Tuesday, April 6, 2010


VPN is one of the newer topics in CCNA, together with Wireless and IPv6. However, only the theory is tested in the certification. VPN gives you cheaper connections and is available anywhere the Internet is available. VPN is heavily encrypted and secured, and you can do many-to-many connections.
VPN gives you cheaper connections in the sense that, instead of a private line (like a T1 line), you create your own private lines through the Internet. A T1 link costs $2000 a month, but a typical Internet connection is a mere $50 a month.

VPN lets you link offices together and even lets SOHO offices join the corporate network. The heavy encryption provides privacy even on the Internet and is not easy to break into. This gives rise to the concept of teleworkers.

Any offices connected via the Internet can connect to each other; this is what is meant by many-to-many connections. However, due to the heavy encryption, there is much more CPU overhead compared to private T1 lines.

VPN connections come in two major styles:

-Site-to-Site (L2L or LAN-to-LAN)

In a site-to-site VPN, data within a site is cleartext (typically; it can be encrypted with an internal scheme), but once it leaves the site for the Internet it is encrypted until it reaches the other terminating router. The routers are responsible for the encryption.

-Remote Access

Remote-access VPN is when the client itself connects to the terminating router. Here the client is responsible for the encryption. Technologies like WebVPN allow this sort of connection: WebVPN is established through a browser and data is sent through an SSL tunnel.

IPSec is the security protocol of VPNs. IPSec can be broken up into 4 parts:
-Negotiation Protocol
-Encryption
-Authentication
-Protection

IPSec is a suite of protocols. When you want to use IPSec, you first have to build it back up from these components. Encryption is there for confidentiality (end-to-end). Authentication is there for integrity (source integrity). Protection is the method used to exchange the encryption key. The negotiation protocol is the framework the components plug into. AH couldn't do authentication, so ESP was used to replace it.
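To make the components concrete, here is an added Python example (not code from the original post) that models an ESP-style protected packet. A counter-mode keystream derived from HMAC-SHA256 stands in for the AES encryption a real security association would use (confidentiality), HMAC-SHA256 over the header and ciphertext supplies the integrity check (authentication), and the receiver drops anything whose check fails or whose sequence number repeats. The SPI, keys and packet contents are constructed sample values; in real IPSec they come out of the negotiation protocol rather than being hard-coded.

```python
"""Toy model of IPSec ESP-style protection: confidentiality plus integrity.

Added example, not from the original post. Standard library only:
HMAC-SHA256 gives the integrity check (the "Authentication" component), and a
counter-mode keystream derived from HMAC-SHA256 stands in for the AES
encryption a real ESP SA would use. SPI, keys and payload are constructed.
"""
import hmac
import hashlib
import struct

MAC_LEN = 16  # truncated ICV, as ESP does with HMAC-SHA-256-128


def _keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    # Counter-mode keystream: PRF(key, seq || block_counter). Stand-in for AES-CTR.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">QQ", seq, counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(enc_key: bytes, auth_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Build an ESP-like packet: SPI | seq | ciphertext | ICV (encrypt-then-MAC)."""
    header = struct.pack(">II", spi, seq)
    ciphertext = _xor(payload, _keystream(enc_key, seq, len(payload)))
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:MAC_LEN]
    return header + ciphertext + icv


class Receiver:
    """Verifies the ICV, rejects replays, then decrypts: the receive side of an SA."""

    def __init__(self, enc_key: bytes, auth_key: bytes, spi: int):
        self.enc_key = enc_key
        self.auth_key = auth_key
        self.spi = spi
        self.seen = set()

    def unprotect(self, packet: bytes):
        """Return (ok, payload) on success or (False, reason) on rejection."""
        if len(packet) < 8 + MAC_LEN:
            return False, "too short"
        header, body, icv = packet[:8], packet[8:-MAC_LEN], packet[-MAC_LEN:]
        spi, seq = struct.unpack(">II", header)
        if spi != self.spi:
            return False, "unknown SPI"
        # Integrity first: a forged or modified packet never reaches the decryptor.
        expected = hmac.new(self.auth_key, header + body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(icv, expected):
            return False, "ICV mismatch"
        # Anti-replay: each sequence number is accepted once.
        if seq in self.seen:
            return False, "replay"
        self.seen.add(seq)
        return True, _xor(body, _keystream(self.enc_key, seq, len(body)))


def demo():
    # Constructed sample keys and SPI; a real SA gets these from key negotiation.
    enc_key = b"\x11" * 32
    auth_key = b"\x22" * 32
    spi = 0x1000
    rx = Receiver(enc_key, auth_key, spi)
    pkt = protect(enc_key, auth_key, spi, 1, b"GET /payroll HTTP/1.1")
    ok, payload = rx.unprotect(pkt)          # accepted, plaintext recovered
    tampered = bytearray(pkt)
    tampered[12] ^= 0x01                     # flip one ciphertext bit in transit
    ok2, reason2 = rx.unprotect(bytes(tampered))  # rejected: ICV mismatch
    ok3, reason3 = rx.unprotect(pkt)         # same packet again: rejected as replay
    return (ok, payload), (ok2, reason2), (ok3, reason3)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The ordering inside `unprotect` is the point worth remembering: the integrity check runs before anything is decrypted or the replay state is updated, so a tampered packet costs the receiver one HMAC computation and nothing else. That per-packet HMAC and keystream work is also the CPU overhead the post mentions.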

For encryption to work properly, you have to exchange the symmetric keys. A symmetric key is a key that is used to both encrypt and decrypt data. Symmetric keys are bit-for-bit stronger than asymmetric keys, and they are also faster.

In a Diffie-Hellman scenario, the keys are asymmetric. Each host has two keys, one for encryption (public) and one for decryption (private). Let's see a scenario:

Two hosts, RA and RB, want to exchange shared secret keys (AES symmetric keys). Each starts with its own key pair and its own shared key:
RA: PublicA PrivateA SharedA
RB: PublicB PrivateB SharedB
First, they exchange public keys:
RA: PublicA PrivateA SharedA PublicB
RB: PublicB PrivateB SharedB PublicA
After the exchange, each encrypts its own shared key with the other side's public key (SharedA'B is SharedA encrypted with PublicB; SharedB'A is SharedB encrypted with PublicA):
RA: PublicA PrivateA SharedA PublicB SharedA'B
RB: PublicB PrivateB SharedB PublicA SharedB'A
Now they send these to each other:
RA: PublicA PrivateA SharedA PublicB SharedA'B SharedB'A
RB: PublicB PrivateB SharedB PublicA SharedB'A SharedA'B
Finally, each decrypts the other side's shared key with its own private key:
RA: PublicA PrivateA SharedA PublicB SharedA'B SharedB'A SharedB
RB: PublicB PrivateB SharedB PublicA SharedB'A SharedA'B SharedA
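The four steps above, as an added Python example (not code from the original post). Textbook RSA over small integers stands in for the public/private key operations so that every value can be inspected; the primes, exponents and the two shared keys are constructed toy values, far too small to be secure. A final function shows the Diffie-Hellman computation itself for contrast: there both sides derive the same secret from exchanged public values, whereas the four-step flow above transports each side's key encrypted under the other side's public key.

```python
"""The RA/RB exchange from the post, modelled step by step.

Added example, not from the original post. Public-key operations use textbook
RSA over small integers so every value can be inspected; the primes, exponents
and the two "shared keys" are constructed toy values and are not secure. The
last function shows Diffie-Hellman proper, where both sides compute the same
secret from exchanged public values instead of encrypting a key.
"""
from dataclasses import dataclass, field


@dataclass
class KeyPair:
    n: int  # public modulus
    e: int  # public exponent; PublicX = (n, e)
    d: int  # private exponent; PrivateX


def make_keypair(p: int, q: int, e: int) -> KeyPair:
    """Textbook RSA key generation from two primes (toy sizes only)."""
    phi = (p - 1) * (q - 1)
    return KeyPair(n=p * q, e=e, d=pow(e, -1, phi))


def encrypt(m: int, public: tuple) -> int:
    n, e = public
    if not 0 <= m < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(c: int, kp: KeyPair) -> int:
    return pow(c, kp.d, kp.n)


@dataclass
class Router:
    name: str
    kp: KeyPair
    shared: int                 # this router's own symmetric key (SharedX)
    peer_public: tuple = None   # learned in step 1
    received: dict = field(default_factory=dict)

    @property
    def public(self) -> tuple:
        return (self.kp.n, self.kp.e)


def exchange(ra: Router, rb: Router) -> dict:
    """Run the four steps and return what each side ends up holding."""
    trace = {}
    # Step 1: exchange public keys (sent in the clear; only private keys stay secret).
    ra.peer_public, rb.peer_public = rb.public, ra.public
    # Step 2: each encrypts its own shared key with the other side's public key.
    trace["SharedA'B"] = encrypt(ra.shared, ra.peer_public)  # SharedA under PublicB
    trace["SharedB'A"] = encrypt(rb.shared, rb.peer_public)  # SharedB under PublicA
    # Step 3: send the encrypted keys across; step 4: decrypt with own private key.
    ra.received["SharedB"] = decrypt(trace["SharedB'A"], ra.kp)
    rb.received["SharedA"] = decrypt(trace["SharedA'B"], rb.kp)
    trace["RA has"] = {"SharedA": ra.shared, "SharedB": ra.received["SharedB"]}
    trace["RB has"] = {"SharedA": rb.received["SharedA"], "SharedB": rb.shared}
    return trace


def run_scenario() -> dict:
    # Constructed toy parameters: RA uses the classic (61, 53, 17) example, RB a second pair.
    ra = Router("RA", make_keypair(61, 53, 17), shared=1234)
    rb = Router("RB", make_keypair(101, 113, 3), shared=2718)
    return exchange(ra, rb)


def diffie_hellman_demo(p: int = 23, g: int = 5, a: int = 6, b: int = 15) -> tuple:
    """DH proper: A = g^a and B = g^b are exchanged; each side computes g^(ab) mod p."""
    big_a, big_b = pow(g, a, p), pow(g, b, p)
    return pow(big_b, a, p), pow(big_a, b, p)  # RA's result, RB's result (equal)


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
    print("DH shared secret on each side:", diffie_hellman_demo())
```

Running it prints SharedA'B and SharedB'A as numbers unrelated to 1234 and 2718, then shows both routers holding both shared keys after step 4; only the private exponents never leave their owner. The DH function returns the same secret on both sides without any key ever being encrypted, which is why real IPSec negotiation uses it for the "Protection" step.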
For more theory (not covered in CCNA), refer to the VPN Introduction article.
