Theory 1

The document provides an overview of VPN training, including:
- What a VPN is and the types of VPNs, including access, intranet, and extranet VPNs.
- How IPSec provides data confidentiality, integrity, and authentication between network peers using protocols like AH and ESP.
- The four sections that make up the IPSec framework: authentication, encryption, integrity check, and security association.

Uploaded by cm.ece13
Copyright: © Attribution Non-Commercial (BY-NC)

VPN TRAINING

11/02/2021
Basics of VPN

• What is VPN?

• Types of VPN

What is VPN?

• A VPN is a means to securely and privately transmit data over an unsecured and shared network infrastructure.
Types of VPN

• Access VPN

• Intranet VPN

• Extranet VPN

Access VPN
• Whenever a user establishes VPN connectivity over a dial-up or mobile connection, it is called an Access VPN.
• This type of VPN is commonly called a remote access VPN.

• Example: A user working from home wants to establish a VPN to connect with servers at the H.O.

[Figure: Remote user working from home, connected through the Internet cloud, a router and a switch to the H.O. network with essential servers]
Intranet VPN
• In an Intranet VPN, gateways at different locations within the same business negotiate a secure communication channel across the Internet.

• Intranet VPNs allow companies with geographically dispersed locations to communicate like one large network.

• Example: An Intranet VPN integrates different branch offices spread across the country with the Head Office located at a particular location.

[Figure: H.O. server room (router and switches) connected through the Internet cloud to a B.O. (router and switches)]
Extranet VPN
• Extranets are almost identical to Intranets, except they are meant for external business partners.

• Restrictions on certain types of data access are configured on the VPN gateway, so that business partners are only able to gain secure access to specific resources.

• Example: A manufacturer may want to create an Extranet with a supplier in order to make it possible for that partner to view an inventory database only.
[Figure: Manufacturing industry server room (router and switches) connected through the Internet cloud to a supplier; only inventory data is reachable by the supplier]
What is IPSEC?

• IPSec provides us with a framework by which to secure data communications at the network layer of the OSI model, or, more specifically, to secure IP communications.

• In order to do so, the IPSec standard incorporates a number of protocols into the IPsec protocol suite.

• As such, IPsec is not defined as a single protocol, but is instead a collection of protocols, each focusing on particular elements of the IPsec mission to secure IP communications over untrusted networks.

• IPSec provides data confidentiality, data integrity, and origin authentication between participating peers at the IP layer.
Data confidentiality: Protects the message contents from being interpreted by unauthenticated
or unauthorized sources.

Data integrity: Guarantees that the message contents have not been tampered with or altered
in transit from source to destination.

Message authentication: Ensures that a message was sent from an authentic source and that
messages are being sent to authentic destinations.

IPSec consists of the following components:

1. Authentication Header (AH):

• This is an IP header added to an IP packet that provides a cryptographic checksum on the entire IP packet.

• It is used to achieve data authentication and integrity, to ensure that the packet has been sent by the correct source and has not been modified in transit.

• This header is separate from the ESP header described below.
IPSec consists of the following components:

2. Encapsulating Security Payload (ESP):

• This is a header applied to an IP packet after the packet has been encrypted.

• It provides for data confidentiality so that the original packet cannot be read in transit.

• This header can also provide for data authentication and integrity checking as well, making the Authentication Header less necessary in certain circumstances.
IP packet without ESP encapsulation:
  Original IP header | TCP | Data

IP packet with ESP encapsulation:
  IP header | ESP Header | Original IP header | TCP | Data | ESP Trailer | ESP Authentication
  Encrypted: Original IP header through ESP Trailer
  Authenticated: ESP Header through ESP Trailer
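To make the slide's ESP layout concrete, here is an added Python example (not from the training deck or any IPsec implementation) that builds and unwraps an ESP-encapsulated packet, showing which bytes fall in the encrypted span and which in the authenticated span. The HMAC-derived keystream and the truncated HMAC-SHA256 ICV are hypothetical stand-ins for the algorithms a real gateway negotiates, and the keys and inner packet are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed, self-contained illustration of the slide's ESP layout (tunnel mode):
#   ESP header | [inner IP + TCP + data | ESP trailer] (encrypted) | ESP authentication (ICV)
# Hypothetical stand-ins, not a real IPsec implementation: an HMAC-derived keystream XOR
# replaces the negotiated block cipher, and the ICV is HMAC-SHA256 truncated to 128 bits.
NEXT_HEADER_IPIP = 4  # trailer's Next Header value meaning "a whole IP packet is inside"
ICV_LEN = 16


def keystream(enc_key: bytes, spi: int, seq: int, length: int) -> bytes:
    """Illustrative counter-mode keystream; unique per (SPI, sequence number)."""
    out, counter = b"", 0
    while len(out) < length:
        block = struct.pack("!IIQ", spi, seq, counter)
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def esp_encapsulate(enc_key: bytes, auth_key: bytes, spi: int, seq: int, inner: bytes) -> bytes:
    """Wrap an inner packet: encrypt inner + trailer, then authenticate header + ciphertext."""
    pad_len = (-(len(inner) + 2)) % 4  # pad so the trailer ends on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HEADER_IPIP])
    plaintext = inner + trailer
    ks = keystream(enc_key, spi, seq, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))  # the "Encrypted" span
    esp_header = struct.pack("!II", spi, seq)
    # "Authenticated" span: ESP header through ESP trailer, but not the ICV itself
    icv = hmac.new(auth_key, esp_header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return esp_header + ciphertext + icv


def esp_decapsulate(enc_key: bytes, auth_key: bytes, packet: bytes) -> bytes:
    """Verify the ICV first (drop on mismatch), then decrypt and strip the trailer."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    esp_header, ciphertext, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, esp_header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed: packet modified in transit")
    spi, seq = struct.unpack("!II", esp_header)
    ks = keystream(enc_key, spi, seq, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, ks))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if next_header != NEXT_HEADER_IPIP or pad_len + 2 > len(plaintext):
        raise ValueError("malformed ESP trailer")
    return plaintext[: len(plaintext) - pad_len - 2]
```

A receiver that checks the ICV before decrypting never processes a modified ciphertext, which is the order a real ESP endpoint follows as well.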
IPSec consists of the following components:

3. Security Association (SA):

• These are the building blocks of IPSec communication.

• Before any two devices can communicate via IPSec, they must first establish a set of Security Associations.

• These associations specify the important cryptographic parameters that must be agreed upon before data can be transferred securely.
• The figure shows four IPSec framework squares to be filled.

• IPSec provides the framework, and the administrator chooses the algorithms that are used to implement the security services within that framework.
The four sections of the IPSec framework are as follows:

IPSec Security Functions

IPSec Critical Function 1. Confidentiality

This topic describes how Cisco VPN routers use IPSec open encryption standards to provide confidentiality:

Confidentiality with Encryption
• For encryption to work, both the sender and receiver need to know the rules used to transform the original message into its coded form.

• Rules are based on an algorithm and a key.

• An algorithm is a mathematical function, which combines a message, text, digits, or all three with a string of digits called a key.

• The output is an unreadable cipher string.

• Decryption is extremely difficult or impossible without the correct key.

• In the example, someone wants to send a financial document across the Internet.

• At the local end, the document is combined with a key and is run through an encryption algorithm.

• The output is undecipherable cipher text.

• The cipher text is then sent through the Internet.

• At the remote end, the message is recombined with a key and sent back through the decryption algorithm.

• The output is the original financial document.
There are two types of encryption keys:

1. Symmetric

2. Asymmetric

1. Symmetric: With symmetric key encryption, each peer uses the same key to encrypt and decrypt the data.

2. Asymmetric: With asymmetric key encryption, the local end uses one key to encrypt, and the remote end uses another key to decrypt the traffic.

• The degree of security depends on the length of the key.

• If someone tries to hack the key through a brute-force attack, guessing every possible combination, the number of possibilities is a function of the key length.

• The time to process all the possibilities is a function of the computer processing power.

• Therefore, the shorter the key, the easier it is to break. A 64-bit key with a relatively sophisticated computer can take approximately 1 year to break.

• A 128-bit key with the same machine can take roughly 10^19 years to decrypt.
