Mini Lecture
Set up of commercial VPNs.
Device --Encrypted Pipe–> VPN Server --> Internal Network
Does everything need to go through a VPN?
Area of risk: the internet.
Traffic through internal network can be unencrypted; but at the edge of the network (the router), the data should be encrypted as it goes through the big bad internet. Once it hits the other internal network (e.g. difference office), it can be decrypted again.
That is, VPNs create secure distributed networks.
Types of networks:
- Branch office interconnect
- Routers/firewalls responsible for encrypting all traffic between branches
- TODO
- Supplier networks
- Supplier’s device (not their network) responsible for encrypting traffic to/from the enterprise
- Remote access
- TODO
Design consideration:
- Are the cryptographic algorithms implemented in hardware or software?
- How many simultaneous sessions are required?
Types:
OpenVPN:
- Difficult to build and configure
- Cryptographic options limited
- Authentication: digital certificates
SSLVPN:
- Encryption handled by firewall
- Firebox/WatchGuard VPN apps required
IPSec:
- Most common commercial solution
- Very flexible, but also very complex
- Provides confidentiality, integrity and authentication
- Security parameter index: devices agree on TODO
Authentication only:
- Wraps packet with TOOD
- Works in transport and tunnel mode
Encapsulating security payload:
- TODO
IKEv2:
- Recent standard
- Digital certificates
- Wireguard: available in many new Linux distros
TODO
IKEv2 and OpenVPN, each tunnel (device) has its own IP address. Hence, pool of IP address pool required.
IP layer so no ports. So on internal network each VPN-connected device has its own virtual IP
IKEv2 done on router with hardware crypto module