VPN Concentrator
Virtual Private Network
- Connect two offices at different locations
- Renumber one end to a non-overlapping range, since both office networks are probably using 192.168.1.0/24.
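Added example (not part of the original notes): a small Python check that finds which sites' LAN ranges clash before the site-to-site tunnel is built, and proposes a fresh /24 for each clashing site. The site names and ranges are constructed for the example; the pool used for renumbering is an assumption.

```python
import ipaddress
from itertools import combinations

# Constructed example: each office's LAN as the admin has it today.
# Two offices left on the default 192.168.1.0/24 will clash over the tunnel.
SITES = {
    "office-a": "192.168.1.0/24",
    "office-b": "192.168.1.0/24",   # same default range as office-a
    "office-c": "10.20.0.0/16",
}


def find_overlaps(sites):
    """Return a sorted list of (site1, site2) pairs whose LAN ranges overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    clashes = []
    for (a, na), (b, nb) in combinations(sorted(nets.items()), 2):
        if na.overlaps(nb):
            clashes.append((a, b))
    return clashes


def propose_renumber(sites, pool="192.168.0.0/16", prefixlen=24):
    """Walk the sites in name order; the first site to claim a range keeps it,
    any later site that overlaps an accepted range is handed the next unused
    subnet out of the pool (pool and prefix length are assumptions)."""
    fixed = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    free = iter(ipaddress.ip_network(pool).subnets(new_prefix=prefixlen))
    accepted = []
    for name in sorted(fixed):
        net = fixed[name]
        while any(net.overlaps(done) for done in accepted):
            net = next(free)           # try the next candidate from the pool
        fixed[name] = net
        accepted.append(net)
    return {name: str(net) for name, net in fixed.items()}


if __name__ == "__main__":
    print("clashes:", find_overlaps(SITES))
    print("plan:   ", propose_renumber(SITES))
```

Run the check against every site that will share the VPN, not just the two being connected today; a third office added later to the same mesh will clash just as badly.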
Types of VPN
![Types of VPN](/CAP/Network+/Visual%20Aids/Pasted%20image%2020241011124252.png)
- The example of connecting two offices together is a Site-to-Site VPN.
- With Remote Access, think of it as off-site: users can still access corporate resources even when they are not in the building.
- This is typically achieved with client software installed on an endpoint. An endpoint could be your phone, tablet, laptop, etc.
- It will ask us for authentication; we provide our username and password, and the device we are authenticating against is called a VPN Concentrator, sometimes called the VPN server, sometimes called the head end.
- When we connect as a client to that server, there are two different options we could use. One of them is Secure Sockets Layer (SSL), also known as Transport Layer Security (TLS); SSL was previously proprietary to Netscape. TLS is just a way, using digital certificates, that we can set up a secure encrypted channel.
- IPsec is an alternative to TLS. IPsec uses ESP at layer 4, its own tunneling protocol that's just built for this stuff.
- Whenever you are doing Site-to-Site VPNs you are always using IPsec.
VPN Concentrator
- High volume of encrypted tunnels
- If you are not a VPN concentrator, you could for example just be a router that is performing a Site-to-Site connection or a Business-to-Business (B2B) connection. Typically a router is the best device to do this; routers have support for advanced VPN types like MPLS VPN, which is when you work with a service provider and get a guaranteed level of service. Everything is IPsec.
- When we want remote access, this is where the VPN concentrator really lives.
- How many users do we have here? Typically one; each user is independently connecting to a device. More often than not this device could be a firewall, and the firewall might be what's responsible for building your VPN connections.
- Lower traffic per tunnel
- We don't have hundreds of users flowing through a single link.
- Mobile users
- They change geographic location, they move around, so their IP always changes. What does that mean?
- Remote access VPNs are always initiated by the client. They can never be initiated by the server. Why? Because the server doesn't really know where these clients are, so it is just sitting there passively waiting and listening on either TCP 443 for SSL VPNs or UDP 500 for IKE negotiations, which leads to an IPsec tunnel.
- When someone connects, they connect to that port and have to authenticate.
- When we look at site-to-site VPNs, this is different, because both sites point toward the other site. Either site can bring up the tunnel or initiate the transfer of data in either direction.
- Locations with dynamic addressing
- On the server side we don't know who we're going to be connecting to until they call us, so it's almost like dial-up.
- How do I know it's somebody I can trust? They are going to authenticate. They can do so by using their Active Directory username and password. We might do 2FA using tokens.
- This will satisfy PCI compliance if you take your Active Directory credentials, which is really pretty easy.
- Ex: A user is connecting remotely to our firewall and presents their AD username and password. The firewall doesn't have that information, but it relays it by talking to the AAA server. This could be Forescout, it could be Cisco ISE, it could simply be Active Directory natively interacting with your firewall, or it could be Active Directory running Network Policy Server (NPS) so that it can talk to downstream devices.
- This builds an IPsec tunnel or an SSL session, which means all the communication between that user and our office is going to be encrypted and protected. Once it hits the firewall, our ESP or SSL encrypted session is decrypted and regular clear-text data comes out the other side.
- Granular control of users based on policy
- As we perform authorization we push down parameters to this firewall about what the user is allowed to do. A lot of times that happens through group membership.
- We can actually create an access list and push it down to the user when they authenticate, a per-user Access Control List, which is more granular than the group level.
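Added example (not from the original notes, and not any vendor's implementation): a Python model of the policy resolution the concentrator performs at authorization time, layering the global, group and per-user ACLs described here (the same three levels listed under Advantages below). The rules, users and groups are constructed; first match wins and anything unmatched is implicitly denied, as on a real ACL.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    dst: str      # destination network the rule covers, in CIDR form

    def matches(self, dst_ip):
        return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)


# Constructed policy store: what the AAA server hands back after authentication.
# Order inside each list matters because evaluation is first-match.
GLOBAL_ACL = [Rule("permit", "10.0.0.0/8")]                 # everyone: corporate network
GROUP_ACL = {
    "finance": [Rule("permit", "10.0.50.0/24")],            # finance also reaches the ERP subnet
    "contractors": [Rule("permit", "10.0.7.0/24"),          # contractors: one project subnet only
                    Rule("deny", "10.0.0.0/8")],            # ...and nothing else corporate
}
USER_ACL = {
    "alice": [Rule("permit", "10.0.9.10/32")],              # per-user exception for one admin host
}


def resolve_acl(user, groups):
    """Build the ACL pushed to the firewall for this session:
    most specific first (user), then each group, then global."""
    acl = list(USER_ACL.get(user, []))
    for group in groups:
        acl.extend(GROUP_ACL.get(group, []))
    acl.extend(GLOBAL_ACL)
    return acl


def is_allowed(user, groups, dst_ip):
    """Evaluate one destination against the session ACL; first match wins."""
    for rule in resolve_acl(user, groups):
        if rule.matches(dst_ip):
            return rule.action == "permit"
    return False   # implicit deny at the end of every ACL


if __name__ == "__main__":
    for user, groups, dst in [("bob", ["contractors"], "10.0.7.5"),
                              ("bob", ["contractors"], "10.0.50.1"),
                              ("alice", ["contractors"], "10.0.9.10"),
                              ("carol", ["finance"], "10.0.50.1")]:
        print(user, groups, dst, "->", "permit" if is_allowed(user, groups, dst) else "deny")
```

The per-user entry for alice sits above her contractor group's deny, which is exactly what a per-user ACL buys you over group-level control: one host opened for one person without loosening the group.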
Example Topology
![Example Topology](/CAP/Network+/Visual%20Aids/Pasted%20image%2020241011133848.png)
- If the remote user (laptop) wants to get into the corporate network, they would hit a VPN concentrator; in the image that is the firewall icon.
- When you connect in remotely, the server side pushes IP address information to you; it might also push an ACL, a domain name, or a WINS server for name resolution, all coming from the server side down to the client.
- In site-to-site VPNs we might have two physical routers. The cool thing about IPsec is that it's an open standard, so I can do it between different vendors. If both of these devices have static IPs, we set this up so that the two offices are connected.
- If User A wants to get into the corporate network, all they have to do is know its IP or type the fully qualified domain name, and they're automatically going to go through. The router doesn't authenticate them to come through the tunnel. You could do this if you wanted to, but we typically don't; we want an intermediate device to know the IP address of the headquarters, to have a policy for how to do encryption, to have the pre-shared key that's needed to bring up the connection, or to have the digital certificates installed. So all of the VPN config is done at one time in one place, and then the users just show up and everything works.
Advantages of VPN Concentrator
Advantages:
- IPsec & SSL/TLS support
- SSL/TLS is TCP 443, which is typically going to be real happy going through a Network Address Translation (NAT) device. Users can't control that firewall, so is the firewall going to allow the VPN traffic through?
- If you use IPsec, it's IP at layer 3 and ESP at layer 4. The problem with doing address translation is that we typically use port numbers for this, and ESP doesn't have port numbers, so IPsec sometimes breaks in an environment where there's NAT.
- Integration with Active Directory and other AAA
- Users can leave the environment and still use their credentials to log in
- Granular control
- Global, Group, User level
- Seamless connectivity
- Log in on-site or off-site
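Added example (not from the original notes) for the NAT point under "IPsec & SSL/TLS support" above: a Python model of a port-translating NAT that shows why two TLS clients behind it both work while a second raw ESP client has nothing for the NAT to key on and is dropped. It goes slightly beyond the notes by also modelling IKE/IPsec NAT-Traversal, which wraps ESP in UDP 4500 so the NAT has ports again. The addresses, port numbers and the single-ESP-peer behaviour of the NAT are constructed simplifications, not a description of any particular product.

```python
from dataclasses import dataclass
from typing import Optional

TCP, UDP, ESP = 6, 17, 50   # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    src_port: Optional[int]   # None for protocols that carry no ports (ESP)
    dst_ip: str
    dst_port: Optional[int]


class PATDevice:
    """Port Address Translation: many inside hosts share one public IP and the
    translation table is keyed on (protocol, public port). ESP has no port, so
    this model lets exactly one inside host own the ESP mapping (assumption)."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.table = {}          # (proto, public_port) -> (inside_ip, inside_port)
        self.next_port = first_port
        self.esp_owner = None    # inside host currently holding the ESP mapping

    def outbound(self, pkt):
        """Translate one outbound packet; return None if the NAT cannot carry it."""
        if pkt.proto in (TCP, UDP):
            pub_port = self.next_port
            self.next_port += 1
            self.table[(pkt.proto, pub_port)] = (pkt.src_ip, pkt.src_port)
            return Packet(pkt.proto, self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)
        if pkt.proto == ESP:
            if self.esp_owner is not None and self.esp_owner != pkt.src_ip:
                return None      # second ESP host: nothing to multiplex on, dropped
            self.esp_owner = pkt.src_ip
            return Packet(ESP, self.public_ip, None, pkt.dst_ip, None)
        return None


def nat_traversal(pkt):
    """NAT-T: encapsulate the ESP packet in UDP 4500 so it carries ports again."""
    if pkt.proto != ESP:
        raise ValueError("only ESP is encapsulated")
    return Packet(UDP, pkt.src_ip, 4500, pkt.dst_ip, 4500)


def simulate(pkts, nat):
    """Return {inside_ip: translated packet or None} for one packet per host."""
    return {p.src_ip: nat.outbound(p) for p in pkts}


# Constructed traffic: two laptops on the same office LAN reaching one concentrator.
HEAD_END = "198.51.100.5"
TLS_CLIENTS = [Packet(TCP, "192.168.1.10", 51000, HEAD_END, 443),
               Packet(TCP, "192.168.1.11", 51001, HEAD_END, 443)]
ESP_CLIENTS = [Packet(ESP, "192.168.1.10", None, HEAD_END, None),
               Packet(ESP, "192.168.1.11", None, HEAD_END, None)]

if __name__ == "__main__":
    print("TLS:  ", simulate(TLS_CLIENTS, PATDevice("203.0.113.7")))
    print("ESP:  ", simulate(ESP_CLIENTS, PATDevice("203.0.113.7")))
    print("NAT-T:", simulate([nat_traversal(p) for p in ESP_CLIENTS], PATDevice("203.0.113.7")))
```

If remote users report that one IPsec client at a hotel or branch works and the second one never comes up, this is the first thing to check; the fix on the concentrator side is to make sure NAT-T (UDP 4500) is enabled rather than to loosen the NAT.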