Converting your Linux Box into a Security Gateway, Part 2 (Looking inside VPN)
1. Convert your Linux box into a security gateway, Part 2 (VPN)
By Murtuja Bharmal
http://null.co.in/ http://nullcon.net/
2. About Me
• No work, busy man…
• Unemployed…
• Interest… /dev/random…
• Co-founder of null… :-D
• Ex-IBMer…
• Making ends meet (dal-roti ka jugad): security consulting/training
3. Prerequisites
• Basic concepts of networking, routing and NAT
• Knowledge of the TCP/IP model and communication protocols: IP, TCP, UDP, ICMP, DNS, HTTP/S, SMTP, FTP, etc.
• How to install and use a Linux OS
• Some hands-on experience with the Linux command line
4. Full Picture: Security Features of Linux
• Hardening the OS
• Firewall concept/configuration
• VPN concept/configuration
• IDS/IPS concept/configuration
• Proxy concept/configuration
• Antivirus concept/configuration
• Hardening services, i.e. web server/mail server/database, etc.
5. Agenda for Today
• What is VPN
• Why VPN
• Benefits of VPN
• Types of VPN
• VPN concept
• VPN configuration (Openswan)
6. What is VPN (Misconception)
7. What is VPN (Conceptually)
8. What is VPN (Actually)
9. Why VPN
• Businesses have grown beyond local and regional concerns; we now have to worry about global markets and logistics.
• We need to connect to our offices efficiently and securely.
• Earlier, offices were connected through leased lines, from ISDN to OC3 (Optical Carrier 3, 155 Mbps) fibre. This proved to be expensive.
• With the wide use of the Internet, it became the medium to connect businesses together and also to connect offices using VPN.
• A VPN, in short, connects networks together using a public network. It can connect a mobile user or a remote office to the head office over the Internet.
10. Benefits of VPN
• Extend geographic connectivity
• Reduce operational costs versus a traditional WAN
• Improve security
• Improve productivity?
• Provide global networking opportunity
• Provide broadband networking compatibility
• Provide telecommuter support
15. VPN Concept (Encryption)
• Translation of data into a secret code is called encryption.
• To decrypt the data you must have access to a secret key or password.
• Unencrypted data is called plain text; encrypted data is called cipher text.
Courtesy: http://www.webopedia.com
16. VPN Concept (Encryption)
There are two main forms of encryption:
• Symmetric encryption: each computer uses a secret key that it can use to encrypt data. The same key is used to decrypt the data too.
• Public key encryption: uses a combination of two keys, called the private key and the public key. The public key is given to everyone. Data is encrypted using the public key, and the private key is used to decrypt it.
Courtesy: http://www.webopedia.com
17. VPN Concept (HASH)
• Cryptographic hash functions are used, for example, to create a message digest.
• A hash function compresses the bits of a message into a fixed-size hash value in such a way that only one hash value is possible for a given message.
• The most widely used hash functions are MD5 and SHA-1.
Courtesy: http://www.webopedia.com
18. VPN Concept (IPSec)
Why do we need IPSec?
• A suite of protocols for securing network connections.
• IPSec provides mechanism, not policy.
• You can decide on any encryption algorithm or authentication method, as long as both connecting parties agree.
Courtesy: http://www.unixwiz.net
20. VPN Concept (IPSec Overview)
IPSec is a framework of open standards (from the IETF) that defines policies for secure communication in a network. Using IPSec, participating peers (computers or machines) can achieve data confidentiality, data integrity and data authentication at the network layer.
The IPsec standard provides a method to manage authentication and data protection between multiple crypto peers engaging in secure data transfer. IPsec includes the Internet Security Association and Key Management Protocol (ISAKMP)/Oakley and two IPsec IP protocols: Encapsulating Security Payload (ESP) and Authentication Header (AH).
IPsec uses symmetric encryption algorithms for data protection. Symmetric encryption algorithms are more efficient and easier to implement in hardware. These algorithms need a secure method of key exchange to ensure data protection; the Internet Key Exchange (IKE) ISAKMP/Oakley protocols provide this capability.
Courtesy: http://cisco.com
Courtesy: http://ipv6.com
21. VPN Concept (IPSec Overview)
IPSec consists of the following two main protocols:
• Authentication Header (AH)
• Encapsulating Security Payload (ESP)
22. VPN Concept (IPSec Mode)
• Transport mode
IPsec transport mode works by inserting the ESP or AH header between the IP header and the next-protocol (transport-layer) header of the packet. The IP addresses of the two network nodes whose traffic is being protected by IPsec are both visible in the IP header of the post-encryption packet.
• Tunnel mode
Tunnel mode works by encapsulating and protecting an entire IP packet. Because tunnel mode encapsulates, or hides, the IP header of the pre-encryption packet, a new IP header is added so that the packet can be successfully forwarded. The encrypting devices themselves own the IP addresses used in this new header. Tunnel mode can be employed with either or both IPsec protocols (ESP and AH). Tunnel mode results in additional packet expansion of approximately 20 bytes because of the new IP header.
Tunnel mode is widely considered more secure and flexible than transport mode: it encrypts the source and destination IP addresses of the original packet and hides that information from the unprotected network.
Courtesy: http://www.unixwiz.net
23. VPN Concept (Difference in Modes)
Original packet: IP Header | Data
Transport mode: Original IP Header | IPSec ESP Header | Data (encryption optional)
Tunnel mode: New (outer) IP Header | IPSec ESP Header | Original (inner) IP Header | Data (encryption optional)
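An added example, not from the talk, that models the two layouts in Python: it builds a constructed transport-mode and tunnel-mode packet for the same TCP segment, reports which addresses an observer on the public network reads from the outer IP header in each case, and confirms the 20-byte expansion for an options-free IPv4 outer header. Encryption and the ESP trailer are left out, and the host and gateway addresses are assumed values from the documentation ranges.

```python
import struct

# Added example (not from the slides): on-wire layout of IPsec transport mode
# vs tunnel mode for an options-free IPv4 packet. Only headers are built; ESP
# encryption and trailers are omitted so layout and address hiding are visible.
IPPROTO_TCP = 6
IPPROTO_ESP = 50

def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))

def checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when run over a correct header."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def esp_header(spi, seq):
    return struct.pack("!II", spi, seq)  # SPI + sequence number, 8 bytes

def transport_mode(src, dst, tcp_segment, spi, seq):
    """Original IP header | ESP header | data: the end hosts are the IPsec peers."""
    esp = esp_header(spi, seq) + tcp_segment
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp

def tunnel_mode(gw_src, gw_dst, src, dst, tcp_segment, spi, seq):
    """New IP header | ESP header | original IP header | data: gateways are the peers."""
    inner = ipv4_header(src, dst, IPPROTO_TCP, len(tcp_segment)) + tcp_segment
    esp = esp_header(spi, seq) + inner
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp

def visible_addresses(packet):
    """What a sniffer on the public network reads from the outer IP header."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return ".".join(map(str, src)), ".".join(map(str, dst))

if __name__ == "__main__":
    # Constructed sample: 10.1.0.5 (behind gateway 203.0.113.1) -> 10.2.0.7 (behind 198.51.100.1)
    seg = b"GET / HTTP/1.0\r\n"
    t = transport_mode("10.1.0.5", "10.2.0.7", seg, 0x1000, 1)
    u = tunnel_mode("203.0.113.1", "198.51.100.1", "10.1.0.5", "10.2.0.7", seg, 0x1000, 1)
    print(len(t), visible_addresses(t), len(u), visible_addresses(u), len(u) - len(t))
```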
28. VPN Concept (Phase 1: Authentication)
IKE phase 1 has three methods to authenticate IPSec peers:
1. Pre-Shared Keys (PSK)
2. Public Key Infrastructure (PKI) using X.509 digital certificates
3. RSA encrypted nonces