VPNs
VPN Overview
Virtual Private Networks
VPN Benefits
To secure network traffic between sites and users, organizations use virtual private networks (VPNs) to create end-to-end private network connections. A VPN is virtual in that it carries information within a private network, but that information is actually transported over a public network. A VPN is private in that the traffic is encrypted to keep the data confidential while it is transported across the public network.
The figure shows a collection of various types of VPNs managed by an enterprise’s main site. The tunnel enables remote sites and users to access the main site’s network resources securely.
Modern VPNs now support encryption features, such as Internet Protocol Security (IPsec) and Secure Sockets Layer (SSL) to secure network traffic between sites.
VPN Topologies
Site to Site
A site-to-site VPN is created when VPN terminating devices, also called VPN gateways, are preconfigured with information to establish a secure tunnel. VPN traffic is only encrypted between these devices. Internal hosts have no knowledge that a VPN is being used.
Remote Access
VPNs have become the logical solution for remote-access connectivity for many reasons. As shown in the figure, remote-access VPNs let remote and mobile users securely connect to the enterprise by creating an encrypted tunnel. Remote users can securely replicate their enterprise security access including email and network applications. Remote-access VPNs also allow contractors and partners to have limited access to the specific servers, web pages, or files as required. This means that these users can contribute to business productivity without compromising network security.
SSL VPNs
When a client negotiates an SSL VPN connection with the VPN gateway, it actually connects using Transport Layer Security (TLS). TLS is the newer version of SSL and is sometimes expressed as SSL/TLS. However, both terms are often used interchangeably.
SSL uses the public key infrastructure and digital certificates to authenticate peers. Both IPsec and SSL VPN technologies offer access to virtually any network application or resource. However, when security is an issue, IPsec is the superior choice. If support and ease of deployment are the primary issues, consider SSL. The type of VPN method implemented is based on the access requirements of the users and the organization’s IT processes. The table compares IPsec and SSL remote access deployments.
IPsec Overview
Technologies
IPsec is an IETF standard (RFC 2401-2412) that defines how a VPN can be secured across IP networks. IPsec protects and authenticates IP packets between source and destination. IPsec can protect traffic from Layer 4 through Layer 7.
Using the IPsec framework, IPsec provides these essential security functions:
Confidentiality - IPsec uses encryption algorithms to prevent cybercriminals from reading the packet contents.
Integrity - IPsec uses hashing algorithms to ensure that packets have not been altered between source and destination.
Origin authentication - IPsec uses the Internet Key Exchange (IKE) protocol to authenticate source and destination. Methods of authentication include the use of pre-shared keys (passwords), digital certificates, or RSA certificates.
Diffie-Hellman - Secure key exchange typically using various groups of the DH algorithm.
Confidentiality
Confidentiality is achieved by encrypting the data, as shown in the figure. The degree of confidentiality depends on the encryption algorithm and the length of the key used in the encryption algorithm. If someone tries to hack the key through a brute-force attack, the number of possibilities to try is a function of the length of the key. The time to process all the possibilities is a function of the computer power of the attacking device. The shorter the key, the easier it is to break. A 64-bit key can take approximately one year to break with a relatively sophisticated computer. A 128-bit key with the same machine can take roughly 1019 or 10 quintillion years to decrypt.
Authentication
When conducting business long distance, you must know who is at the other end of the phone, email, or fax. The same is true of VPN networks. The device on the other end of the VPN tunnel must be authenticated before the communication path is considered secure. The figure highlights the two peer authentication methods.
Protocols
Transport and Tunnel Modes
IPsec Protocol Overview
The two main IPsec protocols are Authentication Header (AH) and Encapsulation Security Protocol (ESP). The IPsec protocol is the first building block of the framework. The choice of AH or ESP establishes which other building blocks are available.
AH uses IP protocol 51 and is appropriate only when confidentiality is not required or permitted. It provides data authentication and integrity, but it does not provide data confidentiality (encryption). All text is transported unencrypted.
ESP uses IP protocol 50 and provides both confidentiality and authentication. It provides confidentiality by performing encryption on the IP packet. ESP provides authentication for the inner IP packet and ESP header. Authentication provides data origin authentication and data integrity. Although both encryption and authentication are optional in ESP, at a minimum, one of them must be selected.
Encapsulation
If ESP is selected as the IPsec protocol, an encryption algorithm must also be selected. Cisco products support 3DES, AES, and SEAL. However, 3DES should be avoided. If 3DES must be implemented, then configure short key lifetimes.
ESP can also provide integrity and authentication. First, the payload is encrypted. Next, the encrypted payload is sent through a hash algorithm, such as SHA-256 or higher. The hash provides authentication and data integrity for the data payload. Note that MD5 and SHA-1 should be avoided.
Optionally, ESP can also enforce anti-replay protection. Anti-replay protection verifies that each packet is unique and is not duplicated. This protection ensures that a hacker cannot intercept packets and insert changed packets into the data stream. Anti-replay works by keeping track of packet sequence numbers and using a sliding window on the destination end.
When a connection is established between a source and destination, their counters are initialized at zero. Each time a packet is sent, a sequence number is appended to the packet by the source. The destination uses the sliding window to determine which sequence numbers are expected. The destination verifies that the sequence number of the packet is not duplicated and is received in the correct order.
ESP and AH can be applied to IP packets in two different modes, transport mode and tunnel mode, as shown in the figure below.