NETWORK SECURITY
VIRTUAL PRIVATE NETWORK
Compiled from
CCNA Certification All-In-One For Dummies by Silviu Angelescu &
CCNA Cisco Certified Network Associate Study Guide, Seventh Edition (Exam 640-802) by Todd Lammle
CONTENTS
Introduction
VPN Data security
Types of VPNs
INTRODUCTION
A VPN is a private network established using a public network infrastructure, such as the Internet.
The main purpose of Virtual Private Networks is to provide a cost-effective, secure, and highly scalable means of connecting remote sites.
The Internet is an open, public resource; thus, sensitive corporate data must be protected.
VPNs provide methods to ensure that data is protected from eavesdropping, manipulation, and outright theft.
Establishing this virtual connection between two endpoints is known as tunneling.
CONNECTION DATA SECURITY
VPNs must provide secure lines of communication by implementing the following security measures:
Access control: Denying unauthorized users access to the corporate network.
Data origin authentication: A method of verifying the sender's identity to prevent spoofing or other attacks, using IP Security (IPsec), certificates, or the exchange of pre-shared keys.
Data confidentiality: Ensuring that sensitive corporate data is not copied or read by unauthorized users.
Data integrity: Ensuring that source data reaches the proper destination unaltered while in transit over public infrastructure.
TYPES OF VPNS
Remote access VPNs: Remote access VPNs allow remote users such as telecommuters to securely access the corporate network wherever and whenever they need to.
Site-to-site VPNs: Site-to-site VPNs, or intranet VPNs, allow a company to connect its remote sites to the corporate backbone securely over a public medium like the Internet instead of requiring more expensive WAN connections like Frame Relay.
Extranet VPNs / Business Partner VPNs: Extranet VPNs allow an organization's suppliers, partners, and customers to be connected to the corporate network in a limited way for business-to-business (B2B) communications.
METHODS FOR VPN CREATION
A VPN can be implemented using one of the following methods:
IPsec: mainly used for site-to-site VPNs.
Secure Sockets Layer (SSL): mainly used for remote access VPNs.
IPSEC
IPsec is a Layer 3 (network layer) suite of protocols that provides security services for IP traffic.
IPsec provides data confidentiality (encryption), integrity, and authentication between communication endpoints across IP-based networks.
The two primary security protocols used by IPsec are Authentication Header (AH) and Encapsulating Security Payload (ESP).
The AH protocol provides authentication for both the data and the IP header of a packet, using a one-way hash computed over the packet.
ESP provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and limited traffic-flow confidentiality.
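The following is an added illustration (not code from either CCNA book) of how AH can authenticate the IP header together with the payload: fields that routers legitimately change in transit (TOS/DSCP, flags and fragment offset, TTL, header checksum) are zeroed before the keyed one-way hash (HMAC-SHA-256, truncated to 128 bits as IPsec does) is computed, while the addresses remain covered. It is simplified in that the AH header itself is not included in the hashed data, and the key is a constructed sample value.

```python
import hashlib
import hmac
import struct

# Constructed sample integrity key; in IPsec it comes from the SA (IKE or manual keying).
AH_KEY = b"constructed-ah-integrity-key"

def build_ipv4_header(src, dst, ttl, proto=51, total_len=64):
    """Minimal 20-byte IPv4 header without options; checksum left 0.
    Protocol number 51 is AH."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                       ttl, proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))

def ah_authenticated_view(ip_header):
    """Zero the IPv4 fields AH treats as mutable in transit (TOS/DSCP,
    flags + fragment offset, TTL, header checksum) so hop-by-hop changes
    do not invalidate the ICV. Addresses and protocol stay covered."""
    h = bytearray(ip_header)
    h[1] = 0               # TOS / DSCP
    h[6:8] = b"\x00\x00"   # flags + fragment offset
    h[8] = 0               # TTL
    h[10:12] = b"\x00\x00" # header checksum
    return bytes(h)

def ah_icv(key, ip_header, payload):
    """Keyed one-way hash over the immutable header view plus the payload,
    truncated to 128 bits (HMAC-SHA-256-128 as used by IPsec)."""
    mac = hmac.new(key, ah_authenticated_view(ip_header) + payload, hashlib.sha256)
    return mac.digest()[:16]

def ah_verify(key, ip_header, payload, icv):
    """Receiver recomputes the ICV and compares in constant time."""
    return hmac.compare_digest(ah_icv(key, ip_header, payload), icv)
```

A TTL decrement along the path leaves the ICV valid, whereas a NAT device rewriting an address does not, which is why AH does not traverse NAT.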
[Figure: IPsec header in tunnel mode]
Confidentiality: Confidentiality is provided through the use of symmetric encryption algorithms like DES or 3DES. Confidentiality can be selected separately from all other services, but the confidentiality selected must be the same on both endpoints of your VPN.
Data origin authentication and connectionless integrity: These are joint services offered as an option in conjunction with the likewise optional confidentiality.
Anti-replay service: You can only use the anti-replay service if data origin authentication is selected. Anti-replay election is based upon the receiver, meaning the service is effective only if the receiver checks the sequence number.
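As an added example (not from either CCNA book) of why anti-replay depends on both the receiver and on data origin authentication, the class below implements a receiver-side sliding window in the style of RFC 4303: the sequence number is checked cheaply first, the ICV is verified, and only an authenticated packet is allowed to advance the window or mark a sequence number as received. The ICV here is a simplified HMAC over sequence number and payload, and the key is a constructed sample value.

```python
import hashlib
import hmac
import struct

def esp_icv(key, seq, payload):
    """HMAC-SHA-256 over sequence number + payload, truncated to 96 bits like
    ESP's ICV (simplified: the real ICV also covers the SPI and padding)."""
    mac = hmac.new(key, struct.pack("!I", seq) + payload, hashlib.sha256)
    return mac.digest()[:12]

class EspReceiver:
    """RFC 4303 style receiver-side anti-replay window over 32-bit sequence
    numbers. The window moves only after the ICV verifies, so a forged packet
    can neither advance it nor mark a sequence number as already received."""

    def __init__(self, key, window=64):
        self.key = key
        self.window = window
        self.highest = 0   # highest authenticated sequence number so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) received

    def _window_status(self, seq):
        if seq > self.highest:
            return "new"
        back = self.highest - seq
        if back >= self.window:
            return "too old"
        if self.bitmap & (1 << back):
            return "replay"
        return "in window"

    def accept(self, seq, payload, icv):
        """Return (accepted, reason); the window is updated only on success."""
        if seq == 0:
            return False, "invalid sequence number"  # first packet on an SA is 1
        status = self._window_status(seq)  # cheap check before any crypto
        if status in ("too old", "replay"):
            return False, status
        if not hmac.compare_digest(esp_icv(self.key, seq, payload), icv):
            return False, "integrity check failed"  # window untouched
        if status == "new":
            shift = seq - self.highest
            mask = (1 << self.window) - 1
            self.bitmap = 1 if shift >= self.window else ((self.bitmap << shift) | 1) & mask
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return True, status
```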
ENCRYPTION
IPsec uses various types of algorithms to perform encryption:
Symmetric encryption: This encryption requires a shared secret to encrypt and decrypt. Each computer encrypts the data before sending it across the network, and the same key is used to both encrypt and decrypt the data. Examples of symmetric-key encryption are Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES).
Asymmetric encryption: Devices that use asymmetric encryption use different keys for encryption than they do for decryption. These keys are called private and public keys.
Private keys encrypt a hash of the message to create a digital signature, which is then verified (via decryption) using the public key.
Public keys encrypt a symmetric key for secure distribution to the receiving host, which then decrypts that symmetric key using its exclusively held private key.
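To make the two uses of a key pair described above concrete, here is an added example (not from either CCNA book) in textbook RSA with the Python standard library: the private key "encrypts" a message hash to form a signature that the public key verifies, and the public key encrypts a symmetric key that only the private key can unwrap. The primes are constructed and far too small for real use, there is no padding, and pow(e, -1, phi) assumes Python 3.8 or later.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Textbook RSA key pair from two primes (toy sizes, no padding).
    Returns (public_key, private_key)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)

def message_hash(message, n):
    """One-way hash of the message, reduced under the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message):
    """Private key 'encrypts' the hash: this is the digital signature."""
    d, n = private_key
    return pow(message_hash(message, n), d, n)

def verify(public_key, message, signature):
    """Public key 'decrypts' the signature and compares it with a fresh hash."""
    e, n = public_key
    return pow(signature, e, n) == message_hash(message, n)

def wrap_symmetric_key(public_key, sym_key):
    """Public key encrypts the symmetric (DES/3DES/AES) key for distribution."""
    e, n = public_key
    k = int.from_bytes(sym_key, "big")
    if k >= n:
        raise ValueError("symmetric key does not fit under the modulus")
    return pow(k, e, n)

def unwrap_symmetric_key(private_key, wrapped, key_len):
    """Only the holder of the private key recovers the symmetric key."""
    d, n = private_key
    return pow(wrapped, d, n).to_bytes(key_len, "big")
```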
ADVANTAGES OF IPSEC
Performance: Only IP packets traversing public (insecure) networks are encrypted. This provides high performance by only encrypting necessary data between insecure networks.
Network layer security: IPsec operates at the network layer and does not require modification of TCP/IP applications to secure them.
Scalability: IPsec VPNs may be implemented over any IP-capable network backbone such as the Internet. Simple deployment also provides organizations with operational cost reduction benefits.
Versatility: Implements various security mechanisms such as data authentication, encryption, digital integrity checking, and replay protection, which prevents duplication of old transactions and mitigates denial-of-service attacks.
Universal acceptance: IPsec is an industry-recognized IETF standard and is supported by most operating systems.
Application independence: IPsec is transparent to applications (and upper OSI layers) and is not assigned to any one specific application.
IPSEC DISADVANTAGES
Performance: IPsec may require large amounts of processing power on VPN endpoints (gateways) to encrypt, decrypt, and authenticate traffic.
Security: Because IPsec relies on public keys, its security depends on secure key management. Compromised keys eliminate the security integrity and benefits of IPsec.
Complexity: The vast configuration options of IPsec make it very flexible, but also overly complex. Configuration errors can expose the corporate network to unnecessary security risks and introduce weaknesses in the VPN.
Firewall restrictions: Connecting to an organization's own network from an off-site location may not be possible due to corporate firewall restrictions (blocking IPsec-specific UDP ports).
Management: IPsec employs digital signature authentication, which relies on a public key infrastructure (PKI). PKI requires considerable implementation planning and administrative management.
SSL
SSL operates at Layer 4 (transport) of the OSI model to authenticate and encrypt Hypertext Transfer Protocol (HTTP) traffic.
By allowing secure VPN communications from any web browser between the internal corporate network and the remote user, SSL eliminates IPsec's requirement to install third-party VPN client software.
SSL ADVANTAGES
Interoperability: SSL is supported by a variety of device and software manufacturers and allows operability between different vendors and applications.
Management: SSL makes deployment, management, and administration tasks extremely simple and effective. No additional client software installation is required.
Cost: The clientless architecture of SSL allows a cheaper deployment alternative than IPsec-based VPNs. No special client software licenses or other expensive hardware is needed.
Granular structure: Provides finely detailed client access policies based on user identity and profile. This allows an administrator to be very specific when defining the corporate VPN. SSL allows narrowing down authenticated user access to specific data, applications, and servers.
Firewall and NAT operation: SSL uses TCP port 443 (HTTPS), which is open on most networks, allowing SSL VPNs to operate without extra administrative overhead.
Security: By allowing access only to certain applications, the exposed attack surface is reduced and the threat of attack is minimized.
Application layer functionality: Unlike IPsec, which operates at the OSI network layer, SSL eliminates IP-based address management problems by operating at the transport layer and provides services to the upper layers.
REFERENCES
Angelescu, Silviu. "Chapter 4 - Introducing Virtual Private Networks (VPNs)". CCNA Certification All-In-One For Dummies. John Wiley & Sons. © 2010. Books24x7. <http://common.books24x7.com/toc.aspx?bookid=40605> (accessed April 16, 2012).
Lammle, Todd. "Chapter 16 - Wide Area Networks". CCNA Cisco Certified Network Associate Study Guide, Seventh Edition (Exam 640-802). Sybex. © 2011. Books24x7. <http://common.books24x7.com/toc.aspx?bookid=41059> (accessed April 16, 2012).