What are the Features of a Secure VPN?
VPNs use advanced encryption techniques and tunneling to permit organizations to establish secure, end-to-end, private network connections over the Internet.
The basis of a secure VPN is data confidentiality, data integrity, and authentication:
i. Data confidentiality – A common network security concern is protecting data from hackers. Data confidentiality aims to protect the contents of messages from being intercepted by unauthorized parties. VPNs achieve data confidentiality through encapsulation and encryption.
ii. Data integrity – Data integrity guarantees that no tampering or alteration occurs to data while it travels between the source and destination. VPNs typically use hashes – a checksum or seal computed over the content – to ensure data integrity.
iii. Authentication – Authentication ensures that a message comes from a reliable source and goes to an authentic destination. VPNs can use passwords, digital certificates, smart cards, and biometrics to establish the identity of the parties at the other end of a network. See the diagram below:
Most large enterprises deploy VPNs to provide data integrity, authentication, and data encryption to assure confidentiality of the packets sent over an insecure network or the Internet.
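The integrity point above is easy to get wrong in practice: a checksum that anyone can recompute does not detect tampering, which is why VPN integrity mechanisms use a keyed hash. The following is an added illustration, not code from the original page; the key and messages are constructed, and it contrasts a plain SHA-256 checksum with an HMAC over the same message.

```python
"""Added example: why a VPN's integrity 'seal' has to be keyed.

A plain checksum (SHA-256 over the message) can be recomputed by whoever
alters the message in transit, so the receiver cannot distinguish a tampered
message from an intact one. A keyed hash (HMAC) over the same bytes can only
be produced with the shared integrity key, which is what lets the receiving
VPN peer detect modification. Key and messages below are constructed.
"""
import hashlib
import hmac
import secrets


def sha256_seal(message: bytes) -> bytes:
    """Unkeyed seal: anyone holding the message can recompute it."""
    return hashlib.sha256(message).digest()


def hmac_seal(key: bytes, message: bytes) -> bytes:
    """Keyed seal: requires the integrity key negotiated for the tunnel."""
    return hmac.new(key, message, hashlib.sha256).digest()


def receiver_accepts_unkeyed(message: bytes, checksum: bytes) -> bool:
    """Receiver-side check when only a checksum travels with the message."""
    return sha256_seal(message) == checksum


def receiver_accepts_keyed(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver-side check with a keyed tag; compare_digest avoids timing leaks."""
    return hmac.compare_digest(hmac_seal(key, message), tag)


def demo() -> dict:
    key = secrets.token_bytes(32)                 # constructed tunnel integrity key
    original = b"transfer amount=100 acct=1001"   # constructed message
    altered = original.replace(b"acct=1001", b"acct=9999")

    # Unkeyed: the altered message arrives with a freshly computed checksum
    # that matches it, so the receiver's check passes and nothing is detected.
    unkeyed_passes = receiver_accepts_unkeyed(altered, sha256_seal(altered))

    # Keyed: the tag was computed over the original with the key; the altered
    # message fails verification, and no valid tag for it can be made without the key.
    tag = hmac_seal(key, original)
    keyed_original = receiver_accepts_keyed(key, original, tag)
    keyed_altered = receiver_accepts_keyed(key, altered, tag)
    return {
        "unkeyed_check_passes_on_tampered": unkeyed_passes,
        "keyed_check_passes_on_original": keyed_original,
        "keyed_check_passes_on_tampered": keyed_altered,
    }


if __name__ == "__main__":
    print(demo())
```

The receiver-side comparison uses `hmac.compare_digest` rather than `==` so that verification time does not depend on where the first mismatching byte is.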
VPNs are designed to avoid the cost of needless leased lines.
Many different protocols are used for VPN implementations, including these:
• Point-to-Point Tunneling Protocol (PPTP)
• Internet Protocol Security (IPsec)
• Secure Socket Layer (SSL)
• Layer 2 Forwarding (L2F) Protocol
• Layer 2 Tunneling Protocol (L2TP)
• Generic Routing Encapsulation (GRE) Protocol
• Multiprotocol Label Switching (MPLS) VPN
PPTP, L2F, L2TP, GRE, and MPLS VPNs do not by themselves provide data integrity, authentication, and data encryption. However, you can combine L2TP, GRE, and MPLS with IPsec to provide these benefits. Most large enterprise networks use IPsec as their preferred protocol because it supports all three features described earlier (data integrity, authentication, and data encryption).
The Cisco ASA integrates many IPsec and SSL VPN features with firewall capabilities. Other Cisco products that support VPN features are as follows:
• Cisco VPN 3000 series concentrators
• Cisco IOS routers
• Cisco PIX firewalls
• Cisco Catalyst 6500 switches and Cisco 7600 series routers WebVPN services module
• Cisco 7600 series/Catalyst 6500 series IPsec VPN shared port adapter
How IPsec works
IPsec uses the Internet Key Exchange (IKE) protocol, defined in RFC 2409, “The Internet Key Exchange,” to negotiate and establish secured site-to-site or remote-access VPN tunnels.
IKE is a framework provided by the Internet Security Association and Key Management Protocol (ISAKMP) and parts of two other key management protocols, namely Oakley and Secure Key Exchange Mechanism (SKEME).
The Internet Security Association and Key Management Protocol (ISAKMP) has two phases.
Phase 1 is used to create a secure bidirectional communication channel between the IPsec peers. This channel is known as the ISAKMP Security Association (SA).
Within the Phase 1 negotiation, several features are exchanged, including:
• Encryption algorithms
• Hashing algorithms
• Diffie-Hellman groups
• Authentication method
• Vendor-specific attributes
Typical encryption algorithms include:
• Data Encryption Standard (DES): 64 bits long
• Triple DES (3DES): 168 bits long
• Advanced Encryption Standard (AES): 128 bits long
• AES 192: 192 bits long
• AES 256: 256 bits long
Hashing algorithms include these:
• Secure Hash Algorithm (SHA)
• Message digest algorithm 5 (MD5)
The common authentication methods are preshared keys (where the peers agree on a shared secret) and digital certificates with the use of Public Key Infrastructure (PKI).
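The Phase 1 steps above (Diffie-Hellman group, hashing algorithm, and preshared-key authentication) can be followed end to end in a small model. The block below is an added example, not code from the original page or from any vendor implementation: it runs the preshared-key key derivation of RFC 2409 section 5 between two peers, using HMAC-SHA-256 as a stand-in for the negotiated prf (an assumption), with constructed cookies, nonces, SA proposal bytes, identities and preshared keys.

```python
"""Added example: key agreement and preshared-key authentication in IKE Phase 1.

Two peers exchange cookies, nonces and Diffie-Hellman public values, derive
the SKEYID keys from the shared secret and the preshared key, and prove
knowledge of that key with the authentication hash. The key derivation
follows the preshared-key case in RFC 2409 section 5; HMAC-SHA-256 stands in
for the prf that IKEv1 would build from the negotiated hash algorithm
(assumption). Cookies, nonces, the SA proposal bytes, identities and
preshared keys below are constructed for the demo.
"""
import hashlib
import hmac
import secrets

# RFC 2409 group 2: 1024-bit MODP prime with generator 2. Used here because
# the prime is short enough to embed; 1024-bit DH is too weak for current
# deployments, which should negotiate group 14 (2048-bit) or larger.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
GROUP2_LEN = 128  # bytes needed to carry a value mod p


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    """Private exponent x in [1, p-2] and the public value g^x mod p."""
    x = secrets.randbelow(GROUP2_P - 2) + 1
    return x, pow(GROUP2_G, x, GROUP2_P)


def dh_shared(x: int, peer_public: int) -> bytes:
    """Shared secret g^xy mod p, rejecting public values that force a trivial result."""
    if not 1 < peer_public < GROUP2_P - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_public, x, GROUP2_P).to_bytes(GROUP2_LEN, "big")


def skeyid_keys(psk, ni, nr, g_xy, cky_i, cky_r) -> dict:
    """RFC 2409 section 5: SKEYID and the three keys derived from it."""
    skeyid = prf(psk, ni + nr)                                          # preshared-key case
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")              # feeds IPsec SA keys
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")   # ISAKMP integrity
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")   # ISAKMP encryption
    return {"skeyid": skeyid, "d": skeyid_d, "a": skeyid_a, "e": skeyid_e}


def hash_i(skeyid, g_xi, g_xr, cky_i, cky_r, sa_i, id_i) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, g_xi + g_xr + cky_i + cky_r + sa_i + id_i)


def phase1(initiator_psk: bytes, responder_psk: bytes) -> dict:
    """Run the exchange; returns what the two sides were able to agree on."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    xi, pub_i = dh_keypair()
    xr, pub_r = dh_keypair()
    g_xi = pub_i.to_bytes(GROUP2_LEN, "big")       # sent initiator -> responder
    g_xr = pub_r.to_bytes(GROUP2_LEN, "big")       # sent responder -> initiator
    sa_i = b"ENCR=AES-128,HASH=SHA,AUTH=PSK,DH=2"  # constructed stand-in for SAi_b
    id_i = b"vpn-gw-a.example"                     # constructed initiator identity

    # Each side derives the shared secret from the other's public value.
    keys_i = skeyid_keys(initiator_psk, ni, nr, dh_shared(xi, pub_r), cky_i, cky_r)
    keys_r = skeyid_keys(responder_psk, ni, nr, dh_shared(xr, pub_i), cky_i, cky_r)

    # The initiator sends HASH_I; the responder recomputes it with its own PSK.
    sent = hash_i(keys_i["skeyid"], g_xi, g_xr, cky_i, cky_r, sa_i, id_i)
    expected = hash_i(keys_r["skeyid"], g_xi, g_xr, cky_i, cky_r, sa_i, id_i)
    return {
        "initiator_authenticated": hmac.compare_digest(sent, expected),
        "session_keys_match": keys_i == keys_r,
    }


if __name__ == "__main__":
    print(phase1(b"correct-psk", b"correct-psk"))
    print(phase1(b"correct-psk", b"wrong-psk"))
```

Running `phase1` with matching preshared keys yields identical SKEYID material on both sides and a verified HASH_I; with mismatched keys the Diffie-Hellman secret still agrees, but the authentication hash fails and every derived key differs, which is the point of the authentication step.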
Phase 2 is used to negotiate the IPsec Security Associations (SAs). This phase is also known as quick mode. The ISAKMP SA protects the IPsec SAs because all payloads are encrypted.
IPsec uses two different protocols to encapsulate the data over a VPN tunnel:
• Encapsulating Security Payload (ESP): IP Protocol 50
• Authentication Header (AH): IP Protocol 51
IPsec can use two modes with either AH or ESP:
• Transport mode: Protects upper-layer protocols, such as User Datagram Protocol (UDP) and TCP. Transport mode is used for encryption and authentication of the data packets between the peers. A typical example of this is the use of GRE over an IPsec tunnel.
• Tunnel mode: Protects the entire IP packet. Tunnel mode is used to encrypt and authenticate IP packets when they are originated by the hosts connected to the VPN device.
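To make the difference between the two modes concrete, the block below builds the ESP wrapper of RFC 4303 around constructed data and unwraps it again on the receiving side. It is an added example, not code from the original page or from any vendor product: integrity uses HMAC-SHA-256 truncated to 128 bits (RFC 4868), the cipher is the NULL cipher of RFC 2410 because the standard library has no AES (so it demonstrates integrity and anti-replay, not confidentiality), and the addresses, keys and payloads are constructed. It goes slightly beyond the text by including the anti-replay window that an ESP receiver keeps over sequence numbers.

```python
"""Added example: what ESP wraps in transport mode versus tunnel mode.

Builds the ESP format of RFC 4303 (SPI, sequence number, payload, padding,
pad length, next header, ICV) around constructed data, with a receiver that
verifies the ICV and enforces an anti-replay window. Transport mode wraps only
the transport-layer data and keeps the original IP header outside; tunnel mode
wraps the whole inner IP packet and adds a new outer header with the gateway
addresses. Integrity is HMAC-SHA-256 truncated to 128 bits (RFC 4868); the
cipher is the NULL cipher of RFC 2410 because the standard library has no AES,
so the block shows integrity and anti-replay, not confidentiality. Addresses,
keys and payloads are constructed.
"""
import hashlib
import hmac
import struct

ESP_PROTO = 50        # outer IP protocol number for ESP
IPPROTO_TCP = 6
IPPROTO_IPIP = 4      # next-header value when the payload is a whole IPv4 packet
ICV_LEN = 16          # HMAC-SHA-256-128


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; header checksum left at zero for the demo."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0, 0, 64, proto, 0, addr(src), addr(dst))


def esp_encapsulate(key: bytes, spi: int, seq: int, payload: bytes, next_header: int) -> bytes:
    pad_len = (-(len(payload) + 2)) % 4      # pad length + next header end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))   # RFC 4303 default padding values 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]  # covers everything before it
    return body + icv


def esp_decapsulate(key: bytes, packet: bytes):
    """Verify the ICV first, then unwrap; returns (spi, seq, next_header, payload)."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN], icv):
        raise ValueError("ICV mismatch: packet altered or wrong key")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[8:-(2 + pad_len)]


class ReplayWindow:
    """Sliding anti-replay window over ESP sequence numbers (RFC 4303 section 3.4.3)."""

    def __init__(self, size: int = 64):
        self.size, self.highest, self.seen = size, 0, set()

    def check(self, seq: int) -> bool:
        # Reject sequence 0, duplicates, and anything that fell behind the window.
        if seq == 0 or seq in self.seen or seq + self.size <= self.highest:
            return False
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s + self.size > self.highest}
        return True


def transport_mode(key, spi, seq, src, dst, segment: bytes) -> bytes:
    """Original addresses stay in the outer header; only the segment is wrapped."""
    esp = esp_encapsulate(key, spi, seq, segment, IPPROTO_TCP)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def tunnel_mode(key, spi, seq, gw_src, gw_dst, inner_packet: bytes) -> bytes:
    """The entire inner packet is wrapped; the outer header carries the gateways."""
    esp = esp_encapsulate(key, spi, seq, inner_packet, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def demo() -> dict:
    key = b"\x11" * 32                         # constructed integrity key
    segment = b"GET / HTTP/1.0\r\n\r\n"        # constructed stand-in for a TCP segment
    inner = ipv4_header("10.1.1.5", "10.2.2.7", IPPROTO_TCP, len(segment)) + segment
    t = transport_mode(key, 0x1000, 1, "10.1.1.5", "10.2.2.7", segment)
    u = tunnel_mode(key, 0x2000, 1, "198.51.100.1", "203.0.113.1", inner)
    _, _, nh_t, payload_t = esp_decapsulate(key, t[20:])   # strip the outer header first
    _, _, nh_u, payload_u = esp_decapsulate(key, u[20:])
    return {"transport_next_header": nh_t, "transport_payload": payload_t,
            "tunnel_next_header": nh_u, "tunnel_payload": payload_u,
            "tunnel_payload_is_inner_packet": payload_u == inner}


if __name__ == "__main__":
    print(demo())
```

The next-header byte tells the receiver what it unwrapped: 6 (TCP) in transport mode, 4 (an IPv4 packet) in tunnel mode. A flipped byte anywhere under the ICV makes `esp_decapsulate` raise, and the window rejects a repeated or stale sequence number before any further processing.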
SSL-based VPNs are the most sought-after in today's Internet of Things networks. SSL is a protocol that has been in existence since the early 1990s. SSL is also known as Transport Layer Security (TLS).
The Internet Engineering Task Force (IETF) created TLS to combine the different SSL vendor versions into a common and open standard.
One of the most popular features of SSL VPN is the ability to launch a browser such as Microsoft Internet Explorer or Firefox and simply connect to the address of the VPN device. In most operations, a clientless solution is possible.
SSL VPN enables users to access corporate intranet sites, portals, and e-mail from almost anywhere. Because most organizations already permit SSL (TCP port 443) through their firewalls, no additional ports need to be opened.
Cisco devices support both clientless SSL VPN (WebVPN) and a lightweight client. The SSL VPN Client (SVC) gives remote users the benefits of an IPsec VPN client without the need for network administrators to install and configure IPsec VPN clients on their computers.
The SVC uses the SSL encryption that is already present on the remote computer to authenticate to the VPN device. Cisco supports SSL VPN on the following products:
• Cisco ASA
• Cisco VPN 3000 series concentrators
• Cisco IOS routers
• Cisco WebVPN Services Module