On 11/05/09 the notice of Renegotiation vulnerabilities within SSL/TLS protocols became public.  The vulnerability allows for injection of arbitrary plain-text allowing for HTTP requests, or impersonate the victim, as well as other consequences.

~Opinion~

While the known possible outcomes of this vulnerability seem similar to many of the run-of-the-mill exploits we’ve seen, the ramifications behind this vulnerability are monumental.

Just the number of vendors, and their products effected by this alone show that there will soon be a revolution.  The affect on everyday lives of so many will undoubtedly negative.

Either a major overhaul of the protocols is necessary, or we are in for a new breed of security focus.  An overhaul is most likely to occur; however, if it doesn’t we will have to be prepared to move into a security stance which covers security in both a pre- and post- environment.

Our previously hardened infrastructure would have to be analyzed, and protected during use.  Protecting our protection if you will.

While all this seems goofy, given the fact that we will most likely just patch and move on, it seems to beckon the time for more intuitive security measures is nearing, or hear.  Security measures that… think.

Packets with guns.  Headers with secret handshakes. Connections that conspire against their own existence.

~/Opinion~

As usual, if you want to hear more information, visit the link below… And I am very interested in hearing comments on this one… Maybe I am just blowing it out of proportion, but it seems big.

Vulnerability Note VU#120541 (New Window)

Częstym problemem występującym w sieciach LAN jest brak szyfrowania ruchu lub zbyt słabe zabezpieczenia dostępne w tanich urządzeniach takich jak np routery. Jednym ze sposobów poradzenia sobie z tym jest zastosowanie sieci VPN którą opisałem w poprzednim wpisie lub wprowadzenie szyfrowania całego ruchu w oparciu o dostępny w Windowsie protokół IPSec. IPsec to zbiór protokołów służących implementacji bezpiecznych połączeń oraz wymiany kluczy szyfrowania pomiędzy komputerami. Protokoły tej grupy mogą być również wykorzystywane do tworzenia Wirtualnej Sieci Prywatnej (ang. VPN). IPsec składa się z dwóch kanałów komunikacyjnych pomiędzy połączonymi komputerami: kanał wymiany kluczy za pośrednictwem którego przekazywane są dane związane z uwierzytelnianiem oraz szyfrowaniem (klucze) oraz kanału (jednego lub więcej), który niesie pakiety transmitowane poprzez sieć prywatną. Kanał wymiany kluczy jest standardowym protokołem UDP (port 500). Kanały przesyłu danych oparte są na protokole ESP (protokół numer 50) opisanym w dokumencie RFC 2406. Więcej do poczytania na wikipedii http://pl.wikipedia.org/wiki/IPsec .

W tym wpisie pokażę jak zainstalować i skonfigurować połączenie oparte o IPSec pomiędzy Windowsem XP i Linuksem Ubuntu 9.04.

Instalacja Ubuntu :
# apt-get update
# apt-get install isakmpd

Jeżeli wszystko pójdzie dobrze to powinniśmy zobaczyć
Konfigurowanie isakmpd (20041012-5) ...
Starting OpenBSD isakmpd: done

Przechodzimy do konfiguracji isakmpd:
# cp /etc/isakmpd/isakmpd.conf /etc/isakmpd/isakmpd.conf.kopia
# echo > /etc/isakmpd/isakmpd.conf
# pico /etc/isakmpd/isakmpd.conf
Do pliku isakmpd.conf wklejamy :
[Phase 1]
Default= any

[any]
Phase= 1
Configuration= Default-main-mode
Authentication= TAJNE-HASLO

[Default-main-mode]
EXCHANGE_TYPE= ID_PROT
Transforms= AES-SHA,3DES-SHA

Następnie :
# cp /etc/isakmpd/isakmpd.policy /etc/isakmpd/isakmpd.policy.kopia
# echo > /etc/isakmpd/isakmpd.policy
# pico /etc/isakmpd/isakmpd.policy
i wklejamy :
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
$OpenBSD: policy,v 1.6 2001/06/20 16:36:19 angelos Exp $
$EOM: policy,v 1.6 2000/10/09 22:08:30 angelos Exp $
Authorizer: "POLICY"
Licensees: "passphrase:TAJNE-HASLO"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";

Na koniec restartujemy tunel :
# /etc/init.d/isakmpd restart

Konfiguracja Windowsa XP :
1. Start > uruchom > mmc
2. Gdy odpali się konsola mmc przechodzimy menu Plik > Dodaj/Usuń przystawkę.. > w zakładce Autonomiczna klikamy na Dodaj > na samym dole listy wybieramy Zarządzanie zasadami zabezpieczeń IP > Komputer lokalny
3. Prawy klik w miejscu gdzie są Zasady > Utwórz zasadę zabezpieczeń IP > nazwa IPSec
4. Dalej > Dalej > W miejscu gdzie jest możliwość wyboru metody autoryzacji wybieramy : Użyj tego ciągu do ochrony wymiany kluczy i wpisujemy tam nasze TAJNE-HASLO > dalej > edytuj właściwości
5. Dodaj > Ta reguła nie określa żadnego tunelu > Sieć LAN > Użyj tego ciągu do ochrony wymiany kluczy i wpisujemy tam nasze TAJNE-HASLO > dalej > w miejscu Listy filtrów IP dajemy DODAJ > DODAJ > Dalej > Mój adres IP > Dowolny adres IP > Dowolny > Zakończ > OK > na koniec zaznaczamy naszą regułę klikając na nią > dalej > zaznaczamy Wymagaj Zabezpieczeń > Zakończ > OK > Zakończ >
6. Na liście zasad klikamy na naszą zasadę IPSec prawym przyciskiem i wybieramy Przypisz

Przykład ruchu przed ustawieniem szyfrowania i po :
Przed ( ping na wp.pl z komputera 192.168.0.104 ) :
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:24:18.810670 IP 192.168.0.104 > www.wp.pl: ICMP echo request, id 512, seq 3328, length 40
15:24:18.810685 IP 192.168.0.104 > www.wp.pl: ICMP echo request, id 512, seq 3328, length 40
15:24:18.833136 IP www.wp.pl > 192.168.0.104: ICMP echo reply, id 512, seq 3328, length 40


Po ( ping na 192.168.0.103 z tego samego komputera ) :
15:43:55.230110 IP 192.168.0.104.500 > 192.168.0.103.500: isakmp: phase 1 I ident
15:43:55.231793 IP 192.168.0.103.500 > 192.168.0.104.500: isakmp: phase 1 R ident
15:43:55.261015 IP 192.168.0.104.500 > 192.168.0.103.500: isakmp: phase 1 I ident
15:43:55.293697 IP 192.168.0.103.500 > 192.168.0.104.500: isakmp: phase 1 R ident
15:43:55.304717 IP 192.168.0.104.500 > 192.168.0.103.500: isakmp: phase 1 I ident[E]
15:43:55.311441 IP 192.168.0.103.500 > 192.168.0.104.500: isakmp: phase 1 R ident[E]
15:43:55.320323 IP 192.168.0.104.500 > 192.168.0.103.500: isakmp: phase 2/others I oakley-quick[E]
15:43:55.321473 IP 192.168.0.103.500 > 192.168.0.104.500: isakmp: phase 2/others R oakley-quick[E]
15:43:55.329405 IP 192.168.0.104 > 192.168.0.103: ESP(spi=0x54ec7b59,seq=0x1), length 76
15:43:55.329431 IP 192.168.0.104.500 > 192.168.0.103.500: isakmp: phase 2/others I oakley-quick[E]
15:43:55.334433 IP 192.168.0.103 > 192.168.0.104: ICMP 192.168.0.103 protocol 50 unreachable, length 104
15:43:56.156008 IP 192.168.0.104 > 192.168.0.103: ESP(spi=0x54ec7b59,seq=0x2), length 76
15:43:56.162215 IP 192.168.0.103 > 192.168.0.104: ESP(spi=0x72c430f4,seq=0x1), length 76
15:43:57.155322 IP 192.168.0.104 > 192.168.0.103: ESP(spi=0x54ec7b59,seq=0x3), length 76
15:43:57.158452 IP 192.168.0.103 > 192.168.0.104: ESP(spi=0x72c430f4,seq=0x2), length 76

I am always updating IPSEC policies. This VBScript update the policy with a port range saving you serious time.

Simply replace the port to port section with the required range (E.G. 600 To 650), and update filterlist and description  sections with the service name, then save as <filename> .vbs, run it, then select permit the new rule on the Filter Action tab.

Set objShell = WScript.CreateObject(“WScript.Shell”)

For intN = port To port
objShell.Run “netsh ipsec static add filter filterlist=”"AllowPNewService”" srcaddr=me dstaddr=any protocol=TCP srcport=”&CStr(intN)&” dstport=0 mirrored=yes description=”"AllowNewService”"”, 1, True
Next

Set objShell = Nothing

Wireshark is the world’s foremost network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions.

Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.

Wireshark has a rich feature set which includes the following:

• Deep inspection of hundreds of protocols, with more being added all the time
• Live capture and offline analysis
• Standard three-pane packet browser
• Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
• Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
• The most powerful display filters in the industry
• Rich VoIP analysis
• Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
• Capture files compressed with gzip can be decompressed on the fly
• Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
• Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
• Coloring rules can be applied to the packet list for quick, intuitive analysis
• Output can be exported to XML, PostScript®, CSV, or plain text

Download

 Windows Installer (32-bit)

 Windows Installer (64-bit)

 Windows U3 (32-bit)

 Windows PortableApps (32-bit)

 OS X 10.5 (Leopard) Intel .dmg

 OS X 10.5 (Leopard) PPC .dmg

 Source Code

The 64-bit Windows installer requires the Microsoft Visual C++ 2008 SP1 Redistributable Package (x64) in order to run.

http://www.wireshark.org/

Hi Sutus users,

I really enjoy working from home. It’s relaxing, comfortable, and I don’t have to commute! However, I always had to remember to bring home a laptop and any files I needed. What if I forget one of them? Worse still, what if the laptop is stolen and my data is lost or compromised? Your BC200 can help you out. It’s not a new feature, but it really is a useful one. I’m talking about a Virtual Private Network, which is a simple way to connect to the office network from anywhere with an Internet connection. It takes just a few steps to set up, too. Open Business Central Manager, and click on Remote Office Access. Follow the instructions to set up either a PPTP or IPsec VPN. I’m going to recommend the ‘Help’ files this time, rather than have you follow my instructions. Just click the ‘Learn More…’ BUTTONS if you’re not sure what is right.

Here are some creative uses for a VPN, some that you may not have heard of:

• connecting to an office file server, so you can work from home.
• sending documents to network printers at the office.
• backing up data remotely, just in case something happens to your home machine or laptop.
• using a work softphone at home – the callers will never know that you’re at home, instead of at your desk. You’re still reachable, but callers don’t ever need to know your home number.
• accessing company web servers for editing web pages or using a business instant messaging application.
• making a proxy connection for Internet traffic – one of our contractors used her BC200 to watch her favourite local TV via Slingshot while she worked overseas!
• deterring traffic snoopers – it is safer to use a VPN when you’re using a hotspot, for example.

So there you have it. It’s not much work to set up, but it really does open up a lot of connectivity possibilities. I’m going to leave it there for this week.

-Dave.

(P.S. – I’m not in my office while I write this!)

The Snow Leopard VPN is not very configurable from the GUI, but behind the scenes it is using a racoon configuration.

To grab the configuration it is generating, configure the VPN in the System Preferences GUI, then rename /usr/sbin/racoon and try connecting. The config file will be written in /var/run/racoon/. Grap a copy of that file and customize it to your needs. Once you have the config file, rename racoon back to its original name.

Then to make the GUI use your custom config file instead of the one it generates, edit /etc/racoon/racoon.conf to include your custom config file and comment out the line:
include "/var/run/racoon/*.conf" ;


By making a few changes I was able to get a successful connection to our Cisco VPN Concentrators.

I’m hoping there is a less hacky way to accomplish this. If you know of one, let me know. Otherwise file a bug with Apple.

IPv6 has security issues.  This is no surprise.  What may be a surprise is that you might be vulnerable even if you haven’t rolled it out to your network.

Many organizations believe that not deploying IPv6 shields them from IPv6 security vulnerabilities. This is far from the truth and a major misconception. The likelihood that rogue IPv6 traffic is running on your network (from the desktop to the core) is increasingly high. For starters, most new operating systems are being shipped with IPv6 enabled by default (a simple TCP/IP configuration check should reveal this).

IPv4 based security appliances and network monitoring tools are not able to inspect nor block IPv6 based traffic. The ability to tunnel IPv6 traffic over an IPv4 network using brokers without natively migrating to IPv6 is a great feature. However, this same feature allows hackers to setup rogue IPv6 tunnels on non-IPv6 aware networks and carry malicious attacks at will. Which begs the question, why are so many users routing data across unknown and non-trusted IPv6 tunnel brokers?

Source: IPv6: Not a Security Panacea, AJ Jaghori, CSO, 21 Sep 2009.

For more information about IPv6 security issues, see the article referenced above and,

• IPv6: What you need to know
• IPv6 Security Issues

These are my ‘crib notes’ that I’ve made to serve as a last minute refresher. Please forgive the grammer / spelling as I did not develop these notes with publishing in mind

IPSec

*** Theory ***

• VPNs
  • Data origin ,e.g. AH, ESP
  • Encryption
    • (S) Symmetric Encryption – Same key for enc/decryption. Aka secret key.
    • (A) Asymmetric Encryption – 2 keys. Public and Private.  Encrypt with public, decrypt with private. Private always stay local.
    • DH – Allows the exchange of secret keys over a non-secure connection
      • (S) DES is 56bit
      • (S) 3DES is 3 DES keys on top of each other. So 3 x 56 = 168bit (really 112)
      • (A) AES is the best.
• Data Integrity AH, ESP
• Anti replay AH, ESP
  • Mitigate via sequence number on packet.
  • GRE – Encapsulate packet in an IP header. Has no encryption. GRE is multiprotocol. IPSec is really IP only. So GRE over IPSec makes sense.  Can use GRE to send routing protocols over IPSec etc. GRE Encaps first then IPSec encaps
  • L2TP/PPTP – No encryption
  • IPSec – Earlier versions could not carry multicast traffic.
    • Tunnel Mode – Transparent to end host
    • Transport Mode
    • AH (Protocol 51) – Method for authentication and securing data (protects payload of packet. AH less overhead than ESP
    • ESP (protocol 50) – It authenticates, secures and encrypts. Preferred over AH
    • IKE (UDP 500) – negotiates the security parameters and authentication keys
      • Phase 1 – Agreement on methods to exchange data aka SA (Security Association). 1 SA per tunnel.
        • Aggressive Mode – Faster, but not encrypted. 3 Messages,
        • Main Mode – 6 messages. R 1 “DES or 3DES? MD5 or SHA?” R2 “DES and MD5 please” etc DH Keys, Authenticate
  • Phase 1.5 – Known as XAUTH for security
  • Phase 2 – 2 SA per 1 tunnel.
    • Quick Mode – 3 messages
    • Crypto Access List – Defines interesting traffic that starts the IKE/ IPSec process
      • Steps on Cisco Router
        • 1) Create ISAKMP policy 2) Create IPSec transform set 3) Define interesting traffic with crypto access-list 4) Create Crypto Map and apply to interface
    • Dead Peer Detection (DPD) – Keepalive for IPSec.  Sends hello every 10 seconds unless it receives a hello from peer. This means overhead because of enc ry/decryption. Can use on-demand where router sends DPD hello only prior to sending data to peer.
  • • Troubleshooting
      • MM_NO_STATE – Phase 1 attribute mismatch
      • MM_KEY_EXCH – Incorrect pre-shared key or peer IP address

About the company:Telecom based MNC, an leading provider of multimedia core technology that enables mobile operators to deliver mobile broadband to their subscribers. They are Headquatered in Great Boston and have their presence in Europe,Asia,North America are looking for Testing Professionals in the wireless domain.

Location :Bangalore

Experience :1-4Yrs

Skills
Experience in wireless packet core (PDSN) and wireless technologies like CDMA
Good Exposure to IMS domain involving (P-CSCF or S-CSCF) functionalities.
Good Exposure to IPSEC (IKEV1 or IKEV2)
Good Exposure to 3gpp/3GPP2 standards

Education: Should be at least B.E (Electronics/Comp. Science/E&C) / B.Tech/ MCA (Full Time)

Mail your updated resume if this requirement excites you, also pass it on to your friends. For applying or any queries feel free to contact me at Deepika@zyoin.com or 080 -25726241

At our company we use SafeNets SoftRemoteLT VPN solution for secure communication with our DB servers.
In Windows XP and Vista this works fine.

Since the release of Windows 7 RC I’ve tried to get SoftRemoteLt working but have had no luck.
That is until now…

In this post I will show you how to configure Windows 7 and Virtual Windows XP Mode to route VPN traffic through XP.

First you need to make sure you’ve got the prerequisits:
(Instructions for prerequisits are not covered by this post.)

• Windows 7 Professional or Ultimate
• Intel® Virtualization Technology or AMD-V™ feature is enabled in BIOS
• Windows Virtual PC RC
• Windows XP Mode RC
• SafeNet SoftRemoteLt installed on Virtual Windows XP.
  These instructions should work for other clients as well.
• Make sure Internet and VPN is working.
  

(Windows Virtual PC RC and Windows XP Mode RC can be downloaded from here.)

There are several things we need to configure on both Windows 7 (host) and Windows XP Mode (guest):

1. Add a Loopback adapter to the host.
2. Configure the Loopback adapter.
3. Add a Virtual adapter to the guest.
4. Configure the Virtual adapter.
5. Disable Internet Connection Sharing and Firewall on the guest.
6. Enable routing on the guest.
7. Configure routing on the guest.
8. Configure routing on the host.

Let’s get started then.

Add a Loopback adapter to the host

For the host to utilize the VPN located on the guest we need more than unidirectional communication.
VPN traffic goes from the host to the guest, thrugh the VPN and out on the Internet.
When receiving data the guest needs to be able to route it back to the host.
Therefor we need another communication channel.

• Open up Device Manager and right click the root node.
• Select “Add Legacy Hardware” then click “Next”.
• Select “Install the hardware that I manually select from a list (Advanced)” and click “Next”.
• Select “Network Adapters” then click “Next”.
• In the left pane select “Microsoft”.
• In the right pane select “Microsoft Loopback Adapter” then click “Next”.
• On the confirmation screen click “Next”.
• When the installation is finished, click “Finish”.

Now you should have a new network adapter in the Network Connections.

Configure the Loopback adapter

Now it’s time to choose an subnet and IP address for your network connection.
I chose a subnet that wouldn’t collide with my home or work networks.

192.168.199.199 with subnet mask 255.255.255.0

• Open up the Network Connections.
• Find the new network adapter.
  Mine is called “Local Area Connection 4″.
• Right click the icon and select “Properties”.
• Select “Internet Protocol Version 4 (TCP/IPv4)” then click “Properties”.
• Select “Use the following IP address”.
• Enter the IP address and subnet mask and click “OK”.
• Click “OK”.

We’re almost done configuring the host. However, before we can finish we will configure the guest.

Add a Virtual adapter to the guest

Before we start you’ll need to shut down Windows XP Mode completely. Hibernation will not work.

• Open up Virtual Machines.
• Select “Windows XP Mode”.
• Click “Settings”.
• Select “Networking”.
• Set the number of network adapters to 2.
• For the second adapter, select “Microsoft Loopback Adapter” then click “OK”.

Moving on…

Configure the Virtual adapter

For the Virtual Adapter we should now choose an IP address in the same range as we chose before:

192.168.199.200 with subnet mask 255.255.255.0

• Start Windows XP Mode.
• Open up Network Connections.

You should now see two connections. Mine are called “Local Area Connection” and “Local Area Connection 2″.
The first one is your “Internet Connection” and the second one is the “Loopback Connection”.

• Right click your “Loopback Connection” then select “Properties”.
• Select “Internet Protocol (TCP/IP)” and click “Properties”.
• Select “Use the following IP address”.
• Enter the IP address and subnet mask and click “OK”.
• Click “OK”.

Disable Internet Connection Sharing and Firewall on the guest

We need to create or own routing and we do not want windows to interfere with our setup.

• Open “Services”.
• Find “Windows Firewall/Internet Connection Sharing (ICS)”.
• Right click the node and select “Properties”.
• Set “Startup type” to “Disabled” then click “Stop”.
• Click “OK”.

Don’t close “Services” just yet.

Enable routing on the guest

To enable routing we need to do two things:

• Start RegEdit.
• Find the key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter”
• The default value should be “0×00000000″, change it to “0×00000001″.
• Close RegEdit.
• Back in “Services” find “Routing and Remote Access”.
• Right click the node and select “Properties”.
• Set “Startup type” to “Automatic” then click “Start”.
• Click “OK”.

You may now close “Services”.
At this point you might need to restart Windows XP Mode.

Configure routing on the guest

In this step we’ll set up the routing needed for the host to be able to communicate through the guests VPN.

• Start a “Command Prompt”.
• Enter “netsh routing ip nat install”.
  This will install NAT routing.
• Enter “netsh routing ip nat add interface “Local Area Connection” full”.
  This will route traffic through your “Internet Connection”.
• Enter “netsh routing ip nat add interface “Local Area Connection 2″ private”.
  This will route traffic through your “Loopback Connection”.

Guest is done! Only one more thing to do.

Configure routing on the host

You’ll need to know which subnet your VPN network is using.
We will configure the routing so that all traffic meant for you VPN network goes through the “Loopback adapter”.
Let’s say your VPN subnet is

172.16.16.0 with netmask 255.255.255.0

• Start a “Command Prompt” as Administrator. (Run as Administrator).
• Enter “route -p add 172.16.16.0 mask 255.255.255.0 192.168.199.200″
  Note that 192.168.199.200 is the IP address of the guests Virtual Adapter we set earlier.

All done.

From now on all you need to do is start SoftRemoteLt from the “Windows Virtual PC” folder in the Start Menu and you’re all set.

مقدمه ای بر شبکه خصوصی مجازی (VPN):
شبکه خصوصی مجازی یا Virtual Private Network که به اختصار VPN نامیده می شود، امکانی است برای انتقال ترافیک خصوصی بر روی شبکه عمومی. معمولا از VPN برای اتصال دو شبکه خصوصی از طریق یک شبکه عمومی مانند اینترنت استفاده می شود.منظور از یک شبکه خصوصی شبکه ای است که بطور آزاد در اختیار و دسترس عموم نیست. VPN به این دلیل مجازی نامیده می شود که از نظر دو شبکه خصوصی ، ارتباط از طریق یک ارتباط و شبکه خصوصی بین آنها برقرار است اما در واقع شبکه عمومی این کار را انجام می دهد. پیاده سازی VPN معمولا اتصال دو یا چند شبکه خصوصی از طریق یک تونل رمزشده انجام می شود. در واقع به این وسیله اطلاعات در حال تبادل بر روی شبکه عمومی از دید سایر کاربران محفوظ می ماند. VPN را می توان بسته به شیوه پیاده سازی و اهداف پیاده سازی آن به انواع مختلفی تقسیم کرد.

دسته بندی VPN براساس رمزنگاری
VPN را می توان با توجه به استفاده یا عدم استفاده از رمزنگاری به دو گروه اصلی تقسیم کرد:

1- VPNرمزشده : VPN های رمز شده از انواع مکانیزمهای رمزنگاری برای انتقال امن اطلاعات بر روی شبکه عمومی استفاده می کنند. یک نمونه خوب از این VPN ها ، شبکه های خصوصی مجازی اجرا شده به کمک IPSec هستند.

2- VPN رمزنشده : این نوع از VPN برای اتصال دو یا چند شبکه خصوصی با هدف استفاده از منابع شبکه یکدیگر ایجاد می شود. اما امنیت اطلاعات در حال تبادل حائز اهمیت نیست یا این که این امنیت با روش دیگری غیر از رمزنگاری تامین می شود. یکی از این روشها تفکیک مسیریابی است. منظور از تفکیک مسیریابی آن است که تنها اطلاعات در حال تبادل بین دو شبکه خصوصی به هر یک از آنها مسیر دهی می شوند. (MPLS VPN) در این مواقع می توان در لایه های بالاتر از رمزنگاری مانند SSL استفاده کرد.

هر دو روش ذکر شده می توانند با توجه به سیاست امنیتی مورد نظر ، امنیت مناسبی را برای مجموعه به ارمغان بیاورند، اما معمولا VPN های رمز شده برای ایجاد VPN امن به کار می روند. سایر انواع VPN مانند MPLS VPN بستگی به امنیت و جامعیت عملیات مسیریابی دارند.

دسته بندی VPN براساس لایه پیاده سازی
VPN بر اساس لایه مدل OSI که در آن پیاده سازی شده اند نیز قابل دسته بندی هستند. این موضوع از اهمیت خاصی برخوردار است. برای مثال در VPN های رمز شده ، لایه ای که در آن رمزنگاری انجام می شود در حجم ترافیک رمز شده تاثیر دارد. همچنین سطح شفافیت VPN برای کاربران آن نیز با توجه به لایه پیاده سازی مطرح می شود.

1- VPN لایه پیوند داده : با استفاده از VPN های لایه پیوند داده می توان دو شبکه خصوصی را در لایه 2 مدل OSI با استفاده از پروتکلهایی مانند ATM یا Frame Relay به هم متصل کرد.با وجودی که این مکانیزم راه حل مناسبی به نظر می رسد اما معمولا روش ارزنی نیست چون نیاز به یک مسیر اختصاصی لایه 2 دارد. پروتکلهای Frame Relay و ATM مکانیزمهای رمزنگاری را تامین نمی کنند. آنها فقط به ترافیک اجازه می دهند تا بسته به آن که به کدام اتصال لایه 2 تعلق دارد ، تفکیک شود. بنابراین اگر به امنیت بیشتری نیاز دارید باید مکانیزمهای رمزنگاری مناسبی را به کار بگیرید.

2- VPN لایه شبکه : این سری از VPN ها با استفاده از tunneling لایه 3 و/یا تکنیکهای رمزنگاری استفاده می کنند. برای مثال می توان به IPSec Tunneling و پروتکل رمزنگاری برای ایجاد VPN اشاره کرد.مثالهای دیگر پروتکلهای GRE و L2TP هستند. جالب است اشاره کنیم که L2TP در ترافیک لایه 2 تونل می زند اما از لایه 3 برای این کار استفاده می کند. بنابراین در VPN های لایه شبکه قرار می گیرد. این لایه برای انجام رمزنگاری نیز بسیار مناسب است. در بخشهای بعدی این گزارش به این سری از VPN ها به طور مشروح خواهیم پرداخت.

3- VPN لایه کاربرد : این VPN ها برای کار با برنامه های کاربردی خاص ایجاد شده اند. VPN های مبتنی بر SSL از مثالهای خوب برای این نوع از VPN هستند. SSL رمزنگاری را بین مرورگر وب و سروری که SSL را اجرا می کند، تامین می کند.SSH مثال دیگری برای این نوع از VPN ها است.SSH به عنوان یک مکانیزم امن و رمز شده برای login به اجزای مختلف شبکه شناخته می شود. مشکل VPNها در این لایه آن است که هرچه خدمات و برنامه های جدیدی اضافه می شوند ، پشتیبانی آنها در VPN نیز باید اضافه شود.

دسته بندی VPN براساس کارکرد تجاری
VPN را برای رسیدن به اهداف تجاری خاصی ایجاد می شوند. این اهداف تجاری تقسیم بندی جدیدی را برای VPN بنا می کنند .

1- VPN اینترانتی : این سری از VPN ها دو یا چند شبکه خصوصی را در درون یک سازمان به هم متصل می کنند. این نوع از VPN زمانی معنا می کند که می خواهیم شعب یا دفاتر یک سازمان در نقاط دوردست را به مرکز آن متصل کنیم و یک شبکه امن بین آنها برقرار کنیم.

VPN اکسترانتی : این سری از VPN ها برای اتصال دو یا چند شبکه خصوصی از دو یا چند سازمان به کار می روند. از این نوع VPN معمولا برای سناریوهای B2B که در آن دو شرکت می خواهند به ارتباطات تجاری با یکدیگر بپردازند، استفاده می شود.

منبع: http://ircert.com/articles/IntroductionToVPN.htm

Hoy toca un poco de teoría, ya que la última clase, hemos dado, “IPSEC”. Así me pongo un pocos las pilas y me hago una buena entradita con este tema. En lugar de coger todos los apuntes y pasarlos a limpio, por ejemplo a un documento de word, me lo paso a limpio con una entrada al blog.

Bueno vamos al tema:

Que es IPSEC.

IPsec es un protocolo que está sobre la capa del protocolo de Internet (IP). Este, permite a dos o más equipos comunicarse de forma segura (de ahí biene el nombre). La “pila de red” IPsec de FreeBSD se basa en la implementación KAME, que incluye soporte para las dos familias de protocolos, IPv4 e IPv6.

IPsec consta de dos sub-protocolos:

• Encapsulated Security Payload (ESP), que protege los datos del paquete IP de interferencias de terceros, cifrando el contenido utilizando algoritmos de criptografía simétrica (como Blowfish, 3DES).
• Authentication Header (AH), que protege la cabecera del paquete IP de interferencias de terceros así como contra la falsificación (“spoofing”), calculando una suma de comprobación criptográfica y aplicando a los campos de cabecera IP una función hash segura. Detrás de todo esto va una cabecera adicional que contiene el hash para permitir la validación de la información que contiene el paquete.

Estos dos protocolos ( AH y ESP), sirven  para asegurarla autenticación, integridad y confidencialidad de la comunicación. Puede proteger el datagrama IP completo o sólo los protocolos de capas superiores. Estos modos se denominan, respectivamente, módo túnel y modo transporte. En modo túnel el datagrama IP se encapsula completamente dentro de un nuevo datagrama IP que emplea el protocolo IPsec. En modo transporte IPsec sólo maneja la carga del datagrama IP, insertándose la cabecera IPsec entre la cabecera IP y la cabecera del protocolo de capas superiores.

Las redes se diseñan normalmente para impedir el acceso no autorizado a datos confidenciales desde fuera de la intranet de la empresa mediante el cifrado de la información que viaja a través de líneas de comunicación públicas. Sin embargo, la mayor parte de las redes manejan las comunicaciones entre los hosts de la red interna como texto sin formato. Con acceso físico a la red y un analizador de protocolos, un usuario no autorizado puede obtener fácilmente datos privados.

IPSec autentifica los equipos y cifra los datos para su transmisión entre hosts en una red, intranet o extranet, incluidas las comunicaciones entre estaciones de trabajo y servidores, y entre servidores. El objetivo principal de IPSec es proporcionar protección a los paquetes IP. IPSec está basado en un modelo de seguridad de extremo a extremo, lo que significa que los únicos hosts que tienen que conocer la protección de IPSec son el que envía y el que recibe. Cada equipo controla la seguridad por sí mismo en su extremo, bajo la hipótesis de que el medio por el que se establece la comunicación no es seguro.

Configuración de directivas de IPSec

Las directivas de IPSec locales se crean y configuran mediante Directiva de seguridad local. Use Directiva de seguridad del dominio para crear y configurar directivas de IPSec para todo el dominio. También puede agregar el complemento Administración de directivas de seguridad de IP a una consola MMC.

Se pueden definir varias directivas, pero sólo una se asigna a un equipo al mismo tiempo. Para asignar una directiva, en Directiva de seguridad local o la consola de Directiva de grupo apropiada, haga clic con el botón secundario del mouse en la directiva de IPSec y, a continuación, haga clic en Asignar. Recuerde que la configuración del dominio sobrescribe la configuración local.

Directiva de grupo presenta tres entradas de directiva predefinidas:

Para modificar una directiva, tendrás que hacer clic con el botón secundario del mouse en la directiva y, a continuación, otra vez clic en Propiedades. Para crear una directiva, haz clic con el botón secundario del mouse en el nodo Directivas de seguridad IP, haz clic en Crear directiva de seguridad IP y, a continuación, completa el Asistente para directiva de seguridad de IP.

Características de seguridad de IPSec

Las siguientes características de IPSec afrontan todos estos métodos de ataque:

1. Access “Local Security Settings” from Administrative tools.

2. Click on “Select IP security policies on local computer” -> Right click on the blank area in the right side pane -> Click on “Create IP Security Policy” -> This will open a Wizard.

3. Click Next -> Provide a name and description for this new IP security policy being created (eg: IPSEC policy to block a specific IP) -> Click next till you reach the final window -> un-check “edit properties” before you click on finish.

Now the policy is created. You have to enable the IP filter list and the filter action to make this policy valid. The steps to enable these are explained below.

IP Filter List – This specifies which network traffic will be affected by this rule.

IP Filter Action – This specifies whether this rule negotiates for secure network traffic, and how it will secure the traffic.

4. IP Filter List – The new policy will be displayed in “Local Security Settings” under “Select IP security policies on local computer”. Right click on this and select properties -> Add -> Next -> keep the default value under “Tunnel Endpoint” -> Select the network type -> Now you have reached the window for IP Filter List. Click on Add -> Specify a name for the IP filter list -> Provide the description if required -> Select the source IP (the IP which you wish to block -> Click next till you finish

5. IP Filter Action – Now select the Filter List created after the completion of the above step -> Next -> Now you have reached the window for IP Filter Action. Click on Add -> Specify a name for the IP filter action -> Provide the description if required -> next -> Select the option to block, permit or negotiate security as per your requirement -> Click next till you finish.

6. Select the filter action and click on next to complete the wizard.

7. Right click on the policy created and select assign to activate it.

Hi folks,

Two months ago we implemented a DRP network in a branch office. The connection between the main office and the branch one is done with a site-to-site IPSec VPN.

Here is the global schema :

VPN

Everything was ok until I tried to connect to the F0/0 IP of the remote VPN router (VPN-2). Thus, I was unable to get connected.

I checked ACLs, routes, … everything is ok.
Being connected on the VPN-2 (indirectly connected), I tried to telnet back to the 192.168.1.1 machine, then I got a Host unreachable error.

Strange, routes are ok (a default route exists throughout the ISP router)… The error suggests there is no route to the host, so I added an explicit route on VPN-2 indicating the ISP router as the gateway to connect to the 192.168.1.0/24 network.

ip route 192.168.1.0 255.255.255.0 A.B.C.D

As expected, this solved the problem.

After this, I thought why the default route wasn’t been used ?
My suggestion :
192.168.1.0/24 is a RFC1918 network and may be the IOS default route doesn’t hundle these networks.

Your comments are welcome.

There are several motivations for building VPN·s, but a common thread in each is that they all share therequirement to Virtualize some portion of an organization·s communications ­ in other words, make some portion (orperhaps all) of the communications essentially Invisible to external observers, while taking advantage of the efficiencies of a common communications infrastructure. The base motivation for VPN’s lies in the economics of communications.

Communications systems today typically exhibit the characteristic of a high fixed-cost component, and
smaller variable cost components which vary with the transport capacity, or bandwidth, of the system. Within this
economic environment, it is generally financially attractive to bundle a number of discrete communications services
onto a common high capacity communications platform, allowing the high fixed-cost components associated with the
platform to be amortized over a larger number of clients. Accordingly, a collection of virtual networks implemented on
a single common physical communications plant is cheaper to operate than the equivalent collection of smaller
physically discrete communications plants, each servicing a single network client.

So, if aggregation of communications requirements leads to a more cost-effective communications infrastructure,
why not pool all these services into a single public communications system? Why is there still the requirement to
undertake some form of partitioning within this common system that results in these Їvirtual private networks? In
response to this, the second motivation for VPN·s is that of communications privacy, where the characteristics and
integrity of communications services within one closed environment is isolated from all other environments which share the common underlying plant. The level of privacy depends greatly on the risk assessment performed by the subscriber organization ­ if the requirement for privacy is low, then the simple abstraction of discretion and network obscurity may serve the purpose. However, if the requirement for privacy is high, then there is a corresponding requirement for strong security of access and potentially strong security applied to data passed over the common network.

This paper can·t do justice to the concept of VPN·s without some historical perspective, so we need to take a
quick look at why VPN·s are an evolving paradigm, and why they will continue to be an issue of confusion, contention,
and disagreement. This is important, since you will indeed discover that opinions on VPN solutions are quite varied, and everyone seems to be deeply religious on how they should be approached.

Historically, one of the precursors to the VPN was the Public Data Network (PDN), and the current familiar instance of the PDN is the global Internet. The Internet creates a ubiquitous connectivity paradigm, where the network permits any connected network entity to exchange data with any other connected entity. The parallels with the global Public Switched Telephone Network (PSTN) are, of course, all too obvious ­ where a similar paradigm of ubiquitous public access is the predominate characteristic of the network.

In this selection from Server 2003 Network Security Admin LearnSmart Video Training, best-selling network security author Tom Carpenter illustrates the foundations of the IPSEC security protocol.

Linux Jornal is giving FREE digital copy of Linux Journal’s System Administration Special Edition (PDF Download). Go get it!
It has a LOT of interesting stuff.

• Billix
• Zenoss
• Hearthbeat
• Thin Clients
• PXE Booting
• VPNS With IPsec and SSL/TLS
• MySQL 5 Stored Procedures
• And much more!