LAN

LAN 2003 6 4

LAN Hotel LAN LAN IEEE802.11a IEEE802.11b 802.11b 11Mbps Copyright (c) 2003 NPO Page 3 FREESPOT FREESPOT HOTSPOT NTT ( ) MZONE ( )NTT Mobile ( ) Yahoo! BB ( ) MapFanWeb http://www.mapfan.com/musen/ Copyright (c) 2003 NPO Page 4

PHS LAN WEP 64bit Copyright (c) 2003 NPO Page 5 LAN SSID Service Set ID LAN OS MAC OS WEP Wired Equivalent Privacy LAN RC4 40bit 104bit 802.1x Copyright (c) 2003 NPO Page 6

WEP WEP Key 40bit WEP Key 2.7 LAN http://www.lac.co.jp/security/intelligence/snsspiffy/3.pdf AirSnort WEP Copyright (c) 2003 NPO Page 7 AP WEP Key Copyright (c) 2003 NPO Page 8

VPN WEP WEP POP HTTP VPN VPN VPN VPN Copyright (c) 2003 NPO Page 9 VPN sec VPN PC VPN PC WEB (POP/SMTP/HTTP ) Copyright (c) 2003 NPO Page 10

LAN VPN Workspace Workspace PC Wireless LAN NIC Access Point VPN MTU Copyright (c) 2003 NPO Page 12

Workspace or VPN Ping FTP GET PUT Copyright (c) 2003 NPO Page 13 50 SSH ( ) LINCS Cisco ( ) ( ) ( ) BB( ) ( ) ( ) ( ) ( ) Copyright (c) 2003 NPO Page 14

LAN Copyright (c) 2003 NPO Page 15 Copyright (c) 2003 NPO Page 16

Copyright (c) 2003 NPO Page 17 VPN Copyright (c) 2003 NPO Page 18

LAN sec NAT Private NAT Private VPN VPN Copyright (c) 2003 NPO Page 20

LAN sec VPN HotSpot_A Web Server Mail Server DNS Server File Server HotSpot_B Copyright (c) 2003 NPO Page 21 sec Main Pre-Shared Main Pre-Shared ID ID HASH Copyright (c) 2003 NPO Page 22

XAUTH Hybrid Auth XAUTH IKE OTP RADIUS S/KEY Hybrid Auth VPN VPN VPN XAUTH Hybrid Auth Internet Draft Expire sec Client XAUTH Hybrid Auth Copyright (c) 2003 NPO Page 23 XAUTH IKE IKE SA Sec SA Copyright (c) 2003 NPO Page 24

IKE ID ID Copyright (c) 2003 NPO Page 25 ID ID NAT NAT AH NAT ESP ESP NAPT Network Address Port Translation 1 NAT AH AH ESP ESP Copyright (c) 2003 NPO Page 26

NAT NAT Traversal NAT-T NAT-D / / NAT-D NAT UDP ISAKMP KE Ni NAT-D NAT-D sec UDP Encapsulation of sec Packet UDP Encapsulation NAT-T!! Copyright (c) 2003 NPO Page 27 NAT NAT-Traversal Netscreen SSH NAT Checkpoint UDP NAT NAT sec UDP 2746 Cisco TCP high port(tcp encapsulation) TCP 10000 UDP high port(udp encapsulation) UDP 10000 Copyright (c) 2003 NPO Page 28

NAT NAT Traversal NAT-T IKE SA sec SA Non-IKE UDP Copyright (c) 2003 ESP NPO Page 29 AP A 192.168.0.1 VPN 192.168.1.1 Server B 192.168.0.1 Copyright (c) 2003 NPO Page 30

DNS Intranet.hoge.co.jp A? 192.168.0.1 VPN Server DNS Server DNS Server Copyright (c) 2003 NPO Page 31 VPN sec-dhcp ISAKMP Configuration Method Server 192.168.1.1 DNS Server 192.168.1.2/24 ESP B Interface 192.168.0.1 Virtual 10.0.1.2 VPN DNS 192.168.1.2 Copyright (c) 2003 NPO Page 32 A Interface 192.168.0.1 Virtual 192.168.0.1 10.0.1.1 VPN DNS 192.168.1.2

ISAKMP Configuration Method ISAKMP Configuration Method( ode-cfg) IKE Draft Expire IKE SA Internal Internal-v4-Address Internal Internal-v4-Address = x.x.x.x Internal Internal-v4-Netmask Internal Internal-v4-Netmask = 24bit Internal Internal-v4-DNS Internal Internal-v4-DNS = y.y.y.y sec SA Copyright (c) 2003 NPO ESP Page 33 RFC3456 (Dynamic Host Configuration Protocol (DHCPv4) Configuration of sec Tunnel Mode ) Phase2 DHCP SA IKE SA DHCP SA sec-dhcp Internal Internal-v4-Address = x.x.x.x Internal Internal-v4-Netmask = 24bit Internal Internal-v4-DNS = y.y.y.y sec SA Copyright (c) 2003 ESP NPO Page 34

AP A 192.168.0.1 VPN 192.168.0.1 Server Copyright (c) 2003 NPO Page 35 sec MTU HotSpot ADSL PPPoE Ether FCS Ether ESP ESP FCS Ether PPPoE PPP ESP ESP FCS Copyright (c) 2003 NPO Page 36

Server 192.168.1.1 DNS Server 192.168.1.2/24 DF=0 DF=1 Copyright (c) 2003 NPO Page 37 Server 192.168.1.1 DNS Server 192.168.1.2/24 DF=0 1 Copyright (c) 2003 NPO Page 38

MTU 1380B DNS Server 192.168.1.2/24 ESP ESP Copyright (c) 2003 NPO Page 39 DF=1 PMTU ESP ESP Copyright (c) 2003 NPO Page 40

NIC LAN (IEEE802.11b ) IEEE802.11a IEEE802.11g LAN IKE NAT-T Copyright (c) 2003 NPO Page 41 ( ) Copyright (c) 2003 NPO Page 42

LAN Copyright (c) 2003 NPO Page 43 VPN XAUTH Hybrid Auth NAT-Traversal ISAKMP-Config sec-dhcp IKE MTU ICMP PMTU Copyright (c) 2003 NPO Page 44

Copyright (c) 2003 NPO Page 45