Virtual Private Networks

A Virtual Private Network (VPN) creates a secure private connection, usually over an untrusted or public network. It establishes a private tunnel between two hosts; the data passing through the tunnel is accessible only to those two hosts. A VPN may use tunneling with or without encryption. Some common standards used to implement VPNs are discussed in the following sections; they are used to encrypt and protect the data that crosses the VPN. An example of a VPN can be seen in Figure 7.19.

Figure 7.19: A VPN Creates a Virtual Tunnel Using Public Networks Like the Internet

Point-to-Point Tunneling Protocol

Point-to-Point Tunneling Protocol (PPTP) is a common protocol used for VPN connections. PPTP allows a single point-to-point connection between two systems. It uses standard PPP to create a private tunnel between the two systems. PPTP encapsulates packets so that they can travel across any TCP/IP network, whether LAN-to-LAN or WAN-to-LAN.

  • PPTP usually involves three computers: the client, the network access server, and the PPTP server. The PPTP client accesses the network access server to establish a connection to the network. A secure connection is then created between the PPTP client and the PPTP server.

  • A PPTP VPN can be created from computer to computer inside a LAN. In this case, the network access server mentioned in the previous bullet is not needed.

  • PPTP is primarily used for dial-up connections.

  • PPTP does not support RADIUS or TACACS+.

  • PPTP only supports IP.

Layer 2 Tunneling Protocol

Layer 2 Tunneling Protocol (L2TP) combines PPTP with another protocol known as Layer 2 Forwarding Protocol (L2FP). Microsoft created PPTP and Cisco created L2TP. L2TP provides a hybrid solution that is more efficient, but virtually the same as the PPTP described previously.

  • L2TP requires IPSec to provide encryption.

  • L2TP supports RADIUS and TACACS+.

  • L2TP can run on top of a number of protocols, including Internetwork Packet Exchange (IPX).

Test Day Tip 

IPSec plus L2TP is one of the most widely implemented combinations used to provide a secure VPN. L2TP is used to create a virtual tunnel between two hosts, and IPSec can be used in either tunnel or transport mode to encrypt the data packets as they pass through the VPN.

Secure Shell

Secure Shell (SSH) is a cryptographically secure replacement for standard Telnet, rlogin, rsh, and rcp commands. SSH consists of both a client and a server that use public key cryptography to provide session encryption. It also provides the ability to forward arbitrary ports over an encrypted connection.

SSH has received wide acceptance as the secure mechanism for interactive access to remote systems. SSH was conceived and developed by the Finnish developer Tatu Ylönen. When the original version of SSH became a commercial venture, the license became more restrictive. A public specification was created, resulting in the development of a number of versions of SSH-compliant client and server software that do not contain the restrictions (most significantly, those that restrict commercial use).

SSH deals with the confidentiality and integrity of information being passed between a client and host. Since programs such as Telnet and rlogin transmit usernames and passwords in cleartext, sniffing them off the network is easy. By beginning an encrypted session before the username and password are transmitted, confidentiality is guaranteed. SSH protects the integrity of the data being transmitted by the use of session keys. The client keeps a list of user keys for servers with which it previously established secure sessions. If the key matches, the secure session is established and the integrity of the data being transmitted is confirmed. Using SSH helps protect against different types of attacks, including packet sniffing, IP spoofing, and manipulation of data by unauthorized users.
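The key check described above is what an SSH client does against its known_hosts file: a remembered key that matches confirms the server, a remembered key that differs signals an interposed host, and an unknown host is the point where trust is first established. The following is an added example, not code from the book or from any SSH implementation; it reads the OpenSSH known_hosts line format (plain or comma-separated hostnames, or the hashed `|1|salt|hmac` form written when HashKnownHosts is on) and classifies a presented key. The host names, key blobs and salt are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample key blobs (not real keys): base64 of 32 arbitrary bytes each.
GOOD_KEY = base64.b64encode(b"constructed-ed25519-key-bytes!!!").decode()
OTHER_KEY = base64.b64encode(b"a-different-constructed-key-blob").decode()
SALT = b"0123456789abcdefghij"   # OpenSSH uses a random 20-byte salt per hashed entry


def hash_hostname(host: str, salt: bytes) -> str:
    """Return the hashed-host form OpenSSH writes with HashKnownHosts:
    |1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(pattern: str, host: str) -> bool:
    """Match a known_hosts host field (plain, comma-separated, or |1| hashed) against host."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return host in pattern.split(",")


def check_host_key(known_hosts: str, host: str, keytype: str, key_b64: str) -> str:
    """Classify the key a server presented as 'match', 'mismatch' or 'unknown'.

    'mismatch' is the dangerous case: the host is known, but the key differs from
    the remembered one, which is exactly what an interposed host would produce.
    """
    seen_host = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.lstrip().startswith("#"):
            continue                      # blank lines, comments, malformed entries
        pattern, ktype, blob = parts[:3]
        if not host_matches(pattern, host) or ktype != keytype:
            continue                      # another host, or another key type for this host
        seen_host = True
        if hmac.compare_digest(blob.encode(), key_b64.encode()):
            return "match"
    return "mismatch" if seen_host else "unknown"


# Constructed known_hosts content: one plain entry with an alias, one hashed entry.
KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "bastion.example.net,10.0.0.5 ssh-ed25519 " + GOOD_KEY,
    hash_hostname("git.example.net", SALT) + " ssh-ed25519 " + GOOD_KEY,
])

if __name__ == "__main__":
    for host, key in [("bastion.example.net", GOOD_KEY), ("git.example.net", GOOD_KEY),
                      ("git.example.net", OTHER_KEY), ("new.example.net", GOOD_KEY)]:
        print(host, "->", check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key))
```

The hashed form exists so that a stolen known_hosts file does not list every server a user connects to; the client can still check a hostname it already knows by recomputing the HMAC. Real OpenSSH files also carry `@cert-authority` and `@revoked` markers, wildcard patterns and `[host]:port` entries, which this parser deliberately leaves out.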

IP Security

The IPSec protocol, as defined by the IETF, is "a framework of open standards for ensuring private, secure communications over IP networks, through the use of cryptographic security services." This means that IPSec is a set of standards used for encrypting data so that it can pass securely through a public medium, such as the Internet. Unlike other methods of secure communications, IPSec is not bound to any particular authentication method or algorithm, which is why it is considered an "open standard." Also, unlike older security standards that were implemented at the application layer of the OSI model, IPSec is implemented at the network layer.

IPSec is made up of two separate security protocols. The Authentication Header (AH) protocol is responsible for maintaining the authenticity and integrity of the payload. AH authenticates packets by signing them, which ensures the integrity of the data. Since the signature is specific to the packet being transmitted, the receiver is assured of the data source. Signing packets also provides integrity, since the unique signature prevents the data from being modified. The Encapsulating Security Payload (ESP) protocol also handles the authenticity and integrity of payloads, but adds the advantage of data confidentiality through encryption. AH and ESP can be used together or separately. If used together, the entire packet is authenticated.

IPSec Authentication

To ensure the integrity of data being transmitted using IPSec, there has to be a mechanism in place to authenticate end users and manage secret keys. The most common mechanism is called Internet Key Exchange (IKE). IKE is used to authenticate the two ends of a secure tunnel by providing a secure exchange of a shared key before IPSec transmissions begin.

For IKE to work, both parties must use a password known as a pre-shared key. During IKE negotiations, both parties swap a hashed version of a pre-shared key. When they receive the hashed data, they attempt to recreate it. If they successfully recreate the hash, both parties can begin secure communications.

IPSec also has the ability to use digital signatures. A digital signature is a certificate signed by a trusted third party called a certificate authority (CA) that offers authentication and nonrepudiation, meaning the sender cannot deny that the message came from them. Without a digital signature, one party can easily deny they were responsible for messages sent.

Although public key cryptography ("User A" generates a random number and encrypts it with "User B's" public key, and User B decrypts it with their private key [described in Chapter 6]) can be used in IPSec, it does not offer nonrepudiation. The most important factor to consider when choosing an authentication method is that both parties must agree on the method chosen. IPSec uses a security association (SA) to describe how the parties will use AH and ESP to communicate. The SA can be established through manual intervention or by using the Internet Security Association and Key Management Protocol (ISAKMP). The Diffie-Hellman key exchange protocol, described in detail in Chapter 6, is used for secure exchange of pre-shared keys.
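The two mechanisms this section describes, the hashed pre-shared-key exchange that lets each side prove it holds the same secret, and the Diffie-Hellman exchange that produces fresh key material, are combined in the following added example. It is not code from the book or from any IKE implementation; it models the pre-shared-key authentication of IKEv1 in simplified form (SKEYID = prf(PSK, Ni | Nr), and an authenticating hash over the public values and identity that the peer recomputes), with HMAC-SHA256 standing in for the negotiated prf. The group is a 128-bit safe prime generated at import time rather than one of the standard RFC 3526 MODP groups, so it demonstrates the mechanics only; the identities and pre-shared keys are constructed sample values.

```python
import hashlib
import hmac
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin probable-prime test, after trial division by small primes."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int) -> int:
    """Return p = 2q + 1 with p and q both prime; g = 4 then generates the q-order subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


# Toy group, constructed for this example. Real IKE uses the standard MODP groups
# (RFC 3526 group 14 and up); 128 bits is far too small for anything but illustration.
P = safe_prime(128)
Q = (P - 1) // 2
G = 4


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 stands in for the prf IKE negotiates."""
    return hmac.new(key, data, hashlib.sha256).digest()


def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def dh_keypair():
    x = secrets.randbelow(Q - 1) + 1          # private exponent in 1 .. Q-1
    return x, pow(G, x, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    # Reject out-of-range and small-subgroup values before exponentiating with them.
    if not 1 < peer_pub < P - 1 or pow(peer_pub, Q, P) != 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)


def auth_hash(skeyid: bytes, own_pub: int, peer_pub: int, identity: bytes) -> bytes:
    """Simplified HASH_I / HASH_R: prf(SKEYID, g^x_own | g^x_peer | ID_own)."""
    return prf(skeyid, to_bytes(own_pub) + to_bytes(peer_pub) + identity)


def run_exchange(psk_i: bytes, psk_r: bytes):
    """Simulate both ends of the exchange; return (initiator_ok, responder_ok, keys_equal)."""
    id_i, id_r = b"gw-a.example", b"gw-b.example"     # constructed identities
    x_i, pub_i = dh_keypair()
    x_r, pub_r = dh_keypair()
    n_i, n_r = secrets.token_bytes(32), secrets.token_bytes(32)
    # Public values and nonces travel in the clear; only the PSK is secret, and
    # each side derives SKEYID = prf(PSK, Ni | Nr) from the PSK it holds.
    skeyid_i = prf(psk_i, n_i + n_r)
    skeyid_r = prf(psk_r, n_i + n_r)
    # Each side sends its hash; the peer recomputes it with its own SKEYID.
    hash_i = auth_hash(skeyid_i, pub_i, pub_r, id_i)
    hash_r = auth_hash(skeyid_r, pub_r, pub_i, id_r)
    responder_ok = hmac.compare_digest(hash_i, auth_hash(skeyid_r, pub_i, pub_r, id_i))
    initiator_ok = hmac.compare_digest(hash_r, auth_hash(skeyid_i, pub_r, pub_i, id_r))
    # Session keying material binds the DH secret to SKEYID (cf. IKEv1's SKEYID_d).
    key_i = prf(skeyid_i, to_bytes(dh_shared(x_i, pub_r)))
    key_r = prf(skeyid_r, to_bytes(dh_shared(x_r, pub_i)))
    return initiator_ok, responder_ok, hmac.compare_digest(key_i, key_r)


if __name__ == "__main__":
    print(run_exchange(b"correct-psk", b"correct-psk"))   # (True, True, True)
    print(run_exchange(b"correct-psk", b"wrong-psk"))     # (False, False, False)
```

Two things the exchange makes visible: the Diffie-Hellman values alone agree regardless of who sent them, so it is the pre-shared key, folded into SKEYID, that tells each side it is talking to the intended peer; and the pre-shared key is never sent, only hashes that depend on it and on fresh nonces, so a captured exchange cannot be replayed.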

Transport Mode versus Tunnel Mode

IPSec is able to operate in two different modes: transport and tunnel. When in transport mode, only the payload of the packet is encrypted. An attacker could thus sniff the traffic and determine information regarding the two parties conducting the transaction. When IPSec is used in tunneling mode, both the payload and header are encrypted. This protects the entire packet from sniffing attacks.

  • Transport mode is faster, but only encrypts the payload.

  • Tunneling mode is slower, but encrypts the entire packet including the header.
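To make concrete both the AH description earlier in this section (packets signed so that the source is assured and modification is detected, with nothing encrypted) and the transport-versus-tunnel distinction just listed, the following added example builds the three packet shapes and shows what an on-path observer can read from each. It is not code from the book or from any IPsec stack: packets are plain dictionaries rather than real IP datagrams, the integrity check is HMAC-SHA256 truncated to 128 bits (the HMAC-SHA-256-128 algorithm of RFC 4868), and an HMAC-based counter-mode keystream stands in for the negotiated ESP cipher. Addresses, keys and the payload are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ESP, AH = 50, 51      # IP protocol numbers of the two IPsec protocols
ICV_LEN = 16          # HMAC-SHA-256-128: HMAC-SHA256 truncated to 128 bits


def icv(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the negotiated ESP cipher (real ESP uses e.g. AES-GCM):
    XOR with an HMAC-SHA256 counter-mode keystream. Constructed for this example."""
    stream = b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def encode_inner(pkt: dict) -> bytes:
    """Serialise the original packet as src NUL dst NUL payload."""
    return pkt["src"].encode() + b"\x00" + pkt["dst"].encode() + b"\x00" + pkt["payload"]


def decode_inner(data: bytes) -> dict:
    src, dst, payload = data.split(b"\x00", 2)
    return {"src": src.decode(), "dst": dst.decode(), "payload": payload}


def esp_encapsulate(pkt: dict, keys: tuple, spi: int, seq: int, mode: str, gateways=None) -> dict:
    """Build an ESP packet in 'transport' or 'tunnel' mode; keys = (enc_key, auth_key)."""
    enc_key, auth_key = keys
    if mode == "transport":
        outer_src, outer_dst = pkt["src"], pkt["dst"]   # original header stays visible
        plaintext = pkt["payload"]                       # only the payload is protected
    elif mode == "tunnel":
        outer_src, outer_dst = gateways                  # new header with gateway addresses
        plaintext = encode_inner(pkt)                    # whole original packet, header included
    else:
        raise ValueError(mode)
    nonce = os.urandom(8)
    body = struct.pack(">II", spi, seq) + nonce + keystream_xor(enc_key, nonce, plaintext)
    return {"src": outer_src, "dst": outer_dst, "proto": ESP, "payload": body + icv(auth_key, body)}


def esp_decapsulate(wire: dict, keys: tuple, mode: str) -> dict:
    enc_key, auth_key = keys
    body, tag = wire["payload"][:-ICV_LEN], wire["payload"][-ICV_LEN:]
    if not hmac.compare_digest(icv(auth_key, body), tag):
        raise ValueError("ESP integrity check failed")
    nonce, ciphertext = body[8:16], body[16:]
    plaintext = keystream_xor(enc_key, nonce, ciphertext)
    if mode == "transport":
        return {"src": wire["src"], "dst": wire["dst"], "payload": plaintext}
    return decode_inner(plaintext)


def sniffer_view(wire: dict) -> dict:
    """What an on-path observer learns from the outer header alone."""
    return {"src": wire["src"], "dst": wire["dst"], "proto": wire["proto"]}


def ah_protect(pkt: dict, auth_key: bytes, spi: int, seq: int) -> dict:
    """AH in transport mode: nothing is encrypted; the ICV covers addresses, AH header and payload."""
    ah_header = struct.pack(">II", spi, seq)
    covered = pkt["src"].encode() + pkt["dst"].encode() + ah_header + pkt["payload"]
    return {"src": pkt["src"], "dst": pkt["dst"], "proto": AH,
            "payload": ah_header + icv(auth_key, covered) + pkt["payload"]}


def ah_verify(wire: dict, auth_key: bytes) -> bool:
    ah_header, tag, payload = wire["payload"][:8], wire["payload"][8:8 + ICV_LEN], wire["payload"][8 + ICV_LEN:]
    covered = wire["src"].encode() + wire["dst"].encode() + ah_header + payload
    return hmac.compare_digest(icv(auth_key, covered), tag)


# Constructed sample keys, addresses and payload.
KEYS = (b"constructed-esp-encryption-key", b"constructed-integrity-key")
GATEWAYS = ("203.0.113.1", "198.51.100.1")
ORIGINAL = {"src": "10.1.0.7", "dst": "10.2.0.9", "payload": b"GET /payroll HTTP/1.1\r\n"}

if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        wire = esp_encapsulate(ORIGINAL, KEYS, 0x1000, 1, mode, GATEWAYS)
        print(mode, "observer sees:", sniffer_view(wire))
    print("AH payload readable:", b"payroll" in ah_protect(ORIGINAL, KEYS[1], 0x2000, 1)["payload"])
```

In transport mode the observer still sees 10.1.0.7 talking to 10.2.0.9; in tunnel mode only the two gateway addresses are exposed and the inner header is inside the ciphertext, which is the difference the two bullets above describe. With AH the payload is readable on the wire, but changing either address or a payload byte makes the receiver's recomputed ICV disagree with the one carried in the packet.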



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
