VPN

AIM

• To get (me) and you started on VPN

• Know about the different technical jargon surrounding VPN

• Answer some questions

• I will try my best to keep you awake and interested

Questions To be Answered

1. What is a VPN and why do we use VPNs?
2. What is the typical mechanism of a VPN?
3. What are the terms PPTP, L2TP, IPSec?
4. What is IKE?
5. What are SSL VPNs, Remote Access VPNs and Site-to-Site VPNs?
6. Where in day-to-day life are you using a VPN?


1. What is a VPN and why do we use VPNs?

• Old Times

• Virtual - there is no real direct connection; the connection is provided by VPN software over the public Internet.

• Private - only the members connected to it are able to read the data being exchanged.

• Network – For obvious reasons

• New Times / VPN Times

2. Mechanism of VPN

• Closer Look at what is happening

• Data is encrypted at A , then on receiving decrypted at B.

• The encryption protects the data from other Internet users.

• This lock-to-lock line is like a tunnel that carries a train through a mountain.

• So the VPN jargon for this phenomenon is “Tunneling”.

• A VPN is typically set up between 2 Internet access routers that are equipped with a firewall and VPN software.

• The software must be set to connect to the VPN partner, the firewall must be set to allow the access, and the data exchanged between the partners must be secured by encryption.

• But is it really that simple?

• Get more into detail of what is happening

Scenario 1: I want to send a secret (not really) anonymous parcel to my dear friend Sai Srivastava Tumuluri (hope I have got the spelling correct).

My problem is that Sai lives in a community full of strange people like Manduva Prithvi, Mason, and Prabhjit (no offense guys, please)!

So I do not want these strange guys to know that it is me who has sent a parcel to Sai, and at the same time, Sai should get an idea that it was me who sent the parcel.

• What I will do is take a brand new parcel and WRAP the old parcel, which has my name in the sender’s information, inside it.

• On the outside parcel I will have a different address label.

• So that when Sai gets it, he unwraps the first one and on the inside original packet I have my name as sender.

• Scenario 2: Now I distrust the community of strange people a little more. I feel someone might open the parcel on its way and find out what is inside.

• To prevent this I use a locked case.

• There are only 2 keys to the lock. Sai has one and I have one. So only Sai and I can unlock it and see what is WRAPPED inside….

Now the question that would arise is, “What kind of mad guy is Ketan to discuss these two scenarios?”

The answer is that the VPN software makes combined use of the 2 scenarios discussed. The VPN software does the following 3 things:

1. Whole network packets to be sent, consisting of header and data, are wrapped into new packets.

2. All data, including metadata such as sender/recipient, can be encrypted.

3. The new packets are labeled with new headers containing metadata about the VPN and are addressed to the VPN partner.

• So the different VPN software systems differ in how they wrap and lock the data.

• Now we try to understand what OVERHEAD is.

• Suppose we want to send a 1MB file (total original packet size including header and data), and after adding the VPN stuff the total tunnel-prepared size becomes 1.5MB. Then we say the file has 0.5MB overhead, or 50% overhead.

• Can you guess what factors the overhead will depend on?

• OVERHEAD depends on the kind of organizational data and the kind of encryption used.

• The better the cipher, the more the overhead. So you have to choose between speed and security.

• A GRE (Generic Routing Encapsulation) standard for tunneling data came up. This is present in many devices.

• Also there is a VPN Consortium which takes care of the issues of standardization, interoperability etc.

3. What are PPTP, L2TP and IPSec?

• PPTP – Point to Point Tunneling Protocol, developed by Microsoft. It uses GRE encapsulation and can tunnel IP, IPX and other protocols over the Internet. The disadvantage is that you can have only a single tunnel between two points, say A and B. See RFC 2637 for details.

• L2F – Layer 2 Forwarding, developed at the same time by other companies including Cisco. Support for multiple tunnels is one highlight. Refer to RFC 2341.

• L2TP – Layer 2 Tunneling Protocol. This is widely used by Cisco and other manufacturers. It combines the advantages of L2F and PPTP without suffering their drawbacks. It does not provide a security mechanism of its own, but it can be combined with, say, IPSec to provide one. RFC 2661.

• Other points, like authentication.

• IPSec – Internet Protocol Security is the most widespread tunneling technology.

• It is a complex set of protocols and mechanisms rather than a single technology. It is complex because it has many different implementations.

• IPSec was developed as an Internet Security Standard on Layer 3 and has been standardized by the Internet Engineering Task Force since 1995.

• IPSec can be used to encapsulate any application-layer traffic, but not the lower layers.

• IPSec can use a variety of encryption mechanisms, authentication protocols and other security associations.

• The best thing is IPSec software exists for almost every platform.

• From the administrator’s point of view, there is a variety of hardware of different kinds and different software implementations to choose from. Of course Cisco is the best.

• IPSec has 2 modes:

• Tunnel Mode - This is the same tunneling we discussed, with the wrapping of packets.

• Transport Mode - In this mode only the data section is encapsulated and encrypted, whereas the header is not. So an attacker can know who is communicating with whom, but the data is kept private.
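An added example, not from the original slides, that simulates the wrapping and locking of the mechanism section (the 3 things the VPN software does, plus the overhead figure) and the two IPSec modes above. The packet header format, the addresses and the SHA-256 based stream cipher with HMAC are constructed stand-ins for real IP headers and a real cipher suite:

```python
import hashlib
import hmac
import struct

# Toy header: 4-byte src, 4-byte dst, 2-byte length (constructed, not real IPv4).
HDR = struct.Struct("!4s4sH")
NONCE_LEN, TAG_LEN = 8, 16

def make_packet(src, dst, payload):
    return HDR.pack(src, dst, len(payload)) + payload

def _keystream_xor(key, nonce, data):
    # Toy counter-mode stream cipher built from SHA-256; stands in for AES here.
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i * 32:(i + 1) * 32], block))
    return bytes(out)

def lock(key, nonce, plaintext):
    # "Locked case": encrypt, then attach a MAC so tampering on the way is detected.
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag

def unlock(key, blob):
    # Partner side: verify the MAC first, then decrypt.
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed")
    return _keystream_xor(key, nonce, ct)

def tunnel_mode(key, nonce, inner_pkt, gw_a, gw_b):
    # Whole inner packet (header + data) is locked; the new outer header is
    # addressed to the VPN partner gateway, not to the real endpoints.
    return make_packet(gw_a, gw_b, lock(key, nonce, inner_pkt))

def transport_mode(key, nonce, inner_pkt):
    # Only the data section is locked; the original header stays readable.
    src, dst, _ = HDR.unpack(inner_pkt[:HDR.size])
    return make_packet(src, dst, lock(key, nonce, inner_pkt[HDR.size:]))

def observer_view(pkt):
    # What someone on the public Internet can read: the outermost src/dst.
    src, dst, _ = HDR.unpack(pkt[:HDR.size])
    return src, dst

def overhead_pct(original, wrapped):
    return 100 * (len(wrapped) - len(original)) / len(original)
```

In tunnel mode the observer sees only the two gateway addresses; in transport mode the real endpoints stay visible while the data is locked, and the smaller wrapper also means less overhead.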

4. What is IKE?

• All the while we have been talking about the locking mechanism, but what about the Security Association and the keys?

• So along comes the Internet Key Exchange protocol, which takes care of the key exchange for encryption purposes between A and B.

• This helps in forming the Security Association.

• IKE typically uses the Diffie-Hellman key exchange algorithm.

• It was defined in 1998 by the IETF.

• This is present in many of the platforms.

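An added example, not from the original slides, of the Diffie-Hellman exchange that IKE uses to set up a Security Association: each side keeps a private exponent, only public values and nonces cross the Internet, and both sides derive the same per-direction keys. The group (the prime 2**127 - 1 with generator 2), the nonces and the SPI are constructed demo values, and the key derivation is an HMAC-based stand-in for IKE's own PRF:

```python
import hashlib
import hmac
import secrets

# Constructed demo group: the prime 2**127 - 1 with generator 2, small enough to
# follow. Real IKE uses standardised, much larger Diffie-Hellman groups.
P = 2**127 - 1
G = 2

def dh_keypair(p=P, g=G):
    # The private exponent never leaves the host; only the public value crosses the wire.
    priv = secrets.randbelow(p - 2) + 1
    return priv, pow(g, priv, p)

def dh_shared(priv, peer_pub, p=P):
    # g^(a*b) mod p: A and B reach the same number from different inputs.
    return pow(peer_pub, priv, p)

def derive_sa_keys(shared, nonce_a, nonce_b, spi, p=P):
    # Expand the shared secret into one key per direction of the Security Association.
    # HMAC-based derivation in the spirit of IKE's PRF, not its exact construction.
    seed = shared.to_bytes((p.bit_length() + 7) // 8, "big")
    skeyseed = hmac.new(nonce_a + nonce_b, seed, hashlib.sha256).digest()
    return {d: hmac.new(skeyseed, d.encode() + spi, hashlib.sha256).digest()
            for d in ("A->B", "B->A")}

def ike_handshake(p=P, g=G):
    # Run the exchange for both sides and record what a passive observer would capture.
    a_priv, a_pub = dh_keypair(p, g)
    b_priv, b_pub = dh_keypair(p, g)
    nonce_a, nonce_b = secrets.token_bytes(16), secrets.token_bytes(16)
    spi = secrets.token_bytes(4)
    a_keys = derive_sa_keys(dh_shared(a_priv, b_pub, p), nonce_a, nonce_b, spi, p)
    b_keys = derive_sa_keys(dh_shared(b_priv, a_pub, p), nonce_a, nonce_b, spi, p)
    on_the_wire = {"a_pub": a_pub, "b_pub": b_pub, "nonce_a": nonce_a,
                   "nonce_b": nonce_b, "spi": spi}
    return a_keys, b_keys, on_the_wire
```

The observer's capture (on_the_wire) contains no private exponent, so it cannot recompute the shared secret that both SA keys are derived from.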

5. What are SSL VPNs, Site-to-Site VPNs and Remote Access VPNs?

• Site-to-Site VPN - Suppose WSU has 3 locations and connects all these locations via VPN. That is a Site-to-Site VPN, of the Intranet Site-to-Site type.

• Now if WSU wants to connect its network to KU, that will also be a Site-to-Site VPN, of the Extranet type.

• Remote Access VPNs – When you use software like the Cisco AnyConnect VPN client and log in to your LAB computer, i.e. connect remotely from your device to WSU’s network using VPN.

• SSL VPN – Secure Sockets Layer VPN that can be used with a standard web browser. So the client does not need any special client software, as it would for Remote Access VPNs.

• SSL Portal VPN – Allows a single SSL connection to a web site and then access to network services. Portal here means one door: a single page.

• SSL Tunnel VPN – This allows access even to protocols that are not web based, through a tunnel that is running SSL. This requires the web browser to handle active content like Java and JavaScript.


6. Use of VPN


Thank You for Bearing with Me…

Have a Nice Weekend