VPN Detailed Notes 1664621006
Encryption protocols
1. SSH (Secure Shell) → Secure remote connectivity
2. S/MIME (Secure/Multipurpose Internet Mail Exchange) → Email security
3. SSL (Secure Socket Layer) → Online transactions
4. IPsec (IP Security) → Online transactions
Tunneling
1. IPsec → Open standard
2. GRE → Cisco proprietary
3. L2F → Layer 2 Forwarding
4. L2TP → Layer 2 Tunneling Protocol
5. PPTP → Point-to-Point Tunneling Protocol
GRE                              | IPsec
---------------------------------|--------------------------
Cisco proprietary                | Open standard
Generic Routing Encapsulation    | IP security
Tunneling                        | Encryption + tunneling
Supports IP, IPX and tunneling   | Supports only IP
Supports unicast and multicast   | Supports only unicast
Less secure                      | More secure

In practice, GRE over IPsec is used (GRE carries the multicast and non-IP traffic, IPsec encrypts the GRE tunnel).
IPsec Modes
Tunnel Mode (encrypts IP header + payload)
• Tunnel mode creates a new, additional IP header and encrypts the original packet as data.
Transport Mode (encrypts payload only)
• Just encrypts the data without adding a new IP header.
DES - Data Encryption Standard; AES - Advanced Encryption Standard
Asymmetric encryption uses different keys: Private Key – Encryption, Public Key – Decryption.
VPNs provide data integrity, authentication and data encryption to assure the confidentiality of packets sent over an unprotected network such as the Internet.
Site-to-Site VPNs: These VPN tunnels are terminated between two or more network infrastructure devices.
Remote-access VPNs: These VPN tunnels are formed between a VPN head-end device and
an end-user workstation or hardware VPN client.
IPSec VPNs protect IP packets exchanged between remote networks or hosts and an IPSec
gateway located at the edge of your private network.
SSL VPN products protect application streams from remote users to an SSL gateway.
In other words, IPsec connects hosts to entire private networks, while SSL VPNs connect users to specific services and applications inside those networks.
IPsec uses the Internet Key Exchange (IKE) protocol to negotiate and establish secured site-
to-site or remote-access VPN tunnels.
IPsec key management is a framework provided by the Internet Security Association and Key Management Protocol (ISAKMP) and parts of two other key management protocols, namely Oakley and the Secure Key Exchange Mechanism (SKEME).
IKE has two phases.
Phase 1 is used to create a secure bidirectional communication channel between the IPsec peers.
IKE Phase 1
1. Negotiate the phase 1 policy (haggle)
2. Set up keys (DH)
3. Authenticate
IKE Phase 1 "SA/Tunnel" ready
IKE Phase 2
Negotiate the phase 2 policy
(Encryption, Hashing, Lifetime, PFS)
IKE Phase 2 "SA/Tunnel" ready
Often called the IPsec tunnel
IPsec uses two different protocols to encapsulate the data over a VPN tunnel.
Encapsulating Security Payload (ESP): IP protocol 50
Authentication Header (AH): IP protocol 51
IPsec can use two modes with either AH or ESP:
Transport Mode: Protects upper-layer protocols, such as UDP and TCP
Tunnel Mode: Protects the entire IP packet.
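As an added example (not part of the original notes), the following Python builds the two IPsec modes described above around a constructed UDP datagram and shows what a defender sees on the wire: transport mode keeps the original header and protects only its payload, tunnel mode wraps the whole packet and adds a new 20-byte outer header, and both are recognisable only as protocol 50 (ESP) or 51 (AH) plus an SPI. It uses ESP-NULL (RFC 2410) so the payload stays readable; all addresses, the SPI and the datagram are made up for the example.

```python
import socket
import struct

ESP, AH = 50, 51                      # IP protocol numbers given in the notes

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                                64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:                 # fold carries back into the low 16 bits
        csum = (csum & 0xFFFF) + (csum >> 16)
    hdr[10:12] = struct.pack("!H", ~csum & 0xFFFF)
    return bytes(hdr)

def esp_wrap(spi, seq, data, next_header):
    """ESP header (SPI, seq) + payload + trailer (padding, pad length, next header).
    ESP-NULL (RFC 2410): payload in the clear; a real SA encrypts it and appends an ICV."""
    pad = (-(len(data) + 2)) % 4      # payload + trailer must end on a 4-byte boundary
    return struct.pack("!II", spi, seq) + data + bytes(range(1, pad + 1)) + bytes([pad, next_header])

def transport_mode(inner, spi, seq):
    """Transport mode: keep the original header (protocol -> ESP), protect only its payload."""
    esp = esp_wrap(spi, seq, inner[20:], inner[9])
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    return ipv4_header(src, dst, ESP, len(esp)) + esp

def tunnel_mode(inner, spi, seq, gw_src, gw_dst):
    """Tunnel mode: whole inner packet inside ESP (next header 4 = IPv4), new outer header."""
    esp = esp_wrap(spi, seq, inner, 4)
    return ipv4_header(gw_src, gw_dst, ESP, len(esp)) + esp

def classify(pkt):
    """Defender's view of a capture: recognise ESP/AH from the outer header and pull the SPI
    (ESP: first 4 bytes; AH: after next-hdr/len/reserved). Inner addresses stay hidden."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto == ESP:
        return "ESP", struct.unpack("!I", pkt[ihl:ihl + 4])[0]
    if proto == AH:
        return "AH", struct.unpack("!I", pkt[ihl + 4:ihl + 8])[0]
    return f"proto {proto}", None

# Constructed sample: a 5-byte UDP datagram between two hosts behind two gateways (made-up addresses).
UDP = struct.pack("!HHHH", 40000, 53, 8 + 5, 0) + b"hello"
INNER = ipv4_header("10.1.1.10", "10.2.2.20", 17, len(UDP)) + UDP
TRANSPORT = transport_mode(INNER, 0x1000, 1)                           # 44 bytes
TUNNEL = tunnel_mode(INNER, 0x1000, 1, "203.0.113.1", "198.51.100.1")  # 64 bytes: +20 for the new header
```

Note that classify() cannot tell tunnel mode from transport mode: the inner header is inside the protected payload, which is exactly why a monitoring point outside the gateways only ever sees gateway-to-gateway ESP flows.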
IKEv2
IKE version 2 enhances the functions of dynamic key exchange and peer authentication.
Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in the IPsec protocol suite.
Specified in IETF Request for Comments (RFC) 2409, IKE defines an automatic means of negotiation and authentication for IPsec security associations (SAs).
Security associations are security policies defined for communication between two or more entities; the relationship between the entities is represented by a key.
The IKE protocol ensures security for SA communication without the manual pre-configuration that would otherwise be required.
IPsec vs SSL:
This section gives a quick overview of two VPN technologies. It covers the differences and strengths of both.
IPsec:
- It works on Layer 3 (Network Layer) of the OSI model.
- Since it works at the network layer, it secures all data that travels between two end points without an association to any specific application.
- Once connected, the user is virtually connected to the entire respective network and able to access all of it.
- It defines how to provide data integrity, authenticity and confidentiality over an insecure network like the Internet.
- It achieves this through tunneling, encryption and authentication.
- It is complex because the two entities that communicate via IPsec have to agree on the same security policies, which must be configured on the devices at both ends.
- A single IPsec tunnel secures all the communication between the devices regardless of traffic type: TCP, UDP, ICMP etc., or any application like e-mail, client-server or database.
- Special-purpose software is available for IPsec connections, for PCs, mobiles and PDAs as well as for edge devices like routers and firewalls.
SSL VPN:
- It works on Layer 7 (Application Layer) of the OSI model.
- It is a protocol used for secure web-based communication over the Internet.
- It uses encryption and authentication to keep communications private between two devices, typically a web server and a user machine.
- Like IPsec, SSL also provides flexibility by providing levels of security.
- Unlike IPsec, SSL helps to secure one application at a time, and each application is supported via the web browser.
- All basic web browser applications such as IE or Mozilla support SSL by default. But not all applications support it, so they require upgrading, which is very costly.
- The above problem can be resolved by purchasing an SSL VPN gateway, which is deployed at the edge of the corporate network and serves as a proxy to LAN applications such as e-mail, file servers and other resources.
- The browser thinks it is directly communicating with the application, and the application thinks it is directly communicating with the browser. The SSL VPN is transparent to either side of the network.
• Thin Client (port-forwarding Java applet) — Thin client mode extends the capability of the cryptographic functions of the web browser to enable remote access to TCP-based applications such as Post Office Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), Telnet, and Secure Shell (SSH).
• Tunnel Mode — Full tunnel client mode offers extensive application support through its dynamically downloaded Cisco AnyConnect VPN Client (next-generation SSL VPN client) for SSL VPN. Full tunnel client mode delivers a lightweight, centrally configured and easy-to-support SSL VPN tunneling client that provides network layer access to virtually any application.
IPsec's key strength lies in its ability to provide a permanent connection between locations. Working at the network layer (layer 3 of the network stack) also makes it application agnostic: any IP-based protocol can be tunneled through it. This makes IPsec an attractive alternative to an expensive leased line or a dedicated circuit. It could also serve as a backup link in the event that the primary leased line or dedicated circuit connecting the remote site to the central office goes down.
SSL VPNs, on the other hand, have been designed from the ground up to support remote access. They do not require any special software to be installed. Remote access is provided through a browser-based session using SSL. SSL VPNs also provide an enterprise with the ability to control access at a granular level. Specific authentication and authorization schemes for access to an application can be limited to a particular user population. Built-in logging and auditing capabilities address various compliance requirements. SSL VPNs also have the ability to run host compliance checks on the remote assets connecting to the enterprise to validate that they are configured with the appropriate security software and have the latest patches installed.
This does not mean SSL VPNs are the panacea for all of IPsec's weaknesses. If a remote site requires an always-on link to the main office, SSL VPN would not be the solution. IPsec, being application agnostic, can support a number of legacy protocols and traditional client/server applications with minimal effort. This is not the case with SSL VPNs, which have been built around Web-based applications. Many SSL VPNs get around this weakness by installing a Java or ActiveX-based agent on the remote asset. This installation is typically achieved seamlessly after the remote asset has successfully authenticated to the SSL VPN appliance, though it should be noted that both ActiveX and Java come with their own security weaknesses that attackers commonly seek to exploit.
SSL VPN is based on the SSL (Secure Socket Layer) protocol, which virtually every computer nowadays supports. That means that your computer already has the "client" software to access the SSL VPN. Traditionally SSL VPN was associated with web browsers (so you could use it only for web-based traffic); however, with solutions like OpenVPN you can now create a VPN solution quite similar (and equally secure) to the one offered by IPsec.
The selection criteria really depend on what you are trying to achieve by implementing a VPN solution.
Traditionally, for site-to-site VPN one would use IPsec, while for client remote access an SSL VPN would be selected (especially for web-based access). However, with OpenVPN you can now implement an equally secure site-to-site VPN solution.
As mentioned at the beginning, IPsec would be more expensive in comparison to an SSL VPN (e.g. OpenVPN). SSL VPN is a tunneling method that uses an encryption layer on top of the IP stack -- usually over TCP, which brings a number of congestion problems with it -- and can be used to secure traffic from an endpoint (home or on-the-road user) to a network that should not be publicly accessible.
Depending on the exact solution, it may be "clientless", which is something of a misnomer as it will usually still require a Java-capable browser, in which a client applet is downloaded and run to build the connection.
There is no such thing as a standard for SSL VPN solutions; all have their own proprietary design. Site-to-site connectivity (to connect two office networks to each other, for example) may or may not be possible depending on the solution.
IPsec VPN, on the other hand, is an encryption method built as an extension to the IPv4 stack (or built in, in the case of IPv6) and can, besides tunneling, also provide mere authentication of IP packets if required.
It is an Internet standard and interoperable gateways are available from several vendors. Site-to-site connectivity is also available in the standard.
IPsec may require dedicated software (or an appliance) on the gateway side.
Client side, in the case of endpoint-to-network connections, a client application may be required for ease of configuration, although IPsec functionality is built into recent Windows versions, comes with all major Linux distributions, and is available on MacOS too.
Free gateway software is available for either case, with OpenSwan being the major contender in IPsec solutions, and OpenVPN in SSL solutions.
Incidentally, OpenVPN is an atypical SSL VPN in that it supports site-to-site connectivity, does require a dedicated client application in all cases (it does not work through a browser), and uses its own proprietary SSL protocol over UDP rather than TCP, thus avoiding the congestion issues of TCP-over-TCP which most "normal" SSL tunneling solutions have.
Typical decision criteria are the same as any IT project -- skill, budget, timeframe, ... Then apply those
to the technologies at hand.
Differences (in brief, with no details):
1. SSL (secure tunnel to APPLICATION)
1.1 SSL works at a high level (TCP). That is, it can secure TCP connections only.
1.2 Can authenticate both sides, a single side, or neither (policy defined by configuration). For example, anyone can connect to the LinkedIn web server via "https" (HTTP over SSL).
1.3 Designed to secure TCP applications only (examples: web servers, mail servers)
1.4 Usually implemented by software above the OS (for example, embedded in the web/mail server)
1.5 Requires additional software (a TCP session forwarder) to secure a particular application if the application does not support SSL directly
1.6 Cheap and well-standardized
1.7 Security is very sensitive to OS/firewall misconfiguration