VPN Concept:

o VPN stands for Virtual Private Network.

o VPN allows creating secure connection to another network over the Internet.
o VPNs create tunnels that allow users/systems to connect securely.
o Virtual Private Network (VPN) is a secure private tunnel over an insecure path.
o There are different technologies available for Wide Area Network (WAN) connectivity.
o Main drawback of many Wide Area Network (WAN) connectivity solutions is "Cost".
o VPN is a Network Security Technology, to secure private network traffic over a public.
o VPN ensures Privacy for network data from the source device to destination device.
o VPN ensures Data Integrity for network data from the source device to destination device.
o VPN using network security protocols like IPSec to provide Privacy and Data Integrity.
o IPSec VPN provide Data Confidentiality by encrypting the data at the sending device.
o IPSec VPN provide Data Confidentiality by decrypting the data at receiving end.
o IPSec VPN also provides Data Integrity by using Hashing Algorithms like MD5 and SHA.
o Cisco supports several types of VPN implementations on the ASA IPSec & SSL based.
o Virtual Private Network (VPN) technology relies on the concept of tunneling.
o VPN tunneling involves establishing and maintaining a logical network association.
o Public network is a network to which anyone can connect and anyone can use.
o Private network is any network to which access is restricted and not for public use.

1 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717

VPN Classification:
Classification Based on Deployment:
1. Site to Site VPN
2. Remote-Access VPN

Classification Based on OSI Layers:

1. Layer 4/7 VPN - WebVPN
2. Layer 3 VPN - IPSec, GRE, DMVPN, SSL VPN, L2TPV3
3. Layer 2 VPN - L2TP, PPTP, MPPE, Frame Relay, X.25, ATM

Classification Based on Trust Level:

1. Intranet VPN
2. Extranet VPN
3. Remote VPN

Classifications Based on Customer Point of View:

1. Traditional VPN:
1. Frame-Relay (L2 VPN)
2. ATM VPN (L2 VPN)

2. CPE Based VPN:

1. L2TP and PPTP (Layer 2 VPN)
2. IPSec VPN (Layer 3 VPN)

3. Provider Provisioned VPN:

1. BGP/MPLS (L2/L3 VPN)

4. Session Based VPN:

1. SSLVPN/WebVPN (L4/L7 VPN)

Classification Based on Security Level:

1. Secure VPN
2. Trusted VPN
3. Hybrid VPN
Classification based on Cleartext VPNs:
1. MPLS,VPLS
2. L2VPN, L3VPN
3. PPTP, L2F,L2TP

2 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717

Advantages of VPNs:
Cost Savings Organizations can use VPNs to reduce connectivity costs.
Scalability Organizations can use the Internet to easily interconnect new offices.
Security Advanced encryption and authentication protocols protect data.
Compatibility VPNs can be implemented across a wide variety of WAN link options.
Better Performance VPNs provide better performance.
Flexible & Reliable VPNs is flexible and reliable.

Why Use Secure VPN:

Eavesdropping Attacks Traffic can be sniffed from unsecured lines.
Network Spoofing Attacks Attacker can sniff the encrypted data over the public
network and use it to make itself as a legitimate VPN peer.
Man-in-The-Middle-Attacks Attacker gets in-line with normal flow of traffic just to sniff
the critical information.

Type of VPNs:
There are two main types or categories of VPNs, Site-to-Site VPNs and Remote-Access VPNs.

3 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717

Site-to-Site VPNs:
o A VPN connection that allows connecting two LANs is called a Site-to-Site VPN.
o Connect two private LAN over Public Network, Private to Private over Public Network.
o It is also called Site-to-Site VPN, LAN-to-LAN VPN or Hub-and-Spoke VPN.
o Many organizations use IPsec, GRE, and MPLS VPN as Site-to-Site VPN protocols.
o Site-to-Site VPNs can connect branch office network to company Head-Office Network.
o VPN allows secure connection of corporate office with branch offices or remote offices.
o Site-to-Site, VPN are built over Internet between two or more office locations.
o Site-to-Site Virtual Private Network (VPN) connect entire networks to each other.
o The VPNs may be placed in the enterprise internet edge, enterprise WAN edge or branch.

Remote-Access VPNs:
o Enable users to work from remote locations such as their homes & other premises.
o Remote-Access VPNs connect client devices to LAN over the Internet infrastructure.
o Individual hosts or clients, access a company network securely over the Internet.
o Each host typically has VPN client software loaded or uses a web-based client.
o Whenever the host send any information, the VPN client software encapsulates it.
o Whenever the host send any information, the VPN client software also encrypts it.
o It allows individual users to establish secure connections with a remote network.
o Remote-Access VPN tunnels are formed between a VPN device & an end-user PC.
o The remote user requires the Cisco Virtual Private Network (VPN) client software.
o Remote access Virtual Private Network connect individual users to private networks.
o Remote-access Virtual Private Network connects individual host to company Network.

4 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717

Protocols for VPN:
The following are different protocols use for VPN implementation:
Point-to-Point Tunneling Protocol PPTP
Layer 2 Forwarding Protocol L2FP
Layer 2 Tunneling Protocol L2TP
Generic Routing Encapsulation Protocol GRE
Multiprotocol Label Switching MPLS
Internet Protocol Security IPSec
Secure Sockets Layer SSL

Encryption Algorithms for VPN:

The following are the typical encryption (Confidentiality) algorithms:
Data Encryption Standard (DES) 064 bits long
Triple Data Encryption Standard (3DES) 168 bits long
Advanced Encryption Standard (AES) 128 bits long
Advanced Encryption Standard (AES) 192 bits long
Advanced Encryption Standard (AES) 256 bits long

Hashing Algorithms for VPN:

The following are the Hashing (Integrity) algorithms:
Secure Hash Algorithm SHA
Message Digest Algorithm 5 MD5

Authentication Algorithms for VPN:

The following are common authentication methods:
Pre-Shared Keys Digital Certificates

5 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717

IPSec Protocols:
o IPSec stands for Internet Protocol Security.
o IPSec is an open standard that enables secure and encrypted communication.
o IPSec is open standard, almost all firewall and router vendors support it.
o IPSec is a suit of protocols that provide data confidentiality, integrity, & authentication.
o IPSec is used both for remote access VPNs and Site-to-Site Virtual Private Networks.
o IPSec is use to build VPNs over the Internet or over any other non-secure networks.
o IPSec (Internet Protocol Security) works at the Network Layer.
o In IPSec VPN, only unicast IP traffic can pass through the VPN tunnel.
o IPSec encrypting and authenticating IP packets between participating devices.
o IPsec is a framework that helps us to protect IP traffic on the Network Layer.

IPSec Features:
Confidentiality:
o By encrypting data, nobody except the sender & receiver will be able to read the data.
o Encryption algorithms protect data so it cannot be read by a third party while in transit.
o It mean the data will keep as secret using encryption algorithm Like DES, 3DES, AES.
Integrity:
o IPSec Integrity provide to make sure that nobody changes the data in packets.
o Receiver can authenticate packets sent by sender to ensure data has not been altered.
o By calculating hash value, the sender & receiver will be able to check data is not alerted.
o IPSec integrity insure that data has not been altered during transmission.
o IPSec Integrity using hash algorithm such as MD5 and SHA.
Authentication:
o Authentication means both devices will authenticate each other before data exchange.
o Authentication algorithms verify the data integrity and authenticity of a message.
o IPSec Authentication using Pre-Shared or Certificate (PKI) to authenticate peer.
o The IPSec receiver can authenticate the source of the IPSec packets sent.
o IPSec Authentication make sure that we are really talking with the device we intend to.
Anti-Replay:
o Attacker could try to capture these packets & send them again.
o Each packet is unique, has not been duplicated or intercepted.
o By using sequence numbers, IPsec will not transmit any duplicate packets.
o It means that if the data arrive late it will consider as alter & it will be drop.

6 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717

IPSec Protocols:
Encapsulating Security Payload (ESP):
o IPSec uses ESP to provide Data Integrity, Encryption & Authentication.
o IPSec uses ESP to provide also Anti-Replay functions.
o IPSec implementations uses DES, 3DES and AES for Data Encryption.
o ESP authenticates the data within the VPN, ensuring Data Integrity.
o ESP (Encapsulating Security Payload) provides all IPsec features.
o ESP (Encapsulating Security Payload) use IP protocol number 50.
o ESP (Encapsulating Security Payload) work with NAT using NAT-T.
o ESP protocols support two modes of use Transport and Tunnel.
o In Transport Mode, it use the original IP header & insert an ESP header.
o In Tunnel Mode, it use a new IP header, which is useful for site-to-site VPNs.
o Same to transport mode but add new header, original header is also encrypted.

7 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717

Authentication Header (AH):
o IPSec uses AH to provide Data Integrity and Authentication functions.
o IPSec uses AH to provide Anti-Replay functions for IPSec VPN.
o IPSec Authentication Header (AH) does not provide any Data Encryption.
o AH is used to provide Data Integrity services to ensure Data is not tampered.
o Authentication Header (AH) use IP protocol number 51.
o Authentication Header (AH) does not works with NAT.
o Authentication Header (AH) does not use NAT-T.
o AH, protocols also support two modes of use Transport and Tunnel.
o Transport mode is simple, it just adds an AH header after the IP header.
o With tunnel mode, it add new IP header on top of the original IP packet.

8 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717

IPSec Modes:
o There is two modes of IPSec, Tunnel Mode and Transport Mode:
Tunnel Mode:
o In Tunnel Mode, the entire packet is encrypts and authenticates by IPSec.
o IP Security (IPSec) tunnel mode is the default mode on most Cisco.
o The packet is then encapsulated to form a new IP packet header information.
o IP Security (IPSec) Tunnel Mode protect Layer 3 and upper Layer data.
o IPSec Tunnel Mode is used in Site-Site VPN, Remote-Access VPN and GETVPN.
o Tunnel mode is more secure and encrypts both the header and the payload.
o Tunnel mode is used to encrypt traffic between secure IPSec Gateways.

Transport Mode:
o IPSec only encrypts and/or authenticates the actual payload of the packet.
o In Transport mode, the header information remains unchanged.
o IPSec Transport mode is used for end-to-end communications.
o IPSec Transport mode is used for communication between client & server.
o IPSec Transport mode is used for communication between a workstation.
o Normally, encrypted Telnet or RDP session from workstation to server.
o IPSec Transport mode protect Layer 4 and upper Layer data.
o IPSec Transport Mode will use the original IP header.
o IPSec transport mode is used when another tunneling protocol like GRE is used.
o IPSec Transport Mode is used in Dynamic Multipoint Virtual Private Network.

9 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717

IPSec Authentication:
MD5 Hashing:
o Hashing is the technique to ensure the integrity.
o MD5, which stands for Message Digest algorithm 5.
o The Message Digest (MD5) is a cryptographic hashing algorithm.
o MD5 hash is typically expressed as a 32 digit hexadecimal number.
o MD5 or message digest algorithm will produce a 128-bit hash value.
o Input data can be of any size or length, but the output size is always fixed.
o MD5 algorithm generates a fixed size (32 Digit Hex) MD5 hash.
o The hash is unique for every file irrespective of its size and type.

SHA Hashing:
o SHA, stands for Secure Hash Algorithm, is cryptographic hashing.
o SHA used to determine the integrity of a particular piece of data.
o The Secure Hashing Algorithm comes in several flavors.
o SHA-1 and SHA-2 are two different versions of that algorithm.
o SHA1 produces a 160-bit (20-byte) hash value.
o SHA2 has option to vary digest between 224 bits to 512 bits.
o SHA224 produces a 224-bit (28-byte) hash value.
o SHA256 produces a 256-bit (32-byte) hash value.
o SHA384 produces a 384-bit (48-byte) hash value.
o SHA512 produces a 512-bit (64-byte) hash value.

IPSec Encryption:
IPSec provide many Encryption methods mostly used are DES, 3DES & AES.
DES Encryption Algorithm:
o DES stands for Data Encryption Standard, its Encryption Algorithm.
o DES was developed by IBM in 1970s but was later adopted by the NIST.
o DES (Data Encryption Standard) key length is 56 bits & block size is 64-bit length.
o Data Encryption Standard uses 56-bit key, ensuring high-performance encryption.
o DES is not a secure encryption algorithm and it was cracked many times.
o DES is one of the most widely accepted, publicly available cryptographic systems.
o DES (Data Encryption Standard) is used to encrypt and decrypt packet data.
o DES turns clear text into ciphertext with an encryption algorithm.
o The decryption algorithm on the remote end restores clear text from ciphertext.
o DES shared secret keys enable the encryption and decryption on both sides.
o DES (Data Encryption Standard) is the weakest of the three algorithms.

10 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717

Triple DES Algorithm (3DES):
o Encryption algorithm based on DES that uses DES to encrypt the data three times.
o In 3DES, Data Encryption Standard encryption is applied three times to the plaintext.
o Plaintext is encrypted with key A, decrypted with key B & encrypted again with key C.
o Triple DES (3DES) is also supported encryption protocol for use in IPSec on Cisco products.
o Triple DES (3DES) operates similarly to DES in that data is broken into 64-bit blocks.
o 3DES then processes each block three times, each time with an independent 56-bit key.
o Triple DES effectively doubles encryption strength over 56-bit Data Encryption Standard.
o Triple DES is a variation of DES, which is secure than the usual Data Encryption Standard.

AES (Advanced Encryption Standard):

o AES (Advanced Encryption Standard) is strongest encryption algorithm available.
o Advance Encryption Standard (AES) algorithm was developed in the Year 1998.
o Advanced Encryption Standard (AES) is a newer and stronger encryption standard
o Firewalls can use AES encryption keys of these lengths: 128, 192, or 256 bits.
o Algorithm is referred to as AES-128, AES-192, or AES-256, depending on the key length.

11 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717

Diffie-Hellman (DH):
o Diffie-Hellman key agreement algorithm was developed in the Year 1976.
o Dr. Whitfield Diffie and Dr. Martin Hellman developed Diffie-Hellman Algorithm.
o Diffie-Hellman (DH) key exchange is a wonderful mathematical algorithm.
o Which allows two parties who have no prior knowledge to generate same secret keys.
o Diffie-Hellman allows two devices to establish a shared secret over an unsecure network.
o The encryption key for the two devices is used as a symmetric key for encrypting data.
o Diffie-Hellman key agreement algorithm is widely used in security protocols like IPSec.
o Diffie-Hellman algorithm is also use in Secure Shell (SSH) & Transport Layer Security (TLS).
o Only two parties involved in the DH key exchange and the key is never sent over the wire.
o Diffie-Hellman key group is a group of integers used for the Diffie-Hellman key exchange.
o Cisco Firewalls and Routers can use Diffie-Hellman (DH) groups 1, 2, 5, 14, 15, 19, and 20.
o Diffie-Hellman groups determine the strength of the key used in the key exchange process.
o Higher group numbers are more secure, but require additional time to compute the key.
o Diffie-Hellman groups (DH) is used within IKE to establish session keys.
o 768-bit and 1024-bit D-H groups are supported in the Cisco routers and Firewall.
o The 1024-bit group is more secure because of the larger key size.
o In terms of VPN, it is used in the in IKE or Phase1 part of setting up the VPN tunnel.
o There are multiple, Diffie-Hellman Groups that can be configured in an IKEv2 policy.
o Both peers in VPN exchange must use same DH group, which is negotiated during Phase 1.
o There are multiple Diffie-Hellman Groups 1 to 30 assigned and 31-32767 Unassigned.
DH Group Number Group Description Recommendation
Diffie-Hellman group 1 768 bit Modulus Avoid
Diffie-Hellman group 2 1024 bit Modulus Avoid
Diffie-Hellman group 5 1536 bit Modulus Avoid
Diffie-Hellman group 14 2048 bit Modulus Acceptable
Diffie-Hellman group 15 3072-bit Modulus Acceptable
Diffie-Hellman group 19 256 bit Elliptic Curve Elliptic Curve Acceptable
Diffie-Hellman group 20 384 bit Elliptic Curve Elliptic Curve NGE
Diffie-Hellman group 21 521-bit Elliptic Curve Elliptic Curve NGE
Diffie-Hellman group 24 2048-bit Modulus Next Generation Encryption

12 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717