What is Virtual Private Networks
A private network that is created via tunneling over a public network, usually the Internet.
Benefits of Virtual Private Networks
- Compatibility with different broadband technology
- Cost savings
- Security
- Scalability
VPN services
- Authentication
- Data integrity
- Confidentiality
Architecture Classifications
i. Intranet VPN
* LAN-to-LAN connection (site to site)
* Connects Branch Offices to Main Office
* Fixed Tunnel End Points
ii. Extranet VPN
* LAN-to-LAN connection (site to site)
* Connects Trading Partners to Main Office
* Fixed Tunnel End Points
iii. Remote VPN
* User-to-LAN connection
* Connects Remote Mobile Users to Main Office
* Variable IP Addresses on Tunnel End Points
* A.k.a. Virtual Private Dial-up Network (VPDN)
Tunnelling Taxonomy
Classification - Voluntary Tunnels
i. End-to-end tunnels
ii. Created at the request of a client computer, which acts as the tunnel end point
iii. A separate tunnel is created for each communicating pair
iv. Eg. Dial-up connection
Tunnelling Taxonomy
Classification - Compulsory Tunnels
i. Intermediate devices act as tunnel end points
ii. Created and configured by an intermediate device
iii. Compulsory tunnels are shared by multiple
communications
iv. Intermediate device named differently in different tunnelling protocols e.g. Intermediate device is
called IP Security Gateway in IPSec,
Tunnelling Protocols on Difference OSI layers (mcq)
- Layer 2 tunnelling protocols
* Data Link Layer
* Use frames as their unit of exchange
* PPP - Layer 3 tunnelling protocols
* Network Layer
* IPSec - Application Layer Protocol
* Application Layer
* SSL VPN
What are the 2 Site to Site VPNs
- Cisco Generic Routing Encapsulation (GRE)
- IP Security Protocol (IPsec)
Generic Routing Encapsulation (GRE)
- GRE can encapsulate almost any type of packet.
- Uses IP to create a virtual point-to-point link between Cisco routers
- Supports multiprotocol (IP, CLNS, …) and IP multicast tunneling (and therefore routing protocols)
- Best suited for site-to-site multiprotocol
Generic Routing Encapsulation (GRE) statement
(ref image)
R1(config)# interface tunnel 0
R1(config–if)# ip address 10.1.1.1
255.255.255.252
R1(config–if)# tunnel source serial 0/0
R1(config–if)# tunnel destination
209.165.200.225
R1(config–if)# tunnel mode gre ip
What is IPsec - Internet Protocol
Security
- A “framework” of open standards developed by the IETF to create a secure tunnel at the network (IP) layer.
- It spells out the rules for secure
communications. - IPsec is not bound to any specific encryption or authentication algorithms, keying technology, or security algorithms.
- IPsec allows newer and better algorithms to be implemented without patching the existing IPsec
standards.
What are the 2 IPsec Framework Protocols
- AH: Authentication Header
- ESP: Encapsulating Security Payload
Authentication Header (AH)
- provides authentication and optional replay-detection services using PSK or RSA.
- It supports DH Secure key exchange
- supports integrity via hash verification using HMAC-MD5 and HMAC-SHA-1 algorithms.
What does Authentication Header (AH) NOT provide
Confidentiality (encryption).
* It is appropriate to use when confidentiality is not required or permitted.
* All text is transported unencrypted.
* It only ensures the origin of the data and verifies that the data has not been modified during transit.(integrity assured)
* If the AH protocol is used alone, it provides weak protection.
Encapsulating Security Payload (ESP)
- ESP provides the same security services as AH
(authentication and integrity) AND encryption service. - It encapsulates the data to be protected.
Port of Encapsulating Security Payload (ESP)
protocol number 50
Port of Authentication Header (AH)
protocol number 51
Transport Mode
- Security is provided only for the Transport Layer and above.
- It protects the payload but leaves the original IP address in plaintext.
ESP transport mode is used between hosts.
What does Transport Mode work well with
- Transport mode works well with GRE, because GRE hides the addresses of the end devices by adding its own IP.
Tunnel Mode
- Tunnel mode provides security for the complete original IP packet.
- The original IP packet is encrypted and then it is encapsulated in another IP packet (IP-in-IP encryption).
- ESP tunnel mode is used in remote access and site-to-site implementations.
