Chapter 24

Describe Remote Access and Site-to-Site VPNs

The virtual private network (VPN) is a common component of networking today. Interestingly, this technology involves hardware, software, and many specific technologies. This chapter provides a review of these CCNA topics. This chapter does not go deeper than it needs to (as some other texts do) into this vast topic.

This chapter covers the following essential terms and components:

  • VPN

  • Remote access VPN

  • Site-to-site VPN

  • IPsec

  • Cryptography

Topic: VPN types

CramSaver

If you can correctly answer these CramSaver questions, save time by skimming the ExamAlerts in this section and then completing the CramQuiz at the end of this section and the Review Questions at the end of the chapter. If you are in doubt at all, read everything in this chapter!

1. SSL has effectively been replaced by what technology?

_________

2. What are two major forms of VPNs that an enterprise typically uses?

_________

_________

Answers

1. TLS

2. Site-to-site and remote access

Today, most communication over the Internet happens over Transport Layer Security (TLS), which has superseded Secure Sockets Layer (SSL). Typically, a browser process initiates a TLS session with a web server thread, and HTTP traffic is tunneled through a TLS tunnel. This is essentially interprocess communication over a secure tunnel. A VPN is a secure tunnel between a device and a network. We call the network to which a VPN facilitates access the internal network.

All processes running on a device that is attached to a VPN may communicate securely with other processes residing on the internal network, without the need for each interprocess communication to be secured separately. When a VPN is established, the VPN is indistinguishable from a cable directly attached to a switch in the internal network.

VPNs come in two major varieties: remote access VPNs and site-to-site VPNs.

A remote access VPN connects a single device, such as a laptop or smartphone, to an internal network. This is most useful for remote workers who need access to internal resources through an Internet connection. Another use case for remote access VPNs is the enforcement of a security policy for all communications from and to a remote corporate asset.

Remote access VPNs exist to help remote employees securely connect to remote locations (such as a home office) while they are traveling or “dialing in” from home. Remote access VPNs are hugely popular thanks to robust client software that vendors provide to seamlessly make the connections on behalf of users. Cisco Mobility AnyConnect is a great example of this software.

A site-to-site VPN is a VPN between two sites, usually established between two edge devices, one on each site. A site-to-site VPN interconnects two internal networks over an untrusted underlay.

A site-to-site VPN connects many more users and devices simultaneously than does a remote access VPN. For example, you might have a branch office with hundreds of employees who all need access to vital resources stored at the HQ location. In such a scenario, you can establish a site-to-site VPN between the branch office and HQ and permit many different users to connect over this connection. Oftentimes, the VPN end devices are integrated services routers, multilayer switches, or specialized security devices that form the VPN connection and then permit the sharing of this connection by those who need it.

CramQuiz

1. What type of VPN is typically used between an HQ site and a branch office?

A. Remote access

B. Clientless

C. Plaintext

D. Site-to-site

2. What is tunneled through a TLS tunnel?

A. ICMP

B. NTP

C. HTTP

D. HSRP

CramQuiz Answers

1. D is correct. A site-to-site VPN is often used between locations of an enterprise.

2. C is correct. Typically HTTP is tunneled through a secure TLS tunnel over the Internet.

Topic: Virtual private network (VPN) basics (including cryptography)

CramSaver

1. What aspect of security means that a sender cannot claim not to have sent something?

_________

2. What aspect of security indicates that data has not been tampered with?

_________

Answers

1. Nonrepudiation

2. Integrity

The services offered by VPNs are similar to those offered by most other secure tunnels:

  • Data confidentiality

  • Data integrity

  • Data origin authentication

  • Anti-replay

  • Nonrepudiation

VPNs use technologies such as an authentication infrastructure, encryption protocols, and (for remote access VPNs) security policy enforcement tools.

An authentication infrastructure may include RADIUS, LDAP integration, or the Cisco Identity Services Engine (ISE). The dominant encryption protocol for VPNs is IPsec, but TLS can be used in some VPN solutions as well (especially those that need to blend in with the rest of the Internet traffic).

Cisco ISE is a solution for enforcing a security policy on remote access devices. ISE can also be part of an overarching Cisco AnyConnect deployment that enforces a security policy on all devices connected to the internal network, whether over a VPN or otherwise.

Another key concept here is cryptography. This technology continues to evolve and forms the basis for encrypting data so that it cannot be read or successfully processed by anyone who is not intended to be able to work with the data.

Cryptography began very early on in human history. Simple “classic cryptography” approaches engaged in simple techniques such as substituting pieces of data for other pieces of data to make the end result incomprehensible. As you would guess, modern approaches are much more sophisticated.

Remember that, with cryptography, we like to call the password used for encryption (and decryption) the key. In symmetric-key algorithms, the same key is used for encryption and decryption. In public key cryptography (also known as asymmetric), there are two mathematically related, yet different, keys: the public key and the private key. Anyone can have the public key, but without also possessing the private key, it is impossible to decrypt the data.
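As an added illustration of the symmetric versus asymmetric key relationship described above (example code written for this review, not from the book or from Cisco): a toy XOR cipher in which one shared secret both encrypts and decrypts, beside textbook RSA in which the public exponent e encrypts and only the mathematically related private exponent d decrypts. The primes, keys and message are constructed; tiny textbook RSA like this is for illustration only and is not secure.

```python
import hashlib
from math import gcd

def symmetric_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256-derived keystream.
    One secret key serves both directions; applying it twice restores the plaintext."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def make_rsa_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA from two primes (constructed, tiny, not secure).
    The public key (n, e) may be handed to anyone; d is the private exponent,
    related to e through phi(n), which only the holder of p and q can compute."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)

def rsa_encrypt(public_key, m: int) -> int:
    n, e = public_key
    return pow(m, e, n)

def rsa_decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)

def demo() -> dict:
    """Constructed values: p=61, q=53 give n=3233; the message is 65 (ASCII 'A')."""
    public, private = make_rsa_keypair(61, 53)
    c = rsa_encrypt(public, 65)
    sym_key = b"constructed-shared-secret"
    ct = symmetric_xor(sym_key, b"hello vpn")
    return {
        "public_key": public,
        "private_key": private,
        "rsa_roundtrip": rsa_decrypt(private, c),
        "public_key_cannot_decrypt": rsa_decrypt(public, c),  # wrong exponent: garbage
        "symmetric_roundtrip": symmetric_xor(sym_key, ct),
    }
```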

VPNs often use the IPsec suite of protocols in their operation. IPsec provides flexibility in the configuration of a VPN. You can choose different protocols for authentication and encryption, which means you can configure the precise level of security required for different environments.
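Three of the services listed earlier in this topic (data integrity, data origin authentication and anti-replay), as IPsec ESP delivers them, shown in an added example that is not the book's own material or Cisco code: a keyed HMAC integrity check value computed over the sequence number and payload, and a sliding anti-replay window modelled on RFC 4303. The shared key, the simplified packet layout and the packet sequence are constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass
# Constructed shared key for this demo; a real IPsec SA gets its keys from IKE.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"
ICV_LEN = 12  # ESP commonly carries a 96-bit truncated HMAC as its integrity check value

def build_packet(seq: int, payload: bytes, key: bytes = DEMO_KEY) -> bytes:
    """ESP-like packet: 4-byte sequence number, payload, then the ICV over both."""
    body = seq.to_bytes(4, "big") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]

@dataclass
class ReplayWindow:
    """Sliding anti-replay window modelled on RFC 4303 Appendix A."""
    size: int = 64
    top: int = 0      # highest sequence number accepted so far
    bitmap: int = 0   # bit i set means sequence number (top - i) was already accepted
    def check_and_update(self, seq: int) -> str:
        if seq == 0:
            return "drop:zero-seq"           # ESP never transmits sequence number 0
        if seq > self.top:                  # new high-water mark: slide the window right
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            return "drop:too-old"           # fell out of the window; cannot be vouched for
        if self.bitmap & (1 << offset):
            return "drop:replay"            # already accepted once
        self.bitmap |= 1 << offset
        return "accept"

def receive(window: ReplayWindow, packet: bytes, key: bytes = DEMO_KEY) -> str:
    """Verify the ICV first so a forged packet can never advance the window."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return "drop:integrity"
    return window.check_and_update(int.from_bytes(body[:4], "big"))

def demo() -> list:
    """Constructed sequence: in order, a replay, a jump, a late arrival, a stale one, a forgery."""
    w = ReplayWindow()
    pkts = [build_packet(s, b"data") for s in (1, 2, 3, 2, 70, 60, 3)]
    forged = bytearray(build_packet(71, b"data"))
    forged[6] ^= 0x01                       # flip one payload bit: ICV no longer matches
    pkts += [bytes(forged), build_packet(71, b"data")]
    return [receive(w, p) for p in pkts]
```

The forged packet is rejected before the window is touched, so the genuine packet 71 that follows it is still accepted.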

Any text discussing VPNs would be remiss not to mention Dynamic Multipoint VPN (DMVPN), Cisco’s crown jewel of site-to-site VPN solutions. DMVPN allows for the rapid provisioning of VPN connections from new remote sites with simplified configuration; it also makes possible an on-demand full mesh of site-to-site IPsec tunnels. DMVPN leverages IPsec, Multipoint Generic Routing Encapsulation (mGRE), and Next Hop Resolution Protocol (NHRP) to achieve all these capabilities.

CramQuiz

1. Which of the following is not a technology that DMVPN requires?

A. mGRE

B. NHRP

C. IPsec

D. OSPF

2. What Cisco appliance is used to assist with AAA functions in a network?

A. ISE

B. ESA

C. PIX

D. ACI

CramQuiz Answers

1. D is correct. OSPF can certainly function with DMVPN, but it is not required.

2. A is correct. The Cisco Identity Services Engine (ISE) is the replacement device for the Cisco Access Control Server (ACS). These devices are used to promote secure AAA in the organization.

Review Questions

1. What type of key technology is used with public key cryptography?

A. Single key

B. Prime factor

C. Asymmetric

D. Symmetric

2. What types of keys are used in public key cryptography? Choose two.

A. Private key

B. Prime key

C. Public key

D. Secondary key

Answers to Review Questions

1. C is correct. Public key cryptography uses an asymmetric key approach.

2. A and C are correct. Private and public keys are the primary mechanisms through which asymmetric (public key) cryptography functions.

Additional Resources

What Is a VPN?

https://www.cisco.com/c/en/us/products/security/vpn-endpoint-security-clients/what-is-vpn.html

How Virtual Private Networks Work

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14106-how-vpn-works.html
