May 17, 2024

Module 8 VPN and IPsec Concepts



Published June 18, 2023, 3:20 p.m. by Naomi Charles


Explain how VPNs and IPsec are used to secure site-to-site and remote access connectivity.

Describe benefits of VPN technology.

Describe different types of VPNs.

Explain how the IPsec framework is used to secure network traffic.




One of the greatest telecommunication companies in Kenya is Safaricom, and one very interesting thing when you work with Safaricom is that they choose to give you their own laptop. They choose to buy a laptop for you rather than you buying a laptop for yourself, and of course that's because of security measures. The reason why Safaricom will choose to give you their own laptop is that those laptops come already installed with a VPN, and they can always monitor the activities of your device, and you might not be able to install or uninstall any applications without their permission. So they use a VPN. I think Safaricom, a telecommunications company which is one of the greatest in Eastern Africa, uses VPNs from Cisco, which does a very good job.

So for this part I will explain VPNs, and we learn of a special type of VPN called IP security VPNs and how it is used to secure site-to-site and remote access connectivity. We look at the benefits of VPN technology, then we'll describe the different types of VPNs, and then we will finally explain how the IP security framework, or VPN, is used to secure connections.

Now, the VPN technology is a very interesting topology, and one of the major things that it does is that it creates end-to-end private network connections. So a VPN, just from its name, is actually a virtual circuit, and it carries information in a very secure manner over the public internet, so it's not easy to hack into it because of some of the encryption and authentication mechanisms that we are going to talk about. So traffic is always encrypted.

Looking at the diagram we see here, realize that we have this main site, the main organization; this is the headquarters here, and there is a corporate firewall, the Cisco Adaptive Security Appliance firewall here. There are people that work within a branch here using a Cisco router, and a Cisco router is normally able to be configured with a VPN, by the way. There's a regional office which also has a firewall which can be configured with a VPN. There's a SOHO network here, a small office home office network, where this is when someone is obviously working from home, and the Cisco router is also installed with a VPN. And there's a remote worker here, and this is what Safaricom does for its employees when they're working offline: they are installed with Cisco's VPN application called AnyConnect, which actually provides VPN services.

Now, current or modern VPNs support encryption features, and one of those encryption features is IP security, and SSL, and SSL means Secure Socket Layer. These are types of VPNs, and so SSL was actually a technology that is being done away with because it's being replaced by what's called TLS, Transport Layer Security. And both of these VPNs, either the SSL VPNs or the IP security VPNs, are used to secure traffic between sites.

But there exist many advantages or benefits of using VPNs, and one of those benefits, as we have already seen, of course, is the cost savings, the cost element. Remember every organization wants to have some change remaining; you want to invest and remain with some money so that you get some profit. You need profit that is higher than the expenditure, and so organizations will always use VPNs to reduce their connectivity options while simultaneously increasing remote connection bandwidth. Of course they are secure because of the encryption and authentication for their users. In terms of scalability, VPNs allow organizations to use the internet, and they can add as many users as possible within their VPNs. They are very compatible with most of the connectivity options, and that's one of the advantages that VPN has for us.

Like I had mentioned, there are two types of VPNs. Remote access VPN: this is whereby of course we have mobile users which must have an application installed on your laptop or on your phone. And the other type is the remote access VPN, and this is a VPN that is normally implemented within the router, so as long as you are connected to that router, which can be your default gateway, then you're actually protected.

Now, VPNs can be created using either IP security or SSL VPNs, and this brings us to what we call either a clientless VPN connection, where the connection is done using the browser. So when you see SSL here you must be thinking about HTTPS, because protocols like SSL and TLS are the ones that make HTTPS more secure than HTTP. And so the clientless VPN is a VPN whose connection is normally secured using the web browser. Then the client-based VPN connection, and by the way this is going to divide into either the IP security or the SSL: so for the clientless VPN an example is the SSL VPN, and then there is the client-based VPN. The client-based VPN is actually one that requires client software, and the example I gave you was the Cisco AnyConnect, which is one of the Secure Mobility Client software which must be installed either on your mobile phone or on your laptop or on a desktop computer. So every time you want to use the VPN you must actually log in using your username and password, the credentials; you must log into that VPN when using a client-based VPN connection.

So looking at the diagram we have here, we realize that this is the client-based VPN; this is the client-based here because the laptop or the tablet must be installed with the application, but for the SSL VPN, the clientless one, you just need a browser and that's it, any device that has a browser.

And so at this point in time we want to look at the difference between the two of them, the difference between the SSL VPNs and the IP security VPNs. Now do note that the SSL VPN normally uses PKI, which is a public key infrastructure, and it also uses digital certificates to authenticate the peers.

Now this table is going to summarize these two technologies for us. Looking at the table here we are going to make a comparison of them in terms of the applications supported, in terms of the authentication strength, encryption strength, connection complexity, even the connection options. So to start us off let's look at these differences, and we'll start with applications supported. In terms of the applications supported for the IP security VPN, remember this is the one that uses client software; all IP-based applications will actually work, so it's a bit extensive, but for the SSL VPNs only devices that have a web browser will be supported, or a web sharing application for that matter, file sharing. Then in terms of the authentication strength, IP security has a two-way authentication with shared keys or digital certificates, while the SSL one has a one-way or two-way authentication; it's a bit moderate. In terms of the encryption strength, the key lengths in IP security are a bit stronger, between 56 to 256 bits of encryption, while that of SSL is a moderate to strong encryption from 40 to 56 bits of encryption. Then in terms of the connection complexity, the IP security VPNs require a VPN client installed on your device, but the SSL VPN only requires a web browser on a host. Then the connection options: the IP security VPN is limited because only devices with that particular application will be used, but for the SSL VPN it's a bit extensive because any device with a web browser will definitely be able to connect.

Now in terms of the site-to-site, clearly you can see the site-to-site VPN; normally you have a gateway here. So this organization has the main branch here and it has a branch location, and maybe this can be in one city and this in another city. And so this VPN is always configured on the router and the firewall, and so the clients normally connecting to this network don't have to use any credentials to log into the VPN, and that's why they have no knowledge that they're actually using a VPN, because any traffic they generate will go to the router, then the router will encrypt that traffic to the firewall on the VPN gateway. We already saw the remote access one, which does the opposite: you must have the application installed on your device.

We have what you call GRE over IP security. Now GRE was actually one of the protocols; it is actually a Cisco proprietary protocol for configuring non-secure VPNs, and there is something for you to note: GRE, the Generic Routing Encapsulation, is normally a non-secure site-to-site VPN tunneling protocol, but for you to secure the VPN you must combine it with IP security. So to encapsulate and secure the traffic within GRE, you must add it to IP security to be able to make it more secure. So it will be something like this: we need to carry traffic from the branch router to the HQ router, and there's a GRE tunnel configured on the two of them on virtual circuits, so if they need to exchange any OSPF routing information in a secure manner, then, looking here, of course we have the original packet in green inside there, then in brown we have the tunnel; the GRE tunnel is the brown one, the second one. Then the blue one will be the IP security VPN to be able to encapsulate and secure that particular communication. So that is what's called GRE over IP security.

We also have what's called DMVPN, the Dynamic Multipoint VPN. This is another site-to-site IP security VPN and GRE over IP security, and this particular protocol, which is also a Cisco proprietary solution, provides multiple VPNs in a very easy, dynamic and scalable manner, and so it simplifies the implementation of VPN tunnels and provides a very flexible option to connect central sites to their branches. Now if you remember the hub-and-spoke topology, it's normally used by the DMVPN, and it also uses the full mesh topology. This one is very secure, and each site is normally configured using multipoint GRE, the mGRE, which is basically a tunnel interface which allows a single GRE interface to support multiple IP security channels. So that is DMVPN.

Now talking about IP security, and this is the last thing we talk about and then we get going: IP security technology is an IETF, Internet Engineering Task Force, standard which defines how VPNs can be secured across a public IP network. So it will normally protect and authenticate packets between a source device and a destination device, and that is providing security.

So four elements here: we have confidentiality, which we have talked about before. Confidentiality is normally ensured using encryption algorithms, and this is to prevent cyber criminals from accessing or reading any packets as they are being transmitted over the internet. So confidentiality, please mark: confidentiality is always ensured using encryption algorithms, and encryption ensures, I mean confidentiality ensures, that only authorized users can have access to information. Then we have integrity, which is always ensured using hashing algorithms, and integrity is basically ensuring that information passing from a source to a destination is not changed or altered in any manner. And then we have origin authentication. Origin authentication uses a key, I mean an Internet Key Exchange, IKE, protocol to authenticate the source and the destination, so what you want to do is to guarantee that the information comes from where it says it comes from. We have to authenticate the origin, that the sender is actually the person that we are told is sending, or what the packet says is sending. Then in terms of the key exchanges we have Diffie-Hellman; I think we did talk about DH previously in our security topic, so DH, or Diffie-Hellman, is majorly useful for the exchange of the keys, the public key exchanges. And so an IP security VPN must be bound by some of these rules, and it integrates confidentiality, integrity, authentication and the Diffie-Hellman key exchanges.

And so, like we said, for the IP security protocol we need the AH, which is the Authentication Header, the ESP, and the ESP plus the AH, to provide the IP security protocols. To ensure confidentiality within the VPN we must have these encryption algorithms, and we are talking about the Data Encryption Standard, DES; we are talking about Triple DES; and we talk about AES, the Advanced Encryption Standard; and of course SEAL as well. When you talk about integrity, to make sure that no one alters our messages as they are being transmitted over the internet, we have hashing algorithms like MD5, the Message Digest 5, and we have SHA, the Secure Hash Algorithm, as hashing algorithms to ensure integrity. Then in terms of the authentication, to authenticate when you want to log into your VPN application, we have the pre-shared key as a protocol, and we also have RSA. We also learned RSA in SSH when we say crypto key generate rsa; we always generate those authentication keys. So RSA basically, the letters refer to the names of the three guys who actually invented this algorithm, and so that refers to Rivest, Shamir and Adleman, and these are our authentication protocols. Then Diffie-Hellman for key exchanges between the source and the destination devices, to ensure security within the key exchange; we have Diffie-Hellman 2 all the way.

So this is what the structure of our framework of IP security looks like, and it needs to have all these elements so that it's considered secure for site-to-site and remote access. So I think this brings us to the end of this particular concept here. I don't know if we have any questions; if we don't have any questions then we could meet during the next chapter, which will be
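As an added example (not part of the lecture or of any Cisco material), the following Python puts together two things the lecture describes: the GRE-over-IPsec layering from the packet diagram (original packet, then GRE, then IPsec) and the integrity and origin-authentication part of the IPsec framework, where the receiving gateway checks an HMAC built from a SHA hash before trusting the packet. The key, addresses and payload are constructed for the demo, and ESP is shown with NULL encryption so the layers stay readable; a real tunnel would also encrypt the GRE packet with DES, 3DES or AES.

```python
# Added example, not from the lecture. Key, addresses and payload are constructed.
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

PSK = b"constructed-demo-key-not-for-real-use"  # stands in for the IKE-negotiated session key
ICV_LEN = 16                                     # HMAC-SHA-256 truncated to 128 bits (RFC 4868)

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum; proto 47 = GRE, 50 = ESP."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:                            # fold carries back into 16 bits
        csum = (csum & 0xFFFF) + (csum >> 16)
    return hdr[:10] + struct.pack("!H", ~csum & 0xFFFF) + hdr[12:]

def gre_encapsulate(inner_packet: bytes) -> bytes:
    """Plain GRE: 4-byte header (no flags, protocol type 0x0800 = IPv4). Nothing is encrypted
    or authenticated, which is why GRE on its own is a non-secure tunnel."""
    return struct.pack("!HH", 0, 0x0800) + inner_packet

def esp_protect(spi: int, seq: int, payload: bytes, key: bytes = PSK) -> bytes:
    """ESP with NULL encryption: SPI | seq | payload | ICV, the ICV being an HMAC over SPI..payload."""
    body = struct.pack("!II", spi, seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]

def esp_verify(esp_packet: bytes, last_seq: int, key: bytes = PSK):
    """Receiving gateway: recompute the ICV, then reject replays. Returns (accepted, seq, payload)."""
    body, icv = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
    spi, seq = struct.unpack("!II", body[:8])
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):   # altered in transit, or the peer has the wrong key
        return False, seq, b""
    if seq <= last_seq:                          # replayed packet: sequence number did not advance
        return False, seq, b""
    return True, seq, body[8:]

def gre_over_ipsec(data: bytes, spi: int = 0x1000, seq: int = 1) -> bytes:
    """Branch-router view: original packet (green) -> GRE (brown) -> ESP (blue) -> outer IP header."""
    inner = ipv4_header("10.1.1.10", "10.2.2.20", 17, len(data)) + data     # constructed LAN hosts
    esp = esp_protect(spi, seq, gre_encapsulate(inner))                      # ESP trailer omitted
    return ipv4_header("203.0.113.1", "198.51.100.1", 50, len(esp)) + esp  # documentation addresses

if __name__ == "__main__":
    wire = gre_over_ipsec(b"OSPF hello")
    ok, seq, gre = esp_verify(wire[20:], last_seq=0)
    print(ok, seq, gre[:4].hex())                # True 1 00000800
```

Flipping any byte of the GRE payload, or re-sending the same packet, makes `esp_verify` reject it, which is the property GRE alone never gives.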
