Virtual Private
Networks
A
virtual private network (VPN) is a private network that is built over a public
infrastructure. Security mechanisms, such as encryption, allow VPN users to
securely access a network from different locations via a public telecommunications
network, most frequently the Internet.
Devices Support
VPN
Router
Firewall
VPN concentrator
Server
Cisco VPN Client v5
VPN= Tunneling + Encryption
Encryption protocols
1. SSH ( Secure Shell) Ã Secure remote connectivity
2. S/MIME ( Secure/ Multipurpose internet
mail exchange) Ã Email Security
3. SSL ( Secure
socket Layer) Online transactions
4. Ipsec ( Ip
security) Online transactions
Tunneling
1. Ipsec à Open Standard
2. GRE Ã
Cisco Prop.
3. L2F Ã
Layer 2 Forwarding
4. L2TP Ã Layer 2 tunneling protocol
5. PPTP Ã point to point tunneling protocol
GRE Ipsec
Cisco Proprietary Open Standard
Generic Routing Encapsulation IP security
Tunneling Encryption
+Tunneling
Supports IP , IPX and Tunneling Supports only IP
Supports Unicast and Multicast Supports only Unicast
Less secure More secure
In real time we use GRE over Ipsec.
Internet Protocol Security (IPsec.)
IP sec is a open standard (IETF)
Network Layer Protocol
It provides data security and tunneling
services
It is a framework of many open standard
Scales from small to very large networks
It can work only for IP unicast traffic.
IP sec over GRE is used for protecting
non-ip or multicast traffic
IP
Sec Modes
Tunnel Mode (Encrypt IP + password)
·
Tunnel
mode creates a new additional IP header with data encryption
Transport mode (Encrypt +Password)
·
Just
encypt data without adding new IP header.
DES-
Data Encryption Standard; AES-
Advance Encryption Standard
Assymetric
encryption uses Different Keys: Private Key – Encryption, Public Key –
Decryption.
VPNs
are to provide data integrity,
authentication and data encryption to assure confidentiality of packets
sent over an unprotected network or the internet.
VPN
implementations are categorized in to two distinct groups:
Site- to –Site VPNs:
These VPN tunnels are terminated between two or more network infrastructure
devices.
Remote-access
VPNs: These VPN tunnels are formed between a VPN head-end device and an
end-user workstation or hardware VPN client.
Securing
Remote Access
IPSec
VPNs protect IP packets exchanged between remote networks or hosts and an IPSec
gateway located at the edge of your private network.
SSL VPN products protect application streams
from remote users to an SSL gateway.
In other words, IPSec connects hosts to entire private networks, while SSL VPNs
connect users to inside those services
and applications networks.
Technical Overview of IPSec
IPsec
uses the Internet Key Exchange (IKE) protocol to negotiate and establish
secured site-to-site or remote-access VPN tunnels.
Ipsec
is a framework provided by the Internet Security Association and Key Management
Protocol (ISKAMP) and parts of two other management protocols, namely Oakley
and Secure Key Exchange Mechanism (SKEME).
IKE
has two phases
Phase1
is used to create secure bidirectional communication channel between the IPsec
peers.
This
channel is known as the ISKAMP security association (SA).
Phase2 is use to negotiate the
IP Sec. SAs.
IKE phase 1
1. Negotiate phase 1( hagle)
2. Setup Keys (DH)
3. Authenticate
IKE Phase 1
“SA/Tunnel” Ready
Options IKE phase 1
Hashing: MD5/SHA
Authentication: PSK, RSA Signs
Group (DH): 1,2,5
Lifetime: # of seconds
Encryption: DES,
3DES, AES
IKE Phase 2
Negotiation phase
2
(Encryption,
Hashing, Lifetime, PFS)
IKE phase2 “SA/Tunnel”
Ready
Often called the
IPSec Tunnel
Options IKE Phase 2
Hashing: MD5/SHA
HMAC
(Already
Authenticated)
Group/PFS (DH): 1,
2, 5
Lifetime: Time or
Data
Encryption: DES,
3DES, AES
IP Sec. uses two
different protocols to encapsulate the data over a VPN tunnel.
Encapsulation Security Payload (ESP): IP protocol 50
Authentication Header (AH): IP Protocol 51
IP Sec can use two
modes with either AH or ESP:
Transport Mode: Protects upper-layer protocols, such as
UDP and TCP
Tunnel Mode: Protects the entire IP Packets.
IKEV2
IKE version 2
enhances the function of performing dynamic key exchange and peer
authentication.
Internet Key Exchange (IKE or IKEv2) is the protocol
used to set up a security association (SA) in the IPSec protocol suite.
Comparison between IKEv1 and IKEv2
The Internet Key Exchange (IKE) is an IPsec (Internet
Protocol Security) standard protocol used to ensure security for virtual
private network(VPN) negotiation and remote host or network access.
Specified in IETF Request for Comments(RFC) 2409, IKE defines
an automatic means of negotiation and authentication for IPsec security
associations (SA).
Security associations are security policies defined for
communication between two or more entities; the relationship between the
entities is represented by a key.
The IKE protocol ensures security for SA communication
without the pre-configuration that would be required.
IPSEC VS SSL:
This document is regarding the quick look out
of two VPN technologies. It covers the difference and strengths of both
technologies.
IPSEC:
- It works on Layer 3 (Network Layer) of OSI Model.
- Since, it works on
Network Layer; it secures all data that travels between two end
points without an
association to any specific application.
- Once, it gets connected
then
the person will be virtually connected to the respective entire
network and able to access the entire network
- It defines how to provide data integrity, authenticity and
confidentiality over insecure network
like Internet.
- It completes its goal through tunneling, Encryption
and Authentication.
- It is complex because the two entities which will communicate via IPSEC have to
agree on same security policies which must be configured on
the both end of the devices.
- A
Single IPSec tunnel secures all the communication between
the devices regardless of traffic type. It can
be TCP, UDP, ICMP etc or any application
like e-mail, client-server, database.
- Special purpose
software is available for IPSec connections.
This can be for PCs, Mobiles, and
PDAs as well as
for edge devices like Routers and Firewall.
SSL
VPN:
- It works on Layer 7 (Application Layer) of OSI Model.
- It is a protocol used for secure web-based communication over the Internet.
- It uses encryption
and authentication to keep communications private between two devices,
typically, web server and user machine.
- Like IPSec, SSL also provides flexibility by providing
level of security.
- Unlike IPSec, SSL helps to
secure one application at a time and each application
is supported via web browser.
- All basic web
browser application such
as IE or Mozilla supports SSL, by default. But, not all the
application supports same so it requires upgrading which
is very cost consuming.
- Above problem can
be resolved by purchasing SSL VPN gateway which is deployed at the edge
of the corporate network and
serve as a proxy toLAN application
such as e-mail, file servers and the other resources.
- The browser thinks it is directly
communicating with the application and application thinks it is
directly communicating with browser. SSL VPN makes it transparent to the either side of the
network.
SSL VPN delivers the following
three modes of SSL VPNaccess:
•Clientless—mode provides secure access to private web
resources and will provide accessto webcontent. This mode is useful for accessing most content that you would expect to access ina web
browser, such as Internet access, databases, and online tools that employ a web interface.
• Thin Client (port-forwarding Java applet)—Thin
client mode extends the capability of the
cryptographic functions of the web browser to enable remote access to TCP-based
applications such as Post Office Protocol version
3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access
protocol (IMAP), Telnet, and Secure Shell (SSH).
• Tunnel Mode—full tunnel client mode offers extensive application
support through its dynamically downloaded Cisco AnyConnect VPN
Client (next-generation SSL VPN Client) for SSL VPN. Full tunnel
client mode delivers a lightweight, centrally configured
and easy-to-support SSL VPN tunneling client that provides network layer access to virtually any application.
Strength and Weaknesses:
IPsec ‘s key strength lies in its ability to provide a permanent connection between locations. Working at the network layer (layer 3 of the network stack) also makes it application agnostic: Any IP-based protocol could be tunneled through it. This makes IPsec an attractive alternative to an expensive leased line or a dedicated circuit. It could also serve as a backup link in the event that the primary leased line or dedicated circuit connecting the remote site to the central office goes down.
IPsec's application-agnostic design is also its weakness, however. Though it provides authentication, authorization and encryption, while basically extending the corporate network to any remote user, it does not have the ability to restrict access to resources at a granular level. Once a tunnel is set up ,remote users can typically access any corporate resource as if they were plugged directly into the corporate network.These VPN security concern are exacerbated because having a mobile workforce requires allowing non-managed IT assets like smartphones and home PCs to access corporate resources.These are assets that IT has no visibility into or control over, and there is no guarantee that thesedevices comply with the level of security that is typically enforced on managed assets.
IPsec is also more involved to maintain.In addition to setting up the appliance to terminate the tunnels, additional configuration and maintenance are required to support the remote user population. In situations where corporations use Network Address Translation (NAT), special configuration is required to ensure IPsec play snicely with the NAT setup.
SSL VPNs, on the other hand, have been designed from the ground up to support remote access.They do not require any special software to be installed. Remote access is provided through a browser-based session using SSL.SSL VPNs also provide an enterprise with the ability to control access at a granular level. Specific authentication and authorization schemes for access to an application can be limited to a particular user population. Built-in logging and auditing capabilities address various compliance requirements. SSL VPNs also have the ability to run host compliance checks on the remote assets connecting to the enterprise to validate they are configured with the appropriate security software and have the latest patches installed.
This does not meanSSL VPNs are the panacea to all of IPsec’s weaknesses. If a remote site requires an always-on link to the main office, SSL VPN would not be the solution. IPsec, being application agnostic, can support a number of legacy protocols and traditional client/server applications with minimal effort.This is not the case with SSL VPNs, which have been built around Web-based applications. Many SSLVPNs get around this weakness by installing a Java or ActiveX-based agent on the remote asset. This installation is typically achieved seamlessly after the remote asset has successfully authenticated to the SSL VPN appliance, though it should be noted that both ActiveX and Java come with their own security weaknesses that attackers commonly seek to exploit.
IPSEC or SSL VPN:
Each VPN method has its place in an enterprise. Ideally, as SSL and IPsec VPNs serve different purposes and complement each other, they should both be implemented. IPsec should be leveraged in situations where an always-on connection to remote office locations or partners/vendors is required. In these instances, granular access control limitations and missing host-check capabilities should be augmented with a Network AccessControl (NAC) system, which can ensure only approved remote hosts are allowed to connect to the enterprise. Enterprises should leverage SSL VPNs primarily as a remote access method for the mobile workforce where granular access control capabilities, auditing and logging, and security policy enforcement are crucial. But, regardless of your VPN choice or specific needs, remember that a VPN must not only be updated, tested and monitored for performance, but also employed as part of a defense-in-depth strategy that utilizes comprehensive policies and a variety of network security technologies.
What is the difference between IPSec VPN and SSL VPN?
The IPSec is a set of
protocols which operate on a network layer of the OSI Model - it protects the
data sent between two endpoints by encrypting the IP traffic. Generally, the
IPSec requires a dedicated hardware and/or software ("client"
software) and specific knowledge to configure it properly and therefore is
quite expensive to implement.
SSL VPN is based on the SSL (secure socket layer) protocol - virtually every computer nowadays supports it. That means that your computer already has the "client" software to access the SSL VPN. Traditionally SSL VPN was associated with web-browsers (so you could use it only for a web-based traffic) - however with solutions like OpenVPN you can now create a VPN solution quite similar (and equally secure) to the one offered by IPSec.
The selection criteria really depend on what are your trying to achieve by implementing a VPN solution.
Traditionally for site-to-site VPN one would use IPSec, while for the client remote access SSL VPN would be selected (especially for the web-based access). However with the OpenVPN you can now implement equally secure site-to-site VPN solution.
As mentioned at the beginning IPSec would be more expensive in comparison to the SSL VPN (e.g. OpenVPN). SSL VPN is a tunneling method that uses an encryption layer on top of the IP stack -- usually, over TCP, which brings a number of congestion problems with it -- and can be used to secure traffic from an endpoint (home or on-the-road user) to a network that should not be publicly accessible.
Depending on the exact solution, it may be "clientless" which is kind of a misnomer as it will usually still require a java capable browser, in which a client applet is downloaded and run to build a connection.
There is no such thing as a standard for SSL VPN solutions, all have their own proprietary design.
Site-to-site (to connect two office networks to each other for example) connectivity may or may not be possible depending on the solution.
IPSec VPN on the other hand is an encryption method built as an extension to the IPv4 stack (or builtin in case of IPv6) and can besides tunneling also provide mere authentication of IP packets if required.
It is an internet standard and interoperable gateways are available from several vendors.
Site-to-site connectivity is also available in the standard.
IPSec may require dedicated software (or appliance) on the gateway side.
Client side, in case of endpoint-to-network connections, a client application may be required for ease of configuration although IPSec functionality is builtin into recent Windows versions, comes with all major Linux distributions, and is available on MacOS too.
SSL VPN is based on the SSL (secure socket layer) protocol - virtually every computer nowadays supports it. That means that your computer already has the "client" software to access the SSL VPN. Traditionally SSL VPN was associated with web-browsers (so you could use it only for a web-based traffic) - however with solutions like OpenVPN you can now create a VPN solution quite similar (and equally secure) to the one offered by IPSec.
The selection criteria really depend on what are your trying to achieve by implementing a VPN solution.
Traditionally for site-to-site VPN one would use IPSec, while for the client remote access SSL VPN would be selected (especially for the web-based access). However with the OpenVPN you can now implement equally secure site-to-site VPN solution.
As mentioned at the beginning IPSec would be more expensive in comparison to the SSL VPN (e.g. OpenVPN). SSL VPN is a tunneling method that uses an encryption layer on top of the IP stack -- usually, over TCP, which brings a number of congestion problems with it -- and can be used to secure traffic from an endpoint (home or on-the-road user) to a network that should not be publicly accessible.
Depending on the exact solution, it may be "clientless" which is kind of a misnomer as it will usually still require a java capable browser, in which a client applet is downloaded and run to build a connection.
There is no such thing as a standard for SSL VPN solutions, all have their own proprietary design.
Site-to-site (to connect two office networks to each other for example) connectivity may or may not be possible depending on the solution.
IPSec VPN on the other hand is an encryption method built as an extension to the IPv4 stack (or builtin in case of IPv6) and can besides tunneling also provide mere authentication of IP packets if required.
It is an internet standard and interoperable gateways are available from several vendors.
Site-to-site connectivity is also available in the standard.
IPSec may require dedicated software (or appliance) on the gateway side.
Client side, in case of endpoint-to-network connections, a client application may be required for ease of configuration although IPSec functionality is builtin into recent Windows versions, comes with all major Linux distributions, and is available on MacOS too.
Free gateway
software is available for either case, with OpenSwan being the major contender
in IPSec solutions, and OpenVPN in SSL solutions.
Incidentally, OpenVPN is an atypical SSL VPN in that it supports site-to-site connectivity, does require a dedicated client application in all cases (does not work through a browser), and uses it's own proprietary SSL protocol over UDP rather than TCP thus avoiding congestion issues of TCP-over-TCP which most "normal" SSL tunneling solutions have.
Typical decision criteria are the same as any IT project -- skill, budget, timeframe, ... Then apply those to the technologies at hand.
Differences (in brief, with no details):
1. SSL (secure tunnel to APPLICATION)
1.1 SSL works on high level (TCP). That is, it can secure TCP connections only.
1.2 Can authentication both sides/single side/no auth. (policy defined by configuration). For example, anyone can connect to LinkedIn web server via "https" (http over SSL).
1.3 Designed to secure TCP applications only (Examples: Web servers, Mail servers)
1.4 Usually implemented by software above OS (for example embedded in Web/mail server)
1.5 Requires additional software technology (TCP session forwarder) to secure particular application, if application do not support SSL directly
1.6 Cheap and well-standardized
1.7 Security is very sensitive to OS/Firewall missconfiguration
2. IPSec (secure tunnel to your NETWORK)
2.1 IPSec works on IP level (much lower level), so it can secure (in theory) any IP protocol (UDP, TCP, even ICMP in some implementations)
2.2 Requires authentication of both sides (need key distribution)
2.3 Application independent (that is, can secure any application in your network)
2.4 Usually works on OS IP stack implementation level
2.5 Expensive. Solutions from different vendors can be incompatible
2.6 Security is very sensitive to end-point security (because user will have access to your network).
2.7 Much less effort to grant access to particular application. In fact, IPSec is application-transparent.
Decision criteria (as for me):
1. If you need to supply full power of your corporate network (file sharing, domain servers, lots of applications etc.) to your VIP employees at home or you connect two remote office
Incidentally, OpenVPN is an atypical SSL VPN in that it supports site-to-site connectivity, does require a dedicated client application in all cases (does not work through a browser), and uses it's own proprietary SSL protocol over UDP rather than TCP thus avoiding congestion issues of TCP-over-TCP which most "normal" SSL tunneling solutions have.
Typical decision criteria are the same as any IT project -- skill, budget, timeframe, ... Then apply those to the technologies at hand.
Differences (in brief, with no details):
1. SSL (secure tunnel to APPLICATION)
1.1 SSL works on high level (TCP). That is, it can secure TCP connections only.
1.2 Can authentication both sides/single side/no auth. (policy defined by configuration). For example, anyone can connect to LinkedIn web server via "https" (http over SSL).
1.3 Designed to secure TCP applications only (Examples: Web servers, Mail servers)
1.4 Usually implemented by software above OS (for example embedded in Web/mail server)
1.5 Requires additional software technology (TCP session forwarder) to secure particular application, if application do not support SSL directly
1.6 Cheap and well-standardized
1.7 Security is very sensitive to OS/Firewall missconfiguration
2. IPSec (secure tunnel to your NETWORK)
2.1 IPSec works on IP level (much lower level), so it can secure (in theory) any IP protocol (UDP, TCP, even ICMP in some implementations)
2.2 Requires authentication of both sides (need key distribution)
2.3 Application independent (that is, can secure any application in your network)
2.4 Usually works on OS IP stack implementation level
2.5 Expensive. Solutions from different vendors can be incompatible
2.6 Security is very sensitive to end-point security (because user will have access to your network).
2.7 Much less effort to grant access to particular application. In fact, IPSec is application-transparent.
Decision criteria (as for me):
1. If you need to supply full power of your corporate network (file sharing, domain servers, lots of applications etc.) to your VIP employees at home or you connect two remote office