THE FASCINATING WORLD OF NETWORKING
OPTIMIZED FOR GOOGLE CHROME
Introduction to VPN
Overview
A virtual private network (VPN) is as an encrypted connection between private networks over a public network such as the Internet. The word virtual in VPN refers to a logical connection between two devices. Information within a private network is transported over a public network.
The word Private means the traffic is encrypted to keep the data confidential.
A Virtual Private Network (VPN) provides the same network connectivity for remote users over a public infrastructure as they would have over a private network.
VPN services or benefits for network connectivity include:
-
Authentication: ensures that only authorized senders and devices enter the network.
-
Data integrity: guarantees that no tamperingmanipulación or alterations occur. Using hashing.
-
Data Confidentiality: Protects data against eavesdroppers (spoofing). By configuring encryption.
Types of VPN
There are two major categories into which VPNs could be placed: remote-access and site-to-site.
Site-to-Site VPNs:
-
Connects entire networks to each other.
-
VPN hosts do not require VPN client software.
-
VPNs send and receive normal TCP/IP traffic through a VPN “gateway” such as a Cisco ISR or an ASA.
-
The VPN gateway is responsible for encapsulating and encrypting outbound traffic over the Internet to a peer VPN gateway.
-
Upon receipt, the peer VPN gateway decrypts the content and relays the packet toward the target host inside its private network.
-
Many Cisco devices can work together to form the VPN, including routers, firewalls, and Adaptive Security Appliances.
-
You can deploy Site-to-Site IPSec VPN between routers, router and ASA, and between ASAs.
There are two types of site-to-site VPNs:
-
Intranet-based -- If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect each separate LAN to a single WAN.
-
Extranet-based -- When a company has a close relationship with another company (such as a partner, supplier or customer), it can build an extranet VPN that connects those companies' LANs. This extranet VPN allows the companies to work together in a secure, shared network environment while preventing access to their separate intranets.
Remote Access VPNs:
-
They securely connect remote users, such as mobile users and telecommuters, to the enterprise.
-
In a remote-access VPN, each host typically has Cisco VPN Client software or Cisco Anyconnect.
-
The client encapsulates and encrypts that traffic and sends it over the Internet to the target VPN gateway.
-
The VPN gateway behaves as it does for site-to-site VPNs.
The different types of Remote Access VPNs are:
-
Clientless SSL VPN (WebVPN):
-
Browser-based VPN that lets users establish a secure, remote-access VPN tunnel to the ASA/ISR using a web browser.
-
After authentication, users access a portal page and can access specific, supported internal resources.
-
-
Client-Based SSL VPN:
-
Provides full tunnel SSL VPN connection but requires a VPN client application to be installed on the remote host.
-
Requires a client, such as the Cisco AnyConnect VPN client to be installed on the host.
-
-
Cisco Easy VPN (IPSec Remote Access VPN):
-
Cisco Easy VPN is an IP Security (IPsec) virtual private network (VPN) solution supported by Cisco routers and security appliances.
-
It greatly simplifies VPN deployment for remote offices and mobile workers.
-
Cisco Easy VPN can be deployed in a Cisco IOS router or an ASA appliance.
-
We need a Cisco VPN client software that can be installed on an operating system.
-
VPN Categories
The diagram below illustrates the four general VPN categories:
Policy-Based Vs Route-Based VPN
Both of these VPN categories make use of the IPSEC protocol (we will describe it later) which is the de facto standard for creating secure VPN networks; Let’s see a brief description of them below:
• Policy-Based IPSEC VPN: This is the traditional IPSEC VPN type which is still widely used today. This VPN category is supported on both Cisco ASA Firewalls and Cisco Routers. With this VPN type, the device encrypts and encapsulates a subset of traffic flowing through an interface according to a defined policy (using an Access Control List). The IPSEC protocol is used for tunneling and for securing the communication flow.
• Route-Based VPN: A route-based VPN configuration employs Layer3 routed tunnel interfaces as the endpoints of the virtual network. All traffic passing through a special Layer3 tunnel interface is placed into the VPN. Rather than relying on an explicit policy to dictate which traffic enters the VPN, static or dynamic IP routes are configured to direct the desired traffic through the VPN tunnel interface. This configuration method is supported only on Cisco Routers and is based on GRE or VTI Tunnel Interfaces. For secure communication, Route-Based VPNs use also the IPSEC protocol on top of the GRE or VTI tunnel to encrypt everything.
The Table below shows the main differences between Policy-Based and Route-Based VPNs: