CCNA Advance

Chapter 6
Virtual Private Network - VPN

VPN Concepts

VPN Overview
Virtual Private Network (VPN) is
defined as network connectivity
deployed on a shared infrastructure
with the same policies and security
as a private network.
A VPN can be between two end
systems, or it can be between two
or more networks.
A VPN can be built using tunnels
and encryption. VPNs can occur at
any layer of the OSI protocol stack.
A VPN is an alternative WAN infrastructure that replaces or augments
existing private networks that use leased-line or enterprise-owned Frame
Relay or ATM networks.

VPN Overview
VPNs provide three critical functions (C-I-A):
Confidentiality (encryption): The sender can encrypt the
packets before transmitting them across a network.
By doing so, no one can access the communication without
permission.
If intercepted, the communications cannot be read.
Data integrity: The receiver can verify that the data was
transmitted through the Internet without being altered.
Origin authentication: The receiver can authenticate the
source of the packet, guaranteeing and certifying the source of
the information.

Tunneling and Encryption

1. Host A want to send packet to host B, packet will be:

10.0.2.3 10.0.1.3

Others

Segment

IP dest IP source
2. Route A can send it out, but no more router in Internet can forward that packet !
Because that IP is Private IP, not Public IP
5

Tunneling and Encryption

3. Our solution ?: Tunneling at Router

Original Packet 10.0.2.3 10.0.1.3
IP dest

Others

Segment

IP source

Tunnel-ed 172.30.1.2 172.30.2.2 Others

10.0.2.3 10.0.1.3

IP dest

Others

Segment

IP source

4. Tunnel-ed packet will be forward in Internet

6

Tunneling and Encryption

Tunnel-ed 172.30.1.2 172.30.2.2 Others

10.0.2.3 10.0.1.3

IP dest

Others

Segment

IP source

5. Tunnel-ed packet is clear-text, can be lack of information anytime

6. Our solution ? - encryption
Tunnel-ed 172.30.1.2 172.30.2.2 Others

10.0.2.3 10.0.1.3

IP dest

Others

Segment

IP source
Encrypted data
7

VPN Usage Scenarios

Remote to Access
- Client Access
- Network Access
Site-to-site
- Intranet
- Extranet

Key VPN Terms

Tunnel:
A virtual point-to-point connection used in a network to carry traffic from one
protocol encapsulated inside another protocol.
For example, encrypted cyphertext carried in an IP packet.
Encryption/decryption:
Encryption is the process of transforming information content called clear
text, or plain text, into a hidden form called cyphertext so that it will not be
readable or usable by unauthorized users.
Decryption transforms cyphertext back into clear text, or plain text, so that it is
accessible for reading or use by authorized users.
Ciphertext is created by feeding data into encryption algorithm along with an
encryption key (a string of bits that seeds the encryption process).

Key VPN Terms

Cryptosystem: A system to accomplish the encryption/decryption, user
authentication, hashing, and key-exchange processes. A cryptosystem may
use one of several different methods, depending on the policy intended for
various user traffic situations.
Hashing:
A data integrity technology that uses a formula or algorithm to convert a
variable length message and shared secret key into a single fixed-length
string of digits.
The message/key and hash travel the network from source to destination.
At the destination the recalculated hash is used to verify that the message and
key have not changed while traveling the network.
Examples of hashing formulas or algorithms are SHA and MD5.

10

Key VPN Terms

Authentication: The process of identifying a user or process attempting to
access a computer system or network connection.
Authentication ensures that the individual or process is who he, she, or it
claims to be.
Authentication does not confer associated access rights.
Authorization: The process of giving authenticated individuals or processes
access to computer system or network connection resources.
Key management: A key is information, usually a sequence of random or
seemingly random binary digits, used initially to set up and periodically to
change the operations performed in a cryptosystem.
Key management is the supervision and control of the process whereby keys
are generated, stored, protected, transferred, loaded, used, and destroyed.

11

Key VPN Terms

Certificate of Authority (CA) service: A third-party service that

is trusted to help secure the communications between network
entities or users by creating and assigning digital certificates, such
as public-key certificates, for encryption purposes.
A CA vouches for the binding between the data security items in
the certificate. Optionally, a CA creates user's encryption keys.

12

Key VPN Terms

IPSec uses three main protocols to create a security framework:

Internet Key Exchange (IKE):
Provides framework for negotiation of security parameters
Establishment of authenticated keys
Encapsulating Security Payload (ESP):
Provides framework for encrypting, authenticating, and
securing of data
Authentication Header (AH):
Provides framework for authenticating and securing of data

13

IPSec Key Protocols and Elements

Internet Security Association and Key Management Protocol (ISAKMP): A

protocol framework that defines payload formats, the mechanics of
implementing a key exchange protocol, and the negotiation of an SA.
Note: IKE is synonymous with ISAKMP in Cisco router or PIX Firewall
configurations.
Security Association (SA): A set of policy and key(s) used to protect
information. The ISAKMP SA is the shared policy and key(s) used by the
negotiating peers in this protocol to protect their communication.

14

Cisco IOS Cryptosystem Overview

15

Data Confidential: Encryption

Algorithms

16

Data Confidential: Encryption

Algorithms
Symmetrical/secret key encryption.

As-symmetrical
/public key encryption.
17

Symmetrical Algorithms
Common Symmetrical algorithms:
RC-4.
56 bit Data Encryption Standard (DES).
168 bit 3DES, triple DES.
128 or 256 bit Advanced Encryption
Standard (AES).
Blowfish.
Advantages of Symmetrical algorithms:
Speed, fast.
Mathematical computations are easy to implement in
hardware (small key).
Good for large amounts of data.
Disadvantage of Symmetrical algorithms
Sender and receiver share same passwords.
There is the problem of how to share the password (key
management).
18

Asymmetrical Algorithms
Common Asymmetrical algorithms:
RSA, ElGamal, eliptic curves
Advantages of Asymmetrical algorithms:
No problems with key management, one
key is kept private and the other key is
Public and given to anyone that needs
to encrypt data.
Great for authentication because you are the only one with the
private key used to decrypt the data.
Can be used for digital signatures, authenticated key exchanges,
email or small amounts of data.
Based on very hard mathematical equations (large key).
Disadvantage of Symmetrical algorithms:
Slower in encrypting than symmetrical algorithms
19

Data Integrity Hash Functions

Fixed length
acb34hxiq14xs11.

Text/file 1
MD5
Text/file 2

zsaecbd4hxiq14x.

Hash functions are used to provide integrity service.

At the local end, the message is sent through a hash algorithm.
A hash algorithm is a formula used to convert a variable length message
into a single string of digits of a fixed length, called a hash value.
One-way hashing algorithm has two advantages:
Can not determine original data from the hash value.
Fixed-size hash output value makes for a predictable amount of packet
overload.
Example: MD5 (128 bits output), SHA ( 160 bits output).
20

Data Integrity and Source

Authentication

Validates datagrams by verifying they came from the proper source.

The authentication process uses Hashing Message Authentication
Code (HMAC)
Adds a secret pre-shared key to the hashing process.
Example: HMAC-MD5, HMAC-SHA-1

21

Keys Get Exchanged

How Do Keys Get Exchanged

In a VPN network, fast, strong encryption is a must. This is why
most implementations use a symmetrical algorithm to do payload
encryption.
Problem with symmetrical algorithms and hash functions is key
management.
Manual configuration:
Prone to configuration errors
Rarely changed
Automatic exchange:
Uses public connections how to secure the key exchange ?
The solution: Diffie-Hellman Key Exchange Algorithm
First published public key cryptography standard
Solves the key distribution problem through use of public/private
key pairs
Only public key sent across the network
23

The DH Key Exchange Process

- The Diffie-Hellman public key algorithm states that:
- If user A and user B exchange public keys and a calculation
is performed on their individual private key and on the public key
of the other peer, the end result of the process is an identical
shared key. The shared key will be used to encrypt and decrypt
the data.
- Security is not an issue with the Diffie-Hellman key exchange.
Although someone may know a users public key, the shared
secret cannot be generated because the private key never
becomes public knowledge.

24

Diffie-Hellman Algorithm Simplified

Rachel

Lauren
- Step 1: Rachel chooses her secret color
and adds 1 liter of blue to her paint can.
Lauren chooses her secret color red and
adds 1.5 liters of red. (secret key)
- Step 2: A shared secret color is chosen
that both Rachel and Lauren add 1.1 liters
of green to their can. (public key)
- Step 3: The paint cans are exchanged.
Rachel adds 1 liter of her original secret
color blue to the paint can she got from
Lauren. Lauren adds her 1.5 liters original
secret color red to the paint can she got
from Rachel.
Now both paint cans have the identical
colors with the same amounts. (shared-key
use to encrypt, de-encrypt)
25

Question ?
Thank you !