private network connections over third-party networks, such as the Internet or extranets. The foundation of secure VPNs is based on authentication, encapsulation, and encryption. By properly implementing security, successful VPN implementations meet three goals:

- Authentication: Authentication ensures that a message comes from an authentic source and goes to an authentic destination. User identification gives a user confidence that the party the user establishes communications with is who the user thinks the party is. VPN technologies make use of several reputable methods for establishing the identity of the party at the other end of a network. These include passwords, digital certificates, smart cards, and biometrics.

- Data confidentiality: One of the traditional security concerns is protecting data from eavesdroppers. As a design feature, data confidentiality aims at protecting the message contents from being intercepted by unauthenticated or unauthorized sources. VPNs achieve confidentiality using mechanisms of encapsulation and encryption.

- Data integrity: Since you have no control over where the data has traveled and who has seen or handled the data you send or receive while the data journeys across the Internet, there is always the possibility that the data has been modified. Data integrity guarantees that no tampering or alterations occur to data while it travels between the source and destination. VPNs typically use one of three technologies to ensure data integrity: one-way hash functions, message authentication codes (MACs), or digital signatures.
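The following Python script is an added example, not part of the course material, showing why the integrity goal above is usually met with a keyed MAC rather than a bare one-way hash. The message and the shared key are constructed values; a real VPN derives its keys during key exchange. The script sends the same altered message through both schemes and reports whether the receiver can detect the change.

```python
import hashlib
import hmac

# Constructed sample message; think of it as the payload a VPN endpoint sends.
MESSAGE = b"transfer 100 to account 4242"

# Constructed shared secret known only to the two tunnel endpoints. A real VPN
# derives keys like this during its key exchange; here the value is fixed so
# the example runs offline.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                           "101112131415161718191a1b1c1d1e1f")


def hash_tag(message: bytes) -> bytes:
    """Integrity check built from a one-way hash alone (no key involved)."""
    return hashlib.sha256(message).digest()


def mac_tag(key: bytes, message: bytes) -> bytes:
    """Integrity check built from a MAC: the tag depends on the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_hash(message: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking where the comparison fails through timing.
    return hmac.compare_digest(hash_tag(message), tag)


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)


def modified_in_transit(message: bytes) -> bytes:
    """Models the concern in the text: the data is altered somewhere along the path."""
    return message.replace(b"100", b"900")


def demo() -> dict:
    """Runs both schemes against the same altered message and reports what the receiver sees."""
    altered = modified_in_transit(MESSAGE)

    # Case 1: the message changed but the attached check value did not
    # (this is what accidental corruption looks like). Both schemes catch it.
    hash_catches_plain_edit = not verify_hash(altered, hash_tag(MESSAGE))
    mac_catches_plain_edit = not verify_mac(SHARED_KEY, altered, mac_tag(SHARED_KEY, MESSAGE))

    # Case 2: the check value was replaced along with the message. A keyless hash
    # can be recomputed by anyone, so the receiver has no way to tell. A MAC tag
    # cannot be produced without SHARED_KEY, so any replacement tag fails.
    hash_catches_recomputed = not verify_hash(altered, hash_tag(altered))
    replacement_tag = mac_tag(b"not-the-shared-key", altered)
    mac_catches_recomputed = not verify_mac(SHARED_KEY, altered, replacement_tag)

    return {
        "hash_catches_plain_edit": hash_catches_plain_edit,
        "hash_catches_recomputed": hash_catches_recomputed,
        "mac_catches_plain_edit": mac_catches_plain_edit,
        "mac_catches_recomputed": mac_catches_recomputed,
        "untouched_message_accepted": verify_mac(SHARED_KEY, MESSAGE, mac_tag(SHARED_KEY, MESSAGE)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the two cases is that a hash alone only guards against accidental corruption; binding the check value to a key shared by the two endpoints is what lets the receiver reject data that was changed by someone who does not hold the key. Digital signatures give the same property with a private key instead of a shared one.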
3.1 Introducing VPN Technology

3.1.5 VPN Security: Encapsulation

Incorporating the appropriate data confidentiality capabilities into a VPN ensures that only the intended sources and destinations are capable of interpreting the original message contents. Encapsulation is one of the major components of confidentiality. Encryption is the other.

Tunneling is the transmission of data through a public network so that routing nodes in the public network are unaware that the transmission is part of a private network. Tunneling allows the use of public networks (for example, the Internet) to carry data on behalf of users as though the users had access to a private network. This is where the name VPN comes from. VPNs build tunnels by encapsulating the private network data and protocol information within the public network protocol data so that the tunneled data is not available to anyone examining the transmitted data frames.

Tunneling is the process of placing an entire packet within another packet and sending the new, composite packet over a network. In Figure , the outer packet source and destination addressing is assigned to “tunnel interfaces” and is routable across the network. Once a composite packet reaches the destination tunnel interface, the inside packet is extracted. Figure lists the three different protocols that tunneling uses:

- Carrier protocol: The protocol the information is traveling over.

- Encapsulating protocol: The protocol (GRE, IPsec, L2F, PPTP, L2TP) that is wrapped around the original data. Not all protocols offer the same level of security.

- Passenger protocol: The original data (IPX, AppleTalk, IPv4, IPv6).
Figure illustrates an e-mail traveling
through the Internet over a VPN connection. PPP carries the
message to the VPN device where the message is then
encapsulated within a generic routing encapsulation (GRE)
packet. To reinforce the concepts of tunneling, consider an
example of sending a holiday card through traditional mail. The
holiday card has a message inside and is the passenger
protocol. The card is put inside an envelope (encapsulating
protocol) with proper addressing applied. The envelope is put
inside a mailbox for delivery. The Postal system (carrier
protocol) picks up and delivers the envelope to your mailbox.
The two end points in the carrier system are the “tunnel
interfaces.” You remove the holiday card (extract the passenger
protocol) and read the message.
3.1.6 VPN Security: IPsec and GRE

Tunneling protocols vary in the features that they support, the problems that they aim to solve, and the amount of security that they provide to the data that they transport. This course focuses on using IPsec and IPsec with GRE. When used alone, IPsec provides a private, resilient network for IP unicast only. Use IPsec in conjunction with GRE when support for IP multicast, dynamic IGP routing protocols, or non-IP protocols is required. Figure shows an example secure remote access VPN. IPsec has two encryption modes:

- Tunnel mode
- Transport mode
Tunnel mode
encrypts the header and the payload of each packet while
transport mode only encrypts the payload. Only systems that are
IPsec-compliant can take advantage of transport mode.
Additionally, all devices must use a common key and the
firewalls of each network must be set up with very similar
security policies. IPsec can encrypt data between various
devices, including router to router, firewall to router, PC to
router, and PC to server. GRE encloses the IP header and
payload of packets with a GRE-encapsulation header. Network
designers use this method of encapsulation to hide the IP
header of packets as part of the GRE-encapsulated payload. By
hiding information, the designers separate, or “tunnel,” data
from one network to another without making changes to the
underlying common network infrastructure.

Tunneling in Site-to-Site VPNs

In a site-to-site VPN, GRE provides the framework for packaging the passenger protocol for transport over the carrier protocol (usually IP-based). This transport includes information on what type of packet is encapsulated and information about the connection between the client and server. Site-to-site VPNs can also use IPsec in tunnel mode as the encapsulating protocol. IPsec works well on both remote-access and site-to-site VPNs. To use IPsec, both tunnel interfaces must support IPsec.
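As an added example that is not part of the course material, the Python script below builds the composite packet that the encapsulation section (carrier, encapsulating and passenger protocols) and the site-to-site GRE paragraph above describe: an IPv4 passenger packet between two private hosts, a 4-byte GRE encapsulating header that carries the passenger protocol type (the "what type of packet is encapsulated" information), and an outer IPv4 carrier header addressed to the two tunnel interfaces. The addresses and payload are constructed; the header layouts follow RFC 791 (IPv4) and RFC 2784/2890 (GRE). The decapsulation side also handles the optional GRE checksum, key and sequence fields, which the text does not go into.

```python
import socket
import struct

IPPROTO_GRE = 47         # protocol number carried in the outer (carrier) IPv4 header
GRE_PROTO_IPV4 = 0x0800  # GRE protocol type announcing an IPv4 passenger packet

# Flag bits in the first 16-bit word of the GRE header (RFC 2784 / RFC 2890)
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQUENCE = 0x1000
GRE_VERSION_MASK = 0x0007


def ipv4_checksum(header: bytes) -> int:
    """Standard ones'-complement checksum over the IPv4 header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet: a 20-byte header without options followed by the payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    checksum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Validates version, header length and checksum, then returns the addressing fields."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 packet")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < total_len:
        raise ValueError("malformed IPv4 packet")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Source tunnel interface: outer IPv4 (carrier) + GRE header (encapsulating) + passenger."""
    gre_header = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)  # no optional fields, version 0
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_GRE, gre_header + passenger)


def gre_decapsulate(composite: bytes) -> tuple:
    """Destination tunnel interface: strip carrier and GRE headers, return (outer, inner) views."""
    outer = parse_ipv4(composite)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    body = outer["payload"]
    if len(body) < 4:
        raise ValueError("truncated GRE header")
    flags, proto_type = struct.unpack("!HH", body[:4])
    if flags & GRE_VERSION_MASK != 0:
        raise ValueError("unsupported GRE version")
    if proto_type != GRE_PROTO_IPV4:
        raise ValueError("unsupported passenger protocol 0x%04x" % proto_type)
    # Each optional field (checksum+reserved, key, sequence) adds 4 bytes before the passenger.
    offset = 4
    for flag in (GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQUENCE):
        if flags & flag:
            offset += 4
    inner = parse_ipv4(body[offset:])
    return outer, inner


def demo() -> dict:
    """Constructed scenario: a private-network packet crossing a public network inside a GRE tunnel."""
    # Passenger: traffic between two private hosts (constructed RFC 1918 addresses).
    passenger = build_ipv4("10.1.1.10", "10.2.2.20", 17, b"hello from site A")
    # Carrier: the tunnel interfaces hold routable addresses (constructed documentation prefixes).
    composite = gre_encapsulate(passenger, "203.0.113.1", "198.51.100.1")

    # A router on the public network only reads the outer header: it forwards on
    # 203.0.113.1 -> 198.51.100.1, protocol 47, and never sees the private addresses.
    transit_view = parse_ipv4(composite)
    _, inner = gre_decapsulate(composite)
    return {
        "transit_src": transit_view["src"],
        "transit_dst": transit_view["dst"],
        "transit_proto": transit_view["proto"],
        "inner_src": inner["src"],
        "inner_dst": inner["dst"],
        "inner_payload": inner["payload"],
        "overhead_bytes": len(composite) - len(passenger),   # 20 (outer IPv4) + 4 (GRE)
        "passenger_intact": inner == parse_ipv4(passenger),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Note that GRE by itself only hides the inner addressing from the routing nodes by putting it inside the carrier's payload; nothing here is encrypted or authenticated, which is why the course pairs GRE with IPsec when confidentiality and integrity are required.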
Tunneling: Remote-Access

In a remote-access VPN, tunneling often uses PPP and associated protocols. When communication is established over the network between the host computer and a remote access system, PPP is the carrier protocol. Remote-access VPNs can also use the protocols listed below. Each protocol uses the basic structure of PPP:
- Layer 2 Forwarding (L2F): Developed by Cisco Systems, L2F uses any authentication scheme that is supported by PPP. However, L2F does not support encryption.

- Point-to-Point Tunneling Protocol (PPTP): The PPTP Forum, a consortium that includes US Robotics, Microsoft, 3COM, Ascend, and ECI Telematics, created PPTP. PPTP supports 40-bit and 128-bit encryption and uses any authentication scheme that is supported by PPP.

- Layer 2 Tunneling Protocol (L2TP): L2TP is the product of a partnership between the members of the PPTP Forum, Cisco Systems, and the Internet Engineering Task Force (IETF). It is a combination of the PPTP and L2F protocols. Both site-to-site VPNs and remote-access VPNs can use L2TP as a tunneling protocol. However, due to the lack of confidentiality inherent in the L2TP protocol, it is often implemented along with IPsec and is called L2TP/IPsec. A new version of the protocol was released in 2005 and is referred to as L2TPv3.
Interactive Media Activity - Drag and Drop: Layer 3 VPN Tunnel Flowchart

Upon completion of this activity, the student will be able to identify the process of selecting Layer 3 VPN Tunnel options.
3.1.7 VPN Security: Symmetric and Asymmetric Encryption Algorithms

Encryption is the process of taking all the data that one computer is sending to another computer and encoding the data into a form that only the intended destination computer will be able to decode. The primary methods of encryption are symmetric-key (or secret key)