Srisp Curs 11

Description: Cryptography

Transcript of Srisp Curs 11

  • Course 11: Tunneling. VPN

    Network Services for ISPs

    13 May 2010

    SRISP Curs 11, Tunneling. VPN 1/25

  • Outline

    Introduction

    VPN: Virtual Private Networks

    IPsec

    OpenVPN

    Conclusions

    Questions

  • Tunneling

    - encapsulating the payload of one protocol inside another protocol

    - security

    - interoperability

    - in general the delivery protocol operates at a higher layer than the encapsulated one (the reverse of a normal protocol stack)

  • Tunneling at the data link layer

    - L2TP: Layer 2 Tunneling Protocol

    - session-layer protocol (uses UDP)

    - used to implement virtual private networks (VPNs)

    - no support for encryption or confidentiality

  • Tunneling at the network layer

    - IP-IP

    - 4in6

    - 6in4

    - GRE: Generic Routing Encapsulation

    - encapsulation inside the IP packet

    - stateless

    - PPTP: Point-to-Point Tunneling Protocol

    - control channel over TCP and GRE tunneling

    - encapsulates PPP packets

  • Tunneling at the application layer

    - SSH tunneling

    - ssh user@IP_NUMBER -L 10080:www.google.com:80

    - HTTP tunneling

    - encapsulation inside the HTTP protocol

    - requires an intermediary server

    - corkscrew: SSH tunneling through HTTP proxies


  • VPN

    - private communication over a public infrastructure

    - no need to allocate a dedicated line/infrastructure

    - uses tunneling: encapsulating one protocol inside another protocol

    - confidentiality, authentication, integrity

  • Securing VPNs / Types of implementations

    - IPsec

    - TLS/SSL

    - DTLS/MPPE/SSTP (Cisco, Microsoft)

    - SSH


  • IPsec

    - protocol suite for securing IP (the IPsec suite)

    - authentication and encryption of every IP packet

    - applications are not aware that IPsec is in use (they need not be modified or redesigned)

  • The IPsec suite

    - SA (security association); IKE/IKEv2 (Internet Key Exchange)

    - protocols/algorithms for negotiating and generating keys

    - AH (Authentication Header): authentication and integrity

    - ESP (Encapsulating Security Payload): confidentiality

    - IPsec stacks: *BSD, Windows, Linux

  • IPsec diagram (image)

  • IPsec on Linux

    - history: FreeS/WAN, KAME

    - kernel patches

    - KLIPS for the 2.4 kernel

    - currently Linux NETKEY (native), based on KAME

    - the ipsec-tools and racoon packages

  • OpenSwan

    - fork/continuation of FreeS/WAN

    - creating a certificate

    - apt-get install openswan

    - /etc/ipsec.secrets, /etc/ipsec.conf

    - /etc/init.d/ipsec

  • StrongSwan

    - packages: strongswan-ikev2, strongswan-starter

    - a certificate is generated

    - /etc/ipsec.conf, /etc/ipsec.d/

    - /etc/init.d/ipsec


  • OpenVPN

    - VPN implementation over TLS/SSL

    - authentication based on certificates/keys or on username

    - uses OpenSSL

    - runs over TCP or UDP

    - runs in user space

  • Networking in OpenVPN

    - TCP/UDP

    - TUN interfaces (layer 3, IP tunnel)

    - TAP interfaces (layer 2, Ethernet)

    - port 1194 is reserved for OpenVPN

  • Installation and configuration

    - apt-get install openvpn

    - mknod /dev/net/tun c 10 200

    - modprobe tun

    - (A) openvpn --remote public_B --dev tun0 --ifconfig a.a.a.a b.b.b.b --port yyyy

    - (B) openvpn --remote public_A --dev tun0 --ifconfig b.b.b.b a.a.a.a --port yyyy

    - openvpn --genkey --secret key

  • Configuration

    - /etc/openvpn/

    - /etc/init.d/openvpn

    - /etc/openvpn/openvpn.conf

    - openvpn --config /etc/openvpn/openvpn.conf
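The two slides above list the steps of a point-to-point OpenVPN tunnel with a static pre-shared key; the script below is an added example (not part of the course material) that carries them through: it prepares the TUN device, generates the key, and writes an /etc/openvpn/openvpn.conf for one peer. Hosts A and B, the tunnel addresses 10.8.0.1/10.8.0.2, port 1194, the key path and the nobody/nogroup account (Debian-style) are assumed values.

```shell
#!/bin/sh
# Added example: OpenVPN peer-to-peer tunnel with a static key (assumed values).
set -e

# Create the TUN/TAP device node and load the module (needs root).
prepare_tun() {
  [ -e /dev/net/tun ] || { mkdir -p /dev/net; mknod /dev/net/tun c 10 200; }
  modprobe tun 2>/dev/null || true     # already built in on many kernels
}

# Generate the shared static key once, on one host, then copy it to the
# peer over a trusted channel (e.g. scp). umask 077 keeps it 0600: whoever
# can read this file can decrypt and inject traffic on the tunnel.
gen_static_key() {
  umask 077
  openvpn --genkey --secret "$1"
}

# Print the configuration for one peer of the tunnel.
# $1 = peer's public address, $2 = local tunnel IP, $3 = remote tunnel IP,
# $4 = UDP port, $5 = static key file
p2p_conf() {
  printf '%s\n' \
    "remote $1" \
    "dev tun0" \
    "ifconfig $2 $3" \
    "port $4" \
    "secret $5" \
    "proto udp" \
    "persist-key" \
    "persist-tun" \
    "keepalive 10 60" \
    "user nobody" \
    "group nogroup" \
    "verb 3"
}

# Usage on host A (host B swaps the two tunnel addresses):
#   prepare_tun
#   gen_static_key /etc/openvpn/static.key
#   p2p_conf public_B 10.8.0.1 10.8.0.2 1194 /etc/openvpn/static.key \
#     > /etc/openvpn/openvpn.conf
#   openvpn --config /etc/openvpn/openvpn.conf
```

persist-key and persist-tun are what let the daemon keep working after dropping to nobody/nogroup, so the privilege drop and these two lines go together.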


  • Keywords

    - tunneling

    - VPN

    - L2TP

    - GRE

    - IPsec

    - AH, ESP

    - FreeS/WAN

    - StrongSwan

    - OpenVPN

  • Useful links

    - http://en.wikipedia.org/wiki/Tunneling_protocol

    - http://en.wikipedia.org/wiki/Virtual_private_network

    - http://www.ipsec-howto.org/

    - http://www.openswan.org/

    - http://www.strongswan.org/

    - http://openvpn.net/
