Module 8: VPN and IPsec Concepts
8.1. VPN Technology
8.1.1 Virtual Private Networks
A VPN (Virtual Private Network) provides a secure, logical connection (a tunnel) across an unsecured network, typically the public Internet.
It ensures confidentiality, integrity, and authenticity by using encryption and authentication protocols to protect the data transmitted over the tunnel.
8.1.2 VPN Benefits
Cost savings: VPNs use the existing, cheaper Internet infrastructure instead of expensive dedicated private links.
Security: data stays private because it is encrypted inside the tunnel, protecting it from interception or eavesdropping.
Scalability: it is easier and faster to add new users or remote sites to a VPN than to establish new dedicated physical connections.
8.1.3 Site-to-Site and Remote-Access VPNs
Site-to-Site VPNs connect entire networks (e.g., branch office to headquarters); the tunnel is built between two VPN gateways (typically routers or firewalls), so the end hosts need no VPN software and are unaware of the tunnel.
Remote-Access VPNs connect an individual remote user (e.g., a teleworker) to the corporate network, usually requiring VPN client software on the user's device.
8.1.4 Enterprise and Service Provider VPNs
Enterprise VPNs are built and managed by the organization itself, typically with IPsec or SSL/TLS, to connect its own remote sites and users.
Service Provider VPNs (often using technologies like MPLS) are offered as a service by carriers, creating private WANs over the provider's shared infrastructure.
8.2. Types of VPNs
8.2.1 Remote-Access VPNs
Designed to connect individual users (e.g., teleworkers, mobile users) securely to a private corporate network over the public Internet.
Requires client software installed on the user's device to establish the encrypted tunnel to the corporate VPN gateway.
8.2.2 SSL VPNs
Use the SSL/TLS protocol (the same one that secures HTTPS websites; in practice TLS, since SSL itself is deprecated) to create the encrypted tunnel.
They are popular for remote access because they can run through a standard web browser ("clientless" mode) and may not require installing specialized client software; a full client is still needed when arbitrary IP traffic, not just web applications, must cross the tunnel.
8.2.3 Site-to-Site IPsec VPNs
Connect entire networks (e.g., branch office to main office) over the Internet, with the VPN tunnel established between two VPN gateways (routers).
They use the IPsec protocol suite for robust security, including authentication and encryption for all traffic flowing between the sites.
8.2.4 GRE over IPsec
GRE (Generic Routing Encapsulation) can encapsulate a wide variety of Layer 3 protocols, including multicast and routing-protocol traffic that plain IPsec cannot carry, but it offers no security on its own: no encryption, no integrity protection, no peer authentication.
Encapsulating the GRE tunnel inside IPsec adds the missing security (encryption and authentication), which is why GRE over IPsec is used when dynamic routing protocols such as OSPF or EIGRP must run across the VPN.
8.2.5 Dynamic Multipoint VPNs (DMVPNs)
A hub-and-spoke VPN framework that allows spokes (remote sites) to establish direct, dynamic tunnels between themselves (spoke-to-spoke) on demand. It combines multipoint GRE (mGRE) tunnels, NHRP for resolving spoke addresses, and IPsec for protecting the traffic.
This eliminates the need for all traffic between spokes to pass through the central hub, improving efficiency and reducing latency.
8.2.6 IPsec Virtual Tunnel Interface (VTI)
A method that simplifies IPsec configuration by binding the security policy to a virtual tunnel interface rather than to crypto maps applied to physical interfaces.
Traffic is routed into the tunnel interface just like any other interface, so ordinary routing (static or dynamic) decides what gets encrypted instead of crypto-map access lists.
8.2.7 Service Provider MPLS VPNs
VPNs provided by a carrier, typically using MPLS within the service provider's core network.
They offer high performance and keep each customer's traffic separated on the provider's shared infrastructure without using the public Internet for the connection. Note that MPLS provides separation, not encryption: traffic crosses the carrier's network in the clear, so organizations that need confidentiality still run IPsec over the MPLS VPN.
8.3. IPsec
8.3.1 Video - IPsec Concepts
Introduces the IPsec protocol suite as the fundamental standard for securing IP communications, especially for VPNs.
Highlights the key security services IPsec provides: confidentiality, integrity, and authentication.
8.3.2 IPsec Technologies
IPsec is a framework of open-standard protocols:
AH (Authentication Header, IP protocol 51) provides integrity and origin authentication for the whole packet, including the IP header, but no confidentiality; because it authenticates header fields, it breaks when NAT rewrites them, so AH is rarely used today.
ESP (Encapsulating Security Payload, IP protocol 50) provides confidentiality, integrity, and authentication, and is what practically every VPN deployment uses.
IKE (Internet Key Exchange) authenticates the peers, negotiates the algorithms, and establishes the security associations (SAs) and keys that ESP or AH then use.
8.3.3 IPsec Protocol Encapsulation
IPsec operates in two modes:
Transport Mode keeps the original IP header and protects only the payload behind it (used for host-to-host traffic, where the endpoints themselves are the IPsec peers).
Tunnel Mode protects the entire original packet, header included, and prepends a new IP header addressed between the VPN gateways, so the real source and destination hosts stay hidden from observers on the Internet.
Tunnel Mode is the primary mode used for site-to-site VPNs.
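The difference between the two modes is easiest to see in the bytes. The following is an added example, not part of the original notes: it builds a sample IPv4 packet, wraps it in ESP transport mode and in ESP tunnel mode, and reports what an on-path observer can read from each. The addresses, SPI and payload are constructed sample data, and the ESP trailer, the encryption itself and the integrity check value are left out so the header layout stays visible.

```python
"""Added example: ESP transport mode vs tunnel mode header layout.
Not from the original notes; addresses, SPI and payload are constructed."""
import ipaddress
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50
IPV4_HDR_LEN = 20
ESP_HDR_LEN = 8   # 4-byte SPI + 4-byte sequence number


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header (no options); checksum left as zero."""
    total_len = IPV4_HDR_LEN + payload_len
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def esp_header(spi: int, seq: int) -> bytes:
    return struct.pack("!II", spi, seq)


def esp_transport(ip_packet: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: keep the original IP header, protect only its payload.
    Layout: [orig IP hdr | ESP hdr | orig payload]"""
    hdr, payload = ip_packet[:IPV4_HDR_LEN], ip_packet[IPV4_HDR_LEN:]
    # Fix the total length and point the protocol field at ESP (50).
    new_len = IPV4_HDR_LEN + ESP_HDR_LEN + len(payload)
    hdr = (hdr[:2] + struct.pack("!H", new_len) + hdr[4:9]
           + bytes([IPPROTO_ESP]) + hdr[10:])
    return hdr + esp_header(spi, seq) + payload


def esp_tunnel(ip_packet: bytes, gw_src: str, gw_dst: str,
               spi: int, seq: int) -> bytes:
    """Tunnel mode: the whole original packet becomes the ESP payload behind
    a new IP header that carries the gateway addresses.
    Layout: [new IP hdr | ESP hdr | orig IP hdr | orig payload]"""
    inner = esp_header(spi, seq) + ip_packet
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(inner)) + inner


def observer_view(packet: bytes) -> dict:
    """What a sniffer on the public network sees without the SA keys:
    the outer IP header and the ESP header. Everything after that would
    be ciphertext in a real ESP packet."""
    proto, src, dst = struct.unpack("!B2x4s4s", packet[9:20])
    spi, seq = struct.unpack("!II", packet[20:28])
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "spi": spi, "seq": seq,
            "protected_bytes": len(packet) - IPV4_HDR_LEN - ESP_HDR_LEN}


# Constructed sample: a branch host talking to an HQ host, protected by
# gateways at 203.0.113.1 (branch) and 198.51.100.1 (HQ).
ORIGINAL = (ipv4_header("10.1.1.10", "10.2.2.20", IPPROTO_TCP, 16)
            + b"GET / HTTP/1.0\r\n")
TRANSPORT = esp_transport(ORIGINAL, spi=0x1000, seq=1)
TUNNEL = esp_tunnel(ORIGINAL, "203.0.113.1", "198.51.100.1", spi=0x1000, seq=1)

if __name__ == "__main__":
    print("transport:", observer_view(TRANSPORT))  # inner hosts exposed
    print("tunnel:   ", observer_view(TUNNEL))     # only gateways exposed
```

In transport mode the observer still learns that 10.1.1.10 is talking to 10.2.2.20; in tunnel mode it sees only the two gateway addresses, ESP (protocol 50), an SPI and a sequence number, and the original 36-byte packet sits intact inside the ESP payload at the cost of 28 bytes of extra headers.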
8.3.4 Confidentiality
Confidentiality is achieved through encryption algorithms such as AES (Advanced Encryption Standard), ensuring that data is unreadable if intercepted. Legacy ciphers (DES, 3DES) still appear in older configurations and should be replaced with AES, preferably an authenticated mode such as AES-GCM.
Encryption protects the data payload itself from unauthorized viewing; in tunnel mode that payload includes the original IP header, so the internal addresses are hidden as well.
8.3.5 Integrity
Integrity is provided by a keyed hash, an HMAC built on a hashing algorithm such as SHA-256 (MD5 and SHA-1 appear in older configurations and should be avoided). The sender computes the HMAC over the packet contents with a key shared by both peers and attaches it as the integrity check value (ICV).
The receiver recalculates the HMAC with the same key and compares it to the ICV sent; if they match, the data has not been altered in transit. A plain, unkeyed hash would not do: an attacker who modifies the packet could simply recompute the hash. The shared key is what makes tampering detectable.
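To make the keyed-versus-unkeyed point concrete, here is an added example (not from the original notes) that attaches an ICV to an ESP-style packet, verifies it, and shows that a flipped bit in the payload or sequence number is detected while a forgery protected only by a plain hash is not. It uses HMAC-SHA-256 truncated to 128 bits, which mirrors the HMAC-SHA-256-128 integrity algorithm used with IPsec; the key, SPI and payload are constructed sample data.

```python
"""Added example: ESP-style integrity check with HMAC vs a plain hash.
Not from the original notes; key, SPI and payload are constructed."""
import hashlib
import hmac
import struct
from typing import Optional

ICV_LEN = 16  # HMAC-SHA-256-128: 256-bit MAC truncated to 128 bits

# Constructed 32-byte demo key; a real one comes out of the IKE exchange.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff"
                    "ffeeddccbbaa99887766554433221100")


def icv(key: bytes, esp_hdr_and_payload: bytes) -> bytes:
    return hmac.new(key, esp_hdr_and_payload, hashlib.sha256).digest()[:ICV_LEN]


def protect(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: ESP header + payload, followed by the ICV over both."""
    body = struct.pack("!II", spi, seq) + payload
    return body + icv(key, body)


def verify(key: bytes, packet: bytes) -> Optional[bytes]:
    """Receiver side: recompute the ICV and return the payload only if it
    matches. compare_digest keeps the comparison constant-time."""
    body, received = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv(key, body), received):
        return None
    return body[8:]


def tamper(packet: bytes, offset: int) -> bytes:
    """Flip one bit, as a man-in-the-middle might."""
    data = bytearray(packet)
    data[offset] ^= 0x01
    return bytes(data)


def forge_with_plain_hash(packet: bytes, new_payload: bytes) -> bytes:
    """Attacker replaces the payload and recomputes an UNKEYED hash.
    Anyone can do this, which is why a bare hash is not integrity."""
    body = packet[:8] + new_payload
    return body + hashlib.sha256(body).digest()[:ICV_LEN]


def plain_hash_ok(packet: bytes) -> bool:
    """A receiver that only checks an unkeyed hash accepts the forgery."""
    body, received = packet[:-ICV_LEN], packet[-ICV_LEN:]
    return hashlib.sha256(body).digest()[:ICV_LEN] == received


if __name__ == "__main__":
    pkt = protect(KEY, 0x1000, 7, b"hello")
    print("clean      ->", verify(KEY, pkt))
    print("bit flip   ->", verify(KEY, tamper(pkt, 9)))
    print("seq flip   ->", verify(KEY, tamper(pkt, 4)))
    forged = forge_with_plain_hash(pkt, b"evil!")
    print("plain hash accepts forgery:", plain_hash_ok(forged))
    print("HMAC accepts forgery:     ", verify(KEY, forged) is not None)
```

Because the ICV also covers the sequence number, the same check underpins ESP's anti-replay protection: an attacker cannot adjust a captured packet's sequence number to slip it past the replay window.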
8.3.6 Authentication
Authentication verifies the identity of the peer and ensures the data originates from a legitimate source.
This is done during IKE using Pre-shared Keys (PSK) or digital certificates (RSA or ECDSA signatures). PSKs are simple but must be long, random and unique per peer; certificates scale better and avoid distributing a shared secret to every site.
8.3.7 Secure Key Exchange with Diffie-Hellman
The Diffie-Hellman (DH) algorithm lets two parties agree on a shared secret over an unsecured channel without ever transmitting that secret: each side sends only a public value, and the symmetric keys for encryption and integrity are derived from the result. The DH group (e.g., a 2048-bit MODP group or an elliptic-curve group) sets the strength; small legacy groups such as group 1 and group 2 are no longer considered safe.
Perfect Forward Secrecy (PFS) is obtained by running a fresh DH exchange with new ephemeral values for every security association (and each rekey), so that compromise of the long-term authentication key, or of one session's keys, does not reveal the keys of past or future sessions.
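The exchange, and why fresh ephemeral values give forward secrecy, as an added example that is not part of the original notes. The 127-bit prime is a toy size chosen so the values stay readable; IKE uses MODP groups of 2048 bits and up (RFC 3526) or elliptic-curve groups. The key-derivation step (SHA-256 over the shared secret) stands in for the IKE PRF and is illustrative.

```python
"""Added example: Diffie-Hellman agreement between two VPN peers and
per-SA ephemeral exchanges for PFS. Not from the original notes; the
modulus is a toy size and the KDF is a stand-in for the IKE PRF."""
import hashlib
import secrets

P = 2**127 - 1   # toy modulus (a Mersenne prime); far too small for real use
G = 5            # generator; real IKE groups fix P and G per group number


def private_value() -> int:
    """Ephemeral secret: picked fresh, never sent, discarded after use."""
    return secrets.randbelow(P - 2) + 1


def public_value(priv: int) -> int:
    """The only value that crosses the untrusted network."""
    return pow(G, priv, P)


def shared_secret(peer_pub: int, priv: int) -> int:
    """g^(ab) mod p, computed by both sides from the other's public value."""
    return pow(peer_pub, priv, P)


def session_key(shared: int) -> bytes:
    """Derive a symmetric key from the DH result (IKE uses a PRF here)."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def keys_agree(a: int, b: int) -> bool:
    """Initiator with secret a and responder with secret b end up equal."""
    return shared_secret(public_value(b), a) == shared_secret(public_value(a), b)


def establish_sa() -> dict:
    """One SA lifetime: each side picks a fresh ephemeral private value,
    exchanges public values, and both derive the same key. An eavesdropper
    captures only the two public values (plus P and G)."""
    a, b = private_value(), private_value()
    pub_a, pub_b = public_value(a), public_value(b)
    key_initiator = session_key(shared_secret(pub_b, a))
    key_responder = session_key(shared_secret(pub_a, b))
    assert key_initiator == key_responder
    return {"key": key_initiator, "on_the_wire": (pub_a, pub_b)}


def forward_secrecy_demo(n_sessions: int = 3) -> bool:
    """With a new ephemeral exchange per SA every session key is independent:
    leaking one key, or the long-term authentication credential, reveals
    nothing about the others. True if all derived keys are distinct."""
    keys = {establish_sa()["key"] for _ in range(n_sessions)}
    return len(keys) == n_sessions


if __name__ == "__main__":
    sa = establish_sa()
    print("on the wire:", sa["on_the_wire"])
    print("derived key:", sa["key"].hex())
    print("distinct keys across 3 SAs:", forward_secrecy_demo(3))
```

The private values never appear in `on_the_wire`; recovering them from the public values is the discrete-logarithm problem, which is what the group size must make infeasible. Reusing one DH result across rekeys (PFS disabled) would make every later key a function of that single secret.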