IPSec VPN - Fundamentals

A VPN, or Virtual Private Network, is a way to establish a tunnel between two endpoints, such as two routers or two hosts. VPNs are used to provide secure communication over an insecure medium. A simple example is secure communication between two branch offices over the public internet. This matters because without it, people can eavesdrop and steal important company information. Oftentimes, people misunderstand VPNs and think that because "private" is in the name, a VPN is automatically secure. This is not always the case, especially in the service provider world, where there are types of VPNs that do not provide any encryption at all. IPSec VPNs, however, do provide encryption along with other security features.

There are several types of VPNs that can be deployed. The most common are site-to-site and remote access, although there are many more, and which one is most common depends on the use case. A site-to-site VPN is just that: a tunnel from one site to another, such as from a branch office to headquarters. This implementation is common for backhauling site traffic to headquarters, where you might inspect the traffic before it enters the network or goes out to the internet. A remote access VPN is more common where you have remote workers who need to reach resources inside the company network. This is very common in today's world, especially after a pandemic that made a lot of people work from home. Both types can be implemented with SSL/TLS or with IPSec. The focus of this post is IPSec VPNs and how they work; I will leave SSL/TLS to another post.

IPSec is a suite of security protocols used to build a secure communication tunnel. IPSec VPNs can be established in one of two ways: via the Internet Key Exchange (IKE) protocol or with manual key exchange, in other words dynamically or statically. Manual key exchange, as the name suggests, is where you exchange the encryption key through some manual channel, e.g. email or phone. This is neither the most secure nor the most efficient approach, since the key has to be changed manually by both parties. IKE can be used instead to exchange encryption keys dynamically and to re-negotiate them periodically, so that it is harder for an eavesdropper to compromise them.

IKE works in two phases, phase 1 and phase 2, and each phase is responsible for different things. IKE Phase 1 is responsible for creating a secure tunnel through which the VPN encryption keys are negotiated. In phase 1, there are two modes that can be configured: main mode and aggressive mode. Main mode is the most common and requires six messages to be exchanged during the negotiation. Main mode is also more secure than aggressive mode because it encrypts the messages containing the IKE identities. The downside of main mode is that it is more processing intensive.

The second mode, aggressive mode, is mainly used when creating VPNs from clients to a VPN gateway, as in a remote access VPN. Aggressive mode is faster because it requires half the messages that main mode does, but it exposes the IKE identities in clear text. IKE Phase 2 is responsible for generating the encryption keys used for the traffic inside the VPN. In phase 2 the only negotiation mode is quick mode, in which the IPSec keys are negotiated.

Encryption Algorithms:
            DES
            3DES
            AES

Authentication Algorithms:
            MD5
            SHA1
            SHA2

IKE Phase 1 Events:

·       The encryption and authentication algorithms needed are negotiated.

·       A phase 1 tunnel is established using the Diffie-Hellman key exchange.

·       The peer is authenticated using either a pre-shared key or a digital certificate.

IKE Phase 2 Events:

·       The encryption and authentication algorithms needed to encrypt data traffic are negotiated.

·       The VPN protocol used to encrypt and/or authenticate is negotiated. This will be either ESP or AH.

·       The proxy IDs (which identify the traffic to be protected) are negotiated.

·       Other optional processing, such as perfect forward secrecy (PFS), is performed.

One thing to note is that in the phase 2 tunnel, Encapsulating Security Payload (ESP) is the most common protocol, as it provides both authentication and encryption, whereas Authentication Header (AH) only provides authentication.

IPSec VPNs are implemented in two modes: tunnel mode and transport mode. In tunnel mode, the original IP packet is encapsulated within a new IP packet, hiding the original IP header and with it the original source IP. In transport mode, the original packet is not encapsulated in a new packet; the original L3 header is kept, and only the payload behind it is protected. Tunnel mode is the most common implementation on the internet. As with any design, there are pros and cons to consider before choosing one over the other.
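To make the ESP and tunnel/transport discussion concrete, here is an added Go sketch (not code from the original post) of ESP framing with AES-256-GCM, one of the AES options listed above: it shows that tunnel mode leaves no trace of the inner IP header on the wire while transport mode keeps it in clear, and that the ICV rejects any change to the header or payload. Key material and packet bytes are constructed for the demo (real keys come from IKE), and the IV and salt handling is simplified from what a production SA does.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Added demo of ESP framing with AES-256-GCM; keymat and packets are constructed by the
// caller, not derived by IKE. Wire format: SPI(4) | Seq(4) | IV(8) | ciphertext | ICV(16).
// SPI and Seq are sent in clear but authenticated; keymat = 32-byte AES key + 4-byte salt.
const hdrLen, ivLen = 8, 8

func gcm(keymat []byte) (cipher.AEAD, []byte) {
	if len(keymat) != 36 {
		panic("keymat must be a 32-byte AES key followed by a 4-byte salt")
	}
	block, _ := aes.NewCipher(keymat[:32]) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)        // cannot fail for an AES block
	return aead, keymat[32:]
}
// espSeal protects payload under SA spi; nonce = salt || IV, IV from seq so it never repeats.
func espSeal(keymat []byte, spi, seq uint32, payload []byte) []byte {
	aead, salt := gcm(keymat)
	hdr := make([]byte, hdrLen+ivLen)
	binary.BigEndian.PutUint32(hdr[0:], spi)
	binary.BigEndian.PutUint32(hdr[4:], seq)
	binary.BigEndian.PutUint32(hdr[12:], seq) // IV = 4 zero bytes || seq
	nonce := append(append([]byte{}, salt...), hdr[hdrLen:]...)
	return aead.Seal(hdr, nonce, payload, hdr[:hdrLen]) // hdr | ciphertext | ICV
}
// espOpen checks the ICV and decrypts; any altered byte, header or payload, fails it.
func espOpen(keymat, pkt []byte) ([]byte, error) {
	aead, salt := gcm(keymat)
	if len(pkt) < hdrLen+ivLen+aead.Overhead() {
		return nil, errors.New("ESP packet too short")
	}
	nonce := append(append([]byte{}, salt...), pkt[hdrLen:hdrLen+ivLen]...)
	return aead.Open(nil, nonce, pkt[hdrLen+ivLen:], pkt[:hdrLen])
}
// encap: tunnel mode hides the whole inner packet behind a new outer IP header;
// transport mode keeps the inner header (first innerHdrLen bytes) in clear.
func encap(mode string, keymat []byte, spi, seq uint32, outerIP, inner []byte, innerHdrLen int) []byte {
	plain, payload := inner[:innerHdrLen], inner[innerHdrLen:] // transport mode
	if mode == "tunnel" {
		plain, payload = outerIP, inner
	}
	return append(append([]byte{}, plain...), espSeal(keymat, spi, seq, payload)...)
}
```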

In short, VPNs are a vital part of networking, and having a basic understanding of them is very important. There are more VPN components to discuss, but that will be in another post - if you enjoyed this post, please consider sharing it.
