Please enable JavaScript.

Coggle requires JavaScript to display documents.

VPN and IPsec Concepts, Site-to-Site and Remote-Access VPNs, Enterprise…

- - - - VPNs provide the highest level of security available, by using advanced encryption and authentication protocols that protect data from unauthorized access.
    - - VPNs allow organizations to use the internet, making it easy to add new users without adding significant infrastructure.
    - - VPNs can be implemented across a wide variety of WAN link options including all the popular broadband technologies. Remote workers can take advantage of these high-speed connections to gain secure access to their corporate networks.
    - - With the advent of cost-effective, high-bandwidth technologies, organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth.
- - - - IPsec: Extensive - All IP-based applications are supported.
      - SSL: Limited - Only web-based applications and file sharing are supported.
    - - IPsec: Strong - Uses two-way authentication with shared keys or digital certificates.
      - SSL: Moderate - Using one-way or two-way authentication.
    - - IPsec: Strong - Uses key lengths from 56 bits to 256 bits.
      - SSL: Moderate to strong - With key lengths from 40 bits to 256 bits.
    - - IPsec: Medium - Because it requires a VPN client pre- installed on a host.
      - SSL: Low - It only requires a web browser on a host.
    - - IPsec: Limited - Only specific devices with specific configurations can connect.
      - SSL: Extensive - Any device with a web browser can connect.
  - - - The service provider participates in customer routing by establishing a peering between the customer’s routers and the provider’s routers. Then customer routes that are received by the provider’s router are then redistributed through the MPLS network to the customer’s remote locations.
    - - The service provider is not involved in the customer routing. Instead, the provider deploys a Virtual Private LAN Service (VPLS) to emulate an Ethernet multiaccess LAN segment over the MPLS network. No routing is involved. The customer’s routers effectively belong to the same multiaccess network.
- - - - Essential security functions
        
        Integrity: IPsec uses hashing algorithms to ensure that packets have not been altered between source and destination.
        
        Origin authentication: IPsec uses the Internet Key Exchange (IKE) protocol to authenticate source and destination. Methods of authentication including using pre-shared keys (passwords), digital certificates, or RSA certificates.
        
        Diffie-Hellman: Secure key exchange typically using various groups of the DH algorithm.
        
        Confidentiality: IPsec uses encryption algorithms to prevent cybercriminals from reading the packet contents.
  - - - DH groups
        
        DH groups 1, 2, and 5 should no longer be used. These groups support a key size of 768 bits, 1024 bits, and 1536 bits, respectively.
        
        DH groups 14, 15, and 16 use larger key sizes with 2048 bits, 3072 bits, and 4096 bits, respectively, and are recommended for use until 2030.
        
        DH groups 19, 20, 21 and 24 with respective key sizes of 256 bits, 384 bits, 521 bits, and 2048 bits support Elliptical Curve Cryptography (ECC), which reduces the time needed to generate keys. DH group 24 is the preferred next generation encryption.