Monday, 26 March 2018

VPN:Detailed Notes


Virtual Private Networks
A virtual private network (VPN) is a private network that is built over a public infrastructure. Security mechanisms, such as encryption, allow VPN users to securely access a network from different locations via a public telecommunications network, most frequently the Internet.






















Devices Support VPN

Router
Firewall
VPN concentrator
Server
Cisco VPN Client v5

VPN= Tunneling + Encryption

Encryption protocols
1. SSH ( Secure Shell) à Secure remote connectivity
2. S/MIME ( Secure/ Multipurpose internet mail exchange) à Email Security
3. SSL ( Secure socket Layer) Online transactions
4. Ipsec ( Ip security)   Online transactions

Tunneling
1. Ipsec à Open Standard
2. GRE à Cisco Prop.
3. L2F à Layer 2 Forwarding
4. L2TP à Layer 2 tunneling protocol
5. PPTP à point to point tunneling protocol

GRE                                                    Ipsec
Cisco Proprietary                                Open Standard
Generic Routing Encapsulation           IP security
Tunneling                                            Encryption +Tunneling
Supports IP , IPX and Tunneling        Supports only IP
Supports Unicast and Multicast          Supports only Unicast
Less secure                                          More secure
In real time we use GRE over Ipsec.

Internet Protocol Security (IPsec.)
IP sec is a open standard (IETF)
Network Layer Protocol
It provides data security and tunneling services
It is a framework of many open standard
Scales from small to very large networks
It can work only for IP unicast traffic.
IP sec over GRE is used for protecting non-ip or multicast traffic

IP Sec Modes
Tunnel Mode (Encrypt IP + password)
·      Tunnel mode creates a new additional IP header with data encryption
Transport mode (Encrypt +Password)
·      Just encypt data without adding new IP header.
























DES- Data Encryption Standard;           AES- Advance Encryption Standard

Assymetric encryption uses Different Keys: Private Key – Encryption, Public Key – Decryption.

VPNs are to provide data integrity, authentication and data encryption to assure confidentiality of packets sent over an unprotected network or the internet.
VPN implementations are categorized in to two distinct groups:
Site- to –Site VPNs: These VPN tunnels are terminated between two or more network infrastructure devices.
 Remote-access VPNs: These VPN tunnels are formed between a VPN head-end device and an end-user workstation or hardware VPN client.
Securing Remote Access
IPSec VPNs protect IP packets exchanged between remote networks or hosts and an IPSec gateway located at the edge of your private network.
 SSL VPN products protect application streams from remote users to an SSL gateway.
 In other words, IPSec connects hosts to entire private networks, while SSL VPNs connect users to inside those services and applications networks.
Technical Overview of IPSec
IPsec uses the Internet Key Exchange (IKE) protocol to negotiate and establish secured site-to-site or remote-access VPN tunnels.
Ipsec is a framework provided by the Internet Security Association and Key Management Protocol (ISKAMP) and parts of two other management protocols, namely Oakley and Secure Key Exchange Mechanism (SKEME).
IKE has two phases
Phase1 is used to create secure bidirectional communication channel between the IPsec peers.
This channel is known as the ISKAMP security association (SA).
Phase2  is use to negotiate the IP Sec. SAs.
IKE phase 1
1. Negotiate  phase 1( hagle)
2. Setup Keys (DH)
3. Authenticate
IKE Phase 1 “SA/Tunnel” Ready
Options IKE phase 1
Hashing: MD5/SHA
Authentication:  PSK, RSA Signs
Group (DH): 1,2,5
Lifetime: # of seconds
Encryption: DES, 3DES, AES

IKE Phase 2
Negotiation phase 2
(Encryption, Hashing, Lifetime, PFS)
IKE phase2 “SA/Tunnel” Ready
Often called the IPSec Tunnel

Options IKE Phase 2
Hashing: MD5/SHA HMAC
(Already Authenticated)
Group/PFS (DH): 1, 2, 5
Lifetime: Time or Data
Encryption: DES, 3DES, AES

IP Sec. uses two different protocols to encapsulate the data over a VPN tunnel.
Encapsulation Security Payload (ESP): IP protocol 50
Authentication Header (AH): IP Protocol 51
IP Sec can use two modes with either AH or ESP:
Transport Mode: Protects upper-layer protocols, such as UDP and TCP
Tunnel Mode: Protects the entire IP Packets.

IKEV2
IKE version 2 enhances the function of performing dynamic key exchange and peer authentication.
Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in the IPSec protocol suite.

Comparison between IKEv1 and IKEv2






































The Internet Key Exchange (IKE) is an IPsec (Internet Protocol Security) standard protocol used to ensure security for virtual private network(VPN) negotiation and remote host or network access.
Specified in IETF Request for Comments(RFC) 2409, IKE defines an automatic means of negotiation and authentication for IPsec security associations (SA). 
Security associations are security policies defined for communication between two or more entities; the relationship between the entities is represented by a key.
The IKE protocol ensures security for SA communication without the pre-configuration that would be required.
IPSEC VS SSL:
This document is regarding the quick look out of two VPN technologies. It covers the difference and strengths of both technologies.

IPSEC:
-      It works on Layer 3 (Network Layer) of OSI Model.
-      Since, it works on Network Layer; it secures all data that travels between two end points without an association to any specific application.
-      Once, it gets connected then the person will be virtually connected to the respective entire network and able to access the entire network
-      It defines how to provide data integrity, authenticity and confidentiality over insecure network
like Internet.
-      It completes its goal through tunneling, Encryption and Authentication.
-      It is complex because the two entities which will communicate via IPSEC have to agree on same security policies which must be configured on the both end of the devices.
-      A Single IPSec tunnel secures all the communication between the devices regardless of traffic type. It can be TCP, UDP, ICMP etc or any application like e-mail, client-server, database.
-      Special purpose software is available for IPSec connections. This can be for PCs, Mobiles, and
PDAs as well as for edge devices like Routers and Firewall.

SSL VPN:
-      It works on Layer 7 (Application Layer) of OSI Model.
-      It is a protocol used for secure web-based communication over the Internet.
-      It uses encryption and authentication to keep communications private between two devices, typically, web server and user machine.
-      Like IPSec, SSL also provides flexibility by providing level of security.
-      Unlike IPSec, SSL helps to secure one application at a time and each application is supported via web browser.
-      All basic web browser application such as IE or Mozilla supports SSL, by default. But, not all the application supports same so it requires upgrading which is very cost consuming.
-      Above problem can be resolved by purchasing SSL VPN gateway which is deployed at the edge
of the corporate network and serve as a proxy toLAN application such as e-mail, file servers and the other resources.
-      The browser thinks it is directly communicating with the application and application thinks it is directly communicating with browser. SSL VPN makes it transparent to the either side of the network.

SSL VPN delivers the following three modes of SSL VPNaccess:
Clientless—mode provides secure access to private web resources and will provide accessto webcontent. This mode is useful for accessing most content that you would expect to access ina web browser, such as Internet access, databases, and online tools that employ a web interface.

• Thin Client (port-forwarding Java applet)—Thin client mode extends the capability of the cryptographic functions of the web browser to enable remote access to TCP-based applications such as Post Office Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access protocol (IMAP), Telnet, and Secure Shell (SSH).


• Tunnel Mode—full tunnel client mode offers extensive application support through its dynamically downloaded Cisco AnyConnect VPN Client (next-generation SSL VPN Client) for SSL VPN. Full tunnel client mode delivers a lightweight, centrally configured and easy-to-support SSL VPN tunneling client that provides network layer access to virtually any application.

Strength and Weaknesses:
IPsec ‘s key strength lies in its ability to provide a permanent connection between locations. Working at the network layer (layer 3 of the network stack) also makes it application agnostic: Any IP-based protocol could be tunneled through it. This makes IPsec an attractive alternative to an expensive leased line or a dedicated circuit. It could also serve as a backup link in the event that the primary leased line or dedicated circuit connecting the remote site to the central office goes down.

IPsec's application-agnostic design is also its weakness, however. Though it provides authentication, authorization and encryption, while basically extending the corporate network to any remote user, it does not have the ability to restrict access to resources at a granular level. Once a tunnel is set up ,remote users can typically access any corporate resource as if they were plugged directly into the corporate network.These VPN security concern are exacerbated because having a mobile workforce requires allowing non-managed IT assets like smartphones and home PCs to access corporate resources.These are assets that IT has no visibility into or control over, and there is no guarantee that thesedevices comply with the level of security that is typically enforced on managed assets.
IPsec is also more involved to maintain.In addition to setting up the appliance to terminate the tunnels, additional configuration and maintenance are required to support the remote user population. In situations where corporations use Network Address Translation (NAT), special configuration is required to ensure IPsec play snicely with the NAT setup.

SSL VPNs, on the other hand, have been designed from the ground up to support remote access.They do not require any special software to be installed. Remote access is provided through a browser-based session using SSL.SSL VPNs also provide an enterprise with the ability to control access at a granular level. Specific authentication and authorization schemes for access to an application can be limited to a particular user population. Built-in logging and auditing capabilities address various compliance requirements. SSL VPNs also have the ability to run host compliance checks on the remote assets connecting to the enterprise to validate they are configured with the appropriate security software and have the latest patches installed.
This does not meanSSL VPNs are the panacea to all of IPsec’s weaknesses. If a remote site requires an always-on link to the main office, SSL VPN would not be the solution. IPsec, being application agnostic, can support a number of legacy protocols and traditional client/server applications with minimal effort.This is not the case with SSL VPNs, which have been built around Web-based applications. Many SSLVPNs get around this weakness by installing a Java or ActiveX-based agent on the remote asset. This installation is typically achieved seamlessly after the remote asset has successfully authenticated to the SSL VPN appliance, though it should be noted that both ActiveX and Java come with their own security weaknesses that attackers commonly seek to exploit.


IPSEC or SSL VPN:
Each VPN method has its place in an enterprise. Ideally, as SSL and IPsec VPNs serve different purposes and complement each other, they should both be implemented. IPsec should be leveraged in situations where an always-on connection to remote office locations or partners/vendors is required. In these instances, granular access control limitations and missing host-check capabilities should be augmented with a Network AccessControl (NAC) system, which  can ensure only approved remote hosts are allowed to connect to the enterprise. Enterprises should leverage SSL VPNs primarily as a remote access method for the mobile workforce where granular access control capabilities, auditing and logging, and security policy enforcement are crucial. But, regardless of your VPN choice or specific needs, remember that a VPN must not only be updated, tested and monitored for performance, but also employed as part of a defense-in-depth strategy that utilizes comprehensive policies and a variety of network security technologies.



What is the difference between IPSec VPN and SSL VPN?

The IPSec is a set of protocols which operate on a network layer of the OSI Model - it protects the data sent between two endpoints by encrypting the IP traffic. Generally, the IPSec requires a dedicated hardware and/or software ("client" software) and specific knowledge to configure it properly and therefore is quite expensive to implement. 

SSL VPN is based on the SSL (secure socket layer) protocol - virtually every computer nowadays supports it. That means that your computer already has the "client" software to access the SSL VPN. Traditionally SSL VPN was associated with web-browsers (so you could use it only for a web-based traffic) - however with solutions like OpenVPN you can now create a VPN solution quite similar (and equally secure) to the one offered by IPSec. 

The selection criteria really depend on what are your trying to achieve by implementing a VPN solution. 

Traditionally for site-to-site VPN one would use IPSec, while for the client remote access SSL VPN would be selected (especially for the web-based access). However with the OpenVPN you can now implement equally secure site-to-site VPN solution. 

As mentioned at the beginning IPSec would be more expensive in comparison to the SSL VPN (e.g. OpenVPN). SSL VPN is a tunneling method that uses an encryption layer on top of the IP stack -- usually, over TCP, which brings a number of congestion problems with it -- and can be used to secure traffic from an endpoint (home or on-the-road user) to a network that should not be publicly accessible. 
Depending on the exact solution, it may be "clientless" which is kind of a misnomer as it will usually still require a java capable browser, in which a client applet is downloaded and run to build a connection. 
There is no such thing as a standard for SSL VPN solutions, all have their own proprietary design. 
Site-to-site (to connect two office networks to each other for example) connectivity may or may not be possible depending on the solution. 

IPSec VPN on the other hand is an encryption method built as an extension to the IPv4 stack (or builtin in case of IPv6) and can besides tunneling also provide mere authentication of IP packets if required. 
It is an internet standard and interoperable gateways are available from several vendors. 
Site-to-site connectivity is also available in the standard. 
IPSec may require dedicated software (or appliance) on the gateway side. 
Client side, in case of endpoint-to-network connections, a client application may be required for ease of configuration although IPSec functionality is builtin into recent Windows versions, comes with all major Linux distributions, and is available on MacOS too. 

Free gateway software is available for either case, with OpenSwan being the major contender in IPSec solutions, and OpenVPN in SSL solutions. 
Incidentally, OpenVPN is an atypical SSL VPN in that it supports site-to-site connectivity, does require a dedicated client application in all cases (does not work through a browser), and uses it's own proprietary SSL protocol over UDP rather than TCP thus avoiding congestion issues of TCP-over-TCP which most "normal" SSL tunneling solutions have. 

Typical decision criteria are the same as any IT project -- skill, budget, timeframe, ... Then apply those to the technologies at hand. 
Differences (in brief, with no details): 
1. SSL (secure tunnel to APPLICATION) 
1.1 SSL works on high level (TCP). That is, it can secure TCP connections only. 
1.2 Can authentication both sides/single side/no auth. (policy defined by configuration). For example, anyone can connect to LinkedIn web server via "https" (http over SSL). 
1.3 Designed to secure TCP applications only (Examples: Web servers, Mail servers) 
1.4 Usually implemented by software above OS (for example embedded in Web/mail server) 
1.5 Requires additional software technology (TCP session forwarder) to secure particular application, if application do not support SSL directly 
1.6 Cheap and well-standardized 
1.7 Security is very sensitive to OS/Firewall missconfiguration 

2. IPSec (secure tunnel to your NETWORK) 
2.1 IPSec works on IP level (much lower level), so it can secure (in theory) any IP protocol (UDP, TCP, even ICMP in some implementations) 
2.2 Requires authentication of both sides (need key distribution) 
2.3 Application independent (that is, can secure any application in your network) 
2.4 Usually works on OS IP stack implementation level 
2.5 Expensive. Solutions from different vendors can be incompatible 
2.6 Security is very sensitive to end-point security (because user will have access to your network). 
2.7 Much less effort to grant access to particular application. In fact, IPSec is application-transparent. 

Decision criteria (as for me): 
1. If you need to supply full power of your corporate network (file sharing, domain servers, lots of applications etc.) to your VIP employees at home or you connect two remote office