Faculty of information technology
3.2.2 OpenVPN

OpenVPN is a highly customizable, secure and reliable VPN solution that is developed under an Open Source license [6]. It can be installed on almost all commonly used operating systems and has excellent documentation, which makes its setup quite easy. It can be configured to operate on either OSI Layer 2 or OSI Layer 3. OpenVPN provides peer authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay protection through the use of X.509 certificates or a pre-shared password. It is possible to turn the security features off and run OpenVPN without encryption and authentication [34].

The number of available configuration options is unusually large and allows for extensive customization [34]. Among its more prominent features are:

∙ Management console – Server-side interface for collecting VPN statistics, listing connected devices, kicking devices, etc.
∙ Event-related scripts – The daemon can be configured to run a given script whenever a certain event happens (e.g. whenever a new device tries to connect), and its behavior can be influenced through the return values of such scripts.
∙ Device-specific configuration – The server side can have a separate configuration for each device and thus use a different set of configuration options in communication with different devices.
∙ Push options to clients – The server can push any configuration options to clients and thus overwrite their local configuration when the need arises.

OpenVPN runs fully in user space and is comparatively slower (longer response time and lower throughput) than most of its competitors [27].

3.2.3 IPsec

IPsec is a set of network protocols that together ensure secure communication between two endpoints. Unlike many other protocols and applications, it does not use the TLS protocol for key exchange and for cryptographic algorithm negotiation [22]. Instead, it provides its own implementation of that functionality. IPsec always operates at OSI Layer 3 [22].

Based on the security needs, there are 2 different transfer protocols that IPsec may be configured to use for communication:

A) Authentication Headers (AH) – provides data origin authentication, data integrity and protection against replay attacks, but no confidentiality [25].
B) Encapsulating Security Payloads (ESP) – provides data origin authentication, data integrity, protection against replay attacks, and confidentiality [26].

The AH or ESP protocol is always used in conjunction with the Security Associations (SA) protocol, which provides algorithms and key exchange mechanisms for obtaining the parameters that are needed by AH and ESP [22]. Authentication is done either via certificates or through a pre-shared key, and cannot be disabled [22].

Based on the network topology, there are 2 encapsulation modes that IPsec may be configured to use for communication:

A) Tunnel mode – In this mode, an additional IP header is added on top of the existing one. This is typically used for site-to-site topology. When used in conjunction with the ESP security protocol, the encapsulated IP header is encrypted and thus the real destination of the packet cannot be read by anyone while it is traveling between the sites.
B) Transport mode – This mode is used for host-to-host topology. There is no additional IP encapsulation.

Irrespective of the encapsulation mode chosen, when a NAT is on the path between the two endpoints, a NAT-traversal mode, which encapsulates the packet with one more UDP header, must be enabled. This is done so that the NAT can safely modify the header without changing the hash-protected IP header.

IPsec is generally considered to be faster (higher throughput, lower latency) than OpenVPN when similarly configured [27]. Its ability to encrypt the destination IP address puts IPsec above OpenVPN also in terms of security.
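The difference between the two ESP encapsulation modes, and the extra UDP header of NAT-traversal, can be made concrete by building the packets and asking what a passive observer on the path can read. The following is an added illustration, not code from the thesis or from any IPsec implementation: the IPv4 header is minimal (no checksum), the key and addresses are constructed sample values, and the confidentiality step is a labelled stand-in for ESP's negotiated cipher.

```python
import hashlib, hmac, socket, struct

ESP, UDP, IPIP = 50, 17, 4          # IANA protocol numbers: ESP, UDP, IP-in-IP
KEY = b"constructed-demo-key"       # constructed sample key, not a real SA key

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (checksum left 0; enough to show what is visible)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_ip(pkt):
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9]

def _keystream_xor(seq, data):
    # Stand-in confidentiality: XOR with an HMAC-derived keystream. Real ESP uses
    # the negotiated cipher (e.g. AES-GCM); here it only models "hidden bytes".
    out = b"".join(hmac.new(KEY, struct.pack("!II", seq, i), hashlib.sha256).digest()
                   for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, out))

def esp_wrap(seq, payload, next_header, spi=0x1001):
    """ESP: SPI+seq header, encrypted payload+trailer, truncated HMAC-SHA256 ICV."""
    hdr = struct.pack("!II", spi, seq)
    body = _keystream_xor(seq, payload + bytes([next_header]))
    icv = hmac.new(KEY, hdr + body, hashlib.sha256).digest()[:16]
    return hdr + body + icv

def transport_mode(inner, seq=1):
    """Host-to-host: original IP header stays; only its payload is protected."""
    src, dst, proto = parse_ip(inner)
    esp = esp_wrap(seq, inner[20:], proto)
    return ipv4_header(src, dst, ESP, len(esp)) + esp

def tunnel_mode(inner, gw_src, gw_dst, seq=1):
    """Site-to-site: the whole inner packet, header included, goes inside ESP."""
    esp = esp_wrap(seq, inner, IPIP)
    return ipv4_header(gw_src, gw_dst, ESP, len(esp)) + esp

def nat_traversal(pkt):
    """NAT-T: put ESP behind a UDP/4500 header that a NAT may rewrite freely."""
    src, dst, _ = parse_ip(pkt)
    udp = struct.pack("!HHHH", 4500, 4500, len(pkt) - 12, 0) + pkt[20:]
    return ipv4_header(src, dst, UDP, len(udp)) + udp

def on_path_view(wire, real_dst):
    """Passive observer's view: outer fields, and whether the real destination is readable."""
    src, dst, proto = parse_ip(wire)
    visible = dst == real_dst or socket.inet_aton(real_dst) in wire[20:]
    return {"src": src, "dst": dst, "proto": proto, "real_dst_visible": visible}
```

In transport mode the observer sees the real destination in the outer header; in tunnel mode only the gateway addresses are readable, and NAT-T adds the UDP header without changing that.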