Module 8. VPN and IPsec Concepts - Coggle Diagram
Module 8. VPN and IPsec Concepts
8.1. VPN Technology
8.1.1 Virtual Private Networks
Organizations use VPNs (Virtual Private Networks) to secure network traffic and create private, end-to-end connections. VPNs are virtual because data travels over a public network, but private because traffic is encrypted for confidentiality. The figure shows various VPN types managed by an enterprise's main site, where the tunnel allows remote users to securely access its network resources.
8.1.2 VPN Benefits
Modern VPNs support encryption features like Internet Protocol Security (IPsec) and Secure Sockets Layer (SSL) VPNs to secure network traffic between sites.
8.1.3 Site-to-Site and Remote-Access VPNs
A site-to-site VPN is created when VPN terminating devices, also called VPN gateways, are preconfigured with information to establish a secure tunnel. VPN traffic is only encrypted between these devices. Internal hosts have no knowledge that a VPN is being used.
8.1.4 Enterprise and Service Provider VPNs
Enterprise VPNs - Enterprise-managed VPNs are a common solution for securing enterprise traffic across the internet.
Service Provider VPNs - Service provider-managed VPNs are created and managed over the provider network. The provider uses Multiprotocol Label Switching (MPLS) at Layer 2 or Layer 3 to create secure channels between an enterprise’s sites.
8.2 Types of VPNs
8.2.1 Remote-Access VPNs
Remote-access VPNs allow remote and mobile users to securely connect to a company’s network through an encrypted tunnel, providing access to email, applications, and limited resources for contractors or partners without compromising security. Remote-access VPNs are user-activated, can use either IPsec or SSL, and can be established through clientless or client-based connections.
8.2.2 SSL VPNs
When a client negotiates an SSL VPN connection with the VPN gateway, it actually connects using Transport Layer Security (TLS). TLS is the newer version of SSL and is sometimes expressed as SSL/TLS. However, both terms are often used interchangeably.
8.2.3 Site-to-Site IPsec VPNs
Site-to-site VPNs are used to connect networks across another untrusted network such as the internet. In a site-to-site VPN, end hosts send and receive normal unencrypted TCP/IP traffic through a VPN terminating device.
8.2.4 GRE over IPsec
Generic Routing Encapsulation (GRE) is a non-secure site-to-site VPN tunneling protocol. It can encapsulate various network layer protocols. It also supports multicast and broadcast traffic, which may be necessary if the organization requires routing protocols to operate over a VPN. However, GRE does not support encryption by default, and therefore it does not provide a secure VPN tunnel on its own.
8.2.5 Dynamic Multipoint VPNs
Site-to-site IPsec VPNs and GRE over IPsec are adequate to use when there are only a few sites to securely interconnect. However, they are not sufficient when the enterprise adds many more sites. This is because each site would require static configurations to all other sites, or to a central site.
8.2.6 IPsec Virtual Tunnel Interface
Like DMVPNs, IPsec Virtual Tunnel Interface (VTI) simplifies the configuration process required to support multiple sites and remote access. IPsec VTI configurations are applied to a virtual interface instead of statically mapping the IPsec sessions to a physical interface.
8.2.7 Service Provider MPLS VPNs
Traditional service provider WAN solutions such as leased lines, Frame Relay, and ATM connections were inherently secure in their design. Today, service providers use MPLS in their core network. Traffic is forwarded through the MPLS backbone using labels that are previously distributed among the core routers. Like legacy WAN connections, traffic is secure because service provider customers cannot see each other’s traffic.
8.3 IPsec
8.3.2 IPsec Technologies
IPsec is an IETF standard (RFC 2401-2412) that defines how a VPN can be secured across IP networks. IPsec protects and authenticates IP packets between source and destination. IPsec can protect traffic from Layer 4 through Layer 7.
8.3.3 IPsec Protocol Encapsulation
Choosing the IPsec protocol encapsulation is the first building block of the framework. IPsec encapsulates packets using Authentication Header (AH) or Encapsulation Security Protocol (ESP). The choice of AH or ESP establishes which other building blocks are available.
8.3.4 Confidentiality
Confidentiality is achieved by encrypting the data, as shown in the figure. The degree of confidentiality depends on the encryption algorithm and the length of the key used in the encryption algorithm. If someone tries to recover the key through a brute-force attack, the number of possibilities to try is a function of the key length. The time to process all the possibilities is a function of the computing power of the attacking device. The shorter the key, the easier it is to break. A 64-bit key can take approximately one year to break with a relatively sophisticated computer. A 128-bit key with the same machine can take roughly 10^19 (10 quintillion) years to break.
8.3.5 Integrity
Data integrity means that the data that is received is exactly the same data that was sent. Potentially, data could be intercepted and modified.
8.3.6 Authentication
When conducting business long distance, you must know who is at the other end of the phone, email, or fax. The same is true of VPN networks. The device on the other end of the VPN tunnel must be authenticated before the communication path is considered secure. The figure highlights the two peer authentication methods.
8.3.7 Secure Key Exchange with Diffie-Hellman
Encryption algorithms require a symmetric, shared secret key to perform encryption and decryption. How do the encrypting and decrypting devices get the shared secret key? The easiest key exchange method is to use a public key exchange method, such as Diffie-Hellman (DH), as shown in the figure.
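The following added example (not from the module) ties 8.3.5 and 8.3.7 together: two VPN gateways run a Diffie-Hellman exchange so that only their public values cross the untrusted network, both derive the same symmetric key, and that key is then used to check the integrity of a constructed packet, so a modification in transit is detected. The DH parameters are toy values chosen so the numbers fit on a page; real IKE negotiations use the large MODP or elliptic-curve groups, and the packet contents, KDF and function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Toy DH group (constructed for this example): p = 2**255 - 19 is prime but
# is NOT one of the IKE DH groups. Real IPsec/IKE uses the RFC 3526 MODP groups
# or elliptic-curve groups; the arithmetic below is the same.
P = 2**255 - 19
G = 2

def dh_keypair():
    """Pick a private exponent x and publish g^x mod p."""
    private = secrets.randbelow(P - 2) + 1
    public = pow(G, private, P)
    return private, public

def dh_shared_secret(private, peer_public):
    """Each side raises the peer's public value to its own private exponent."""
    return pow(peer_public, private, P)

def derive_key(shared_secret):
    """Hash the DH secret into a fixed-length symmetric key (simple KDF, assumed)."""
    return hashlib.sha256(shared_secret.to_bytes(32, "big")).digest()

def integrity_tag(key, packet):
    """HMAC-SHA256 over the packet, the integrity building block of 8.3.5."""
    return hmac.new(key, packet, hashlib.sha256).digest()

def verify_tag(key, packet, tag):
    """Constant-time comparison so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(integrity_tag(key, packet), tag)

def run_exchange():
    # Gateway A and gateway B each generate a key pair; an observer on the
    # public network sees only a_pub and b_pub, never a_priv or b_priv.
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_a = derive_key(dh_shared_secret(a_priv, b_pub))
    key_b = derive_key(dh_shared_secret(b_priv, a_pub))
    # Constructed sample payload protected by gateway A and checked by gateway B.
    packet = b"constructed payload: 10.1.1.5 -> 10.2.2.9 TCP 443"
    tag = integrity_tag(key_a, packet)
    intact_ok = verify_tag(key_b, packet, tag)
    modified = packet.replace(b"10.2.2.9", b"10.9.9.9")
    modified_ok = verify_tag(key_b, modified, tag)
    return key_a == key_b, intact_ok, modified_ok

if __name__ == "__main__":
    print(run_exchange())  # same_key, intact_ok, modified_ok
```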