new branch offices, they naturally evolve from a mesh or hub-and-spoke to a hybrid system that combines the two topologies


24

25

26

IPSec/IKE: Internet Protocol Security (IPSec) was developed for

enabling secure communications in the Internet IPSec has become the standard set of protocols for

VPN security because: it works at the Network layer; it has the ability to encrypt the entire TCP/IP packet; it can work with IPv6; it provides authentication of source and destination computers

The biggest advantage to using IPSec is the fact that it has gone through the standardization process and is supported by a wide variety of VPN hardware and software

Understanding Tunneling Protocols

27

28

29

Secure Shell (SSH): Secure Shell (SSH) provides for authentication and

encryption of TCP/IP packets over a VPN SSH works with UNIX-based systems and creates a

secure Transport layer connection, and makes use of public key cryptography

Socks V.5: Socks provides proxy services for applications that

don’t normally support proxying; Socks Version 5 adds encrypted authentication and UDP support


30

Point-to-point tunneling protocol (PPTP): Point-to-point tunneling protocol (PPTP) is a VPN

configuration for users who need to dial in to a server using a modem connection on a computer running an older operating system

PPTP encapsulates TCP/IP packets and uses a proprietary Microsoft technology called MPPE

Layer 2 tunneling protocol (L2TP): Layer 2 tunneling protocol (L2TP) provides a higher

level of security than PPTP through IPSec support


31

32

Triple-data encryption standard (Triple-DES): Most VPNs make use of Triple-data encryption

standard (Triple-DES) encryption Triple-DES is strong because it uses three separate

64-bit keys to process data

Secure Sockets Layer (SSL): Secure Sockets Layer (SSL) enables Web servers

and browsers to exchange encrypted information SSL sessions make use of both symmetric and

asymmetric keys to encrypt data

Encryption Schemes used by VPNs

33

34

Kerberos: Kerberos is a system for authentication of individual

network users that was developed at MIT Kerberos uses an authentication method called

authentication by assertion - the computer that connects to a server and requests services asserts that it is acting on behalf of an approved user

Instead of digital certificates, Kerberos issues tickets; accessing an application protected by Kerberos requires a ticket

Encryption Schemes used by VPNs

35

VPNs need to be used with firewalls VPNs can be located in front of existing firewalls, or

placed in DMZs in parallel to an existing firewall Packet filtering rules make use of three IP packet

header fields: the source address; the destination address; the Protocol Identifier (Protocol ID)

Conduct packet filtering based on any or all of these fields; block all packets from an address with the source address; route entered packets with the destination address; refer to protocols (ICMP, TCP, UDP, ESP, AH) with the Protocol ID

Adjusting Packet Filtering Rulesfor VPNs

36

PPTP filters For PPTP traffic to pass through a firewall, set up

packet filtering rules that permit it PPTP uses two protocols: TCP and Generic Routing

Encapsulation (GRE)

L2TP and IPSec filters If L2TP is used, rules must be set up that permit

IPSec traffic

Adjusting Packet Filtering Rulesfor VPNs

37

38

39

Chapter Summary

This chapter discussed issues involved in configuring a Virtual Private Network (VPN) and the role that the VPN plays in a network defense strategy

VPNs are virtual in that they do not make use of proprietary leased lines. Rather, they connect computers and networks through the public Internet. VPNs are private because they send data through a secure tunnel that leads from one endpoint to another. Each endpoint is terminated by VPN hardware or software that encrypts and encapsulates the data. VPNs are networks that connect one network to one or more networks, one computer to another, or one computer to a network

40

Chapter Summary

VPNs consist of various components. These include VPN servers, which are configured to accept connections from client computers; VPN clients; the tunnels through which data passes, and protocols that determine how the tunneled data is to be encrypted, such as IPSec. A site-to-site VPN uses such components to connect to networks. A client-to-site VPN connects a remote user to a network. VPN endpoints can be terminated by VPN hardware, software, or a combination of both

41

Chapter Summary

VPNs perform three core activities. Encapsulation encloses one packet of digital information within another one to conceal the original packet’s source and destination IP address and to protect the contents. Encryption makes the contents of the packet - not only its data, but its header information as well - unreadable by all but the intended recipient. Authentication ensures that the computers participating in a VPN are authorized users

42

Chapter Summary

Because VPNs can be complex to configure, the reasons for establishing them should be understood.The need to keep critical business communications private and secure drives the adoption of VPNs. The cost-effectiveness of using the Internet for VPN communications also makes VPNs attractive. On the other hand, the encryption performed by VPNs can slow down data transfer rates. Reliance on the Internet, which is often unpredictable, can result in the VPN going down along with ISP connections

43

Chapter Summary

A VPN is often configured by establishing a VPN domain, a group of computers that are handled as one entity. Networks that use VPNs can have single entry point configurations, in which all traffic to and from the network passes through a single gateway. Some VPNs are part of multiple-entry point configurations, in which more than one gateway is used. Whether single or multiple entry points are in place in one network, that network can then be connected to other VPN participants using a mesh or star configuration, or a combination of both

44

Chapter Summary

VPNs make use of standard instruction sets called protocols that secure tunneled communications between endpoints. IPSec combined with IKE is one of the most popular protocols because of its wide support in the industry and high degree of security through AH and ESP encryption. SSH is a protocol used to authenticate and encrypt packets in a UNIX-based environment. Version 5 of the Socks protocol can also provide security for VPN transactions, though it is not widely used. PPTP and L2TP enable remote users to dial in to a computer over a secure VPN connection

45

Chapter Summary

Encryption is one of the techniques that make VPNs possible. Most VPNs today use Triple-DES encryption, a variation of DES in which three separate keys are used to process information. However, some VPNs use SSL encryption when Web-based applications need to be connected securely. Another system, Kerberos, is used in Windows and other OSs to give employees access to network resources for relatively short periods of time through the issuance of “tickets”

46

Chapter Summary

VPNs need to be used in conjunction with firewalls. For the two devices to work together, packet filtering rules need to be set up. The rules cover such protocols as PPTP, L2TP, and IPSec. The have as their ultimate goal the filtering of packets so that only traffic to and from VPN endpoints passes through the VPN, and other traffic is filtered by the firewall to reach specific destinations on the network

Documents

1 Guide to Network Defense and Countermeasures Chapter 7