Module 6 - VPNs

Intro to VPN

  • remote users
  • site-to-site connectivity
  • secure,

VPN Protocols

  • The part of the connection in which data is encapsulated is referred to as the tunnel.
  1. PPTP (Point-to-Point Tunneling Protocol)
    • enables PPP frames to be encapsulated within IP packets (carried over GRE).
    • older than L2TP and IPsec.
    • consumes fewer resources.
    • designed as a secure extension of PPP, but its protection (MPPE keyed from the MS-CHAPv2 exchange) is cryptographically broken, so it is obsolete for anything sensitive.
    • operates at L2 of the OSI model, so different network protocols can run over a PPTP tunnel.
    • supports two separate technologies for authentication: EAP (Extensible Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol).
  • EAP
    • designed as an extension of PPP's authentication phase; PPTP inherits it because it carries PPP.
    • provides a framework for different authentication methods.
    • includes passwords, challenge-response tokens and PKI certificates.
  • CHAP
    • a three-way handshake.
    • once the link is established, the server sends a challenge to the client; the client responds with a value computed by a one-way hash (MD5 over the identifier, the shared secret and the challenge, per RFC 1994); the server checks the response against its own computation.
    • it repeats this process periodically (re-authentication), which limits how long a hijacked link stays usable. Caveats: the authenticator must keep the shared secret in clear text, and a captured challenge/response pair can be attacked offline with a dictionary, so the secret must be strong.
  2. L2TP (Layer 2 Tunneling Protocol), often combined with IPsec (L2TP/IPsec) to achieve a high level of security.
    • an enhancement of PPTP: an improved version that merges PPTP with Cisco's L2F.
    • operates at L2 (data link layer), like PPTP.
    • provides no encryption of its own, so by itself it is less secure than IPsec; in L2TP/IPsec, IPsec supplies confidentiality and integrity.
    • supports both EAP and CHAP, and more: MS-CHAP, PAP, SPAP. Kerberos is listed in these notes as well, although it is a network authentication service rather than a PPP authentication method.
  • MS-CHAP

    • Microsoft-specific extension to CHAP (v1 and v2).
    • mostly consistent with CHAP, with some basic differences:
      • the response packet is in a format compatible with Microsoft networking.
      • does not require the authenticator to store a clear-text password (it stores the NT hash instead).
      • provides authenticator-controlled authentication retry.
      • defines a set of reason-for-failure codes (in the failure packet's message field).
    • both versions are weak: a captured MS-CHAPv2 exchange reduces to brute-forcing a single DES key, so it should only be used inside a TLS-protected channel (e.g. PEAP), if at all.
  • PAP

    • Password Authentication Protocol, the most basic form of authentication.
    • transmits username and password in clear text, unencrypted.
    • comparable to HTTP Basic authentication, which also sends credentials in the clear (HTTP does not itself use PAP).
    • should no longer be used.
  • SPAP

    • Shiva Password Authentication Protocol, proprietary.
    • a bit more secure than PAP: username/password are encrypted when sent.
    • susceptible to replay attacks, because SPAP always uses the same reversible encryption method.
  • Kerberos

    • works by sending messages back and forth between the client and server.
    • the actual password is never sent (not even hashed).
    • the username is sent.
    • the server looks up the stored hash of the password and uses it as an encryption key to encrypt data sent back to the client.
    • the client then derives the key from the password the user entered and uses it to decrypt.
    • if the entered password is wrong, the data will never decrypt.
    • authentication happens with the KDC on port 88 (UDP, with TCP for large messages).

    • After the user's username is sent to the AS (Authentication Service), the AS sends the following two messages to the client. Message A is encrypted with the client's secret key (the stored hash of the user's password); Message B is encrypted with the TGS's secret key:

      1. Message A: the client/TGS (Ticket Granting Service) session key, encrypted with the secret key of the client.
      2. Message B: the TGT (Ticket Granting Ticket), which includes the client ID, client network address, validity period and the client/TGS session key, encrypted with the secret key of the TGS.
    • the client attempts to decrypt Message A with the secret key derived from the hash of the password the user entered.

    • if decryption works, Message A's client/TGS session key can be used for communication with the TGS. Message B is encrypted with the TGS secret key and cannot be decrypted by the client; the client only forwards it.

    • the user is now authenticated to the system, but when the user requests a service, more messages are required. When requesting a service, the client sends two messages to the TGS:
      3. Message C: composed of the TGT from Message B and the ID of the requested service.
      4. Message D: Authenticator (client ID and timestamp), encrypted using the client/TGS session key.

    • the TGS retrieves Message B from Message C and decrypts it using the TGS secret key, which yields the client/TGS session key. Using this key the TGS decrypts Message D, checks that its client ID matches the TGT and that the timestamp is fresh, and sends the following to the client:
      5. Message E: client-to-server ticket (includes client ID, client network address, validity period and the client/server session key), encrypted using the service's secret key.
      6. Message F: the client/server session key, encrypted with the client/TGS session key.

    • on receiving E and F from the TGS, the client has enough information to authenticate itself to the service server (SS). The client connects to the SS and sends two messages:
      7. Message E: from the step above, encrypted with the server's secret key.
      8. Message G: a new authenticator, which includes the client ID and timestamp, encrypted using the client/server session key.

    • the SS decrypts the ticket (E) using its own key and retrieves the client/server session key. Using that session key the SS decrypts the Authenticator and sends the following message to the client to confirm its identity and willingness to serve the client:
      9. Message H: the timestamp found in the client's Authenticator, encrypted using the client/server session key.

    • the client decrypts the confirmation (H) using the session key and checks whether the timestamp is correct. If yes, it trusts the server and starts issuing service requests; the server provides the requested service.

  • Kerberos terms:

    • Principal: a named identity (user or service) for which the KDC holds a long-term key, e.g. user@REALM or service/host@REALM.

    • Authentication Service (AS): the KDC component that handles the initial login and issues the TGT (Messages A and B).

    • Ticket Granting Service (TGS): the KDC component that issues service tickets (Messages E and F) in exchange for a TGT.

    • Key Distribution Centre (KDC): the server that hosts the AS and TGS and the database of principal keys.

    • Realm: a boundary within an org; each realm has its own AS and TGS.

    • Remote TGS: the TGS of another realm, reached through a cross-realm trust.

    • Ticket Granting Ticket (TGT): the ticket (Message B), encrypted with the TGS key, that the client presents to obtain service tickets.

    • Ticket: a record (client ID, network address, validity period, session key) encrypted under the receiving service's long-term key, so the client cannot read or alter it.

    • Session Key: a short-lived key shared between two parties (client/TGS or client/server), carried inside a ticket and delivered to the client encrypted under a key the client already has.

    • Authenticator: the client ID and a timestamp encrypted with the session key, proving that the client holds that key and that the message is fresh.

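The CHAP exchange described above, as an added example that is not part of the original notes: the RFC 1994 response computation, an authenticator that issues fresh challenges and re-authenticates periodically, and the two caveats a practitioner should keep in mind, namely that a sniffed response cannot be replayed against a new challenge but the sniffed pair can be attacked offline. The peer name, secret and wordlist are constructed for the example.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side. CHAP forces the authenticator to hold the shared secret in
    clear text, because it has to recompute the hash itself."""

    def __init__(self, secrets):
        self._secrets = secrets      # peer name -> shared secret (constructed for the example)
        self._pending = {}           # peer name -> (identifier, challenge) awaiting a response
        self._identifier = 0

    def challenge(self, name):
        """Issue a fresh random challenge; the same call is used for periodic re-authentication."""
        self._identifier = (self._identifier + 1) & 0xFF
        chal = os.urandom(16)
        self._pending[name] = (self._identifier, chal)
        return self._identifier, chal

    def verify(self, name, identifier, response):
        """Accept only a response to the outstanding challenge for this peer (one use per challenge)."""
        pending = self._pending.pop(name, None)
        if pending is None or pending[0] != identifier:
            return False
        expected = chap_response(identifier, self._secrets[name], pending[1])
        return hmac.compare_digest(expected, response)


def run_session(auth, name, secret, rounds=3):
    """Client/authenticator exchange: initial authentication plus periodic re-challenges.
    Returns (success, transcript); the transcript is what a sniffer on the link would see."""
    transcript = []
    for _ in range(rounds):
        identifier, chal = auth.challenge(name)
        response = chap_response(identifier, secret, chal)
        transcript.append((identifier, chal, response))
        if not auth.verify(name, identifier, response):
            return False, transcript
    return True, transcript


def replay_captured_response(auth, name, captured):
    """An attacker replays a sniffed response against a new challenge; it must fail."""
    _identifier, _chal, response = captured
    new_identifier, _new_chal = auth.challenge(name)
    return auth.verify(name, new_identifier, response)


def offline_dictionary_attack(captured, wordlist):
    """Challenge and response travel in the clear, so the secret can be guessed offline."""
    identifier, chal, response = captured
    for candidate in wordlist:
        if chap_response(identifier, candidate, chal) == response:
            return candidate
    return None
```

The replay fails because the server only accepts a response to the challenge it last issued, not because the response is secret; the dictionary attack succeeds precisely because the response is not secret. MS-CHAP and EAP change the hash and framing but inherit the same offline-guessing exposure unless the exchange is wrapped in a protected channel.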
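The eight-message Kerberos flow (A through H) above, as an added worked example that is not part of the original notes: one KDC object plays the AS and TGS, a service server handles the AP exchange, and the client function returns True only when every message verifies, including the server's confirmation H. The authenticated cipher, the SHA-256 string-to-key, the JSON message encoding and the principal names (alice, krbtgt, host/fileserver) are assumptions chosen so the example runs offline; real Kerberos uses AES encryption types with a salted string-to-key and ASN.1 messages.

```python
import hashlib
import hmac
import json
import os
import time

LIFETIME = 300  # ticket / authenticator validity window in seconds (assumption)


# Toy authenticated cipher (HMAC-SHA256 keystream, encrypt-then-MAC) so the example
# runs offline; it stands in for the Kerberos encryption types.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, obj):
    """JSON-serialize obj and encrypt it under key; output = nonce || ciphertext || tag."""
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    """Check the tag first; a wrong key (e.g. a mistyped password) raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def string_to_key(password):
    """Toy string-to-key; the KDC stores only this, never the password itself."""
    return hashlib.sha256(password.encode()).digest()


class KDC:
    """Authentication Service (AS) and Ticket Granting Service (TGS) of one realm."""

    def __init__(self, principal_keys):
        self.keys = principal_keys               # principal name -> long-term key
        self.tgs_key = principal_keys["krbtgt"]  # the TGS's own secret key

    def as_exchange(self, client_id, client_addr):
        """AS-REQ carries only the client name; the reply is Message A and Message B."""
        session_key, now = os.urandom(32), int(time.time())
        msg_a = encrypt(self.keys[client_id], {"session_key": session_key.hex()})
        msg_b = encrypt(self.tgs_key, {"client": client_id, "addr": client_addr,   # the TGT
                                       "valid_until": now + LIFETIME,
                                       "session_key": session_key.hex()})
        return msg_a, msg_b

    def tgs_exchange(self, msg_c, msg_d):
        """Messages C (TGT + service ID) and D (authenticator) in; E and F out."""
        tgt = decrypt(self.tgs_key, msg_c["tgt"])
        session_key = bytes.fromhex(tgt["session_key"])
        auth, now = decrypt(session_key, msg_d), int(time.time())
        if (auth["client"] != tgt["client"] or now > tgt["valid_until"]
                or abs(now - auth["timestamp"]) > LIFETIME):
            raise ValueError("TGT or authenticator rejected")
        svc_session = os.urandom(32)
        msg_e = encrypt(self.keys[msg_c["service"]], {"client": tgt["client"], "addr": tgt["addr"],
                        "valid_until": now + LIFETIME, "session_key": svc_session.hex()})
        msg_f = encrypt(session_key, {"session_key": svc_session.hex()})
        return msg_e, msg_f


class ServiceServer:
    def __init__(self, key):
        self.key = key                           # the service's long-term key

    def ap_exchange(self, msg_e, msg_g):
        """Decrypt the ticket with our own key, check the authenticator, answer with Message H."""
        ticket = decrypt(self.key, msg_e)
        svc_session = bytes.fromhex(ticket["session_key"])
        auth = decrypt(svc_session, msg_g)
        if auth["client"] != ticket["client"] or abs(int(time.time()) - auth["timestamp"]) > LIFETIME:
            raise ValueError("authenticator rejected")
        return encrypt(svc_session, {"timestamp": auth["timestamp"]})


def kerberos_login(kdc, service, client_id, password, service_id, client_addr="10.0.0.5"):
    """Client side of all three exchanges; True only if every step verifies, including H."""
    client_key = string_to_key(password)
    msg_a, msg_b = kdc.as_exchange(client_id, client_addr)
    try:
        tgs_session = bytes.fromhex(decrypt(client_key, msg_a)["session_key"])
    except ValueError:
        return False                             # wrong password: Message A never decrypts
    ts = int(time.time())
    msg_d = encrypt(tgs_session, {"client": client_id, "timestamp": ts})
    msg_e, msg_f = kdc.tgs_exchange({"tgt": msg_b, "service": service_id}, msg_d)
    svc_session = bytes.fromhex(decrypt(tgs_session, msg_f)["session_key"])
    msg_g = encrypt(svc_session, {"client": client_id, "timestamp": ts})
    msg_h = decrypt(svc_session, service.ap_exchange(msg_e, msg_g))
    return msg_h["timestamp"] == ts             # server proved it knows the ticket's session key


def build_realm(alice_password):
    """Constructed realm: one user, the krbtgt principal and one service (all hypothetical)."""
    keys = {"alice": string_to_key(alice_password), "krbtgt": os.urandom(32),
            "host/fileserver": os.urandom(32)}
    return KDC(keys), ServiceServer(keys["host/fileserver"])
```

Note what never crosses the wire: the password, its hash, and the TGS and service long-term keys. The only thing the client ever has to prove is that it could decrypt Message A, and the only thing the service has to prove is that it could open the ticket, which is why a stolen TGT is as good as a password until it expires.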
IPSec - Internet Protocol Security.

  • used for VPNs (both site-to-site and remote access).
  • a set of protocols that supports the secure exchange of packets at the IP layer.
  • two modes: Transport (protects the payload; the original IP header stays in the clear and is used for routing) and Tunnel (the whole original packet, header and data, is encapsulated inside a new IP header and protected).
  • both the sending and receiving devices must share keys; each direction is a separate Security Association (SA) with its own key, normally negotiated by IKE rather than configured manually.
  • Two protocols -
    • AH (Authentication Header): integrity and origin authentication for the payload and the immutable fields of the IP header; no confidentiality. Because the addresses are covered by the integrity check, AH cannot pass through NAT.
    • ESP (Encapsulating Security Payload): can be used with confidentiality only, authentication only, or both (in practice always with authentication; encryption without integrity is unsafe).
    • both can be applied to a single packet.
    • other protocols: IKE (Internet Key Exchange), which negotiates the SAs and session keys.
    • ISAKMP provides the framework for authentication and key exchange that IKE builds on.
    • DH (Diffie-Hellman) public values are exchanged so that both endpoints derive the same shared secret, from which the session keys are derived. DH does not itself encrypt the data.
    • Quick mode: IKEv1 phase 2; negotiates the IPsec SAs under the protection of the phase 1 SA.
    • Aggressive mode: IKEv1 phase 1 in three messages instead of main mode's six; the identity and the PSK-based hash are sent before an encrypted channel exists, so a captured aggressive-mode exchange can be brute-forced offline. Prefer main mode or IKEv2.
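The AH integrity check and the transport/tunnel distinction above, as an added example that is not part of the original notes. It builds an IPv4 packet with an AH header in transport mode (and the same thing in tunnel mode by wrapping an inner packet), computes the HMAC-SHA1-96 ICV over the immutable IP header fields, the AH header and the payload as RFC 4302 specifies, then shows why a router decrementing TTL is fine while a NAT rewriting the source address breaks verification. Addresses, SPI and key are constructed; the cipher suite is HMAC-SHA1-96, the mandatory AH algorithm.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51      # IP protocol number for AH
IPIP_PROTO = 4     # IP-in-IP: the inner packet in tunnel mode
ICV_LEN = 12       # HMAC-SHA1-96 truncation (RFC 2404)
AH_LEN = 12 + ICV_LEN  # fixed AH fields + ICV


def _checksum(data):
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def _addr(dotted):
    return bytes(map(int, dotted.split(".")))


def ipv4_header(src, dst, total_len, proto, ttl=64, tos=0, ident=0x1234, flags_frag=0x4000):
    """Build a 20-byte IPv4 header with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, flags_frag,
                      ttl, proto, 0, _addr(src), _addr(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def _zero_mutable(ip_hdr):
    """Zero the fields a router may legitimately change (RFC 4302 3.3.3.1.1):
    TOS, flags/fragment offset, TTL, header checksum. Addresses stay."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key, ip_hdr, ah_no_icv, payload):
    """ICV over: sanitized IP header || AH header with ICV zeroed || payload."""
    data = _zero_mutable(ip_hdr) + ah_no_icv + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_transport_packet(key, src, dst, inner_proto, payload, spi, seq, ttl=64):
    """Transport mode: IP | AH | original upper-layer payload."""
    ip_hdr = ipv4_header(src, dst, 20 + AH_LEN + len(payload), AH_PROTO, ttl=ttl)
    # Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Sequence Number
    ah_no_icv = struct.pack("!BBHII", inner_proto, AH_LEN // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_no_icv + ah_icv(key, ip_hdr, ah_no_icv, payload) + payload


def ah_tunnel_packet(key, outer_src, outer_dst, inner_packet, spi, seq):
    """Tunnel mode: new outer IP | AH | complete original packet (its header is now payload)."""
    return ah_transport_packet(key, outer_src, outer_dst, IPIP_PROTO, inner_packet, spi, seq)


def ah_verify(key, packet):
    """Receiver side: recompute the ICV and compare in constant time."""
    ip_hdr = packet[:20]
    if ip_hdr[9] != AH_PROTO:
        return False
    ah_no_icv, icv, payload = packet[20:32], packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_no_icv, payload))


def rewrite_ipv4(packet, src=None, ttl=None):
    """Simulate a hop: a NAT rewrites the source address, a router decrements TTL; both fix the checksum."""
    h = bytearray(packet[:20])
    if src is not None:
        h[12:16] = _addr(src)
    if ttl is not None:
        h[8] = ttl
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", _checksum(bytes(h)))
    return bytes(h) + packet[20:]
```

In tunnel mode the inner packet's source and destination are inside the authenticated payload, so a NAT on the outer header still breaks AH; only ESP, whose integrity check starts after the outer IP header, can be carried through NAT (with UDP encapsulation).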

SSL/TLS - Secure Sockets Layers/ Transport Layer Security

  • VPN through a web portal (clientless, browser-based SSL VPN).
  • The SSL/TLS handshake process is needed to establish the secure/encrypted connection: 1.

VPN Solutions

  • Cisco Solutions

    • use 3DES encryption, but AES is preferred and recommended (3DES is deprecated).
    • can handle packets larger than 500 bytes.
    • can create up to 60 new virtual tunnels/sec.
  • Openswan

    • open source, free, runs on Linux, uses IPsec.
    • remote user or site-to-site; supports wireless.
    • NAT: AH cannot cross a NAT in any implementation; ESP through NAT needs NAT traversal (NAT-T, ESP in UDP port 4500), which Openswan does support when enabled.