Module 18: VPNs - Coggle Diagram
VPN Topologies
Site-to-Site
A site-to-site VPN is created when VPN terminating devices, also called VPN gateways, are preconfigured with information to establish a secure tunnel. VPN traffic is only encrypted between these devices. Internal hosts have no knowledge that a VPN is being used.
Remote-Access VPNs
A remote-access VPN is dynamically created to establish a secure connection between a client and a VPN terminating device. For example, a remote-access SSL VPN is used when you check your banking information online.
Remote-access VPNs are typically enabled dynamically by the user when required. Remote-access VPNs can be created using either IPsec or SSL. As shown in the figure, a remote user must initiate a remote-access VPN connection.
VPN Technologies
IPsec
IPsec works at Layer 3, the network layer of the OSI model, directly on top of IP.
SSL
SSL operates at Layer 7, the application layer of the OSI model; it encrypts HTTP traffic, not IP packets.
VPN
To secure network traffic between sites and users, organizations use virtual private networks (VPNs) to create end-to-end private network connections. A VPN is virtual in that it carries information within a private network, but that information is actually transported over a public network. A VPN is private in that the traffic is encrypted to keep the data confidential while it is transported across the public network.
The first types of VPNs were strictly IP tunnels that did not include authentication or encryption of the data. For example, Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco and which does not include encryption services. It is used to encapsulate IPv4 and IPv6 traffic inside an IP tunnel to create a virtual point-to-point link.
VPN Benefits
Cost Savings
With the advent of cost-effective, high-bandwidth technologies, organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth.
Security
VPNs provide the highest level of security available, by using advanced encryption and authentication protocols that protect data from unauthorized access.
Scalability
VPNs allow organizations to use the internet, making it easy to add new users without adding significant infrastructure.
Compatibility
VPNs can be implemented across a wide variety of WAN link options including all the popular broadband technologies. Remote workers can take advantage of these high-speed connections to gain secure access to their corporate networks.
IPsec Protocols
The two main IPsec protocols are Authentication Header (AH) and Encapsulating Security Payload (ESP). The IPsec protocol is the first building block of the framework. The choice of AH or ESP establishes which other building blocks are available.
AH uses IP protocol 51 and is appropriate only when confidentiality is not required or permitted. It provides data authentication and integrity, but it does not provide data confidentiality (encryption). All data is transported in clear text.
The AH function is applied to the entire packet, except for any IP header fields that normally change in transit. Fields that normally change during transit are called mutable fields. For example, the Time to Live (TTL) field is considered mutable because routers modify this field.
ESP uses IP protocol 50 and provides both confidentiality and authentication. It provides confidentiality by performing encryption on the IP packet. ESP provides authentication for the inner IP packet and ESP header. Authentication provides data origin authentication and data integrity. Although both encryption and authentication are optional in ESP, at a minimum, one of them must be selected.
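To make the AH mutable-field rule and the AH/ESP protocol numbers concrete, here is an added Python model that is not part of these notes and is a simplification rather than a byte-exact RFC 4302 implementation: it labels IPv4 packets by protocol number 50 or 51 and computes an AH-style integrity check value (ICV) with the mutable IPv4 fields zeroed, so a TTL decrement in transit still verifies while a rewritten destination address does not. The key, addresses and payload are constructed values.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTO, ESP_PROTO = 51, 50   # IP protocol numbers used by AH and ESP
# IPv4 header fields AH treats as mutable (offset, length): TOS/DSCP, flags+fragment
# offset, TTL, and header checksum. They are zeroed before the ICV is computed.
MUTABLE_FIELDS = [(1, 1), (6, 2), (8, 1), (10, 2)]

def classify(packet: bytes) -> str:
    """Label an IPv4 packet as AH, ESP or other from its Protocol field (byte 9)."""
    return {AH_PROTO: "AH", ESP_PROTO: "ESP"}.get(packet[9], "other")

def ipv4_header(src: str, dst: str, proto: int, ttl: int, total_len: int) -> bytes:
    """Constructed 20-byte IPv4 header with no options (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(ip_header: bytes) -> bytes:
    hdr = bytearray(ip_header)
    for off, ln in MUTABLE_FIELDS:
        hdr[off:off + ln] = b"\x00" * ln
    return bytes(hdr)

def ah_icv(key: bytes, ip_header: bytes, payload: bytes) -> bytes:
    """Simplified AH ICV: HMAC-SHA256 over the packet with mutable fields zeroed,
    truncated to 128 bits. The AH header itself is omitted from the input here."""
    return hmac.new(key, zero_mutable(ip_header) + payload, hashlib.sha256).digest()[:16]

def ah_verify(key: bytes, ip_header: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(key, ip_header, payload), icv)

def demo() -> tuple:
    key = b"constructed-demo-key"          # in IPsec this comes from the IKE-negotiated SA
    payload = b"hello from host A"
    hdr = ipv4_header("10.0.0.1", "10.0.0.2", AH_PROTO, 64, 20 + len(payload))
    icv = ah_icv(key, hdr, payload)
    # A router decrements TTL (mutable): the receiver still verifies the ICV.
    hopped = bytearray(hdr)
    hopped[8] = 63
    ttl_ok = ah_verify(key, bytes(hopped), payload, icv)
    # Rewriting the destination address (immutable, as NAT does) breaks verification.
    natted = bytearray(hdr)
    natted[16:20] = socket.inet_aton("192.0.2.9")
    nat_ok = ah_verify(key, bytes(natted), payload, icv)
    return ttl_ok, nat_ok
```

`demo()` returns `(True, False)`, which is the behaviour that makes AH unsuitable behind address-rewriting devices even though it tolerates ordinary hop-by-hop TTL changes.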
IPsec Overview
IPsec is an IETF standard (RFC 2401-2412) that defines how a VPN can be secured across IP networks. IPsec protects and authenticates IP packets between source and destination. IPsec can protect traffic from Layer 4 through Layer 7.
Using the IPsec framework, IPsec provides these essential security functions:
Confidentiality - IPsec uses encryption algorithms to prevent cybercriminals from reading the packet contents.
Integrity - IPsec uses hashing algorithms to ensure that packets have not been altered between source and destination.
Origin authentication - IPsec uses the Internet Key Exchange (IKE) protocol to authenticate source and destination. Methods of authentication include the use of pre-shared keys (passwords), digital certificates, or RSA certificates.
IPsec is not bound to any specific rules for secure communications. This flexibility of the framework allows IPsec to easily integrate new security technologies without updating the existing IPsec standards. The currently available technologies are aligned to their specific security function. The open slots shown in the IPsec framework in the figure can be filled with any of the choices that are available for that IPsec function to create a unique security association (SA).
Internet Key Exchange
The Internet Key Exchange (IKE) protocol is a key management protocol standard. IKE is used in conjunction with the IPsec standard. As shown in the figure, IKE automatically negotiates IPsec security associations and enables IPsec secure communications. IKE enhances IPsec by adding features and simplifying configuration of the IPsec standard. Without IKE in place, IPsec configuration would be a complex, manual process that would not scale well.