Chapter 7 - 07 - Discuss Fundamentals of VPN and its importance in Network Security - 04_ocred.pdf

Full Transcript


Certified Cybersecurity Technician, Exam 212-82
Network Security Controls — Technical Controls
Module 07, Pages 922-927. Copyright © by EC-Council. All Rights Reserved. Reproduction Is Strictly Prohibited.

Site-to-Site VPNs

- A site-to-site VPN extends the company's network and allows access to an organization's network resources from different locations.
- It connects a branch or remote office network to the company's headquarters network.
- It is also known as a LAN-to-LAN or L2L VPN.

The site-to-site VPN helps connect all the networks together. For example, the branch offices of an organization can be connected to the main campus through a site-to-site VPN. The main difference between a remote and a site-to-site VPN is that site-to-site VPNs do not require any client software. The entire traffic is sent through a VPN gateway that encrypts the data packets passing through it. Such VPNs are also known as full tunnels. They alter the IP address and DNS server options of every data packet entering and leaving the tunnel.

In a site-to-site VPN, the outbound traffic is passed through a tunnel to the VPN gateway. The data packets in the outbound traffic are encrypted at the gateway and are passed to the tunnel over the Internet. The traffic is sent to the gateway nearest to the target location. That gateway decrypts the data packets, and they are then forwarded to the final destination.

[Figure 7.107: Site-to-site VPN. Branch offices connected to the main office over the Internet through site-to-site connections.]

There are two types of site-to-site VPNs.

- Intranet-based: In this type, VPN connectivity is between the sites of a single organization. It creates an intranet VPN to connect each individual LAN to a single WAN.
- Extranet-based: In this type, VPN connectivity is between different organizations such as business partners, businesses, and clients. An extranet VPN connects every single LAN of an organization. The extranet VPN configuration prevents any access to an intranet VPN.

Hardware VPNs

- A dedicated hardware VPN appliance is used to connect routers and gateways to ensure communication over an insecure channel.
- It is designed to serve as a VPN endpoint and can connect to multiple LANs.

Hardware-based VPNs are separate devices that consist of individual processors and hardware firewalls. They easily manage the authentication and encryption of data packets. The main advantage of using a hardware-based VPN is that it provides more protection than the software variant.

[Figure 7.108: Hardware VPN. LAN 1 and LAN 2, each behind a VPN appliance, joined by an encrypted VPN tunnel. VPN appliances create a secure connection between two or more LANs.]

Advantages

- A hardware VPN provides load balancing, especially for large client loads.

Disadvantages

- It is more expensive than a software VPN.
- It is more useful for large business organizations than for smaller ones.
- It has low scalability.

Hardware VPN Products

Manufacturer | Product Name | Web Site
Cisco Systems | VPN 3000 series concentrators, VPN 3002 Hardware Clients, 7600 series routers, and Web VPN Services Module | https://www.cisco.com
SonicWALL | SonicWALL PRO 5060, 4060, 3060, 2040, 1260 | https://www.sonicwall.com
Juniper Networks | NetScreen 5000, 500, 200, and ISG series | https://www.juniper.net
WatchGuard | WatchGuard Firebox X series | https://www.watchguard.com

Table 7.5: Hardware VPN products

Software VPNs

VPN software is installed and configured on routers, servers, and firewalls or as a gateway that functions as a VPN. No extra devices need to be installed. Software-based VPNs are best suited for network traffic management and when the same party does not manage the VPN end points. Traffic management is performed using a tunneling process depending on the protocol and address of the traffic. Hardware encryption accelerators are used to improve the performance of the network.

Advantages

- A software VPN minimizes the cost of additional hardware purchases.
- It is easy and inexpensive to deploy and does not change the target network.
- It has high scalability.

Disadvantages

- It causes increased processing tasks for devices implementing the VPN.
- Security is an issue; a software VPN is prone to attacks as it needs to share the server with other servers and OSes.

Software VPN Products

Manufacturer | Product Name | Web Site
CheckPoint | VPN-1 VSX, VPN-1 Pro, VPN-1 Edge, Firewall-1 | https://www.checkpoint.com
NETGEAR | ProSafe VPN | https://www.netgear.com
Cisco Systems | Cisco AnyConnect Secure Mobility Client | https://www.cisco.com

Table 7.6: Software VPN products
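The site-to-site flow and the intranet/extranet split described above can be modelled as a gateway policy. The following is an added example, not part of the courseware: it picks the tunnel for a packet, shows the gateway-to-gateway outer header, and audits that an extranet tunnel cannot reach an intranet LAN. All names, subnets and gateway addresses are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Tunnel:
    name: str
    kind: str       # "intranet" (own sites) or "extranet" (partner organization)
    local_ts: str   # local subnet allowed into the tunnel
    remote_ts: str  # subnet behind the peer gateway
    peer_gw: str    # public address of the peer VPN gateway


# Constructed policy for a headquarters gateway (RFC 1918 / RFC 5737 addresses).
HQ_GW = "203.0.113.10"
TUNNELS = [
    Tunnel("branch-a", "intranet", "10.1.0.0/16", "10.2.0.0/16", "198.51.100.20"),
    Tunnel("branch-b", "intranet", "10.1.0.0/16", "10.3.0.0/16", "198.51.100.30"),
    Tunnel("partner", "extranet", "10.9.0.0/24", "172.16.9.0/24", "192.0.2.40"),
]
# Constructed misconfiguration: the partner tunnel exposes the whole HQ LAN.
BAD_PARTNER = Tunnel("partner-wide", "extranet", "10.1.0.0/16",
                     "172.16.8.0/24", "192.0.2.41")


def select_tunnel(tunnels, src, dst):
    """Return the tunnel whose selectors cover src and dst, or None (not tunneled)."""
    s, d = ip_address(src), ip_address(dst)
    hits = [t for t in tunnels
            if s in ip_network(t.local_ts) and d in ip_network(t.remote_ts)]
    # Most specific remote subnet wins when several tunnels match.
    return max(hits, key=lambda t: ip_network(t.remote_ts).prefixlen, default=None)


def encapsulate(local_gw, tunnel, src, dst):
    """Outer header is gateway to gateway; the original packet travels inside, encrypted."""
    return {"outer_src": local_gw, "outer_dst": tunnel.peer_gw, "inner": (src, dst)}


def audit_extranet(tunnels):
    """List (extranet tunnel, intranet subnet) pairs where a partner can reach an intranet LAN."""
    intranet = {ip_network(n) for t in tunnels if t.kind == "intranet"
                for n in (t.local_ts, t.remote_ts)}
    return sorted((t.name, str(n)) for t in tunnels if t.kind == "extranet"
                  for n in intranet if ip_network(t.local_ts).overlaps(n))


if __name__ == "__main__":
    t = select_tunnel(TUNNELS, "10.1.4.7", "10.2.0.9")
    print(encapsulate(HQ_GW, t, "10.1.4.7", "10.2.0.9"))
    print(audit_extranet(TUNNELS + [BAD_PARTNER]))
```

An empty audit result means no partner tunnel's local selector overlaps a subnet used by an intranet tunnel.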
