Read: Class 05 VPN Tunnel - VascoLucas01/networking-reading-notes GitHub Wiki

Introduction

This section discusses VPNs and their several types. All of this Read was based on the documentation referred to in REFERENCES.

Network-Layer Security: IPsec and Virtual Private Networks

The IP security protocol, more commonly known as IPsec, provides security at the network layer. IPsec secures IP datagrams between any two network-layer entities, including hosts and routers. As will soon be described, many institutions (corporations, government branches, non-profit organizations, and so on) use IPsec to create virtual private networks (VPNs) that run over the public Internet.

Before getting into the specifics of IPsec, let’s step back and consider what it means to provide confidentiality at the network layer. With network-layer confidentiality between a pair of network entities (for example, between two routers, between two hosts, or between a router and a host), the sending entity encrypts the payloads of all the datagrams it sends to the receiving entity. The encrypted payload could be a TCP segment, a UDP segment, an ICMP message, and so on. If such a network-layer service were in place, all data sent from one entity to the other—including e-mail, Web pages, TCP handshake messages, and management messages (such as ICMP and SNMP)—would be hidden from any third party that might be sniffing the network. For this reason, network-layer security is said to provide “blanket coverage.”

In addition to confidentiality, a network-layer security protocol could potentially provide other security services. For example, it could provide source authentication, so that the receiving entity can verify the source of the secured datagram. A network-layer security protocol could provide data integrity, so that the receiving entity can check for any tampering of the datagram that may have occurred while the datagram was in transit. A network-layer security service could also provide replay-attack prevention, meaning that Bob could detect any duplicate datagrams that an attacker might insert. We will soon see that IPsec indeed provides mechanisms for all these security services, that is, for confidentiality, source authentication, data integrity, and replay-attack prevention.
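As an added illustration of the replay-attack prevention mentioned above (this is example code written for these notes, not code from the textbook or from any IPsec implementation), the following Go program implements the kind of sliding anti-replay window an IPsec ESP receiver keeps: every datagram carries a sequence number, and the receiver compares it with the highest number accepted so far plus a 64-bit bitmap of recently seen numbers, so a re-injected duplicate is rejected while modest reordering on the Internet path is still tolerated. The arrival order in `main` is constructed.

```go
package main

import "fmt"

// replayWindow is an RFC 4303 style anti-replay window: the receiver remembers
// the highest sequence number accepted (top) and a 64-bit bitmap recording
// which of the 64 numbers at or below it have already been accepted.
type replayWindow struct {
	top    uint32
	bitmap uint64
}

// accept reports whether seq is fresh and, if so, records it. In a real ESP
// receiver the record step runs only after the datagram's integrity check
// has passed, so forged sequence numbers cannot move the window.
func (w *replayWindow) accept(seq uint32) bool {
	switch {
	case seq == 0: // the first datagram of an SA carries 1; 0 is never valid
		return false
	case seq > w.top: // newer than anything seen: slide the window forward
		if shift := seq - w.top; shift >= 64 {
			w.bitmap = 0
		} else {
			w.bitmap <<= shift
		}
		w.top = seq
		w.bitmap |= 1
		return true
	}
	diff := w.top - seq
	if diff >= 64 { // older than the window can remember: drop it
		return false
	}
	if w.bitmap&(1<<diff) != 0 { // already accepted once: this is a replay
		return false
	}
	w.bitmap |= 1 << diff
	return true
}

// Simulate feeds an arrival order of sequence numbers to a fresh window and
// returns, for each arrival, whether the receiver would accept it.
func Simulate(arrivals []uint32) []bool {
	var w replayWindow
	out := make([]bool, len(arrivals))
	for i, s := range arrivals {
		out[i] = w.accept(s)
	}
	return out
}

func main() {
	// Constructed arrival order: datagrams 1-4 arrive slightly reordered, then
	// an attacker re-injects a captured copy of datagram 2, then a very stale
	// datagram (30) arrives long after 100 was accepted.
	arrivals := []uint32{1, 3, 2, 4, 2, 100, 30}
	for i, ok := range Simulate(arrivals) {
		fmt.Printf("seq %3d -> accepted=%v\n", arrivals[i], ok)
	}
}
```

The default window size of 64 and the rule that sequence number 0 is invalid follow RFC 4303. Two details matter in practice: the receiver updates the window only after the integrity check succeeds, and the sender must not let the 32-bit counter wrap, so a long-lived security association has to be rekeyed before that happens.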

IPsec and Virtual Private Networks (VPNs)

An institution that extends over multiple geographical regions often desires its own IP network, so that its hosts and servers can send data to each other in a secure and confidential manner. To achieve this goal, the institution could actually deploy a stand-alone physical network—including routers, links, and a DNS infrastructure—that is completely separate from the public Internet. Such a disjoint network, dedicated to a particular institution, is called a private network. Not surprisingly, a private network can be very costly, as the institution needs to purchase, install, and maintain its own physical network infrastructure.

Instead of deploying and maintaining a private network, many institutions today create VPNs over the existing public Internet. With a VPN, the institution’s inter-office traffic is sent over the public Internet rather than over a physically independent network. But to provide confidentiality, the inter-office traffic is encrypted before it enters the public Internet. A simple example of a VPN is shown in Figure 8.27. Here the institution consists of a headquarters, a branch office, and traveling salespersons that typically access the Internet from their hotel rooms. (There is only one salesperson shown in the figure.) In this VPN, whenever two hosts within headquarters send IP datagrams to each other or whenever two hosts within the branch office want to communicate, they use good-old vanilla IPv4 (that is, without IPsec services). However, when two of the institution’s hosts communicate over a path that traverses the public Internet, the traffic is encrypted before it enters the Internet.

image

To get a feel for how a VPN works, let’s walk through a simple example in the context of the figure above. When a host in headquarters sends an IP datagram to a salesperson in a hotel, the gateway router in headquarters converts the vanilla IPv4 datagram into an IPsec datagram and then forwards this IPsec datagram into the Internet. This IPsec datagram actually has a traditional IPv4 header, so that the routers in the public Internet process the datagram as if it were an ordinary IPv4 datagram—to them, the datagram is a perfectly ordinary datagram. But, as shown in the figure above, the payload of the IPsec datagram includes an IPsec header, which is used for IPsec processing; furthermore, the payload of the IPsec datagram is encrypted. When the IPsec datagram arrives at the salesperson’s laptop, the OS in the laptop decrypts the payload (and provides other security services, such as verifying data integrity) and passes the unencrypted payload to the upper-layer protocol (for example, to TCP or UDP).
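The walk-through above can be made concrete. The following Go program is an added example written for these notes, not code from the textbook or from any IPsec stack: it models the headquarters gateway wrapping a vanilla IPv4 datagram in an ESP-style tunnel-mode datagram (an outer IPv4 header with protocol 50, an ESP header made of SPI and sequence number, then the encrypted inner datagram and its authentication tag) using AES-GCM, and the laptop unwrapping it, verifying integrity, and rejecting a copy that was altered in transit. The addresses, the SPI, the shared key and the "hello from HQ" payload are all constructed for the example, and the ESP framing is simplified: no padding or next-header trailer, no IKE key negotiation, and the anti-replay check on the returned sequence number is left to the caller.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed demo key shared by gateway and laptop (real IPsec negotiates it with IKE).
var demoKey = []byte("0123456789abcdef")

const protoESP = 50 // protocol number the outer IPv4 header carries for ESP

// ipv4Header builds a minimal 20-byte IPv4 header (checksum left zero).
func ipv4Header(src, dst [4]byte, proto byte, payloadLen int) []byte {
	h := make([]byte, 20)
	h[0], h[8], h[9] = 0x45, 64, proto // version 4 with IHL 5, TTL, protocol
	binary.BigEndian.PutUint16(h[2:], uint16(20+payloadLen))
	copy(h[12:], src[:])
	copy(h[16:], dst[:])
	return h
}

type Tunnel struct { // one direction of an ESP security association
	aead          cipher.AEAD // AES-GCM keyed with the shared key
	spi, seq      uint32      // SPI identifies the SA; seq counts sent datagrams
	local, remote [4]byte     // outer addresses: this endpoint and its peer
}

func newTunnel(key []byte, spi uint32, local, remote [4]byte) *Tunnel {
	block, _ := aes.NewCipher(key)  // demoKey is a valid 16-byte AES key
	aead, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	return &Tunnel{aead: aead, spi: spi, local: local, remote: remote}
}

// Encapsulate (gateway side, tunnel mode) wraps the whole inner datagram as
// [outer IPv4][SPI|seq][nonce][ciphertext|tag]; the ESP header is the AAD.
func (t *Tunnel) Encapsulate(inner []byte) []byte {
	t.seq++
	esp := make([]byte, 8)
	binary.BigEndian.PutUint32(esp[0:], t.spi)
	binary.BigEndian.PutUint32(esp[4:], t.seq)
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	body := append(append(esp, nonce...), t.aead.Seal(nil, nonce, inner, esp)...)
	return append(ipv4Header(t.local, t.remote, protoESP, len(body)), body...)
}

// Decapsulate (laptop side) checks outer protocol and SPI, verifies the tag
// (integrity, and source authentication since only the peer holds the key),
// then decrypts. The sequence number is returned for an anti-replay check.
func (t *Tunnel) Decapsulate(pkt []byte) (inner []byte, seq uint32, err error) {
	ns := t.aead.NonceSize()
	if len(pkt) < 28+ns+t.aead.Overhead() || pkt[0]>>4 != 4 || pkt[9] != protoESP {
		return nil, 0, errors.New("not a well-formed IPv4/ESP datagram")
	}
	esp := pkt[20:28]
	if binary.BigEndian.Uint32(esp) != t.spi {
		return nil, 0, errors.New("unknown SPI")
	}
	if inner, err = t.aead.Open(nil, pkt[28:28+ns], pkt[28+ns:], esp); err != nil {
		return nil, 0, errors.New("integrity check failed: tampered or wrong key")
	}
	return inner, binary.BigEndian.Uint32(esp[4:]), nil
}

type Result struct {
	Outer, Recovered []byte // as seen on the public Internet / by the laptop
	Seq              uint32
	TamperErr        error // result of delivering a copy with one byte flipped
}

// RunScenario plays the figure: HQ host sends, gateway encapsulates, laptop
// decapsulates; then a copy altered in transit is delivered and rejected.
func RunScenario() (Result, error) {
	gwAddr := [4]byte{203, 0, 113, 1}   // constructed: HQ gateway public address
	laptop := [4]byte{198, 51, 100, 77} // constructed: salesperson's hotel address
	hqHost := [4]byte{10, 0, 0, 5}      // constructed: host inside headquarters
	gw := newTunnel(demoKey, 0x1000, gwAddr, laptop)
	lp := newTunnel(demoKey, 0x1000, laptop, gwAddr)
	payload := []byte("hello from HQ") // constructed stand-in for a TCP segment
	inner := append(ipv4Header(hqHost, laptop, 6, len(payload)), payload...)
	outer := gw.Encapsulate(inner)
	recovered, seq, err := lp.Decapsulate(outer)
	tampered := append([]byte(nil), outer...)
	tampered[len(tampered)-1] ^= 0xff // one byte of ciphertext/tag flipped in transit
	_, _, tamperErr := lp.Decapsulate(tampered)
	return Result{outer, recovered, seq, tamperErr}, err
}

func main() {
	r, err := RunScenario()
	fmt.Printf("err=%v tampered=%v payload=%q\n", err, r.TamperErr, r.Recovered)
}
```

Note what the routers on the public Internet see: only the outer header with the gateway and laptop addresses and protocol 50; the inner header (with the headquarters host's private address) and the payload sit inside the ciphertext. Because the authentication tag covers both the payload and the ESP header, flipping any byte makes `Open` fail and the datagram is dropped before anything reaches the upper layer.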

I have just given a high-level overview of how an institution can employ IPsec to create a VPN.

From the next section I will base myself on the explanation and images I heard from Professor Messer in order to make a summary and focus on the points that I consider most important.

VPNs

Normally, you would be connecting to a VPN concentrator. This might be something integrated into a firewall, or might be a standalone device specifically designed for VPNs.

There are many ways to implement a VPN. You could use specialized hardware, or you could have a software-based VPN that's using an existing server. This is usually integrated with software that's running in the client device.

Client-to-site VPN

image

Suppose a host wants to send and receive data to some of the devices on the corporate network, but wants to be sure that all of this communication is encrypted.

The host would use software on his laptop to create this VPN tunnel. This software is commonly configured as on-demand, so he would turn it on or off as needed, or it may be configured as always-on. When he starts this software, it encrypts all of the data that he needs to send between his workstation and the VPN concentrator. The VPN concentrator receives the encrypted data, decrypts the information, and sends it into the corporate network. The process is reversed on the way back, and the laptop is responsible for decrypting the data when it is received on the other side.

Site-to-site VPN

A site-to-site Virtual Private Network (VPN) refers to a connection set up between multiple networks. This could be a corporate network where multiple offices work in conjunction with each other or a branch office network with a central office and multiple branch locations.

Site-to-site VPNs are useful for companies that prioritize private, protected traffic and are particularly helpful for organizations with more than one office spread out over large geographical locations. These businesses often have to access resources housed on a primary network, which could include servers that facilitate email or store data. In some instances, a server may be the operational hub of an application essential to the company’s business. A site-to-site VPN can, in that case, give all sites full access to the application—as if it were housed within their physical facility.

The modern iteration of a VPN gained popularity because of people wanting to mask their IP addresses and surf the internet more safely. A hidden IP address gives you the freedom to download torrents without revealing who you are. You can also gain access to geo-blocked content, regardless of your location. In addition, on a public network, you have to deal with a constant barrage of cyberattacks, but with a VPN, you can enjoy a more secure, encrypted connection. These attributes made private VPNs a top choice among individual users.

However, VPNs designed for one—or a few—users at a time do not have the capabilities to serve the needs of a large organization. In many cases, big companies must send many terabytes of data between locations, quickly and safely, and the kind of VPN sufficient for a normal torrent user or web surfer would not be able to handle the workload.

Let's see the figure below:

image

Imagine that we have a corporate network and a remote site, and we would like all communication between those sites to be encrypted over a VPN. This is a configuration that should be set to always-on, because there would never be a time when you would not want to secure the data between those locations.

Often the firewall here is used as the VPN concentrator, as we saw in the Client-to-site VPN, so you would create an encrypted tunnel between those two firewalls, and each firewall, acting as the VPN concentrator, would be responsible for decrypting that data and sending it into the local network.

Clientless VPNs

The latest browsers in our devices are able to use Hypertext Markup Language version 5, or HTML5. HTML5 includes a number of enhanced capabilities, including API support and a Web Cryptography API. This means your browser has the ability to perform cryptographic functions within the browser itself and can effectively act as a VPN endpoint. This means you would not have to install any additional software or have any support for VPNs built into your operating system. Instead, you would have a clientless VPN that operates entirely from the HTML5 browser.

Full Tunnel

In the Client-to-site VPN explanation, the host had a VPN tunnel to a VPN concentrator, which dropped all of that traffic onto the corporate network. But there may be times when this host needs to communicate with devices that are elsewhere on the Internet. If that VPN is configured as a full tunnel, then all of the traffic sent to the corporate network would be sent over that tunnel, and any traffic that needed to go elsewhere on the Internet would first need to go to the VPN concentrator at the corporate network and then be redirected to the devices out on the Internet.

Split Tunnel

With a split tunnel, the VPN administrator can determine what traffic is sent over the VPN and what traffic can be sent outside of the scope of the VPN.

This allows the host to communicate with the rest of the Internet without using any resources located on the VPN concentrator at the corporate network.
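To show the full-tunnel versus split-tunnel difference as the routing decision a VPN client actually makes, here is an added Go example written for these notes (it is not from Professor Messer's material or from any VPN product). The client's policy holds the concentrator's public address and, for split tunnel, the list of corporate prefixes; `Route` returns whether a packet for a given destination goes into the tunnel or straight out of the local interface. All addresses and prefixes are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Mode is the tunnel policy described in the notes.
type Mode int

const (
	FullTunnel  Mode = iota // everything goes through the concentrator
	SplitTunnel             // only corporate destinations do
)

// Policy is what the VPN client is configured with (constructed values below).
type Policy struct {
	Mode         Mode
	Concentrator netip.Addr     // public address of the VPN concentrator
	Corporate    []netip.Prefix // prefixes reachable only through the tunnel
}

// Route decides where a packet for dst goes: "tunnel", "direct" or "drop".
func (p Policy) Route(dst netip.Addr) string {
	if !dst.IsValid() {
		return "drop"
	}
	// Packets addressed to the concentrator are the encrypted tunnel packets
	// themselves; they must always leave directly, in either mode, or the
	// tunnel could never be established.
	if dst == p.Concentrator {
		return "direct"
	}
	if p.Mode == FullTunnel {
		return "tunnel"
	}
	for _, pfx := range p.Corporate {
		if pfx.Contains(dst) {
			return "tunnel"
		}
	}
	return "direct"
}

// ExamplePolicy builds the constructed policy used by the demo: a concentrator
// at 203.0.113.10 and two corporate prefixes.
func ExamplePolicy(mode Mode) Policy {
	return Policy{
		Mode:         mode,
		Concentrator: netip.MustParseAddr("203.0.113.10"),
		Corporate: []netip.Prefix{
			netip.MustParsePrefix("10.0.0.0/8"),
			netip.MustParsePrefix("192.168.10.0/24"),
		},
	}
}

// Classify routes each destination under both modes for side-by-side comparison.
func Classify(dsts []string) map[string][2]string {
	full, split := ExamplePolicy(FullTunnel), ExamplePolicy(SplitTunnel)
	out := make(map[string][2]string, len(dsts))
	for _, d := range dsts {
		a, _ := netip.ParseAddr(d) // zero Addr on parse error, which Route drops
		out[d] = [2]string{full.Route(a), split.Route(a)}
	}
	return out
}

func main() {
	// Constructed destinations: a file server at HQ, a public web server,
	// the concentrator itself, and a malformed address.
	dsts := []string{"10.1.2.3", "198.51.100.5", "203.0.113.10", "not-an-ip"}
	for d, r := range Classify(dsts) {
		fmt.Printf("%-14s full=%-7s split=%s\n", d, r[0], r[1])
	}
}
```

In split-tunnel mode everything outside the corporate prefixes bypasses the concentrator, which is exactly the traffic the corporate firewall and its logging never see; the prefix list is therefore a security policy decision, not just a routing convenience.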

Remote Desktop Connection

This allows you to be in one location but see and control the desktop of a remote device. You can remote into a Windows device even though you might be using a completely different operating system.

If you are using a remote desktop on a Linux or a Mac OS device, then you're probably using VNC (Virtual Network Computing). This uses RFB, or the remote frame buffer protocol, to be able to share the screen and control the remote desktop.

Remote Desktop Gateway

In an enterprise environment, you may need a secure gateway to provide access to these remote desktops.

To provide this functionality, you might have remote desktop clients communicating with a centralized Remote Desktop Gateway over SSL. SSL is Secure Sockets Layer, or what today we call TLS (Transport Layer Security); it allows someone to authenticate to the Remote Desktop Gateway and then connect to remote desktop services that may be on the internal network.

image

In this case the Remote Desktop Gateway is acting as a proxy to all the remote desktop servers.

SSH (Secure Shell)

If you are communicating with the terminal session of a remote device, especially a Mac OS or Linux device, then you are probably using SSH, or Secure Shell.

SSH ensures that the entire communication is secure and encrypted.

Cloud-hosted virtual desktops

In some environments you may find that the user doesn't have a full sized desktop or laptop computer at their desk. Instead, they have a thin client and they connect to a virtual desktop infrastructure. If you move that VDI to the cloud, you can now have a cloud hosted virtual desktop and be able to access nearly any operating system from your browser.

In all of these implementations, the communication from your local machine to the cloud-based virtual desktop is over an encrypted channel, very similar to performing a remote desktop connection. This allows you to have a desktop set up in the cloud that you can then access from a browser, while all of that communication remains secure.

Questions

  • What is a site-to-site VPN?

A site-to-site VPN, also known as a router-to-router VPN, is a type of virtual private network that allows two or more geographically separate local area networks (LANs) to be connected securely over the internet. It creates a secure tunnel between the two networks, encrypting all the data that passes through it, and ensuring that only authorized parties can access the information.

A site-to-site VPN is commonly used by businesses with multiple locations to securely connect their networks and share resources such as files, databases, and applications. It is also used by organizations that need to connect their remote workers to their headquarters or other office locations. With a site-to-site VPN, remote users can access the company's resources as if they were physically present in the office.

The setup of a site-to-site VPN involves configuring VPN routers at each end of the connection, which establishes the secure tunnel between the networks. The VPN routers may use various protocols, such as IPsec (Internet Protocol Security) or SSL (Secure Sockets Layer), to encrypt and authenticate the data that passes through the tunnel.

image

For example, in the figure above, the routers at each end of the connection are labeled pfSense0 and pfSense1, and they establish an IPsec tunnel between them.

  • What is TCP/IP and what is it used for?

It stands for Transmission Control Protocol/Internet Protocol and is the backbone of the internet. TCP/IP is a set of protocols that establish how data is transmitted and received over the internet.

TCP is responsible for ensuring that data is transmitted accurately and in the correct order, while IP is responsible for routing the data packets between devices on the internet. TCP/IP is a layered protocol, with each layer responsible for a specific aspect of data transmission.

  • What are some popular reasons for using a VPN?

Some popular reasons are security and privacy. VPNs allow data to be transmitted in a secure manner and allow users to connect to the headquarters of the company while making it difficult for others to intercept and read the data. VPNs also help to protect users' online privacy by masking their IP address and location.

  • Explain the difference between the three types of VPNs.

Remote access VPN: This type of VPN allows users to securely connect to a private network from their laptop from anywhere, such as from home or the beach. A remote access VPN typically uses a client application installed on the user's device to establish a secure connection to the VPN server.

Intranet-based site-to-site VPN: This type of VPN is used to connect two or more private networks located in different physical locations. All traffic between the networks is encrypted and transmitted over the public internet.

Extranet-based site-to-site VPN: This type of VPN is similar to an intranet-based site-to-site VPN, but it is used to connect two or more private networks that belong to different organizations or companies. An extranet-based site-to-site VPN allows authorized users from each organization to securely access resources on the other organization's network.

REFERENCES

1 - https://www.kaspersky.com/resource-center/definitions/what-is-a-vpn

2 - Computer Networking: A Top-Down Approach, Kurose & Ross, Seventh Edition

3 - https://www.professormesser.com/network-plus/n10-008/n10-008-video/remote-access-n10-008/

4 - https://www.professormesser.com/network-plus/n10-008/n10-008-video/other-useful-protocols-n10-008/