Chapter8 Renewable Energy Quiz

Study Notes

VPNs are used to ensure data integrity, authentication, and encryption to ensure confidentiality of packets over unprotected networks or the internet.
They were originally used to avoid the cost of leased lines, but now are crucial for security, and in some cases privacy.
Many different protocols have been employed for VPN implementations, including PPTP, L2F, L2TP, GRE, MPLS VPN, IPsec, and SSL.
PPTP, L2F, L2TP, and some MPLS VPN deployments do not include data integrity, authentication, or encryption. Combine L2TP, GRE, and MPLS with IPsec for these benefits.

Site-to-site VPNs: Enable connections between two or more network infrastructure devices in different sites to communicate over a shared medium (like the internet). Common protocols for these VPNs include IPsec, GRE and MPLS.
Remote-access VPNs: Allow users to connect to a company's network from any remote location (home, hotel, etc.) as if they were directly connected to the network. This is used when employees work from home/remotely.

Uses Internet Key Exchange (IKE) protocol to establish secure site-to-site or remote-access tunnels.
IKE is a framework provided by the Internet Security Association and Key Management Protocol (ISAKMP).
IKEv1 Phase 1: Attributes exchanged include encryption algorithms, hashing algorithms, Diffie-Hellman groups, authentication method, and vendor-specific attributes
IKEv1 Phase 2: Negotiation of IPsec security associations (SAs). IKEv2 is more efficient, with fewer packets exchanged.
IKE version 2 (IKEv2) adds enhancements like Dead Peer Detection (DPD), NAT Traversal (NAT-T), and Initial Contact.
Security associations (SAs) are unidirectional
There are two modes for SAs:
- Transport mode: Protects upper-layer protocols (like UDP and TCP) in the IP packet
- Tunnel mode: Protects the entire IP packet, for use with multicast traffic, or where the whole packet needs to be protected.
SAs are typically negotiated in "main mode" or "aggressive mode". "main mode" offers added security with pre-shared keys, while "aggressive mode" is common with remote-access VPN configurations.
IKEv1 and IKEv2 are incompatible, and cannot be used together for VPN tunnels. Use of IKEv2 is generally preferred due to its improved security and performance features.

Leverages the SSL/TLS protocol
Popular for remote web access to internal resources (like websites, file shares, internal apps)
Clientless access possible, where no additional software needs to be installed on the clients (end-user side). This is more common with public or non-trusted computers like internet kiosks.
Supports a range of business applications.
Supports port forwarding for application-specific access.
Supports smart tunnels for managing specific application traffic over the SSL VPN tunnel.
More efficient operation when paired with firewalls and NAT. Using TCP port 443 as the standard port, this reduces the potential need for specific firewall configurations.

NAT Traversal (NAT-T): Used to work around network address translation (NAT) problems that frequently occur with IPsec VPN deployments.
Firewall Considerations: VPNs often use specific ports (e.g., UDP port 4500 for IKEv2).
Traffic Filtering (Optional): Firewalls and security appliances can be configured to filter the traffic that passes through the VPN. Filtering will improve security if done correctly.

Podcast