VPNs Flashcards

Question

VPN Hierarchy

Answer 1

Ethernet frames are exchanged between hosts. * VP LAN Service: terminals are connected as if they were in the same LAN; broadcast packets are allowed. * VP Wire Service: virtualizes a dedicated line; any protocol can be used. * IP-only LAN-like Service: virtualized IP network, only IP packets are allowed(ICMP ARP); CE are IP routers or hosts (not Ethernet switches).

Answer 2

Layer 3 packets are forwarded through the public network. Routing based on layer 3 addresses: * - peer: vpn/corporate/customer addresses. * - ovelay: backbone addresses. CEs are either ip routers or hosts. Tunneling: * - GRE, IPSec: IP-in-IP * - L2TP, PPTP (based on GRE): layer 2 frame within IP packet. Tunnelling does not ensure security by itself

Answer 3

VPN built using TCP connections: tunnels realized by TCP. Security achieved with SSL/TLS. Tunnels can possibly be terminated on end systems.

Answer 4

Generic Routing Encapsulation Able to encapsulate any protocol inside a virtualized point-to-point links over IP. Deployed by PPTP. GRE header sits between IP header and payload. Campi interessanti: * - CRKS: presence/absence of flags * - strict source routing (s): discarded packet if source routing list is empty and destination hasn't been reached yet. * - Recur: max number of additional encapsulation permitted. * - Protocol: ID of payload protocol * - Routing: Sequence of router ip addresses for for source routing. Other mechanisms: * - Flow control (sliding window) * - Out of order packets (discarded bc PPP cannot handle out of order) * - Timeout values: recomputed each time an ack packet is received * - Congestion control: * - Timeout do not cause retrasmission (their value shoud be rapidly increased).

Answer 5

Contains also source routing info. IP address list: source routing information (list of ASs or routers to traverse). SRE Offset: byte of IP address of current next hop (updated at each source route hop) SRE Length: total address list length (in bytes).

Answer 6

Deployed by PPTP. Contains Ack. number, so that delivery of packets by remote-end point can be notified. Advanced features: * Key High: Payload length: no of byets excluding GRE header. * Key low: call id: session id for this packet * Sequence number: order delivery, error detection and correction * Ack number: Cumulative ack.

Answer 7

Ensure data has not been modified

Answer 8

Data cannot be accessed by anyone else than intended destination.

Answer 9

1. Users requests remote access PPP connection to NAS, asking to negotiate config parameters (LCP, NCP). 2. NAS verifies user idenity through security server (RADIUS PROTOCOL) 3. NAS requests to open a VPN tunnel, linked to the user, with the corporate GW, using an IP packet, using the public IP addr. of Corp GW. 4. Corp. GW verifies idenitity via Corp. Security Server. 5. Corp. GW gives the NAS the configuration parameters for VPN tunnel, including private corporate IP. 6. NAS (optionally) records the connection and the traffic for billing pourpuses. 7. Corporate GW gives the user configuration parameters for PPP connection, including private IP address of Corp. Gateway. 8. NAS forwards the reply to the user. Once the VPN connection is live, the user has only the corporate ip address, they are not aware of the tunnel between the NAS and the company. Pros: user can access internet only through Corp. GW. Cons: user is dependent upon SP, can't change it, otherwise connection will not work. packet: IP H | PPP H| IP H | payload IP s: nas| |s:user corp ip| d: gw | |d:corp ip|

Answer 10

1. Users requests remote access PPP connection to NAS, asking to negotiate config parameters (LCP, NCP). 2. NAS verifies user idenity through security server (RADIUS PROTOCOL) 3. NAS sends the user config. param.s to connect via PPP to the remote access, in particular public IP address. 4. User request opening of VPN tunnel via the corporate gateway, sending an IP packeting inside a PPP frame, where the destination IP address is the one of the Corp. GW. 5. NAS forwards the requests. 6. Corp. GW verifies idenitity via Corp. Security Server. 7. Corp. GW gives the user the configuration parameters for VPN tunnel, including private corporate IP. 8. NAS forwards the reply to the user. Pros: user is indipendent from SP, the latter provides only the internet connection Cons: the user could disable the connection temporarily, getting infected and infecting the corp. network

Answer 11

Customer Provider remote host has 2 addr. |r.h. 1 address (corp) r. h. terminates vpn tunn.|NAS terminates tunn. r. h. must activate tunnel |r.h. always on vpn can use any isp |require specific isp

Answer 12

Link control protocol Used in access VPNs to negotiate config parametrs for layer 2. Opens and closes PPP connections.

Answer 13

Network control protocol Used in access VPNs to negotiate config of layer 3 params.

Answer 14

Point to point protcol Layer 2 protocol used in point-2-point connections (remote access, ISDN) to incapsulate higher level protocols.

Answer 15

Layer 2 Tunneling protocol It enables the tunneling of any layer 2 protocol through IP. The LAC simulates a PPP connection with the corporate server. 1. PPP frames arrives to LAC, that instantiate a tunnel L2TP with LNS if not already present. 2. To establish connection with LNS, LAC authenticates to the LNS using Challenge Handshake Auth. Prot., creating a new connection. There are 2 channels for each connection: - data channel - control channel: to manage communication, to control the order of the packets and to relay to lost ones. Notice that PPP frames are always in order and can be lost. Multiple sessions can exist inside the same tunnel, that share the same control channel. Security: it does not make sense to use crypto for L2TP packets, since the service provider can see layer 2 frames. Any security measure must be implemented end2end. Optionally IPSec can be used through the tunnel, even though it's complicated to configure.

Answer 16

T: 0 -\> data 1 -\> control Ns: sequence number Nr: sequence number of next control messae

Answer 17

The reason for UDP? A packet without a layer 4 incapsulation is more likely to be discarded by a firewall. Also since L2TP wants to be an alternative to PPTP (proposed by OS vendors), L2TP engineers wanted the protocol to be accessible at the application level, not kerenl level, since OS is responsible for layer 3.

Answer 18

Point-to-Point Tunneling Protocol Originally developed for Customer Provisioned Access VPNs, later was expanded for the use in Provider provisioned Access VPNs by adding a PAC (PPTP Access Concetrator) that is similar to a LAC. Developed by OS vendors, like Microsoft. PPTP enables the remote user to connects directly to the PPTP network server (PNS). PPTP doesn't allow for protocol negotiation, there are optional security measures, like MPPE (crypto protocol by MSFT) and MS CHAP for authentication. For these reasons security is considered poor.

Answer 19

Data channel: PPTP ses Enhanced GRE to incapsulate PPP frames in IP. Payload could be encrypted with MPPE. Control channel: Control messages are necessary for establishment, management and closure of the connection. Sent at TCP port 1723 (PNS).

Answer 20

Security Association Identified by SPI that is included in both AH and ESP headers. Set of agreements between the two parties, about the keys and the algorithms to use for authentication (AH) and cryptography (ESP).

Answer 21

Inside: no inspection of VPN traffic Prallel: potential uncontrolled access Outside: most consistent, VPN gw protected by access router. Integrated: maximum flexibility.

Answer 22

AH: AH authenticates the entire IP Header -\> NATs need to change src/dst IP addresses, thus the authentication will not work. ESP: Encrypts IP payload, NATs will not be able to read tcp/upd prots and change IP adresses to manage multiple VPN-sites. Do we really need NAT for VPN? Well, no, if multiple sites' address spaces are not colliding, since the IP packet has the VPN gateway as a destination (public address and unique). If, we are in an extranet deployment scenario this might not be the case, most of the time we need a NAT inside the external company network that translates source addresses before packets reach the external company's VPN gateway. Only in this situation NAT works, in any other case NAT impedes IPsec from working.

Answer 23

IDS === Intrusiond detection system IDS is isually outside firewall, this is a problem because it cannot inspect VPN traffic. Solution: Multiple Probes, outside the firewall and after the unwrapping of the VPN traffic.

Answer 24

Dedicated Router: * - Service provider operates a network of routers dedicated to the single customer * - Viable only for major clients Shared Router: * - Also called virtual router. * - Service provider virtualizes rotuers to separate clients instances. * - High-end routers hundreds of virtual routers * - Packet exchange through IPsec or GRE tunnels. MPLS.

Answer 25

PWE3 === Pseudo Wire Emulation End-to-End. * - Several devices on the same network: IP, leased lines, Frame relay, ATM, ethernet * - CE device has native service interface * - Traffic between CEs is carried through an LSP. * - 2 labels: external (LSP between LSRs) and internal (multiplexing serveral users/services to the same access point) * - LSP setup is mainly manual. * - There may be aggregation devices inside the network (ATM switch)

Answer 26

Provider provisioned solutions: * - policies implemented by SP * - Customers need no experience Scalability: large scale deployments Two solutions: * - BGP: initially supported by Cisco systems, most widely deployed * - Virtual router: initially supported by Nortel and Lucent

Answer 27

CE routers connect with PE r.: * - advertising destinations * - receiving advs of other VPN destinations * - Static routing or IGP Provider routers have routes only to PE routers. PEs setup LSP among themselves: * - LDP and/OR RSVP * - Topology based label binding PE routers exchange routing info: * - I-BGP (Interior-border gateway protocol) * - IGP in VR solutions PE keeps routes only for active VPN connections.

Answer 28

PE Routing exchanges info through I-BGP. VRF table, VPN Routing and Forwarding: * It is contained in PE routers, they use it to understand to which PE they need to send the packet, then they attach the label referring to it on top of the label for the Customer edge. * Associated to one or more ports. * contains forwarding information to be used for traffic received through the port. Benefits of VRF: * - no addressing plan constraints * - no exchange of info between CEs * - Provider don't have a virtual backbone per customer. * - VPN can span multiple providers * - Security equivalent to frame relay or atm (traffic isolation but no crypted) * - QoS supported through experimental bits in MPLS header. Routing exchanges at edges based on MP-BGP: support for different families of adresses. Route Filtering: PE routers determine which routers to install in VRF. Support for overlapping addresses: Route Distinguisher + IP address

Answer 29

PEs execute a virtual ruoter instance for each VPN. Each VR instance has separate data structures. VRs of same VPN communicate through LSPs.

Answer 30

Could be used to create Site-to-Site VPN and Access VPN, but is mainly used in Pseudo VPN to guarantee secure access to services, through TCP/UDP based tunneling. The main point favoring SSL VPNs is the high probability they have to work in any network scenario, without problems with NAT, Firewalls and routers.

Answer 31

IPsec vs SSL: Pros: * IPsec is much more complicated to configure and manage. SSL requires only to compile the application with an SSL library. * Security: an SSL attack involves only the application, not compromising the OS. * Maturity: used since many years with many versions =\> few bugs. * Compatibility with NAT traversal: * no authentication at the IP level -\> ssl is the payload of tcp/udp * no crypto. of the ports as with ESP of IPsec Cons: * Vulnerable to DDoS attacks: packets need to be processed until the transport layer, IPsec process the packets only at IP level SSL overcomes some limits of PPTP: * low interoperability outside MSFT platforms * some net admins could configure routers to block GRE, since they might dislike source routing.

Answer 32

* Web Proxying * Application Translation * Port forwarding * SSL'ed protocols * Application proxying * Network extension (Only non-pseudo VPN option) * Site-to-site connectivity

Answer 33

The server might not support HTTPS: use VPN gatewar at the border of the company, download the web page from the server via HTTP, then deliver the packet outside the company network through HTTPS.

Answer 34

Client runs an application that supports a applicative protocol: a port forwarder installed inside the client converts the packets, sent to a specific port, from the applicative protocol in HTTPS packets, sending them to another port.

Answer 35

Web server it's an applicative server (mail server) that supports an applicative protocol, the VPN gateway converts HTTPS into applicative protocol and viceversa suing port forwarding inside the VPN gateway. Example: gmail.

Answer 36

Some protocols can integrate natively SSL (STMP-over-SSL, POP-over-SSL). Client and server can communicate directly in a secure way, without any VPN gateway.

Answer 37

Client uses an SSL'ed protocol, but server does not support it, so a VPN gateway is necessary a port forwarding mechanism.

Answer 38

Web server doesn't support SSL: 2 VPN gateways are necessary, one one the server-side and one on the client-side.

Answer 39

* Interoperability * Product specific features * Implementation weaknesses * Availability of client on specifi platforms

VPNs Flashcards

(64 cards)