Introduction to Virtual Private Network (VPN).ppt

AhmedJaha 143 views 69 slides Jun 30, 2024
Slide 1
Slide 1 of 69
Slide 1
1
Slide 2
2
Slide 3
3
Slide 4
4
Slide 5
5
Slide 6
6
Slide 7
7
Slide 8
8
Slide 9
9
Slide 10
10
Slide 11
11
Slide 12
12
Slide 13
13
Slide 14
14
Slide 15
15
Slide 16
16
Slide 17
17
Slide 18
18
Slide 19
19
Slide 20
20
Slide 21
21
Slide 22
22
Slide 23
23
Slide 24
24
Slide 25
25
Slide 26
26
Slide 27
27
Slide 28
28
Slide 29
29
Slide 30
30
Slide 31
31
Slide 32
32
Slide 33
33
Slide 34
34
Slide 35
35
Slide 36
36
Slide 37
37
Slide 38
38
Slide 39
39
Slide 40
40
Slide 41
41
Slide 42
42
Slide 43
43
Slide 44
44
Slide 45
45
Slide 46
46
Slide 47
47
Slide 48
48
Slide 49
49
Slide 50
50
Slide 51
51
Slide 52
52
Slide 53
53
Slide 54
54
Slide 55
55
Slide 56
56
Slide 57
57
Slide 58
58
Slide 59
59
Slide 60
60
Slide 61
61
Slide 62
62
Slide 63
63
Slide 64
64
Slide 65
65
Slide 66
66
Slide 67
67
Slide 68
68
Slide 69
69

About This Presentation

Introduction to Virtual Private Network (VPN)

Size: 2.43 MB
Language: en
Added: Jun 30, 2024
Slides: 69 pages

Slide Content

Higher industry institute
Post Graduate Programme
ةيضارتفلإا ةصاخلا ةكبشلا
VPN
by
Ahmed joha

Introduction (ةمدقم)
كانهناتقيرطلاصتلالنعدعب:
الامعتسطخصاخ(ةكبشةصاخ).
–ةكبشنمعقومىلاعقوم(ريجأتطوطخةصاخطبرلعقاوملا–ةفلكتةيلاع).
–لوصولانعدْعُب
 مدوم(بلطيفتاه)
لامعتساتنرتنلإا.
–سيَل،صاخاذلجاتحيلنيمأتلاصتلاا.
–ةجاحلاءافخلإةكبشلاةيلخادلالخادتنرتنلإا.
–ةجاحلالوخدللىلاةكبشتلااصتاةيلحمنميأعقومثيحبحبصياذهعقوملاأكهن
ءزجنمةكبشلااهسفن.
لوصولانملآالامعتسابتنرتنلإالادبنمطخلاصاخلايمتنعقيرط
ةكبشلاةّصاخلاةيضارتفلاا.

ةصاخلا ةكبشلا
و نمآ لاصتاقوثوم.
ةصاخ طوطخ ريجأت ىلإ جاتحي هنلأ ةيلاع ةفلكت. ِ
عقوم1
صاخ طخ
عقوم2

Internet
ةيضارتفلاا ةصاخلا ةكبشلا(VPN)
ةكبشةصاخلمعتسَتةكبشةماع(ةداعتنرتنلإا)لطبر

عقاوملاوَأيمدختسملاننعدعب
عمضعبسفنبتازيمممأوانةكبشلاةصاخلا.
ةداعمتياهنيوكتنعقيرط:
–ءاشناقفن.
–ريفشتتانايبلا.
–ققحتلانمنيمدختسملا.
Acme Corp
Site 1VPN VPN Site 2

عاونأVPNs
Remote Access VPN(لاصتلاادعب نع)
– لوصو ةيناكمإ رفوي نيمدختسملاخادلا ةكبشلا ىلإ ةيل
للناكم يأ نم ةسسؤم.
–تليلق ةفلكتصتا ةصاخو فتاهلا قيرط نع لاصتلاا تلاا
ةليوطلا تافاسملا.
Internet
Corporate
Site
Remote
User

عاونأVPNs
RemoteAccessVPN(لاصتلاانعدعب)
Site-to-SiteVPN(عقومىلاعقوم)
–رفويةيناكمإطبرعورفةسسؤملاعماهضعبضعبلا.
–تليلقةفلكتلاصتلاانعقيرططوطخلاةصاخلاةرجؤملا.
Corporate
Site
Branch
Office
Internet

عاونأVPNs
RemoteAccessVPN(لاصتلاانعدعب)
Site-to-SiteVPN(عقومىلاعقوم)
ExtranetVPN
– لوصولا نم ءلامعلاو ءاكرشلا نكمي
تانايب ضعب ىلاةسسؤملا ةكبش.
–تليلقتايلمعلاو تاقفصلا ةفلكت.
Corporate
Site
Internet
Partner
Supplier

عاونأVPNs
RemoteAccessVPN(لوادتلنعدْعُب)
Site-to-SiteVPN(عقومىلاعقوم)
ExtranetVPN(ةكبشتامولعملاةدعاسملا)
Client/ServerVPN)ليمع/مداخ)
–يمْحَت ُتلااصتإ ُةيلخاد ُةساّسح
– ُأشْنَترثكأ تامجهلانمضةسسؤملا
Internet
LAN
clients
Database
Server
LAN clients
with
sensitive
data

تازيممVPNs
ةضفخملا ةفلكلا
– ةرجؤملاو ةصاخلا طوطخلا ةفلك ضيفخت
–ةليوطلا ةفاسملا تاملاكم ضيفخت
– ِ ةزهجلأا ةفلكت ضيفت(مدوملا فرصمModem Bank /CSU /DSUS)
– ُةينقتلا ةدعاسملا ةفلكت ضيفخت
رثكأ ةنورم
– تنرتنلإا ةمدخ دّوزم ةميق نم عفرلا
– ةدّدعتملا لاصتلإا عاونأ لامعتسا(cable, DSL, T1, T3)
رثكأ عسوت
–ةعرسب ددج نيمدختسم و َةديدج َعقاوم ةفاضإ
– بلطلا ةي بْلَتل ةعسلا نينقت

VPN تاجايتحا
مدختسملا نم ق�قحتلا
–وصولا دودح ُدّدحُيو لمعتسملا ةيوه نم َقّقحُتي ْنَأ ُب جَي نإ يب يفةكبشلا ىلا َل
–اىتمو مدختسملا اهيلع علطي نا بجي يتلا تامولعملا نيبت َتلاجس ددحي.
 ناونع ةرادإ
– ّصاخلا ةكبشلا ىلع مدختسملا َناونع َصّصخُي ْنَأ ُب جَي نإ يب يف نيوانعلا ّنأب ُنمْضَيو ة
ةّصاخ ىقْبَت.
 تانايبلا ريفشت
–ب ةءارقلل ةحلاص ريغ ىقبتت ْنأ بجي ةّماعلا ةكبشلا لخاد ةلوقنملا تانايبلا نئابزلل ةبسنلا
ةكبشلا ىلع نيلّوخم ريغلا.
حاتفملا ةرادإ
–خلاو ليمعل ريفشتلا َحيتافم َشعنُيو َدّلوُي ْنَأ ُب جَي نإ يب يف مدا.
ماظنلا دّدعتم معد
–ختسملا تلاوكوتوربلا ةَجَلاَعُم ىلع رداق َنوُكَي ْنَأ ُب جَي نإ يب يف ةّماعلا ةكبشلا لخاد ةمد .
تنرتنلإا لوكوتورب نمضتت هذه(يب يآ)اذكهو ،.

Tunneling
ش تانايب لقنل ةطيسولا ةكبشلا لخاد قفن رْفَحىرخأ ةكب
 ةلوقنملا تانايبلا( وَألاةلومح )وُكَت ْنَأ ُنكمُي َتاراطإ َن( وَأ
مَزُر ) رخلآا ماظنلا ْن م.
Transit Internetwork
Tunnel Endpoints
Payload Payload
Tunneled
Payload
Transit
Internetwork
Header
Tunnel

Tunneling
 الادب ْن ملاسرأتانايبلاامكمتاهنيوكتيفردصملامتياهفيلغتنعطقير
لوكوتوربقفنلاةفاضإبناونعلوكوتوربقفنلااهيلع.
ةطساوبناونعلوكوتوربقفنلانكميهيجوتتانايبلاةف�لَغُملايكل َربْعَتةكبشلا
َةطيّسولا.
تانايبلا َةف�لَغُملاتي ّماهرييستنيبيتياهن قفنلاللاخبشلاةكةطيسولا.
 ّنإ َقيرطلا �يقطنملايذلاربعتهتطساوبتانايبلاةف�لَغُملالاخلةكبشلاةطيسولا
ىمسيقفن.
امدنع ُل صَتتانايبلاةف�لَغُملاىلإةياهنقفنلاىلعةكبشلاولاةطيس،متيةلازإ
فلاغلااهنعلسرتوىلإاههاجتا يئاهنلا.
ةظحلاُم:ةيلمع ُرفْحقفن ُنّمضتَتءارجإتايلمعلاةيلاتلاىلعبلاتاناي
–فيلغت
–لاسرإ
–ةلازإفلاغلا

Voluntary tunnels(ةيعوطلا قافنلأا)
رْفَحقفنلا َأدَبين ملب قمدختسملا
– ُبّلطتَت ُجماربمعد قفنلاىلع بوساح مدختسملا
 ُلمْعَيعميأتانوكمةكبش
قفنلانوكيفاّفشتانوكملةكبشلاةطيسولا
جماربقفنلابجينأنوكتةقفاوتملكلنمليمعلاو مداخلا
–PPTP،L2TP،L2F،IPSec،IP-IP
ةيناكمإلوصولانمازتملاىلإ تنارتنلإا(نعقيرط قفنلا)تنرتنلإاو
نومدختسملا ُن كْمُي ْنَأاولمعتسَي َتاباسح َةيصخشوصولل لىلاةكبشةكرشلا
–تاقيبطت بتاكملا ةديعبلا
–بلطلايفتاهلايفيبنإيفتلااح رورملاضفخنملا

Voluntary tunnels
DialAccessProvider
VPNService
ecsAcs
Server
DialAccess
Server
ClientHost
PPPaccessprotocol
Tunnel

Compulsory Tunnels(ةيمازللإا قافنلأا)
 ةطيسولا ةكبشلا ىلا لوصولا مداخ لبق نم أدبي قفنلا رفحNAS وَأ
Router
– ىلع قفنلا معد جمارب بلطتتNAS وَأRouter
نوبز ّيأ عَم ُلمْعَي
NAS اهسفن قفن َةقيرط َمعْدَي ْنَأ ُب جَي
 ل فافش نوكي قفنلاrouters ةطيسولا
 قفنلا مداخ ةَرَطْيَس َتْحَت ُةكبشلا ُلخْدَت
طقف قفنلا للاخ رمت ُن كْمُي مدختسملا تانايب
تنرتنلإاب لاصتلإا ةيناكمإ
–اقبسم ةف�رَعُملا لئاسولاب َنوُكَي ْنَأ ُب جَي
–رثكأ مكحت رثكأ
–بقارُي ْنَأ ُن كْمُي

Tunneling Protocols
GenericRoutingEncapsulation(GRE),asdefinedinRFCs
1701/1702,isusedbyawidevarietyoftunnelingprotocols
ThePoint-to-PointTunnelingProtocol(PPTP),createdby
MicrosoftandAscendCommunications,isanextensionof
Point-to-Pointprotocol(PPP)forWindowsandNetware
client/serverenvironments.
Layer-2Forwarding(L2F)isatunnelingprotocolcreatedby
CiscoSystems.
TheLayer-2TunnelingProtocol(L2TP)isproposedstandardto
combinebestfeaturesofL2FandPPTP.
IPsecsupportstunnelingwithorwithoutencryption.

Why So Many VPN Solutions?
Forsomecompanies,aVPNisasubstitutefor
remote-accessservers.
Forothers,aVPNmayconsistoftrafficoverthe
InternetbetweenprotectedLANs.
TheprotocolsthathavebeendevelopedforVPNs
reflectthisdichotomy.
PPTP,L2FandL2TParelargelyaimedatdialupVPNs
IPSec'smainfocushasbeenLAN-to-LANsolutions.

PPP (Point to Point Protocol )
Flag-indicatesbeginningorendofframe(b^01111110).
Address-containsstandardbroadcastaddress.
Control-callsfortransmissioninuserdata.
Protocol-identifierforencapsulatedprotocolin
informationfield.
Information-datagramforprotocol.
FCS-FrameCheckSequence.

PPP (Point to Point Protocol )
Layer-2frameformatحضومهبframedelimitation(ةيادب
ةياهنوراطلإا)وerrordetection( فشكأطخلا).
PPP َمّمُصلاسْرلإ تانايبلاربعdial-up(بلطلايفتاهلا)وأ
dedicatedpoint-to-pointconnections(طخلاصصخملا)
LinkControlprotocol(LCP):
–Connectionestablishment(سيسأت لاصتلإا)،test
(رابتخإ)،negotiation(تاضوافم)وreleaseءاهنإلاصتلإا.
NetworkControlProtocols(NCPs):
–negotiatenetworklayeroptions(اضوافتلىلعتارايخ
ةقبطةكبشلا)ةقيرطبةلقتسمنععونةقبطةكبشلاةمدختسملا.
–NCPفلتخملكلةقبطةكبشمتياهمعد.

PPP (Point to Point Protocol )
Authenticationprotocols:
PasswordAuthenticationProtocol(PAP)
ChallengeHandshakeAuthenticationProtocol(CHAP)
ExtensibleAuthenticationProtocol(EAP)
Encryptionprotocols:
EncryptionControlProtocol(ECP)fornegotiation
PPPDESEncryptionProtocol(DESE)
PPPTripleDESEncryptionProtocol(3DESE)

PPP (Point to Point Protocol )
PPP
PPP
EncapsulationIP, IPXPayload
PSTN (POTS / ISDN)
IP, IPXPayload
Private
Network
Public Switched Telephone
Network
Remote Client Remote Access Server

GRE (Generic Routing Encapsulation)

GRE (Generic Routing Encapsulation)
موقياذهلوكوتوربلاةيلمعبفيلغتيألوكوتوربامبيفكلذIP
لخادIPProtocol

Point-to-Point Tunneling Protocol (PPTP)
PAC

Point-to-Point Tunneling Protocol (PPTP)
Mainlyimplementedandused (تقبطوتمدختسا) byMicrosoft[RFC
2637]
–Extension (دادتما) ofPPP.
–Easytouseandtoimplement (ةلوهسمادختسلااوقيبطتلا) .
Allowstunnelling (رفحقفن) ofPPPdatagramsbetweenPPTP
Client (ليمع),andPPTPserver (مداخ), موقيلصفب NAS دوجوملايف PPPىلا
–PPTPAccessConcentrator(PAC)
NetworkaccessdevicesupportingPPTP
–PPTPNetworkServer(PNS)
Corporate(VPN)gateway.
Authentication
–UsesPPPauthentication.
Encryption
–MPPE(MicrosoftPoint-to-pointencryption).
Manysessionsmultiplexedonasingletunnel.
(ةدعتاسلجىلعقفنديحو)

Point-to-Point Tunneling Protocol (PPTP)

Point-to-Point Tunneling Protocol (PPTP)

Point-to-Point Tunneling Protocol (PPTP)
IP, IPXPayload
Private
Network
Internet
IP
ISP NASRemote Client Network Access Server
PSTN
PPP
over PSTN
PPPIP, IPXPayload
PSTN
Layer 2
IPGREPPPIP, IPXPayloadLayer 3

Point-to-Point Tunneling Protocol (PPTP)
SecurecommunicationcreatedusingPPTPtypicallyinvolvesthree
processes.Eachrequiressuccessfulcompletionoftheprevious
process. (تاوطخلاصتلااحجانلا)
PPPConnection
–APPTPclientusesPPPtoconnecttoanISPbyusingastandard
telephonelineorISDNline.
(موقيليمعلاءاشنإبلاصتإىلادوزمةمدختنرتنلاا)
PPTPControlConnection
–UsingtheconnectiontotheInternetestablishedbythePPPprotocol,the
PPTPprotocolcreatesacontrolconnectionfromthePPTPclienttoa
PPTPserverontheInternet.ThisconnectionusesTCPandisacalleda
PPTPtunnel.
(مادختسابلاصتلاادوزمبةمدخلامتيرفحقفنلا)
PPTPDataTunneling
–PPTPcreatesIPdatagramscontainingencryptedPPPpacketswhichare
sentthroughPPTPtunneltothePPTPserver.
(فيلغتتانايبلاةرفشملاواهلاسراربعقفنلاىلامداخلا)
–ThePPTPserverdisassemblestheIPdatagramsanddecryptsthePPP
packets,andthenroutesthedecryptedpacketstotheprivatenetwork.
(دنعةياهنقفنلامتتةلازافلاغلاوكفةرفشلانعتانايبلاةلسرملااهرييستوىلالبقتسملا)

Layer 2 Forwarding Protocol (L2F)
IP, IPXPayload
Private
Network
Internet
IP
ISP NASRemote Client Network Access Server
PSTN
PPP
over PSTN
PPPIP, IPXPayload
PSTN
Layer 2
IP
UDP Port 1701
over IP
UDPL2FPPPIP, IPXPayloadLayer 3

Layer 2 Forwarding Protocol (L2F)
Developed (متتوطيرهةطساوب) byCisco[RFC2341]
L2FprovidestunnelingbetweenanISP’sdial-up
serverandthenetwork.UserconnectstotheISP
usingPPP.
ThePPPframesarethenencapsulatedinsidean
L2Fframewhichisthenforwardedtoarouterfor
transmissionacrosstheInternet.
Authentication
–LikePPTP,UsesPPPauthentication.
Encryption
–doesnotprovideanydataencryption.
لا ُدّوزُي ّيأريفشتتانايب) )
Allowsmultipletunnelsandmultipleconnections
ontunnel (قافنأةددعتموتاسلجةددعتملكلقفن)

Layer 2 Tunneling Protocol (L2TP)

Layer 2 Tunneling Protocol (L2TP)
CombinesbestfeaturesofL2FandPPTP جمدتلضفأتازيم) )
–DevelopedbyIETF[RFC2661]
AllowstunnellingofPPPdatagramsbetweenL2TPClient,and
L2TPserver, موقيلصفب NAS دوجوملايف PPPىلا
–L2TPAccessConcentrator(LAC)
NetworkaccessdevicesupportingL2TP
–L2TPNetworkServer(LNS)
Corporate(VPN)Gateway
Allowsmultipletunnelswithmultiplesessionsinsideevery
tunnel (قافنأةددعتموتاسلجةددعتملكلقفن)
CPEbaseddeploymentmodebyincludingLACfunctionalities
withinuserterminal
Commonly used with IPSec -> L2TP/IPSec

Layer 2 Tunneling Protocol (L2TP)

Layer 2 Tunneling Protocol (L2TP)
IP, IPXPayload
Private
Network
Internet
IP
ISP NASRemote Client Network Access Server
PSTN
PPP
over PSTN
PPPIP, IPXPayload
PSTN
Layer 2
IP
UDP Port 1701
over IP
UDPL2TPPPPIP, IPXPayloadLayer 3

Internet Protocol Security (IPSec)
InternetProtocolSecurity(IPSEC)isaframework (راطإلمع) to
providesecuredcommunication (لاصتإنمآ) forIP.
ThisIETFframeworkisdefinedinasuiteofRFCs.
Itdoesnotspecifytheauthenticationandencryptionprotocol
touse.Thismakesitflexible(نرم) andabletosupportnew
authenticationandencryptionmethodsastheyaredeveloped.
IPSECprovideanewsub-layerjustabove (ةقبطةديدجقوف) IP,
layer3ofOSImodel.Thishas2mainadvantages:
–Layer3isthelowestlayerintheOSImodelthatprovidesend-to-
endconnectivitybetween2nodes.Thatmeansthattheend-to-
endcommunicationissecured,youdonotneedtoprovide
securityserviceateachlinkinthepath. (لاصتانمآنمةدقعىلاةدقع)
–Thesecurityservicesaretotallytransparenttoupperlayers.
Specifically,TCPandUDPcantransparentlyusetheseservices.
ThisalsomeansthatallapplicationsthatuseTCPorUDPas
transportmechanismcannowhavetheircommunicationsecured
withoutanychanges.Canwethinkofsomeapplicationsthatcan
benefitfromthat? (تامدخنملااةفافشتاقبطللايلعلا–تاقيبطتلاديفتستنمهذه
ةزيملا)

IPSEC IETF Documents
RFC2401–Architecture
RFC2411–Roadmap
RFC2402–AuthenticationHeader(AH)
RFC2406–EncapsulatingSecurityPayload(ESP)
RFC1828–IPAuthenticationusingMD5
RFC2412–Oakleykeydetermination
RFC2408–ISAKMP(InternetSecurityAssociationandKey
ManagementProtocol)
RFC2409–IKE–InternetKeyExchange
RFC2104–HMAC–HashingforMessageAuthentication

IPSec: Network Layer Security
IPSec = AH + ESP + IPcomp + IKE
Protection for IP traffic
AH provides integrity and
origin authentication
ESP also confidentiality
Compression Sets up keys and algorithms
for AH and ESP
AHandESPrelyon (دمتعتىلع) anexistingsecurityassociation
–Idea:partiesmustshareasetofsecretkeysandagreeoneach
other’sIPaddressesandcryptoalgorithms
(فارطلااكرتشتيفةعومجمنمحيتافملاةيرسلاوقفتتىلعنيوانعلاتايمزراوخوريفشتلا)
InternetKeyExchange(IKE)
–Goal:establishsecurityassociationforAHandESP
–IfIKEisbroken (قارتخإ) ,AHandESPprovidenoprotection!

IPSec Architecture
IPSecisdefinedbythefollowingsetsof
specifications:
–Protocolmodes.
Transportandtunnelmode
–Authenticationheaderprotocol(AH)
–Encapsulatedsecurityprotocol(ESP)
–InternetKeyExchange(IKE)
–SecurityAssociations(SA)
–Encryptionalgorithms

IPSec Modes
Transportmode
–End-to-endsecuritybetweentwohosts
Typically,clienttogateway(e.g.,PCtoremotehost)
–RequiresIPSecsupportateachhost

IPSec Modes
TunnelMode
Gateway-to-gatewaysecurity
–Internaltrafficbehindgatewaysnotprotected
–Typicalapplication:virtualprivatenetwork(VPN)
OnlyrequiresIPSecsupportatgateways

Transport mode vs Tunnel mode
Transport mode
–secures packet payload and leaves IP header
unchanged
Tunnel mode
–encapsulates both IP header and payload into
IPSec packets
IP header
(real dest)
IPSec headerTCP/UDP header + data
IP header
(gateway)
IPSec header TCP/UDP header + data
IP header
(real dest)

Authentication Header (AH)
Provides integrity and origin authentication
Authenticates portions of the IP header
Anti-replay service (to counter denial of service)
No confidentiality
Next header
(TCP)
Payload length Reserved
Security parameters index (SPI)
Sequence number
ICV: Integrity Check Value
(HMAC of IP header, AH, TCP payload)
Identifies security
association (shared
keys and algorithms)
Anti-replay
Authenticates source,
verifies integrity of
payload

Authentication Header (AH)
IP HDR IP Payload
New IP HDR AH HDR IP HDR IP Payload
Tunnel Mode
authenticated
IP HDR AH HDR IP Payload
Transport Mode
authenticated

Encapsulating Security Payload (ESP)
Adds new header and trailer fields to packet
Confidentiality and integrity for payload
Optionally provides authentication
Identifies security
association (shared
keys and algorithms)
Anti-replay
TCP segment (transport mode)
or
entire IP packet (tunnel mode)
Pad to block size for cipher,
also hide actual payload length
Type of payload
HMAC-based Integrity
Check Value (similar to AH)

Encapsulating Security Payload (ESP)
IP HDR IP Payload
Transport Mode
IP HDR ESP HDR IP Payload
ESP
Trailer
ESP
Auth
encrypted
authenticated
Tunnel Mode
New IP HDR ESP HDR IP HDR IP Payload
ESP
Trailer
ESP
Auth
encrypted
authenticated

Internet Key Exchange (IKE)
IKEprotocolisakeyexchangeandmanagementsystem,which
providesecurekeydistributionservicesbetweenpartieswishing
tocommunicateoveranuntrustednetwork.
( ماظنلدابتةرادإوحيتافملاةيرسلارفويعيزوتنمآحيتافمللنيبفارطلااةلصتملاىلعةكبش
ريغةنمآ)
IKEisahybrid (نيجه) protocolcomposedoffeaturesfrom
–InternetSecurityAssociationandKeyManagement Protocol
(ISAKMP)framework
–OakleyKeyExchange
–SecureKeyExchangeMechanism(SKEME).
IKEisgeneralpurposesecurityexchangeprotocolSupports:
–Policy negotiation (تاسايسلا ىلع ضوافتلا )
–Establishment of authenticated keying material(ءاشنإ ) for security
associations.
ThesefacilitiescanbeusedfornegotiatingVPNlinks,aswellas
forprovidingremoteuserswithsecureaccesstoahostor
network.

Security Association (SA)
SAisonewayrelationshipbetweensenderandreceiverthat
definesasecurityrelationship
(ةقلاعهاجتإدحاونيبلسرملاولبقتسملافرعتلاصتلاانملآانيبنيفرطلا)
–Authentication and encryption algorithms (ريفشتلا و ققحتلا تايمزراوخ )
–Key exchange mechanisms (حيتافملا لدابت تايلآ )
–And other rules for secure communications (نملآا لاصتلال ىرخأ دعاوق )
Itisuniquelyidentifiedbythreeparameters (متياهزييمتيلاتلاب)
–SecurityParameterIndex(SPI)-
32bitidentifier
–IPDestinationAddress
–SecurityProtocolIdentifier
Securityassociationsarenegotiatedatleastoncepersession
–possiblymoreoftenforadditionalsecurity
(ضوافتلاةرمةدحاوىلعلقلاالكلةسلج,نملمتحملارثكأنملأليفاضلإا)
Bi-directionalcommunicationrequires (الالاصتيئانثهاجتلااجاتحيىلا)
twosecurityAssociations.

Security Association Database (SAD)
SADdefinesparametersassociated (ةطبترملا) with
eachSA.
Parametersinclude
–Sequencenumbercounter
–Sequencenumberoverflow
–Anti-replaywindow
–AHinformation
–ESPinformation
–LifetimeofSA
–IPSecProtocolmode
–PathMTU

Security Policy Database (SPD)
SPDdefinesthewayinwhichIPSecservicesareappliedtoIP
traffic. (فرعيةقيرطلايتلاقبطتاهبتامدخنملأاىلعتانايبلاةرباعلا)
EachSPDentry (لوخد) isdefinedbyselectorswhichareusedto
map (هيجوت) outgoingpackettoSA.
–DestinationIPaddress
–SourceIPaddress
–Transport layer protocol
–IPSec protocol
–Source/destinationportnumber
–UserID(ifavailabletotheIPSECsoftware)
–TOSorDiffServ
SPIofSAisobtained (متيلوصحلاهيلع) andIPSecprocessingdone
accordingly (اقفوكلذل) .
ifpacketdoesnotmatchanySPDcondition (قفاوتتلا)
–Dropthepacket
–Transmititinclear
ProvidesveryflexiblewayofapplyingIPSecservicestoIPtraffic.

SA Establishment
Phase 1 -IKE SA is established
Cookie exchange(يكوكلا لدابت)
Protects responderby requesting that initiator submits valid
cookie before value exchange and Diffie-Hellman key
exchange
( يمْحَيبيجتسملا ةميقلا لدابت لبق َحيحص يكوك ُمّدقُي ئدابلا ّنأب بَلَطلابلدابتوحيتافملا )
Valid cookie: computed and verified by the responder
Need cookie exchange
Value exchange(ميقلا لدابت)
Establishes a shared secret key(كرتشم يرس حاتفم ءاشنا)
Uses Diffie-Hellman key exchange ( حاتفملا لدابت ةقيرط مادختسا)
Negotiate parameters
Result: shared, un-authenticated secret key
Authentication exchange(ققحتلا لدابت)
Keys and SA are authenticated
Methods: preshared keys, DSS, RSA digital signature,
encrypted nonce with RSA

SA Establishment
Phase 2 -IPSec SA is established
IKESAisusedtoestablish( مدختسيءاشنلا)IPsec
SAbetweencommunicatingpeers(رئاظنلا
ةلصتملا)
Quickmodeexchange( طمنلدابتلاعيرسلا )
Negotiate(تاضوافم)IPsecSAunderthe
protectionof(تحتةيامح)IKESA
KeysderivedfromIKEsecretstate

Plain IPSec
Outgoing Packets: SAD Selects SA
Network A
Network B
Network C
SA #1
SAD
Selector SA
<A,B,*,*,*> #1
<A,C,*.*.*> #2
SPD
Selector Action
<A,B,*,*,*> Encrypt
<A,C,*.*.*> Encrypt
<A,*,*,*,*> Drop
A -> B
A -> B
A -> B

Plain IPSec
Incoming Packets: SAD Checks SA
Network A
Network B
Network C
SA #1
SAD
Selector SA
<A,B,*,*,*> #1
<A,C,*.*.*> #2
C->A
Let’s
Spoof C
C->A
Packets from
SA#1
Should match
<A,B,*,*,*>
Drop !

Plain IPSec
Incoming Packets: SPD Checks
Network A
Network B
Network C
SPD
Selector Action
<A,B,*,*,*> Encrypt
<A,C,*.*.*> Encrypt
<A,*,*,*,*> Drop
Let’s
Spoof C
Packets
<A,C,*,*,*> should
be encrypted
Drop !

Plain IPSec
Preventing Traffic Injection
Network A
Network B
Network C
SPD
Selector Action
<A,B,*,*,*> Encrypt
<A,C,*.*.*> Encrypt
<A,*,*,*,*> Drop
No
spoofing,
I’m D
Packets <A,*,*,*,*>
must be dropped !

Encryption Explained
Usedtoconvertdatatoasecretcodefor
transmissionoveranuntrustednetwork
 ُلمعَتسُيليوحَتل تانايبلاىلإمروزيرس لاسرلإلىلعش ةكب
ريغ ةنمَتْؤُم
Encryption
Algorithm
“The cow jumped
over the moon”
“4hsd4e3mjvd3sd
a1d38esdf2w4d”
Clear Text
Encrypted Text

What are Keys?
A series of numbers and
letters… ةلسلس نمدادعلأاولافورح
…usedinconjunctionwithan
encryptionalgorithm… لمعتست
طابترلإابعم َةيمزراوخ ريفشت
…toturnplaintextintoencrypted
textandbackintoplaintext
ليوحَتل ّصنيداعىلإ ّصَن رّفشموسكعلاب
Thelongerthekey,thestronger
theencryption
 حاتفملالوطلاايطعيريفشتىوقأ

Symmetric Encryption رظانتملا ريفشتلا
Samekeyusedtoencryptanddecryptmessage
سفنحاتفملامدختسيريفشتللوكفلريفشتلا
Fasterthanasymmetricencryption
عرسأ ْن م ريفشتلالالا ر ظانَتُم
UsedbyIPSectoencryptactualmessagedata
IPsec مدختسيريفشتلتانايبلاةيلعفلانملبف
Examples:DES,3DES,RC5,Rijndael
Shared Secret Key

Asymmetric Encryption رظانتملالا ريفشتلا
Differentkeysusedtoencryptanddecryptmessage(Onepublic,
oneprivate)
حيتافمةفلتخمريفشتللوكفلريفشتلا(دحاوماعورخآصاخ)
Providesnon-repudiationofmessageormessageintegrity
 رفويةملاستانايبلا
ExamplesincludeRSA,DSA,SHA-1,MD-5
Alice Public Key
Encrypt
Alice Private Key
Decrypt
Bob Alice

Key Management حاتفملا ةرادا
Amechanismfordistributing
keyseithermanuallyor
automatically
ةيلآعيزوَتل

حيتافملااّمأ اايوديوَأيلآ اا
Includes:
–Keygeneration ديلوتحاتفملا
–Certificationةداهشلا
–Distributionعيزوتلا
–Revocationءاغللاا

Key Management حاتفملا ةرادا
SharedSecret رسكرتشم
–Simplestmethod;doesnotscale
–Twositessharekeyout-of-band(overtelephone,
mail,etc)
PublicKeyInfrastructure
–Providesmethodofissuingandmanaging
public/privatekeysforlargedeployments
InternetKeyExchange
–Automatestheexchangeofkeysforscalabilityand
efficiency

VPN Classification فينصت
CustomerPremiseEquipment(CPEbasedVPNs)are
implementedwithincustomerpremiseequipment,
whereacustomercancreatetheirownVPNacrossan
Internetconnectionwithoutanyspecificknowledge
orcooperationfromtheserviceprovider.
ةكولممليمعللثيحيشنيليمعلالاصتاصاخيضارتفاللاختنرتنانودبيأ
ةفرعموانواعتنيعمنمدوزمةمدخلا
ProviderprovisionedVPNdonotrequirethe
deploymentofanyCPEdevicesbeyondbasicinternet
access.AllVPNservicesandequipmentareprovided
bytheserviceprovider’scoreinfrastructure.
ةكولممدوزملةمدخلاثيحنأ ّلُكتامدخلاولأاةزهجةدوزمةينبلابةيتحتلا
دوزملةمدخلا

Comparison of CPE Based Protocols
Security Issues

Comparison of CPE Based Protocols
Vulnerabilities

Comparison of CPE Based Protocols
Routed Desktop Protocols

Comparison of CPE Based Protocols
OSI reference model

Comparison of CPE Based Protocols
Performance: throughput and Latency.
L2TPutilizesmorecommandandcontrolmessages.
SothroughputmaybelessthanPPTP.Butit
performsbetterinhighlatencynetworkbecauseit
usesUDPforitscontrolpackets
PPTPusesTCPforcontrolpacketsandalsouses
lesscontrolmessagewhichmakesithighthroughput
protocolbutmakesisvulnerabletohighlatency
network.
IPSecuseslotofsecurityrelatedoverheadwhich
degradestheperformancefromboththroughputand
latencyprospective.
Tags
Categories
General
Download
Download Slideshow Get the original presentation file
Quick Actions
Statistics
  • Views 143
  • Slides 69
  • Age 532 days
Related Slideshows
Pray For The Peace Of Jerusalem and You Will Prosper 22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
39 views
Don_t_Waste_Your_Life_God.....powerpoint 26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
42 views
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf 31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
38 views
Fertility awareness methods for women in the society 14
Fertility awareness methods for women in the society
Isaiah47
36 views
Chapter 5 Arithmetic Functions Computer Organisation and Architecture 35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
34 views
syakira bhasa inggris (1) (1).pptx....... 5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
37 views
View More in This Category