
VPN (Virtual Private Network)

Done By:
Abdel-Wahab Mahmoud
Abdel-Rahman Mohammed
Ali Hamed
Mohammed Belal
Mustafa Atallah

Under the supervision of:


Dr. Eman Salah
Introduction

• A virtual private network (VPN) extends a private network across a public
network, and enables users to send and receive data across shared or public
networks as if their computing devices were directly connected to the
private network.
• A VPN creates an authenticated and encrypted connection over a less secure
network, such as the Internet.
• To protect the data, it travels through a secure tunnel between the two
endpoints; this is known as tunneling.
[Figure: connection without VPN vs. connection with VPN]
[Figure: VPN working]
Types of VPN
• Remote access VPN
• Site-to-site VPN
Remote access VPN
• It allows a user to connect to a private network and access its services and
resources remotely.
• The connection between the user and the private network is carried over the
Internet and is secure and private because it runs through an encrypted,
authenticated tunnel.
• Example: a corporate employee, while traveling, uses a VPN to connect
to the company's private network and remotely access files and
resources on it.
Site-to-site VPN
• It is also called a router-to-router VPN and is mostly used by corporations.
• When multiple offices of the same company are connected using a site-to-site
VPN, it is called an intranet-based VPN.
• When a company uses a site-to-site VPN to connect to the office of
another company, it is called an extranet-based VPN.
• It creates a virtual bridge between the networks of geographically distant
offices, connects them through the Internet, and maintains secure and
private communication between the networks. The VPN gateways at each site,
not the end hosts, terminate the tunnel.
VPN Tunneling

• Tunneling is a technique (implemented by protocols such as IPSec, L2TP and
PPTP) that allows data to be moved securely from one network to another.
• Tunneling allows private network communications to be sent across a
public network, such as the Internet, through a process called encapsulation.
• Encapsulation wraps each private packet inside a new outer packet. The public
network routes only on the outer header; the inner packet, including its
private addresses, is carried as opaque payload and, when encrypted, cannot
be read or modified undetected in transit.
• Tunneling is sometimes loosely called port forwarding (as with SSH tunnels),
but the two differ: port forwarding relays individual TCP connections,
while a VPN tunnel carries whole IP packets.
[Figure: tunneling]
VPN protocols

• Internet Protocol Security (IPSec)
• Layer 2 Tunneling Protocol (L2TP)
• Point-to-Point Tunneling Protocol (PPTP)
• Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
1. Internet Protocol Security (IPSec)
• It is used to secure communication across an IP network.
• IPSec secures IP communication by authenticating the peers when the
session is set up and then authenticating (and, with ESP, encrypting) each
packet for the life of the connection.
• IPSec operates in two modes, transport mode and tunnel mode. Transport
mode protects traffic between two hosts; tunnel mode is used between
security gateways to protect traffic between two networks.
• Transport mode protects only the payload of the packet (the original IP
header stays in the clear), while tunnel mode protects the entire original
packet, including its IP header, inside a new outer packet.
• IPSec can also be combined with other security protocols (for example as
the encryption layer under L2TP).
2. Layer 2 Tunneling Protocol (L2TP)

• Layer 2 Tunneling Protocol is a tunneling protocol that is usually combined
with another VPN security protocol, IPSec, to create a secure VPN
connection (L2TP/IPSec), because L2TP on its own provides no encryption.
• L2TP creates a tunnel between two L2TP endpoints, and IPSec encrypts the
data and handles secure communication through the tunnel.
3. Point-to-Point Tunneling Protocol (PPTP)
• Point-to-Point Tunneling Protocol creates a tunnel and
encapsulates the data packet.
• PPTP was one of the most widely used VPN protocols and has been in
use since the time of Windows 95.
• Apart from Windows, PPTP is also supported on Mac and Linux.
• Its authentication (MS-CHAPv2) and encryption (MPPE) are broken,
so PPTP should not be used for new deployments.
4. Secure Sockets Layer (SSL) and Transport Layer
Security (TLS)

• The SSL and TLS protocols are most commonly used by online shopping websites and service providers;
SSL is the deprecated predecessor of TLS.
• TLS connections have https at the beginning of the URL instead of http.
• SSL/TLS VPNs reuse the same protocol to carry VPN traffic, usually over the
HTTPS port, so that it passes through firewalls like ordinary web traffic.
Advantages of VPN

• Greater scalability
• Reduced long-distance telecommunications costs
• Remote access to internal resources
• Security (confidentiality and integrity of traffic on untrusted networks)
• Online anonymity toward the local network and ISP (the VPN provider still
sees the traffic)
• Access to geographically restricted content
Disadvantages of VPN

• Requires an understanding of security issues to configure correctly
• Unpredictable Internet traffic
• Difficult to accommodate products from different vendors
• Complexity
• Reduced throughput (encapsulation and encryption overhead)
What Security Problem?

Today's Internet is primarily comprised of:

• Public
• Untrusted
• Unreliable IP networks

Because of this inherent lack of security,
the Internet is subject to various types of
threats...
Internet Threats

• Data integrity
The contents of a packet can be accidentally or deliberately modified.
• Identity spoofing
The origin of an IP packet can be forged.
• Replay attacks
Captured packets can be retransmitted later by an attacker.
• Loss of privacy
The contents of a packet can be examined in transit.
Understanding TCP/IP
OSI Reference Model

OSI layer             TCP/IP component
Application Layer     Application
Presentation Layer
Session Layer
Transport Layer       TCP, UDP
Network Layer         IP
Data Link Layer       Device Driver
Physical Layer        Network Adapter


Understanding TCP/IP
Encapsulation of Data for Network Delivery

Application Layer           | Original Message                          |
Transport Layer (TCP, UDP)  | Header 3 | Data 3 (= original message)    |
Network Layer (IP)          | Header 2 | Data 2 (= transport segment)   |
Data Link Layer             | Header 1 | Data 1 (= IP datagram)         |

Each layer prepends its own header; the whole unit from the layer above
becomes the data of the layer below.
Security at What Level?

Application Layer   PGP, Kerberos, SSH, etc.
Transport Layer     Transport Layer Security (TLS)
Network Layer       IP Security (IPSec)
Data Link Layer     Hardware encryption
IP Security

• IPSec is a framework of open standards developed by the Internet
Engineering Task Force (IETF).

• It creates secure, authenticated communications over IP networks. (It does
not add reliability; retransmission remains the job of the transport layer.)

IPSec Security Services
• Connectionless integrity
Assurance that received traffic has not been
modified. Integrity includes anti-replay defenses.
• Data origin authentication
Assurance that traffic is sent by the legitimate party or parties.
• Confidentiality (encryption)
Assurance that the user's traffic is not examined by
unauthorized parties.
• Access control
Prevention of unauthorized use of a resource (enforced through the security
policy database, which decides which traffic may pass in the clear, must be
protected, or is dropped).
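The anti-replay defense mentioned above is a sliding window kept per security association by the receiver. The following is an added example (not code from the slides) implementing the window scheme described in RFC 4303 section 3.4.3 for 32-bit sequence numbers; the window size and the sequence-number streams fed to it are constructed, and the integrity (ICV) check that must precede the window update is assumed to happen elsewhere.

```python
"""Anti-replay sliding window as used by IPsec AH/ESP receivers.

Added example, not code from the original slides. The receiver tracks the
highest sequence number accepted so far ("top") and a bitmap of the most
recent `size` sequence numbers. A packet is rejected if its sequence number
is 0, has fallen off the left edge of the window, or is already marked as
received. The ICV must be verified before `update` is called, so that an
attacker cannot poison the window with forged sequence numbers.
"""


class ReplayWindow:
    """Sliding window for 32-bit IPsec sequence numbers (no ESN)."""

    def __init__(self, size: int = 64):
        assert size > 0
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) was received

    def check(self, seq: int) -> bool:
        """Pre-ICV test: True if `seq` is not a replay and is inside the window."""
        if seq == 0:
            return False            # the first packet on an SA uses sequence number 1
        if seq > self.top:
            return True             # newer than anything seen: always a candidate
        offset = self.top - seq
        if offset >= self.size:
            return False            # too old: left edge of the window
        return not (self.bitmap >> offset) & 1   # already received => replay

    def update(self, seq: int) -> None:
        """Record `seq` after its ICV verified; slides the window when needed."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1     # window moved entirely; only `seq` is marked
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq: int) -> bool:
        """Accept or reject one packet (ICV assumed already verified)."""
        ok = self.check(seq)
        if ok:
            self.update(seq)
        return ok


def simulate(window_size: int, sequence: list) -> list:
    """Feed a constructed stream of sequence numbers; return accept/reject flags."""
    window = ReplayWindow(window_size)
    return [window.receive(seq) for seq in sequence]


if __name__ == "__main__":
    # Constructed stream: reordering inside the window is fine, duplicates and
    # packets older than the window are rejected.
    stream = [3, 1, 2, 3, 70, 5, 6, 200, 140, 137, 136]
    for seq, ok in zip(stream, simulate(64, stream)):
        print(f"seq {seq:>3}: {'accept' if ok else 'REJECT'}")
```

Reordering within the window (1 and 2 arriving after 3) is accepted, which is why the window exists at all: IP does not guarantee ordering. A duplicate (3 again) and anything older than `top - size + 1` is dropped.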
Applications of IPSec

• Secure branch office connectivity over the Internet
• Secure remote access over the Internet
• Establishing extranet and intranet connectivity with partners
• Enhancing electronic commerce security
Benefits of IPSec

• In a firewall/router, provides strong security to all traffic
crossing the perimeter
• Is below the transport layer, hence transparent to applications
• Can be transparent to end users
• Can provide security for individual users, including mobile users
• Can secure the routing architecture (routing protocol traffic can be
authenticated)
[Figure: IPSec uses]
Network Layer Security

• IP security (IPSec)
• Two protocols
  • Authentication protocol, using an Authentication Header (AH)
  • Encryption/authentication protocol, called the Encapsulating Security Payload (ESP)
• Two modes of operation
  • Transport mode: provides protection for upper-layer protocols
  • Tunnel mode: protects the entire IP datagram
IPSec protocols – AH protocol
• AH - Authentication Header
• Defined in RFC 1826 (original specification; the current one is RFC 4302)
• Integrity: Yes, including the immutable fields of the IP header (mutable
fields such as TTL and the header checksum are excluded from the check)
• Authentication: Yes
• Non-repudiation: Only if a digital-signature integrity algorithm were used;
the standard HMAC algorithms are symmetric, so in practice no.
• Encryption: No
• Replay Protection: Yes (sequence number checked against a sliding window)

Transport packet layout:
IP Header | AH Header | Payload (TCP, UDP, etc.)

Tunnel packet layout:
New IP Header | AH Header | Original IP Header | Payload (TCP, UDP, etc.)
IPSec protocols – ESP protocol
• ESP – Encapsulating Security Payload
• Defined in RFC 1827 (original specification; the current one is RFC 4303)
• Integrity: Yes, when an integrity algorithm is configured; it covers the ESP
header, payload and trailer, not the outer IP header
• Authentication: Yes, when an integrity algorithm is configured (optional in
the standard; encryption without integrity is not recommended)
• Non-repudiation: No
• Encryption: Yes
• Replay Protection: Yes (sequence number checked against a sliding window)

Transport packet layout:
IP Header | ESP Header | Payload (TCP, UDP, etc.) | ESP Trailer | ESP ICV

Tunnel packet layout:
New IP Header | ESP Header | Original IP Header | Payload (TCP, UDP, etc.) | ESP Trailer | ESP ICV

Unencrypted: IP header, ESP header and ESP ICV. Encrypted: everything between
the ESP header and the ICV. Integrity-protected: ESP header through ESP trailer.
What protocol to use?

• Differences between AH and ESP:
  • ESP provides encryption, AH does not.
  • AH provides integrity of the IP header, ESP does not.
  • AH was designed so that it could offer non-repudiation; ESP does not. (With
    the HMAC algorithms actually standardized, neither provides it.)
  • However, we don't have to choose, since both protocols can be used together
    (AH applied over an ESP packet).
• Why have two protocols?
  • Some countries have strict laws on encryption. If you can't use encryption in those
    countries, AH still provides good integrity and authentication mechanisms. Two
    protocols ensure wide acceptance of IPSec on the Internet.
  • In current deployments ESP with an integrity algorithm is almost always used
    (ESP with NULL encryption, RFC 2410, covers the authentication-only case) and
    AH is rarely enabled.
Data Integrity and Confidentiality

[Figure: basic difference between AH and ESP]
Transport Versus Tunnel Mode

Transport Mode:
• Used for host-to-host (peer-to-peer) communication security
• Only the payload (the transport-layer segment) is protected; the IP header
stays in the clear

Tunnel Mode:
• Used for site-to-site (gateway-to-gateway) and host-to-gateway communication security
• The entire original packet, including its IP header, is protected inside a
new outer packet
IPSec Modes of Operation
• Transport Mode: protects the upper layer protocols

Original IP datagram:       IP Header | TCP Header | Data
Transport mode protected:   IP Header | IPSec Header | TCP Header | Data
                                                     |<---- protected ---->|

• Tunnel Mode: protects the entire original IP datagram

Tunnel mode protected:      New IP Header | IPSec Header | Original IP Header | TCP Header | Data
                                                         |<----------- protected ----------->|
Transport versus Tunnel mode (cont)
Transport mode is used when the cryptographic endpoints are also the communication endpoints of the
secured IP packets.

Cryptographic endpoints: The entities that generate / process an IPSec header (AH or ESP)
Communication endpoints: Source and Destination of an IP packet
Transport versus Tunnel mode (cont)
Tunnel mode is used when at least one cryptographic endpoint is not a communication endpoint of the
secured IP packets.

Outer IP Header – addressed to the security gateway that terminates the tunnel.
Inner IP Header – addressed to the ultimate destination.
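The AH and ESP packet layouts and the transport/tunnel mode diagrams above can be made concrete by actually building the packets. The following is an added example, not code from the slides: it constructs IPv4, AH and ESP headers with the standard library, computes the HMAC-SHA-256-128 integrity check value (RFC 4868) over exactly the bytes each protocol covers, and shows that AH detects a change to the outer destination address while ESP does not (ESP never covers the IP header). ESP uses the NULL encryption algorithm (RFC 2410) so that no cipher library is needed. The 32-byte key, the SPI, the addresses and the TCP segment are constructed assumptions; in a real deployment the keys and SPIs come from IKE.

```python
"""AH and ESP packet construction with HMAC-SHA-256-128 integrity.

Added example (not from the original slides). Keys, SPI, addresses and the
payload are constructed; ESP is shown with NULL encryption (RFC 2410), so the
"ciphertext" equals the plaintext and the integrity coverage is what matters.
"""
import hashlib
import hmac
import struct

PROTO_IPIP, PROTO_TCP, PROTO_ESP, PROTO_AH = 4, 6, 50, 51
ICV_LEN = 16                      # HMAC-SHA-256 truncated to 128 bits (RFC 4868)
KEY = bytes(range(32))            # constructed integrity key (assumption)
SPI, SEQ = 0x1000ABCD, 1          # constructed SPI / first sequence number


def icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    # version/IHL, TOS, total length, ID, flags/frag, TTL, protocol, checksum(0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0, src, dst)


def ah_immutable(ip_hdr: bytes) -> bytes:
    """Zero the fields AH treats as mutable in transit: TOS, flags/frag, TTL, checksum."""
    v, _tos, tl, ident, _ff, _ttl, proto, _ck, src, dst = struct.unpack("!BBHHHBBH4s4s", ip_hdr)
    return struct.pack("!BBHHHBBH4s4s", v, 0, tl, ident, 0, 0, proto, 0, src, dst)


def ah_packet(src: bytes, dst: bytes, payload: bytes, next_hdr: int) -> bytes:
    ah_len = 12 + ICV_LEN
    ip_hdr = ipv4_header(src, dst, PROTO_AH, 20 + ah_len + len(payload))
    # AH: next header, payload length (32-bit words minus 2), reserved, SPI, sequence number
    ah_hdr = struct.pack("!BBHII", next_hdr, ah_len // 4 - 2, 0, SPI, SEQ)
    # ICV covers the immutable IP header fields, the AH header (ICV zeroed) and the payload
    mac = icv(ah_immutable(ip_hdr) + ah_hdr + bytes(ICV_LEN) + payload)
    return ip_hdr + ah_hdr + mac + payload


def ah_verify(pkt: bytes) -> bool:
    ip_hdr, ah_hdr, mac, payload = pkt[:20], pkt[20:32], pkt[32:48], pkt[48:]
    return hmac.compare_digest(mac, icv(ah_immutable(ip_hdr) + ah_hdr + bytes(ICV_LEN) + payload))


def esp_packet(src: bytes, dst: bytes, payload: bytes, next_hdr: int) -> bytes:
    # NULL encryption: no IV. Pad so that payload + padding + 2 trailer bytes is a
    # multiple of 4; padding bytes are 1, 2, 3, ... as RFC 4303 specifies by default.
    pad_len = (-(len(payload) + 2)) % 4
    body = payload + bytes(range(1, pad_len + 1)) + struct.pack("!BB", pad_len, next_hdr)
    esp_hdr = struct.pack("!II", SPI, SEQ)
    mac = icv(esp_hdr + body)      # the outer IP header is NOT covered
    ip_hdr = ipv4_header(src, dst, PROTO_ESP, 20 + len(esp_hdr) + len(body) + ICV_LEN)
    return ip_hdr + esp_hdr + body + mac


def esp_verify(pkt: bytes) -> bool:
    esp = pkt[20:]
    return hmac.compare_digest(esp[-ICV_LEN:], icv(esp[:-ICV_LEN]))


def esp_payload(pkt: bytes) -> tuple:
    """Strip the ESP header and trailer; return (payload, next_header)."""
    body = pkt[28:-ICV_LEN]
    pad_len, next_hdr = body[-2], body[-1]
    return body[:-(pad_len + 2)], next_hdr


def build(mode: str, proto: str, segment: bytes, src: bytes, dst: bytes,
          gw_src: bytes, gw_dst: bytes) -> bytes:
    """Transport mode protects `segment` between src and dst; tunnel mode wraps
    the whole original IP packet and addresses the outer header to the gateways."""
    if mode == "transport":
        payload, next_hdr, outer_src, outer_dst = segment, PROTO_TCP, src, dst
    else:
        original = ipv4_header(src, dst, PROTO_TCP, 20 + len(segment)) + segment
        payload, next_hdr, outer_src, outer_dst = original, PROTO_IPIP, gw_src, gw_dst
    make = ah_packet if proto == "ah" else esp_packet
    return make(outer_src, outer_dst, payload, next_hdr)


def rewrite_dst(pkt: bytes, new_dst: bytes) -> bytes:
    """Simulate an on-path attacker changing the outer destination address."""
    return pkt[:16] + new_dst + pkt[20:]


if __name__ == "__main__":
    SRC, DST = bytes([10, 1, 0, 5]), bytes([10, 2, 0, 9])               # constructed hosts
    GW_A, GW_B = bytes([203, 0, 113, 1]), bytes([198, 51, 100, 1])      # constructed gateways
    SEG = b"\x04\xd2\x01\xbbHELLO"                                      # constructed "TCP segment"
    ah = build("transport", "ah", SEG, SRC, DST, GW_A, GW_B)
    esp = build("transport", "esp", SEG, SRC, DST, GW_A, GW_B)
    print("AH  intact:", ah_verify(ah), " dst rewritten:", ah_verify(rewrite_dst(ah, GW_B)))
    print("ESP intact:", esp_verify(esp), " dst rewritten:", esp_verify(rewrite_dst(esp, GW_B)))
```

Decrementing the TTL (what every router does) leaves the AH check intact because TTL is a mutable field excluded from the ICV, while a rewritten destination address breaks it; ESP survives both, which is exactly the "AH protects the IP header, ESP does not" distinction.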
Tunnel Mode

• Host-to-Network, Network-to-Network

[Figure: Host A and Host B each have Application, Transport and IP layers and
exchange protected data; IPSec processing sits in the IP layer of the security
gateway (SG) at each end, and the gateways talk across the Internet.]

SG = Security Gateway
Transport Mode
• Host-to-Host

[Figure: Host A and Host B each have Application, Transport, IP (with IPSec)
and Data Link layers; IPSec processing is in the hosts' own IP layers.]

[Figure: transport mode vs. tunneling mode]
Outbound/Inbound IPSec Processing

• The inbound and outbound IPsec processing are completely
independent.

Outbound IPSec Processing
For each outgoing packet:
1. The SPD (IPSec policies) is consulted to find the policy entry that matches the packet.
2. The policy selects one of three outcomes:
   1. Drop the packet.
   2. Bypass IPSec.
   3. Apply IPSec: the outbound SA (SAout) is looked up in the SAD and used to
      protect the packet.

SPD = Security Policy Database
SAD = Security Association Database
SA = Security Association
Inbound IPSec Processing
Case 1: If IPSec headers exist
1. The inbound SA (SAin) is looked up in the SAD using the packet's SPI, and the
headers are processed (integrity, anti-replay, decryption).
2. The SPD is consulted to
determine if the packet
can be admitted based on
the SAin it arrived over.
Inbound IPSec Processing
Case 2: If IPSec headers are absent
1. The SPD is consulted to
determine the type of
service to afford this packet.
2. If certain traffic is required
to be IPSec protected and it is
not, it must be dropped.
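The outbound and inbound decision flow described above, as an added example that is not code from the slides. It models the SPD as an ordered list of traffic selectors with an action and the SAD as a table keyed by (SPI, protocol, destination), following the processing model of RFC 4301; no cryptography is performed, so an inbound AH/ESP packet is given its already-decapsulated inner packet so the policy check can be shown. The gateway addresses, subnets, SPIs and policy entries are constructed.

```python
"""Outbound and inbound IPsec processing against an SPD and an SAD.

Added example, not code from the original slides. Models RFC 4301's decision
flow: the Security Policy Database (SPD) is an ordered list of traffic
selectors with an action (DISCARD, BYPASS or PROTECT); the Security
Association Database (SAD) holds the negotiated SAs, looked up inbound by
(SPI, protocol, destination). All addresses, SPIs and policies are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DISCARD, BYPASS, PROTECT = "DISCARD", "BYPASS", "PROTECT"
ESP, AH, TCP, UDP = 50, 51, 6, 17


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    spi: Optional[int] = None            # set when an AH/ESP header is present
    inner: Optional["Packet"] = None     # decapsulated packet (assumed already processed)


@dataclass
class SPDEntry:
    local: str                  # CIDR of the local side
    remote: str                 # CIDR of the remote side
    proto: Optional[int]        # None = any protocol
    action: str
    conn: Optional[str] = None  # name of the SA pair PROTECT traffic must use

    def matches(self, local_addr: str, remote_addr: str, proto: int) -> bool:
        return (ip_address(local_addr) in ip_network(self.local)
                and ip_address(remote_addr) in ip_network(self.remote)
                and (self.proto is None or self.proto == proto))


@dataclass
class SA:
    conn: str
    direction: str   # "in" or "out"
    spi: int
    proto: int       # ESP or AH
    dst: str         # destination address of the protected packets


class IPsecNode:
    def __init__(self, spd, sad):
        self.spd = list(spd)                                     # ordered: first match wins
        self.sad = {(sa.spi, sa.proto, sa.dst): sa for sa in sad}

    def lookup_spd(self, local, remote, proto) -> Optional[SPDEntry]:
        return next((e for e in self.spd if e.matches(local, remote, proto)), None)

    def outbound(self, pkt: Packet) -> tuple:
        """Return (decision, detail): DISCARD, BYPASS, PROTECT with the SPI to use,
        or NEEDS_SA when policy requires protection but no SA exists yet."""
        entry = self.lookup_spd(pkt.src, pkt.dst, pkt.proto)
        if entry is None or entry.action == DISCARD:
            return (DISCARD, None)             # no matching policy => drop
        if entry.action == BYPASS:
            return (BYPASS, None)
        sa = next((s for s in self.sad.values()
                   if s.conn == entry.conn and s.direction == "out"), None)
        if sa is None:
            return ("NEEDS_SA", entry.conn)    # a real stack would trigger IKE here
        return (PROTECT, sa.spi)

    def inbound(self, pkt: Packet) -> str:
        if pkt.proto in (ESP, AH):
            # Case 1: IPsec header present. Find the SA by (SPI, proto, dst), then
            # check that the decapsulated packet was required to arrive over this SA.
            sa = self.sad.get((pkt.spi, pkt.proto, pkt.dst))
            if sa is None or sa.direction != "in" or pkt.inner is None:
                return DISCARD                 # unknown SPI or nothing to admit
            inner = pkt.inner
            entry = self.lookup_spd(inner.dst, inner.src, inner.proto)
            if entry is None or entry.action != PROTECT or entry.conn != sa.conn:
                return DISCARD                 # protected, but not by the policy's SA
            return "ACCEPT"
        # Case 2: no IPsec header. Only BYPASS traffic may enter in the clear;
        # traffic the SPD says must be protected is dropped.
        entry = self.lookup_spd(pkt.dst, pkt.src, pkt.proto)
        return "ACCEPT" if entry is not None and entry.action == BYPASS else DISCARD


# Constructed policy for gateway A (203.0.113.1, protecting 10.1.0.0/16) with a
# tunnel to gateway B (198.51.100.1, protecting 10.2.0.0/16).
SPD = [
    SPDEntry("203.0.113.1/32", "198.51.100.1/32", UDP, BYPASS),           # IKE between the gateways
    SPDEntry("10.1.0.0/16", "10.2.0.0/16", None, PROTECT, conn="net-net"),
    SPDEntry("10.1.0.0/16", "10.4.0.0/16", None, PROTECT, conn="net-c"),  # policy exists, no SA yet
    SPDEntry("10.1.0.0/16", "10.3.0.0/16", None, DISCARD),                # quarantined network
    SPDEntry("10.1.0.0/16", "0.0.0.0/0", None, BYPASS),                   # everything else in the clear
]
SAD = [
    SA("net-net", "out", 0x1000, ESP, "198.51.100.1"),
    SA("net-net", "in", 0x2000, ESP, "203.0.113.1"),
]
node = IPsecNode(SPD, SAD)

if __name__ == "__main__":
    print(node.outbound(Packet("10.1.0.5", "10.2.0.9", TCP)))     # ('PROTECT', 4096)
    print(node.inbound(Packet("10.2.0.9", "10.1.0.5", TCP)))      # DISCARD: should have been protected
```

Two details are the ones that matter operationally: an outbound packet with no matching SPD entry is dropped rather than sent in the clear, and an inbound packet that arrives unprotected from a network the policy says must be protected is dropped, even though the same packet arriving over the correct SA is admitted.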
Real World Deployment Examples

• VPNs
[Figure: two sites joined by security gateways (SG); traffic between the
gateways across the Internet is encrypted/authenticated]

• Wireless
[Figure: a wireless client tunnels to a security gateway across the Internet]
Conclusion

• The Internet was not created with security in mind.
• Communications can be altered, examined and exploited.
• There is a growing need to protect private information
crossing the public networks that make up the Internet
infrastructure.
• IPSec is a set of protocols and methodologies to create secure
IP connections.
