Chapter 7 - 07 - Discuss Fundamentals of VPN and its importance in Network Security - 07_ocred_fax_ocred.pdf

Full Transcript


Certified Cybersecurity Technician Exam 212-82 Network Security Controls — Technical Controls

VPN Technologies

Trusted VPN
= Used before the Internet became a universal communications medium
= Companies leased circuits from a communications provider and used them the same way as physical cables in a private LAN
= The organization knows and controls the pathway for its transmission
= The customer trusts the communications provider to maintain the integrity and security of the circuit, but the traffic is not encrypted; networks built this way are called trusted VPNs
= Technologies such as ATM circuits, frame-relay circuits and Multiprotocol Label Switching (MPLS) are used to implement trusted VPNs

Secure VPN
= Used once the Internet became a corporate communications medium
= Vendors created protocols that encrypt the traffic at the originating computer and decrypt it at the receiving computer
= The encrypted traffic acts as a tunnel between two networks; even if an attacker sees the traffic, they cannot read it
= Networks constructed using encryption are called secure VPNs
= They protect the confidentiality and integrity of the data, but do not ensure the transmission path

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

VPN Technologies (Cont'd)

Hybrid VPNs
= A secure VPN run as part of a trusted VPN creates a hybrid VPN
= The secure part of a hybrid VPN is administered by the customer or by the provider that supplied the trusted part of the hybrid VPN
[Slide figure: Network <-> Secure VPN <-> Trusted VPN <-> Secure VPN <-> Network; a hybrid VPN consisting of a secure VPN across an intermediary trusted VPN]
VPN Technologies

VPN technology enables organizations to connect mobile and remote users to the network and to connect separate branches of the same organization into a single network.

Module 07 Page 937 Certified Cybersecurity Technician Copyright © by EC-Council

The following are common technologies used to deploy VPNs for secure data transmission.

Trusted VPN

Even before the Internet became popular, service providers supplied customers with dedicated circuits that could not be used by anyone else. Companies leased circuits from a communications provider and used them in the same manner as physical cables in a private LAN. Organizations know and control the pathway for their transmission. This gave customers privacy and the ability to use their own IP addresses and policies. The traffic itself is not encrypted; to prevent sniffing of the data, the provider is entrusted to maintain the integrity of the circuit. This type of VPN is called a trusted VPN.

The technologies used to implement trusted VPNs are Asynchronous Transfer Mode (ATM) circuits, frame relay circuits, and MPLS. ATM and frame relay operate at layer 2 of the OSI model, and MPLS operates between the data link layer and the network layer.

The requirements for a trusted VPN are as follows:

= No one other than the trusted VPN provider can create or change a path in the VPN.
= All routing and addressing methods need to be described before the trusted VPN is created.
= Only the VPN provider can inject, change, or delete data in the path of the VPN.

Secure VPN

Secure VPNs came into use when the Internet became a corporate communications medium. The main goal of a secure VPN is to protect data in transit across a network the organization does not control.
In a secure VPN, every data packet sent through the tunnel is encrypted at one end of the tunnel and decrypted at the other end. This thwarts any attempt by an attacker to read data in transit. Secure VPNs protect the confidentiality and integrity of the data but do not ensure the transmission path: the packets may take any route across the Internet, and the VPN cannot guarantee that the traffic will not be observed, delayed or dropped along the way.

The main requirements for secure VPNs are as follows:

= All traffic on the secure VPN must be encrypted and authenticated; ciphertext that is not authenticated can be modified without the receiver noticing.
= The security properties of the VPN (algorithms, key lengths, authentication method) must be agreed upon by both endpoints before the connection is initiated.
= No one outside the VPN can alter the security properties of the connection.

Hybrid VPN

A hybrid VPN is a secure VPN run as part of a trusted VPN: the encrypted tunnel crosses the provider's trusted circuits, for example an IPsec tunnel carried over an MPLS service. This lets an organization combine the path guarantees of the trusted VPN with the confidentiality and integrity of the secure VPN at relatively low cost. A security professional must take care to distinguish which traffic is protected by encryption and which relies only on the trusted provider. The secure part of a hybrid VPN is administered by the customer or by the provider of the trusted part of the hybrid VPN.

The main requirements for hybrid VPNs are as follows:

= The address boundaries of the secure VPN within the trusted VPN must be clearly defined, so there is no ambiguity about which traffic is encrypted and which is not.
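The per-packet processing of a secure VPN endpoint described above (encrypt and authenticate at the originating end, verify and decrypt at the receiving end, drop anything an on-path attacker altered or replayed), as an added illustration in Python that is not part of the EC-Council module. To run with only the standard library, the cipher is a simplified keystream construction built from HMAC-SHA256; it stands in for the AEAD ciphers a real tunnel protocol such as IPsec ESP uses. The shared secret, the site names and the captured inner packet are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

SEQ_LEN = 4       # big-endian sequence number
NONCE_LEN = 12    # fresh random nonce per packet
TAG_LEN = 16      # truncated HMAC-SHA256 tag
HEADER_LEN = SEQ_LEN + NONCE_LEN


class TunnelError(Exception):
    """Raised when a received packet fails the authentication or replay check."""


def _derive_keys(shared_secret):
    """Split the agreed secret into independent encryption and MAC keys.
    In IPsec, IKE negotiates this secret; here it is simply assumed shared."""
    enc_key = hmac.new(shared_secret, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """Illustrative stream cipher: HMAC-SHA256(enc_key, nonce || counter) blocks.
    Assumed for this example only; a real VPN uses AES-GCM or ChaCha20-Poly1305."""
    blocks = [hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(data, keystream):
    return bytes(a ^ b for a, b in zip(data, keystream))


class TunnelEndpoint:
    """One end of a secure VPN tunnel. Both ends derive the same keys from the
    shared secret; the receiver remembers the highest sequence number accepted so
    that a replayed capture is dropped (ESP keeps an anti-replay window)."""

    def __init__(self, shared_secret):
        self.enc_key, self.mac_key = _derive_keys(shared_secret)
        self.send_seq = 0
        self.highest_recv_seq = 0

    def encapsulate(self, plaintext):
        """Encrypt, then authenticate header and ciphertext: seq || nonce || ct || tag."""
        self.send_seq += 1
        header = struct.pack(">I", self.send_seq) + os.urandom(NONCE_LEN)
        ciphertext = _xor(plaintext, _keystream(self.enc_key, header[SEQ_LEN:], len(plaintext)))
        tag = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        return header + ciphertext + tag

    def decapsulate(self, packet):
        """Verify the tag before decrypting anything, then enforce ordering."""
        if len(packet) < HEADER_LEN + TAG_LEN:
            raise TunnelError("truncated packet")
        header, ciphertext, tag = packet[:HEADER_LEN], packet[HEADER_LEN:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise TunnelError("authentication failed: packet modified or wrong key")
        seq = struct.unpack(">I", header[:SEQ_LEN])[0]
        if seq <= self.highest_recv_seq:
            raise TunnelError("replayed or out-of-order packet")
        self.highest_recv_seq = seq
        return _xor(ciphertext, _keystream(self.enc_key, header[SEQ_LEN:], len(ciphertext)))


def demo():
    """Constructed scenario: a branch office sends to the main office across the
    Internet while an attacker captures, modifies and replays the traffic."""
    secret = b"constructed shared secret for the example"
    branch, main_office = TunnelEndpoint(secret), TunnelEndpoint(secret)
    inner = b"GET /payroll HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
    wire = branch.encapsulate(inner)
    results = {"attacker_sees_plaintext": inner in wire,
               "delivered": main_office.decapsulate(wire) == inner}
    tampered = bytearray(wire)
    tampered[HEADER_LEN] ^= 0x01          # flip one ciphertext bit in transit
    try:
        main_office.decapsulate(bytes(tampered))
        results["tamper_detected"] = False
    except TunnelError:
        results["tamper_detected"] = True
    try:
        main_office.decapsulate(wire)     # replay the genuine capture
        results["replay_detected"] = False
    except TunnelError:
        results["replay_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks in `decapsulate` is the point to notice: the tag is verified over header and ciphertext before any decryption or state update, so a modified packet never influences the receiver, and the sequence check is applied only to authenticated packets so an attacker cannot poison the replay counter.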
Figure 7.112: Hybrid VPN (Network <-> Secure VPN <-> Trusted VPN <-> Secure VPN <-> Network; a hybrid VPN consisting of a secure VPN across an intermediary trusted VPN)

VPN Topologies

= A VPN topology specifies how the peers and networks within a VPN are connected
= Some VPN topologies include the Hub-and-Spoke VPN Topology, the Full Mesh VPN Topology and the Point-to-Point VPN Topology

VPN Topologies

A VPN topology specifies how the nodes in a network are connected and how they communicate with other nodes. A VPN enables companies on different networks to communicate and share data with each other, and VPN topologies allow an organization to design the way it communicates with other networks. The following are the different VPN topologies:

= Hub-and-spoke
= Point-to-point
= Full mesh
= Star

The selection of a topology depends on the requirements of the organization. For example, a star topology is best suited to environments where the company needs to share information with another company located on a different network, and a mesh topology is best suited for an intranet.
Hub-and-Spoke VPN Topology

= Each individual spoke connected to a remote office communicates securely with the central device (hub)
= A separate, secure tunnel is established between the hub and each individual spoke
= A persistent connection is established between an organization's main office and its branch offices using a third-party network or the Internet

Hub-and-Spoke VPN Topology

In a hub-and-spoke topology, the main organization is considered the hub, and its remote offices are considered the spokes. The spokes access the VPN through the hub. This topology is mainly used in banking and international organizations. The hub controls the following two types of communication:

= Communication between a spoke and the hub
= Communication between spokes

This topology is used to represent an intranet VPN connecting an organization's main office to its regional offices. The hub facilitates the sharing of large amounts of data. There are separate tunnels for data transfer between the hub and each spoke, and all data transfers occur through the hub. The hub-and-spoke topology can grow into a multilevel topology as the network expands. In a multi-site network, the central hub controls the data transfer and acts as the gateway through which the remote sites communicate with each other.
For example, a cell-phone tower in an area is the hub, and all the mobile devices in and around the tower are the spokes. A security professional must thoroughly understand how hub-and-spoke is used in their network, since every spoke depends on the hub.

Advantages

= The hub-and-spoke topology is relatively inexpensive and easy to repair when one of the spokes fails.
= Bonded circuits between the hub and a spoke increase the flexibility of the network.
= This topology offers enhanced security, as each device in the network is separated from the others by a single connection to the hub, where traffic can be inspected and policy enforced centrally.
= This topology provides high performance, centralization, and simplicity.

Disadvantages

= Any issue in the hub affects the connection between the hub and every spoke, and therefore the connections between spokes as well.

Figure 7.113: Hub and Spoke VPN topology (Main Office with a HUB and optional secondary HUBs for resilience; secure tunnels across the Internet to the Spoke at each Branch Office)

The figure illustrates the hub-and-spoke topology. Each spoke at a branch office establishes a secured connection with the hub at the main office, and these secured connections are established across the Internet. The main office can have more than one hub at a time, but only one hub is used to connect to each spoke; the other hubs are kept as backups for resilience. This topology works well if the traffic is between the hub and the spokes rather than between spokes or remote sites.
This is because traffic between two spokes must pass through the hub before being forwarded to the destination spoke. This increases the chance of a bottleneck at the hub as spoke-to-spoke traffic grows, since each spoke-to-spoke flow crosses the hub's Internet link twice, in from one tunnel and out to another. All IPsec technologies can be used in this topology. If the hub faces a connection issue, IPsec failover transfers the connection to a backup hub, which is then used by all spokes. It is also possible to configure multiple hubs as the main hub.
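A model of the hub-and-spoke forwarding rules described above, as an added Python example that is not part of the EC-Council module: one secure tunnel from each spoke to each hub, every flow crossing the currently active hub, spoke-to-spoke flows consuming the hub uplink twice, and failover to a standby hub when the primary is unreachable. The office and hub names, the per-flow rates and the 100 Mb/s hub uplink are constructed for the illustration, and the full-mesh comparison goes slightly beyond the text by counting the tunnels a full mesh of the same sites would need.

```python
from collections import Counter

MAIN_OFFICE = "main-office"   # the LAN behind the hub(s); constructed name


class HubAndSpokeVPN:
    """Hubs sit at the main office. Each spoke keeps a tunnel to every hub
    (primary plus standbys), but only the first reachable hub forwards traffic."""

    def __init__(self, hubs, hub_uplink_mbps):
        self.hubs = list(hubs)                 # primary first, then standbys
        self.hub_uplink_mbps = hub_uplink_mbps
        self.down = set()
        self.spokes = []
        self.tunnels = set()                   # (spoke, hub) pairs
        self.uplink_load_mbps = Counter()      # traffic crossing each hub's uplink

    def add_spoke(self, name):
        self.spokes.append(name)
        for hub in self.hubs:
            self.tunnels.add((name, hub))      # a separate secure tunnel per hub

    def fail_hub(self, hub):
        self.down.add(hub)

    def active_hub(self):
        """IPsec failover in the text: the first hub that is still reachable."""
        for hub in self.hubs:
            if hub not in self.down:
                return hub
        raise RuntimeError("no reachable hub: every spoke is cut off")

    def forward(self, src, dst, mbps):
        """Return the hops a flow takes and account for its load on the hub uplink.
        A spoke leg crosses the hub's Internet uplink once, so a spoke-to-spoke
        flow costs the uplink twice and a spoke-to-main flow once."""
        sites = set(self.spokes) | {MAIN_OFFICE}
        if src not in sites or dst not in sites or src == dst:
            raise ValueError(f"invalid flow {src} -> {dst}")
        hub = self.active_hub()
        spoke_legs = (src in self.spokes) + (dst in self.spokes)
        self.uplink_load_mbps[hub] += spoke_legs * mbps
        return [src, hub, dst]

    def hub_utilization(self):
        """Fraction of the active hub's uplink consumed; above 1.0 is a bottleneck."""
        return self.uplink_load_mbps[self.active_hub()] / self.hub_uplink_mbps


def full_mesh_tunnels(sites):
    """Tunnels a full mesh of the same sites would need: one per pair of sites."""
    return sites * (sites - 1) // 2


def demo():
    """Constructed scenario: four branches, a primary and a standby hub."""
    vpn = HubAndSpokeVPN(hubs=["hub-1", "hub-2"], hub_uplink_mbps=100)
    for branch in ("branch-a", "branch-b", "branch-c", "branch-d"):
        vpn.add_spoke(branch)
    out = {"tunnels": len(vpn.tunnels),
           "full_mesh_equivalent": full_mesh_tunnels(len(vpn.spokes) + 1)}
    for branch in vpn.spokes:                  # 4 x 10 Mb/s, each crosses the uplink once
        vpn.forward(branch, MAIN_OFFICE, mbps=10)
    out["utilization_spoke_to_main"] = vpn.hub_utilization()
    out["spoke_to_spoke_path"] = vpn.forward("branch-a", "branch-c", mbps=20)
    vpn.forward("branch-b", "branch-d", mbps=20)  # 2 x 20 Mb/s, each crosses it twice
    out["utilization_with_spoke_to_spoke"] = vpn.hub_utilization()
    out["bottleneck"] = out["utilization_with_spoke_to_spoke"] > 1.0
    vpn.fail_hub("hub-1")                      # primary lost: standby tunnels take over
    out["failover_path"] = vpn.forward("branch-a", MAIN_OFFICE, mbps=10)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With 40 Mb/s of spoke-to-main traffic the hub uplink is at 40%, but adding just 40 Mb/s of spoke-to-spoke traffic pushes it to 120%, which is the bottleneck the text warns about; the same branches and rates would not saturate any single link in a full mesh, at the cost of ten tunnels instead of four per hub.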
