Tunneling enables users to access private networks from public networks. tunneling encapsulates an entire packet within another packet and sends the new composite packet over a network. there are three classes of tunneling protocol:
  • Carrier protocol. the protocol over which the information is travelling (Frame-relay, ATM, MPLS)
  • Encapsulating protocol. the protocol that wraps around the original data (GRE, L2F, L2TP)
  • Passenger protocol. the protocol in which the original data was sent (IPv4, AppleTalk, IPv6, IPX)

Tunneling works as follows: the original data is wrapped by the encapsulating protocol; then, as it leaves the VPN gateway (the "tunnel interface"), the data is encapsulated by the carrier protocol, with the source and destination addresses being the addresses of the two tunnel interfaces. when the data arrives at the VPN gateway at the other end, the original data is extracted and sent on to its destination.
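the three layers above, as an added example that is not part of the original notes: a passenger IPv4/UDP packet between two private hosts is wrapped in a GRE header and a carrier IPv4 header addressed between the two gateways' tunnel interfaces, then unwrapped at the far end. the addresses and payload are constructed for the demo, and the carrier here is IPv4 (the GRE-over-IP case) rather than Frame Relay or MPLS.

```python
import socket
import struct

# Constructed addresses (assumptions, not from the original notes): tunnel interfaces and private hosts.
TUNNEL_A, TUNNEL_B = "203.0.113.1", "198.51.100.1"
HOST_A, HOST_B = "10.1.1.10", "10.2.2.20"
PROTO_UDP, PROTO_GRE, ETHERTYPE_IPV4 = 17, 47, 0x0800

def ip_checksum(hdr: bytes) -> int:
    """One's-complement checksum of an IPv4 header; 0 if its checksum field is valid."""
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options, TTL 64) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Gateway egress: carrier IPv4 header (addressed between the tunnel interfaces)
    + 4-byte GRE header + the untouched passenger packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no flags/checksum, protocol = IPv4
    outer = ipv4_header(tunnel_src, tunnel_dst, PROTO_GRE, len(gre) + len(passenger))
    return outer + gre + passenger

def gre_decapsulate(packet: bytes) -> bytes:
    """Gateway ingress: validate the carrier header, strip it and GRE, hand back the passenger."""
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad carrier IPv4 checksum")
    if packet[9] != PROTO_GRE:
        raise ValueError("carrier packet is not GRE")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags != 0 or proto != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return packet[ihl + 4:]

def addresses(packet: bytes) -> tuple:
    """(source, destination) of an IPv4 packet, to inspect each layer separately."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])

def demo() -> dict:
    data = b"private payload"  # constructed
    udp = struct.pack("!HHHH", 40000, 5000, 8 + len(data), 0) + data  # UDP, checksum 0
    passenger = ipv4_header(HOST_A, HOST_B, PROTO_UDP, len(udp)) + udp
    tunneled = gre_encapsulate(passenger, TUNNEL_A, TUNNEL_B)
    return {"passenger": passenger, "tunneled": tunneled, "recovered": gre_decapsulate(tunneled)}
```

note that plain GRE gives encapsulation only: the private addresses and payload travel in the clear unless the tunnel is also protected by IPsec, as described later in these notes.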

for the message to be private, it must be encrypted. VPN encryption rules include an algorithm and a key. the message is encrypted using the combination of the algorithm and the key. the result is a cipher text that is very difficult, if not impossible, to decrypt without the correct key. there are two kinds of encryption algorithm: a symmetric algorithm, which uses the same key for the encryption and decryption processes, and an asymmetric algorithm, which uses different keys for the encryption and decryption processes. some commonly used encryption algorithms are:
  • Data Encryption Standard (DES). a symmetric key encryption algorithm developed by IBM. it uses a 56-bit key, giving high-performance encryption.
  • Triple DES (3DES). developed from DES; a symmetric key cryptosystem. it encrypts a message with one key, decrypts it with a second key and finally encrypts it with a third key. this provides more strength than DES.
  • Advanced Encryption Standard (AES). developed by the National Institute of Standards and Technology as the replacement for DES. it offers more strength than DES and is more efficient than 3DES. it supports three different key lengths: 128, 192 and 256 bits.
  • Rivest, Shamir, and Adleman (RSA). named after its inventors. this is an asymmetric cryptosystem. it uses a key length of 512, 768, 1024 or more bits.

a hash is a string generated from a text. it is generated using algorithms designed so that no two different texts will produce the same hash value. the hash is smaller than the text. it can be used to guarantee that a message has not been modified: the sender generates a hash of the message and sends it along with the message to the receiver. the receiver receives the message, generates a hash value from the message again, and compares the result with the hash value sent by the sender. if both hashes are the same, the message has not been changed/modified.

a keyed-hash message authentication code (HMAC) is a data integrity algorithm that guarantees the integrity of the message. an HMAC has two parameters: a message input and a secret key known only to the sender and the receiver of the message. two common HMAC algorithms are:
  • Message Digest 5 (MD5), uses a 128-bit shared key. the 128-bit key is combined with the message and produces a 128-bit hash. the hash is appended to the message and sent to the destination.
  • Secure Hash Algorithm 1 (SHA-1), uses a 160-bit shared key. the 160-bit key is combined with the message and produces a 160-bit hash. the hash is appended to the message and sent to the destination.
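the plain-hash check from the hash section and the keyed HMAC check from this section, side by side, as an added example that is not part of the original notes. it shows why a VPN uses the keyed form: a message replaced on the shared network can carry a freshly computed plain hash, but not a valid HMAC, because the HMAC needs the secret key. the key and messages are constructed for the demo.

```python
import hashlib
import hmac

# Constructed secret known only to the two VPN peers (assumption, not from the notes).
SHARED_KEY = b"constructed-demo-key"
TAG_LEN = hashlib.sha1().digest_size  # 160 bits, as in the SHA-1 entry above

def seal_with_hash(message: bytes) -> bytes:
    """Plain hash scheme from the hash section: SHA-1 of the message alone, appended."""
    return message + hashlib.sha1(message).digest()

def check_with_hash(packet: bytes) -> bool:
    """Receiver recomputes SHA-1 over the message and compares it with the appended tag."""
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return hmac.compare_digest(hashlib.sha1(message).digest(), tag)

def seal_with_hmac(message: bytes, key: bytes) -> bytes:
    """HMAC-SHA1: the shared key is combined with the message to form the 160-bit tag."""
    return message + hmac.new(key, message, hashlib.sha1).digest()

def check_with_hmac(packet: bytes, key: bytes) -> bool:
    """Receiver recomputes HMAC-SHA1 with its copy of the key; constant-time compare."""
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return hmac.compare_digest(hmac.new(key, message, hashlib.sha1).digest(), tag)

def replaced_in_transit(new_message: bytes) -> bytes:
    """Models a party on the shared network that swaps in its own message; without the
    secret, the best it can do is append a plain hash over the new content."""
    return seal_with_hash(new_message)

def demo() -> dict:
    original = b"route 10.2.2.0/24 via tunnel0"  # constructed control message
    forged = b"route 10.2.2.0/24 via tunnel1"    # constructed replacement
    corrupted = bytearray(seal_with_hmac(original, SHARED_KEY))
    corrupted[0] ^= 0x01  # a single flipped bit in the message part
    return {
        "hash_accepts_genuine": check_with_hash(seal_with_hash(original)),
        "hash_accepts_replaced": check_with_hash(replaced_in_transit(forged)),
        "hmac_accepts_genuine": check_with_hmac(seal_with_hmac(original, SHARED_KEY), SHARED_KEY),
        "hmac_accepts_replaced": check_with_hmac(replaced_in_transit(forged), SHARED_KEY),
        "hmac_accepts_corrupted": check_with_hmac(bytes(corrupted), SHARED_KEY),
        "hmac_accepts_wrong_key": check_with_hmac(seal_with_hmac(original, b"other"), SHARED_KEY),
    }
```

hmac.compare_digest is used for both checks so that the comparison time does not depend on where the tags first differ.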

both ends of a VPN connection must be authenticated so that a secure connection and communication can be established. two peer authentication methods in VPNs are:
  • Pre-Shared Key (PSK), a secret key shared between the two parties. a PSK is entered manually at each party and is used to authenticate the peer. it uses a symmetric key cryptosystem. the shared key is combined with other information to form the authentication key.
  • RSA signature, the peers exchange digital certificates to authenticate each other. the local device (local end) derives a hash and encrypts it with its private key. the encrypted hash (the digital signature) is sent along with the message. the remote end decrypts the hash using the public key of the local end. if the decrypted hash matches the recomputed hash, the signature is genuine.
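the sign-with-private-key / verify-with-public-key flow just described, as an added example that is not part of the original notes. it uses textbook (unpadded) RSA over a SHA-1 hash with toy keys built from fixed Mersenne primes, which are assumptions for the demo; a real peer's key comes from its certificate, is 1024 bits or more, and is used with a padding scheme.

```python
import hashlib
from math import gcd

def make_keypair(p: int, q: int, e: int = 65537) -> tuple:
    """Toy RSA key pair as ((n, e), (n, d)). n must exceed 2**160 so that a SHA-1
    digest fits in a single RSA block of this unpadded textbook scheme."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1 or p * q < 2**160:
        raise ValueError("unsuitable toy primes")
    return (p * q, e), (p * q, pow(e, -1, phi))  # modular inverse: Python 3.8+

# Constructed keys from Mersenne primes (illustration only, not real gateway keys).
LOCAL_PUB, LOCAL_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
OTHER_PUB, OTHER_PRIV = make_keypair(2**107 - 1, 2**61 - 1)

def digest(message: bytes) -> int:
    """The hash both ends derive from the message, as an integer."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")

def sign(message: bytes, private_key: tuple) -> int:
    """Local end: derive the hash and 'encrypt' it with the private key."""
    n, d = private_key
    return pow(digest(message), d, n)

def verify(message: bytes, signature: int, public_key: tuple) -> bool:
    """Remote end: 'decrypt' the signature with the sender's public key (taken from
    its certificate) and compare with the hash recomputed over the received message."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)

def demo() -> dict:
    message = b"peer authentication message from gateway A"  # constructed
    sig = sign(message, LOCAL_PRIV)
    return {
        "genuine": verify(message, sig, LOCAL_PUB),
        "message_altered": verify(message + b"!", sig, LOCAL_PUB),
        "signed_by_other_peer": verify(message, sign(message, OTHER_PRIV), LOCAL_PUB),
    }
```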

the Internet is a public network and it reaches almost everywhere in the world. the fact that the internet is a worldwide network makes it an option for organizations and corporations to connect their teleworkers with the organization's private network. but the fact that it is a public network exposes it to security risks. with VPN technology, organizations can create a private network over the internet and safely transfer their private data over the internet from branches and remote teleworkers. instead of using a dedicated layer 2 connection, such as a leased line, a VPN uses virtual connections that are routed over the internet.

the benefits of using VPN are:
  • cost saving. a leased line is expensive to establish between sites; a VPN uses the public Internet, which is cheaper.
  • security. a VPN encrypts and authenticates its data, protecting the data from unauthorized access.
  • scalability. anyone, anywhere within an ISP's service area can connect to the VPN. organizations, big or small, can add new users without adding significant infrastructure.

Types of VPN:
  • site-to-site VPN. a site-to-site VPN is used to connect company intranets, or a company intranet with a business partner's extranet. for example, it can connect a branch with the headquarters office. a site-to-site VPN uses a VPN gateway at each site to send and receive TCP/IP traffic. the VPN gateway in a site-to-site VPN could be a router, a PIX firewall appliance or an Adaptive Security Appliance (ASA). the VPN gateway is responsible for encrypting outgoing traffic and decrypting incoming traffic.
  • remote access VPN. remote access VPNs are used to connect mobile users and teleworkers, as well as consumer-to-business extranets. since most teleworkers have access to the internet, they can establish a remote VPN connection to the company. each host typically runs VPN client software, which encrypts outgoing traffic and decrypts incoming traffic. at the company site, a VPN gateway, which could be a PIX firewall, a router, an ASA or a VPN concentrator, performs the encryption and decryption.

a VPN creates a virtually private network which must maintain confidentiality and security. it must protect data against sniffing, and provide sender authentication and message integrity.
typically a VPN would require the following components:
  • a network with servers and workstations.
  • access to the internet.
  • VPN gateway capable devices, such as routers, firewalls, VPN concentrators and ASAs, at the endpoints that establish and manage VPN connections.
  • appropriate software to create and manage VPN tunnels.

most VPNs do both of the following:
  • Encapsulation. also called tunneling, this enables data to be transferred between private networks over a shared public network.
  • Encryption. encodes data into another format using a secret key. decryption decodes the encrypted data back to its original format.

Keypoints of security in VPNs are:
  • data confidentiality. guarantees that data are not stolen as they travel across a shared network. VPNs achieve this using encapsulation and encryption.
  • data integrity. guarantees that the data received by the receiver are the same as the data sent by the sender. this means that data are not modified. VPNs usually use hashes to ensure data integrity. a hash is like a seal that guarantees that no one has read the content of the message.
  • authentication. this guarantees that only authorized users may participate in the private network. unauthorized users must not be given access to the private network. VPNs achieve this by using passwords, digital certificates or other authentication mechanisms.

IPsec is a protocol suite for securing communications in IP networks. there are two frameworks for IPsec:
  • Authentication Header (AH), provides authentication and integrity. use this when confidentiality (encryption) is not needed or not permitted. this makes AH weaker, which is why AH is often used along with ESP.
  • Encapsulating Security Payload (ESP), provides authentication, integrity and confidentiality (encryption). although encryption and authentication are each optional, at a minimum one of them must be selected.

we can choose and implement standards for encryption, authentication and key exchange. the IPsec framework choices are:

  IPsec Protocol  - ESP, AH, ESP + AH
  Encryption      - DES, 3DES, AES
  Authentication  - MD5, SHA
  DH              - DH1, DH2, DH5

Diffie-Hellman (DH) allows two parties to establish a shared secret key, which is then used by the encryption and hash algorithms.