chapter 5

Chapter 5 discusses Virtual Private Networks (VPNs), which provide encrypted connections over the Internet to ensure secure data transmission. It covers types of VPNs, including remote access and site-to-site, as well as protocols like IPsec and SSL that enhance security. The chapter concludes with deployment methods for organizations, including remote access, intranet, and extranet VPNs.


Oda Bultum University

Institute of Technology
Department of Electrical and Computer Engineering
(Communication Engineering)
5th year Second semester
Switching and Intelligent Networks
By: Ahmed A. (MSc.)
Chapter 5
Virtual Private Network (VPN)
Outline
Introduction to VPN
Internet Protocol Security (IPsec)
Secure Socket Layer (SSL)
What is a VPN?
• A virtual private network, or VPN, is an encrypted connection over the Internet from a device to a network.
• The encrypted connection helps ensure that sensitive data is safely transmitted.
• It prevents unauthorized people from eavesdropping on the traffic and allows the user to conduct work remotely.
• VPN technology is widely used in corporate environments.
• An employee can work outside the office and still securely connect to the corporate network.
• Even smartphones and tablets can connect through a VPN.
Cont……
• A virtual private network (VPN) is a technology that creates a safe and encrypted connection over a less secure network, such as the Internet.
• A Virtual Private Network is a way to extend a private network using a public network such as the Internet. The user can be part of a local network while sitting at a remote location.
• Virtual Private Networks are defined broadly as a way to extend a private network through a public network such as the Internet (Brown, 1999). Here a private network means an organization's own internal network, typically a Local Area Network (LAN).
Cont…..
• VPN is a generic term used to describe a communication network that uses any combination of technologies to secure a connection tunneled through an otherwise unsecured or untrusted network.
 Instead of using a dedicated connection, such as a leased line (fig a), a "virtual" connection is made between geographically dispersed users and networks over a shared or public network, like the Internet (fig b).
Cont…..
Fig a. Private network using leased lines
Fig b. Virtual Private Network: uses the public Internet
• VPN transmits data by means of tunneling
 The packet is first encapsulated in a new packet, with a new header.
 The new header provides the routing information needed to traverse the shared or public network before the packet reaches its tunnel endpoint.
 The logical path that the encapsulated packets travel through is called a tunnel.
Cont…..
• When a packet reaches the tunnel endpoint, it is decapsulated and forwarded to its final destination.
• Both tunnel endpoints need to support the same tunneling protocol.
• Tunneling protocols operate at either layer 2 (data-link layer) or layer 3 (network layer).
• The most commonly used tunneling protocols are IPsec, L2TP, PPTP and SSL/TLS. PPTP is listed for completeness only: its authentication (MS-CHAPv2) is broken and it should not be used for new deployments. L2TP carries no encryption of its own and is normally run inside IPsec (L2TP/IPsec).
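The encapsulation and decapsulation steps above, as an added worked example in Go (mine, not part of these slides): IP-in-IP (protocol 4, RFC 2003) is the simplest layer-3 tunnel, so it shows the mechanics without any cryptography. The tunnel entry wraps the whole inner packet in a new outer header addressed to the far tunnel endpoint, the public network routes on that header alone, and the exit validates the outer header and strips it. The addresses, the payload and the small IPv4 builder and checksum helpers are constructed for the demo. Note what this does not do: a bare IP-in-IP tunnel hides nothing and authenticates nothing, which is why a VPN wraps it in IPsec, TLS or similar.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// protoIPIP is the outer header's protocol value for IP-in-IP (RFC 2003).
const protoIPIP = 4

// ipv4Checksum is the one's-complement checksum over an IPv4 header; over a
// valid header (checksum field included) it comes out as zero.
func ipv4Checksum(hdr []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(hdr); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(hdr[i:]))
	}
	if len(hdr)%2 == 1 {
		sum += uint32(hdr[len(hdr)-1]) << 8
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// buildIPv4 makes a minimal 20-byte IPv4 header (no options) in front of payload.
func buildIPv4(src, dst net.IP, proto byte, payload []byte) []byte {
	pkt := make([]byte, 20+len(payload))
	pkt[0] = 0x45 // version 4, IHL 5 words
	binary.BigEndian.PutUint16(pkt[2:], uint16(len(pkt)))
	pkt[6] = 0x40 // DF
	pkt[8] = 64   // TTL
	pkt[9] = proto
	copy(pkt[12:16], src.To4())
	copy(pkt[16:20], dst.To4())
	binary.BigEndian.PutUint16(pkt[10:], ipv4Checksum(pkt[:20]))
	copy(pkt[20:], payload)
	return pkt
}

// Addresses reads the source and destination of any IPv4 packet.
func Addresses(pkt []byte) (src, dst net.IP) {
	return net.IP(pkt[12:16]), net.IP(pkt[16:20])
}

// Encapsulate is the tunnel entry point: the whole inner packet, private
// addresses included, becomes the payload of a new packet whose header carries
// only the two tunnel endpoints, which is all the public network needs to route it.
func Encapsulate(inner []byte, tunSrc, tunDst net.IP) []byte {
	return buildIPv4(tunSrc, tunDst, protoIPIP, inner)
}

// Decapsulate is the tunnel exit point: validate the outer header, make sure it
// really carries IP-in-IP, and hand back the original packet for normal forwarding.
func Decapsulate(outer []byte) ([]byte, error) {
	if len(outer) < 20 || outer[0]>>4 != 4 {
		return nil, errors.New("outer packet is not IPv4")
	}
	ihl := int(outer[0]&0x0f) * 4
	if ihl < 20 || len(outer) < ihl {
		return nil, errors.New("truncated outer header")
	}
	if ipv4Checksum(outer[:ihl]) != 0 {
		return nil, errors.New("bad outer header checksum")
	}
	if outer[9] != protoIPIP {
		return nil, fmt.Errorf("outer protocol %d is not IP-in-IP", outer[9])
	}
	total := int(binary.BigEndian.Uint16(outer[2:]))
	if total > len(outer) || total < ihl+20 {
		return nil, errors.New("bad outer total length")
	}
	inner := outer[ihl:total]
	if inner[0]>>4 != 4 {
		return nil, errors.New("inner packet is not IPv4")
	}
	return inner, nil
}

func main() {
	// Constructed demo traffic: a host on one private LAN talking to a host on
	// another, carried between two tunnel endpoints that have public addresses.
	inner := buildIPv4(net.ParseIP("10.1.0.5"), net.ParseIP("10.2.0.7"), 6, []byte("hello"))
	outer := Encapsulate(inner, net.ParseIP("203.0.113.1"), net.ParseIP("198.51.100.2"))
	s, d := Addresses(outer)
	fmt.Printf("on the wire:  %s -> %s proto=%d len=%d\n", s, d, outer[9], len(outer))
	got, err := Decapsulate(outer)
	if err != nil {
		panic(err)
	}
	s, d = Addresses(got)
	fmt.Printf("after tunnel: %s -> %s proto=%d payload=%q\n", s, d, got[9], got[20:])
}
```

The outer header is the only thing an Internet router looks at; the 10.x addresses never appear in a header the public network reads. The exit checks the outer checksum and the protocol value before trusting the payload, because anything that arrives on the tunnel interface will otherwise be forwarded into the private network as if it came from the far site.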
Types of VPN
1. Remote access
• A remote access VPN securely connects a device outside the corporate office.
• These devices are known as endpoints and may be laptops, tablets, or smartphones.
• Advances in VPN technology have allowed security (posture) checks to be conducted on endpoints before they are admitted.
• Think of remote access as computer to network.

Cont…..
2. Site-to-site
• A site-to-site VPN connects the corporate office to branch offices over the Internet.
• Site-to-site VPNs are used when distance makes it impractical to have direct network connections between these offices.
• Dedicated equipment (VPN gateways) is used to establish and maintain the connection. Think of site-to-site access as network to network.
IPsec
• A protocol suite used to enhance IP with security.
• IPsec provides authentication, data integrity and encryption services to protect against unauthorised viewing and modification of data.
• It makes use of two security protocols:
 Authentication Header (AH), IP protocol number 51, and
 Encapsulating Security Payload (ESP), IP protocol number 50.
Cont…..
• AH provides source authentication and integrity of IP packets, covering most of the IP header as well, but no encryption. Because its integrity check includes the IP header, AH does not survive NAT, which is the main reason ESP is what is deployed almost everywhere today.
• ESP provides confidentiality in addition to source authentication and integrity. Its integrity service is optional in the specification, but encryption without integrity is insecure, so ESP should always be used with an integrity algorithm or with an AEAD cipher such as AES-GCM.
• Used in transport mode (host-to-host), or tunnel mode (gateway-to-gateway).
IPsec Security Association (SA)
 Unidirectional logical connection between two IPsec systems.
 Each SA has its own security services (protocol, mode, algorithms, keys).
 Two SAs are needed to get complete protection of a bidirectional packet flow, one for each direction.
IPsec local databases
• SAD (SA Database)
 list of active SAs and their characteristics (algorithms, keys, parameters); for inbound traffic it is indexed by the SPI carried in the packet
• SPD (Security Policy Database)
 list of security policies to apply to the different packet flows: each selector (addresses, protocol, ports) maps to DISCARD, BYPASS or PROTECT, and a PROTECT entry points at the SA(s) to use
How IPsec works (sending)
Transport mode IPsec
• Used for end-to-end security, that is, by hosts rather than gateways (exception: traffic for the gateway itself, e.g. SNMP, ICMP)
• Pro: computationally light (no second IP header)
• Con: the original IP header travels in the clear and its variable fields are not protected
Tunnel mode IPsec
• Used to create a VPN, usually by gateways
• Pro: the whole original packet, header included, is protected inside a new outer IP header, so the variable fields and the inner addresses are covered
• Con: computationally heavier, and every packet grows by a second IP header
IPsec AH
• The AH protocol provides source authentication and integrity of IP packets, but it does not provide encryption.
• In transport mode for IPv4 the authentication header is inserted between the IP header and the upper-layer payload.
• How does the receiver know that this packet is an IPsec packet? The protocol field in the IP header is set to 51 (AH); ESP uses 50.
AH Fields
• Next Header: the original "protocol" value from the IP header (e.g. 6 for TCP), which AH replaced with 51.
• Payload Length: length of the AH in 32-bit words, minus 2 (so an AH with a 96-bit or 128-bit ICV has Payload Length 4 or 5).
• Security Parameters Index (SPI): identifies the Security Association this packet belongs to.
 Each SA has its own key, so from the SPI the receiver knows which SA, and therefore which key, to use.
• Sequence number: used not for ordering (like TCP) but to prevent replay attacks! The receiver keeps a sliding window and rejects sequence numbers it has already seen or that fall behind the window.
• ICV (Integrity Check Value): the keyed MAC over the payload, the AH itself and the IP header, with the fields that change in transit (TOS, flags and fragment offset, TTL, header checksum) treated as zero for the computation.
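An added example (my code, not from these slides or from Prof. Lioy's material) that ties the SA/SAD slides to the AH fields above: the sender inserts an AH using HMAC-SHA-256-128 (so the ICV is 16 bytes and Payload Length is 5) between a 20-byte IPv4 header and its payload, and the receiver looks the SPI up in its SAD, recomputes the ICV with the mutable header fields zeroed, and runs the RFC 4302 64-entry sliding anti-replay window over the sequence number. The key, the SPI and the demoHdr header are constructed; the header checksum is left to the IP layer.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// AH is IP protocol 51; with HMAC-SHA-256-128 (RFC 4868) the ICV is 16 bytes,
// so the whole AH is 12 fixed bytes + 16 = 28 bytes.
const protoAH, icvLen, ahLen = 51, 16, 28

// SA is one unidirectional Security Association: SPI and key shared by both
// ends, plus per-direction state (sender counter, receiver replay window).
type SA struct {
	SPI     uint32
	Key     []byte
	seq     uint32 // sender: last sequence number sent
	lastSeq uint32 // receiver: highest sequence number accepted so far
	window  uint64 // receiver: bitmap of the last 64 numbers, bit 0 = lastSeq
}

// SAD is the receiver's SA database, indexed by SPI.
type SAD map[uint32]*SA

// icv MACs the IP header with the fields routers rewrite in transit (TOS,
// flags/offset, TTL, checksum) zeroed, the AH with its ICV zeroed, and the payload.
func icv(key, ipHdr, ah, payload []byte) []byte {
	h := append([]byte(nil), ipHdr...)
	h[1], h[6], h[7], h[8], h[10], h[11] = 0, 0, 0, 0, 0, 0
	m := hmac.New(sha256.New, key)
	m.Write(h)
	m.Write(ah[:12])
	m.Write(make([]byte, icvLen))
	m.Write(payload)
	return m.Sum(nil)[:icvLen]
}

// acceptSeq is the RFC 4302 sliding anti-replay window: advance on a new high
// number, reject anything already marked or older than the window.
func (sa *SA) acceptSeq(seq uint32) bool {
	const winSize = 64
	if seq == 0 { // the first packet on an SA is number 1; 0 is never valid
		return false
	}
	if seq > sa.lastSeq {
		if shift := uint64(seq - sa.lastSeq); shift >= winSize {
			sa.window = 0
		} else {
			sa.window <<= shift
		}
		sa.window |= 1
		sa.lastSeq = seq
		return true
	}
	diff := uint64(sa.lastSeq - seq)
	if diff >= winSize || sa.window&(1<<diff) != 0 {
		return false // behind the window, or a duplicate (replay)
	}
	sa.window |= 1 << diff
	return true
}

// AHSend inserts an AH between a 20-byte IPv4 header and its payload (transport
// mode): the IP protocol field becomes 51, the old value moves to Next Header.
func AHSend(sa *SA, ipHdr, payload []byte) []byte {
	hdr := append([]byte(nil), ipHdr...)
	ah := make([]byte, ahLen)
	ah[0] = hdr[9]      // Next Header = original upper-layer protocol
	ah[1] = ahLen/4 - 2 // Payload Length: AH in 32-bit words, minus 2 (= 5 here)
	hdr[9] = protoAH
	binary.BigEndian.PutUint16(hdr[2:], uint16(len(hdr)+ahLen+len(payload)))
	sa.seq++
	binary.BigEndian.PutUint32(ah[4:], sa.SPI)
	binary.BigEndian.PutUint32(ah[8:], sa.seq)
	copy(ah[12:], icv(sa.Key, hdr, ah, payload))
	return append(append(hdr, ah...), payload...)
}

// AHReceive: SAD lookup by SPI, ICV check, then the anti-replay check.
func AHReceive(sad SAD, pkt []byte) (byte, []byte, error) {
	if len(pkt) < 20+ahLen {
		return 0, nil, errors.New("truncated packet")
	}
	ipHdr, ah, payload := pkt[:20], pkt[20:20+ahLen], pkt[20+ahLen:]
	if ipHdr[9] != protoAH || int(ah[1]) != ahLen/4-2 {
		return 0, nil, errors.New("not an AH packet of the expected length")
	}
	spi, seq := binary.BigEndian.Uint32(ah[4:]), binary.BigEndian.Uint32(ah[8:])
	sa, ok := sad[spi]
	if !ok {
		return 0, nil, fmt.Errorf("no SA for SPI 0x%x", spi)
	}
	if !hmac.Equal(ah[12:], icv(sa.Key, ipHdr, ah, payload)) {
		return 0, nil, errors.New("ICV mismatch: packet modified or wrong key")
	}
	if !sa.acceptSeq(seq) {
		return 0, nil, fmt.Errorf("sequence number %d replayed or too old", seq)
	}
	return ah[0], payload, nil
}

// demoHdr is a constructed IPv4 header 10.1.0.5 -> 10.2.0.7 carrying TCP (6); its
// checksum is left zero (mutable, so outside the ICV and the IP layer's job anyway).
func demoHdr() []byte {
	return []byte{0x45, 0, 0, 0, 0, 0, 0x40, 0, 64, 6, 0, 0, 10, 1, 0, 5, 10, 2, 0, 7}
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key
	out, in := &SA{SPI: 0x1001, Key: key}, &SA{SPI: 0x1001, Key: key}
	sad := SAD{in.SPI: in}
	p := AHSend(out, demoHdr(), []byte("segment"))
	_, _, err := AHReceive(sad, p)
	fmt.Println("first delivery:", err)
	_, _, err = AHReceive(sad, p)
	fmt.Println("replayed copy: ", err)
}
```

Two separate SA objects are used even though they share SPI and key, because an SA is unidirectional: the sender's only state is its counter, the receiver's is the window. A router decrementing TTL does not disturb the ICV, flipping one payload byte does, and a second copy of an accepted packet fails on the window even though its ICV is perfectly valid.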
IPsec ESP
• Used for authentication, integrity and confidentiality.
• The ESP header has fields similar to the AH header (SPI, sequence number), plus an IV and an encrypted trailer (padding, pad length, next header) for encryption purposes.
• The ICV (e.g. an HMAC) is a trailer (rather than a header) due to easier hardware implementation (like Ethernet's CRC): it is computed over the SPI, the sequence number and the ciphertext, and appended after them.
(a) ESP in transport mode (host to host); (b) ESP in tunnel mode (gateway to gateway).
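An added worked example of the ESP packet layout described above (my code, not the course's): AES-GCM in ESP as specified in RFC 4106, where an 8-byte IV follows the sequence number, the padding, pad-length and next-header bytes form an encrypted trailer, and the 16-byte ICV is appended after the ciphertext. The same code serves transport mode (next header 6, the plaintext is a TCP segment) and tunnel mode (next header 4, the plaintext is an entire inner IPv4 packet). Key material, SPI and the inner packet are constructed; the anti-replay window on the sequence number is the same as for AH and is not repeated here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	espIVLen  = 8  // explicit IV carried in the packet (RFC 4106)
	espICVLen = 16 // AES-GCM tag, written as the ESP trailer
	protoTCP  = 6  // transport mode: plaintext is a TCP segment
	protoIPv4 = 4  // tunnel mode: plaintext is a whole inner IPv4 packet
)

// ESPSA is one direction's SA: SPI, AES-GCM key and the 4-byte salt that
// prefixes every nonce (RFC 4106 key material is key || salt).
type ESPSA struct {
	SPI  uint32
	aead cipher.AEAD
	salt []byte
	seq  uint32
}

func NewESPSA(spi uint32, keyMaterial []byte) (*ESPSA, error) {
	if len(keyMaterial) != 16+4 {
		return nil, errors.New("need a 16-byte AES-128 key followed by a 4-byte salt")
	}
	block, err := aes.NewCipher(keyMaterial[:16])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &ESPSA{SPI: spi, aead: aead, salt: keyMaterial[16:]}, nil
}

// Encapsulate builds SPI | seq | IV | encrypted(payload | pad | pad len | next
// header) | ICV. nextHdr is 6 in transport mode and 4 in tunnel mode.
func (sa *ESPSA) Encapsulate(nextHdr byte, plain []byte) ([]byte, error) {
	// ESP trailer: pad so that payload + pad + 2 is a multiple of 4, then the
	// pad length and next header bytes; all of it is encrypted.
	padLen := (4 - (len(plain)+2)%4) % 4
	body := append([]byte(nil), plain...)
	for i := 1; i <= padLen; i++ {
		body = append(body, byte(i)) // RFC 4303 default padding 1, 2, 3, ...
	}
	body = append(body, byte(padLen), nextHdr)

	sa.seq++
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr, sa.SPI)
	binary.BigEndian.PutUint32(hdr[4:], sa.seq)
	iv := make([]byte, espIVLen)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	nonce := append(append([]byte(nil), sa.salt...), iv...)
	// SPI and sequence number stay in the clear but are authenticated (AAD);
	// Seal appends ciphertext and then the 16-byte ICV, giving the trailer layout.
	return sa.aead.Seal(append(hdr, iv...), nonce, body, hdr), nil
}

// Decapsulate checks the ICV before anything else, then decrypts and strips the trailer.
func (sa *ESPSA) Decapsulate(pkt []byte) (byte, []byte, error) {
	if len(pkt) < 8+espIVLen+espICVLen+2 {
		return 0, nil, errors.New("truncated ESP packet")
	}
	hdr, iv, ct := pkt[:8], pkt[8:8+espIVLen], pkt[8+espIVLen:]
	if binary.BigEndian.Uint32(hdr) != sa.SPI {
		return 0, nil, errors.New("SPI does not select this SA")
	}
	nonce := append(append([]byte(nil), sa.salt...), iv...)
	body, err := sa.aead.Open(nil, nonce, ct, hdr)
	if err != nil {
		return 0, nil, fmt.Errorf("ICV check failed: %w", err)
	}
	padLen, nextHdr := int(body[len(body)-2]), body[len(body)-1]
	if padLen+2 > len(body) {
		return 0, nil, errors.New("bad pad length")
	}
	return nextHdr, body[:len(body)-2-padLen], nil
}

func main() {
	km := []byte("0123456789abcdefSALT") // constructed demo key material: key || salt
	snd, _ := NewESPSA(0x2002, km)
	rcv, _ := NewESPSA(0x2002, km)
	// Constructed inner IPv4 packet 10.1.0.5 -> 10.2.0.7 for the tunnel-mode case.
	inner := []byte{0x45, 0, 0, 24, 0, 0, 0x40, 0, 64, 6, 0, 0, 10, 1, 0, 5, 10, 2, 0, 7, 'h', 'i', '!', '!'}
	cases := []struct {
		mode string
		nh   byte
		data []byte
	}{{"transport", protoTCP, []byte("GET / HTTP/1.1")}, {"tunnel", protoIPv4, inner}}
	for _, c := range cases {
		pkt, _ := snd.Encapsulate(c.nh, c.data)
		nh, plain, err := rcv.Decapsulate(pkt)
		fmt.Printf("%s: %d bytes on the wire, next header %d, %d plaintext bytes, err=%v\n",
			c.mode, len(pkt), nh, len(plain), err)
	}
}
```

Because the next-header byte is inside the encrypted trailer, an observer cannot even tell whether the tunnel carries TCP or a whole inner IP packet. The SPI and sequence number are readable, but they are covered by the ICV as associated data, so changing either one is detected before any decryption happens.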
IPsec key management
• Very important component of IPsec.
• Provides to the IPsec parties the symmetric keys used for packet authentication and/or encryption, together with the SPIs and algorithms that make up each SA.
• Keys can be configured manually, but in practice SAs are negotiated automatically with IKE (Internet Key Exchange, today IKEv2), which authenticates the peers and derives fresh keys for each SA.
SSL (Secure Sockets Layer)
• SSL/TLS runs on top of TCP; an SSL VPN is normally reached over HTTPS, i.e. TCP port 443, which is the port firewalls almost always leave open.
• An SSL VPN allows users to connect to VPN devices using a web browser.
• The SSL (Secure Sockets Layer) protocol or TLS (Transport Layer Security) protocol is used to encrypt traffic between the web browser and the SSL VPN device. All SSL versions (2.0 and 3.0) are deprecated and broken; what is actually deployed today is TLS 1.2 or 1.3, and the VPN device should refuse anything older.
• One advantage of SSL VPNs is ease of use, because all standard web browsers support TLS, so for clientless (portal) access users do not need to install or configure any software. Full network access usually still requires a thin client supplied by the gateway.
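As an added example (not part of the slides) of what "the SSL VPN device" should do with protocol versions: a loopback TLS listener standing in for the gateway, configured to accept only TLS 1.2 and 1.3, and a client that pins itself to one version to show that TLS 1.2 and 1.3 succeed while a TLS 1.0 client is refused at the handshake. The certificate is self-signed in memory and the host name vpn.example.test is hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const vpnHost = "vpn.example.test" // hypothetical gateway name

// selfSigned mints an in-memory certificate for the demo gateway and a pool
// that trusts it, standing in for the CA a real browser would check.
func selfSigned() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: vpnHost},
		DNSNames:     []string{vpnHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// StartGateway listens on loopback the way the SSL VPN device listens on 443,
// with MinVersion set so SSL 3.0, TLS 1.0 and TLS 1.1 are refused at the handshake.
func StartGateway() (string, *x509.CertPool, error) {
	cert, pool, err := selfSigned()
	if err != nil {
		return "", nil, err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				// The handshake runs here; a refused version ends the connection with an alert.
				if tc, ok := c.(*tls.Conn); ok && tc.Handshake() == nil {
					c.Write([]byte("welcome to the portal\n"))
				}
			}(c)
		}
	}()
	return ln.Addr().String(), pool, nil
}

// Connect plays the browser pinned to a single protocol version and returns the
// version the gateway agreed to, or the handshake error.
func Connect(addr string, pool *x509.CertPool, version uint16) (uint16, error) {
	cfg := &tls.Config{RootCAs: pool, ServerName: vpnHost, MinVersion: version, MaxVersion: version}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

func main() {
	addr, pool, err := StartGateway()
	if err != nil {
		panic(err)
	}
	for _, v := range []uint16{tls.VersionTLS10, tls.VersionTLS12, tls.VersionTLS13} {
		got, err := Connect(addr, pool, v)
		fmt.Printf("client offers 0x%04x: negotiated 0x%04x err=%v\n", v, got, err)
	}
}
```

The client side is equally important: it only accepts the gateway because the certificate chains to a pool it trusts and the name matches, which is exactly the check a browser does before the portal login page is shown. With an empty pool the same handshake fails, which is what should happen when a user is pointed at a look-alike gateway.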
Modes of Operation
• Each security protocol (AH and ESP) supports two modes of operation
 Tunnel mode (gateway to gateway)
• The whole original packet, header and data, is encapsulated, then encrypted and/or authenticated, and a new outer IP header is added.
 Transport mode (host to host, end to end)
• Only the data (the upper-layer payload) is encrypted and/or authenticated; the original IP header is kept.
VPN Deployment
• VPN is mainly deployed by organizations and enterprises in the following ways:
• Remote Access VPN
 This is a user-to-network connection for the home, or for a mobile user wishing to connect to a corporate private network from a remote location.
 This kind of VPN permits secure, encrypted connections between a corporate private network and remote users.
• Intranet VPN
 Here, a VPN is used to make connections among fixed locations such as branch offices.
 This kind of LAN-to-LAN VPN connection joins multiple remote locations into a single private network.
• Extranet VPN
 This is where a VPN is used to connect business partners, such as suppliers and customers, so as to allow the various parties to work with secure data in a shared environment.
ASSIGNMENT 3
1. Describe the techniques used to create a VPN.
2. What is IKE (Internet Key Exchange), and how does IKE operate?

End of Chapter 5
And Final Chapter For This
Course
Thank you
Most of the content for these slides is taken from Prof. Antonio Lioy's teaching material at www.polito.it
