Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
1
VirtualPrivateNetworks
ChesterRebeiroIITMadras
2
PrivateNetworks
2
PhysicallydisconnectedfromtheoutsideInternet.Threeproperties:• UsersAuthenticated.Usersareauthorizedandtheiridentitiesverified.• ContentProtected.
Communicationwithintheprivatenetworkcannotbesniffedfromoutside.cablesarephysicallysecured
• IntegrityPreserved.Nobodyfromoutsidethenetworkcanspoof
3
VirtualPrivateNetworks
3
Abletoachieve:UsersAuthentication,ContentProtection,andIntegrityPreservedwithoutbeingphysicallylocated
Internet
4
VirtualPrivateNetworks
4
Anyattempttodirectlyconnecttoacomputerinsidetheprivatenetworkwillbestoppedbythefirewall.Moreover,theIPaddressmaynotbevalid.
InternetFirewall
client
5
VirtualPrivateNetworks
5
VPNServer:exposedtotheoutsidenetwork.OutsidecomputerswillbeauthenticatedbytheVPNserver.Onceauthenticated,asecurechannelisestablishedbetweentheVPNserverandclient,sopacketsareencryptedandintegritypreserved.
InternetFirewall
VPNServer
Client
6
VirtualPrivateNetworks
6
OnlywaytoconnecttoasystemintheprivatenetworkisviatheVPNserver.NeedstobeTransparent.TheVPNclientshouldbeignorantthatitisaremoteclient.
InternetFirewall
VPNServer
Client
7
VPNvsApplicationLevelSecurity• Thisisdifferentfromaregularapplicationsecurity,whereTLS
canbeused.– IPspoofing/sniffingcanbedone– ClientneedstoopenandinitiateaTLSconnection,thusno
transparency
• ForVPN,theIPheadersneedtobeencrypted– However,trafficcannotberouted
7
8
IPTunneling
8
Firewall
VPNClient
IPPacket
IPPacketIPhead
Encryptedpacket
EncryptedpacketIPhead
forthedestination
fortheVPNserver
Destination
VPNServer
9
IPTunneling
9
Firewall
VPNClient
IPPacket
IPPacketIPhead
Encryptedpacket
EncryptedpacketIPhead
forthedestination
fortheVPNserver
Destination
toVPNSer
ver
EncryptedpacketIPhead
IPPacketIPheaddecrypt
Forwardtodestination
10
IPTunneling• TwowaysofachievingIPTunneling
– IPSectunneling:usesIPSecprotocolwhichoperatesattheIPlayerandhasatunnelingmode
– TheentireIPpacketisencapsulatedintoanewIPpacketwithanewheaderadded
– Doneatthekernellevel
10
11
IPTunneling• TwowaysofachievingIPTunneling
– TLStunneling:usesTLSlibraryattheapplicationlayertoachievetunneling
– TheentireIPpacketisencapsulatedintoanewTCP/UDPpacketwithanewheaderadded
– Doneattheapplicationlevel
11
12
AnOverviewofHowTLS/SSLVPNWorksThisisjustanormalTCPorUDPbasedSSLconnection
PrimarySiteSatelliteSite
13
AnOverviewofHowTLS/SSLVPNWorks
1.MutualauthenticationusingPKC,passwordauthentication
14
AnOverviewofHowTLS/SSLVPNWorks2.Routing
Anypacketto10.0.8.xwillberoutedtotheVPNclient
Anypacketto10.0.7.xwillberoutedtotheVPNserver
15
AnOverviewofHowTLS/SSLVPNWorks
NeedstoencapsulatetheframereceivedinaTLSpacketanddirectedtotheVPNserver.Needstobedoneintheapplicationlayer.Noteasilyachieved.Promiscuousmode,Rawpackets,filteringAlternatively:VirtualNetworkCards.
16
VirtualNetworkCards• Mostoperatingsystemshavetwotypesofnetworkinterfaces:
– Physical:CorrespondstothephysicalNetworkInterfaceCard(NIC)– Virtual:Itisavirtualizedrepresentationofcomputernetworkinterfacesthatmayormaynot
corresponddirectlytotheNICcard.Example:loopbackdevice
• TUNVirtualInterface– WorkatOSIlayer3orIPlevel– SendinganypackettoTUNwillresultinthepacketbeingdeliveredtouserspaceprogram
• TAPVirtualInterfaces– WorkatOSIlayer2orEthernetlevel– Usedforprovidingvirtualnetworkadaptersformultipleguestmachinesconnectingtoa
physicaldeviceofthehostmachine
16
17
TUN/TAPInterfaces
17
SocketInterface
18
CreatingaTUNInterface
18
TheflagIFF_TUNspecifiesthatwearecreatingaTUNinterface
RegisteraTUNdevicewiththekernel
NeedsCAP_NET_ADMIN
19
ConfiguretheTUNInterface
FindtheTUNinterface
20
ConfiguretheTUNInterface
AssignanIPaddresstotheTUNinterfaceandbringitup
21
SetUPtheRouting
Routingpacketstothetunnel
22
SetuptheRouting
Packetstothisdestinationshouldberoutedtothetun0interface,i.e.,theyshouldgothroughthetunnel.
Allothertrafficwillberoutedtothisinterface,i.e.,theywillnotgothroughthetunnel
23
PingtotheTUNinterface
23
24
ReadingFromTUNInterface
Wedidanexperimentbysendingapingpacketto10.0.8.32.ThepacketwassenttotheTUNinterfaceandthentoourprogram.Weuse“xxd”toreadfromtheinterfaceandconverttheintohexdump.
IPHeade
r
25
WritingToTUNInterface
• WecanwritedatatoTUNinterfaces.• Wecancreateavalidpacketusingthesame“xxd”command.• Copy-pastethexxdoutputfromthepreviousslideintoafile
called“hexfile”andrun“xxd–rhexfile>packetfile”.• Nowwewritethepacketfiletotheinterface:• WeshouldbeabletoobservethepacketusingWireshark.
26
EstablishaTransport-LayerTunnel
• AtunnelisjustaTLS/SSLconnection.• Twoapplications(VPNclientandserverapplications)just
establishaTLS/SSLconnectionbetweenthemselves.• TrafficinsideareprotectedbyTLS/SSL• WhatmakesthisTLS/SSLconnectionatunnel?
– ThepayloadsinsideareIPpackets– ThatiswhyitiscalledIPtunnel
27
HowtoSend/ReceivePacketsviaTunnelSendingapacketviathetunnel• GetanIPpacketfromtheTUNinterface• Encryptit(alsoaddMAC)• Senditasapayloadtotheotherendofthe
tunnel
Receivingapacketfromthetunnel• Getapayloadfromthetunnel• Decryptitandverifyitsintegrity• Wegettheactualpacket• WritethepackettotheTUNinterface
28
MonitoringBothInterfaces
• Eachtunnelapplicationhastwointerfaces:socketandTUN
• Needtomonitorboth• Forwardpacketsbetween
thesetwointerfaces
29
Implementation(Monitoringthe2Interfaces)
select()willbeblockeduntiloneoftheinterfaceshasdata.
30
Implementation(TUNàSocket)
Note:theencryptionstepisomittedfromthecode(forthesakeofsimplicity)
31
Implementation(SocketàTUN)
Note:thedecryptionstepisomittedfromthecode(forthesakeofsimplicity)
32
BypassingFirewallsusingVPN
33BypassingFirewallusingVPN:theMainIdea
• SendourFacebook-boundpacketstotheTUNinterfacetowardsVPNserver• VPNserverwillreleaseourFacebook-boundpacketstotheInternet• Facebook’sreplypacketswillberoutedtotheVPNserver(question:why)• VPNserversendsthereplypacketsbacktousviathetunnel
34
Experiment:NetworkSetup
35
• SetupfirewalltoblockUserfromaccessingFacebook• WerunthefollowingcommandtogetthelistofIPprefixesownedbyFacebook:
• WecanalsogetIPaddressesreturnedbyFacebook’sDNSserverbyrunningthefollowingcommand(thisIPaddresscanchange):dig www.facebook.com
SettingUPFirewall
36
BlockingFacebook
Facebookbecomesunreachable
OneoftheIPprefixesbelongtoFacebook
37
BypassingtheFirewall• Weaddaroutingentrytotheusermachine,changingtheroute
forallFacebooktraffic.Insteadofgoingthrougheth6,weusetheTUNinterface:
• TheFacebook-boundpacketsaregoingthroughourtunnel.• TheFacebook-boundpacketsarehiddeninsideapacketgoingto
theVPNserver,soitdoesnotgetblocked.• VPNserverwillreleasethepackettotheInternet.• RepliesfromFacebookwillcomebacktoVPNserver,whichwill
forwarditbacktousviathetunnel.