Virtual Private Networks (VPNs) and Data Privacy
20-hour live training seminar on the Internet
Register online and get a free book!
Overview

Learn to analyze and implement IPsec, PPP, PPTP, L2F, L2TP, RSVP, and DiffServ. This course is designed to demystify the "virtual" in Virtual Private Networks: VPNs are not simulations, and they are not mysterious, even though some vendors may have you think so. The course dispels the myths surrounding the VPN "cloud" so that you understand the ins and outs of VPN implementation. It explains in detail how cryptography, IPsec, tunneling and encapsulation protocols, and QoS functions are used to meet the security and performance demands of today's internetworking community. You will learn the why, what, where, and how of IPsec-based VPNs, exploring the need for securing communications and the underlying details involved in designing, implementing, and maintaining a VPN.

What You'll Learn:
- To defend against threats to secure communications
- The concept of "being there logically, but not physically"
- Motivators for having a VPN: cost, security, and QoS
- The process of message encryption and decryption
- About PKI objectives, features, contenders, elements, and trust models
- Three common secure communications architectures
- What IPsec is and its current and future role
- The difference between an SAD and an SPD
- To describe the functions, payloads, attributes, phases, and exchanges of the IPsec Key Management Protocol (KMP)
- The history, handshake, packet types and formats, AVPs, security procedures, relationship with IPsec, and the extensions and modifications of L2TP
- The challenges of finding and correcting faults in secured networks
Anyone who needs to understand how the new IPsec protocols provide security services and how cryptography works to secure communications is a candidate for this seminar. Security professionals, including consultants, analysts, administrators, network engineers, network designers, Webmasters, e-Commerce consultants and developers, communications managers, and IS managers, will all benefit.
Look at this agenda!
1. Secure Communications Threats, Resolutions, and Objectives
   - Communications threats
     - Disclosure or divulgence
     - Destruction or modification
     - Denial of Service (DoS)
   - Resolution to secure communications threats
     - Physical security
     - Host-based security
     - Host-based network security
     - Network-based security
   - Communications security objectives
     - Confidentiality
     - Integrity
     - Authentication
     - Access control
     - Non-repudiation
     - Availability
     - Audit and logging
2. Virtual Private Networks
   - What is a VPN?
     - Networking - a historical view
     - Defining VPNs - private communications over public networks
   - Virtual
     - PPP
     - PPTP
     - L2F
     - L2TP
     - MPLS
     - RSVP and DiffServ
   - Private
     - Confidentiality vs. disclosure
       - Authenticate
       - Authorize
       - Log
     - Integrity vs. destruction
     - Availability vs. denial
   - Network
     - Wires & wireless
       - Copper
       - Fiber
       - Airwaves
     - Architectural designs
       - Branch office
       - Remote user
       - Paranoid designs
   - Why have a VPN?
     - Cost
       - Leased line vs. Internet
     - Security
       - Protection from the Internet
     - Quality of Service
       - Speed over the Internet
   - How to build or acquire a VPN
     - Home brewed
     - Outsourced
     - Hybrid
3. Secure Communications Components - A Cryptography Primer
   - Message transformation - enciphering and deciphering
     - Data manipulation in cryptography
       - Substitutions, permutations, and other "gyrations"
   - Components of cryptography
     - Random values
     - Entropy
     - Keys
     - Pseudo-random number generators or functions
     - How much data to process at a time
       - Block ciphers
       - Stream ciphers
   - Two basic cipher types
     - One-way ciphers - integrity & authentication
       - Checksums, MICs, MACs, and hashing
     - Bi-directional - confidentiality, non-repudiation, and integrity
       - Secret key
       - Public key
       - Hybrids
   - Digital signatures
     - Private key encryption
     - Digest encryption with private key
   - Digital certificates
     - Features and procedures
       - Minimal participation
       - Integrity assurance
       - Potential common trust
       - Support for large participating groups
       - Provision for expiration and revocation
       - Biometric support
       - Certificate authority
   - Implementations of protection
     - Hardware
       - Commonly symmetric
     - Software
       - Commonly asymmetric
     - Combination
       - Authentication and key exchange
       - Crypto processing
   - Automated and manual key aging and revocation
     - Reasons
       - New connections
       - Perfect forward secrecy
       - Recovery - lost or stolen keys
     - Frequencies
       - Session
       - Volume
       - Gap
     - Methods
       - Automated
       - Manual
4. Public Key Infrastructure (PKI)
   - PKI objectives
     - Cost controls
     - Interoperable
     - Uniform
     - Secure
     - Open standards based
   - PKI features
     - Strong authentication
     - Key generation techniques
     - Use of strong ciphers
     - Controlled key distributions
   - PKI elements
     - Certificates
     - Certificate authorities
     - Registration authorities
     - Certificate repository
     - Certificate revocation
     - Certificate backup and recovery
     - Automatic certificate update
     - Maintaining certificate history
     - Certificate cross certification
     - Non-repudiation
     - Certificate time stamping
     - Client software
   - PKI trust models
     - Hierarchy
     - Distributed
     - Mesh
     - Hub-and-spoke
     - Web
     - User centric
   - PKI contenders
     - Numerous contenders
       - PKI
       - PKCS
       - PGP
       - S/WAN
       - SPKI
       - SDSI
       - X9.17
5. Secure Communications Architectures
   - Risk assessment, policy, and architecture
     - Basic security analysis
       - How valuable - asset evaluation
       - Who is the enemy - risk analysis
       - Willingness to protect - commitment
     - Risk assessment and policy
     - Policy and architecture
   - Packet protection levels
     - Unencrypted
     - Payload encryption
     - Transport encryption
     - Tunnel encryption
     - Link level encryption
   - Protection services implementation locations
     - Application
     - Interprocess
       - Between the application and transport
       - Between the internetwork and the network
     - Protocol
     - Network
   - Order of process
     - Encryption
     - Compression
   - Secure communications architectures
     - Host-to-host
     - Gateway-to-gateway
     - Host-to-gateway
     - Tying it all together
   - Communications security & quality negotiations
     - Voluntary - client initiated
     - Compulsory - proxy / NAS initiated
   - Direct versus indirect
     - Direct (point-to-point)
     - Indirect (routed)
   - Inline or parallel
     - Inline
     - Parallel
6. Internet Protocol Security (IPsec)
   - What is IPsec?
     - When can it be used?
   - Security Associations (SA)
     - Simplex connection
     - Triple
   - Security databases
     - Security Association Database (SAD)
       - Functions
       - Entries
     - Security Policy Database (SPD)
       - Functions
       - Entries
   - IPsec modes of operation
     - Transport
     - Tunnel
   - IPsec security services
     - Authentication Header (AH)
       - Function
       - Datagram formats
     - Encapsulation Security Payload (ESP)
       - Function
       - Datagram formats
     - Key Management Protocol (KMP)
       - Function
       - Key exchange methods and protocols
   - Internet Key Exchange (IKE)
     - Hybrid of three protocols
       - ISAKMP
       - Oakley
       - SKEME
     - Exchange phases
       - Phase 1
       - Phase 2
     - Exchange modes
       - Main
       - Aggressive
       - Quick
       - New group
     - Authentication methods
       - Digital signatures
       - Pre-shared secrets
       - Public key encryption
         - Standard
         - Revised
       - DH and Oakley groups
     - Configuration methods
       - Manual
       - Mode configuration
       - DHCP mode configuration
         - DHCP relay
         - DHCP server
         - Remote node
     - Configuration exchanges
       - DHCP discover
       - DHCP offer
       - DHCP request
       - DHCP ACK / NAK
   - Alternate key exchange methods
     - Simple Key Interchange Protocol (SKIP)
     - Photuris
7. The Virtual of VPNs
   - Serial Line Interface Protocol (SLIP)
     - History
     - Components
   - Point-to-Point Protocol (PPP)
     - History
     - Handshake
     - PDU formats
   - Point-to-Point Tunneling Protocol (PPTP)
     - History
     - Handshake
     - PDU formats
   - Layer 2 Forwarding (L2F)
     - History
     - Handshake
     - PDU formats
   - Layer 2 Tunneling Protocol (L2TP)
     - History and overview
       - Peers
       - Tunnels
       - Control connections
       - Control channel
       - Calls
       - State machines
       - Frame Relay and ATM
     - Handshake
       - Initial control connection
       - Call detection and session start
       - Call disconnect and session teardown
     - Packet types
       - Control connection management
       - Call management
       - Error reporting
       - PPP session control
     - Attribute Value Pairs (AVPs)
       - Control messages
       - Control connection management
       - Call management
       - LCP negotiation and authentication
       - Call status
     - PDU formats
       - AVP common coding format
       - Control message format
       - Payload message format
     - Security procedures
       - End-point authentication
       - Packet encryption, authentication, and integrity
     - L2TP and IPsec
       - PPP filtering
     - Modifications and extensions
       - Extensions AVP
       - Proxy LCP
       - LCP information
       - MPLS
   - Multiprotocol Label Switching (MPLS)
     - History and overview
     - Elements
       - Ingress node
       - Egress node
       - LSR
       - LSP
       - LIB
       - FEC
       - LDP
       - LSH
       - NHLFE
     - Applications
       - IP routing control
       - Multicast IP routing
       - VPN routing
       - Traffic engineering
       - Quality of Service (QoS)
     - Operations
       - MPLS setup and maintenance
       - Packet entry
       - Network hopping
       - Packet exit
     - Packet / label formats
       - Ethernet
       - Frame Relay
       - SONET / SDH
       - ATM via PVC
       - ATM label switched
   - Resource Reservation Protocol (RSVP), Differentiated Services (DiffServ), and IETF Integrated Services (IntServ)
     - Best effort vs. QoS-based routing
     - Extending the routing paradigm
       - Integrated services
       - Route shifting
       - Alternate routing
     - Integrated services (IntServ)
       - RSVP (per flow orientation)
       - DiffServ (class or aggregated flows)
8. Managing and Maintaining Secured Communications
   - Principles of maintaining and managing secured communications
     - Fault
     - Configuration
     - Accounting
     - Performance
     - Security
   - Finding and correcting faults
     - Areas with cleartext
       - Gateway-to-gateway and end-to-gateway
     - Areas with ciphertext only
       - End-to-end
   - Initial and ongoing configuration
     - Multiple and geographically disparate locations
     - Centralizing operations
     - Negotiating SLAs
       - SLA types
       - SLA challenges
       - Monitoring SLAs
       - Evaluating claims
     - Periodic reviews and assessments
       - Cryptographic tools
       - Cryptographic operators & operations
   - Accounting
     - Dynamic addresses
       - RARP / BOOTP
       - DHCP
     - Translated and hidden addresses
       - NAT
       - DDNS
   - Performance
     - Network baseline
       - Peaks and valleys
       - Protocol and application distributions
       - Growth percentages
     - Balancing issues
       - Security vs. user convenience
       - Hardware vs. software
       - Key sizes
       - Key aging
       - Message sizes
       - Routing information
   - Security
     - Basic threats
       - Human
       - Keys
       - Ciphers
       - Complexity
     - Cryptanalytic attacks
       - Rubber hose
       - Chosen plaintext
       - Known plaintext
       - Ciphertext only
     - Lifetimes, sensitivity, randomness, and volumes
       - Shelf life
       - Latency
       - Aging
       - Randomness and entropy
       - Import and export
       - Sensitivity
       - Volumes
     - Managing keys
       - Generate good keys
       - Exchange securely
       - Prepare to replace
       - Secrets remain secret
       - Randomness is essential
       - Computers don't randomize
       - Keep key re-usage to a minimum
     - Migration of problems
       - Physical
       - Logical addressing
       - Application problems
       - User problems
       - Stretching the limits
9. Future Directions
   - Integration of security and network management systems
     - Centralized
     - Policy-based
   - Management Information Bases (MIBs)
     - What is a MIB?
     - Newly arriving MIBs
   - New and emerging / merging tools