virtual private network
play

Virtual Private Network 1 Introduction Private network - - PowerPoint PPT Presentation

May 03, 2023 •190 likes •598 views

Virtual Private Network 1 Introduction Private network - physically disconnected from the outside Internet Users Authenticated Still vulnerable if the internal resources use IP address as the basis for authentication Content

  1. Virtual Private Network 1

  2. Introduction • Private network - physically disconnected from the outside Internet • Users Authenticated – Still vulnerable if the internal resources use IP address as the basis for authentication • Content Protected – Communication within the private network cannot be sniffed from outside. • Integrity Preserved – Nobody from outside the network can spoof. • If we grant access from outside to the private network, the attack surface will significantly broaden. 2

  3. Virtual Private Network VPN allows users to create a secure, private network over a public network, such as the Internet. • Outside computers must go through the VPN server to reach the hosts inside a private network via authentication. • VPN server is exposed to the outside, and the internal computers are still protected via firewalls or reserved IP addresses. Internet Firewall Client 3 VPN Server

  4. A Typical Setup This is a typical VPN setup where the “Client” machine wants to connect with machine “V” on a private network. “Client” uses the “VPN Server” to get authenticated to the private network IP Tunneling 4

  5. IP Tunneling IP Tunneling Firewall VPN Client IP Packet Destination for the destination IP Packet IP head Encrypted packet IP head Encrypted packet to VPN Server decrypt IP Packet IP head Encrypted packet IP head for the VPN server Forward to destination 9 5

  6. Two Types of IP Tunneling • IPSec tunneling – It uses IPSec protocol which operates at the IP layer and has a tunneling mode. – The entire IP packet is encapsulated into a new IP packet with a new header added. – Done at the kernel level 6

  7. Two Types of IP Tunneling • TLS tunneling – It uses TLS library at the application layer to achieve tunneling. – The entire IP packet is encapsulated into a new TCP/UDP packet with a new header added. – Done at the application level 7

  8. An Overview of How TLS/SSL VPN Works This is just a normal TCP or UDP based SSL connection Satellite Site Primary Site 8

  9. An Overview of How TLS/SSL VPN Works 1. Mutual authentication using PKC, password authentication 9

  10. An Overview of How TLS/SSL VPN Works Any packet to 10.0.8.x will be Any packet to 10.0.7.x will be 2. Routing routed to the VPN client routed to the VPN server 10

  11. An Overview of How TLS/SSL VPN Works • Encapsulate the frame received in a TLS packet and directed to the VPN server • Done in the application layer • Not easily achieved Promiscuous mode, Raw packets, filtering • Alternatively: Virtual Network Cards 11

  12. Virtual Network Cards • Most operating systems have two types of network interfaces: – Physical: Corresponds to the physical Network Interface Card (NIC) – Virtual: A virtualized representation of computer network interfaces that may or may not correspond directly to the NIC card. Example: loopback device • TUN Virtual Interface – Work at OSI layer 3 or IP level – Sending any packet to TUN will result in the packet being delivered to user space program • TAP Virtual Interfaces – Work at OSI layer 2 or Ethernet level – Used for providing virtual network adapters for multiple guest machines connecting to a physical device of the host machine 12

  13. TUN/TAP Interface • How can the Tunnel application get an IP packet? Socket – Typically, applications Interface interact with kernel using socket – Using socket, kernel only gives the data part of a packet to applications – Applications need to use a different way to interact with kernel 13

  14. Creating a TUN Interface The flag IFF_TUN specifies that we are creating a TUN interface Register a TUN device with the kernel 14

  15. Configure the TUN Interface • Find the TUN interface • Assign an IP address to the TUN interface and bring it up 15

  16. Set UP the Routing Routing packets to the tunnel 16

  17. Set UP the Routing All other traffic will be routed to Packets to this destination should be routed to the tun0 interface, i.e., they should go this interface, i.e., they will not go through the tunnel through the tunnel. 17

  18. Experiment: Reading From TUN Interface We did an experiment by sending a ping packet to 10.0.8.32. The packet was sent to the TUN interface and then to our program. We use “xxd” to read from the interface and convert the into hexdump . 0a00 0863: Source IP (10.0.8.99) IP Header 0a00 0820: Destination IP (10.0.8.32) 18

  19. Experiment: Writing To TUN Interface • We can write data to TUN interfaces. • We can create a valid packet using the same “xxd” command. • Copy-paste the xxd output from the previous slide into a file called “hexfile” and run “xxd –r hexfile > packetfile”. • Now we write the packetfile to the interface: • We should be able to observe the packet using Wireshark. 19

  20. Establish a Transport-Layer Tunnel • A tunnel is just a TLS/SSL connection. • Two applications (VPN client and server applications) just establish a TLS/SSL connection between themselves. • Traffics inside are protected by TLS/SSL • What makes this TLS/SSL connection a tunnel? – The payloads inside are IP packets – That is why it is called IP tunnel 20

  21. How to Send/Receive Packets via Tunnel Sending a packet via the tunnel Get an IP packet from the TUN interface • Encrypt it (also add MAC) • Send it as a payload to the other end of • the tunnel Receiving a packet from the tunnel Get a payload from the tunnel • Decrypt it and verify its integrity • We get the actual packet • Write the packet to the TUN interface • 21

  22. Monitoring Both Interfaces Each tunnel application has • two interfaces: socket and TUN Need to monitor both • Forward packets between • these two interfaces 22

  23. Implementation (Monitoring the 2 Interfaces) select() will be blocked until one of the interfaces has data. 23

  24. Implementation (TUN à Socket) Note: the encryption step is omitted from the code (for the sake of simplicity) 24

  25. Implementation (Socket à TUN) Note: the decryption step is omitted from the code (for the sake of simplicity) 25

  26. Case Study: Configuring a VPN 26

  27. Configure VPN Server • On VPN Server, we first run the server program. • Configure the tun0 interface. – We use 10.4.2.0/24 as IP prefix for the TUN interface (for both VPN Client and VPN Server) • The following two commands assign the IP address to the tun0, bring it up and then add a corresponding route to routing table. 27

  28. Configure VPN Client • On VPN Client, we first run the client program. • Add route for the 10.4.2.0/24 network. • Add a route, so that all the packets for 192.168.60.0/24 are routed to the tun0 interface. 28

  29. Configure Host V • The reply packets should go back via the same VPN tunnel, so that they are protected. • To ensure that, route all packets for the 10.4.2.0/24 network toward the tunnel. • For Host V, we route such packets to VPN Server. • Add the following routing entry to Host V: 29

  30. Testing VPN: ping Testing • Ping Host V from Host U and we see the following result: • The following figure shows the packets generated when we ping Host V (192.168.0.6). 30

  31. Packet Flow from Telnet Client to Server How packets flow from client to server when running “telnet 10.0.20.100” using a VPN VPN Program (Point A) VPN Program (Point B) Telnet 10.0.20.100 IP IP IP IP Encrypt Decrypt TCP TCP Telnet Program TCP TCP Data Data Data Data Data 10.0.4.1 10.0.5.1 UDP Port TCP Port UDP Port tun0 tun0 New IP New IP IP IP UDP UDP TCP Routing TCP Routing IP IP Data TCP TCP Data Data Data Kernel Kernel eth2 209.164.131.32 eth1 128.230.208.97 eth1 NIC Card NIC Card NIC Card Internet IP: 10.0.4.1 => 10.0.20.100 ` ` New IP: 209.164.131.32 => 128.230.208.97 10.0.20.100 10.0.20.101 31 (a) An Example of packet flow from telnet client to server in Host-to-Gateway Tunnel

  32. Packet Flow from Telnet Server to Client How packets return from server to client when running “telnet 10.0.20.100” using a VPN VPN Program (Point A) VPN Program (Point B) IP IP IP IP Telnet 10.0.20.100 Decrypt Encrypt TCP TCP TCP TCP Telnet Program Data Data Data Data Data 10.0.4.1 10.0.5.1 UDP Port TCP Port UDP Port tun0 tun0 New IP New IP IP UDP UDP IP TCP IP IP Routing TCP Data TCP TCP Data Data Data Kernel Kernel eth2 209.164.131.32 eth1 128.230.208.97 eth1 NIC Card NIC Card NIC Card Internet IP: 10.0.20.100 => 10.0.4.1 ` ` New IP: 128.230.208.97 => 209.164.131.32 10.0.20.100 10.0.20.101 (b) An Example of packet flow from telnet server to client in Host-to-Gateway Tunnel 32

  33. Bypassing Firewalls using VPN 33

  34. Bypassing Firewall using VPN: the Main Idea Send our Facebook-bound packets to the TUN interface towards VPN server • • VPN server will release our Facebook-bound packets to the Internet Facebook’s reply packets will be routed to the VPN server (question: why?) • VPN server sends the reply packets back to us via the tunnel • 34

  35. Experiment: Network Setup 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Virtual Private Networks with tjnc 1 Motjvatjon VPN, Virtual Private Network Extend

Virtual Private Networks with tjnc 1 Motjvatjon VPN, Virtual Private Network Extend

create your own exercise Hugues Fafard, Markus Mller Virtual Private Networks with tjnc 1 Motjvatjon VPN, Virtual Private Network Extend private network over public ones Useful for companies Remote access Network bridging

256 views • 9 slides
Virtual Private Networks -Prekshu Ajmera Virtual Private Network Internet runs on public

Virtual Private Networks -Prekshu Ajmera Virtual Private Network Internet runs on public

Virtual Private Networks -Prekshu Ajmera Virtual Private Network Internet runs on public lines that are insecure Need to communicate securely Private lines : costly option VPN Secure private communications over public

671 views • 27 slides
VPN Virtual Private Network Computer Center, CS, NCTU What is VPN Extension of a private

VPN Virtual Private Network Computer Center, CS, NCTU What is VPN Extension of a private

VPN Virtual Private Network Computer Center, CS, NCTU What is VPN Extension of a private network that encompasses links across shared or public networks like the Internet. Enable to send data between two computers across a shared or

942 views • 19 slides
Virtual Private Networks (VPN) 12: VPN, IPV6, NAT, MobileIP Last Modified: 4/9/2003 1:14:36 PM

Virtual Private Networks (VPN) 12: VPN, IPV6, NAT, MobileIP Last Modified: 4/9/2003 1:14:36 PM

Virtual Private Networks (VPN) 12: VPN, IPV6, NAT, MobileIP Last Modified: 4/9/2003 1:14:36 PM Adapted from Gordon Chaffees slides http://bmrc.berkeley.edu/people/chaffee/advnet98/ 4: Network Layer 4: Network Layer 4a-1 4a-2 Virtual

201 views • 9 slides
VPN Virtual Private Network linpc Computer Center, CS, NCTU Introduction Uses public

VPN Virtual Private Network linpc Computer Center, CS, NCTU Introduction Uses public

VPN Virtual Private Network linpc Computer Center, CS, NCTU Introduction Uses public telecommunication channels, such as the Internet or other network service, instead of leased lines channels. Described as Virtual because it is distant

563 views • 23 slides
VPN Virtual Private Network zswu Computer Center, CS, NCTU Introduction Uses public

VPN Virtual Private Network zswu Computer Center, CS, NCTU Introduction Uses public

VPN Virtual Private Network zswu Computer Center, CS, NCTU Introduction Uses public telecommunication channels, such as the Internet or other network service, instead of leased lines channels. Described as Virtual because it is distant

680 views • 23 slides
A virtual private network (VPN) allows the provisioning of private network services for an

A virtual private network (VPN) allows the provisioning of private network services for an

537 views • 30 slides
Sustainable Network Resource Management System for Virtual Private Clouds Takahiro Miyamoto

Sustainable Network Resource Management System for Virtual Private Clouds Takahiro Miyamoto

Sustainable Network Resource Management System for Virtual Private Clouds Takahiro Miyamoto Michiaki Hayashi Kosuke Nishimura KDDI R&D Laboratories Inc. CloudCom2010 Cloud computing environment Infrastructure as a Service (IaaS)

377 views • 20 slides
Realizing a Virtual Private Network using Named Data Networking September 28, 2017 Craig

Realizing a Virtual Private Network using Named Data Networking September 28, 2017 Craig

Realizing a Virtual Private Network using Named Data Networking September 28, 2017 Craig Partridge Samuel Nelson Derrick Kong Th This document does not contain technology or te technical data controlled under either the U.S. In Inter

431 views • 13 slides
The Web Week 10 LBSC 671 Creating Information Infrastructures Virtual Private Networks a

The Web Week 10 LBSC 671 Creating Information Infrastructures Virtual Private Networks a

The Web Week 10 LBSC 671 Creating Information Infrastructures Virtual Private Networks a secure private network over the public Internet Public Internet Intranet virtual leased line Intranet Tonight Think about what the Web

758 views • 63 slides
Corsi Linux Avanzati 2019 WireGuard (VPN) Davide Depau <davide@depau.eu> What is a Virtual

Corsi Linux Avanzati 2019 WireGuard (VPN) Davide Depau <davide@depau.eu> What is a Virtual

Corsi Linux Avanzati 2019 WireGuard (VPN) Davide Depau <davide@depau.eu> What is a Virtual Private Network? It's an infrastructure that extends a private network across a public network Devices connected to a VPN can contact the

587 views • 29 slides
Safiqul Islam INF -9090 Project Presentation University of Oslo 2 Outline

Safiqul Islam INF -9090 Project Presentation University of Oslo 2 Outline

Encrypted Tunnel Through Virtual Network Interface Safiqul Islam INF -9090 Project Presentation University of Oslo 2 Outline Introduction Background Virtual Private Network Virtual Network Interface Link Local

229 views • 22 slides
FreeBSD/VPC Virtual Private Cloud support (fka SDN) Virtualization Status bhyve(4) is a

FreeBSD/VPC Virtual Private Cloud support (fka SDN) Virtualization Status bhyve(4) is a

FreeBSD/VPC Virtual Private Cloud support (fka SDN) Virtualization Status bhyve(4) is a stable, performant hypervisor Network isolation is not core to bhyve(4) today Use of VNET(9) for manipulating FIBS for tap(4) interfaces is

445 views • 18 slides
4/22/2009 Private networks Problem You have several geographically separated Distributed

4/22/2009 Private networks Problem You have several geographically separated Distributed

4/22/2009 Private networks Problem You have several geographically separated Distributed Systems local area networks that you would like to have connected securely Virtual Private Networks Solution Set up a private network line

221 views • 3 slides
Virtual Private Networks Types of VPNs Tunneling Security Cmput 410 Presentations

Virtual Private Networks Types of VPNs Tunneling Security Cmput 410 Presentations

Virtual Private Networking Outline Introduction Virtual Private Networks Types of VPNs Tunneling Security Cmput 410 Presentations Encryption November 25 - 2004 Future of VPNs VPN - Definition a way to provide

595 views • 11 slides
Virtual Private Networks Distributed Systems Paul Krzyzanowski Private networks Problem You

Virtual Private Networks Distributed Systems Paul Krzyzanowski Private networks Problem You

4/25/08 Virtual Private Networks Distributed Systems Paul Krzyzanowski Private networks Problem You have several geographically separated local area networks that you would like to have connected securely Solution Set up a private

425 views • 7 slides
9/9/19 GAs: What are they used for? Genetic Algorithms Problems can be classified in different

9/9/19 GAs: What are they used for? Genetic Algorithms Problems can be classified in different

9/9/19 GAs: What are they used for? Genetic Algorithms Problems can be classified in different ways: Black box model Search problems CS 419/519 Optimization vs constraint satisfaction NP problems / 20 Black box model

489 views • 9 slides
Hard Problems Tyler Moore CSE 3353, SMU, Dallas, TX April 30, 2013 The many cases of finding

Hard Problems Tyler Moore CSE 3353, SMU, Dallas, TX April 30, 2013 The many cases of finding

Notes Hard Problems Tyler Moore CSE 3353, SMU, Dallas, TX April 30, 2013 The many cases of finding shortest paths Notes Weve already seen how to calculate the shortest path in an unweighted graph (BFS traversal) Well now study how to

634 views • 6 slides
Chapter 7 Approximation Algorithms CS 573: Algorithms, Fall 2013 September 17, 2013 7.0.0.1

Chapter 7 Approximation Algorithms CS 573: Algorithms, Fall 2013 September 17, 2013 7.0.0.1

Chapter 7 Approximation Algorithms CS 573: Algorithms, Fall 2013 September 17, 2013 7.0.0.1 Todays Lecture Dont give up on NP-Hard problems: (A) Faster exponential time algorithms: n O ( n ) , 3 n , 2 n , etc. (B) Fixed parameter

583 views • 13 slides
Testing Spontaneous Wavefunction Collapse Models on Classical Mechanical Oscillators Lajos Di

Testing Spontaneous Wavefunction Collapse Models on Classical Mechanical Oscillators Lajos Di

Testing Spontaneous Wavefunction Collapse Models on Classical Mechanical Oscillators Lajos Di osi Wigner Center, Budapest 28 Nov 2016, Budapest Lajos Di osi (Wigner Center, Budapest) Testing Spontaneous Wavefunction Collapse Models on

724 views • 13 slides
Automated deployment and customization of routing overlays on PlanetLab C. Freire, A.

Automated deployment and customization of routing overlays on PlanetLab C. Freire, A.

Automated deployment and customization of routing overlays on PlanetLab C. Freire, A. Quereilhac, T. Turletti, W. Dabbous {claudio-daniel.freire,alina.quereilhac,thierry.turletti,walid.dabbous}@inria.fr A primer to PlanetLab A worldwide

869 views • 39 slides
SoK: Sanitizing for Security Dokyung Song , Julian Lettner, Prabhu Rajasekaran, Yeoul Na, Stijn

SoK: Sanitizing for Security Dokyung Song , Julian Lettner, Prabhu Rajasekaran, Yeoul Na, Stijn

SoK: Sanitizing for Security Dokyung Song , Julian Lettner, Prabhu Rajasekaran, Yeoul Na, Stijn Volckaert, Per Larsen, Michael Franz Finding Bugs in C/C++ Manual Analysis Static Analysis Dynamic Analysis AddressSanitizer MemorySanitizer Code

658 views • 39 slides
OMNeT++ Community Summit, 2015 Beyond INET 3.0 IBM Research - Zurich, Switzerland September 3

OMNeT++ Community Summit, 2015 Beyond INET 3.0 IBM Research - Zurich, Switzerland September 3

OMNeT++ Community Summit, 2015 Beyond INET 3.0 IBM Research - Zurich, Switzerland September 3 - 4, 2015 Levente Mszros Overview Network node architecture refactoring Cross-layer communication and optimization Mobility refactoring

1.09k views • 38 slides
Private Networks Physically disconnected from the outside Internet. Three properties: Users

Private Networks Physically disconnected from the outside Internet. Three properties: Users

1 Virtual Private Networks Chester Rebeiro IIT Madras 2 Private Networks Physically disconnected from the outside Internet. Three properties: Users Authenticated. Users are authorized and their identities verified. Content Protected.

684 views • 37 slides

More recommend