Tunneling Protocols
VPN creates a tunnel between two
devices connected to the Internet to allow secure communication between them.
It uses the following tunneling protocols to create the tunnel:
Layer 2 Forwarding (L2F) - It was the first Cisco-proprietary tunneling protocol introduced for virtual private dial-up networks (VPDNs). Using this protocol, a VPDN allows a device to create a secure connection to the corporate network over a dial-up connection.
Point-to-Point Tunneling Protocol (PPTP) - It was introduced by Microsoft to allow secure data transmission from a remote network to the corporate network.
Layer 2 Tunneling Protocol (L2TP) - It was introduced jointly by Cisco and Microsoft to include all the capabilities of the L2F and PPTP protocols.
Generic Routing Encapsulation (GRE) - It was introduced by Cisco to encapsulate various protocols in IP tunnels.
IPSec VPNs
IPSec (IP Security) is an
architecture that provides security services for IP networks. It defines authentication
and encryption functions that can be used over the IP networks. It allows you
to use different protocol options for the VPN features. In addition, it allows
you to change the architecture as the security protocols are improved over
time.
IPSec Encryption
IPSec encryption process uses a pair of encryption
algorithms to encrypt and decrypt the data. One algorithm is used to hide
(encrypt) the data and the other is used to re-create (decrypt) the original
data.
The algorithm that encrypts the data applies a secret value, referred to as the encryption key, to the packet. Therefore, an unauthorized user who intercepts the encrypted data cannot decrypt the packet without the encryption key. Moreover, even if the unauthorized user succeeds in decrypting one packet, that packet gives the attacker no information that helps decrypt other packets.
IPSec Protocols
IPSec is actually a group of
standards, protocols, and technologies that work together to build a secure
session, commonly called a tunnel, to a remote peer. An IPSec tunnel comprises
three connections: one management connection and two unidirectional data
connections. The tunnel is built across two phases. The management connection is
built during Phase 1 and is used to share IPSec-related information between the
two peers. The two data connections are built during Phase 2 and are used to
transmit user traffic. All three connections are protected. Here is a brief
description of these protocols used to build a tunnel:
ISAKMP
The Internet Security Association and Key Management Protocol is used to build and maintain the tunnel; it defines the format of the management payload, the mechanics of a key exchange protocol for the encryption algorithms and HMAC functions, negotiates how the tunnel will be built between the two devices, and authenticates the remote device.
IKE
The Internet Key Exchange Protocol is responsible for generating and managing keys used for encryption algorithms and HMAC functions. Actually, it is a combination of ISAKMP and IKE working together that secures the tunnel between two devices: they use UDP as a transport and connect on port 500.
DH
The Diffie-Hellman process is used to securely exchange the encryption and HMAC keys that will be used to secure the management and data connections.
AH
The Authentication Header protocol is used only to validate the origination and validity of data packets (on the data connections) received from a peer; it accomplishes this by using HMAC functions, where the signature created is based on almost the entire IP packet. Its two main disadvantages are that it breaks if it goes through any type of address translation device and it does not support encryption.
ESP
The Encapsulation Security Payload protocol is used to provide packet confidentiality and authentication. It provides confidentiality through encryption and packet authentication through an HMAC function. Because it supports encryption, it is the protocol companies use to protect the data connections; however, its downside is that its signature process does not protect the outer IP header and thus cannot detect packet tampering in the header, whereas AH can. ESP's other main advantage is that it can work through address translation devices doing NAT without any changes, but it requires encapsulation in a UDP packet to work through a PAT or firewall device. This part of the IPSec standard is called NAT Transparency or Traversal, or NAT-T for short.
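As an added illustration (not part of the original post), the following Python models why AH breaks behind an address translation device while ESP does not, and why ESP cannot detect tampering with the outer header: a constructed, simplified packet, a constructed HMAC key (assumed to have been negotiated already by IKE/DH), and HMAC coverage that mimics what each protocol signs.

```python
import hmac
import hashlib
from dataclasses import dataclass, replace

# Constructed, simplified packet: a few outer IP header fields plus the payload.
@dataclass
class Packet:
    src: str
    dst: str
    ttl: int          # mutable in transit; AH excludes it from the HMAC
    payload: bytes
    icv: bytes = b""  # integrity check value (the HMAC "signature")

KEY = b"constructed-demo-hmac-key"  # assumed: already negotiated via IKE/DH

def ah_covered_bytes(p: Packet) -> bytes:
    # AH signs almost the whole IP packet: immutable header fields (src, dst)
    # plus the payload; mutable fields such as TTL are hashed as zero.
    return f"{p.src}|{p.dst}|0|".encode() + p.payload

def esp_covered_bytes(p: Packet) -> bytes:
    # ESP's HMAC covers only the ESP header and payload, never the outer IP header.
    return p.payload

def sign(p: Packet, cover) -> Packet:
    return replace(p, icv=hmac.new(KEY, cover(p), hashlib.sha256).digest())

def verify(p: Packet, cover) -> bool:
    expected = hmac.new(KEY, cover(p), hashlib.sha256).digest()
    return hmac.compare_digest(p.icv, expected)

def through_nat(p: Packet, new_src: str) -> Packet:
    # A NAT device rewrites the outer source address and decrements the TTL.
    return replace(p, src=new_src, ttl=p.ttl - 1)

def demo() -> dict:
    plain = Packet("10.0.0.5", "203.0.113.9", 64, b"user data")
    ah, esp = sign(plain, ah_covered_bytes), sign(plain, esp_covered_bytes)
    return {
        "ah_survives_nat": verify(through_nat(ah, "198.51.100.1"), ah_covered_bytes),
        "esp_survives_nat": verify(through_nat(esp, "198.51.100.1"), esp_covered_bytes),
        "ah_detects_header_change": not verify(replace(ah, dst="192.0.2.77"), ah_covered_bytes),
        "esp_detects_header_change": not verify(replace(esp, dst="192.0.2.77"), esp_covered_bytes),
        "ah_detects_payload_change": not verify(replace(ah, payload=b"user data!"), ah_covered_bytes),
        "esp_detects_payload_change": not verify(replace(esp, payload=b"user data!"), esp_covered_bytes),
    }
```

Real ESP also covers its own header and trailer with the ICV, and NAT-T wraps the ESP packet in UDP (port 4500) so a PAT device has ports to track; neither detail is modelled here.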
VPN Types
VPNs fall under two implementation types:
Site-to-Site
Remote Access
The following sections will
expand on these types.
Site-to-Site
Site-to-Site VPNs, sometimes called LAN-to-LAN or L2L VPNs, connect two locations
or sites together, basically extending a classical WAN design. Two intermediate
devices, commonly called VPN gateways, protect the traffic between the two
LANs. This type of VPN tunnels packets between the locations: the original IP
packet from one LAN is encrypted by one gateway, forwarded to the destination gateway, and then decrypted and forwarded to the local LAN at its
end to the destination. From the real source and destination's perspective, the
VPN is virtual—they don't even know their traffic is being protected between
the two VPN gateways. The most common site-to-site protocol used to protect traffic
is IPSec. Routers are commonly used as the VPN gateway product, though other
products can be used, such as firewalls. Cisco products that support IPSec L2L
VPNs include routers, ASA and PIX security appliances, and the VPN 3000
concentrators. Because of scalability features such as dynamic multipoint VPNs
(DMVPNs), Cisco routers are the preferred choice for IPSec L2L gateways.
L2Ls come in two flavors:
intranet and extranet. An intranet L2L basically connects two offices of the
same company together, such as a corporate office and a regional or branch
office. An extranet is an L2L VPN that connects two different companies
together, such as a corporate office and another company that is a business
partner. Address translation is commonly required here because the two companies
might be using the same private address space.
Remote Access
Remote access VPNs are an
extension of the classic circuit-switching networks, such as POTS and ISDN.
They securely connect remote users or SOHOs to a corporate or branch office.
With a remote access VPN, the VPN provides a virtualization process, making
it appear that the remote access user or office is physically connected to the corporate
office network. Common protocols used for remote access VPNs include IPSec,
SSL, PPTP, and L2TP. Cisco supports all four of these protocols; however, most of
Cisco's development effort is based on IPSec and SSL. These are discussed
in the next two sections.
Easy VPN
Cisco's IPSec remote access
solution is called Easy VPN. Easy VPN is a design approach Cisco took to make
it easy to deploy, scale to a large number of users, and centralize policy
configurations. Easy VPN involves two components:
Easy VPN Server
Easy VPN Remote or Client
The Easy VPN Server centralizes
the policy configurations for the Easy VPN Remotes and provides access to
corporate resources. All of your IPSec remote access policies are configured on
the Servers and pushed down to the Remotes, which implement the policies. This
makes it easy to change policies, since they need to be changed only on a small
number of Servers, not on any of the Remotes. Easy VPN Server products
that Cisco supports include the ASA and PIX security appliances, routers, and
the VPN 3000 concentrators. Since the concentrators are end-of-sale, the
recommended platform for Easy VPN Servers is the ASA security appliances.
The Easy VPN Remote allows the
user or users to access corporate resources securely via the Easy VPN Server.
Very little configuration is required on the Remote to bring up a tunnel, another
reason the term easy is used to describe this solution. Easy VPN Remotes
include the following products from Cisco: the Cisco VPN Client (runs on
Windows, Macintosh, Solaris, and Linux); the Certicom and Movian clients (run
on PDAs and smart phones), and hardware clients such as the 3002, the PIX 501
and 506E; the ASA 5505; and small-end routers such as the 800s through the
3800s. Easy VPN allows users to use their applications as they would without
having a VPN in place; the downside of Easy VPN is that special software must
be installed on user desktops, laptops, PDAs, or smart phones, or a hardware client
must be deployed.
WebVPN
Unlike IPSec, which is an open standard, SSL VPNs, even though they use SSL as their protection protocol, are implemented differently by each vendor, making them proprietary. SSL VPNs are one of the newest VPNs in the marketplace today. Cisco's SSL VPN solution is called WebVPN and provides three secure connection methods: clientless, thin client, and the SSL VPN Client. The clientless and thin client implementations use a normal web browser, with JavaScript enabled, to provide the VPN solution. The main advantage of this is that no special software has to be installed on a user's desktop: they use the web browser that is already there! The downside of this is that the applications must be either web-based or one of a supported handful of non-web-based applications, such as telnet. The SSL VPN Client provides network-layer protection and allows users to use their day-to-day applications without any modifications. On the VPN gateway side, SSL VPNs are easy to set up, change policies for, and add new users to. However, they are not as scalable or as secure as using IPSec.