Virtual Private Network (VPN)
A VPN is a shared network where private data is segmented from other traffic so that only the intended recipient has access. The term VPN was originally used to describe a secure connection over the Internet. Today, however, VPN is also used to describe private networks, such as Frame Relay, Asynchronous Transfer Mode (ATM), and Multiprotocol Label Switching (MPLS).
A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network.
It encapsulates data transfers between two or more networked devices not on the same private network so as to keep the transferred data private from other devices on one or more intervening local or wide area networks.
Types:
Types of VPNs are named based upon the role they play in a business. There are three different categories of VPNs.
- Remote Access VPNs
- Site-to-Site VPNs (or intranet VPNs)
- Extranet VPNs
Remote Access VPNs: Allow remote users, such as telecommuters, to securely access the corporate network wherever and whenever they need to.
Site-to-Site VPNs: Allow a company to connect its remote sites to the corporate backbone securely over a public medium like the Internet, instead of requiring more expensive WAN connections such as Frame Relay.
Extranet VPNs: Allow an organization's suppliers, partners and customers to be connected to the corporate network in a limited way for business-to-business (B2B) communications.
There are two approaches to creating a VPN. The first uses IPSec to provide authentication and encryption services between endpoints on an IP network. The second uses tunneling protocols, which let you establish a tunnel between endpoints on a network. A tunnel itself is a means for data or protocols to be encapsulated inside another protocol.
Here are some of the most common tunneling protocols:
- Layer 2 Forwarding (L2F)
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol (L2TP)
- Generic Routing Encapsulation (GRE)
IPSec (Internet Protocol Security):
IPSec is an industry-wide standard suite of protocols and algorithms that allows for secure data transmission over an IP-based network. It operates at Layer 3 (the network layer) of the OSI model. IPSec can protect only the IP layer and up (the transport layer and user data); it can't be used to encrypt non-IP traffic. If you need to encrypt non-IP traffic, you'll need to create a GRE tunnel for it and then use IPSec to encrypt that tunnel.
IPSec Features:
- Data Confidentiality
- Data Integrity
- Data origin authentication
- Anti-replay
IPSec Protocols:
The three main protocols that are used by IPSec are as follows:
- Internet Key Exchange (IKE)
- Encapsulating Security Payload (ESP)
  [ The following encryption methods are available to IPSec ESP:
  - Data Encryption Standard (DES)
  - Triple Data Encryption Standard (3DES)
  - Advanced Encryption Standard (AES) ]
- Authentication Header (AH)
Both AH and ESP use a Hash-based Message Authentication Code (HMAC) as the authentication and integrity check. HMAC hash algorithms in IPSec:
1. Message Digest 5 (MD5) [Input=variable, Output=128 bits, Used by IPsec=128 bits]
2. Secure Hash Algorithm (SHA-1) [Input=variable, Output=160 bits, Used by IPsec=First 96 bits]
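Added example (not from the post) showing the integrity and anti-replay checks described above in Python: an ESP-style packet carries an SPI, a sequence number and an HMAC-SHA-1 ICV truncated to its first 96 bits, and the receiver verifies the ICV in constant time before checking the sequence number against a sliding window. The key, SPI and packets are constructed values, and payload encryption is left out so that the integrity check stays visible.

```python
import hmac
import hashlib
import struct

# Constructed sample SA values for illustration only (not from any real SA).
SA_AUTH_KEY = bytes.fromhex("0b" * 20)  # 160-bit HMAC-SHA-1 key
SPI = 0x1234ABCD                        # Security Parameter Index
ICV_LEN = 12                            # IPsec keeps only the first 96 bits of the HMAC

def build_esp(seq: int, payload: bytes, key: bytes = SA_AUTH_KEY) -> bytes:
    """ESP header (SPI, sequence number) + payload + truncated HMAC-SHA-1 ICV."""
    header = struct.pack("!II", SPI, seq)
    icv = hmac.new(key, header + payload, hashlib.sha1).digest()[:ICV_LEN]
    return header + payload + icv

class AntiReplayWindow:
    """Sliding bitmap of already-accepted sequence numbers (simplified RFC 4303)."""
    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) was seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                      # sequence number 0 is never valid for ESP
            return False
        if seq > self.highest:            # newer than anything seen: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size or self.bitmap & (1 << offset):
            return False                  # too old, or an exact replay
        self.bitmap |= 1 << offset
        return True

def verify_esp(packet: bytes, window: AntiReplayWindow, key: bytes = SA_AUTH_KEY):
    """Return the payload if SPI, ICV and anti-replay checks all pass, else None."""
    if len(packet) < 8 + ICV_LEN:
        return None
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = struct.unpack("!II", header)
    expected = hmac.new(key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    if spi != SPI or not hmac.compare_digest(expected, icv):  # constant-time compare
        return None
    if not window.check_and_update(seq):   # update the window only once the ICV is trusted
        return None
    return body
```

A packet with a forged or tampered ICV never reaches the window, so an attacker cannot advance or poison the replay state without the SA key.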
IPSec Modes:
- Tunnel Mode
- Transport Mode
IKE Protocols:
- ISAKMP (Internet Security Association and Key Management Protocol)
- Oakley
IKE Phases:
1. IKE Phase 1 [Mandatory]
   [ has two modes: (i) Main Mode, (ii) Aggressive Mode ]
2. IKE Phase 1.5 [Optional]
3. IKE Phase 2 [Mandatory]
   [ IKE Quick Mode is used by this phase ]