2. Provides secure remote access to individuals and businesses outside your network.
They use the Internet to route LAN traffic from one private network to another.
The packets are unreadable by intermediary Internet computers because they are encrypted, and they can encapsulate (or carry) any kind of LAN communications.
Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 2
3. VPN systems do not protect your network—they merely transport data.
Most modern VPN systems are combined with firewalls in a single device.
6. Remote client authenticates itself on the VPN Gateway.
The client acquires a private IP address with DHCP-over-IPSec.
Remote client is now part of the private network.
8. VPNs solve the problem of direct Internet access to servers through a combination of the following fundamental components:
1. IP encapsulation
2. Cryptographic authentication
3. Data payload encryption
9. Although cryptographic authentication and data payload encryption may seem like the same thing at first, they are actually entirely different functions.
Secure Sockets Layer (SSL) performs data payload encryption without cryptographic authentication of the remote user; standard Windows logon performs cryptographic authentication without performing data payload encryption.
11. An IP packet can contain any kind of information: program files, spreadsheet data, audio streams, or even other IP packets.
When an IP packet contains another IP packet, it is called IP encapsulation, IP over IP, or IP/IP.
Private networks should always use private address ranges for their internal networking and use Network Address Translation or proxying to access the public Internet.
12. IP encapsulation can make it appear to computers inside the private network that distant networks are actually adjacent—separated from each other by a single router.
But they are actually separated by many Internet routers and gateways that may not even use the same address space, because both internal networks are using address translation.
14. The tunnel endpoint—be it a router, firewall, VPN appliance, or a server running a tunneling protocol—will receive the public IP packet, remove the internal packet contained within it, decrypt it (assuming that it’s encrypted—it doesn’t have to be), and then apply its routing rules to send the embedded packet on its way in the internal network.
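As an added illustration (not from the slides), here is the encapsulation and tunnel-exit step of slides 11 to 14 in Python: a private packet is wrapped in a public IP/IP packet, and the receiving endpoint strips the outer header and routes the inner packet by its own rules. It assumes plain IP-in-IP (protocol 4) with no encryption; the addresses and the routing table are constructed.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # protocol number that marks "IP packet inside an IP packet"


def ipv4_checksum(header: bytes) -> int:
    # One's-complement sum over the header's 16-bit words; a correct header
    # (checksum field included) sums to 0.
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    # Minimal 20-byte IPv4 header, no options; checksum filled in afterwards.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def encapsulate(inner: bytes, my_public: str, peer_public: str) -> bytes:
    # Tunnel entry: the private packet becomes the payload of a public-addressed packet.
    return build_ipv4(my_public, peer_public, IPPROTO_IPIP, inner)


# Constructed routing table of the receiving endpoint: (network, interface), most specific first.
ROUTES = [(ipaddress.ip_network("10.1.0.0/16"), "eth1"),
          (ipaddress.ip_network("0.0.0.0/0"), "eth0")]


def tunnel_endpoint_receive(outer: bytes, my_public: str) -> tuple:
    # Tunnel exit (slide 14): accept only IP/IP packets addressed to this endpoint,
    # strip the outer header, then apply the internal routing rules to the inner packet.
    o = parse_ipv4(outer)
    if o["dst"] != my_public or o["proto"] != IPPROTO_IPIP:
        raise ValueError("not a tunnel packet for this endpoint")
    inner = parse_ipv4(o["payload"])
    dst = ipaddress.ip_address(inner["dst"])
    iface = next(iface for net, iface in ROUTES if dst in net)
    return inner["src"], inner["dst"], iface
```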
15. Cryptographic authentication is used to securely validate the identity of the remote user so the system can determine what level of security is appropriate for that user.
In order for two devices from different vendors to be compatible, they must
› support the same authentication and payload encryption algorithms and
› implement them in the same way.
16. Data payload encryption is used to obfuscate the contents of the encapsulated data without relying on encapsulating an entire packet within another packet.
In that manner, data payload encryption is exactly like normal IP networking except that the data payload has been encrypted.
17. Data payload encryption obfuscates the data but does not keep header information private, so details of the internal network can be ascertained by analyzing the header information.
18. Cheaper than WANs
Easier to establish than WANs
Slower than LANs
Less reliable
Less secure than local LANs and WANs
20. IPSec is the IETF’s standard suite for secure IP communications that relies on encryption to ensure the authenticity and privacy of IP communications.
21. IPSec provides mechanisms that can be used to do the following:
› Authenticate individual IP packets and guarantee that they are unmodified.
› Encrypt the payload (data) of individual IP packets between two end systems.
› Encapsulate a TCP or UDP socket between two end systems (hosts) inside an encrypted IP link (tunnel) established between intermediate systems (routers) to provide virtual private networking.
22. IPSec performs these three functions using three independent mechanisms:
Authenticated Headers (AH) to provide authenticity (Integrity)
Encapsulating Security Payload (ESP) to encrypt the data portion of an IP Packet (Integrity and Confidentiality)
Internet Key Exchange (IKE) for exchanging public keys (Authentication)
23. Computes checksum of header information of a TCP/IP packet
Encrypts the checksum with the public key of the receiver
Receiver decrypts the checksum with its key
Checks the header against the checksum
If the computed checksum is different:
› Decryption failed
› Header has been modified
24. Because NAT changes header information, IPSec AH cannot be reliably passed through a NAT.
ESP can still be used to encrypt the payload, but support for ESP without AH varies among implementations of IPSec.
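The following added example (not from the slides) shows the checksum-over-the-header idea of slide 23 and why a NAT breaks it (slide 24). In place of the public-key step the slide describes, it uses an HMAC over the header with a key shared by both ends, which is how the AH integrity check value is actually computed; the key, addresses and hop functions are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct


def _addr(a: str) -> bytes:
    return ipaddress.IPv4Address(a).packed


def ah_icv(key: bytes, hdr: dict, payload: bytes) -> bytes:
    # Canonical header as the integrity check sees it: fields that legitimately
    # change in transit (TOS, flags/fragment offset, TTL, header checksum) are
    # zeroed; identification, protocol, length and both addresses are covered.
    canon = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), hdr["id"], 0, 0,
                        hdr["proto"], 0, _addr(hdr["src"]), _addr(hdr["dst"]))
    # Keyed MAC with the shared key, truncated to 128 bits as AH does for HMAC-SHA-256.
    return hmac.new(key, canon + payload, hashlib.sha256).digest()[:16]


def verify_ah(key: bytes, hdr: dict, icv: bytes, payload: bytes) -> bool:
    # Receiver recomputes the value over the header it actually received and
    # compares in constant time; any mismatch means header or payload changed.
    return hmac.compare_digest(ah_icv(key, hdr, payload), icv)


def router_forward(hdr: dict) -> dict:
    # An ordinary router only decrements TTL (and rewrites the header checksum),
    # neither of which is covered, so the check still passes.
    return {**hdr, "ttl": hdr["ttl"] - 1}


def nat_forward(hdr: dict, public_src: str) -> dict:
    # A NAT additionally rewrites the source address, which AH covers.
    return {**router_forward(hdr), "src": public_src}


def ah_survives(key: bytes, hdr: dict, payload: bytes, hop) -> bool:
    # Send a packet through one hop function and report whether the receiver still accepts it.
    icv = ah_icv(key, hdr, payload)
    return verify_ah(key, hop(hdr), icv, payload)
```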
25. With Encapsulating Security Payload, the transmitter encrypts the payload of an IP packet using the public key of the receiver.
The receiver then decrypts the payload upon receipt and acts accordingly.
26. In early IPSec systems, public keys were manually installed via file transfer or by actually typing them in.
Each machine’s public key had to be installed on the reciprocal machine.
As the number of security associations a host required increased, the burden of manually keying machines became seriously problematic.
27. Internet Key Exchange (IKE) protocol obviates the necessity to manually key systems.
IKE uses private key security to validate the remote firewall’s authority to create an IPSec connection and to securely exchange public keys.
Once the public keys are exchanged and the encryption protocols are negotiated, a security association is automatically created on both hosts and normal IPSec communications can be established.
28. Layer 2 Tunneling Protocol (L2TP) is an extension to the Point-to-Point Protocol (PPP).
PPP is the protocol used when you dial into the Internet with a modem: it transfers data from your computer to a remote access server at your ISP, and the ISP forwards the data on to the Internet.
29. Like PPP, L2TP includes a mechanism for secure authentication using a number of different authentication mechanisms.
Unlike pure IPSec tunneling, L2TP can support any interior protocol, including Internetwork Packet Exchange (IPX), AppleTalk and NetBEUI.
L2TP packets can also be encrypted using IPSec.
30. L2TP can be transported over any Data Link layer protocol (ATM, Ethernet, etc.) or Network layer protocol (IP, IPX, etc.).
L2TP supports the three requisite functions to create a VPN: authentication, encryption, and tunneling.
31. Microsoft and Cisco both recommend L2TP as their primary method for creating VPNs.
It is not yet supported by most firewall vendors, however, and it does not transit network address translators well.
32. PPTP was Microsoft’s first attempt at secure remote access for network users.
PPTP creates an encrypted PPP session between two TCP/IP hosts.
Unlike L2TP, PPTP operates only over TCP/IP.
PPTP does not use IPSec to encrypt packets; it uses a hash of the user’s Windows NT password to create a private key between the client and the remote server.
33. Because of its ubiquity, routing flexibility, and ease of use, PPTP is probably the most common form of VPN.
34. Use a real firewall
› Firewalls make ideal VPN endpoints because they can route translated packets between private systems.
Secure the base operating system
› No VPN solution provides effective security if the operating system of the machine is not secure.
35. Use packet filtering to reject unknown hosts
› You should always use packet filtering to reject connection attempts from every computer except those you’ve specifically set up to connect to your network remotely.
36. Compress before you encrypt
› Properly encrypted data cannot be compressed.
› This means that if you want to use compression, you must compress before you encrypt.
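An added example (not from the slides) that measures what slide 36 states: the same payload under compress-then-encrypt versus encrypt-then-compress. The cipher is a constructed SHA-256 keystream XOR standing in for the real VPN cipher, and the sample payload is constructed.

```python
import hashlib
import zlib


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy counter-mode keystream built from SHA-256 (constructed for illustration,
    # not a real cipher): block i is SHA-256(key || nonce || i).
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR with the keystream; the same call encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def compress_then_encrypt(key: bytes, nonce: bytes, payload: bytes) -> bytes:
    # The order the slide recommends: redundancy is removed while it is still visible.
    return xor_crypt(key, nonce, zlib.compress(payload, 9))


def decrypt_then_decompress(key: bytes, nonce: bytes, frame: bytes) -> bytes:
    # Receiving side of compress_then_encrypt.
    return zlib.decompress(xor_crypt(key, nonce, frame))


def encrypt_then_compress(key: bytes, nonce: bytes, payload: bytes) -> bytes:
    # The wrong order: the ciphertext has no structure left for zlib to exploit,
    # so the output is at least as large as the input.
    return zlib.compress(xor_crypt(key, nonce, payload), 9)


def frame_sizes(key: bytes, nonce: bytes, payload: bytes) -> dict:
    # Bytes that would actually cross the tunnel under each ordering.
    return {
        "plain": len(payload),
        "compress_then_encrypt": len(compress_then_encrypt(key, nonce, payload)),
        "encrypt_then_compress": len(encrypt_then_compress(key, nonce, payload)),
    }


# Constructed sample: a highly repetitive LAN payload, 200 identical HTTP requests.
SAMPLE_PAYLOAD = b"GET /intranet/report.html HTTP/1.1\r\nHost: files.corp.example\r\n\r\n" * 200
```

Compressing first also means the frame length now reveals how compressible the data was, which is a known side channel when attacker-influenced and secret data share one compressed stream (the CRIME and BREACH attacks on TLS compression are the usual references).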
37. Secure remote hosts
› Consider the case of a home user with more than one computer who is using a proxy product like WinGate to share their Internet connection and also has a VPN tunnel established over the Internet to your network.
› Any hacker on the planet could then proxy through the WinGate server directly into your private network.