Use of Cryptosystems and Authentication in a VPN
2.3 VPN Protocols
Coming from different directions and supporting different products and services, several security protocols have been in development over the last few years. We will start with one that has firmed up only recently, but will probably become nearly universal—the IPSec standard.2.3.1 IPSec
Over the years as vendor after vendor labored over reinventing wheels, trying to hide IP packets in a secure protocol, people began to wonder why the TCPIP protocol itself wasnt updated to support authentication and encryption. That way, the network itself is secure and everything built upon it must also be secure. IPSec is the answer to this question. The Internet Security Protocol IPSec is a generic structure initiated and maintained by a working group of the Internet Engineering Task Force IETF to provide various security services for the Internet Protocol IP, for both IPv4 the current standard and IPv6 the upcoming one. IPSec presents design goals for a top-level component-oriented structure, rather than detailing specific encryption algorithms or key-exchange methodologies. Conceptually, IPSec was created to secure the network itself, presenting no real changes to the applications that run above it. Since the TCPIP protocol is so ubiquitous, it is a natural evolution to produce a secure network system developed almost in parallel to the existing system. Upgrading to IPSec products and services will only enhance security, as current network-oriented applications can still be used to transport data. The IPSec documents produced by the IETF are predominantly concerned with three basic areas of securing the IP protocol: encryption algorithms, authentication algorithms, and key management. These components help define the entire architecture of a security scheme, 33 generically making the IPSec structure insensitive to the fast-paced, changing world of authentication and encryption algorithms. It is expected that new algorithms will be presented for use as times change and computing services emerge. IPSec is designed so that new methods can be added to the suite with very little work and little effect upon previous implementations. The two key benefits derived from IPSec compliance are that products or services sporting IPSec gain additional security features as well as interoperability with other IPSec products. Enhanced security means that only the most comprehensive and most robust authentication, key-exchange, and encryption algorithms, hardened for use in the real world, will be used. Interoperability is also a must in todays world, where many different products will be expected to communicate securely with one another. Although IPSec is still undergoing change, much of the basic framework has been frozen enough for vendors to finalize, test, and distribute their VPN products. It is a common consensus that the finalized IPSec standard wont be solidified until the end of 1998 or the beginning of 1999. IPSec was designed to support two encryption modes. The transport mode protects only the payload portion of each packet, while the tunnel mode encrypts both the header and the payload. Logically enough, the tunnel mode is more secure, as it protects the identity of the sender and receiver, along with hiding certain other IP fields that may give a middleman useful information. For IPSec to work as expected, all devices must share a common key. Even though the protocols used to cipher the data are very important to the overall success of the system, a great deal of work has gone into the authentication and exchange of keys by the sender and the receiver. Of course, this effort wasnt done in a vacuum, as it builds upon the body of work done to create and swap keys using public digital certificates. This is largely accomplished through the ISAKMPOakley protocol now updated to the IKE protocol and the X.509 digital certificate system.2.3.1.1 IPSec security issues
In order to erect a tunnel between two networks using IPSec or any protocol, for that matter, each having a firewall on the Internet, you have to make sure both gateways have similar security policies. Different architectures could lead to one network being less secure than the other, and would draw attention to compromising the system there. Such a fault could lead to an attacker having access to the more secure network by sophisticated masquerading. IPSec, if used with a bastion host, could also adversely affect the performance of the network. Bastion hosts have long been considered a substandard method for securing a network, as they restrict the traffic to a few points of failure. When you add the computationally expensive process of random number generation, key exchange, and strong payload encryption, a bastion host is burdened to the edge of its feasible limits. Further, it is likely that bastion hosts will handle these algorithms in software using a general-purpose microprocessor, whereas dedicated solutions positioned at an organizations gateway would use specialized hardware to accomplish the same task.Parts
» Virtual Private Networks 2nd 1999
» How VPNs relate to Intranets
» What Are We Protecting with Our VPN?
» Firewalls How VPNs Solve Internet Security Issues
» Authentication How VPNs Solve Internet Security Issues
» Encryption How VPNs Solve Internet Security Issues
» Tunneling How VPNs Solve Internet Security Issues
» A Note on IP Address and Domain Name Conventions Used in This Book
» Packet restriction or packet filtering routers
» Bastion host What Types of Firewalls Are There?
» DMZ or perimeter zone network
» Proxy servers What Types of Firewalls Are There?
» A Brief History of Cryptography
» Cryptography: How to Keep a Secret
» Cryptography in Network Communications
» Hash algorithms Cryptographic Algorithms
» Secret key systems Cryptographic Algorithms
» Public key cryptosystems Cryptographic Algorithms
» Use of Cryptosystems and Authentication in a VPN
» ESP Encapsulating Security Payload
» AH Authentication Header VPN Protocols
» Internet Key Exchange, ISAMKPOakley
» ISO X.509 v.3 Digital Certificates
» LDAP Lightweight Directory Access Protocol Radius
» PPTP Point-to-Point Tunneling Protocol
» Basic Firewalling Methodologies for Compromising VPNs
» Ciphertext-only attack Cryptographic Assaults
» Known plaintext attack Cryptographic Assaults
» Chosen plaintext attack Cryptographic Assaults
» Chosen ciphertext attack Cryptographic Assaults
» Brute force attacks Cryptographic Assaults
» Password guessers and dictionary attacks
» Social engineering Cryptographic Assaults
» Address spoofing Network Compromises and Attacks
» Session hijacking Network Compromises and Attacks
» Man-in-the-middle attack Network Compromises and Attacks
» Replay attack Network Compromises and Attacks
» Detection and cleanup Network Compromises and Attacks
» Patents and Legal Ramifications
» General WAN, RAS, and VPN Concepts
» Telco Small to Medium Solutions
» Security, scalability, and stability
» Hardwaresoftware Small to Medium Solutions
» Administration Small to Medium Solutions
» Hardwaresoftware Administration Security, scalability, and stability
» Differences Between PPTP, L2F, and L2TP
» Dialing into an ISP That Supports PPTP
» Dialing into an ISP That Doesnt Support PPTP
» Where PPTP Fits into Our Scenario
» The encapsulation process Dissecting a PPTP Packet
» Accept encrypted authentication RAS authentication methods
» Accept Microsoft encrypted authentication
» Accept any authentication, including clear text
» Data encryption PPTP Security
» Availability Features of PPTP
» Easy Implementation Features of PPTP
» Multiprotocol Tunneling Features of PPTP
» Ability to Use Corporate and UnregisteredIP Addresses
» Choosing the protocols to tunnel
» Choosing your authentication method
» IP address negotiation using DHCP
» Outbound authentication using PPTP filtering
» Filtering caveats PPTP Filtering
» Installing PPTP Filtering by IP Address
» Configuring Users for Dial-up Access
» Configuring PPTP for Dial-up Networking on a Windows NT Client
» Configuring PPTP for Dial-up Networking on a Windows 95 or 98 Client
» Setting up global PPTP parameters Setting up a port for PPTP
» Configuring PPTP on an Ascend MAX 4004
» Making the Calls Configuring and Testing Layer 2 Connections
» The Event Viewer Login problems
» The Dial-Up Networking Monitor
» ping and traceroute Connectivity Testing
» Fixed IP addresses How to Allow PPTP Through Firewalls
» How PPTP Can Bypass a Proxy Server
» Three-part encryption technique Security
» Support for an emerging security standard
» Support for Security Dynamics SecureID
» Accessibility Flexibility Advantages of the AltaVista Tunnel System
» Platform Limitations AltaVista Tunnel Limitations
» Extranet server System Considerations
» Telecommuter client System Considerations
» Planning How the AltaVista Tunnel Works
» AltaVista Tunnel Extranet server
» Security procedures The Guts
» AltaVista Tunnel Telecommuter Client
» Sample configuration Implementing a LAN-to-LAN Tunnel
» Tunnel server configuration Implementing a LAN-to-LAN Tunnel
» Firewall configuration Host configuration
» Sample configuration Implementing Single Connections-to-LAN Tunnels
» Tunnel server configuration Implementing Single Connections-to-LAN Tunnels
» Firewall configuration Implementing Single Connections-to-LAN Tunnels
» Local host configuration Implementing Single Connections-to-LAN Tunnels
» Remote PC configuration Implementing Single Connections-to-LAN Tunnels
» Sample configuration Implementing PC-to-WAN Tunnels
» Tunnel server configuration Implementing PC-to-WAN Tunnels
» Tracing the packets Implementing PC-to-WAN Tunnels
» Preparing to Install Installing the AltaVista Tunnel
» Windows NT 4.0 Installing the AltaVista Tunnel Extranet Serverfor Windows NT
» Installing the AltaVista Tunnel Telecommuter Client for Windows
» Installing the AltaVista Tunnel Telecommuter Client for MacOS
» Initial configuration Adding Routes and Dynamic Addresses
» Managing routes and dynamic IPs
» Group configuration Adding Tunnel Groups
» Tunnel client information Adding Tunnel Groups
» Tools for Tunnel Management Changing Port Settings
» Rekey Interval and Minimum Encryption Settings
» Configuring Unix-to-Windows NT Tunnel Connections
» Getting Busy Configuring the AltaVista Telecommuter Client
» Tunnel Server and Client Configuration Checks
» Local Network and Internet Gateway Configuration Checks
» Encryption Capabilities The SSH Software
» Useful sshd parameters for our purposes
» Understanding SSH authentication ssh
» Useful ssh parameters for our purposes
» The VPN Components Creating a VPN with PPP and SSH
» Setting up the master and slave Linux systems
» Creating a user account on the slave
» Setting up SSH authentication
» Configuring sudo on the slave
» Putting pty-redir on the master
» Setting up the slaves scripts
» Testing the Connection Creating a VPN with PPP and SSH
» A Performance Evaluation Creating a VPN with the Unix Secure Shell
» ISP Assigned Addresses Global Pool
» Hardware solution Advantages of the PIX Firewall
» Superior to Unix and other router firewalls
» Single point of controlfailure
» Dynamic address translation Advantages of the PIX Firewall
» PIX acts like a proxy server
» Ease of configuration and maintenance
» High-speed access Advantages of the PIX Firewall
» Links Advantages of the PIX Firewall
» Hardware solution Limitations of the PIX Firewall
» Dynamic address use Limitations of the PIX Firewall
» Budgetary considerations Limitations of the PIX Firewall
» Maintenance Limitations of the PIX Firewall
» A Sample Configuration Configuring the PIX as a Gateway
» Firewall Configuration on the PIX
» debug xlate Testing, Tracing, and Debugging
» arp Testing, Tracing, and Debugging
» show interface Testing, Tracing, and Debugging
» Offering Services to the Internet Through Conduits and the static Command
» Tunneling with the link Directive
» Choosing an ISP Managing and Maintaining Your VPN
» Connectivity Problems Solving VPN Problems
» Authentication Errors Solving VPN Problems
» Routing Problems Dealing with an ISP
» Compatibility with Other Products
» Delivering Quality of Service
» Restrict What VPN Users Can Get To
» Avoid Public DNS Information for VPN Servers and Routers
» Keeping Yourself Up-to-Date Managing and Maintaining Your VPN
» Network Connections Hardware and Operating System VPN Package
» Connection Hardware and Operating System VPN Package
» Connection Hardware and Operating System
» VPN Package Remote Access Users
Show more