
VPN Basics: Encryption and Security Protocols in a VPN

Encryption is the process of encoding data so that only a computer with the right decoder will be able to read and use it. The two most common forms of encryption are symmetric-key encryption and public-key encryption:

In symmetric-key encryption, all computers (or users) share the same key used to both encrypt and decrypt a message.

In public-key encryption, each computer (or user) has a public-private key pair. One computer uses its private key to encrypt a message, and another computer uses the corresponding public key to decrypt that message.

In a VPN, the computers at each end of the tunnel encrypt the data entering the tunnel and decrypt it at the other end. A site-to-site VPN could use either Internet Protocol Security (IPSec) or Generic Routing Encapsulation (GRE).

Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network.

IPSec (Internet Protocol Security) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPSec can encrypt data between various devices, including router to router, firewall to router, desktop to router, and desktop to server.

IPSec consists of two sub-protocols which provide the instructions a VPN needs to secure its packets:

Encapsulating Security Payload (ESP) encrypts the packet's payload (the data it's transporting) with a symmetric key.

Authentication Header (AH) uses a hashing operation on the packet header to help hide certain packet information (like the sender's identity) until it gets to its destination.

Networked devices can use IPSec in one of two encryption modes. In transport mode, devices encrypt the data traveling between them. In tunnel mode, the devices build a virtual tunnel between two networks.


VPN Basics: Site-to-site VPN and Remote-access VPN

Site-to-site VPN

A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. Site-to-site VPN extends the company's network, making computer resources from one location available to employees at other locations. An example of a company that needs a site-to-site VPN is a growing corporation with dozens of branch offices around the world.

In a site-to-site VPN, hosts do not have VPN client software; they send and receive normal TCP/IP traffic through a VPN gateway (for example, a Cisco ASA or Fortigate firewall). The VPN gateway is responsible for encapsulating and encrypting outbound traffic and sending it through a VPN tunnel over the Internet to a peer VPN gateway at the target site. Upon receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet towards the target host inside its private network.

There are two types of site-to-site VPNs:

Intranet-based -- If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect each separate LAN to a single WAN.

Extranet-based -- When a company has a close relationship with another company (such as a partner, supplier or customer), it can build an extranet VPN that connects those companies' LANs. This extranet VPN allows the companies to work together in a secure, shared network environment while preventing access to their separate intranets.

Most VPNs rely on tunneling to create a private network that reaches across the Internet. Tunneling is the process of placing an entire packet within another packet before it's transported over the Internet. That outer packet protects the contents from public view and ensures that the packet moves within a virtual tunnel. This layering of packets is called "encapsulation".

Computers or other network devices at both ends of the tunnel, called tunnel interfaces, encapsulate outgoing packets and unwrap incoming packets. The tunnel interfaces are configured using a tunneling protocol, whose purpose is to add a layer of security that protects each packet on its journey over the Internet. Even if an attacker captured the packets, they would not be able to read them.
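The following is an added example, not code from the original blog, that models in Python the tunnel-mode behaviour described above and in the encryption post: a gateway wraps a whole inner packet inside an outer gateway-to-gateway packet, encrypts it with the shared symmetric key (ESP-style), and appends an integrity tag that lets the peer gateway detect a modified or forged packet (in IPsec, that tamper detection is the job of AH and of ESP's own integrity check; the encryption is what hides the payload). It is not an IPsec implementation: real ESP uses negotiated transforms such as AES, carries an SPI and sequence number, and gets its keys from IKE. Here HMAC-SHA256 in counter mode stands in for a stream cipher, and the key, addresses and payload are all constructed values.

```python
import hashlib
import hmac
import os
import socket
import struct

# Constructed demo key shared by both tunnel endpoints. Real IPsec negotiates
# per-tunnel keys with IKE; this fixed value exists only so the example runs offline.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def _subkey(key, label):
    # Derive separate encryption and integrity keys from the shared secret so the
    # same key is never used for both purposes.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode acts as a stand-in stream cipher (a demo
    # construction, not one of IPsec's ESP transforms such as AES).
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data, keystream):
    return bytes(a ^ b for a, b in zip(data, keystream))


def build_inner_packet(src_ip, dst_ip, payload):
    # Toy "IP packet": 4-byte source, 4-byte destination, then the payload.
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + payload


def parse_inner_packet(inner):
    return socket.inet_ntoa(inner[0:4]), socket.inet_ntoa(inner[4:8]), inner[8:]


def tunnel_encapsulate(key, inner, gateway_src_ip, gateway_dst_ip):
    """Tunnel mode: the whole inner packet becomes the encrypted payload of an
    outer packet addressed gateway-to-gateway (ESP-style).

    Layout: outer header (8) | nonce (8) | ciphertext | HMAC tag (32)
    """
    outer_header = socket.inet_aton(gateway_src_ip) + socket.inet_aton(gateway_dst_ip)
    nonce = os.urandom(8)  # fresh per packet so the keystream never repeats
    ciphertext = _xor(inner, _keystream(_subkey(key, b"enc"), nonce, len(inner)))
    # Integrity tag over everything the receiver will act on (encrypt-then-MAC).
    tag = hmac.new(_subkey(key, b"mac"), outer_header + nonce + ciphertext, hashlib.sha256).digest()
    return outer_header + nonce + ciphertext + tag


def tunnel_decapsulate(key, outer):
    """Peer gateway: verify the tag first, then strip the outer header and decrypt.
    A packet that fails verification is dropped (ValueError) before any decryption."""
    if len(outer) < 8 + 8 + 32:
        raise ValueError("packet too short: dropped")
    outer_header, nonce = outer[0:8], outer[8:16]
    ciphertext, tag = outer[16:-32], outer[-32:]
    expected = hmac.new(_subkey(key, b"mac"), outer_header + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: dropped")
    return _xor(ciphertext, _keystream(_subkey(key, b"enc"), nonce, len(ciphertext)))


def observer_view(outer):
    # Everything an on-path observer can read: the gateway addresses and the
    # size of an opaque blob. Inner addresses and payload are not visible.
    return {
        "outer_src": socket.inet_ntoa(outer[0:4]),
        "outer_dst": socket.inet_ntoa(outer[4:8]),
        "opaque_bytes": len(outer) - 8,
    }


if __name__ == "__main__":
    # Constructed addresses: branch host 10.1.0.5 talks to HQ host 10.2.0.9 through
    # gateways 203.0.113.1 and 198.51.100.2 (documentation ranges).
    inner = build_inner_packet("10.1.0.5", "10.2.0.9", b"GET /payroll HTTP/1.1")
    wire = tunnel_encapsulate(SHARED_KEY, inner, "203.0.113.1", "198.51.100.2")
    print("observer sees:", observer_view(wire))
    print("peer gateway delivers:", parse_inner_packet(tunnel_decapsulate(SHARED_KEY, wire)))
    tampered = wire[:20] + bytes([wire[20] ^ 0x01]) + wire[21:]
    try:
        tunnel_decapsulate(SHARED_KEY, tampered)
    except ValueError as err:
        print("tampered packet:", err)
```

Two design points carry over to real deployments: the receiver checks the integrity tag before it decrypts anything, so a corrupted or forged packet is dropped without being processed, and the encryption and integrity keys are derived separately from the shared secret rather than reusing one key for both jobs.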

Remote-access VPN

A remote-access VPN allows individual users to establish secure connections with a remote computer network. For example, travelers and users working remotely who need to access their company's network securely over the Internet can use a remote-access VPN. In a remote-access VPN, every host must have VPN client software (for example, Cisco AnyConnect).

Whenever the host tries to send any traffic, the VPN client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network. Upon receipt, that VPN gateway behaves as described above for site-to-site VPNs. If the target host inside the private network returns a response, the VPN gateway performs the reverse process to send an encrypted response back to the VPN client over the Internet.



Basic Notes about VPN


A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. It works by encapsulating data for one network inside of an ordinary IP packet and transporting that packet to another network. When the packet arrives at the destination network, it is unwrapped and delivered to the appropriate host on the destination network. By encapsulating the data using cryptographic techniques, the data is protected from tampering and snooping while it is transported over the public network.

Through a VPN you can access your private network from a remote location over the Internet without compromising security. VPNs allow employees to securely access their company's intranet while travelling outside the office. Similarly, VPNs securely connect different branch offices together over the Internet without a dedicated leased line, at much lower cost than leased lines. VPNs also use strong encryption to provide privacy and strong authentication to guarantee identity, so they are more secure than traditional networks. By using a VPN, businesses ensure security: even if the data is intercepted while it travels through the VPN, the interceptor cannot read it, because it is encrypted.

Different VPNs used

VPNs can be either remote-access (connecting an individual computer to a network) or site-to-site (connecting two networks together). In a corporate setting, remote-access VPNs allow employees to access their company's intranet from home or while travelling outside the office, and site-to-site VPNs allow employees in geographically different locations to share one network.

One interesting thing to note about VPNs is that there are no standards about how to set them up. If you're establishing your own VPN, it's up to you to decide which protocols and components to use and to understand how they work together.

Five basic components of VPNs:

VPN Gateways: Devices used to connect an entire network to the VPN.
VPN Client Software: Software for individual PCs that allows them to connect to the VPN.
Authentication Servers: Systems such as certificate authorities and RADIUS servers that guarantee the identity of VPN gateways and clients.
Management Servers: Systems that provide control, monitoring, alerting and reporting on the VPN.
Physical Transport: Any IP or Internet connection.

Advantages of VPN

Security -- The VPN should protect data while it's travelling on the public network. If intruders attempt to capture the data, they should be unable to read or use it.
Reliability -- Employees and remote offices should be able to connect to the VPN with no trouble at any time (unless hours are restricted), and the VPN should provide the same quality of connection for each user even when it is handling its maximum number of simultaneous connections.
Scalability -- As a business grows, it should be able to extend its VPN services to handle that growth without replacing the VPN technology altogether.
