NETW 05 A APPLIED WIRELESS SECURITY Wireless VPN

NETW 05 A: APPLIED WIRELESS SECURITY
Wireless VPN Technology
By Mohammad Shanehsaz
Spring 2005

This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation.

Objectives: Virtual Private Networks
• Implement, configure, and manage the following VPN solutions in a wireless LAN environment:
  • PPTP
  • IPSec
  • L2TP
• Explain the importance and benefits of session persistence in a wireless VPN environment
• Describe the benefits of mobile VPN solutions

Objectives
• Explain the differences, strengths, and limitations of each of the following as a wireless VPN solution:
  • Routers
  • VPN Concentrators
  • Firewalls

Objectives: Software solutions
• Implement software solutions for the following:
  • SSH2 Tunneling
  • Securing wireless thin clients
  • Port redirection
  • Transport Layer Security (TLS)

Virtual Private Network
• Provides a means for a computer and a network to communicate securely over public or unsecured network connections
• A VPN uses both authentication and encryption to ensure that only authorized users can access the network and read data, while data integrity is maintained by cryptographic checksums
• A VPN typically employs a form of encapsulation in which one protocol is carried inside another (tunneling)

Wireless VPN
• The use of VPN technology over a wireless medium
• Allows mobile users to securely access a corporate network from remote locations (such as a wireless hot spot)

VPN Process
• A device that initiates a connection to a VPN server (VPN concentrator) is a VPN client
• A VPN client can be an individual computer obtaining remote access or a router that establishes a peer-to-peer (router-to-router) VPN connection
• The connection is referred to as a tunnel (encapsulating one protocol inside another)
• During tunnel setup, the devices on each side of the tunnel agree on the details of authentication and encryption

VPN Process
• Passwords, smart cards, biometrics and other methods are commonly deployed for VPN authentication
• Some standard tunneling protocols are:
  • PPTP (Point-to-Point Tunneling Protocol)
  • L2TP (Layer 2 Tunneling Protocol)
  • IPSec (Internet Protocol Security)

Wireless VPN Considerations
• Wireless VPNs do not always fulfill every security design requirement
• For maximum security in a wireless VPN, both layer 2 and layer 3 of the OSI model should be secured
• This level of security carries a high price tag:
  • high administrative overhead
  • reduced throughput

Wireless VPN Considerations
• Advantages vs. disadvantages (coming slides)
• Security issues (unintentional sharing of the VPN connection)
• Administration (VPNs are administered remotely)
• Scalability (solutions should grow with the organization without constant replacement and retraining)
• Subnet roaming (a Mobile IP VPN solution is needed to solve roaming, but it is complicated to configure and manage in a large environment)

Wireless VPN Considerations
• Role-based access control (assign privileges based on the user's role in the network)
• VLANs (since VPN servers are encrypting routers with authentication support, segmentation happens at layer 3 in the network and requires skilled and experienced IT professionals)

Advantages of using Wireless VPNs
• Very secure encryption is available
• Connections are point-to-point
• Well-established standards are readily available from many vendors
• Many security administrators already understand VPN technology
• Most VPN servers work with established authentication methods like RADIUS
• Class-of-service mechanisms like RBAC can be deployed
• VPNs reduce broadcast domains in comparison with 802.1X/EAP solutions
• Authentication can be performed through a web browser

Disadvantages of Wireless VPNs
• Expensive
• Hot failover designs are very expensive
• Advanced routing is difficult
• Lack of interoperability between vendors
• Lack of OS support across multiple platforms
• Configuration of clients and servers and deployment can be difficult
• High encryption/decryption overhead
• VPN connections can be broken by roaming across layer 3 boundaries

VPN Connection types
• Remote access connections - created when a client initiates a connection to a VPN server
• Peer-to-peer connections - connect two private networks

PPTP VPN protocol
• Point-to-Point Tunneling Protocol supports multiple encapsulated protocols, authentication and encryption
• It uses a client/server architecture
• Microsoft developed it, so most of Microsoft's desktop and server operating systems support it natively
• It is based on the Point-to-Point Protocol (PPP)
• PPTP supports Microsoft Point-to-Point Encryption (MPPE) using the RC4 algorithm with a 128-bit key
• PPTP support has been implemented in the Linux server software called POPTOP
• The authentication methods used by PPTP are typically PAP, MS-CHAP or MS-CHAPv2

How does PPTP work?
• Starts by forming a tunnel between the client and server
• Many protocols can be encapsulated inside IP for use with PPTP, but by far IP-in-IP is the most common
• The client/server connection has an IP subnet, and the tunnel itself has a different subnet
• DHCP can be used for both subnets, inside and outside the tunnel
• The VPN server handles the tunnel IP address
• The client connects with the server by dialing the server
• The server then authenticates the user, establishes tunnel addresses and begins passing traffic

L2TP VPN Protocol
• Developed jointly by Cisco and Microsoft
• L2TP is a combination of Cisco's Layer 2 Forwarding (L2F) and Microsoft's PPTP
• There are two distinct parts to the L2TP network:
  • The L2TP Access Concentrator (LAC), where the client's physical connection terminates
  • The L2TP Network Server (LNS), where the upstream LNS terminates the PPP session
• Since it does not define any encryption standard, L2TP is often combined with IPSec for security

Similarities between PPTP and L2TP
• Both provide a logical transport mechanism to send PPP frames
• Both provide tunneling and encapsulation so that PPP frames based on any protocol can be sent across an IP network
• Both rely on the PPP connection process to perform:
  • user authentication, typically using a user name and password
  • protocol configuration

Differences between PPTP and L2TP
• With PPTP, data encryption begins after the PPP connection process is completed, so the user authentication process is not encrypted, while with L2TP/IPSec user authentication is encrypted
• PPTP uses MPPE encryption, which is RC4 with 40-, 56- or 128-bit encryption keys, whereas L2TP/IPSec uses DES (56-bit key) or 3DES (note: the Microsoft L2TP/IPSec VPN client only supports DES)
• PPTP requires only user-level authentication, while L2TP/IPSec connections require two levels: to create the SAs (for protecting encapsulated data), the client must first perform a computer-level authentication with a certificate or pre-shared key, and then user-level authentication is performed

Advantages of using L2TP
• IPSec provides per-packet data origin authentication, data integrity, replay protection, and data confidentiality, whereas PPTP provides only per-packet data confidentiality
• L2TP/IPSec requires stronger authentication (two-level authentication)
• PPP frames exchanged during user-level authentication are encrypted

IPSec/IKE
• A collection of IETF standards that specify key management protocols and encrypted packet formats/protocols (RFCs 2401 to 241X)
• Supports a wide variety of encryption algorithms (DES, 3DES, AES, RC4)
• Supports a variety of data integrity mechanisms (128-bit MD5, 160-bit SHA-1)
• The standards support pre-shared secrets and X.509 digital certificates for authenticating VPN peers
• IPSec is a network layer VPN technology independent of the applications that use it
• IPSec encapsulates the original IP data packet within its own packet
• The IPSec standards support IP unicast traffic only

IPSec Security Features
• Prevents eavesdropping by encrypting headers and data
• Prevents data modification by including a checksum with each packet
• Prevents forgery by keying the data and encrypting identities
• Replay attacks are prevented by sequencing the packets
• Mutual authentication and shared keys prevent man-in-the-middle attacks
• The packet filtering features of IPSec prevent denial of service by blocking packets that do not come from a valid IP range
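The "sequencing the packets" point above is worth seeing in code: the receiver keeps a sliding window of accepted sequence numbers and only advances it for packets whose integrity check passes. The example below is added here and is not from the slides or any IPSec implementation; it models an ESP-like record (32-bit sequence number, payload, 12-byte truncated HMAC-SHA256 ICV, a constructed format) and a 64-bit window in the style of RFC 2401 Appendix C.

```python
import hmac
import hashlib
import struct
from typing import List, Tuple

ICV_LEN = 12  # constructed format: HMAC-SHA256 truncated to 96 bits


class AntiReplayWindow:
    """Sliding receive window (RFC 2401 Appendix C style, 64 bits wide).

    Bit i of `bitmap` is set when sequence number (highest - i) has been accepted.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """Non-mutating check: would `seq` be accepted right now?"""
        if seq == 0:                          # sequence number 0 is never valid
            return False
        if seq > self.highest:                # right of the window: new packet
            return True
        if self.highest - seq >= self.size:   # left of the window: too old
            return False
        return not (self.bitmap >> (self.highest - seq)) & 1   # already seen?

    def update(self, seq: int) -> None:
        """Record `seq` as accepted. Call only after the ICV has verified."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: seq || payload || ICV."""
    body = struct.pack("!I", seq) + payload
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def receive(key: bytes, window: AntiReplayWindow, packet: bytes) -> Tuple[bool, str]:
    """Receiver side, in the order the IPSec specs require:
    1. cheap window check (drops replays before doing any crypto),
    2. ICV verification,
    3. window update, only for packets that passed the ICV check.
    """
    if len(packet) < 4 + ICV_LEN:
        return False, "truncated"
    seq = struct.unpack("!I", packet[:4])[0]
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not window.check(seq):
        return False, "replay or stale seq=%d" % seq
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        # Window untouched: a forged high sequence number cannot desync it.
        return False, "bad ICV seq=%d" % seq
    window.update(seq)
    return True, "accepted seq=%d" % seq


def demo() -> List[str]:
    """Constructed traffic: mild reordering, one replayed copy, one forged packet."""
    key = b"constructed-demo-key"
    window = AntiReplayWindow()
    log = []
    for seq in (1, 2, 3, 5, 4):               # reordering within the window is fine
        log.append(receive(key, window, protect(key, seq, b"data"))[1])
    log.append(receive(key, window, protect(key, 3, b"data"))[1])   # replayed copy
    forged = struct.pack("!I", 1000) + b"evil" + b"\x00" * ICV_LEN  # no valid ICV
    log.append(receive(key, window, forged)[1])
    log.append(receive(key, window, protect(key, 6, b"data"))[1])   # still accepted
    return log
```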

IPSec protocols
• There are two main protocols used with IPSec:
  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP)

Authentication Header
• Provides datagram authentication and integrity by applying a key (a secret key shared between the two systems) to create a one-way hash message digest
• The AH function is applied to the entire datagram except for any mutable IP header fields that change in transit
• The IP header and data payload are hashed for integrity
• The hash is used to build a new header, which is appended to the original packet
• After receiving the new packet, the peer router hashes the IP header and data payload and compares the result with the hash transmitted in the AH header
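The mutable-field rule above is the part that is easy to get wrong, so here it is worked through on real bytes. This is an added example, not code from the slides or from any IPSec stack: it builds a 20-byte IPv4 header and an AH header, computes the ICV with HMAC-SHA-1-96 (RFC 2404) over everything except the fields RFC 2402 classes as mutable (TOS, flags/fragment offset, TTL, header checksum), and then shows that a router hop changing the TTL still verifies while a changed address or payload does not. Addresses and the key are constructed values.

```python
import hmac
import hashlib
import socket
import struct

IPPROTO_AH = 51
ICV_LEN = 12            # HMAC-SHA-1-96 (RFC 2404): HMAC-SHA-1 truncated to 96 bits
AH_LEN = 12 + ICV_LEN   # next header, payload len, reserved, SPI, sequence number, ICV


def checksum(data: bytes) -> int:
    """Ordinary IPv4 header checksum (one's complement sum of 16-bit words)."""
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int) -> bytes:
    """Constructed 20-byte IPv4 header without options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr: bytes) -> bytes:
    """Zero the fields RFC 2402 treats as mutable; addresses, length, ID and
    protocol stay covered by the hash."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS / DSCP
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_icv(key: bytes, ip_hdr: bytes, ah_no_icv: bytes, payload: bytes) -> bytes:
    """The 'AH function': keyed one-way hash over immutable IP header fields,
    the AH header with its ICV field zeroed, and the payload."""
    covered = zero_mutable(ip_hdr) + ah_no_icv + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key: bytes, src: str, dst: str, spi: int, seq: int, payload: bytes,
               inner_proto: int = 6, ttl: int = 64) -> bytes:
    """Sender: IP header (protocol 51) + AH header + original payload."""
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, AH_LEN + len(payload), ttl)
    # AH payload length = AH length in 32-bit words minus 2 (RFC 2402): 24 bytes -> 4
    ah_no_icv = struct.pack("!BBHII", inner_proto, AH_LEN // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_no_icv + ah_icv(key, ip_hdr, ah_no_icv, payload) + payload


def ah_verify(key: bytes, packet: bytes) -> bool:
    """Receiver: rehash the received header/payload and compare with the AH ICV."""
    ip_hdr, rest = packet[:20], packet[20:]
    if len(ip_hdr) < 20 or ip_hdr[9] != IPPROTO_AH or len(rest) < AH_LEN:
        return False
    ah_no_icv, icv, payload = rest[:12], rest[12:AH_LEN], rest[AH_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_no_icv, payload))


def forward_hop(packet: bytes) -> bytes:
    """Simulate a router on the path: decrement TTL, recompute the header checksum."""
    h = bytearray(packet[:20])
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", checksum(bytes(h)))
    return bytes(h) + packet[20:]


def flip_byte(packet: bytes, offset: int) -> bytes:
    """Flip one byte, to simulate in-transit modification of a covered field."""
    p = bytearray(packet)
    p[offset] ^= 0xFF
    return bytes(p)
```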

Encapsulating Security Payload
• Provides confidentiality (encryption at the IP layer), data origin authentication, integrity, an optional anti-replay service, and limited traffic-flow confidentiality
• ESP provides confidentiality by encrypting at the IP layer (the original IP header is unencrypted)
• It supports a variety of symmetric encryption algorithms, but for interoperability it uses 56-bit DES

Modes of IPSec
• Transport mode is used between end stations, or between an end station and a gateway if the gateway is being treated as a host (e.g. a telnet session to a router from a workstation); only the data portion of each packet gets encrypted
• Tunnel mode is most commonly used between gateways, or from an end station to a gateway; both the header and the payload get encrypted
• See figures 13.11 and 13.12 for a comparison of AH and ESP in transport and tunnel modes

Choosing between AH and ESP
• If you need to transfer data with integrity and don't need confidentiality, use the AH protocol
• If you need to transfer data with integrity and confidentiality, use the ESP protocol, because ESP will encrypt the upper-layer protocols in transport mode and the entire IP datagram in tunnel mode

IPSec/IKE Remote Access
• The IP connection uses a special encapsulation or header between the two endpoints
• Client configuration is done through client software (native or third party) and consists of setting authentication and encryption rules (also called a policy)

Policies
• Policy items may include most, if not all, of the following:
  • Whether to secure a single connection or all connections
  • Connection type and ID (such as a secure gateway tunnel and IP address)
  • Mode (Transport or Tunnel)
  • ID type (Digital Certificate or Pre-Shared Key)
  • Negotiation mode (Main or Aggressive)
  • Perfect Forward Secrecy (enabled/disabled)
  • PFS key group (Diffie-Hellman type)
  • Replay detection (enabled/disabled)
  • Phase 1 proposal (encryption algorithm, hash algorithm, SA life, key group)
  • Phase 2 proposal (SA life, compression, ESP/AH)

IPSec VPNs: Pros
• All IP types and services are supported
• Failover without dropping sessions is available from multiple vendors
• High performance is available
• Dynamic re-keying, strong algorithms, and long key lengths make encryption very strong
• The same technology base works in client-to-site, site-to-site, and client-to-client deployments
• Supports strong authentication technologies and directory integration

IPSec VPNs: Pros (continued)
• The VPN server/gateway is typically co-resident, and therefore integrated, with firewall functions for access control, content screening, and other security controls
• IPSec client manufacturers are starting to bundle personal firewalls and other security functions (e.g. anti-virus and intrusion detection) with IPSec client products
• Once a key exchange is complete, many connections can utilize the established tunnel

IPSec VPNs: Cons
• Typically requires a client software installation; not all required client operating systems may be supported
• Connectivity can be adversely affected by firewalls between the client and gateway
• Connectivity can be adversely affected by NAT or proxy devices between the client and gateway
• Requires client configuration before the tunnel is established
• Weak interoperability between IPSec clients and servers/gateways due to configuration issues
• Once a client has a tunnel into an organization, it can become a target for hackers unless mitigated by personal firewalls or access controls at the VPN gateway

Advantages and Disadvantages of Using Digital Certificates for Authentication
• Users no longer have to maintain a set of passwords for entities that need to be authenticated when using certificates
• L2TP/IPSec connections still need passwords for user authentication (the entity being authenticated using the certificate is a computer)
• CAs issue certificates only to trusted entities
• It is difficult to impersonate a certificate holder
• The main disadvantage is that a PKI is needed to issue certificates to users

Advantages and disadvantages of Pre-Shared Key Authentication
• The advantage is that it does not require a PKI
• The disadvantages are:
  • A single key is used for all L2TP/IPSec connections in Win2k Server and the Microsoft L2TP/IPSec VPN client
  • The key can be mistyped
  • The difficulty of the distribution method
  • The origin, history and valid lifetime cannot be determined

SSH2
• IETF open standard
• Provides a secure TCP/IP tunnel between two computers, with authentication
• Encryption is at the transport layer, while authentication is implemented within the application
• Requires client and server software
• Clients are authenticated using their public key, a username and password, or both
• Uses a public key/private key encryption scheme
• Uses Message Authentication Code (MAC) algorithms for data integrity (SSH1 uses a 32-bit CRC)

SSH2 protocol
• SSH2 provides three main capabilities:
  • Secure command shell
  • Secure file transfer
  • Port forwarding (uses IP port 22 to route encrypted traffic from client to server and vice versa)
    • Can be handled "locally" on the client computer: the client is preconfigured with redirected ports
    • Can be handled "remotely" on the server
• SSH2 mitigates the following attacks:
  • Eavesdropping
  • Man-in-the-middle attacks
  • Insertion and replay attacks

Mobile IP
• Specified in RFC 2002
• It is combined with IPSec to provide security
• Made up of two primary components:
  • Home Agent (HA): a server or router with a static IP address that serves as the VPN tunnel server
    • A client with mobile IP software (vendor-specific) installed registers with the HA
    • When the client roams to a foreign network, it registers (notifies the HA of) its new address, the "care-of" address
  • Foreign Agent (FA): preconfigured with HA connectivity information, it acts as a liaison between the client and the HA when there is no DHCP server

Mobile IP Process
• The mobile node roams onto a foreign network and requests an IP address from the DHCP server
• If there is no DHCP, the client locates the FA through broadcasting
• The FA registers the mobile node's new care-of address with the HA
• The HA accepts packets destined to the mobile node on its behalf
• The HA redirects the packets to the mobile node by creating a new IP header with a destination address of the care-of address
• The FA unwraps the packet and forwards it to the destination
• Whenever the mobile node moves, it registers a new care-of address with its HA

Mobile IP security
• The Mobile IP specification addresses only redirection attacks
• All other security issues are left open for resolution by employing additional security layering
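The registration and forwarding steps on the previous slide, and the redirection protection this slide refers to, fit together in one small model. This is an added example, not code from the slides or from any Mobile IP product: a Home Agent keeps a binding table, accepts a Registration Request only if its authentication extension verifies and its Identification field is fresh (which is what stops a forged or replayed request from redirecting a node's traffic), and encapsulates home-bound packets in a new IP header addressed to the care-of address for the Foreign Agent to unwrap. Assumptions: HMAC-SHA256 stands in for the keyed-MD5 authenticator RFC 2002 specifies, packets are dicts rather than raw bytes, and the addresses and key are constructed.

```python
import hmac
import hashlib
from typing import Dict, Optional, Tuple

# Reply codes from RFC 2002 section 3.4 used here
ACCEPTED = 0
MN_FAILED_AUTH = 131     # mobile node failed authentication
ID_MISMATCH = 133        # registration Identification mismatch (replay / stale)
IPIP = 4                 # IP-in-IP, the default Mobile IP tunnel encapsulation


def authenticator(key: bytes, home: str, coa: str, lifetime: int, ident: int) -> bytes:
    """Mobile-Home authentication extension over the request fields.
    Assumption: HMAC-SHA256 in place of RFC 2002's keyed MD5."""
    msg = ("%s|%s|%d|%d" % (home, coa, lifetime, ident)).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def registration_request(key: bytes, home: str, coa: str, lifetime: int, ident: int) -> dict:
    """What the mobile node (or the FA relaying for it) sends to the HA."""
    return {"home": home, "coa": coa, "lifetime": lifetime, "id": ident,
            "auth": authenticator(key, home, coa, lifetime, ident)}


class HomeAgent:
    def __init__(self, address: str, keys: Dict[str, bytes]):
        self.address = address
        self.keys = keys                               # security association per home address
        self.bindings: Dict[str, Tuple[str, float]] = {}   # home -> (care-of, expiry)
        self.last_id: Dict[str, int] = {}              # home -> last accepted Identification

    def register(self, req: dict, now: float) -> int:
        key = self.keys.get(req["home"])
        if key is None:
            return MN_FAILED_AUTH
        expected = authenticator(key, req["home"], req["coa"], req["lifetime"], req["id"])
        # Without this check anyone could bind a victim's home address to their own
        # care-of address: the redirection attack the specification guards against.
        if not hmac.compare_digest(req["auth"], expected):
            return MN_FAILED_AUTH
        # Identification must increase so a captured request cannot be replayed later.
        if req["id"] <= self.last_id.get(req["home"], -1):
            return ID_MISMATCH
        self.last_id[req["home"]] = req["id"]
        if req["lifetime"] == 0:                       # lifetime 0 = deregistration
            self.bindings.pop(req["home"], None)
        else:
            self.bindings[req["home"]] = (req["coa"], now + req["lifetime"])
        return ACCEPTED

    def forward(self, pkt: dict, now: float) -> dict:
        """A packet arriving on the home link for a mobile node: if a live binding
        exists, wrap it in a new IP header addressed to the care-of address."""
        binding = self.bindings.get(pkt["dst"])
        if binding is None or binding[1] <= now:
            return pkt                                 # node is home (or binding expired)
        coa, _expiry = binding
        return {"src": self.address, "dst": coa, "proto": IPIP, "inner": pkt}


def decapsulate(coa: str, outer: dict) -> Optional[dict]:
    """Foreign Agent (or a co-located care-of address) unwrapping the tunnel."""
    if outer.get("proto") != IPIP or outer["dst"] != coa:
        return None
    return outer["inner"]
```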

Resources
• CWSP Certified Wireless Security Professional, from McGraw-Hill