25 Nov 2020
To secure network traffic between sites and users, organisations use virtual private networks (VPNs)
Benefit | Description |
---|---|
Cost Savings | VPNs reduce an organisations connectivity costs while simultaneously increasing remote connection bandwidth. |
Security | VPNs provide security by using advanced encryption and authentication protocols that protect data from unauthorised access. |
Scalability | VPNs allow organisations to use the internet, making it easy to add new users without adding significant infrastructure. |
Compatibility | VPNs can be implemented across a wide variety of WAN link options. Remote workers can gain secure access to their corporate networks. |
VPNs can be managed and deployed as:
Enterprise-Managed VPNs
Site-to-Site VPNs
Remote Access VPNs
Service Provider-Managed VPNs
Layer 2 MPLS
Layer 3 MPLS
Legacy Solutions
Feature | IPsec | SSL |
---|---|---|
Applications supported | Extensive - All IP-based applications are supported. | Limited - Only web-based applications and file sharing are supported. |
Authentication strength | Strong - Uses two-way authentication with shared keys or digital certificates. | Moderate - Using one-way or two-way authentication. |
Encryption strength | Strong - Uses key lengths from 56 bits to 256 bits. | Moderate to strong - With key lengths from 40 bits to 256 bits. |
Connection complexity | Medium - Because it requires a VPN client pre-installed on a host. | Low - It only requires a web browser on a host. |
Connection option | Limited - Only specific devices with specific configurations can connect. | Extensive - Any device with a web browser can connect. |
Generic Routing Encapsulation (GRE) is a non-secure site-to-site VPN tunnelling (Carrier) protocol.
A standard IPsec VPN (non-GRE) can only create secure tunnels for unicast traffic. GRE supports multicast and broadcast traffic.
We can encapsulate routing protocol traffic using a GRE packet, and then encapsulate the GRE packet into an IPsec packet to forward it securely to the destination VPN gateway.
Site-to-site IPsec VPNs and GRE over IPsec are adequate to use when there are only a few sites, they are not sufficient when the enterprise adds many more sites because each site would require static configurations to all other sites.
Dynamic Multipoint VPN (DMVPN) is a Cisco software solution for building multiple VPNs in an easy, dynamic, and scalable manner.
DMVPN relies on IPsec
It uses a hub-and-spoke configuration to establish a full mesh topology.
Each site is configured using Multipoint Generic Routing Encapsulation (mGRE). The mGRE tunnel interface allows a single GRE interface to dynamically support multiple IPsec tunnels.
Like DMVPNs, IPsec Virtual Tunnel Interface (VTI) simplifies the configuration process
IPsec VTI configurations are applied to a virtual interface instead of static mapping
VTI is capable of sending and receiving both IP unicast and multicast encrypted traffic.
IPsec is an IETF standard that defines how a VPN can be secured across IP networks.
IPsec can protect traffic from Layer 4 through Layer 7 of the OSI model.
IPsec provides these essential security functions:
Terms
A Security Association (SA) is the basic building block of IPsec.
the peers must share the same SA to negotiate key exchange parameters, establish a shared key, authenticate each other, and negotiate the encryption parameters.
AH does not offer confidentiality as all text is transported encrypted.
DH groups 1, 2, and 5 should no longer be used.