A virtual private network (VPN) is a valuable security technique that’s commonly used to protect data sent across insecure networks. In this video, you’ll learn about VPN technologies, types of VPN implementations, and how IPsec protocols are used to protect your data at the packet level.
<< Previous Video: Firewalls Next: Network Intrusion Detection and Prevention >>
One of the challenges we have with communicating across the internet is we’re never quite sure who might be in the middle and able to see the traffic that’s going by. For that reason, we will often encrypt the traffic between two points. One of the most common ways to do this is with a virtual private network, or a VPN. This allows us to set up an encrypted tunnel, and any traffic we send through that tunnel to the device on the other side will be encrypted and completely useless by anybody who might listen in along the way.
It’s common to implement this encryption method using a VPN concentrator. This is a device that is specifically designed to provide this encryption and decryption of network traffic, and allows many people to use this encryption mechanism simultaneously. It’s very common to have this concentrator built into an existing firewall. And there’s also software-based VPN concentrators you can configure, as well. And on the client side, most operating systems these days come with software that will allow you to automatically connect to a number of these VPN concentrators without having to load additional software on your workstation.
When you’re using a VPN concentrator, you usually have a corporate network that has the VPN concentrator right on the front of it, usually connected to the internet. And then somewhere out on the internet is your device. Maybe it’s a laptop at a coffee shop. You start your client VPN software, which then communicates over an encrypted tunnel to the VPN concentrator. The VPN concentrator will take that encrypted traffic, decrypt the communication, and send all of that into the corporate network.
When that traffic needs to get back to your laptop, it is sent to the VPN concentrator, which then encrypts the communication and sends it back over that encrypted tunnel. This VPN tunnel is something that’s usually created on demand. You sit down in the coffee shop, you start the software, and it builds that tunnel back to your remote location. Some software can be configured as Always On, which means anytime you’re using your laptop, it’s always using an encrypted tunnel back to your corporate network.
One very common type of VPN in use is a Secure Sockets Layer VPN, or SSL VPN. This is using the very common SSL or TLS protocol running over TCP port 443. Because this SSL VPN is using this very common SSL protocol that we commonly use in our web browsers, you generally find that most networks allow this traffic to flow freely. Most SSL VPN clients are built into existing browsers or operating systems, and you’re usually logging in with your normal authentication. You don’t need additional digital certificates, and you don’t have to set up a separate IPSec tunnel. The SSL VPN is simply running from a browser, connecting back to a concentrator, and you’re connected over this encrypted tunnel.
If the administrator of your VPN has set it up as a full tunnel, that means that all traffic, regardless of its destination, will all traverse this tunnel. That means if you’re sending traffic to your corporate network, that will obviously go over your encrypted tunnel, but if you do need to communicate to a third-party website, it will first traverse this tunnel, at which time the VPN concentrator will redirect that traffic to the third-party website, who will then direct it back to the VPN concentrator so that it can be encrypted and sent back to you.
You can contrast this with a split VPN tunnel. That’s when all of the traffic from your site to the corporate network traverses this encrypted tunnel, but if you need to communicate to a third-party website that is not part of your corporate network, it will use the normal communication outside the scope of that VPN communication. That might speed up the communication on your side, and if it’s not required that you have encryption between you and that third-party site, then there’s no reason to use encrypted tunnel.
If you’re part of a company that has a large corporate office and then many remote sites, there may already be a VPN configured between firewalls at the corporate office and at your remote site. You’ll find that most site-to-site VPNs are always on, which means whenever you send traffic, it’s always going to go through that encrypted tunnel. Some site-to-site VPNs are configured to disable the tunnel after a certain amount of non-use, but as soon as you try to send traffic through to the corporate network, it will rebuild the tunnel and send that traffic over the encrypted connection.
In most cases, an organization is going to use the existing firewalls that are in place to act as VPN concentrators. That means you don’t have to have a separate device at all these remote locations, and you can simply take advantage of the firewall that’s already there.
Most site-to-site VPNs are encrypting this traffic using a protocol called Internet Protocol Security, or IPSec. This allows Layer 3 encryption of all IP traffic from one site to the other. Not only are we providing confidentiality through the encryption of this traffic, IPSec also allows an integrity check so you can make sure that nobody is replaying traffic through this VPN connection. This is also a very standardized protocol, which means you can have one manufacturer’s firewall at one side and a completely different manufacturer’s firewall at the other side, but they’ll still be able to communicate using IPSec. There are two core protocols associated with IPSec. There is AH, or the authentication header, and there’s also ESP, or the encapsulation security payload.
IPSec can use two different modes of communication. One is transport mode, and the other is tunnel mode. The way this works is that you have your original packet, and that packet has an IP header and data inside of it. We obviously need to protect this data. In transport mode, the data is encrypted. You have an IPSec header and an IPSec trailer put on either side of the data, and then you use the original IP header to be able to get that data to the remote site.
In tunnel mode, both the IP header and the data are encrypted. They’re wrapped around an IPSec header and an IPSec trailer, and then a completely different IP header is put on the front of the packet. This means that, if somebody sees that packet going through, they’re not going to have any idea what the actual IP destination is because all of that information is encrypted when you’re using tunnel mode.
Let’s take a look at the authentication header that’s used with an IPSec. This provides integrity of the data that’s being sent through the network. Commonly, IPSec will take the IP header and the data, combine that with a shared key, and provide a hash. And usually, the has is one based on MD5, SHA-1, or SHA-2, and it’s adding that authentication header to the beginning of the packet.
The part of IPSec that’s providing the encryption is done through the encapsulation security payload, or ESP. It’s using 3DES or usually AES for encryption, and it adds a header, a trailer, and an Integrity Check Value. That means that you can encrypt the IP header, the data, and you have an ESP trailer inside of this encrypted information. And on the outside, you have not only your new IP header, but the ESP header and Integrity Check Value. This means that you can authenticate almost all of the data when you’re running this IPSec datagram and using ESP to encrypt the data.
In most IPSec implementations, you’re not only using the ESP for the encryption, but you’re using the authentication header at the same time. This means that you can have this encrypted data inside of your packet, but you can authenticate the entire IP packet. That means that you can do this either in a transport mode and a tunnel mode to ensure that not only is your traffic protected and encrypted, but now you can also be assured that’s exactly what was sent by the original station.