Module 18: VPNs - Coggle Diagram
18.1 VPN Overview
18.1.2 VPN Benefits
Modern VPNs now support encryption features, such as Internet Protocol Security (IPsec) and Secure Sockets Layer (SSL), to secure network traffic between sites. Major benefits of VPNs are shown in the table.
18.2 VPN Topologies
18.2.3 SSL VPNs
When a client connects to an SSL VPN, it uses Transport Layer Security (TLS), a newer version of SSL, with both terms often used interchangeably. SSL uses public key infrastructure and digital certificates for authentication. While both IPsec and SSL provide access to network resources, IPsec is more secure, and SSL is easier to deploy and support. The choice depends on user access needs and organizational IT processes. A table compares the two methods.
IPsec and SSL VPNs are complementary, not exclusive. Each addresses different needs, and organizations can implement one or both based on the requirements of their remote users.
18.3 IPsec Overview
18.3.4 Confidentiality
Confidentiality in IPsec is achieved through encryption, with the strength depending on the encryption algorithm and key length. The longer the key, the harder it is to break. For example, a 64-bit key can be cracked in about a year with a powerful computer, while a 128-bit key would take around 10 quintillion years to decrypt with the same machine. The time to break the encryption also depends on the attacking device's processing power.
The encryption algorithms highlighted in the figure are all symmetric key cryptosystems.
- DES uses a 56-bit key and should be avoided.
- 3DES is a variant of the 56-bit DES. It uses three independent 56-bit encryption keys per 64-bit block, which provides significantly stronger encryption strength over DES. 3DES is computationally taxing and is no longer considered to be secure.
- AES is the most recommended symmetric encryption algorithm. It provides stronger security than DES and is computationally more efficient than 3DES. AES offers three different key lengths: 128 bits, 192 bits, and 256 bits.
- SEAL is a stream cipher, which means it encrypts data continuously rather than encrypting blocks of data. SEAL uses a 160-bit key and is considered to be very secure.
18.3.5 Integrity
Data integrity ensures that the received data is identical to what was sent, preventing interception and modification. For example, if a check for $100 made out to Alex is intercepted and altered to $1,000 made out to Jeremy, the attacker could potentially cash the forged check. The integrity check would detect such alterations and prevent the fraud.
Because VPN data is transported over the public internet, a method of proving data integrity is required to guarantee that the content has not been altered. A hashing algorithm guarantees the integrity of the message using a hash value. The figure highlights the two most common hashing algorithms.
- Message-Digest 5 (MD5) uses a 128-bit shared-secret key. The variable-length message and the 128-bit shared secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash. MD5 is no longer secure and should be avoided.
- The Secure Hash Algorithm (SHA) uses a 160-bit secret key. The variable-length message and the 160-bit shared secret key are combined and run through the HMAC-SHA-1 algorithm. The output is a 160-bit hash. SHA-256 or higher is considered secure.
18.3.6 Authentication
When conducting business long distance, you must know who is at the other end of the phone, email, or fax. The same is true of VPN networks. The device on the other end of the VPN tunnel must be authenticated before the communication path is considered secure. The figure highlights the two peer authentication methods.
- A pre-shared secret key (PSK) value is entered into each peer manually. The PSK is combined with other information to form the authentication key. PSKs are easy to configure manually, but do not scale well, because each IPsec peer must be configured with the PSK of every other peer with which it communicates.
- Rivest, Shamir, and Adleman (RSA) authentication uses digital certificates to authenticate the peers. The local device derives a hash and encrypts it with its private key. The encrypted hash is attached to the message, forwarded to the remote end, and acts as a signature. At the remote end, the encrypted hash is decrypted using the public key of the local end. If the decrypted hash matches the recomputed hash, the signature is genuine. Each peer must authenticate its opposite peer before the tunnel is considered secure.
PSK Authentication
In PSK authentication, the local device creates a hash (Hash_L) by applying the authentication key and identity information to a hash algorithm. This hash is sent to the remote device for one-way authentication. If the remote device can generate the same hash, the local device is authenticated. Then the process reverses, with the remote device authenticating the local device, and the steps are repeated in the opposite direction.
RSA Authentication
In RSA authentication, the local device creates a hash (Hash_L), encrypts it with its private key to form a digital signature, and sends it with a digital certificate to the remote device. The remote device decrypts the signature using the public key, then checks whether the decrypted hash matches its own computed hash. If they match, the local device is authenticated, and the process repeats in the opposite direction for the remote device.
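The integrity check of 18.3.5 and the PSK peer authentication of 18.3.6, as an added Python example that is not part of the Cisco module: HMAC-SHA-256 from the standard library stands in for the HMAC-SHA family, the `Peer` class, identities, keys and the session nonce are constructed here, and the exchange is a simplified model of the Hash_L check described above, not the actual IKE protocol.

```python
import hashlib
import hmac

def hmac_tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA-256 over data: the keyed hash the module calls an integrity check."""
    return hmac.new(key, data, hashlib.sha256).digest()

def verify(key: bytes, data: bytes, tag: bytes) -> bool:
    """Receiver recomputes the tag; compare_digest avoids timing side channels."""
    return hmac.compare_digest(hmac_tag(key, data), tag)

# Constructed demo key; a real IPsec integrity key is derived during the IKE exchange.
DEMO_KEY = bytes(range(32))

def integrity_demo() -> tuple[bool, bool]:
    """18.3.5: the $100 check, then the same tag presented with an altered payload."""
    original = b"PAY $100 TO Alex"
    tag = hmac_tag(DEMO_KEY, original)                       # attached by the sender
    genuine = verify(DEMO_KEY, original, tag)                # unmodified in transit
    forged = verify(DEMO_KEY, b"PAY $1000 TO Jeremy", tag)   # altered payload, old tag
    return genuine, forged

class Peer:
    """One tunnel endpoint holding a PSK (hypothetical class, not a real IKE peer)."""
    def __init__(self, identity: str, psk: bytes):
        self.identity = identity.encode()
        self.psk = psk

    def prove(self, nonce: bytes) -> bytes:
        """Hash_L in the text: authentication key and identity info through the hash."""
        return hmac_tag(self.psk, self.identity + nonce)

    def check(self, peer_id: bytes, nonce: bytes, received: bytes) -> bool:
        """Recompute with our own PSK copy; a match shows the peer holds the same PSK."""
        return hmac.compare_digest(hmac_tag(self.psk, peer_id + nonce), received)

def psk_mutual_auth(local: Peer, remote: Peer, nonce: bytes) -> bool:
    """18.3.6: one-way authentication, then the steps repeat in the opposite direction."""
    remote_accepts_local = remote.check(local.identity, nonce, local.prove(nonce))
    local_accepts_remote = local.check(remote.identity, nonce, remote.prove(nonce))
    return remote_accepts_local and local_accepts_remote

def auth_demo() -> tuple[bool, bool]:
    # Constructed PSKs; the nonce is added here for replay resistance, not from the module.
    nonce = b"session-nonce-0001"
    r1 = Peer("R1", b"correct-horse-battery-staple")
    r2_good = Peer("R2", b"correct-horse-battery-staple")
    r2_typo = Peer("R2", b"correct-horse-battery-stapel")   # PSK mistyped on one peer
    return psk_mutual_auth(r1, r2_good, nonce), psk_mutual_auth(r1, r2_typo, nonce)
```

A tunnel whose peers were configured with different PSKs fails in both directions, which is the symptom an operator sees when a manually entered PSK does not match.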