Virtual Private Network (VPN)
Need For Virtual Private Networks
- Connect sites/users safely
- Dedicated WAN links are costly
- Internet as an alternative
  - Fast
  - Inexpensive
  - Readily available
  - Insecure
  - Equipment could potentially be targeted
VPN Components
- Tunneling
  - Tunneling is really just encapsulation. You've got regular data carried, let's say, by TCP over IPv4; that is everything we need for global reachability, since IP addresses are globally routable. The problem is that the internet is not secure.
  - The idea of tunneling is to take all that existing data that needs to go somewhere and protect it. That is where we encapsulate it inside ESP (Encapsulating Security Payload), the protocol that takes the layer four (transport) position in the new packet, and then put a new IP header in front. This is typically what travels from one device to the other across the internet (IPSec).
  - Once you get to the other side, that encrypted data is decrypted and regular communications go out the other side.
- Encryption
  - Encryption inside a tunnel is the process of going from clear text to cipher text, which is encrypted, and then back to clear text at the far end so that we can understand it.
  - Not all tunneling uses encryption.
  - So Generic Routing Encapsulation (GRE) tunneling: think of a big clear storage container. It's all transparent, anybody can see what's inside, but you can put whatever you want in it.
  - If a device is not using an IP protocol we can still tunnel it using GRE and carry it over IP. It's as handy as duct tape: we can do almost anything with GRE, with very few exceptions.
  - GRE + IPSec means we can combine the compatibility of GRE with the integrity of IPSec.
- Devices
  - Routers
    - The best option for site-to-site connectivity.
    - Typically a small number of connections with much higher throughput.
  - Firewalls
    - Excel at the remote access component; they also support different protocols for different types of connectivity.
  - Network Appliance / PC
    - A machine could run the IPSec services and actually do the tunneling and bridging for you; this is easily done with Linux.
- Clients
  - Who is connecting to the network?
  - A lot of the time this is going to require dedicated software.
    - If you have a Cisco Firewall or a Cisco Router, you'll use a piece of software called Cisco AnyConnect.
    - Microsoft VPN Client for Windows
  - There are VPN rules that we push down to that user that define what they can access inside of the corporate network.
  - When the client connects to the server side of the VPN, all that information is pushed down. Previously every vendor had their own VPN client, as it was not standardized. In version two (IKEv2), they standardized a lot of things, one of them being the configuration push.
  - OpenVPN
    - Open source VPN client
- Internet Key Exchange v2 (IKEv2)
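Added example, not part of the original notes: the two encapsulations from the Tunneling and Encryption sections above, built byte by byte in Go. GRE wraps a constructed inner IPv4/TCP packet in a 4-byte GRE header plus a new outer IP header with nothing encrypted, so the application payload is still readable in the outer packet (the clear storage container). ESP in tunnel mode (RFC 4303, AES-GCM as in RFC 4106) wraps the same inner packet so that only the SPI, sequence number and IV travel in the clear, and flipping a single bit makes the far end reject the packet. The 10.x/203.0.113.x/198.51.100.x addresses, the key, the SPI and the salt are constructed constants; in a real deployment IKE negotiates the SA parameters and the IP checksums would be filled in.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// IPv4 protocol numbers for TCP/GRE/ESP, the ESP "next header" value meaning IPv4, and the GRE protocol type for IPv4.
const ipProtoTCP, ipProtoGRE, ipProtoESP, nextHdrIPv4, etherTypeIPv4 = 6, 47, 50, 4, 0x0800

// ipv4Header builds a minimal 20-byte IPv4 header (no options; checksum left zero in this constructed example).
func ipv4Header(src, dst [4]byte, proto byte, payloadLen int) []byte {
	h := make([]byte, 20)
	h[0] = 0x45 // version 4, header length 5 words
	binary.BigEndian.PutUint16(h[2:], uint16(20+payloadLen))
	h[8], h[9] = 64, proto                 // TTL, upper-layer protocol
	copy(h[12:], append(src[:], dst[:]...)) // source then destination address
	return h
}

// innerPacket is the cleartext traffic that must cross the Internet: constructed private 10.0.0.1 -> 10.0.1.1,
// a bare TCP header (source port 40000, destination port 443, flags PSH|ACK) and an application payload.
func innerPacket(payload []byte) []byte {
	tcp := append([]byte{0x9c, 0x40, 0x01, 0xbb}, make([]byte, 16)...) // ports, then zeroed seq/ack/window fields
	tcp[12], tcp[13] = 0x50, 0x18                                        // data offset 5 words, PSH|ACK
	body := append(tcp, payload...)
	return append(ipv4Header([4]byte{10, 0, 0, 1}, [4]byte{10, 0, 1, 1}, ipProtoTCP, len(body)), body...)
}

// greEncapsulate adds an RFC 2784 GRE header (flags/version 0, protocol type IPv4) and a new outer IPv4
// header. Nothing is encrypted: the inner packet sits readable from byte 24 onward.
func greEncapsulate(inner []byte, outerSrc, outerDst [4]byte) []byte {
	gre := make([]byte, 4)
	binary.BigEndian.PutUint16(gre[2:], etherTypeIPv4)
	body := append(gre, inner...)
	return append(ipv4Header(outerSrc, outerDst, ipProtoGRE, len(body)), body...)
}

// espSA is one Security Association: SPI, sequence counter, AES-GCM key and the RFC 4106 4-byte salt.
// IKE would negotiate these; here both ends share constructed constants.
type espSA struct {
	spi, seq uint32
	salt     [4]byte
	aead     cipher.AEAD
}

func newESPSA(spi uint32, key []byte, salt [4]byte) (*espSA, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block; 12-byte nonce (salt || IV), 16-byte ICV
	return &espSA{spi: spi, salt: salt, aead: aead}, nil
}

// espEncapsulate wraps inner in tunnel-mode ESP (RFC 4303): inner packet, padding, pad length and next header
// are encrypted; SPI, sequence number and IV stay in the clear but are bound into the ICV as additional data.
func (sa *espSA) espEncapsulate(inner []byte, outerSrc, outerDst [4]byte) []byte {
	sa.seq++
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr[0:], sa.spi)
	binary.BigEndian.PutUint32(hdr[4:], sa.seq)
	padLen := (4 - (len(inner)+2)%4) % 4 // trailer must end on a 4-byte boundary
	plain := append(append(append([]byte{}, inner...), make([]byte, padLen)...), byte(padLen), nextHdrIPv4)
	iv := make([]byte, 8) // must never repeat under one key; the sequence number guarantees that here
	binary.BigEndian.PutUint64(iv, uint64(sa.seq))
	ct := sa.aead.Seal(nil, append(append([]byte{}, sa.salt[:]...), iv...), plain, hdr)
	body := append(append(hdr, iv...), ct...)
	return append(ipv4Header(outerSrc, outerDst, ipProtoESP, len(body)), body...)
}

// espDecapsulate checks the ICV, decrypts and strips the trailer; any change to the packet makes Open fail.
func (sa *espSA) espDecapsulate(pkt []byte) ([]byte, error) {
	if len(pkt) < 20+8+8+16 || pkt[9] != ipProtoESP || binary.BigEndian.Uint32(pkt[20:]) != sa.spi {
		return nil, errors.New("not an ESP-in-IPv4 packet for this SA")
	}
	hdr, iv, ct := pkt[20:28], pkt[28:36], pkt[36:]
	plain, err := sa.aead.Open(nil, append(append([]byte{}, sa.salt[:]...), iv...), ct, hdr)
	if err != nil {
		return nil, err // forged or tampered in transit
	}
	n := len(plain)
	if n < 2 || plain[n-1] != nextHdrIPv4 || int(plain[n-2]) > n-2 {
		return nil, errors.New("bad ESP trailer")
	}
	return plain[:n-2-int(plain[n-2])], nil
}

func main() {
	payload := []byte("GET /payroll HTTP/1.1") // constructed application data
	inner := innerPacket(payload)
	siteA, siteB := [4]byte{203, 0, 113, 1}, [4]byte{198, 51, 100, 1} // documentation-range public addresses
	gre := greEncapsulate(inner, siteA, siteB)
	sa, _ := newESPSA(0x1000, bytes.Repeat([]byte{0x11}, 16), [4]byte{1, 2, 3, 4}) // constructed key and salt
	esp := sa.espEncapsulate(inner, siteA, siteB)
	fmt.Printf("GRE %d bytes, payload readable on the wire: %v\nESP %d bytes, payload readable on the wire: %v\n",
		len(gre), bytes.Contains(gre, payload), len(esp), bytes.Contains(esp, payload))
	esp[len(esp)-1] ^= 1 // one bit flipped in transit
	_, err := sa.espDecapsulate(esp)
	fmt.Println("tampered ESP rejected by the receiver:", err != nil)
}
```

The GRE packet answers the "clear container" point directly: `bytes.Contains(gre, payload)` is true because the inner headers and data are carried untouched. Combining the two, as the notes suggest with GRE + IPSec, would mean feeding the GRE packet in as `inner` to `espEncapsulate`, which is why GRE gains confidentiality and integrity only once ESP wraps it.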