Purpose of VPNs:
VPNs create secure, encrypted connections between sites or remote users over public networks like the Internet. This ensures confidentiality and integrity of data transmitted over these insecure networks.
Types of VPNs:
Site-to-Site VPN: Established between two or more VPN gateways. The traffic is encrypted between the gateways, and internal hosts are unaware of the VPN.
Remote-Access VPN: Provides remote users with secure access to a network; commonly used for connecting mobile workers or remote offices.
Site-to-Site VPNs:
The VPN tunnel is established between fixed devices (VPN gateways) and traffic is encrypted only between these devices.
Commonly used for inter-site connections, allowing remote locations to access main network resources securely.
Remote-Access VPNs:
Initiated by a client; the connection can be clientless or client-based (e.g., SSL VPNs).
SSL VPNs provide flexibility and are easy to deploy, while IPsec VPNs offer higher security but are more complex.
SSL vs. IPsec VPNs:
SSL VPNs: Easier to deploy, widely used for web-based access (e.g., online banking).
IPsec VPNs: Preferred when security is the top priority, particularly for site-to-site connections and high-security environments.
Security Functions:
Confidentiality: Achieved through encryption using algorithms such as AES (Advanced Encryption Standard).
Integrity: Ensured with hashing algorithms (SHA, MD5) to verify that the data has not been altered.
Authentication: IPsec uses IKE (Internet Key Exchange) to authenticate peers.
IPsec Protocols:
AH (Authentication Header): Provides integrity and authentication but does not encrypt data.
ESP (Encapsulating Security Payload): Provides both encryption and authentication.
Key Exchange (Diffie-Hellman):
Ensures secure key exchange between peers even over insecure channels, with different DH groups offering varying levels of security.
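Added example (not part of the original notes): a Diffie-Hellman exchange over the RFC 3526 Group 14 (2048-bit MODP) modulus, showing that both peers derive the same secret while only the public values cross the channel, plus the kind of group-strength policy check a gateway administrator would apply to a proposed IKE group. The modulus is transcribed here and sanity-checked by bit length; the group-to-bits table and the floor values in `group_is_acceptable` are assumptions of this example, not any vendor's defaults.

```python
import secrets

# RFC 3526 Group 14 modulus, transcribed for this example. Confirm against the
# RFC text before reusing it; the bit-length check below only catches gross
# transcription errors.
GROUP14_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
GROUP14_G = 2

# Sizes of common IKE DH groups (MODP groups 1, 2, 5, 14; ECP groups 19, 20).
# Table and policy floors are assumptions of this example.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 19: 256, 20: 384}
ECP_GROUPS = {19, 20}

def group_is_acceptable(group, min_modp_bits=2048, min_ecp_bits=256):
    """Policy check: reject unknown groups and groups below the configured floor."""
    bits = DH_GROUP_BITS.get(group)
    if bits is None:
        return False
    floor = min_ecp_bits if group in ECP_GROUPS else min_modp_bits
    return bits >= floor

class DhPeer:
    """One side of a MODP Diffie-Hellman exchange."""
    def __init__(self, p=GROUP14_P, g=GROUP14_G):
        self.p, self.g = p, g
        self.priv = secrets.randbelow(p - 2) + 1   # private exponent, never sent
        self.pub = pow(g, self.priv, p)            # the only value sent over the wire

    def shared_secret(self, peer_pub):
        # Reject 0, 1 and p-1: they would force a trivial shared secret.
        if not 1 < peer_pub < self.p - 1:
            raise ValueError("invalid peer public value")
        return pow(peer_pub, self.priv, self.p)

def run_exchange(p=GROUP14_P, g=GROUP14_G):
    """Return (secret at A, secret at B, the two public values an observer sees)."""
    alice, bob = DhPeer(p, g), DhPeer(p, g)
    return alice.shared_secret(bob.pub), bob.shared_secret(alice.pub), (alice.pub, bob.pub)

def rejects_trivial_public(value, p=GROUP14_P):
    """True if a peer refuses a degenerate public value such as 1 or p-1."""
    try:
        DhPeer(p).shared_secret(value)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    ka, kb, _ = run_exchange()
    print("secrets match:", ka == kb, "| group 2 allowed:", group_is_acceptable(2))
```

The policy function is where "varying levels of security" becomes operational: a gateway that still offers group 1 or 2 should fail this check, and a peer that accepts a public value of 1 or p-1 ends up with a secret anyone can compute, which is why `shared_secret` refuses them.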
IPsec Modes:
Transport Mode: Only the payload is encrypted; the original IP header, including its addresses, remains in plaintext. Suitable for end-to-end communication.
Tunnel Mode: The entire IP packet is encrypted and encapsulated in a new IP packet. Suitable for site-to-site VPNs.
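To make the Security Functions, IPsec Protocols and mode sections concrete, here is an added example (not part of the original notes) that builds simplified ESP and AH packets over a constructed IPv4 packet and shows what a passive observer on the public network can read in each case: ESP transport mode exposes the real host addresses but hides the data, ESP tunnel mode exposes only the gateway addresses, and AH authenticates everything but leaves the application data readable. The layouts are simplified (no ESP padding, no IP checksum, no mutable-field zeroing for AH), the cipher is a SHA-256 keystream stand-in for AES, and all keys, SPIs and addresses are constructed.

```python
import hashlib
import hmac
import socket
import struct

# Simplified layouts and a stand-in cipher; keys, SPIs and addresses are constructed.
PROTO_TCP, PROTO_ESP, PROTO_AH, PROTO_IPV4 = 6, 50, 51, 4
ICV_LEN = 16  # truncated HMAC-SHA-256 integrity check value

def ip_header(src, dst, proto, payload_len):
    """Minimal IPv4 header without options; checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_ip_header(pkt):
    """Return (src, dst, protocol) from the outermost IPv4 header."""
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return socket.inet_ntoa(f[8]), socket.inet_ntoa(f[9]), f[6]

def keystream_xor(key, data, spi, seq):
    """Toy counter-mode keystream from SHA-256 so the example needs only the
    standard library; a real ESP SA would use AES (CBC or GCM)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + struct.pack("!IIQ", spi, seq, off)).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def esp_protect(orig_pkt, enc_key, auth_key, spi, seq, mode, gateways=None):
    """ESP: confidentiality plus integrity. transport keeps the original IP
    header and encrypts only the payload; tunnel encrypts the whole packet and
    adds a new outer header addressed between the two gateways."""
    src, dst, proto = parse_ip_header(orig_pkt)
    if mode == "transport":
        plaintext, outer_src, outer_dst = orig_pkt[20:] + bytes([proto]), src, dst
    elif mode == "tunnel":
        plaintext, (outer_src, outer_dst) = orig_pkt + bytes([PROTO_IPV4]), gateways
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    esp_hdr = struct.pack("!II", spi, seq)            # SPI + sequence number
    ct = keystream_xor(enc_key, plaintext, spi, seq)  # last byte = next header
    icv = hmac.new(auth_key, esp_hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
    body = esp_hdr + ct + icv
    return ip_header(outer_src, outer_dst, PROTO_ESP, len(body)) + body

def esp_unprotect(pkt, enc_key, auth_key):
    """Check the ICV before decrypting. Returns (next_header, plaintext), or
    None when the packet is not ESP or fails integrity (the receiver drops it)."""
    if parse_ip_header(pkt)[2] != PROTO_ESP:
        return None
    body = pkt[20:]
    esp_hdr, ct, icv = body[:8], body[8:-ICV_LEN], body[-ICV_LEN:]
    expect = hmac.new(auth_key, esp_hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expect):
        return None
    pt = keystream_xor(enc_key, ct, *struct.unpack("!II", esp_hdr))
    return pt[-1], pt[:-1]

def ah_protect(orig_pkt, auth_key, spi, seq):
    """AH: authenticates header and payload but leaves the payload readable."""
    src, dst, proto = parse_ip_header(orig_pkt)
    payload = orig_pkt[20:]
    ah_fixed = struct.pack("!BBHII", proto, 5, 0, spi, seq)  # next hdr, len, rsvd, SPI, seq
    outer = ip_header(src, dst, PROTO_AH, len(ah_fixed) + ICV_LEN + len(payload))
    icv = hmac.new(auth_key, outer + ah_fixed + payload, hashlib.sha256).digest()[:ICV_LEN]
    return outer + ah_fixed + icv + payload

def ah_verify(pkt, auth_key):
    """True if the AH integrity check value matches header and payload."""
    outer, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:48], pkt[48:]
    expect = hmac.new(auth_key, outer + ah_fixed + payload, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expect)

def observer_view(pkt):
    """What someone on the public network can read without the keys."""
    src, dst, proto = parse_ip_header(pkt)
    return {"src": src, "dst": dst, "proto": proto, "rest": pkt[20:]}

# Constructed sample: a host behind gateway A talks to a host behind gateway B.
ENC_KEY, AUTH_KEY = b"example-enc-key", b"example-auth-key"
GW_A, GW_B = "203.0.113.1", "198.51.100.1"
APP_DATA = b"GET /payroll HTTP/1.1\r\n"
HOST_PKT = ip_header("10.0.1.10", "10.0.2.20", PROTO_TCP, len(APP_DATA)) + APP_DATA

def demo():
    """The same host packet protected three ways: ESP transport, ESP tunnel, AH."""
    transport = esp_protect(HOST_PKT, ENC_KEY, AUTH_KEY, 0x100, 1, "transport")
    tunnel = esp_protect(HOST_PKT, ENC_KEY, AUTH_KEY, 0x200, 1, "tunnel", (GW_A, GW_B))
    return transport, tunnel, ah_protect(HOST_PKT, AUTH_KEY, 0x300, 1)

if __name__ == "__main__":
    for name, pkt in zip(("ESP transport", "ESP tunnel", "AH"), demo()):
        v = observer_view(pkt)
        print(f"{name:14} outer {v['src']} -> {v['dst']} proto {v['proto']}"
              f" app data visible: {APP_DATA in v['rest']}")
```

Running it prints one line per packet: the transport-mode packet shows the internal addresses 10.0.1.10 and 10.0.2.20 on the outside, the tunnel-mode packet shows only the two gateway addresses, and only the AH packet still carries the request in the clear. Flipping any byte of the ESP ciphertext or the AH payload makes the corresponding integrity check fail, which is the behaviour the Integrity bullet describes.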