VPN – Virtual Private Network
Lecturer:
Nguyễn Đức Thái, Ph.D
Report:
13070263 Nguyễn Minh Thành
13070220 Nguyễn Phan Anh
13070268 Nguyễn Ngọc Thuận
7140229 Bùi Tiến Đức
Outline
Introduction VPN
Security - Tunneling
OpenVPN
Conclusion
What is a VPN ?
A Virtual Private Network (VPN) is a type of private network that uses a public network, such as the Internet, instead of leased lines to communicate.
VPN technology enables organizations to create a private network over the public network (Internet) infrastructure that maintains confidentiality and security.
What is a VPN ?
Common Uses of VPN
Remote access over the internet
Common Uses of VPN
Connecting two computer networks securely
VPN benefits
Cost savings
Security - Advanced encryption and authentication protocols protect data from unauthorized access.
Scalability - VPNs use the Internet infrastructure within ISPs and carriers, making it easy for organizations to add new users.
Online markets with the highest VPN usage penetration as of 1st quarter 2014 (chart)
Global VPN and proxy server usage as of 1st quarter 2014, by income (chart)
VPN Characteristics
Data confidentiality
Data integrity
Authentication
Introduction VPN
Private Network
• Leased telephone lines
• Work fine, very secure
• High cost of leased telephone lines between two points
Virtual Private Network
• Overlay networks on top of public networks
• Most of the properties of private networks
• Firewalls, tunnels between offices
• Greater flexibility on the Internet than leased lines
VPN Types
Secure VPNs use cryptographic tunneling protocols
• IPsec, SSL/TLS, OpenVPN, PPTP, L2TP, L2TPv3, VPN-Q and MPVPN
Trusted VPNs rely on the security of a single provider's network to protect the traffic
• MPLS and L2TP, L2F
VPN model
Topology as seen from the inside
Virtual Private Network
Source: Computer Networks - A Tanenbaum - 5th edition, p.822
Each pair of firewalls has to negotiate the parameters of its SA, including the services, modes, algorithms, and keys
Firewalls, VPNs, and IPsec with ESP in tunnel mode are a natural combination and widely used in practice
VPN Products
Components based on the type of VPN (remote-access or site-to-site)
• Desktop software client for each remote user
• Dedicated hardware such as a Cisco VPN Concentrator or a Cisco Secure PIX Firewall
• Dedicated VPN server for dial-up services
• Network Access Server (NAS) used by service providers for remote user VPN access
• Private network and policy management center
• VPN-Enabled Router / VPN-Optimized Router
Secure VPN protocols
Internet Protocol Security (IPsec), developed by the Internet Engineering Task Force (IETF) for IPv6 and also used with IPv4 and the Layer 2 Tunneling Protocol.
Transport Layer Security (SSL/TLS) can tunnel an entire network's traffic (as it does in the OpenVPN and SoftEther VPN projects) or secure an individual connection. A number of vendors provide remote-access VPN capabilities through SSL. An SSL VPN can connect from locations where IPsec runs into trouble with Network Address Translation and firewall rules.
Datagram Transport Layer Security (DTLS) is used in Cisco AnyConnect VPN and in OpenConnect VPN to solve the issues SSL/TLS has with tunneling over UDP.
Microsoft Point-to-Point Encryption (MPPE) works with the Point-to-Point Tunneling Protocol and in several compatible implementations on other platforms.
Microsoft Secure Socket Tunneling Protocol (SSTP) tunnels Point-to-Point Protocol (PPP) or Layer 2 Tunneling Protocol traffic through an SSL 3.0 channel. (SSTP was introduced in Windows Server 2008 and in Windows Vista Service Pack 1.)
Multi Path Virtual Private Network (MPVPN)
Secure Shell (SSH) VPN: OpenSSH offers VPN tunneling (distinct from port forwarding) to secure remote connections to a network or to inter-network links. The OpenSSH server provides a limited number of concurrent tunnels.
Virtual Private Network: 3 Forms
Network - Network (site-to-site)
Host - Network (remote access)
Host - Host
Outline
Introduction VPN
Security - Tunneling
OpenVPN
Conclusion
Security
VPN provides:
Confidentiality, using:
• Authentication: user, message, computer
• Encryption: message
Integrity, using: Message authentication code (MAC)
Protocols: TLS/SSL, IPsec, L2TP, PPTP
TLS/SSL protocol
SSL: Secure Sockets Layer
TLS: Transport Layer Security, based on SSL 3.0
Layers (and protocols) for a home user browsing with SSL
(from Tanenbaum, Wetherall, Computer Networks, 5th edition, 2011, page 854)
TLS/SSL protocol
SSL consists of 2 subprotocols:
one for establishing a secure connection, using certificates and public-key (PK) cryptography
one for using that connection, using symmetric-key (SK) cryptography and HMAC
Reason: SK algorithms run much faster than PK algorithms
TLS/SSL protocol
A simplified version of the SSL connection establishment subprotocol
(from Tanenbaum, Wetherall, Computer Networks, 5th edition, 2011, page 855)
Message authentication code (MAC)
Also called: Message integrity check (MIC)
A MAC is a string used to check a message's authenticity and integrity.
A message digest (MD) is a one-way hash function that takes a plaintext P and computes a fixed-length bit string MD(P).
So, in general, given a plaintext P and a key K, we compute:
MAC = combination of MD(P) and K
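As an added example (not from the slides), the following Python builds a MAC the way the MAC slide describes, combining the message digest MD(P) with the key K. The combination used is HMAC-SHA256, the HMAC construction the SSL/TLS slide names for the data-transfer subprotocol; it is built by hand from hashlib, checked against Python's hmac module and an RFC 4231 test vector, and then used to show that a tampered message or a wrong key is rejected. The demo key and message strings are constructed for this example.

```python
"""Added example: a MAC built from a message digest (SHA-256) and a key K.

HMAC(K, P) = H((K' xor opad) || H((K' xor ipad) || P)), where K' is the key
padded to the hash block size (RFC 2104). This is the "combination of MD(P)
and K" the slide refers to, and the MAC used inside SSL/TLS records.
"""
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 operates on 64-byte blocks; HMAC pads the key to this size


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 built directly from the hash function."""
    # Keys longer than one block are hashed first; shorter keys are zero-padded.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the MAC and compare in constant time (no early exit on the first differing byte)."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)


def demo() -> dict:
    """Run the checks a practitioner would want: stdlib agreement, a known vector, tamper detection."""
    key = b"shared-secret-key"               # constructed demo key
    message = b"transfer 100 to account 42"  # constructed demo message
    tag = hmac_sha256(key, message)
    # RFC 4231 test case 2 (key "Jefe"), a published vector for HMAC-SHA-256.
    rfc_tag = hmac_sha256(b"Jefe", b"what do ya want for nothing?").hex()
    return {
        "matches_stdlib": tag == hmac.new(key, message, hashlib.sha256).digest(),
        "rfc4231_case2": rfc_tag
        == "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843",
        "valid": verify(key, message, tag),
        # Changing one digit of the amount changes MD(P), so the tag no longer matches.
        "tampered_message": verify(key, b"transfer 900 to account 42", tag),
        # Without K the receiver cannot produce or accept the tag.
        "wrong_key": verify(b"other-key", message, tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The receiver must share K with the sender; that is why SSL/TLS first runs the public-key subprotocol to agree on session keys and only then protects data with symmetric encryption and HMAC.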
TLS/SSL protocol
Data transmission using SSL
(from Tanenbaum, Wetherall, Computer Networks, 5th edition, 2011, page 856)
Tunneling
Packet A encapsulates packet B, so that packet B can be transported across a network that uses a different protocol.
This technique is used in L2TP and PPTP.
Tunneling a packet from Paris to London
(from Tanenbaum, Wetherall, Computer Networks, 5th edition, 2011, page 430)
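As an added example (not from the slides or from Tanenbaum), the following Python shows the encapsulation the Tunneling slide describes, using IP-in-IP (IP protocol number 4, RFC 2003): an inner IPv4 packet between two private office hosts is wrapped in an outer IPv4 header addressed between the two tunnel endpoints, and the far end validates the outer header and unwraps it. All addresses and payloads are constructed for the demo (RFC 5737 documentation ranges for the endpoints). Plain IP-in-IP gives neither confidentiality nor integrity; a VPN layers those on top with IPsec ESP or TLS, which this example deliberately leaves out.

```python
"""Added example: IP-in-IP tunneling, i.e. packet A (outer) encapsulating packet B (inner).

Both headers are minimal 20-byte IPv4 headers with correct checksums, built and
parsed by hand so the encapsulation is visible byte for byte.
"""
import struct
from ipaddress import IPv4Address

IPPROTO_IPIP = 4   # outer header says: the payload is another IPv4 packet
IPPROTO_UDP = 17
HEADER_FMT = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of the header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build an IPv4 packet with no options and a filled-in header checksum."""
    hdr = struct.pack(HEADER_FMT, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse and validate a header; return its fields and the payload it carries."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 packet")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(HEADER_FMT, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:  # a header with a correct checksum sums to zero
        raise ValueError("bad header checksum")
    if total_len > len(packet):
        raise ValueError("total length exceeds packet")
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry (the Paris end): wrap packet B in outer packet A."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(outer_packet: bytes, expected_peer: str) -> bytes:
    """Tunnel exit (the London end): check the outer header, return the inner packet."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    if outer["src"] != expected_peer:
        raise ValueError("outer source is not the configured tunnel peer")
    parse_ipv4(outer["payload"])  # validate the inner header before forwarding it
    return outer["payload"]


def rejected(outer_packet: bytes, peer: str) -> bool:
    """True if the tunnel exit refuses the packet."""
    try:
        decapsulate(outer_packet, peer)
        return False
    except ValueError:
        return True


def demo() -> dict:
    # Inner packet B: a UDP datagram between two private office hosts (constructed).
    udp = struct.pack("!HHHH", 5000, 53, 8 + 5, 0) + b"hello"  # UDP checksum 0 = absent (allowed on IPv4)
    inner = build_ipv4("10.1.0.7", "10.2.0.9", IPPROTO_UDP, udp)
    # Outer packet A: addressed between the tunnel endpoints (RFC 5737 documentation addresses).
    outer = encapsulate(inner, "192.0.2.1", "198.51.100.1")
    recovered = decapsulate(outer, expected_peer="192.0.2.1")
    fields = parse_ipv4(recovered)
    # Flip a byte inside the inner header (offset 30 = inner checksum) to show the check fires.
    corrupted = outer[:30] + bytes([outer[30] ^ 0xFF]) + outer[31:]
    return {
        "outer_len": len(outer),            # 20 outer + 20 inner + 13 UDP = 53
        "outer_proto": parse_ipv4(outer)["proto"],
        "inner_intact": recovered == inner,
        "inner_src": fields["src"], "inner_dst": fields["dst"], "inner_proto": fields["proto"],
        "corrupted_rejected": rejected(corrupted, "192.0.2.1"),
        "wrong_peer_rejected": rejected(outer, "203.0.113.9"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The outer header is all the public network sees, so the routers between Paris and London forward on the tunnel endpoint addresses and never look at the private 10.x.x.x addresses inside. Rejecting packets whose outer source is not the configured peer is the minimal sanity check at the tunnel exit; it is not authentication, since the outer source address is unauthenticated, which is what IPsec ESP adds.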
Outline
Introduction VPN
Security - Tunneling
OpenVPN
Conclusion