ITSY Ch 5.5 Virtual Private Networks (VPN)
VPN Gateway
A device that sits at the edge of a LAN to establish and maintain a secure VPN connection. Each gateway is a router or remote access server with VPN software installed, and encrypts and encapsulates data to exchange over the tunnel. Meanwhile, clients, servers, and other hosts on the protected LANs communicate through the VPN gateways as if they were on the same, private network and do not have to run special VPN software. It also allows for all traffic between the two sites to be encrypted 100 percent of the time.
Transport Layer Security (TLS)
A protocol that evolved from SSL and provides privacy and data integrity between two communicating applications. The Transport Layer Security (TLS) Protocol works in a similar way to SSL, even though they are not interoperable. When securing a connection with a VPN, TLS: authenticates the server to the client, using public key cryptography and digital certificates; encrypts the entire communication session; uses port 443 or port 30.
Virtual Private Network (VPN)
A remote access connection that uses encryption to securely send data over an untrusted network. VPNs provide a secure internet connection between locations by encrypting packets in transit. A VPN uses a protocol that tunnels, or encapsulates, each of those packets into a new packet. Information in the packet header of these encrypted packets routes the information through the internet. On the destination device, the outer wrapping of the packets is removed and the packet is decrypted, so the data is back in its original format. When implementing a VPN, be sure to: select a protocol that is supported by all devices that need to encrypt and encapsulate packets; open the appropriate ports to allow VPN traffic through the firewall. VPNs work by using a Tunneling Protocol that encrypts packet contents and encapsulates those packets. The encapsulated packets are routed through the internet using the information in the packet header. When the packet reaches the destination device, the outer wrapping encapsulating the packets and the encryption is removed. Only the destination device is allowed to remove the wrapping and restore the packet to its original form. Routers use the decrypted packet headers to deliver the packet to the destination device. Intermediate routers along the path cannot read the encrypted packet contents.
Internet Protocol Security (IPsec)
A set of protocols that provides security for Internet Protocol (IP) that can be used in conjunction with L2TP or to set up a VPN solution. IPsec encrypts contents sent through a tunnel created by another protocol. IPsec is probably one of the most common tunneling encryption mechanisms currently used. Internet Protocol Security (IPsec) provides authentication and encryption, and it can be used in conjunction with L2TP or by itself as a VPN solution. IPsec includes two protocols that provide different features. Authentication Header (AH) provides authentication features; use AH to enable authentication with IPsec. Encapsulating Security Payload (ESP) provides data encryption; use ESP to encrypt data. If you use AH alone, data is not encrypted. IPsec has two modes of operation. They are based on the relationship of the communicating devices to each other. Transport Mode is used for end-to-end encryption of data. The packet data is protected, but the header is left intact, allowing intermediary devices (such as routers) to examine the packet header and use the information in routing packets. Tunnel Mode is used for link-to-link communications. Both the packet contents and the header are encrypted. IPsec can be used to secure communications such as: host-to-host communications within a LAN; VPN communications through the internet, either by itself or in conjunction with the L2TP VPN Protocol; any traffic supported by the IP protocol, including web, email, Telnet, file transfer, SNMP traffic, and countless others. Be aware of the following additional characteristics of IPsec: it functions at the Network layer (Layer 3) of the OSI model; it uses either digital certificates or pre-shared keys; it generally can't be used when a NAT proxy is deployed.
Layer 2 Forwarding (L2F)
A tunneling protocol developed by Cisco to establish virtual private network connections over the internet. Layer 2 Forwarding (L2F) is a VPN technology developed by Cisco that: operates at the Data Link layer (Layer 2); offers mutual authentication; does not encrypt data; merged with PPTP to create L2TP.
Secure Sockets Layer (SSL)
A well-established protocol to secure IP protocols, such as HTTP and FTP. SSL requires certificates for identity proof, as well as for encryption. SSL is a great option for encrypting other types of connections between devices, such as a VPN connection. One of the benefits of using SSL is the fact that it uses port 443. This is really important because most network firewalls in most organizations are already configured to allow HTTPS traffic on this port, so we don't have to make any major firewall changes if we want to deploy an SSL VPN. The Secure Sockets Layer (SSL) Protocol has long been used to secure traffic generated by other IP protocols, such as HTTP, FTP, and email. SSL can also be used as a VPN solution, typically in a remote-access scenario. SSL does the following: authenticates the server to the client using public key cryptography and digital certificates; encrypts the entire communication session; uses port 443, which is a port that is often already open in most firewalls. Implementations that use SSL for VPN tunneling include Microsoft's SSTP and Cisco's SSL VPN.
Authentication Header (AH)
AH is used to authenticate. Authentication Header (AH) provides assurances of message integrity and nonrepudiation. AH also provides authentication and access control and prevents replay attacks.
IPsec's two different protocols
Authentication Header (AH) and Encapsulating Security Payload (ESP)
Tunneling
Communication method that encrypts packet contents and encapsulates them for routing through a public network.
A salesperson in your organization spends most of her time traveling between customer sites. After a customer visit, she must complete various managerial tasks, such as updating your organization's order database. Because she rarely comes back to your home office, she usually accesses the network from her notebook computer using Wi-Fi access provided by hotels, restaurants, and airports. Many of these locations provide unencrypted public Wi-Fi access, and you are concerned that sensitive data could be exposed. To remedy this situation, you decide to configure her notebook to use a VPN when accessing the home network over an open wireless connection. Which key steps should you take when implementing this configuration? (Select two.)
Configure the browser to send HTTPS requests through the VPN connection; configure the VPN connection to use IPsec. It is generally considered acceptable to use a VPN connection to securely transfer data over an open Wi-Fi network. As long as strong tunneling ciphers and protocols are used, the VPN provides sufficient encryption to secure the connection, even though the wireless network itself is not encrypted. It is recommended that you use IPsec or SSL to secure the VPN, as these protocols are relatively secure. You should also configure the browser's HTTPS requests to go through the VPN connection. To conserve VPN bandwidth and improve latency, many VPN solutions automatically reroute web browsing traffic through the client's default network connection instead of through the VPN tunnel. This behavior would result in HTTP/HTTPS traffic being transmitted over the unsecure open wireless network instead of through the secure VPN tunnel. Avoid using PPTP with MS-CHAPv2 in a VPN over open wireless configuration, as these protocols are no longer considered secure.
Which IPSec subprotocol provides data encryption?
ESP Encapsulating Security Payload (ESP) Protocol provides data encryption for IPSec traffic. Authentication Header (AH) provides message integrity through authentication, verifying that data is received unaltered from the trusted destination. AH provides no privacy and is often combined with ESP to achieve integrity and confidentiality.
In addition to Authentication Header (AH), IPsec is comprised of what other service?
ESP IPsec is comprised of two services. One service is named Authentication Header (AH), and the other named Encapsulating Security Payload (ESP). AH is used primarily for authenticating the two communication partners of an IPsec link. ESP is used primarily to encrypt and secure the data transferred between IPsec partners. IPSec employs ISAKMP for encryption key management.
VPN concentrators
Hardware devices that are dedicated to establishing client connections, as well as encrypting and decrypting VPN packets. Each client is configured with software that allows it to encrypt packets. The VPN concentrator is configured to allow or reject connections from users. It also removes the encryption before forwarding the information to the private network.
Ways to Configure a VPN through the Internet
Host-to-Host VPN, Site-to-Site VPN, Remote Access VPN
VPN tunneling protocols
IPsec and SSL (or TLS)
IPsec Transport mode
IPsec only encrypts each packet's internal data. Everything else (the destination IP address, the origination IP address) is all in cleartext.
Remote Access VPN
Individual hosts on the network can establish a VPN connection to the remote site. In this configuration, the client computer must be able to establish the VPN connection with a special device called a VPN concentrator that sits on the edge of the private network. A remote-access VPN uses a server (called a VPN concentrator) configured to accept VPN connections from individual hosts. The VPN concentrator is located on the edge of a network. The VPN concentrator establishes multiple connections with multiple hosts. The individual hosts must be able to establish a VPN connection. The hosts can access resources on the VPN server or the private network using the VPN connection. An always-on VPN employs the concept that a user is always on the VPN, whether physically within the LAN or remotely. There is no turning it on or off. All traffic is basically fully tunneled.
Difference between SSL and SSH
The difference is their application. SSL is mostly used for establishing a secure connection between a website and its clients, while SSH is utilized to create secure remote connections on insecure networks. SSL works based on SSL/TLS certificates; SSH works based on network tunnels. SSL is a security protocol; SSH is a cryptographic network protocol.
Which VPN protocol typically employs IPsec as its data encryption mechanism?
L2TP L2TP (Layer 2 Tunneling Protocol) is the VPN protocol that typically employs IPsec as its data encryption mechanism. L2TP is the recommended VPN protocol to use on dial-up VPN connections. PPTP and PPP only support CHAP and PAP for data encryption. L2F offers no data encryption.
Layer 2 Tunneling Protocol (L2TP)
Layer 2 Tunneling Protocol (L2TP) is an open standard for secure multi-protocol routing. L2TP does the following: operates at the Data Link layer (Layer 2); supports multiple protocols (not just IP); uses IPsec for encryption. Combining L2TP with IPsec (called L2TP/IPsec) provides: per-packet data-origin authentication (non-repudiation); replay protection; data confidentiality. L2TP/IPsec is not supported by older operating systems and uses TCP port 1701 and UDP port 500.
Split Tunnel VPN
Only certain types of traffic (for example, traffic destined for a specific IP address range) are sent through the VPN connection. All other traffic goes through the internet as normal. This configuration might be good for people who need to access private network resources but still want to access the internet through their own internet connection, and not through the VPN. It also helps reduce the amount of traffic sent through the VPN: instead of sending all traffic through the VPN, only necessary traffic is sent. Split tunneling also has a variant called inverse split tunneling.
Which of the following VPN protocols is no longer considered secure?
PPTP Point-to-Point Tunneling Protocol (PPTP) was one of the first VPN protocols and was developed by Microsoft. It is no longer considered secure and is essentially obsolete. Internet Protocol Security (IPsec) provides authentication and encryption, and it can be used in conjunction with L2TP or by itself as a VPN solution. IPSec is still considered very secure. The Secure Sockets Layer (SSL) Protocol has long been used to secure traffic generated by other IP protocols, such as HTTP, FTP, and email. SSL can also be used as a VPN solution, typically in a remote access scenario.
Point-to-Point Tunneling Protocol (PPTP)
Point-to-Point Tunneling Protocol (PPTP) was one of the first VPN protocols and was developed by Microsoft. PPTP does the following: uses standard authentication protocols, such as Challenge-Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP); supports TCP/IP only; encapsulates other LAN protocols and carries the data securely over an IP network; uses Microsoft's MPPE for data encryption; is supported by most operating systems and servers; uses TCP port 1723.
Which VPN tunnel style routes only certain types of traffic?
Split A VPN split tunnel routes only certain types of traffic, usually determined by destination IP address, through the VPN tunnel. All other traffic is passed through the normal internet connection. A full VPN tunnel routes all of a user's network traffic through the VPN tunnel. This can sometimes send traffic that is not necessary. A site-to-site VPN is a VPN implementation that uses routers on the edge of each site. A host-to-host VPN implementation allows an individual host connected to the internet to establish a VPN connection to another host on the internet.
A VPN is primarily used for which of the following purposes?
Support secured communications over an untrusted network
Which statement BEST describes IPsec when used in tunnel mode?
The entire data packet, including headers, is encapsulated When using IPsec in tunnel mode, the entire data packet, including original headers, is encapsulated. New encrypted packets are created with headers indicating only the endpoint addresses. Tunneling protects the identities of the communicating parties and original packet contents. Tunneling is frequently used to secure traffic traveling across insecure public channels, such as the internet. IPsec in tunnel mode is the most common configuration for gateway-to-gateway communications. In transport mode, routing is performed using the original headers; only the packet's payload is encrypted. Transport mode is primarily used in direct host-to-host communication outside of a dedicated IPsec gateway/firewall configuration.
IPsec Tunneling mode
The entire packet is encrypted. It is then encapsulated in another non-encrypted packet, complete with a new IP header, and sent over the internet.
Full Tunnel VPN
The other way you can configure the VPN is to route all traffic through the VPN, regardless of the type of traffic. This is usually the default VPN configuration method.
Inverse Split Tunnel
This is where all traffic is sent through the VPN except for a specific type of traffic, which is routed through the regular internet, unencrypted. The split is inverted, as its name suggests.
Host-to-Host VPN
This type of VPN allows an individual host connected to the internet to establish a VPN connection to another host. With a host-to-host connection, both devices need the ability to establish and understand the VPN protocol that's used. Both devices must have the software for encrypting the packets and encapsulating the packets. Allows an individual host connected to the internet to establish a VPN connection to another host on the internet. Both devices must be configured for a VPN connection and have the software to encrypt and encapsulate the packets.
IPsec also has two different modes for sending packets through the tunnel.
Transport mode and Tunneling mode
Encapsulating Security Payload (ESP)
Used to encrypt data being sent through a connection.
A group of salesmen would like to remotely access your private network through the internet while they are traveling. You want to control access to the private network through a single server. Which solution should you implement?
VPN concentrator With a remote access VPN, a server on the edge of a network (called a VPN concentrator) is configured to accept VPN connections from individual hosts. Hosts that are allowed to connect using the VPN connection are granted access to resources on the VPN server or the private network. A demilitarized zone (DMZ), also called a screened subnet, is a buffer network (or subnet) that sits between the private network and an untrusted network (such as the internet). A RADIUS server is used to centralize authentication, authorization, and accounting for multiple remote access servers. However, clients still connect to individual remote access servers. An intrusion detection system (IDS) is a special network device that can detect attacks and suspicious activity. A passive IDS monitors, logs, and detects security breaches, but it does not take action to stop or prevent an attack. An active IDS (also called an intrusion protection system or IPS) performs the functions of an IDS but can also react when security breaches occur.
VPN and Wireless Networks
VPNs can also be used to help secure connections made over open wireless networks. Many establishments, such as airports, hotels, and restaurants, provide unsecured public Wi-Fi access. Because encryption is not used to secure the wireless connection, many users are hesitant to use these networks. In most cases, this hesitancy is warranted. However, it is generally considered acceptable to use a VPN connection to securely transfer data over an open Wi-Fi network. As long as strong tunneling ciphers and protocols are used, the VPN provides sufficient encryption to secure the connection even though the wireless network itself is not encrypted. It is recommended that you use IPsec or SSL to secure the VPN because these protocols are relatively secure. Avoid using PPTP with MS-CHAPv2 as this configuration setup is no longer considered secure. If you are using a VPN over an open wireless network and need to access a secure website, be sure your browser's HTTPS requests go through the VPN connection. To conserve VPN bandwidth and improve latency, many VPN solutions automatically reroute web browsing traffic through the client's default network connection instead of through the VPN tunnel. This behavior would result in HTTP/HTTPS traffic being transmitted over the insecure open wireless network instead of through the secure VPN tunnel.
Site-to-Site
With a site-to-site VPN, you have a collection of computers at each location. Each computer in any location is able to communicate securely with any other computer at another location. Rather than requiring VPN configuration on every single computer, you install a single device, which acts as a gateway server. A site-to-site VPN uses routers on the edge of each site. The routers are configured for a VPN connection and encrypt and decrypt the packets being passed between the sites. With this configuration, individual hosts are unaware of the VPN.
Tunnel endpoints
Devices that can encrypt and decrypt packets. When you create a VPN, you establish a security association between the two tunnel endpoints. These endpoints create a secure virtual communication channel. Only the destination tunnel endpoint can unwrap packets and decrypt the packet contents.
Which VPN implementation uses routers on the edge of each site?
site-to-site VPN A site-to-site VPN uses routers on the edge of each site. The routers are configured for a VPN connection and encrypt and decrypt the packets being passed between the sites. With this configuration, individual hosts are unaware of the VPN. A host-to-host VPN allows an individual host connected to the internet to establish a VPN connection to another host on the internet. Both devices must be configured for a VPN connection and have the software to encrypt and encapsulate the packets. A remote access VPN uses a server (called a VPN concentrator) configured to accept VPN connections from individual hosts. An always-on VPN employs the concept that a user is always on the VPN, whether physically within the LAN or remotely. There is no turning it on or off. All traffic is basically fully tunneled.