A VPN (Virtual Private Network) extends a private network
across a public network, such as the Internet.
A VPN is a network that uses a public telecommunication
infrastructure, such as the Internet, to provide remote offices or individual
users with secure access to their organization's network. A VPN ensures privacy
through security procedures and tunneling protocols such as the Layer Two
Tunneling Protocol (L2TP). Data is encrypted at the sending end and decrypted
at the receiving end.
A VPN connection across the Internet is similar to a wide
area network (WAN) link between sites. From a user perspective, the extended
network resources are accessed in the same way as resources available within
the private network. One major limitation of traditional VPNs is that they are
point-to-point, and do not tend to support or connect broadcast domains. Therefore
communication, software, and networking, which are based on layer 2 and
broadcast packets, such as NetBIOS used in Windows networking, may not be fully
supported or work exactly as they would on a real LAN. Variants on VPN, such as
Virtual Private LAN Service (VPLS), and layer 2 tunneling protocols, are
designed to overcome this limitation.
VPNs allow employees to securely access their company's
intranet while traveling outside the office. Similarly, VPNs securely connect
geographically separated offices of an organization, creating one cohesive
network. VPN technology is also used by individual Internet users to secure
their wireless transactions, to circumvent geo restrictions and censorship, and
to connect to proxy servers for the purpose of protecting personal identity and
location.
A well-designed VPN can greatly benefit a company. For
example, it can:
- Extend geographic connectivity
- Reduce operational costs versus traditional WANs
- Reduce transit times and traveling costs for remote users
- Improve productivity
- Simplify network topology
- Provide global networking opportunities
- Provide telecommuter support
- Provide faster Return On Investment (ROI) than traditional WAN
What features are needed in a well-designed VPN? It should
incorporate these items:
- Security
- Reliability
- Scalability
- Network Management
- Policy Management
Security mechanisms
To prevent disclosure of private information, VPNs typically
allow only authenticated remote access and make use of encryption techniques.
VPNs provide security by the use of tunneling protocols and
through security procedures such as encryption.
The VPN security model provides:
- Confidentiality such that even if the network traffic is sniffed at the packet level (see network sniffer and Deep packet inspection), an attacker would only see encrypted data.
- Sender authentication to prevent unauthorized users from accessing the VPN.
- Message integrity to detect any instances of tampering with transmitted messages.
Secure VPN protocols include the following:
- Internet Protocol Security (IPsec) as initially developed by the Internet Engineering Task Force (IETF) for IPv6, which was required in all standards-compliant implementations of IPv6 before RFC 6434 made it only a recommendation. This standards-based security protocol is also widely used with IPv4 and the Layer 2 Tunneling Protocol. Its design meets most security goals: authentication, integrity, and confidentiality. IPsec uses encryption, encapsulating an IP packet inside an IPsec packet. De-encapsulation happens at the end of the tunnel, where the original IP packet is decrypted and forwarded to its intended destination.
- Transport Layer Security (SSL/TLS) can tunnel an entire network's traffic (as it does in the OpenVPN project and SoftEther VPN project) or secure an individual connection. A number of vendors provide remote-access VPN capabilities through SSL. An SSL VPN can connect from locations where IPsec runs into trouble with Network Address Translation and firewall rules.
- Datagram Transport Layer Security (DTLS)- Used in Cisco AnyConnect VPN and in OpenConnect VPN to solve the issues SSL/TLS has with tunneling over UDP.
- Microsoft Point-to-Point Encryption (MPPE) works with the Point-to-Point Tunneling Protocol and in several compatible implementations on other platforms.
- Microsoft Secure Socket Tunneling Protocol (SSTP) tunnels Point-to-Point Protocol (PPP) or Layer 2 Tunneling Protocol traffic through an SSL 3.0 channel. (SSTP was introduced in Windows Server 2008 and in Windows Vista Service Pack 1.)
- Multi Path Virtual Private Network (MPVPN). Ragula Systems Development Company owns the registered trademark "MPVPN".
- Secure Shell (SSH) VPN- OpenSSH offers VPN tunneling (distinct from port forwarding) to secure remote connections to a network or to inter-network links. OpenSSH server provides a limited number of concurrent tunnels. The VPN feature itself does not support personal authentication.
Authentication
Tunnel endpoints must be authenticated before secure VPN
tunnels can be established. User-created remote-access VPNs may use passwords,
biometrics, two-factor authentication or other cryptographic methods.
Network-to-network tunnels often use passwords or digital certificates. They
permanently store the key to allow the tunnel to establish automatically,
without intervention from the user.
Types of VPN
- Site-to-site VPN
Often abbreviated to S2SVPN. It’s a connection between two
sites and encrypts all traffic between two (or multiple) subnets. There are two
types of S2SVPN:
- Policy-based: Interesting traffic triggers an ACL and is encrypted and sent to the remote VPN peer.
- Routed: Traffic is routed into an encrypted tunnel to the remote VPN peer.
- DMVPN
A DMVPN (Dynamic Multipoint VPN) is not a protocol but more a
technique using different protocols. One or more central hub routers are
required, but the remote (spoke) routers can have dynamic IPs and more can be
added without having to modify the configuration on the hub router(s), or any
other spoke routers. The routers use a next-hop resolution protocol, combined
with a dynamic routing protocol to discover remote peers and subnets. The VPN
itself is a mGRE tunnel (GRE with multiple endpoints) which is encrypted. This
way, traffic between spoke routers does not have to go through the hub router
but can be sent directly from spoke to spoke.
- Client VPN
A Client VPN is an encrypted connection from one device
towards a VPN router. It makes that one remote device appear as a member of a
local subnet behind the VPN router. Traffic is tunneled from the device
(usually a computer or laptop of a teleworker) towards the VPN router so that
user has access to resources inside the company. It requires client software
that needs to be installed and configured.
- SSLVPN
This type of VPN works like a client VPN. The difference is
that the remote client does not need preconfigured software, but instead the
browser acts as VPN software. The browser needs to support active content,
which every modern browser supports, either directly or through a plug-in.
Traffic is tunneled over SSL (or TLS) to the SSLVPN router. From a networking
perspective, traffic is tunneled over layer 4 instead of layer 3. The benefit
is that the remote user does not need to configure anything and can simply log
in to a web page to start the tunnel. The drawback is that you’ll likely need a
dedicated device as the SSLVPN endpoint, because this is not a standard feature.
Protocols?
For secure VPNs:
- General IPsec
- ESP and AH (encryption and authentication headers)
- Key exchange (ISAKMP, IKE, and others)
- Cryptographic algorithms
- IPsec policy handling
- Remote access
- SSL and TLS
For trusted VPNs:
- General MPLS
- MPLS constrained by BGP routing
- Transport of layer 2 frames over MPLS
How VPNs Work?
When planning or extending a VPN, you should consider
the following equipment:
- Network Access Server- A network access server (NAS) is responsible for setting up and maintaining each tunnel in a remote-access VPN.
- Firewall- A firewall provides a strong barrier between your private network and the Internet. IT staff can set firewalls to restrict what type of traffic can pass through from the Internet onto a LAN, and on what TCP and UDP ports. Even without a VPN, a LAN should include a firewall to help protect against malicious Internet traffic.
- AAA Server- The acronym stands for the server's three responsibilities: authentication, authorization and accounting. For each VPN connection, the AAA server confirms who you are (authentication), identifies what you're allowed to access over the connection (authorization) and tracks what you do while you're logged in (accounting).
One widely used standard for AAA servers is Remote
Authentication Dial-in User Service (RADIUS). Despite its name, RADIUS isn't
just for dial-up users. When a RADIUS server is part of a VPN, it handles
authentication for all connections coming through the VPN's NAS.
VPN components can run alongside other software on a shared
server, but this is not typical, and it could put the security and reliability
of the VPN at risk. A small business that isn't outsourcing its VPN services
might deploy firewall and RADIUS software on generic servers. However, as a
business's VPN needs increase, so does its need for equipment that's optimized
for the VPN. The following are dedicated VPN devices a business can add to its
network. You can purchase these devices from companies that produce network
equipment, such as Cisco:
- VPN Concentrator- This device replaces an AAA server installed on a generic server. The hardware and software work together to establish VPN tunnels and handle large numbers of simultaneous connections.
- VPN-enabled/VPN-optimized Router- This is a typical router that delegates traffic on a network, but with the added feature of routing traffic using protocols specific to VPNs.
- VPN-enabled Firewall- This is a conventional firewall protecting traffic between networks, but with the added feature of managing traffic using protocols specific to VPNs.
- VPN Client- This is software running on a dedicated device that acts as the tunnel interface for multiple connections. This setup spares each computer from having to run its own VPN client software.
VPN Technologies
A well-designed VPN uses several methods in order to keep your
connection and data secure.
- Data Confidentiality- This is perhaps the most important service provided by any VPN implementation. Since your private data travels over a public network, data confidentiality is vital and can be attained by encrypting the data. This is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode.
Most VPNs use one of these protocols to provide encryption.
- IPsec- Internet Protocol Security Protocol (IPsec) provides enhanced security features such as stronger encryption algorithms and more comprehensive authentication. IPsec has two encryption modes: tunnel and transport. Tunnel mode encrypts the header and the payload of each packet while transport mode only encrypts the payload. Only systems that are IPsec-compliant can take advantage of this protocol. Also, all devices must use a common key or certificate and must have very similar security policies set up.
For remote-access VPN users, some form of third-party
software package provides the connection and encryption on the user's PC. IPsec
supports either 56-bit (single DES) or 168-bit (triple-DES) encryption.
- PPTP/MPPE- PPTP was created by the PPTP Forum, a consortium which includes US Robotics, Microsoft, 3COM, Ascend, and ECI Telematics. PPTP supports multi-protocol VPNs, with 40-bit and 128-bit encryption using a protocol called Microsoft Point-to-Point Encryption (MPPE). It is important to note that PPTP by itself does not provide data encryption.
- L2TP/IPsec- Commonly called L2TP over IPsec, this provides the security of the IPsec protocol over the tunneling of Layer 2 Tunneling Protocol (L2TP). L2TP is the product of a partnership between the members of the PPTP forum, Cisco, and the Internet Engineering Task Force (IETF). Primarily used for remote-access VPNs with Windows 2000 operating systems, since Windows 2000 provides a native IPsec and L2TP client. Internet Service Providers can also provide L2TP connections for dial-in users, and then encrypt that traffic with IPsec between their access-point and the remote office network server.
- Data Integrity- While it is important that your data is encrypted over a public network, it is just as important to verify that it has not been changed while in transit. For example, IPsec has a mechanism to ensure that the encrypted portion of the packet, or the entire header and data portion of the packet, has not been tampered with. If tampering is detected, the packet is dropped. Data integrity can also involve authenticating the remote peer.
- Data Origin Authentication- It is extremely important to verify the identity of the source of the data that is sent. This is necessary to guard against a number of attacks that depend on spoofing the identity of the sender.
- Anti-Replay- This is the ability to detect and reject replayed packets and helps prevent spoofing.
- Data Tunneling/Traffic Flow Confidentiality- Tunneling is the process of encapsulating an entire packet within another packet and sending it over a network. Data tunneling is helpful in cases where it is desirable to hide the identity of the device originating the traffic. For example, a single device that uses IPsec encapsulates traffic that belongs to a number of hosts behind it and adds its own header on top of the existing packets. By encrypting the original packet and header (and routing the packet based on the additional layer 3 header added on top), the tunneling device effectively hides the actual source of the packet. Only the trusted peer is able to determine the true source, after it strips away the additional header and decrypts the original header. As noted in RFC 2401, "...disclosure of the external characteristics of communication also can be a concern in some circumstances. Traffic flow confidentiality is the service that addresses this latter concern by concealing source and destination addresses, message length, or frequency of communication. In the IPsec context, using ESP in tunnel mode, especially at a security gateway, can provide some level of traffic flow confidentiality."
All the encryption protocols listed here also use tunneling
as a means to transfer the encrypted data across the public network. It is
important to realize that tunneling, by itself, does not provide data security.
The original packet is merely encapsulated inside another protocol and might
still be visible with a packet-capture device if not encrypted. It is mentioned
here, however, since it is an integral part of how VPNs function.
Tunneling requires three different protocols:
- Passenger Protocol- The original data (IPX, NetBEUI, IP) that is carried.
- Encapsulating Protocol- The protocol (GRE, IPsec, L2F, PPTP, L2TP) that is wrapped around the original data.
- Carrier Protocol- The protocol used by the network over which the information is traveling.
The original packet (Passenger protocol) is encapsulated
inside the encapsulating protocol, which is then put inside the carrier
protocol's header (usually IP) for transmission over the public network. Note
that the encapsulating protocol also quite often carries out the encryption of
the data. Protocols such as IPX and NetBEUI, which would normally not be
transferred across the Internet, can safely and securely be transmitted.
For site-to-site VPNs, the encapsulating protocol is usually
IPsec or Generic Routing Encapsulation (GRE). GRE includes information on what
type of packet you are encapsulating and information about the connection
between the client and server.
For remote-access VPNs, tunneling normally takes place using
Point-to-Point Protocol (PPP). Part of the TCP/IP stack, PPP is the carrier for
other IP protocols when communicating over the network between the host
computer and a remote system. PPP tunneling will use one of PPTP, L2TP or
Cisco's Layer 2 Forwarding (L2F).
- AAA- AAA (Authentication, Authorization and Accounting) is used for more secure access in a remote-access VPN environment. Without user authentication, anyone who sits at a laptop/PC with pre-configured VPN client software can establish a secure connection into the remote network. With user authentication however, a valid username and password also has to be entered before the connection is completed. Usernames and passwords can be stored on the VPN termination device itself, or on an external AAA server, which can provide authentication to numerous other databases such as Windows NT, Novell, LDAP, and so on.
When a request to establish a tunnel comes in from a dial-up
client, the VPN device prompts for a username and password. This can then be
authenticated locally or sent to the external AAA server, which checks:
- Who you are (Authentication)
- What you are allowed to do (Authorization)
- What you actually do (Accounting)
The Accounting information is especially useful for tracking client
use for security auditing, billing or reporting purposes.
- Nonrepudiation- In certain data transfers, especially those related to financial transactions, nonrepudiation is a highly desirable feature. This is helpful in preventing situations where one end denies having taken part in a transaction. Much like a bank requires your signature before honoring your check, nonrepudiation works by attaching a digital signature to the sent message, thus precluding the possibility of the sender denying participation in the transaction.
A number of protocols exist that can be used to build a VPN
solution. All of these protocols provide some subset of the services listed in
this document. The choice of a protocol depends on the desired set of services.
For example, an organization might be comfortable with the data being
transferred in clear text but extremely concerned about maintaining its
integrity, while another organization might find maintaining data
confidentiality absolutely essential. Their choice of protocols might thus be
different.
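The passenger/encapsulating/carrier layering, the tunnel-versus-transport distinction and the integrity check that drops tampered packets, shown in an added Python example (not code from this page, from Cisco or from any real VPN product). It reuses the lab addresses from the configuration example at the end of this page; the 9-byte IP header and the HMAC-SHA256 counter-mode keystream standing in for AES are simplifying assumptions, and real ESP also adds padding and runs an anti-replay check on the sequence number.

```python
import hashlib, hmac, os, socket, struct

PROTO_IPIP, PROTO_TCP, PROTO_ESP = 4, 6, 50     # IP protocol numbers
ICV_LEN = 16                                    # truncated HMAC-SHA256 integrity check value

def ip_header(src, dst, proto):
    """Simplified 9-byte IP header (src, dst, protocol), constructed for this demo."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + bytes([proto])

def parse_ip(pkt):
    return socket.inet_ntoa(pkt[:4]), socket.inet_ntoa(pkt[4:8]), pkt[8], pkt[9:]

def keystream(key, iv, n):
    """HMAC-SHA256 in counter mode: a stdlib stand-in for AES-CTR (assumption)."""
    blocks = [hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class EspSA:
    """One unidirectional ESP security association, as negotiated in IKE phase 2."""

    def __init__(self, spi, enc_key, auth_key, mode, local, peer):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.mode, self.local, self.peer, self.seq = mode, local, peer, 0

    def protect(self, pkt):
        src, dst, proto, payload = parse_ip(pkt)    # passenger packet
        if self.mode == "tunnel":
            inner, nxt = pkt, PROTO_IPIP            # whole packet, header included, is encrypted
        else:
            inner, nxt = payload, proto             # transport: only the L4 payload is encrypted
        self.seq += 1
        iv = os.urandom(8)
        plain = inner + bytes([nxt])                # ESP trailer: next-header byte (padding omitted)
        body = (struct.pack("!II", self.spi, self.seq) + iv
                + xor(plain, keystream(self.enc_key, iv, len(plain))))
        icv = hmac.new(self.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        # Carrier header: gateway addresses in tunnel mode, the original ones in transport mode.
        src_out, dst_out = (self.local, self.peer) if self.mode == "tunnel" else (src, dst)
        return ip_header(src_out, dst_out, PROTO_ESP) + body + icv

    def unprotect(self, pkt):
        src, dst, proto, esp = parse_ip(pkt)
        body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
        expect = hmac.new(self.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        if proto != PROTO_ESP or not hmac.compare_digest(expect, icv):
            raise ValueError("ESP integrity check failed: packet dropped")
        plain = xor(body[16:], keystream(self.enc_key, body[8:16], len(body) - 16))
        inner, nxt = plain[:-1], plain[-1]          # SPI/sequence in body[:8] are not checked here
        if nxt == PROTO_IPIP:                       # tunnel mode: original packet restored whole
            return inner
        return ip_header(src, dst, nxt) + inner     # transport mode: restore the protocol field

def demo(mode):
    """Protect a constructed PC1->PC2 packet between R1 and R2; return (outer src, outer dst, round trip ok, tamper rejected)."""
    enc_key, auth_key = os.urandom(32), os.urandom(32)   # in practice derived by IKE
    tx = EspSA(0x1001, enc_key, auth_key, mode, "101.1.1.100", "102.1.1.100")
    rx = EspSA(0x1001, enc_key, auth_key, mode, "102.1.1.100", "101.1.1.100")
    original = ip_header("192.168.101.100", "192.168.102.100", PROTO_TCP) + b"GET / HTTP/1.0"
    wire = tx.protect(original)
    osrc, odst, _, _ = parse_ip(wire)               # what a sniffer on the ISP link sees
    restored = rx.unprotect(wire)
    flipped = bytearray(wire); flipped[-ICV_LEN - 4] ^= 1   # one ciphertext bit changed in transit
    try:
        rx.unprotect(bytes(flipped)); rejected = False
    except ValueError:
        rejected = True
    return osrc, odst, restored == original, rejected
```

In tunnel mode the sniffer sees only the R1/R2 gateway addresses and protocol 50, while in transport mode the PC addresses stay visible and only the payload is hidden.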
Site-to-Site or LAN-to-LAN VPN
It provides secure IP communication over an insecure network between
two branches.
IPSec/VPN
- IKE (Internet Key Exchange)
- ESP (Encapsulating Security Payload)
- AH (Authentication Header)
VPN Features
- Confidentiality- Data is kept secret using encryption: DES, 3DES, AES.
- Integrity- Ensures your data is not altered during transmission, using a hash: MD5, SHA.
- Data Origin Authentication- Both devices authenticate each other using a pre-shared key or a certificate.
- Anti-Replay- Data that arrives late is treated as altered and is dropped. Time & volume.
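The anti-replay service listed above (and in the Anti-Replay item of the VPN Technologies section) is implemented in ESP and AH with a sliding window over the sequence number, as specified in RFC 4303. The following is an added Python example, not code from the page; the 64-packet window matches the Cisco IOS default and the sample trace is constructed.

```python
class AntiReplayWindow:
    """Sliding-window replay check as used by ESP and AH (RFC 4303)."""

    def __init__(self, size=64):           # 64 packets is the Cisco IOS default window
        self.size = size
        self.top = 0                       # highest sequence number accepted so far
        self.bitmap = 0                    # bit i set  <=>  sequence number (top - i) was seen

    def check_and_update(self, seq):
        """Return True (and record seq) if the packet is new; False if it must be dropped."""
        if seq == 0:
            return False                   # sequence number 0 is never sent on an SA
        if seq > self.top:                 # newest so far: slide the window forward
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                   # older than the window: "arrived late", dropped
        if self.bitmap & (1 << offset):
            return False                   # already seen inside the window: a replay
        self.bitmap |= 1 << offset         # late but in-window and new: accepted
        return True

def classify_trace(seqs, size=64):
    """Feed received sequence numbers through one window; return (seq, verdict) pairs."""
    win = AntiReplayWindow(size)
    return [(s, "accept" if win.check_and_update(s) else "drop") for s in seqs]

# Constructed trace: in-order delivery, a reordered in-window packet (4 after 5),
# a replay of 3, a jump past the window (70), a stale packet (6), and a late
# packet (37) that is still inside the 64-wide window after 100 was received.
SAMPLE_TRACE = [1, 2, 3, 5, 4, 3, 70, 6, 100, 36, 37]

if __name__ == "__main__":
    for seq, verdict in classify_trace(SAMPLE_TRACE):
        print(f"seq {seq:>3}: {verdict}")
```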
IKE- IKE provides a framework to exchange the security parameters
and policies between two VPN peers.
| IKE Mode                | IKE Phase |
|-------------------------|-----------|
| Main Mode or Aggressive | Phase 1   |
| Quick Mode              | Phase 2   |
- Main Mode- In main mode the exchange (six messages) is divided into three steps.
(Note: Proposal = security parameters and policies.)
- Aggressive Mode
- The initiator sends its own proposal and secret to the responder.
- The responder authenticates it and sends its own proposal and secret to the initiator.
- The initiator authenticates the session.
- Quick Mode– In quick mode the peers re-check their security parameters and policies.
Phase 1
In IKE Phase 1 the peers create a single bidirectional IKE tunnel.
Phase 2
In IKE Phase 2 they create multiple unidirectional IPsec tunnels.
| VPN Feature                     | ESP               | AH                |
|---------------------------------|-------------------|-------------------|
| Confidentiality                 | Yes               | No                |
| Integrity                       | Yes               | Yes               |
| Data Origin Authentication (DOA)| Yes               | Yes               |
| Anti Replay                     | In protocol No 50 | In protocol No 50 |
IPsec modes
- Transport Mode (protects L4 and upper layers)
- Tunnel Mode (protects L3 and upper layers): site-to-site, GET VPN
- ISAKMP– Internet Security Association and Key Management Protocol.
IKE is a management protocol. It uses another protocol for
key exchange, called ISAKMP, which uses UDP port 500.
Example
PC1(config)#int fa0/0
PC1(config-if)#ip add 192.168.101.100 255.255.255.0
PC1(config-if)#no shut
PC1(config-if)#exit
PC1(config)#ip route 0.0.0.0 0.0.0.0 192.168.101.1
PC2(config)#int fa0/0
PC2(config-if)#ip add 192.168.102.100 255.255.255.0
PC2(config-if)#no shut
PC2(config-if)#exit
PC2(config)#ip route 0.0.0.0 0.0.0.0 192.168.102.1
R1(config)#int fa0/0
R1(config-if)#ip add 192.168.101.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#int s0/0
R1(config-if)#ip add 101.1.1.100 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 101.1.1.1
R1#sh ip route static
ISP(config)#int s0/0
ISP(config-if)#ip add 101.1.1.1 255.255.255.0
ISP(config-if)#no shut
ISP(config-if)#int s0/1
ISP(config-if)#ip add 102.1.1.1 255.255.255.0
ISP(config-if)#no shut
R2(config)#int fa0/0
R2(config-if)#ip add 192.168.102.1 255.255.255.0
R2(config-if)#no shut
R2(config-if)#int s0/0
R2(config-if)#ip add 102.1.1.100 255.255.255.0
R2(config-if)#no shut
R2(config-if)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 102.1.1.1
R2#sh ip route static
R2#ping 101.1.1.100
Successful
R2#ping 192.168.102.100
Successful
R2#ping 102.1.1.100
Successful
R1#ping 192.168.101.100
Successful
! The ISP has no routes for the 192.168.x.x LANs, so LAN-to-LAN traffic needs the tunnel
PC1#ping 192.168.102.100
! Phase 1 (ISAKMP/IKE) policy on R1
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption aes
R1(config-isakmp)#hash sha
R1(config-isakmp)#group 5
R1(config-isakmp)#lifetime 1800
R1(config-isakmp)#exit
! Pre-shared key "mani" for peer R2
R1(config)#crypto isakmp key mani address 102.1.1.100
! Phase 2 (IPsec) transform set: ESP with AES encryption and SHA-1 HMAC integrity
R1(config)#crypto ipsec transform-set t-set esp-aes esp-sha-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec security-association lifetime seconds 1800
! Interesting traffic: only LAN1 to LAN2 packets are encrypted
R1(config)#access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
! Crypto map ties peer, transform set and ACL together; applied on the outside interface
R1(config)#crypto map test 10 ipsec-isakmp
R1(config-crypto-map)#set peer 102.1.1.100
R1(config-crypto-map)#set transform-set t-set
R1(config-crypto-map)#match address 101
R1(config-crypto-map)#exit
R1(config)#int s0/0
R1(config-if)#crypto map test
R1#sh his
! Mirror configuration on R2: same policy, key and lifetimes, with peer and ACL reversed
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#encryption aes
R2(config-isakmp)#hash sha
R2(config-isakmp)#group 5
R2(config-isakmp)#lifetime 1800
R2(config-isakmp)#exit
R2(config)#crypto isakmp key mani address 101.1.1.100
R2(config)#crypto ipsec transform-set ttt esp-aes esp-sha-hmac
R2(cfg-crypto-trans)#mode tunnel
R2(cfg-crypto-trans)#exit
R2(config)#crypto ipsec security-association lifetime seconds 1800
R2(config)#access-list 102 permit ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255
R2(config)#crypto map test 10 ipsec-isakmp
R2(config-crypto-map)#set peer 101.1.1.100
R2(config-crypto-map)#set transform-set ttt
R2(config-crypto-map)#match address 102
R2(config-crypto-map)#exit
R2(config)#int s0/0
R2(config-if)#crypto map test
R2#sh his
! Traffic matching the ACL now triggers IKE and is carried through the tunnel
PC1#ping 192.168.102.100 repeat 300