Chapter 7 - 07 - Discuss Fundamentals of VPN and its importance in Network Security - 03_ocred.pdf

Full Transcript


Certified Cybersecurity Technician Network Security Controls — Technical Controls Exam 212-82

VPN Concentrators

- A VPN concentrator is a network device used to create and manage a large number of VPN tunnels.
- It acts as a VPN router and is generally used to create a remote-access or site-to-site VPN.
- It uses tunnelling protocols to negotiate tunnel parameters, create and manage tunnels, encapsulate, transmit or receive packets through the tunnel, and de-encapsulate them.

VPN concentrators normally enhance the security of the connections made through a VPN. They are generally used when a single device needs to handle a large number of VPN tunnels, and they are best suited to building remote-access VPNs and site-to-site VPNs. VPN concentrators implement the security of tunnels using tunneling protocols. These protocols manage the following:

- Flow of packets through the tunnel
- Encryption and decryption of packets
- Creation of tunnels

A VPN concentrator works in two directions:

- It receives plain (unencrypted) packets from the trusted side, encrypts and encapsulates them, and sends them into the tunnel; the peer at the other end decrypts them and forwards them to the final destination.
- It receives encrypted packets from the tunnel, verifies their integrity, decrypts them, and forwards the recovered plain packets to the final destination on the trusted side.

Module 07 Page 915 Certified Cybersecurity Technician Copyright © by EC-Council
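The two-way operation described above, worked through as a small Python model. This is an added example, not code from the EC-Council material: two tunnel endpoints (a remote client and the concentrator) share a pre-shared secret, derive separate keys per direction, and the outbound side encrypts, adds a tunnel header and an integrity tag, while the inbound side checks the tag, rejects replays and only then decrypts. The SPI value, the pre-shared secret, the inner packet bytes and the HMAC-SHA256 keystream standing in for a real AEAD cipher (AES-GCM in ESP) are all constructed for illustration.

```python
"""Toy bidirectional VPN tunnel endpoint (added example, not EC-Council code).

Plain packets from the trusted side are encrypted, integrity-protected and
encapsulated; packets arriving from the tunnel are integrity-checked,
replay-checked and decrypted before being forwarded. The HMAC-SHA256 keystream
used as the "cipher" is an assumption standing in for AES-GCM/ESP so that the
example runs with the standard library only; it is not for production use.
"""
import hashlib
import hmac
import struct

HEADER = struct.Struct(">II")  # SPI (tunnel identifier) and sequence number, like an ESP header
TAG_LEN = 16                   # truncated HMAC-SHA256 integrity tag
REPLAY_WINDOW = 64             # how far behind the highest accepted sequence number we still accept


def derive_key(psk: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific key from the shared secret (simplified HKDF-style)."""
    return hmac.new(psk, label, hashlib.sha256).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC(key, nonce || counter) blocks.
    Assumption: stands in for a real AEAD cipher; the nonce must never repeat under one key."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class TunnelEndpoint:
    """One end of a tunnel. Each direction gets its own encryption and MAC keys (as IKE
    does), so the same sequence number used in both directions never reuses a keystream."""

    def __init__(self, spi: int, psk: bytes, role: str):
        send, recv = (b"i2r", b"r2i") if role == "initiator" else (b"r2i", b"i2r")
        self.spi = spi
        self.out_enc, self.out_mac = derive_key(psk, send + b"/enc"), derive_key(psk, send + b"/mac")
        self.in_enc, self.in_mac = derive_key(psk, recv + b"/enc"), derive_key(psk, recv + b"/mac")
        self.out_seq = 0        # last sequence number sent
        self.highest_in = 0     # highest inbound sequence number accepted
        self.seen = set()       # accepted inbound sequence numbers inside the replay window

    def encapsulate(self, inner: bytes) -> bytes:
        """Outbound: encrypt the inner packet, prepend the tunnel header, append an integrity tag."""
        if self.out_seq >= 0xFFFFFFFE:
            raise RuntimeError("rekey required before the 32-bit sequence counter wraps")
        self.out_seq += 1
        header = HEADER.pack(self.spi, self.out_seq)
        ciphertext = keystream_xor(self.out_enc, header, inner)
        tag = hmac.new(self.out_mac, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        return header + ciphertext + tag

    def decapsulate(self, outer: bytes) -> bytes:
        """Inbound: verify the tag first, then reject replays, and only then decrypt."""
        if len(outer) < HEADER.size + TAG_LEN:
            raise ValueError("truncated packet")
        header, body, tag = outer[:HEADER.size], outer[HEADER.size:-TAG_LEN], outer[-TAG_LEN:]
        spi, seq = HEADER.unpack(header)
        if spi != self.spi:
            raise ValueError("unknown SPI")
        expected = hmac.new(self.in_mac, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed: packet modified or forged")
        if seq <= self.highest_in - REPLAY_WINDOW or seq in self.seen:
            raise ValueError("replayed or stale sequence number")
        self.seen.add(seq)
        if seq > self.highest_in:
            self.highest_in = seq
            self.seen = {s for s in self.seen if s > seq - REPLAY_WINDOW}
        return keystream_xor(self.in_enc, header, body)


def rejects(endpoint: TunnelEndpoint, outer: bytes) -> bool:
    """True if the endpoint drops the packet (shows tamper, replay and wrong-SPI handling)."""
    try:
        endpoint.decapsulate(outer)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    psk = b"constructed-pre-shared-secret"                # constructed sample secret
    remote = TunnelEndpoint(0x1001, psk, "initiator")     # remote user's VPN client
    concentrator = TunnelEndpoint(0x1001, psk, "responder")
    inner = b"GET /intranet/ HTTP/1.1 from 10.8.0.7"     # constructed inner packet
    outer = remote.encapsulate(inner)
    print(concentrator.decapsulate(outer) == inner)      # plain packet forwarded to the intranet
    print(rejects(concentrator, outer))                  # same packet again: replay dropped
```

The ordering in `decapsulate` is the point to take away: the integrity tag is checked before anything else is done with the ciphertext, the replay window is checked before decryption, and the per-direction keys mean a packet captured in one direction cannot be reflected back in the other.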
Figure 7.105: VPN concentrator. (Diagram: a low-speed and a high-speed remote user connect over the public, untrusted segment through a router to a Cisco VPN 3000 Concentrator placed in parallel with the firewall; the private, trusted segment behind them contains an FTP server, file server, mail server, intranet server and authentication server.)

In the figure, the VPN concentrator is placed in parallel with the firewall and supports two remote users, one with a slow and one with a fast Internet connection. If the VPN concentrator is instead placed behind the firewall, the firewall must be configured to pass the tunnel traffic to it (for IPsec, IKE on UDP 500 and UDP 4500 plus ESP; for SSL VPNs, typically TCP 443), and the details of that configuration are vendor-dependent.

VPN concentrators provide a high level of security for both SSL/TLS and IPsec VPN architectures. An IPsec tunnel is implemented at the network layer (Layer 3) of the OSI model, so it protects all IP traffic sent into it regardless of application; an SSL/TLS VPN operates above the transport layer. A major benefit of a VPN concentrator is that a client physically outside the network is treated as if it were connected to the internal network and can reach internal resources accordingly. The corollary is that the remote endpoint's security posture matters as much as that of any internal host.

Functions of a VPN Concentrator

A VPN concentrator functions as a bidirectional tunnel endpoint. Its functions are:

- Encrypts and decrypts data
- Manages security keys
- Authenticates users
- Establishes tunnels
- Negotiates tunnel parameters
- Manages data transfer across the tunnel
- Assigns user addresses
- Manages inbound and outbound data transfers as a tunnel endpoint or router

A VPN concentrator adds security controls to those of a plain router, improving the security of the communication. Its functions in more detail:

Data encryption: The VPN concentrator encrypts the data. Being bidirectional, it encrypts the plain packets it receives from the trusted side before sending them into the tunnel, and decrypts packets arriving from the tunnel before forwarding them to their destination. It also manages the security keys (generation, exchange and rekeying) on which the encryption depends.

Managing tunnels: By adding advanced data and network security features, a VPN concentrator can create and manage a large number of VPN tunnels.
These tunnels protect the integrity of data exchanged between systems: each packet carries an integrity check, so packets that were modified or forged in transit are rejected. The concentrator negotiates the tunnel parameters (algorithms, keys and lifetimes) with its peer.

User authentication: A VPN concentrator authenticates at the computer (machine) level, at the user level, or both. In L2TP/IPsec, computer-level authentication is performed by IPsec (machine certificates or a pre-shared key) when the security association is established, and user-level authentication is performed by the PPP authentication method (for example MS-CHAPv2 or EAP) carried inside the L2TP tunnel. PPTP offers only user-level PPP authentication with no machine-level step; its MS-CHAPv2-based authentication is known to be weak and PPTP should not be chosen for new deployments.

Traffic handler: A VPN concentrator routes tunneled and non-tunneled traffic depending on its configuration, handling traffic for the corporate network and for Internet resources at the same time. It manages inbound and outbound data transfers as a tunnel endpoint or as a router, and it assigns addresses to remote users (typically from an internal address pool) so that they appear on the private network.

Module 07 Page 917

VPN Types and Categories

This sub-section explains the different types of VPN and their categories.

Client-to-Site (Remote-access) VPNs

- Remote-access VPNs allow individual hosts or clients, such as telecommuters and mobile users, to establish secure connections to a company's network over the Internet.
- Each host runs VPN client software or uses a web-based (clientless) client.
- The client software on the user's machine encrypts the data packets before they are forwarded over the Internet to the VPN gateway at the edge of the target network.
- The VPN gateway receives and decrypts the packets and forwards them into the private network; the VPN connection is closed once the transfer is complete.
Client-to-Site (Remote-access) VPNs

Remote-access VPNs allow individual hosts or clients such as telecommuters and mobile users to establish secure connections to a company's network over the Internet, giving them access to the information held on the private network. An older name for a remote-access VPN is a virtual private dial-up network (VPDN), in which a dial-up connection to a server was required. A remote-access VPN may be configured as a full tunnel, in which all of the client's traffic is sent through the VPN, or as a split tunnel, in which only traffic for the corporate network is sent through the tunnel and everything else uses the client's native IP configuration and DNS servers. Split tunneling reduces the load on the gateway, but the client's Internet traffic then bypasses the corporate security controls, and DNS queries for internal names can leak to the client's local resolver unless split DNS is configured.

Every host using a remote-access VPN must have the VPN client software installed; this software wraps (encapsulates) and encrypts the data before the host sends any traffic over the Internet to the VPN gateway. At the gateway, the data are unwrapped, decrypted, and passed on to the final destination in the private network. The gateway performs the reverse process to send data packets back to the user.

Figure 7.106: Remote-access VPN. (Diagram: a head office with a router with VPN module and a VPN concentrator; a telecommuter with a broadband modem, a travelling user on 3G/CDMA/HSDPA mobile broadband, a laptop with a VPN client, and a branch office with a router with VPN module and a PC with a VPN client, all connecting to the head office over the Internet.)

A remote-access VPN consists of two types of component:

- Network access server (NAS) or remote-access server (RAS): the NAS is required while users are accessing the VPN. A separate authentication process is involved in authenticating the users who access the VPN.
- Client software: users accessing the VPN from their own network need to install software that creates and manages the VPN connection.

VPN client software and a VPN gateway are required for the hosts supporting a remote-access VPN. Most VPN gateways support IPsec for this purpose; many also offer SSL/TLS-based VPN access.

Advantages

- Remote-access VPNs minimize connection costs for users, who need only an Internet connection rather than dedicated lines or long-distance dial-up.
- Encryption of the data packets provides an added security layer: the inner packet, including its internal source and destination addresses, is hidden from anyone observing the Internet path, and an attacker who captures the packets cannot read them or modify them undetected. The outer IP header, carrying the client's and the gateway's public addresses, remains visible.
- Remote-access VPNs can handle a large number of users; the VPN provides the same service as more users are added, within the capacity and bandwidth of the gateway.
- Remote-access VPNs allow files to be shared from a remote location.

Disadvantages

- Computers without antivirus or other endpoint protection pose a threat to the network once connected, because the tunnel gives an infected endpoint the same reach as an internal host; checking endpoint posture before granting access mitigates this.
- Many simultaneous VPN connections may consume the available bandwidth of the network and the processing capacity of the gateway.
- Accessing files and applications over the Internet through the tunnel adds latency and is slower than working on the local network.
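The full-tunnel versus split-tunnel distinction for a remote-access client, shown as an added Python example (not code from the EC-Council material). It builds the routes a gateway would push to the client in each mode, resolves a destination with longest-prefix matching as the host routing table does, applies split DNS, and lists which destinations leave through the client's own uplink. The gateway address, corporate prefixes, domain and resolver addresses are constructed for illustration; the two /1 routes used to override the client's default route are the common technique, but any real gateway's configuration syntax is not shown here.

```python
"""Client routing for a remote-access VPN: full tunnel vs split tunnel (added example,
not EC-Council code). All addresses, prefixes, domains and resolvers are constructed."""
import ipaddress

VPN_GATEWAY = ipaddress.ip_address("203.0.113.10")   # public address of the VPN gateway (constructed)
CORP_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12")]   # internal address plan (constructed)
CORP_DOMAINS = ("corp.example",)                       # names that only resolve internally (constructed)
CORP_DNS = "10.0.0.53"                                 # resolver reachable only through the tunnel
ISP_DNS = "198.51.100.1"                               # resolver from the client's native configuration


def push_routes(mode, gateway=VPN_GATEWAY, corp=CORP_PREFIXES):
    """Routes the gateway pushes to a client, as (network, interface) pairs where the
    interface is "tun" (through the VPN) or "phys" (the client's own uplink).

    Full tunnel: two /1 routes override the client's existing 0.0.0.0/0 default without
    deleting it, and the gateway's own /32 stays on the physical interface so that the
    tunnel's outer packets are not themselves routed into the tunnel.
    Split tunnel: only the corporate prefixes go through the tunnel."""
    routes = [(ipaddress.ip_network(f"{gateway}/32"), "phys")]
    if mode == "full":
        routes += [(ipaddress.ip_network("0.0.0.0/1"), "tun"),
                   (ipaddress.ip_network("128.0.0.0/1"), "tun")]
    elif mode == "split":
        routes += [(net, "tun") for net in corp]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    routes.append((ipaddress.ip_network("0.0.0.0/0"), "phys"))  # the client's native default route
    return routes


def next_hop(dst, routes):
    """Longest-prefix match over the pushed routes, as the host's routing table does."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def resolver_for(hostname, mode, corp_domains=CORP_DOMAINS):
    """Split DNS: in full-tunnel mode every query goes to the internal resolver; in
    split-tunnel mode only names under the corporate domains do, and everything else
    goes to the ISP resolver, which therefore sees those queries."""
    name = hostname.rstrip(".").lower()
    internal = any(name == d or name.endswith("." + d) for d in corp_domains)
    return CORP_DNS if mode == "full" or internal else ISP_DNS


def bypasses_tunnel(destinations, mode):
    """Destinations whose traffic leaves via the client's own uplink (the split-tunnel exposure)."""
    routes = push_routes(mode)
    return [d for d in destinations if next_hop(d, routes) == "phys"]


if __name__ == "__main__":
    sample = ["10.1.2.3", "172.20.0.1", "192.168.1.1", "8.8.8.8", str(VPN_GATEWAY)]  # constructed
    print("full :", bypasses_tunnel(sample, "full"))    # only the gateway's own address
    print("split:", bypasses_tunnel(sample, "split"))   # everything outside the corporate prefixes
```

Running it in split mode shows the trade-off stated above in concrete terms: anything not inside the corporate prefixes, and any DNS name not under the corporate domains, is handled by the client's native configuration and never reaches the concentrator or the controls behind it.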
