
Chapter 17: Fundamentals of VPN Technology

I. Understanding VPNs and Why We Use Them

1. What Is a VPN?
2. Types of VPNs

1. IPsec Implements security of IP packets at Layer 3 of the OSI model, and can be
used for site-to-site and remote-access VPNs.
2. SSL Secure Sockets Layer implements security of TCP sessions at Layer 4 of the
OSI model, and can be used for remote-access VPNs (as well as being used to
securely visit a web server that supports it via HTTPS).
3. MPLS Multiprotocol Label Switching and MPLS Layer 3 VPNs are provided by
a service provider to allow a company with two or more sites to have logical
connectivity between the sites using the service provider network for transport. This
is also a type of VPN (called MPLS L3VPN), but there is no encryption by default.
IPsec could be used on top of the MPLS VPN to add confidentiality (through
encryption) and the other benefits of IPsec to protect the Layer 3 packets. MPLS
L3VPNs are not the primary type of VPNs we focus on for the rest of this chapter
and book. The primary VPNs that provide encryption, data integrity, authentication
of who the peer is on the other end of the VPN, and so on use IPsec or SSL.

3. Two Main Types of VPNs


1. Remote-access VPNs Some users might need to build a VPN connection from
their individual computer to the corporate headquarters (or to whatever destination
they want to connect to). This is referred to as a remote-access VPN connection.
Remote-access VPNs can use IPsec or SSL technologies for their VPN.
2. Site-to-site VPNs The other main VPN implementation is used by companies that
have two or more sites that they want to connect securely together (likely over the
Internet) so that each site can communicate with the other site or sites. This
implementation is called a site-to-site VPN. Site-to-site VPNs traditionally use a
collection of VPN technologies called IPsec.

4. Main Benefits of VPNs

1. Confidentiality
2. Data integrity
3. Authentication
4. Antireplay

5. Confidentiality
1. Only the intended parties can understand the data. Eavesdroppers see only a
scrambled payload (also called cipher text), which is meaningless unless it can be
decrypted (unlocked).

2. When symmetrical algorithms are used, the key that encrypts the data is also the
key that decrypts it.

6. Data Integrity
1. An example is downloading an IOS image file from Cisco. Cisco publishes a
Message Digest 5 (MD5) value for the file; run the verify command on the router to
make sure the MD5 value of the downloaded file matches the published one. This is
how hashing verifies data integrity.

7. Authentication
1. Pre-shared keys used for authentication only
2. Public and private key pairs used for authentication only
3. User authentication (in combination with remote-access VPNs)

8. Antireplay
1. Once a VPN packet has been sent, a duplicate of that packet is not accepted as
valid. This matters if, say, an attacker copied packets sent by a valid VPN
termination point and replayed them in an attempt to establish a VPN.

II. Cryptography Basic Components

1. Summary
a. Confidentiality is a function of encryption
b. Data integrity is a function of hashing
c. Authentication is the process of proving the identity of the other side of the

2. Ciphers and Keys

1. You must understand the terminology before you can understand the technology.

3. Ciphers
1. Ciphers are also known as algorithms and are used for either encryption or
decryption. There are literally hundreds of ciphers, both standards based and
proprietary.
2. Common cipher methods include the following:
a. Substitution This type of cipher substitutes one character for another. The
example earlier used a simple cipher that substituted each letter of the alphabet
with the previous letter of the alphabet. To make it more challenging, we could
have shifted by more than a single character and chosen only certain letters to
substitute. The exact method of substitution can be referred to as the key. If both
parties involved in the VPN know the key, they can both encrypt and decrypt data.
b. Polyalphabetic This is similar to substitution, but instead of using a single
alphabet, it can use multiple alphabets and switch between them on some trigger
character in the encoded message.
c. Transposition This rearranges the characters of the message in a variety of ways.
For example, if we take the message This is secret and write it out top to bottom,
left to right, in a grid of three rows, we get:

T S S R
H I E E
I S C T

3. We then encrypt it as RETCSIHTSSEI, which is read starting at the top-right
corner and going around clockwise like a clock, spiraling inward. To know how to
encrypt/decrypt this correctly, we need the correct key.
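The spiral transposition just described, worked through in code. This is an added example, not from the book: the message is laid into a 3-row by 4-column grid column by column (top to bottom, left to right) and read clockwise from the top-right corner, spiralling inward, so the grid shape plus the reading path act as the key. The decrypt function, which reverses the path, and the helper names are this example's own.

```python
# Added example (not from the book): the "This is secret" transposition cipher.
# Grid shape (3 x 4) and reading path (top-right, clockwise, spiralling inward)
# are taken from the text; they play the role of the key.

from typing import List, Tuple

Grid = List[List[str]]


def build_grid(message: str, rows: int = 3, cols: int = 4) -> Grid:
    """Drop non-letters and fill the grid top to bottom, left to right (column-major)."""
    letters = [c.upper() for c in message if c.isalpha()]
    if len(letters) != rows * cols:
        raise ValueError(f"need exactly {rows * cols} letters, got {len(letters)}")
    grid = [[""] * cols for _ in range(rows)]
    for index, letter in enumerate(letters):
        col, row = divmod(index, rows)
        grid[row][col] = letter
    return grid


def spiral_path(rows: int, cols: int) -> List[Tuple[int, int]]:
    """Cell coordinates in reading order: start top-right, go clockwise, spiral inward."""
    path: List[Tuple[int, int]] = []
    top, bottom, left, right = 0, rows - 1, 0, cols - 1
    while top <= bottom and left <= right:
        for r in range(top, bottom + 1):              # down the right-hand column
            path.append((r, right))
        for c in range(right - 1, left - 1, -1):      # along the bottom row, leftward
            path.append((bottom, c))
        if left != right:                             # up the left-hand column
            for r in range(bottom - 1, top - 1, -1):
                path.append((r, left))
        if top != bottom:                             # along the top row, rightward
            for c in range(left + 1, right):
                path.append((top, c))
        top, bottom, left, right = top + 1, bottom - 1, left + 1, right - 1
    return path


def encrypt(message: str, rows: int = 3, cols: int = 4) -> str:
    grid = build_grid(message, rows, cols)
    return "".join(grid[r][c] for r, c in spiral_path(rows, cols))


def decrypt(ciphertext: str, rows: int = 3, cols: int = 4) -> str:
    """Reverse the process: put letters back along the spiral, then read column-major."""
    if len(ciphertext) != rows * cols:
        raise ValueError(f"need exactly {rows * cols} letters, got {len(ciphertext)}")
    grid: Grid = [[""] * cols for _ in range(rows)]
    for letter, (r, c) in zip(ciphertext.upper(), spiral_path(rows, cols)):
        grid[r][c] = letter
    return "".join(grid[r][c] for c in range(cols) for r in range(rows))


def show_grid(message: str, rows: int = 3, cols: int = 4) -> str:
    """The grid as printed in the text, one row per line."""
    return "\n".join(" ".join(row) for row in build_grid(message, rows, cols))


if __name__ == "__main__":
    print(show_grid("This is secret"))
    print(encrypt("This is secret"))   # RETCSIHTSSEI
    print(decrypt("RETCSIHTSSEI"))     # THISISSECRET
```

Anyone who knows the grid shape and the reading path (the key) can run decrypt; without it, the ciphertext is just the same twelve letters in a different order, which is exactly why the key, not the method, is what must stay secret.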

4. Keys
1. The key in the example above is the set of instructions for how to reassemble the
characters: in this case, begin at the top-right corner, move clockwise, and spiral
inward. A one-time pad (OTP) is a good example of a key that is used only once.
With this method, to encrypt a 32-bit message we use a 32-bit key, also called the
pad, which is used one time only. Each bit of the pad is mathematically combined
with the corresponding bit of our message, and the result is our cipher text, or
encrypted content. The key in this case is the one-time-use pad. The receiver must
also know the pad in order to decrypt the message. (Another use of the acronym OTP
is a user's one-time password, which is a different topic from the one-time pad.)
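The 32-bit one-time pad from the paragraph above, as an added example that is not from the book. The bit-by-bit combination is XOR; the 4-byte message and 4-byte pad are constructed sample values, and the two extra helpers show why the pad is used once: without the pad every same-length plaintext is an equally possible decryption, while reusing a pad cancels it out of two ciphertexts.

```python
# Added example (not from the book): a 32-bit one-time pad built on XOR.
import secrets


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Combine each bit of data with the corresponding bit of the pad (XOR)."""
    if len(pad) != len(data):
        raise ValueError("the pad must be exactly as long as the data")
    return bytes(d ^ p for d, p in zip(data, pad))


def generate_pad(length: int) -> bytes:
    """A fresh pad of random bytes; used once, then discarded."""
    return secrets.token_bytes(length)


def otp_encrypt(message: bytes, pad: bytes) -> bytes:
    return otp_xor(message, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    return otp_xor(ciphertext, pad)   # XOR is its own inverse


def pad_that_yields(ciphertext: bytes, plaintext: bytes) -> bytes:
    """For any ciphertext, some pad 'decrypts' it to any chosen plaintext of the same
    length, so an eavesdropper without the pad cannot tell which message was sent."""
    return otp_xor(ciphertext, plaintext)


def pad_reuse_leak(ciphertext1: bytes, ciphertext2: bytes) -> bytes:
    """Why 'one-time': XOR of two ciphertexts made with the same pad equals the XOR of
    the two plaintexts, because the pad cancels out."""
    return otp_xor(ciphertext1, ciphertext2)


# Constructed sample values: a 32-bit message and a 32-bit pad.
MESSAGE = b"ACME"                  # 4 bytes = 32 bits
PAD = bytes.fromhex("9f3a77c1")    # 4 bytes = 32 bits, constructed (a real pad is random)

if __name__ == "__main__":
    ciphertext = otp_encrypt(MESSAGE, PAD)
    print(ciphertext.hex())                  # de793a84
    print(otp_decrypt(ciphertext, PAD))      # b'ACME'
```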

5. Block and Stream Ciphers

1. Encryption algorithms can operate on blocks of data at a time, or bits and bytes of
data, based on the type of cipher. Let's compare the two methods

6. Block Ciphers
1. A symmetric key cipher that operates on a group of bits called a block. A block
cipher encryption algorithm may take a 64-bit block of plain text and generate a
64-bit block of cipher text. With this type of encryption, the same key used to
encrypt is also used to decrypt. Examples of symmetrical block cipher algorithms
include the following:
a. Advanced Encryption Standard (AES)
b. Triple Digital Encryption Standard (3DES)
c. Blowfish
d. Digital Encryption Standard (DES)
e. International Data Encryption Algorithm (IDEA)
2. Block ciphers may add padding when there isn't enough data to make a full block,
so some overhead is wasted.

7. Stream Ciphers
1. A symmetric key cipher in which each bit of plaintext is encrypted one bit at a time
against the corresponding bit of the key stream (also called a cipher digit stream).
The resulting output is a ciphertext stream. Stream ciphers have less overhead than
block ciphers.

8. Symmetric and Asymmetric Algorithms

1. The difference between symmetric and asymmetric algorithms is important to understand.

9. Symmetric
1. Again, a symmetric encryption algorithm, also known as a symmetrical cipher, uses
the same key to encrypt and decrypt. Both VPN termination points require the same
key or keys.
2. Examples
a. DES
b. 3DES
c. AES
d. RC2, RC4, RC5, RC6
e. Blowfish
3. Symmetrical ciphers are the ones mostly used today, especially for the bulk of our
data, because they require less CPU than asymmetrical ciphers. The longer the key,
the more secure. A minimum key length should be at least 80 bits to be safe; a typical
key length is anywhere from 40 bits to 256 bits. Bigger is better.

10. Asymmetric
1. An example of an asymmetric cipher (asymmetric encryption algorithm) is a public
key algorithm. Instead of using the same key for encryption and decryption, we use
two different keys that mathematically work together as a pair. Let's call these keys
the public key and the private key. Together they make a key pair. Let's put these
keys to use with an analogy.
2. Picture a cargo container with two key holes: a large key hole and a small key
hole. If we lock the container with the small key hole and its key, the only way to
unlock it is with the big key hole and its key. If we lock the container with the large
key hole, the only way to unlock it is with the small key hole. Because asymmetric
ciphers take so much CPU, we usually use them for such things as authenticating a
VPN peer or generating keying material that we can then use with our symmetrical
ciphers (encryption algorithms).
3. It's called public key cryptography because we allow one of these keys to be
published and made available to anyone who wants to use it (the public key). The
other key in the key pair is the private key, and it is known only to the device that
owns the public-private key pair. An example is visiting a secure website: your PC
has access to the public key, and the server is the only one that knows the private
key. More on SSL later in this chapter, and again in more detail in the Public Key
Infrastructure (PKI) chapter.

11. Hashes
1. A hash (AKA digest, or message digest) is calculated from some data. Because the
same hash is calculated from the same data every time, and the calculation is one way
(the data cannot be recovered from the hash), it can be used to verify data integrity.
2. For example, the sender calculates a hash from the data and sends the hash with
each packet. The receiver runs the same hashing algorithm, and if the result is not the
same, the data has lost its integrity.
3. The three most popular types of hashes are as follows:
a. Message Digest 5 (MD5) This creates a 128-bit digest
b. Secure Hash Algorithm 1 (SHA-1) This creates a 160-bit digest
c. Secure Hash Algorithm 2 (SHA-2) Options include a digest between 224 bits
and 512 bits
4. With encryption and cryptography, and now hashing, bigger is better, and more bits
equals better security.

12. Hashed Message Authentication Code

1. Hashed Message Authentication Code (HMAC) uses a secret key in calculating the
hash for data, so that packets cannot be changed undetected in transit; only the
parties holding the secret key can correctly calculate and verify the hash.
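An added example (not from the book) covering both the hash-based integrity check from the Data Integrity section (compare a file against a published MD5 value, the way the router's verify step does) and the point of this HMAC section. The "image" contents, the modified copy and the shared key are constructed sample values. The results dictionary makes the contrast explicit: a plain hash can be recomputed by anyone who changes the data, so on its own it only catches accidental corruption, whereas a valid HMAC tag cannot be produced without the shared secret key.

```python
# Added example (not from the book): hashing for integrity versus HMAC.
import hashlib
import hmac


def digest_bits(algorithm: str) -> int:
    """Digest length in bits for a hashlib algorithm name (md5, sha1, sha256, sha512)."""
    return hashlib.new(algorithm).digest_size * 8


def file_digest(data: bytes, algorithm: str = "md5") -> str:
    return hashlib.new(algorithm, data).hexdigest()


def verify_digest(data: bytes, published_hex: str, algorithm: str = "md5") -> bool:
    """Recompute the digest and compare it with the published value (constant time)."""
    return hmac.compare_digest(file_digest(data, algorithm), published_hex.lower())


def hmac_tag(key: bytes, data: bytes, algorithm: str = "sha256") -> str:
    """Keyed hash: only holders of the key can compute it."""
    return hmac.new(key, data, algorithm).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag_hex: str, algorithm: str = "sha256") -> bool:
    return hmac.compare_digest(hmac_tag(key, data, algorithm), tag_hex)


# Constructed sample data: a "file", a modified copy, and the VPN peers' shared secret.
IMAGE = b"constructed sample image contents for an IOS image file"
MODIFIED = IMAGE.replace(b"sample", b"altered")
SHARED_KEY = b"constructed-shared-secret"


def integrity_check_results() -> dict:
    published = file_digest(IMAGE)          # the value the vendor publishes
    tag = hmac_tag(SHARED_KEY, IMAGE)       # the value the sending VPN peer attaches
    return {
        # plain hash: catches the change, unless the hash was recomputed too
        "intact_file_verifies": verify_digest(IMAGE, published),
        "modified_file_verifies": verify_digest(MODIFIED, published),
        "modified_file_with_recomputed_hash_verifies": verify_digest(MODIFIED, file_digest(MODIFIED)),
        # HMAC: a tag for the modified data needs the shared key
        "intact_packet_hmac_verifies": verify_hmac(SHARED_KEY, IMAGE, tag),
        "modified_packet_hmac_verifies": verify_hmac(SHARED_KEY, MODIFIED, tag),
        "modified_packet_hmac_without_key_verifies": verify_hmac(
            SHARED_KEY, MODIFIED, hmac_tag(b"some-other-key", MODIFIED)
        ),
    }


if __name__ == "__main__":
    for name in ("md5", "sha1", "sha256", "sha512"):
        print(name, digest_bits(name), "bits")
    for check, outcome in integrity_check_results().items():
        print(f"{check}: {outcome}")
```

hmac.compare_digest is used for both comparisons so that the time taken does not depend on where the first mismatching byte lies.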

13. Digital Signatures
1. Digital signatures provide three core benefits
a. Authentication
b. Data integrity
c. Nonrepudiation

14. Digital Signatures in Action

1. Digital signatures involve public/private key pairs, hashing, and encryption.
2. Example
a. Bob and Lois are two PCs, and they want to create a VPN between each other.
b. Both Bob and Lois have generated public-private key pairs and have both been
given digital certificates from a common certificate authority (CA). A CA is a
trusted entity that hands out digital certificates (more on that later).
c. Opening a digital certificate, you will find:
i. Name of the entity (for example, Bob)
ii. Bob's public key (which Bob gave to the CA when he applied for his digital
iii. Also a digital signature of the CA
d. Both Bob and Lois trust the CA and have both received their certificates.
e. Bob takes a packet and generates a hash. Bob then takes this small hash and
encrypts it using Bob's private key. (Think of this as a shipping container, and
we are using the small key in the small keyhole to lock the data.) We attach this
encrypted hash to the packet and send it to Lois. There is a fancy name for this
encrypted hash: a digital signature.
f. When Lois receives this packet, she looks at the encrypted hash that was sent and
decrypts it using Bob's public key. (Think of this as the big keyhole and the big
key being used to unlock the data.) She sets the decrypted hash off to the side for
a moment and runs the same hash algorithm on the packet she received. If the hash
she just calculated matches the hash she received (after decrypting it with the
sender's public key), she knows two things: the only person who could have
encrypted that hash was Bob, with Bob's private key, and data integrity on the
packet is solid, because if even 1 bit had changed the hash would not have matched.
This process is called authentication using digital signatures, and it normally
happens in both directions with an IPsec VPN tunnel if the peers are using digital
signatures for authentication, referred to as rsa-signatures in the configuration.
g. One might ask, okay, so how did Lois get Bob's key (Bob's public key) to begin
with? The answer is that Bob and Lois also exchanged digital certificates, which
contained each other's public keys. Bob and Lois do not just trust any
certificates, but they do trust certificates that are digitally signed by a CA that
they trust. This also implies that to verify digital signatures from the CA, both
Bob and Lois would also need the CA's public key. Most browsers today have
the built-in certificates and public keys for the mainstream CAs on the Internet.
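The Bob-and-Lois flow above, worked through in code as an added example (not from the book). It follows the chapter's "encrypt the hash with the private key, decrypt it with the public key" description literally, using RSA exponentiation on a toy key pair: the primes, the public exponent and the packet bytes are constructed for illustration and are far smaller than real key material. The three checks show a genuine signature verifying, a signature failing once a single byte of the packet changes, and a signature made under some other party's private key failing against Bob's public key.

```python
# Added example (not from the book): hash, sign with the private key, verify with
# the public key. Toy RSA parameters, constructed for illustration only.
import hashlib
from typing import Tuple

PublicKey = Tuple[int, int]    # (e, n)
PrivateKey = Tuple[int, int]   # (d, n)


def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """Build a key pair from two primes; d is the modular inverse of e mod (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # requires Python 3.8+
    return (e, n), (d, n)


def packet_hash(packet: bytes, n: int) -> int:
    """SHA-256 of the packet, reduced so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(packet).digest(), "big") % n


def sign(packet: bytes, private_key: PrivateKey) -> int:
    """Bob: hash the packet, then 'encrypt' the hash with the private key (small keyhole)."""
    d, n = private_key
    return pow(packet_hash(packet, n), d, n)


def verify(packet: bytes, signature: int, public_key: PublicKey) -> bool:
    """Lois: 'decrypt' the signature with the sender's public key (big keyhole) and
    compare the result with a freshly computed hash of the packet."""
    e, n = public_key
    return pow(signature, e, n) == packet_hash(packet, n)


# Constructed toy key pairs: one for Bob, one for some other party.
BOB_PUBLIC, BOB_PRIVATE = make_keypair(1_000_000_007, 998_244_353)
OTHER_PUBLIC, OTHER_PRIVATE = make_keypair(1_000_000_009, 999_999_937)

PACKET = b"constructed packet payload from Bob to Lois"


def signature_check_results() -> dict:
    bob_signature = sign(PACKET, BOB_PRIVATE)
    return {
        "genuine_packet_verifies": verify(PACKET, bob_signature, BOB_PUBLIC),
        "tampered_packet_verifies": verify(PACKET + b"!", bob_signature, BOB_PUBLIC),
        "other_signer_verifies_as_bob": verify(PACKET, sign(PACKET, OTHER_PRIVATE), BOB_PUBLIC),
    }


if __name__ == "__main__":
    for check, outcome in signature_check_results().items():
        print(f"{check}: {outcome}")
```

What the example does not show is the certificate step from item g: in practice Lois obtains BOB_PUBLIC from a certificate and first verifies the CA's signature on that certificate with the same verify routine, using the CA's public key.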

15. Key Management
1. Symmetric keys are used with symmetric algorithms such as hashing (HMAC) and
encryption.
2. Asymmetric keys (public-private key pairs) can be used with asymmetric ciphers
for such things as digital signatures.
3. Key management covers:
a. generating keys
b. verifying keys
c. exchanging keys
d. storing keys
e. destroying keys at the end of their lifetime
4. Keyspace refers to all possible key values for a key. A longer key means a larger
keyspace, which is better, but it also costs more CPU.

16. IPsec and SSL

1. IPsec has been around for decades and is used for both remote-access and
site-to-site VPNs.
2. SSL is newer in its application to remote-access VPNs.

17. IPsec
1. A collection of protocols and algorithms to protect IP packets at Layer 3, providing:
a. Confidentiality through encryption
b. Data integrity through hashing and HMAC
c. Authentication using digital signatures or Pre-Shared Keys (PSK)
2. Summary of IPsec
a. ESP and AH These are the two primary methods for implementing IPsec. The
acronyms stand for Encapsulating Security Payload (ESP), which can do all of the
features of IPsec, and Authentication Header (AH), which can do many parts of the
IPsec objectives except for the important one of encrypting the data. For that
reason, we do not frequently see AH being used.
b. Encryption algorithms for confidentiality DES, 3DES, AES
c. Hashing algorithms for integrity MD5, SHA
d. Authentication algorithms Pre-shared keys (PSK), RSA digital signatures
e. Key management An example is Diffie-Hellman (DH), which can be used to
dynamically generate symmetrical keys to be used by symmetrical algorithms;
PKI, which supports the function of digital certificates issued by trusted CAs; and
Internet Key Exchange (IKE), which does a lot of the negotiating and management
for IPsec to operate.
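An added example (not from the book) of the key-management item above: a Diffie-Hellman exchange between two sites that ends with both holding the same symmetric key, even though only the public values crossed the wire. The modulus, generator, label and private values are constructed for illustration and are much smaller than the groups IKE actually negotiates; the SHA-256 step that turns the agreed number into 256 bits of keying material is this example's own simplification of a key-derivation function.

```python
# Added example (not from the book): Diffie-Hellman shared secret, then a
# symmetric key derived from it. Toy-sized parameters, constructed for illustration.
import hashlib
import secrets
from typing import Tuple

P = 2**127 - 1    # prime modulus (the Mersenne prime M127), toy-sized
G = 3             # generator agreed by both peers


def dh_keypair(p: int = P, g: int = G) -> Tuple[int, int]:
    """Private value x (kept secret) and public value g^x mod p (sent to the peer)."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared_secret(own_private: int, peer_public: int, p: int = P) -> int:
    """(g^y)^x mod p on one side equals (g^x)^y mod p on the other."""
    return pow(peer_public, own_private, p)


def derive_symmetric_key(shared_secret: int, label: bytes = b"constructed-label") -> bytes:
    """Hash the agreed secret down to 256 bits of keying material for a symmetric cipher."""
    length = (shared_secret.bit_length() + 7) // 8 or 1
    return hashlib.sha256(label + shared_secret.to_bytes(length, "big")).digest()


def exchange() -> Tuple[bytes, bytes]:
    """Run the exchange for two sites and return the key each side derived."""
    site_a_private, site_a_public = dh_keypair()
    site_b_private, site_b_public = dh_keypair()
    # only site_a_public and site_b_public are transmitted
    key_a = derive_symmetric_key(dh_shared_secret(site_a_private, site_b_public))
    key_b = derive_symmetric_key(dh_shared_secret(site_b_private, site_a_public))
    return key_a, key_b


if __name__ == "__main__":
    key_a, key_b = exchange()
    print(key_a.hex())
    print("both sites derived the same key:", key_a == key_b)
```

The exchange on its own does not tell a site who is on the other end; that is why the IPsec summary lists authentication (PSK or RSA signatures) as a separate service alongside DH.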

18. SSL
1. You could use IPsec to do your banking, but not everyone has an IPsec client or
software. Even if they did, not everyone has a digital certificate or a PSK that they
could successfully use for authentication.
2. SSL can be used for encryption and authentication, and almost every web browser
out there supports it.
3. To use SSL, the user connects to an SSL server, which is another way of saying
the user connects to a web server that supports SSL by using HTTPS rather than
HTTP. SSL is also known as Transport Layer Security (TLS).
4. The browser asks the web server to identify itself. The server sends the browser a
copy of its SSL certificate, and the browser checks whether it trusts the certificate by
looking at the digital signature of the CA that is on the certificate. Using the method
for verifying a digital signature discussed earlier, the browser determines whether the
certificate is valid based on the signature of the CA. If the certificate is not trusted, a
pop-up appears asking whether you want to continue. You shouldn't continue.

5. If the certificate is trusted, the browser now has access to the server's public key contained in the
6. Usually the server does not require the browser to prove who it is; instead, the web
server uses some type of user authentication, such as a username and password, as
required to verify who the user is.
7. After authentication, several additional exchanges occur between the browser and
the server as they establish the encryption algorithm they will use and the keys that
they will use to encrypt and decrypt the data.
Table 17-2 VPN Components

Component | Function | Examples of Use
Symmetrical encryption algorithms | Uses the same key for encrypting and decrypting data | DES, 3DES, AES, IDEA
Asymmetrical encryption algorithms | Uses a public and private key. One key encrypts the data, and the other key in the pair is used to decrypt | RSA, Diffie-Hellman
Digital signature | Encryption of hash using private key, and decryption of hash with the sender's public key | RSA signatures
Diffie-Hellman key exchange | Uses a public-private key pair asymmetrical algorithm, but creates final shared secrets (keys) that are then used by symmetrical algorithms | Used as one of the many services of IPsec
Confidentiality | Encryption algorithms provide this by turning clear text into cipher text | DES, 3DES, AES
Data integrity | Validates data by comparing hash values | MD5, SHA-1
Authentication | Verifies the peer's identity to the other peer | PSKs, RSA signatures

III. Do I Know This Already? Quiz

Table 17-1 Do I Know This Already? Section-to-Question Mapping

Foundation Topics Section | Questions
Understanding VPNs and Why We Use Them |
Cryptography Basic Components |


1. What element in a VPN provides the P portion?
a. Data integrity
b. Confidentiality
c. Antireplay
d. Authentication
2. What algorithms in a VPN provide the confidentiality? (Choose all that apply.)
a. MD5
b. SHA-1
c. AES
d. 3DES
3. A remote user needs to access the corporate network from a hotel room from a
laptop. What type of VPN is used for this?
a. Site-to-Site VPN
b. Dial-up VPN
d. Remote-access VPN
4. Which type of VPN technology is likely to be used in a site-to-site VPN?
a. SSL
b. TLS
d. IPsec
5. Which two of the following are benefits of VPNs?
a. Hashing
b. Confidentiality
c. Diffie-Hellman
d. Data integrity
6. How can a publicly available and well-known cipher be used to securely encrypt
data between two endpoints of a VPN tunnel?
a. MD5
b. Keys
c. Authentication
d. Antireplay
7. Which of the following are symmetrical encryption ciphers? (Choose all that apply.)
a. SHA1
b. AES
c. RSA
d. 3DES
8. What is the primary difference between a hash and Hashed Message Authentication
Code (HMAC)?
a. Keys
b. MD5
c. SHA1
d. AES
9. What is used to encrypt the hash in a digital signature?
a. Sender's public key
b. Sender's private key
c. Receiver's public key
d. Receiver's private key
10. What are valid options to protect data in motion with or without a full VPN?
(Choose all that apply.)
a. TLS
b. SSL
d. IPsec

IV. Review All the Key Topics

Table 17-3 Key Topics

Key Topic Description
What is a VPN?
VPN technologies
Main benefits of VPNs
Ciphers and keys
Symmetric and asymmetric algorithms
Hashes
Hashed Message Authentication Code
Digital signatures
IPsec and SSL

V. Complete the Tables and Lists from Memory

Table 17-2 Add NTP Server Configuration

Field | Description
IP Address | Add the IP address of the NTP server. (This may be the IP address of a publicly available NTP server or an internal server on your network.)
Interface | Select the interface the server will be contacted through. If no interface is selected, the ASA uses the default route to try to locate the server.
Preferred | If you have entered multiple servers and require this one to be preferred over others, select this option. However, depending on the accuracy of the server, if another server's time is more accurate than the preferred one, it is used.
Key Number | Select from the list or enter a number for this authentication key.
Trusted | This option must be selected for authentication to work successfully.
Key Value | Enter the message digest 5 (MD5) key used by the server for authentication.
Re-Enter Key | Reenter the MD5 key.

Table 17-2 VPN Components

Component | Function | Examples of Use
Symmetrical encryption algorithms | Uses the same key for encrypting and decrypting data | DES, 3DES, AES, IDEA
Asymmetrical encryption algorithms | Uses a public and private key. One key encrypts the data, and the other key in the pair is used to decrypt | RSA, Diffie-Hellman
Digital signature | Encryption of hash using private key, and decryption of hash with the sender's public key | RSA signatures
Diffie-Hellman key exchange | Uses a public-private key pair asymmetrical algorithm, but creates final shared secrets (keys) that are then used by symmetrical algorithms | Used as one of the many services of IPsec
Confidentiality | Encryption algorithms provide this by turning clear text into cipher text | DES, 3DES, AES
Data integrity | Validates data by comparing hash values | MD5, SHA-1
Authentication | Verifies the peer's identity to the other peer | PSKs, RSA signatures

VI. Define Key Terms

1. VPN
2. SSL
3. IPsec
4. 3DES
5. AES
6. MD5
7. SHA1
8. hash
9. HMAC
10. digital signature
11. symmetrical
12. asymmetrical
13. key