Virtual Private Networks (VPNs): Simplified
Erich Spengler
CSSIA CATC—Moraine Valley Community College
2008—60 Minute Session
BRK-134T
VPNs Simplified © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 1
Agenda
Demonstration
Introduction to VPNs
VPN Security (IPSec, PPTP, SSL)
VPN Technology Comparison
VPN Group Exercise
Demonstration—Remote Network Access via VPN
[Figure: a remote user reaches the corporate servers across the Internet (an unsecure network) through a VPN server/gateway]
What Is a Virtual Private Network (VPN)?
[Figure: Corporate HQ with a VPN router connected over the Internet to a homeworker with a VPN router, a teleworker with VPN client software, a wireless hotspot client with VPN client software, and a branch office with a VPN router]
Using Site-to-Site VPNs
[Figure: VPN tunnels between sites carried over the Internet, PSTN/ISDN and broadband links]
Extranet: Business-to-Business
Using Remote-Access VPNs
[Figure: a remote-access client, telecommuter or mobile user reaches the network through a POP, the Internet, or a router]
Extranet: Consumer-to-Consumer
Terms on this slide: GRE, IPSec, L2TP, DES, 3DES, MPLS, MPPE, PPTP, TCP checksum, AH in IPSec, identify source, authentication, PKI, RSA
VPN Security
What a VPN Must Provide
Confidentiality
Integrity
Availability
Network Security Model
Transport/Network Layer (3–4): GRE, PPTP, L2TP, IPSec, MPLS, MPPE
Link/Physical Layer (1–2): Link-Layer Encryption
What Is an IPSec VPN?
Advantages of IPSec
Access VPNs
Classic site-to-site managed VPNs
Trusted MPLS VPNs
[Figure: a service provider network linking the main office, a POP, mobile workers and a business partner; the protected packet is shown as IP Header | AH Header | ESP Header]
IPSec Framework
IPSec framework choices
Encryption: DES, 3DES, AES
IP Header with IPSec Information
IP Header | AH Header | ESP Header | IP Data (Encrypted)
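The packet layout on this slide (IP header, then AH, then ESP, then encrypted data), as an added worked example that is not part of the original deck: a small Python parser that walks the header chain of a packet constructed inline for the demo. The RFC 5737 test addresses, the SPIs, the sequence numbers and the 12-byte ICV are made up; the ICV is a placeholder (a real AH ICV is an HMAC over the packet with mutable fields zeroed), and the ESP payload is treated as opaque because, without the SA's key, only its SPI and sequence number can be read. That asymmetry is the point of the slide: AH fields are readable and checkable on the path, ESP's trailer (padding, pad length, next header) and data are not.

```python
"""Parse an IPv4 packet laid out as IP Header | AH Header | ESP Header | encrypted data.

Added example; the packet built by demo_packet() is constructed for the demo
(RFC 5737 test addresses, made-up SPIs, a placeholder ICV), not a capture.
"""
import struct

IPPROTO_ESP = 50
IPPROTO_AH = 51


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum, plus payload."""
    s = bytes(int(o) for o in src.split("."))
    d = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, 0x4000, 64, proto, 0, s, d)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """AH (RFC 4302): Payload Len counts 32-bit words minus 2, so a 12-byte ICV gives 4."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP (RFC 4303): only the SPI and Sequence Number travel in the clear."""
    return struct.pack("!II", spi, seq) + ciphertext


def parse_ipv4(pkt: bytes) -> dict:
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (fields[0] & 0x0F) * 4
    return {
        "version": fields[0] >> 4,
        "total_length": fields[2],
        "protocol": fields[6],
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,   # sum over a valid header folds to 0
        "src": ".".join(map(str, fields[8])),
        "dst": ".".join(map(str, fields[9])),
        "payload": pkt[ihl:fields[2]],
    }


def parse_ah(data: bytes):
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    ah_len = (payload_len + 2) * 4
    return {"next_header": next_header, "spi": spi, "seq": seq,
            "icv": data[12:ah_len].hex()}, data[ah_len:]


def parse_esp(data: bytes) -> dict:
    spi, seq = struct.unpack("!II", data[:8])
    # Everything after the 8-byte header (data, padding, pad length, next header, ICV)
    # is ciphertext and cannot be parsed further without the SA's key.
    return {"spi": spi, "seq": seq, "ciphertext_len": len(data) - 8}


def parse_packet(pkt: bytes) -> dict:
    """Walk the IPsec header chain; stop at ESP because its next-header field is encrypted."""
    ip = parse_ipv4(pkt)
    if not ip["checksum_ok"]:
        raise ValueError("bad IPv4 header checksum")
    headers, proto, rest = [], ip["protocol"], ip["payload"]
    while proto == IPPROTO_AH:
        ah, rest = parse_ah(rest)
        headers.append(("AH", ah))
        proto = ah["next_header"]
    if proto == IPPROTO_ESP:
        headers.append(("ESP", parse_esp(rest)))
    return {"ip": ip, "headers": headers}


def demo_packet() -> bytes:
    """Constructed sample: AH (SPI 0x200) in front of ESP (SPI 0x1001) with 32 bytes of data."""
    esp = build_esp(0x1001, 7, bytes(range(32)))        # stands in for ciphertext
    ah = build_ah(IPPROTO_ESP, 0x200, 7, b"\xaa" * 12)  # placeholder HMAC-SHA1-96 ICV
    return build_ipv4("192.0.2.10", "198.51.100.1", IPPROTO_AH, ah + esp)


if __name__ == "__main__":
    for name, fields in parse_packet(demo_packet())["headers"]:
        print(name, fields)
```

Running the module prints the AH fields (next header 50, SPI, sequence, ICV) followed by the ESP fields, with nothing recoverable beyond the ESP SPI and sequence number; flipping any byte of the IP header makes parse_packet raise on the checksum, which is the only integrity check a plain IP header carries and exactly what AH's ICV extends to the rest of the packet.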
IPSec in a Standards World
[Figure: a headquarters router and firewall linked to a remote-office firewall across an Internet/IP VPN, authenticated with certificates and protected by periodic re-key]
Standards-based cryptography: IKE, IPSec, 3DES
Equipment/vendor interoperability
IKE Benefits an IPSec Environment
[Figure: IKE Phase 1, then IKE Phase 2, then data; each peer ends up holding a Phase 2 SA (IPSec SA)]
Two-phase protocol:
Phase 1 exchange: the two peers establish a secure, authenticated channel over which to communicate; Main Mode or Aggressive Mode accomplishes a Phase 1 exchange
Phase 2 exchange: security associations are negotiated on behalf of IPSec services; Quick Mode accomplishes a Phase 2 exchange
ISAKMP Main, Quick and Aggressive Modes
Main Mode (Phase 1): six messages between Initiator and Responder
1. Initiator to Responder: Header, SA
2. Responder to Initiator: Header, SA
3. Initiator to Responder: Header, Key, Nonce
4. Responder to Initiator: Header, Key, Nonce
5. Initiator to Responder: Header, ID, [Cert], Sig
6. Responder to Initiator: Header, ID, [Cert], Sig
([Cert] is the optional certificate payload)
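The six-message Main Mode exchange on this slide and the Phase 1 description on the previous one, as an added example that is not part of the original deck: a Python model of IKEv1 Main Mode in which both peers run every step and a passive observer's view of the wire is recorded. The slide draws signature authentication ([Cert], Sig); this model uses pre-shared-key authentication instead, because its SKEYID and HASH_I/HASH_R formulas (RFC 2409 section 5.4) can be followed with the standard library alone. Everything cryptographic is a labelled stand-in: a small toy Diffie-Hellman group, HMAC-SHA256 as the prf, and an XOR keystream in place of the negotiated cipher, so it interoperates with nothing. What it does show is the property Main Mode exists for: identities and authentication hashes travel only in messages 5 and 6, under the key derived from messages 3 and 4, and a PSK mismatch is detected by the responder before it reveals its own identity.

```python
"""Toy model of an IKEv1 Main Mode (Phase 1) exchange with pre-shared-key
authentication. Added example, not Cisco code; the crypto is simplified
(toy DH group, HMAC-SHA256 prf, XOR keystream) and not interoperable with real IKE."""
import hashlib
import hmac
import os

P = (1 << 127) - 1  # toy DH modulus (assumption); real IKE uses the RFC 2409/3526 MODP groups
G = 5
HLEN = 32           # prf output length


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def enc(n: int) -> bytes:
    """Fixed-width encoding of a group element (P fits in 16 bytes)."""
    return n.to_bytes(16, "big")


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with SHA-256(key || block counter); the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


class Peer:
    def __init__(self, identity: bytes, psk: bytes):
        self.id, self.psk = identity, psk
        self.cookie = os.urandom(8)                         # ISAKMP header cookie
        self.x = int.from_bytes(os.urandom(15), "big") + 1  # DH private value
        self.pub = pow(G, self.x, P)                        # KE payload (g^x)
        self.nonce = os.urandom(16)


def skeyid_family(psk, ni, nr, shared, cky_i, cky_r):
    """RFC 2409 section 5.4, PSK authentication: SKEYID and the keys derived from it."""
    skeyid = prf(psk, ni + nr)
    d = prf(skeyid, shared + cky_i + cky_r + b"\x00")   # SKEYID_d: feeds Phase 2 keys
    a = prf(skeyid, d + shared + cky_i + cky_r + b"\x01")  # SKEYID_a: Phase 2 authentication
    e = prf(skeyid, a + shared + cky_i + cky_r + b"\x02")  # SKEYID_e: encrypts HDR* messages
    return skeyid, d, a, e


def auth_hash(skeyid, own_pub, peer_pub, own_cky, peer_cky, sa, ident):
    """HASH_I / HASH_R: binds the identity to this DH exchange, cookies and SA proposal."""
    return prf(skeyid, enc(own_pub) + enc(peer_pub) + own_cky + peer_cky + sa + ident)


def main_mode(i: Peer, r: Peer, sa: bytes = b"3DES/SHA/DH-toy"):
    """Run the six messages. Returns (authenticated, wire); wire is the observer's view."""
    wire = [("I->R", sa), ("R->I", sa)]                                      # 1, 2: SA
    wire += [("I->R", enc(i.pub) + i.nonce), ("R->I", enc(r.pub) + r.nonce)]  # 3, 4: KE, Nonce
    shared_i, shared_r = enc(pow(r.pub, i.x, P)), enc(pow(i.pub, r.x, P))
    ki = skeyid_family(i.psk, i.nonce, r.nonce, shared_i, i.cookie, r.cookie)
    kr = skeyid_family(r.psk, i.nonce, r.nonce, shared_r, i.cookie, r.cookie)
    # 5: HDR*, IDi, HASH_I, encrypted under SKEYID_e, so the identity is never in the clear
    msg5 = toy_cipher(ki[3], i.id + auth_hash(ki[0], i.pub, r.pub, i.cookie, r.cookie, sa, i.id))
    wire.append(("I->R", msg5))
    plain = toy_cipher(kr[3], msg5)
    id_i, h = plain[:-HLEN], plain[-HLEN:]
    if not hmac.compare_digest(h, auth_hash(kr[0], i.pub, r.pub, i.cookie, r.cookie, sa, id_i)):
        return False, wire  # responder aborts: PSK mismatch or a tampered exchange
    # 6: HDR*, IDr, HASH_R
    msg6 = toy_cipher(kr[3], r.id + auth_hash(kr[0], r.pub, i.pub, r.cookie, i.cookie, sa, r.id))
    wire.append(("R->I", msg6))
    plain = toy_cipher(ki[3], msg6)
    id_r, h = plain[:-HLEN], plain[-HLEN:]
    ok = hmac.compare_digest(h, auth_hash(ki[0], r.pub, i.pub, r.cookie, i.cookie, sa, id_r))
    return ok, wire


def identity_on_wire(wire, identity: bytes) -> bool:
    """True if an identity string is visible in any message a passive observer captured."""
    return any(identity in payload for _, payload in wire)


if __name__ == "__main__":
    ok, wire = main_mode(Peer(b"client@example.com", b"psk-1"), Peer(b"gw.example.com", b"psk-1"))
    print("authenticated:", ok, "messages:", len(wire),
          "identity visible:", identity_on_wire(wire, b"client@example.com"))
```

A matching PSK yields six messages and a successful authentication with neither identity visible on the wire; a mismatched PSK stops after message 5, before the responder has sent its own ID. Aggressive Mode compresses the exchange to three messages at the cost of sending the identities, and under PSK authentication HASH_R, unencrypted, which is why a captured Aggressive Mode exchange can be attacked offline against the PSK while Main Mode cannot.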
Web/SSL VPN Features
[Figure: a WebVPN client behind a broadband modem reaches the corporate network through the broadband provider/ISP and an ASA firewall acting as the WebVPN access point; wireless LAN users are shown as well]
Features:
Access to internal web sites (HTTP/HTTPS), including filtering
Access to internal Windows (CIFS) file shares
TCP port forwarding for legacy application support
Access to e-mail via POP, SMTP, and IMAP4 over SSL
Web/SSL VPN and IPSec Comparison
WebVPN: Uses a standard web browser to access the corporate network
IPSec VPN: Uses purpose-built client software for network access
WebVPN: SSL encryption native to the browser provides transport security
IPSec VPN: The client provides encryption and desktop security
WebVPN: Applications are accessed through a browser portal
IPSec VPN: The client establishes a seamless connection to the network
WebVPN: Limited client/server applications, accessed using applets
IPSec VPN: All applications are accessible through their native interface
What Is a PPTP VPN?
VPN Technology Options
Application Layer (5–7): SSH, SSL
Transport/Network Layer (3–4): GRE, PPTP, L2TP, IPSec, MPLS, MPPE
Link/Physical Layer (1–2): Link-Layer Encryption
Benefits of PPTP
[Figure: user data from the organization's secure network crosses the Internet inside a PPTP tunnel]
PPPoE is Point-to-Point Protocol over Ethernet
Single tunnel between endpoints: single device support (GRE = Generic Routing Encapsulation)
Six bytes of overhead when compression is used
No tunnel authentication
With a RADIUS server, supports authentication and accounting
MS-CHAP v2 fixes the password, masquerading, and encryption weaknesses of MS-CHAP v1
40- or 128-bit RC4 (MPPE) packet encryption
Is PPTP Secure? Yes, within the limits of MS-CHAP v2 and 128-bit MPPE
[Figure: client and VPN server across the Internet: Challenge, Response, then New Client Key and New Server Key derived on both sides, then Encrypted Packets]
The client proves knowledge of the password through the MS-CHAP v2 challenge/response, both sides derive fresh MPPE session keys from that exchange, and the packets that follow are RC4-encrypted with those keys.
Caveat: the MS-CHAP v2 response is three DES encryptions of a challenge hash under keys taken from the user's NT password hash, so an attacker who captures the handshake can recover that hash with a single 2^56 DES key search (shown to be practical by Marlinspike and Hulton in 2012), and 40-bit MPPE is far too short to resist a brute-force search at all. Treat PPTP as legacy and prefer IPSec or SSL VPN where a choice exists.
VPN Technology Comparison
[Figure: technologies placed on a scale from Simplicity/Low Cost to Advanced Security: PPTP, L2TP/IPSec, and IPSec Tunnel Mode (gateway to gateway)]
Group Exercise: Configuring VPNs Lab
Summary
Demonstration
Introduction to VPNs
VPN Security (IPSec, PPTP, SSL)
VPN Technology Comparison
VPN Group Exercise