SSL VPN and VPN Technologies
As defined in RFC 2828, a Virtual Private Network (VPN) is:
A restricted-use, logical (i.e., artificial or simulated) computer network that is constructed from the system resources of a relatively public, physical (i.e., real) network (such as the Internet), often by using encryption (located at hosts or gateways), and often by tunneling links of the virtual network across the real network.
We cover network security in detail in many courses such as Cisco CyberOps.
There are three distinct types of VPN technologies that are available today, as follows:
- Secure Virtual Private Networks
- Trusted Virtual Private Networks
- Hybrid Virtual Private Networks
This blog post will cover all three.
Secure Virtual Private Networks
Secure VPNs are also referred to as Cryptographic VPNs. These VPN types use cryptographic technologies and protocols to ensure the confidentiality, integrity, and authenticity of data. Secure VPNs are often deployed over insecure communication channels, such as the Internet. These VPN types are commonly used to replace or augment existing point-to-point networks that utilize dedicated leased lines (e.g. T1/E1 and T3/E3 circuits) or even WAN networks over common technologies such as Frame Relay. Secure VPN technologies include:
- IP Security (IPsec) – covered in another blog post
- Layer 2 Tunneling Protocol (L2TP) over IPsec
- Point-to-Point Tunneling Protocol (PPTP)
- SSL Encryption (SSL VPN)
The Layer 2 Tunnel Protocol (L2TP) is an emerging Internet Engineering Task Force (IETF) standard that combines the best features of two existing tunneling protocols: Cisco’s Layer 2 Forwarding (L2F) and Microsoft’s Point-to-Point Tunneling Protocol (PPTP). L2F is beyond the scope of the IINS course requirements. L2TP is one of the key building blocks for virtual private networks in the dial access space. It does not provide any encryption on its own but can be deployed in conjunction with IPsec to provide encryption services and data confidentiality.
The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. In a manner similar to L2TP, PPTP does not provide confidentiality or encryption by itself and, as such, is typically deployed in conjunction with IPsec to provide encryption services and data confidentiality. PPTP has been made obsolete by L2TP and IPsec.
The SSL VPN solution offers a flexible and highly secure way to extend network resources to virtually any remote user with access to the Internet and a web browser. Unlike traditional VPNs that require software programs to allow client machines to connect to the VPN, the SSL VPN is accessible via HTTP over almost all web browsers. This flexibility also allows SSL VPN technology to be customized for special applications. SSL VPNs support asymmetric algorithms, such as RSA and the Diffie-Hellman protocol, for authentication and key exchange. Additionally, SSL VPNs use symmetric algorithms, such as DES, Triple-DES, and AES, for encryption.
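The split described above, asymmetric algorithms to agree the session key and a symmetric cipher to protect the tunnel, is exactly what a TLS cipher-suite name encodes. The following Python is an added example (not from the original post or from Cisco) that classifies OpenSSL-style suite names along those two roles and builds a server-side TLS context that only negotiates ephemeral Diffie-Hellman with AES; the SAMPLE_OFFER list is constructed for illustration.

```python
import ssl

# Constructed sample: suite names a headend might advertise (OpenSSL naming).
# Not taken from any real appliance.
SAMPLE_OFFER = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",      # static RSA key transport: no forward secrecy
    "DES-CBC3-SHA",    # Triple-DES bulk cipher
    "DES-CBC-SHA",     # single-DES bulk cipher
]


def classify(name):
    """Split a suite name into the two roles the post describes:
    how the session key is agreed, and which symmetric cipher protects the tunnel."""
    if name.startswith(("ECDHE", "DHE")):
        kex = "ephemeral Diffie-Hellman"        # fresh DH share per session
    elif name.startswith("TLS_"):
        kex = "TLS 1.3 (always ephemeral DH)"   # TLS 1.3 names omit the key exchange
    else:
        kex = "RSA key transport"               # session key encrypted to the server's RSA key
    if "DES-CBC3" in name or "3DES" in name:
        bulk = "3DES"
    elif "DES" in name:
        bulk = "DES"
    elif "AES" in name:
        bulk = "AES"
    else:
        bulk = "other"
    return kex, bulk


def weak_suites(offer):
    """Suites a headend policy should drop: single DES, Triple-DES, or static RSA."""
    return [n for n in offer
            if classify(n)[1] in ("DES", "3DES") or classify(n)[0] == "RSA key transport"]


def harden_context():
    """Server-side TLS context restricted to ephemeral (EC)DH key exchange and AES-GCM."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!DES:!3DES:!MD5")
    return ctx


def negotiable_weak(ctx):
    """Weak suites the context would still negotiate (expected: none)."""
    return weak_suites([c["name"] for c in ctx.get_ciphers()])
```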
SSL VPNs are becoming very popular and are perceived by many as a solid alternative and possible replacement for all IPsec VPNs. However, it should be noted that SSL VPNs can be deployed on routers in conjunction with IPsec VPNs (although this does have some performance impact), allowing greater secure VPN flexibility. The three most common secure VPN deployment scenarios are:
- Intranet-based VPNs
- Internet-based VPNs
- Extranet-based VPNs
An Intranet-based VPN is used to provide protection for private communications within an enterprise or organization that may or may not involve traffic traversing a WAN. An Intranet-based VPN connection takes advantage of IP connectivity in an organization intranet. The following diagram illustrates an Intranet-based VPN. This VPN type is used to allow secure communication between users and hosts in the Sales and Finance departments of Company Z:
Internet-based VPNs are the most common types of VPNs. These VPNs protect private communications over the public network, or Internet. Internet-based VPNs can take several forms. Although there are numerous types of secure Internet-based VPNs, the only type that falls within the confines of the IINS course requirements is a site-to-site VPN using IPsec. The following diagram serves to illustrate a typical site-to-site Internet-based VPN between two different office locations of the same company:
Another common Internet-based VPN is a remote access VPN. A remote access VPN is used to establish a secure connection to a trusted network over unsecure communications channels, such as the Internet. A remote access VPN is illustrated in the following diagram:
In the diagram illustrated above, the home-based employee uses a remote VPN to establish a secure connection to the corporate network. The home-based employee uses software installed onto his or her PC to establish a connection to the VPN termination device, also referred to as the headend VPN device. Once a secure connection has been established, the home-based employee is able to access internal network resources in the same manner as employees physically located at the corporate office.
Extranet-based VPNs provide private communications between two or more separate entities. For example, a company can deploy an extranet VPN between its headquarters and certain business partner networks. The business partner is given access only to the headquarters’ public server to perform various IP-based network tasks, such as placing and managing product orders, as illustrated in the following diagram:
Trusted Virtual Private Networks
Trusted VPNs are also referred to as non-cryptographic VPNs. These VPN technologies are usually provided by a dedicated service provider. Trusted VPNs allow service providers to offer a dedicated or leased circuit or channel to a customer, which allows pseudo point-to-point communication for different customer locations.
Unlike secure VPNs, the security and integrity of trusted VPN traffic relies on the fact that the circuit is not shared because each circuit is dedicated to a single site. Trusted VPN technologies are beyond the scope of the IINS course requirements and will not be described further.
Hybrid Virtual Private Networks
A hybrid VPN is a combination of both a trusted VPN and a secure VPN. Hybrid VPNs are an emerging technology that is slowly gaining momentum. While going into detail on the hybrid VPN technologies is beyond the scope of the IINS course requirements, it is important to note that a hybrid VPN is only secure in the parts that are based on secure VPNs. That is, adding a secure VPN to a trusted VPN does not increase the security for the entire trusted VPN, only to the part that was directly secured. The secure VPN only acquires the advantages of the trusted VPN.
Please read the Cisco SSL VPN guide.