Virtual Private Networks – SY0-601 CompTIA Security+ : 3.3

We use VPNs to maintain the security of our data over insecure networks. In this video, you’ll learn about SSL VPNs, HTML5 VPNs, L2TP, IPSec, and more.


A virtual private network, or VPN, is a way to send data securely through a network that would normally be considered public. The internet is a good example of this. By using a VPN we can send information between two points on the internet without anyone in the middle being able to understand anything that's being sent.

The device that's doing all of the hard work on a VPN is the VPN concentrator. This is the device that encrypts data, sends it out over the network, and then decrypts anything that it happens to receive. This concentrator is often a standalone device, or it's integrated into another device, such as a firewall.

There are many implementations of VPN concentrators and VPN solutions. Some of them are hardware devices or are built into a purpose-built appliance. Others are implemented as software that you can run on any operating system. The end stations that are communicating over the VPN commonly have some type of client that's able to encrypt and decrypt the data. That client may be something that is installed separately, or it may be built into the operating system that you're using.

With a VPN you might be at home, at a coffee shop, at a hotel, or some other place, and you need to access resources that are inside of your corporate network. But if you access those directly across the internet, anyone in the middle of that path on the internet who is listening in to the conversation would be able to see this information being sent back and forth.

So instead, you start your VPN software and you create an encrypted tunnel to the VPN concentrator that is just in front of your corporate network. The VPN concentrator is going to decrypt that information and send everything in the clear into the corporate network. And of course, the process works in reverse, where information from the corporate network is encrypted by the VPN concentrator and sent across the internet. The VPN client that's on your laptop will then decrypt that data and show you the information as if you were sitting locally in the corporate network.

It's very common to turn on this software on the laptop whenever you need access to your corporate network. But there may be some implementations of VPN software that are always on. So the moment you log in to your computer, it's connected to your corporate network using that VPN software. For individual users communicating to a network, especially from a coffee shop, a hotel, or from home, you might be using an SSL VPN, or Secure Sockets Layer VPN, which communicates over TCP port 443.

Since that's such a common port to be used for SSL communication, it's one that commonly works on any network you happen to connect to. This is also something that doesn't need any big VPN client, and it's not incredibly complex. You're usually providing remote access from a single device using this SSL VPN.

Many SSL VPNs are designed for end-user use. So you'll often use your username and password, and perhaps some two-factor authentication, to be able to access and authenticate to the concentrator. With this type of VPN you don't often need very complex authentication. For instance, you don't need to have digital certificates deployed or shared passwords that you might use for something like an IPSec configuration.

In fact, it's very common for SSL VPNs to run as a very small client on an operating system or inside of the browser itself. Many of the latest browsers support VPN software running inside of them using HTML5. This is Hypertext Markup Language version 5. One of the nice features of HTML5 is that it supports application programming interfaces and includes a web cryptography API as part of the browser.

This means you don't have to install any software. There's no installation of a client; you simply start your browser, connect to the remote network, and you're able to send SSL VPN communication without installing any additional code. The only thing you have to have is a browser that supports HTML5, and these days most of our modern browsers will be able to use these capabilities for your SSL VPN.

An end-user VPN can be configured as a full tunnel or a split tunnel. With a full tunnel, everything that is being transmitted by the remote user is sent to the VPN concentrator on the other side. The VPN concentrator will then decide where that data happens to go. So if the remote user wants to send information to the corporate network, it will be sent to the VPN concentrator, which would then decrypt it and send it into the corporate network. And then the response will be sent back to the remote user.

But suppose the remote user wants to connect to another third-party device, such as my website at professormesser.com. With a full tunnel, it still has to communicate to the VPN concentrator. The VPN concentrator will communicate to the web server, the response will go back to the VPN concentrator, and then it will be sent to the remote user. This means that in a full tunnel all of the data is going across that encrypted tunnel. That user can't break out of that tunnel to send information to another device directly.

With a split tunnel, the administrator of the VPN can configure some information to go through the tunnel and other information to go outside of the tunnel. For example, a remote user can still communicate to the remote network through the VPN concentrator that's at the remote site. But if they need to communicate to a separate website, they can communicate through the split tunnel directly to that server and back to the remote user. It doesn't need to go through the full tunnel to communicate to devices that aren't on the internal corporate network.
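The full-tunnel versus split-tunnel decision described above is, on a real client, nothing more than what routes the VPN software pushes into the operating system's routing table when the tunnel comes up. The following is an added example (not code from the video or from any VPN product) that models that route selection in Python: a split tunnel sends only the corporate prefixes into the tunnel interface and leaves the default route on the local network, while a full tunnel points the default route into the tunnel. The addresses, interface names and prefixes are constructed for the example; the host route to the concentrator in the full-tunnel table is the detail practitioners usually forget, and is an assumption about how a typical client behaves rather than something the video states.

```python
import ipaddress

# Constructed example values: the VPN concentrator's public address and two
# interfaces on the laptop. Real clients install routes like these into the
# operating system's routing table when the tunnel comes up.
VPN_GATEWAY = "203.0.113.10"   # the concentrator in front of the corporate network
TUNNEL_IF = "tun0"             # the encrypted tunnel
DIRECT_IF = "wlan0"            # the coffee shop / hotel / home network

# Split tunnel: only the corporate prefixes go through the tunnel; the
# default route stays on the local network.
SPLIT_TUNNEL_ROUTES = [
    ("10.0.0.0/8", TUNNEL_IF),          # corporate network, pushed by the concentrator
    ("192.168.100.0/24", TUNNEL_IF),    # corporate DNS and management range
    ("0.0.0.0/0", DIRECT_IF),           # everything else leaves the laptop directly
]

# Full tunnel: the default route points into the tunnel, but the concentrator
# itself must stay reachable directly, or the tunnel would try to carry its
# own encrypted packets (assumed behaviour of a typical client).
FULL_TUNNEL_ROUTES = [
    (VPN_GATEWAY + "/32", DIRECT_IF),   # host route to the concentrator
    ("0.0.0.0/0", TUNNEL_IF),           # all other traffic goes to the concentrator
]


def next_hop(routes, destination):
    """Pick the interface for a destination by longest-prefix match, as a routing table does."""
    dst = ipaddress.ip_address(destination)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def classify(routes, destinations):
    """Map each destination to 'tunnel' or 'direct' so a policy can be audited at a glance."""
    return {d: ("tunnel" if next_hop(routes, d) == TUNNEL_IF else "direct")
            for d in destinations}


if __name__ == "__main__":
    sample = ["10.20.30.40", "192.168.100.53", "93.184.216.34", VPN_GATEWAY]
    print("split:", classify(SPLIT_TUNNEL_ROUTES, sample))
    print("full: ", classify(FULL_TUNNEL_ROUTES, sample))
```

Running `classify` against a list of destinations is a quick way to audit a split-tunnel policy: anything that resolves to the direct interface is traffic the concentrator's firewall and logging will never see.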

We can also use VPN technology between remote locations. We might have a corporate network and a remote site, and we might set up a VPN between VPN concentrators or firewalls. This means that anything running between those firewalls will be encrypted. And of course, that firewall or VPN concentrator is providing the encryption and decryption process to provide access from the remote site to the corporate network.

Site-to-site VPNs like this are almost always connected constantly, or they're in a configuration where they will dynamically connect to each other whenever you need to communicate. Usually there is a firewall in place at the corporate network and there's a firewall in place at the remote site, so it's very easy to use those firewalls as VPN concentrators.

Many site-to-site VPNs are implemented using L2TP, the Layer 2 Tunneling Protocol. This means that we're connecting two networks together as if they are on the same layer 2 network, but we're obviously connecting them through a layer 3 network to perform that function. This is commonly used in conjunction with IPSec.

So you would use L2TP for the tunnel between these sites, and then add on IPSec for the encryption capabilities. You'll sometimes see this referred to as L2TP over IPSec or L2TP/IPSec.

And if you are connecting site-to-site communication using an encrypted tunnel, then you're most likely using IPSec, or Internet Protocol Security. This allows you to have authentication and encryption over a layer 3 network, and it's very commonly used on networks like the internet.

IPSec also supports packet signing along with the encryption. So you not only have confidentiality of the data, but you can make sure that anti-replay protection is built in to the conversation. You'll also find that this is very standardized: regardless of what manufacturer's firewall you happen to be using, you're probably able to communicate to any other firewall using IPSec, because everyone is using the same standard set of protocols.

If you do configure IPSec, you'll see that there are two major protocols that you will use. One is AH, or the authentication header. The other is ESP, or the encapsulation security payload.

There are two ways to send encrypted data over an IPSec tunnel. One is using transport mode and the other is using tunnel mode. Let's take for example an original packet of information, which includes an IP header and then the data that we need to protect. In transport mode we keep our original IP header at the front, so that we know where to send this information.

But then we encrypt the data and put an IPSec header and an IPSec trailer around it. This obviously doesn't protect everything in this particular packet, because the IP header remains in the clear and is sent across the network with the original IP addresses visible.

If you want to protect both the IP information and the data, then you want to use tunnel mode. In tunnel mode, both the IP header and the data are encrypted with IPSec. You'll find IPSec headers and trailers around those, and then a brand new IP header that sends this information to the IPSec concentrator on the other side of the tunnel.

If your only concern is the integrity of the data, then you may not need to encrypt any data going across the tunnel. In that case, you would only be using the authentication header, or AH, protocol. This is a hash of the packet and a shared key that is known to both IPSec concentrators. It's common to use a hash such as SHA-2, which would then add an authentication header to the data that you're already sending across the network.

This again is not going to provide any encryption. But it will provide data integrity, because we do have a hash. We can guarantee the origin of the data, because we have authentication with the shared key. And there's going to be prevention of replay attacks, because sequence numbers are also included as part of this communication.

In most IPSec implementations, though, you're going to be doing some type of encryption, and we use ESP, or the encapsulation security payload, to provide that encryption functionality. This is going to encrypt and authenticate across this IPSec tunnel. It commonly uses SHA-2 for the hash and AES for encryption, but you can change those parameters in the IPSec config.

This adds extra headers on the front and trailers on the end. We have an integrity check value so we can make sure that the data gets through the network without being modified. And your IP header and data are encrypted in the middle of the packet.
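To make the transport-versus-tunnel-mode layout and the ESP header, trailer, integrity check value and sequence-number anti-replay check concrete, here is an added Python example that is not code from the video and not any real IPSec implementation. It builds a minimal 20-byte IPv4 header, wraps the packet in an ESP-style header (SPI and sequence number), a per-packet IV, an encrypted payload ending in the ESP trailer (padding, pad length, next header), and a truncated HMAC-SHA-256 integrity check value. Two things are stand-ins and are labelled as such in the code: a SHA-256 keystream XOR takes the place of AES, and the IV is derived from the sequence number so the example is deterministic. The separate AH protocol is not modelled; ESP's own ICV and sequence number play the integrity and anti-replay roles the text describes. All addresses and keys are constructed for the example.

```python
import hashlib
import hmac
import struct

ESP_PROTO = 50          # IP protocol number for ESP in the outer IPv4 header
IPIP_NEXT_HEADER = 4    # ESP "next header" value: an entire IPv4 packet follows (tunnel mode)
ICV_LEN = 16            # truncated HMAC-SHA-256 integrity check value
WINDOW = 64             # anti-replay window width in sequence numbers


def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header (no options, zero checksum) for the demonstration."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) of a minimal IPv4 packet."""
    return (".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20])), pkt[9], pkt[20:])


def stream_cipher(key, iv, data):
    """Stand-in for AES (demo only): XOR with a SHA-256 keystream; the same call decrypts."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        out += hashlib.sha256(key + iv + block.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, out))


def esp_encapsulate(mode, inner, enc_key, auth_key, spi, seq, gw_src=None, gw_dst=None):
    """Wrap an IPv4 packet in ESP. mode is 'transport' or 'tunnel' (tunnel needs gateway addresses)."""
    src, dst, proto, payload = parse_ipv4(inner)
    if mode == "tunnel":
        plaintext, next_header = inner, IPIP_NEXT_HEADER   # whole original packet is protected
        outer_src, outer_dst = gw_src, gw_dst               # new header names the two concentrators
    else:
        plaintext, next_header = payload, proto            # original IP header stays in the clear
        outer_src, outer_dst = src, dst
    pad_len = (-len(plaintext) - 2) % 4                     # ESP trailer aligns the payload to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    esp_header = struct.pack("!II", spi, seq)               # SPI + sequence number, sent in the clear
    iv = hashlib.sha256(esp_header).digest()[:8]           # per-packet IV derived from seq (demo only)
    ciphertext = stream_cipher(enc_key, iv, plaintext + trailer)
    icv = hmac.new(auth_key, esp_header + iv + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    esp = esp_header + iv + ciphertext + icv
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, 20 + len(esp)) + esp


class ReplayWindow:
    """Sliding window over sequence numbers: the anti-replay check AH and ESP provide."""
    def __init__(self):
        self.highest = 0
        self.seen = set()

    def check_and_update(self, seq):
        if seq <= self.highest - WINDOW or seq in self.seen:
            return False                      # too old, or already received: a replay
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - WINDOW}
        return True


def esp_decapsulate(pkt, enc_key, auth_key, spi, window):
    """Verify the ICV, then the sequence number, then decrypt. Returns the inner packet or None."""
    src, dst, proto, esp = parse_ipv4(pkt)
    if proto != ESP_PROTO:
        return None
    esp_header, iv, ciphertext, icv = esp[:8], esp[8:16], esp[16:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, esp_header + iv + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None                           # modified in transit or wrong key: drop before decrypting
    pkt_spi, seq = struct.unpack("!II", esp_header)
    if pkt_spi != spi or not window.check_and_update(seq):
        return None                           # wrong security association, or a replayed packet
    plaintext = stream_cipher(enc_key, iv, ciphertext)
    pad_len, next_header = plaintext[-2], plaintext[-1]
    data = plaintext[:len(plaintext) - 2 - pad_len]
    if next_header == IPIP_NEXT_HEADER:
        return data                           # tunnel mode: the original packet, header and all
    return ipv4_header(src, dst, next_header, 20 + len(data)) + data   # transport mode: rebuild


def on_the_wire(pkt):
    """What an observer between the endpoints can read: outer addresses and protocol number."""
    src, dst, proto, _ = parse_ipv4(pkt)
    return src, dst, proto
```

Comparing `on_the_wire` for the two modes shows the point of the text directly: in transport mode the original source and destination addresses are visible to anyone on the path, while in tunnel mode only the two concentrators' addresses appear. The decapsulation order (integrity check, then sequence number, then decryption) is the defensive ordering: a packet that fails the ICV or the replay window is discarded before any key material is used on it.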

Most implementations of IPSec that you'll see will have the encapsulation security payload so that we can encrypt the data. But we also include the authentication header to make sure that the data gets through the network without anyone changing any of that information.

Here's a graphic that combines both the authentication header and the encapsulation security payload in both of the modes, transport mode and tunnel mode. Remember, in transport mode we're only encrypting the data, and the original IP header remains in its original form. Now you have the authentication header and the encapsulation security payload all combined, with an integrity check value at the end to make sure that the data gets through the network without any corruption.

With tunnel mode, which is undoubtedly the most common implementation of IPSec that you'll see, you of course have both the IP header and data encrypted, and the AH and ESP protocols are wrapped around that data so that it can be sent through the network with both encryption and integrity.