VPN: Virtual Private Network

​An encrypted (private) connection over the (public) Internet from a device to a network or a network to a network.

• A VPN uses tunneling (via port forwarding or by encapsulating data using one protocol inside of another protocol) to encrypt data at the sending end and decrypt it at the receiving end

• A VPN concentrator (gateway) handles encryption an decryption either as a standalone device (hardware) or as a feature integrated into the firewall (software)

• Protects the data in transit from eavesdropping or other undesirable situations.

​Remote Access VPN
(Client to Site)

​How it works 

1. A user installs a VPN client software on their device

2. The software authenticates the user and creates an encrypted tunnel to the VPN gateway

3. The gateway acts as the VPN server, allowing the user to access the network

​Site to Site VPN

​Use case:

Primarily used by businesses with multiple locations to connect their networks and securely share data across different sites, enabling secure data transfer between different network locations and a cost-effective alternative to dedicated private lines.

 
How it works:

VPN gateways at each site encrypt data before sending it over the internet, and the receiving site decrypts it upon arrival, providing seamless and secure access to shared resource.

How SSL VPN works:

A user connects to the SSL VPN gateway using a web browser

The VPN gateway presents a secure page for the user to authenticate

If the user authenticates, the SSL VPN creates an encrypted connection between the user's device and the network

The user can then access the network's applications, files, and services

​SSL VPN - uses SSL or TLS encryption to provide authentication and confidentiality at the application layer between the user's browser and the network. (HTTPS)

IPsec VPN- a secure network connection that uses IPsec protocols to encrypt data at the Network layer as it travels over the internet (Popular with Unix, Linux, MacOS, and Windows)

How it works 

Two devices establish a mutual authentication

The devices exchange cryptographic keys

The devices encapsulate data packets, encrypting them and adding an IPsec header

The data is sent over the internet to the VPN server

The VPN server decrypts the data using the correct cryptographic key

Provides authentication, integrity and confidentiality through encryption of IP packets. Include anti-replay

​Encapsulating Security Payload (ESP)

Provides data integrity and transport protection services. Designed to be inserted into an IP packet to add authentication data and protect the contents from modification, but does not encrypt the packet.

​Authentication Header (AH)

IPsec Protocols - stands for Internet Protocol Security, is a network security protocol that encrypts data transmitted across IP networks

​Internet Key Exchange (IKE)

Manages the key negotiation process for establishing a secure communication channel (Security Association (SA)) over an untrusted network.

Exchanges encryption keys to create a secure tunnel between a client and a server through which they can send encrypted traffic based on the Diffie-Hellman key exchange.

Hosts behind one gateway communicate securely with multiple hosts behind the other gateway.

For example, users of systems in a branch office can securely connect with any systems in the main office (i.e. printer server, file server, mail server)

The IPsec tunnel is established between the two gateway hosts, and the entire IP packet including the IP header is encapsulated into a new UP packet. Generally considered more secure

​Tunnel Mode

Two hosts that need to interact with one another (temporarily) set up a directly connected IPsec VPN connection.

For example, to enable a remote IT support technician to log in to a remote server to do maintenance work.

Encrypts only payload (data) of the IP packet, not the header and requires both endpoints of the VPN tunnel to be hosts.

​Transport Mode

IPSec Modes - IPsec has two modes of operation

Air Gapping

​ isolating a computer or network and preventing it from establishing an external connection.

• An air-gapped computer is physically segregated and incapable of connecting wirelessly or physically with other network devices.

• Air-gapped networks are used to protect many types of critical systems from hackers or other malicious threat actors. (stock market, military, industrial power systems, and government industries)

• Air gaps are also used for backup and recovery. (i.e. Ransomware attack)

Exit Slip

You are almost there!

Today, hopefully, you learned about VPN's and IPsec. If you not, you must be living in a tunnel. Get it? VPN? Tunnel? Well, if you paid attention today you would know that was a funny little network security joke. Anyway, answer the following 6 questions to show how well you understood the lesson. Good luck!

Congratulations!

​You are VPN credible!

Did you get all 5 right? Or at least 4? If you did, give yourself a pat on the back and stunt on your neighbor. If not, turn the VPN in your brain on next lesson a create a secure tunnel to Mr. Carr's lecture.