1. Types of VPN
1.1 Site-to-Site VPN
1.1.1 Intranet
1.1.2 Extranet
1.2 Remote-Access VPN
A remote-access VPN is for home or traveling users who need to access
their corporate network from a remote location. They dial in to their ISP and
connect over the Internet to the company's internal WAN. This is made
possible by installing a client software program on the remote user's
laptop or PC that handles the encryption and decryption of the VPN
traffic between itself and the VPN gateway on the central LAN.
3.1 Firewalls
3.2 Authentication
3.3 Encryption
Encryption is the process of taking all the data that one computer is
sending to another and encoding it into a form that only the other
computer will be able to decode. Most computer encryption systems
belong to one of two categories:
(1) Symmetric-key encryption
(2) Public-key encryption
In symmetric-key encryption, each computer has a secret key (code) that it can use to
encrypt a packet of information before it is sent over the network to
another computer. Symmetric-key encryption requires that you know which
computers will be talking to each other so you can install the key on
each one. It is essentially the same as a
secret code that each of the two computers must know in order to
decode the information. The code provides the key to decoding the
message.
Public-key encryption uses a combination of a private key and a public key. The private key
is known only to your computer, while the public key is given by your
computer to any computer that wants to communicate securely with it.
To decode an encrypted message, a computer must use the public
key, provided by the originating computer, and its own private key. A
very popular public-key encryption utility is called Pretty Good Privacy
(PGP).
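The two families above, shown side by side as an added example that is not part of the original document. The symmetric half is a toy authenticated stream cipher built from HMAC-SHA256 in counter mode, and the public-key half is textbook RSA with the tiny constructed primes p=61, q=53 (not secure, chosen so the arithmetic is easy to follow); real VPNs use AES or ChaCha20 and large RSA or elliptic-curve keys. The point to watch is who needs which key: the symmetric functions need the same key installed on both sides, while anyone holding the RSA public key can encrypt and only the private-key holder can decrypt.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16   # bytes of per-message nonce prepended to the ciphertext
TAG_LEN = 32     # bytes of HMAC-SHA256 integrity tag appended to the ciphertext


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def symmetric_encrypt(key: bytes, plaintext: bytes, nonce: bytes = b"") -> bytes:
    """Symmetric-key: sender and receiver must already share `key`.

    Returns nonce || ciphertext || tag, so the receiver can both decrypt and
    detect modification in transit. A fixed nonce is accepted only for tests.
    """
    if not nonce:
        nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def symmetric_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; only then undo the XOR with the same keystream."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch: wrong key or modified data")
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def tamper_detected(key: bytes, blob: bytes) -> bool:
    """Flip one ciphertext bit and report whether decryption refuses the result."""
    mutated = bytearray(blob)
    mutated[NONCE_LEN] ^= 0x01          # first ciphertext byte
    try:
        symmetric_decrypt(key, bytes(mutated))
    except ValueError:
        return True
    return False


def rsa_keygen(p: int = 61, q: int = 53, e: int = 17):
    """Textbook RSA with constructed teaching primes (assumption: Python 3.8+ for pow(e, -1, m))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)               # (public key, private key)


def rsa_encrypt(public_key, message: bytes) -> list:
    """Anyone with the public key can encrypt; one byte per block because n is tiny."""
    n, e = public_key
    return [pow(b, e, n) for b in message]


def rsa_decrypt(private_key, blocks: list) -> bytes:
    """Only the holder of the matching private key recovers the plaintext."""
    n, d = private_key
    return bytes(pow(c, d, n) for c in blocks)


if __name__ == "__main__":
    shared = secrets.token_bytes(32)    # must be installed on both computers beforehand
    blob = symmetric_encrypt(shared, b"site A -> site B")
    print("symmetric round trip:", symmetric_decrypt(shared, blob))
    print("bit flip detected:", tamper_detected(shared, blob))
    pub, priv = rsa_keygen()            # only `pub` is ever handed to other computers
    print("rsa round trip:", rsa_decrypt(priv, rsa_encrypt(pub, b"hi")))
```

Running the module prints the two round trips and shows that a single flipped bit in the symmetric ciphertext is rejected before any plaintext is released, which is the property a VPN needs on top of confidentiality.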
4. VPN Components
IPsec can either be used to directly encrypt the traffic between two
hosts (known as Transport Mode), or to build “virtual tunnels” between
two subnets, which could be used for secure communication between
two corporate networks (known as Tunnel Mode). The latter is more
commonly known as a Virtual Private Network (VPN).
MPLS VPNs support multiple protocols for securing traffic, i.e. data, as it crosses
the network. MPLS belongs to the family of packet-switched networks.
In an MPLS network, data packets are assigned labels. Packet-forwarding
decisions are made on the contents of this label, without
the need to examine the packet itself. This allows one to create end-to-end
circuits across any type of transport medium, using any protocol.
The primary benefit is to eliminate dependence on a particular Data
Link Layer technology, such as frame relay, and to eliminate the need for
multiple Layer 2 networks to satisfy different types of traffic. MPLS
operates at an OSI Model layer that is generally considered to lie
between traditional definitions of Layer 2 (Data Link Layer) and Layer 3
(Network Layer), and thus is often referred to as a "Layer 2.5" protocol.
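The label-switching behaviour described above, as an added example that is not part of the original document: it encodes the 32-bit MPLS shim header (20-bit label, 3-bit traffic class, 1-bit bottom-of-stack flag, 8-bit TTL) and walks a packet through a constructed three-router path where the ingress pushes a label, the core router swaps it using only the label, and the egress pops it. The router names, labels and forwarding tables are made up for the illustration; the payload bytes are never inspected by the core, which is exactly the property the text describes.

```python
import struct


def encode_label(label: int, tc: int = 0, bottom: bool = True, ttl: int = 64) -> bytes:
    """Pack one MPLS label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    if not 0 <= tc < 8 or not 0 <= ttl < 256:
        raise ValueError("tc must fit in 3 bits and ttl in 8 bits")
    word = (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", word)


def decode_label(entry: bytes) -> dict:
    """Unpack the top label stack entry of a labelled packet."""
    (word,) = struct.unpack("!I", entry[:4])
    return {
        "label": word >> 12,
        "tc": (word >> 9) & 0x7,
        "bottom": bool((word >> 8) & 0x1),
        "ttl": word & 0xFF,
    }


def ingress_push(payload: bytes, label: int) -> bytes:
    """Ingress router: classify the packet once and push the label for its path."""
    return encode_label(label, bottom=True) + payload


def lsr_forward(table: dict, packet: bytes):
    """Core/egress router: act on the top label only, never on the payload.

    `table` maps incoming label -> (action, outgoing label, next hop), where
    action is "swap" or "pop" (constructed format for this example).
    """
    top = decode_label(packet)
    if top["ttl"] <= 1:
        raise ValueError("TTL expired in label-switched path")
    action, out_label, next_hop = table[top["label"]]
    rest = packet[4:]
    if action == "swap":
        new_top = encode_label(out_label, top["tc"], top["bottom"], top["ttl"] - 1)
        return next_hop, new_top + rest
    if action == "pop":
        return next_hop, rest                 # bottom of stack: raw payload goes on
    raise ValueError("unknown action %r" % action)


def forward_through_lsp(routers: dict, first_hop: str, packet: bytes):
    """Walk a labelled packet hop by hop; returns ([(router, label seen)], delivered bytes)."""
    hops = []
    hop = first_hop
    while hop in routers:
        hops.append((hop, decode_label(packet)["label"]))
        hop, packet = lsr_forward(routers[hop], packet)
    return hops, packet


# Constructed topology: R1 (ingress) -> R2 (core, swaps) -> R3 (egress, pops) -> host-B
ROUTERS = {
    "R2": {100: ("swap", 200, "R3")},
    "R3": {200: ("pop", None, "host-B")},
}


def demo(payload: bytes = b"any protocol, any medium"):
    labelled = ingress_push(payload, 100)             # done by R1
    return forward_through_lsp(ROUTERS, "R2", labelled)


if __name__ == "__main__":
    hops, delivered = demo()
    print("path:", hops)
    print("delivered:", delivered)
```

The TTL decrement on every swap is what lets a forwarding loop in a misconfigured label table terminate instead of circulating forever; the check is deliberately placed before the table lookup so an expired packet is dropped even when no entry exists for it.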
GRE is a tunneling protocol. A GRE tunnel end-point does not keep any
information about the state or availability of the remote tunnel end-point.
A consequence of this is that the local tunnel end-point router
does not have the ability to bring the line protocol of the GRE tunnel
interface down if the remote end-point is unreachable. The GRE tunnel
interface comes up as soon as it is configured and stays up as long
as there is a tunnel source address or interface which is up. The tunnel
destination IP address must also be routable. This is true even if the
other side of the tunnel has not been configured. This means that a
static route or PBR forwarding of packets via the GRE tunnel interface
remains in effect even though the GRE tunnel packets do not reach the
other end of the tunnel.
6. Tunneling
Tunneling is a method of using an internetwork infrastructure to
transfer data for one network over another network. The data to be
transferred (or payload) can be the frames (or packets) of another
protocol. Instead of sending a frame as it is produced by the
originating node, the tunneling protocol encapsulates the frame in an
additional header. The additional header provides routing information
so that the encapsulated payload can traverse the intermediate
internetwork.
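The encapsulation described in sections 4 and 6, worked through for GRE over IPv4 as an added example that is not part of the original document: an inner IPv4 packet is wrapped in a GRE header (RFC 2784 base header, optionally with the RFC 2890 key field) and a new outer IPv4 header whose addresses are the tunnel end-points, then unwrapped again on the far side. The addresses, inner payload and key value are constructed for the illustration. Note that nothing in the encapsulated packet carries any state about the remote end-point, which is why, as the GRE paragraph above explains, a tunnel interface can stay up while its packets go nowhere.

```python
import ipaddress
import struct

IPPROTO_GRE = 47          # outer IPv4 protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an encapsulated IPv4 packet
GRE_FLAG_C = 0x8000       # checksum present
GRE_FLAG_K = 0x2000       # key present (RFC 2890)
GRE_FLAG_S = 0x1000       # sequence number present (RFC 2890)


def ip_checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Parse and validate an IPv4 header; rejects wrong version or bad checksum."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    if ip_checksum(pkt[:ihl]) != 0:          # a valid header sums to zero
        raise ValueError("IPv4 header checksum mismatch")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "total_len": total_len, "ihl": ihl}


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str, key: int = None) -> bytes:
    """Wrap `inner` in GRE and a new outer IPv4 header addressed to the tunnel end-points."""
    flags = GRE_FLAG_K if key is not None else 0
    gre = struct.pack("!HH", flags, ETHERTYPE_IPV4)   # version bits are zero
    if key is not None:
        gre += struct.pack("!I", key)
    outer = build_ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(inner))
    return outer + gre + inner


def gre_decapsulate(packet: bytes):
    """Strip the outer IPv4 and GRE headers; returns (outer header dict, key or None, inner bytes)."""
    outer = parse_ipv4_header(packet)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    off = outer["ihl"]
    flags, ptype = struct.unpack("!HH", packet[off:off + 4])
    if flags & 0x7 != 0:
        raise ValueError("unsupported GRE version")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    off += 4
    if flags & GRE_FLAG_C:
        off += 4                                  # checksum + reserved1 (not verified here)
    key = None
    if flags & GRE_FLAG_K:
        (key,) = struct.unpack("!I", packet[off:off + 4])
        off += 4
    if flags & GRE_FLAG_S:
        off += 4
    return outer, key, packet[off:]


def header_valid(packet: bytes) -> bool:
    """True when the outer header parses cleanly (used to show corruption is caught)."""
    try:
        parse_ipv4_header(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inner packet between two private subnets, carried across public end-points.
    inner = build_ipv4_header("10.1.1.5", "10.2.2.7", 17, 8) + b"payload!"
    outer = gre_encapsulate(inner, "198.51.100.1", "203.0.113.9", key=0x1234)
    hdr, key, got = gre_decapsulate(outer)
    print(hdr["src"], "->", hdr["dst"], "key=%#x" % key, "inner restored:", got == inner)
```

The outer header is what the intermediate internetwork routes on; the inner header is opaque to it, so private 10.x addresses travel across public routers unchanged. Decapsulation validates the outer checksum and protocol fields before trusting any offsets, which is the order a defensive parser should follow.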
7. VPN Overview
8. VPN solutions
There are four main components of an Internet-based VPN: the
Internet, security gateways, security policy servers and
certificate authorities. The Internet provides the fundamental
plumbing for a VPN. Security gateways sit between public and private
networks, preventing unauthorized intrusions into the private network.
They may also provide tunneling capabilities and encrypt private data
before it is transmitted on the public network. In general, a security
gateway for a VPN fits into one of the following categories: routers,
firewalls, integrated VPN hardware and VPN software.