The main advantages of using VPNs are:
- Cost savings – organizations are able to use cost-effective Internet transport instead of expensive dedicated WAN links.
- Security – VPNs use encryption and authentication protocols that protect data in transit from being read or altered by unauthorized parties. The protection is only as strong as the algorithms, key sizes and credentials that are configured, so those choices matter.
- Scalability – organizations are able to add new users without making significant changes to their infrastructure.
There are two types of VPNs: site-to-site and remote-access VPNs.
Site-to-site VPNs are used by organizations to connect dispersed locations in the same way as a leased line or Frame Relay connection is used. Site-to-site VPNs are extensions of the classic WANs. An organization can use site-to-site VPN to connect a branch office to the headquarters network, for example.
In site-to-site VPNs, the traffic is routed through a VPN gateway, such as a router, a PIX firewall appliance (a legacy platform), or an Adaptive Security Appliance (ASA). The gateway encapsulates and encrypts the traffic and sends it through a VPN tunnel to the remote site, where another VPN gateway receives it, strips the outer headers, decrypts the content, and forwards the packet to the target host inside its private network. The hosts on either side need no VPN software of their own; the gateways do all the work.
Remote-access VPNs are used by remote users, such as teleworkers, to reach resources inside the organization's network over an ordinary Internet connection, for example home broadband. The user's device runs VPN client software that connects to a VPN gateway. After the connection is established, the remote user can access the resources inside the network. The traffic between the client and the VPN gateway is encrypted; beyond the gateway it travels as it normally would on the internal network.
The key characteristics of VPNs are:
- Data confidentiality – protects the data from being read by anyone who intercepts it, using encapsulation and encryption mechanisms.
- Data integrity – VPNs verify the integrity of data and detect any alteration that occurred as the packet traveled from source to destination. An altered packet is dropped, not repaired.
- Authentication – VPNs can use passwords (pre-shared keys), digital certificates, smart cards, and biometrics to establish the identity of the party at the other end of the tunnel, ensuring that only authorized peers and users get access.
VPNs use tunneling to build a secured private network between two remote sites or from a VPN client to a VPN gateway. Tunneling lets a public network carry data from one VPN endpoint to the other: the entire original packet, its private source and destination addresses included, is encapsulated as the payload of a new packet addressed between the tunnel endpoints, and the composite packet is sent over the network. When the packet arrives at the other end, it is decapsulated, and if the receiver is a VPN gateway, the inner packet is forwarded to the destination host inside the network. Tunneling by itself gives no protection; it is the encryption and authentication applied to the encapsulated packet that turn a tunnel into a VPN.
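To make the encapsulation concrete, here is an added example in Go (not code from the original page): it builds a constructed inner IPv4/UDP packet between two private hosts, wraps it in an outer IPv4 header addressed between two tunnel gateways, and then decapsulates it the way the receiving gateway would, validating the outer header's checksum and protocol field before trusting what is inside. All addresses, ports and payload bytes are invented for the example. The outer packet uses plain IP-in-IP (protocol 4) to show the framing only; an ESP tunnel would insert an ESP header at the same place and encrypt everything after it.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

const (
	protoIPinIP = 4  // outer protocol for a plain IP-in-IP tunnel (RFC 2003)
	protoUDP    = 17
	hdrLen      = 20 // IPv4 header without options
)

// checksum is the one's-complement IPv4 header checksum; over a header whose checksum field is filled in it returns 0.
func checksum(b []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(b); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(b[i:]))
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// buildIPv4 returns a 20-byte header followed by the payload.
func buildIPv4(src, dst string, proto byte, payload []byte) []byte {
	pkt := make([]byte, hdrLen+len(payload))
	pkt[0] = 0x45 // version 4, header length 5 words
	binary.BigEndian.PutUint16(pkt[2:4], uint16(len(pkt)))
	pkt[8] = 64 // TTL
	pkt[9] = proto
	copy(pkt[12:16], net.ParseIP(src).To4())
	copy(pkt[16:20], net.ParseIP(dst).To4())
	binary.BigEndian.PutUint16(pkt[10:12], checksum(pkt[:hdrLen]))
	copy(pkt[hdrLen:], payload)
	return pkt
}

// Header is what anyone on the path can read from an IPv4 packet.
type Header struct {
	Src, Dst string
	Proto    byte
	TotalLen int
}

// ParseHeader validates the fixed header and its checksum before trusting any field.
func ParseHeader(pkt []byte) (Header, error) {
	if len(pkt) < hdrLen || pkt[0] != 0x45 || checksum(pkt[:hdrLen]) != 0 {
		return Header{}, errors.New("invalid or corrupted IPv4 header")
	}
	tl := int(binary.BigEndian.Uint16(pkt[2:4]))
	if tl < hdrLen || tl > len(pkt) {
		return Header{}, errors.New("total length inconsistent with packet")
	}
	return Header{Src: net.IP(pkt[12:16]).String(), Dst: net.IP(pkt[16:20]).String(), Proto: pkt[9], TotalLen: tl}, nil
}

// Encapsulate is the sending gateway's job: the whole inner packet, private addresses included, becomes the payload of an outer packet addressed gateway to gateway.
func Encapsulate(gwSrc, gwDst string, inner []byte) []byte {
	return buildIPv4(gwSrc, gwDst, protoIPinIP, inner)
}

// Decapsulate is the receiving gateway's job: check the outer header, strip it, and validate the inner packet before forwarding it.
func Decapsulate(outer []byte) ([]byte, error) {
	h, err := ParseHeader(outer)
	if err != nil {
		return nil, fmt.Errorf("outer header: %w", err)
	}
	if h.Proto != protoIPinIP {
		return nil, fmt.Errorf("outer protocol %d is not a tunnel", h.Proto)
	}
	inner := outer[hdrLen:h.TotalLen]
	if _, err := ParseHeader(inner); err != nil {
		return nil, fmt.Errorf("inner header: %w", err)
	}
	return inner, nil
}

// SamplePacket is a constructed inner packet: UDP from a branch host (10.1.1.5) to a DNS server at headquarters (10.2.2.7). All values are invented.
func SamplePacket() []byte {
	data := []byte("constructed DNS query")
	udp := make([]byte, 8+len(data))
	binary.BigEndian.PutUint16(udp[0:2], 40000)            // source port
	binary.BigEndian.PutUint16(udp[2:4], 53)               // destination port
	binary.BigEndian.PutUint16(udp[4:6], uint16(len(udp))) // length; UDP checksum left 0 (allowed for IPv4)
	copy(udp[8:], data)
	return buildIPv4("10.1.1.5", "10.2.2.7", protoUDP, udp)
}

func main() {
	tunnel := Encapsulate("203.0.113.1", "198.51.100.1", SamplePacket())
	inner, err := Decapsulate(tunnel)
	fmt.Printf("tunnel packet %d bytes, inner packet %d bytes, err=%v\n", len(tunnel), len(inner), err)
}
```

An observer on the Internet path who parses the tunnel packet sees only the two gateway addresses and protocol 4; the private 10.x addresses are inside the payload. Note that the receiving gateway validates both headers and refuses a non-tunnel packet rather than forwarding whatever arrives.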
If plaintext data is transported over a public network, such as the Internet, it can be intercepted and read. VPNs encrypt the data as it travels across the public network. For encryption to work, both the sender and the receiver must agree on the algorithm and hold the right key: the same shared secret key for symmetric algorithms, or the matching half of a key pair for asymmetric ones. The encrypted message is an unreadable string of ciphertext as it passes through the public network and can be decrypted only with the correct key.
Some of the most common encryption algorithms used by VPN are:
- Data Encryption Standard (DES) – a symmetric key cryptosystem that uses a 56-bit key. A 56-bit key can be brute-forced with modest hardware, so DES is considered broken and should not be used in new deployments.
- Triple DES (3DES) – a newer variant of DES that encrypts with one key, decrypts with a second key, and then encrypts one final time with a third key (encrypt-decrypt-encrypt). The three 56-bit keys give an effective strength of about 112 bits; 3DES is slow and is being retired in favour of AES.
- Advanced Encryption Standard (AES) – provides stronger security than DES and is computationally more efficient than 3DES. It offers three key lengths: 128, 192, and 256 bits. AES is the cipher to choose today.
- Rivest, Shamir, and Adleman (RSA) – an asymmetric (public-key) cryptosystem with key lengths of 512, 768, 1024 bits or greater; 2048 bits is the minimum considered adequate today. In VPNs, RSA is used for peer authentication (digital signatures and certificates) and key exchange, not for encrypting the bulk traffic.
IPsec is a protocol suite for securing IP communications that provides encryption, integrity, and authentication. IPsec is a framework rather than a fixed set of algorithms: it defines how packets are protected and how keys are negotiated (through IKE), while the actual encryption, hashing and key-exchange algorithms are plugged in and agreed between the peers.
There are two main IPsec framework protocols:
- Authentication Header (AH) – is used when confidentiality is not required or not permitted. AH provides data origin authentication and integrity for IP packets passed between two systems but does not provide confidentiality (encryption); the payload travels in the clear. Because AH's integrity check also covers fields of the IP header, AH does not work through NAT. When combined with ESP, ESP supplies the encryption and AH adds integrity over the outer header.
- Encapsulating Security Payload (ESP) – provides confidentiality by encrypting the packet payload, and authentication and integrity through an integrity check value computed over the ESP header and the encrypted data. Both encryption and authentication are optional in ESP, but at least one must be selected. Encryption without authentication should never be used: an attacker can modify ciphertext without being detected, and such configurations have been broken in practice. Use ESP with both, or a combined-mode algorithm such as AES-GCM that provides both at once.
The standard IPsec algorithms used to implement encryption, authentication and key exchange are:
- DES – used to encrypt and decrypt packet data (deprecated; see above).
- 3DES – provides significant encryption strength over DES.
- AES – provides stronger encryption and faster throughput.
- MD5 – authenticates packet data with HMAC-MD5, a keyed hash that produces a 128-bit digest from the data and a shared secret key. MD5 is deprecated; prefer SHA-2 where the platform supports it.
- SHA-1 – authenticates packet data with HMAC-SHA-1, a keyed hash that produces a 160-bit digest from the data and a shared secret key. SHA-2 (SHA-256 and up) is preferred on platforms that support it.
- DH – Diffie-Hellman lets the two peers establish a shared secret over an insecure channel without ever sending the secret itself; the keys for the encryption and hash algorithms, for example DES and MD5, are derived from it.
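To tie the AH/ESP description and the algorithm list together, here is an added Go example (not the page's own code, and not the implementation of any Cisco platform) that frames a payload the way ESP does: SPI, sequence number, IV, AES-CBC ciphertext with the ESP trailer, and a 96-bit HMAC-SHA-1 integrity check value (ICV). The receiver verifies the ICV in constant time before it decrypts anything. The same code with the ICV switched off shows why encryption-only ESP is dangerous: a bit flipped in transit goes undetected and corrupted data is delivered to the inside network. The keys and payload are constructed for the example; in a real security association they come from the DH exchange that IKE performs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

const icvLen = 12 // HMAC-SHA-1-96: IPsec keeps the first 96 bits of the 160-bit tag (RFC 2404)

type Keys struct{ Enc, Auth []byte } // one direction's encryption and authentication key for an SA

var sampleKeys = Keys{Enc: bytes.Repeat([]byte{0xA5}, 32), Auth: bytes.Repeat([]byte{0x5A}, 20)} // constructed; real SAs get keys from IKE's DH exchange

// icv is ESP's integrity check value: HMAC-SHA-1 over the packet, truncated to 96 bits.
func icv(key, data []byte) []byte {
	m := hmac.New(sha1.New, key)
	m.Write(data)
	return m.Sum(nil)[:icvLen]
}

// Seal builds an ESP packet: SPI | sequence | IV | AES-CBC(payload + ESP trailer) | ICV. auth=false omits the ICV, which ESP permits but which must never be deployed (see Open).
func Seal(k Keys, spi, seq uint32, payload []byte, auth bool) ([]byte, error) {
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padLen := (bs - (len(payload)+2)%bs) % bs
	plain := append([]byte{}, payload...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // ESP's default padding bytes: 1, 2, 3, ...
	}
	plain = append(plain, byte(padLen), 4) // ESP trailer: pad length, next header (4 = IPv4, tunnel mode)
	pkt := make([]byte, 8+bs, 8+bs+len(plain)+icvLen)
	binary.BigEndian.PutUint32(pkt[0:4], spi)
	binary.BigEndian.PutUint32(pkt[4:8], seq)
	if _, err := rand.Read(pkt[8:]); err != nil { // fresh random IV for every packet
		return nil, err
	}
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, pkt[8:]).CryptBlocks(ct, plain)
	pkt = append(pkt, ct...)
	if auth {
		pkt = append(pkt, icv(k.Auth, pkt)...) // covers SPI, sequence number, IV and ciphertext
	}
	return pkt, nil
}

// Open verifies the ICV first, with a constant-time compare, and only then decrypts.
func Open(k Keys, pkt []byte, auth bool) ([]byte, error) {
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if auth {
		if len(pkt) < icvLen {
			return nil, errors.New("packet too short")
		}
		body, tag := pkt[:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
		if !hmac.Equal(tag, icv(k.Auth, body)) {
			return nil, errors.New("ICV mismatch: packet altered in transit or forged")
		}
		pkt = body
	}
	if len(pkt) < 8+2*bs || (len(pkt)-8-bs)%bs != 0 {
		return nil, errors.New("malformed ESP body")
	}
	plain := make([]byte, len(pkt)-8-bs)
	cipher.NewCBCDecrypter(block, pkt[8:8+bs]).CryptBlocks(plain, pkt[8+bs:])
	padLen := int(plain[len(plain)-2])
	if padLen+2 > len(plain) {
		return nil, errors.New("bad pad length")
	}
	return plain[:len(plain)-2-padLen], nil
}

// TamperDemo flips one ciphertext bit "in transit": did authenticated ESP reject it, did encryption-only ESP accept it, and what did the latter deliver?
func TamperDemo() (rejected, accepted bool, delivered []byte) {
	payload := []byte("constructed inner packet bytes") // 30 bytes: two AES blocks once the trailer is added
	withICV, _ := Seal(sampleKeys, 0x1000, 1, payload, true)
	withICV[24] ^= 0x01 // first ciphertext byte
	_, errICV := Open(sampleKeys, withICV, true)
	noICV, _ := Seal(sampleKeys, 0x1000, 2, payload, false)
	noICV[24] ^= 0x01
	delivered, errNone := Open(sampleKeys, noICV, false)
	return errICV != nil, errNone == nil, delivered
}

func main() {
	rejected, accepted, delivered := TamperDemo()
	fmt.Printf("with ICV rejected: %v; without ICV accepted: %v, delivering %q\n", rejected, accepted, delivered)
}
```

In the encryption-only run the receiver gets no error at all: the first plaintext block comes out as garbage and one bit of the second is flipped, yet the packet is passed on. That is the behaviour the "at least one must be selected" rule quietly permits, and the reason a transform set should always carry an authentication algorithm (or use AES-GCM, which covers both).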
There are four choices you should be aware of when you configure an IPsec VPN. First, you must choose an IPsec protocol: ESP, or ESP with AH. Next, you must select the encryption algorithm according to the level of security you need: DES, 3DES, or AES. After the encryption algorithm is selected, you must choose the authentication (hash) algorithm that provides data integrity: MD5 or SHA. The last step is to select the Diffie-Hellman (DH) group used to establish shared key material between the peers: DH group 1 (768-bit) or DH group 2 (1024-bit). Both of these groups are too small to be considered secure today; production configurations should use group 14 (2048-bit) or larger, or an elliptic-curve group, together with AES and SHA-2, wherever the platform allows it.
When taking the CCNA exam you must be able to recognize basic VPN concepts: what a VPN is used for, which encryption and hash algorithms are used, and what IPsec is. We do our best to explain every CCNA topic as simply as possible, and we hope you found this topic helpful.
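As an added example (not from the original page), the following Go program walks through the key-exchange step from both sides. It uses the 256-bit elliptic-curve group (IKE group 19) rather than the 768- and 1024-bit groups 1 and 2 named above, which are too small to use today. It then shows why the authentication step is not optional: an attacker on the path who substitutes her own public values ends up sharing a key with each side while the two ends never share one, and only a proof bound to something the attacker lacks (here a pre-shared key, as a simplified stand-in for IKE's authentication payloads) exposes the substitution. The peer names and the pre-shared key are invented.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Peer holds one side's Diffie-Hellman state. The private value never leaves the host;
// only the public value goes into the IKE message.
type Peer struct {
	Name string
	priv *ecdh.PrivateKey
}

// NewPeer picks a fresh private value on the 256-bit ECP group (IKE group 19).
func NewPeer(name string) *Peer {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable randomness: nothing sensible to do in an example
	}
	return &Peer{Name: name, priv: priv}
}

// Public is the value sent on the wire (an uncompressed curve point, 65 bytes).
func (p *Peer) Public() []byte { return p.priv.PublicKey().Bytes() }

// Secret combines the own private value with the other side's public value and hashes
// the result into key material (a simplified stand-in for IKE's PRF). Values that are
// not valid points on the curve are rejected before any arithmetic is done.
func (p *Peer) Secret(peerPublic []byte) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(peerPublic)
	if err != nil {
		return nil, fmt.Errorf("%s: invalid peer value: %w", p.Name, err)
	}
	shared, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(shared)
	return sum[:], nil
}

func mustSecret(p *Peer, peerPublic []byte) []byte {
	k, err := p.Secret(peerPublic)
	if err != nil {
		panic(err)
	}
	return k
}

// Proof authenticates the exchange with a pre-shared key: HMAC over both public values
// as the prover saw them. Whoever lacks the PSK cannot forge it for substituted values.
func Proof(psk, ownPublic, peerPublic []byte) []byte {
	m := hmac.New(sha256.New, psk)
	m.Write(ownPublic)
	m.Write(peerPublic)
	return m.Sum(nil)
}

// HonestExchange reports whether two peers that see each other's real values agree on a key.
func HonestExchange() bool {
	branch, hq := NewPeer("branch"), NewPeer("hq")
	return bytes.Equal(mustSecret(branch, hq.Public()), mustSecret(hq, branch.Public()))
}

// ManInTheMiddle puts an attacker on the path who swaps in her own public values.
// Unauthenticated DH cannot notice: each end agrees a key, but with the attacker.
// Returns (attacker shares branch's key, attacker shares hq's key, the two ends agree
// with each other, hq accepts the PSK proof it receives).
func ManInTheMiddle(psk []byte) (withBranch, withHQ, endsAgree, proofAccepted bool) {
	branch, hq, mallory := NewPeer("branch"), NewPeer("hq"), NewPeer("mallory")
	kBranch := mustSecret(branch, mallory.Public()) // branch believes this value came from hq
	kHQ := mustSecret(hq, mallory.Public())         // hq believes this value came from branch
	mBranch := mustSecret(mallory, branch.Public())
	mHQ := mustSecret(mallory, hq.Public())
	// branch proves possession of the PSK over the values it saw; mallory can only relay it.
	relayed := Proof(psk, branch.Public(), mallory.Public())
	expected := Proof(psk, mallory.Public(), hq.Public()) // what hq expects from its apparent peer
	return bytes.Equal(kBranch, mBranch), bytes.Equal(kHQ, mHQ),
		bytes.Equal(kBranch, kHQ), hmac.Equal(relayed, expected)
}

func main() {
	fmt.Println("honest peers agree:", HonestExchange())
	a, b, c, d := ManInTheMiddle([]byte("constructed pre-shared key"))
	fmt.Printf("MITM: key with branch %v, key with hq %v, ends agree %v, PSK proof accepted %v\n", a, b, c, d)
}
```

The DH group only sets how hard the shared secret is to recover from the public values; it says nothing about who sent them. That is what the pre-shared key or certificate in the authentication step is for, and why IKE binds its identity proof to the exchanged values.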
