Chapter 5: Virtual Networks

About This Presentation

Title:

Chapter 5: Virtual Networks

Description:

Chapter 5: Virtual Networks 5.2 Virtual Private Networks, VPN 5.2.1 Introduction 5.2.2 PPTP 5.2.3 L2TP 5.2.4 IPsec 5.2.5 SSL 5.3 Virtual Local Area Networks, VLAN – PowerPoint PPT presentation

Number of Views:310

Avg rating:3.0/5.0

Slides: 113

Provided by: Jorg2155

Category:

more less

Transcript and Presenter's Notes

Title: Chapter 5: Virtual Networks

1
Chapter 5 Virtual Networks

5.2 Virtual Private Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area Networks, VLAN

5.1 Security in networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalysis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems

2
Chapter 5 Virtual Networks

5.2 Virtual Private Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area Networks, VLAN

5.1 Security in networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalysis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems

3
Introduction

Secure channel
Properties
Confidentiality
Integrity
Authenticity
Non-repudiation

Secure channel?
Receiver
Sender
4
Introduction

Confidentiality
Transmitted info in an insecure channel can only
be understood by desired destination/s
It must stay unintelligible for the rest
Ways of protection
Dedicated physical links
High cost
Difficult maintenance
Cipher
Attack e.g. obtaining data from sender

5
Introduction

Integrity
Ensures that transmitted info was not modified
during the communication process
Message in destination must be the same as in
source
Ways of protection
Digital signature
Attack e.g. modifying the destination address in
a product bought on the internet

6
Introduction

Authenticity
Ensures the source of the info
Avoids impersonation
Ways of protection
Digital signature
Challenge
Human authentication
Biometric (fingerprint, retina, facial
recognition, etc.)
Attack e.g. user impersonation in bank
transaction

7
Introduction

Non-repudiation
Avoid senders denial
Avoid receivers denial
Ways of protection
Digital signature
Attack e.g. loss of an application form

8
Introduction

Insecure channel
Non-reliable
Attacks Violation of channel security
Types
Passive
Active
Categories
Interception
Interruption
Modification
Fabrication

9
Introduction

Passive attacks
Attacker does not change the content of the
transmitted information
Objectives
Entity identification
Traffic control
Traffic analysis
Usual data exchange time detection
Difficult to detect
Easy to avoid -gt encryption

10
Introduction

Active attacks
Attacker does change the content of the
transmitted information
Types
Masked (impostor)
Repetitive (intercepted msg, repeated later)
Msg modification
Service denial
Difficult to prevent
Easy to detect -gt detection recovery

11
Introduction

Interception
Confidentiality attack
Passive
A non-authorized intruder achieves the access to
a non-shared resource
E.g
Traffic capture
Obtaining copies of files or programs

Receiver
Transmitter
Intruder
12
Introduction

Interruption
Destruction of a shared resource
Active
E.g
Destruction of hardware
Communication breakdown

Receiver
Transmitter
Intruder
13
Introduction

Modification
A non-shared resource is intercepted modified
by a non-authorized host before arriving to its
final destination
Active
E.g
Change in sent data

Receiver
Transmitter
Intruder
14
Introduction

Fabrication
Authenticity attack
Active
Non-authorized host (impostor) generates a
resource that arrives to the final destination
E.g
Fraud information

Receiver
Transmitter
Intruder
15
Chapter 5 Virtual Networks

5.2 Virtual Private Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area Networks, VLAN

5.1 Security in networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalisis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems

16
Cryptography

Introduction
Why?
Way of protecting information against intruders
(encryption digital signatures)
Definition
Science of secret writing, for hiding information
from third parties
Principle
Keeping privacy between two or more communication
elements

17
Cryptography

Introduction
Functioning basis
Altering original msg to avoid the access to the
information of any non-authorized party
E.g
Original msg This lecture is boring
Altered msg Wklv ohfwxuh lv erulqj
Caesar cipher (K3)

18
Cryptography

Decipher
Mechanism that converts an incomprehensible msg
in the original one
Necessary to know the used cipher algorithm and
the key

Cipher
Mechanism that converts a plain msg in an
incomprehensible one
Cipher algorithm needs a key

19
Cryptography

Introduction
Functioning scheme

Receiver
Transmitter
cipher
decipher
20
Chapter 5 Virtual Networks

5.2 Virtual Private Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area Networks, VLAN

5.1 Security in networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalisis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems

21
Cryptanalysis

Introduction
Definition
Set of methods used to guess the key used by the
elements of communication
Objective
Reveal the secret of communication
Attacks
Brute force attack (most common)
Types
Ciphertext-Only Attack
Known Plaintext Attack
Chosen Plaintext Attack

22
Chapter 5 Virtual Networks

5.2 Virtual Private Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area Networks, VLAN

5.1 Security in networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalisis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems

23
Symmetric Key

Features
Private key
Transmitter Receiver share the same key

Receiver
Transmitter
cipher
decipher
24
Symmetric Key

Algorithms
DES, 3DES, RC5, IDEA, AES
Requirements
Neither plaintext nor the key may be extracted
from the msg
The cost in time money of obtaining the
information must be higher than the value of the
obtained information
Algorithm strength
Internal complexity
Key length

25
Symmetric Key

Accomplished objectives
Confidentiality
Integrity
Authentication
Non repudiation
Depending on the number of parties sharing the
secret key

26
Symmetric Key

Advantages
Algorithm execution rate
Best method to cipher great pieces of information
Disadvantages
Distribution of private key
Key management
The number of used keys is proportional to the
number of used secure channels

27
Chapter 5 Virtual Networks

5.2 Virtual Private Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area Networks, VLAN

5.1 Security in networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalisis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems

28
Asymmetric Key
Tx private
Tx public
Rx private

Features
Public Key
Every party has got a pair of keys
(private-public)

Rx public
Receiver
Transmitter
cipher
decipher
29
Asymmetric Key

Algorithms
Diffie-Hellman, RSA, DSA
Requirements
Neither plaintext nor the key may be extracted
from the msg
The cost in time money of obtaining the
information must be higher than the value of the
obtained information
For an public-key encrypted text, there must be
only a private key capable of decrypt it, and
viceversa

30
Asymmetric Key

Accomplished objectives
Confidentiality
Integrity
Authentication
Offers very good mechanisms
Non repudiation
Offers very good mechanisms

31
Asymmetric Key

Advantages
No problems for key distribution -gt public key
In case of the steal of a users private key,
only the msgs sent to that user are involved
Better authentication mechanisms than symmetric
systems
Disadvantages
Algorithm execution rate

32
Asymmetric Key

Authentication
Challenge-response
Digital signature
Digital certificate
Non repudiation
Digital signature
Digital certificate

33
Asymmetric Key
Tx private
Tx public
Rx private
Rx public

Challenge-response
Send of a challenge in clear text. Its response
is only known by the transmitter
The transmitter sends a private-key ciphered
response

Receiver
Transmitter
cipher
decipher
34
Asymmetric Key
Tx private
Tx public
Rx private

Digital signature
Verifies source authenticity
Parts
Signature (transmitter)
Signature verification (receiver)

Rx public
Receiver
Transmitter
Signature
verification
35
Asymmetric Key
Tx private
Tx public
Rx private

Digital signature
Problem Process is slow
Use of fingerprint

Rx public
Receiver
Transmitter
36
Asymmetric Key

Digital signature - fingerprint
Reduces encryption time
Hash function
Turns a variable length set of data in a summary
or fingerprint. A fingerprint has a fixed length
and it is illegible and nonsense
Irreversible
Algorithms SHA-1, MD5
Requirements
Capability of turning variable length data in
fixed length blocks
Easy to use and implement
Impossible to obtain the original fingerprint
text
Different texts must generate different
fingerprints
Problem Key management

37
Asymmetric Key

Digital certificate
Information unit containing a pair of
public-private keys, together with the necessary
information to allow the owner for secure
communications
Contents
Public key
Private key (if owner)
Owner information
Useful information (algorithms, allowed
functions, ...)
Valid-from
Certificate Authority signatures
Revocation is possible

38
Chapter 5 Virtual Networks

5.2 Virtual Private Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area Networks, VLAN

5.1 Security in networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalisis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems

39
Mixed systems
Tx private
Tx public
Rx private
Rx public

Session keys
Process
Session Key distribution (asymmetric)
Secure communication (symmetric)

Session key
Receiver
Transmitter
40
Mixed systems
Tx private
Tx public
Rx private
Rx public

Session keys
Process
Session Key distribution (asymmetric)
Secure communication (symmetric)

Session key
Receiver
Transmitter
41
Mixed systems

Accomplished objectives
Confidentiality
Integrity
Authentication
Non repudiation
Use of digital signatures certificates

42
Mixed systems

Advantages
No problems for key distribution -gt public key
Improbable to guess session key
May use public key authentication
non-repudiation mechanisms
Algorithm execution rate

43
Chapter 5 Virtual Networks

5.2 Virtual Private Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area Networks, VLAN

5.1 Security in networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalisis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems

44
Virtual Private Networks

Introduction
Interconnection of users entities
Dedicated line (intranets)
Expensive
Difficult to manage
Use os public access network
Security risks

LAN
Public network
45
Virtual Private Networks

Concept
VPN Private data channel implemented upon a
public communication network
Objectives
Linking remote subnetworks
Linking subnetworks remote users
Use of virtual tunnel with encryption

Virtual tunnel
LAN
Public network
46
Virtual Private Networks

Requirements
Authentication identity verification
Virtual IP address range management
Data cipher
Management of digital certificates and public and
private keys
Support for many protocols

47
Virtual Private Networks

Types
Hardware-based systems
optimized specific designs
Very secure and simple
High performance
High cost
Additional services (firewalls, intruder
detectors, antivirus, etc.)
Cisco, Stonesoft, Juniper, Nokia, Panda Security
Software-based systems

48
Virtual Private Networks

Advantages
Security confidentiality
Cost reduction
Scalability
Simple management
Compatibility with wireless links

49
Virtual Private Networks

Elements
Local or private networks
Restricted access LAN with pvt IP address range
Insecure networks
VPN tunnels
Servers
Routers
Remote users (road warriors)
Remote offices (gateways)

50
Virtual Private Networks

Scenarios
P2P
LAN - LAN
LAN remote user

LAN
LAN
LAN
51
Chapter 5 Virtual Networks

5.2 Virtual Private Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area Networks, VLAN

5.1 Security in networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalisis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems

52
PPTP

Features
Peer to Peer Tunnel Protocol (PPTP)
Designed developed by 3Com, Microsoft
Corporation, Ascend Communications y ECI
Telematics defined IETF (RFC 2637)
Used for secure virtual access of remote users to
a private network
Use of tunnel mechanisms for the send of data
from client to server
Use of a private or public IP network

53
PPTP

Functioning
PPTP server configured to distribute private LAN
IP addresses
Server acts as a bridge

192.168.1.30
192.168.1.31
PPTP server 192.168.1.1
67.187.11.25
LAN
192.168.1.32
Remote user
192.168.1.100 - 120
54
PPTP

Phases
PPP Connection establishment with ISP
PPTP connection control
TCP connection
Control msgs exchange
Data transmission
GRE Protocol
Cipher

55
PPTP

PPP
Point-to-Point Protocol (RFC 1661)
Data link layer
Used for the connection to ISP by means of a
telephony line (modem) or PSTN
Versions for broadband access (PPPoE y PPPoA)
Functions
Establishing, maintaining and finishing
peer-to-peer connection
User authentication (PAP y CHAP)
Creation of encrypted frames

IP
Data
PPP
56
PPTP

PPTP connection control
Specifies session control messages
PPTP_START_SESSION_REQUEST session start request
PPTP_START_SESSION_REPLY session start response
PPTP_ECHO_REQUEST session keepalive request
PPTP_ECHO_REPLY session keepalive response
PPTP_WAN_ERROR_NOTIFY error notification
PPTP_SET_LINK_INFO client-server connection
configuration
PPTP_STOP_SESSION_REQUEST session stop request
PPTP_STOP_SESSION_REPLY session stop reply

57
PPTP

PPTP authentication
Uses the same mechanisms as PPP
PAP (Password Authentication Protocol)
Very simple send of name and passwd in plaintext
CHAP (Challenge Handshake Authentication
Protocol)
Challenge-response mechanism
Client generates a fingerprint from the received
challenge (MD5)
Shared secret key
Send of challenge to renew identity

58
PPTP

PPTP authentication
Two new mechanisms
SPAP (Shiva Password Authentication Protocol)
PAP with the send of an encrypted client passwd
MS-CHAP (Microsoft Challenge Handshake
Authentication Protocol)
Proprietary CHAP-based-Algorithm by Microsoft
Mutual authentication process (client server)
Due to a security failure in Windows NT, MS-CHAP
v2 was created

59
PPTP

Data transmission
Uses a modification of GRE (Generic Routing
Encapsulation) protocol RFC 1701 y 1702
Establishes a functional division in three
protocols
Passenger Protocol
Carrier Protocol
Transport Protocol

Transport
Carrier
Protocol
60
PPTP

Data transmission
Send of PPP frames -gt encapsulated in IP datagrams

TCP
Data
IP
IP
Data
MAC
GRE
PPP
61
PPTP

Encryption
MPPE (Microsoft Point-To-Point Encryption)
RFC 3078
uses RSA RC4 algorithm-gt Session key from a
client pvt key
Only with CHAP or MS-CHAP
Allows non-encrypted tunneling (PAP or SPAP) -gt
No VPN

62
PPTP

Advantages
Implementation low cost (uses public network)
No limit for the number of tunnels due to server
physical interfaces (but more resources are
necessary in the server for every tunnel)
Disadvantages
Very vulnerable
Non-authenticated TCP connection control
Weakness of MS-CHAP protocol in NT systems
Weakness of MPPE protocol
Use of pvt passwd

63
Chapter 5 Virtual Networks

5.2 Virtual Private Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area Networks, VLAN

5.1 Security in networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalisis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems

64
L2TP

Features
Layer 2 tunneling protocol (RFC 2661) - PPP
L2TP v3 (RFC 3931) - multiprotocol
Based in 2 network protocols to carry de red PPP
frames
PPTP
L2F (Layer Two Forwarding)
Used together with IPSec to offer more security
(L2TP/IPSec, RFC 3193)

65
L2TP

Functioning
LAC L2TP Access Concentrator
LNS L2TP Network Server
Server acts as a bridge

192.168.1.31
L2TP Server (LNS) 192.168.1.1
67.187.11.25
LAN
ISP
Compulsory
192.168.1.32
Remote user
192.168.1.100 - 120
LAC
Voluntary
66
L2TP

Types of tunnels
Compulsory
User starts a PPP connection with ISP
ISP accepts connection PPP link
ISP requests authentication
LAC starts L2TP tunnel to LNS
If LNS accepts, LAC encapsulates PPP with L2TP
and sends frames
LNS accepts L2TP frames process them as if they
were PPP frames
LNS authenticates PPP valid user -gt assigns IP
addr

Voluntary
Remote users is connected to ISP
L2TP client starts L2TP tunnel to LNS
If LNS accepts, LAC encapsulates PPP with L2TP
and sends through tunnel
LNS accepts frames process them as if they were
PPP frames
LNS authenticates PPP valid user -gt assigns IP
addr

67
L2TP

Messages
Two types
Control
Used during the establishment, keepalive
termination of the tunnel
Reliable control channel (guarantees msg
delivery)
Data
Encapsulates information into PPP frame
Uses UDP port 1701

68
L2TP

Control msgs
Connection keepalive
Start-Control-Connection-Request Session start
request
Start-Control-Connection-Reply Session start
response
Start-Control-Connection-Connected Established
session
Start-Control-Connection-Notification Session
end
Hello sent during inactivity periods

69
L2TP

Control msgs
Call keepalive
Outgoing-Call-Request start of outgoing call
Outgoing-Call-Reply start of outgoing call
response
Outgoing-Call-Connected outgoing call
established
Incoming-Call-Request start of incoming call
Incoming-Call-Reply start of incoming call
response
Incoming-Call-Connected incoming call
established
Call-Disconnect-Notify call stop

70
L2TP

Control msgs
Error notification
WAN-Error-Notify
PPP Control session
Set-Link-Info configures client-server connection

71
L2TP

Advantages
Implementation low cost
Multiprotocol support
Disadvantages
Only the two terminals in the tunnel are
identified (possible impersonation attacks)
No support for integrity (possible service denial
attack)
Does not develop confidentiality
Does not offer encryption, though PPP may be
encrypted (no mechanism for automatic key
generation)

72
Chapter 5 Virtual Networks

5.2 Virtual Private Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area Networks, VLAN

5.1 Security in networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalisis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems

73
IPSec

Features
Internet Protocol Security
Offers security services for the network layer
Allows linking different networks (remote
offices)
Allows a remote user to access the pvt resources
in a network
IETF (Internet Engineering Task Force) Standard
Integrated in IPv4 default included in IPv6
IPSec is connection oriented

74
IPSec

Features
Services
Data integrity
Source authentication
Confidentiality
Replay attack prevention
Functioning modes
Transport mode
Tunnel mode

75
IPSec

Security association
Definition (SA)
Unidirectional agreement between the parties in
an IPSec connection according to the methods
parameters used for the tunnel structure. They
must guarantee transmitted data security
An entity must store
Used security algorithms and keys
Functioning mode
Key management methods
Valid time for the established connection
Database with SA

76
IPSec

Security association
Example
SPI 12345
Source IP 200.168.1.100
Dest IP 193.68.2.23
Protocol ESP
Encryption algorithm 3DES-cbc
HMAC algorithm MD5
Encryption key 0x7aeaca
HMAC key0xc0291f
Methods for key distribution management
Manual personal delivery
Automatic AutoKey IKE

77
IPSec

IKE Protocol
Internet Key Exchange Protocol (IKE)
Defined in IETF
key distribution management
SA establishment
Standard is not only limited to IPSec (OSPF or
RIP)
Hybrid protocol
ISAKMP (Internet Security Association and Key
Management Protocol)
Define msg syntax
Necessary proceedings for SA establishment,
negotiation, modification and deletion
Oakley
Specifies the logic for the secure key exchange

78
IPSec

IKE IPSec tunnel negotiation
Two phases
Phase 1 Establishment of a secure bidirectional
communication channel (IKE SA)
IKE SA different to IPSec SA
Called ISAKMP SA
Phase 2 Agreements about cipher and
authentication algorithms -gt IPSec SA
Uses ISAKMP to generate IPSec SA
The precursor offers different possibilities
The other entity accepts the first configuration
according to its limitations
They inform each other about the type of traffic

79
IPSec

Advantages
Allows remote access in a secure way
Best option for e-commerce (secure infrastructure
for electronic transactions)
Allows secure corporate networks (extranets) over
public networks

80
IPSec

Protocols
Authentication Header Protocol (AH)
Encapsulated Secure Payload (ESP)

81
IPSec

AH Protocol
Network layer Protocol field 51
Provided services
Integrity
Authentication
Does not guarantee confidentiality (no data
encryption)
HMAC (Hash Message Authentication Codes)
Generation of digital fingerprint (SHA or MD5)
Encryption of digital fingerprint with shared
secret

82
IPSec

AH Protocol
HMAC

Transmitter
Receiver
IP
AH
DATA
IP
AH
DATA
HMAC
HMAC
83
IPSec
32 bits

AH Protocol
Format

IP header
Next header
Payload length
Reserved
Security Parameters Index (SPI)
AH header
Sequence number
Authentication data
Data
84
IPSec

AH Protocol
Format
Next header superior layer protocol
Payload length Data field length (32 bits)
Security Parameters Index (SPI) SA identifier
Sequence number
Authentication data Variable length HMAC

85
IPSec

ESP Protocol
Network layer Protocol field 50
Supported services
Integrity (optional)
Authentication (optional)
Confidentiality (data encryption)
Symmetric key encryption algorithm Algoritmo de
(DES, 3DES, Blowfish)
Usually block encryption (padding)
Requires a secure mechanism for key distribution
(IKE)

86
IPSec

ESP Protocol

Transmitter
Receiver
IP
ESP
DATA
IP
ESP
DATA
ESP
ESP
87
IPSec
32 bits

ESP Protocol
Formato

IP header
Security Parameters Index (SPI)
Sequence number
ESP
Datos
Encryption
Next header
Pad length
Padding
Authentication data
88
IPSec

ESP Protocol
Format
Security Parameters Index (SPI) SA Identifier
Sequence number
Padding
Pad length padding length (bytes)
Next header Superior layer protocol
Authentication data Variable length HMAC

89
IPSec

Modes of operation
Applicable to AH ESP

Transport Mode using AH Transport Mode using ESP
Tunnel Mode using AH Tunnel Mode using ESP
Most used
90
IPSec

Transport Mode
Data are encapsulated in an AH or ESP datagram
Ensures end-to-end communication
client-client scheme (both ends must understand
IPSec)
Used to connect remote users

IPSec host
IPSec host
IP 1
IP 2
IP 1
Data
IPSec
IP 2
91
IPSec

Transport mode
AH Next header Protocol in IP header
ESP Next header Protocol in IP header

AH header
Original IP header
Data
Authentication
ESP header
Original IP header
Data
Encryption
Authentication
92
IPSec

Tunnel mode
Data are encapsulated in a whole IP datagram
A new IP header is generated
Used when the final destination is not the IPSec
end (gateways)

Host without IPSec
gateway using IPSec
gateway using IPSec
IP 1
IP B
IP A
IP 2
Host without IPSec
IP A
Data
IPSec
IP B
IP 1
IP 2
93
IPSec

Tunnel mode
AH New IP header Protocol 51 Next header 4
ESP New IP header Protocol 50 Next header 4

AH header
New IP header
Original IP Header
Data
Authentication
ESP Header
New IP header
Original IP Header
Data
Encryption
Authentication
94
Chapter 5 Virtual Networks

5.2 Virtual Private Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area Networks, VLAN

5.1 Security in networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalisis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems

95
SSL

Project OpenVPN
Implementation of VPN based on SSL (OpenSSL)
Free software (GPL)
Reason Limitations of IPSec
Features
Driver is in charge of building a tunnel
encapsulating pkts through a virtual link
Allows authentication encryption
All communications using TCP or UDP port (default
1194)
Multiplatform
Allows compression

96
SSL

Project OpenVPN
Features
Client-server model (version 2.0)
Self-install packages and graphic interfaces
Allows remote management
Great flexibility (many script formats)

97
SSL Secure Sockets Layer

Widely deployed security protocol
Supported by almost all browsers and web servers
https
Originally designed by Netscape in 1993
Number of variations
TLS transport layer security, RFC 2246
Provides
Confidentiality
Integrity
Authentication
SSL provides application programming interface
(API) to applications
C and Java SSL libraries/classes readily
available

Virtual Networks
97
98
SSL general features

Handshake use of certificates and private keys
to authenticate each other and exchange shared
secret
Key Derivation use of shared secret to derive
set of keys
Data Transfer Data to be transferred is broken
up into a series of records
Connection Closure Special messages to securely
close connection

Virtual Networks
98
99
SSL handshake and key derivation
SSL hello
certificate
KB(MS) EMS

MS master secret
EMS encrypted master secret

Virtual Networks
99
100
Key derivation

Use different keys for message authentication
code (MAC) and encryption
Four keys
Kc encryption key for data sent from client to
server
Mc MAC key for data sent from client to server
Ks encryption key for data sent from server to
client
Ms MAC key for data sent from server to client
Takes master secret and (possibly) some
additional random data and creates the keys

Virtual Networks
100
101
Data Transfer and closure

SSL breaks stream in series of records
Each record carries a MAC
Receiver can act on each record as it arrives

length
data
MAC

sequence number into MAC
MAC MAC(Mx, sequencedata)
Note no sequence number field
Use of random numbers
record types, with one type for closure
type 0 for data type 1 for closure

Virtual Networks
101
102
SSL Record Format
Data and MAC encrypted
Virtual Networks
102
103
Real Connection
Everything henceforth is encrypted
TCP Fin follow
Virtual Networks
103
104
Chapter 5 Virtual Networks

5.2 Virtual Private Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area Networks, VLAN

5.1 Security in networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalisis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems

105
VLAN

Introduction
Las LANs institucionales modernas suelen
presentar topología jerárquica
Cada grupo de trabajo posee su propia LAN
conmutada
Las LANs conmutadas pueden interconectarse entre
sí mediante una jerarquía de conmutadores

S1
A
C
B
106
VLAN

Inconvenientes
Falta de aislamiento del tráfico
Tráfico de difusión
Limitar tráfico por razones de seguridad y
confidencialidad
Uso ineficiente de los conmutadores
Gestión de los usuarios

107
VLAN

VLAN
VLAN basada en puertos
División de puertos del conmutador en grupos
Cada grupo constituye una VLAN
Cada VLAN es un dominio de difusión
Gestión de usuario -gt Cambio de configuración del
conmutador

G
A
B
C
D
E
F
H
I
108
VLAN

VLAN
Cómo enviar información entre grupos?
Conectar puerto del conmutador VLAN a router
externo
Configurar dicho puerto como miembro de ambos
grupos
Configuración lógica -gt conmutadores separados
conectados mediante un router
Normalmente los fabricantes incluyen en un único
dispositivo conmutador VLAN y router

G
A
B
C
D
E
F
H
I
109
VLAN

VLAN
Localización diferente
Miembros de un grupo se encuentran en edificios
diferentes
Necesario varios conmutadores
Conectar puertos de grupos entre conmutadores -gt
No escalable

C
F
G
A
B
D
E
H
I
110
VLAN

VLAN
Localización diferente
Troncalización VLAN (VLAN Trunking)
Puerto troncal pertenece a todas las VLANs
VLAN Destino de la trama? -gt formato de trama
802.1Q

Enlace troncal
C
F
G
A
B
D
E
H
I
111
VLAN

IEEE 802.1Q
IEEE 802.3 (Ethernet)
IEEE 802.1Q

Dir. Destino
Dir. Origen
Datos
Preambulo
Tipo
CRC
Dir. Destino
Dir. Origen
CRC nuevo
Datos
Preambulo
Tipo
TPID
TCI
Información de control de etiquetado
Identificador de protocolo de etiquetado
112
VLAN

VLAN
VLAN basada en MAC (nivel 2)
El administrador de red crea grupos VLAN basados
en rangos de direcciones MAC
El puerto del conmutador se conecta a la VLAN
correspondiente con la dirección MAC del equipo
asociado
VLAN nivel 3
Basada en direcciones de red IPv4 o IPv6
Basada en protocolos de red (Appletalk, IPX,
TCP/IP)