Networking Services and Applications

Lesson overview. In this lesson, we will cover:
● The basics of the virtual private network.
● Protocols used by the virtual private network.
● Network access services.
● Other services and applications.

The basics of the virtual private network.

A virtual private network (VPN) is used by remote hosts to access a private network through an encrypted tunnel across a public network. Once the VPN connection is made, the remote host is no longer considered remote: the private network sees it as a local host. Even though the network traffic may pass through many different routers or systems, both ends see it as a direct connection. Using a VPN can help to reduce networking costs for organizations and businesses, partly because a VPN does not require a dedicated leased line to create the connection.

Highlights:
● A VPN is used by remote hosts to access a private network through an encrypted tunnel across a public network.
● Once the VPN connection is made, the private network sees the remote host as a local host.
● Using a VPN can help to reduce networking costs.

VPN types.

Several different types of VPNs are available for implementation. The choice depends on the security needs and/or the application requirements.

Site-to-site VPN. A site-to-site VPN allows a remote site's network to connect to the main site's network and be seen as a local network segment. VPN concentrators on both ends of the VPN manage the connection.

Remote access VPN. A remote access VPN, also called a host-to-site VPN, allows select remote users to connect to the local network. A VPN concentrator on the local network manages the connections coming in from the remote users. The remote system making the connection uses special software, called VPN client software, to make the connection.
Host-to-host VPN. A third type of VPN is the host-to-host VPN, often called an SSL VPN. It allows a secure connection between two systems without the use of VPN client software. A VPN concentrator on the local network manages the connection. The host seeking to connect uses a Web browser that supports the correct encryption technology, either SSL or, more likely, TLS, to make the connection to the VPN concentrator.

Highlights:
● A site-to-site VPN allows a remote site's network to connect to the main site's network and be seen as a local network segment.
● A remote-access VPN allows select remote users to connect to the local network.
● A host-to-host VPN allows a secure connection between two systems without the use of VPN client software.

Protocols used by the virtual private network.

Several security protocols can be used by a virtual private network. Without these protocols, VPN connections would not be secure.

Internet Protocol Security (IPsec).

The main protocol for VPNs is Internet Protocol Security (IPsec). It is not actually a single protocol; it is an entire set of protocols. IPsec works at Layer 3 of the OSI model or above, and it is the most common suite of protocols used to secure a VPN connection.

IPsec can be used with the Authentication Header (AH) protocol. AH offers only authentication services, with no encryption: it authenticates the user, but the session is not encrypted. IPsec can also be used with the Encapsulating Security Payload (ESP) protocol. ESP both authenticates and encrypts the packets, and it is the most popular method of securing a VPN connection.

Both AH and ESP operate in one of two modes. The first is transport mode, which is used between two devices, as in a host-to-host VPN. The second is tunnel mode, which is used between two endpoints, as in a site-to-site VPN.
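The two modes are easiest to see in bytes. The Python script below is an added illustration, not code from the lesson: it frames a packet with the Authentication Header in transport mode and in tunnel mode, computes a real HMAC-SHA256-128 integrity check value the way RFC 4302 and RFC 4868 describe it (mutable IP fields zeroed, ICV slot zeroed), and, going one step beyond this paragraph, carries a GRE-wrapped multicast packet inside the tunnel, the arrangement the GRE section that follows explains. Because AH authenticates but does not encrypt, the inspection function needs no key to walk every header down to the payload; only tampering is detected. All addresses, the SPI and the key are constructed sample values.

```python
"""Added illustration of IPsec AH framing; not code from the lesson.
Addresses, SPI and key are constructed sample values."""
import hashlib
import hmac
import ipaddress
import struct

PROTO_IPIP, PROTO_UDP, PROTO_GRE, PROTO_AH = 4, 17, 47, 51
ICV_LEN = 16  # HMAC-SHA256-128 (RFC 4868) keeps 16 of the 32 MAC bytes


def ip_checksum(header):
    """One's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header: no options, DF bit set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_wrap(inner_ipv4_packet):
    """Plain GRE header (no flags) announcing an IPv4 payload (0x0800)."""
    return struct.pack("!HH", 0x0000, 0x0800) + inner_ipv4_packet


def ah_icv(ip_hdr, ah_fixed, rest, key):
    """ICV per RFC 4302: mutable IP fields and the ICV slot itself are zeroed."""
    immutable = bytearray(ip_hdr)
    immutable[1] = 0              # DSCP/ECN
    immutable[6:8] = b"\0\0"      # flags + fragment offset
    immutable[8] = 0              # TTL
    immutable[10:12] = b"\0\0"    # header checksum
    data = bytes(immutable) + ah_fixed + b"\0" * ICV_LEN + rest
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(mode, src, dst, proto, payload, key, spi, seq, outer_src=None, outer_dst=None):
    """'transport': protect the src->dst payload under its own header.
    'tunnel': wrap the whole src->dst packet in a new outer_src->outer_dst header."""
    if mode == "transport":
        next_hdr, rest, osrc, odst = proto, payload, src, dst
    elif mode == "tunnel":
        inner = ipv4_header(src, dst, proto, len(payload)) + payload
        next_hdr, rest, osrc, odst = PROTO_IPIP, inner, outer_src, outer_dst
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    # next header, AH length in 32-bit words minus 2, reserved, SPI, sequence number
    ah_fixed = struct.pack("!BBHII", next_hdr, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    ip_hdr = ipv4_header(osrc, odst, PROTO_AH, len(ah_fixed) + ICV_LEN + len(rest))
    return ip_hdr + ah_fixed + ah_icv(ip_hdr, ah_fixed, rest, key) + rest


def ah_verify(packet, key):
    """Receiver side: recompute the ICV and compare in constant time."""
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, rest = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return ip_hdr[9] == PROTO_AH and hmac.compare_digest(icv, ah_icv(ip_hdr, ah_fixed, rest, key))


def inspect_ah(packet):
    """Walk an AH packet with no key at all: this is exactly what AH leaves readable."""
    next_hdr = packet[20]
    info = {"outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
            "spi": struct.unpack("!I", packet[24:28])[0],
            "mode": "tunnel" if next_hdr == PROTO_IPIP else "transport"}
    body = packet[32 + ICV_LEN:]
    if next_hdr == PROTO_IPIP:          # tunnel mode: a complete inner IP packet follows
        next_hdr, body = body[9], body[20:]
    if next_hdr == PROTO_GRE:           # GRE carries yet another IP packet
        info["gre_proto"] = struct.unpack("!H", body[2:4])[0]
        body = body[4:]
        inner_dst = ipaddress.IPv4Address(body[16:20])
        info["inner_dst"], info["multicast"] = str(inner_dst), inner_dst.is_multicast
        body = body[20:]
    info["visible_payload"] = body
    return info


KEY = b"constructed-sample-key-not-for-real-use"
DATA = b"hello group"
UDP = struct.pack("!HHHH", 5000, 5000, 8 + len(DATA), 0) + DATA   # UDP checksum 0 = none


def multicast_over_gre_over_ah(key=KEY):
    """Site-A host -> group 239.1.1.1, GRE between the site routers, AH tunnel between gateways."""
    multicast_pkt = ipv4_header("10.1.1.5", "239.1.1.1", PROTO_UDP, len(UDP)) + UDP
    return ah_protect("tunnel", "10.1.1.1", "10.2.2.1", PROTO_GRE, gre_wrap(multicast_pkt),
                      key, spi=0x1001, seq=1, outer_src="203.0.113.1", outer_dst="198.51.100.1")


def host_to_host_transport(key=KEY):
    """Two hosts on one segment protecting a UDP datagram in transport mode."""
    return ah_protect("transport", "10.1.1.5", "10.1.1.9", PROTO_UDP, UDP, key, spi=0x2002, seq=1)


if __name__ == "__main__":
    for pkt in (multicast_over_gre_over_ah(), host_to_host_transport()):
        print(inspect_ah(pkt), "valid:", ah_verify(pkt, KEY))
    print("tampered valid:", ah_verify(multicast_over_gre_over_ah()[:-1] + b"!", KEY))
```

Running the script prints the inspection of both packets, then shows that a one-byte change to the tunnel packet fails verification. ESP would frame the same inner bytes but encrypt them, so the inner GRE and multicast headers would not be visible on the path; AH is used here precisely because everything stays readable.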
IPsec implements the Internet Security Association and Key Management Protocol (ISAKMP) by default. ISAKMP provides a method for transferring security key and authentication data between systems outside of the security key generating process. It is a much more secure process than using the pre-shared key method.

Highlights:
● IPsec works at Layer 3 of the OSI model and above.
● IPsec is the most common suite of protocols used to secure a VPN connection.
● IPsec uses either the AH protocol or the ESP protocol. Both operate in one of two modes: transport or tunnel.
● IPsec implements the Internet Security Association and Key Management Protocol (ISAKMP) by default. It provides a secure method for transferring security key and authentication data between systems.

Generic Routing Encapsulation (GRE).

Generic Routing Encapsulation (GRE) is a tunneling protocol capable of encapsulating a wide variety of other network layer protocols. It is often used to create a sub-tunnel within an IPsec connection. The reason GRE is used is that IPsec transmits only unicast packets (one-to-one communication). In many cases there is a need to transmit multicast (one-to-some communication) or broadcast (one-to-many communication) packets across an IPsec connection, and GRE makes this possible.

Highlights:
● GRE is a tunneling protocol capable of encapsulating a wide variety of network layer protocols.
● GRE is often used to create a sub-tunnel within an IPsec connection to allow for multicast or broadcast transmissions.

Point-to-Point Tunneling Protocol (PPTP).

Point-to-Point Tunneling Protocol (PPTP) is an older VPN technology that supports dial-up VPN connections. On its own, it lacked native security features, so it was not very secure. However, Microsoft's implementation included additional security by adding GRE to PPTP.

Highlights:
● An older VPN technology that supports dial-up VPN connections.
● On its own, it lacked native security features.
● Microsoft's implementation of PPTP included additional security with GRE.

Transport Layer Security (TLS) protocol.

Transport Layer Security (TLS) is a common VPN protocol. TLS is a cryptographic protocol used to create a secure encrypted connection between two end devices or applications. It uses asymmetric cryptography to authenticate the endpoints and then negotiates a symmetric session key, which is used to encrypt the session. TLS works at Layer 5 and above of the OSI model. Its most common use is in creating a secure encrypted Internet session (an SSL VPN). All modern Web browsers support TLS. TLS has largely replaced the Secure Sockets Layer (SSL) protocol.

Highlights:
● TLS is a cryptographic protocol used to create a secure encrypted connection between two end devices or applications.
● TLS uses asymmetric cryptography to authenticate the endpoints and then negotiates a symmetric session key, which encrypts the session.
● It works at Layer 5 and above of the OSI model.
● Its most common use is in creating a secure encrypted Internet session (SSL VPN).

Secure Sockets Layer (SSL) protocol.

Secure Sockets Layer (SSL) is an older cryptographic protocol that is very similar to TLS. Its most common use is in Internet transactions. All modern Web browsers support SSL, but because of issues with earlier versions of the protocol, it has largely been replaced by TLS. SSL version 3.3 has been developed to address the weaknesses of earlier versions, but it may never achieve the popularity of the TLS protocol.

Highlights:
● SSL is an older cryptographic protocol that is very similar to TLS.
● Its most common use is in Internet transactions.
● Because of issues with earlier versions of the protocol, it has largely been replaced by the TLS protocol.

Network access services.

Network access services are the means and/or methods by which computers, or nodes, connect to networks. Some are hardware based and others are application (software) based.

Network interface controller (NIC).
A network interface controller (NIC), also called a network interface card, is a piece of hardware. The NIC is how a device connects to a network. It works at two layers of the OSI model.

At Layer 2, the data link layer, a NIC provides the functional means of network communication by determining which networking protocols will be used. For example, a NIC can provide Ethernet communication, or a NIC can provide the Point-to-Point Protocol. It also provides the local network node address through its burned-in physical media access control (MAC) address.

At Layer 1, the physical layer, the NIC determines how the network data traffic will be converted, a bit at a time, into an electrical signal that can traverse the network media being used (i.e., it provides the connection to the network).

Most modern computers come with at least one built-in Ethernet NIC. Routers and other network devices may use separate modules that can be inserted into the device to provide the proper NIC for the type of media they are connecting to and the networking protocols being used.

Highlights:
● A NIC is how a device connects to a network.
● NICs work at two layers of the OSI model.
  ○ At Layer 2, it provides the functional means of network communication by determining which networking protocols will be used, and it provides the local network node address through its burned-in physical MAC address.
  ○ At Layer 1, it determines how the network data traffic will be converted, a bit at a time, into an electrical signal that can traverse the network media being used.
● Routers and other network devices may use separate modules that can be inserted into the device to provide the proper NIC for the type of media and protocol being used.

RADIUS (Remote Authentication Dial-In User Service).
RADIUS (Remote Authentication Dial-In User Service) is a remote access service used to authenticate remote users and grant them access to authorized network resources. It is a popular AAA (Authentication, Authorization and Accounting) protocol, used to help ensure that only authenticated end users have access to the network resources they are authorized to use. The accounting services of RADIUS are very robust. The only drawback to RADIUS is that only the requestor's (the end user's) password is encrypted; everything else is sent in the clear.

Highlights:
● RADIUS is a remote access service and a popular AAA protocol used to authenticate remote users and grant them access to authorized network resources.
● With RADIUS, only the requestor's (the end user's) password is encrypted.

TACACS+ (Terminal Access Controller Access-Control System Plus).

Terminal Access Controller Access-Control System Plus (TACACS+) is a remote access service used to authenticate remote devices and grant them access to authorized network resources. TACACS+ is also a popular AAA protocol, used to help ensure that only authenticated remote network devices use the network resources they are authorized to use. The accounting features of TACACS+ are not as robust as those found in RADIUS; however, TACACS+ encrypts all network transmissions between devices, ensuring that transmissions remain secure between devices.

Highlights:
● TACACS+ is a remote access service and a popular AAA protocol used to authenticate remote devices and grant them access to authorized network resources.
● With TACACS+, all transmissions between devices are encrypted.

Other services and applications.

RAS (Remote Access Services).

RAS (Remote Access Services) is not a protocol. Instead, it is a roadmap, which provides a description of the combination of software and hardware required for a remote access connection.
A client requests access from a RAS server, which either grants or rejects that access.

Web services.

Web services create a means of cross communication between software packages or disparate platforms. The cross communication is usually achieved by translating the information into an XML (Extensible Markup Language) format. Web services are becoming more popular as systems diverge.

Unified voice services.

Unified voice services involve creating a better voice communication system. The term describes the combination of software and hardware required to integrate voice communication channels into a network, as in Voice over IP.

Highlights:
● RAS is not a protocol but a roadmap, providing a description of the combination of software and hardware required for a remote access connection.
● Web services create a means of cross communication between software packages or disparate platforms, usually by translating the information into an XML format.
● Unified voice services create better voice communication systems and describe the combination of software and hardware required to integrate voice communication channels into a network.

What was covered.

The basics of the virtual private network. A VPN connection is used to allow remote sites or users to access a private network and to function as a local segment. A site-to-site VPN connects two sites together. A remote-access VPN allows select users to connect, but requires those users to have preconfigured VPN clients installed on their systems. A host-to-host VPN allows users to connect to the private network without the use of VPN client software.

Protocols used by the virtual private network. IPsec is the most common protocol suite used to secure VPN connections. It works at Layer 3 and above of the OSI model. GRE is a tunneling protocol that can encapsulate a wide variety of other network layer protocols.
It is used in conjunction with IPsec to allow for multicast and broadcast packet transmissions. PPTP is an older VPN technology that supports dial-up VPN connections. TLS is a cryptographic protocol that provides authentication services; it is commonly used in Web-based transactions and has largely replaced SSL. SSL is similar to TLS and has largely been replaced by it.

Network access services. The NIC operates at both Layers 2 and 1 of the OSI model. It determines what networking protocol a device will use on the network and is responsible for converting the network bits into an electrical signal. RADIUS is an AAA protocol used to authenticate end users; it has very robust accounting features. TACACS+ is an AAA protocol used to authenticate end devices; it encrypts all transmissions between devices.

Other services and applications. RAS is a description of the combination of software and hardware required for a remote access connection (it is not a protocol). Web services are used to allow disparate software or platforms to communicate; they usually translate communication into an XML format that most software can understand. Unified voice services is a description of the combination of software and hardware used to bring voice communication into a network.
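The TLS and SSL sections above describe the version split; the practical place to see it is the ClientHello, the first record a client sends. The Python below is an added example, not part of the lesson: it builds sample ClientHello records and parses them, reporting the highest version the client is really offering (reading the supported_versions extension that TLS 1.3 clients use, since they pin the legacy version field to 1.2) and flagging SSL 3.0 or NULL/RC4 cipher suites, which is the check a server operator or an IDS rule applies when deciding whether legacy clients are still around. The sample records are constructed inline; the version and cipher suite IDs in the tables are the standard registry values for those names.

```python
"""Added example, not from the lesson: decode a TLS ClientHello and report what
the client offers (RFC 5246 record/handshake layout, RFC 8446 supported_versions)."""
import struct

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUITE_NAMES = {0x0000: "TLS_NULL_WITH_NULL_NULL", 0x0004: "TLS_RSA_WITH_RC4_128_MD5",
               0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
               0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0x1301: "TLS_AES_128_GCM_SHA256"}
WEAK_SUITES = {0x0000, 0x0004, 0x0005}   # no encryption at all, or RC4
EXT_SUPPORTED_VERSIONS = 0x002B
HANDSHAKE_RECORD, CLIENT_HELLO = 0x16, 0x01


def build_client_hello(version, suites, supported_versions=None, random=b"\x11" * 32):
    """Construct a minimal ClientHello: empty session id, null compression only."""
    body = struct.pack("!H", version) + random + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"
    if supported_versions:
        ext_data = bytes([2 * len(supported_versions)])
        ext_data += b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record_version = version if version < 0x0301 else 0x0301   # legacy record-layer version
    return bytes([HANDSHAKE_RECORD]) + struct.pack("!HH", record_version, len(handshake)) + handshake


def u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_client_hello(record):
    """Return what the client offers; raises ValueError if the bytes are not a ClientHello."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    record_version, rec_len = struct.unpack("!HH", record[1:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_version = u16(body, 0)
    pos = 2 + 32                                   # skip client_random
    pos += 1 + body[pos]                           # session id (length-prefixed)
    cs_len = u16(body, pos)
    pos += 2
    suites = [u16(body, pos + i) for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression methods (length-prefixed)
    supported = []
    if pos + 2 <= len(body):                       # the extensions block is optional
        end = pos + 2 + u16(body, pos)
        pos += 2
        while pos + 4 <= end:
            etype, elen = u16(body, pos), u16(body, pos + 2)
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                supported = [u16(edata, 1 + i) for i in range(0, edata[0], 2)]
    # TLS 1.3 clients keep client_version at 0x0303 and list real versions in the extension
    highest = max(supported) if supported else client_version
    return {"record_version": record_version, "client_version": client_version,
            "supported_versions": supported, "highest_version": highest,
            "highest_name": VERSION_NAMES.get(highest, hex(highest)),
            "cipher_suites": [SUITE_NAMES.get(s, hex(s)) for s in suites],
            "legacy_ssl": highest <= 0x0300,
            "weak_suites": [SUITE_NAMES[s] for s in suites if s in WEAK_SUITES]}


if __name__ == "__main__":
    samples = {"sslv3 client": build_client_hello(0x0300, [0x0004, 0x002F]),
               "tls1.2 client": build_client_hello(0x0303, [0xC02F]),
               "tls1.3 client": build_client_hello(0x0303, [0x1301, 0xC02F], [0x0304, 0x0303])}
    for name, rec in samples.items():
        print(name, parse_client_hello(rec))
```

The same parser can be pointed at the first bytes of a captured connection to confirm whether anything on the network still speaks SSL 3.0; a server that sets its minimum version to TLS 1.2 will reject the first sample outright.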
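The RADIUS section above says that only the password is encrypted and everything else goes in the clear. This added Python example (not from the lesson) shows what that means concretely by building an Access-Request the way RFC 2865 lays it out: the User-Password attribute is hidden with the standard MD5-and-XOR scheme keyed by the shared secret and the 16-byte Request Authenticator, while User-Name and every other attribute are readable by anyone on the path. The shared secret, authenticator and credentials are constructed sample values.

```python
"""Added example, not from the lesson: a RADIUS Access-Request on the wire,
with RFC 2865 section 5.2 User-Password hiding.  All values are constructed."""
import hashlib
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password, secret, authenticator):
    """Client side: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\0" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        hidden += prev
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Server side: regenerate the same stream; chaining uses the received blocks."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        stream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ s for c, s in zip(block, stream))
        prev = block
    return clear.rstrip(b"\0")


def attribute(atype, value):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(identifier, username, password, secret, authenticator):
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet):
    """Code, Identifier, Length, Authenticator, then attributes until Length is reached."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return {"code": code, "identifier": identifier,
            "authenticator": packet[4:20], "attributes": attrs}


def readable_without_secret(packet):
    """What the packet shows to anyone on the path who lacks the shared secret:
    the user name as plain text, the password only as the hidden blob."""
    parsed = parse_packet(packet)
    return {"user_name": parsed["attributes"][ATTR_USER_NAME].decode(),
            "password_blob": parsed["attributes"][ATTR_USER_PASSWORD]}


SECRET = b"constructed-shared-secret"     # constructed; never reuse in a real deployment
AUTH = bytes(range(16))                    # constructed; real clients use 16 random bytes

if __name__ == "__main__":
    pkt = build_access_request(7, b"alice", b"correct horse", SECRET, AUTH)
    print(readable_without_secret(pkt))
    print("server recovers:", reveal_password(readable_without_secret(pkt)["password_blob"], SECRET, AUTH))
```

This is why RADIUS is normally confined to a trusted management segment or carried inside IPsec or TLS, and why the lesson contrasts it with TACACS+, which encrypts the whole body of every transmission rather than one attribute.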