Convert your Linux box into a security Gateway, Part 2 (VPN)
By Murtuja Bharmal
http://null.co.in/
http://nullcon.net/
About Me
- No work, busy man…. Unemployed….
- Interest…. /dev/random….
- Co-founder of null…. :-D
- Ex-IBMer…..
- Earning my daily bread ("Dal, Roti ka jugad"): Security Consulting/Training
Prerequisites
- Basic concepts of networking, routing and NAT
- Knowledge of the TCP/IP model and communication protocols: IP, TCP, UDP, ICMP, DNS, HTTP/S, SMTP, FTP etc.
- How to install and use a Linux OS
- Some hands-on Linux command-line experience
Full Picture: Security Features of Linux
- Hardening the OS
- Firewall concept/configuration
- VPN concept/configuration
- IDS/IPS concept/configuration
- Proxy concept/configuration
- Antivirus concept/configuration
- Hardening services, i.e. web server, mail server, database etc.
Agenda for Today
- What is VPN
- Why VPN
- Benefits of VPN
- Types of VPN
- VPN concept
- VPN configuration (Openswan)
What is VPN (Misconception): diagram slide
What is VPN (Conceptually): diagram slide
What is VPN (Actually): diagram slide
Why VPN
- Businesses have grown beyond local and regional concerns. We now have to worry about global markets and logistics.
- We need to get connected efficiently and securely to our offices.
- Earlier, offices were connected through leased lines, from ISDN to OC3 (Optical Carrier 3, 155 Mbps) fibre. It proved to be expensive.
- With the wide use of the Internet, it became the medium to connect businesses together and also to connect offices using VPN.
- VPN, in short, is connecting networks together using a public network. It could connect a mobile user or a remote office to the head office using the Internet.
Benefits of VPN
- Extend geographic connectivity
- Reduce operational costs versus a traditional WAN
- Improve security
- Improve productivity?
- Provide global networking opportunity
- Provide broadband networking compatibility
- Provide telecommuter support
Types of VPN (Based on Technology)
- IPSec VPN – IP Security
- SSL VPN – Secure Sockets Layer
- MPLS – Multiprotocol Label Switching
- GRE – Generic Routing Encapsulation
- PPTP – Point-to-Point Tunneling Protocol
- L2TP – Layer 2 Tunneling Protocol
Types of VPN (Based on Functionality)
- Site-to-Site VPN
- Client-to-Site VPN
Site-to-Site VPN: diagram slide
Courtesy: http://nirlog.com

Client-to-Site VPN: diagram slide
Courtesy: http://nirlog.com
VPN Concept (Encryption)
- Translation of data into a secret code is called encryption.
- To decrypt data you must have access to a secret key or password.
- Unencrypted data is called plain text.
- Encrypted data is called cipher text.
Courtesy: http://www.webopedia.com
VPN Concept (Encryption)
There are two main forms of encryption:
- Symmetric encryption: each computer uses a secret key that it can use to encrypt data. The same key is used to decrypt the data too.
- Public key encryption: uses a combination of two keys, called the private key and the public key. The public key is given to everyone. The data is encrypted using the public key, and the private key is used to decrypt it.
Courtesy: http://www.webopedia.com
VPN Concept (Hash)
- Cryptographic hash functions are used, for example, to create a message digest.
- A hash function compresses the bits of a message to a fixed-size hash value in such a way that only one hash value is possible for a given message.
- The most widely used hash functions are MD5 and SHA-1.
Courtesy: http://www.webopedia.com
VPN Concept (IPSec)
Why do we need IPSec?
- A suite of protocols for securing network connections.
- IPSec provides mechanism, not policy.
- You can decide on any encryption algorithm or authentication method as long as both connecting parties agree.
Courtesy: http://www.unixwiz.net
IP Header: diagram slide
Courtesy: http://www.unixwiz.net
VPN Concept (IPSec Overview)
IPSec is a framework of open standards (from the IETF) that defines policies for secure communication in a network. Using IPSec, participating peers (computers or machines) can achieve data confidentiality, data integrity, and data authentication at the network layer.

The IPsec standard provides a method to manage authentication and data protection between multiple crypto peers engaging in secure data transfer. IPsec includes the Internet Security Association and Key Management Protocol (ISAKMP)/Oakley and two IPsec IP protocols: Encapsulating Security Payload (ESP) and Authentication Header (AH).

IPsec uses symmetric encryption algorithms for data protection. Symmetric encryption algorithms are more efficient and easier to implement in hardware. These algorithms need a secure method of key exchange to ensure data protection. The Internet Key Exchange (IKE) ISAKMP/Oakley protocols provide this capability.
Courtesy: http://cisco.com
Courtesy: http://ipv6.com
VPN Concept (IPSec Overview)
IPSec consists of the following two main protocols:
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)
VPN Concept (IPSec Mode)
Transport mode
IPsec transport mode works by inserting the ESP or AH header between the IP header and the next-protocol (transport-layer) header of the packet. Both IP addresses of the two network nodes whose traffic is being protected by IPsec are visible in the IP header of the post-encryption packet.

Tunnel mode
Tunnel mode works by encapsulating and protecting an entire IP packet. Because tunnel mode encapsulates, or hides, the IP header of the pre-encryption packet, a new IP header is added so that the packet can be successfully forwarded. The encrypting devices themselves own the IP addresses used in this new header. Tunnel mode can be employed with either or both IPsec protocols (ESP and AH). Tunnel mode results in additional packet expansion of approximately 20 bytes because of the new IP header. Tunnel mode is widely considered more secure and flexible than transport mode. IPsec tunnel mode encrypts the source and destination IP addresses of the original packet, and hides that information from the unprotected network.
Courtesy: http://www.unixwiz.net
VPN Concept (Difference in Modes)

    Original packet:  [IP Header][Data]

    Transport mode:   [Original IP Header][IPsec ESP Header][Data]
                                                            (optional encryption covers Data)

    Tunnel mode:      [New IP Header][IPsec ESP Header][Original IP Header][Data]
                      (outer IP header)               (inner IP header)
                                                      (optional encryption covers Original IP Header and Data)
Diagram slide
Courtesy: http://www.unixwiz.net
VPN Concept (Security Association)
A Security Association (SA) is an agreement between two peers engaging in a crypto exchange. This agreement includes the type and strength of the encryption algorithm used to protect the data. The SA also includes the method and strength of the data authentication and the method of creating new keys for that data protection.

ISAKMP Security Association (ISAKMP Phase 1)
The first phase is a "setup" stage where two devices agree on how to exchange further information securely. This negotiation between the two units creates a security association for ISAKMP itself: an ISAKMP SA. This security association is then used for securely exchanging more detailed information in Phase 2.

IPsec Security Associations (ISAKMP Phase 2), the data tunnel
In this phase the ISAKMP SA established in Phase 1 is used to create SAs for other security protocols. Normally, this is where the parameters for the "real" SAs for the AH and ESP protocols are negotiated.
VPN Concept (Phase 1: Main Mode): diagram slide
Courtesy: http://www.eetimes.com

VPN Concept (Phase 1: Aggressive Mode): diagram slide
Courtesy: http://www.eetimes.com
VPN Concept (Phase 1: Authentication)
IKE phase 1 has three methods to authenticate IPSec peers:
1. Pre-Shared Keys (PSK)
2. Public Key Infrastructure (PKI) using X.509 digital certificates
3. RSA encrypted nonces
VPN Concept (Phase 2: Quick Mode): diagram slide
Courtesy: http://www.eetimes.com
VPN Configuration (OpenSwan): Site-to-Site VPN topology

    Office 1 LAN 192.168.1.0/24
        |
      eth1 192.168.1.1
    [Office 1 VPN gateway]
      eth0 1.2.3.4  --> next hop 1.2.3.5  --> Internet --> next hop 5.6.7.9  --> eth0 5.6.7.8
                                                                            [Office 2 VPN gateway]
                                                                              eth1 172.16.1.1
                                                                                |
                                                                            Office 2 LAN 172.16.1.0/24
VPN Configuration (OpenSwan): Site-to-Site VPN – /etc/ipsec.conf
Courtesy: http://www.linuxhomenetworking.com

    conn net-to-net
        # key exchange method: pre-shared key, taken from /etc/ipsec.secrets
        authby=secret
        # public address of the Office 1 gateway (eth0) and the LAN behind it
        left=1.2.3.4
        leftsubnet=192.168.1.0/24
        # next hop towards the Internet, taken from the gateway's default route
        leftnexthop=%defaultroute
        # public address of the Office 2 gateway, its LAN and its upstream router
        right=5.6.7.8
        rightsubnet=172.16.1.0/24
        rightnexthop=5.6.7.9
        # auto=start brings the tunnel up when ipsec starts; auto=add only loads it
        auto=start
VPN Configuration (OpenSwan): Site-to-Site VPN – /etc/ipsec.secrets
Courtesy: http://www.linuxhomenetworking.com

    # pre-shared key for the 1.2.3.4 <-> 5.6.7.8 peer pair; the same line goes on both gateways,
    # and the file must stay readable by root only
    1.2.3.4 5.6.7.8 : PSK "nonebutourselvescanfreeourminds"
VPN Configuration (OpenSwan): Site-to-Site VPN – Other settings
Courtesy: http://www.linuxhomenetworking.com

    # /etc/sysctl.conf: let the gateway forward packets between eth1 (LAN) and eth0/the tunnel
    net.ipv4.ip_forward = 1

    # masquerade Office 1 LAN traffic going to the Internet via eth0, but not traffic for the
    # Office 2 LAN: that must keep its 192.168.1.x source so it matches the tunnel's leftsubnet
    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 ! -d 172.16.1.0/24 -j MASQUERADE
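The NAT rule and the conn block interact: as an added example (not from the slides or Openswan), the Python below models, in the order a NETKEY/xfrm kernel applies them, the nat POSTROUTING rule and then the IPsec policy for the deck's addresses, showing why the exclusion of 172.16.1.0/24 is needed and why the gateway's own address 1.2.3.4 is not covered by leftsubnet. The Internet destination 203.0.113.10 is a constructed documentation address.

```python
#!/usr/bin/env python3
"""Model of the egress packet path on the Office 1 gateway from the slides.
Added example, not Openswan code: nat POSTROUTING runs first, then the IPsec
policy lookup (the NETKEY/xfrm order, assumed here)."""
from ipaddress import ip_address, ip_network

# Office 1 gateway as drawn on the topology slide (addresses from the deck).
LEFT = ip_address("1.2.3.4")               # eth0, public side
LEFTSUBNET = ip_network("192.168.1.0/24")  # Office 1 LAN behind eth1
RIGHT = ip_address("5.6.7.8")              # peer gateway
RIGHTSUBNET = ip_network("172.16.1.0/24")  # Office 2 LAN


def nat_postrouting(src, dst, out_if, exclude_remote):
    """Model of
         iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 \
                  [! -d 172.16.1.0/24] -j MASQUERADE
    Returns the source address after the nat table has run."""
    src, dst = ip_address(src), ip_address(dst)
    if out_if != "eth0" or src not in LEFTSUBNET:
        return src
    if exclude_remote and dst in RIGHTSUBNET:
        return src                         # rule does not match: source untouched
    return LEFT                            # MASQUERADE: rewrite to eth0's address


def spd_lookup(src, dst):
    """Model of the outbound IPsec policy the conn installs: protect
    leftsubnet -> rightsubnet with ESP in tunnel mode to the peer.
    Returns the conn name on a match, else None (packet leaves in the clear)."""
    if ip_address(src) in LEFTSUBNET and ip_address(dst) in RIGHTSUBNET:
        return "net-to-net"
    return None


def egress(src, dst, exclude_remote=True):
    """What happens to a packet forwarded out of eth0.
    Returns (verdict, source_on_the_wire) with verdict one of
    'tunnel' (ESP to 5.6.7.8), 'masquerade' (NATed, sent in plaintext)
    or 'clear' (unchanged, plaintext).  A 'masquerade' verdict for a
    remote-LAN destination means the tunnel was bypassed."""
    nat_src = nat_postrouting(src, dst, "eth0", exclude_remote)
    if spd_lookup(nat_src, dst):
        return "tunnel", str(nat_src)
    if nat_src != ip_address(src):
        return "masquerade", str(nat_src)
    return "clear", str(nat_src)


if __name__ == "__main__":
    cases = [
        ("192.168.1.5", "172.16.1.5", True),    # LAN host to remote LAN, rule as on the slide
        ("192.168.1.5", "172.16.1.5", False),   # same, but MASQUERADE without the '! -d' exclusion
        ("192.168.1.5", "203.0.113.10", True),  # LAN host to the Internet (constructed address)
        ("1.2.3.4", "172.16.1.5", True),        # the gateway itself is not in leftsubnet
    ]
    for src, dst, excl in cases:
        verdict, wire_src = egress(src, dst, excl)
        print(f"{src:>12} -> {dst:<14} exclude_remote={str(excl):<5} "
              f"=> {verdict:<10} (source on the wire: {wire_src})")
```

The last case is why the Verification slide pings from a LAN host (192.168.1.5) rather than from the gateway: traffic sourced from 1.2.3.4 does not match the SA selector unless the conn is extended to cover it.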
VPN Configuration (OpenSwan): Site-to-Site VPN – Log
Courtesy: http://www.linuxhomenetworking.com

    104 "net-to-net" #1: STATE_MAIN_I1: initiate
    106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
    108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
    004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established
    112 "net-to-net" #2: STATE_QUICK_I1: initiate
    004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xe0bdd0e9 <0x13ac7645}
VPN Configuration (OpenSwan): Site-to-Site VPN – Verification/Debug
Courtesy: http://www.linuxhomenetworking.com

    [root@vpn2 tmp]# netstat -nr
    Kernel IP routing table
    Destination     Gateway         Genmask           Flags   MSS Window  irtt Iface
    10.0.0.0        0.0.0.0         255.255.255.0     U        40 0          0 eth1
    6.25.232.0      0.0.0.0         255.255.255.248   U        40 0          0 eth0
    172.16.1.0      1.2.3.4         255.255.255.0     UG       40 0          0 ipsec0

    tcpdump -n -i ipsec0 icmp
    03:05:53.971308 IP 192.168.1.5 > 172.16.1.5: icmp 64: echo request seq 89
    03:05:53.995297 IP 172.16.1.5 > 192.168.1.5: icmp 64: echo reply seq 89

    tcpdump -n -i eth1 host 5.6.7.8
    02:08:23.637149 IP 1.2.3.4 > 5.6.7.8: ESP(spi=0xf4909a7e,seq=0x73)
    02:08:24.635302 IP 5.6.7.8 > 1.2.3.4: ESP(spi=0x808e9a87,seq=0x74)
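To turn the Log and Verification slides into a repeatable check, here is an added Python example (not part of the slides or Openswan) that parses the Pluto state lines and the tcpdump ESP lines in the formats shown above, reports whether phase 1 and phase 2 completed and with which SPIs, and names the usual cause when the negotiation stalls; the sample input is copied from the slides.

```python
#!/usr/bin/env python3
"""Added example: check an Openswan site-to-site negotiation from its Pluto
log lines and from tcpdump output on the public interface."""
import re

# Pluto status lines:  <rc-code> "<conn>" #<state-object>: STATE_xxx: <text>
PLUTO_RE = re.compile(
    r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<num>\d+): (?P<state>STATE_[A-Z0-9_]+):\s*(?P<rest>.*)$')
# Outbound/inbound ESP SPIs reported when the IPsec SA comes up.
SPI_RE = re.compile(r'ESP=>(?P<out>0x[0-9a-fA-F]+) <(?P<in>0x[0-9a-fA-F]+)')
# tcpdump -n on the public interface: ESP packets between the gateways.
ESP_RE = re.compile(
    r'^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\)')

# Initiator end states of phase 1 (main mode) and phase 2 (quick mode).
PHASE1_DONE = "STATE_MAIN_I4"
PHASE2_DONE = "STATE_QUICK_I2"


def parse_pluto(lines):
    """Walk the state transitions and report how far the negotiation got."""
    result = {"conn": None, "states": [], "phase1": False, "phase2": False,
              "spi_out": None, "spi_in": None}
    for line in lines:
        m = PLUTO_RE.match(line.strip())
        if not m:
            continue                      # not a state line: ignore
        result["conn"] = m["conn"]
        result["states"].append(m["state"])
        if m["state"] == PHASE1_DONE and "ISAKMP SA established" in m["rest"]:
            result["phase1"] = True
        if m["state"] == PHASE2_DONE and "IPsec SA established" in m["rest"]:
            result["phase2"] = True
            s = SPI_RE.search(m["rest"])
            if s:
                result["spi_out"], result["spi_in"] = s["out"].lower(), s["in"].lower()
    return result


def diagnose(result):
    """Map the last state reached to its usual cause when the tunnel is not up."""
    if result["phase2"]:
        return "established"
    if not result["states"]:
        return "no negotiation logged: is pluto running and the conn loaded (auto=start/add)?"
    last = result["states"][-1]
    if last == "STATE_MAIN_I1":
        return "no reply to MI1: peer unreachable, UDP/500 blocked, or no matching phase 1 proposal"
    if last in ("STATE_MAIN_I2", "STATE_MAIN_I3"):
        return "phase 1 stalled before MAIN_I4: typically a pre-shared key mismatch"
    if last == "STATE_QUICK_I1":
        return "phase 1 up but phase 2 stalled: subnet or ESP proposal mismatch"
    return f"stalled at {last}"


def esp_flows(lines):
    """Group ESP packets seen by tcpdump: (src, dst) -> set of SPIs."""
    flows = {}
    for line in lines:
        m = ESP_RE.match(line.strip())
        if m:
            flows.setdefault((m["src"], m["dst"]), set()).add(m["spi"].lower())
    return flows


def both_directions(flows, left, right):
    """True when ESP was captured in both directions between the two gateways."""
    return (left, right) in flows and (right, left) in flows


# Sample input copied from the deck's Log and Verification slides.
SAMPLE_LOG = """
104 "net-to-net" #1: STATE_MAIN_I1: initiate
106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established
112 "net-to-net" #2: STATE_QUICK_I1: initiate
004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xe0bdd0e9 <0x13ac7645}
""".strip().splitlines()

SAMPLE_TCPDUMP = """
02:08:23.637149 IP 1.2.3.4 > 5.6.7.8: ESP(spi=0xf4909a7e,seq=0x73)
02:08:24.635302 IP 5.6.7.8 > 1.2.3.4: ESP(spi=0x808e9a87,seq=0x74)
""".strip().splitlines()

if __name__ == "__main__":
    r = parse_pluto(SAMPLE_LOG)
    print(f"{r['conn']}: phase1={r['phase1']} phase2={r['phase2']} "
          f"spi_out={r['spi_out']} spi_in={r['spi_in']} -> {diagnose(r)}")
    f = esp_flows(SAMPLE_TCPDUMP)
    print("ESP seen in both directions:", both_directions(f, "1.2.3.4", "5.6.7.8"))
```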
Questions?

Contact: void@null.co.in, bharmal.murtuja@gmail.com
Courtesy: http://www.wien2k.at