Network Security v1.0 - Module 18 (VPNs)

Module 18: VPNs

VPN Overview:
  • Purpose of VPNs:

    • VPNs create secure, encrypted connections between sites or remote users over public networks like the Internet. This ensures confidentiality and integrity of data transmitted over these insecure networks.

    • Types of VPNs:

      • Site-to-Site VPN: Established between two or more VPN gateways. The traffic is encrypted between the gateways, and internal hosts are unaware of the VPN.

      • Remote-Access VPN: Provides secure access to the network for individual remote users; commonly used to connect mobile workers or remote offices.

VPN Topologies:
  • Site-to-Site VPNs:

    • The VPN tunnel is established between fixed devices (VPN gateways) and traffic is encrypted only between these devices.

    • Commonly used for inter-site connections, allowing remote locations to access main network resources securely.

  • Remote-Access VPNs:

    • Initiated by the client, and can be clientless (e.g., browser-based SSL VPNs) or client-based.

    • SSL VPNs provide flexibility and are easy to deploy, while IPsec VPNs offer higher security but are more complex.

  • SSL vs. IPsec VPNs:

    • SSL VPNs: Easier to deploy, widely used for web-based access (e.g., online banking).

    • IPsec VPNs: Preferred when security is the top priority, particularly for site-to-site connections and high-security environments.

IPsec Overview:
  • Security Functions:

    • Confidentiality: Achieved through encryption using algorithms such as AES (Advanced Encryption Standard).

    • Integrity: Ensured with hashing algorithms (SHA, MD5) to verify that the data has not been altered.

    • Authentication: IPsec uses IKE (Internet Key Exchange) to authenticate peers.

  • IPsec Protocols:

    • AH (Authentication Header): Provides integrity and authentication but does not encrypt data.

    • ESP (Encapsulating Security Payload): Provides both encryption and authentication.

  • Key Exchange (Diffie-Hellman):

    • Allows two peers to agree on a shared secret key even over an insecure channel; larger DH groups offer stronger security.

Modes of IPsec:
  • Transport Mode: Only the payload is encrypted; the original IP header remains in plaintext. Suitable for end-to-end communication between hosts.

  • Tunnel Mode: The entire IP packet is encrypted and encapsulated into a new IP packet. Suitable for site-to-site VPNs.
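The following is an added example (not part of the course material) that models ESP in transport and tunnel mode to show what a passive observer on the path can read in each mode. The IP header is a constructed 8-byte source/destination field rather than a real IPv4 header, the ESP header (SPI, sequence number) is omitted, and the keystream is an HMAC-SHA256 counter stream standing in for AES, which the Python standard library does not provide.

```python
import hmac, hashlib, struct
from ipaddress import IPv4Address

def ip_header(src: str, dst: str) -> bytes:
    # Constructed header: 4-byte source address, 4-byte destination address.
    return IPv4Address(src).packed + IPv4Address(dst).packed

def keystream(key: bytes, n: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (stand-in for AES).
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:n]

def esp_protect(enc_key: bytes, auth_key: bytes, data: bytes) -> bytes:
    # ESP gives confidentiality (encrypt) and authentication (ICV over ciphertext).
    ct = bytes(a ^ b for a, b in zip(data, keystream(enc_key, len(data))))
    icv = hmac.new(auth_key, ct, hashlib.sha256).digest()[:16]
    return ct + icv

def esp_unprotect(enc_key: bytes, auth_key: bytes, esp: bytes) -> bytes:
    ct, icv = esp[:-16], esp[-16:]
    expected = hmac.new(auth_key, ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet altered in transit")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, len(ct))))

def encapsulate(mode: str, packet: bytes, keys: tuple, gateways: tuple) -> bytes:
    ip, payload = packet[:8], packet[8:]
    if mode == "transport":
        # Transport mode: original header stays in the clear, payload protected.
        return ip + esp_protect(*keys, payload)
    # Tunnel mode: the whole original packet is protected behind a new header
    # that carries only the gateway addresses.
    return ip_header(*gateways) + esp_protect(*keys, packet)

def decapsulate(mode: str, wire: bytes, keys: tuple) -> bytes:
    inner = esp_unprotect(*keys, wire[8:])
    return (wire[:8] + inner) if mode == "transport" else inner

def observed_addresses(wire: bytes) -> tuple:
    # Everything a passive observer learns from the unencrypted outer header.
    return str(IPv4Address(wire[:4])), str(IPv4Address(wire[4:8]))
```

In transport mode the observer still sees the real host addresses; in tunnel mode only the two gateway addresses are exposed, and any modification of the protected part is rejected by the ICV check.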
