SECURITY + VIRTUAL PRIVATE NETWORK 5.7
When implementing a VPN, be sure to:
Select a protocol that is supported by all devices that need to encrypt and encapsulate packets. Open the appropriate ports to allow VPN traffic through the firewall.
A remote access VPN uses a server (called a VPN concentrator) configured to accept VPN connections from individual hosts.
The VPN concentrator is located on the edge of a network. The VPN concentrator establishes multiple connections with multiple hosts. The individual hosts must be able to establish a VPN connection. The hosts can access resources on the VPN server or the private network using the VPN connection.
a. The three types of protocols used by VPNs are:
A carrier protocol (such as IP). A tunneling protocol (such as PPTP or L2TP). A passenger protocol for the data being transmitted.
Point-to-Point Tunneling Protocol (PPTP)
An early tunneling protocol developed by Microsoft. Uses standard authentication protocols, such as Challenge-Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP). Supports TCP/IP only. Encapsulates other LAN protocols and carries the data securely over an IP network. Uses Microsoft's MPPE for data encryption. Is supported by most operating systems and servers. Uses TCP port 1723.
VPNs can be implemented in the following ways:
A host-to-host VPN allows an individual host connected to the internet to establish a VPN connection to another host on the internet. Both devices must be configured for a VPN connection and have the software to encrypt and encapsulate the packets. A site-to-site VPN uses routers on the edge of each site. The routers are configured for a VPN connection and encrypt and decrypt the packets being passed between the sites. With this configuration, individual hosts are unaware of the VPN. A remote access VPN uses a server (called a VPN concentrator) configured to accept VPN connections from individual hosts. An always-on VPN employs the concept that a user is always on VPN, whether physically within the LAN or remotely. There is no turning it on or off. All traffic is basically fully tunneled.
Transport Layer Security (TLS)
A protocol that evolved from SSL and provides privacy and data integrity between two communicating applications. Authenticates the server to the client, using public key cryptography and digital certificates. Encrypts the entire communication session. Uses port 443 or port 30
Virtual Private Network (VPN)
A remote access connection that uses encryption to securely send data over an untrusted network.
Internet Protocol Security (IPsec)
A set of protocols that provides security for Internet Protocol that can be used in conjunction with L2TP or by itself as a VPN solution.
Layer 2 Forwarding (L2F)
A tunneling protocol developed by Cisco to establish virtual private network connections over the internet. Operates at the data link layer (layer 2). Offers mutual authentication. Does not encrypt data. Merged with PPTP to create L2TP.
Tunneling
A type of network protocol that encrypts IP packet contents and encapsulates them for routing through a public network.
Secure Sockets Layer (SSL)
A well-established protocol to secure traffic generated by other IP protocols, such as HTTP, FTP, and email. Authenticates the server to the client, using public key cryptography and digital certificates. Encrypts the entire communication session. Uses port 443, a port that is often already open in most firewalls.
Layer 2 Tunneling Protocol (L2TP)
An open standard for secure multi-protocol routing. Operates at the data link layer (layer 2). Supports multiple protocols (not just IP). Uses IPsec for encryption. Combining L2TP with IPsec (called L2TP/IPsec) provides per-packet data origin authentication (nonrepudiation), replay protection, and data confidentiality. Is not supported by older operating systems. Uses TCP port 1701 and UDP port 500.
IPsec includes two protocols that provide different features.
Authentication Header (AH) provides authentication features. Use AH to enable authentication with IPsec. Encapsulating Security Payload (ESP) provides data encryption. Use ESP to encrypt data.
The following are two styles of VPN Tunnels commonly used:
Full tunnel, which routes all of a user's network traffic through the VPN tunnel. This can sometimes send traffic that is not necessary over the tunnel. Split tunnel, which routes only certain types of traffic, usually determined by destination IP address, through the VPN tunnel. All other traffic is passed through the normal internet connection.
IPsec can be used to secure communications such as:
Host-to-host communications within a LAN. VPN communications through the internet, either by itself or in conjunction with the L2TP VPN protocol. Any traffic supported by the IP protocol, including web, email, Telnet, file transfer, and SNMP traffic, as well as countless others.
Be aware of the following additional characteristics of IPsec:
It functions at the network layer (layer 3) of the OSI model. It uses either digital certificates or pre-shared keys. It generally can't be used when a NAT proxy is deployed.
Implementations that use SSL for VPN tunneling include:
Microsoft's SSTP and Cisco's SSL VPN.
Uses IPsec for encryption. Combining L2TP with IPsec (called L2TP/IPsec) provides:
Per-packet data origin authentication (nonrepudiation). Replay protection. Data confidentiality.
VPNs work by using a tunneling protocol that encrypts packet contents and encapsulates those packets.
The encapsulated packets are routed through the internet using the information in the packet header. When the packet reaches the destination device, the outer wrapping encapsulating the packets and the encryption is removed. Only the destination device is allowed to remove the wrapping and restore the packet to its original form.
To conserve VPN bandwidth and improve latency, many VPN solutions automatically reroute web browsing traffic through the client's default network connection instead of through the VPN tunnel.
This behavior would result in HTTP/HTTPS traffic being transmitted over the insecure open wireless network instead of through the secure VPN tunnel.
IPsec has two modes of operation, based on the relationship of the communicating devices to each other.
Transport mode is used for end-to-end encryption of data. The packet data is protected, but the header is left intact, allowing intermediary devices (such as routers) to examine the packet header and use the information in routing packets. Tunnel mode is used for link-to-link communications. Both the packet contents and the header are encrypted.
A VPN provides an alternative to:
WAN connections. Connections that use telephone lines and a remote access server.
Tunnel endpoints
are devices that can encrypt and decrypt packets. When you create a VPN, you establish a security association between the two tunnel endpoints. These endpoints create a secure virtual communication channel. Only the destination tunnel endpoint can unwrap packets and decrypt the packet content.
Avoid using PPTP with MS-CHAPv2
as this configuration is no longer secure.
If you are using a VPN over an open wireless network and need to access a secure website,
be sure your browser's HTTPS requests go through the VPN connection.
VPNs can also be used to help secure
connections made over open wireless networks.
If you use AH alone,
data is not encrypted.
Many establishments, such as airports, hotels, and restaurants, provide unsecured public Wi-Fi access. Because encryption is not used to secure the wireless connection,
the VPN provides sufficient encryption to secure the connection even though the wireless network itself is not encrypted.
VPN concentrators are advanced
routers that can create and maintain many secure connections to the network through VPN tunnels.
Routers use the decrypted packet headers
to deliver the packet to the destination device. Intermediate routers along the path cannot read the encrypted packet contents.
It is recommended that you use IPsec or SSL
to secure the VPN, as these protocols are relatively secure.
It is generally considered acceptable
to use a VPN connection to securely transfer data over an open Wi-Fi network, as long as strong tunneling ciphers and protocols are used.