Documente Academic
Documente Profesional
Documente Cultură
When you use a private WAN connection from a service provider, you trust them that they treat
your data confidential. The service provider will make sure that they separate traffic from different
customers and that nobody else is able to see your data.
What about the Internet? When you send traffic from A to B using the Internet, you have no control
at all which networks are used to get from the source to the destination. Someone in between the
traffic path might be capturing your packets and you wouldn’t know.
VPNs (Virtual Private Network) help by establishing a secure connection over an insecure network,
such as the Internet. This is a great alternative to private WAN connections since Internet access is
usually cheaper and it’s available pretty much everywhere.
VPNs provide a couple of features such as:
• Confidentiality: preventing anyone from reading your data. This is implemented with
encryption.
• Authentication: verifying that the router/firewall or remote user that is sending VPN traffic
is a legitimate device or router.
• Integrity: verifying that the VPN packet wasn’t changed somehow during transit.
• Anti-replay: preventing someone from capturing traffic and resending it, trying to appear as
a legitimate device/user.
VPN Types
There are two common VPN types that we use:
• site-to-site VPN
• client-to-site VPN (remote user)
Site-to-site VPN
With the site-to-site VPN, we have a network device at each site, between these two network
devices we build a VPN tunnel. Each end of the VPN tunnel will encrypt the original IP packet,
adds a VPN header, a new IP header and then forwards the encrypted packet to the other end of the
tunnel.
Here’s an example of a VPN tunnel:
Here’s what happens in the picture above:
• H1 sends an IP packet with source 192.168.1.1 and destination 192.168.2.2.
• R1 encrypts the IP packet, adds a VPN header and creates a new IP header with its own
public IP address as the source and 2.2.2.2 as the destination.
• R1 sends the new packet to R2.
• R2 receives the packet, checks if the packet really came from R1, decrypts it and forwards it
to H2.
• H2 receives the original IP packet.
In the example above I used two routers but firewalls like the Cisco ASA firewall are often used for
VPN tunnels.
Another advantage of (VPN) tunnels is that it allows LANs with private IP addresses to
communicate with each other.
Client-to-site VPN
The client-to-site VPN is also called the remote user VPN. The user installs a VPN client on his/her
computer, laptop, smartphone or tablet. The VPN tunnel is established between the user’s device
and the remote network device. Here’s an example:
In the picture above, the user has established a VPN tunnel between its VPN client and R1. This
allows the user to access a remote server.
VPN Protocols
There are a couple of VPN protocols, the most common ones are:
• IPSec
• PPTP
• L2TP
• SSL VPN
IPSec
The IP protocol itself doesn’t have any security features at all, which is why IPSec was created.
IPSec is not a protocol but it’s a framework and offers confidentiality, integrity, authentication and
anti-replay features on layer three of the OSI model.
It uses a variety of protocols and the advantage of a framework is that the protocols it uses can
change in the future. For example, currently, we can use encryption algorithms like DES, 3DES or
AES but if a new algorithm is created, IPSec might use it in the future.
You can use IPSec for:
• Creating a site-to-site VPN tunnel.
• Creating a client-to-site (remote user) VPN tunnel.
• Between two servers to authenticate and/or encrypt traffic.
PPTP
PPTP (Point to Point Tunneling Protocol) is one of the older VPN protocols, it was released around
1995. It uses a GRE tunnel for tunneling and PPP for authentication (using MS-Chap or MS-Chap
v2). Encryption is done with the MPPE protocol.
Since it’s been around for a while, PPTP is supported on many clients and operating systems. PPTP,
however, has been proven insecure so you shouldn’t use this protocol anymore if you want to
protect your data.
L2TP
L2TP (Layer Two Tunneling Protocol) is an extension of PPTP and as the name implies, allows us
to tunnel layer two traffic over layer three connections. L2TP can be used if you need to “bridge”
two remote LANs together and you want to use a single subnet on both sites. L2TP itself does not
offer any encryption or anything, which is why we use often use it together with IPSec. When you
use L2TP and IPSec together, it’s often referred to as L2TP/IPSec
SSL VPN
SSL (Secure Sockets Layer) is a protocol that is normally used to encrypt traffic between a web
browser and web server. When you surf the web using HTTP, everything is clear text. For secure
connections, we use HTTPS. We can use the same technology for VPNs.
Even though it’s called SSL VPN, nowadays we use TLS (Transport Layer Security) for HTTPS,
which is the successor of SSL.
One of the advantages of SSL VPN is that since it uses HTTPS, you can use it pretty much
everywhere. Most public wifi hotspots do permit HTTPS traffic while some might block other
traffic like IPSec. Another reason why SSL VPN is popular is that you don’t always have to use a
software client.
Most SSL VPN solutions offer a “portal” through the web browser that you can use to access
applications. For some advanced features, you might have to install a software client.
Conclusion
In this lesson you have learned some of the basics of VPNs:
• VPNs can be used as an alternative to private WAN connections and offer a secure
connection over an insecure medium, such as the Internet.
• VPNs offer features such as confidentiality, authentication, integrity and anti-replay.
• The two most common VPN types are site-to-site VPNs and client-to-site VPNs.
• Some common VPN protocols are:
• IPSec: a framework that provides security on layer three of the OSI model.
• PPTP: an old VPN protocol that uses PPP and GRE, insecure and should not be used
anymore.
• L2TP: a VPN protocol that tunnels layer two traffic, does not offer any encryption so
should be used together with IPsec.
• SSL VPN: uses SSL (HTTPS) to create a secure connection with the web browser.