Introducing VPN Technologies

Date: Dec 6, 2011

Virtual Private Networks (VPNs) are incredibly important these days as more and more companies seek to connect sites and workers using the public Internet as the network infrastructure. In this article, Anthony Sequeira examines the basics of IPSec for the creation of these VPNs.

One of the fastest-growing tools used by businesses today is the Virtual Private Network (VPN). Every day, thousands of individuals use the Internet to connect to remote offices for work-related tasks. These connections have to be made as securely as humanly possible, and the single largest tool in our arsenal for making that happen is IP Security (IPsec). In fact, it would not be unrealistic to say that IPsec is the most commonly used security implementation found in VPN deployments.

IP Security (IPsec)

IPsec is a suite of protocols that allows us to encrypt and authenticate each IP packet in a given communications session. IPsec provides the mechanism for mutual authentication as a session is built, and it lets us negotiate the cryptographic keys that will be used for the life of the session once it is established. The beautiful part about IPsec is that it is an end-to-end security scheme that operates within the Internet Protocol Suite. This means we can use it to protect data in all three of the primary models used for VPN architectures:

IPsec can protect any application traffic crossing an IP network and does not require applications to be built to leverage its capabilities. Other Internet security systems do require an application to be designed to support them; a few of these are Transport Layer Security (TLS), Secure Sockets Layer (SSL) and Secure Shell (SSH). These tools can only protect application protocols that were built to be compatible with them, and they work at the upper layers of the OSI model.

IPsec, however, was created by the Internet Engineering Task Force (IETF) to operate at the Network Layer of the OSI model. This open standard protocol suite combines these three protocols to protect network traffic:

Authentication Headers (AH)

Authentication Headers are defined in RFC 2402, and they provide data origin authentication as well as optional anti-replay protection. The drawback of AH is that the authentication it provides for the IP header is not complete, because some IP header fields cannot be predicted by the receiver. These are known as "mutable fields", and they may, and often do, change in transit. AH does, however, fully protect the IP packet's payload, and the payload is what we are really interested in protecting.

In a nutshell, AH authenticates data origin, protects data integrity, and optionally provides replay protection. The one drawback of AH is that it does not offer data confidentiality.
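As an added example (not code from the article), the following Python shows what "the IP header is authenticated except for its mutable fields" means in practice: the ICV is computed with TOS, flags/fragment offset, TTL and header checksum zeroed, so a router decrementing TTL does not invalidate it, while any change to the payload does. The key, addresses and packet bytes are constructed; HMAC-SHA1-96 is the RFC 2404 algorithm, and the checksum update in decrement_ttl is a stand-in rather than a real recomputation.

```python
import hashlib
import hmac
import struct

AH_FIXED_LEN = 12    # Next Header, Payload Len, Reserved, SPI, Sequence Number
ICV_LEN = 12         # HMAC-SHA1-96 truncation (RFC 2404)
KEY = b"constructed-demo-key"    # constructed, not a real SA key

# Constructed IPv4 header: 10.0.0.1 -> 10.0.0.2, TTL 64, protocol 51 (AH), checksum left 0.
IP_HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + AH_FIXED_LEN + ICV_LEN + 5, 0x1234,
                        0x4000, 64, 51, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
PAYLOAD = b"hello"

def zero_mutable_fields(ip_header):
    """Copy of a 20-byte IPv4 header with the RFC 2402 mutable fields zeroed."""
    h = bytearray(ip_header)
    h[1] = 0                  # Type of Service
    h[6:8] = b"\x00\x00"      # Flags + Fragment Offset
    h[8] = 0                  # TTL, decremented by every router on the path
    h[10:12] = b"\x00\x00"    # Header Checksum, recomputed whenever TTL changes
    return bytes(h)

def compute_icv(key, ip_header, ah, payload):
    """ICV over immutable IP fields + AH header with its own ICV field zeroed + payload."""
    data = zero_mutable_fields(ip_header) + ah[:AH_FIXED_LEN] + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(key, ip_header, payload, next_header=6, spi=0x1000, seq=1):
    """Insert the AH header between the IPv4 header and the payload and fill in the ICV."""
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2   # AH length in 32-bit words, minus 2
    ah = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    ah += compute_icv(key, ip_header, ah + b"\x00" * ICV_LEN, payload)
    return ip_header + ah + payload

def verify_ah_packet(key, packet):
    """Receiver side: recompute the ICV and compare it in constant time."""
    ah_end = 20 + AH_FIXED_LEN + ICV_LEN
    ip_header, ah, payload = packet[:20], packet[20:ah_end], packet[ah_end:]
    expected = compute_icv(key, ip_header, ah, payload)
    return hmac.compare_digest(expected, ah[AH_FIXED_LEN:])

def decrement_ttl(packet):
    """Simulate one router hop: TTL drops by one and the checksum field changes."""
    p = bytearray(packet)
    p[8] -= 1
    p[10:12] = b"\xab\xcd"    # stand-in for the recomputed checksum (constructed value)
    return bytes(p)
```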

What is a replay attack? A replay attack occurs when a valid data transmission is captured and then repeated or delayed on the network. The purpose is to substitute the attacker's own IP address during the retransmission so that a cyber criminal can masquerade as a legitimate user or program by presenting falsified data.
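The anti-replay service that AH (and ESP) optionally provide is the sliding window from RFC 2402 section 3.4.3. The following Python is an added example, not code from the article or from any IPsec implementation: the receiver remembers the highest sequence number accepted and a bitmap of the recent ones, rejects anything already seen or older than the window, and only advances the window after the ICV has verified. The arrival order in TRACE is constructed.

```python
class AntiReplayWindow:
    """Receiver-side sliding window (RFC 2402 section 3.4.3) over IPsec sequence numbers."""

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 2402 requires a window of at least 32")
        self.size = size
        self.highest = 0     # highest sequence number accepted so far (0 = nothing yet)
        self.bitmap = 0      # bit i set => sequence number (highest - i) already received

    def check(self, seq):
        """Classify seq as 'accept', 'replay', 'too_old' or 'invalid' without touching state."""
        if seq == 0:
            return "invalid"         # sequence numbers start at 1; 0 is never valid
        if seq > self.highest:
            return "accept"          # right of the window: a new packet
        diff = self.highest - seq
        if diff >= self.size:
            return "too_old"         # fell off the left edge of the window
        return "replay" if (self.bitmap >> diff) & 1 else "accept"

    def update(self, seq):
        """Record seq after its ICV verified, sliding the window if it is a new high."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, seq, icv_ok=True):
        """Full receiver path: window check, then the (simulated) ICV check, then update."""
        verdict = self.check(seq)
        if verdict != "accept":
            return verdict
        if not icv_ok:
            return "bad_icv"         # a forged packet must never move the window
        self.update(seq)
        return "accept"

def run_trace(seqs, size=64):
    """Feed a constructed arrival order through one window and return the verdicts."""
    win = AntiReplayWindow(size)
    return [win.receive(s) for s in seqs]

# Constructed arrival order: in order, a replay of 2, a jump to 100 and its replay, a packet
# that fell off the 64-wide window (36), one still inside it (37), then the same at 200.
TRACE = [1, 2, 3, 2, 100, 100, 36, 37, 200, 136, 137]
```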

Encapsulating Security Payloads (ESP)

This is one of those protocols where the name says it all. In an illustration of an IPsec packet we would see an ESP header and an ESP trailer surrounding, or encapsulating, the payload. This header and trailer let us authenticate the data's origin, protect ourselves against replay attacks, and they also provide data confidentiality. That seems like the security trifecta: three out of three, much better than what AH offered us. Or is it?

ESP provides more capabilities than AH, but as with all things in networking, this comes at a cost. ESP is substantially more processor-intensive than AH, so if data confidentiality isn't a concern, AH may be a better fit given the network resources available. The other issue is that ESP requires fairly strong cryptography, which might not be permitted, or even possible, in some environments. So there will be situations where you have to use Authentication Headers rather than ESP.
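To make the header-and-trailer framing concrete, here is an added Python example (not the article's code) that builds and parses an ESP packet with NULL encryption (RFC 2410) and an HMAC-SHA1-96 ICV, so the framing stays visible: the ESP header carries the SPI and sequence number, the trailer carries padding to a 4-byte boundary plus the Pad Length and Next Header bytes, and the ICV covers everything from the header through the trailer. The key and payload are constructed; in a real deployment the payload and trailer would be encrypted before the ICV is computed.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12      # HMAC-SHA1-96 (RFC 2404)
KEY = b"constructed-demo-key"    # constructed, not a real SA key

def esp_trailer_pad(payload_len):
    """Padding bytes needed so payload + padding + Pad Length + Next Header ends on a 4-byte boundary."""
    return (-(payload_len + 2)) % 4

def esp_encapsulate(key, payload, next_header=6, spi=0x2000, seq=1):
    """ESP header (SPI, Sequence Number) + payload + trailer (padding, Pad Length, Next Header) + ICV."""
    pad_len = esp_trailer_pad(len(payload))
    padding = bytes(range(1, pad_len + 1))          # default monotonic padding 1, 2, 3...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]   # covers header through trailer
    return body + icv

def esp_is_authentic(key, packet):
    """Constant-time ICV check; nothing in the packet is parsed before this passes."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)

def esp_decapsulate(key, packet):
    """Verify the ICV, then peel the trailer; returns (spi, seq, next_header, payload)."""
    if not esp_is_authentic(key, packet):
        raise ValueError("ESP ICV mismatch: packet dropped")
    body = packet[:-ICV_LEN]
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    payload_end = len(body) - 2 - pad_len
    if body[payload_end:len(body) - 2] != bytes(range(1, pad_len + 1)):
        raise ValueError("ESP padding check failed")
    return spi, seq, next_header, body[8:payload_end]
```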

ESP and AH Modes of Operation

No matter which protocol you choose, Authentication Headers (AH) or Encapsulating Security Payload (ESP), we quickly discover that both operate in one of two modes:

Security Associations (SA)

A Security Association (SA) is a combination of shared security attributes used between two endpoints to support a secure communication session. In Cisco IOS there is a well-defined framework used to establish these security associations:

Without the bundle of algorithms and parameters that a Security Association supplies to keep AH and/or ESP operating, there would be no IPsec in the first place.

Conclusion

We have looked closely at one of the most commonly used protocol suites in networking today. Whether it is a 'road warrior' in a hotel room in the middle of nowhere or branch offices connected by site-to-site VPNs, we have seen which technologies protect our data, and how they operate to create a secure framework that eliminates distance as an impediment to exchanging data and accessing network resources. It is amazing how much this simple suite of protocols can do for us.
