private network connections over third-party networks, such as the Internet or extranets. Secure VPNs rest on three building blocks: authentication, encapsulation, and encryption. When these are implemented properly, a VPN meets three goals:
Content 3.1 Introducing VPN Technology 3.1.5 VPN Security: Encapsulation

Incorporating the appropriate data confidentiality capabilities into a VPN ensures that only the intended sources and destinations are capable of interpreting the original message contents. Encapsulation is one of the two major components of confidentiality; encryption is the other. The two should not be confused: encapsulation hides the private addressing and protocol from the routers of the public network, but by itself it does nothing to hide the contents from anyone capturing the transmitted frames. Only encryption does that.

Tunneling is the transmission of data through a public network so that routing nodes in the public network are unaware that the transmission is part of a private network. Tunneling allows the use of public networks (for example, the Internet) to carry data on behalf of users as though the users had access to a private network. This is where the name VPN comes from. VPNs build tunnels by encapsulating the private network data and protocol information within the public network protocol data, so that the public network forwards the composite packet on its outer header alone and never needs to interpret the private addressing carried inside.

Tunneling is the process of placing an entire packet within another packet and sending the new, composite packet over a network. In the accompanying figure, the outer packet source and destination addressing is assigned to "tunnel interfaces" and is routable across the network. Once a composite packet reaches the destination tunnel interface, the inside packet is extracted. A second figure lists the three protocols that tunneling uses:

- Carrier protocol: the protocol of the network over which the composite packet travels (for example, IP on the Internet).
- Encapsulating protocol: the protocol that wraps the original data (for example, GRE or IPsec).
- Passenger protocol: the original data being carried (for example, IP or another Layer 3 protocol).

A third figure illustrates an e-mail traveling through the Internet over a VPN connection. PPP carries the message to the VPN device, where the message is then encapsulated within a generic routing encapsulation (GRE) packet.

To reinforce the concepts of tunneling, consider an example of sending a holiday card through traditional mail. The holiday card has a message inside and is the passenger protocol. The card is put inside an envelope (encapsulating protocol) with proper addressing applied. The envelope is put inside a mailbox for delivery. The postal system (carrier protocol) picks up and delivers the envelope to your mailbox. The two endpoints in the carrier system are the "tunnel interfaces." You remove the holiday card (extract the passenger protocol) and read the message.
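The following Python is an added example, not part of the course material, that builds the e-mail scenario above as bytes: a private IPv4/UDP packet (passenger protocol) is wrapped in a GRE header (encapsulating protocol) inside an outer IPv4 packet addressed to the two tunnel interfaces (carrier protocol), then extracted again at the far end. The `observer_view` function makes the caveat concrete: a node on the public path that parses the frame can read the private addresses and the message, because GRE encapsulates without encrypting. All addresses, ports and the payload are constructed sample data, and the function names are this example's own.

```python
"""GRE-over-IPv4 tunneling: passenger, encapsulating and carrier protocols.

Standard-library only. The 10.x.x.x addresses are the private network, the
203.0.113.1 / 198.51.100.1 pair are the tunnel interfaces (constructed sample data).
"""
import ipaddress
import struct

GRE_PROTO = 47            # IPv4 protocol number for GRE
UDP_PROTO = 17
ETHERTYPE_IPV4 = 0x0800   # GRE "Protocol Type" value for an IPv4 passenger packet


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Validate version, length and checksum; return header fields and payload."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(pkt):
        raise ValueError("malformed IPv4 packet")
    if ipv4_checksum(pkt[:ihl]) != 0:      # a correct header checksums to zero
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header with checksum 0 (meaning 'no checksum', allowed over IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Carrier IPv4 packet -> GRE header -> passenger packet (RFC 2784 layout)."""
    gre_header = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # C=K=S=0, version 0
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre_header + passenger)


def gre_decapsulate(carrier: bytes) -> bytes:
    """Strip the carrier and GRE headers at the far tunnel interface."""
    outer = parse_ipv4(carrier)
    if outer["proto"] != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags_ver, ptype = struct.unpack("!HH", outer["payload"][:4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version")
    if flags_ver & 0xB000:    # C, K or S bit set: header is longer than 4 bytes
        raise ValueError("optional GRE fields not handled in this example")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected passenger protocol 0x%04x" % ptype)
    return outer["payload"][4:]


def observer_view(carrier: bytes) -> dict:
    """What any on-path node can recover: without IPsec, the whole inner packet is readable."""
    outer = parse_ipv4(carrier)
    inner = parse_ipv4(gre_decapsulate(carrier))
    return {"tunnel": (outer["src"], outer["dst"]),
            "private": (inner["src"], inner["dst"]),
            "message": inner["payload"][8:]}          # skip the 8-byte UDP header


if __name__ == "__main__":
    card = build_ipv4("10.1.1.10", "10.2.2.20", UDP_PROTO,
                      build_udp(40000, 5000, b"happy holidays"))
    frame = gre_encapsulate(card, "203.0.113.1", "198.51.100.1")
    assert gre_decapsulate(frame) == card
    print(observer_view(frame))
```

The outer header is the only thing the Internet routers look at, which is what lets the private 10.x addresses cross the public network unchanged; the fact that `observer_view` still returns the message in clear text is exactly the gap that the encryption component of the next sections closes.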
Content 3.1 Introducing VPN Technology 3.1.6 VPN Security: IPsec and GRE

Tunneling protocols vary in the features that they support, the problems that they aim to solve, and the amount of security that they provide to the data that they transport. This course focuses on using IPsec and IPsec with GRE. When used alone, IPsec provides a private, resilient network for IP unicast only. Use IPsec in conjunction with GRE when support for IP multicast, dynamic IGP routing protocols, or non-IP protocols is required. The figure shows an example secure remote access VPN.

IPsec has two modes. Tunnel mode encapsulates the entire original IP packet, header and payload, inside a new IP packet whose outer header carries the addresses of the IPsec peers, so the original header is protected along with the data. Transport mode protects only the payload and leaves the original IP header in the clear, so the communicating hosts themselves must be the IPsec endpoints; only systems that are IPsec-compliant can take advantage of transport mode. In either mode the two peers must agree on the same security policy, including the same algorithms and keys (in practice negotiated between the peers rather than shared by hand), and the firewalls of each network must be set up with very similar security policies. IPsec can encrypt data between various devices, including router to router, firewall to router, PC to router, and PC to server.

GRE encloses the IP header and payload of packets with a GRE-encapsulation header. Network designers use this method of encapsulation to carry the original IP header as part of the GRE-encapsulated payload, so that transit routers forward on the outer header alone. In this way the designers separate, or "tunnel," data from one network to another without making changes to the underlying common network infrastructure. Note that GRE only wraps the packet; it neither encrypts nor authenticates it, which is why this course pairs it with IPsec.

Tunneling in Site-to-Site VPNs
In a site-to-site VPN, GRE provides the framework for packaging the passenger protocol for transport over the carrier protocol (usually IP-based). The GRE header identifies what type of packet is encapsulated (its Protocol Type field) and can optionally carry information about the connection between the two tunnel endpoints, such as a key or sequence number. Site-to-site VPNs can also use IPsec in tunnel mode as the encapsulating protocol. IPsec works well on both remote-access and site-to-site VPNs. To use IPsec, both tunnel interfaces must support IPsec.

Tunneling: Remote-Access
In a remote-access VPN, tunneling often uses PPP and associated protocols. When communication is established over the network between the host computer and a remote access system, PPP is the carrier protocol. Remote-access VPNs can also use the protocols listed below. Each protocol uses the basic structure of PPP:
Content 3.1 Introducing VPN Technology 3.1.7 VPN Security: Symmetric and Asymmetric Encryption Algorithms

Encryption is the process of taking all the data that one computer sends to another computer and encoding it into a form that only the intended destination computer is able to decode. The primary methods of encryption are symmetric-key (or secret key)