Virtual Private Networks
Gurdeep Singh Pall
Development Manager
Windows Internetworking
Microsoft Corporation


   VPN trends

   Technology overview

   Related Developments
Why VPNs?
   Today’s workforce is increasingly mobile
       Telecommuting increasing
       Increasing focus on global operations
       Beyond “work from home”
   Firms need to provide employees with secure access to corporate information, wherever they may be
   Need scalable remote access solution
       Can’t keep up with modem pool demand
       Maintaining dedicated corporate modem pools not economical
       Growing trend to outsourcing of dialin infrastructure
       Replacing WANs, dedicated corporate networks with less expensive solutions based on Internet technology
   Result: VPNs are a critical part of every firm’s Intranet
Evolution of VPN Thinking
   1996: Tunneling protocols
       PPTP (Microsoft), L2F (Cisco)
       Focus on compulsory tunneling
   1997: VPN standardization
       Tunneling standardization: L2TP
       Authentication and encryption: EAP, IPSEC
       Increasing deployment of voluntary tunneling
   1998: VPN solutions
       Centralized user management: RADIUS, LDAP
       Auditing, accounting and alarming: RADIUS
       Network management: SNMP
Opportunities for ISPs
   Outsourcing of modem pools
       ISPs provide access for employees on the road
       Corporation or ISP maintains VPN server
       Tunnel set up by NAS (mandatory) or
       Tunnel set up by tunneling client (voluntary)
   Outsourcing of VPN servers
       ISP maintains backend VPN server
       Authentication against corporate database via RADIUS or LDAP
       PVCs set up to corporate intranet
       Similar to Web hosting
   Roaming
       Allows ISPs to provide national or global service without building POPs
Where Microsoft is Today
   PPTP clients
       Shipped in Windows NT 4.0
       Windows 95 client released to Web
       Macintosh, Win 3.1 clients available from 3rd parties
   PPTP server
       “Steelhead” update released to Web 6/2/97
       Includes RADIUS authentication client
       Includes packet filtering support
   Shipping in PPTP forum members Network Access Servers (NASes)
       USR, Ascend, 3Com, Telematics
Where Microsoft is Today
   Support for encryption
       40 bit RC4 for export
       128 bit RC4 for domestic use (MPPE)
   “Basecamp” - Windows NT Options Pack
       Connection Manager Administration Kit
       Connection Point Services
           Phonebook server
       Internet Authentication Server
         RADIUS

   IETF drafts available
Roadmap: Where We’re
   Improved security
       Extensible Authentication Protocol (EAP)
       IPSEC
   Unified user administration and management
       Active Directory
       Microsoft Management Console (MMC)
       EAP/RADIUS integration
       PPTP/L2TP/RADIUS integration
   L2TP
   Roaming support
       Eliminates need for 800 number dialin
Tunneling Technology
   Layer 2 vs. Layer 3 tunneling
       PPTP
       L2TP
       IPSEC
   Compulsory vs. voluntary tunneling
   Integration issues
Layer 2 vs. Layer 3 Tunneling
   Layer 2 tunneling
       PPTP, L2F, L2TP
       Tunnels PPP in IP
       Multi-protocol support
       Leverages existing dial-up protocols and
           CHAP, EAP for authentication
              EAP supports smart cards, OTP, crypto-
           IPCP for address assignment
           CCP, ECP for compression, encryption
           RADIUS for authentication and accounting
Layer 2 vs. Layer 3 Tunneling
   IPSEC tunnel mode
       Tunnels IP in IP
       IP only
       Requires new infrastructure
           ISAKMP for key management
           Tunneled DHCP for address assignment?
           IPSEC transforms for authentication, compression,
           Certificate server and directory for public key creation, storage
           Public-key based smartcards for proving “what you have”
           Unspecified protocol for auditing?
       Verdict
           Today: Only useful for static dedicated IP tunnels
What is PPTP?
   Simply: PPP in IP
       Traditional PPP dial up frames are encapsulated in IP
       PPP is ubiquitous dial up standard
       PPP is multi-protocol, extensible, and
   Enables Internet to be used as a WAN
       Clients
       Networks
PPTP Details
   Tunnel
       Between PPTP FEP or Client, and PPTP server
       Control and Data Channel
       Many PPP sessions carried
   Control Channel
       TCP based (IANA port 1723)
       Session establishment, tear down, and
   Data Channel
       Enhanced GRE encapsulation (Ethertype 0x880B, IP Protocol ID 47)
       Flow control for congestion and link feedback
A Typical PPTP Data
   Media | IP | GRE | PPP | PPP Payload
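An added example, not code from the presentation, that decodes the data channel layout just described (IP protocol 47, enhanced GRE with protocol type 0x880B, PPP inside) and reports whether the PPP payload is MPPE-wrapped, which is how a capture shows whether "MPPE inside" is actually in force; the sample frame, call ID and addresses are constructed, and the PPP protocol value 0x00FD for MPPE comes from RFC 3078, not from the slides.

```python
import struct

IP_PROTO_GRE = 47        # IP Protocol ID for GRE, as on the slide
GRE_PROTO_PPTP = 0x880B  # Enhanced GRE protocol type / Ethertype used by PPTP (RFC 2637)
PPP_PROTO_IP = 0x0021    # cleartext IP datagram inside PPP
PPP_PROTO_MPPE = 0x00FD  # "compressed datagram": the PPP payload is MPPE-wrapped (RFC 3078)

def parse_pptp_data(pkt: bytes) -> dict:
    """Decode one IP | GRE | PPP frame from the PPTP data channel (media header stripped)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IP_PROTO_GRE:
        raise ValueError("IP protocol %d is not GRE (47)" % pkt[9])
    gre = pkt[ihl:]
    bits, proto, payload_len, call_id = struct.unpack_from("!HHHH", gre, 0)
    # Enhanced GRE flag word: C R K S s Recur(3) A Flags(4) Ver(3); PPTP needs K=1, Ver=1, C=R=0
    has_seq, has_ack, version = bits >> 12 & 1, bits >> 7 & 1, bits & 7
    if proto != GRE_PROTO_PPTP or version != 1 or not bits & 0x2000 or bits & 0xC000:
        raise ValueError("GRE header is not PPTP enhanced GRE")
    off, seq, ack = 8, None, None
    if has_seq:
        seq, off = struct.unpack_from("!I", gre, off)[0], off + 4
    if has_ack:
        ack, off = struct.unpack_from("!I", gre, off)[0], off + 4
    ppp = gre[off:off + payload_len]
    if len(ppp) != payload_len:
        raise ValueError("truncated PPP payload")
    if ppp[:2] == b"\xff\x03":      # PPP address/control bytes, absent when ACFC is negotiated
        ppp = ppp[2:]
    if ppp[0] & 1:                  # one-byte protocol field (PFC negotiated)
        ppp_proto, ppp = ppp[0], ppp[1:]
    else:
        ppp_proto, ppp = struct.unpack_from("!H", ppp)[0], ppp[2:]
    return {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "call_id": call_id, "seq": seq, "ack": ack, "ppp_proto": ppp_proto,
            "encrypted": ppp_proto == PPP_PROTO_MPPE, "payload": ppp}

# Constructed sample (not a real capture): client 192.0.2.10 -> tunnel server 198.51.100.1,
# call ID 7, sequence 3, cleartext IP inside PPP with ACFC in effect; IP checksums left zero.
INNER_IP = bytes.fromhex("4500001400000000400100000a0000050a000001")   # 10.0.0.5 -> 10.0.0.1
PPP_FRAME = struct.pack("!H", PPP_PROTO_IP) + INNER_IP
GRE_HDR = struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPTP, len(PPP_FRAME), 7, 3)   # K,S set, ver 1
OUTER_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(GRE_HDR) + len(PPP_FRAME), 0x1234, 0,
                       64, IP_PROTO_GRE, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))
SAMPLE_CLEAR = OUTER_IP + GRE_HDR + PPP_FRAME
# Same frame after MPPE: PPP protocol becomes 0x00FD and the payload is ciphertext (stand-in bytes)
SAMPLE_MPPE = OUTER_IP + GRE_HDR + struct.pack("!H", PPP_PROTO_MPPE) + INNER_IP[::-1]

if __name__ == "__main__":
    for frame in (SAMPLE_CLEAR, SAMPLE_MPPE):
        print(parse_pptp_data(frame))
```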
L2TP
   Advantages
       On IETF standards track
           combines L2F and PPTP plus new features
       Support for authenticated tunnels
       Ability to run directly over multiple media: ATM, Frame Relay, X.25
       Ability to bundle multiple tunnels
       Firewall and NAT friendly (runs over UDP)
   Disadvantages
       Increased Payload overhead
   Specification stabilizing
       Proposed standard likely by December ‘97
   IETF draft available
IPSEC Tunnel Mode
   Advantages
       Universal IP-level security
           Authentication and encryption
           End-to-end security: A step beyond the “firewall”
   Largely complementary to PPTP/L2TP
       IPSEC tunnel mode not yet a complete
       IPSEC security + PPTP/L2TP tunneling: a marriage made in heaven?
   Interoperability testing proceeding
       First bake-off completed, manual keying
Tunneling Protocol
   Feature                   PPTP   L2TP   IPSEC
   Authenticated Tunnels      X      X      X
   Compression                X      X      X
   Cert-based Smart Cards     X      X      X
   Crypto calculators         X      X
   Address Allocation         X      X
   Multiprotocol              X      X
   Encryption                 X      X      X
   Flow control               X      X
IPSEC and Tunneling: What is protected?
   Diagram: the frame Media | IP | IPSEC | GRE | PPP | IP | IPSEC | Data, drawn four times to mark the portion protected in each case:
       IPSEC Outside
       MPPE Inside
       IPSEC Inside
       TLS or Kerberos Inside
IPSEC and Tunneling: How the elements fit together
   EAP
       Provides extended authentication for either dialup or VPN connections
       Can support one time passwords, smart cards, crypto calculators, etc.
       Does not protect against subsequent tunnel hijacking
   IPSEC applied to the outside of the packet
       Can provide both message integrity and privacy support
           Packet Authentication (AH) protects against tunnel hijacking
           Encryption (ESP) provides privacy
       Incompatible with NAT
   MPPE applied to PPP payload
       Provides privacy support
           Protects privacy of conversation between client and tunnel server
           Encryption of PPP payload (includes IP header and data)
           Useful in cases where IPSEC is not available or where it can not be used
       Compatible with NAT
Voluntary vs. Compulsory
   Voluntary tunnels
       Tunneling initiated by end-user
       Requires tunneling client
       No NAS support required
       No intermediate router support required
       End-user responsible for security
           MPPE or IPSEC (outer) encryption goes between client and tunnel server
           Keeps burden of encryption, compression off NASes and
               No router or NAS upgrades required
           NAS not involved in security
               ISPs not liable
VPN: Voluntary Tunnel
   Diagram: remote users dial into access server front ends at POP A, POP B, POP C; the tunnel runs from the user across the carrier networks and the Internet to a tunnel server on the customer premise (ABC Corp., XYZ Corp. with IPX, LMN Corp.)
VPN: Voluntary Tunnel With Direct Network Connection
   Diagram: the remote user’s client connects through POP A or POP B, the carrier networks and the Internet directly to the tunnel server on the customer premise (ABC Corp., XYZ Corp., LMN Corp.; NBF)
Voluntary vs. Compulsory Tunneling (cont’d)
   Compulsory tunnels
       Tunneling initiated by NAS
       Requires NAS support for tunneling protocol
       Can use RADIUS for per-user tunnel setup
       No client support required?
           Not really true if NAS does not support encryption
           Client must then support MPPE or IPSEC
       No intermediate router support required
       NAS responsible for security
           NAS must set up tunnel
           NAS may be responsible for encryption
           ISPs liability?
Types of Compulsory
   Static tunnels: all calls tunneled to a given server
   Realm-based tunnels: calls tunneled based on realm (i.e.,
   User-based tunnels: calls tunneled based on userID (i.e.,
VPN: Compulsory Tunnel
   Diagram: remote users dial into access server front ends at POP A, POP B, POP C; the access server sets up the tunnel across the carrier networks and the Internet to the tunnel server on the customer premise (ABC Corp., XYZ Corp., LMN Corp.)
Issues in Compulsory
   Who is responsible for security?
       IPSEC (outer) encryption can be used between NAS and tunnel server
       Problems
           Scalability
               Legacy NASes lack CPU, crypto acceleration to handle
           Compatibility
               Requires NAS to implement IPSEC, ISAKMP
           What if NAS does not implement IPSEC?
               Client not aware if encryption is in place
               Client must encrypt inner packet
               IPSEC or TLS can be used between client and endpoint
                   Result: encryption may or may not be in force for a specific
               Solution: PPP encryption
                   MPPE used between client and tunnel server
Supporting Protocols
   EAP
   Roaming
What is RADIUS?
   Remote Access Dial In User Service
   Supports authentication, authorization, and accounting for remote access
       Physical ports (analog, ISDN)
       Virtual ports (tunnels)
   Allows centralized administration and accounting of multiple tunnel servers
   IETF status
       Proposed standard: RFC 2138, RADIUS
       Informational: RFC 2139, RADIUS accounting
       Draft: RADIUS extensions, EAP, tunneling support, interim accounting
Compulsory Tunneling with RADIUS
   Diagram: remote users dial into access server front ends at POP A, POP B, POP C; the access server consults a RADIUS server and tunnels the call to the tunnel server at BIGCO Corp.
Why Use RADIUS For Compulsory Tunneling?
   RADIUS enables per-user compulsory tunneling
       More flexible than static or realm-based tunneling
           What if is to be given Internet access, but should be tunneled to the marketing tunnel server?
   RADIUS enables accounting and auditing
       Both NAS and tunnel server can use RADIUS
       Allows enterprise to audit VPN usage, do alarming
       BIGCO can match accounting records from tunnel server with accounting records from ISP for auditing purposes
   RADIUS enables use of a single userID/password pair
       Both NAS and tunnel server can authenticate against the same RADIUS server backend
       LDAP backend
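An added example of the per-user tunnel decision above (not Microsoft’s code or the Internet Authentication Server implementation): the RADIUS server answers the NAS’s Access-Request with an Access-Accept whose tunnel attributes name the marketing tunnel server, and the NAS checks the RFC 2138 Response Authenticator before setting up any tunnel, since an accepted but unverified reply would let a spoofed server redirect a user’s tunnel. Attribute numbers and values are those later standardized in RFC 2868 (draft "tunneling support" at the time of the slide); the shared secret, Request Authenticator and server address are constructed.

```python
import hashlib, hmac, struct

ACCESS_ACCEPT = 2
# Tunnel attributes are "tagged": the first value byte is a tag grouping one tunnel's attributes.
# Numbers and values as later standardized in RFC 2868 (assumed here; drafts at the time).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_SERVER_ENDPOINT = 64, 65, 67
TUNNEL_TYPE_PPTP, TUNNEL_MEDIUM_IPV4 = 1, 1

def attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, total length, value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2138: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + request_auth + attrs + secret).digest()

def build_access_accept(ident, request_auth, secret, tunnel_server, tag=1):
    """RADIUS server side: tell the NAS to tunnel this user to tunnel_server over PPTP."""
    attrs = (attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_PPTP.to_bytes(3, "big"))
             + attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IPV4.to_bytes(3, "big"))
             + attr(TUNNEL_SERVER_ENDPOINT, bytes([tag]) + tunnel_server.encode()))
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs

def nas_tunnel_decision(pkt, request_auth, secret):
    """NAS side: verify the Response Authenticator, then read the tunnel attributes."""
    code, ident, length = struct.unpack_from("!BBH", pkt)
    if code != ACCESS_ACCEPT or length != len(pkt) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    attrs = pkt[20:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(pkt[4:20], expected):
        raise ValueError("Response Authenticator mismatch: forged or altered reply")
    found, i = {}, 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        found[atype] = attrs[i + 2:i + alen]   # value including its leading tag byte
        i += alen
    return {"tunnel_type": int.from_bytes(found[TUNNEL_TYPE][1:], "big"),
            "medium": int.from_bytes(found[TUNNEL_MEDIUM_TYPE][1:], "big"),
            "server": found[TUNNEL_SERVER_ENDPOINT][1:].decode()}

# Constructed values: a real NAS picks a random Request Authenticator for every request
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
ACCEPT = build_access_accept(0x2A, REQUEST_AUTH, SECRET, "203.0.113.20")

if __name__ == "__main__":
    print(nas_tunnel_decision(ACCEPT, REQUEST_AUTH, SECRET))
```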
What is EAP?
   Extensible Authentication Protocol
   Extension to PPP, developed in IETF PPP Working Group
       Under consideration for proposed standard status
   Provides support for a very wide range of authentication methods
       Stored value cards
       Public key authentication (with or without smart card)
       Cryptographic calculators
       One-time passwords
   RADIUS support for EAP on standards track
Why Do We Need Smart Cards?
   Widespread tunneling support enables ubiquitous access to the Intranet
       Want to enable access to Intranet from home or private ISP accounts
       Want to enable roaming to other providers for global access
   Security issues
       Can no longer restrict tunnel sources to a given IP address range
       Authenticated tunnel setup not sufficient to provide
       How do you know that it’s really Fred logging in from Indonesia?
Why Do We Need Smart Cards? (cont’d)
   Solution: smart cards
       Possession of smart card required for
       Foils brute force password guessing attempts
       Prevents sniffing of passwords over the network
       Can be used for ISP or VPN authentication, or
   Remaining issues
       Hijacking of sessions: need auth, encryption, too
Types of Smart Cards
   Cryptographic calculators
       Card with keypad and display
       No reader required
   Certificate-based smart cards
       Requires smart card reader
           Readers now available for PCMCIA, Serial ports
       Requires PIN# for access by user
       Holds certificate (read by PC)
       Sealed private key (cannot be gotten off card)
Related Developments

   “Steelhead” - Routing & Remote Access Service for Windows NT 4.0
   “Basecamp” - Windows NT Options Pack
“Steelhead” Features

   Integrated RAS & Routing service
   IP & IPX routing support
   Remotable GUI & command-line UI
   APIs for extensibility
   Demand dial routing
   PPTP support
       server-to-server
       client-server
   Packet filtering for security
   Exploits multi-link & other RAS features
“Steelhead” Features: Routing Protocols

   RIPv2 for IP
   OSPF by Bay Networks
   DHCP relay agent
   RIP for IPX
   SAP for IPX
   Plus others can be “plugged in”
Packet Filtering Features
   IP packet filtering
       TCP port
           includes “Established”
       UDP port
       IP protocol ID
       ICMP type
   IPX packet filtering
       Source address, node, & socket
       Destination address, node, & socket
       Packet type
   Complements MS Proxy
Using RAS & Routing: LAN-to-LAN or LAN-to-WAN Routing
   Diagram: a remote PC reaches a Windows NT Server with RAS & Routing over POTS, ISDN or the Internet (public networks); a branch office running RAS & Routing connects to the same server over T1, X.25, frame relay or the Internet; the server fronts the corporate LAN
Using RAS & Routing to Connect an Intranet to the Internet
   Full configuration: Internet, firewall, DMZ LAN, proxy, router (2-3 machines)
   Small business configuration with NT Server & MS Proxy: one machine providing PPTP, Internet services, proxies, filtering and routing (1 machine)
Using RAS & Routing with Point-to-Point Tunneling
   Diagram: the remote PC sends encrypted PPP packets to the Internet Service Provider POP; they cross the Internet as encapsulated encrypted PPP packets in a tunnel to a Windows NT Server with RAS & Routing in front of the corporate LAN; a branch office server connects the same way
   Low-cost, secure VPN via the Internet
“Base Camp”

A secure, seamless, and inexpensive end to end Internet remote access solution that allows individuals to connect to public and private networks.
Base Camp Components & Features
   Flow: road warriors and consumer services dial any POP; the ISP sends an Access Request to the enterprise, which returns confirmation/denial & attribute information; the user then reaches WAN/LAN resources
   Client
       Connection Manager
           Pre-configure service profiles
           Branded dialer
           Auto client PPTP
           Auto DUN
           Auto POP update
           Extensible Connect Actions
           Empty *.Exe in OS
           22 Languages
       Connection Manager Administration Kit
           Wizard to configure dialer
   ISP
       Connection Point Services
           Integrated phone books (RAS and POP merged)
           Roaming agreements
           Automated POP mgmt
       Internet Authentication Server
           Radius/Proxy
   Enterprise
       Internet Authentication Server
           Radius server
           Directory ties into NT backend
           Central management of business policy and employees
