Module 8: VPN and IPsec Concepts - Coggle Diagram
VPN Technology
Virtual Private Networks
To secure network traffic between sites and users, organizations use virtual private networks (VPNs) to create end-to-end private network connections. A VPN is virtual in that it carries information within a private network, but that information is actually transported over a public network. A VPN is private in that the traffic is encrypted to keep the data confidential while it is transported across the public network.
The figure shows a collection of various types of VPNs managed by an enterprise's main site. The tunnel enables remote sites and users to access the main site's network resources securely.
VPN Benefits
Modern VPNs now support encryption features, such as Internet Protocol Security (IPsec) and Secure Sockets Layer (SSL) VPNs to secure network traffic between sites.
Major benefits of VPNs are shown in the table.
Site-to-Site and Remote-Access VPNs
Enterprise and Service Provider VPNs
VPNs can be managed and deployed as:
Enterprise VPNs - Enterprise-managed VPNs are a common solution for securing enterprise traffic across the internet. Site-to-site and remote access VPNs are created and managed by the enterprise using both IPsec and SSL VPNs.
Service Provider VPNs - Service provider-managed VPNs are created and managed over the provider network. The provider uses Multiprotocol Label Switching (MPLS) at Layer 2 or Layer 3 to create secure channels between an enterprise’s sites. MPLS is a routing technology the provider uses to create virtual paths between sites. This effectively segregates the traffic from other customer traffic. Other legacy solutions include Frame Relay and Asynchronous Transfer Mode (ATM) VPNs.
8.2 Types of VPNs
Remote-Access VPNs
VPNs have become the logical solution for remote-access connectivity for many reasons. They let users securely connect to the enterprise by creating an encrypted tunnel. Remote users can securely replicate their enterprise security access.
SSL VPNs
SSL uses the public key infrastructure and digital certificates to authenticate peers. Both IPsec and SSL VPN technologies offer access to virtually any network application or resource.
Site-to-Site IPsec VPNs
Site-to-site VPNs are used to connect networks across another untrusted network such as the internet. In a site-to-site VPN, end hosts send and receive normal unencrypted TCP/IP traffic through a VPN terminating device.
GRE over IPsec
Generic Routing Encapsulation (GRE) is a non-secure site-to-site VPN tunneling protocol. It can encapsulate various network layer protocols. It also supports multicast and broadcast traffic.
Dynamic Multipoint VPNs
DMVPN simplifies the VPN tunnel configuration and provides a flexible option to connect a central site with branch sites. It uses a hub-and-spoke configuration to establish a full mesh topology.
IPsec Virtual Tunnel Interface
IPsec Virtual Tunnel Interface (VTI) simplifies the configuration process required to support multiple sites and remote access. IPsec VTI configurations are applied to a virtual interface instead of statically mapping the IPsec sessions to a physical interface.
Service Provider MPLS VPNs
Traffic is forwarded through the MPLS backbone using labels that are previously distributed among the core routers. Traffic is secure because service provider customers cannot see each other’s traffic.
8.3 IPsec
Technologies
Protocol Encapsulation
IPsec encapsulates packets using Authentication Header (AH) or Encapsulating Security Payload (ESP).
Confidentiality
Integrity
Authentication
Secure Key Exchange with Diffie-Hellman
DH provides a way for two peers to establish a shared secret key that only they know, even though they are communicating over an insecure channel.
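As an added example (not part of the Coggle notes), the shared-secret computation described above in Python, so both peers' results can be compared against what an eavesdropper sees. The modulus and generator are constructed toy parameters, not a real IKE DH group.

```python
# Added example: toy Diffie-Hellman exchange. P and G are constructed demonstration
# parameters, NOT a real IKE/IPsec DH group; IKE negotiates large MODP or ECP groups.
import hashlib
import secrets

P = (1 << 127) - 1   # Mersenne prime 2^127 - 1, used only as a toy modulus
G = 2                # generator chosen for the demo


def make_private(p: int = P) -> int:
    """Random private exponent in [2, p-2]; it never leaves the peer."""
    return secrets.randbelow(p - 3) + 2


def make_public(private: int, p: int = P, g: int = G) -> int:
    """Public value g^private mod p: the only thing sent over the insecure channel."""
    return pow(g, private, p)


def shared_secret(peer_public: int, private: int, p: int = P) -> int:
    """peer_public^private mod p; equal on both sides since (g^a)^b == (g^b)^a mod p."""
    if not 1 < peer_public < p - 1:
        # Reject 0, 1 and p-1: such values would force a trivial, predictable secret.
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, p)


def derive_key(secret: int) -> bytes:
    """Hash the raw shared secret into key material, as IKE's PRF step does."""
    return hashlib.sha256(secret.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def exchange(a_priv: int, b_priv: int):
    """Run the exchange for peers A and B; returns (wire view, key_a, key_b)."""
    a_pub = make_public(a_priv)
    b_pub = make_public(b_priv)
    on_the_wire = (P, G, a_pub, b_pub)   # everything an eavesdropper can observe
    key_a = derive_key(shared_secret(b_pub, a_priv))
    key_b = derive_key(shared_secret(a_pub, b_priv))
    return on_the_wire, key_a, key_b


if __name__ == "__main__":
    wire, ka, kb = exchange(make_private(), make_private())
    print("peers agree on the key:", ka == kb)
```

The private exponents are never part of the wire view, which is why an observer holding only P, G and the two public values cannot recompute the key.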