Convert your Linux box into a security gateway, Part 2 (VPN)
By Murtuja Bharmal
http://null.co.in/ http://nullcon.net/

About Me
- No Work, Busy Man....
- Unemployed....
- Interest.... /dev/random....
- Co-founder of null.... :-D
- X-IBMer.....
- Making a living (Dal, Roti ka jugad): Security Consulting/Training

Prerequisites
- Basic concepts of networking, routing and NAT
- Knowledge of the TCP/IP model and communication protocols: IP, TCP, UDP, ICMP, DNS, HTTP/S, SMTP, FTP etc.
- How to install and use a Linux OS
- Some hands-on Linux command line

Full Picture: Security Features of Linux
- Hardening the OS
- Firewall Concept/Configuration
- VPN Concept/Configuration
- IDS/IPS Concept/Configuration
- Proxy Concept/Configuration
- Antivirus Concept/Configuration
- Hardening Services, i.e. Web Server/Mail Server/Database etc.

Agenda for Today
- What is VPN
- Why VPN
- Benefits of VPN
- Types of VPN
- VPN Concept
- VPN Configuration (Openswan)

What is VPN (Misconception) (diagram)
What is VPN (Conceptually) (diagram)
What is VPN (Actually) (diagram)

Why VPN
Businesses have grown beyond local and regional concerns; we now have to worry about global markets and logistics, and we need to get connected efficiently and securely to our offices. Earlier, offices were connected through leased lines, from ISDN to OC3 (Optical Carrier 3, 155 Mbps) fibre, which proved to be expensive. With the wide use of the Internet, it became the medium to connect businesses together and also to connect offices, using VPN. A VPN, in short, connects networks together using a public network. It could connect a mobile user, or a remote office, to the head office using the Internet.

Benefits of VPN
- Extend geographic connectivity
- Reduce operational costs versus a traditional WAN
- Improve security
- Improve productivity?
- Provide global networking opportunity
- Provide broadband networking compatibility
- Provide telecommuter support

Types of VPN (Based on Technology)
- IPSec VPN – IP Security
- SSL VPN – Secure Sockets Layer
- MPLS – Multiprotocol Label Switching
- GRE – Generic Routing Encapsulation
- PPTP – Point-to-Point Tunneling Protocol
- L2TP – Layer 2 Tunneling Protocol

Types of VPN (Based on Functionality)
- Site-to-Site VPN
- Client-to-Site VPN

Site-to-Site VPN (diagram) Courtesy: http://nirlog.com
Client-to-Site VPN (diagram) Courtesy: http://nirlog.com

VPN Concept (Encryption)
- Translation of data into a secret code is called encryption.
- To decrypt the data you must have access to a secret key or password.
- Unencrypted data is called plain text; encrypted data is called cipher text.
Courtesy: http://www.webopedia.com

VPN Concept (Encryption)
There are two main forms of encryption:
- Symmetric encryption: each computer uses a secret key to encrypt data; the same key is used to decrypt the data too.
- Public key encryption: uses a combination of two keys, called the private key and the public key. The public key is given to everyone. Data is encrypted using the public key and the private key is used to decrypt it.
Courtesy: http://www.webopedia.com

VPN Concept (HASH)
- Cryptographic hash functions are used, for example, to create a message digest.
- A hash function compresses the bits of a message to a fixed-size hash value in such a way that only one hash value is possible for a given message.
- The most widely used hash functions are MD5 and SHA-1.
Courtesy: http://www.webopedia.com

VPN Concept (IPSec)
Why do we need IPSec?
- A suite of protocols for securing network connections
- IPSec provides mechanism, not policy
- You can decide on any encryption algorithm or authentication method as long as both connecting parties agree
Courtesy: http://www.unixwiz.net

IP Header (diagram) Courtesy: http://www.unixwiz.net

VPN Concept (IPSec Overview)
IPSec is a framework of open standards (from the IETF) that defines policies for secure communication in a network. Using IPSec, participating peers (computers or machines) can achieve data confidentiality, data integrity and data authentication at the network layer. The IPsec standard provides a method to manage authentication and data protection between multiple crypto peers engaging in secure data transfer. IPsec includes the Internet Security Association and Key Management Protocol (ISAKMP)/Oakley and two IPsec IP protocols: Encapsulating Security Payload (ESP) and Authentication Header (AH). IPsec uses symmetric encryption algorithms for data protection; symmetric algorithms are more efficient and easier to implement in hardware, but they need a secure method of key exchange to ensure data protection. The Internet Key Exchange (IKE) ISAKMP/Oakley protocols provide this capability.
Courtesy: http://cisco.com, http://ipv6.com

VPN Concept (IPSec Overview)
IPSec consists of the following two main protocols:
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)

VPN Concept (IPSec Mode)
- Transport mode: IPsec transport mode works by inserting the ESP or AH header between the IP header and the next-protocol (transport-layer) header of the packet. Both IP addresses of the two network nodes whose traffic is being protected by IPsec remain visible in the IP header of the post-encryption packet.
- Tunnel mode: tunnel mode works by encapsulating and protecting an entire IP packet. Because tunnel mode encapsulates (hides) the IP header of the pre-encryption packet, a new IP header is added so that the packet can still be forwarded; the encrypting devices themselves own the IP addresses used in this new header. Tunnel mode can be employed with either or both IPsec protocols (ESP and AH). It results in additional packet expansion of approximately 20 bytes because of the new IP header. Tunnel mode is widely considered more secure and flexible than transport mode: it encrypts the source and destination IP addresses of the original packet and hides that information from the unprotected network.
Courtesy: http://www.unixwiz.net

VPN Concept (Difference in Modes)
    Original packet : [ IP Header ][ Data ]
    Transport mode  : [ Original IP Header ][ IPSec ESP Header ][ Data ]
                      (optional encryption covers Data)
    Tunnel mode     : [ New IP Header (outer) ][ IPSec ESP Header ][ Original IP Header (inner) ][ Data ]
                      (optional encryption covers the inner IP header and Data)
(Diagram) Courtesy: http://www.unixwiz.net

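The two layouts above in working code, as an added example that is not part of the deck: it builds a constructed ICMP packet between a host in each office LAN of the lab topology, wraps it the way ESP transport mode and ESP tunnel mode would (the payload is carried as-is with no cipher, so the header arrangement stays visible), and parses what an observer on the public network can read from the outer header. Gateway addresses, the SPI and the sequence number are taken from the deck's own slides; the ICMP payload and the host addresses 192.168.1.5 / 172.16.1.5 are constructed.

```python
import struct
from ipaddress import IPv4Address

ESP_PROTO = 50        # IP protocol number carried in the outer header for ESP
ESP_HEADER_LEN = 8    # SPI (4 bytes) + sequence number (4 bytes), both sent in clear
IPV4_HEADER_LEN = 20  # IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (caller zeroes the checksum field).
    Run over a header that already carries a correct checksum, it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options, no fragmentation) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HEADER_LEN + len(payload), 0, 0,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def esp_transport_encapsulate(original: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: keep the original IP header (protocol field now 50) and
    insert the ESP header between it and the transport-layer payload."""
    ihl = (original[0] & 0x0F) * 4
    ip_hdr, payload = original[:ihl], original[ihl:]
    esp_header = struct.pack("!II", spi, seq)
    new_len = len(ip_hdr) + ESP_HEADER_LEN + len(payload)
    hdr = (ip_hdr[:2] + struct.pack("!H", new_len) + ip_hdr[4:9]
           + bytes([ESP_PROTO]) + b"\x00\x00" + ip_hdr[12:])
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + esp_header + payload


def esp_tunnel_encapsulate(original: bytes, outer_src: str, outer_dst: str,
                           spi: int, seq: int) -> bytes:
    """Tunnel mode: a new outer IP header owned by the gateways, the ESP header,
    then the whole original packet (which the real SA would encrypt)."""
    esp_header = struct.pack("!II", spi, seq)
    return build_ipv4(outer_src, outer_dst, ESP_PROTO, esp_header + original)


def parse_outer(packet: bytes) -> dict:
    """What tcpdump on the public interface (or anyone on the path) can read:
    the outer addresses, the protocol, and the cleartext ESP SPI and sequence number."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:IPV4_HEADER_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "total_len": total_len, "ttl": ttl,
            "checksum_ok": ipv4_checksum(packet[:ihl]) == 0}
    if proto == ESP_PROTO:
        info["spi"], info["seq"] = struct.unpack("!II", packet[ihl:ihl + ESP_HEADER_LEN])
    return info


def demo():
    """Constructed sample: an ICMP echo request from a host in Office 1's LAN to a host
    in Office 2's LAN, as it looks before and after each IPsec mode."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 89) + b"\x00" * 56  # ICMP checksum left at 0
    original = build_ipv4("192.168.1.5", "172.16.1.5", 1, icmp)
    transport = esp_transport_encapsulate(original, spi=0xE0BDD0E9, seq=0x73)
    tunnel = esp_tunnel_encapsulate(original, "1.2.3.4", "5.6.7.8", spi=0xE0BDD0E9, seq=0x73)
    return original, transport, tunnel


if __name__ == "__main__":
    original, transport, tunnel = demo()
    for name, pkt in (("original", original), ("transport", transport), ("tunnel", tunnel)):
        print(name, len(pkt), "bytes:", parse_outer(pkt))
```

Comparing the three parse results shows the point of the slide: in transport mode the LAN hosts' addresses are still on the wire, in tunnel mode only the two gateways' addresses, the SPI and the sequence number are.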
VPN Concept (Security Association)
A Security Association (SA) is an agreement between two peers engaging in a crypto exchange. This agreement includes the type and strength of the encryption algorithm used to protect the data. The SA also includes the method and strength of the data authentication and the method of creating new keys for that data protection.
- Phase 1: the first phase is a “setup” stage where two devices agree on how to exchange further information securely. This negotiation between the two units creates a security association for ISAKMP itself, an ISAKMP SA. This security association is then used for securely exchanging more detailed information in Phase 2.
- Phase 2: in this phase the ISAKMP SA established in Phase 1 is used to create SAs for other security protocols. Normally, this is where the parameters for the “real” SAs for the AH and ESP protocols are negotiated.

VPN Concept (Phase 1: Main Mode) (diagram) Courtesy: http://www.eetimes.com
VPN Concept (Phase 1: Aggressive Mode) (diagram) Courtesy: http://www.eetimes.com

VPN Concept (Phase 1: Authentication)
IKE phase 1 has three methods to authenticate IPSec peers:
1. Pre-Shared Keys (PSK)
2. Public Key Infrastructure (PKI) using X.509 digital certificates
3. RSA encrypted nonces

VPN Concept (Phase 2: Quick Mode) (diagram) Courtesy: http://www.eetimes.com

VPN Configuration (OpenSwan): Site-to-Site VPN – lab topology
    Office 1 LAN 192.168.1.0/24 --- eth1 192.168.1.1 [Gateway 1] eth0 1.2.3.4 --- next hop 1.2.3.5 --- Internet ---
    --- next hop 5.6.7.9 --- eth0 5.6.7.8 [Gateway 2] eth1 172.16.1.1 --- Office 2 LAN 172.16.1.0/24

VPN Configuration (OpenSwan): Site-to-Site VPN – /etc/ipsec.conf (diagram) Courtesy: http://www.linuxhomenetworking.com

VPN Configuration (OpenSwan): Site-to-Site VPN – /etc/ipsec.conf
    conn net-to-net
        authby=secret              # authentication method: pre-shared key from ipsec.secrets
        left=1.2.3.4               # public address of gateway 1
        leftsubnet=192.168.1.0/24  # LAN behind gateway 1
        leftnexthop=%defaultroute
        right=5.6.7.8              # public address of gateway 2
        rightsubnet=172.16.1.0/24  # LAN behind gateway 2
        rightnexthop=5.6.7.9
        auto=start                 # or auto=add: load the conn at startup without initiating it
Courtesy: http://www.linuxhomenetworking.com

VPN Configuration (OpenSwan): Site-to-Site VPN – /etc/ipsec.secrets
    1.2.3.4 5.6.7.8 : PSK "nonebutourselvescanfreeourminds"
Courtesy: http://www.linuxhomenetworking.com

VPN Configuration (OpenSwan): Site-to-Site VPN – Other settings
    # /etc/sysctl.conf: the gateway must forward packets between its interfaces
    net.ipv4.ip_forward = 1
    # NAT rule from the source. Tunnelled LAN-to-LAN traffic must reach the IPsec stack with its
    # original source address, or it no longer matches leftsubnet/rightsubnet (with KLIPS it
    # leaves via ipsec0, not eth0; see the routing table on the verification slide).
    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -d 172.16.1.0/24 -j MASQUERADE
Courtesy: http://www.linuxhomenetworking.com

VPN Configuration (OpenSwan): Site-to-Site VPN – Log
    104 "net-to-net" #1: STATE_MAIN_I1: initiate
    106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
    108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
    004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established
    112 "net-to-net" #2: STATE_QUICK_I1: initiate
    004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xe0bdd0e9 <0x13ac7645}
Courtesy: http://www.linuxhomenetworking.com

VPN Configuration (OpenSwan): Site-to-Site VPN – Verification/Debug
    [root@vpn2 tmp]# netstat -nr
    Kernel IP routing table
    Destination     Gateway         Genmask          Flags   MSS Window  irtt Iface
    10.0.0.0        0.0.0.0         255.255.255.0    U        40 0          0 eth1
    6.25.232.0      0.0.0.0         255.255.255.248  U        40 0          0 eth0
    172.16.1.0      1.2.3.4         255.255.255.0    UG       40 0          0 ipsec0

    tcpdump -n -i ipsec0 icmp
    03:05:53.971308 IP 192.168.1.5 > 172.16.1.5: icmp 64: echo request seq 89
    03:05:53.995297 IP 172.16.1.5 > 192.168.1.5: icmp 64: echo reply seq 89

    tcpdump -n -i eth1 host 5.6.7.8
    02:08:23.637149 IP 1.2.3.4 > 5.6.7.8: ESP(spi=0xf4909a7e,seq=0x73)
    02:08:24.635302 IP 5.6.7.8 > 1.2.3.4: ESP(spi=0x808e9a87,seq=0x74)
Courtesy: http://www.linuxhomenetworking.com

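The log and tcpdump output on the two slides above lend themselves to a small verification check. As an added example that is neither the deck's nor Openswan's code, the Python below parses the output of "ipsec auto --up" for how far IKE phase 1 and phase 2 got, extracts the negotiated ESP SPIs, and cross-checks them against the SPIs seen by tcpdump on the public interface. The first log sample is the deck's own excerpt; the failing log sample and the tcpdump lines are constructed, and the diagnostic hints name typical causes only.

```python
import re

# One "ipsec auto --up <conn>" output line: status code, connection name, state number, message.
LOG_LINE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<num>\d+): (?P<msg>.*)$')
# pluto state names: MAIN_* = phase 1 main mode, AGGR_* = aggressive mode, QUICK_* = phase 2.
STATE_RE = re.compile(r'(STATE_(?:MAIN|AGGR|QUICK)_[IR]\d)')
# "{ESP=>0x... <0x...}": outbound SPI first, inbound SPI second.
SPI_PAIR = re.compile(r'ESP=>(?P<out>0x[0-9a-fA-F]+) <(?P<in>0x[0-9a-fA-F]+)')
TCPDUMP_ESP = re.compile(
    r'IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\)')


def assess_negotiation(log_lines):
    """Summarise how far the IKE negotiation got from pluto's output lines."""
    summary = {"conn": None, "phase1": False, "phase2": False, "last_state": None,
               "spi_out": None, "spi_in": None, "hint": None}
    for raw in log_lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        summary["conn"] = m.group("conn")
        msg = m.group("msg")
        state = STATE_RE.search(msg)
        if state:
            summary["last_state"] = state.group(1)
        if "ISAKMP SA established" in msg:       # phase 1 complete
            summary["phase1"] = True
        if "IPsec SA established" in msg:        # phase 2 complete, SPIs follow
            summary["phase2"] = True
            spis = SPI_PAIR.search(msg)
            if spis:
                summary["spi_out"] = int(spis.group("out"), 16)
                summary["spi_in"] = int(spis.group("in"), 16)
    # Hints keyed on where the negotiation stalled (typical causes, not a diagnosis).
    if summary["phase2"]:
        summary["hint"] = "tunnel up"
    elif summary["phase1"]:
        summary["hint"] = "phase 1 done, phase 2 stalled: compare leftsubnet/rightsubnet on both peers"
    elif summary["last_state"] == "STATE_MAIN_I1":
        summary["hint"] = "no reply to MI1: check that UDP/500 (and ESP or UDP/4500) is allowed between the gateways"
    elif summary["last_state"] == "STATE_MAIN_I3":
        summary["hint"] = "stalled after MI3: authentication failure, commonly a PSK mismatch in ipsec.secrets"
    else:
        summary["hint"] = "negotiation not started"
    return summary


def check_esp_traffic(tcpdump_lines, local_gw, spi_out, spi_in):
    """Match SPIs seen on the public interface against the ones pluto negotiated."""
    report = {"out_ok": 0, "in_ok": 0, "unexpected": []}
    for raw in tcpdump_lines:
        m = TCPDUMP_ESP.search(raw)
        if not m:
            continue
        spi = int(m.group("spi"), 16)
        if m.group("src") == local_gw and spi == spi_out:
            report["out_ok"] += 1
        elif m.group("dst") == local_gw and spi == spi_in:
            report["in_ok"] += 1
        else:  # an SPI this gateway did not negotiate: stale SA, other conn, or something to look at
            report["unexpected"].append(raw.strip())
    return report


# The deck's own log excerpt (successful negotiation).
SAMPLE_LOG_OK = [
    '104 "net-to-net" #1: STATE_MAIN_I1: initiate',
    '106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2',
    '108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3',
    '004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established',
    '112 "net-to-net" #2: STATE_QUICK_I1: initiate',
    '004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xe0bdd0e9 <0x13ac7645}',
]
# Constructed sample in the same format: the peer never accepts our first encrypted message.
SAMPLE_LOG_PSK_MISMATCH = [
    '104 "net-to-net" #1: STATE_MAIN_I1: initiate',
    '106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2',
    '108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3',
    '010 "net-to-net" #1: STATE_MAIN_I3: retransmission; will wait 20s for response',
    '031 "net-to-net" #1: max number of retransmissions (2) reached STATE_MAIN_I3. '
    'Possible authentication failure: no acceptable response to our first encrypted message',
]
# Constructed tcpdump lines matching the SPIs of SAMPLE_LOG_OK, plus one stray SPI.
SAMPLE_TCPDUMP = [
    '02:08:23.637149 IP 1.2.3.4 > 5.6.7.8: ESP(spi=0xe0bdd0e9,seq=0x73)',
    '02:08:24.635302 IP 5.6.7.8 > 1.2.3.4: ESP(spi=0x13ac7645,seq=0x74)',
    '02:08:25.100000 IP 1.2.3.4 > 5.6.7.8: ESP(spi=0xdeadbeef,seq=0x1)',
]

if __name__ == "__main__":
    ok = assess_negotiation(SAMPLE_LOG_OK)
    print(ok)
    print(check_esp_traffic(SAMPLE_TCPDUMP, "1.2.3.4", ok["spi_out"], ok["spi_in"]))
    print(assess_negotiation(SAMPLE_LOG_PSK_MISMATCH))
```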
Questions?

Contact: void@null.co.in, bharmal.murtuja@gmail.com
(Image) Courtesy: http://www.wien2k.at

Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)

  • 1. Convert your Linux box in to security Gateway Part-2 (VPN) By MurtujaBharmal http://null.co.in/ http://nullcon.net/
  • 2. http://null.co.in/ http://nullcon.net/ About Me No Work Busy Man…. Unemployed…. Interest…. /dev/random…. Co-founder of null…. :-D X-IBMer ….. Dal, Roti ka jugad, Security Consulting/Training
  • 3. Prerequisites http://null.co.in/ http://nullcon.net/ Basic concept of networking/routing/natting. Knowledge of TCP/IP model & communication protocol IP, TCP, UDP, ICMP, DNS, HTTP/S, SMTP, FTP etc. How to Install and use Linux OS Some hands on Linux command line
  • 4. Full Picture http://null.co.in/ http://nullcon.net/ Security Features of Linux.. Hardening OS Firewall Concept/Configuration VPN Concept/Configuration IDS/IPS Concept/Configuration Proxy Concept/Configuration Antivirus Concept/Configuration Hardening Services i.e. Web Server/Mail Server/Database etc.
  • 5. Agenda for Today What is VPN Why VPN Benefits of VPN Types of VPN VPN Concept VPN Configuration – (Openswan) http://null.co.in/ http://nullcon.net/
  • 6. What is VPN (Misconception) http://null.co.in/ http://nullcon.net/
  • 7. What is VPN (Conceptually) http://null.co.in/ http://nullcon.net/
  • 8. What is VPN (Actually) http://null.co.in/ http://nullcon.net/
  • 9. Why VPN http://null.co.in/ http://nullcon.net/ Business have grown beyond local and regional concern. We now have to worry about global markets and logistics We need to get connected efficiently and securely to our offices. Earlier Offices where connected through leased lines, from ISDN to OC3 (Optical Carrier 3 – 155 Mbps) fibre. It proved to be expensive. With the wide use of Internet, it became the medium to connect business together and also connect offices using VPN VPN, in short, is connecting networks together, using a public network. It could connect a mobile user, or a remote office to the head office using the Internet.
  • 10. Benefits of VPN Extend Geographic connectivity Reduce Operational costs versus traditional WAN Improve Security Improve productivity? Provide global networking opportunity Provide broadband networking compatibility Provide telecommuter support http://null.co.in/ http://nullcon.net/
  • 11. Types of VPN (Based on Technology) IPSec VPN – IP Security SSL VPN – Secure Socket Layer MPLS – Multiprotocol Layering Switch GRE – Generic Route Encapsulation PPTP – Point-to-Point Tunneling Protocol L2TP – Layer 2 Tunneling Protocol http://null.co.in/ http://nullcon.net/
  • 12. Types of VPN (Based on functionality) Site-to-Site VPN Client-to-Site VPN http://null.co.in/ http://nullcon.net/
  • 13. Site-to-Site VPN http://null.co.in/ http://nullcon.net/ Courtesy: http://nirlog.com
  • 14. Client-to-Site VPN http://null.co.in/ http://nullcon.net/ Courtesy: http://nirlog.com
  • 15. VPN Concept (Encryption) Translation of data into secret code is called encryption To decrypt data you must have access to a secret key or password Unencrypted data is called plain text Encrypted data is called cipher text http://null.co.in/ http://nullcon.net/ Courtesy: http://www.webopedia.com
  • 16. VPN Concept (Encryption) There are two main forms of encryption Symmetric encryption Each computer uses a secret key that it can use to encrypt data. The same key is used to decrypt data too. Public Key encryption Uses a combination of two keys called as private key and public key. The public key is given to everyone. The data is encrypted using the publickey and the privatekey is used to decrypt it. http://null.co.in/ http://nullcon.net/ Courtesy: http://www.webopedia.com
  • 17. VPN Concept (HASH) Cryptographic hash functions are used for example to create a message digest A hash function compresses the bits of a messages to a fixed-size hash value in a way that only one hash value is possible for a message. Most widely used hash functions are md5 and sha-1 http://null.co.in/ http://nullcon.net/ Courtesy: http://www.webopedia.com
  • 18. VPN Concept (IPSec) Why do we need IPSec ? Suite of protocols for securing network connections IPSec provides mechanism and not policy You can decide on any encryption algorithm or authentication method as long as both the connecting parties agree http://null.co.in/ http://nullcon.net/ Courtesy: http://www.unixwiz.net
  • 19. IP Header http://null.co.in/ http://nullcon.net/ Courtesy: http://www.unixwiz.net
  • 20. VPN Concept (IPSec Overview) IPSec, is a framework of open standards (from IETF) that define policies for secure communication in a network. Using IPSec, participating peers (computers or machines) can achieve data confidentiality, data integrity, and data authentication at the network layer  The IPsec standard provides a method to manage authentication and data protection between multiple crypto peers engaging in secure data transfer. IPsec includes the Internet Security Association and Key Management Protocol (ISAKMP)/Oakley and two IPsec IP protocols: Encapsulating Security Protocol (ESP) and Authentication Header (AH). IPsec uses symmetrical encryption algorithms for data protection. Symmetrical encryption algorithms are more efficient and easier to implement in hardware. These algorithms need a secure method of key exchange to ensure data protection. Internet Key Exchange (IKE) ISAKMP/Oakley protocols provide this capability. http://null.co.in/ http://nullcon.net/ Courtesy: http://cisco.com Courtesy: http://ipv6.com
  • 21. VPN Concept (IPSec Overview) IPSec consists of the following two main protocols: Authentication Header (AH) Encapsulating Security Payload (ESP) http://null.co.in/ http://nullcon.net/
  • 22. VPN Concept (IPSec Mode) •Transportmode IPsec transport mode works by inserting the ESP or AH header between the IP header and the next protocol or the transport layer of the packet. Both IP addresses of the two network nodes whose traffic is being protected by IPsec are visible in the IP header of the post-encrypted packet. •Tunnelmode Tunnel mode works by encapsulating and protecting an entire IP packet. Because tunnel mode encapsulates or hides the IP header of the pre-encrypted packet, a new IP header is added so that the packet can be successfully forwarded. The encrypting devices themselves own the IP addresses used in this new header. Tunnel mode can be employed with either or both IPsec protocols (ESP and AH). Tunnel mode results in additional packet expansion of approximately 20 bytes because of the new IP header. Tunnel mode is widely considered more secure and flexible than transport mode. IPsec tunnel mode encrypts the source and destination IP addresses of the original packet, and hides that information from the unprotected network. http://null.co.in/ http://nullcon.net/ Courtesy: http://www.unixwiz.net
  • 23. VPN Concept (Difference in Modes)
  Original Packet: IP Header | Data
  Transport Mode: Original IP Header | IPSec ESP Header | Data (optional encryption covers Data only)
  Tunnel Mode: New IP Header (outer) | IPSec ESP Header | Original IP Header (inner) | Data (optional encryption covers Original IP Header + Data)
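  The two layouts above, as an added example that is not part of the slides: a short Python script builds a minimal IPv4 packet and wraps it the way ESP transport mode and tunnel mode do, so the difference in what an observer on the public network can read from the outer header, and the 20-byte expansion, can be checked on real bytes. Addresses are the deck's LAN hosts and gateways; the SPI, sequence number and payload are constructed. The ESP trailer and integrity check value are left out and no encryption is performed; the bytes ESP would encrypt are only marked in comments.

```python
import socket
import struct

ESP_PROTO = 50       # IP protocol number of ESP
IP_HDR_LEN = 20      # minimal IPv4 header (no options)
ESP_HDR_LEN = 8      # SPI (4 bytes) + sequence number (4 bytes)


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a correct checksum (TTL 64, DF set)."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, IP_HDR_LEN + payload_len, 0, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def esp_header(spi: int, seq: int) -> bytes:
    """ESP header: SPI and sequence number (trailer and ICV omitted in this model)."""
    return struct.pack("!II", spi, seq)


def original_packet(src: str, dst: str, data: bytes) -> bytes:
    """A plain host-to-host packet (protocol 1 = ICMP) as a LAN host sends it."""
    return ipv4_header(src, dst, 1, len(data)) + data


def transport_mode(packet: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: the ESP header is inserted between the original IP header
    and its payload. The original addresses stay in the only IP header; just the
    bytes after the ESP header would be encrypted."""
    ip_hdr, payload = packet[:IP_HDR_LEN], packet[IP_HDR_LEN:]
    src, dst = socket.inet_ntoa(ip_hdr[12:16]), socket.inet_ntoa(ip_hdr[16:20])
    esp = esp_header(spi, seq)
    # Total length and protocol field change, so the header is rebuilt to fix the checksum.
    return ipv4_header(src, dst, ESP_PROTO, len(esp) + len(payload)) + esp + payload


def tunnel_mode(packet: bytes, gw_src: str, gw_dst: str, spi: int, seq: int) -> bytes:
    """Tunnel mode: the whole original packet (inner IP header included) sits
    behind the ESP header under a new outer header owned by the two gateways.
    Everything after the ESP header (inner header + data) would be encrypted."""
    esp = esp_header(spi, seq)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp) + len(packet)) + esp + packet


def visible_addresses(packet: bytes) -> tuple:
    """What an observer on the untrusted network reads from the outer IP header."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])


def header_checksum_ok(packet: bytes) -> bool:
    """A header with a correct checksum field sums to zero under the same algorithm."""
    return _checksum(packet[:IP_HDR_LEN]) == 0


def overhead(packet: bytes, protected: bytes) -> int:
    """Bytes added by the chosen mode relative to the original packet."""
    return len(protected) - len(packet)


if __name__ == "__main__":
    # Constructed sample: a host in Office 1 talking to a host in Office 2.
    pkt = original_packet("192.168.1.5", "172.16.1.5", b"A" * 64)
    tr = transport_mode(pkt, 0xE0BDD0E9, 1)
    tu = tunnel_mode(pkt, "1.2.3.4", "5.6.7.8", 0xE0BDD0E9, 1)
    print("transport mode exposes", visible_addresses(tr), "overhead", overhead(pkt, tr))
    print("tunnel mode exposes   ", visible_addresses(tu), "overhead", overhead(pkt, tu))
```

  Run stand-alone it prints the end-host addresses for transport mode and only the gateway addresses for tunnel mode, with 8 and 28 bytes of overhead respectively; the extra 20 bytes in tunnel mode are exactly the new outer IP header the slide mentions.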
  • 26. VPN Concept (Phase 1: Main Mode) Courtesy: http://www.eetimes.com
  • 27. VPN Concept (Phase 1: Aggressive Mode) Courtesy: http://www.eetimes.com
  • 28. VPN Concept (Phase 1: Authentication) IKE phase 1 has three methods to authenticate IPSec peers: 1. Pre-Shared Keys (PSK). 2. Public Key Infrastructure (PKI) using X.509 Digital Certificates. 3. RSA encrypted nonces.
  • 29. VPN Concept (Phase 2: Quick Mode) Courtesy: http://www.eetimes.com
  • 30. VPN Configuration (OpenSwan) Site-to-Site VPN
  Office 1 LAN 192.168.1.0/24 <-> gateway 1: eth1 192.168.1.1, eth0 1.2.3.4, next hop 1.2.3.5
  Internet
  gateway 2: next hop 5.6.7.9, eth0 5.6.7.8, eth1 172.16.1.1 <-> Office 2 LAN 172.16.1.0/24
  • 31. VPN Configuration (OpenSwan) Site-to-Site VPN – /etc/ipsec.conf Courtesy: http://www.linuxhomenetworking.com
  • 32. VPN Configuration (OpenSwan) Site-to-Site VPN – /etc/ipsec.conf
  conn net-to-net
      authby=secret                # authenticate the peers with a pre-shared key (from /etc/ipsec.secrets)
      left=1.2.3.4                 # public address of the Office 1 gateway
      leftsubnet=192.168.1.0/24    # LAN behind it
      leftnexthop=%defaultroute    # next hop towards the Internet, taken from the default route
      right=5.6.7.8                # public address of the Office 2 gateway
      rightsubnet=172.16.1.0/24
      rightnexthop=5.6.7.9
      auto=start                   # bring the tunnel up when ipsec starts; auto=add only loads it, to be started by hand
  The section keyword is lowercase "conn" and the parameters are leftnexthop/rightnexthop; "auto" takes a single value.
  Courtesy: http://www.linuxhomenetworking.com
  • 33. VPN Configuration (OpenSwan) Site-to-Site VPN – /etc/ipsec.secrets
  1.2.3.4 5.6.7.8 : PSK "nonebutourselvescanfreeourminds"
  The line names both peer addresses followed by the shared secret. The file holds the key in clear text, so it must stay owned by root and readable by root only (mode 0600).
  Courtesy: http://www.linuxhomenetworking.com
  • 34. VPN Configuration (OpenSwan) Site-to-Site VPN – Other settings
  Enable forwarding on the gateway so packets can pass between the LAN and the tunnel (/etc/sysctl.conf):
  net/ipv4/ip_forward = 1
  Masquerade the LAN for ordinary Internet traffic, but exempt packets for the remote LAN: if they were masqueraded, their source would no longer match leftsubnet and they would never be sent through the tunnel.
  iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 ! -d 172.16.1.0/24 -j MASQUERADE
  Courtesy: http://www.linuxhomenetworking.com
  • 35. VPN Configuration (OpenSwan) Site-to-Site VPN – Log
  104 "net-to-net" #1: STATE_MAIN_I1: initiate
  106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
  108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
  004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established
  112 "net-to-net" #2: STATE_QUICK_I1: initiate
  004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xe0bdd0e9 <0x13ac7645}
  Courtesy: http://www.linuxhomenetworking.com
  • 36. VPN Configuration (OpenSwan) Site-to-Site VPN – Verification/Debug
  [root@vpn2 tmp]# netstat -nr
  Kernel IP routing table
  Destination     Gateway         Genmask          Flags MSS Window irtt Iface
  10.0.0.0        0.0.0.0         255.255.255.0    U      40 0      0    eth1
  6.25.232.0      0.0.0.0         255.255.255.248  U      40 0      0    eth0
  172.16.1.0      1.2.3.4         255.255.255.0    UG     40 0      0    ipsec0
  tcpdump -n -i ipsec0 icmp
  03:05:53.971308 IP 192.168.1.5 > 172.16.1.5: icmp 64: echo request seq 89
  03:05:53.995297 IP 172.16.1.5 > 192.168.1.5: icmp 64: echo reply seq 89
  tcpdump -n -i eth1 host 5.6.7.8
  02:08:23.637149 IP 1.2.3.4 > 5.6.7.8: ESP(spi=0xf4909a7e,seq=0x73)
  02:08:24.635302 IP 5.6.7.8 > 1.2.3.4: ESP(spi=0x808e9a87,seq=0x74)
  Courtesy: http://www.linuxhomenetworking.com
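  The log on slide 35 and the tcpdump output above are what an operator reads by hand; as an added example that is not part of the slides, the Python below does the same checks programmatically. It parses pluto's state-transition lines to confirm that phase 1 (ISAKMP SA) and phase 2 (IPsec SA) were reached and extracts the ESP SPIs, then scans a capture from the external interface to confirm that traffic between the two gateways is ESP only, that sequence numbers per SPI keep increasing, and that nothing between the gateways crossed in clear. The log lines are the deck's; the third tcpdump line (a clear ICMP packet) and the repeated-sequence line are constructed to show the two failure modes being detected.

```python
import re

# pluto log line: "<code> "<conn>" #<sa>: [STATE_xxx: ]<message>"
PLUTO_RE = re.compile(
    r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): '
    r'(?:(?P<state>STATE_\w+): )?(?P<msg>.*)$')
SPI_RE = re.compile(r'\{ESP=>(?P<out>0x[0-9a-f]+) <(?P<inb>0x[0-9a-f]+)\}')
# tcpdump -n line for an ESP packet between two hosts
TCPDUMP_ESP_RE = re.compile(
    r'^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): '
    r'ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=(?P<seq>0x[0-9a-f]+)\)')
ADDR_RE = re.compile(r'\d+\.\d+\.\d+\.\d+')


def summarize_pluto(lines):
    """Per conn: whether phase 1 / phase 2 completed, the states seen, the ESP
    SPIs announced at phase 2, and any line that looks like a failure."""
    summary = {}
    for line in lines:
        m = PLUTO_RE.match(line.strip())
        if not m:
            continue
        s = summary.setdefault(m["conn"], {
            "phase1": False, "phase2": False, "states": [],
            "spi_out": None, "spi_in": None, "errors": []})
        if m["state"]:
            s["states"].append(m["state"])
        msg = m["msg"]
        if "ISAKMP SA established" in msg:
            s["phase1"] = True
        if "IPsec SA established" in msg:
            s["phase2"] = True
            sp = SPI_RE.search(msg)
            if sp:
                s["spi_out"], s["spi_in"] = sp["out"], sp["inb"]
        if "NO_PROPOSAL_CHOSEN" in msg or "failed" in msg.lower():
            s["errors"].append(msg)
    return summary


def esp_on_wire(lines, gw_a, gw_b):
    """Inspect a tcpdump -n capture from the external interface.
    Counts ESP packets and SPIs, flags a sequence number that does not increase
    for its SPI (replay or duplicate), and records any non-ESP, non-IKE line
    between the two gateway addresses, i.e. traffic that bypassed the tunnel."""
    result = {"esp_packets": 0, "spis": set(), "replay_suspect": [], "cleartext": []}
    last_seq = {}
    pair = {gw_a, gw_b}
    for line in lines:
        line = line.strip()
        m = TCPDUMP_ESP_RE.match(line)
        if m:
            result["esp_packets"] += 1
            result["spis"].add(m["spi"])
            seq = int(m["seq"], 16)
            if m["spi"] in last_seq and seq <= last_seq[m["spi"]]:
                result["replay_suspect"].append(line)
            last_seq[m["spi"]] = seq
            continue
        addrs = ADDR_RE.findall(line)
        if len(addrs) >= 2 and {addrs[0], addrs[1]} == pair and "isakmp" not in line.lower():
            result["cleartext"].append(line)
    return result


def tunnel_healthy(summary, wire, conn):
    """Single verdict an operator wants: both phases up and nothing in clear."""
    s = summary.get(conn)
    return bool(s and s["phase1"] and s["phase2"] and not s["errors"]
                and wire["esp_packets"] > 0 and not wire["cleartext"])


# Sample input: pluto lines from the deck, tcpdump lines from the deck plus two constructed ones.
PLUTO_LOG = [
    '104 "net-to-net" #1: STATE_MAIN_I1: initiate',
    '106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2',
    '108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3',
    '004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established',
    '112 "net-to-net" #2: STATE_QUICK_I1: initiate',
    '004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xe0bdd0e9 <0x13ac7645}',
]
TCPDUMP_EXT = [
    '02:08:23.637149 IP 1.2.3.4 > 5.6.7.8: ESP(spi=0xf4909a7e,seq=0x73)',
    '02:08:24.635302 IP 5.6.7.8 > 1.2.3.4: ESP(spi=0x808e9a87,seq=0x74)',
    '02:08:25.101000 IP 1.2.3.4 > 5.6.7.8: ESP(spi=0xf4909a7e,seq=0x73)',   # constructed: repeated seq
    '02:08:26.200000 IP 1.2.3.4 > 5.6.7.8: ICMP echo request, id 1, seq 1, length 64',  # constructed: clear
]

if __name__ == "__main__":
    summary = summarize_pluto(PLUTO_LOG)
    wire = esp_on_wire(TCPDUMP_EXT, "1.2.3.4", "5.6.7.8")
    print(summary["net-to-net"])
    print(wire)
    print("healthy:", tunnel_healthy(summary, wire, "net-to-net"))
```

  On the deck's own lines alone the verdict is healthy; with the two constructed lines added it is not, because one packet between the gateways went out in clear. That last check is the one that catches the NAT mistake from slide 34: a masqueraded LAN packet shows up on the external interface as plain ICMP from the gateway address instead of as ESP.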
  • 38. void@null.co.in bharmal.murtuja@gmail.com Courtesy http://www.wien2k.at
