I've mentioned, in the last few sections, that VPNs can be used to deal with certain kinds of attacks. Therefore, the question is: What is a virtual private network (VPN)? Having worked in the computer field for almost twenty years, I am constantly asked to explain various technologies and what they are used for. In security, the most common question I'm asked is "What's a VPN?" I've probably seen all possible explanations of what a VPN is, such as the following:
As you can see, many people have different views or perceptions of what a VPN is. For example, if you would search the Internet for the term VPN, you would easily find dozens of different, sometimes similar, sometimes conflicting definitions. For instance, at www.webopedia.com, the definition of a VPN is: "a network that is constructed by using public wires to connect nodes. For example, there are a number of systems that enable you to create networks using the Internet as the medium for transporting data. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted."
To me, webopedia's definition makes it even more confusing as to what a VPN is. To clear up the confusion, I'll discuss what a VPN actually is and the different types of categories a VPN falls under. I'll then discuss some different types of VPN implementations. In its simplest form, a VPN is a connection, typically protected, between two entities that are not necessarily directly connected. The two entities could be directly connected via a point-to-point link, but it is more common to see them separated by more than one hop or network. The term "entities" could refer to either a specific device or a particular network (multiple devices). The connection, in many instances, crosses a public network; however, VPNs easily can be used for internal purposes. And the word "protected" in my definition of a VPN is somewhat open to interpretation. Most people assume that this means encryption (protecting traffic from eavesdropping attacks), or that packets haven't been tampered with (by a man-in-the-middle attack). And these assumptions are typically correct; however, a good VPN solution will deal with most, if not all, of the following issues:
As you can see, a VPN is responsible for all kinds of functions.
Of course, not every VPN implementation will include all of these components or will not implement them as securely as other methods. How the connection is set up, protected, maintained, and torn down varies on the VPN solution. Therefore, it is very important to use your company's security policy in determining which VPN technology is best for your particular situation. In some instances, it is common to see more than one VPN solution being deployed in the same network.
VPN Connection Modes
Before I discuss the four general types of VPNs and the three VPN categories, I first need to discuss the two basic types of connection modes used to move data between devices:
If you have worked with Internet Protocol Security (IPsec) before, you are probably familiar with these two terms. Other types of VPNs might use different terminology to describe these two connections modes, but since I grew up with IPsec, I favor its terminology when I typically discuss VPNs.
Both modes define the basic encapsulation process used to move protected data between two entities. I commonly see people use the word "tunnel" to describe this process; however, I don't like to use the word tunnel because it can have other meanings with VPNs. Therefore, I like to use the term "encapsulation" to describe how data is moved between the two VPN entities. The next two sections will discuss these two connection modes.
A transport mode connection is used between the real source and destination IP addresses of the devices. Figure 1-3 illustrates the use of transport mode. In this example, the network administrator is concerned about sending syslog messages from the corporate office's PIX security appliance to the corporate office's internal syslog server. The network administrator has decided to use a VPN to protect the syslog messages.
Figure 1-3. VPN Types and Categories
Because this is a VPN connection between the devices actually transmitting data, a transport mode connection is used. In a transport mode connection, the actual user data (the UDP segment containing the syslog information) is encapsulated in a VPN packet.
Figure 1-4 shows an example of the encapsulation process used in transport mode. In this example, the PIX creates a UDP segment with the syslog data. The PIX encapsulates the UDP segment in a VPN packet or segment. The VPN encapsulation would include information that would help the destination validate the protection information (and would decrypt it, if encryption is used). The VPN information is then encapsulated in an IP packet, where the source address is the PIX and the destination is the syslog server.
Figure 1-4. Transport Mode Encapsulation Method
With transport mode, if the VPN-protected packet is examined by an eavesdropping attack, the attacker will know the actual source and destination devices involved in the communication; of course, if you're using encryption as one of the protection methods with the VPN, the attacker will not be able to decipher the actual payload being transported between the VPN devices (in this case, the syslog data).
One limitation of transport mode is that it doesn't scale very well because the protection is done on a device-by-device basis. Figure 1-3 illustrates a situation in which transport mode would not be a good VPN connection method. In this example, assume that there are 10 devices at the regional office that need to communicate with 10 devices at the corporate office, and assume further that all 10 devices from one side need to communicate with all 10 devices at the remote side. Given this information, you would need to create nine VPN connections on each device, and with 10 devices on each side, this would total 180 connections! In other words, you would have your work cut out for you when setting up this scenario.
Therefore, if you have many devices at two separated locations that need to talk to each other in a secure fashion, you would use tunnel mode instead of transport mode. In tunnel mode, the actual source and destination devices typically do not protect the traffic. Instead, some intermediate device is used to protect the traffic. From the previous example of devices at the corporate office and regional office requiring protection, the two routers at each location could be responsible for the VPN protection. Devices that provide VPN protection on behalf of other devices are commonly called VPN gateways.
I'll examine an example to illustrate how tunnel mode works. In this example, the local device would create a normal IP packet and forward this to the local VPN gateway. Assume that the PIX at the regional site (shown previously in Figure 1-3) needs to send a syslog message to the syslog server at the corporate site, where the perimeter routers at the two locations are performing the function of the VPN gateway.
Figure 1-5 shows an example of the encapsulation process used. In the figure, the regional PIX generates a syslog message and encapsulates it in UDP and then in an IP packet, where the source address is the PIX's local address and the destination address is the corporate syslog server's IP address. When the regional router/VPN gateway receives the syslog IP packet from the regional PIX, the VPN gateway encapsulates the packet with VPN protection information, possibly even encrypting the original entire PIX packet. Next, the VPN gateway places this information inside another IP packet, where the source address of the packet is the regional office router and the destination address is the corporate office VPN gateway (in this example, the perimeter router). Once the corporate office router receives the protected packet, it verifies the protection and removes it (if you were using encryption to protect the packet, the corporate office VPN gateway would decrypt it). The syslog server then receives the original IP packet, not knowing (or caring) that the packet was protected part of the way from the regional PIX appliance to the syslog server.
Figure 1-5. Tunnel Mode Encapsulation Method
Given this connection mode process, tunnel mode provides these advantages over transport mode:
A VPN type describes, generally speaking, the type of entities that are involved with the actual VPN connection. There are four general VPN types:
I'll use Figure 1-3 in the following sections to illustrate the four VPN types.
A site-to-site VPN uses a tunnel mode connection between VPN gateways to protect traffic between two or more sites or locations. Site-to-site connections are commonly referred to as LAN-to-LAN (L2L) connections. With L2L VPNs, a central device at each location provides the protection of traffic between the sites. This protection process, and thus the transport network sitting between the two VPN gateway devices, is transparent to the end-user devices at the two sites.
As to what kind of device can play the role of a VPN gateway, with Cisco, you have the following items to choose from:
In Figure 1-3, to set up a protected connection between the regional office and the corporate office, you could use the following configuration:
Cisco generally recommends that you use routers for VPN L2L solutions; however, this is a very general statement and many factors have to be considered before making this decision. As you will see throughout this book, each type of device has both advantages and disadvantages. For example, here are some basic advantages one type of Cisco product has over another:
Remote Access VPNs
Remote access VPNs typically are used for low-bandwidth or broadband connections between a single-user device, such as a PC or small-office-home-office (SOHO), a hardware client (a Cisco VPN 3002 hardware client, small-end PIX appliance or small-end IOS-based router), and a VPN gateway device. Remote access VPNs typically use tunnel more for their connections. At first this sounds strange, given that one device is a VPN gateway and the other is not. However, if you think about how a transport mode connection works where the protected data is transmitted between the real source and destination devices, a remote access connection doesn't quite fit into this mold. With remote access, the traffic needs to be protected from the source to some intermediate device, which verifies the protected information (and decrypts it if it was encrypted). The real destination will receive the unprotected information. For this to work, tunnel mode is used.
With remote access, the VPN endpoint, or client, that connects to the VPN gateway will need two IP addresses: one for its NIC and one for an internal address, which is sometimes referred to as a virtual or logical address or assigned IP address.
Figure 1-6 to illustrates an example of a remote access connection. In this example, a cable modem user from home is using a PC to connect to the corporate office through a VPN gateway, say the VPN 3000 concentrator. The ISP uses DHCP to assign an IP address to the user's NIC on the home PC. A second address is needed for communication to devices at the corporate office that need to be protected; this is the internal address, which can sometimes be assigned by the user manually, or, more commonly, acquired from the VPN gateway during the setup of the VPN session. Usually the IP address comes from a central site DHCP server or a locally defined address pool. When the remote access client wants to send information to a device behind the VPN gateway at the corporate office, such as the web server, the remote access client creates an IP packet where the source IP address is the internal address, and the destination IP address is the device at the corporate office network. This packet is then encapsulated and protected with VPN information, and then an outer IP header is added. In the outer IP header, the source address is the remote access user's ISP-assigned NIC address and the destination address is the VPN gateway. The VPN gateway, upon receiving the protected packet, will verify the protection, decrypt the encapsulated packet, if necessary, and forward the encapsulated IP packet to the internal corporate device.
Figure 1-6. Remote Access Example
Because the internal address is protected (that is, you're using tunnel mode), you can easily make the remote access client look like it is an extension of the corporate office network. For example, if the corporate office is using the address space of 172.16.0.0/16, as shown in Figure 1-6, you could have the client use an internal address from a pool, say 172.16.254.0/24, to make the client appear that it is connected to the 172.16.0.0/16 network. From a device at the corporate office's perspective, it appears that the remote access client is directly attached to the 172.16.0.0/16 network; however, in reality, the client can be many hops away from the corporate office, as demonstrated in Figure 1-6.
Cisco recommends that you use Cisco VPN 3000 series concentrators as the VPN gateway product for remote access connections. When comparing the 3000 series concentrators to Cisco routers or PIX or ASA security appliances for remote access VPN gateway solutions, it is much, much easier to set up and troubleshoot remote access connectivity on the concentrators than on the other two products. However, if I only had a small number of users who needed remote access connectivity, and I already had either a PIX or ASA appliance or IOS router installed at the corporate office, I would use the existing equipment instead of purchasing a 3000 concentrator. Once the number of users started going above a dozen or so, I would seriously consider the purchase of a concentrator. The only other time I would consider a router over a concentrator for remote access would be if I needed advanced QoS capabilities that the concentrator lacks.
A firewall VPN is basically an L2L or remote access VPN enhanced with additional security and firewall functions. Firewall VPNs typically are used when one side of the VPN connection needs enhanced security and firewall functions based on their company's security policy, and they manage or own the security solution that is currently in place in their network.
Some of these security or firewall functions performed by a firewall VPN include the following:
Other than the functions in the preceding list, a firewall VPN has the same characteristics as an L2L or remote access VPN. From my perspective, I don't like the classification of a firewall VPN as a separate VPN type; however, Cisco commonly uses this term when discussing VPN types. If you are deploying Cisco equipment to implement a firewall VPN, the VPN gateway device typically would be a PIX or ASA security appliance.
A user-to-user VPN type is basically a transport mode VPN connection between two devices. The two devices can be a PIX appliance and a syslog server, a router and a TFTP server, a user using Telnet to access a Cisco router, or many other connection pairings.
Cisco doesn't officially consider user-to-user as a VPN type, but since I commonly use this to protect specific kinds of traffic between specific devices, I've included this type to round out the VPN types you'll see in the real world.
There are three basic VPN categories that describe where a VPN is used:
Figure 1-3 to illustrates what these terms describe when used in conjunction with VPNs.
An intranet VPN connects resources from the same company across that company's infrastructure. Here are some simple examples of intranet VPN connections:
An extranet VPN connects resources from one company to another company, such as a business partner. These are typically L2L connections, but can be other types. An example of an extranet could be a company that has outsourced its help desk functions and sets up a VPN to provide a secure connection from its corporate office to the outsourcing company.
An Internet VPN uses a public network as the backbone to transport VPN traffic between devices. As an example, you might use the Internet, which is a public network, to connect two sites together (L2L connection), or have telecommuters use their local ISPs to set up a VPN connection to the corporate network (remote access connections).
Remember that all of the four VPN types are supported by the three VPN categories. As to which you should use, this is based on your access needs and your company's security policy's statements.