-------------------------------------------------- OSI --------------------------------------------------

LAYER 7 [APPLICATION ]  SSH
LAYER 6 [PRESENTATION]
LAYER 5 [SESSION     ]  SOCKS v5, SSL
LAYER 4 [TRANSPORT   ]
LAYER 3 [NETWORK     ]  IPSec, AH, ESP, IKE
LAYER 2 [DATA LINK   ]  PPTP, L2F, L2TP
LAYER 1 [PHYSICAL    ]

[ http://www.nationmaster.com/encyclopedia/OSI-model ]
[ http://www.tech-faq.com/osi-model.shtml ]

PPTP -> Uses: MPPE (Microsoft Point-to-Point Encryption)
L2TP -> Uses: IPSec

----- IPSec (Layer 3) -----

In tunnel mode it protects TCP/IP-based protocols using L2TP.

1) Authentication Header (AH)
   -> Provides authentication, integrity and anti-replay [sequence number].
   Uses: Hash-based Message Authentication Code (HMAC) with MD5 or SHA-1

2) Encapsulating Security Payload (ESP)
   -> Provides confidentiality, authentication and anti-replay [sequence number].
   Uses: Hash-based Message Authentication Code (HMAC) with MD5 or SHA-1
   Privacy: DES-CBC encryption

3) Security Associations (SA)
   -> Define the security policy to be used. Logical, unique, unidirectional.
   A "Security Parameter Index" (SPI) distinguishes each SA.

   3.1) ISAKMP (The Internet Security Association and Key Management Protocol)
        Defines procedures and packet formats to establish, negotiate, modify and delete SAs.

   3.2) Oakley (The Oakley Key Determination Protocol)
        Describes a scheme under which two authenticated parties can exchange key material.
        Uses: the "Diffie-Hellman" key exchange algorithm

   3.3) IKE (The Internet Key Exchange)
        Default automatic key management protocol for IPSec (a combination of *ISAKMP* and *Oakley*).

----------------
IPSec Components:
----------------
- IPSec driver
- ISAKMP
- IP Policy Agent
- IP Security Policy and Security Association -> To define the security environment.
- Security Association API
- Management Tools

Modes:
Tunnel Mode    -> Gateway to gateway; one packet is encapsulated (tunneled) inside another.
Transport Mode -> Secures the packet exchange end-to-end.

*AH* in Tunnel mode or Transport mode    [NAT NOT OK]
Tunnel Mode *ESP* with authentication    [NAT OK] good [Header integrity OK]

PPTP -> TCP:1723 (from "PPTP Client" to "PPTP Server")
L2TP -> UDP:500  ("IKE traffic" to "VPN Server")
        UDP:1701 ("L2TP traffic" from "VPN Client" to "VPN Server")
        IP (protocol ID 50) ("IPSec ESP traffic" from "VPN Server" to "VPN Client")

----------------------------
VPN Authentication Protocols: (OSI: Data Link layer)
----------------------------
- PAP  (Password Authentication Protocol) [clear-text auth]
- CHAP (Challenge Handshake Authentication Protocol) [uses MD5]
- SPAP (Shiva Password Authentication Protocol)
- EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) [Microsoft implementation with public key]

If all the sites in a VPN are owned by the same enterprise, the VPN is a corporate "intranet".
If the various sites in a VPN are owned by different enterprises, the VPN is an "extranet".
RFC2547

--------------------------------------------------------------------------
by Hugo Martín www.hackcraft.com (2005)
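Added example (not part of the original notes): the two receiver-side mechanisms the AH/ESP entries above list, an HMAC integrity check value (HMAC-SHA-1 truncated to 96 bits, as HMAC-SHA-1-96 does) and sequence-number anti-replay with a sliding window. The packet layout (seq | ICV | payload), the key and the traffic are constructed for the demo; real keys come from IKE and the real AH/ESP headers carry more fields.

```python
import hashlib
import hmac
import struct

# Constructed demo layout (assumption, not the real AH/ESP header):
#   seq (4 bytes, big-endian) | ICV (12 bytes) | payload
ICV_LEN = 12        # HMAC-MD5-96 / HMAC-SHA-1-96 keep 96 bits of the MAC
WINDOW_SIZE = 32    # minimum anti-replay window a receiver must support


def compute_icv(key: bytes, seq: int, payload: bytes, algo: str = "sha1") -> bytes:
    """HMAC over (sequence number || payload), truncated to 96 bits."""
    msg = struct.pack("!I", seq) + payload
    return hmac.new(key, msg, getattr(hashlib, algo)).digest()[:ICV_LEN]


def build_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: prepend the sequence number and the ICV to the payload."""
    return struct.pack("!I", seq) + compute_icv(key, seq, payload) + payload


class ReplayWindow:
    """Receiver-side anti-replay window over 32-bit sequence numbers."""

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) already seen

    def check(self, seq: int) -> str:
        """Cheap pre-check before spending an HMAC: 'ok', 'stale' or 'replay'."""
        if seq == 0:
            return "stale"                      # sequence number 0 is never valid
        if seq > self.highest:
            return "ok"                         # right of the window: new
        diff = self.highest - seq
        if diff >= self.size:
            return "stale"                      # fell off the left edge
        return "replay" if self.bitmap & (1 << diff) else "ok"

    def mark(self, seq: int) -> None:
        """Commit a sequence number; call only after the ICV verified."""
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 0                 # window jumps entirely
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def receive(key: bytes, packet: bytes, window: ReplayWindow) -> str:
    """Receiver: window pre-check, then ICV verification, then window update."""
    seq = struct.unpack("!I", packet[:4])[0]
    icv, payload = packet[4:4 + ICV_LEN], packet[4 + ICV_LEN:]
    verdict = window.check(seq)
    if verdict != "ok":
        return verdict
    if not hmac.compare_digest(icv, compute_icv(key, seq, payload)):
        return "bad-icv"                        # forged or modified in transit
    window.mark(seq)                            # only authenticated packets move the window
    return "ok"


def demo() -> list:
    """Constructed traffic: good packets, a replay, a tampered packet, window slide, a stale one."""
    key = b"constructed-demo-key"               # constructed; real keys come from IKE
    window = ReplayWindow()
    p1 = build_packet(key, 1, b"hello")
    p2 = build_packet(key, 2, b"world")
    p3 = build_packet(key, 3, b"world")
    tampered = p3[:-1] + bytes([p3[-1] ^ 0x01])   # flip one payload bit of seq 3
    return [
        receive(key, p1, window),                           # ok
        receive(key, p2, window),                           # ok
        receive(key, p1, window),                           # replay
        receive(key, tampered, window),                     # bad-icv
        receive(key, build_packet(key, 40, b"x"), window),  # ok, window slides to 40
        receive(key, build_packet(key, 5, b"y"), window),   # stale (40 - 5 >= 32)
        receive(key, build_packet(key, 10, b"z"), window),  # ok (inside the window)
    ]


if __name__ == "__main__":
    print(demo())
```

The order in `receive` matters: the window is consulted before the HMAC so that flooded replays cost no MAC computation, but it is only updated after the ICV verified, so a forged packet with a high sequence number cannot slide the window and blank out legitimate traffic.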
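Added example (not part of the original notes) of the Diffie-Hellman exchange that Oakley and IKE build on, ending in an IKE-style key derivation (a PRF keyed with the two nonces over g^xy). The modulus is the 1024-bit MODP prime published as Oakley Group 2 in RFC 2409, transcribed here from memory; the exchange works identically for any safe prime, so check the digits against the RFC before reusing the constant. `DHParty`, `run_exchange` and the nonce handling are this example's own simplifications.

```python
import hashlib
import hmac
import secrets

# Oakley Group 2 (RFC 2409) 1024-bit MODP prime, generator 2.
# Transcribed from memory for the demo: verify against the RFC before reuse.
OAKLEY_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
OAKLEY_GROUP2_G = 2


def valid_public_value(y: int, p: int = OAKLEY_GROUP2_P) -> bool:
    """Reject degenerate peer values (0, 1, p-1) that would force a predictable secret."""
    return 1 < y < p - 1


class DHParty:
    """One side of the exchange (constructed helper, not an IKE implementation)."""

    def __init__(self, p: int = OAKLEY_GROUP2_P, g: int = OAKLEY_GROUP2_G):
        self.p, self.g = p, g
        self.x = secrets.randbelow(p - 2) + 2    # private exponent, never sent
        self.public = pow(g, self.x, p)          # g^x mod p, sent to the peer in clear
        self.nonce = secrets.token_bytes(16)     # per-exchange freshness, as IKE's Ni/Nr

    def derive_key(self, peer_public: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
        if not valid_public_value(peer_public, self.p):
            raise ValueError("invalid Diffie-Hellman public value from peer")
        shared = pow(peer_public, self.x, self.p)              # g^xy mod p
        gxy = shared.to_bytes((self.p.bit_length() + 7) // 8, "big")
        # IKE-style derivation: SKEYID = prf(Ni | Nr, g^xy), with HMAC-SHA-1 as prf
        return hmac.new(nonce_i + nonce_r, gxy, hashlib.sha1).digest()


def run_exchange() -> tuple:
    """Both parties publish g^x, exchange nonces, and derive the same key."""
    initiator, responder = DHParty(), DHParty()
    key_i = initiator.derive_key(responder.public, initiator.nonce, responder.nonce)
    key_r = responder.derive_key(initiator.public, initiator.nonce, responder.nonce)
    return key_i, key_r


if __name__ == "__main__":
    k_i, k_r = run_exchange()
    print("keys match:", k_i == k_r, k_i.hex())
```

Only the public values and nonces cross the wire; an observer who records them still lacks either private exponent. The check in `valid_public_value` is the piece implementations most often forget: accepting 0, 1 or p-1 from the peer collapses the shared secret to a handful of known values.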
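Added example (not part of the original notes) contrasting what PAP and CHAP from the authentication-protocol list put on the wire: PAP's Authenticate-Request carries the password itself, while CHAP answers a random challenge with MD5(Identifier || secret || Challenge) as RFC 1994 specifies. The `ChapAuthenticator` class and the secrets table are constructed for the demo.

```python
import hashlib
import hmac
import secrets


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request payload: length-prefixed id and password, both in clear text."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response value (RFC 1994): MD5 over Identifier || secret || Challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of CHAP (constructed helper). It must hold each peer's secret in clear."""

    def __init__(self, secrets_db: dict):
        self.secrets_db = secrets_db
        self.identifier = 0
        self.current_challenge = b""

    def challenge(self) -> tuple:
        """Issue a fresh random challenge; reusing one would let a recorded response be replayed."""
        self.identifier = (self.identifier + 1) & 0xFF
        self.current_challenge = secrets.token_bytes(16)
        return self.identifier, self.current_challenge

    def verify(self, name: bytes, response: bytes) -> bool:
        secret = self.secrets_db.get(name)
        if secret is None:
            return False
        expected = chap_response(self.identifier, secret, self.current_challenge)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Constructed credentials; shows what each protocol exposes to a passive observer."""
    name, secret = b"alice", b"s3cret-pw"                # constructed sample credentials
    pap_frame = pap_authenticate_request(name, secret)
    auth = ChapAuthenticator({name: secret})
    ident, chal = auth.challenge()
    good = chap_response(ident, secret, chal)
    bad = chap_response(ident, b"wrong-pw", chal)
    return {
        "pap_leaks_password": secret in pap_frame,
        "chap_response_contains_secret": secret in good,
        "chap_accepts_correct": auth.verify(name, good),
        "chap_rejects_wrong": auth.verify(name, bad),
        "chap_rejects_unknown_peer": auth.verify(b"mallory", good),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

CHAP keeps the password off the link, which is the improvement the list points to with "[uses MD5]"; the trade-off visible in `ChapAuthenticator` is that the server stores the secret reversibly, and the response is a plain MD5 of challenge and secret, which is why the stronger EAP-TLS option sits at the end of the list.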