
Overview of VPN in Security Context:

VPN Advantages:

 It allows remote users to connect securely to the enterprise network over the public internet.
 It saves cost: a VPN over an existing internet connection avoids the rental and maintenance costs of dedicated leased lines.
 Because traffic leaves the VPN gateway with the gateway's IP address, a user can reach sites and bypass filters that block the user's own address (this is the consumer-VPN view; in an enterprise it also means the remote user is subject to the corporate egress policy).
 Users can transfer files through the encrypted tunnel without setting up encryption in each application.
 With a VPN, a small business can securely connect its main office with branch offices, customers, suppliers, employees and partners.

4 Functionalities of VPN:

 Authentication: each peer proves its identity before the tunnel is established.
 Confidentiality (data protection): the encapsulated data is encrypted.
 Data integrity: modification of the data in transit is detected.
 Access control: only authenticated peers, and only the traffic the policy allows, reach the protected network.

In doing so the VPN also:

a. Maintains availability of the IT infrastructure to remote users.
b. Enforces access control.
VPN technology:

A VPN tunnel encapsulates the original packets inside new packets addressed to the far end of the tunnel. The encrypted link inside the tunnel gives the user a secure connection to the private network across the untrusted public internet. The encryption and integrity protection are provided by security protocols such as SSL/TLS or IPsec (ESP).

VPN services work at Layer 2 or Layer 3 of the OSI model.

 For a Layer 3 VPN all the WAN routing is controlled by the service provider, whereas for a Layer 2 VPN the business has to handle the routing itself (the provider only carries frames).
 Layer 2 MPLS offers a cost-effective solution with high bandwidth, whereas Layer 3 offers relatively lower bandwidth.
 Layer 2 VPNs are less scalable than Layer 3 VPNs.
 IPLS, VPLS and 802.1Q tunnelling (Q-in-Q) are examples of Layer 2 VPNs; MPLS L3VPN and IPsec point-to-point tunnels are examples of Layer 3 VPNs [1].

[1] "Layer 2 vs. Layer 3 MPLS | GCOMM", GCOMM, 2020. [Online]. Available: https://gcomm.com.au/blog/layer-2-vs-layer-3-mpls/. [Accessed: 15-Oct-2020].

VPN components:

VPN components are broadly categorised into 4 parts:

The internet: the underlying transport network over which the tunnel runs.

Security gateways: firewalls, routers or dedicated VPN concentrators placed between the public internet and the private network; they terminate the tunnels and block unwanted traffic.

Security policy servers: hold the policy, for example the access control list (ACL), that the security gateways consult to decide which traffic to allow and which to deny.

Certificate authorities: issue and validate the certificates that bind a peer's identity to its public key, so that peers can authenticate each other, and perform related checks such as revocation.
Seven Domains:

User domain: the actual users and employees. Any user wanting to use organisational IT infrastructure must review and sign the Acceptable Use Policy (AUP) before using it.

Workstation domain: the end-user devices. These workstations must maintain their integrity by running personal firewalls, anti-spyware, anti-virus and other security countermeasures.

LAN domain: the local network and the equipment connected to it (switches, wireless access points, file and print servers, workstations).

LAN-to-WAN domain: routers, firewalls, the DMZ, IDPS etc. are configured and deployed in this domain.

Remote Access domain: the secure, encrypted access of remote users to the company's IT infrastructure, typically SSL/TLS or IPsec VPN tunnelling.

WAN domain: the service provider's WAN connectivity that securely connects all the organisation's sites and remote users.

System/Application domain: all the hardware, OS software, database software, data etc. in the enterprise data centre.

http://www.divyaaradhya.com/2018/03/13/policies-for-the-seven-domains-of-a-typical-it-infrastructure/
https://sis.binus.ac.id/2018/01/15/the-seven-domain-of-a-typical-it-infrastructure/

Business requirements:

Availability of the network and its components:

- Redundancy
- High availability
- Avoiding a single point of failure
- Resistance to denial of service

Sensitivity of the data:

- Encryption
- Access control

Any business or company network with remote users should have a VPN configured and deployed. Because remote users enter from the untrusted internet, there should be additional protection: a firewall in front of the VPN endpoint, segmentation by placing the endpoint in a DMZ, or additional SSL/TLS encryption at the application layer.

Is a VPN more costly than leased lines?

https://www.leasedlineandmpls.co.uk/leased-line-or-vpn/

Is remote access possible without a VPN?

https://jumpcloud.com/blog/remote-network-access-no-vpn

https://www.giac.org/paper/gsec/215/remote-access-security-radius/100741

Lecture 2:

https://www.informit.com/articles/article.aspx?p=25946&seqNum=4
VPN in terms of CIA:

Confidentiality: the VPN ensures data confidentiality by encrypting and encapsulating the data. Various encryption keys, encryption algorithms (symmetric for the bulk data, asymmetric for key exchange and authentication) and protocols are used for this.

Integrity: data integrity is achieved via an HMAC (Hash-based Message Authentication Code) computed over each packet, so any modification in transit is detected and the packet is dropped.

Availability: every packet passing through the tunnel is encapsulated and authenticated, so the risk of an intruder penetrating the internal network through the remote-access path is reduced. Note that the VPN does not by itself make the service highly available: the gateway needs redundancy (see business requirements above) or it becomes a single point of failure.

Authentication: a VPN enhances authentication by various methods: pre-shared keys (PSK), certificates (as in SSL/TLS), and user authentication for remote users.
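
The following is an added example, not code from the lecture notes, showing how the tunnel described under "VPN technology" and the confidentiality and integrity points above fit together for one packet, in the style of IPsec ESP: an SPI and sequence number header, an encrypted payload, and a trailing integrity check value (ICV), with an anti-replay window on the receiver. It assumes constructed keys and SPI (in practice these come from IKE), uses SHA-256 in counter mode as a standard-library stand-in for AES-CTR, and truncates HMAC-SHA256 to 128 bits as IPsec does.

```python
"""Added example, not from the lecture notes: how a tunnel protects one packet
for confidentiality, integrity and replay resistance, in the style of IPsec
ESP (SPI + sequence number header, encrypted payload, trailing ICV).

Assumptions: keys and the SPI are constructed constants (in practice they come
from IKE); the keystream is SHA-256 in counter mode as a standard-library
stand-in for AES-CTR; the ICV is HMAC-SHA256 truncated to 128 bits; the replay
window is 64 packets.
"""
import hashlib
import hmac
import struct

SPI = 0x1A2B3C4D                     # constructed Security Parameter Index
ENC_KEY = bytes.fromhex("11" * 32)   # constructed encryption key
MAC_KEY = bytes.fromhex("22" * 32)   # constructed integrity key
ICV_LEN = 16
WINDOW = 64


def _keystream(key: bytes, spi: int, seq: int, length: int) -> bytes:
    """Counter-mode keystream; (SPI, seq) must never repeat under one key."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">IIQ", spi, seq, block)).digest()
        block += 1
    return out[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def protect(plaintext: bytes, seq: int) -> bytes:
    """Sender side: encrypt, then MAC header+ciphertext (encrypt-then-MAC)."""
    header = struct.pack(">II", SPI, seq)
    ciphertext = _xor(plaintext, _keystream(ENC_KEY, SPI, seq, len(plaintext)))
    icv = hmac.new(MAC_KEY, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


class Receiver:
    """Receiver side with an anti-replay window (RFC 4303 ordering:
    window check, then ICV check, then window update)."""

    def __init__(self):
        self.highest = 0
        self.seen = set()

    def unprotect(self, packet: bytes) -> bytes:
        if len(packet) < 8 + ICV_LEN:
            raise ValueError("truncated packet")
        header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack(">II", header)
        if spi != SPI:
            raise ValueError("unknown SPI")
        if seq in self.seen or seq + WINDOW <= self.highest:
            raise ValueError("replayed or stale sequence number")
        expected = hmac.new(MAC_KEY, header + body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("integrity check failed")
        # only an authenticated packet may advance the replay window
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s + WINDOW > self.highest}
        return _xor(body, _keystream(ENC_KEY, spi, seq, len(body)))


def demo() -> dict:
    """Round trip two packets, then feed a tampered packet and a replayed one."""
    rx = Receiver()
    p1 = protect(b"GET /payroll HTTP/1.1", 1)
    p2 = protect(b"second packet", 2)
    p3 = protect(b"third packet", 3)
    results = {"plain1": rx.unprotect(p1), "plain2": rx.unprotect(p2)}
    tampered = bytearray(p3)
    tampered[10] ^= 0x01                     # flip one ciphertext bit
    for name, pkt in (("tamper", bytes(tampered)), ("replay", p1)):
        try:
            rx.unprotect(pkt)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the ICV is verified before anything is decrypted, so a tampered packet never reaches the decryption code, and the replay window is only advanced by packets whose ICV verified, so an attacker cannot push the window forward with forged sequence numbers.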

Drawbacks of VPN:

- Irregular connection drops and a slower internet connection (encryption and encapsulation overhead, plus the detour via the gateway).
- Illegal use of VPNs by attackers to hide the origin of their cyber-attacks.
- It does not ensure QoS over the public internet because of congestion, latency and packet loss.
- For constant accessibility the VPN gateway itself must be made highly available.
- VPN clients are difficult to troubleshoot.

Lecture 3:
The differences between IKEv1 and IKEv2 are:

 IKEv2 is more scalable: the initial exchange needs only 4 messages (IKE_SA_INIT and IKE_AUTH) against 6 or 9 in IKEv1 (main or aggressive mode plus quick mode), the first IPsec security association is created as part of that exchange, and further policies and SAs are negotiated automatically.
 IKEv1 requires symmetric authentication (both peers must use the same method), whereas IKEv2 allows asymmetric authentication, e.g. one side with RSA certificates and the other with a pre-shared key or EAP.
 IKEv2 provides more security as it supports more algorithms than IKEv1 and has built-in protection against DoS (cookies) and built-in NAT traversal.
 IKEv2 derives separate integrity and encryption keys for each direction of the IKE SA (SK_ai/SK_ar, SK_ei/SK_er), whereas IKEv1 uses one set of keys for both directions. IKEv2 supports EAP authentication whereas IKEv1 does not.

https://www.kareemccie.com/2016/12/differences-between-ikev1-and-ikev2.html
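
As an added example (not from the lecture notes or from any IKE implementation), the following derives the IKEv2 key set exactly as RFC 7296 section 2.14 specifies, to make the "separate keys for each direction" point concrete. It assumes HMAC-SHA256 as the prf and uses constructed values for the Diffie-Hellman shared secret g^ir, the nonces Ni/Nr and the SPIs, which in a real exchange come from IKE_SA_INIT.

```python
"""Added example, not from the lecture notes: IKEv2 key derivation as
specified in RFC 7296 section 2.14, to show that IKEv2 gives each direction
its own integrity and encryption keys (an IKEv1 IKE SA has one SKEYID_e for
both directions).

Assumptions: prf is HMAC-SHA256; g^ir (the Diffie-Hellman shared secret), the
nonces Ni/Nr and the SPIs are constructed constants standing in for the values
exchanged in IKE_SA_INIT.
"""
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+(K, S) = T1 | T2 | ... where T1 = prf(K, S | 0x01) and
    Tn = prf(K, T(n-1) | S | n); RFC 7296 limits n to 255."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        if n > 255:
            raise ValueError("prf+ cannot produce that much keying material")
        prev = prf(key, prev + seed + bytes([n]))
        out += prev
        n += 1
    return out[:length]


def derive_ike_keys(g_ir: bytes, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes,
                    d_len: int = 32, a_len: int = 32, e_len: int = 32, p_len: int = 32) -> dict:
    """SKEYSEED = prf(Ni | Nr, g^ir);
    {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr}
        = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr)."""
    skeyseed = prf(ni + nr, g_ir)
    layout = [("SK_d", d_len), ("SK_ai", a_len), ("SK_ar", a_len),
              ("SK_ei", e_len), ("SK_er", e_len), ("SK_pi", p_len), ("SK_pr", p_len)]
    keymat = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(n for _, n in layout))
    keys, offset = {}, 0
    for name, n in layout:
        keys[name] = keymat[offset:offset + n]
        offset += n
    return keys


def integrity_tag(key: bytes, message: bytes) -> bytes:
    """AUTH_HMAC_SHA2_256_128 style: HMAC-SHA256 truncated to 128 bits."""
    return prf(key, message)[:16]


# constructed sample values (in a real exchange these come from IKE_SA_INIT)
G_IR = bytes.fromhex("ab" * 32)
NI, NR = b"initiator-nonce-" * 2, b"responder-nonce-" * 2
SPI_I, SPI_R = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")


def demo() -> dict:
    keys = derive_ike_keys(G_IR, NI, NR, SPI_I, SPI_R)
    msg = b"IKE_AUTH payload from initiator"
    tag = integrity_tag(keys["SK_ai"], msg)   # initiator -> responder direction
    return {
        "distinct_keys": len(set(keys.values())) == len(keys),
        # the responder verifies initiator traffic with SK_ai ...
        "verify_with_SK_ai": hmac.compare_digest(tag, integrity_tag(keys["SK_ai"], msg)),
        # ... and the same tag does not verify under the responder-direction key
        "verify_with_SK_ar": hmac.compare_digest(tag, integrity_tag(keys["SK_ar"], msg)),
    }


if __name__ == "__main__":
    for name, value in derive_ike_keys(G_IR, NI, NR, SPI_I, SPI_R).items():
        print(f"{name:6s} {value.hex()}")
    print(demo())
```

The practical consequence is that a message captured in one direction cannot be reflected back to its sender as if it came from the peer: the reflected message carries a tag under SK_ai, and the original sender only accepts tags under SK_ar.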
Lecture 4:
Software vs hardware-based VPN

Layer 2 vs Layer 3 VPN

https://networkinterview.com/layer-2-vpn-vs-layer-3-vpn/

VPN server on a firewall:

Pros:

It is easier to manage and control security.

We can create firewall rules that can be applied to our VPN traffic.

Cons:

Single point of failure

Improper configuration of firewall rules may allow traffic from internet to get to internal network.

VPN server parallel to the firewall:

Pros:

There is no need to modify the firewall configuration to support VPN packets, as the VPN traffic does not pass through the firewall at all.

Scalability: if there is excess workload on the VPN, we can add machines and distribute it.

It is simpler to add VPN servers.

Cons:

Since the VPN server and the firewall are both directly connected to the internet, both are exposed to attack. Both must be well protected, otherwise an attacker can break into the VPN server and from there compromise the internal network.

VPN server behind the firewall (on the LAN or as part of the DMZ):

Pros:

The VPN server is completely protected from the internet by the firewall.

It eases the administrator's workload too: the administrator is already familiar with routing traffic through the firewall and only needs to open the ports and protocols the VPN requires (for IPsec: UDP 500 for IKE, UDP 4500 for NAT-T and IP protocol 50 for ESP; for an SSL VPN: TCP 443).

Cons:

Network performance degrades because all VPN traffic travels through the firewall as well.
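
The following is an added example, not from the lecture notes: a first-match access control list of the kind the "security policy server" component hands to a security gateway, used to audit the rule set in front of an IPsec VPN server placed in the DMZ. It shows the correct rule set next to the misconfiguration named under the "VPN server on a firewall" cons, where an over-broad rule lets internet traffic straight into the internal network. The VPN gateway address, the internal range, the rule order and the sample flows are all constructed; the evaluator assumes first match wins with an implicit deny, which is how most firewall ACLs behave.

```python
"""Added example, not from the lecture notes: a first-match access control
list of the kind a security policy server hands to a security gateway, used
to check the rule set in front of a VPN server placed in the DMZ.

Assumptions: the VPN gateway address, the internal range and the sample flows
are constructed; rule semantics are first match wins with an implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

VPN_GW = "192.0.2.10"        # constructed DMZ address of the VPN server
INTERNAL = "10.0.0.0/8"      # constructed internal range
ANY = "0.0.0.0/0"


@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    proto: str                    # "udp", "tcp", "esp" or "any"
    src: str                      # source CIDR
    dst: str                      # destination CIDR
    dport: Optional[int] = None   # None matches any port (ESP has none)

    def matches(self, flow: dict) -> bool:
        return ((self.proto == "any" or self.proto == flow["proto"])
                and ipaddress.ip_address(flow["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(flow["dst"]) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == flow.get("dport")))


def evaluate(rules: list, flow: dict) -> str:
    """First matching rule decides; no match means implicit deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


# Correct: only the ports and protocols the VPN needs, and only to the VPN server.
GOOD_RULES = [
    Rule("allow", "udp", ANY, VPN_GW, 500),    # IKE
    Rule("allow", "udp", ANY, VPN_GW, 4500),   # IKE and ESP over UDP (NAT-T)
    Rule("allow", "esp", ANY, VPN_GW),         # ESP, IP protocol 50
    Rule("deny", "any", ANY, ANY),
]

# Misconfiguration: an "allow VPN users into the LAN" rule written with an
# internet-wide source, so any internet host reaches internal servers directly.
BAD_RULES = [
    Rule("allow", "udp", ANY, VPN_GW, 500),
    Rule("allow", "udp", ANY, VPN_GW, 4500),
    Rule("allow", "esp", ANY, VPN_GW),
    Rule("allow", "any", ANY, INTERNAL),
    Rule("deny", "any", ANY, ANY),
]

# constructed sample flows as seen by the firewall on its internet-facing side
SAMPLE_FLOWS = {
    "ike_to_vpn": {"proto": "udp", "src": "203.0.113.5", "dst": VPN_GW, "dport": 500},
    "esp_to_vpn": {"proto": "esp", "src": "203.0.113.5", "dst": VPN_GW},
    "ssh_to_vpn": {"proto": "tcp", "src": "203.0.113.5", "dst": VPN_GW, "dport": 22},
    "smb_to_lan": {"proto": "tcp", "src": "198.51.100.9", "dst": "10.0.5.20", "dport": 445},
}


def audit(rules: list) -> dict:
    """Evaluate every sample flow against a rule set."""
    return {name: evaluate(rules, flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    print("good:", audit(GOOD_RULES))
    print("bad: ", audit(BAD_RULES))
```

Running it shows the difference in one line: under GOOD_RULES the SMB flow from the internet to 10.0.5.20 is denied, under BAD_RULES it is allowed. Traffic from authenticated VPN users should instead be permitted on the gateway's inside interface, after decryption, with its own source range, not with a rule that matches the whole internet.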
