REPUBLIC OF CAMEROON
Peace – Work – Fatherland
MINISTRY OF HIGHER EDUCATION
YAOUNDE INTERNATIONAL BUSINESS SCHOOL
School of Computer Engineering
Course Code & Title: NWS236: NETWORK SECURITY
Module: Network Security II
Credit & Credit Hours: 2 Credits (30 Hours) – L(15), T(05), P(10)
Lecturer: MUNJAM Thomas (MSc. Computer Engineering)
VPN CONCEPTS AND ARCHITECTURES
VPN stands for Virtual Private Network, a technology that allows a user to connect to a private
network over the Internet securely and privately. A VPN creates an encrypted connection
called a VPN tunnel, and all Internet traffic and communication is passed through this secure
tunnel. Virtual Private Networks (VPNs) are basically of 2 types:
1. Remote Access VPN
Remote Access VPN permits a user to connect to a private network and access all its services
and resources remotely. The connection between the user and the private network occurs
through the Internet, and the connection is secure and private. Remote Access VPN is useful
for both home users and business users. An employee of a company who is away from the
office uses a VPN to connect to the company’s private network and remotely access files
and resources on it. Private or home users of VPN primarily use VPN services to bypass
regional restrictions on the Internet and access blocked websites. Users who are aware of
Internet security also use VPN services to enhance their Internet security and privacy.
2. Site to Site VPN
A Site-to-Site VPN is also called a Router-to-Router VPN and is commonly used in large
companies. Companies or organizations with branch offices in different locations use Site-to-
Site VPN to connect the network of one office location to the network at another office
location.
Thomas (Person) MUNJAM | [Link]@[Link] Compiled for Higher National Diploma (HND)
[Link] | thomasperson33@[Link] 1
+237 678686249 | 659496501 | [Link]@[Link] NWS236: Network Security II
• Intranet based VPN: When several offices of the same company are connected using
Site-to-Site VPN type, it is called Intranet based VPN.
• Extranet based VPN: When companies use the Site-to-Site VPN type to connect to the
office of another company, it is called an Extranet based VPN.
3. Cloud VPN
A Cloud VPN is a virtual private network that allows users to securely connect to a cloud-
based infrastructure or service. It uses the Internet as the primary transport medium to connect
remote users to cloud-based resources. Cloud VPNs are typically offered as a service by
cloud providers such as Amazon Web Services (AWS) and Microsoft Azure. They use the same
encryption and security protocols as traditional VPNs, such as IPsec or SSL, to ensure that the
data transmitted over the VPN is secure. Cloud VPNs are often used by organizations to
securely connect their on-premises resources to cloud-based resources, such as cloud-based
storage or software-as-a-service (SaaS) applications.
4. Mobile VPN
Mobile VPN is a virtual private network that allows mobile users to securely connect to a
private network, typically through a cellular network. It creates a secure and encrypted
connection between the mobile device and the VPN server, protecting the data transmitted over
the connection. Mobile VPNs can be used to access corporate resources, such as email or
internal websites, while the user is away from the office. They can also be used to securely
access public Wi-Fi networks, protecting the user’s personal information from being
intercepted. Mobile VPNs are available as standalone apps or can be integrated into mobile
device management (MDM) solutions. These solutions are commonly used by organizations
to secure their mobile workforce.
5. SSL VPN
SSL VPN (Secure Sockets Layer Virtual Private Network) is a type of VPN that uses the SSL
protocol to secure the connection between the user and the VPN server. It allows remote users
to securely access a private network by establishing an encrypted tunnel between the user’s
device and the VPN server. SSL VPNs are typically accessed through a web browser, rather
than through a standalone client. This makes them easier to use and deploy, as they don’t
require additional software to be installed on the user’s device. It can be used to access internal
resources such as email, file servers, or databases. SSL VPNs are considered more secure than
traditional IPsec VPNs because they use the same encryption protocols as HTTPS, the secure
version of HTTP used for online transactions.
6. PPTP (Point-to-Point Tunneling Protocol) VPN
PPTP (Point-to-Point Tunneling Protocol) is a type of VPN that uses a simple and fast method
for implementing VPNs. It creates a secure connection between two computers by
encapsulating the data packets being sent between them. PPTP is relatively easy to set up and
doesn’t require any additional software to be installed on the client’s device. It can be used to
access internal resources such as email, file servers, or databases. PPTP is one of the oldest
VPN protocols and is supported by a wide range of operating systems. However, it is
considered less secure than other VPN protocols such as L2TP or OpenVPN, as it uses a weaker
encryption algorithm and has been known to have security vulnerabilities.
7. L2TP (Layer 2 Tunneling Protocol) VPN
L2TP (Layer 2 Tunneling Protocol) is a type of VPN that creates a secure connection by
encapsulating data packets being sent between two computers. L2TP is an extension of PPTP;
it adds more security to the VPN connection by combining PPTP with L2F (Layer 2
Forwarding Protocol), and it uses a stronger encryption algorithm than PPTP. L2TP is relatively
easy to set up and doesn’t require additional software to be installed on the client’s device. It
can be used to access internal resources such as email, file servers, or databases. It is supported
by a wide range of operating systems, but it is considered less secure than other VPN protocols
such as OpenVPN, as it still has some vulnerabilities that can be exploited.
8. OpenVPN
OpenVPN is an open-source software application that uses SSL and is highly configurable and
secure. It creates a secure and encrypted connection between two computers by encapsulating
the data packets being sent between them. OpenVPN can be used to access internal resources
such as email, file servers, or databases. It is supported by a wide range of operating systems
and devices, and can be easily configured to work with various network configurations and
security settings. It is considered one of the most secure VPN protocols as it uses the industry-
standard SSL/TLS encryption protocols, and it offers advanced features such as two-factor
authentication and a kill switch.
Types of Virtual Private Network (VPN) Protocols:
1. Internet Protocol Security (IPSec): Internet Protocol Security, known as IPSec, is
used to secure Internet communication across an IP network. IPSec secures Internet
Protocol communication by verifying the session and encrypts each data packet during
the connection. IPSec runs in 2 modes:
• (i) Transport mode
• (ii) Tunneling mode
2. Layer 2 Tunneling Protocol (L2TP): L2TP or Layer 2 Tunneling Protocol is a
tunneling protocol that is often combined with another VPN security protocol like
IPSec to establish a highly secure VPN connection. L2TP generates a tunnel between
two L2TP connection points, and the IPSec protocol encrypts the data and maintains
secure communication through the tunnel.
3. Point-to-Point Tunneling Protocol (PPTP): PPTP or Point-to-Point Tunneling
Protocol generates a tunnel and encapsulates the data packet. Point-to-Point Protocol (PPP)
is used to encrypt the data sent over the connection. PPTP is one of the most widely used
VPN protocols and has been in use since the early releases of Windows. PPTP is also
used on Mac and Linux apart from Windows.
4. SSL and TLS: SSL (Secure Sockets Layer) and TLS (Transport Layer Security)
generate a VPN connection where the web browser acts as the client and user access is
restricted to specific applications instead of the entire network. Online shopping websites
commonly use the SSL and TLS protocols. Web browsers switch to SSL easily, with
almost no action required from the user, as web browsers come with SSL and TLS
integrated. SSL connections have “https” at the start of the URL instead of “http”.
5. Secure Shell (SSH): Secure Shell or SSH generates the VPN tunnel through which the
data transfer occurs and also ensures that the tunnel is encrypted. SSH connections are
generated by an SSH client and data is transferred from a local port on to the remote
server through the encrypted tunnel.
6. SSTP (Secure Socket Tunneling Protocol): A VPN protocol developed by Microsoft
that uses SSL to secure the connection, but it is only available for Windows.
7. IKEv2 (Internet Key Exchange version 2): A VPN protocol that provides fast and
secure connections, but it is not widely supported by VPN providers.
8. OpenVPN: An open-source VPN protocol that is highly configurable and secure,
widely supported by VPN providers and considered one of the most secure VPN
protocols.
9. WireGuard: A relatively new and lightweight VPN protocol that aims to be faster,
simpler and more secure than existing VPN protocols.
VPN TUNNELING PROTOCOLS
Tunneling is the technique of putting an entire data packet into another packet (which
contains routing information) and sending it over the Internet. The packets travel through a path
which is known as a tunnel. To secure a tunneled transmission against interception, all traffic
over a VPN is encrypted. A Virtual Private Network (VPN) supports 2 types of
tunneling, which are as follows:
i. Voluntary tunneling
ii. Compulsory tunneling
Both types of tunneling are commonly used. They are explained as follows:
1. Voluntary Tunneling: In voluntary tunneling, the VPN client handles all the connection
setup. To set up a connection through the tunnel, both the tunnel client and the tunnel server
have to accept the same tunneling protocol. In voluntary tunneling, the client first forms a
connection to the ISP or carrier network provider. Then the VPN client application builds the
tunnel to a VPN server over this live connection. A two-step procedure is therefore required to
set up the VPN connection in voluntary tunneling.
2. Compulsory Tunneling: In compulsory tunneling, the carrier network provider handles
all the connection setup required for the VPN. It is a one-step process, as compared to the two
steps in voluntary tunneling. In compulsory tunneling, the client first establishes a normal
connection to the carrier; then the carrier works as an intermediary to make a connection
between a VPN server and that client. Compulsory tunneling gives the ISP complete management
control of the tunnels and hides the details of the VPN server connectivity from the clients.
Broker devices are used in compulsory tunneling for the verification of clients. The logic built
into the broker device is used to associate the client with the different VPN servers. This
network device is also known by the following names:
• VPN Front End Processor (FEP)
• Network Access Server (NAS)
• Point of Presence Server (POS)
In other words, when data moves from host A to host B it passes through all the layers of the
protocol stack in use (OSI, TCP/IP, etc.). The conversion of data as it moves between layers
(encapsulation), so that it suits the interface of each particular layer, is called tunneling.
For example, consider one Ethernet connected to another Ethernet through a WAN. The task is
to send an IP packet from host A on Ethernet-1 to host B on Ethernet-2 via the WAN.
Steps
• Host A constructs a packet that contains the IP address of Host B.
• It then inserts this IP packet into an Ethernet frame, and this frame is addressed to
the multiprotocol router M1.
• Host A then puts this frame on the Ethernet.
• When M1 receives this frame, it removes the IP packet, inserts it in the payload of
the WAN network-layer packet, and addresses the WAN packet to M2.
• The multiprotocol router M2 removes the IP packet and sends it to host B in an
Ethernet frame.
How Does Encapsulation Work?
Data travels from one place to another in the form of packets. A packet has two parts: the
first is the header, which consists of the destination address and the protocol in use, and
the second is its contents (the payload).
In simple terms, encapsulation is the process of placing a packet within another packet, a
packet inside a packet. In an encapsulated packet, the header of the inner packet sits inside
the payload section of the surrounding (outer) packet, together with the actual contents.
Other Types of Tunneling Protocols
1. Generic Routing Encapsulation (GRE)
Generic Routing Encapsulation is a method of encapsulating IP packets in a GRE header
that hides the original IP packet. In addition, a new header named the delivery header is added
above the GRE header; it contains the new source and destination addresses.
The GRE header, together with the delivery header containing the new source and destination
addresses, acts as a new IP header. Only routers between which GRE is configured can decrypt
and encrypt the GRE header. The original IP packet enters a router, travels in encrypted form,
and emerges out of another GRE-configured router as the original IP packet, as if it had
traveled through a tunnel. Hence, this process is called GRE tunneling.
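The encapsulation steps above (host A to router M1, across the WAN to M2, on to host B) and the delivery header / GRE header layout can be shown concretely. The following Python is an added example, not code from the course notes: it builds an inner IPv4 packet, has M1 wrap it in a GRE tunnel packet addressed to the far endpoint, and has M2 validate and strip the outer headers before forwarding the original packet unchanged. The tunnel endpoints 203.0.113.1 and 198.51.100.1 and the hosts 192.168.1.10 / 192.168.2.20 are constructed sample addresses. Note that the GRE header carries no cryptographic protection of its own; confidentiality for the tunneled packet comes from running IPsec (next section) over the GRE tunnel.

```python
import ipaddress
import struct

GRE_PROTO = 47              # protocol number in the delivery header that says "GRE inside"
ETHERTYPE_IPV4 = 0x0800     # GRE protocol-type field announcing an IPv4 inner packet
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/IHL, TOS, total len, ID, flags/frag, TTL, proto, csum, src, dst

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; yields 0 over a header whose checksum is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of the payload."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Router M1: prepend a 4-byte GRE header and a delivery header addressed to the far end."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no C/K/S flags, GRE version 0
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre + inner)

def gre_decapsulate(outer: bytes, my_addr: str) -> bytes:
    """Router M2: validate delivery and GRE headers, then return the untouched original packet."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[0] >> 4 != 4 or ihl < 20 or ipv4_checksum(outer[:ihl]) != 0:
        raise ValueError("corrupt delivery header")
    if outer[9] != GRE_PROTO or outer[16:20] != ipaddress.IPv4Address(my_addr).packed:
        raise ValueError("not a GRE packet addressed to this tunnel endpoint")
    flags, proto = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags != 0 or proto != ETHERTYPE_IPV4:  # set C/K/S flags would add fields we do not parse
        raise ValueError("unsupported GRE header")
    return outer[ihl + 4:]

if __name__ == "__main__":
    # Constructed sample: host A sends a UDP packet to host B; M1 and M2 are the tunnel endpoints.
    inner = build_ipv4("192.168.1.10", "192.168.2.20", 17, b"data from host A")
    outer = gre_encapsulate(inner, "203.0.113.1", "198.51.100.1")
    assert gre_decapsulate(outer, "198.51.100.1") == inner
    print(f"inner {len(inner)} bytes, on the WAN {len(outer)} bytes: 24 bytes of tunnel overhead")
```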
2. Internet Protocol Security (IPsec)
IP Security (IPSec) is an Internet Engineering Task Force (IETF) standard suite of protocols,
operating between 2 communication points across an IP network, that provides data
authentication, integrity, and confidentiality. It also defines how packets are encrypted,
decrypted, and authenticated, and it defines the protocols needed for secure key exchange and
key management.
3. Virtual Extensible Local Area Network (VXLAN)
Virtual Extensible Local Area Network is abbreviated VXLAN. It is a network virtualization
technology that stretches layer 2 connections over layer 3 networks by encapsulating Ethernet
frames in a VXLAN packet, which includes IP addresses, to address the scalability problem in
a more extensible manner.
SSL tunneling involves a client that requires an SSL connection to a backend service or
secure server via a proxy server. The proxy server opens the connection between the client
and the backend service and copies the data in both directions without any direct interference
in the SSL connection.
PROJECT EXERCISES
1. How to Automate VPN to change IP location on Ubuntu using Python?
[Link]
ubuntu-using-python/?ref=oin_asr10
2. How to Setup VPN on Ubuntu Linux System for IP Spoofing Using windscribe?
[Link]
spoofing-using-windscribe/?ref=oin_asr8