04-08-2012, 01:25 PM
Virtual private network
INTRODUCTION :
In recent years, network security solutions have grown to include IPsec as a critical component of secure network architecture design. One primary objective of this project is therefore to provide security with IPsec on various routing and switching platforms, and an understanding of the different components of the Cisco IPsec implementation in a live environment. This project covers successful implementation of IPsec in a variety of network topologies. IPsec is an emerging requirement in most major vertical markets (service provider, enterprise, financial, government), reflecting the need for increased authentication, confidentiality, and non-repudiation for the secure transmission of confidential data (government records, financial data, billing information).
The primary development objective of this project is to create a work that aids network architects, administrators, and managers in their efforts to integrate IPsec VPN technology into their existing IP Network infrastructures. The focus is on IPsec deployments in Cisco Network environments, from simple site-to-site virtual private network (VPN) configurations to comprehensive VPN strategies, including architectural redundancy and interoperability.
In this project, we approach toward building a working knowledge of fundamental IPsec VPN design, starting with an overview of basic IPsec business drivers and functional components. These concepts and components are then used as a foundation upon which IPsec VPN High Availability (HA) design considerations are presented. Lastly, several advanced IPsec VPN technologies that are commonly available in today's enterprise networks are presented and discussed. Within each chapter, the design concepts are presented and then reinforced with configurations, illustrations, and practical case studies where appropriate.
Introduction to VPN
Modern business environments have been consistently changing since the advent of the Internet in the 1990s. Now more than ever, organizational leaders are asking themselves how efficiencies can be gained through making their workforce more mobile and thus increasing the scope of sales and distribution channels while continuing to maximize the economies of scope in their existing data infrastructure investments. Virtual private network (VPN) technologies provide a means by which to realize these business efficiencies in tandem with greatly reduced IT operational expenditures. In this chapter, we will discuss how today's VPN technologies enable enterprise workforces to share data seamlessly and securely over common yet separately maintained network infrastructures, such as through an Internet service provider (ISP) between enterprise networks or with corporate extranet partners. We will introduce several IPsec VPN topologies commonly found in today's enterprise networks, and we will conclude with the overview of two IPsec VPN business models, complete with cost savings realized by the enterprise.
Common Terminologies of VPN
A VPN is a means to securely and privately transmit data over an unsecured and shared network infrastructure. VPNs secure the data that is transmitted across this common infrastructure by encapsulating the data, encrypting the data, or both encapsulating the data and then encrypting the data. In the context of VPN deployments, encapsulation is often referred to as tunneling, as it is a method that effectively transmits data from one network to another transparently across a shared network infrastructure.
A common encapsulation method found in VPNs today is Generic Routing Encapsulation (GRE). IP-based GRE is defined in IETF RFC 2784 as a means to enclose the IP header and payload within a GRE encapsulation header. Network designers use this method of encapsulation to hide the original IP header inside the GRE-encapsulated payload. In doing so, they separate or "tunnel" data from one network to another without making changes to the underlying common network infrastructure. IPsec-processed data is not only encrypted but also encapsulated, using either Encapsulating Security Payload (ESP) or Authentication Header (AH).
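As an added example (not code from the original report), the following pure-Python routines build and parse the RFC 2784 GRE header described above, including the optional checksum that lets a receiver detect a payload corrupted or altered in transit. The inner IPv4 packet and its addresses are constructed sample values.

```python
import struct

GRE_PROTO_IPV4 = 0x0800  # Protocol Type (EtherType) for an IPv4 payload
GRE_FLAG_CHECKSUM = 0x8000  # C bit: top bit of the first 16-bit word

def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, which RFC 2784 reuses for GRE."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def gre_encapsulate(inner: bytes, proto: int = GRE_PROTO_IPV4, with_checksum: bool = True) -> bytes:
    """Prefix inner with an RFC 2784 GRE header (Ver 0, Reserved0/Reserved1 zero)."""
    flags = GRE_FLAG_CHECKSUM if with_checksum else 0
    header = struct.pack("!HH", flags, proto)
    if with_checksum:
        # Checksum covers header + payload and is computed with its own field zeroed.
        csum = ip_checksum(header + struct.pack("!HH", 0, 0) + inner)
        header += struct.pack("!HH", csum, 0)
    return header + inner

def gre_checksum_ok(packet: bytes) -> bool:
    """A packet carrying a valid checksum sums to zero over header + payload."""
    return len(packet) >= 8 and ip_checksum(packet) == 0

def gre_decapsulate(packet: bytes):
    """Return (proto, payload) for a well-formed GRE packet, else raise ValueError."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:  # low three bits are Ver; RFC 2784 defines only version 0
        raise ValueError("unsupported GRE version")
    offset = 4
    if flags & GRE_FLAG_CHECKSUM:
        if not gre_checksum_ok(packet):
            raise ValueError("GRE checksum mismatch (corrupted or altered in transit)")
        offset = 8
    return proto, packet[offset:]

def sample_inner_packet() -> bytes:
    """Constructed sample: minimal IPv4 header 192.0.2.1 -> 198.51.100.1 (UDP) plus payload."""
    payload = b"test"
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, 17, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return header + payload
```

Note that the GRE checksum only catches accidental corruption; it is not keyed, so it offers none of the confidentiality or authentication that IPsec adds on top.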
Encryption refers to the act of coding a given message into a different format, while decryption refers to decoding an encrypted message back into its original unencrypted format. For encryption to be an effective mechanism for implementing a VPN, the encrypted format must be decipherable only by those whom the encrypting party trusts. To deliver on this requirement, encryption technologies generally rely on a mathematical operation, usually referred to as an algorithm or cipher, together with a key. Although generally complex in nature, the algorithm itself is publicly known. It is the symmetric key, or, as you'll see in the case of asymmetric cryptography, the private key, that must be kept unknown to would-be attackers. The key is the primary means of keeping the encrypted tunnel secure.
VPNs exist to effectively, securely, and privately protect data that is transmitted between two networks from the common, shared, and separately maintained infrastructure between the two networks. In order to effectively perform this task, there are four goals that a confidential VPN implementation must meet:
• Data confidentiality: Protects the message contents from being interpreted by unauthenticated or unauthorized sources.
• Data integrity: Guarantees that the message contents have not been tampered with or altered in transit from source to destination.
• Sender non-repudiation: A means to prevent a sender from falsely denying that they had sent a message to the receiver.
• Message authentication: Ensures that a message was sent from an authentic source and that messages are being sent to authentic destinations.
Incorporating the appropriate data confidentiality capabilities into a VPN ensures that only the intended sources and destinations are capable of interpreting the original message contents. IPsec is very effective at encrypting data using the Encapsulating Security Payload (ESP), described in RFC 1827. Using ESP, IPsec transforms clear text into encrypted data, or cipher text. Because ESP-transformed messages are only sent across in their ciphered representations, the original contents of the message are kept confidential from would-be interceptors of the message.
Hashes and digital signatures protect the integrity of a specific communication of data. Before transmission, a value derived from the original message (a hash digest or a signature) is appended to it, so that the receiver can verify the message has not been tampered with in transit.
By providing a unique fingerprint specific only to the sender of the message, a digital signature also provides the receiver a method of message authentication and sender non-repudiation.
Digital signatures require the use of a public verification key that corresponds to the sender's private signing key. The use of this cryptographic keypair thus guarantees message authenticity, ensuring that the message was sent from the authentic origin, and provides sender non-repudiation, preventing a situation in which the sender of a specific message intentionally and falsely denies having transmitted it. While a secure hash can provide data integrity, digital signatures provide added levels of security by offering message authentication and sender non-repudiation.
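The distinction just made (an unkeyed hash gives integrity, but a key-bound mechanism is needed for authentication) can be shown with a keyed hash, which is the symmetric construction IPsec's AH and ESP integrity checks actually use. This is an added example, not code from the report; the message, the intermediary scenario and the shared key are constructed.

```python
import hashlib
import hmac

def unkeyed_tag(message: bytes) -> bytes:
    """Plain SHA-256 digest: provides integrity only, since anyone can recompute it."""
    return hashlib.sha256(message).digest()

def keyed_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-256: only a holder of the shared key can produce a matching tag."""
    return hmac.new(key, message, hashlib.sha256).digest()

def tags_match(expected: bytes, actual: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(expected, actual)

def receiver_checks(key: bytes, modified_in_transit: bool) -> tuple:
    """Constructed scenario. Returns (unkeyed_hash_accepted, hmac_accepted) at the receiver."""
    message = b"TRANSFER 100 TO ACCOUNT 42"  # constructed sample message
    digest = unkeyed_tag(message)
    mac = keyed_tag(key, message)
    if modified_in_transit:
        # An intermediary that rewrites the message needs no secret to recompute the
        # plain digest, so the unkeyed check still passes; the HMAC cannot be
        # recomputed without the key, so that check fails.
        message = b"TRANSFER 900 TO ACCOUNT 42"
        digest = unkeyed_tag(message)
    return tags_match(digest, unkeyed_tag(message)), tags_match(mac, keyed_tag(key, message))
```

A digital signature gives the same authentication property with an asymmetric keypair, and additionally non-repudiation, because only the sender holds the signing key, whereas with HMAC both parties share the key.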
Although IPsec-based VPNs represent one of the most secure and widely deployed types of VPNs, they are only one of many VPN technologies in existence today. VPNs have been designed to protect data at almost every layer of the OSI stack. For example, customers in different market verticals will deploy a range of encryption technologies, from Layer 1 bulk encryptors to encryption technologies embedded within the applications themselves (SSL-based VPNs).