1.1 Introduction
The need to protect the information inside each data packet while keeping the process transparent to the end user gave rise to the concept of the VPN.
Classification of VPNs
Depending on Trust Levels:
- Intranet VPNs
- Sites of the same company communicating over leased lines or the company's own WAN links
- Extranet VPNs
- Different companies (partners, suppliers) communicating over the Internet
Depending on Deployment:
- Site to Site
- S2S VPNs allow an organization to establish secure connections between two or more sites/offices so that it can send traffic over shared media such as the Internet

- Remote Access
- Remote access VPNs benefit an organization by allowing mobile users to work from remote locations, such as home, hotels or hospitals, as if they were directly connected to the organization's network
Depending on Tunnel Endpoints: VPNs can be terminated on different devices such as an ASA, a router, a VPN concentrator, etc.
Depending on IETF standards:
- L2TP: Layer 2 Tunneling Protocol
- L2F: Layer 2 Forwarding
- PPTP: Point-to-Point Tunneling Protocol
- MPLS: Multiprotocol Label Switching
- GRE: Generic Routing Encapsulation
- IPSec: Internet Protocol Security
- SSL: Secure Sockets Layer
For CCIE Security, we study only GRE, IPSec, SSL
Depending on OSI Layers:
- Layer 7: SSL VPN
- Layer 3: IPSec, GRE, GRE over IPsec
- Layer 2: L2TP, L2F, PPTP (with MPPE providing the encryption for PPTP)
Aim of any VPN
- Confidentiality (Encryption - Data Protection)
- Symmetric Encryption:
- The same key is used to encrypt and to decrypt, with one of the algorithms given below
- DES - 64-bit key (56 bits effective; the other 8 are parity bits)
- 3DES - 192-bit key (168 bits effective)
- AES - 128-bit, 192-bit or 256-bit key (the only one of the three still considered secure; DES and 3DES are deprecated)
- What are ECB and CBC?
ECB mode uses the same key (56 bits for DES) to encrypt each 64-bit plaintext block independently. If two identical plaintext blocks are encrypted under the same key, their ciphertext blocks are identical, so an attacker watching the channel can recognize repeated or similar traffic without decrypting anything. That lets the attacker build a catalogue of ciphertext messages with a known effect and replay them later without ever learning their contents: for instance, capture the login sequence of a user with administrative privilege whose traffic is protected by DES-ECB, then replay it.
This pattern leakage is what CBC mode addresses. With CBC, each 64-bit plaintext block is XORed bitwise with the previous ciphertext block (the first block with a random initialization vector, IV) before it is encrypted with the key. The encryption of each block therefore depends on all the blocks before it, and the same 64-bit plaintext block produces different ciphertext blocks. Two caveats: the IV must be fresh and unpredictable for every message, otherwise the first block leaks exactly as in ECB; and CBC by itself does not stop replay of a whole captured message, which is the job of the anti-replay sequence numbers listed further down.
- The symmetric keys are derived from a shared secret that both devices establish with the Diffie-Hellman (DH) exchange
- Both peers agree on a large prime (P) and a generator (G); in IKE these are fixed by the DH group number. P, G and the nonces travel in clear text
- Each peer generates its own random secret (RS), which never leaves the device
- Each peer computes its public value and sends it to the peer: Kpublic = G ^ RS mod P
- Each peer then computes the shared secret from the peer's public value and its own RS: Kshared = Kpublic(peer) ^ RS mod P. Both sides arrive at the same number
- An eavesdropper sees P, G and both public values but never RS. Recovering RS from G ^ RS mod P is the discrete logarithm problem, which is computationally infeasible only when P is large enough. The modulus operation is not "irreversible" by itself: with a small P the secret can be found by brute force, which is why the DH group size matters
- Asymmetric Encryption:
- Data encrypted with the public key is decrypted with the private key, or vice versa (the latter is how digital signatures work).
- Encryption can be done with a BLOCK cipher or a STREAM cipher.
- Integrity (Hashing - Detect Data Modification)
- A hash is a one-way function with a fixed-size output
- The sender attaches a HASH value to the data. The receiver runs the same HASH algorithm over the data and compares the result with the HASH value in the message; if they match, it accepts the data.
- A plain hash cannot detect an attacker who changes the data and simply recomputes the hash. To prevent that we use HMAC: the hash is keyed with a secret shared by the two peers, so only a peer holding the key can produce a valid value (and the receiver should compare the values in constant time)
- Authentication (Keys - Preshared Key [PSK] or Public Key Infrastructure [PKI], i.e. certificates)
- Non Repudiation (the sender cannot deny having sent the data; this needs digital signatures, since with a PSK either peer could have produced the message)
- Anti Replay Attack (each packet carries a sequence number covered by the integrity check; the receiver keeps a sliding window of sequence numbers it has already seen and drops duplicates and packets older than the window)
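Added example (not from the original notes) that ties together the Diffie-Hellman exchange, the HMAC integrity check and the anti-replay window described above. The DH group P=23, G=5 is a constructed textbook toy, not an IKE group, and the key derivation is an assumed toy KDF, not IKE's PRF+; the packet format (4-byte sequence number, payload, HMAC-SHA256 tag) and the sample payloads are likewise constructed for the demo. The brute-force function plays the eavesdropper and shows that what protects the secret is the size of P, not the mod operation.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output length


def dh_public(p: int, g: int, secret: int) -> int:
    """Value sent to the peer in clear text: G ^ RS mod P."""
    return pow(g, secret, p)


def dh_shared(p: int, peer_public: int, secret: int) -> int:
    """Shared secret from the peer's public value and our own RS: Kpublic(peer) ^ RS mod P."""
    return pow(peer_public, secret, p)


def brute_force_secret(p: int, g: int, public: int):
    """Eavesdropper's attack: solve G ^ x = public (mod P) by exhaustion.
    Feasible only because the demo P is tiny; for real group sizes this
    discrete-logarithm problem is what protects RS, not the mod operation itself."""
    acc = 1
    for x in range(p):
        if acc == public:
            return x
        acc = acc * g % p
    return None


def derive_key(shared: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Assumed toy KDF (not IKE's PRF+): HMAC of the shared secret keyed by both nonces."""
    n = max(1, (shared.bit_length() + 7) // 8)
    return hmac.new(nonce_i + nonce_r, shared.to_bytes(n, "big"), hashlib.sha256).digest()


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: seq || payload || HMAC(key, seq || payload).
    The MAC covers seq, so a replayed packet cannot simply be renumbered."""
    body = seq.to_bytes(4, "big") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Verifies the HMAC first, then applies a sliding anti-replay window."""

    def __init__(self, key: bytes, window: int = 64):
        self.key, self.window = key, window
        self.highest, self.seen = 0, set()

    def accept(self, packet: bytes):
        if len(packet) < 4 + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None  # modified in transit, or wrong key
        seq = int.from_bytes(body[:4], "big")
        if seq in self.seen or seq <= self.highest - self.window:
            return None  # replay, or older than the window
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
        return body[4:]


def plain_hash_protect(seq: int, payload: bytes) -> bytes:
    """The weak scheme the notes warn about: an unkeyed hash appended to the data."""
    body = seq.to_bytes(4, "big") + payload
    return body + hashlib.sha256(body).digest()


def plain_hash_ok(packet: bytes) -> bool:
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return tag == hashlib.sha256(body).digest()


def attacker_rewrite(packet: bytes, new_payload: bytes) -> bytes:
    """No key needed: change the payload, recompute the hash, and plain_hash_ok still passes."""
    return plain_hash_protect(int.from_bytes(packet[:4], "big"), new_payload)


if __name__ == "__main__":
    p, g = 23, 5  # constructed toy group, NOT an IKE DH group
    a, b = secrets.randbelow(p - 2) + 1, secrets.randbelow(p - 2) + 1
    A, B = dh_public(p, g, a), dh_public(p, g, b)
    assert dh_shared(p, B, a) == dh_shared(p, A, b)
    print("eavesdropper recovers a =", brute_force_secret(p, g, A), "because P is tiny")
    key = derive_key(dh_shared(p, B, a), b"nonce-i", b"nonce-r")
    rx = Receiver(key)
    pkt = protect(key, 1, b"login admin")
    print("first delivery:", rx.accept(pkt))
    print("replayed copy :", rx.accept(pkt))
    print("tampered copy :", rx.accept(pkt[:4] + b"login rootx" + pkt[15:]))
    print("plain hash forged:", plain_hash_ok(attacker_rewrite(plain_hash_protect(1, b"x"), b"y")))
```

The receiver verifies the HMAC before touching the window so that a forged sequence number cannot disturb the replay state, and it only records a sequence number after the tag has checked out. The replayed DES-ECB login from the ECB discussion is exactly the case the window rejects here.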