Chapter 19 VPN and NAT (PowerPoint presentation, 70 slides)
  • Nelson Azadian
  • Victor Seletskiy
  • Pavel Dikhtyar

VPN Overview
  • Why we need Virtual Private Networks.
  • What a Virtual Private Network consists of.
  • What a Virtual Private Network does.
  • How a Virtual Private Network does what it does.
  • Pros and Cons of VPNs

Imagine the Following Scenario
  • You are a network administrator hired by a
    company to create a network which is both private
    yet able to access the internet.
  • How would you do it?

You Could
  • Create a network comprised of both an internal
    and external network. By internal we mean a
    network which is unavailable to those outside of
    the network. Conversely, by external we mean a
    network which is available to those outside of
    the network.

  • (Diagram, not reproduced in this transcript.) The
    result is two networks: an internal network, which
    has no access to the internet, i.e. is private,
    and an external network, which is allowed access
    to the internet, i.e. is public.

Continuing With Our Previous Scenario
  • Let's say the same company, which had previously
    hired you to build a network, decides to build
    another office building 100 miles away from its
    current office building. You are once again hired
    by the company to build a private network between
    the two office buildings.
  • How would you do it?

What Won't Work
  • A LAN based private network would be out of the
    question: stretching a LAN across 100 miles would
    cost far too much to build and maintain.

Continuation of What Won't Work
  • We could use a WAN based network to connect both
    office buildings. However, the same problem
    arises: building and maintaining a dedicated WAN
    is costly.
  • What about Leased Lines?

What Will Work
  • What are Leased Lines?
  • Leased Lines are circuit-switched (connection
    based) rather than packet-switched lines which a
    phone company or internet service provider leases
    to an individual or corporation.
  • Because the circuit is dedicated to one customer,
    traffic on a leased line is not mixed with other
    customers' traffic, so it stays private. Note that
    the line itself encrypts nothing; its privacy rests
    on the carrier's physical isolation of the circuit.
  • Unfortunately, leased lines are expensive and for
    many companies out of their budget.

Why We Need Virtual Private Networks
  • VPNs, or Virtual Private Networks, are a cheaper
    and effective alternative to leased lines which,
    like leased lines, allow networks to remain
    private.
  • Unlike leased lines, VPNs do so over packet
    switched networks, i.e. over virtual rather than
    physical lines.

What a Virtual Private Network Consists of
  • A Virtual Private Network consists of a router
    (or dedicated appliance) running VPN software,
    which acts as a gateway between an external
    network, i.e. the internet, and an internal
    network, i.e. some private network.

What a Virtual Private Network Does
  • When a host on an internal, i.e. private, network
    needs to send a packet to a host not on its own
    internal network it sends the packet to the
    specialized router.

Continuation of What a Virtual Private Network Does
  • Once the specialized router receives the packet
    it examines the destination of the packet.
  • The router then encrypts the packet, places it
    inside a new datagram, and sends that datagram off
    to its destination. The destination in question
    is another specialized router, similar to our
    previous one. This second router is the gateway of
    the VPN to which the destined host belongs; it
    decrypts the packet and forwards it on its own
    internal network.
  • We are not initially sending the packet to the
    destined host: the outer datagram carries only the
    two gateways' addresses.

How a Virtual Private Network Does What it Does
  • Virtual Private Networks use two basic techniques
    to allow them to remain both private, yet at the
    same time do so without the use of expensive
    connection based networks.
  • The two techniques in question
  • Encryption
  • Tunneling

What is Encryption?
  • Simply put, encryption is the process of
    transforming data so that it cannot be read by
    anyone who does not hold the key.
  • Take for instance the following example: L ORYH
    QDFKRV is really I LOVE NACHOS, encrypted with a
    simple Caesar (shift-by-3) cipher, in which each
    letter is replaced by the letter three places
    later in the alphabet.

Why Use Encryption?
  • The reason is simple: to keep the data of an
    internal network private while it crosses a public
    network, we need some way of hiding it. Hence we
    use encryption, taking our original data and
    transforming it so as to keep its original content
    secret.
  • Examples of encryption algorithms include DES,
    Triple DES and AES (symmetric ciphers, used for
    the bulk traffic) and RSA (a public-key algorithm,
    used for key exchange and authentication rather
    than for encrypting the traffic itself). DES, with
    its 56-bit key, is no longer considered secure.

Why Do We Encrypt the Entire Packet?
  • You may recall that I mentioned that the entire
    packet needed to be encrypted, i.e. data and
    header. Why?
  • Encrypting the data portion of the packet is not
    enough to ensure that our private network remains
    private. In order for our private network to
    remain truly private we must not only hide the
    data on the network but also the topology of that
    network.
  • Note: We still require the use of a globally
    valid IP address, otherwise we wouldn't be able
    to send the packet over the global external
    internet. However, this globally assigned IP
    address is assigned only to the VPN gateway and
    not to any of the hosts on the internal private
    network.

Continuation of Why We Encrypt the Entire Packet
  • Let's say we hadn't encrypted the entire packet,
    i.e. we had encrypted only the packet's data and
    not its header, and an unauthorized party was able
    to sniff or obtain a copy of the packet using a
    program such as Ethereal (now Wireshark). Though
    the unauthorized party would not be able to read
    the data, i.e. would not have the key necessary to
    decrypt the packet, the unauthorized party would
    still know the packet's source and destination,
    i.e. would know which specific host on the first
    VPN sent the packet to which specific host on the
    second VPN.

What's the Big Deal?
  • The big deal is that if the unauthorized party or
    attacker is able to find out where the packet
    came from as well as where it was destined to,
    the attacker learns internal addresses and traffic
    patterns that may help in further compromising
    either of the two VPNs, i.e. in breaking into one
    or both of them.
  • By encrypting the entire packet we keep both the
    data within the packet private as well as the
    existence, or location, of the two hosts
    private, i.e. we keep the topology of the
    internal private network hidden.

What is Tunneling?
  • Tunneling is basically a way of specifying that a
    datagram be sent to a specific router (the far
    gateway), rather than to a specific host: the
    encrypted packet travels as the payload of an
    outer datagram addressed to that router.

Why Specify a Router?
  • Question: How do we decrypt the packet the source
    host had originally sent?
  • Wrong Answer: Sending the key along with the
    encrypted packet is not a viable solution; anyone
    who can sniff the packet then also holds the key.
  • Correct Answer: Both routers must have agreed
    upon a key before any transmission of packets
    occurs. Therefore, in order to agree upon a
    specific key both routers must have already known
    about each other's existence, i.e. each must
    already have an entry for the other in its tunnel
    (routing) table, which on a VPN gateway is
    configured by hand.

A Common Misconception About Tunneling
  • The word tunneling tends to imply that a
    tunnel is a single path, leading from one
    endpoint to another.

Unfortunately This is Not True
  • With respect to VPNs, the word tunneling is
    used because in order to tunnel a packet the
    two endpoints of the tunnel, i.e. the routers
    which will encrypt and decrypt, must be known
    before a packet is encrypted and sent out onto
    the internet. We do not, however, specify a
    specific route the packet must follow, merely
    the first and last routers that send and receive
    the encrypted packet; the outer datagram is
    routed hop by hop like any other.

Pros of Virtual Private Networks
  • Practically guarantee network and data privacy.
  • Are a cheap and effective alternative to WANs or
    Leased Lines.
  • Easily map onto an existing network with little
    change to its addressing or infrastructure.
Cons of Virtual Private Networks
  • Unlike most routers, VPN gateway tables are not
    dynamic, i.e. must be entered by a network
    administrator.
  • If a VPN gateway goes down, it is very possible
    that the entire private network will lose
    connectivity to the external internet (and to the
    other site).
  • Absolute privacy is not guaranteed: no encryption
    algorithm is 100% foolproof, and the protection is
    only as good as the algorithm, key length and key
    management in use.

NAT Overview
  • VPN Types
  • Tunneling Types
  • Application Gateway
  • NAT

VPN Implementation
  • There are two common VPN implementations
  • Client-to-Site (Remote Access VPN)
  • Site-to-Site

Remote Access
  • A mobile user on a public network needs to reach
    the private network, for example to get at secure
    materials remotely or to use a secure remote
    management portal.

Remote Access Continued
  • It secures a path to the site's LAN, allowing the
    client to reach hosts that have only private
    network addresses.
  • The client-to-site VPN is a many-to-one VPN.
  • One or more clients can initiate a secure VPN
    connection to the VPN server, thus securely
    accessing internal data from an insecure remote
    network.

Site-to-Site
  • Used when an office requires sharing information
    across multiple LANs. The typical example of this
    is a company that has offices in two different
    geographical locations.

Site-to-Site Continued
  • Allows LANs to share information across the
    Internet without fearing that outsiders could
    view the content of the data stream.
  • The site-to-site VPN is a one-to-one VPN tunnel.
    Two servers or routers set up an encrypted IP
    tunnel to securely pass packets back and forth
    over the Internet. The VPN servers create a
    logical point-to-point connection over the
    Internet.
Tunneling in Detail
  • Tunneling involves three different protocols:
  • Carrier protocol - The protocol used by the
    network that the information is traveling over;
    for example, IP is the carrier protocol when the
    tunnel crosses the Internet.
  • Encapsulating protocol - The protocol (GRE,
    IPsec, L2F, PPTP, L2TP) that is wrapped around
    the original data.
  • Passenger protocol - The original data (IPX,
    NetBEUI, IP) being carried.

Tunneling Protocols
  • PPTP (Point-to-Point Tunneling Protocol)
  • L2TP (Layer 2 Tunneling Protocol)
  • IPsec Tunnel Mode
  • SSL/TLS (Secure Sockets Layer/Transport Layer
    Security)

PPTP
  • Point-to-Point Tunneling Protocol
  • Data is first encapsulated inside PPP packets
  • PPP packets are then encapsulated in GRE packets
    and sent over the link
  • Weak security: its MS-CHAP authentication and
    MPPE (RC4) encryption have known attacks
  • Low performance
  • Superseded by L2TP, which combines features of
    PPTP and L2F

IPsec
  • Internet Protocol Security (IPsec)
  • For Site-to-Site and Remote-Access VPNs
  • Features two encryption modes:
  • Tunnel: encrypts the original IP header and
    payload and prepends a new outer IP header
    addressed gateway to gateway
  • Transport: encrypts the payload only; the
    original IP header stays in the clear
  • Encrypts data between various devices:
  • Router to router
  • Firewall to router
  • PC to router
  • PC to server
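The difference between the two modes is exactly the point made earlier under "Why Do We Encrypt the Entire Packet?": what an on-path sniffer can read. The script below is an added example, not from the slides, serving both that discussion and the tunnel/transport bullets here. It builds a constructed inner datagram (host A 10.0.1.5 to host B 10.0.2.7, behind gateways 203.0.113.1 and 198.51.100.1; all addresses are assumptions), wraps it in an ESP-like envelope in each mode, and shows what a sniffer parsing the outer header sees. The "cipher" is an HMAC-SHA256 keystream XOR standing in for AES so the example runs with the standard library; it is not a real cipher, and header checksums are left zero because they are not the point.

```python
"""Added example: what a sniffer on the public Internet learns from an
IPsec-style packet in tunnel mode versus transport mode."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Constructed topology (assumption): A behind gateway G1, B behind gateway G2.
HOST_A, HOST_B = "10.0.1.5", "10.0.2.7"
GW_1, GW_2 = "203.0.113.1", "198.51.100.1"
PROTO_TCP, PROTO_ESP = 6, 50
SHARED_KEY = b"pre-agreed-between-the-two-gateways"   # stands in for an IKE-negotiated SA key


def ip_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header, no options; checksum left zero (not relevant here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def toy_encrypt(key: bytes, seq: int, data: bytes) -> bytes:
    """XOR with a keystream derived from HMAC-SHA256(key, seq||block).
    A stand-in for AES so the example is self-contained; NOT a real cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, struct.pack("!II", seq, off), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def esp_wrap(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """ESP-like: 32-bit sequence number in the clear, then the ciphertext."""
    return struct.pack("!I", seq) + toy_encrypt(key, seq, plaintext)


def esp_unwrap(key: bytes, blob: bytes):
    seq = struct.unpack("!I", blob[:4])[0]
    return seq, toy_encrypt(key, seq, blob[4:])       # XOR keystream is its own inverse


def tunnel_mode(inner_packet: bytes, seq: int = 1) -> bytes:
    """Whole inner datagram (header + payload) encrypted; new outer header G1 -> G2."""
    esp = esp_wrap(SHARED_KEY, seq, inner_packet)
    return ip_header(GW_1, GW_2, PROTO_ESP, len(esp)) + esp


def transport_mode(inner_packet: bytes, seq: int = 1) -> bytes:
    """Only the payload encrypted; the original addresses stay in the clear."""
    hdr, payload = inner_packet[:20], inner_packet[20:]
    esp = esp_wrap(SHARED_KEY, seq, payload)
    src, dst = str(IPv4Address(hdr[12:16])), str(IPv4Address(hdr[16:20]))
    return ip_header(src, dst, PROTO_ESP, len(esp)) + esp


def sniff(packet: bytes) -> dict:
    """What an on-path observer (Ethereal/Wireshark) reads without the key."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {"src": str(IPv4Address(fields[8])), "dst": str(IPv4Address(fields[9])),
            "proto": fields[6]}


def decapsulate_tunnel(packet: bytes) -> bytes:
    """Receiving gateway strips the outer header and decrypts the inner datagram."""
    _seq, inner = esp_unwrap(SHARED_KEY, packet[20:])
    return inner


# Constructed inner datagram: a TCP segment from host A to host B.
INNER = ip_header(HOST_A, HOST_B, PROTO_TCP, 12) + b"hello nachos"

if __name__ == "__main__":
    print("tunnel   :", sniff(tunnel_mode(INNER)))      # gateway addresses only
    print("transport:", sniff(transport_mode(INNER)))   # host addresses exposed
```

In tunnel mode the sniffer learns only that gateway G1 talks ESP to gateway G2; in transport mode it learns which internal host talks to which, which is the topology leak the earlier slides warn about.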

IPsec Tunneling
  • IP Encapsulating Security Payload (ESP)
  • Provides confidentiality and, optionally, message
    integrity and origin authentication, using
    ciphers such as DES, 3DES or AES.
  • It also includes an anti-replay mechanism: every
    ESP header carries a sequence number, which the
    receiver checks against a sliding window.
  • Internet Key Exchange (IKE)
  • AH and ESP need a shared secret key between
    peers. IKE defines an automatic means of
    negotiation and authentication for security
    associations (SAs). A security association is the
    set of agreed security parameters (algorithms,
    keys, lifetimes) for communication between two
    entities.
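The anti-replay mechanism mentioned above, as an added example (not from the slides): the receiver keeps the highest sequence number accepted so far plus a bitmap of the window below it, as specified for ESP in RFC 4303. A sequence number that is a duplicate, or that falls below the window, is rejected; the window size of 64 is the RFC's minimum recommendation and an assumption here.

```python
"""Added example: ESP anti-replay check with a sliding window (RFC 4303 style).
Sequence numbers travel in the clear but are covered by the integrity check,
so an attacker cannot forge them; this code stops him replaying captured ones."""


class AntiReplayWindow:
    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set  =>  sequence number (top - i) already seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False      # the first valid ESP sequence number is 1
        if seq > self.top:    # newer than anything seen: slide the window up
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False      # older than the window: reject
        if (self.bitmap >> diff) & 1:
            return False      # already seen: replay
        self.bitmap |= 1 << diff
        return True


def process(seqs):
    """Feed a sequence of received ESP sequence numbers; list of accept/reject."""
    w = AntiReplayWindow(64)
    return [w.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: in-order, two replays, a jump, a late but valid
    # packet, one just outside the window, one on its edge.
    print(process([1, 2, 3, 2, 1, 100, 40, 36, 37]))
```

Out-of-order delivery (40 arriving after 100) is tolerated; replays (2 and 1 again) and anything older than top minus the window (36 when top is 100) are dropped before decryption is even attempted.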

SSL/TLS
  • The SSL (Secure Sockets Layer) protocol was
    designed by Netscape Communications to enable
    secure data transfer between two devices over a
    public network. SSL protects applications running
    over TCP, and is mostly used to protect HTTP
    transactions. SSL has been replaced by Transport
    Layer Security (TLS).
  • To turn SSL/TLS into a remote access VPN,
    firms install an SSL/TLS VPN gateway at each
    site. The client establishes an SSL/TLS
    connection with this gateway, rather than with
    individual hosts within the site.

How SSL/TLS VPNs Work
  • In many cases, the SSL/TLS VPN gateway simply
    connects the client PC to a webserver. This is
    the traditional use of SSL/TLS in VPNs. Because
    the SSL/TLS gateway decrypts client traffic
    coming into the network, a firewall can inspect
    the traffic right after the VPN/SSL gateway.

SSL / TLS Continued
  • In other cases, the VPN gateway connects the
    client PC to a database server or other server
    that cannot communicate with a browser natively.
    The VPN gateway then intercepts messages from the
    server to the client PC and webifies them
    (converts them into webpages).

SSL / TLS Continued
  • In yet other cases, the SSL/TLS VPN gateway
    connects the client PC to a subnet of the
    network. The client can then connect to any host
    on the subnet.

SSL / TLS Client
  • Question: What does the client need to have?
  • For basic operation, the client only needs to
    have a browser that works with SSL/TLS. It is
    difficult to find a computer that does not have a
    browser or whose browser cannot work with
    SSL/TLS. Consequently, SSL/TLS can work with any
    client PC connected to the Internet. This makes
    SSL/TLS extremely attractive as a remote access
    technology.

IPsec vs. SSL VPN
  • Communication
  • Compared to IPsec, SSL is an application level
    transport protocol that transmits data over a
    standard TCP port (typically TCP port 443). IPsec
    provides application-transparent protection of
    layer 3 (IP) traffic, while SSL was designed to
    encrypt application traffic.
  • Information Exposure
  • Only designated people/computers are allowed
    access by IPsec, while SSL allows access from
    everywhere (e.g. internet kiosks). Information
    can be left behind (intentionally or
    unintentionally) on such machines.
  • Software Required
  • IPsec requires client software, while SSL needs
    only a standard web browser.

IPsec vs. SSL VPN Continued
  • SSL VPNs allow more precise access control.
  • First of all they provide tunnels to specific
    applications rather than to the entire corporate
    LAN. So, users on SSL VPN connections can only
    access the applications that they are configured
    to access rather than the whole network. Second,
    it is easier to provide different access rights
    to different users and have more granular control
    over user access.
  • Connectivity
  • IPsec connectivity can be adversely affected by
    firewalls or NAT devices between the client and
    gateway (NAT rewrites the addresses that AH
    integrity-protects, and ESP carries no port
    numbers for NAPT to translate), while SSL
    operates transparently across NAT, proxies, and
    most firewalls (most firewalls allow SSL traffic).
  • Security
  • SSL provides limited control over information
    access and over the client environment, so it is
    best suited to accessing less-sensitive
    information.

Private Address Protection
  • A VPN must protect internal information and
    prevent any direct connection between a trusted
    server or client and an untrusted host. This
    improves security because, without knowing the
    true IP address of a host, it is harder for an
    intruder to attack that machine.

Private Address Protection Continued
  • SSL, IPsec and other VPNs use two general
    communication schemes to keep private addresses
    hidden:
  • Application Gateways
  • NAT

Application Gateways
The application gateway acts as an intermediary
between the two endpoints. When a client issues a
request from the untrusted network, a connection
is established with the application gateway. The
proxy determines if the request is valid and then
sends a new request on behalf of the client to
the destination. By using this method, a direct
connection is never made from the trusted network
to the untrusted network and the request appears
to have originated from the application gateway.

Advantages of the Application Level
  • Application-specific proxies accept only packets
    generated by services they are designed to copy,
    forward, and filter; they offer no IP-level
    forwarding.
  • Only packets generated by these services can
    pass through the firewall. All other services
    are blocked.
  • If a network relies only on an application-level
    gateway, incoming and outgoing packets cannot
    reach services for which there is no proxy.
  • For example, only a Telnet proxy can copy,
    forward, and filter Telnet traffic.
  • Able to work without changes to the underlying
    infrastructure or addressing.
  • It can, for instance, tell the difference between
    a piece of e-mail containing text and a piece of
    e-mail containing a graphic image, or the
    difference between a webpage using Java and a
    webpage without.

Advantages of the Application Level Continued
  • Application-level Filtering
  • Examine and filter individual packets, rather
    than simply copying them and blindly forwarding
    them across the gateway.
  • Check each packet that passes through the
    gateway, verifying the contents of the packet up
    through the application layer.
  • Can filter particular kinds of commands or
    information in the application protocols (e.g.,
    allow FTP GET but not PUT; refuse to retrieve
    HTTP objects ending in .exe).
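The two filtering examples in the last bullet, as an added example rather than code from the slides: a policy function per proxied protocol, and a dispatcher that blocks any service for which no proxy exists. The command sets and the two sample policies are assumptions chosen to illustrate the point; note the HTTP check decodes percent-escapes first, since `setup%2Eexe` is the same object as `setup.exe` and a naive suffix test would let it through.

```python
"""Added example: application-level filtering decisions that a packet filter
cannot make, because they depend on reading the application protocol."""
from urllib.parse import unquote, urlsplit

# Read-only subset of FTP commands (assumption): retrievals pass, uploads do not.
FTP_ALLOWED = {"USER", "PASS", "CWD", "PWD", "LIST", "NLST", "RETR", "TYPE",
               "PASV", "PORT", "SIZE", "QUIT"}


def ftp_policy(cmdline: str) -> bool:
    """Allow the FTP command only if its verb is on the read-only list
    (RETR is 'GET'; STOR, the 'PUT', is absent)."""
    verb = cmdline.strip().split(" ", 1)[0].upper()
    return verb in FTP_ALLOWED


def http_policy(request_line: str) -> bool:
    """Refuse retrieval of objects whose path ends in .exe, case-insensitively
    and after percent-decoding, ignoring any query string."""
    try:
        method, target, _version = request_line.strip().split(" ")
    except ValueError:
        return False                      # malformed request line: do not forward
    if method not in {"GET", "HEAD", "POST"}:
        return False
    path = unquote(urlsplit(target).path)
    return not path.lower().endswith(".exe")


PROXIES = {"ftp": ftp_policy, "http": http_policy}


def gateway_decision(service: str, line: str) -> bool:
    """Only services with a proxy can pass; everything else is blocked outright."""
    policy = PROXIES.get(service)
    return policy(line) if policy else False


if __name__ == "__main__":
    # Constructed sample requests
    for svc, line in [("ftp", "RETR report.pdf\r\n"), ("ftp", "STOR payload.bin\r\n"),
                      ("http", "GET /index.html HTTP/1.1"),
                      ("http", "GET /download/setup.EXE?x=1 HTTP/1.1"),
                      ("http", "GET /setup%2Eexe HTTP/1.1"), ("telnet", "login")]:
        print(svc, repr(line.strip()), "->", "allow" if gateway_decision(svc, line) else "block")
```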

Disadvantages of the Application Level
  • Lack of generality: each application gateway
    handles only one specific service; multiple
    gateways are required for multiple services.
  • Performance: a significant disadvantage of
    application gateways is the impact they can have
    on performance. Since all incoming and outgoing
    traffic is inspected at the application level,
    they are typically slower: all traffic must be
    processed up through all seven layers of the OSI
    model before being inspected.

NAT
  • Network Address Translation provides IP-level
    access between hosts at a site and the rest of
    the Internet without requiring each host at the
    site to have a globally valid IP address.
  • NAT requires the site to have a single connection
    to the global Internet and at least one globally
    valid IP address.
  • The NAT box runs NAT software; all datagrams pass
    through it as they travel from the site out to
    the Internet or from the Internet into the site.

NAT Continued
  • Outgoing traffic: the source IP address is
    replaced (the private address becomes the NAT
    box's global address).
  • Incoming traffic: the destination IP address is
    replaced (the global address becomes the private
    address of the intended host).

Translation Table
  • It identifies the correct host to which the
    datagram should be forwarded.
  • Each entry has two values:
  • Internal host IP address
  • External host IP address

Translation Table
  • Table Initialization
  • Manual
  • A manager configures the translation table
    manually before any communication occurs. This
    provides a permanent mapping and allows IP
    datagrams to be sent in either direction.
  • Outgoing datagrams
  • NAT uses the outgoing datagram to create a
    translation table entry that records the source
    and destination addresses. It is automatic, but
    does not allow communication to be initiated
    from outside.
  • Incoming name lookups
  • The table is built as a side effect of handling
    domain name lookups. When a host on the Internet
    looks up the domain name of an internal host, the
    site's name server answers with a global address
    and creates an entry in the NAT translation table
    to forward incoming datagrams to the correct
    internal host.

NAT and ICMP Overview
  • Port Mapped NAT
  • Interaction between NAT and ICMP
  • Interaction between NAT and Applications
  • NAT in the presence of Fragmentation
  • Conceptual Address Domains
  • Implementations of NAT

Port-Mapped NAT
  • NAPT: Network Address Port Translation
  • Provides concurrency by translating port numbers
    as well as addresses.
  • Expands the NAT translation table to contain:
  • Source and destination IP addresses (as in NAT)
  • Source and destination port numbers
  • The NAT-assigned port number (the port the NAT
    router uses on the global side in place of the
    internal host's source port)

NAPT Diagram
Port-Mapped NAT Continued
  • In the course of communication NAPT assigns a
    unique port number to each connection that is
    used on the internet.
  • After NAPT translation, the receiving computer
    receives datagrams with the NAPT box's global
    address and the NAPT-assigned port number.
  • Biggest advantage is the amount of generality
    NAPT achieves with one global IP address.
  • Biggest disadvantage is that NAPT restricts
    communications to TCP or UDP only (ICMP queries
    can be handled by treating the ICMP identifier
    like a port; protocols that carry no port numbers
    cannot be multiplexed).

NAPT Process
Operation Of Port-Based NAT
  • Inside Client Generates Request And Sends To NAT
  • The device generates an HTTP request to the
    server.
  • The datagram is sent to the NAT-capable router
    that connects the organization's internal network
    to the Internet.
  • NAT Router Translates Source Address And Port And
    Sends To Outside Server
  • The router substitutes the inside global address
    and also chooses a new source port number for
    this request.
  • The destination address and port are not changed.
  • The NAT router puts the address and port mapping
    into its translation table. It sends the modified
    datagram out, which arrives at the outside
    server.
  • Outside Server Generates Response And Sends Back
    To NAT Router
  • The outside server generates an HTTP response.
  • It sends the response back to the NAT router (the
    server knows only the router's global address and
    port).
  • NAT Router Translates Destination Address And
    Port And Delivers Datagram To Inside Client
  • The NAT router consults its translation table and
    knows which inside host this datagram is for.
  • The destination address and port are changed but
    not the source.
  • The router delivers the datagram back to the
    originating client.
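The translation table from the earlier slides and the four-step NAPT operation just described, run through in code. This is an added example, not from the slides; the global address 203.0.113.10, the inside hosts and the port range starting at 40000 are constructed. It shows the two things a diagram cannot: two inside hosts that happen to use the same source port get distinct NAT ports, and an inbound datagram with no table entry is dropped, unless a manual (static) entry was configured for it.

```python
"""Added example: NAPT translation table. Outbound datagrams create entries and
leave with the NAT box's global address and a NAT-chosen source port; replies
are mapped back; inbound datagrams with no entry are dropped."""
from dataclasses import dataclass, replace

GLOBAL_ADDR = "203.0.113.10"     # the site's single globally valid address (constructed)


@dataclass(frozen=True)
class Datagram:
    proto: str      # "tcp" or "udp"; anything else carries no port to translate
    src: str
    sport: int
    dst: str
    dport: int


class NAPT:
    def __init__(self, global_addr, first_port=40000):
        self.global_addr = global_addr
        self.next_port = first_port
        self.out_map = {}   # (proto, in addr, in port, out addr, out port) -> NAT port
        self.in_map = {}    # (proto, NAT port, out addr, out port) -> (in addr, in port)

    def add_static(self, proto, inside_addr, inside_port, nat_port):
        """Manual entry: permanent mapping that also accepts connections
        initiated from outside (None wildcards the outside endpoint)."""
        self.in_map[(proto, nat_port, None, None)] = (inside_addr, inside_port)

    def outbound(self, d):
        """Site -> Internet: learn the mapping on first sight, rewrite src addr/port."""
        if d.proto not in ("tcp", "udp"):
            return None                              # NAPT cannot multiplex it
        key = (d.proto, d.src, d.sport, d.dst, d.dport)
        nat_port = self.out_map.get(key)
        if nat_port is None:
            nat_port = self.next_port                # a port no other mapping uses
            self.next_port += 1
            self.out_map[key] = nat_port
            self.in_map[(d.proto, nat_port, d.dst, d.dport)] = (d.src, d.sport)
        return replace(d, src=self.global_addr, sport=nat_port)

    def inbound(self, d):
        """Internet -> site: rewrite dst addr/port from the table, or drop (None)."""
        if d.proto not in ("tcp", "udp"):
            return None
        inside = (self.in_map.get((d.proto, d.dport, d.src, d.sport))
                  or self.in_map.get((d.proto, d.dport, None, None)))
        if inside is None:
            return None                              # unsolicited: no entry, dropped
        return replace(d, dst=inside[0], dport=inside[1])


if __name__ == "__main__":
    nat = NAPT(GLOBAL_ADDR)
    req = Datagram("tcp", "10.0.0.5", 4000, "198.51.100.7", 80)   # constructed HTTP request
    out = nat.outbound(req)
    print("on the wire :", out)
    print("reply mapped:", nat.inbound(Datagram("tcp", "198.51.100.7", 80, GLOBAL_ADDR, out.sport)))
```

Because the inbound lookup includes the outside address and port, a reply is only accepted from the host the inside client actually contacted; a datagram from another outside host to the same NAT port finds no entry and is discarded.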

Interaction between NAT and ICMP
  • Unexpected side effects of NAT.
  • NAT changes the IP address in the source field.
  • NAT must therefore handle higher layer protocols.
  • Must handle ICMP (one of the most important
    cases).
  • Determines if an ICMP message should be handled
    locally or sent to an internal host.
  • If sending to an internal host, NAT must
    translate the ICMP message.
  • ICMP message translation example.
  • Example message: destination unreachable.
  • The message contains the header of the datagram D
    that caused the error.
  • Since NAT translated the address in the header of
    D before sending it, NAT must open the ICMP
    message and translate the address in D's header
    back to the original host's address.
  • NAT must also recompute the checksum of the D
    header and of the ICMP message (and of the outer
    IP header it rewrites).
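The destination-unreachable case above, done byte by byte. This is an added example, not code from the slides; the addresses (inside host 10.0.0.5, NAT box 203.0.113.10, remote 198.51.100.7) and ports are constructed. It builds the ICMP error that the remote host would send back quoting D's translated header, then performs the reverse translation: rewrite the quoted source address (and, since this is NAPT, the quoted source port), recompute the quoted header's checksum, recompute the ICMP checksum that covers the quoted bytes, and finally translate the outer header as for any inbound datagram.

```python
"""Added example: reverse-translating an inbound ICMP Destination Unreachable.
The message quotes the header (+8 bytes) of the datagram D that triggered it;
NAT rewrote D's source on the way out, so the quote must be rewritten back and
every checksum that covers it recomputed."""
import struct
from ipaddress import IPv4Address

# Constructed addresses/ports for the scenario
INSIDE_HOST, NAT_GLOBAL, REMOTE = "10.0.0.5", "203.0.113.10", "198.51.100.7"
INSIDE_PORT, NAT_PORT = 4000, 40000


def checksum(data: bytes) -> int:
    """Standard Internet checksum (RFC 1071); evaluates to 0 over a correct header."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def icmp_unreachable(offending: bytes) -> bytes:
    """ICMP type 3 code 3 (port unreachable), quoting the offending header + 8 bytes."""
    body = struct.pack("!BBHI", 3, 3, 0, 0) + offending
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def addrs(pkt: bytes):
    """(src, dst) of the IPv4 header that starts at pkt[0]."""
    return str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))


def quoted_sport(pkt: bytes) -> int:
    """Source port in the quoted transport header: outer 20 + ICMP 8 + inner 20."""
    return struct.unpack("!H", pkt[48:50])[0]


def nat_inbound_icmp(pkt: bytes, nat_global: str, inside_host: str, inside_port=None) -> bytes:
    outer, icmp = bytearray(pkt[:20]), bytearray(pkt[20:])
    if outer[9] != 1:
        raise ValueError("not ICMP")
    if icmp[0] not in (3, 4, 5, 11, 12):          # error types that quote the offending datagram
        raise ValueError("not an ICMP error message; nothing quoted to translate")
    inner = icmp[8:]                               # quoted header of D (+ 8 bytes of D's payload)
    if str(IPv4Address(bytes(inner[12:16]))) != nat_global:
        raise ValueError("quoted datagram did not leave through this NAT box")
    # 1. put the inside host's address (and, for NAPT, port) back into the quoted header
    inner[12:16] = IPv4Address(inside_host).packed
    if inside_port is not None and inner[9] in (6, 17):
        inner[20:22] = struct.pack("!H", inside_port)
    inner[10:12] = b"\0\0"
    inner[10:12] = struct.pack("!H", checksum(bytes(inner[:20])))
    # 2. the ICMP checksum covers the quoted bytes, so it changes too
    icmp[8:] = inner
    icmp[2:4] = b"\0\0"
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    # 3. ordinary inbound translation of the outer header
    outer[16:20] = IPv4Address(inside_host).packed
    outer[10:12] = b"\0\0"
    outer[10:12] = struct.pack("!H", checksum(bytes(outer)))
    return bytes(outer + icmp)


def build_scenario() -> bytes:
    """Constructed: D left the site as NAT_GLOBAL:NAT_PORT -> REMOTE:53 (UDP) and REMOTE
    answers with port unreachable. The quoted UDP checksum is zero (unused), so it
    needs no adjustment."""
    d_as_sent = ipv4(NAT_GLOBAL, REMOTE, 17, struct.pack("!HHHH", NAT_PORT, 53, 8, 0))
    return ipv4(REMOTE, NAT_GLOBAL, 1, icmp_unreachable(d_as_sent[:28]))


def checksums_ok(pkt: bytes) -> bool:
    """Outer IP, ICMP and quoted inner IP checksums all verify."""
    return checksum(pkt[:20]) == 0 and checksum(pkt[20:]) == 0 and checksum(pkt[28:48]) == 0


if __name__ == "__main__":
    translated = nat_inbound_icmp(build_scenario(), NAT_GLOBAL, INSIDE_HOST, INSIDE_PORT)
    print("outer :", addrs(translated), "quoted:", addrs(translated[28:]),
          "quoted sport:", quoted_sport(translated), "checksums ok:", checksums_ok(translated))
```

Without step 1 the inside host would receive an error quoting a datagram it never sent (source 203.0.113.10) and its stack would ignore it; without step 2 the host would discard the message as corrupt.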

Interaction Between NAT and Applications
  • NAT's effect on application protocols.
  • In general NAT will not work with any application
    that sends IP addresses or protocol ports as
    data.
  • Example application protocol: FTP.
  • Part of the FTP protocol is one machine obtaining
    the port number of another machine over a TCP
    control connection.
  • In the FTP protocol the port number is sent as
    data.
  • In order for this protocol to function properly
    through NAPT, the port number in the data stream
    must be changed to agree with the port NAPT
    assigned.
  • NAT recognition of application protocols.
  • Implementations of NAT have been created that
    recognize popular protocols such as FTP and make
    the necessary changes in the data stream.

Interaction Between NAT and Applications Continued
  • Custom application protocols are nonfunctional
    with NAT.
  • NAT affects ICMP and higher level protocols.
  • An application protocol that passes IP addresses
    or protocol port numbers as data will not operate
    correctly across NAT.
  • Changing items in a data stream increases the
    complexity of NAPT (when making application
    protocols work through it).
  • NAPT must have detailed knowledge of each
    application that transfers such information.
  • If items are represented in ASCII (as in the FTP
    protocol) changing the value can change the
    number of octets transferred.
  • Inserting or removing octets in the data stream
    is difficult because every octet in a TCP stream
    has a sequence number.
  • The sender and receiver don't know that the octet
    count has been changed, so they would get out of
    sync.
  • NAT therefore has to translate the sequence
    numbers in each outgoing segment and the
    acknowledgement numbers in each incoming segment.
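The FTP case from the last two slides, as an added example (not code from the slides): an ALG that rewrites the ASCII PORT command, records the data-connection mapping, and compensates for the changed octet count in both directions. The global address 203.0.113.10, the inside client 10.0.0.5 and the NAT data-port range are constructed. In the sample, `PORT 10,0,0,5,4,1` (19 octets) becomes `PORT 203,0,113,10,195,80` (26 octets), so every later client segment must be sent with its sequence number raised by 7 and every server acknowledgement lowered by 7 before the client sees it.

```python
"""Added example: FTP-aware NAPT rewriting the PORT command in the data stream
and fixing TCP sequence/acknowledgement numbers for the changed length."""
import re

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


class FtpAlg:
    def __init__(self, global_addr: str, first_port: int = 50000):
        self.global_addr = global_addr
        self.next_port = first_port
        self.data_map = {}      # NAT data port -> (inside addr, inside port)
        self.seq_delta = 0      # net octets added (+) or removed (-) so far on this stream

    def _map_port(self, inside_addr: str, inside_port: int) -> int:
        """Reserve a global-side port for the announced data connection."""
        p = self.next_port
        self.next_port += 1
        self.data_map[p] = (inside_addr, inside_port)
        return p

    def rewrite_port_cmd(self, line: bytes) -> bytes:
        """Replace the client's private address/port with the NAT box's; other
        lines pass through untouched."""
        m = PORT_RE.match(line)
        if not m:
            return line
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        nat_port = self._map_port(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
        g = self.global_addr.replace(".", ",")
        return f"PORT {g},{nat_port // 256},{nat_port % 256}\r\n".encode()

    def outbound_segment(self, seq: int, payload: bytes):
        """Client -> server: shift seq by the delta accumulated *before* this
        segment, rewrite the payload, then account for any new length change."""
        seq_out = seq + self.seq_delta
        new_payload = self.rewrite_port_cmd(payload)
        self.seq_delta += len(new_payload) - len(payload)
        return seq_out, new_payload

    def inbound_ack(self, ack: int) -> int:
        """Server -> client: the server acknowledges what it saw; undo the delta
        so the client sees an ACK for the bytes it actually sent."""
        return ack - self.seq_delta


if __name__ == "__main__":
    alg = FtpAlg("203.0.113.10")
    # Constructed control-connection exchange
    print(alg.outbound_segment(1000, b"PORT 10,0,0,5,4,1\r\n"))   # (1000, rewritten, 26 octets)
    print("server ACK 1026 shown to client as", alg.inbound_ack(1026))
    print(alg.outbound_segment(1019, b"RETR file.txt\r\n"))       # client seq 1019 -> 1026 on wire
```

The delta must be applied per connection and per direction; a real ALG also tracks the PASV reply in the server-to-client direction, which this example leaves out.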

NAT in the Presence of Fragmentation
  • Assumptions about IP.
  • In describing NAT an assumption was made that the
    NAT system receives complete IP datagrams, not
    fragments.
  • Fragmentation creates added complexity in NAPT
    (the widely used version of NAT).
  • NAPT uses information (port numbers) from the
    transport header.
  • Only the first fragment of a datagram carries the
    transport protocol header.
  • Before NAPT can operate on a datagram, it must
    receive and examine the first fragment of that
    datagram; later fragments carry only an IP
    header.
  • Resolutions of the NAPT datagram fragmentation
    problem:
  • Some implementations (practical on slow networks)
    save fragments and reassemble the datagram.
  • Others simply reject fragmented datagrams.
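A middle path between the two resolutions above, as an added example that is not from the slides: instead of reassembling, hold any fragment that arrives before the first one, and release it as soon as the first fragment reveals the port mapping. Fragments are modelled as small dictionaries and the NAPT table is a pre-filled mapping from (inside address, source port) to NAT port; both are assumptions for illustration, as is the constructed out-of-order arrival.

```python
"""Added example: NAPT with fragments. Only the offset-0 fragment carries the
UDP/TCP header, so a later fragment arriving first is held until the first one
establishes which NAT port this datagram maps to."""


class FragmentAwareNapt:
    def __init__(self, port_map, global_addr):
        self.port_map = port_map      # (inside addr, inside sport) -> NAT port (from the NAPT table)
        self.global_addr = global_addr
        self.pending = {}             # (src, dst, ip id) -> NAT port (int) or held fragments (list)

    def handle(self, frag):
        """frag: dict with src, dst, id, offset, more, and sport only when offset == 0.
        Returns the fragments that can be forwarded now, already translated."""
        key = (frag["src"], frag["dst"], frag["id"])
        state = self.pending.get(key)
        if isinstance(state, int):                         # mapping already known
            return [self._translate(frag, state)]
        if frag["offset"] == 0:                            # first fragment: learn the mapping
            nat_port = self.port_map[(frag["src"], frag["sport"])]
            held = state or []
            self.pending[key] = nat_port
            return [self._translate(f, nat_port) for f in [frag] + held]
        self.pending[key] = (state or []) + [frag]         # arrived before the first: hold it
        return []

    def _translate(self, frag, nat_port):
        """Address rewrite on every fragment; port rewrite only where the header is."""
        out = dict(frag, src=self.global_addr)
        if frag["offset"] == 0:
            out["sport"] = nat_port
        return out


if __name__ == "__main__":
    napt = FragmentAwareNapt({("10.0.0.5", 4000): 40000}, "203.0.113.10")
    # Constructed arrival order: second fragment first, then the first, then a third.
    base = {"src": "10.0.0.5", "dst": "198.51.100.7", "id": 7}
    print(napt.handle(dict(base, offset=1480, more=True)))              # [] (held)
    print(napt.handle(dict(base, offset=0, more=True, sport=4000)))     # both, translated
    print(napt.handle(dict(base, offset=2960, more=False)))             # one, translated
```

A production implementation must also expire `pending` entries that never see their first fragment, or an attacker can fill the box's memory with orphan fragments.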

Conceptual Address Domains
  • The standard use of NAT is to connect a private
    network to the global Internet.
  • NAT can be used to interconnect any two address
    domains.
  • It can be used between two corporations that use
    the same private address space.
  • NAT can also be used at two levels.
  • It can be used between a customer's private
    domain and the ISP's private address domain
    (first level).
  • It can also be used between the ISP's address
    domain and the global Internet (second level).
  • Combination of NAT and VPN.
  • A hybrid architecture can be created in which
    private addresses are used within the
    organization and NAT is used to provide
    connectivity between each site and the global
    Internet.
  • Example of multiple levels of NAT
  • An employee working from several computers at
    home connected to a LAN.
  • He can assign private addresses to his machines
    and use NAT between home and the corporate
    intranet.
  • The corporation can assign private addresses to
    its intranet and use NAT between the intranet and
    the global Internet.

Slirp and IP Tables
  • Two popular implementations of NAT:
  • Slirp (derived from 4.4 BSD)
  • Combines PPP and NAT.
  • Is used in a dialup architecture:
  • One valid global IP address.
  • Permanent internet connection.
  • One or more dialup modems.
  • Implements NAPT (uses port numbers).
  • Multiple computers can access the internet at the
    same time.
  • Main advantage is that it runs under an ordinary
    UNIX user account with internet access; no kernel
    changes or root privileges are needed.
  • iptables (Linux operating system)
  • A combination of tools for packet rewriting and
    filtering.
  • Provides stateful packet inspection (via the
    kernel's connection tracking).
  • NAT or NAPT can be built using specific sets of
    iptables rules (e.g. a MASQUERADE or SNAT rule in
    the POSTROUTING chain of the nat table).

Summary
  • VPN offers a low cost alternative that allows an
    organization to use the global internet to
    securely interconnect multiple sites.
  • Two technologies exist that provide communication
    between hosts in different address domains.
  • Application gateways act as a proxy by receiving
    a request from a host in one domain, forwarding
    it to another domain, and later returning the
    result to the original host.
  • Network Address Translation provides transparent
    IP-level access to the internet from a host with
    a private address.
  • Most NAT implementations perform Network Address
    and Port Translation (NAPT).

