CBROPS 200-201: Chapter 6 - Introduction to Virtual Private Networks (VPNs)

1. Clientless & client-based SSL VPNs

1.1. Point-to-Point Tunneling Protocol (PPTP)

1.2. Layer 2 Forwarding (L2F) Protocol

1.3. Layer 2 Tunneling Protocol (L2TP)

1.4. Generic Routing Encapsulation (GRE)

1.5. Multiprotocol Label Switching (MPLS)

1.6. Internet Protocol Security (IPsec)

1.7. Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

2. Remote-access VPNs & site-to-site VPNs

2.1. Site-to-site VPNs

2.1.1. Enable organizations to establish VPN tunnels between two or more network infrastructure devices in different sites so they can communicate over a share medium such as the internet.

2.1.2. Examples

2.1.2.1. IPsec

2.1.2.2. GRE

2.1.2.3. MPLS as site-to-site VPN protocols

2.2. Remote-access VPNs

2.2.1. Enable users to work from remote locations such as homes, hotels, & other premises as if they were connected to their corporate network.

3. The phases of IPsec

3.1. Internet Key Exchange v1 (IKv1)

3.1.1. IKEv1 Phase 1 attribute exchange

3.1.1.1. Encryption algorithms

3.1.1.2. Hashing algorithms

3.1.1.3. Diffie-Hellman groups

3.1.1.4. Authentication method

3.1.1.5. Vendor-specific attributes

3.2. Encryption Algorithms in IPsec

3.2.1. Data Encryption Standard (DES) - 64 bits

3.2.2. Triple DES (3DES) - 168 bits

3.2.3. Advanced Encryption Standard (AES) - 128 bits

3.2.4. AES 192 - 192 bits

3.2.5. AES 256 - 256 bits

4. Hashing Algorithms used in VPNs

4.1. Secure Message Algorithm (SHA)

4.2. Message Digest Algorithm 5 (MD5)

5. NAT-traversal (NAT-T)

5.1. Related to IPsec protocols Authentication Header (AH) and Encapsulating Security Payload (ESP).

5.2. With NAT-T, VPN peers dynamically discover whether an address translation device exists between them.

5.3. If NAT/PAT device is discovered they use UDP port 4500 to encapsulate data packets allowing NAT/PAT device to forward and translate packets.

6. IPsec Attributes

6.1. Encryption

6.1.1. AES recommended with higher key length

6.1.2. Support

6.1.2.1. None

6.1.2.2. DES

6.1.2.3. 3DES

6.1.2.4. AES128

6.1.2.5. AES192

6.1.2.6. AES256

6.2. Hashing

6.2.1. Support

6.2.1.1. MD5

6.2.1.2. SHA

6.2.1.3. Null

6.2.2. SHA is recommended

6.3. Identity Information

6.3.1. Network

6.3.2. Protocol

6.3.3. Port Number

6.4. Lifetime

6.4.1. 120-2,147,483,647 seconds

6.4.2. 10-2,147,483,647 kilobytes

6.5. Mode

6.5.1. Tunnel

6.5.2. Transport

6.6. Perfect Forward Secrecy (PFS) groups

6.6.1. None

6.6.2. 1

6.6.3. 2

6.6.4. 5

7. IKEv1 & IKEv2

7.1. IKEv1 Exchange

7.1.1. Phase 1 has two possible exchanges: main mode & aggressive mode.

7.1.2. There is a single exchange of a message pair for IKEv2 IKE_SA.

7.2. IKEv1 Authentication

7.2.1. Does not allow the use of Extensible Authentication Protocol (EAP), EAP allows IKEv2 to provide a solution for a remote-access VPN.

7.3. IKEv2 Exchange Efficiency

7.3.1. Has a simple exchange of two message pairs for the CHILD_SA.

7.3.2. IKEv1 has at least three message pairs for Phase 2.

7.3.3. KEv2 is designed to be more efficient than IKEv1 since fewer packets are exchanged.

7.3.4. IKEv2 supports the use of next-generation encryption protocols and anti-DoS capabilities.

8. SSL VPN Technologies

8.1. Reverse proxy technology

8.2. Port-forwarding technology & smart tunnels

8.3. SSL VPN tunnel client (AnyConnect Secure Mobility Client)

8.4. Integrated terminal services

9. Key Terms

9.1. Internet Key Exchange (IKE)

9.1.1. Protocol used by IPsec to negotiate & establish secured site-to-site remote-access VPN tunnels.

9.1.2. IKE is a framework provided by the Internet Security Association and Key Management Protocol (ISAKMP) and parts of two other key management protocols: namely, Oakley and Secure Key Exchange Mechanism (SKEME).

9.2. Diffie-Hellman (DH)

9.2.1. A key agreement protocol that enables two users or devices to authenticate each other's pre-shared keys without actually sending the keys over an unsecured medium.

9.3. IKEv1 vs. IKv2

9.3.1. Phase 1

9.3.1.1. KEv1 Phase 1 has two possible exchanges: main mode and aggressive mode. There is a single exchange of a message pair for IKEv2 IKE_SA.

9.3.2. Phase 2

9.3.2.1. IKEv2 has a simple exchange of two message pairs for the CHILD_SA. IKEv1 uses an exchange of at least three message pairs for Phase 2.