Tuesday, 27 January 2015

Virtual private networks

(see http://en.wikipedia.org/wiki/Virtual_private_network)

First watch the video at https://www.youtube.com/watch?v=4BfL0UHrzDY&spfreload=10. Afterwards please answer the following questions:

What is a VPN used for?

A Virtual Private Network (VPN) is a network technology that creates a secure network connection over a public network such as the Internet or a private network owned by a service provider. Large corporations, educational institutions, and government agencies use VPN technology to enable remote users to securely connect to a private network.

A VPN can connect multiple sites over a large distance just like a Wide Area Network (WAN). VPNs are often used to extend intranets worldwide to disseminate information and news to a wide user base. Educational institutions use VPNs to connect campuses that can be distributed across the country or around the world.

In order to gain access to the private network, a user must be authenticated with a unique identity and a password. Often a hardware or software authentication token is required in addition: the user enters a personal identification number (PIN) together with the one-time code the token currently displays. The code is what changes at a fixed interval, usually every 30 seconds or so; the PIN stays the same and proves that the person holding the token is its owner.


Which types of VPNs are used?

There are three kinds of virtual private networks (VPNs). The most common ones are remote access VPNs, historically also called virtual private dial-up networks (VPDNs). These are user-to-LAN connections used when employees of a company who are in remote locations need to connect to the company's private network. A company that wants to set up a remote-access VPN has traditionally outsourced it to an enterprise service provider (ESP). The ESP sets up a network access server (NAS) and also provides remote users with the client software they need for their computers. The users then dial the NAS (originally via a toll-free number, today over any Internet connection) and reach the private network through their VPN client software. In this model the ESP delivers encrypted, authenticated connections between the remote users and the private network as a third-party service.

The other two types of VPN are both site-to-site, meaning that multiple fixed sites are connected over a public network (like the Internet). A site-to-site VPN requires large-scale encryption and dedicated equipment (a VPN gateway at each site). An intranet-based VPN connects LAN to LAN when a company wants to join several remote sites into one private network that only its employees can reach. An extranet-based VPN connects the LANs of multiple companies (such as customers and suppliers) so that they can work in a shared environment.


How did VPNs evolve?

Many organisations today operate in complex, distributed environments that encompass multiple branch offices spread across diverse geographical locations, some of which may be subsidiaries or affiliated companies. For most of these, access to centralised IT resources is a must, and they also need to provide access to those IT resources for an expanding army of mobile workers and for external users. Remote access has become a fact of life.

To provide secure remote access to employees, and increasingly to business partners, suppliers and users, virtual private networks (VPNs) have emerged as the technology of choice. The majority of VPN deployments are one of two flavours: IPsec VPNs, which protect traffic at the IP layer and need a VPN client or gateway, and Secure Sockets Layer (SSL) VPNs, which require just a web browser for setting up a VPN connection and are an effective remote access solution for large numbers of remote and ad hoc users.


What made VPNs possible?

Two things made VPNs possible. First, public IP networks, above all the Internet, became ubiquitous and cheap, so that carrying private traffic over them became more attractive than renting dedicated leased lines between sites. Second, tunneling protocols combined with strong encryption and authentication made it possible to carry that private traffic over the shared network without the operator of the network, or anyone else on it, being able to read or alter it. A VPN therefore provides a private connection over a public network.


What are the components of a VPN? How do they work together? Explain that in more detail.


  • VPN server: A computer that accepts VPN connections from VPN clients. 
  • VPN client: A computer that initiates a VPN connection to a VPN server. A VPN client can be an individual computer or a router.
  • Tunnel: The portion of the connection in which your data is encapsulated.
  • VPN connection: The portion of the connection in which your data is encrypted. For typical secure VPN connections, the data is encrypted and encapsulated along the same portion of the connection.
  • Tunneling protocols: Protocols that are used to manage tunnels and encapsulate private data. Data that is tunneled must also be encrypted for the result to count as a VPN connection. The Windows Server 2003 family includes the PPTP and L2TP tunneling protocols.
  • Tunneled data: Data that is usually sent across a private point-to-point link.
  • Transit internetwork: The shared or public network crossed by the encapsulated data. For the Windows Server 2003 family, the transit internetwork is always an IP internetwork. The transit internetwork can be the Internet or a private IP-based intranet.

Source: https://i-msdn.sec.s-msft.com/dynimg/IC197655.gif


What is tunneling?

Virtual private network technology is based on the idea of tunneling.
VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, then transmitted between VPN client and server, and finally de-encapsulated on the receiving side. For Internet-based VPNs, packets in one of several VPN protocols are encapsulated within Internet Protocol (IP) packets. VPN protocols also support authentication and encryption to keep the tunnels secure.
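To make the encapsulation step concrete, here is an added example (not code from the page or from any VPN product) that wraps an inner IPv4 packet inside an outer IPv4 packet using the "IP in IP" carrier protocol (protocol number 4), and then unwraps it again on the receiving side. The addresses and payload are constructed for the example; a real VPN would additionally encrypt and authenticate the inner packet, which this block deliberately leaves out so that only the encapsulation is visible. The decapsulation side includes the check a real endpoint must make: the inner destination must belong to the private network the tunnel serves, otherwise a peer could use the tunnel to inject packets towards arbitrary destinations.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4   # "IP in IP" encapsulation (carrier protocol for the tunnel)
IPPROTO_UDP = 17

_HDR = "!BBHHHBBH4s4s"   # minimal 20-byte IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build an IPv4 packet: 20-byte header (checksum filled in) followed by payload."""
    hdr = struct.pack(_HDR, 0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    chk = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", chk) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse and verify a packet built by build_ipv4; returns header fields and payload."""
    if len(pkt) < 20:
        raise ValueError("truncated packet")
    ver_ihl, _tos, total_len, _id, _flags, ttl, proto, _chk, src, dst = struct.unpack(_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(pkt):
        raise ValueError("not a well-formed IPv4 packet")
    if ipv4_checksum(pkt[:ihl]) != 0:       # a header with a valid checksum sums to zero
        raise ValueError("bad header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry: the whole inner packet becomes the payload of an outer packet
    addressed from this VPN endpoint to the peer endpoint."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes, private_prefix: str) -> dict:
    """Tunnel exit: strip the outer header and return the parsed inner packet,
    refusing inner packets whose destination is outside the private network."""
    o = parse_ipv4(outer)
    if o["proto"] != IPPROTO_IPIP:
        raise ValueError("outer packet is not an IP-in-IP tunnel packet")
    inner = parse_ipv4(o["payload"])
    if ipaddress.ip_address(inner["dst"]) not in ipaddress.ip_network(private_prefix):
        raise ValueError("inner destination %s is outside the private network" % inner["dst"])
    return inner


if __name__ == "__main__":
    # Constructed example: host 10.0.1.5 at site A sends UDP data to 10.0.2.9 at site B.
    inner_pkt = build_ipv4("10.0.1.5", "10.0.2.9", IPPROTO_UDP, b"hello")
    # The site-A gateway (public 203.0.113.10) tunnels it to the site-B gateway (198.51.100.1).
    outer_pkt = encapsulate(inner_pkt, "203.0.113.10", "198.51.100.1")
    print(len(inner_pkt), len(outer_pkt), decapsulate(outer_pkt, "10.0.0.0/8"))
```

Run as a script it prints the inner and outer lengths (the 20-byte overhead of the outer header) and the recovered inner packet. Intermediate routers on the transit internetwork only ever see the outer addresses 203.0.113.10 and 198.51.100.1.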


Which algorithms are used for encrypting the packets?


The concrete algorithms depend on the VPN software. The following describes how tinc, an open-source VPN daemon, handles it; IPsec and OpenVPN use their own packet framing, but follow the same pattern of a symmetric cipher for confidentiality plus a message authentication code for integrity, with the keys negotiated over a separate authenticated control channel.

In tinc, a data packet can only be sent if the encryption key is known to both parties and the connection is activated. If the encryption key is not known, a request is sent to the destination over the meta connection (tinc's TCP control channel) to retrieve it.

The entire VPN packet is then encrypted using a symmetric cipher, including a 32-bit sequence number that is added in front of the actual VPN packet to act as a unique IV for each packet and to prevent replay attacks. A message authentication code is added to the UDP packet to prevent alteration of packets. Tinc by default encrypts network packets using Blowfish with 128-bit keys in CBC mode and uses 4-byte message authentication codes, so that eavesdroppers can neither read nor change any information in the packets they intercept. The encryption algorithm and message authentication algorithm can be changed in the configuration, and the length of the message authentication codes is also adjustable; the key length for the encryption algorithm is always the default length used by OpenSSL. Two caveats for anyone deploying it: Blowfish has a 64-bit block size, which limits how much data may safely be sent under one key, and a 4-byte MAC leaves only 2^32 possible tags, so a modern deployment should configure AES and a longer MAC (for example 16 bytes) rather than keep these legacy defaults.
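The packet protection described above, as an added example that is not tinc's code or any other project's: a 32-bit sequence number is prepended to the inner packet, the packet is encrypted under a symmetric key with the sequence number as the per-packet nonce, and a message authentication code is appended. The receiver verifies the MAC first, then enforces an anti-replay window, then decrypts. Assumptions to note: the block uses only the Python standard library, so the "cipher" is a counter-mode keystream derived from HMAC-SHA256 standing in for a real block cipher, the sequence number is sent in the clear (as IPsec ESP does) rather than encrypted as tinc describes, the keys are constructed constants, and the MAC is a 16-byte truncated HMAC-SHA256 rather than tinc's 4-byte default.

```python
import hashlib
import hmac
import struct

MAC_LEN = 16          # 16-byte tag; tinc's legacy 4-byte default is far too short
SEQ_LEN = 4           # 32-bit sequence number, as in the description above
REPLAY_WINDOW = 64    # how far behind the highest seen sequence number we still accept


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """Counter-mode keystream with HMAC-SHA256 as the PRF (stand-in for a block cipher).
    Every (seq, block-index) pair is used once per key, so the keystream never repeats
    as long as the sequence number is never reused under the same key."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("!IQ", seq, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class TunnelSender:
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key, self.seq = enc_key, mac_key, 0

    def seal(self, inner_packet: bytes) -> bytes:
        """seq || E(inner) || MAC(seq || E(inner))  (encrypt-then-MAC)."""
        self.seq += 1
        if self.seq >= 2 ** 32:               # never wrap: a repeated seq reuses keystream
            raise RuntimeError("sequence space exhausted, rekey required")
        body = struct.pack("!I", self.seq) + _xor(inner_packet, _keystream(self.enc_key, self.seq, len(inner_packet)))
        tag = hmac.new(self.mac_key, body, hashlib.sha256).digest()[:MAC_LEN]
        return body + tag


class TunnelReceiver:
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.highest = 0          # highest authenticated sequence number seen so far
        self.seen = set()         # accepted sequence numbers inside the window

    def open(self, datagram: bytes) -> bytes:
        if len(datagram) < SEQ_LEN + MAC_LEN:
            raise ValueError("datagram too short")
        body, tag = datagram[:-MAC_LEN], datagram[-MAC_LEN:]
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()[:MAC_LEN]
        # MAC check comes first: an unauthenticated packet must not touch the replay state.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad MAC, packet altered or forged")
        seq = struct.unpack("!I", body[:SEQ_LEN])[0]
        if seq > self.highest:
            self.highest = seq
        elif seq <= self.highest - REPLAY_WINDOW or seq in self.seen:
            raise ValueError("replayed or stale packet %d" % seq)
        self.seen.add(seq)
        self.seen = {s for s in self.seen if s > self.highest - REPLAY_WINDOW}
        ct = body[SEQ_LEN:]
        return _xor(ct, _keystream(self.enc_key, seq, len(ct)))


def demo() -> dict:
    """Exercise the normal path, reordering, replay and tampering; returns the outcomes."""
    enc_key, mac_key = b"\x01" * 32, b"\x02" * 32     # constructed keys for the example only
    tx, rx = TunnelSender(enc_key, mac_key), TunnelReceiver(enc_key, mac_key)
    p1, p2, p3 = tx.seal(b"packet one"), tx.seal(b"packet two"), tx.seal(b"packet three")
    results = {"first": rx.open(p1), "reordered_ok": rx.open(p3) == b"packet three"}
    results["late_but_in_window"] = rx.open(p2) == b"packet two"
    for name, bad in (("replay", p1), ("tamper", p1[:6] + bytes([p1[6] ^ 1]) + p1[7:])):
        try:
            rx.open(bad)
            results[name + "_rejected"] = False
        except ValueError:
            results[name + "_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The order of the receive-side checks is the point to remember: authenticate, then check the replay window, then decrypt. Checking the sequence number before the MAC would let an attacker advance the window with forged packets and so drop legitimate ones.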




Which VPN protocols are used very often in industry?


  • OpenVPN (SSL/TLS-based, open source)
  • PPTP (legacy; its MS-CHAPv2 authentication is broken and it should no longer be used)
  • Chameleon (a proprietary OpenVPN variant from the VPN provider VyprVPN that obscures packet metadata)
  • L2TP/IPsec
  • SSL/TLS-based VPN gateways that need only a browser on the client side
  • MPLS VPNs, with constrained distribution of routing information through BGP (traffic separation by the carrier, without encryption)


What is a split tunnel?

Split tunneling is a computer networking concept which allows a VPN user to access a public network (e.g., the Internet) and a local LAN or WAN at the same time, using the same physical network connection. This connection service is usually facilitated through a program such as a VPN client software application.
For example, suppose a user utilizes a remote access VPN software client connecting to a corporate network using a hotel wireless network. The user with split tunneling enabled is able to connect to file servers, database servers, mail servers and other servers on the corporate network through the VPN connection. When the user connects to Internet resources (Web sites, FTP sites, etc.), the connection request goes directly out the gateway provided by the hotel network. The trade-off is that the client is reachable from both networks at once, so a compromised client can act as a bridge from the untrusted hotel network into the corporate network; many organisations therefore disable split tunneling and force all traffic through the tunnel, accepting the extra load on the VPN gateway.
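The routing decision behind split versus full tunneling, as an added example (not from the page or from any VPN client): a host's routing table is a list of prefixes with a next hop, and the most specific matching prefix wins. With split tunneling only the corporate prefix points at the tunnel interface; with a full tunnel the client installs two /1 routes over the tunnel (this is what OpenVPN's `redirect-gateway def1` does) so that they beat the hotel's default route without deleting it, plus a host route to the VPN server's public address so the encrypted packets themselves still leave through the hotel gateway. The addresses and interface names are constructed for the example.

```python
import ipaddress

HOTEL_GW = "hotel-wifi"            # the default gateway handed out by the hotel network
TUN = "tun0"                       # the VPN tunnel interface
VPN_SERVER = "198.51.100.1"        # public address of the corporate VPN gateway (constructed)
CORP_NET = "10.0.0.0/8"            # the corporate private network (constructed)


def longest_prefix_match(routes, dst: str):
    """routes: list of (prefix, next_hop). Returns the next hop of the most specific
    matching prefix, or None if nothing matches (no default route)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def split_tunnel_routes():
    """Only corporate destinations use the tunnel; everything else goes out directly."""
    return [("0.0.0.0/0", HOTEL_GW), (CORP_NET, TUN)]


def full_tunnel_routes():
    """All traffic goes through the tunnel except the tunnel's own outer packets."""
    return [("0.0.0.0/0", HOTEL_GW),        # hotel default route stays in place
            ("0.0.0.0/1", TUN),             # these two /1 routes together cover all of
            ("128.0.0.0/1", TUN),           # IPv4 and are more specific than /0
            (VPN_SERVER + "/32", HOTEL_GW), # encrypted packets to the VPN server must not loop into tun0
            (CORP_NET, TUN)]


def classify(routes, destinations):
    """Map each destination to the interface or gateway its packets would use."""
    return {d: longest_prefix_match(routes, d) for d in destinations}


def leaks_to_local_network(routes) -> bool:
    """True if an ordinary Internet destination bypasses the tunnel, i.e. split tunneling is in effect."""
    return longest_prefix_match(routes, "93.184.216.34") != TUN


if __name__ == "__main__":
    targets = ["10.1.2.3", "93.184.216.34", VPN_SERVER]
    print("split:", classify(split_tunnel_routes(), targets))
    print("full: ", classify(full_tunnel_routes(), targets))
```

Note that even in the full-tunnel table the VPN server's own address must stay routed via the hotel gateway; without that host route the client's encrypted packets would be sent into the tunnel they are supposed to carry, and the connection would never come up.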


Explain in short how OpenVPN and IPSec work and which components do they consist of?


OpenVPN:
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).

OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. In a multi-client server configuration each client is issued its own certificate signed by a certificate authority (CA), and the server verifies that signature against the CA before accepting the client. It uses the OpenSSL encryption library extensively, together with the TLS protocol (older versions also accepted SSLv3, which is now known to be insecure and should be disabled), and contains many security and control features.

OpenVPN has been ported and embedded to several systems. For example, DD-WRT has the OpenVPN server function. SoftEther VPN, a multi-protocol VPN server, has an implementation of OpenVPN protocol.



IPSec:
IPsec is an Internet Engineering Task Force (IETF) standard suite of protocols that provides data authentication, integrity, and confidentiality as data is transferred between communication points across IP networks. IPsec provides data security at the IP packet level. A packet is a data bundle that is organized for transmission across a network, and it includes a header and payload (the data in the packet). The suite consists of the Authentication Header (AH), which authenticates packets without encrypting them, the Encapsulating Security Payload (ESP), which encrypts and authenticates them, and the Internet Key Exchange (IKE), which authenticates the peers and negotiates the keys and algorithms (the security association) that AH and ESP then use. AH and ESP can run in transport mode, protecting only the payload between two hosts, or in tunnel mode, wrapping the whole original IP packet in a new one, which is what site-to-site VPN gateways use. IPsec emerged as a viable network security standard because enterprises wanted to ensure that data could be securely transmitted over the Internet; it does so by protecting the data while in transit.


Sources:
http://whatismyipaddress.com/vpn
http://computer.howstuffworks.com/three-types-of-vpn.htm
http://technet.microsoft.com/en-us/library/cc786563%28v=ws.10%29.aspx
http://compnetworking.about.com/od/vpn/a/vpn_tunneling.htm
http://www.tinc-vpn.org/documentation-1.1/Encryption-of-network-packets.html
http://documentation.netgear.com/reference/enu/vpn/VPNBasics-3-02.html
