Wireless LAN (title slide), 4 June 2003
Slide 3: Wireless LAN in hotels: hotel LAN and wireless LAN; IEEE 802.11a and IEEE 802.11b (802.11b: 11 Mbps).
Copyright (c) 2003 NPO
Slide 4: Public wireless LAN (hotspot) services in Japan: FREESPOT, HOTSPOT (NTT), MZONE (NTT Mobile), Yahoo! BB; a map of hotspots is at MapFanWeb, http://www.mapfan.com/musen/.
Slide 5: PHS versus wireless LAN; WEP with a 64-bit key (40-bit secret key plus 24-bit IV).
Slide 6: Wireless LAN security mechanisms: SSID (Service Set ID); MAC address / OS; WEP (Wired Equivalent Privacy), RC4 with a 40-bit or 104-bit key; IEEE 802.1x.
Slide 7: WEP key recovery: a 40-bit WEP key (the slide gives the figure 2.7; its unit did not survive extraction). Reference: LAC, http://www.lac.co.jp/security/intelligence/snsspiffy/3.pdf. AirSnort recovers the WEP key from captured frames.
Slide 8: The access point's WEP key.
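The structural weakness behind slides 5 to 8, as an added example that is not code from the slides or from AirSnort: WEP prepends a 24-bit IV to the 40-bit key and runs RC4 over the frame, so any two frames sent under the same IV share a keystream, and the IV space is small enough that repeats are routine. The key, IV and frame bodies are constructed for the demo; the RC4 is a plain textbook implementation (standard library only).

```python
"""WEP keystream reuse: why a 24-bit IV on top of a 40-bit RC4 key fails.

Added example, not code from the slides. The key, IV and frame bodies below
are constructed for the demo; the RC4 is a plain textbook implementation.
Standard library only.
"""
import math
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR the keystream over data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key40: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV (3 bytes, sent in clear) || RC4(IV||key, plaintext || CRC32 ICV)."""
    if len(key40) != 5 or len(iv) != 3:
        raise ValueError("40-bit key and 24-bit IV expected")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + key40, plaintext + icv)


def wep_decrypt(key40: bytes, body: bytes) -> bytes:
    """Receiver side: strip the IV, decrypt, check the CRC32 ICV."""
    iv, ciphertext = body[:3], body[3:]
    data = rc4(iv + key40, ciphertext)
    plaintext, icv = data[:-4], data[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def xor_of_plaintexts(body1: bytes, body2: bytes) -> bytes:
    """Attacker without the key: two frames with the same IV share the RC4
    keystream, so C1 xor C2 = P1 xor P2 over their common length."""
    if body1[:3] != body2[:3]:
        raise ValueError("IVs differ; keystreams differ")
    return bytes(a ^ b for a, b in zip(body1[3:], body2[3:]))


def keystream_from_known_plaintext(body: bytes, known: bytes) -> bytes:
    """Known plaintext (e.g. the fixed LLC/SNAP header) gives the keystream prefix for that IV."""
    return bytes(c ^ p for c, p in zip(body[3:], known))


def decrypt_with_keystream(body: bytes, keystream: bytes) -> bytes:
    """Any later frame reusing the IV decrypts with the recovered keystream; the key is never needed."""
    return bytes(c ^ k for c, k in zip(body[3:], keystream))


def frames_until_iv_repeat() -> int:
    """Birthday bound: expected frames before an IV repeats with random 24-bit IVs."""
    return int(math.sqrt(math.pi * (1 << 24) / 2))


# Constructed demo data: one shared 40-bit key, one IV used twice.
DEMO_KEY = bytes.fromhex("0102030405")
DEMO_IV = bytes.fromhex("aabbcc")
LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")   # constant prefix of every IP frame
FRAME1 = LLC_SNAP_IPV4 + b"GET /index.html HTTP/1.0"
FRAME2 = LLC_SNAP_IPV4 + b"USER alice"
```

Encrypt FRAME1 and FRAME2 under DEMO_IV, then call keystream_from_known_plaintext on the first body with the known LLC/SNAP prefix and the rest of FRAME1, and decrypt_with_keystream on the second: the POP user name comes out without touching the 40-bit key. frames_until_iv_repeat() shows that, with random IVs, a collision is expected after only a few thousand frames; a 104-bit key changes none of this, because the IV, not the key, is what repeats.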
Slide 9: Why a VPN: WEP by itself is not enough; POP and HTTP traffic is exposed on the wireless link, so a VPN is used on top of it.
Slide 10: IPsec VPN: an IPsec VPN client on the PC, a VPN gateway in front of the corporate network; web and mail (POP/SMTP/HTTP) pass through the tunnel.
Slide 12: Wireless LAN VPN test workspace: a workspace PC with a wireless LAN NIC, an access point, the VPN gateway; MTU is one of the things examined.
Slide 13: Test items, run both directly from the workspace and over the VPN: ping, FTP GET and PUT.
Slide 14: Products tested (the slide gives the figure 50): SSH, LINCS, Cisco, BB and others whose names did not survive extraction.
Slide 15: Wireless LAN. Slide 16: (content not recovered).
Slide 17: (content not recovered). Slide 18: VPN.
Slide 20: Wireless LAN and IPsec through NAT: the hotspot and the corporate network both use private addresses behind NAT, and the VPN has to cross that NAT.
Slide 21: Wireless LAN IPsec VPN topology: clients at HotSpot_A and HotSpot_B; web server, mail server, DNS server and file server behind the VPN gateway.
Slide 22: IPsec IKE phase 1, Main Mode with a pre-shared key: ID and HASH payloads. In Main Mode the ID payload is sent only after the keys have been derived, so the responder has to select the pre-shared key by the initiator's IP address before it knows who is calling.
Slide 23: XAUTH and Hybrid Auth: XAUTH extends IKE with user authentication (OTP, RADIUS, S/KEY); Hybrid Auth authenticates the gateway with a certificate and the user through XAUTH. Both are Internet Drafts that have expired, and support depends on the IPsec client.
Slide 24: XAUTH runs after the IKE SA is established and before the IPsec SA is negotiated.
Slide 25: IKE identity (ID): which ID the client presents and how the gateway matches it.
Slide 26: IPsec and NAT: AH cannot cross a NAT, because the IP addresses are covered by its integrity check; ESP crosses a one-to-one NAT but not NAPT (Network Address Port Translation), because ESP exposes no TCP/UDP ports for the translator to map on.
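The AH half of slide 26 carried through in bytes, as an added example that is not code from the slides: the ICV is an HMAC over the IP header with only the mutable fields zeroed, so a router may decrement TTL, but a NAT rewriting the source address invalidates the packet. Key, SPI, addresses (documentation ranges) and payload are constructed; the ESP/NAPT side of the slide (no ports for the translator) is not modelled. Standard library only.

```python
"""Why AH cannot cross a NAT: its ICV covers the source address (RFC 2402).

Added example, not code from the slides. Key, SPI, addresses (documentation
ranges) and payload are constructed. Standard library only.
"""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_AH = 51
ICV_LEN = 12            # HMAC-SHA1-96 truncated ICV


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left 0 (a mutable field anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def zero_mutable(ip_hdr: bytes) -> bytes:
    """AH excludes the mutable fields TOS, flags/fragment offset, TTL and header checksum.
    Source and destination addresses stay in the ICV input."""
    return (ip_hdr[0:1] + b"\x00" + ip_hdr[2:6] + b"\x00\x00" + b"\x00"
            + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:20])


def ah_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """ICV = HMAC-SHA1-96 over (immutable IP header || AH with ICV zeroed || payload)."""
    data = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: str, dst: str, spi: int, seq: int,
                    next_proto: int, payload: bytes) -> bytes:
    ah_total = 12 + ICV_LEN                       # fixed AH header + ICV
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 20 + ah_total + len(payload))
    # Payload Len field = AH length in 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", next_proto, ah_total // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify_ah(key: bytes, packet: bytes) -> bool:
    """Receiver: recompute the ICV from the header exactly as received."""
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload))


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """What a NAT does on the way out: replace the source address."""
    return packet[:12] + ipaddress.ip_address(new_src).packed + packet[16:]


def router_decrement_ttl(packet: bytes) -> bytes:
    """What every router does: TTL is mutable and therefore not protected."""
    return packet[:8] + bytes([packet[8] - 1]) + packet[9:]


# Constructed demo: client on a private hotspot address, gateway on a public one.
DEMO_KEY = b"constructed-ah-hmac-key"
DEMO_PACKET = build_ah_packet(DEMO_KEY, "192.168.0.10", "203.0.113.5",
                              0x1001, 1, 17, b"constructed UDP payload")
```

verify_ah passes on DEMO_PACKET and on router_decrement_ttl(DEMO_PACKET), and fails on nat_rewrite_source(DEMO_PACKET, "198.51.100.7"), which is exactly the situation of a client behind the hotspot's NAT.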
Slide 27: NAT Traversal (NAT-T): NAT-D payloads, hashes of IP address and port, are exchanged in IKE phase 1 alongside KE and Ni; when a hash does not match the address the peer actually observed, a NAT is in the path and IPsec packets are UDP-encapsulated ("UDP Encapsulation of IPsec Packets" draft). NAT-T!!
Slide 28: Vendor NAT traversal: NetScreen and SSH follow the NAT-Traversal draft; Check Point uses UDP encapsulation on UDP 2746; Cisco offers TCP encapsulation (TCP high port / TCP 10000) and UDP encapsulation (UDP high port / UDP 10000).
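The exchange described on slides 27 and 29, as an added example that is not code from the slides or from any of the products named: the NAT-D hash each side computes, the receiver's comparison against what it actually saw on the wire, and the demultiplexing of IKE, ESP and keepalives on one UDP port once encapsulation is in use. It follows RFC 3947 / RFC 3948, the standardized form of the drafts the slides refer to; the marker the RFC calls the Non-ESP marker is what slide 29 calls the Non-IKE marker. Cookies, addresses (documentation ranges) and ports are constructed. Standard library only.

```python
"""IKE NAT-T: NAT-D detection hashes and UDP-encapsulation demux (RFC 3947 / RFC 3948).

Added example, not code from the slides. Cookies, addresses (documentation
ranges) and ports are constructed. Standard library only.
"""
import hashlib
import ipaddress
import struct
from typing import List, Tuple

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixed to IKE on UDP/4500; ESP never has SPI 0
NAT_KEEPALIVE = b"\xff"                # one-byte keepalive that keeps the NAT mapping alive


def natd_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """NAT-D payload data: HASH(CKY-I | CKY-R | IP | Port) with the phase-1 hash algorithm."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_natd_payloads(cky_i: bytes, cky_r: bytes, my_ip: str, my_port: int,
                        peer_ip: str, peer_port: int) -> List[bytes]:
    """Sender: first NAT-D is the peer's (destination) address, then one per own (source) address."""
    return [natd_hash(cky_i, cky_r, peer_ip, peer_port),
            natd_hash(cky_i, cky_r, my_ip, my_port)]


def check_natd_payloads(cky_i: bytes, cky_r: bytes, payloads: List[bytes],
                        seen_src_ip: str, seen_src_port: int,
                        seen_dst_ip: str, seen_dst_port: int) -> Tuple[bool, bool]:
    """Receiver: recompute from the IP/UDP header actually received.
    Returns (peer_behind_nat, self_behind_nat)."""
    self_behind_nat = payloads[0] != natd_hash(cky_i, cky_r, seen_dst_ip, seen_dst_port)
    peer_behind_nat = natd_hash(cky_i, cky_r, seen_src_ip, seen_src_port) not in payloads[1:]
    return peer_behind_nat, self_behind_nat


def udp_encapsulate_esp(spi: int, seq: int, esp_rest: bytes) -> bytes:
    """UDP/4500 payload for ESP: the ESP header (SPI, sequence) follows the UDP header directly."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved so that ESP cannot look like the Non-ESP marker")
    return struct.pack("!II", spi, seq) + esp_rest


def udp_encapsulate_ike(ike_message: bytes) -> bytes:
    """UDP/4500 payload for IKE: four zero bytes, then the ISAKMP header."""
    return NON_ESP_MARKER + ike_message


def demux_udp4500(payload: bytes) -> str:
    """Receiver on UDP/4500: one byte 0xFF is a keepalive, a zero marker is IKE, anything else ESP."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"


# Constructed demo: initiator on a private hotspot address behind NAT, responder public.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")
INITIATOR = ("192.168.0.10", 500)
RESPONDER = ("203.0.113.5", 500)
NAT_PUBLIC = ("198.51.100.7", 40001)   # what the NAT rewrites the initiator's packet to


def demo_behind_nat() -> Tuple[bool, bool]:
    """Initiator hashes what it believes; responder checks against the NATed header."""
    payloads = build_natd_payloads(CKY_I, CKY_R, *INITIATOR, *RESPONDER)
    return check_natd_payloads(CKY_I, CKY_R, payloads, *NAT_PUBLIC, *RESPONDER)


def demo_no_nat() -> Tuple[bool, bool]:
    """Same payloads, but the packet arrives unmodified."""
    payloads = build_natd_payloads(CKY_I, CKY_R, *INITIATOR, *RESPONDER)
    return check_natd_payloads(CKY_I, CKY_R, payloads, *INITIATOR, *RESPONDER)
```

demo_behind_nat() returns (True, False): the responder sees that the initiator is behind a NAT while it is not, and both sides switch to UDP encapsulation; demo_no_nat() returns (False, False). Because the hash covers the port as well as the address, a NAPT that keeps the address but changes the source port is detected just the same.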
Slide 29: With NAT-T both the IKE SA and the IPsec SA (ESP) run over UDP and are told apart by the Non-IKE marker.
Slide 30: Private address collision: client A at its hotspot has 192.168.0.1, client B at another hotspot also has 192.168.0.1, and the VPN gateway (192.168.1.1) in front of the server sees two peers with the same inner address.
Slide 31: DNS: the client's query for intranet.hoge.co.jp (A?) has to reach the corporate DNS server through the VPN rather than the hotspot's DNS server; the answer is 192.168.0.1.
Slide 32: IPsec-DHCP / ISAKMP Configuration Method: server 192.168.1.1 and DNS server 192.168.1.2/24 behind the gateway; client B (interface 192.168.0.1) is assigned virtual address 10.0.1.2 and VPN DNS 192.168.1.2; client A (interface 192.168.0.1) is assigned virtual address 10.0.1.1 and VPN DNS 192.168.1.2; the ESP tunnel carries the virtual addresses, so the collision disappears.
Slide 33: ISAKMP Configuration Method (mode-cfg), an IKE Internet Draft that has expired: once the IKE SA is up, the gateway pushes Internal-v4-Address = x.x.x.x, Internal-v4-Netmask = 24bit, Internal-v4-DNS = y.y.y.y, and then the IPsec SA (ESP) is negotiated.
Slide 34: RFC 3456 (Dynamic Host Configuration Protocol (DHCPv4) Configuration of IPsec Tunnel Mode): after the IKE SA, a phase 2 DHCP SA is negotiated and DHCP over that SA supplies the same values (Internal-v4-Address = x.x.x.x, Internal-v4-Netmask = 24bit, Internal-v4-DNS = y.y.y.y); then the IPsec SA (ESP) follows.
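The mode-cfg exchange of slide 33 with the values of slide 32, as an added example that is not code from the slides: the client's request with empty attributes, the gateway's reply, and the client-side parser that applies it. Attribute numbers are those of the mode-cfg draft (unchanged in IKEv2, RFC 7296) and the data-attribute encoding is ISAKMP's (RFC 2408); the identifier value is constructed. Standard library only.

```python
"""ISAKMP Configuration Method (mode-cfg) attributes: what the gateway pushes.

Added example, not code from the slides. Attribute numbers follow the
mode-cfg draft (same in IKEv2), attribute encoding follows RFC 2408.
Addresses are those of slide 32; the identifier is constructed.
Standard library only.
"""
import ipaddress
import struct
from typing import List, Tuple

CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS = 1, 2, 3
INTERNAL_IP4_NBNS, INTERNAL_ADDRESS_EXPIRY, INTERNAL_IP4_DHCP, APPLICATION_VERSION = 4, 5, 6, 7
ADDRESS_ATTRS = {INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS,
                 INTERNAL_IP4_NBNS, INTERNAL_IP4_DHCP}


def encode_attr(atype: int, value: bytes = b"") -> bytes:
    """TLV form (AF bit 0): type, length, value. An empty value asks for that attribute."""
    return struct.pack("!HH", atype & 0x7FFF, len(value)) + value


def encode_cfg(msg_type: int, identifier: int, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Configuration payload body: Type(1) Reserved(1) Identifier(2), then attributes."""
    return struct.pack("!BBH", msg_type, 0, identifier) + b"".join(encode_attr(t, v) for t, v in attrs)


def parse_cfg(body: bytes) -> Tuple[int, int, List[Tuple[int, bytes]]]:
    """Parses both TLV (AF=0) and TV (AF=1, two-byte value) attributes, with bounds checks."""
    msg_type, _, identifier = struct.unpack("!BBH", body[:4])
    attrs, pos = [], 4
    while pos + 4 <= len(body):
        raw_type, second = struct.unpack("!HH", body[pos:pos + 4])
        atype = raw_type & 0x7FFF
        if raw_type & 0x8000:                    # TV: 'second' is the value itself
            attrs.append((atype, struct.pack("!H", second)))
            pos += 4
        else:                                    # TLV: 'second' is the length
            if pos + 4 + second > len(body):
                raise ValueError("attribute length runs past payload")
            attrs.append((atype, body[pos + 4:pos + 4 + second]))
            pos += 4 + second
    if pos != len(body):
        raise ValueError("trailing bytes in configuration payload")
    return msg_type, identifier, attrs


def client_request(identifier: int) -> bytes:
    """Client asks for address, netmask and DNS with zero-length attributes."""
    return encode_cfg(CFG_REQUEST, identifier,
                      [(INTERNAL_IP4_ADDRESS, b""), (INTERNAL_IP4_NETMASK, b""), (INTERNAL_IP4_DNS, b"")])


def gateway_reply(identifier: int, address: str, prefixlen: int, dns: List[str]) -> bytes:
    """Gateway answers with Internal-v4-Address, Internal-v4-Netmask (a 4-byte mask) and DNS."""
    mask = ipaddress.ip_network(f"0.0.0.0/{prefixlen}").netmask.packed
    attrs = [(INTERNAL_IP4_ADDRESS, ipaddress.ip_address(address).packed),
             (INTERNAL_IP4_NETMASK, mask)]
    attrs += [(INTERNAL_IP4_DNS, ipaddress.ip_address(d).packed) for d in dns]
    return encode_cfg(CFG_REPLY, identifier, attrs)


def apply_reply(reply: bytes, expected_identifier: int) -> dict:
    """Client applies a reply: checks type and identifier, decodes the address attributes."""
    msg_type, identifier, attrs = parse_cfg(reply)
    if msg_type != CFG_REPLY or identifier != expected_identifier:
        raise ValueError("not the reply to our request")
    cfg = {"dns": []}
    for atype, value in attrs:
        if atype in ADDRESS_ATTRS and len(value) != 4:
            raise ValueError(f"attribute {atype} is not an IPv4 address")
        if atype == INTERNAL_IP4_ADDRESS:
            cfg["address"] = str(ipaddress.ip_address(value))
        elif atype == INTERNAL_IP4_NETMASK:
            cfg["netmask"] = str(ipaddress.ip_address(value))
            cfg["prefixlen"] = ipaddress.ip_network(f"0.0.0.0/{cfg['netmask']}").prefixlen
        elif atype == INTERNAL_IP4_DNS:
            cfg["dns"].append(str(ipaddress.ip_address(value)))
    return cfg
```

apply_reply(gateway_reply(0x1234, "10.0.1.2", 24, ["192.168.1.2"]), 0x1234) yields the virtual address, the 255.255.255.0 mask and the corporate DNS server from slide 32; the client then routes intranet queries to that DNS server through the tunnel. The identifier check and the length checks are what keep a stray or truncated configuration payload from being applied.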
Slide 35: A second kind of address collision: client A's hotspot address 192.168.0.1 is the same as the address of the corporate server behind the VPN gateway.
Slide 36: IPsec and MTU: the path runs HotSpot to ADSL over PPPoE; the Ethernet frame (with FCS) carries ESP, and PPPoE adds its PPP/PPPoE headers on top of the ESP overhead, so the packet on the wire grows beyond what the client put in.
Slides 37 and 38 (diagrams): server 192.168.1.1 and DNS server 192.168.1.2/24 behind the gateway; the oversized ESP packet with DF=0 is fragmented, whereas with DF=1 it cannot be.
Slide 39: Setting the client's MTU to 1380 bytes keeps every ESP packet within the path MTU (DNS server 192.168.1.2/24 as before).
Slide 40: With DF=1, path MTU discovery (ICMP fragmentation needed) is what tells the sender to shrink its packets to fit the ESP overhead.
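The arithmetic behind slides 36 to 40, as an added example that is not code from the slides: ESP tunnel-mode overhead on a PPPoE link, the largest inner packet that still fits, the gateway's behaviour for DF=0 versus DF=1, and a check that the 1380-byte client MTU of slide 39 is safe. Overhead figures are ESP's (RFC 2406) with 3DES-CBC and HMAC-SHA1-96 unless overridden; the NAT-T variant adds the UDP header. Standard library only.

```python
"""ESP tunnel-mode overhead on a PPPoE path and the DF=0 / DF=1 behaviour.

Added example, not code from the slides. Overhead figures are those of ESP
(RFC 2406) with 3DES-CBC (8-byte block and IV) and HMAC-SHA1-96 (12-byte ICV)
unless overridden; PPPoE costs 8 bytes of the 1500-byte Ethernet MTU.
The 1380-byte client MTU is the value from slide 39. Standard library only.
"""
from dataclasses import dataclass

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8          # 6 bytes PPPoE + 2 bytes PPP protocol ID
OUTER_IP = 20
UDP_ENCAP = 8               # extra UDP header when NAT-T is in use
ESP_HEADER = 8              # SPI + sequence number
ESP_TRAILER = 2             # pad length + next header


@dataclass(frozen=True)
class EspParams:
    block: int = 8          # cipher block size (3DES: 8, AES: 16)
    iv_len: int = 8
    icv_len: int = 12       # HMAC-SHA1-96
    nat_t: bool = False


def pppoe_link_mtu() -> int:
    return ETHERNET_MTU - PPPOE_OVERHEAD


def encapsulated_len(inner_len: int, p: EspParams = EspParams()) -> int:
    """Size of the outer IP packet once the inner packet is put in an ESP tunnel."""
    pad = (-(inner_len + ESP_TRAILER)) % p.block      # CBC padding to the block size
    return (OUTER_IP + (UDP_ENCAP if p.nat_t else 0) + ESP_HEADER + p.iv_len
            + inner_len + pad + ESP_TRAILER + p.icv_len)


def max_inner_len(link_mtu: int, p: EspParams = EspParams()) -> int:
    """Largest inner packet whose ESP encapsulation still fits the link MTU."""
    n = link_mtu
    while n > 0 and encapsulated_len(n, p) > link_mtu:
        n -= 1
    return n


def gateway_action(inner_len: int, df: bool, link_mtu: int, p: EspParams = EspParams()) -> str:
    """What the IPsec gateway does with an inner packet that would not fit after encapsulation:
    DF=0 -> fragment the inner packet before ESP; DF=1 -> drop it and send ICMP
    'fragmentation needed' so the sender's PMTU discovery lowers its packet size."""
    if encapsulated_len(inner_len, p) <= link_mtu:
        return "forward"
    return "icmp-fragmentation-needed" if df else "fragment-before-esp"


def client_mtu_is_safe(client_mtu: int, link_mtu: int, p: EspParams = EspParams()) -> bool:
    """True if every packet the client can emit at client_mtu fits after encapsulation."""
    return encapsulated_len(client_mtu, p) <= link_mtu
```

On a 1492-byte PPPoE link the 3DES/SHA-1 tunnel leaves room for a 1438-byte inner packet, 1430 with NAT-T, 1422 with AES-128; 1380 fits in all of these combinations, which is why a fixed client MTU of 1380 avoids depending on ICMP reaching a client behind a hotspot NAT.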
Slide 41: Observations on NICs: wireless LAN NICs (IEEE 802.11b), with IEEE 802.11a and IEEE 802.11g coming; IKE NAT-T support.
Slide 42: (content not recovered).
Slide 43: Wireless LAN (content not recovered).
Slide 44: Summary: VPN, XAUTH, Hybrid Auth, NAT-Traversal, ISAKMP-Config, IPsec-DHCP, IKE, MTU, ICMP PMTU.