Virtual Private Network
Shared by Nguyễn Việt Vương | Date: 29/04/2019
Main Functions of a VPN
Privacy (confidentiality): the payload is encrypted, so an eavesdropper cannot read it.
Authentication: the receiver can confirm which peer sent the packet.
Data integrity: any change to the packet in transit is detected.
Anti-replay: a captured packet cannot be re-sent and accepted a second time.
VPN tunnel concept for a site-to-site intranet VPN
Mechanism of a site-to-site intranet VPN
PC1 (IP address 10.2.2.2) sends a packet to the web server (IP address 10.1.1.1).
The router in the branch office encrypts the packet, adds a VPN header, and adds a new IP header carrying the public IP addresses of the two tunnel endpoints. It then forwards the packet.
A man in the middle can copy the packet, but cannot read its content or alter it without the change being detected.
Remaining steps of the site-to-site intranet VPN
The device in the main office (an ASA) receives the packet, confirms that the sender is authentic, confirms that the packet has not been changed, and then decrypts the original packet.
The web server receives the unencrypted packet.
Types of VPN
Intranet VPN: connects sites of the same organization (for example, a branch office to headquarters).
Extranet VPN: connects an organization to partners, suppliers or customers, usually with tighter access rules.
Access VPN: connects individual remote users to the corporate network.
Tunnel Protocols
Layer 2 Forwarding (L2F) is an early Cisco proprietary protocol. It was first used for virtual private dial-up networks (VPDN). L2F was replaced by L2TP.
Point-to-Point Tunneling Protocol (PPTP) was created by Microsoft to carry data from remote networks to the corporate network. Its authentication (MS-CHAPv2) and encryption (MPPE) have since been broken, so PPTP should no longer be considered secure.
Layer 2 Tunneling Protocol (L2TP) was created by Cisco and Microsoft to replace L2F and PPTP. It merged the capabilities of both into one tunneling protocol. L2TP itself provides no encryption; it is normally run over IPsec (L2TP/IPsec).
Generic Routing Encapsulation (GRE) was developed by Cisco and later standardized (RFC 2784). It forms virtual point-to-point links, allowing a variety of protocols to be encapsulated in IP tunnels. GRE provides no confidentiality or integrity on its own; GRE over IPsec is used when those are needed.
Which components are needed to build a VPN network?
Router: the main function of a router is packet forwarding, but it can also provide VPN functions. A router can take a hardware add-on card that performs encryption faster than software.
ASA: a Cisco security appliance that can be configured for many security functions, including VPN.
PIX: an older Cisco firewall that can perform VPN functions; new installations today would use an ASA instead.
VPN concentrator: an older Cisco product line built specifically to terminate VPN tunnels; new installations today would use an ASA instead.
VPN client: for an access VPN, users need VPN client software.
IPsec VPNs
IPsec is an architecture, or framework, of security services for IP networks.
IPsec functions: authentication, encryption, and the rules governing each of those functions.
IPsec allows several protocol options for each VPN feature; the cipher, the integrity algorithm and the key-exchange group are negotiated rather than fixed.
The framework can be extended over time with new algorithms to improve security without changing the protocol itself.
IPsec Encryption
IPsec uses symmetric encryption: a cipher that hides (encrypts) the data, and its inverse that re-creates (decrypts) the original data from the ciphertext.
Both operations use the same secret key, so the two peers must hold an identical key before any encrypted traffic can be exchanged.
The ciphers that can be used include:
DES (Data Encryption Standard): the oldest option, with a 56-bit key; it can be brute-forced and should not be used.
3DES: applies DES three times with three 56-bit keys, which is stronger than DES but slow and now deprecated.
AES (Advanced Encryption Standard): the strongest of the three and also needs less computation than 3DES; it is the cipher to use.
Mechanism of IPsec encryption
The sending VPN device feeds the original packet and the session key into the cipher, producing the encrypted data.
The sending device encapsulates the encrypted data into a new packet, which includes a new IP header and a VPN header.
The sending device sends this new packet to the destination device.
The destination device receives the packet and runs the corresponding decryption operation on the encrypted data with the same session key, recovering the original packet.
IPsec Key Exchange
Why do we need keys for encryption and authentication? Both depend on a secret that only the two peers hold, so getting the same secret onto both devices without exposing it is the key-exchange problem.
There are two ways to establish keys:
Pre-shared key.
Dynamic key exchange.
Pre-shared key
Configured manually on both devices.
Easy to configure, but the key stays constant for the whole time the devices operate.
Weak security: anyone who obtains the key can read every packet it ever protected, past and future, and a key typed by hand tends to be short and reused. (In IKE a pre-shared key is normally used only to authenticate the peers; the traffic keys still come from the dynamic exchange below.)
Dynamic key exchange
Changes the encryption key frequently.
Lets the devices generate and exchange keys securely over the untrusted network.
Prevents anyone who can see the exchanged messages from deriving the key value.
Limits the amount of data exposed if any single key is compromised.
The algorithm is Diffie-Hellman (DH). Three groups are commonly offered:
DH group 1: 768-bit modulus
DH group 2: 1024-bit modulus
DH group 5: 1536-bit modulus
Groups 1 and 2 are now considered too weak; current guidance is at least a 2048-bit modulus (group 14) or an elliptic-curve group (19 or 20).
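The dynamic key exchange described above, worked through as an added example (this code was written for this page; it is not from the slides or from any Cisco product): two peers using IKE group 2, the 1024-bit MODP group from RFC 2409, compute the same shared secret from values that cross the network in the clear, and derive a session key from it. The Miller-Rabin check, the `DHPeer` class, the `derive_key` function and the `b"esp-enc"` label are this example's own constructions; real IKE derives SKEYID with a PRF over both peers' nonces as well, which is simplified here.

```python
"""Diffie-Hellman as IKE uses it: a fixed MODP group, secret exponents that never leave
the device, public values sent in the clear, and one shared secret on both sides."""
import hashlib
import hmac
import secrets

# IKE group 2 (RFC 2409, section 6.2): the 1024-bit MODP prime and generator 2.
P_GROUP2 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G_GROUP2 = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin. Used to confirm the group modulus is a safe prime (p and (p-1)/2
    both prime), which is what makes the small-subgroup check in DHPeer sufficient."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class DHPeer:
    """One IKE peer's half of the exchange (example construction, not an IKE implementation)."""

    def __init__(self, p: int = P_GROUP2, g: int = G_GROUP2):
        self.p, self.g = p, g
        self.private = secrets.randbelow(p - 3) + 2   # x in [2, p-2]; stays on this device
        self.public = pow(g, self.private, p)         # g^x mod p; this is all that crosses the network

    def shared_secret(self, peer_public: int) -> int:
        # Reject 0, 1 and p-1. An attacker who substitutes one of them forces g^xy into a
        # subgroup of order 1 or 2, leaving the "secret" with at most two possible values.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid DH public value from peer")
        return pow(peer_public, self.private, self.p)


def derive_key(shared: int, label: bytes, modulus_bits: int = 1024) -> bytes:
    """Turn g^xy into a fixed-size session key with HMAC-SHA-256. Simplified stand-in for
    IKE's SKEYID derivation, which also mixes in both peers' nonces."""
    return hmac.new(shared.to_bytes(modulus_bits // 8, "big"), label, hashlib.sha256).digest()


def run_exchange() -> tuple:
    """One exchange. An eavesdropper sees initiator.public and responder.public only."""
    initiator, responder = DHPeer(), DHPeer()
    k_init = derive_key(initiator.shared_secret(responder.public), b"esp-enc")
    k_resp = derive_key(responder.shared_secret(initiator.public), b"esp-enc")
    return k_init, k_resp
```

Run `is_probable_prime` on p and (p-1)/2 once to confirm the hard-coded group is a safe prime; that property is what makes the 0/1/p-1 rejection in `shared_secret` enough to stop small-subgroup attacks. Dropping the 768-bit group 1 prime in instead runs just as well, which is the point: the code does not get weaker, the modulus does. Groups 1 and 2 are both deprecated today in favour of the 2048-bit group 14 or the elliptic-curve groups 19 and 20.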
Internet Key Exchange (IKE)
ISAKMP (Internet Security Association and Key Management Protocol) is a protocol framework that defines the payload format, the mechanics of implementing a key exchange protocol, and the negotiation of a security association (SA).
IKE provides the following six benefits:
It eliminates the need to manually specify all the IPsec security parameters in the crypto maps at both peers.
It allows you to specify a lifetime for the IPsec SA.
It allows encryption keys to change during IPsec sessions.
It allows IPsec to provide anti-replay services.
It permits certificate authority (CA) support for a manageable, scalable IPsec implementation.
It allows dynamic authentication of peers.
IPsec Authentication and Message Integrity
Authentication is the process by which the receiving device confirms that a received packet was really sent by a trusted peer.
Authentication can use a public/private key pair.
The sender signs with its private key, and anyone holding the sender's public key can verify that signature. (This is often described loosely as "encrypting with the private key"; the private key does not encrypt the packet itself. In IKE the signature authenticates the key-exchange messages, and the session keys agreed there then authenticate every IPsec packet with a shared-key MAC, as described next.)
Message integrity means that the receiver can confirm that the data it received from the sender was not changed in transit.
Message integrity is provided by the IPsec Authentication Header (AH) protocol, and also by ESP, using a key shared by the two peers.
The sender runs a keyed hash function (HMAC) over the packet with the shared key, producing a short value, the Integrity Check Value (ICV), which it places in the AH header or the ESP trailer.
The receiver runs the same hash function with the same shared key to recompute the value and compares the two. A mismatch means the packet was modified or was not produced by a holder of the key, and it is dropped without further processing.
Functions that can be used for message integrity:
HMAC-MD5 (Hash-based Message Authentication Code with Message Digest algorithm 5): 128-bit hash value, truncated to 96 bits in the packet (HMAC-MD5-96).
HMAC-SHA (Hash-based Message Authentication Code with Secure Hash Algorithm): SHA-1 160 bits, SHA-256 256 bits, SHA-512 512 bits. In IPsec the HMAC output is likewise truncated in the packet (96 bits for SHA-1, 128 for SHA-256, 256 for SHA-512). HMAC-MD5 and HMAC-SHA-1 are legacy choices; prefer HMAC-SHA-256 or an authenticated cipher such as AES-GCM.
The ESP and AH Security Protocols
ESP (Encapsulating Security Payload) and AH (Authentication Header) are the two protocols that carry IPsec-protected traffic.
ESP defines the rules for performing all four main VPN functions: authentication, message integrity, encryption and anti-replay.
AH provides authentication and message integrity (and anti-replay through its sequence number) but no encryption. Its ICV also covers the outer IP header, so AH breaks when addresses are rewritten by NAT; ESP is the usual choice.
IPsec Encapsulation
IPsec encapsulates the packet using ESP and/or AH.
IPsec encapsulates data in one of two modes:
Transport mode.
Tunnel mode.
Transport Mode
Transport mode keeps the original IP header and inserts the ESP and/or AH header between it and the transport-layer (TCP/UDP) data.
In transport mode the original IP header must contain a routable IP address, because that header is what carries the packet across the network.
Packet format using ESP in transport mode:
[original IP header][ESP header][TCP/UDP header + data][ESP trailer][ESP ICV]
ESP encrypts the TCP/UDP header, the data and the trailer; its ICV covers the ESP header through the trailer, not the IP header.
Packet format using AH in transport mode:
[original IP header][AH][TCP/UDP header + data]
The AH ICV covers the whole packet except the mutable IP header fields (TTL, header checksum and so on).
Packet format using ESP and AH in transport mode:
[original IP header][AH][ESP header][TCP/UDP header + data][ESP trailer][ESP ICV]
Tunnel Mode
In tunnel mode the original IP header does not carry the packet across the network.
A new IP header is created using the IP addresses of the IPsec peers (the tunnel endpoints) as the source and destination of the packet.
The addresses of the originating devices can therefore be private, and they are hidden from anyone watching the network, so the inner hosts are less exposed to unwanted access.
Tunnel mode uses ESP and/or AH.
Packet format using ESP in tunnel mode:
[new IP header][ESP header][original IP header][TCP/UDP header + data][ESP trailer][ESP ICV]
The whole original packet, header included, is encrypted and covered by the ICV; only the new IP header is visible on the wire.
Packet format using AH in tunnel mode:
[new IP header][AH][original IP header][TCP/UDP header + data]
Packet format using ESP and AH in tunnel mode:
[new IP header][AH][ESP header][original IP header][TCP/UDP header + data][ESP trailer][ESP ICV]
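The following worked example (added for this page; not code from the slides or from Cisco) ties together the site-to-site scenario at the start of the slides, the encryption mechanism, the HMAC integrity check, ESP's four functions and the tunnel-mode packet format. It builds the new IP header, ESP header, IV, encrypted inner packet, ESP trailer and ICV in that order, and on the receiving side runs the anti-replay check, the ICV check and the decryption in the order RFC 4303 requires, so a forged or tampered packet is dropped before any decryption happens. Assumptions: the public addresses 203.0.113.2 and 198.51.100.1 are documentation addresses chosen here; the SPI, keys and HTTP payload are constructed; and because Python's standard library has no AES, the `keystream_xor` function stands in for the AES transform, using HMAC-SHA-256 in counter mode (a PRF-based stream cipher, not an IPsec transform). The `EspSA`, `reject_reason` and `demo` names are this example's own.

```python
"""ESP in tunnel mode, end to end: branch router encapsulates, HQ gateway verifies and decapsulates."""
import hashlib
import hmac
import secrets
import struct

ESP_PROTO = 50             # protocol number in the outer IP header
IV_LEN, ICV_LEN = 16, 16   # 128-bit IV; HMAC-SHA-256 tag truncated to 128 bits, as RFC 4868 does
WINDOW = 64                # receiver's anti-replay window in packets (RFC 4303 minimum is 32)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    ip = lambda a: bytes(map(int, a.split(".")))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, ip(src), ip(dst))
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return hdr[:10] + struct.pack("!H", ~total & 0xFFFF) + hdr[12:]


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher with HMAC-SHA-256 as PRF: a stand-in for ESP's AES transforms. Same call decrypts."""
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, iv + struct.pack("!I", i), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class EspSA:
    """One unidirectional SA: SPI, keys, the sender's sequence counter and the receiver's anti-replay window."""
    def __init__(self, spi: int, enc_key: bytes, auth_key: bytes):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.seq_out, self.win_top, self.win_bits = 0, 0, 0   # sender counter; receiver: top seq, bit i <=> top-i seen

    def icv(self, data: bytes) -> bytes:
        return hmac.new(self.auth_key, data, hashlib.sha256).digest()[:ICV_LEN]

    def encapsulate(self, inner_packet: bytes, src: str, dst: str) -> bytes:
        """Sender: inner IP packet -> new IP header (src, dst) | SPI, seq | IV | ciphertext | ICV."""
        self.seq_out += 1
        pad_len = -(len(inner_packet) + 2) % 4                        # align payload + trailer to 4 bytes
        trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])   # padding, pad length, next header 4 = IPv4
        iv = secrets.token_bytes(IV_LEN)
        esp = struct.pack("!II", self.spi, self.seq_out) + iv
        esp += keystream_xor(self.enc_key, iv, inner_packet + trailer)
        esp += self.icv(esp)                                          # ICV covers SPI, seq, IV and ciphertext
        return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp

    def decapsulate(self, packet: bytes) -> bytes:
        """Receiver: replay check, then authenticate, then (and only then) decrypt."""
        esp = packet[20:]
        spi, seq = struct.unpack("!II", esp[:8])
        if packet[9] != ESP_PROTO or spi != self.spi:
            raise ValueError("not an ESP packet for this SA")
        self.check_replay(seq)                                  # cheap rejection before any crypto
        body, tag = esp[:-ICV_LEN], esp[-ICV_LEN:]
        if not hmac.compare_digest(self.icv(body), tag):        # constant-time compare
            raise ValueError("integrity check failed")          # tampered or forged: drop, never decrypt
        self.mark_seen(seq)                                     # window advances only for authentic packets
        plain = keystream_xor(self.enc_key, body[8:8 + IV_LEN], body[8 + IV_LEN:])
        return plain[:-2 - plain[-2]]                           # strip next header, pad length and padding

    def check_replay(self, seq: int) -> None:
        diff = self.win_top - seq                               # negative: newer than anything seen
        if seq == 0 or diff >= WINDOW:                          # seq 0 is never sent; older than the window
            raise ValueError("replayed packet (too old)")
        if diff >= 0 and self.win_bits >> diff & 1:             # inside the window and already accepted
            raise ValueError("replayed packet (duplicate)")

    def mark_seen(self, seq: int) -> None:
        if seq > self.win_top:
            shift = seq - self.win_top
            self.win_bits = 1 if shift >= WINDOW else ((self.win_bits << shift) | 1) & ((1 << WINDOW) - 1)
            self.win_top = seq
        else:
            self.win_bits |= 1 << (self.win_top - seq)


def reject_reason(sa: EspSA, packet: bytes) -> str:
    try:
        sa.decapsulate(packet)
        return ""
    except ValueError as err:
        return str(err)


def demo() -> dict:
    # Constructed scenario: PC1 10.2.2.2 behind the branch router (203.0.113.2) -> web server
    # 10.1.1.1 behind the HQ ASA (198.51.100.1). Both gateways hold a copy of the same SA.
    sa = EspSA(spi=0x1000, enc_key=secrets.token_bytes(32), auth_key=secrets.token_bytes(32))
    payload = b"GET / HTTP/1.0\r\n\r\n"
    inner = ipv4_header("10.2.2.2", "10.1.1.1", 6, len(payload)) + payload
    wire = sa.encapsulate(inner, "203.0.113.2", "198.51.100.1")
    tampered = wire[:44] + bytes([wire[44] ^ 0x01]) + wire[45:]   # MITM flips one ciphertext bit (20 + 8 + IV_LEN)
    return {
        "outer_addresses": wire[12:20] == bytes([203, 0, 113, 2, 198, 51, 100, 1]),
        "inner_hidden": inner not in wire,                 # a copied packet reveals no inner addresses or data
        "tamper": reject_reason(sa, tampered),             # "integrity check failed"
        "roundtrip": sa.decapsulate(wire) == inner,        # the web server gets the original packet
        "replay": reject_reason(sa, wire),                 # "replayed packet (duplicate)"
    }
```

`demo()` returns a dict of outcomes: a copy of the wire packet shows only the two public addresses, flipping one ciphertext bit makes the receiver drop the packet before it decrypts anything, and re-sending the same packet is caught by the 64-packet window. Transport mode differs only in what gets wrapped: the inner packet's transport header and data, with the original IP header kept and its protocol field set to 50, instead of the whole inner packet behind a new header.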