Module 8: VPN and IPsec Concepts - Coggle Diagram
8.1 VPN Technology
8.1.1 Virtual Private Networks
To secure network traffic between sites and users, organizations use virtual private networks (VPNs) to create end-to-end private network connections.
A VPN is private in that the traffic is encrypted to keep the data confidential while it is transported across the public network.
8.1.2 VPN Benefits
Modern VPNs support encryption through Internet Protocol Security (IPsec) and Secure Sockets Layer (SSL) VPNs to secure network traffic between sites and users.
8.1.4 Enterprise and Service Provider VPNs
There are many options available to secure enterprise traffic. These solutions vary depending on who is managing the VPN.
Enterprise VPNs
- Enterprise-managed VPNs are a common solution for securing enterprise traffic across the internet. Site-to-site and remote access VPNs are created and managed by the enterprise using both IPsec and SSL VPNs.
Service Provider VPNs
- Service provider-managed VPNs are created and managed over the provider network. The provider uses Multiprotocol Label Switching (MPLS) at Layer 2 or Layer 3 to create secure channels between an enterprise’s sites. MPLS is a routing technology the provider uses to create virtual paths between sites.
8.2 Types of VPNs
8.2.1 Remote-Access VPNs
VPNs have become the logical solution for remote-access connectivity for many reasons.
Remote-access VPNs let remote and mobile users securely connect to the enterprise by creating an encrypted tunnel. Remote users can securely replicate their enterprise security access including email and network applications.
Remote-access VPNs are typically enabled dynamically by the user when required. Remote-access VPNs can be created using either IPsec or SSL.
Remote-access VPNs also allow contractors and partners to have limited access to the specific servers, web pages, or files as required.
8.2.2 SSL VPNs
When a client negotiates an SSL VPN connection with the VPN gateway, it actually connects using Transport Layer Security (TLS). TLS is the successor to SSL, and the pair is often written as SSL/TLS.
SSL uses public key infrastructure (PKI) and digital certificates to authenticate the peers. Both IPsec and SSL VPN technologies offer access to virtually any network application or resource. However, when security is the primary concern, IPsec is the superior choice. If support and ease of deployment are the main concerns, consider SSL.
It is important to understand that IPsec and SSL VPNs are not mutually exclusive. Instead, they are complementary; the two technologies solve different problems, and an organization may implement IPsec, SSL, or both.
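The TLS and certificate points above, as an added example that is not part of the original module: a Python client context in which the gateway certificate is not checked (the common "ignore the certificate" shortcut, constructed here for contrast) beside one that refuses SSLv3/TLS 1.0/1.1 and authenticates the gateway through PKI, plus a small audit that reports which protections a context is missing. The ca_bundle, client_cert and client_key file paths are hypothetical parameters a caller would supply; nothing on the page names them.

```python
import ssl


def weak_client_context() -> ssl.SSLContext:
    """Constructed 'ignore the certificate' client: removes the PKI peer authentication
    that SSL VPNs rely on, so any gateway (including a man-in-the-middle) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # gateway certificate is no longer validated at all
    return ctx


def hardened_client_context(ca_bundle=None, client_cert=None, client_key=None) -> ssl.SSLContext:
    """TLS-only client that authenticates the gateway through its certificate chain.
    ca_bundle / client_cert / client_key are hypothetical paths supplied by the caller."""
    ctx = ssl.create_default_context()             # CERT_REQUIRED, check_hostname=True, system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSLv3, TLS 1.0 and TLS 1.1 are refused outright
    ctx.options |= ssl.OP_NO_COMPRESSION           # TLS-level compression stays off
    if ca_bundle:
        # Trust only the enterprise CA that issued the gateway certificate.
        ctx.load_verify_locations(cafile=ca_bundle)
    if client_cert:
        # Client certificate for mutual authentication (remote-access user certificates).
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the protections a client context lacks; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: gateway certificate is not authenticated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched against the gateway name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: legacy SSL/TLS versions can be negotiated")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is enabled")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["no findings"])
```

Point the hardened context at the VPN gateway with `ctx.wrap_socket(sock, server_hostname="vpn.example.com")`; the hostname argument is what `check_hostname` compares against the certificate, so omitting it reintroduces the weakness the audit flags.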
8.2.4 GRE over IPsec
Generic Routing Encapsulation (GRE) is a non-secure site-to-site VPN tunneling protocol.
It can encapsulate various network layer protocols. It also supports multicast and broadcast traffic, which may be necessary if the organization requires routing protocols to operate over a VPN. However, GRE does not support encryption by default, and therefore it does not provide a secure VPN tunnel.
A standard IPsec VPN (non-GRE) can only create secure tunnels for unicast traffic.
To solve this problem, we can encapsulate routing protocol traffic using a GRE packet, and then encapsulate the GRE packet into an IPsec packet to forward it securely to the destination VPN gateway.
The terms used to describe the encapsulation of a GRE over IPsec tunnel are:
Passenger protocol:
This is the original protocol that is encapsulated, such as a routing protocol.
Carrier protocol:
This is the protocol used to encapsulate the passenger protocol, in this case, GRE.
Transport protocol:
This is the protocol that actually transports everything, in this case, IPsec.
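The passenger/carrier layering described above, as an added example that is not part of the original module: Python code that builds an OSPF Hello (the passenger protocol, addressed to the multicast group 224.0.0.5), wraps it in a minimal RFC 2784 GRE header (the carrier protocol) and a unicast IPv4 delivery header between the two tunnel endpoints, then parses the stack back out. The result shows why GRE solves the problem stated on the page: the multicast routing-protocol packet travels as an ordinary unicast packet between the gateways, which is what a unicast-only IPsec tunnel can then protect. The addresses, router ID and Hello contents are constructed; the IPsec (transport protocol) step itself is not implemented here, and GRE packets with optional checksum/key/sequence fields are rejected rather than parsed.

```python
import socket
import struct

IPPROTO_GRE = 47
IPPROTO_OSPF = 89
GRE_PROTO_IPV4 = 0x0800            # GRE protocol type announcing an IPv4 passenger
OSPF_ALL_SPF_ROUTERS = "224.0.0.5"  # multicast destination of OSPF Hellos


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum field is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes):
    """Return (header fields, payload); a corrupted or non-IPv4 header raises ValueError."""
    vihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    fields = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto, "ttl": ttl}
    return fields, pkt[ihl:total_len]


def is_multicast(addr: str) -> bool:
    return 224 <= int(addr.split(".")[0]) <= 239


def ospf_hello(router_id: str) -> bytes:
    """Constructed OSPFv2 Hello: 24-byte header (version 2, type 1) plus a minimal 20-byte body."""
    body = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.0"), 10, 0x02, 1, 40,
                       socket.inet_aton("0.0.0.0"), socket.inet_aton("0.0.0.0"))
    header = struct.pack("!BBH4s4sHHQ", 2, 1, 24 + len(body), socket.inet_aton(router_id),
                         socket.inet_aton("0.0.0.0"), 0, 0, 0)
    return header + body


def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Carrier protocol: 4-byte GRE header (no flags, version 0) inside a unicast IPv4 header."""
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4) + passenger
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre)) + gre


def gre_decapsulate(pkt: bytes):
    """Strip the delivery IPv4 and GRE headers; return (outer fields, passenger packet)."""
    outer, payload = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("delivery header does not carry GRE")
    flags_ver, proto = struct.unpack("!HH", payload[:4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version")
    if flags_ver & 0xFFF8:  # C/K/S optional fields or reserved bits set: not handled here
        raise ValueError("GRE optional fields not supported")
    if proto != GRE_PROTO_IPV4:
        raise ValueError("unexpected passenger protocol type 0x%04x" % proto)
    return outer, payload[4:]


def build_example() -> bytes:
    """Constructed packet: Hello from R1's tunnel address 10.1.1.1 to AllSPFRouters,
    carried in GRE between the public tunnel endpoints 203.0.113.1 and 198.51.100.1."""
    hello = ospf_hello("1.1.1.1")
    inner = ipv4_header("10.1.1.1", OSPF_ALL_SPF_ROUTERS, IPPROTO_OSPF, len(hello), ttl=1) + hello
    return gre_encapsulate(inner, "203.0.113.1", "198.51.100.1")


def protocol_chain(pkt: bytes) -> list:
    """Describe the stack in the module's passenger/carrier terms."""
    outer, inner_pkt = gre_decapsulate(pkt)
    inner, _ = parse_ipv4(inner_pkt)
    return [
        "delivery: IPv4 %s -> %s, proto %d (GRE), unicast" % (outer["src"], outer["dst"], outer["proto"]),
        "carrier: GRE, protocol type 0x%04x (IPv4)" % GRE_PROTO_IPV4,
        "passenger: IPv4 %s -> %s, proto %d (OSPF), multicast" % (inner["src"], inner["dst"], inner["proto"]),
    ]


if __name__ == "__main__":
    for layer in protocol_chain(build_example()):
        print(layer)
```

Everything from the GRE header inward in the packet `build_example()` returns is what the IPsec transport step then encrypts and authenticates between 203.0.113.1 and 198.51.100.1; the two gateways only ever exchange unicast IPsec traffic, while the OSPF neighbours inside the tunnel still see their multicast Hellos.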
8.2.3 Site-to-Site IPsec VPNs
Site-to-site VPNs are used to connect networks across another untrusted network such as the internet. In a site-to-site VPN, end hosts send and receive normal unencrypted TCP/IP traffic through a VPN terminating device. The VPN terminating device is typically called a VPN gateway.
A VPN gateway device can be a router or a firewall.
The VPN gateway encapsulates and encrypts outbound traffic, sending it through a VPN tunnel over the internet to the target site's VPN gateway. The receiving gateway decrypts the traffic and forwards it to the destination host within its private network.
Site-to-site VPNs are typically created and secured using IP security (IPsec).
8.3 IPsec
IPsec Technologies
IPsec is an IETF standard (originally RFC 2401-2412; the architecture is now specified by RFC 4301 and its companion documents) that defines how a VPN can be secured across IP networks. IPsec protects and authenticates IP packets between source and destination. Because it operates at the IP layer, IPsec can protect the traffic of Layer 4 through Layer 7 without changes to the applications.
IPsec framework:
- IPsec Protocol
- Confidentiality
- Integrity
- Authentication
- Diffie-Hellman
Further 8.3 topics:
- IPsec Protocol Encapsulation
- Confidentiality
- Integrity
- Authentication (PSK Authentication, RSA Authentication)
- Secure Key Exchange with Diffie-Hellman
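The "Secure Key Exchange with Diffie-Hellman" and "PSK Authentication" headings above carry no text on this page; the following added example (not part of the original module) shows the two ideas together in working Python: two peers agree on a shared secret over the RFC 3526 group 14 modulus (the 2048-bit MODP group IKE calls DH group 14), derive a key from it, and then authenticate the exchange by proving knowledge of a pre-shared key over the whole transcript. The identities and PSKs are constructed, the key derivation is a simplified SHA-256 PRF rather than IKE's exact key schedule, and the messages are not in IKE wire format. The shared_secret() check rejects degenerate public values (0, 1, P-1 and anything outside the prime-order subgroup) that would let an attacker force a predictable secret.

```python
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (IKE "DH group 14"): 2048-bit MODP prime, generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
Q = (P - 1) // 2     # P is a safe prime, so G generates a subgroup of prime order Q
KEY_BYTES = 256      # size of a group 14 public value on the wire


class Peer:
    """One IKE-like peer: identity, pre-shared key and a fresh DH private/public pair."""

    def __init__(self, identity: bytes, psk: bytes):
        self.identity = identity
        self.psk = psk
        self.private = secrets.randbelow(Q - 2) + 2   # uniform in [2, Q-1], never reused
        self.public = pow(G, self.private, P)
        self.nonce = secrets.token_bytes(32)

    def shared_secret(self, peer_public: int) -> int:
        # Reject 0, 1, P-1 and any value outside the order-Q subgroup (small-subgroup defence).
        if not 2 <= peer_public <= P - 2 or pow(peer_public, Q, P) != 1:
            raise ValueError("invalid DH public value")
        return pow(peer_public, self.private, P)


def transcript(init: Peer, resp: Peer) -> bytes:
    """Everything that crosses the wire in the clear: identities, nonces, public values."""
    return (init.identity + resp.identity + init.nonce + resp.nonce
            + init.public.to_bytes(KEY_BYTES, "big") + resp.public.to_bytes(KEY_BYTES, "big"))


def derive_key(shared: int, ctx: bytes) -> bytes:
    """Simplified PRF: SHA-256 over the shared secret and the transcript (not IKE's key schedule)."""
    return hashlib.sha256(shared.to_bytes(KEY_BYTES, "big") + ctx).digest()


def auth_tag(psk: bytes, ctx: bytes, role: bytes) -> bytes:
    """PSK authentication: an HMAC over the transcript that only a holder of the PSK can produce."""
    return hmac.new(psk, role + ctx, hashlib.sha256).digest()


def run_exchange(init: Peer, resp: Peer) -> dict:
    """DH exchange (public values and nonces in the clear) followed by PSK authentication."""
    ctx = transcript(init, resp)
    # Each side derives the session key from the other side's public value and its own private value.
    k_init = derive_key(init.shared_secret(resp.public), ctx)
    k_resp = derive_key(resp.shared_secret(init.public), ctx)
    # Each side sends a tag computed with the PSK it holds ...
    tag_init = auth_tag(init.psk, ctx, b"I")
    tag_resp = auth_tag(resp.psk, ctx, b"R")
    # ... and verifies the other side's tag with its own PSK, in constant time.
    init_ok = hmac.compare_digest(tag_resp, auth_tag(init.psk, ctx, b"R"))
    resp_ok = hmac.compare_digest(tag_init, auth_tag(resp.psk, ctx, b"I"))
    return {"keys_match": k_init == k_resp, "authenticated": init_ok and resp_ok, "key": k_init}


if __name__ == "__main__":
    hq = Peer(b"hq.example", b"constructed-psk")
    branch = Peer(b"branch.example", b"constructed-psk")
    print(run_exchange(hq, branch)["authenticated"])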