What Is Needed to Build a VPN?

1
What Is Needed to Build a VPN?

• An existing network with servers and workstations
  
• Connection to the Internet
• VPN gateways (i.e., routers, PIX, ASA, VPN
  concentrators) that act as endpoints to
  establish, manage, and control VPN connections
• Software to create and manage tunnels

2
(No Transcript)
3
Overlay and Peer-to-Peer VPNs

• Overlay VPNsService providers (SPs) are the most
  common users of the overlay VPN model.
• The design and provisioning of virtual circuits
  (VC) across the backbone is complete prior to any
  traffic flow.
• In the case of an IP network, this means that
  even though the underlying technology is
  connectionless, it requires a connection-oriented
  approach to provision the service.

4
L2 overlay VPN

• L2 overlay VPNs are independent of the network
  protocol used by the customer meaning that the
  VPN is not limited to carrying IP traffic.
• If the carrier offers the appropriate ATM
  service, the overlay VPN will carry any kind of
  information.
• Frame Relay VPNs are normally limited to data
  applications, although voice over Frame Relay
  customer premises equipment (CPE) devices may be
  useable on some services.

5
L3 overlay VPN

• L3 Overlay VPNs most often use an IP in IP
  tunneling scheme using Point to Point Tunneling
  Protocol (PPTP), Layer 2 Tunneling Protocol
  (L2TP), and IP security (IPsec).

6
(No Transcript)
7
CPE-Based VPN (Peer-to-Peer)

• CPE-based VPN is another name for an L3 VPN.
• The VPN is implemented using CPE.
• In this way, a customer creates a VPN across an
  Internet connection without any specific
  knowledge or cooperation from the service
  provider.
• The customer gains the advantage of increased
  privacy using an inexpensive Internet connection.

8
(No Transcript)
9
SP-Provisioned VPN

• The introduction of Multiprotocol Label Switching
  (MPLS) combines the benefits of overlay VPNs
  (security and isolation among customers) with the
  benefits of the simplified routing of a
  peer-to-peer VPN.
• MPLS VPN provides simpler customer routing,
  simpler service provider provisioning and a
  number of possible topologies that are hard to
  implement in either the overlay or peer-to-peer
  VPN models.
• MPLS also adds the benefits of a
  connection-oriented approach to the IP routing
  paradigm, through the establishment of
  label-switched paths that are created based on
  topology information rather than traffic flow.

10

• The Provider Core (P) and the Customer Edge (CE)
  routers are assumed to be unaware of any VPN
  protocols or procedures.
• Only the Provider Edge (PE) routers need to be
  provisioned to support the VPNs.

11
3 Types of VPN
12
(No Transcript)
13
(No Transcript)
14
Characteristics of a Secure VPNs
15
VPN Security Encapsulation

• Three different protocols that tunnelling uses
• Carrier protocol The protocol the information is
  travelling over.
• Encapsulating protocol The protocol (GRE, IPsec,
  L2F, PPTP, L2TP) that is wrapped around the
  original data. Not all protocols offer the same
  level of security.
• Passenger protocol The original data (IPX,
  AppleTalk, IPv4, IPv6).

16
VPN Security IPsec and GRE

• 1. Tunnel mode 2. Transport mode
• Tunnel mode encrypts the header and the payload
  of each packet
• Transport mode only encrypts the payload.
• Only systems that are IPsec-compliant can take
  advantage of transport mode.
• Additionally, all devices must use a common key
  and the firewalls of each network must be set up
  with very similar security policies.
• IPsec can encrypt data between various devices,
  including router to router, firewall to router,
  PC to router, and PC to server

17
Symmetric Encryption Algorithm

• Symmetric-key encryption, also called secret key
  encryption, works when each computer has a secret
  key (code) that the computer uses to encrypt
  information before the information is sent over
  the network to another computer.
• Symmetric-key encryption requires that someone
  know which computers will be talking to each
  other so that the person can configure the key on
  each computer.
• Symmetric-key encryption is a secret code, or
  key, that each of the two computers must know to
  decode the information.

18
Asymmetric Encryption Algorithm

• Uses different keys for encryption and
  decryption.
• Knowing one of the keys does not allow a hacker
  to deduce the second key and decode the
  information.
• One key encrypts the message, while a second key
  decrypts the message. It is not possible to
  encrypt and decrypt with the same key.
• Public-key encryption uses a combination of a
  private key and a public key.
• Only the sender knows the private key.
• The sender gives a public key to any recipient
  that the sender with whom he wants to
  communicate.
• To decode an encrypted message, the recipient
  must use the public key, provided by the
  originating sender, and the recipients own
  private key.

19
VPN Security Authentication

• Username and password Uses the predefined
  usernames and passwords for different users or
  systems.
• One Time Password (OTP) (Pin/Tan) A stronger
  authentication method than username and password,
  this method uses new passwords that are generated
  for each authentication.
• Biometric Biometrics usually refers to
  technologies that are used for measuring and
  analyzing human body characteristics such as
  fingerprints, eye retinas and irises, voice
  patterns, facial patterns, and hand measurements,
  especially for authentication purposes.
• Pre-shared keys This method uses a secret key
  value, manually entered into each peer, and then
  used to authenticate the peers.
• Digital certificates Use the exchange of digital
  certificates to authenticate the peers.

20
What is IPSEC?
21
IPsec Protocols

• IKE Provides a framework for the negotiation of
  security parameters and establishes authenticated
  keys. IPsec uses symmetrical encryption
  algorithms for data protection, which are more
  efficient and easier to implement in hardware
  than other types of algorithms. These algorithms
  need a secure method of key exchange to ensure
  data protection. The IKE protocols provide the
  capability for secure key exchange.
• AH The IP Authentication Header (AH) provides
  connectionless integrity and data origin
  authentication for IP datagrams and optional
  protection against replays. AH is embedded in the
  data that needs to be protected. ESP has replaced
  the AH protocol, and AH is no longer used very
  often in IPsec.
• ESP Encapsulating Security Payload (ESP)
  provides a framework for encrypting,
  authenticating, and securing data. ESP provides
  data privacy services, optional data
  authentication, and anti-replay services. ESP
  encapsulates the data that needs protection. Most
  IPsec implementations use the ESP protocol.

22
Site-to-Site IPsec VPN Operations

• Step 1 Interesting traffic initiates the IPsec
  process Traffic is deemed interesting when the
  VPN device recognizes that the traffic you want
  to send needs protection.
• Step 2 IKE Phase 1 IKE authenticates IPsec peers
  and negotiates IKE SAs during this phase, setting
  up a secure communications channel for
  negotiating IPsec SAs in Phase 2.
• Step 3 IKE Phase 2 IKE negotiates IPsec SA
  parameters and sets up matching IPsec SAs in the
  peers. These security parameters are used to
  protect data and messages that are exchanged
  between endpoints.
• Step 4 Data transfer Data is transferred between
  IPsec peers based on the IPsec parameters and
  keys that are stored in the SA database.
• Step 5 IPsec tunnel termination IPsec SAs
  terminate through deletion or by timing out.

23
Step 2 IKE Phase 1

• First exchange The two peers negotiate and agree
  on which algorithms and hashes to use to secure
  the IKE communications.
• Second exchange A Diffie-Hellman exchange
  generates shared secret keys and pass nonces (a
  nonce is a value used only once by a computer
  security system). A random number sent by one
  party to another party, signed, and returned to
  the first party proves the second partys
  identity. Once created, the shared secret key is
  used to generate all the other encryption and
  authentication keys.
• Third exchange In this exchange, each peer
  verifies the identity of the other side by
  authenticating the remote peer.

24
Step 3 IKE Phase 2

• Negotiates IPsec security parameters and IPsec
  transform sets
• Establishes IPsec SAs
• Periodically renegotiates IPsec SAs to ensure
  security
• Optionally, performs an additional
  Diffie-Hellmann exchange

25
IPsec Tunnel Operation

• The last two steps in IPsec involve transferring
  the data and then closing the connection
• Data Transfer After IKE Phase 2 is complete and
  quick mode has established IPsec SAs, traffic is
  exchanged between Host A and Host B via a secure
  tunnel as shown in Figure . Interesting traffic
  is encrypted and decrypted according to the
  security services that are specified in the IPsec
  SA.
• IPsec Tunnel Termination IPsec SAs terminate
  through deletion or by timing out. An SA can time
  out when a specified number of seconds has
  elapsed or when a specified number of bytes have
  passed through the tunnel. When the SAs
  terminate, the keys are also discarded.

26
Configuring a Site-to-Site IPsec VPN

• Step 1 Configure the ISAKMP policy that is
  required to establish an IKE tunnel.
• Step 2 Define the IPsec transform set. The
  definition of the transform set defines the
  parameters for the IPsec tunnel, such as
  encryption and integrity algorithms.
• Step 3 Create a crypto access control list (ACL).
  The crypto ACL identifies the traffic to be
  forwarded through the IPsec tunnel.
• Step 4 Create a crypto map. The crypto map
  combines the previously configured parameters
  together and defines the IPsec peer device.
• Step 5 Apply the crypto map to the outgoing
  interface of the VPN device.
• Step 6 Configure an ACL and apply the list to the
  interface. Typically, edge routers are configured
  with restrictive ACLs that could inadvertently
  block the IKE or IPsec protocols.

27
(No Transcript)
28
(No Transcript)
29
(No Transcript)
30
(No Transcript)
31
(No Transcript)