Agenda
  Virtual Private Networks (VPNs)
    Motivation and Basics
    Deployment Topologies
  IPSEC (IP Security)
    Authentication Header (AH)
    Encapsulating Security Payload (ESP)
CS G513 / SS G513 Network Security
Sundar B.
VPN - Motivation
  Edge Security
    Goal: Separate a private network (LAN) from the public network.
    Typical mechanisms: Firewalls, Gateways, Proxies
    Works when the edge (i.e. boundary) is clearly defined.
      In-Out or Out-In flow is regulated systematically.
    Does not work when there is (geographical) segmentation of a (logical) private network
    Does not work with mobility (of users/clients) – external access, roaming access.
VPN Motivation
  Both segmentation and mobility are familiar scenarios:
    Subnetting to VLAN
  Differences (between VLANs and VPNs):
    Segmentation in the subnetting scenario happens within a (more) trusted private network, whereas segmentation in the VPN scenario happens across an untrusted public network (the Internet).
    The primary motive of VLANs was traffic isolation – between subnets – not security.
    Subnets and subnet boundaries are L-2 artifacts, whereas private-public boundaries are L-3.
Virtual Private Networks
  Primary Purposes:
    Handling segmentation across the public network
      Site-to-Site VPNs
    Handling external access / roaming access
      Remote Access VPNs
  In summary, a VPN enables logical extension of private network(s) over the Internet using service provider backbones.
  Since the Internet (including the service provider) cannot be trusted (or be inviolate in terms of security), VPNs need a security cover.
IPSEC
  IPSEC loosely refers to a phalanx of protocols for supporting confidentiality, integrity and authenticity for IP datagrams between endpoints (of a VPN):
    Client to VPN termination point (a.k.a. server) in a remote-access VPN
    VPN server to VPN server in a site-to-site VPN
  The main components:
    IPSEC proper defines IP packet encapsulation for confidentiality, integrity and authentication as well as data encryption.
    Internet Key Exchange (IKE) automates key management and protocol negotiation between endpoints.
IPSEC modes
  Tunneling mode
    Encapsulates a complete IP packet including its header, i.e. the header is hidden;
    A new IP header is added for forwarding: the encrypting router's IP address is used.
  Transport mode
    Uses an underlying tunneling protocol (e.g. Cisco's GRE)
IPSEC Headers
  IPSEC adds new header information to an IP datagram:
    Authentication Header (AH)
      Provides integrity and authenticity for the packet, including the invariant fields in the outer IP header
      Uses keyed hashing
    Encapsulating Security Payload (ESP)
      Provides confidentiality, integrity and authenticity of the data only (i.e. header information is not included)
  Either or both of the headers can be used.
  No restriction on encryption algorithms – they can be negotiated between endpoints.
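The following is an added example, not part of these slides, that puts the two preceding slides together: tunnel-mode encapsulation (the whole inner packet, header included, becomes the payload of a new packet carrying the gateway's address) and an AH-style keyed hash that covers the invariant outer-header fields plus everything inside, while the mutable TTL and checksum are zeroed before hashing so routers can still change them in flight. Everything below is an assumption of the example rather than IPsec as specified: the layout (outer IPv4 header, then a 32-byte ICV, then the inner packet) stands in for the real AH header with its SPI and sequence number, HMAC-SHA256 stands in for the unnamed "keyed hashing" (real deployments negotiate the algorithm over IKE), only TTL and checksum are treated as mutable (real AH also zeroes TOS, flags and fragment offset), and the addresses, key and payload are constructed sample values.

```python
"""Added example (not from the slides): IPsec tunnel-mode encapsulation
combined with an AH-style keyed integrity check over invariant header fields.
Simplified layout:  outer IPv4 header || 32-byte ICV || inner IPv4 packet."""
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

IPV4_FMT = "!BBHHHBBH4s4s"   # ver/IHL, TOS, total len, id, flags/frag, TTL, proto, csum, src, dst
IPV4_LEN = struct.calcsize(IPV4_FMT)   # 20 bytes: no options
IPPROTO_TCP = 6
IPPROTO_AH = 51              # IANA protocol number for the Authentication Header
ICV_LEN = 32                 # HMAC-SHA256 output size (assumed algorithm)


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header with no options; the header checksum is left at zero."""
    return struct.pack(IPV4_FMT, 0x45, 0, IPV4_LEN + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_ipv4(pkt: bytes) -> dict:
    f = struct.unpack(IPV4_FMT, pkt[:IPV4_LEN])
    return {"ttl": f[5], "proto": f[6],
            "src": str(ipaddress.IPv4Address(f[8])),
            "dst": str(ipaddress.IPv4Address(f[9])),
            "payload": pkt[IPV4_LEN:]}


def _zero_mutable(hdr: bytes) -> bytes:
    """Zero the fields routers may legitimately change so the ICV survives transit."""
    f = list(struct.unpack(IPV4_FMT, hdr))
    f[5] = 0   # TTL is decremented at every hop
    f[7] = 0   # header checksum changes whenever TTL does
    return struct.pack(IPV4_FMT, *f)


def _icv(key: bytes, outer_hdr: bytes, inner_pkt: bytes) -> bytes:
    """Keyed hash over (outer header with mutable fields zeroed || whole inner packet)."""
    return hmac.new(key, _zero_mutable(outer_hdr) + inner_pkt, hashlib.sha256).digest()


def ah_tunnel_encapsulate(inner_pkt: bytes, gw_src: str, gw_dst: str, key: bytes) -> bytes:
    """Tunnel mode: the complete inner packet (header included) is hidden inside a new
    packet addressed gateway-to-gateway; the ICV binds the outer invariant fields to it."""
    outer_hdr = build_ipv4_header(gw_src, gw_dst, IPPROTO_AH, ICV_LEN + len(inner_pkt))
    return outer_hdr + _icv(key, outer_hdr, inner_pkt) + inner_pkt


def ah_tunnel_decapsulate(outer_pkt: bytes, key: bytes) -> Optional[bytes]:
    """Return the inner packet if the ICV verifies, else None (the packet is dropped)."""
    outer_hdr = outer_pkt[:IPV4_LEN]
    icv = outer_pkt[IPV4_LEN:IPV4_LEN + ICV_LEN]
    inner_pkt = outer_pkt[IPV4_LEN + ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(key, outer_hdr, inner_pkt)):
        return None
    return inner_pkt


def forward_hop(pkt: bytes) -> bytes:
    """Model one transit router: decrement TTL, leave everything else untouched."""
    f = list(struct.unpack(IPV4_FMT, pkt[:IPV4_LEN]))
    f[5] -= 1
    return struct.pack(IPV4_FMT, *f) + pkt[IPV4_LEN:]


def demo() -> dict:
    """Constructed scenario: a host in site A sends to a host in site B via two gateways."""
    key = b"constructed-demo-key-not-for-real-use"        # constructed sample key
    payload = b"hello site B"                              # constructed sample data
    inner = build_ipv4_header("10.1.0.5", "10.2.0.9", IPPROTO_TCP, len(payload)) + payload
    outer = ah_tunnel_encapsulate(inner, "203.0.113.1", "198.51.100.1", key)
    in_flight = forward_hop(forward_hop(outer))           # two routers decremented the TTL
    accepted = ah_tunnel_decapsulate(in_flight, key)

    tampered = bytearray(in_flight)
    tampered[-1] ^= 0x01                                  # flip one bit of the inner payload
    rerouted = bytearray(in_flight)
    rerouted[16:20] = ipaddress.IPv4Address("192.0.2.7").packed   # alter outer destination

    outer_view = parse_ipv4(in_flight)
    return {
        "outer_src": outer_view["src"],          # the encrypting router's address, not the host's
        "outer_proto": outer_view["proto"],
        "ttl_after_hops": outer_view["ttl"],
        "inner_restored": accepted == inner,
        "inner_src": parse_ipv4(accepted)["src"] if accepted else None,
        "payload_tamper_rejected": ah_tunnel_decapsulate(bytes(tampered), key) is None,
        "outer_dst_tamper_rejected": ah_tunnel_decapsulate(bytes(rerouted), key) is None,
        "wrong_key_rejected": ah_tunnel_decapsulate(in_flight, b"some-other-key") is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the three properties the slides describe: the packet seen on the public network carries only the gateways' addresses and protocol 51, the TTL changes in transit without breaking verification because it was excluded from the hash, and any change to the inner packet or to an invariant outer field (here the destination address) is rejected at the far gateway.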
Site-to-Site Topologies
  Fully-meshed topology
    Complete (logical) graph
    Very robust
    Cost saving compared to leased lines (or wide area networks) between sites.
  Hub-and-spoke topology
    Radial graph – spoke sites connect to a hub site.
    Hub site would require tunnel aggregation (routers)
    Useful when traffic is asymmetric, i.e. mostly directed toward the hub
      Otherwise large transcription overhead at the hub
Site-to-Site Topologies
  Fully meshed on-demand topology w/ Tunnel End Discovery
    Complete graph w/ dynamic IP addresses
    Tunnel end is discovered dynamically
  Dynamic Multipoint topology
    Allows both Spoke-Hub as well as Spoke-Spoke tunneling.
    More flexible.
Pros and Cons
  Reduced cost compared to leased lines or WAN without compromising security
  Performance penalties:
    Protocol overheads
    Additional burden in routing and forwarding – specialized solutions needed
  IP address partitioning mechanisms are not always clean.