*
Prepared by:
Zunera Abdullah
BSIT 7th
*
A virtual private network (VPN) extends a private
network across a public network, and enables users to
send and receive data across shared or public networks
as if their computing devices were directly connected to
the private network. Applications running on a
computing device, e.g. a laptop, desktop, smartphone,
across a VPN may therefore benefit from the
functionality, security, and management of the private
network.
*
Remote access: A remote-access VPN allows a user to connect to a private network and access its services and resources remotely. The connection between the user and the private network passes over the Internet, and the connection is secure and private.
Site-to-site: A site-to-site VPN is used to connect the network of one office location to the network at another office location.
Firewall-based: A firewall-based VPN protects against unauthorized and malicious users intercepting or exploiting a VPN connection.
*
GRE (Generic Routing Encapsulation) encapsulates packets in order to route other protocols over IP networks.
It creates a point-to-point connection between network nodes.
Example: a GRE tunnel from Router A to Router D. When a packet is sent through the tunnel, it is encapsulated in a GRE packet, so the transit routers B and C do not see the original packet.
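To make the encapsulation concrete, here is an added Python example (not part of these slides) that builds an IPv4 packet from a host behind Router A to a host behind Router D, wraps it in a GRE packet between the two tunnel endpoints, and shows what a transit router such as Router B parses versus what Router D recovers. The addresses and the UDP payload are constructed sample values; the router and host names are assumptions taken from the slide's scenario.

```python
import struct

# Constructed sample addresses from the RFC 5737 documentation ranges (assumed, not from the slides).
ROUTER_A = "192.0.2.1"      # tunnel source endpoint
ROUTER_D = "198.51.100.1"   # tunnel destination endpoint
HOST_X = "10.1.1.10"        # original sender behind Router A
HOST_Y = "10.2.2.20"        # original receiver behind Router D

IPPROTO_UDP = 17
IPPROTO_GRE = 47            # outer IP header carries protocol 47 for GRE
ETHERTYPE_IPV4 = 0x0800     # GRE protocol-type field for an IPv4 payload
IPV4_HDR = "!BBHHHBBH4s4s"  # version/IHL, TOS, total length, ID, flags/frag, TTL, proto, checksum, src, dst


def _ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def _bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet: 20-byte header without options, then the payload."""
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         _ip_to_bytes(src), _ip_to_bytes(dst))
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """The fields any router on the path reads in order to forward the packet."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": _bytes_to_ip(src), "dst": _bytes_to_ip(dst), "proto": proto,
            "ttl": ttl, "payload": packet[ihl:total_len]}


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Router A: prepend a basic GRE header (RFC 2784, no optional fields) and an
    outer IPv4 header addressed to the far tunnel endpoint."""
    gre_header = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # flags/version = 0
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_GRE, gre_header + inner_packet)


def gre_decapsulate(outer_packet: bytes) -> bytes:
    """Router D: strip the outer IPv4 and GRE headers to recover the original packet."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    flags, proto_type = struct.unpack("!HH", outer["payload"][:4])
    if flags != 0 or proto_type != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return outer["payload"][4:]


def transit_view(outer_packet: bytes) -> dict:
    """What Routers B and C can see: the outer header only; the inner packet is opaque payload."""
    view = parse_ipv4(outer_packet)
    view.pop("payload")
    return view


if __name__ == "__main__":
    original = build_ipv4(HOST_X, HOST_Y, IPPROTO_UDP, b"hello from X")
    tunnelled = gre_encapsulate(original, ROUTER_A, ROUTER_D)
    print("transit routers see:", transit_view(tunnelled))
    print("Router D recovers the original:", gre_decapsulate(tunnelled) == original)
```

Note that GRE itself adds no confidentiality: the inner packet is hidden from forwarding logic, not from anyone who captures the bytes, which is why GRE is commonly run inside IPSec.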
*
IPSec is a secure network protocol suite that authenticates and encrypts the packets of data sent over an Internet Protocol network. It is used in virtual private networks.
IPSec acts on the network layer.
*
Confidentiality: The sender can encrypt the packets
before transmitting them across the network. If such a
communication is intercepted, it cannot be read by
anybody.
Data integrity: The receiver can verify whether the data
was changed while traveling across the Internet.
Origin authentication: The receiver can authenticate the
source of the packet.
Antireplay protection: The receiver can verify that each
packet is unique and is not duplicated.
*
When packets are traveling on the Internet, they are vulnerable to eavesdropping. Clear-text messages can be intercepted and read by anybody. Therefore, to keep the data secure, it can be encrypted. For encryption to work, both the sender and the receiver need to know the rules that were used to encrypt the original message.
Two types of encryption:
- Symmetric: each peer uses the same key to encrypt and decrypt data.
- Asymmetric: each peer uses a different key to encrypt and decrypt the message. Each peer holds a key pair:
  - A public key, which is exchanged between the users
  - A private key, which is kept secret by the owners
Rivest, Shamir, and Adleman (RSA) algorithm: The RSA algorithm uses an asymmetric key pair for encryption and decryption. Each user generates two keys: a private key and a public key. The users keep the private key for themselves and exchange the public key. To send an encrypted message to the other end, the local end encrypts the message using the remote end's public key and the RSA encryption algorithm. This message is then sent to the other end, where it is decrypted using that site's private key.
With RSA, the reverse also works. The remote end can encrypt a message using its own private key, and the receiver can decrypt the message using the sender's public key.
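The two directions of RSA described above, as an added worked example in Python (not from the slides). It uses textbook RSA with the classic small primes p = 61 and q = 53 so that the numbers stay readable; real deployments use primes of 1024 bits or more and a padding scheme such as OAEP or PSS, which this illustration omits. The second key pair (p = 67, q = 71) is a constructed "other peer" used to show that the wrong key neither recovers the message nor validates the signature.

```python
from math import gcd


def rsa_keygen(p: int, q: int, e: int = 17):
    """Textbook RSA key generation from two primes (small, illustrative values only;
    real keys use primes of at least 1024 bits each)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)          # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)         # (public key, private key)


def rsa_encrypt(public_key, m: int) -> int:
    """Local end encrypts with the REMOTE end's public key."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message integer must be in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    """Remote end decrypts with its own private key."""
    n, d = private_key
    return pow(c, d, n)


def rsa_sign(private_key, m: int) -> int:
    """The reverse direction from the slide: the owner applies its private key."""
    n, d = private_key
    return pow(m, d, n)


def rsa_verify(public_key, m: int, signature: int) -> bool:
    """Anyone holding the sender's public key undoes the private-key operation and compares."""
    n, e = public_key
    return pow(signature, e, n) == m


def round_trip(m: int, p: int = 61, q: int = 53) -> dict:
    """Run both directions with one key pair and check them against a constructed other peer."""
    pub, priv = rsa_keygen(p, q)
    other_pub, other_priv = rsa_keygen(67, 71)     # a different peer's keys (constructed)
    c = rsa_encrypt(pub, m)
    s = rsa_sign(priv, m)
    return {
        "n": pub[0],
        "ciphertext": c,
        "decrypted": rsa_decrypt(priv, c),
        "decrypted_with_wrong_key": rsa_decrypt(other_priv, c),
        "signature": s,
        "signature_valid": rsa_verify(pub, m, s),
        "signature_valid_for_other_message": rsa_verify(pub, (m + 1) % pub[0], s),
        "signature_valid_with_other_key": rsa_verify(other_pub, m, s),
    }


if __name__ == "__main__":
    for k, v in round_trip(65).items():
        print(f"{k}: {v}")
```

The message 65 encrypts to 2790 under n = 3233 and decrypts back to 65; decrypting with the other peer's private key yields garbage, and the signature verifies only with the signer's public key and only for the original message.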
*
Data integrity means the accuracy and consistency of data.
To guard against modification in transit, every message has an attached hash. This hash guarantees the integrity of the message. The receiver checks this by comparing the received hash with the hash it calculates from the message itself. If both values are equal, the message has not been tampered with.
*
IPSec uses the Hashed Message Authentication Code (HMAC) protocol to calculate the hash.
Two HMAC algorithms are commonly used:
HMAC-MD5: This protocol uses a 128-bit shared key. The key and the message are combined into a 128-bit hash.
HMAC-SHA-1: This protocol uses a 160-bit shared key. The length of the hash is 160 bits. This protocol is considered stronger because of the longer key.
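The attached-hash check described under data integrity above and the HMAC algorithms listed here, as an added Python example using the standard library's hmac module (not code from the slides). The keys are constructed to the sizes the slide gives (128-bit for HMAC-MD5, 160-bit for HMAC-SHA-1) and the message is a constructed sample. A practitioner's caveat: HMAC-MD5 and HMAC-SHA-1 still appear in older IPSec configurations, but current guidance prefers HMAC-SHA-256, which the functions below use as their default.

```python
import hashlib
import hmac

# Constructed keys sized as on the slide: 128-bit for HMAC-MD5, 160-bit for HMAC-SHA-1.
KEY_MD5 = bytes(range(16))
KEY_SHA1 = bytes(range(20))


def attach_mac(key: bytes, message: bytes, algo: str = "sha256") -> bytes:
    """Sender: compute the HMAC over the message and append it as the 'attached hash'."""
    tag = hmac.new(key, message, getattr(hashlib, algo)).digest()
    return message + tag


def verify_mac(key: bytes, data: bytes, algo: str = "sha256"):
    """Receiver: split off the tag, recompute it over the message, and compare in
    constant time. Returns (ok, message). A failed check means the message or the tag
    was altered in transit, or the sender does not hold the shared key."""
    tag_len = hashlib.new(algo).digest_size
    if len(data) < tag_len:
        return False, b""
    message, received_tag = data[:-tag_len], data[-tag_len:]
    expected = hmac.new(key, message, getattr(hashlib, algo)).digest()
    return hmac.compare_digest(expected, received_tag), message


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate an in-transit modification of a single byte."""
    altered = bytearray(data)
    altered[index] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    wire = attach_mac(KEY_SHA1, b"transfer 100", "sha1")
    print("intact:  ", verify_mac(KEY_SHA1, wire, "sha1"))
    print("tampered:", verify_mac(KEY_SHA1, flip_bit(wire, 9), "sha1"))
    print("wrong key:", verify_mac(bytes(range(1, 21)), wire, "sha1"))
```

hmac.compare_digest is used rather than == so that the comparison time does not leak how many leading bytes of the tag matched.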
*
IPSec supports three peer authentication methods:
Preshared keys: A secret key is entered into each peer manually.
RSA signatures: The exchange of digital certificates authenticates the peers.
RSA encrypted nonces: Nonces (random numbers generated by the peers) are encrypted and then exchanged between the peers. The two nonces are used during the peer authentication process.
*
Antireplay protection verifies that each packet is unique and not duplicated. IPSec packets are protected by comparing the sequence number of each received packet against a sliding window on the destination host. Packets whose sequence number falls before the sliding window are considered late or duplicate, and are dropped.
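The sliding-window check described above, as an added Python implementation (not code from the slides). The window layout follows the approach in RFC 4303 Appendix A, with a 64-entry window as an assumed default; the batch of received sequence numbers in the usage is constructed to exercise each verdict.

```python
class AntiReplayWindow:
    """Sliding-window replay check as used by ESP and AH (RFC 4303 Appendix A style).

    `last` is the highest sequence number accepted so far; bit i of `bitmap` records
    whether sequence number (last - i) has already been accepted. The window covers
    sequence numbers in (last - size, last]; anything older is rejected as late or
    duplicate. In a real implementation this check runs only after the packet's
    integrity check (HMAC) has passed, so a forged sequence number cannot move the window.
    """

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.last = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> str:
        if seq <= 0:
            return "reject:invalid"           # ESP sequence numbers start at 1
        if seq > self.last:                   # new high-water mark: slide the window right
            shift = seq - self.last
            if shift >= self.size:
                self.bitmap = 1               # everything seen before falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
            return "accept:new-high"
        offset = self.last - seq
        if offset >= self.size:
            return "reject:too-old"           # before the window: late or replayed
        if self.bitmap & (1 << offset):
            return "reject:duplicate"         # already accepted once
        self.bitmap |= 1 << offset
        return "accept:out-of-order"          # inside the window, first time seen


def filter_sequence(seqs, size: int = 64):
    """Run a batch of received sequence numbers through one window and return the verdicts."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: in-order packets, a replay, reordering, a big jump, and a stale one.
    for seq, verdict in zip([1, 2, 3, 3, 5, 4, 100, 50, 50, 30, 0, 101],
                            filter_sequence([1, 2, 3, 3, 5, 4, 100, 50, 50, 30, 0, 101])):
        print(f"seq {seq:>3}: {verdict}")
```

The window tolerates legitimate reordering (packet 4 arriving after 5) while rejecting the second copy of 3 and 50; once packet 100 has been accepted, packet 30 is outside the 64-packet window and is dropped even though it was never seen.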
*
There are two main IPSec framework protocols:
Authentication Header (AH): AH is the protocol to use when confidentiality is not required. It provides data authentication and integrity for IP packets between two systems. It verifies that the origin of the packet is correct and that the packet was not modified during transport. It does not encrypt the data packet, so the payload is transported in clear text.
Encapsulating Security Payload (ESP): ESP can be used to provide encryption and authentication. It provides confidentiality by performing encryption at the IP packet layer.
*
Transport Mode
Transport mode can be used when encrypting traffic between two hosts or between a host and a VPN gateway.
Tunnel Mode
Tunnel mode builds a secure tunnel from one gateway to another. The original IP packet (IP header and data payload) is encapsulated within another packet.
*
Step 1. Establish an IKE policy. This policy must be identical on both sides of the VPN. The following elements go into an IKE policy:
- Key distribution method: manual or certificate authority.
- Authentication method: this is mainly determined by the key distribution method you have selected. Manual distribution uses preshared keys, whereas certificate authority distribution uses RSA encrypted nonces or RSA signatures.
- IP addresses or hostnames of the peers.
Step 2. Establish an IPSec policy. Only certain traffic has to go through the IPSec tunnel. Of course, you can decide to send all traffic between peers through that tunnel, but there is a significant performance penalty when using IPSec, so it is better to be selective. As in step 1, both peers need to have the same IPSec policies. The following information is needed for an IPSec policy:
- IPSec protocol: AH and/or ESP.
- Authentication: MD5 or SHA-1.
- Encryption: DES, 3DES, or AES.
- Identify traffic: identification of the traffic to be sent through the tunnel; specify the protocol, source, destination, and port.
- SA establishment.
Step 3. Examine the configuration as it is at this stage. Check your devices to avoid conflicts with existing settings on one of the devices.
Step 4. Test the network before IPSec. Check whether you can ping the peers that are going to participate in IPSec. If you cannot ping them, you must fix this before you can configure IPSec.
Step 5. Permit IPSec ports and protocols. If there are access lists enabled on the devices along the path of the VPN, make sure that those devices permit the IPSec traffic.
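As an added example for the five steps (not from the slides), a small Python pre-flight check: it compares the two peers' IKE policies field by field (step 1), classifies a flow against the IPSec policy's traffic selectors (step 2), and reports which IPSec protocols and ports an access list on the path still blocks (step 5). All policy values, addresses and ACL entries are constructed assumptions; the ping test in step 4 is left to the operator.

```python
import ipaddress

# Constructed IKE (phase 1) proposals from each peer; values are assumptions, not the slides'.
IKE_POLICY_LOCAL = {"encryption": "aes", "hash": "sha-1", "authentication": "pre-share",
                    "dh_group": 14, "lifetime": 86400}
IKE_POLICY_REMOTE = {"encryption": "aes", "hash": "md5", "authentication": "pre-share",
                     "dh_group": 14, "lifetime": 86400}

# Constructed IPSec policy: protect only the listed traffic; everything else bypasses the tunnel.
IPSEC_POLICY = {
    "protocol": "esp", "authentication": "sha-1", "encryption": "aes",
    "selectors": [  # protocol, source, destination, destination port (None = any port)
        {"proto": "tcp", "src": "10.1.1.0/24", "dst": "10.2.2.0/24", "dport": 443},
        {"proto": "udp", "src": "10.1.1.0/24", "dst": "10.2.2.0/24", "dport": 53},
    ],
}

# What a device on the path must permit for the tunnel to come up (step 5): IKE on UDP/500,
# IKE NAT traversal on UDP/4500, and the ESP and AH IP protocols themselves.
REQUIRED_PERMITS = {("udp", 500): "IKE (UDP 500)", ("udp", 4500): "IKE NAT-T (UDP 4500)",
                    ("esp", None): "ESP (IP protocol 50)", ("ah", None): "AH (IP protocol 51)"}


def policy_mismatches(local: dict, remote: dict) -> list:
    """Steps 1 and 2: both peers must hold identical policies; list every field that differs."""
    return sorted(f"{k}: local={local.get(k)!r} remote={remote.get(k)!r}"
                  for k in set(local) | set(remote) if local.get(k) != remote.get(k))


def selects_traffic(policy: dict, proto: str, src_ip: str, dst_ip: str, dport=None) -> bool:
    """Step 2: decide whether one flow matches a selector and therefore enters the tunnel."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for sel in policy["selectors"]:
        if sel["proto"] not in ("any", proto):
            continue
        if src not in ipaddress.ip_network(sel["src"]) or dst not in ipaddress.ip_network(sel["dst"]):
            continue
        if sel["dport"] is not None and sel["dport"] != dport:
            continue
        return True
    return False


def missing_ipsec_permits(acl: list) -> list:
    """Step 5: given a path device's access list as (action, protocol, port) tuples,
    report the IPSec traffic it still blocks. Real ACLs are order-sensitive and
    address-specific; this check only looks at protocol/port coverage."""
    permitted = {(proto, port) for action, proto, port in acl if action == "permit"}
    return [name for key, name in REQUIRED_PERMITS.items() if key not in permitted]


if __name__ == "__main__":
    print("IKE mismatches:", policy_mismatches(IKE_POLICY_LOCAL, IKE_POLICY_REMOTE))
    print("HTTPS 10.1.1.5 -> 10.2.2.9 tunnelled:", selects_traffic(IPSEC_POLICY, "tcp", "10.1.1.5", "10.2.2.9", 443))
    print("HTTP  10.1.1.5 -> 10.2.2.9 tunnelled:", selects_traffic(IPSEC_POLICY, "tcp", "10.1.1.5", "10.2.2.9", 80))
    path_acl = [("permit", "udp", 500), ("permit", "esp", None), ("deny", "udp", 4500)]  # constructed
    print("still blocked on the path:", missing_ipsec_permits(path_acl))
```

With the constructed inputs the IKE check flags the hash mismatch (sha-1 versus md5), which is exactly the kind of difference that makes phase 1 fail silently until the policies are compared side by side.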