15 Virtual Private Networks (VPNs) Flashcards

1
Q

Virtual Private Networks

A

A virtual private network (VPN) allows the creation of private networks across the Internet, providing privacy and the tunneling of IP and non-TCP/IP protocols. VPNs are used daily to give remote users and disparate networks connectivity over a public medium like the Internet instead of using more expensive, permanent means. VPNs are actually pretty easy to understand. A VPN fits somewhere between a LAN and a WAN, with the WAN often simulating a LAN link. Basically, your computer on one LAN connects to a different, remote LAN and uses its resources remotely. The challenge when using VPNs is a big one—security! This may sound a lot like connecting a LAN (or VLAN) to a WAN, but a VPN is so much more. Here’s the key difference: A typical WAN connects two or more remote LANs together using a router and someone else’s network, like your Internet service provider’s (ISP’s). Your local host and router see these networks as remote networks, not as local networks or local resources. A VPN actually makes your local host part of the remote network by using the WAN link that connects you to the remote LAN. The VPN will make your host appear as though it’s actually local on the remote network. This means we gain access to the remote LAN’s resources, and that access is also very secure. This may also sound a lot like a VLAN definition because the concept is the same. Just remember this key distinction: For networks that are physically local, using VLANs is a good solution, but for physically remote networks that span a WAN you need to use VPNs instead.

2
Q

Benefits of VPNs

A

Security
VPNs provide security using advanced encryption and authentication protocols, which help protect your network from unauthorized access. IPsec and SSL fall into this category. Secure Sockets Layer (SSL) is an encryption technology used with web browsers and has native SSL encryption known as Web VPN. You can also use the Cisco AnyConnect SSL VPN client installed on your PC to provide an SSL VPN solution, as well as the Clientless Cisco SSL VPN.

Cost Savings
By connecting the corporate remote offices to their closest Internet provider and creating a VPN tunnel with encryption and authentication, I gain huge savings over opting for traditional leased point-to-point lines. This also permits higher-bandwidth links and security, all for far less money than traditional connections.

Scalability
VPNs scale very well to quickly bring up new offices or have mobile users connect securely.

Compatibility with broadband technology
For remote and traveling users and remote offices, any Internet access can provide a connection to the corporate VPN. This allows users to take advantage of the high-speed Internet access that DSL or cable modems offer.

3
Q

Enterprise-managed VPNs

A

You’ll use an enterprise-managed VPN if your company manages its own VPNs. This is a very popular way to provide this service. There are three different categories of enterprise-managed VPNs:

Remote access VPNs
allow remote users like telecommuters to securely access the corporate network wherever and whenever they need to.

Site-to-site VPNs
or intranet VPNs, allow a company to connect its remote sites to the corporate backbone securely over a public medium like the Internet instead of requiring more expensive WAN connections like Frame Relay.

Extranet VPNs
allow an organization’s suppliers, partners, and customers to be connected to the corporate network in a limited way for business-to-business (B2B) communications.

4
Q

Provider-managed VPNs - Layer 2 MPLS VPN

A

Layer 2 VPNs are a type of virtual private network (VPN) that uses MPLS labels to transport data. The communication occurs between routers known as Provider Edge routers (PEs) because they sit on the edge of the provider’s network, next to the customer’s network. ISPs that have an existing Layer 2 network may choose to use these VPNs instead of the other common Layer 3 MPLS VPNs. The two typical technologies of Layer 2 MPLS VPN are:

Virtual private wire service (VPWS)
VPWS is the simplest form for enabling Ethernet services over MPLS. It’s also known as ETHoMPLS (Ethernet over MPLS) or VLL (Virtual Leased Line). VPWS is characterized by a fixed relationship between an attachment virtual circuit and an emulated virtual circuit. For example, VPWS-based services are point-to-point Frame Relay/ATM/Ethernet services over IP/MPLS.

Virtual private LAN switching service (VPLS)
This is an end-to-end service and is virtual because multiple instances of this service share the same Ethernet broadcast domain virtually. Still, each connection is independent and isolated from the others in the network. A learned, dynamic relationship exists between an attachment virtual circuit and emulated virtual circuits that’s determined by customer MAC address. In this type of network, the customer manages its own routing protocols. One advantage that a Layer 2 VPN has over its Layer 3 counterpart is that some applications won’t work if nodes aren’t in the same Layer 2 network.

5
Q

Provider-managed VPNs - Layer 3 MPLS VPN

A

Layer 3 MPLS VPN provides a Layer 3 service across the backbone, and a different IP subnet connects each site. Since you will typically deploy a routing protocol over this VPN, you need to communicate with the service provider in order to participate in the exchange of routes. Neighbor adjacency is established between your router (called the CE) and the provider router (called the PE). The service provider network has many core routers (called P routers), and the job of the P routers is to provide connectivity between the PE routers. If you want to totally outsource your Layer 3 VPN, then this service is for you. Your service provider will maintain and manage routing for all your sites. From your perspective as a customer who’s outsourced your VPNs, it will seem like your ISP’s network is one big virtual switch. Because they’re inexpensive and secure, I’m guessing that you really want to know how to create VPNs now, right? Great! So there’s more than one way to bring a VPN into being. The first approach uses IPsec to build authentication and encryption services between endpoints on an IP network. The second way is via tunneling protocols, which allow you to establish a tunnel between endpoints on a network. Understand that the tunnel itself is a way for data or protocols to be encapsulated inside another protocol—pretty clean!

Four of the most common tunneling protocols in use today:

Layer 2 Forwarding (L2F)
A Cisco-proprietary tunneling protocol that was Cisco’s first and created for virtual private dial-up networks (VPDNs). A VPDN allows a device to use a dial-up connection to create a secure connection to a corporate network. L2F was later replaced by L2TP, which is backward compatible with L2F.

Point-to-Point Tunneling Protocol (PPTP)
PPTP was created by Microsoft with others to allow for the secure transfer of data from remote networks to the corporate network.

Layer 2 Tunneling Protocol (L2TP)
L2TP was created by Cisco and Microsoft to replace L2F and PPTP. It merges the capabilities of both L2F and PPTP into one tunneling protocol.

Generic Routing Encapsulation (GRE)
GRE is the predominant encapsulation protocol in use today. Another Cisco-proprietary tunneling protocol, GRE forms virtual point-to-point links, allowing a variety of protocols to be encapsulated in IP tunnels.

6
Q

Cisco IOS IPsec

A

IPsec is an industry-wide standard framework of protocols and algorithms that allows for secure data transmission over an IP-based network. It functions at Layer 3, the Network layer of the OSI model. IPsec can’t be used to encrypt non-IP traffic. This means that if you run into a situation where you have to encrypt non-IP traffic, you’ll need to create a Generic Routing Encapsulation (GRE) tunnel for it and then use IPsec to encrypt that tunnel!

7
Q

IPsec Transforms

A

An IPsec transform specifies a single security protocol with its corresponding security algorithm; without these transforms, IPsec wouldn’t be able to give us its glory. It’s important to be familiar with these technologies, so let me take a second to define the security protocols.

8
Q

Security Protocols

A

The two primary security protocols used by IPsec are Authentication Header (AH) and Encapsulating Security Payload (ESP).

9
Q

Authentication Header (AH)

A

The AH protocol provides authentication for the data and the IP header of a packet using a one-way hash for packet authentication. It works like this: The sender generates a one-way hash, then the receiver generates the same one-way hash. If the packet has changed in any way, it won’t be authenticated and will be dropped because the hash value no longer matches. So basically, IPsec relies upon AH to guarantee authenticity.

10
Q

Encapsulating Security Payload (ESP)

A

ESP provides confidentiality, data origin authentication, connectionless integrity, anti-replay service, and limited traffic-flow confidentiality by defeating traffic flow analysis—which is almost as good as AH without the possible encryption! ESP’s five big features:

Confidentiality (encryption)
Confidentiality allows the sending device to encrypt the packets before transmitting in order to prevent eavesdropping and is provided through the use of symmetric encryption algorithms like DES and 3DES; however, AES is the most common in use today. It can be selected separately from all other services, but the type of confidentiality must be the same on both endpoints of your VPN.

Data integrity
Data integrity allows the receiver to verify that the data received hasn’t been altered in any way along the way. IPsec uses checksums as a simple way to check the data.

Authentication
Authentication ensures that the connection is made with the correct partner. The receiver can authenticate the source of the packet by guaranteeing and certifying the source of the information.

Anti-replay service
Anti-replay protection is based upon the receiver, meaning the service is effective only if the receiver checks the sequence number. In case you were wondering, a replay attack is when a hacker nicks a copy of an authenticated packet and later transmits it to the intended destination. When the duplicate, authenticated IP packet gets to the destination, it can disrupt services and generally wreak havoc. The Sequence Number field is designed to foil this type of attack.

Traffic flow
For traffic flow confidentiality to work, you’ve got to have at least tunnel mode selected. It’s most effective if it’s implemented at a security gateway where tons of traffic amasses, because that’s precisely the kind of environment that can mask the true source-destination patterns from bad guys trying to breach your security.

11
Q

Encryption

A

VPNs create a private network over a public network infrastructure, but to maintain confidentiality and security, we really need to use IPsec with our VPNs. IPsec uses various types of protocols to perform encryption. The types of encryption algorithms used today are:

Symmetric encryption
This type of encryption requires a shared secret to encrypt and decrypt. Each computer encrypts the data before sending it across the network, with this same key being used to both encrypt and decrypt the data. Examples of symmetric key encryption are Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES).

Asymmetric encryption
Devices that use asymmetric encryption use different keys for encryption than they do for decryption. These keys are called private and public keys. Private keys encrypt a hash of the message to create a digital signature, which is then verified via decryption using the public key. Public keys encrypt a symmetric key for secure distribution to the receiving host, which then decrypts that symmetric key using its exclusively held private key. It’s not possible to encrypt and decrypt using the same key. Asymmetric encryption is a variant of public key encryption that also uses a combination of both a public and a private key. An example of an asymmetric encryption algorithm is Rivest, Shamir, and Adleman (RSA).

12
Q

GRE Tunnels

A

Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate many protocols inside IP tunnels. Some examples would be routing protocols such as EIGRP and OSPF and the routed protocol IPv6.

A GRE tunnel interface supports a header for each of the following:
■ A passenger protocol or encapsulated protocol like IP or IPv6, which is the protocol being encapsulated by GRE
■ GRE encapsulation protocol
■ A transport delivery protocol, typically IP

GRE tunnels have the following characteristics:
■ GRE uses a protocol-type field in the GRE header so any Layer 3 protocol can be used through the tunnel.
■ GRE is stateless and has no flow control.
■ GRE offers no security.
■ GRE creates additional overhead for tunneled packets—at least 24 bytes.

13
Q

GRE over IPsec

A

By itself, GRE offers no security—no form of payload confidentiality or encryption whatsoever. If the packets are sniffed over the public network, their contents are in plain text. Although IPsec provides a secure method for tunneling data across an IP network, it definitely has its limitations. IPsec doesn’t support IP broadcast or IP multicast, preventing the use of protocols that need them, like routing protocols. IPsec also does not support the use of multiprotocol traffic. But GRE can be used to “carry” other passenger protocols like IP broadcast or IP multicast, plus non-IP protocols as well. Using GRE tunnels with IPsec allows you to run a routing protocol, IP multicast, as well as multiprotocol traffic across your network. With a generic hub-and-spoke topology like Corp to Branch, you can typically implement static tunnels (usually GRE over IPsec) between the corporate office and branch offices. When you want to add a new spoke to the network, you just need to configure it on the hub router and then a small configuration on the corp router. Also, the traffic between spokes has to traverse the hub, where it must exit one tunnel and enter another. Static tunnels are an appropriate solution for small networks, but not so much as the network grows larger with an increasing number of spokes!

14
Q

Cisco DMVPN (Cisco Proprietary)

A

The Cisco Dynamic Multipoint Virtual Private Network (DMVPN) feature enables you to easily scale large and small IPsec VPNs. The Cisco DMVPN is Cisco’s answer for allowing a corporate office to connect to branch offices with low cost, easy configuration, and flexibility. DMVPN consists of one central router, like a corporate router, which is referred to as the hub, and the branches as spokes. So the corporate-to-branch connection is referred to as the hub-and-spoke interconnection. The spoke-to-spoke design is also supported for branch-to-branch interconnections. If you’re thinking this design sounds really similar to your old Frame Relay network, you’re right! The DMVPN features enable you to configure a single GRE tunnel interface and a single IPsec profile on the hub router to manage all spoke routers. This keeps the size of the configuration on the hub router basically the same even if you add more spoke routers to the network. DMVPN also allows spoke routers to dynamically create VPN tunnels between themselves as network data travels from one spoke to another.

15
Q

Cisco IPsec VTI (Cisco Proprietary)

A

The IPsec Virtual Tunnel Interface (VTI) mode of an IPsec configuration can seriously simplify a VPN configuration when protection is needed for remote access. And it’s a simpler option than GRE or L2TP for the encapsulation and crypto maps used with IPsec. Like GRE, it sends routing protocol and multicast traffic, just without GRE and all the overhead it brings. Simple configuration and routing adjacency directly over the VTI are great benefits! Understand that all traffic is encrypted and that it supports only one protocol—either IPv4 or IPv6, just like standard IPsec.

16
Q

Configuring GRE Tunnels

A

Before you attempt to configure a GRE tunnel, you need to create an implementation plan. Here’s a checklist of what you need to do to configure and implement a GRE tunnel:

■ Use IP addressing.
■ Create the logical tunnel interfaces.
■ Specify that you’re using GRE tunnel mode under the tunnel interface. This is optional since it’s the default tunnel mode.
■ Specify the tunnel source and destination IP addresses.
■ Configure an IP address for the tunnel interface.

To configure GRE, first create the logical tunnel with the interface tunnel number command. Configure the mode and transport, if needed, with the tunnel mode mode protocol command; then configure the IP addresses on the tunnel interfaces, the tunnel source and tunnel destination addresses, and your physical interfaces with global addresses. Verify with the show interface tunnel command as well as with ping.