Theory 1
11/02/2021 1
Basics of VPN
• What is a VPN?
• Types of VPN
What is a VPN?
A VPN is a means to securely and privately transmit data over
Types of VPN
• Access VPN
• Intranet VPN
• Extranet VPN
Access VPN
• Whenever a user establishes VPN connectivity over a dial-up or mobile connection, it is
called an Access VPN.
• This type of VPN is commonly called a remote access VPN.
Extranet VPN
• Extranets are almost identical to Intranets, except that they are meant for external
business partners, so the peers belong to different organisations.
To secure IP communications over untrusted networks, the IPSec standard incorporates a number
of protocols into the IPSec protocol suite.
As such, IPSec is not defined as a single protocol but is instead a collection of protocols,
each addressing a particular element of that mission.
IPSec provides data confidentiality, data integrity, and origin authentication between
participating peers at the IP layer.
Data confidentiality: Protects the message contents from being read by unauthenticated
or unauthorized parties.
Data integrity: Guarantees that the message contents have not been tampered with or altered
in transit from source to destination.
Message authentication: Ensures that a message was sent by an authentic source and that
messages are delivered to authentic destinations.
IPSec consists of the following components:
Authentication Header (AH)
This is an IP header added to an IP packet that provides a cryptographic checksum (the integrity
check value) over the packet: the payload plus the IP header fields that do not change in
transit. Mutable fields such as TTL are treated as zero when the value is computed, so they are
not protected.
It is used to achieve data authentication and integrity, to ensure that the packet has been
sent by the correct source and has not been modified in transit. AH provides no
confidentiality; the payload travels in the clear.
Encapsulating Security Payload (ESP)
This is a header applied to an IP packet after the packet has been encrypted.
It provides data confidentiality so that the original packet cannot be read in transit.
This header can also provide data authentication and integrity checking, making the
Authentication Header less necessary in many deployments. Unlike AH, however, ESP does not
authenticate the outer IP header.
Security Associations (SAs)
Before any two devices can communicate via IPSec, they must first establish a set of
Security Associations.
These associations specify the cryptographic parameters that must be agreed upon before
data can be transferred securely: the protocol (AH or ESP), the algorithms and keys, and the
Security Parameter Index (SPI) that identifies the SA on inbound packets.
An SA is unidirectional, so a two-way session needs one SA in each direction.
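The receive-side logic that AH and the Security Association together imply, as an added worked example (not from these slides and not the code of any IPSec implementation): a Python model of an AH-protected IPv4 packet with a simplified SA record, a sliding anti-replay window following the logic of RFC 4303 Appendix A, and an integrity check value computed with the mutable TTL field zeroed. The dict-based packet layout and SA database, the 64-packet window, the truncated HMAC-SHA-256 ICV, and the key and addresses are constructed for the demo; the RFC 4302 wire format is not reproduced.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SecurityAssociation:
    """One direction of an AH session (simplified; real SAs also carry mode, lifetimes, ...)."""
    spi: int
    auth_key: bytes
    replay_window: int = 64
    highest_seq: int = 0                        # highest sequence number accepted so far
    seen: set = field(default_factory=set)      # accepted sequence numbers inside the window


def compute_icv(sa, pkt):
    """AH integrity check value: HMAC over the immutable header fields plus the payload.
    TTL changes at every hop, so AH treats it as zero; the hop count is not protected."""
    immutable = (
        ipaddress.ip_address(pkt["src"]).packed
        + ipaddress.ip_address(pkt["dst"]).packed
        + bytes([0])                                # TTL: mutable field, zeroed for the ICV
        + pkt["spi"].to_bytes(4, "big")
        + pkt["seq"].to_bytes(4, "big")
    )
    full = hmac.new(sa.auth_key, immutable + pkt["payload"], hashlib.sha256).digest()
    return full[:16]                                # truncated, as HMAC-SHA-256-128 does


def build_packet(sa, src, dst, ttl, seq, payload):
    pkt = {"src": src, "dst": dst, "ttl": ttl, "spi": sa.spi, "seq": seq, "payload": payload}
    pkt["icv"] = compute_icv(sa, pkt)
    return pkt


def replay_ok(sa, seq):
    """Sliding-window anti-replay check (logic of RFC 4303 Appendix A); does not modify the SA."""
    if seq == 0:                                    # sequence numbers start at 1
        return False
    if seq > sa.highest_seq:                        # right of the window: new packet
        return True
    if seq <= sa.highest_seq - sa.replay_window:    # left of the window: too old
        return False
    return seq not in sa.seen                       # inside the window: accepted once only


def replay_update(sa, seq):
    """Advance the window; called only after the ICV has verified."""
    if seq > sa.highest_seq:
        sa.highest_seq = seq
        low = sa.highest_seq - sa.replay_window + 1
        sa.seen = {s for s in sa.seen if s >= low}
    sa.seen.add(seq)


def receive(sad, pkt):
    """Inbound processing: SA lookup by (SPI, destination), replay check, then ICV check."""
    sa = sad.get((pkt["spi"], pkt["dst"]))
    if sa is None:
        return "no SA"
    if not replay_ok(sa, pkt["seq"]):
        return "replayed or stale"
    if not hmac.compare_digest(compute_icv(sa, pkt), pkt["icv"]):
        return "bad ICV"
    replay_update(sa, pkt["seq"])
    return "ok"


def demo():
    # Constructed key and addresses; sender and receiver hold the same SA parameters.
    key = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0")
    tx = SecurityAssociation(spi=0x1000, auth_key=key)
    rx = SecurityAssociation(spi=0x1000, auth_key=key)
    sad = {(rx.spi, "10.0.0.2"): rx}               # the receiver's security association database
    results = []
    p1 = build_packet(tx, "10.0.0.1", "10.0.0.2", ttl=64, seq=1, payload=b"GET /balance")
    results.append(receive(sad, p1))                # fresh packet
    p2 = build_packet(tx, "10.0.0.1", "10.0.0.2", ttl=64, seq=2, payload=b"GET /balance")
    results.append(receive(sad, dict(p2, ttl=63)))  # a router decremented TTL: still verifies
    p3 = build_packet(tx, "10.0.0.1", "10.0.0.2", ttl=64, seq=3, payload=b"GET /balance")
    results.append(receive(sad, dict(p3, payload=b"GET /transfer")))  # payload tampered in transit
    results.append(receive(sad, p1))                # captured packet replayed
    p4 = build_packet(tx, "10.0.0.1", "10.0.0.2", ttl=64, seq=200, payload=b"GET /balance")
    results.append(receive(sad, p4))                # window slides forward to 200
    results.append(receive(sad, p2))                # seq 2 now falls left of the window
    results.append(receive(sad, dict(p4, spi=0x2000)))  # unknown SPI: no SA, packet dropped
    return results
```

The order inside receive() matters: the cheap replay check runs before the HMAC so that a flood of replayed packets does not cost a MAC computation each, and the window is advanced only after the ICV verifies, so an attacker cannot push the window forward with forged sequence numbers.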
The figure shows four IPSec framework squares to be filled.
IPSec provides the framework, and the administrator chooses the algorithms that are used to
implement the security services within that framework.
The four sections of the IPSec framework are as follows:
IPSec Security Functions
IPSec Critical Function 1: Confidentiality
This topic describes how Cisco VPN routers use IPSec open encryption standards to provide
confidentiality:
Confidentiality with Encryption
For encryption to work, both the sender and receiver need to know the rules used to transform
the original message into its coded form.
An encryption algorithm is a mathematical function that combines the message (text, digits, or
both) with a string of bits called a key.
In the example, someone wants to send a financial document across the Internet.
At the local end, the document is combined with the key and run through the encryption algorithm.
At the remote end, the received ciphertext is combined with the key and run through the
decryption algorithm to recover the document.
Encryption algorithms fall into two classes:
1. Symmetric
2. Asymmetric
Confidentiality with Encryption
1. Symmetric:
With symmetric key encryption, each peer uses the same key to encrypt and
decrypt the data.
Confidentiality with Encryption
2. Asymmetric:
With asymmetric key encryption, the local end uses one key to encrypt, and
the remote end uses another, mathematically related key to decrypt the traffic. The
encryption key can be published; only the holder of the matching private key can decrypt.
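Both classes side by side, as an added worked example (not from these slides and not a Cisco or IPSec implementation): a toy symmetric stream cipher built from SHA-256 in counter mode, and textbook RSA with two constructed small primes, used the way real systems combine them, with the asymmetric pair protecting a symmetric session key and the symmetric key protecting the document. The primes, the 32-bit session key (the toy modulus cannot wrap anything larger) and the document are constructed for the demo; neither cipher is fit for production use, the stream cipher has no nonce and the RSA has no padding.

```python
import hashlib


# ---- Symmetric: both ends hold one shared key (toy stream cipher, illustration only) ----
def keystream(key, length):
    """Expand key into `length` pseudo-random bytes with SHA-256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def sym_encrypt(key, data):
    # XOR with the keystream. No nonce here: never reuse one key for two messages in this toy.
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


sym_decrypt = sym_encrypt   # same key, same operation, run in the other direction


# ---- Asymmetric: the two ends use different, related keys (textbook RSA, illustration only) ----
P, Q = 104729, 1299709      # constructed small primes; real keys use primes of 1024 bits or more
N = P * Q
E = 65537                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: the modular inverse of E

PUBLIC_KEY = (E, N)         # published; anyone may encrypt with it
PRIVATE_KEY = (D, N)        # held by the remote end; only it can decrypt


def rsa_encrypt(public_key, m):
    """Textbook RSA on an integer m < N (no padding, so not secure as written)."""
    e, n = public_key
    return pow(m, e, n)


def rsa_decrypt(private_key, c):
    d, n = private_key
    return pow(c, d, n)


def demo():
    document = b"Transfer 1000.00 EUR to account 12345"     # constructed financial document
    # Hybrid use: the symmetric session key protects the bulk data and the asymmetric
    # pair protects the session key while it crosses the Internet.
    session_key = bytes.fromhex("2a9f4c17")   # 32 bits only because the toy modulus is tiny
    ciphertext = sym_encrypt(session_key, document)
    wrapped_key = rsa_encrypt(PUBLIC_KEY, int.from_bytes(session_key, "big"))

    # Remote end: unwrap the session key with the private key, then decrypt the document.
    recovered_key = rsa_decrypt(PRIVATE_KEY, wrapped_key).to_bytes(4, "big")
    plaintext = sym_decrypt(recovered_key, ciphertext)

    # Wrong keys: a different symmetric key, or applying the public key to the ciphertext.
    wrong_plain = sym_decrypt(bytes.fromhex("deadbeef"), ciphertext)
    wrong_unwrap = rsa_encrypt(PUBLIC_KEY, wrapped_key)   # pow(c, E, N) does not invert encryption
    return {
        "sym_roundtrip": plaintext == document,
        "wrong_sym_key_fails": wrong_plain != document,
        "rsa_roundtrip": recovered_key == session_key,
        "public_key_cannot_unwrap": wrong_unwrap != int.from_bytes(session_key, "big"),
    }
```

The point the split makes visible: the symmetric side needs the same secret at both ends (a key-distribution problem), the asymmetric side does not, but is far slower per byte, which is why VPNs use asymmetric operations only to set up the symmetric keys that carry the traffic.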
Confidentiality with Encryption
If someone tries to recover the key through a brute-force attack, guessing every possible combination, the
number of possibilities is a function of the key length: each extra bit doubles the search space.
The time to process all the possibilities is a function of the computer processing power.
Therefore, the shorter the key, the easier it is to break. A 64-bit key with a relatively sophisticated
computer can take approximately 1 year to break.
A 128-bit key with the same machine would take roughly 10^19 years, that is, 2^64 times longer.
Key length only helps if the algorithm has no shortcut faster than brute force and the key is
generated from a good random source.
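The key-length argument carried out in code, as an added example (not from these slides): an attacker who has captured a challenge and its HMAC-SHA-256 tag tries every key of a small, constructed length, measures the rate on the local machine, and extrapolates the worst-case search time to 64 and 128 bits. The challenge, the secret and the 18-bit default key size are constructed for the demo; the scaling shown is the general 2^n relationship, not just the two figures on the slide.

```python
import hashlib
import hmac
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def tag_for(key_int, key_bits, challenge):
    """Keyed MAC of a fixed challenge; the attacker's test for one candidate key."""
    key = key_int.to_bytes((key_bits + 7) // 8, "big")
    return hmac.new(key, challenge, hashlib.sha256).digest()


def brute_force(challenge, observed_tag, key_bits):
    """Try every key in [0, 2**key_bits). Returns (key, trials) or (None, trials)."""
    for candidate in range(2 ** key_bits):
        if hmac.compare_digest(tag_for(candidate, key_bits, challenge), observed_tag):
            return candidate, candidate + 1
    return None, 2 ** key_bits


def years_to_exhaust(key_bits, trials_per_second):
    """Worst-case time to search the whole key space at the given rate."""
    return 2 ** key_bits / trials_per_second / SECONDS_PER_YEAR


def demo(key_bits=18):
    challenge = b"constructed challenge, known to the attacker"
    secret = (2 ** key_bits) * 3 // 4                   # constructed secret, 3/4 through the space
    observed = tag_for(secret, key_bits, challenge)     # what the attacker captured

    start = time.perf_counter()
    found, trials = brute_force(challenge, observed, key_bits)
    elapsed = time.perf_counter() - start
    rate = trials / elapsed                             # keys tested per second on this machine

    return {
        "found": found,
        "trials": trials,
        "rate": rate,
        "years_for_64_bit": years_to_exhaust(64, rate),
        "years_for_128_bit": years_to_exhaust(128, rate),
    }
```

Feeding the slide's own figure into years_to_exhaust() (a rate that finishes 64 bits in one year) gives about 1.8 x 10^19 years for 128 bits, which is where the 10^19 comes from; the measured Python rate is many orders of magnitude below real hardware, but the ratio between the two key sizes is the same 2^64 regardless of the machine.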