5.5 Virtual Private Networks
The following are two styles of VPN tunnels commonly used:
1. Full tunnel, which routes all of a user's network traffic through the VPN tunnel. This can sometimes send traffic that is not necessary.
2. Split tunnel, which routes only certain types of traffic, usually determined by destination IP address, through the VPN tunnel. All other traffic is passed through the normal internet connection.
VPN Tunneling Protocol
> A VPN uses a Tunneling Protocol that encrypts packet contents and wraps them in an unencrypted packet. The Tunneling Protocol (also referred to as the VPN Protocol) identifies the methods that devices use to establish the VPN connection and encrypt the data. The three types of protocols used by VPNs are:
  - Carrier Protocol (such as IP).
  - Tunneling Protocol (such as PPTP or L2TP).
  - Passenger Protocol (for the data being transmitted).
> Many networks make use of a piece of hardware called a VPN concentrator. VPN concentrators are advanced routers that can create and maintain many secure connections to the network through VPN tunnels.
VPNs can be implemented in the following ways:
> A host-to-host VPN allows an individual host connected to the internet to establish a VPN connection to another host on the internet. Both devices must be configured for a VPN connection and have the software to encrypt and encapsulate the packets.
> A site-to-site VPN uses routers on the edge of each site. The routers are configured for a VPN connection and encrypt and decrypt the packets being passed between the sites. With this configuration, individual hosts are unaware of the VPN.
> A remote-access VPN uses a server (called a VPN concentrator) configured to accept VPN connections from individual hosts.
  - The VPN concentrator is located on the edge of a network.
  - The VPN concentrator establishes multiple connections with multiple hosts.
  - The individual hosts must be able to establish a VPN connection.
  - The hosts can access resources on the VPN server on the private network using the VPN connection.
> Always-on VPN employs the concept that a user is always on the VPN, whether physically within the LAN or remotely. There is no turning it on or off. All traffic is basically fully tunneled.
Point-to-Point Tunneling
> Point-to-Point Tunneling Protocol (PPTP) was one of the first VPN protocols and was developed by Microsoft.
> PPTP does the following:
  - Uses standard authentication protocols, such as Challenge-Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP)
  - Supports TCP/IP only
  - Encapsulates other LAN protocols and carries the data securely over an IP network
  - Uses Microsoft's MPPE for data encryption
  - Is supported by most operating systems and servers
  - Uses TCP port 1723
When implementing a VPN, be sure to:
> Select a protocol that is supported by all devices that need to encrypt and encapsulate packets.
> Open the appropriate ports to allow VPN traffic through the firewall.
As you study this section, answer the following questions:
> What are three ways a Virtual Private Network (VPN) can be implemented?
> What is a VPN concentrator?
> What function do VPN endpoints provide?
> What is the difference between full tunnel and split tunnel?
> What are three types of protocols used by a VPN?
> What is inverse split tunneling?
In this section, you will learn to:
> Configure a VPN.
> Configure a VPN client.
> Configure a remote access VPN.
> Configure a VPN connection iPad.
Point-to-Point Tunneling Protocol (PPTP)
An early tunneling protocol developed by Microsoft.
Transport Layer Security (TLS)
A protocol that evolved from SSL and provides privacy and data integrity between two communicating applications.
Virtual Private Network
A remote access connection that uses encryption to securely send data over an untrusted network.
Internet Protocol Security (IPsec)
A set of protocols that provides security for Internet Protocol (IP) that can be used in conjunction with L2TP or to set up a VPN solution.
Layer 2 Forwarding (L2F)
A tunneling protocol developed by Cisco to establish virtual private network connections over the internet.
VPN Basics
A virtual private network (VPN) is a remote-access connection that uses encryption to securely send data over an untrusted network. By using a VPN, you can take advantage of an existing internet connection to securely communicate between devices. When working with VPNs, consider the following:
> A VPN provides an alternative to:
  - WAN connections
  - Connections that use telephone lines and a remote access server.
> VPNs work by using a Tunneling Protocol that encrypts packet contents and encapsulates those packets.
  - The encapsulated packets are routed through the internet using the information in the packet header.
  - When the packet reaches the destination device, the outer wrapping encapsulating the packets and the encryption is removed.
  - Only the destination device is allowed to remove the wrapping and restore the packet to its original form.
Secure Sockets Layer (SSL)
A well-established protocol to secure IP protocols, such as HTTP and FTP.
Layer 2 Tunneling Protocol (L2TP)
An open standard for secure multi-protocol routing.
Tunneling
Communication method that encrypts packet contents and encapsulates them for routing through a public network.
Tunnel Endpoints
Devices that can encrypt and decrypt packets. When you create a VPN, you establish a security association between the two tunnel endpoints. These endpoints create a secure virtual communication channel. Only the destination tunnel endpoint can unwrap packets and decrypt the packet contents.
> Routers use the decrypted packet headers to deliver the packet to the destination device. Intermediate routers along the path cannot read the encrypted packet contents.
Internet Protocol Security
Internet Protocol Security (IPsec) provides authentication and encryption, and it can be used in conjunction with L2TP or by itself as a VPN solution. IPsec includes two protocols that provide different features.
> Authentication Header (AH) provides authentication features. Use AH to enable authentication with IPsec.
> Encapsulating Security Payload (ESP) provides data encryption. Use ESP to encrypt data.
*If you use AH alone, data is not encrypted.
IPsec has two modes of operation. They are based on the relationship of the communicating devices to each other.
> Transport Mode is used for end-to-end encryption of data. The packet data is protected, but the header is left intact, allowing intermediary devices (such as routers) to examine the packet header and use the information in routing packets.
> Tunnel Mode is used for link-to-link communications. Both the packet contents and the header are encrypted.
IPsec can be used to secure communications such as:
> Host-to-host communications within a LAN
> VPN communications through the internet, either by itself or in conjunction with the L2TP VPN Protocol
> Any traffic supported by the IP protocol, including web, email, Telnet, file transfer, SNMP traffic, and countless others
Be aware of the following additional characteristics of IPsec:
> It functions at the Network layer (Layer 3) of the OSI model
> It uses either digital certificates or pre-shared keys
> It generally can't be used when a NAT proxy is deployed
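The two IPsec facts above that AH provides authentication only and that IPsec generally can't be used behind NAT are linked, and the following Python is an added example (not from the course material) of why: an AH-style integrity check covers the immutable fields of the IP header, so a router decrementing the TTL is tolerated, but a NAT device rewriting the source address breaks verification. The key, addresses and payload are constructed, and the ICV computation is simplified from RFC 4302 as noted in the comments.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTOCOL = 51  # IP protocol number for the Authentication Header
SA_KEY = b"constructed-demo-key-not-a-real-sa"  # constructed, not from the course

def ipv4_header(src: str, dst: str, ttl: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header carrying AH; header checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl,
                       AH_PROTOCOL, 0, socket.inet_aton(src), socket.inet_aton(dst))

def _immutable_view(hdr: bytes) -> bytes:
    """Zero the fields a router may legitimately change (TTL, header checksum)
    so the ICV still verifies after a hop. Simplified from RFC 4302, which
    also zeroes TOS, flags and fragment offset."""
    b = bytearray(hdr)
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # header checksum
    return bytes(b)

def ah_icv(key: bytes, hdr: bytes, payload: bytes) -> bytes:
    """Integrity Check Value over the immutable IP header fields plus payload.
    Simplified: real AH also covers its own header (SPI, sequence number)."""
    return hmac.new(key, _immutable_view(hdr) + payload, hashlib.sha256).digest()[:16]

def ah_verify(key: bytes, hdr: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(key, hdr, payload), icv)

def forward_hop(hdr: bytes) -> bytes:
    """What an ordinary router does: decrement the TTL."""
    return hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:]

def nat_rewrite_src(hdr: bytes, new_src: str) -> bytes:
    """What a NAT device does: rewrite the source address."""
    return hdr[:12] + socket.inet_aton(new_src) + hdr[16:]

def demo() -> tuple:
    """Returns (verifies after plain routing, verifies after NAT)."""
    payload = b"constructed sample payload"
    hdr = ipv4_header("10.0.0.5", "198.28.56.10", ttl=64, total_len=20 + len(payload))
    icv = ah_icv(SA_KEY, hdr, payload)
    routed = forward_hop(hdr)                        # TTL changed: still verifies
    natted = nat_rewrite_src(routed, "203.0.113.7")  # source rewritten: ICV fails
    return (ah_verify(SA_KEY, routed, payload, icv),
            ah_verify(SA_KEY, natted, payload, icv))
```

ESP does not cover the outer IP header, which is why ESP (with NAT traversal) is what actually survives NAT in practice.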
Layer 2 Forwarding
Layer 2 Forwarding (L2F) is a VPN technology developed by Cisco that:
> Operates at the Data Link layer (Layer 2)
> Offers mutual authentication
> Does not encrypt data
> Merged with PPTP to create L2TP
Layer 2 Tunneling
Layer 2 Tunneling Protocol (L2TP) is an open standard for secure multi-protocol routing.
> L2TP does the following:
  - Operates at the Data Link layer (Layer 2)
  - Supports multiple protocols (not just IP)
  - Uses IPsec for encryption. Combining L2TP with IPsec (called L2TP/IPsec) provides:
    - Per-packet data-origin authentication (non-repudiation)
    - Replay protection
    - Data confidentiality
  - Is not supported by older operating systems
  - Uses TCP port 1701 and UDP port 500
Secure Sockets Layer
The Secure Sockets Layer (SSL) Protocol has long been used to secure traffic generated by other IP protocols, such as HTTP, FTP, and email. SSL can also be used as a VPN solution, typically in a remote-access scenario. SSL does the following:
> Authenticates the server to the client using public key cryptography and digital certificates
> Encrypts the entire communication session
> Uses port 443, which is a port that is often already open in most firewalls
*Implementations that use SSL for VPN tunneling include Microsoft's SSTP and Cisco's SSL VPN.
Transport Layer Security
The Transport Layer Security (TLS) Protocol works in a similar way to SSL, even though they are not interoperable. When securing a connection with a VPN, TLS:
> Authenticates the server to the client, using public key cryptography and digital certificates
> Encrypts the entire communication session
> Uses port 443 or port 30
5.57 VPN Protocol Facts
This lesson covers the following topics:
> VPN Tunneling Protocol
> VPN protocol comparison
5.5.6 VPN Facts
This lesson covers the following topics:
> VPN basics
> VPN and wireless networks
VPN and Wireless Networks
VPNs can also be used to help secure connections made over open wireless networks. Many establishments, such as airports, hotels, and restaurants, provide unsecured public Wi-Fi access. Because encryption is not used to secure the wireless connection, many users are hesitant to use these networks. In most cases, this hesitancy is warranted. However, it is generally considered acceptable to use a VPN connection to securely transfer data over an open Wi-Fi network. As long as strong tunneling ciphers and protocols are used, the VPN provides sufficient encryption to secure the connection even though the wireless network itself is not encrypted. It is recommended that you use IPsec or SSL to secure the VPN because these protocols are relatively secure. Avoid using PPTP with MS-CHAPv2, as this configuration is no longer considered secure.
*If you are using a VPN over an open wireless network and need to access a secure website, be sure your browser's HTTPS requests go through the VPN connection. To conserve VPN bandwidth and improve latency, many VPN solutions automatically reroute web browsing traffic through the client's default network connection instead of through the VPN tunnel. This behavior would result in HTTP/HTTPS traffic being transmitted over the insecure open wireless network instead of through the secure VPN tunnel.
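The tunnel styles listed at the start of this section (full, split, and the inverse split tunneling asked about in the study questions) and the HTTPS leak just described come down to one question per flow: does this destination leave on the tunnel interface or on the local, in this case open Wi-Fi, interface? The following Python is an added example, not from the course material; the interface names, the corporate prefix (taken from the pfSense lab on this page) and the sample flows are constructed assumptions.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed assumptions (not from the course material): the tunnel interface,
# the local open Wi-Fi interface, and the corporate prefix from the pfSense lab.
TUNNEL_IF = "tun0"
LOCAL_IF = "wlan0"
CORP_PREFIXES = ["198.28.56.0/24"]

# Constructed sample flows: (destination IP, destination port).
SAMPLE_FLOWS: List[Tuple[str, int]] = [
    ("198.28.56.10", 445),   # file server on the corporate LAN
    ("198.28.56.1", 53),     # corporate DNS server
    ("203.0.113.10", 443),   # public HTTPS site (TEST-NET-3 documentation range)
]


def pick_interface(dst: str, style: str, prefixes: Iterable[str]) -> str:
    """Return the egress interface for a packet to dst under a tunnel style.

    style == "full":    every destination goes through the tunnel.
    style == "split":   only destinations inside `prefixes` go through the tunnel.
    style == "inverse": every destination EXCEPT those inside `prefixes` goes
                        through the tunnel (inverse split tunneling: the listed
                        prefixes, typically the local LAN, are kept local).
    """
    if style == "full":
        return TUNNEL_IF
    ip = ipaddress.ip_address(dst)
    in_list = any(ip in ipaddress.ip_network(p) for p in prefixes)
    if style == "split":
        return TUNNEL_IF if in_list else LOCAL_IF
    if style == "inverse":
        return LOCAL_IF if in_list else TUNNEL_IF
    raise ValueError(f"unknown tunnel style: {style}")


def leaking_flows(flows: Iterable[Tuple[str, int]], style: str,
                  prefixes: Iterable[str]) -> List[Tuple[str, int]]:
    """Flows that would leave on the untrusted local interface under this policy.

    On open Wi-Fi every entry returned here is traffic the VPN does not protect;
    an empty list is what you want before browsing to a secure site.
    """
    return [(d, p) for d, p in flows
            if pick_interface(d, style, prefixes) == LOCAL_IF]
```

Under the split policy the public HTTPS flow is reported as leaking, which is exactly the case the note above warns about; under the full policy nothing leaks.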
5.5.4 Configure a Remote Access VPN Lab
You work as the IT security administrator for a small corporate network. Occasionally, you and your co-administrators need to access internal resources when you are away from the office. You would like to set up a Remote Access VPN using pfSense to allow secure access.
In this lab, your task is to use the pfSense wizard to create and configure an OpenVPN Remote Access server using the following guidelines:
Complete this lab as follows:
1. Sign into the pfSense management console.
   a. In the Username field, enter admin.
   b. In the Password field, enter P@ssw0rd (zero).
   c. Select SIGN IN or press Enter.
2. Start the VPN wizard and select the authentication backend type.
   a. From the pfSense menu bar, select VPN > OpenVPN.
   b. From the breadcrumb, select Wizards.
   c. Under Select an Authentication Backend Type, make sure Local User Access is selected.
   d. Select Next.
3. Create a new certificate authority certificate.
   a. For Descriptive Name, enter CorpNet-CA.
   b. For Country Code, enter GB.
   c. For State, enter Cambridgeshire.
   d. For City, enter Woodwalton.
   e. For Organization, enter CorpNet.
   f. Select Add new CA.
4. Create a new server certificate.
   a. For Descriptive Name, enter CorpNet.
   b. Verify that all of the previous changes (Country Code, State/Province, and City) are the same.
   c. Use all other default settings.
   d. Select Create new Certificate.
5. Configure the VPN server.
   a. Under General OpenVPN Server Information:
      - Use the Interface drop-down menu to select WAN.
      - Verify that the Protocol is set to UDP on IPv4 only.
      - For Description, enter CorpNet-VPN.
   b. Under Tunnel Settings:
      - For Tunnel Network, enter 198.28.20.0/24.
      - For Local Network, enter 198.28.56.18/24.
      - For Concurrent Connections, enter 4.
   c. Under Client Settings, in DNS Server1, enter 198.28.56.1.
   d. Select Next.
6. Configure the firewall rules.
   a. Under Traffic from clients to server, select Firewall Rule.
   b. Under Traffic from clients through VPN, select OpenVPN rule.
   c. Select Next.
   d. Select Finish.
7. Set the OpenVPN server just created to Remote Access (User Auth).
   a. For the WAN interface, select the Edit Server icon (pencil).
   b. For Server mode, use the drop-down and select Remote Access (User Auth).
   c. Scroll to the bottom and select Save.
8. Configure the following Standard VPN users.
   a. From the pfSense menu bar, select System > User Manager.
   b. Select Add.
   c. Configure the User Properties as follows:
      - Username: Username
      - Password: Password
      - Full name: Fullname
   d. Scroll to the bottom and select Save.
   e. Repeat steps 8b-8d to create the remaining VPN users.
5.5.5 Configure a VPN connection iPad
You work as the IT security administrator for a small corporate network. You recently set up the Remote Access VPN feature on your network security appliance to provide you and your fellow administrators with secure access to your network. You are currently at home and would like to connect your iPad to the VPN. Your iPad is connected to your home wireless network.
In this lab, your task is to:
Add an IPSec VPN connection using the following values:
> Description - CorpNetVPN
> Server - 192.28.56.34
> Account - mbrown
> Secret - asdf1234$
> Turn on the VPN.
> Verify that a connection is established.
The password for mbrown is L3tM31nN0w (0=zero).
Complete this lab as follows:
1. Verify your connection to the Home-Wireless network.
   a. Select Settings.
   b. Select Wi-Fi.
2. Add and configure a VPN.
   a. From the left menu, select General.
   b. From the right menu, select VPN.
   c. Select Add VPN Configuration.
   d. Select IPSec.
   e. In the Description field, enter CorpNetVPN.
   f. In the Server field, enter 198.28.56.34.
   g. In the Account field, enter mbrown.
   h. In the Secret field, enter asdf1234$.
   i. In the upper right, select Save.
3. Connect to the VPN just created.
   a. Under VPN Configuration, slide Not Connected to ON.
   b. When prompted, enter L3tM31nN0w (0 = zero) as the password.
   c. Select OK.