Friday, 29 June 2012
Site to Site VPN, Remote VPN
A virtual private network (VPN) is a private network that interconnects remote (and often geographically separate) networks through primarily public communication infrastructures such as the Internet. VPNs provide security through tunneling protocols and security procedures such as encryption. For example, a VPN could be used to securely connect the branch offices of an organization to a head office network through the public Internet. A VPN can also be used to interconnect two similar-type networks over a dissimilar middle network for example, two IPv6 networks over an IPv4 network.
There are two main types of VPN: remote-access VPNs and Site-to-site VPNs.
Remote-access VPNs allow individual users to connect to a remote network such as roaming salespeople connecting to their company's intranet.
Site-to-site VPNs allow inter-connection of networks of multiple users for example, branch offices to the main company network. VPNs hence reduce costs as they eliminate the need for dedicated leased lines between networks, but instead use existing infrastructures to connect networks while adding a layer of security.
Intranet-based
It is when there are one or more remote locations that wish to join in a single private network, they can create an intranet VPN to connect each separate LAN to a single WAN.
Extranet-based
Extranet-based is like connecting LANs together. This extranet VPN allows different intranet to work together in a secure, shared network environment while preventing access to their separate intranets.
Client software
This software is require for people who wants to use VPN from their computers. This is needed to establish and maintain a connection to the VPN.The client software sets up the tunnelled connection to a NAS, which the user indicates by its Internet address. The software also manages the encryption required to keep the connection secure.
IPSec (ESP, AH, DES, MD5, SHA, DH)
Internet Protocol security (IPSec) is a framework of open standards for helping to ensure private, secure communications over Internet Protocol (IP) networks through the use of cryptographic security services. IPSec supports network-level data integrity, data confidentiality, data origin authentication, and replay protection. Because IPSec is integrated at the Internet layer (layer 3), it provides security for almost all protocols in the TCP/IP suite, and because IPSec is applied transparently to applications, there is no need to configure separate security for each application that uses TCP/IP.
The examples of IPsec are ESP, AH, DES, MD5, SHA, and DH.
IPSec helps provide defense-in-depth against:
• Network-based attacks from untrusted computers, attacks that can result in the denial-of-service of applications, services, or the network
• Data corruption
• Data theft
• User-credential theft
• Administrative control of servers, other computers, and the network.
Authentication Headers (AH)
AH provides connectionless integrity and data origin authentication for IP datagrams and provides protection against replay attacks.
Encapsulating Security Payloads (ESP)
ESP provide confidentiality, data-origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic-flow confidentiality.
Data Encryption Standard(DES)
DES is a widely-used method of data encryption using a private (secret) key . DES applies a 56-bit key to each 64-bit block of data. The process can run in several modes and involves 16 rounds or operations.
Message Digest 5(MD5)
MD5 is a widely used cryptographic hash function with a 128-bit hash value. MD5 is widely used in security-related applications, and is also frequently used to check the integrity of files. MD5 value of file is considered to be a highly reliable fingerprint that can be used to verify the integrity of the file's contents. If as little as a single bit value in the file is modified, the MD5 value for the file will completely change. Forgery of a file in a way that causes MD5 to generate the same result as that for the original file is considered to be extremely difficult.
SHA
The Secure Hash Algorithm is one of a number of cryptographic hash functions published by the National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard (FIPS):
Diffie-Hellman(DH)
The protocol has two system parameters p and g. They are both public and may be used by all the users in a system. Parameter p is a prime number and parameter g (usually called a generator) is an integer less than p, which is capable of generating every element from 1 to p-1 when multiplied by itself a certain number of times, modulo the prime p. However, it is vulnerable to a middleperson attack.
Security Associations (SA)
SA provides the bundle of algorithms and data that provide the parameters necessary to operate the AH and/or ESP operations. The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for authentication and key exchange, with actual authenticated keying material provided either by manual configuration with pre-shared keys, Internet Key Exchange (IKE and IKEv2), Kerberized Internet Negotiation of Keys (KINK), or IPSECKEY DNS records.
Public Key Infrastructure (Digital Cert)
PKI is a security architecture that has been
introduced to provide an increased level of confidence for exchanging
information over an increasingly insecure Internet. Public key
cryptography uses a pair of mathematically related cryptographic keys.
If one key is used to encrypt information, then only the related key can
decrypt that information.
A certificate is information referring to a public key, that has been digitally signed by a Certification Authority (CA). Certificates conforming to that standard include information about the published identity of the owner of the corresponding private key, the key length, the algorithm used, and associated hashing algorithm, dates of validity of the certificate and the actions the key can be used for. The CA takes responsibility for identifying (to a stated extent) the correctness of the identity of the person asking for a certificate to be issued, and ensures that the information contained within the certificate is correct and digitally signs it.
A certificate is information referring to a public key, that has been digitally signed by a Certification Authority (CA). Certificates conforming to that standard include information about the published identity of the owner of the corresponding private key, the key length, the algorithm used, and associated hashing algorithm, dates of validity of the certificate and the actions the key can be used for. The CA takes responsibility for identifying (to a stated extent) the correctness of the identity of the person asking for a certificate to be issued, and ensures that the information contained within the certificate is correct and digitally signs it.
Applications that use PKI:
- · Digital signatures
- · Smart card logon
- · Secure e-mail
- · Software code signing
- · IP Security (IPSec)
- · Software restriction policy
- · Internet authentication
- · Encrypting File System
- · PKI consist of a few components which are closely related together:
- · Certificate and CA management tools
- · Certification Authority (CA)
- · Registration Authority (RA)
- · Validation Authority (VA)
- · Attribute Authority (AA)
- · Attribute Certificates
- · Certificate Template
- · Digital Certificate
- · PKI enabled applications and services
Subscribe to:
Comments (Atom)