Presentation Transcript
An Introduction to VPN Technology: QTS Ongoing Education Series
Check Point Facts:
History
Founded June 1993
IPO June 1996
Strong growth in revenues and profits
Global market leadership
62% VPN market share (Datamonitor, 2001)
42% firewall market share (#1 Position - IDC, 2000)
De-facto standard for Internet security
Strong business model
Technology innovation and leadership
Technology partnerships
Strong and diversified channel partnerships
Check Point’s Solid Foundation:
Financial Strength
Last 12 Months
Revenues of $543M
Profit of $313M
Strong Balance Sheet
Market Leadership
220,000+ Installations
100,000+ VPN Gateways
83 Million+ VPN Clients
81,000+ Customers
1,500+ Channel Partners
300+ OPSEC Partners
Platform Choice - Open:
Dedicated Appliances (Check Point pioneered the market)
Entry Level: Easy set up
Enterprise Class: Network Grade
Data Center & ISPs: High Performance / Carrier Class
Future Platforms
Consumer & Small Business: Cable & DSL
Wireless: GPRS, 2.5G-3G Infrastructure
Multi-Subscriber: Service Providers Network Services
Open Systems
Attractive Price/Performance
Wide Variety of Platforms
60-80% of the Market
Flexibility
OPSEC Partners:
Open framework for security integration - “The Security OS”
Over 270 partners
Breadth of solutions
Choice
Certification
www.OPSEC.com
Voted #1 Partner Alliance Program
The Open Platform for Security
Enhanced Management Capabilities:
SecureUpdate for OPSEC Partners
Central management of software install for OPSEC applications
OPSEC Application monitoring
Central monitoring of OPSEC applications alongside Check Point products
Open Management repository
Import/Export objects from management database
Agenda:
What is a Virtual Private Network (VPN)?
VPN deployment situations
Why use VPNs?
Types of VPN protocols
IPSec VPNs
Components
A sample session
Deployment questions
What is a VPN?:
A VPN is a private connection over an open network
A VPN includes authentication and encryption to protect data integrity and confidentiality
[Diagram: two Acme Corp sites connected across the Internet]
Types of VPNs:
Remote Access VPN
Provides access to internal corporate network over the Internet
Reduces long distance, modem bank, and technical support costs
[Diagram: remote user reaching the corporate site over the Internet]
Types of VPNs:
Site-to-Site VPN
Connects multiple offices over Internet
Reduces dependencies on frame relay and leased lines
[Diagram: branch office connected to the corporate site over the Internet]
Types of VPNs:
Extranet VPN
Provides business partners access to critical information (leads, sales tools, etc)
Reduces transaction and operational costs
[Diagram: corporate site connected to Partner #1 and Partner #2 over the Internet]
Types of VPNs:
Client/Server VPN
Protects sensitive internal communications
Most attacks originate within an organization
[Diagram: LAN clients and a database server holding sensitive data on the internal network, with the Internet outside]
Alternate Technologies:
Site-to-site/extranets
Frame relay, leased lines
Remote access
Dial up modem banks
Why Use Virtual Private Networks?:
More flexibility
Leverage ISP point of presence
Use multiple connection types (cable, DSL, T1, T3)
Why Use Virtual Private Networks?:
More scalability
Add new sites, users quickly
Scale bandwidth to meet demand
Why Use Virtual Private Networks?:
Lower costs
Reduced frame relay/leased line costs
Reduced long distance
Reduced equipment costs (modem banks, CSU/DSUs)
Reduced technical support
VPN-1 Return on Investment:
Case History: Professional Services Company
5 branch offices, 1 large corporate office, 200 remote access users
Payback: 1.04 months
Annual Savings: 88%
VPN ROI Calculator:
Tool URL: http://www.checkpoint.com/products/vpn1/roi_calculators/index.html
Components of a VPN:
Encryption
Message authentication
Entity authentication
Key management
Point-to-Point Tunneling Protocol:
Layer 2 remote access VPN distributed with Windows product family
Addition to Point-to-Point Protocol (PPP)
Allows multiple Layer 3 Protocols
Uses proprietary authentication and encryption
Limited user management and scalability
Known security vulnerabilities
[Diagram: remote PPTP client -> ISP remote access switch -> PPTP RAS server -> corporate network]
Layer 2 Tunneling Protocol (L2TP):
Layer 2 remote access VPN protocol
Combines and extends PPTP and L2F (Cisco supported protocol)
Weak authentication and encryption
Does not include packet authentication, data integrity, or key management
Must be combined with IPSec for enterprise-level security
[Diagram: remote L2TP client -> ISP L2TP concentrator -> L2TP server -> corporate network]
Internet Protocol Security (IPSec):
Layer 3 protocol for remote access, intranet, and extranet VPNs
Internet standard for VPNs
Provides flexible encryption and message authentication/integrity
Includes key management
Components of an IPSec VPN:
Encryption: DES, 3DES, and more
Message Authentication: HMAC-MD5, HMAC-SHA-1, or others
Entity Authentication: Digital Certificates, Shared Secrets, Hybrid Mode IKE
Key Management: Internet Key Exchange (IKE), Public Key Infrastructure (PKI)
All managed by security associations (SAs)
Security Associations:
An agreement between two parties about:
Authentication and encryption algorithms
Key exchange mechanisms
And other rules for secure communications
Security associations are negotiated at least once per session – possibly more often for additional security
Encryption Explained:
Used to convert data to a secret code for transmission over an untrusted network
[Diagram: clear text “The cow jumped over the moon” -> encryption algorithm -> encrypted text “4hsd4e3mjvd3sda1d38esdf2w4d”]
Symmetric Encryption:
Same key used to encrypt and decrypt message
Faster than asymmetric encryption
Used by IPSec to encrypt actual message data
Examples: DES, 3DES, RC5, Rijndael
[Diagram: one shared secret key used by both parties]
Asymmetric Encryption:
Different keys used to encrypt and decrypt message (one public, one private)
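The components table, the security-association slide and the symmetric-encryption slide above describe what an IPSec SA agrees on: a symmetric cipher (Rijndael/AES) for the message data and HMAC-SHA-1 for message authentication. The Go program below is an added example written for this page, not Check Point code or material from the original deck: a deliberately simplified SA (no SPI, lifetimes or sequence numbers) protects a payload the way ESP does, encrypt first and then authenticate, and on receipt checks the tag before decrypting so a modified or forged packet is dropped. The key values and payload are constructed for the example; the real keys would come from IKE.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"errors"
)

// SA is a simplified security association: the algorithms and keys the two peers
// agreed on (via IKE). Real IPsec SAs also carry an SPI, lifetimes and sequence numbers.
type SA struct {
	enc     cipher.Block // AES (Rijndael) block cipher: confidentiality
	authKey []byte       // HMAC-SHA-1 key: message authentication and integrity
}

func NewSA(encKey, authKey []byte) (SA, error) {
	block, err := aes.NewCipher(encKey) // 16-, 24- or 32-byte key
	return SA{enc: block, authKey: authKey}, err
}

// Protect: AES-CTR under a fresh random IV, then HMAC-SHA-1 over IV||ciphertext (encrypt-then-MAC, as ESP does).
func (sa SA) Protect(payload []byte) ([]byte, error) {
	pkt := make([]byte, aes.BlockSize+len(payload))
	if _, err := rand.Read(pkt[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(sa.enc, pkt[:aes.BlockSize]).XORKeyStream(pkt[aes.BlockSize:], payload)
	mac := hmac.New(sha1.New, sa.authKey)
	mac.Write(pkt)
	return mac.Sum(pkt), nil // appends the 20-byte tag to IV||ciphertext
}

// Unprotect checks the tag in constant time before decrypting, so a modified, truncated or forged packet is dropped.
func (sa SA) Unprotect(pkt []byte) ([]byte, error) {
	if len(pkt) < aes.BlockSize+sha1.Size {
		return nil, errors.New("malformed packet")
	}
	body, tag := pkt[:len(pkt)-sha1.Size], pkt[len(pkt)-sha1.Size:]
	mac := hmac.New(sha1.New, sa.authKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("authentication failed: packet dropped")
	}
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(sa.enc, body[:aes.BlockSize]).XORKeyStream(pt, body[aes.BlockSize:])
	return pt, nil
}
```

Two gateways holding the same SA can read each other's packets; a third party that lacks the authentication key cannot forge one, and a single flipped ciphertext bit is rejected before any decryption takes place.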
Provides non-repudiation of message or message integrity
Examples include RSA, DSA, SHA-1, MD-5
[Diagram: Bob encrypts with Alice’s public key; Alice decrypts with Alice’s private key]
Key Management:
Shared Secret
Simplest method; does not scale
Two sites share key out-of-band (over telephone, mail, etc)
Public Key Infrastructure
Provides method of issuing and managing public/private keys for large deployments
Internet Key Exchange
Automates the exchange of keys for scalability and efficiency
What are Keys?:
An Encryption Key is:
A series of numbers and letters used in conjunction with an encryption algorithm to turn plain text into encrypted text and back into plain text
The longer the key, the stronger the encryption
What is Key Management?:
A mechanism for distributing keys either manually or automatically
Includes:
Key generation
Certification
Distribution
Revocation
Internet Key Exchange (IKE):
Automates the exchange of security associations and keys between two VPN sites
IKE provides:
Automation and scalability
Improved security
Encryption keys can be changed frequently
Hybrid IKE
Proposed standard designed by Check Point
Allows use of existing authentication methods
Different Types of VPN/Firewall Topologies:
VPN device is vulnerable to attack, e.g. denial of service
Two connections to the firewall for every communication request
Bypasses security policy
Denial of service
Protecting Remote Access VPNs:
The Problem:
Remote access VPN clients can be “hijacked”
Allows attackers into internal network
The Solution:
Centrally managed personal firewall on VPN clients
[Diagram: attacker on the Internet reaching a remote VPN client connected over cable or xDSL]
Summary:
Virtual Private Networks have become mission-critical applications
IPSec is the leading protocol for creating enterprise VPNs
Provides encryption, authentication, and data integrity
Organizations should look for:
Integrated firewalls and VPNs
Centralized management of VPN client security
A method to provide VPN QoS