Virtual Private Networks


Virtual Private Networks
• What is a Virtual Private Network (VPN)?
• How do VPNs work?
• How is security achieved?
• How secure is a VPN?
• What sort of VPN is right for your application?
6/7/2021 Jeff Rupp CS 691


VPN: What is it
• VPNs provide a means to access an internal network from a remote location via the Internet
• They are called ‘Virtual’ because the data still travels through the public network, but both the data and the header can be encrypted


How do VPNs work
• VPNs consist of a gateway to the internal network and any number of remote clients
• The gateway is the machine to which the clients connect
• The gateway provides the server-side encryption/decryption and user authentication


How VPNs Work
• The most common standard in use today is IPSec, as established by the Internet Engineering Task Force (IETF)
• IPSec allows for 2 modes of operation:
  – Transport: only the packet data is encrypted; the header is in the clear
  – Tunnel: both header and data are encrypted


Security
• The first step in a VPN session is authentication, where the user and host authenticate each other via X.509 or LDAP
• The next step is to establish a key, typically using the Diffie-Hellman protocol (public/private keys)
  – Packets are encrypted with this shared secret key, as public/private key cryptography is slower than secret-key cryptography
  – The secret key may be changed many times during a single VPN session
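The following Python script is an added example, not part of the slides, and covers the two preceding slides together: the Diffie-Hellman key agreement and in-session re-keying described here, and the transport-versus-tunnel distinction from the "How VPNs Work" slide. It assumes a toy DH group (p = 2^255 - 19 is prime, but it is not one of the IKE MODP groups) and a toy HMAC-SHA256 keystream in place of 3DES; neither is a real IPsec transform, and the X.509/LDAP authentication step is assumed to have already happened. The packet addresses are constructed sample values. What the script makes visible is the practical consequence of the two modes: in transport mode an observer on the public network still reads the internal source and destination addresses, while in tunnel mode the original header is encrypted inside a new outer header that names only the two gateways.

```python
"""Added example: Diffie-Hellman session keys, re-keying, and IPsec-style
transport vs tunnel mode. Every construction here is a teaching toy."""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption for the demo): 2**255 - 19 is a real
# prime, but it is NOT an IKE MODP group and g=2 has not been vetted as a
# generator of a large prime-order subgroup for this modulus.
P = 2**255 - 19
G = 2


def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    priv = secrets.randbelow(P - 3) + 2          # 2 <= priv <= P-2
    return priv, pow(G, priv, P)


def dh_shared_key(priv, peer_pub):
    """Both peers compute the same g^(xy) mod p; hash it to a 32-byte key."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def keystream_xor(key, packet_no, data):
    """Toy stream cipher standing in for 3DES/AES: an HMAC-SHA256 counter
    keystream XORed into the data, keyed per packet number so the keystream
    never repeats under one key. Encrypt and decrypt are the same operation.
    Not a real IPsec transform."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = packet_no.to_bytes(8, "big") + offset.to_bytes(4, "big")
        block = hmac.new(key, counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


# Constructed sample packet: an internal host talking to an internal server.
INNER_HEADER = b"[src=10.0.0.5 dst=10.0.1.9] "
PAYLOAD = b"GET /payroll HTTP/1.1"
# In tunnel mode the gateways prepend their own header (constructed values).
OUTER_HEADER = b"[src=203.0.113.1 dst=198.51.100.1] "


def transport_mode(key, packet_no):
    """Transport mode: only the data is encrypted; original header in clear."""
    return INNER_HEADER + keystream_xor(key, packet_no, PAYLOAD)


def tunnel_mode(key, packet_no):
    """Tunnel mode: header and data are both encrypted behind an outer header."""
    return OUTER_HEADER + keystream_xor(key, packet_no, INNER_HEADER + PAYLOAD)


def tunnel_unwrap(key, packet_no, wire):
    """Receiving gateway strips the outer header and decrypts the rest."""
    return keystream_xor(key, packet_no, wire[len(OUTER_HEADER):])


def run_session(packets=4, rekey_after=2):
    """One VPN session in tunnel mode: a DH exchange at the start, then a
    fresh exchange every `rekey_after` packets so the secret key changes
    during the session. Returns (keys used, packets as seen on the wire)."""
    keys, wires = [], []
    key = None
    for n in range(packets):
        if n % rekey_after == 0:
            # Client and gateway each generate a key pair and exchange public
            # values; each side derives the same session key independently.
            client_priv, client_pub = dh_keypair()
            gw_priv, gw_pub = dh_keypair()
            key = dh_shared_key(client_priv, gw_pub)
            assert key == dh_shared_key(gw_priv, client_pub)
            keys.append(key)
        wire = tunnel_mode(key, n)
        assert tunnel_unwrap(key, n, wire) == INNER_HEADER + PAYLOAD
        wires.append(wire)
    return keys, wires


if __name__ == "__main__":
    keys, wires = run_session()
    print(f"{len(keys)} session keys used across {len(wires)} packets")
    print("transport mode on the wire:", transport_mode(keys[0], 0))
    print("tunnel mode on the wire:   ", wires[0])
```

Run it and compare the two wire dumps: the transport-mode line still contains the internal 10.0.0.5 and 10.0.1.9 addresses in plaintext, while the tunnel-mode line shows only the gateway addresses followed by ciphertext. The `run_session` loop also shows why re-keying mid-session matters: each rekey is a new exchange with new exponents, so a key recovered later does not decrypt packets protected by an earlier one.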


Security
• IPSec does not dictate the encryption algorithm that is used
• Most common is Triple DES
  – apply DES 3 times with unique keys each time
• Some vendors have their own proprietary algorithm
  – These vendors would be worth avoiding, since if their algorithm is ever broken, then your system may be compromised


Speed
• The limiting factor in the speed of a VPN system is the complexity of the encryption/decryption
• A software-only solution provides acceptable bandwidth for 1-2 clients
  – Speed is dependent on the platform and on other loads on the VPN gateway
• Large-scale VPNs require a hardware solution, called a VPN appliance
  – These appliances range in speed from 20 Mbit/s to 200 Mbit/s


Choosing a VPN
• All VPNs provide a software solution for the client, so the only hardware piece needs to be the gateway
• If your system will support more than 2 simultaneous clients, then a VPN appliance is the best choice
  – If you restrict the VPN gateway’s duties to VPN (not firewall, etc.), then a software server-side solution is acceptable for 1-2 simultaneous clients
