What Is Needed to Build a VPN? An existing network with servers and workstations. A connection to the Internet. VPN gateways (e.g., routers, PIX, ASA, VPN concentrators) that act as endpoints to establish, manage, and control VPN connections. Software to create and manage tunnels.

Overlay and Peer-to-Peer VPNs. Overlay VPNs: Service providers (SPs) are the most common users of the overlay VPN model. The design and provisioning of virtual circuits (VCs) across the backbone is complete prior to any traffic flow. In the case of an IP network, this means that even though the underlying technology is connectionless, a connection-oriented approach is required to provision the service.

L2 overlay VPN: L2 overlay VPNs are independent of the network protocol used by the customer, meaning that the VPN is not limited to carrying IP traffic. If the carrier offers the appropriate ATM service, the overlay VPN will carry any kind of information. Frame Relay VPNs are normally limited to data applications, although voice over Frame Relay customer premises equipment (CPE) devices may be usable on some services.

L3 overlay VPN: L3 overlay VPNs most often use an “IP in IP” tunneling scheme such as Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), or IP Security (IPsec).

CPE-Based VPN (Peer-to-Peer): CPE-based VPN is another name for an L3 VPN. The VPN is implemented using CPE. In this way, a customer creates a VPN across an Internet connection without any specific knowledge or cooperation from the service provider. The customer gains the advantage of increased privacy using an inexpensive Internet connection.

SP-Provisioned VPN: The introduction of Multiprotocol Label Switching (MPLS) combines the benefits of overlay VPNs (security and isolation among customers) with the benefits of the simplified routing of a peer-to-peer VPN. MPLS VPN provides simpler customer routing, simpler service provider provisioning, and a number of possible topologies that are hard to implement in either the overlay or peer-to-peer VPN models. MPLS also adds the benefits of a connection-oriented approach to the IP routing paradigm, through the establishment of label-switched paths that are created based on topology information rather than traffic flow.

The Provider Core (P) and the Customer Edge (CE) routers are assumed to be unaware of any VPN protocols or procedures. Only the Provider Edge (PE) routers need to be provisioned to support the VPNs.

3 Types of VPN

Characteristics of Secure VPNs

VPN Security: Encapsulation. Tunnelling uses three different protocols. Carrier protocol: The protocol the information is travelling over. Encapsulating protocol: The protocol (GRE, IPsec, L2F, PPTP, L2TP) that is wrapped around the original data. Not all encapsulating protocols offer the same level of security. Passenger protocol: The original data (IPX, AppleTalk, IPv4, IPv6).

VPN Security: IPsec and GRE. IPsec has two modes: 1. Tunnel mode. 2. Transport mode. Tunnel mode encrypts the original IP header and the payload of each packet; transport mode only encrypts the payload. Only systems that are IPsec-compliant can take advantage of transport mode. Additionally, all devices must use a common key, and the firewalls of each network must be set up with very similar security policies. IPsec can encrypt data between various devices, including router to router, firewall to router, PC to router, and PC to server.

Symmetric Encryption Algorithm: Symmetric-key encryption, also called secret-key encryption, works when each computer has a secret key (code) that the computer uses to encrypt information before the information is sent over the network to another computer. Symmetric-key encryption requires that someone know which computers will be talking to each other so that the person can configure the key on each computer. Symmetric-key encryption is a secret code, or key, that each of the two computers must know to decode the information.

Asymmetric Encryption Algorithm: Uses different keys for encryption and decryption. Knowing one of the keys does not allow a hacker to deduce the second key and decode the information. One key encrypts the message, while a second key decrypts the message. It is not possible to encrypt and decrypt with the same key. Public-key encryption uses a combination of a private key and a public key. Only the sender knows the private key. The sender gives a public key to any recipient with whom the sender wants to communicate. To decode an encrypted message, the recipient must use the public key, provided by the originating sender, and the recipient’s own private key.

VPN Security: Authentication. Username and password: Uses predefined usernames and passwords for different users or systems. One-Time Password (OTP) (PIN/TAN): A stronger authentication method than username and password; this method uses new passwords that are generated for each authentication. Biometric: Biometrics usually refers to technologies that are used for measuring and analyzing human body characteristics such as fingerprints, eye retinas and irises, voice patterns, facial patterns, and hand measurements, especially for authentication purposes. Pre-shared keys: This method uses a secret key value, manually entered into each peer, that is then used to authenticate the peers. Digital certificates: Use the exchange of digital certificates to authenticate the peers.

What is IPSEC?

IPsec Protocols. IKE: Provides a framework for the negotiation of security parameters and establishes authenticated keys. IPsec uses symmetric encryption algorithms for data protection, which are more efficient and easier to implement in hardware than other types of algorithms. These algorithms need a secure method of key exchange to ensure data protection. The IKE protocols provide the capability for secure key exchange. AH: The IP Authentication Header (AH) provides connectionless integrity and data origin authentication for IP datagrams and optional protection against replays. AH is embedded in the data that needs to be protected. ESP has replaced the AH protocol, and AH is no longer used very often in IPsec. ESP: Encapsulating Security Payload (ESP) provides a framework for encrypting, authenticating, and securing data. ESP provides data privacy services, optional data authentication, and anti-replay services. ESP encapsulates the data that needs protection. Most IPsec implementations use the ESP protocol.

Site-to-Site IPsec VPN Operations. Step 1, interesting traffic initiates the IPsec process: Traffic is deemed interesting when the VPN device recognizes that the traffic you want to send needs protection. Step 2, IKE Phase 1: IKE authenticates IPsec peers and negotiates IKE SAs during this phase, setting up a secure communications channel for negotiating IPsec SAs in Phase 2. Step 3, IKE Phase 2: IKE negotiates IPsec SA parameters and sets up matching IPsec SAs in the peers. These security parameters are used to protect data and messages that are exchanged between endpoints. Step 4, data transfer: Data is transferred between IPsec peers based on the IPsec parameters and keys that are stored in the SA database. Step 5, IPsec tunnel termination: IPsec SAs terminate through deletion or by timing out.

Step 2: IKE Phase 1. First exchange: The two peers negotiate and agree on which algorithms and hashes to use to secure the IKE communications. Second exchange: A Diffie-Hellman exchange generates shared secret keys and passes nonces (a nonce is a value used only once by a computer security system). A random number sent by one party to another party, signed, and returned to the first party proves the second party’s identity. Once created, the shared secret key is used to generate all the other encryption and authentication keys. Third exchange: In this exchange, each peer verifies the identity of the other side by authenticating the remote peer.
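To make the second and third exchanges concrete, here is an added Python model (not from the slides) of the IKEv1 main-mode key derivation for pre-shared-key authentication as specified in RFC 2409: both peers compute the Diffie-Hellman secret, derive SKEYID from the pre-shared key and the two nonces, expand it into SKEYID_d/SKEYID_a/SKEYID_e, and the responder checks the initiator's HASH_I. The SA-proposal and identity payloads are constructed stand-ins; message framing, encryption of the third exchange and HASH_R are omitted.

```python
import hashlib
import hmac
import secrets

# RFC 2409 Oakley group 2 (1024-bit MODP, generator 2): the classic IKEv1 default;
# current policies should prefer 2048-bit or larger groups.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def prf(key: bytes, data: bytes) -> bytes:
    """The IKEv1 prf is an HMAC keyed with the negotiated hash (SHA-1 in this demo)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def i2b(n: int) -> bytes:
    return n.to_bytes((P.bit_length() + 7) // 8, "big")  # fixed-width group element

def dh_keypair() -> tuple:
    x = secrets.randbelow(P - 2) + 1          # private exponent
    return x, pow(G, x, P)                    # and public value g^x mod p

def phase1_keys(psk, ni, nr, gxy, cky_i, cky_r) -> dict:
    """RFC 2409 section 5 key material for pre-shared-key authentication."""
    skeyid = prf(psk, ni + nr)                          # nonces bind the PSK to this run
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")      # seeds the Phase 2 (IPsec) keys
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")  # IKE integrity key
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")  # IKE encryption key
    return {"SKEYID": skeyid, "SKEYID_d": d, "SKEYID_a": a, "SKEYID_e": e}

def ike_phase1_psk(psk_i: bytes, psk_r: bytes) -> dict:
    """Main-mode Phase 1 between an initiator and a responder whose PSKs may differ."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # ISAKMP cookies
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)      # second-exchange nonces
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    gxy_i = i2b(pow(gxr, xi, P))   # each side combines its own exponent
    gxy_r = i2b(pow(gxi, xr, P))   # with the peer's public value
    keys_i = phase1_keys(psk_i, ni, nr, gxy_i, cky_i, cky_r)
    keys_r = phase1_keys(psk_r, ni, nr, gxy_r, cky_i, cky_r)
    # Third exchange: HASH_I proves the initiator knows the PSK; the responder recomputes it.
    sa_i, id_i = b"constructed SA proposal", b"gw-a.example"  # constructed payload stand-ins
    body = i2b(gxi) + i2b(gxr) + cky_i + cky_r + sa_i + id_i
    hash_i = prf(keys_i["SKEYID"], body)
    authenticated = hmac.compare_digest(hash_i, prf(keys_r["SKEYID"], body))
    return {"dh_agreed": gxy_i == gxy_r, "authenticated": authenticated,
            "keys_match": keys_i == keys_r}
```

With mismatched pre-shared keys the Diffie-Hellman step still succeeds, but the derived SKEYID values differ, so HASH_I fails and no usable IKE keys exist on either side.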

Step 3: IKE Phase 2. Negotiates IPsec security parameters and IPsec transform sets; establishes IPsec SAs; periodically renegotiates IPsec SAs to ensure security; optionally performs an additional Diffie-Hellman exchange.

IPsec Tunnel Operation. The last two steps in IPsec involve transferring the data and then closing the connection. Data Transfer: After IKE Phase 2 is complete and quick mode has established IPsec SAs, traffic is exchanged between Host A and Host B via a secure tunnel, as shown in the figure. Interesting traffic is encrypted and decrypted according to the security services that are specified in the IPsec SA. IPsec Tunnel Termination: IPsec SAs terminate through deletion or by timing out. An SA can time out when a specified number of seconds has elapsed or when a specified number of bytes has passed through the tunnel. When the SAs terminate, the keys are also discarded.

Configuring a Site-to-Site IPsec VPN. Step 1: Configure the ISAKMP policy that is required to establish an IKE tunnel. Step 2: Define the IPsec transform set. The transform set defines the parameters for the IPsec tunnel, such as encryption and integrity algorithms. Step 3: Create a crypto access control list (ACL). The crypto ACL identifies the traffic to be forwarded through the IPsec tunnel. Step 4: Create a crypto map. The crypto map combines the previously configured parameters and defines the IPsec peer device. Step 5: Apply the crypto map to the outgoing interface of the VPN device. Step 6: Configure an interface ACL and apply it to the interface. Typically, edge routers are configured with restrictive ACLs that could inadvertently block the IKE or IPsec protocols.