Virtual Private Network (VPN)

Virtual Private Network (VPN)

• Secure communications over an unsecure network such as the Internet.

• Provides confidentiality.

Site-to-Site VPN

• Virtual Private Network (VPN) between 2 branch offices.

• Allows you to access a network securely over an unsecure network.

• All traffic between encrypted on the VPN tunnel.

Remote Access VPN

• Allow teleworkers to connect to the corporate network from a computer or laptop.

• A VPN client application is installed on the user's device.

• The VPN client establishes a secure tunnel between the computer and the VPN concentrator.

Host-to-Host VPN

• Creates a VPN tunnel between one device to another.

• Requires a software to be installed on each device.

Split tunnel 

• Traffic for the corporate network goes through the VPN tunnel while all other traffic goes directly out to the Internet.

Full tunnel 

• All traffic is routed through the VPN tunnel to the corporate network, then out to the Internet.

VPN Tunneling Protocols and Encryption

• Creates the tunneling communication between systems.

• This does not perform data encryption.

• Can be used with data encryption protocols to provide confidentiality.

Point-to-Point Tunneling Protocol (PPTP)

• Widely supported

• Provides weak data encryption.

• Uses Microsoft Point-to-Point Encryption.

 Layer 2 Tunneling Protocol (L2TP)

• Widely supported.

• Provides stronger security.

• Very complex to configure.

• Firewall can block this protocol.

• Uses IPsec.

Secure Sock Tunneling Protocol (SSTP)

• Works over port 443.

• Works with only Microsoft systems.

• Uses SSL 3.0.

Internet Key Exchange v2 (IKEv2)

• Supports mobility.

• There is limited support.

• Uses IPsec.

What is IPsec

• Internet Protocol security (IPsec) is a framework which uses a group of various protocols which are used to secure the communication between devices.

• IPsec is commonly used when establishing a virtual private network (VPN), whether it’s a Remote Access VPN or a Site-to-Site VPN.

• A Site-to-Site VPN is used to connect remote branch offices together across an unsecure network such as the Internet.

• A Remote Access VPN allows an employee to establish a secure connection between their computer and the corporate network.

IPsec Security Association (SA)

• Within IPsec, endpoints establishes a trust  between themselves which are known as Security Association (SA).

• During IPsec, an Internet Key Exchange (IKE) Phase 1 Security Association (SA) is established between the VPN peers.

• During an IKE Phase 1 (Main Mode) SA, the peers uses this to negotiate encryption, integrity, authentication and key exchange methods.

• Within IKE Phase 2 (Quick Mode), data is exchanged between the VPN peers within 2 one-way encrypted tunnels between each peer to the other.

• During an IKE Phase 2 (Quick Mode) SA, the peers uses this to negotiate IPsec encapsulation protocol, encryption, integrity, authentication and key exchange methods.

IPSec Protocols

• When using the Authentication Header (AH) encapsulation protocol, it provides authentication and integrity but no data encryption.

• AH uses an IP protocol value of 51.

• When using Encapsulating Security Protocol (ESP), it provides authentication, integrity and data encryption as data is sent across the VPN tunnel.

• ESP uses an IP protocol value of 50.

IPsec Encapsulation

• In Transport mode, the original header is maintained while an ESP header and trailer is inserted within the packet.

• In Tunnel mode, a new ESP header is inserted within the packet and an ESP trailer.