Chapter 7 - 07 - Discuss Fundamentals of VPN and its importance in Network Security - 07_ocred.pdf
EC-Council
Certified Cybersecurity Technician Network Security Controls — Technical Controls Exam 212-82

VPN Technologies

Trusted VPNs
- Were used before the Internet became universal
- Companies leased circuits from a communications provider and used them the same way as physical cables in a private LAN
- The organization knows and controls the pathway for its transmission
- The customer trusts the communication provider to maintain the integrity and security of the circuit, but the provider does not encrypt the traffic; these are called trusted VPNs
- Technologies such as ATM circuits, frame-relay circuits, and Multiprotocol Label Switching (MPLS) are used to implement trusted VPNs

Secure VPNs
- Came into use when the Internet became a corporate communications medium
- Vendors created protocols that encrypt the traffic at the originating computer and decrypt it at the receiving computer
- Secure VPNs are networks constructed using encryption
- The encrypted traffic acts as a tunnel between two networks; even if an attacker sees the traffic, they will not be able to read it
- They protect the confidentiality and integrity of the data, but do not ensure the transmission path

Hybrid VPNs
- A secure VPN run as part of a trusted VPN creates a hybrid VPN, that is, a secure VPN across an intermediary trusted VPN
- The secure part of a hybrid VPN is administered by the customer or by the provider who supplies the trusted part of the hybrid VPN

VPN technology enables organizations to connect mobile and remote users with network access and also to connect separate branches of the same organization into a single network.
The following are common technologies used to deploy VPNs for secure data transmission.

Trusted VPN

Even before the popularity of the Internet, service providers provided customers with specific circuits that could not be used by anyone else. Companies leased circuits from a communications provider and used them in the same manner as physical cables in a private LAN. The organization knows and controls the pathway for its transmission. This gave customers privacy and the ability to use their own IP addressing and policies. To provide security and avoid sniffing of the data, the VPN provider is entrusted to maintain circuit integrity; what protects the data is the provider's isolation of the circuit, not cryptography. This type of VPN is called a trusted VPN. The technologies used for implementing trusted VPNs are Asynchronous Transfer Mode (ATM) circuits, frame relay circuits, and MPLS. ATM and frame relay operate at layer 2 of the OSI model, and MPLS operates between the data link layer and the network layer.

The requirements for a trusted VPN are as follows:
- Any change in the path of the VPN can be made only by the trusted VPN provider.
- All routing and addressing methods must be established before the trusted VPN is created.
- Only the VPN provider can inject, change, or delete data on the path of the VPN.

Secure VPN

Secure VPNs came into use when the Internet became a corporate communications medium. The main goal of a secure VPN is to protect the data in transit. In a secure VPN, every data packet sent through the tunnel is encrypted at one end of the tunnel and decrypted at the other end. This thwarts any attempt by an attacker to read data in transit. Secure VPNs protect the confidentiality and integrity of the data, but do not ensure the transmission path: the packets may cross any network, including the public Internet, and a party on that path can still see that the two endpoints are communicating, observe packet sizes and timing, or delay and drop packets, even though it cannot read or silently alter them.
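The difference between a trusted VPN and a secure VPN described above is easiest to see in code. The following is an added example written for this page, not code from the EC-Council course or from any VPN product. It models one endpoint of a secure VPN: each packet is encrypted and authenticated with AES-256-GCM at the originating computer and verified and decrypted at the receiving computer, so an observer on the path sees only ciphertext, a tampered packet is rejected, and a replayed packet is rejected. The packet layout (4-byte sequence number, 12-byte nonce, GCM ciphertext and tag), the pre-shared key, the `Tunnel`, `Encapsulate`, `Decapsulate` and `PayloadVisibleOnPath` names and the sample payload are all assumptions made for the example; the real IPsec ESP format and its IKE key exchange are not reproduced here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Added example (not EC-Council course code): one endpoint of a "secure VPN" in the
// sense used above. Every packet is encrypted and authenticated with AES-256-GCM at
// the originating end and verified and decrypted at the receiving end. The packet
// layout (4-byte sequence number, 12-byte nonce, GCM ciphertext+tag) is an
// assumption made for this example and is not the real IPsec ESP format.

const (
	seqLen   = 4
	nonceLen = 12
)

var (
	ErrAuth   = errors.New("packet failed authentication")
	ErrReplay = errors.New("replayed or out-of-order packet")
)

// Tunnel is one end of the VPN. Both ends hold the same key; sendSeq numbers
// outgoing packets and recvSeq is the highest sequence number accepted so far.
type Tunnel struct {
	aead    cipher.AEAD
	sendSeq uint32
	recvSeq uint32
}

// NewTunnel builds an endpoint from a 16-, 24- or 32-byte AES key.
func NewTunnel(key []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{aead: aead}, nil
}

// Encapsulate is the "encrypt at the originating computer" step. The sequence
// number travels in clear but is bound to the ciphertext as additional
// authenticated data, so it cannot be altered on the path without detection.
func (t *Tunnel) Encapsulate(plaintext []byte) ([]byte, error) {
	t.sendSeq++
	hdr := make([]byte, seqLen)
	binary.BigEndian.PutUint32(hdr, t.sendSeq)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per packet
		return nil, err
	}
	pkt := append(hdr, nonce...)
	return t.aead.Seal(pkt, nonce, plaintext, hdr), nil
}

// Decapsulate is the "decrypt at the receiving computer" step. Any change to the
// header, nonce or ciphertext makes Open fail (integrity); a sequence number that
// is not strictly increasing is rejected (anti-replay).
func (t *Tunnel) Decapsulate(pkt []byte) ([]byte, error) {
	if len(pkt) < seqLen+nonceLen+t.aead.Overhead() {
		return nil, ErrAuth
	}
	hdr := pkt[:seqLen]
	nonce := pkt[seqLen : seqLen+nonceLen]
	ct := pkt[seqLen+nonceLen:]
	pt, err := t.aead.Open(nil, nonce, ct, hdr)
	if err != nil {
		return nil, ErrAuth // forgery and tampering are indistinguishable, by design
	}
	seq := binary.BigEndian.Uint32(hdr)
	if seq <= t.recvSeq {
		return nil, ErrReplay
	}
	t.recvSeq = seq
	return pt, nil
}

// PayloadVisibleOnPath models what an observer on the transmission path sees. On a
// trusted VPN the provider keeps the circuit private but nothing is encrypted, so
// the payload is there to read; on a secure VPN only ciphertext crosses the path.
func PayloadVisibleOnPath(wire, secret []byte) bool {
	return bytes.Contains(wire, secret)
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	alice, _ := NewTunnel(key)
	bob, _ := NewTunnel(key)
	msg := []byte("payroll transfer to account 1234") // constructed sample payload

	fmt.Println("trusted VPN, account number visible on path:", PayloadVisibleOnPath(msg, []byte("1234")))
	pkt, _ := alice.Encapsulate(msg)
	fmt.Println("secure VPN, account number visible on path: ", PayloadVisibleOnPath(pkt, []byte("1234")))

	pt, err := bob.Decapsulate(pkt)
	fmt.Printf("receiver decrypted %q (err=%v)\n", pt, err)

	tampered := append([]byte(nil), pkt...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = bob.Decapsulate(tampered)
	fmt.Println("tampered packet:", err)

	_, err = bob.Decapsulate(pkt) // the same packet delivered a second time
	fmt.Println("replayed packet:", err)
}
```

Two simplifications matter in practice: a real secure VPN negotiates the key with IKE rather than pre-sharing it as this example does, and IPsec uses a sliding anti-replay window rather than the strict "must be larger than the last accepted" check shown here, so that legitimately reordered packets are not dropped.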
The main requirements for secure VPNs are as follows:
- All traffic on the secure VPN is encrypted and authenticated before it is sent.
- Both endpoints must agree on the security properties of the connection (algorithms, keys, and peer identities) before the connection is established.
- No one outside the VPN can affect the security properties of the connection.

Hybrid VPN

A hybrid VPN is a secure VPN run across a trusted VPN: the customer's encrypted tunnel rides over the provider's circuit or MPLS service. This lets an organization encrypt its sensitive traffic while reusing the trusted network it already has, at low cost. Because traffic outside the secure segment crosses the trusted segment unencrypted, a security professional must be able to tell at any point which traffic is inside the secure VPN and which relies only on the provider. The secure part of a hybrid VPN is administered by the customer or by the provider of the trusted part of the hybrid VPN.

The main requirement for hybrid VPNs is as follows:
- There must be a clear boundary, in terms of the address ranges covered, between the trusted VPN and the secure VPN.

Figure 7.112: Hybrid VPN (diagram: two networks joined by a secure VPN that runs across an intermediary trusted VPN)

VPN Topologies

- A VPN topology specifies how the peers and networks within a VPN are connected
- Some VPN topologies include the hub-and-spoke VPN topology, the point-to-point VPN topology, and the full mesh VPN topology

A VPN topology mainly deals with the specifications of how nodes in a network are connected and how they communicate with the other nodes.
A VPN enables companies on different networks to communicate and share data with each other. VPN topologies let an organization design the way it communicates with other networks. The following are the different VPN topologies:
- Hub-and-spoke
- Point-to-point
- Full mesh
- Star

It is important to note that the selection of a topology depends on the requirements of the organization. For example, a star topology is best suited to environments where the company needs to share information with another company located on a different network. A mesh topology is best suited for an intranet.

Hub-and-Spoke VPN Topology

- Each individual spoke at a remote office communicates securely with the central device (hub)
- A separate secure tunnel is established between the hub and each individual spoke
- A persistent connection is established between an organization's main office and its branch offices using a third-party network or the Internet
- Optional secondary hubs can be added for resilience

In the hub-and-spoke topology, the organization's main site is the hub, and its remote offices are the spokes. The spokes access the VPN through the hub. This topology is mainly used in banking and international organizations. The hub controls the following two types of communication:
- Communication between a spoke and the hub
- Communication between spokes

This topology is typically used for an intranet VPN connecting an organization's main office to its regional offices. The hub facilitates the sharing of large amounts of data. There is a separate tunnel for data transfer between the hub and each spoke.
All data transfers occur through the hub. The hub-and-spoke topology can become a multilevel topology as the network grows. In a multi-site network, the central hub controls the data transfer and acts as the gateway through which the remote sites communicate with each other. For example, a cell-phone tower in an area is the hub, and all the mobile devices in and around the cell-phone tower are the spokes. A security professional must understand how hub-and-spoke traffic flows in their network, because every spoke-to-spoke exchange is visible at, and dependent on, the hub.

Advantages
- The hub-and-spoke topology is relatively inexpensive and easy to repair when one of the spokes fails.
- Bonded circuits between the hub and a spoke increase the flexibility of the network.
- This topology offers enhanced security, as each device in the network is separated from the others by its single connection to the hub, where policy can be enforced centrally.
- This topology provides high performance, centralization, and simplicity.

Disadvantages
- Any issue at the hub affects the connection between the hub and every spoke, and therefore the connections between spokes as well.
- The hub is a single point of failure and a potential bottleneck unless secondary hubs are deployed.

Figure 7.113: Hub and Spoke VPN topology (diagram: spokes at the branch offices connected by secure tunnels across the Internet to the hub at the main office, with optional secondary hubs for resilience)

The figure illustrates the hub-and-spoke topology. Each spoke at a branch office establishes a secured connection with the hub at the main office. These secured connections are established across the Internet. The main office can have more than one hub, but only one hub is used to connect to each spoke at a time. The other hubs are kept as backup hubs for resilience.
This topology works well if most traffic flows between the hub and the spokes rather than between spokes or remote sites. Traffic between two spokes must pass through the hub before being forwarded to the destination spoke, which increases the chance of a bottleneck at the hub as spoke-to-spoke traffic grows. All IPsec technologies can be used in this topology. If the hub faces a connection issue, IPsec failover moves the spokes' connections to a backup hub, which is then used by all spokes. Multiple hubs can be configured to act as the main hub.
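The tunnel count, the spoke-to-spoke transit through the hub, the resulting hub load, and the failover to a backup hub described in this section can all be worked through with a small model. The following is an added example written for this page, not code from the EC-Council course or from any VPN product. It derives the tunnel set for a list of hubs and spokes, compares it with the n(n-1)/2 tunnels a full mesh of the same sites would need, routes each flow (spoke-to-spoke traffic always transits the active hub), sums the traffic the hub must carry against what it would carry in a full mesh, and fails the spokes over to the next hub when the primary becomes unreachable. The site names, traffic volumes, and the `Topology`, `Flow`, `Route`, `HubLoad` and `FullMeshLoad` names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example, not from the course material: a small model of the hub-and-spoke
// VPN topology. It derives the tunnel set for a site list, routes spoke-to-spoke
// flows through the hub, compares the hub's forwarding load with what a full mesh
// of the same sites would put on it, and fails the spokes over to a secondary hub
// when the primary is unreachable. Site names and traffic volumes are constructed.

// Flow is traffic from Src to Dst in arbitrary units (say Mbit/s).
type Flow struct {
	Src, Dst string
	Volume   int
}

// Topology is a hub-and-spoke VPN: Hubs[0] is the primary hub, the rest are
// backups in failover order; Spokes are the branch offices.
type Topology struct {
	Hubs   []string
	Spokes []string
	down   map[string]bool
}

func NewHubAndSpoke(hubs, spokes []string) *Topology {
	return &Topology{Hubs: hubs, Spokes: spokes, down: map[string]bool{}}
}

// SetDown marks a site reachable or unreachable (for example, its Internet link failed).
func (t *Topology) SetDown(site string, down bool) { t.down[site] = down }

func (t *Topology) isSite(name string) bool {
	for _, h := range t.Hubs {
		if h == name {
			return true
		}
	}
	for _, s := range t.Spokes {
		if s == name {
			return true
		}
	}
	return false
}

// ActiveHub is the first reachable hub in failover order. All spokes move to the
// same hub, so spoke-to-spoke reachability survives the loss of the primary.
func (t *Topology) ActiveHub() (string, error) {
	for _, h := range t.Hubs {
		if !t.down[h] {
			return h, nil
		}
	}
	return "", errors.New("no reachable hub: every spoke is isolated")
}

// Tunnels lists the secure tunnels to configure: each spoke peers with each hub
// and never with another spoke, i.e. len(Hubs)*len(Spokes) tunnels.
func (t *Topology) Tunnels() [][2]string {
	var out [][2]string
	for _, h := range t.Hubs {
		for _, s := range t.Spokes {
			out = append(out, [2]string{h, s})
		}
	}
	return out
}

// FullMeshTunnelCount is the n(n-1)/2 tunnels a full mesh of n sites needs.
func FullMeshTunnelCount(n int) int { return n * (n - 1) / 2 }

// Route gives the hop sequence a flow takes. Traffic to or from the active hub is
// direct; spoke-to-spoke traffic must transit the hub.
func (t *Topology) Route(f Flow) ([]string, error) {
	if !t.isSite(f.Src) || !t.isSite(f.Dst) {
		return nil, fmt.Errorf("unknown site in flow %s -> %s", f.Src, f.Dst)
	}
	if t.down[f.Src] || t.down[f.Dst] {
		return nil, fmt.Errorf("endpoint unreachable in flow %s -> %s", f.Src, f.Dst)
	}
	hub, err := t.ActiveHub()
	if err != nil {
		return nil, err
	}
	if f.Src == hub || f.Dst == hub {
		return []string{f.Src, f.Dst}, nil
	}
	return []string{f.Src, hub, f.Dst}, nil
}

// HubLoad is the traffic the active hub must carry. A flow that transits the hub
// is counted twice (in on one tunnel, out on another); a flow that terminates at
// the hub once. The gap to FullMeshLoad is the bottleneck the text describes.
func (t *Topology) HubLoad(flows []Flow) (int, error) {
	load := 0
	for _, f := range flows {
		path, err := t.Route(f)
		if err != nil {
			return 0, err
		}
		if len(path) == 3 {
			load += 2 * f.Volume // transit: arrives on one tunnel, leaves on another
		} else {
			load += f.Volume // terminates at the hub
		}
	}
	return load, nil
}

// FullMeshLoad is what the same site would carry in a full mesh, where every pair
// has its own tunnel and only traffic addressed to or from the site touches it.
func FullMeshLoad(site string, flows []Flow) int {
	load := 0
	for _, f := range flows {
		if f.Src == site || f.Dst == site {
			load += f.Volume
		}
	}
	return load
}

func main() {
	t := NewHubAndSpoke([]string{"main-office", "backup-hub"}, []string{"branch-a", "branch-b", "branch-c"})
	flows := []Flow{ // constructed traffic matrix
		{"branch-a", "branch-b", 10}, // spoke-to-spoke: transits the hub
		{"main-office", "branch-c", 5},
		{"branch-b", "main-office", 3},
	}
	fmt.Printf("hub-and-spoke tunnels: %d, full mesh would need %d\n",
		len(t.Tunnels()), FullMeshTunnelCount(len(t.Hubs)+len(t.Spokes)))
	path, _ := t.Route(flows[0])
	fmt.Println("branch-a -> branch-b path:", path)
	hubLoad, _ := t.HubLoad(flows)
	fmt.Printf("hub load: %d (hub-and-spoke) vs %d (full mesh)\n", hubLoad, FullMeshLoad("main-office", flows))

	// Primary hub fails: spokes fail over to the backup hub and keep talking.
	t.SetDown("main-office", true)
	path, err := t.Route(flows[0])
	fmt.Println("after failover:", path, err)
	t.SetDown("backup-hub", true)
	_, err = t.Route(flows[0])
	fmt.Println("all hubs down:", err)
}
```

With the constructed sites, the model shows 6 hub-and-spoke tunnels against 10 for a full mesh of the same five sites, and a hub load of 28 units against the 8 units the main office would carry in a mesh, because the 10-unit branch-a to branch-b flow is counted on both the inbound and the outbound tunnel. Marking the main office down moves the spoke-to-spoke path onto the backup hub; marking both hubs down leaves every spoke isolated, which is the single-point-of-failure case the disadvantages list describes.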