VPN (Virtual Private Network)

Contents: What is a VPN? / VPN Tunneling / L2F / PPTP / L2TP / IPSEC / IKE

VPN, Virtual Private Network: Intranet, Extranet
- Network, network services
- Interactive network contents, hosting
- Resources and QoS: best-effort vs. QoS; Leased Line vs. VPN
- WAN: Leased Line, Frame Relay intranet
- VPN: ISP, ISP POP (Points of Presence) network, QoS
VPN users: mobile user, telecommuter, extranet

VPN types
- Intranet VPN: LAN
- Extranet VPN: Intranet VPN, Remote Access VPN
- Remote Access VPN: ISP
VPN elements: Data, Key management; LAN to LAN, Dial-up to LAN VPN; IPSec (IP Security)
[Tunneling diagram: Tunnel Endpoints, Transit Internetwork; Header | Payload; Tunnel | Tunneled Payload]
VPN equipment
- VPN server: Router, firewall, VPN client (checkpoint, radguard, vpnet, shiva)
- Router / access server VPN: router VPN, point-to-point tunneling (cisco, shiva, intel, ...)
- Firewall VPN: bottleneck (checkpoint)

VPN types
- Remote Access VPN: PSTN, ISDN, DSL, Cable Modem, ...
- LAN to LAN VPN (Site-to-site VPN)
- LAN to Client VPN
- ISP VPN
Remote Access VPN: Mobile Worker, Telecommuter
- Client Initiated VPN: PC, QoS
- NAS (Network Access Server) Initiated VPN: ISP

Client Initiated VPN
- PC with VPN S/W, tunnel to server (gateway)
- public IP: internet; private IP: network
- VPN S/W upgrade
- Tunneling: IPSec, PPTP, L2TP
[Client Initiated VPN diagram]

NAS Initiated VPN
- ISP NAS (Network Access Server), tunnel to server (gateway)
- NAS VPN, private IP, internet, network; client VPN S/W
- Tunneling: L2TP, L2F (cisco, Lucent, 3Com)
[NAS Initiated VPN diagram]
IP VPN by network: CPE based VPN (site VPN), Core based VPN (ISP VPN, MPLS)
  * CPE: Customer Premises Equipment

CPE based VPN
- Microsoft, Novell, Checkpoint, VPNet, Lucent, Cisco, 3Com
- CPE VPN vs. ISP VPN: management (network manage, Firewall manage, VPN manage)
- Tunneling: IPSec
[CPE based VPN diagram]

Core based VPN
- ISP (Router, ...) VPN, Core network, QoS, Service Management
- Tunneling: IPSec, MPLS
- MPLS (Multi-Protocol Label Switching): Cisco Tag switching; ATM, Frame Relay; Label packet forwarding, load, Traffic Engineering, QoS service
[Core based VPN diagram]
LAN to LAN VPN: VLL (Virtual Leased Line); Remote Authentication Dial-in User Service (RADIUS)
LAN to Client VPN: PC VPN, RAS
ISP VPN
Tunneling: point-to-point tunnel / Security / Quality of Service: Leased Line, FR, Bandwidth

Tunneling
- Layer 2: L2F (Layer 2 Forwarding), PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol)
- Layer 3: IPSEC (Internet Protocol Security), ATMP (Ascend Tunnel Management Protocol), VTP (Virtual Tunneling Protocol)
[Tunneling diagram]

Security: authentication, integrity, encryption
- DES (Data Encryption Standard): CPU intensive
- 3DES, RC5, MPPE

Quality of Service (QoS): Bandwidth
- RSVP: cisco
- CR-LDP: nortel
- diffserv (Differentiated Service): RFC 2474, RFC 2475
L2F (Layer 2 Forwarding)
- Cisco, Nortel, Shiva
- ISP server to tunnel server: L2F tunnel; direct-dial PPP/RAS to the home site; home site gateway server, domain ID
- Frame Relay, ATM (tunneling over IP)
- PPP (point-to-point): TACACS+, RADIUS
[L2F (Layer 2 Forwarding) diagram]
[L2F Flow (PPP authentication) diagram]
[L2F Tunnel Authentication diagram]
[L2F Frame diagram]
PPTP (Point-to-Point Tunneling Protocol)
- 3COM, Microsoft, Ascend, US Robotics; first popular tunneling standard
- PPP, Client/Server; Windows 95, Windows NT 4.0; Mobile user to home site
- Allows you to tunnel or encapsulate IPX and NetBEUI packets in a standard TCP/IP dial-up connection or a dedicated Internet connection
- PPTP uses the security policy you already have set up on the network
- Over 90 million PCs are PPTP-enabled, unlike other protocols
- Bi-directional Tunnel
- Two modes: client enabled, ISP enabled
- Non IP protocols: IPX, Appletalk
- PAP, CHAP, MS-CHAP; RC4 (40 bits / 128 bits)
- Microsoft dependent (Windows NT), RAS vendor
L2TP (Layer 2 Tunneling Protocol)
- Remote side: LAC (L2TP Access Server); Home gateway: LNS (L2TP Network Server)
- Remote access cost, overhead, flexibility, scalability; client initiated VPN
- Hybrid of L2F and PPTP; emerging standard for VPN tunneling
- Multiple protocols: IP, IPX, AppleTalk; non-IP network; LAN-to-LAN VPN
- WAN: X.25, ATM, Frame Relay, SONET
- Network traffic flow control: server congestion handling (network access system, home gateway)
- LAC (L2TP Access Concentrator): ISP NAS; LNS (L2TP Network Server): edge (router, firewall)
[L2TP Tunnel Structure diagram]

L2TP Incoming Call Flow
- Remote user, ISP, PPP; ISP Network, LAC POP, PPP Link, End User, LNS
- LCP Negotiation at the LAC; CHAP / PAP End User Authentication; user name, domain name
- User is a VPDN client: VPDN Client, Client Access; VPDN client user name to End Point mapping (the LNS)
- Tunnel End Point: LAC to LNS Session, Tunnel; Tunnel, L2TP Session, End User
- LAC: LCP, CHAP/PAP Authentication; LNS
Two message types
- Control message: Establish, Maintenance, Clearing; carried over the L2TP Control Channel
- Data message: Encapsulation of PPP; Packet Loss, Retransmit

L2TP header format
  0                                       16                                      32
  | T | L | x | x | S | x | O | P | x | x | x | x |  Ver  |        Length (opt)          |
  |              Tunnel ID                         |          Session ID                 |
  |              Ns (opt)                          |          Nr (opt)                   |
  |              Offset size (opt)                 |          Offset pad (opt)           |

- T bit: message type. 0 = Data message, 1 = Control message
- L bit: 1 = Length field present. Control messages: 1
- x bits: reserved
- S bit: 1 = Ns and Nr fields present. Control messages: 1
- O bit: 1 = Offset field present. Control messages: 0
- P bit: 1 = Data message gets preferential local queuing. Data messages only; Control messages: 0
- Ver: 2 = L2TP, 1 = L2F
- Length: message length
- Tunnel ID: Control Connection ID
- Session ID: Session ID
- Ns: sequence number of this Data or Control message, 0 to 2^16 - 1
- Nr: Control message sequence number, 0 to 2^16 - 1
- Offset: Payload offset
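Added example, not from the slides: a Python parser for the header above that checks the rules the slide lists (Ver 2 = L2TP, and a control message must have L=1, S=1, O=0, P=0) before trusting any field. The two sample messages at the end are constructed here, and the names build_l2tp, parse_l2tp and _u16 are this example's own.

```python
import struct

# Flag bits in the first 16-bit word of the L2TP header (layout from the slide above)
T_BIT, L_BIT, S_BIT, O_BIT, P_BIT, VER_MASK = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100, 0x000F

def _u16(pkt: bytes, pos: int) -> int:
    """Read a big-endian 16-bit field, failing cleanly instead of trusting a truncated packet."""
    if pos + 2 > len(pkt):
        raise ValueError("truncated L2TP header")
    return struct.unpack_from("!H", pkt, pos)[0]

def build_l2tp(control: bool, tunnel_id: int, session_id: int, payload: bytes,
               ns: int = 0, nr: int = 0) -> bytes:
    """Build an L2TP message; control messages always carry Length and Ns/Nr (L=1, S=1)."""
    flags = 2  # Ver = 2 means L2TP; Ver = 1 is reserved for L2F
    body = struct.pack("!HH", tunnel_id, session_id)
    if control:
        flags |= T_BIT | L_BIT | S_BIT
        body += struct.pack("!HH", ns % 65536, nr % 65536)  # Ns/Nr are 16-bit counters
        body = struct.pack("!H", 4 + len(body) + len(payload)) + body  # Length covers the whole message
    return struct.pack("!H", flags) + body + payload

def parse_l2tp(pkt: bytes) -> dict:
    """Parse an L2TP header, rejecting a control message that breaks the L/S/O/P rules."""
    flags = _u16(pkt, 0)
    hdr = {"control": bool(flags & T_BIT), "ver": flags & VER_MASK}
    if hdr["ver"] != 2:
        raise ValueError(f"unsupported version {hdr['ver']} (1 = L2F, 2 = L2TP)")
    has_len, has_seq, has_off = bool(flags & L_BIT), bool(flags & S_BIT), bool(flags & O_BIT)
    if hdr["control"] and (not (has_len and has_seq) or has_off or flags & P_BIT):
        raise ValueError("control message violates the L/S/O/P flag rules")
    pos = 2
    if has_len:
        hdr["length"] = _u16(pkt, pos); pos += 2
    hdr["tunnel_id"], hdr["session_id"] = _u16(pkt, pos), _u16(pkt, pos + 2); pos += 4
    if has_seq:
        hdr["ns"], hdr["nr"] = _u16(pkt, pos), _u16(pkt, pos + 2); pos += 4
    if has_off:  # Offset Size counts the padding bytes that sit before the payload
        pos += 2 + _u16(pkt, pos)
    end = hdr.get("length", len(pkt))
    if pos > end or end > len(pkt):  # Length must fit the datagram and cover the header
        raise ValueError("header runs past the end of the message")
    hdr["payload"] = pkt[pos:end]
    return hdr

# Constructed samples (not from the slides): an SCCRQ-style control message and a PPP data frame
SCCRQ = build_l2tp(True, 0, 0, b"\x80\x08\x00\x00\x00\x00\x00\x01")
PPP_DATA = build_l2tp(False, 5, 7, b"\xff\x03\x00\x21\x45\x00")
```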
[L2F/L2TP operation diagram]

PPTP vs. L2TP encapsulation
- PPTP: Media | IP | GRE | PPP | PPP Payload  (draft-ietf-pppext-pptp-07.txt)
- L2TP: Media | IP | L2TP | L2TP Payload  (draft-ietf-pppext-l2tp-12.txt)
IPSec
- IETF IPSec Working Group; VPN tunneling at layer 3; IPv6; Non-IPSec protocols
- Authentication Header (AH) protocol: packet payload, encrypt
- Encapsulating Security Payload (ESP) protocol: fully encrypt; overhead
- Encryption Algorithms: DES (Data Encryption Standard), 3DES, RC5
- Authentication Algorithms: MD5 (Message Digest 5) -> 128 bit, SHA-1 (Secure Hash Algorithm 1) -> 160 bit
- IKE

IPSec components: AH (Authentication Header), ESP (Encapsulation Security Payload), IP Security Association (SA)

Enables transmission of sensitive information over unprotected networks such as the Internet. IPSec provides:
- Confidentiality: packets encrypted before transmission
- Integrity: authenticates packets at the destination peer to ensure that data has not been tampered with during transmission
- Authentication: peers authenticate the source of all IPSEC protected packets
- Anti-replay: prevents capture and replay of packets

IPSec RFCs
- RFC 1825: Security Architecture for the Internet Protocol
- RFC 1826: IP Authentication Header
- RFC 1827: IP Encapsulating Security Payload (ESP)
- RFC 1828: IP Authentication Using Keyed MD5 (Message Digest)
- RFC 1829: The ESP DES-CBC Transform
- RFC 2085: HMAC-MD5 IP Authentication with Replay Prevention
- RFC 2104: HMAC: Keyed-Hashing for Message Authentication
AH - Authentication Header
- IP datagram authentication and integrity: data integrity, data origin authentication, optional anti-replay protection (RFC 2402)
- Inserted after the IP header and before any upper layer headers
- Integrity: MD5 or SHA-1 message checksum over the IP packet with a secret shared key
- Replay protection: AH header sequence number

AH format
- Original: IP | Payload
- Transport: IP | AH | Payload
- Tunnel: IP | AH | IP | Payload
- AH header fields: Next Payload (16 bits), Security Parameter Index (SPI) (32 bits), Sequence Number (32 bits), Authentication Data (variable, multiple of 32 bits)
ESP - Encapsulating Security Payload
- Payload encrypted -> more overhead than AH
- IP datagram confidentiality and integrity: data confidentiality, optional data integrity, peer authentication, anti-replay protection (RFC 2406)
- Inserted after the IP header and before any upper layer headers
- DES (Data Encryption Standard, 56 bit) / 3DES on the IP packet
- Replay protection: sequence number

ESP format: IP | ESP | Payload | ESP tail | ESP Auth
- Encrypted: Payload and ESP trailer; Authenticated: ESP header through ESP trailer
- Fields: Security Parameter Index, Sequence Number, Payload Data (variable), Padding (0~255 bytes), Pad Length, Next Header, Authentication Data (variable, multiple of 32 bits)
- Original: IP | Payload
- Transport: IP | ESP | Payload | ESP tail | ESP Auth
- Tunnel: IP | ESP | IP | Payload | ESP tail | ESP Auth
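The sequence-number replay protection that the AH and ESP slides name, as an added example that is not from the original deck: a sliding window in the style of RFC 2401 Appendix C, applied in the order the RFC prescribes (window check, then integrity check, then window update). The class name, the 64-packet default width and the caller-supplied ICV result are this example's assumptions.

```python
class AntiReplayWindow:
    """Sliding-window replay check for AH/ESP sequence numbers (RFC 2401 Appendix C style).

    `last` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number (last - i) has already been accepted.
    """

    def __init__(self, size: int = 64):
        self.size = size    # window width in packets; 64 is an assumed, common default
        self.last = 0       # AH/ESP sequence numbers start at 1, so 0 means nothing seen yet
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """Return whether seq is acceptable; changes no state, so it can run before ICV verification."""
        if seq == 0:                      # 0 is never a valid AH/ESP sequence number
            return False
        if seq > self.last:               # newer than anything seen: always fresh
            return True
        diff = self.last - seq
        if diff >= self.size:             # left of the window: too old, drop
            return False
        return not (self.bitmap & (1 << diff))  # inside the window: fresh unless already marked

    def commit(self, seq: int) -> None:
        """Record seq as accepted; call only after the packet's ICV has verified."""
        if seq > self.last:               # slide the window right and mark the new top
            shift = seq - self.last
            # A jump wider than the window empties it; otherwise shift and clip to `size` bits
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
        else:
            self.bitmap |= 1 << (self.last - seq)

    def receive(self, seq: int, icv_ok: bool) -> bool:
        """RFC processing order: window check, then integrity check, then window update."""
        if not self.check(seq) or not icv_ok:
            return False
        self.commit(seq)
        return True
```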
Transport Mode
- Only the IP payload is encrypted; the original IP header is kept, saving bytes
- Public network devices can see Source/Destination: QoS processing
- IP header in the clear: traffic
- AH transport mode: IP header | AH | IP payload; authenticated except for mutable fields in the IP header
- ESP transport mode: IP header | ESP header | IP payload | ESP trailer | ESP auth; payload and trailer encrypted, ESP header through trailer authenticated

Tunnel Mode
- The original IP datagram is encrypted and carried as the payload of a new IP packet
- Router as IPsec proxy: the router encrypts on behalf of the hosts; the source router encrypts and forwards, the destination router decrypts
- End system: IPsec modification; traffic
- AH tunnel mode: New IP header | AH | IP header | IP payload; authenticated except for mutable fields in the New IP header
- ESP tunnel mode: New IP header | ESP header | IP header | IP payload | ESP trailer | ESP auth; inner IP header and payload encrypted, ESP header through trailer authenticated

Transport Mode vs. Tunnel Mode
  Transport: IP Hdr | AH | TCP Hdr | Data                          (authenticated)
  Tunnel:    Outer IP Hdr | AH | Inner IP Hdr | TCP Hdr | Data     (authenticated)
  Transport: IP Hdr | ESP | TCP Hdr | Data                         (authenticated, encrypted)
  Tunnel:    Outer IP Hdr | ESP | Inner IP Hdr | TCP Hdr | Data    (authenticated, encrypted)
  Transport: IP Hdr | AH | ESP | TCP Hdr | Data                    (authenticated, encrypted)
[Diagram: Host A - Secure gateway 1 - Secure gateway 2 - Host B; ESP between host and secure gateway (Encryption and authentication), AH between the two secure gateways (Authentication only)]
- Between Host A and Secure gateway 1: IP header | ESP header | Payload | ESP trailer | ESP auth
- Between the two secure gateways: New IP header | AH | IP header | ESP header | Payload | ESP trailer | ESP auth (AH added to the ESP-applied packet)
- Between Host B and Secure gateway 2: IP header | ESP header | Payload | ESP trailer | ESP auth
IPSec: IP, Certificate Authority; Non-IPSec VPN: L2F, L2TP, PPTP, SOCKS
VPN: LAN-to-LAN VPN, Dialup-to-LAN VPN, IPv6, Non-IPSec
Security Association (SA)
- SA negotiation: protocol, key
- An SA under IPSEC specifies:
  - the mode of the authentication algorithm used in AH and the keys to that authentication algorithm
  - the ESP encryption algorithm mode and the keys to that encryption algorithm
  - the presence and size of (or absence of) any cryptographic synchronization to be used in that encryption algorithm
  - how you authenticate your communications (using what protocol, what encrypting algorithm, and what key)
  - how you make your communication private (what algorithm, and what key)
  - how often those keys are to be changed
  - the authentication algorithm mode, and transform for use in ESP plus the keys to be used by that algorithm
  - the key lifetimes
  - the lifetime of the SA itself
- SA and VPN: each SA is identified by its SPI
- SPI: SA unique number (32 bit), carried in the AH/ESP header
Internet Key Exchange (IKE)
- A powerful, flexible negotiation protocol that allows users to agree on authentication methods, encryption methods, the keys to use, how long to use the keys before changing them, and that allows smart, secure key exchange
- Key exchange: Diffie-Hellman
- Strong data encryption requires frequent key change
- Phase I: IKE peers set up a secure channel
- Phase II: peers negotiate the SA
- Dynamically exchanges keys for bulk data encryption
[Internet Key Exchange (IKE) diagram]

Internet Key Exchange (IKE)
- Coupled with IPSec's key management systems
- Employed to exchange information used to generate encryption keys
- Agrees on encryption and data authentication algorithms
- Each participant has a pair of keys; one private and one public
- Digital signatures supplied by a Certificate Authority
[Diagram: "This is a Top Secret Message for ACME Customers" (The Customer's Data) + The Encryption Operation (e.g. DES) + The Key = The Encrypted Data]
Encrypted communication: sender plaintext -> Encryption (Encryption Key) -> Ciphertext transmitted -> Decryption (Decryption Key) -> receiver plaintext
- Secret key: a single key; the encryption key is the decryption key (symmetric key); N users, N keys
- Public key: a pair of keys, public key and private key (asymmetric key)

Secret key -> Private Enterprise Network
- DES (Data Encryption Standard), Triple-DES, IDEA, Blowfish, CAST-128
- DES: block cipher, 64 bit plaintext ==> 64 bit ciphertext; key length = 56 bits; 16 rounds of permutation with the secret key
- Triple-DES: DES applied 3 times; key length = 56 bit * 3 = 168 bits
- DES vs. 3-DES: DES: brute-force attack (plaintext, resources); 3-DES: brute-force attack, computer system
[Diagram: sender plaintext -> Encryption (Secret Key) -> Ciphertext transmitted -> Decryption (Secret Key) -> receiver plaintext]

Public key: RSA (Rivest-Shamir-Adleman) system
- 2 keys: Public key, Private key; Public key: public; Private key: receiver
[Diagram: sender plaintext -> Encryption (Receiver's Public Key) -> Ciphertext transmitted -> Decryption (Receiver's Private Key) -> receiver plaintext]
- Public key -> CPU load; secret key; key, digital signature application
- Encryption: sender uses the receiver's public key, receiver uses the receiver's private key
- Authentication: sender uses the sender's private key, everyone verifies with the sender's public key
PKI: Public Key Infrastructure