Building Enterprise VPNs PSINet Korea Elca Ryu (Elca@kr.psi.net)
Agenda
VPN Taxonomy
VPN Protocols (Layer 2 / Layer 3)
VPN Services
Tunneling Protocols
IPSec Protocol
MPLS VPN

VPN Taxonomy
[Diagram: VPNs are divided into DIAL and DEDICATED. Dial side: Client Initiated, NAS, IP Tunnel, Virtual Circuit, VPN Aware Networks. Dedicated side: Security Appliance, Router, FR, ATM, Virtual Circuit, VPN Aware Networks.]
VPN Services
Three considerations for a VPN:
Encryption: encrypt the data carried over the public network.
Authentication: verify the identity of the designated communicating users.
Integrity: data must not be altered or substituted while in transit.
Others: scalability, interoperability, manageability.

DIAL = Remote Access VPNs
Ci-VPN = Voluntary Tunneling (client initiated)
Ni-VPN = Compulsory Tunneling (NAS initiated)

Tunneling Protocols
A technique that protects the content of data carried between source and destination from other users of the public network by encrypting it.
Layer 2 protocols: form the tunnel at the MAC layer and carry the data through it (L2F, PPTP, L2TP).
Layer 3 protocols: tunneling performed at the IP layer; supports the IP protocol only (IPSec, AMTP, VTP).

Tunneling Protocols: Feature Comparison
L2TP Operations
[Diagram components: Mobile Users and Telecommuters, POP, LAC, SP Network/Internet, LNS, NAT, Security Server (RADIUS), Corporate Intranet.]
1. User Identification
2. Tunnel to LNS (Home Gateway)
3. User Authentication
4. PPP Negotiation with User (IP Allocation)
5. End-to-End Tunnel Established
LAC (L2TP Access Concentrator), LNS (L2TP Network Server)

PPTP Operations
[Diagram components: Mobile Users and Telecommuters, POP, NAS, PAC, SP Network/Internet, PNS (NT Server), NAT, Security Server (RADIUS), Corporate Intranet.]
1. User Identification
2. PPP User Authentication (IP Allocation)
3. PPTP Client S/W
4. PPTP User Authentication (IP Allocation)
5. Tunnel to PNS (Home Gateway)
6. End-to-End Tunnel Established
NAS (Network Access Server), PAC (PPTP Access Concentrator), PNS (PPTP Network Server), NAT (Network Address Translation)

IPSec Operations (PSINet Case)
[Diagram components: Mobile Users and Telecommuters, POP, NAS, Security Server (RADIUS), L/L, SP Network/Internet, NAT, VPNet VSU-1100, CyberGuard Firewall, Intranet Server, Corporate Intranet.]
1. User Identification
2. PPP User Authentication (IP Allocation)
3. IPSec Client S/W (VPNremote)
4. IPSec User Authentication (IP Allocation)
5. Tunnel to VSU (IPSec Function)
6. End-to-End Tunnel Established
VSU (VPNware Service Unit)
IPSec Operations (Function): VSU Configurations with CA
VPN configuration: the VSU cannot be accessed from anywhere other than VPNmanager.
Packets from outside the PSINet backbone VPN network are blocked. (* For VPN customers that are also connected to other ISPs, some network blocks are opened.)
The VSU-1100 performs the actual VPN processing: it terminates the IP tunnel and provides encryption, authentication, integrity and hardware compression.
The leased line for the VPN is provisioned separately from the existing leased lines.
[Diagram labels: Catalyst 203.235.126.254/24, 203.235.126.110/24; CyberGuard Firewall; VPNmanager (Dial, L/L) 203.235.124.254/24; 3Com 100M Hub; VSU-1100 203.235.124.248, 250, 251; 203.235.124.253/24; Log Server; VPN Router (C7000) 203.235.124.249; 203.235.124.252/24; VPN Customers.]

DEDICATED = LAN-to-LAN VPNs
[Diagram: ABC Corp. HQ, ABC Corp. Branch and XYZ Corp. each attach through an Existing Access Router (T1 and T3 links) to the Service Provider Network and the Internet; VSU-1200, VSU-1010 and VSU-10 are the security appliances at the sites, with Enterprise Applications behind them. IPSec tunnels run between the VSUs, whose configuration is managed from VPNmanager; a SYSLOG Server collects logs.]

Generic Route Encapsulation (GRE)
[Diagram: a GRE Tunnel across an IP Network.]
Encapsulation layers: the Passenger Protocol (the network packet being carried) is wrapped in the Carrier Protocol (GRE), which is in turn wrapped in the Transport Protocol (IP).
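The three layers named on the slide, as an added Python example that is not part of the original presentation: it builds an IPv4-over-GRE packet (transport IP, carrier GRE with RFC 2890 key and sequence fields, passenger IPv4) and then parses it back layer by layer, verifying the header checksums on the way. All addresses, the key 1234 and the zero-filled 8-byte passenger payload are constructed sample values.

```python
import socket
import struct

GRE_FLAG_CHECKSUM = 0x8000   # C bit (RFC 2784)
GRE_FLAG_KEY = 0x2000        # K bit (RFC 2890)
GRE_FLAG_SEQ = 0x1000        # S bit (RFC 2890)
ETHERTYPE_IPV4 = 0x0800      # GRE Protocol Type for an IPv4 passenger
IPPROTO_GRE = 47
IPPROTO_TCP = 6


def inet_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words (used by IPv4 and GRE)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def gre_encapsulate(passenger, transport_src, transport_dst, key=None, seq=None):
    """Transport (outer IP) + carrier (GRE) + passenger (inner IP datagram)."""
    flags, optional = 0, b""
    if key is not None:                  # RFC 2890 field order: checksum, key, sequence
        flags |= GRE_FLAG_KEY
        optional += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_SEQ
        optional += struct.pack("!I", seq)
    gre = struct.pack("!HH", flags, ETHERTYPE_IPV4) + optional + passenger
    return ipv4_header(transport_src, transport_dst, IPPROTO_GRE, len(gre)) + gre


def parse_ipv4(data):
    """Return (header fields, payload) for an IPv4 datagram, checking the checksum."""
    ihl = (data[0] & 0x0F) * 4
    if data[0] >> 4 != 4 or ihl < 20 or inet_checksum(data[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", data[2:4])[0]
    fields = {"src": socket.inet_ntoa(data[12:16]),
              "dst": socket.inet_ntoa(data[16:20]), "proto": data[9]}
    return fields, data[ihl:total_len]


def parse_gre_packet(packet):
    """Peel the three layers and report what each one exposes to an observer."""
    transport, gre = parse_ipv4(packet)
    if transport["proto"] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    flags, proto_type = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:                   # low 3 bits are the version; must be 0
        raise ValueError("unsupported GRE version")
    info = {"transport": transport, "carrier": {"protocol_type": proto_type}}
    off = 4
    if flags & GRE_FLAG_CHECKSUM:
        if inet_checksum(gre) != 0:      # GRE checksum covers header and payload
            raise ValueError("bad GRE checksum")
        off += 4                         # Checksum + Reserved1
    if flags & GRE_FLAG_KEY:
        info["carrier"]["key"] = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_SEQ:
        info["carrier"]["seq"] = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if proto_type == ETHERTYPE_IPV4:
        # GRE adds no confidentiality: the passenger header is readable in the clear.
        info["passenger"] = parse_ipv4(gre[off:])[0]
    return info


# Constructed sample: a private-address passenger packet carried between two
# tunnel endpoints (documentation addresses), GRE key 1234, sequence 7.
PASSENGER = ipv4_header("10.1.1.5", "10.2.2.9", IPPROTO_TCP, 8) + bytes(8)
SAMPLE = gre_encapsulate(PASSENGER, "198.51.100.1", "203.0.113.1", key=1234, seq=7)

if __name__ == "__main__":
    for layer, fields in parse_gre_packet(SAMPLE).items():
        print(layer, fields)
```

The parser deliberately returns the passenger addresses: GRE provides encapsulation only, which is why the slides pair it with IPSec for confidentiality rather than treating it as a security protocol on its own.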
IPSec and SSL
The TCP/IP network protocol itself has no provision for security!
Rather than applying a security protocol to each application system separately, the problem is solved if security is guaranteed at the IP layer. Hence IPSec appeared (with IPv6 also in mind).
SSL (Secure Socket Layer; Layer 4) is the general-purpose attempt at the same goal (by Netscape).
Where IPSec concentrates on encrypting IP datagrams, i.e. each individual packet, SSL encrypts a session or channel.
Therefore IPSec is harder to implement but applies to most application systems and even to areas such as IP broadcasting, whereas SSL supports only an established session.

IPSec Protocols and Formats
Headers:
  Authentication Header (AH): integrity, authentication
  Encapsulating Security Payload (ESP): adds confidentiality
Key Exchange:
  ISAKMP/Oakley: negotiates security parameters
  Diffie-Hellman: generates shared secret keys
  SKIP: uses digital certificates
Modes:
  Transport: IP payload only; Layer 4 is obscured; both end systems need IPsec
  Tunnel: entire datagram; no changes to intermediate systems
Encryption: DES, 3DES, RC4, IDEA ...

IPSec Functions and Characteristics
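The ESP framing and the transport/tunnel distinction from the table, as an added Python example that is not part of the original slides. It frames ESP packets per RFC 4303 with the NULL encryption algorithm (RFC 2410) and an HMAC-SHA-256-128 integrity check value, enforces the anti-replay window on receipt, and shows which header fields remain visible on the path in each mode. ENCR_NULL is used only so the block runs with the standard library; it encrypts nothing, so the confidentiality the slide attributes to ESP needs a real cipher suite. The SPI, key, addresses and the TCP-like segment are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP = 4    # ESP Next Header for a whole IPv4 datagram (tunnel mode)
IPPROTO_TCP = 6     # ESP Next Header for a bare TCP segment (transport mode)
IPPROTO_ESP = 50
ICV_LEN = 16        # AUTH_HMAC_SHA2_256_128: HMAC-SHA-256 tag truncated to 128 bits
REPLAY_WINDOW = 64  # RFC 4303 minimum anti-replay window


def esp_protect(payload, next_header, sa, seq):
    """Frame one ESP packet (RFC 4303) using ENCR_NULL (RFC 2410) plus an HMAC ICV.
    ENCR_NULL has no IV and encrypts nothing, so only framing, integrity and
    anti-replay are real here; a deployed SA would use a cipher such as AES-GCM."""
    pad_len = (-(len(payload) + 2)) % 4       # Pad Length + Next Header end 4-byte aligned
    padding = bytes(range(1, pad_len + 1))    # default pad pattern 1, 2, 3 ...
    body = (struct.pack("!II", sa["spi"], seq) + payload + padding
            + bytes([pad_len, next_header]))
    icv = hmac.new(sa["auth_key"], body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def esp_verify(packet, sa):
    """Check SPI, ICV and the anti-replay window, then strip the ESP trailer.
    Returns (next_header, payload); raises ValueError on any failure and
    records accepted sequence numbers in the SA dict."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa["auth_key"], body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet forged or corrupted")
    spi, seq = struct.unpack("!II", body[:8])
    if spi != sa["spi"]:
        raise ValueError("SPI does not belong to this SA")
    if seq in sa["seen"] or seq <= sa["highest"] - REPLAY_WINDOW:
        raise ValueError("replayed or stale sequence number %d" % seq)
    sa["seen"].add(seq)
    sa["highest"] = max(sa["highest"], seq)
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[8:len(body) - 2 - pad_len]


def transport_mode(ip_src, ip_dst, tcp_segment, sa, seq):
    """Transport mode: ESP wraps only the L4 payload; the original IP header stays
    outside ESP, so the path sees the real endpoints (ports are inside ESP)."""
    esp = esp_protect(tcp_segment, IPPROTO_TCP, sa, seq)
    return {"outer_src": ip_src, "outer_dst": ip_dst, "proto": IPPROTO_ESP, "esp": esp}


def tunnel_mode(gw_src, gw_dst, inner_datagram, sa, seq):
    """Tunnel mode: ESP wraps the entire inner datagram; the outer header names only
    the two gateways, so intermediate systems need no IPsec and see no inner addresses."""
    esp = esp_protect(inner_datagram, IPPROTO_IPIP, sa, seq)
    return {"outer_src": gw_src, "outer_dst": gw_dst, "proto": IPPROTO_ESP, "esp": esp}


def observer_view(pkt):
    """Fields an on-path device can read in any ESP mode (SPI and sequence are never encrypted)."""
    spi, seq = struct.unpack("!II", pkt["esp"][:8])
    return {"src": pkt["outer_src"], "dst": pkt["outer_dst"], "proto": pkt["proto"],
            "spi": spi, "seq": seq}


def ipv4_datagram(src, dst, proto, payload):
    """Constructed inner IPv4 datagram for the sample (header checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst)) + payload


def demo():
    """Run both modes over one constructed SA and collect what each side observes."""
    sa = {"spi": 0x1000, "auth_key": b"constructed-32-byte-auth-key-!!!", "highest": 0, "seen": set()}
    segment = struct.pack("!HH", 40000, 443) + b"GET / HTTP/1.0\r\n"   # constructed TCP-like segment
    inner = ipv4_datagram("10.1.1.5", "10.2.2.9", IPPROTO_TCP, segment)
    t = transport_mode("10.1.1.5", "10.2.2.9", segment, sa, seq=1)
    u = tunnel_mode("198.51.100.1", "203.0.113.1", inner, sa, seq=2)
    out = {"transport_observer": observer_view(t), "tunnel_observer": observer_view(u)}
    out["transport_next_header"], payload_t = esp_verify(t["esp"], sa)
    out["tunnel_next_header"], payload_u = esp_verify(u["esp"], sa)
    out["transport_payload_intact"] = payload_t == segment
    out["tunnel_inner_dst"] = socket.inet_ntoa(payload_u[16:20])
    try:                                   # the same packet a second time must be rejected
        esp_verify(u["esp"], sa)
        out["replay_rejected"] = False
    except ValueError:
        out["replay_rejected"] = True
    forged = bytearray(t["esp"])
    forged[8] ^= 0x01                      # flip one payload bit: the ICV must fail
    try:
        esp_verify(bytes(forged), sa)
        out["tamper_rejected"] = False
    except ValueError:
        out["tamper_rejected"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two mode functions differ only in the Next Header value and in what the outer header carries, which is exactly the table's distinction: transport mode leaves the original endpoints visible, tunnel mode exposes only the gateways and therefore requires nothing of the routers in between.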
MPLS VPN = QoS VPN
Edge Routers attach a label in addition to the IP header and forward the packet to its destination through an LSP tunnel.
[Diagram labels: CPE Routers, Edge Routers, MPLS Network Core, Label Switching Router, LSP Tunnel, IP, EBGP, RIP, OSPF.]
LSP (Label Switched Path): full meshed
LDP (Label Distribution Protocol)
- - - : MP-IBGP (Multiprotocol IBGP)
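The label operation described above, as an added Python example that is not part of the original slides: it packs and parses RFC 3032 label stack entries, pushes a two-label stack at the ingress edge router (transport label on top, VPN label at the bottom), swaps and then pops the transport label at two core label switching routers, and lets the egress edge router map the remaining VPN label to a customer routing table. The label values, the VRF names and the inner-packet stand-in are constructed; the example does no cryptography, which is the point worth noting when comparing this slide with the IPSec ones.

```python
import struct


def encode_label_entry(label, tc=0, bottom=False, ttl=64):
    """Pack one 32-bit MPLS label stack entry (RFC 3032):
    Label (20 bits) | Traffic Class (3 bits) | S bottom-of-stack (1 bit) | TTL (8 bits)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | ((tc & 0x7) << 9) | (int(bottom) << 8) | (ttl & 0xFF))


def decode_label_stack(packet):
    """Return ([(label, tc, bottom, ttl), ...] top-first, payload after the stack)."""
    entries, off = [], 0
    while True:
        if off + 4 > len(packet):
            raise ValueError("truncated label stack")
        word = struct.unpack("!I", packet[off:off + 4])[0]
        entry = (word >> 12, (word >> 9) & 0x7, bool(word & 0x100), word & 0xFF)
        entries.append(entry)
        off += 4
        if entry[2]:                 # S bit set: this was the bottom label
            return entries, packet[off:]


def build_label_stack(labels, ttl=64):
    """Push labels outer-first: labels[0] is the transport label the core switches on,
    labels[-1] is the VPN label that only the egress edge router interprets."""
    return b"".join(encode_label_entry(lbl, bottom=(i == len(labels) - 1), ttl=ttl)
                    for i, lbl in enumerate(labels))


def lsr_forward(packet, lfib):
    """One core LSR hop: act on the top label only, never on the IP header below.
    lfib maps incoming label -> ("swap", outgoing_label) or ("pop", None)."""
    entries, _ = decode_label_stack(packet)
    label, tc, bottom, ttl = entries[0]
    if ttl <= 1:
        raise ValueError("label TTL expired")
    action, out_label = lfib[label]
    rest = packet[4:]
    if action == "swap":
        return encode_label_entry(out_label, tc, bottom, ttl - 1) + rest
    if action == "pop":
        return rest                  # penultimate-hop pop: the egress PE sees the VPN label on top
    raise ValueError("unknown LFIB action %r" % action)


def traverse_lsp():
    """Carry a constructed packet from the ingress PE through two P routers to the egress PE.
    Labels 1001/2002 (transport), 20 (VPN) and the VRF names are constructed values."""
    inner_ip = b"\x45\x00" + b"constructed inner IPv4 datagram"   # stand-in for the customer packet
    vrf_by_vpn_label = {20: "CustomerA", 21: "CustomerB"}        # egress PE label table
    pkt = build_label_stack([1001, 20]) + inner_ip                # ingress PE pushes VPN + transport label
    hops = [[e[0] for e in decode_label_stack(pkt)[0]]]
    pkt = lsr_forward(pkt, {1001: ("swap", 2002)})               # P1 swaps the transport label
    hops.append([e[0] for e in decode_label_stack(pkt)[0]])
    pkt = lsr_forward(pkt, {2002: ("pop", None)})                # P2 (penultimate hop) pops it
    hops.append([e[0] for e in decode_label_stack(pkt)[0]])
    entries, payload = decode_label_stack(pkt)                   # egress PE: VPN label selects the VRF
    return {"hops": hops, "vrf": vrf_by_vpn_label[entries[0][0]], "payload": payload}


if __name__ == "__main__":
    print(traverse_lsp())
```

The labels are carried in the clear and the inner IP packet is untouched, so the separation between customers in an MPLS VPN rests on the provider's forwarding state rather than on encryption; customers who need confidentiality across the provider network still run IPSec over it, as the earlier slides show.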