Networking Infrastructure and Protocols 06
Networking

Infrastructure
& Protocols

PRESENTATION BY:
LALINDA RATHNABHARATIE
Module Objectives
Module Title: VPN and IPsec Concepts

Module Objective: Explain how VPNs and IPsec are used to secure site-to-site and
remote access connectivity.

Topic Title      Topic Objective
VPN Technology   Describe the benefits of VPN technology.
Types of VPNs    Describe different types of VPNs.
IPsec            Explain how the IPsec framework is used to secure network traffic.
VPN Technology
Virtual Private Networks
• Virtual private networks (VPNs) are used
to create end-to-end private network
connections.
• A VPN is virtual in that it carries
information within a private
network, but that information is
actually transported over a public
network.
• A VPN is private in that the traffic is
encrypted to keep the data
confidential while it is transported
across the public network.
VPN Technology
VPN Benefits
• Modern VPNs now support encryption features, such as Internet Protocol
Security (IPsec) and Secure Sockets Layer (SSL) VPNs to secure network traffic
between sites.
• Major benefits of VPNs are shown in the table:
Benefit        Description
Cost Savings   Organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth.
Security       Encryption and authentication protocols protect data from unauthorized access.
Scalability    VPNs allow organizations to use the internet, making it easy to add new users without adding significant infrastructure.
Compatibility  VPNs can be implemented across a wide variety of WAN link options including broadband technologies. Remote workers can use these high-speed connections to gain secure access to corporate networks.
VPN Technology
Site-to-Site and Remote Access VPNs
A site-to-site VPN is terminated on VPN gateways. VPN traffic is only encrypted
between the gateways. Internal hosts have no knowledge that a VPN is being
used.
VPN Technology
Site-to-Site and Remote Access VPNs (Cont.)
A remote-access VPN is dynamically created to establish a secure connection
between a client and a VPN terminating device.
VPN Technology
Enterprise and Service Provider VPNs
VPNs can be managed and
deployed as:
• Enterprise VPNs - common
solution for securing enterprise
traffic across the internet. Site-to-
site and remote access VPNs are
created and managed by the
enterprise using IPsec and SSL
VPNs.
• Service Provider VPNs - created
and managed by the provider
network. The provider uses
Multiprotocol Label Switching
(MPLS) at Layer 2 or Layer 3 to
create secure channels between
an enterprise’s sites, effectively
segregating the traffic from other
customer traffic.
Types of VPNs
Types of VPNs
Remote-Access VPNs
• Remote-access VPNs let remote and
mobile users securely connect to the
enterprise.
• Remote-access VPNs are typically
enabled dynamically by the user when
required and can be created using
either IPsec or SSL.
• Clientless VPN connection -The
connection is secured using a web
browser SSL connection.
• Client-based VPN connection - VPN
client software such as Cisco
AnyConnect Secure Mobility Client
must be installed on the remote user’s
end device.
Types of VPNs
SSL VPNs
SSL uses the public key infrastructure and digital certificates to authenticate
peers. The type of VPN method implemented is based on the access
requirements of the users and the organization’s IT processes. The table
compares IPsec and SSL remote access deployments.

Feature                 IPsec                                                          SSL
Applications supported  Extensive – All IP-based applications and file sharing         Limited – Only web-based applications
Authentication strength Strong – Two-way authentication with shared keys or            Moderate – One-way or two-way authentication
                        digital certificates
Encryption strength     Strong – Key lengths 56 – 256 bits                             Moderate to strong – Key lengths 40 – 256 bits
Connection complexity   Medium – Requires VPN client installed on a host               Low – Requires web browser on a host
Connection option       Limited – Only specific devices with specific configurations   Extensive – Any device with a web browser can connect
                        can connect
Types of VPNs
Site-to-Site IPsec VPNs
• Site-to-site VPNs connect networks
across an untrusted network such as
the internet.
• End hosts send and receive normal
unencrypted TCP/IP traffic through a
VPN gateway.
• The VPN gateway encapsulates and
encrypts outbound traffic from a site
and sends the traffic through the VPN
tunnel to the VPN gateway at the
target site. The receiving VPN
gateway strips the headers, decrypts
the content, and relays the packet
toward the target host inside its
private network.
Types of VPNs
GRE over IPsec
• Generic Routing Encapsulation (GRE) is a non-secure site-to-site VPN
tunneling protocol.
• A GRE tunnel can encapsulate various network layer protocols as well as
multicast and broadcast traffic.
• GRE does not by default support encryption; and therefore, it does not
provide a secure VPN tunnel.
• A GRE packet can be encapsulated into an IPsec packet to forward it
securely to the destination VPN gateway.
• Standard IPsec VPNs (non-GRE) can only create secure tunnels for unicast
traffic.
• Encapsulating GRE into IPsec allows multicast routing protocol updates to
be secured through a VPN.
Types of VPNs
GRE over IPsec (Cont.)
The terms used to describe the encapsulation of GRE over IPsec tunnel are
passenger protocol, carrier protocol, and transport protocol.
• Passenger protocol – This is the original packet that is to be encapsulated
by GRE. It could be an IPv4 or IPv6 packet, a routing update, and more.
• Carrier protocol – GRE is the carrier protocol that encapsulates the original
passenger packet.
• Transport protocol – This is the protocol that will actually be used to forward
the packet. This could be IPv4 or IPv6.
Types of VPNs
GRE over IPsec (Cont.)
For example, Branch and HQ need to exchange OSPF routing information over
an IPsec VPN. GRE over IPsec is used to support the routing protocol traffic
over the IPsec VPN. Specifically, the OSPF packets (i.e., passenger protocol)
would be encapsulated by GRE (i.e., carrier protocol) and subsequently
encapsulated in an IPsec VPN tunnel.
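The passenger/carrier/transport layering described above, as an added example that is not part of the original slides. It builds a transport IPv4 header (protocol 47 = GRE), a basic RFC 2784 GRE header whose protocol-type field names the passenger (0x0800 for IPv4, 0x86DD for IPv6), and then parses the result back, reporting the role of each layer. The inner packet is a constructed multicast OSPF packet (IPv4 protocol 89, destination 224.0.0.5) to make the point that GRE carries traffic plain IPsec cannot; addresses, IP identification and the OSPF bytes are sample values. The IPsec (ESP) wrapping that would follow is out of scope for this block.

```python
"""GRE over IPsec layering: passenger / carrier / transport (added example)."""
import struct

IPPROTO_GRE = 47         # carrier protocol number in the transport IPv4 header
IPPROTO_OSPF = 89        # passenger payload used in this example
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type values (RFC 2784 uses EtherTypes)
ETHERTYPE_IPV6 = 0x86DD


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over a 16-bit-aligned IPv4 header."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    def a2b(addr: str) -> bytes:
        return bytes(int(x) for x in addr.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, a2b(src), a2b(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_header(protocol_type: int) -> bytes:
    """Basic GRE header: no C/K/S flags, version 0, 16-bit protocol type."""
    return struct.pack("!HH", 0, protocol_type)


def gre_encapsulate(passenger: bytes, passenger_type: int, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Transport IPv4 (proto 47) -> GRE carrier -> passenger packet."""
    gre = gre_header(passenger_type) + passenger
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre)) + gre


def gre_decapsulate(packet: bytes) -> dict:
    """Strip transport and carrier layers; return the passenger and each layer's role."""
    ver_ihl, _, total_len, _, _, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != IPPROTO_GRE:
        raise ValueError("not an IPv4 packet carrying GRE")
    if ipv4_checksum(packet[:ihl]) != 0:      # a valid header sums to zero
        raise ValueError("bad transport header checksum")
    flags_ver, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver & 0x0007:                     # version must be 0 for RFC 2784 GRE
        raise ValueError("unsupported GRE version")
    if flags_ver & 0xB000:                     # C, K or S set: optional fields not handled here
        raise ValueError("optional GRE fields not supported")
    passenger = packet[ihl + 4:total_len]
    names = {ETHERTYPE_IPV4: "IPv4", ETHERTYPE_IPV6: "IPv6"}
    return {"transport": "IPv4", "carrier": "GRE",
            "passenger": names.get(ptype, hex(ptype)), "passenger_bytes": passenger}


def demo() -> dict:
    """Branch-to-HQ OSPF packet (constructed bytes) carried through a GRE tunnel."""
    ospf = bytes.fromhex("0201001c0a000001") + bytes(20)   # constructed OSPFv2-style header
    inner = ipv4_header("10.0.0.1", "224.0.0.5", IPPROTO_OSPF, len(ospf)) + ospf
    outer = gre_encapsulate(inner, ETHERTYPE_IPV4, "203.0.113.1", "198.51.100.1")
    return gre_decapsulate(outer)


if __name__ == "__main__":
    print({k: v for k, v in demo().items() if k != "passenger_bytes"})
```

On a real tunnel the whole `outer` packet would in turn become the plaintext of an ESP tunnel-mode packet, so the on-wire chain reads IPv4(50) -> ESP -> IPv4(47) -> GRE -> IPv4(89) -> OSPF.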
Types of VPNs
Dynamic Multipoint VPNs
Site-to-site IPsec VPNs and GRE over IPsec are not sufficient when the
enterprise adds many more sites. Dynamic Multipoint VPN (DMVPN) is a Cisco
software solution for building multiple VPNs in an easy, dynamic, and scalable
manner.
• DMVPN simplifies the VPN tunnel configuration and provides a flexible
option to connect a central site with branch sites.
• It uses a hub-and-spoke configuration to establish a full mesh topology.
• Spoke sites establish secure VPN tunnels with the hub site.
• Each site is configured using Multipoint Generic Routing Encapsulation
(mGRE). The mGRE tunnel interface allows a single GRE interface to
dynamically support multiple IPsec tunnels.
• Spoke sites can also obtain information about each other, and
alternatively build direct tunnels between themselves (spoke-to-spoke
tunnels).
Types of VPNs
IPsec Virtual Tunnel Interface
IPsec Virtual Tunnel Interface (VTI) simplifies the configuration process required
to support multiple sites and remote access.
• IPsec VTI configurations are applied to a virtual interface instead of static
mapping the IPsec sessions to a physical interface.
• IPsec VTI is capable of sending and receiving both IP unicast and multicast
encrypted traffic. Therefore, routing protocols are automatically supported
without having to configure GRE tunnels.
• IPsec VTI can be configured between sites or in a hub-and-spoke topology.
Types of VPNs
Service Provider MPLS VPNs
Today, service providers use MPLS in their core network. Traffic is forwarded
through the MPLS backbone using labels. Traffic is secure because service
provider customers cannot see each other’s traffic.
• MPLS can provide clients with managed VPN solutions; therefore, securing
traffic between client sites is the responsibility of the service provider.
• There are two types of MPLS VPN solutions supported by service providers:
• Layer 3 MPLS VPN - The service provider participates in customer routing by establishing a
peering between the customer’s routers and the provider’s routers.
• Layer 2 MPLS VPN - The service provider is not involved in the customer routing. Instead,
the provider deploys a Virtual Private LAN Service (VPLS) to emulate an Ethernet
multiaccess LAN segment over the MPLS network. No routing is involved. The customer’s
routers effectively belong to the same multiaccess network.
IPsec
IPSec
IPsec Technologies
IPsec is an IETF standard that defines how a VPN can be secured
across IP networks. IPsec protects and authenticates IP packets
between source and destination and provides these essential security
functions:
• Confidentiality - Uses encryption algorithms to prevent cybercriminals from
reading the packet contents.
• Integrity - Uses hashing algorithms to ensure that packets have not been
altered between source and destination.
• Origin authentication - Uses the Internet Key Exchange (IKE) protocol to
authenticate source and destination.
• Diffie-Hellman – Used to secure key exchange.
IPSec
IPsec Technologies (Cont.)
• IPsec is not bound to any specific rules
for secure communications.
• IPsec can easily integrate new
security technologies without
updating existing IPsec standards.
• The open slots in the IPsec framework
shown in the figure can be filled with
any of the choices that are available
for that IPsec function to create a
unique security association (SA).
IPSec
IPsec Protocol Encapsulation
Choosing the IPsec protocol
encapsulation is the first building
block of the framework.
• IPsec encapsulates packets using
Authentication Header (AH) or
Encapsulation Security Protocol
(ESP).
• The choice of AH or ESP establishes
which other building blocks are
available.
• AH is appropriate only when
confidentiality is not required or
permitted.
• ESP provides both confidentiality and
authentication.
IPSec
Confidentiality
The degree of confidentiality depends on the encryption algorithm and the
length of the key used in the encryption algorithm.

The number of possibilities to try to hack the key is a function of the
length of the key - the shorter the key, the easier it is to break.
IPSec
Confidentiality (Cont.)
The encryption algorithms highlighted
in the figure are all symmetric key
cryptosystems:
• DES uses a 56-bit key.
• 3DES uses three independent 56-bit
encryption keys per 64-bit block.
• AES offers three different key lengths:
128 bits, 192 bits, and 256 bits.
• SEAL is a stream cipher, which
means it encrypts data continuously
rather than encrypting blocks of data.
SEAL uses a 160-bit key.
IPSec
Integrity
• Data integrity means that the data
has not changed in transit.
• A method of proving data integrity
is required.
• The Hashed Message
Authentication Code (HMAC) is a
data integrity algorithm that
guarantees the integrity of the
message using a hash value.
• Message-Digest 5 (MD5) uses a
128-bit shared-secret key.
• The Secure Hash Algorithm (SHA)
uses a 160-bit secret key.
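An added example (not from the slides) tying the Protocol Encapsulation and Integrity slides together: ESP framing with the NULL cipher (integrity-only ESP, RFC 2410) and an HMAC-SHA1-96 integrity check value (RFC 2404), plus the RFC 4303 anti-replay window. Standard-library `hmac`/`hashlib` only, so the payload travels in the clear; a confidentiality-providing SA would apply AES to the ESP body before the ICV is computed. The SPI, key and inner packet bytes are constructed sample values; the `EspSA` class and method names are this example's own.

```python
"""ESP-NULL framing with HMAC-SHA1-96 ICV and anti-replay window (added example)."""
import hashlib
import hmac
import struct

IPPROTO_IPIP = 4   # ESP next-header value for an IPv4 packet in tunnel mode
ICV_LEN = 12       # HMAC-SHA1-96: first 96 bits of HMAC-SHA-1


class EspSA:
    """One security association: SPI, integrity key, outbound counter, inbound replay window."""

    def __init__(self, spi: int, auth_key: bytes, window: int = 64):
        self.spi, self.auth_key, self.window = spi, auth_key, window
        self.seq_out = 0
        self.seq_high = 0   # highest sequence number accepted so far
        self.seen = 0       # bitmap of accepted numbers, bit i = seq_high - i

    def protect(self, payload: bytes, next_header: int = IPPROTO_IPIP) -> bytes:
        """SPI | seq | payload | padding | pad len | next header | ICV."""
        self.seq_out += 1
        pad_len = (-(len(payload) + 2)) % 4          # align trailer to 4 bytes
        padding = bytes(range(1, pad_len + 1))       # RFC 4303 default pad pattern
        body = payload + padding + bytes([pad_len, next_header])
        hdr = struct.pack("!II", self.spi, self.seq_out)
        icv = hmac.new(self.auth_key, hdr + body, hashlib.sha1).digest()[:ICV_LEN]
        return hdr + body + icv

    def _replay_check(self, seq: int) -> bool:
        """Sliding-window check; updates the window only when the packet is accepted."""
        if seq <= 0:
            return False
        if seq > self.seq_high:                      # new highest: slide the window
            shift = seq - self.seq_high
            self.seen = ((self.seen << shift) | 1) & ((1 << self.window) - 1)
            self.seq_high = seq
            return True
        diff = self.seq_high - seq
        if diff >= self.window or self.seen & (1 << diff):
            return False                             # too old, or already received
        self.seen |= 1 << diff
        return True

    def unprotect(self, packet: bytes) -> tuple:
        """Verify ICV, then replay status, then strip the trailer. Returns (next_header, payload)."""
        if len(packet) < 8 + 2 + ICV_LEN:
            raise ValueError("short ESP packet")
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        body, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, packet[:-ICV_LEN], hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):   # ICV before window update: forgeries cannot move it
            raise ValueError("ICV mismatch: packet altered in transit")
        if not self._replay_check(seq):
            raise ValueError("replayed or out-of-window sequence number")
        pad_len, next_header = body[-2], body[-1]
        return next_header, body[:len(body) - 2 - pad_len]


def demo() -> dict:
    """Round trip, then a bit-flipped copy, then a verbatim replay."""
    key = b"constructed-sample-integrity-key"
    tx, rx = EspSA(0x1000ABCD, key), EspSA(0x1000ABCD, key)
    inner = bytes.fromhex("4500001c0000400040015f7ac0a80001c0a80002") + b"ping"  # constructed
    pkt = tx.protect(inner)
    nh, recovered = rx.unprotect(pkt)
    flipped = bytearray(pkt)
    flipped[12] ^= 0x01                                  # one bit of the payload
    try:
        rx.unprotect(bytes(flipped))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    try:
        rx.unprotect(pkt)
        replay_detected = False
    except ValueError:
        replay_detected = True
    return {"next_header": nh, "payload_ok": recovered == inner,
            "tamper_detected": tamper_detected, "replay_detected": replay_detected}


if __name__ == "__main__":
    print(demo())
```

The ordering in `unprotect` matters: the ICV is checked before the replay window is touched, so a packet with a forged ICV can neither advance the window nor mark a slot as used.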
IPSec
Authentication
There are two IPsec peer
authentication methods:
1. Pre-shared key (PSK) - A PSK value
is entered into each peer
manually.
• Easy to configure manually
• Does not scale well
• Must be configured on every peer
2. Rivest, Shamir, and Adleman
(RSA) - authentication uses digital
certificates to authenticate the
peers.
• Each peer must authenticate its
opposite peer before the tunnel is
considered secure.
IPSec
Secure Key Exchange with Diffie - Hellman
DH allows two peers to establish a shared secret key over an
insecure channel.

Variations of the DH key exchange are specified as DH groups:
• DH groups 1, 2, and 5 should no longer be
used.
• DH groups 14, 15, and 16 use larger key
sizes with 2048 bits, 3072 bits, and 4096 bits,
respectively.
• DH groups 19, 20, 21 and 24 with
respective key sizes of 256 bits, 384 bits, 521
bits, and 2048 bits support Elliptical Curve
Cryptography (ECC), which reduces the
time needed to generate keys.
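An added example (not from the slides) covering the Authentication and Diffie-Hellman slides together: two peers compute the same secret from public values exchanged in the clear, then each proves knowledge of the pre-shared key with an HMAC over the exchange, so a peer configured with a different PSK is rejected even though DH arithmetic alone would still succeed. The modulus is a toy (the Mersenne prime 2^127-1) so the numbers stay small; real IPsec uses an RFC 3526 MODP group (e.g. group 14, 2048-bit) or an ECC group. The `Peer` class, the key-derivation and token constructions are this example's own simplifications, not IKE.

```python
"""Diffie-Hellman shared secret plus PSK-based peer authentication (added example)."""
import hashlib
import hmac
import secrets

TOY_P = (1 << 127) - 1   # toy prime modulus for readability, NOT a standard DH group
TOY_G = 2                # generator used with the toy modulus


class Peer:
    def __init__(self, name: str, psk: bytes):
        self.name, self.psk = name, psk
        self.priv = secrets.randbelow(TOY_P - 2) + 1   # private exponent, never sent
        self.pub = pow(TOY_G, self.priv, TOY_P)         # g^priv mod p, sent in the clear
        self.nonce = secrets.token_bytes(16)            # freshness for key derivation
        self.shared = None

    def derive(self, peer_pub: int, peer_nonce: bytes) -> bytes:
        """Compute g^(ab) mod p and hash it with both nonces into a session key."""
        if not 1 < peer_pub < TOY_P - 1:                # reject degenerate public values
            raise ValueError("invalid DH public value")
        z = pow(peer_pub, self.priv, TOY_P)
        nonces = b"".join(sorted([self.nonce, peer_nonce]))   # same order on both sides
        self.shared = hashlib.sha256(z.to_bytes(16, "big") + nonces).digest()
        return self.shared

    def auth_token(self, peer_pub: int) -> bytes:
        """HMAC(PSK) over identity, both public values and the derived key."""
        msg = b"%s|%d|%d|" % (self.name.encode(), self.pub, peer_pub) + self.shared
        return hmac.new(self.psk, msg, hashlib.sha256).digest()

    def verify_peer(self, peer_name: str, peer_pub: int, token: bytes) -> bool:
        """Recompute the peer's token with our own PSK and derived key."""
        msg = b"%s|%d|%d|" % (peer_name.encode(), peer_pub, self.pub) + self.shared
        expected = hmac.new(self.psk, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, token)


def establish(psk_branch: bytes, psk_hq: bytes) -> dict:
    """Run the exchange between a branch and HQ peer, each holding its configured PSK."""
    branch, hq = Peer("branch", psk_branch), Peer("hq", psk_hq)
    k_branch = branch.derive(hq.pub, hq.nonce)          # both sides only see pub values + nonces
    k_hq = hq.derive(branch.pub, branch.nonce)
    return {
        "keys_match": k_branch == k_hq,
        "branch_authenticated_hq": branch.verify_peer("hq", hq.pub, hq.auth_token(branch.pub)),
        "hq_authenticated_branch": hq.verify_peer("branch", branch.pub, branch.auth_token(hq.pub)),
    }


if __name__ == "__main__":
    print("matching PSK:", establish(b"shared-secret", b"shared-secret"))
    print("mismatched PSK:", establish(b"shared-secret", b"typo-secret"))
```

The mismatched run is the practical point of the PSK slide: the DH keys still agree, because DH needs no secret in common, but neither peer can verify the other, which is why a PSK must be configured identically on every peer and why that becomes unmanageable at scale.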
Thank you