Chapter 1. Introduction to VPN Technologies


VPN Overview of Common Terms

A VPN is a means to securely and privately transmit data over an unsecured and shared network infrastructure. VPNs secure the data that is transmitted across this common infrastructure by encapsulating the data, encrypting the data, or both encapsulating the data and then encrypting the data. In the context of VPN deployments, encapsulation is often referred to as tunneling, as it is a method that effectively transmits data from one network to another transparently across a shared network infrastructure.

A common encapsulation method found in VPNs today is Generic Routing Encapsulation (GRE). IP-based GRE is defined in IETF RFC 2784 as a means to enclose the IP header and payload with a GRE-encapsulation header. Network designers use this method of encapsulation to hide the IP header as part of the GRE-encapsulated payload. In doing so, they separate or "tunnel" data from one network to another without making changes to the underlying common network infrastructure.

Although GRE tunnels have primitive forms of authentication, as we'll explore in later chapters when discussing dynamic multipoint VPN (DMVPN) deployments, they currently provide no means to provide confidentiality, integrity, and nonrepudiation natively. Nevertheless, GRE tunneling is a fundamental component of many different IP Security Protocol (IPsec) designs, and will be discussed frequently in subsequent chapters.
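As an added illustration (not code from the book), the following Python builds and parses the RFC 2784 GRE header described above, including its optional checksum, around a constructed IPv4 packet; the addresses, payload and helper names are assumptions. It also makes the paragraph's point concrete: the tunneled IP header travels in the clear, and with the checksum omitted a flipped payload byte passes through undetected, so GRE alone gives neither confidentiality nor integrity.

```python
import struct
import ipaddress

GRE_PROTO_IPV4 = 0x0800  # Protocol Type for an IPv4 payload packet (EtherType value)
GRE_FLAG_C = 0x8000      # C bit: the optional Checksum and Reserved1 fields are present
GRE_BAD_BITS = 0x7C07    # Reserved0 bits 1-5 and the Version field must be zero (RFC 2784)

def ones_complement(data: bytes) -> int:
    """One's complement of the one's complement sum of 16-bit words (RFC 2784 checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def gre_encapsulate(inner: bytes, protocol_type: int = GRE_PROTO_IPV4, checksum: bool = True) -> bytes:
    """Prepend a GRE header to the payload packet; the result is then carried in an outer IP packet."""
    header = struct.pack("!HH", GRE_FLAG_C if checksum else 0, protocol_type)
    if checksum:
        # The checksum covers the GRE header (field zeroed) plus the entire payload packet.
        header += struct.pack("!HH", 0, 0)
        header = header[:4] + struct.pack("!HH", ones_complement(header + inner), 0)
    return header + inner

def gre_decapsulate(datagram: bytes):
    """Return (protocol_type, payload_packet), or None for a malformed or corrupted header."""
    flags, protocol_type = struct.unpack("!HH", datagram[:4])
    if flags & GRE_BAD_BITS:
        return None                      # unknown version or reserved bits set: discard
    if flags & GRE_FLAG_C and ones_complement(datagram) != 0:
        return None                      # checksum over header + payload does not verify
    return protocol_type, datagram[8 if flags & GRE_FLAG_C else 4:]

def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Minimal 20-byte IPv4 header (no options, header checksum left at zero) for the sample."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload

def inner_addresses(payload_packet: bytes) -> tuple:
    """The tunneled IP header travels in the clear: GRE hides nothing from an observer on the path."""
    return (str(ipaddress.IPv4Address(payload_packet[12:16])),
            str(ipaddress.IPv4Address(payload_packet[16:20])))

# Constructed sample: a privately addressed packet tunneled across the shared infrastructure.
SAMPLE_INNER = build_ipv4("10.1.1.10", "10.2.2.20", b"hello over GRE")
SAMPLE_GRE = gre_encapsulate(SAMPLE_INNER)
```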



Note

Although IPsec-processed data is encrypted, it is also encapsulated with either Encapsulating Standard Protocol (ESP) or Authentication Headers (AH).



Encryption refers to the act of coding a given message into a different format, while decryption refers to decoding an encrypted message into its original unencrypted format. For encryption to be an effective mechanism for implementing a VPN, this encrypted, encoded format must only be decipherable by those whom the encrypting party trusts. In order to deliver upon these requirements, encryption technologies generally require the use of a mathematical operation, usually referred to as an algorithm, or cipher, and a key. Although generally complex in nature, the mathematical functions themselves are publicly known. It is the symmetric key, or as you'll see in the case of asymmetric cryptography, the private key, that is to be kept unknown to would-be attackers. The key is the primary way to keep the encrypted tunnel secure. This book discusses these two common types of cryptographic operations: symmetric key encryption and asymmetric key encryption. Other types of encryption discussed in the framework of this book include secure hashes and digital signatures.



Characteristics of an Effective VPN

VPNs exist to effectively, securely, and privately protect data that is transmitted between two networks from the common, shared, and separately maintained infrastructure between the two networks. In order to effectively perform this task, there are four goals that a confidential VPN implementation must meet:

Data confidentiality: Protects the message contents from being interpreted by unauthenticated or unauthorized sources.

Data integrity: Guarantees that the message contents have not been tampered with or altered in transit from source to destination.

Sender non-repudiation: A means to prevent a sender from falsely denying that they had sent a message to the receiver.

Message authentication: Ensures that a message was sent from an authentic source and that messages are being sent to authentic destinations.

Incorporating the appropriate data confidentiality capabilities into a VPN ensures that only the intended sources and destinations are capable of interpreting the original message contents. IPsec is very effective at encrypting data using the encapsulating security protocol (ESP), described in RFC 1827. Utilizing ESP, IPsec transforms cleartext into encrypted data, or ciphertext. Because ESP-transformed messages are only sent across in their ciphered representations, the original contents of the message are kept confidential from would-be interceptors of the message. Figure 1-1 illustrates a high-level exchange of encrypted messages between two endpoints, James and Charlie.

Figure 1-1. Confidentiality and Authenticity in Encrypted Communications

Encrypting messages relies on the use of a key to encrypt cleartext and to decrypt ciphered messages. In the exchange of messages in Figure 1-1, both James and Charlie require the appropriate keys to encrypt and decrypt communications from each other. Assuming that these keys were exchanged or derived securely (for example, via a Diffie-Hellman exchange, which is discussed in detail in Chapter 2, "IPsec Fundamentals"), when James receives a message from Charlie that he is able to decrypt, he can be assured that the message has been delivered with full confidentiality, and vice versa.

Hashes and digital signatures protect the integrity of a specific communication of data. Hashes and digital signatures append unique messages to the original message before transmission that ensure that the message has not been tampered with in transit. Figure 1-2 illustrates the operation of a hash performed on a message to ensure data integrity.

Figure 1-2. Data Integrity, Secure Hashes

By providing a unique fingerprint specific only to the sender of the message, a digital signature also provides the receiver a method of message authentication and sender non-repudiation. Notice in Figure 1-3 that digital signatures require the use of a public decryption key unique to the sender's private encryption key. The use of this cryptographic key pair thus guarantees message authenticity, ensuring that the message was sent from the authentic origin, and provides sender non-repudiation, preventing a situation in which the sender of a specific message intentionally and falsely denies their transmittal of the message. While a secure hash can provide data integrity, digital signatures provide added levels of security by offering message authentication and sender non-repudiation, the operation of which is illustrated in Figure 1-3.

Figure 1-3. Message Authenticity and Data Non-Repudiation with Digital Signatures
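As an added example (not code from the book), the following Python works through Figures 1-2 and 1-3 in turn: a secure hash appended for integrity, then a signature produced with the sender's private key and checked with the matching public key. The toy RSA key pair, the Charlie-to-James messages and the function names are constructed assumptions; the exchange shows why a hash alone cannot give authentication or non-repudiation, since an interceptor can recompute it but cannot re-sign.

```python
import hashlib

# Constructed toy RSA key pair built from two Mersenne primes. The arithmetic is textbook RSA,
# but a 92-bit modulus (and a hash reduced modulo n) is for illustration only, never for real use.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q
E = 65537                            # public exponent: shared with every receiver
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent: known only to the sender
PUBLIC_KEY, PRIVATE_KEY = (E, N), (D, N)

def secure_hash(message: bytes) -> int:
    """Figure 1-2: a fixed-size fingerprint of the message (SHA-256, reduced into the toy key's range)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def hash_check(message: bytes, received_hash: int) -> bool:
    """Integrity only: compare a freshly computed hash with the one appended by the sender."""
    return secure_hash(message) == received_hash

def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Figure 1-3: the sender transforms the hash with the private key of the pair."""
    d, n = private_key
    return pow(secure_hash(message), d, n)

def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Any receiver reverses the transform with the matching public key and compares hashes."""
    e, n = public_key
    return pow(signature, e, n) == secure_hash(message)

def demo() -> dict:
    """Constructed exchange: Charlie sends a hashed and signed message; an interceptor alters it."""
    original = b"Charlie to James: please release the shipment."
    sent_hash, sent_sig = secure_hash(original), sign(original)
    tampered = b"Charlie to James: please cancel the shipment."
    return {
        "hash_ok": hash_check(original, sent_hash),
        "sig_ok": verify(original, sent_sig),
        # Altering the message breaks the appended hash...
        "tampered_hash_detected": not hash_check(tampered, sent_hash),
        # ...but the interceptor can append a recomputed hash, so integrity alone is not authentication.
        "recomputed_hash_passes": hash_check(tampered, secure_hash(tampered)),
        # A valid signature over the altered text needs Charlie's private key, which the interceptor lacks.
        "tampered_sig_rejected": not verify(tampered, sent_sig),
    }
```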



VPN Technologies

Although IPsec-based VPNs represent one of the most secure and widely deployed types of VPNs, they are only one of many VPN technologies in existence today. As we'll discuss throughout the course of this book, VPNs have been designed to protect data at almost every layer of the OSI stack. For example, customers in different market verticals will deploy a range of encryption technologies, from Layer 1 bulk encryptors to encryption technologies embedded within the applications themselves (SSL-based VPNs).

The OSI model consists of 7 layers: Physical, Data-Link, Network, Transport, Session, Presentation, and Application. Although our primary focus will be IPsec VPNs, which are a Layer 3 VPN technology, it is important to understand IPsec VPNs within the context of other VPN technologies corresponding to different layers within the OSI stack. Figure 1-4 illustrates the OSI stack and provides some examples of VPN technologies that operate at each corresponding OSI layer.

Figure 1-4. VPN Technologies and the OSI Model



Virtual Private Dialup Networks

Virtual private dialup networks (VPDN) are used to tunnel data across a shared media. Although the primary goal of a VPDN is to tunnel data across shared network infrastructures, some VPDNs may also incorporate data confidentiality. Most VPDNs rely on the use of PPP to encapsulate data in transit across a common network infrastructure. Typical VPDN deployments consist of one or many PPP clients establishing a PPP session that terminates on a device at the opposite end of the tunnel, usually located at a central location within the enterprise or service provider edge. In doing so, a secure point-to-point tunnel is established from the client's network to the PPP concentrator. After the tunnel has been established, the client's network appears as if it were the same network as the enterprise side, while the underlying common network infrastructure across which data is tunneled remains unchanged. Common VPDN technologies deployed in today's networks include Layer 2 Forwarding Protocol, Point-to-Point Tunneling Protocol, and Layer 2 Tunneling Protocol.



Layer 2 Forwarding Protocol

The Layer 2 Forwarding (L2F) Protocol was originally developed by Cisco Systems as a way to tunnel privately addressed IP, AppleTalk, and Novell Internet Protocol Exchange (IPX) over PPP or Serial Line Internet Protocol (SLIP) dialup connections over shared networks. In order to do this, this VPDN technology concentrates tunnels at a home gateway, allowing all dial-up networks to appear as if their physical point of termination is the home gateway itself, regardless of the location of their actual dialup termination point. L2F uses control messages on UDP port 1701 to establish the session. Once a tunnel is established, L2F-encapsulated packets are forwarded in parallel with L2F control datagrams. Both L2F control and payload datagrams are forwarded on UDP 1701. The L2F-encapsulated PPP packets have the format described in Figure 1-5.

Figure 1-5. L2F Data Packet Format

During the creation of an L2F tunnel, initially a user dials into the Network Access Server (NAS), negotiates PPP, and is authenticated with either Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP), as illustrated in Figure 1-6.

Figure 1-6. L2F Topology and Tunnel Establishment

Note

In an L2F environment, a "home" gateway refers to a gateway located at the corporate headquarters.

The following steps describe the creation of an L2F tunnel, as illustrated in the steps in Figure 1-6:

1. NAS and the PPP client negotiate a PPP session. NAS authenticates the PPP client with CHAP (or, optionally, PAP).

Note

The NAS can optionally authenticate PPP connections against the AAA (or in this case, Cisco Secure Access Control Server) server in the service provider cloud. Managing user connections centrally would ease the administrative burden and provide additional accounting and user database synchronization capabilities (that is, synchronization with NT databases and automated backup of AAA data on peer CSACS databases).

Once the PPP session has been authenticated, a series of exchanges are performed to offload the termination of the dialup session to the home gateway. Figure 1-7 illustrates the CHAP handshake between the PPP client and the NAS shown in Figure 1-6.

Figure 1-7. PPP Authentication with CHAP

2. NAS initiates a tunnel connection to the home gateway.


