Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh
• Provides secure remote access to individuals and businesses outside your network.
• VPNs use the Internet to route LAN traffic from one private network to another.
• The packets are unreadable by intermediary Internet computers because they are encrypted, and they can encapsulate (or carry) any kind of LAN communication.
• VPN systems do not protect your network; they merely transport data.
• Most modern VPN systems are combined with firewalls in a single device.
• The remote client authenticates itself to the VPN gateway.
• The client acquires a private IP address via DHCP-over-IPSec.
• The remote client is now part of the private network.
• VPNs solve the problem of direct Internet access to servers through a combination of the following fundamental components:
1. IP encapsulation
2. Cryptographic authentication
3. Data payload encryption
• Although cryptographic authentication and data payload encryption may seem like the same thing at first, they are actually entirely different functions.
• Secure Sockets Layer (SSL) performs data payload encryption without cryptographic authentication of the remote user.
• A standard Windows logon performs cryptographic authentication without performing data payload encryption.
• An IP packet can contain any kind of information: program files, spreadsheet data, audio streams, or even other IP packets.
• When an IP packet contains another IP packet, it is called IP encapsulation, IP over IP, or IP/IP.
• Private networks should always use private address ranges for their internal networking and use Network Address Translation or proxying to access the public Internet.
• IP encapsulation can make it appear to computers inside the private network that distant networks are actually adjacent, separated from each other by a single router.
• In reality they are separated by many Internet routers and gateways, and they may not even use the same address space, because both internal networks are using address translation.
• The tunnel endpoint (a router, firewall, VPN appliance, or a server running a tunneling protocol) receives the public IP packet, removes the internal packet contained within it, decrypts it (assuming it is encrypted; it does not have to be), and then applies its routing rules to send the embedded packet on its way in the internal network.
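The IP/IP encapsulation and tunnel-endpoint behaviour of the last few slides, as an added example that is not part of the lecture: a minimal IPv4 packet builder and parser, an ingress gateway that wraps a private packet inside a public one, and an egress endpoint that validates the outer header, checks that it came from the expected tunnel peer, unwraps the inner packet and applies longest-prefix routing rules. All addresses, routes and the verdict-dict interface are constructed for the demonstration; the tunnel is unencrypted plain IP/IP.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # IANA protocol number for IP-in-IP (the slides' "IP/IP")


def ipv4_checksum(data: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet: a 20-byte header without options, then the payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    checksum = struct.pack("!H", ipv4_checksum(header))
    return header[:10] + checksum + header[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse and validate a 20-byte IPv4 header; raises ValueError on damage."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def route_lookup(dst: str, routes: list) -> str:
    """Longest-prefix match over (prefix, next_hop) pairs: the endpoint's routing rules."""
    addr, best = ipaddress.IPv4Address(dst), None
    for prefix, next_hop in routes:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise LookupError("no route to %s" % dst)
    return best[1]


def encapsulate(inner_packet: bytes, public_src: str, public_dst: str) -> bytes:
    """Tunnel ingress: the whole private packet becomes the payload of a public packet."""
    return build_ipv4(public_src, public_dst, IPPROTO_IPIP, inner_packet)


def tunnel_endpoint_receive(outer_packet: bytes, routes: list, expected_peer: str) -> dict:
    """Tunnel egress: validate the outer packet, unwrap the inner one, pick its next hop.
    Returns a verdict dict instead of raising so a caller can log every rejection reason."""
    try:
        outer = parse_ipv4(outer_packet)
        if outer["proto"] != IPPROTO_IPIP:
            return {"ok": False, "reason": "outer protocol %d is not IP-in-IP" % outer["proto"]}
        if outer["src"] != expected_peer:
            return {"ok": False, "reason": "outer source %s is not the tunnel peer" % outer["src"]}
        inner = parse_ipv4(outer["payload"])
        if not ipaddress.IPv4Address(inner["dst"]).is_private:
            return {"ok": False, "reason": "inner destination %s is not a private address" % inner["dst"]}
        # An encrypted tunnel would decrypt outer["payload"] before this point; plain IP/IP does not.
        return {"ok": True, "inner": inner, "next_hop": route_lookup(inner["dst"], routes)}
    except (ValueError, LookupError) as exc:
        return {"ok": False, "reason": str(exc)}


# Constructed sample: site A uses 10.1.0.0/16, site B uses 10.2.0.0/16; the two gateways reach
# each other over the documentation-range "public" addresses 198.51.100.10 and 203.0.113.20.
SITE_B_ROUTES = [("10.2.0.0/16", "10.2.0.1"), ("10.2.5.0/24", "10.2.5.1"), ("0.0.0.0/0", "203.0.113.1")]
INNER = build_ipv4("10.1.0.7", "10.2.5.20", 6, b"hello over the tunnel")  # proto 6 = TCP
OUTER = encapsulate(INNER, "198.51.100.10", "203.0.113.20")

if __name__ == "__main__":
    print(tunnel_endpoint_receive(OUTER, SITE_B_ROUTES, expected_peer="198.51.100.10"))
    damaged = OUTER[:13] + bytes([OUTER[13] ^ 0x01]) + OUTER[14:]  # one bit flipped in the outer header
    print(tunnel_endpoint_receive(damaged, SITE_B_ROUTES, expected_peer="198.51.100.10"))
```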
• Cryptographic authentication is used to securely validate the identity of the remote user so the system can determine what level of security is appropriate for that user.
• In order for two devices from different vendors to be compatible, they must
› support the same authentication and payload encryption algorithms, and
› implement them in the same way.
• Data payload encryption is used to obfuscate the contents of the encapsulated data without relying on encapsulating an entire packet within another packet.
• In that manner, data payload encryption is exactly like normal IP networking except that the data payload has been encrypted.
• Data payload encryption obfuscates the data but does not keep header information private, so details of the internal network can be ascertained by analyzing the header information.
VPNs are:
• cheaper than WANs
• easier to establish than WANs
• slower than LANs
• less reliable
• less secure than local LANs and WANs
VPN protocols:
• IPSec tunnel mode
• L2TP
• PPTP
• IPSec is the IETF's standard suite for secure IP communications; it relies on encryption to ensure the authenticity and privacy of IP communications.
• IPSec provides mechanisms that can be used to do the following:
› Authenticate individual IP packets and guarantee that they are unmodified.
› Encrypt the payload (data) of individual IP packets between two end systems.
› Encapsulate a TCP or UDP socket between two end systems (hosts) inside an encrypted IP link (tunnel) established between intermediate systems (routers) to provide virtual private networking.
• IPSec performs these three functions using three independent mechanisms:
› Authenticated Headers (AH) to provide authenticity (integrity)
› Encapsulating Security Payload (ESP) to encrypt the data portion of an IP packet (integrity and confidentiality)
› Internet Key Exchange (IKE) for exchanging public keys (authentication)
• AH computes a checksum of the header information of a TCP/IP packet.
• It encrypts the checksum with the public key of the receiver.
• The receiver decrypts the checksum with its key.
• It checks the header against the checksum.
• If the computed checksum is different:
› decryption failed, or
› the header has been modified.
• Because NAT changes header information, IPSec AH cannot be reliably passed through a NAT.
• ESP can still be used to encrypt the payload, but support for ESP without AH varies among implementations of IPSec.
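Why AH breaks behind a NAT while ESP does not, as an added example that is not part of the lecture. It models AH's integrity check with a keyed HMAC over the IP header (TTL zeroed as a mutable field) plus the payload, which is how the AH standard computes its ICV, rather than the "encrypt the checksum with the receiver's public key" wording of the AH slide above; the keys, addresses, packet dicts and the toy SHAKE256 stream cipher used for ESP are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

# Constructed shared keys for one security association (a real SA gets these from IKE).
AH_KEY = b"constructed-ah-integrity-key"
ESP_ENC_KEY = b"constructed-esp-encryption-key"
ESP_AUTH_KEY = b"constructed-esp-integrity-key"
ICV_LEN = 32  # HMAC-SHA256 output length


def covered_header(pkt: dict) -> bytes:
    """Header fields AH protects. TTL is 'mutable' (every router decrements it), so AH treats
    it as zero; the addresses are immutable, which is exactly the field a NAT rewrites.
    (In a real packet the protocol field would read 51 = AH; the dict keeps the original.)"""
    return struct.pack("!4s4sBB", ipaddress.IPv4Address(pkt["src"]).packed,
                       ipaddress.IPv4Address(pkt["dst"]).packed, pkt["proto"], 0)


def ah_protect(pkt: dict, key: bytes) -> dict:
    """AH: the ICV is a keyed MAC over the IP header (mutable fields zeroed) plus the payload."""
    icv = hmac.new(key, covered_header(pkt) + pkt["payload"], hashlib.sha256).digest()
    return dict(pkt, icv=icv)


def ah_verify(pkt: dict, key: bytes) -> bool:
    expected = hmac.new(key, covered_header(pkt) + pkt["payload"], hashlib.sha256).digest()
    return hmac.compare_digest(pkt["icv"], expected)


def esp_protect(pkt: dict, enc_key: bytes, auth_key: bytes, spi: int, seq: int) -> dict:
    """ESP (transport mode): encrypt the payload, then MAC the ESP header plus ciphertext.
    The outer IP header is deliberately NOT covered, so address rewriting cannot break it."""
    esp_hdr = struct.pack("!II", spi, seq)
    keystream = hashlib.shake_256(enc_key + esp_hdr).digest(len(pkt["payload"]))  # toy stream cipher
    ciphertext = bytes(a ^ b for a, b in zip(pkt["payload"], keystream))
    icv = hmac.new(auth_key, esp_hdr + ciphertext, hashlib.sha256).digest()
    return dict(pkt, payload=esp_hdr + ciphertext + icv)


def esp_open(pkt: dict, enc_key: bytes, auth_key: bytes) -> Optional[bytes]:
    """Verify the ESP ICV, then decrypt; returns None if integrity fails."""
    data = pkt["payload"]
    esp_hdr, ciphertext, icv = data[:8], data[8:-ICV_LEN], data[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(auth_key, esp_hdr + ciphertext, hashlib.sha256).digest()):
        return None
    keystream = hashlib.shake_256(enc_key + esp_hdr).digest(len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, keystream))


def router_hop(pkt: dict) -> dict:
    """What an ordinary Internet router does: decrement TTL, leave everything else alone."""
    return dict(pkt, ttl=pkt["ttl"] - 1)


def nat_rewrite(pkt: dict, public_src: str) -> dict:
    """What a NAT gateway does on the way out: replace the private source address.
    (Real ESP through NAT additionally needs UDP encapsulation, RFC 3948, because the NAT
    has no transport port to map; the integrity-coverage point shown here is unaffected.)"""
    return dict(pkt, src=public_src)


def simulate() -> dict:
    """Run one AH-protected and one ESP-protected packet through a router and then a NAT."""
    # Constructed packet from a host behind a NAT to a peer on the Internet.
    original = {"src": "10.0.0.5", "dst": "203.0.113.7", "proto": 6, "ttl": 64,
                "payload": b"GET /internal/report HTTP/1.0\r\n"}
    ah_pkt = ah_protect(original, AH_KEY)
    esp_pkt = esp_protect(original, ESP_ENC_KEY, ESP_AUTH_KEY, spi=0x1001, seq=1)
    tampered = dict(router_hop(ah_pkt), payload=b"GET /public/report HTTP/1.0\r\n")
    return {
        "ah_after_router": ah_verify(router_hop(ah_pkt), AH_KEY),  # True: TTL is mutable, not covered
        "ah_after_nat": ah_verify(nat_rewrite(router_hop(ah_pkt), "198.51.100.1"), AH_KEY),  # False
        "ah_payload_tampered": ah_verify(tampered, AH_KEY),  # False: payload is covered too
        "esp_after_nat": esp_open(nat_rewrite(router_hop(esp_pkt), "198.51.100.1"),
                                  ESP_ENC_KEY, ESP_AUTH_KEY) == original["payload"],  # True
    }


if __name__ == "__main__":
    print(simulate())
```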
• With Encapsulating Security Payload, the transmitter encrypts the payload of an IP packet using the public key of the receiver.
• The receiver then decrypts the payload upon receipt and acts accordingly.
• In early IPSec systems, public keys were manually installed via file transfer or by actually typing them in.
• Each machine's public key had to be installed on the reciprocal machine.
• As the number of security associations a host required increased, the burden of manually keying machines became seriously problematic.
• The Internet Key Exchange (IKE) protocol obviates the necessity to manually key systems.
• IKE uses private key security to validate the remote firewall's authority to create an IPSec connection and to securely exchange public keys.
• Once the public keys are exchanged and the encryption protocols are negotiated, a security association is automatically created on both hosts and normal IPSec communications can be established.
• Layer 2 Tunneling Protocol (L2TP) is an extension to the Point-to-Point Protocol (PPP).
• PPP is the protocol used when you dial into the Internet with a modem.
• It transfers data from your computer to a remote access server at your ISP.
• The ISP forwards the data on to the Internet.
• Like PPP, L2TP includes a mechanism for secure authentication using a number of different authentication mechanisms.
• Unlike pure IPSec tunneling, L2TP can support any interior protocol, including Internetwork Packet Exchange (IPX), AppleTalk and NetBEUI.
• L2TP packets can also be encrypted using IPSec.
• L2TP can be transported over any Data Link layer protocol (ATM, Ethernet, etc.) or Network layer protocol (IP, IPX, etc.).
• L2TP supports the three requisite functions to create a VPN: authentication, encryption, and tunneling.
• Microsoft and Cisco both recommend L2TP as their primary method for creating VPNs.
• It is not yet supported by most firewall vendors, however, and it does not transit network address translators well.
• PPTP was Microsoft's first attempt at secure remote access for network users.
• PPTP creates an encrypted PPP session between two TCP/IP hosts.
• Unlike L2TP, PPTP operates only over TCP/IP.
• PPTP does not use IPSec to encrypt packets; it uses a hash of the user's Windows NT password to create a private key between the client and the remote server.
• Because of its ubiquity, routing flexibility, and ease of use, PPTP is probably the most common form of VPN.
• Use a real firewall
› Firewalls make ideal VPN endpoints because they can route translated packets between private systems.
• Secure the base operating system
› No VPN solution provides effective security if the operating system of the machine is not secure.
• Use packet filtering to reject unknown hosts
› You should always use packet filtering to reject connection attempts from every computer except those you have specifically set up to connect to your network remotely.
• Compress before you encrypt
› Properly encrypted data cannot be compressed.
› This means that if you want to use compression, you must compress before you encrypt.
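The "compress before you encrypt" rule measured, as an added example that is not part of the lecture: the same constructed log excerpt is sent compress-then-encrypt and encrypt-then-compress, and the on-the-wire sizes are compared. The SHAKE256 XOR stream cipher is a constructed stand-in for the VPN's cipher, not a production cipher, and the sample data and key are likewise constructed.

```python
import hashlib
import zlib


def stream_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy single-use stream cipher: XOR with a SHAKE256 keystream (illustrative only).
    Decrypting is the same call with the same key."""
    keystream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def size_report(plaintext: bytes, key: bytes) -> dict:
    """Compare the two orderings and report the sizes that end up on the wire."""
    compress_then_encrypt = stream_encrypt(key, zlib.compress(plaintext, 9))        # recommended order
    encrypt_then_compress = zlib.compress(stream_encrypt(key, plaintext), 9)        # wrong order
    return {
        "plaintext": len(plaintext),
        "compress_then_encrypt": len(compress_then_encrypt),
        "encrypt_then_compress": len(encrypt_then_compress),
        "ratio_right_order": round(len(compress_then_encrypt) / len(plaintext), 3),
        "ratio_wrong_order": round(len(encrypt_then_compress) / len(plaintext), 3),
    }


def round_trip(plaintext: bytes, key: bytes) -> bool:
    """Receiver side of the right order: decrypt first, then decompress."""
    wire = stream_encrypt(key, zlib.compress(plaintext, 9))
    return zlib.decompress(stream_encrypt(key, wire)) == plaintext


# Constructed sample: the kind of repetitive LAN traffic a VPN link carries (a syslog excerpt).
SAMPLE = b"".join(
    b"Jan  1 00:00:%02d fileserver smbd[1234]: session setup from 10.0.0.%d ok\n" % (i % 60, i % 250)
    for i in range(200)
)
KEY = b"constructed-session-key"

if __name__ == "__main__":
    # Ciphertext is indistinguishable from random to the compressor, so the wrong order
    # produces output at least as large as the input; the right order shrinks it a lot.
    print(size_report(SAMPLE, KEY))
```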
• Secure remote hosts
› Consider the case of a home user with more than one computer who is using a proxy product like WinGate to share their Internet connection and also has a VPN tunnel established over the Internet to your network.
› Any hacker on the planet could then proxy through the WinGate server directly into your private network.

Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

L4 vpn

• 1. Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh
• 2.
 Provides secure remote access to individuals and businesses outside your network.
 They use the Internet to route LAN traffic from one private network to another.
 The packets are unreadable by intermediary Internet computers because they are encrypted, and they can encapsulate (or carry) any kind of LAN communications.
• 3.
 VPN systems do not protect your network—they merely transport data.
 Most modern VPN systems are combined with firewalls in a single device.
• 4. (figure only)
• 5. (figure only)
• 6.
 The remote client authenticates itself to the VPN gateway.
 The client acquires a private IP address with DHCP-over-IPSec.
 The remote client is now part of the private network.
• 7. (figure only)
• 8.
 VPNs solve the problem of direct Internet access to servers through a combination of the following fundamental components:
 1. IP encapsulation
 2. Cryptographic authentication
 3. Data payload encryption
• 9.
 Although cryptographic authentication and data payload encryption may seem like the same thing at first, they are actually entirely different functions.
 Secure Sockets Layer (SSL) performs data payload encryption without cryptographic authentication of the remote user.
 A standard Windows logon performs cryptographic authentication without performing data payload encryption.
• 10.
 The remote client authenticates itself to the VPN gateway.
 The client acquires a private IP address with DHCP-over-IPSec.
 The remote client is now part of the private network.
• 11.
 An IP packet can contain any kind of information: program files, spreadsheet data, audio streams, or even other IP packets.
 When an IP packet contains another IP packet, it is called IP encapsulation, IP over IP, or IP/IP.
 Private networks should always use private address ranges for their internal networking and use Network Address Translation or proxying to access the public Internet.
• 12.
 IP encapsulation can make it appear to computers inside the private network that distant networks are actually adjacent—separated from each other by a single router.
 But they are actually separated by many Internet routers and gateways that may not even use the same address space, because both internal networks are using address translation.
• 13. (figure only)
• 14.
 The tunnel endpoint—be it a router, firewall, VPN appliance, or a server running a tunneling protocol—will receive the public IP packet, remove the internal packet contained within it, decrypt it (assuming that it’s encrypted—it doesn’t have to be), and then apply its routing rules to send the embedded packet on its way in the internal network.
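The encapsulation described on slides 11 to 14, worked through in code. This is an added example, not from the slides: it builds a private-addressed IPv4 packet, wraps it in an outer packet between two gateways (outer protocol number 4, the IANA value for IP-in-IP), and has the tunnel exit strip the outer header, verify the checksum, and refuse to forward an inner packet whose destination is not in private address space. The gateway addresses, payload and helper names are constructed for the example; encryption is left out, as slide 14 notes it is optional for plain encapsulation.

```python
"""IP-in-IP encapsulation and the tunnel endpoint's unwrapping step (added example)."""
import ipaddress
import struct

IPPROTO_IPIP = 4   # outer-header protocol number for IP-in-IP
IPPROTO_TCP = 6
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options

# RFC 1918 ranges: the only destinations a tunnel exit should route internally
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ip_checksum(data: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Assemble a minimal IPv4 packet with a correct header checksum."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Validate version, lengths and checksum, then split header fields from payload."""
    if len(pkt) < 20:
        raise ValueError("truncated packet")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(pkt) or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    if ip_checksum(pkt[:ihl]) != 0:          # a header carrying a valid checksum sums to zero
        raise ValueError("bad header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def encapsulate(inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel entry: the whole private-addressed packet becomes the payload of a public one."""
    return build_ipv4(gw_src, gw_dst, IPPROTO_IPIP, inner)


def tunnel_exit(outer: bytes, my_public_ip: str) -> dict:
    """Tunnel endpoint (slide 14): strip the outer header and hand the inner packet to internal routing."""
    o = parse_ipv4(outer)
    if o["dst"] != my_public_ip or o["proto"] != IPPROTO_IPIP:
        raise ValueError("not a tunnel packet addressed to this endpoint")
    inner = parse_ipv4(o["payload"])
    if not any(ipaddress.IPv4Address(inner["dst"]) in net for net in PRIVATE_RANGES):
        raise ValueError("refusing to route a decapsulated packet to a public address")
    return inner


def exit_accepts(outer: bytes, my_public_ip: str) -> bool:
    """Policy check without the exception: does the tunnel exit forward this packet?"""
    try:
        tunnel_exit(outer, my_public_ip)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    inner = build_ipv4("192.168.1.10", "10.0.0.5", IPPROTO_TCP, b"constructed TCP segment")
    outer = encapsulate(inner, "203.0.113.1", "198.51.100.1")   # constructed gateway addresses
    print(len(inner), len(outer), tunnel_exit(outer, "198.51.100.1"))
```

The `PRIVATE_RANGES` check is the caveat behind slide 11's advice on private addressing: a tunnel exit that forwards whatever it unwraps turns the tunnel into a path from the remote site, through the private network, to anywhere its routing table can reach.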
• 15.
 Cryptographic authentication is used to securely validate the identity of the remote user so the system can determine what level of security is appropriate for that user.
 In order for two devices from different vendors to be compatible, they must
 › support the same authentication and payload encryption algorithms, and
 › implement them in the same way.
• 16.
 Data payload encryption is used to obfuscate the contents of the encapsulated data without relying on encapsulating an entire packet within another packet.
 In that manner, data payload encryption is exactly like normal IP networking except that the data payload has been encrypted.
• 17.
 It obfuscates the data but does not keep header information private, so details of the internal network can be ascertained by analyzing the header information.
• 18.
 Cheaper than WANs
 Easier to establish than WANs
 Slower than LANs
 Less reliable
 Less secure than local LANs and WANs
• 19.
 IPSec tunnel mode
 L2TP
 PPTP
• 20.
 IPSec is the IETF’s standard suite for secure IP communications; it relies on encryption to ensure the authenticity and privacy of IP communications.
• 21.
 IPSec provides mechanisms that can be used to do the following:
 › Authenticate individual IP packets and guarantee that they are unmodified.
 › Encrypt the payload (data) of individual IP packets between two end systems.
 › Encapsulate a TCP or UDP socket between two end systems (hosts) inside an encrypted IP link (tunnel) established between intermediate systems (routers) to provide virtual private networking.
• 22.
 IPSec performs these three functions using three independent mechanisms:
 Authenticated Headers (AH) to provide authenticity (integrity)
 Encapsulating Security Payload (ESP) to encrypt the data portion of an IP packet (integrity and confidentiality)
 Internet Key Exchange (IKE) for exchanging public keys (authentication)
• 23.
 The sender computes a checksum of the header information of a TCP/IP packet.
 It encrypts the checksum with the public key of the receiver.
 The receiver decrypts the checksum with its key.
 It checks the header against the checksum.
 If the computed checksum is different:
 › decryption failed, or
 › the header has been modified.
• 24.
 Because NAT changes header information, IPSec AH cannot be reliably passed through a NAT.
 ESP can still be used to encrypt the payload, but support for ESP without AH varies among implementations of IPSec.
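The AH check of slide 23 and the NAT problem of slide 24, shown together. This is an added example, not from the slides, and it models what AH actually computes: a keyed integrity check value (HMAC) over the IP header and payload under a shared key, with the header fields a router legitimately rewrites in transit (TTL and header checksum) zeroed before hashing, rather than the public-key-encrypted checksum the slide describes. A plain router hop still verifies; a NAT hop that rewrites the source address does not, and neither does a modified payload. The key, addresses and payload are constructed sample values.

```python
"""Why an AH-style integrity check survives routers but not NAT (added example)."""
import hashlib
import hmac
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"
ICV_LEN = 16   # HMAC-SHA-256 output truncated to 128 bits, as IPsec does for this MAC


def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header; checksum left zero because AH does not cover it anyway."""
    return struct.pack(IPV4_FMT, 0x45, 0, 0, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def ah_covered(header: bytes, payload: bytes) -> bytes:
    """Bytes the ICV is computed over: header with mutable fields zeroed, then payload.
    TTL is byte 8 and the header checksum is bytes 10-11; the addresses are NOT zeroed."""
    h = bytearray(header)
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h) + payload


def ah_icv(key: bytes, header: bytes, payload: bytes) -> bytes:
    return hmac.new(key, ah_covered(header, payload), hashlib.sha256).digest()[:ICV_LEN]


def ah_verify(key: bytes, header: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(key, header, payload), icv)


def router_hop(header: bytes) -> bytes:
    """An ordinary router only decrements TTL (and recomputes the checksum)."""
    h = bytearray(header)
    h[8] -= 1
    return bytes(h)


def nat_hop(header: bytes, public_src: str) -> bytes:
    """A NAT device rewrites the source address, a field the ICV covers."""
    h = bytearray(header)
    h[12:16] = ipaddress.IPv4Address(public_src).packed
    return bytes(h)


def demo(key: bytes = b"constructed-shared-key") -> dict:
    """Run one packet through a router, then a NAT, and report what the receiver concludes."""
    header = ipv4_header("192.168.1.10", "10.0.0.5", 6)
    payload = b"constructed TCP segment"
    icv = ah_icv(key, header, payload)              # attached by the sender
    after_router = router_hop(header)
    after_nat = nat_hop(after_router, "203.0.113.1")
    return {
        "after_router": ah_verify(key, after_router, payload, icv),            # True
        "after_nat": ah_verify(key, after_nat, payload, icv),                  # False
        "payload_tampered": ah_verify(key, after_router, payload + b"!", icv), # False
    }


if __name__ == "__main__":
    print(demo())
```

The receiver cannot tell a NAT rewrite from an attacker's modification; both simply fail verification, which is why slide 24 says AH cannot reliably pass through a NAT and why deployments behind NAT rely on ESP instead.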
• 25.
 With Encapsulating Security Payload, the transmitter encrypts the payload of an IP packet using the public key of the receiver.
 The receiver then decrypts the payload upon receipt and acts accordingly.
• 26.
 In early IPSec systems, public keys were manually installed via file transfer or by actually typing them in.
 Each machine’s public key had to be installed on the reciprocal machine.
 As the number of security associations a host required increased, the burden of manually keying machines became seriously problematic.
• 27.
 The Internet Key Exchange (IKE) protocol obviates the necessity to manually key systems.
 IKE uses private key security to validate the remote firewall’s authority to create an IPSec connection and to securely exchange public keys.
 Once the public keys are exchanged and the encryption protocols are negotiated, a security association is automatically created on both hosts and normal IPSec communications can be established.
• 28.
 Layer 2 Tunneling Protocol (L2TP) is an extension to the Point-to-Point Protocol (PPP).
 PPP is the protocol used when you dial into the Internet with a modem.
 It transfers data from your computer to a remote access server at your ISP.
 The ISP forwards the data on to the Internet.
• 29.
 Like PPP, L2TP includes a mechanism for secure authentication using a number of different authentication mechanisms.
 Unlike pure IPSec tunneling, L2TP can support any interior protocol, including Internetwork Packet Exchange (IPX), AppleTalk and NetBEUI.
 L2TP packets can also be encrypted using IPSec.
• 30.
 L2TP can be transported over any Data Link layer protocol (ATM, Ethernet, etc.) or Network layer protocol (IP, IPX, etc.).
 L2TP supports the three requisite functions to create a VPN: authentication, encryption, and tunneling.
• 31.
 Microsoft and Cisco both recommend L2TP as their primary method for creating VPNs.
 It is not yet supported by most firewall vendors, however, and it does not transit network address translators well.
• 32.
 PPTP was Microsoft’s first attempt at secure remote access for network users.
 PPTP creates an encrypted PPP session between two TCP/IP hosts.
 Unlike L2TP, PPTP operates only over TCP/IP.
 PPTP does not use IPSec to encrypt packets; it uses a hash of the user’s Windows NT password to create a private key between the client and the remote server.
• 33.
 Because of its ubiquity, routing flexibility, and ease of use, PPTP is probably the most common form of VPN.
• 34.
 Use a real firewall
 › Firewalls make ideal VPN endpoints because they can route translated packets between private systems.
 Secure the base operating system
 › No VPN solution provides effective security if the operating system of the machine is not secure.
• 35.
 Use packet filtering to reject unknown hosts
 › You should always use packet filtering to reject connection attempts from every computer except those you’ve specifically set up to connect to your network remotely.
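Slide 35's rule as a default-deny filter in front of an IPsec endpoint. This is an added example, not from the slides: unknown source addresses are rejected before anything else is considered, and known peers are admitted only to the services an IPsec gateway needs. Those services (IKE on UDP port 500, IKE/ESP NAT traversal on UDP port 4500, and the ESP and AH IP protocols, numbers 50 and 51) come from the IPsec standards, not from the slides; the peer list and the sample packets are constructed.

```python
"""Default-deny packet filter for a VPN endpoint (added example)."""
import ipaddress
from typing import NamedTuple, Optional

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
IKE_PORTS = {500, 4500}   # IKE, and IKE/ESP encapsulated for NAT traversal

# Only addresses explicitly provisioned for remote access (constructed sample)
KNOWN_PEERS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]


class Packet(NamedTuple):
    src: str
    proto: int
    dport: Optional[int] = None   # only meaningful for UDP/TCP


def is_known_peer(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in KNOWN_PEERS)


def decide(pkt: Packet) -> str:
    """Reject unknown hosts first; admit only the IPsec services; drop everything else."""
    if not is_known_peer(pkt.src):
        return "DROP unknown-host"
    if pkt.proto in (IPPROTO_ESP, IPPROTO_AH):
        return "ACCEPT ipsec"
    if pkt.proto == IPPROTO_UDP and pkt.dport in IKE_PORTS:
        return "ACCEPT ike"
    return "DROP unexpected-service"


def filter_log(packets) -> dict:
    """Apply the policy to a batch and tally the decisions, as a firewall log summary would."""
    tally: dict = {}
    for p in packets:
        verdict = decide(p)
        tally[verdict] = tally.get(verdict, 0) + 1
    return tally


SAMPLE = [  # constructed connection attempts
    Packet("203.0.113.5", IPPROTO_UDP, 500),    # IKE from a known peer
    Packet("203.0.113.5", IPPROTO_ESP),         # ESP from the same peer
    Packet("198.51.100.7", IPPROTO_UDP, 4500),  # NAT-traversal IKE from a known peer
    Packet("198.51.100.7", 6, 22),              # SSH from a known peer is still not a VPN service
    Packet("192.0.2.9", IPPROTO_UDP, 500),      # well-formed IKE, but from an unknown host
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p, "->", decide(p))
    print(filter_log(SAMPLE))
```

The ordering matters: the host check comes first so that an unknown host never reaches the service rules, and the final line is a drop, so a service that was never explicitly allowed is never reachable.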
• 36.
 Compress before you encrypt
 › Properly encrypted data cannot be compressed.
 › This means that if you want to use compression, you must compress before you encrypt.
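One block serving two of the slides' points: that payload encryption leaves the IP header readable to anyone on the path (slides 16, 17 and 25), and that compression only works if it happens before encryption (slide 36). This is an added example, not from the slides. The keystream is a toy counter-mode construction built from HMAC-SHA-256, standing in for the AES modes real ESP uses because the Python standard library has no AES; it must never be reused with the same key and nonce. The addresses, key, nonce and payload are constructed sample values.

```python
"""Payload-only encryption, the header it leaves visible, and compress-then-encrypt (added example)."""
import hashlib
import hmac
import ipaddress
import struct
import zlib

IPV4_FMT = "!BBHHHBBH4s4s"


def ipv4_header(src: str, dst: str, proto: int) -> bytes:
    """20-byte IPv4 header (checksum left zero; not the point of this example)."""
    return struct.pack(IPV4_FMT, 0x45, 0, 0, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream from HMAC-SHA-256; a stand-in for a real cipher."""
    blocks, counter = [], 0
    while sum(map(len, blocks)) < length:
        blocks.append(hmac.new(key, nonce + struct.pack("!Q", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_protect(key: bytes, nonce: bytes, header: bytes, payload: bytes, compress: bool = True) -> bytes:
    """Encrypt only the payload; the header travels in the clear so routers can forward it."""
    body = zlib.compress(payload) if compress else payload
    return header + xor_bytes(body, keystream(key, nonce, len(body)))


def esp_unprotect(key: bytes, nonce: bytes, packet: bytes, compressed: bool = True) -> tuple:
    """Receiver side: decrypt, then decompress if the sender compressed."""
    header, body = packet[:20], packet[20:]
    plain = xor_bytes(body, keystream(key, nonce, len(body)))
    return header, (zlib.decompress(plain) if compressed else plain)


def visible_addresses(packet: bytes) -> tuple:
    """What an on-path observer still reads from a payload-encrypted packet (slide 17)."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))


def size_by_order(key: bytes, nonce: bytes, payload: bytes) -> dict:
    """Compare compress-then-encrypt with encrypt-then-compress on the same payload."""
    ks = keystream(key, nonce, len(payload))
    compress_first = xor_bytes(zlib.compress(payload), ks)      # what slide 36 recommends
    encrypt_first = zlib.compress(xor_bytes(payload, ks))       # compressing ciphertext gains nothing
    return {"plain": len(payload),
            "compress_then_encrypt": len(compress_first),
            "encrypt_then_compress": len(encrypt_first)}


if __name__ == "__main__":
    key, nonce = b"constructed-key", b"nonce-01"
    hdr = ipv4_header("192.168.1.10", "10.0.0.5", 6)
    payload = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n" * 20   # constructed, repetitive
    pkt = esp_protect(key, nonce, hdr, payload)
    print(visible_addresses(pkt), size_by_order(key, nonce, payload))
```

Two things to take from running it: the private source and destination addresses are recoverable from the protected packet even though the payload is not, which is the header exposure slide 17 warns about and the reason tunnel mode wraps the whole inner packet; and the ciphertext, being indistinguishable from random bytes, comes out of the compressor no smaller than it went in.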
• 37.
 Secure remote hosts
 › Consider the case of a home user with more than one computer who is using a proxy product like WinGate to share their Internet connection and also has a VPN tunnel established over the Internet to your network.
 › Any hacker on the planet could then proxy through the WinGate server directly into your private network.