DTH3C3 - Keamanan Jaringan

Jaya Kuncara Rosa Susila, S.T., M.T.

 Pokok Bahasan Hari ini?

Virtual Private Network (VPN) dan Autentikasi

Jenis Keamanan pada VPN Tunneling

Trusted Secure Hybrid IPSec

PPTP L2TP
VPN VPN VPN Encryption
 Private network

• A private network is a network that uses private IP address space.

• Both, the IPv4 and the IPv6 specifications define private addressing ranges.
• These addresses are commonly used for local area networks (LANs) in
residential, office, and enterprise environments.
• Private network addresses are not allocated to any specific organization
and anyone may use these addresses without approval from a regional
Internet registry.
 Private IPv4 addresses

RFC1918 Host ID
IP Address Range Netmask
Name Size
10.0.0.0 –
24-bit block 10.0.0.0/8 (255.0.0.0) 24 bit
10.255.255.255
172.16.0.0 – 172.16.0.0/12
20-bit block 20 bit
172.31.255.255 (255.240.0.0)
192.168.0.0 – 192.168.0.0/16
16-bit block 16 bit
192.168.255.255 (255.255.0.0)
 Virtual Private Network Definition?

• A virtual private network (VPN) extends a private network across a public

network, and enables users to send and receive data across shared or public
networks as if their computing devices were directly connected to the
private network. (Wikipedia)
• A virtual private network is a way to simulate a private network over a public
network, such as the Internet. (Virtual Private Network, 2nd edition –
O’Reilly)
• A Virtual Private Network (VPN) is a conceptual network formed by defining
a closed group of users and encrypting all communication between its
members. (thesis by Brendon Harris – 1998)
 Virtual vs Private

• Virtual- not part of a dedicated network of traditional network

infrastructures, Integrated Services Digital Network (ISDN), Packet
Switched Network (PSN), Packet Switched Telephone Network (PSTN), and
Frame Relay from a telecommunications provider.
• Private (or confidential) - The traffic handles is encrypted while it travels
between the end points of the VPN.
 Why do I need a VPN?

•Hide your IP Address

• Connecting to a Virtual Private Network often conceals your real IP address.

Change your IP Address

• Using a VPN will almost certainly result in getting a different IP address.

•Encrypt data transfers

• A Virtual Private Network will protect the data you transfer over public WiFi.
 Why do I need a VPN?

•Mask your location

• With a Virtual Private Network, users can choose the country of

origin for their Internet connection.

Access blocked website

• Get around website blocked by governments with a VPN.

 The VPN security model provides?

Confidentially
• such that even if the network traffic is sniffed at the packet level, an attacker would
see only encrypted data
Integrity
• message integrity to detect any instances of tampering with transmitted messages.

Authectication
• sender authentication to prevent unauthorized users from accessing the VPN
 Types of VPNs

Site-to-Site VPN
• Connects the corporate office to branch offices over the Internet.
• Used when distance makes it impractical to have direct network connections between
these offices.
• Dedicated equipment is used to establish and maintain a connection.
Remote access
• A remote access VPN securely connects a device outside the corporate office.
• These devices are known as endpoints and may be laptops, tablets, or smartphones.
• Advances in VPN technology have allowed security checks to be conducted on endpoints
to make sure they meet a certain posture before connecting.
 Hardware or Software VPN?

Hardware Based VPN Software Based VPN

• Connect one gateway to another • Integrated with firewalls
• Routers at each network gateway encrypt and • Appropriate when participating networks use
decrypt packets different routers and firewalls
• VPN appliance • Benefits
• Designed to serve as VPN endpoint • More cost-effective
• Join multiple LANs • Offer maximum flexibility
• Benefits
• Scalable
• Better security
 Hardware or Software VPN Products?

Hardware Products Software Products

1. Cisco Systems Gigabit Dual WAN VPN 1. AnyConnect
2. Zyxel Next Generation VPN Firewall 2. NordVPN
3. GL.iNet GL-AR150 Mini Travel Router & VPN 3. TunnelBear
4. UTT HiPER 518 VPN 4. OpenVPN Access Server
5. Dell Sonicwall TZ300 VPN 5. PureVPN
6. Linksys Business Dual WAN VPN Router 6. ExpressVPN
7. ….. 7. .....
 Points to consider when selecting VPNs?

1. Compatibility
2. Scalability
3. Security
4. Cost
5. Vendor support
 Virtual Private Network Technology

• There are two issues to consider VPN,

• The first is providing private communications over the Internet, while
• The second deals with transporting incompatible LAN-based protocols over the
Internet.
• Organizations that wish to use the Internet to connect private networks
using protocols must use some form of protocol encapsulation or tunnelling.
Or It is also possible to use an IP gateway to translate incompatible network
protocols to IP.
 Securing a VPN

a) The information transmitted between the two locations via the encrypted
tunnel cannot be read by anyone else.
b) VPN security contains several elements to secure both the company's
private network and the outside network.
 VPN Encryption

• Encryption works by having all data sent from one computer encrypted in
such a way that only the computer it is sending to can decrypt the data.
• Types of encryption commonly used include public-key encryption which is a
system that uses two keys — a public key known to everyone and a private
or secret key known only to the recipient of the message.
• The other commonly used encryption system is a Symmetric-key encryption
system in which the sender and receiver of a message share a single,
common key that is used to encrypt and decrypt the message.
 VPN Equipment

• These standard components include a software client for each remote

workstation, dedicated hardware (such as a firewall), or a product (like the
Cisco VPN Concentrator, a VPN server, and a Network Access Server).
• Some best and free open source VPN server: OpenVPN server, PriTunel
VPN server, SoftEther VPN, OpenConnect VPN Server, VyOS, Hypersocket
VPN.
• A network access server (NAS) is a type of server that provides in-house or
remotely connected users with a broader external network and/or the
Internet.
 VPN Tunneling

• Tunneling means the original packet being encapsulated in a new header(s)

and then sent from one device in the internet to another, while the reverse
happens at the other end.
• There are two main types of tunneling used in virtual private networks.
• Voluntary tunneling, where the client makes a connection to the service provider then
the VPN client creates the tunnel to the VPN server once the connection has been
made.
• Compulsory tunneling, the service provider manages the VPN connection and brokers
the connection between that client and a VPN server.
 Tunnelling Protocols

1. Generic Routing Encapsulation 5. AscendTunnel Management

(GRE) Protocol (ATMP)
2. Point-to-Point Tunnelling Protocol 6. Data Link Switching (DLSw)
(PPTP) 7. Mobile IP
3. Layer-2 Forwarding (L2F) 8. IP Security (IPSec)
4. Layer-2 Tunnelling Protocol (L2TP)
 Tunnelling Protocols
Generic Routing
Encapsulation (GRE)
• Specifies a protocol for performing encapsulation of an
arbitrary Network-layer protocol over another arbitrary
Network-layer protocol.
• GRE is specified in RFC 1701.
• The GRE protocol functions by encapsulating the Network-
layer protocol to be transported in a GRE packet, which may
optionally include route information.
• The resulting GRE packet can then be encapsulated in the
final network protocol and delivered.
• RFC 1702 is a companion memo which addresses the case of
using IP as the delivery protocol or the payload protocol and
the special case of IP as both the delivery and payload.
• GRE in itself does not provide encryption services.
Point-to-Point Tunnelling
Protocol (PPTP)
• PPTP provides proprietary cryptographic services
to establish a VPN between a user’s computer
and the destination network.
• It is a joint development by Ascend
Communications and Microsoft.
• PPTP specifies a protocol which allows the Point-
to-Point Protocol (PPP) to be tunneled across an
IP network.
• The PPP packets are encapsulated using GRE, the
resulting GRE packet is then delivered using an IP
network.
• PPTP has been submitted to the Internet
Engineering Task Force48 (IETF) as an Internet-
Draft.
 Tunnelling Protocols
Layer-2 Forwarding (L2F)
• L2F focuses on providing a standards-based
tunnelling mechanism for transporting Link-
layer frames containing higher layer
protocols.
• The L2F protocol is used to encapsulate the
HDLC (High level Data Link Control) packet,
the resulting L2F packet is then sent in a
UDP datagram across an IP network.
• L2F supports tunnelling of IP, IPX, and
AppleTalk protocols.
• In addition L2F allows the tunnel to be
encrypted using IPSec.
Layer-2 Tunnelling Protocol
(L2TP)
• L2TP is being designed by the IETF PPP
working group and combines the best
features from PPTP and L2F.
• L2TP is described in an IETF Internet-
Draft document.
• No cryptographic services are defined in
the L2TP standard, although IPSec could
be used to secure the IP datagrams across
an IP network.
 Tunnelling Protocols
Ascend Tunnel Management
Protocol (ATMP)
• The ATMP protocol is currently being used in Ascend
Communication products to allow dial-in client software to
create a virtual presence on a user's home network from remote
locations.
• The clients themselves are unaware of ATMP, although it is
assumed that standard PPP or SLIP clients are being used.
• ATMP currently allows for both IP and IPX protocols to be
tunnelled- encapsulation is performed using the GRE protocol.
• ATMP is defined in RFC 2107. It is interesting to note that Ascend
Communications created PPTP's fundamental architecture and
advanced the concept to Microsoft.
• No cryptographic services are defined in the ATMP standard,
although IPSec could be used to secure the IP datagrams across
an IP network.
Data Link Switching (DLSw)
• DLSw is a forwarding mechanism for the IBM SNA
(Systems Network Architecture) and IBM NetBIOS
(Network Basic Input Output Services) protocols.
• The protocol does not provide full routing, but instead
provides switching at the SNA Data Link-layer (i.e. layer
2 in the SNA architecture) and encapsulation in TCP/IP
for transport over the Internet.
• DLSw version 1.0 is defined in RFC 1795. RFC 2166
defines version 2.0 which is a set of backward
compatible enhancements, the majority of which
address scaling issues.
• No cryptographic services are defined in the DLSw
standard, although IPSec could be used to secure the IP
datagrams across an IP network.
 Tunnelling Protocols

Mobile IP IP Security (IPSec)

• The principal design goal of Mobile IP is for a node to • Provides a security framework developed by the IETF IP
retain its IP address after it has moved to another Security Working Group for IP version 4 and IP version 6.
network.
• IPSec supports a number of tunnelling methods with or
• The IETF Mobile IP working group has specified the use without encryption.
of encapsulation as a way to deliver datagrams from a
mobile node's "home network" to an agent that can
deliver datagrams locally by conventional means to the
mobile node at its current location away from home.
• Mobile IP specifies tunnelling for a number of
circumstances such as firewall traversal. Other possible
applications of encapsulation include multicasting,
preferential billing, choice of routes with selected
security attributes, and general policy routing.
• IPSec is expected to be integrated with the Mobile IP
implementation.
 Application layer VPN

• All three protocols are currently being developed as Internet-Drafts by

various IETF working groups.
1. S-HTTP (Secure HTTP)
2. SSH (Secure Shell)
3. SSL (Secure Socket Layer)
 Secure-HTTP

• Secure-HTTP is a secure message-oriented communications protocol designed for use in

conjunction with HTTP. It is designed to coexist with HTTP’s messaging model and to be
easily integrated with HTTP applications.
• S-HTTP provides full flexibility in the choice of cryptographic algorithms, modes and
parameters, and has been designed for extensibility. Interestingly, S-HTTP does not require
client-side public-key certificates (or public-keys) because it supports symmetric-key only
operation modes. This is significant because it allows secure transactions to occur without
requiring users to have an established public-key.
• S-HTTP supports end-to-end secure transactions, in contrast with the original HTTP
authorization mechanisms which require the client to attempt access and be denied before
the security mechanism is employed.
• Option negotiation is used to allow clients and servers to agree on transaction modes,
cryptographic algorithms, and certificate selection.
 Secure Shell

• SSH is a datagram-based binary protocol that is capable of functioning on top of any Transport-layer that
can deliver a stream of binary data.
• It was originally designed as a replacement for the UNIX rlogin, rsh, and rep commands, in addition, it is
also used to provide secure X-Windows connections and secure forwarding of arbitrary TCP connections.
• SSH provides strong authentication and secure communications over tinsecure channels. All
communications are encrypted using IDEA or one of several other ciphers (e.g. triple-DES, DES, RC4-128,
Blowfish).
• Encryption keys are exchanged using RSA, and data used in the key exchange is destroyed every hour (keys
are never saved). Each host has an RSA key which is used to authenticate the host when RSA host
authentication is used.
• Encryption is used to protect against IP-spoofing; public-key authentication is used to protect against DNS
and route spoofing. RSA keys are also used to authenticate hosts.
• The datagram mechanism and related authentication, key exchange, encryption, and integrity mechanisms
implement a Transport layer security mechanism, which is then used to implement the secure connection
functionality.
 Secure Socket Layer

• SSL was initially designed by Netscape Communications, and is the predominant

Application-layer security protocol.
• The primary goal of the SSL protocol is to provide privacy and reliability between
two communicating applications.
• The SSL is a protocol layer which may be placed between a reliable connection-
oriented Transport-layer protocol (e.g. TCP) and the Application-layer (e.g. HTTP).
• SSL provides for secure communication between a client and server by allowing
mutual authentication, the use of digital signatures for integrity, and encryption for
privacy.
 Tugas 4

1. Cari info mendalam mengenai • Ditulis dalam bentuk artikel dan

standar-standar yang dipakai dalam dikumpulkan pada pertemuan pekan
protokol-protokol VPN? (GRE, PPTP, depan.
L2TP, ATMP, Mobile IP, IPsec)
• Seperti biasa, dikumpulkan dengan
2. Cari info mendalam mengenai format:
mekanisme keamanan yang dipakai
dalam aplikasi VPN? (s-HTML, SSH,
• Tugas 4 – Kelas – NIM – Nama
Mahasiswa.docx
SSL)
3. Carilah minimal 3 provider layanan
VPN kemudian tulis deskripsi dari
provider itu dan bandingkan dengan
yang lainnya?