Scribd
Upload
3 views21 pages

VPN and IPsec: Secure Network Overview

Uploaded by

youoio135
Copyright
© All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
3 views21 pages

VPN and IPsec: Secure Network Overview

Uploaded by

youoio135
Copyright
© All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

VPN and IPsec: Secure

Network Communication
[Link] sayed
Introduction to VPN
What is a VPN?
• A Virtual Private Network (VPN) extends a private network across a
public network (e.g., the internet).
• Enables secure, encrypted communication between users, devices, or
entire networks.
• Protects data from eavesdropping, cyberattacks, and censorship.
• Allows remote users to access corporate resources securely.
How VPN Works
•A VPN creates a secure "tunnel" between the client and the VPN server.
•The data inside the tunnel is encrypted, preventing third parties from intercepting it.
•VPN assigns users a new virtual IP address, masking their real IP.
•Ensures authentication and data integrity to prevent unauthorized access.
Types of VPNs

•Remote Access VPN:


•Allows individual users to connect to a private network securely from any location.
•Typically used by employees working remotely.
•Site-to-Site VPN:
•Connects entire networks (e.g., two office branches) securely over the internet.
•Used by companies to enable seamless communication between offices.
•Client-to-Site VPN:
•A hybrid where an individual user connects to a network using VPN client software.
•Often used in corporate environments.
What is IP Security
• Framework of open standards to ensure secure communications over
the Internet
• Internet Protocol Security (IPsec) is a suite of protocols designed to
secure internet communication at the network layer (Layer 3) of the
OSI model.
IPsec Security Services
• Confidentiality: Prevents third parties from reading the data. IPsec ensures
confidentiality by using encryption.
• Data integrity: Ensures that data arrives unchanged at the destination.
IPsec ensures data integrity by using hash-based message authentication.
• Origin authentication: Ensures that the connection is made with the
desired communication partner. IPsec uses IKE to authenticate users and
devices that can carry out communication independently.
• Antireplay protection: Verifies that each packet is unique and is not
duplicated
• Key management: Allows for an initial exchange of dynamically generated
keys across a non-trusted network and a periodic re-keying process
Bulk Encryption Algorithms
• DES
• 3DES
• AES
• SEAL
Network Layer Security
• IP security (IPsec)
• Two protocols
• Authentication protocol, using an Authentication Header (AH)
• Encryption/authentication protocol, called the Encapsulating Security Payload (ESP)
• Two modes of operation
• Transport mode: provides protection for upper-layer protocols
• Tunnel mode: protects the entire IP datagram
What protocol to use?
• Differences between AH and ESP:
• ESP provides encryption, AH does not.
• AH provides integrity of the IP header, ESP does not.
• However, we don’t have to choose since both protocols can be used
in together.
Algorithms Used:
Encryption:
Symmetric – As IP packets may arrive out of order and Asymmetric algorithms are
incredible slow.
E.g. DES (Data Encryption Standard)

 Authentication:
MAC (Message Authentication Codes) based on symmetric encryption algorithms.
One way hash functions. (MD5 or SHA-1)
Transport Versus Tunnel Mode
• Transport Mode:
• Used for Peer to Peer communication security
• Data is encrypted

• Tunnel Mode:
• Used for site-to-site communication security
• Entire packet is encrypted.
How IPSec works: Phase 1
• Internet Key Exchange (IKE) is used to setup IPSec.
• IKE Phase 1:
• Establishes a secure, authenticated channel between the two computers
• Authenticates and protects the identities of the peers
• Negotiates what SA policy to use
• Performs an authenticated shared secret keys exchange
• Sets up a secure tunnel for phase 2
• Two modes: Main mode or Aggressive mode
• Main Mode IKE
1. Negotiate algorithms & hashes.
2. Generate shared secret keys using a Diffie-Hillman exchange.
3. Verification of Identities.
• Aggressive Mode IKE
• Squeezes all negotiation, key exchange, etc. into less packets.
• Advantage: Less network traffic & faster than main mode.
• Disadvantage: Information exchanged before a secure channel is created. Vulnerable to sniffing.
How IPSec works: Phase 2
• An AH or ESP packet is then sent using the agreed upon “main” SA during the
IKE phase 1.
• IKE Phase 2
• Negotiates IPSec SA parameters
• Establishes IPSec security associations for specific connections (like FTP, telnet, etc)
• Renegotiates IPSec SAs periodically
• Optionally performs an additional Diffie-Hellman exchange
IP sec Application
•IPSec provides the capability to secure communications across a
LAN, across private and public WANs, and across the Internet.
–Secure branch office connectivity over the Internet
–Secure remote access over the Internet
–Establishing extranet and intranet connectivity with partners
–Enhancing electronic commerce security
Why not use IPSec?
• Processor overhead to encrypt & verify each packet can be great.
• Added complexity in network design.

You might also like