虛擬私有網路 VPN (Virtual Private Network) VPN的資料安全 - PPTP、L2TP、IPSec 第十章 VPN與通道技術IPSec 虛擬私有網路 VPN (Virtual Private Network) VPN的資料安全 - PPTP、L2TP、IPSec
課程大綱 VPN 基本原理 PPTP ( Point-to-Point Tunneling Protocol ) L2TP ( Layer 2 Tunneling Protocol ) IPSec ( IP Security )
什麼是 VPN ? Virtual (虛擬) – 邏輯連結 Private (私人) – 僅限某些人可以使用 Network (網路) – 藉由通訊纜線連結的電腦 「虛擬私人網路」- “公器私用”的技術,透過隨處可得的 Internet(公器) 來建立安全的通訊管道(tunnel) ,合法的使用者可以很方便的從任何地方登入公司的內部網路,並安全地使用公司私有的網路資源(私用)
What is VPN ? VPN (Virtual Private Network)在公眾數據網路(Internet)上建構如同專線連線的企業網路內部網路,稱為“虛擬私有網路(Virtual Private Network),可以讓遠端的區域網路(LAN)或是個人用戶透過身份驗證與加密技術的保護,在公眾網路上建立一個個獨立的通道(tunnel)連接到企業網路上來傳遞語音或數據資料。
傳統遠地通訊連線架構 數據專線 T1, Frame Relay ISDN, ATM 遠地分公司 企業總部 客戶及供應商 In the traditional networking model, companies purchased dedicated leased lines to link corporate sites. For remote employees, companies purchased 800 numbers and large modem banks. This solution often made it impossible to justify connecting small remote offices to the corporate network. Furthermore, connecting suppliers, contractors and business partners was simply too time consuming and too expensive to even consider. Do to the growing demand of virtual networking, it became obvious that this solution was not scalable. 客戶及供應商 Remote User 撥接長途連線 Modem Bank
應用 Internet VPN 大幅降低遠程通訊連線成本 Virtual Private Networking 應用 Internet VPN 大幅降低遠程通訊連線成本 通勤及全球出差漫遊員工 Internet 企業總部 沒有 VPN 加密功能 eMail 就如寄 “明信片” A Virtual Private Network (VPN) is an umbrella term that refers to all technologies enabling secure communications over the public Internet. VPNs allow organizations to securely extend a LAN over the Internet to remote networks and remote clients by encrypting the data traffic. With the advent of VPN technology, it is now possible to use public networks to cost-effectively broaden the reach of Intranet applications. VPNs constitute the ideal infrastructure for creating extranets, making them practical and affordable. Companies can now provide a secure method for the exchange of data and other resources with trusted partners, suppliers, and key business associates. 客戶及供應商 遠地分公司
為什麼 VPN 可降低通訊成本 ? Public Internet 企業總部 客戶及供應商 遠地分公司 通勤及全球出差漫遊員工 本地 ISP ADSL, Cable 服務 本地 ISP T1 高速專線 客戶及供應商 Public Internet 本地 ISP ADSL, Cable, T1 服務 By replacing long-haul leased lines with local connections to Internet Service Providers, companies save on mileage charges. Because local Internet connections are less expensive, it becomes possible to connect remote offices and business partners together without the added cost of leased connections. Mobile employees can simply dial into a local service provider, eliminating the need for costly 800 numbers and modem banks. 撥接本地 ISP 服務 遠地分公司 通勤及全球出差漫遊員工
VPN 是如何運作的 ? Internet 1. 連線到Internet. 2.從遠端連線到公司內部私有網路. 3. 啟動安全連線機制並連線到公司網路的 VPN gateway. Internet 4.安全認證(Authenticate)連線者身份. 5. VPN 通道(Tunnel)建立完成 6. 開始傳送連線資料 Intranet Step 1: Connect to the Internet The first step is for the user to establish an Internet connection via their Internet Service Provider (ISP) or broadband service. Step 2: Attempt to Access Remote, Private Network The second step is to access the remote private network (i.e. network protected by the firewall) Step 3: Initiate Secure Connection to Remote VPN Gateway The VPN device (client or gateway) automatically initiates the secure connection to the private network. Step 4: Authenticate Connection The fourth step is to check the authentication of the user. If the user is not known, the connection is terminated. If the user is known, the user proceeds to step 5. Step 5: VPN Tunnel is Complete The user is now connected to the protected network and can now access company resources such as email or databases. Database
VPN 採用的相關技術 將開放的網路 (Internet) 模擬為私人的網路使用,主要藉由下列技術: Authentication 身份辨識技術:CHAP、RAP Encryption 資料加密技術:DES、RAS Tunneling 建立通道技術: PPTP、L2TP、IPSec
VPN 示意圖
VPN 的種類 遠端存取 VPN (Remote Access Scenario) Intranet VPN (分公司連線) Extranet VPN (企業合作伙伴/供應商網路連線)
VPN 實際運作 56KBps 撥接用戶 ADSL, Cable 寬頻 T1-T3 高速專線 總公司 LAN Mobile Users 遠端撥接用戶 總公司 LAN 56KBps 撥接用戶 安裝 VPN Client Software VPN Gateway Mobile Users 總公司 LAN ADSL, Cable 寬頻 小型 VPN Gateway VPN Gateway 遠地分公司; 工廠 LAN VPN allows traveling employees to securely access the corporate LAN. As viewed in the first illustration, the man on the beach can use his cell phone to dial-up though a local ISP and connect to the corporate LAN. With VPN Client installed on his laptop, this employee is able to access information and get a tan at the same time. The most common use for VPN is referred to as Box to Box VPN. The second and third illustrations depict this. In the second illustration, an at home employee with broadband Internet access is securely connecting to the corporate LAN. This employee is able to access information and resources as if he was at work. Furthermore, the firewall is protecting him from any hackers or vandals on the Internet. The third illustration depicts a branch office with broadband access connecting to the corporate LAN via the VPN device. Every desktop and laptop behind the device is able to securely access the resources on the corporate network. Not only are companies able to affordably communicate and share resources, the firewalls are securing the entire network from hackers and vandals on the Internet. 總公司 LAN T1-T3 高速專線 VPN Gateway VPN Gateway 商業伙伴或供應商內部網路
遠端存取 VPN 在遠端存取VPN 中,使用者撥號進入 ISP 的連接點,透過 ISP 的網路或 Internet 建立一條通道連回總公司,並通過身份認證存取企業網路 安裝 VPN Client Software Digital VPN設備 Internet VPN通道
Intranet VPN 透過 Internet 來連結企業散佈各處之據點可為企業節省 WAN 成本,屬於Site 對 Site 的連線方式。 VPN通道 VPN設備 分公司 Internet
Extranet VPN 基本上也是Extranet 的一種,但所建立的通道通常是不屬於同一線路公司,與 Extranet 最主要差別為安全性。 Internet 商業伙伴或供應商內部網路
VPN Tunneling 通道建立技術 PPTP ( Point to Point Tunneling Protocol ) 由 Microsoft 制定 L2TP ( Layer 2 Tunneling Protocol ) 由 Cisco 制定 IPSec ( Internet Protocol Security ) 由 IETF (網際網路工程任務小組) 制定
虛擬私人網路 (VPN) VPN 基本原理 PPTP ( Point-to-Point Tunneling Protocol ) PPTP的實作 ( Client to Site ) CHAP 認證方式 MPPE 認證方式 L2TP ( Layer 2 Tunnel Protocol ) IPSec ( IP Security )
PPTP Point-to-Ponit Tunneling Protocol Layer 2 的協定 PPP ( Point to Point ) 的延伸 可封裝LAN 的協定,如IP, IPX, NetBeui …… 利用IP network 傳輸資料 使用MPPE ( Microsoft Point to Point Encryption )進行資料加密
PPTP的運作原理 資料由第三層送至第二層的PPTP Driver加密 由第二層的PPTP Driver回送至第三層重新封裝 定址後依正常程序送至第一層傳輸
PPTP的驗證及加密 PPTP的使用者驗證方式採用PPP的驗證方式 PPTP使用MPPE進行資料的加密 PAP, SPAP, CHAP, MS-CHAP V1, V2, and EAP PPTP使用MPPE進行資料的加密 只有採用MS-CHAP V1 or 2 or EAP-TLS的驗證方式才能用MPPE進行資料加密
PPTP的運用 單一使用者對遠端網路的資料存取,適用於 Win98/XP/NT4/2000 Client
PPTP的運用 網路對網路的資料存取
PPTP 的實作(CHAP ) Internet 總公司(台北) 192.168.0.0/24 PPTP Server 203.77.21.10 192.168.0.254 DB Server 192.168.0.3 Mobile User (高雄) 撥號 Internet 總公司(台北) 192.168.0.0/24
PPTP 的實作(CHAP ) 測試環境:RedHat 7.3 安裝相關套件 利用 rpm –Uvh 安裝 ppp-2.4. *.rpm http://www.spenneberg.org/VPN/ pptpd-1.1.3-2.i386.rpm 利用 rpm –Uvh 安裝
PPTP 的實作(CHAP ) /etc/ppp/options debug name servername auth require-chap /etc/pptpd.conf speed 115200 localip 192.168.0.254 remoteip 192.168.0.11-20 /etc/ppp/chap-secrets alex servername password * service pptpd start
PPTP 的實作(CHAP )
PPTP 的實作(CHAP )
虛擬私人網路 (VPN) L2TP的運作方式 L2TP的驗證及加密 L2TP的運用 VPN 基本原理 PPTP ( Point-to-Point Tunneling Protocol ) L2TP ( Layer 2 Tunneling Protocol ) L2TP的運作方式 L2TP的驗證及加密 L2TP的運用 IPSec ( IP Security )
L2TP Layer 2 Tunneling Protocol 第二層的協定 可封裝LAN 的協定,如IP, IPX, NetBeui …… 可利用IP, X.25, ATM, Frame Relay傳輸資料 使用IPSec進行資料加密
L2TP的運作原理 資料由第三層送至 第二層的 L2TP Driver封裝 由第二層的 L2TP Driver回送至第三層經由IPSec加密並定址 定址後依正常程序送至第一層傳輸
L2TP驗證及加密 L2TP的驗證方式分為二階段,電腦驗證及使用者驗證 L2TP使用IPSec來進行資料的加密 電腦的驗證是採certificate base,當IPSec進行SA的建立同時完成 使用者的驗證方式採用PPP的驗證 EAP, MS-CHAP V1, V2, CHAP, SPAP, and PAP L2TP使用IPSec來進行資料的加密 DES with a 56-bit key Triple DES (3DES)
L2TP運用 單一使用者對遠端網路的資料存取,適用於W2K Client
L2TP運用 網路對網路的資料存取
Q&A