Introduction to VPNs, PKI, and PGP

Pages: 43      File type: pdf      Size: 680.52 KB
Thu Hiền

Document information:

Hello, in this module we continue our discussion of encryption and we look at some practical applications of it. We start off by looking at VPNs, or virtual private networks, and see how you can use them to create secure communications using public networks such as the Internet. We then briefly look at the problem of key management and finish our discussion with a look at PGP, or Pretty Good Privacy, which is an application that allows you to encrypt files and send encrypted email.
Content extracted from the document:
Introduction to VPNs, PKI, and PGP
Security Essentials
The SANS Institute
Encryption and Exploits - SANS ©2001

Foundations of a VPN
• VPNs use cryptography to communicate securely in the presence of adversaries
  – Encryption: Scramble data into something difficult to read without a key.
  – Decryption: The opposite process of encrypting.
  – Authentication: How are you sure you're talking to the right person?
VPNs, PKI, and PGP - SANS ©2001

To architect and deploy a VPN, we need to understand how to apply these three tools. These concepts are easy to grasp at the conceptual level, but the devil is in the details, as they say. Crypto has evolved from an abstract playground for mathematicians to something with widespread public awareness (those little solid, gold keys in the browser have people asking the darndest questions). Likewise, authentication is a discipline in its own right. We'll be discussing authentication systems and client-side web certificates.

What is a VPN?
• Dedicated leased lines are expensive
• Most locations have low-cost connectivity to the Internet
• Why not use the Internet as the communication medium and use encryption for security?
• So, a VPN is a secure communication path that utilizes public networks

In its most basic sense, a VPN, or virtual private network, is a secure communication path that utilizes public networks. Having dedicated leased lines between locations provides for secure communications but can get very expensive. With most leased lines, you pay by the distance, so the greater the distance between two locations, the more expensive the line. But most sites have fairly inexpensive connections to the Internet, so why not use those connections in order to communicate? The main problem is security. Public networks, such as the Internet, have no security built in. However, if we encrypt the data that is sent over the lines, we now have the security we need with the costs that we like: thus, a VPN.

Why Use a VPN?
• Flexibility
  – A VPN "tunnel" over the Internet can be set up rapidly. A frame circuit can take weeks.
  – A good VPN will also support Quality of Service (QOS).
• Cost
  – There are documented cases of a VPN paying for itself in weeks or months.
  – There are also cases where the hidden costs sunk the project!

One of the biggest benefits of VPN technology is its flexibility. Need a secure channel between two hosts for only a day? Maybe just for an hour every business day? A VPN may fit the bill. Once you have the components, setting up a VPN is a software change. This makes the technology far more flexible than legacy frame and dedicated circuits, which must be wired and possibly require additional hardware. This flexibility lends itself to creating new business solutions. For example, it's not cost-effective to wire a T1 for every employee who works from home. It's very practical, however, to load up software on their laptop and let them connect to the home office via a VPN over the Internet.

In looking for VPNs, ask about quality of service (QOS). Leased and dial-up lines offer both bandwidth and latency guarantees, while dedicated connection technologies, like ATM and Frame Relay, have extensive mechanisms for similar guarantees. As IP-based VPNs become more widely deployed, there will be market demand for similar guarantees, in order to ensure end-to-end application transparency.

Cost is another potential benefit. With a frame or dedicated circuit, you typically pay a flat monthly fee, so even if the circuit goes unused, it's costing you money. Also, crossing state and government boundaries with a dedicated circuit only increases its cost. With a VPN, you pay for a local connection to the Internet with no "distance" charges.

Given these benefits, it's not surprising that Taylor and Hecht report that VPN technology is expected to expand 300-1000% by 2003 (Taylor and Hecht).

What VPN Systems Are Made Of
• Routers, Firewalls
• LDAP Server
• Servers, clients
• Key Management Schemes
• Public Key Infrastructure
• Load balance, QOS, ...