1 00:00:00,450 --> 00:00:04,320 In this section, we're going to look at virtual private networks or VPNs. 2 00:00:04,830 --> 00:00:12,480 VPN solutions provide for secure access across an insecure medium, such as the Internet, allowing for 3 00:00:12,480 --> 00:00:20,400 the connection of branch offices, home offices, business partners and remote telecommuters to all 4 00:00:20,610 --> 00:00:22,860 or some part of a corporate network. 5 00:00:23,940 --> 00:00:30,660 VPNs have become very popular because of low-cost, high-bandwidth Internet connectivity, which allows 6 00:00:30,660 --> 00:00:34,500 for secure encrypted connections back to central sites. 7 00:00:34,680 --> 00:00:41,340 Previously, remote offices had to connect to the central office or head office through expensive leased 8 00:00:41,340 --> 00:00:43,860 lines or dial-up phone lines. 9 00:00:44,970 --> 00:00:51,180 VPNs have helped reduce network costs by allowing for secure connections through broadband technologies 10 00:00:51,180 --> 00:00:53,160 such as DSL and cable. 11 00:00:54,100 --> 00:00:57,610 These days, VPNs can transport mission-critical data, 12 00:00:57,730 --> 00:01:03,970 voice over IP and client-server applications without compromising quality or security. 13 00:01:05,200 --> 00:01:09,190 In this section, we can look at an overview of VPNs at a level. 14 00:01:09,190 --> 00:01:11,980 They just expect you to have an appreciation of VPNs. 15 00:01:12,490 --> 00:01:17,290 But in my experience, I find people get really confused if you just gloss over some of the terms and 16 00:01:17,290 --> 00:01:23,200 technologies and VPN components, and thus I'm going to delve into it in a little bit more detail. 17 00:01:23,800 --> 00:01:29,650 We're going to explain what IPsec is, what encryption is, what authentication is, and what integrity 18 00:01:29,650 --> 00:01:30,100 is, 19 00:01:30,430 --> 00:01:33,250 all vital components in a VPN. 20 00:01:34,630 --> 00:01:36,400 So again, what is a VPN? 
21 00:01:36,850 --> 00:01:43,090 A VPN is an encrypted connection between private networks over a public network such as the Internet. 22 00:01:43,450 --> 00:01:50,980 So it's a virtual private network which allows for the sending of traffic securely across an insecure 23 00:01:50,980 --> 00:01:51,760 medium. 24 00:01:52,150 --> 00:01:59,470 Thus, you can send private data and private information across the Internet without the worry of someone 25 00:01:59,470 --> 00:02:02,290 intercepting and reading your information. 26 00:02:02,920 --> 00:02:09,190 To keep the data private, the traffic is encrypted so that confidentiality is maintained. 27 00:02:09,699 --> 00:02:16,870 Instead of using a dedicated connection between two sites, such as a leased line, we are using a public 28 00:02:16,870 --> 00:02:23,950 infrastructure such as the Internet, to send data securely from one private network, let's say a home 29 00:02:23,950 --> 00:02:31,210 network where a user's telecommuting to a central office or head office, where the user's accessing, 30 00:02:31,210 --> 00:02:33,400 for instance, an Oracle database. 31 00:02:33,730 --> 00:02:40,300 So secure data is sent between these two private sites across the public Internet. 32 00:02:41,250 --> 00:02:42,360 Now a bit of history. 33 00:02:42,630 --> 00:02:44,730 Why the requirement for VPNs? 34 00:02:45,180 --> 00:02:50,370 Well, IP version four was created in the 1970s, and in those days, network security wasn't a big 35 00:02:50,370 --> 00:02:51,000 issue. 36 00:02:51,510 --> 00:02:57,540 It's important to realize that IP transmits a lot of data as clear text, which is often referred to 37 00:02:57,540 --> 00:02:58,980 as transmitting in the clear. 38 00:02:59,790 --> 00:03:03,900 That is, just transported in raw form with no encryption. 39 00:03:04,440 --> 00:03:07,890 Lots of private information, including usernames and passwords. 
40 00:03:07,890 --> 00:03:15,510 So authentication information and other private data is transmitted in clear text and if captured, 41 00:03:15,690 --> 00:03:19,200 can easily be read by hackers and other individuals. 42 00:03:20,830 --> 00:03:28,270 Here's a simple example of a sniffer capture of a user logging into an FTP server and you can clearly see 43 00:03:28,270 --> 00:03:35,530 that the username is anonymous, available in clear text, and the password of Cisco is also shown in clear 44 00:03:35,530 --> 00:03:36,190 text. 45 00:03:36,580 --> 00:03:43,090 So when you connect, for instance, to a web server, if that web server is not using encrypted HTTP, 46 00:03:43,450 --> 00:03:49,750 your username and password, for instance, will be sent in clear text, which is easy to capture and 47 00:03:49,750 --> 00:03:50,350 read. 48 00:03:50,920 --> 00:03:55,060 All information transmitted in an email, for example, is sent in clear text. 49 00:03:56,050 --> 00:03:58,330 So you have some examples of clear text protocols. 50 00:03:58,690 --> 00:04:04,630 For instance, FTP, all the data as well as the authentication information is sent in clear text. If 51 00:04:04,630 --> 00:04:06,880 you are telnetting to a router or a switch, 52 00:04:07,270 --> 00:04:09,880 all your authentication information is in clear text. 53 00:04:10,210 --> 00:04:15,190 So usernames and passwords can easily be captured as well as any commands that you type on the router 54 00:04:15,370 --> 00:04:16,180 or switch. 55 00:04:16,269 --> 00:04:21,190 So as an example, if you type show run, the entire running configuration could be captured. 56 00:04:22,180 --> 00:04:26,440 There are some really powerful hacking tools available on the Internet. 57 00:04:27,630 --> 00:04:31,770 Please note I don't recommend you using them, but just be aware that they exist. 
58 00:04:32,010 --> 00:04:38,310 An example would be Cain and Abel, which is extremely powerful and can capture usernames and passwords 59 00:04:38,310 --> 00:04:41,730 from multiple protocols, including those listed here. 60 00:04:42,590 --> 00:04:46,490 Just do a search for Cain and Abel in Google. 61 00:04:47,530 --> 00:04:49,120 And you can see this website. 62 00:04:49,480 --> 00:04:49,900 Okay. 63 00:04:50,350 --> 00:04:51,130 It. 64 00:04:51,920 --> 00:04:53,810 Provides Cain and Abel for free. 65 00:04:55,330 --> 00:05:00,010 And has really powerful features for capturing and recovering passwords. 66 00:05:01,280 --> 00:05:03,500 You use this program at your own risk. 67 00:05:03,830 --> 00:05:07,910 And again, I don't recommend that you use it, but be aware that it exists. 68 00:05:08,600 --> 00:05:13,700 SMTP sends the contents of mail messages in clear text, so does POP3. 69 00:05:14,030 --> 00:05:17,630 So does HTTP, so does SNMP version one. 70 00:05:17,840 --> 00:05:24,410 So be aware a lot of the protocols that we use in everyday environments send information in clear text 71 00:05:24,680 --> 00:05:29,120 which could be captured and read by undesirables. 72 00:05:30,110 --> 00:05:35,210 Cryptography, like so many other things in life, has its own terminology. 73 00:05:35,480 --> 00:05:39,890 Some of the terms that you need to understand firstly, what an algorithm is. 74 00:05:40,190 --> 00:05:47,360 An algorithm is detailed steps for performing a function, and a cipher is an example of an encryption 75 00:05:47,360 --> 00:05:48,140 algorithm. 76 00:05:48,680 --> 00:05:56,180 We look at a lot of the algorithms in the next few slides, but as an example, DES, triple DES 77 00:05:56,600 --> 00:06:04,580 and AES are encryption algorithms used for taking clear text data and putting it into non-readable 78 00:06:04,580 --> 00:06:06,770 form or ciphertext. 79 00:06:06,950 --> 00:06:08,660 In other words, encrypted data. 
80 00:06:08,960 --> 00:06:12,410 There are two main types of encryption algorithms that we're going to look at in this course. 81 00:06:12,710 --> 00:06:14,990 The first one is a symmetric algorithm. 82 00:06:15,230 --> 00:06:22,310 A symmetric algorithm is where the same key is used for encryption and decryption and secret key algorithms 83 00:06:22,670 --> 00:06:23,990 like DES, triple DES 84 00:06:23,990 --> 00:06:27,200 and AES are symmetric encryption algorithms. 85 00:06:27,530 --> 00:06:33,800 An asymmetric algorithm is an algorithm in which different keys are used for encryption and decryption. 86 00:06:34,340 --> 00:06:41,000 Public key algorithms such as RSA are asymmetric encryption algorithms. We're going to look at those in 87 00:06:41,000 --> 00:06:42,140 more detail in a moment. 88 00:06:42,140 --> 00:06:48,440 But just be aware that with a symmetric algorithm, the same key is used to encrypt and decrypt. 89 00:06:48,680 --> 00:06:54,380 With an asymmetric algorithm, a different key is used to encrypt versus decrypt. 90 00:06:55,480 --> 00:06:56,680 So what is the key? 91 00:06:56,980 --> 00:07:02,710 The key is a bit of information that is required to decrypt the message, usually in the form of a value 92 00:07:02,710 --> 00:07:06,070 that is used with a cipher to encrypt the message. 93 00:07:06,490 --> 00:07:11,380 It's important that the key remains secret in order for the message to remain private. 94 00:07:11,710 --> 00:07:14,170 Think of a key as a password. 95 00:07:14,620 --> 00:07:20,500 A key or password is used with an encryption algorithm, and together they make the data secret. 96 00:07:21,870 --> 00:07:27,390 Think of it as follows: the algorithm is well known and can be read about in books. 97 00:07:27,600 --> 00:07:29,370 You can look on Wikipedia. 98 00:07:29,910 --> 00:07:35,280 There's lots of documentation explaining various algorithms like AES, triple DES and DES. 
99 00:07:36,210 --> 00:07:38,340 However, the key is a secret value. 100 00:07:38,550 --> 00:07:42,150 A key used with an algorithm makes the data unique. 101 00:07:42,970 --> 00:07:44,650 What are we trying to accomplish? 102 00:07:45,190 --> 00:07:49,780 There are four things that you typically want to accomplish in a VPN. 103 00:07:50,140 --> 00:07:55,570 The first one, and the one most people think about, is data confidentiality or encryption, where no 104 00:07:55,570 --> 00:08:01,390 one else should be able to read the information by manipulating the data that is sent across the public 105 00:08:01,390 --> 00:08:02,290 infrastructure. 106 00:08:02,410 --> 00:08:07,300 In other words, if a hacker captures your information on the Internet, that hacker should not be able 107 00:08:07,300 --> 00:08:10,150 to decrypt or read the information. 108 00:08:10,450 --> 00:08:16,510 Data confidentiality is provided by using encryption algorithms with associated keys. 109 00:08:17,410 --> 00:08:23,530 The second goal is data integrity, and here we want to know that the data has traversed unchanged between 110 00:08:23,530 --> 00:08:24,610 the two parties. 111 00:08:24,970 --> 00:08:31,930 For instance, if A sends something to party B, party B wants to know that that data has not been manipulated 112 00:08:31,930 --> 00:08:33,520 or changed in transit. 113 00:08:33,880 --> 00:08:39,700 That data has arrived without changes as it was sent by Party A. 114 00:08:40,299 --> 00:08:42,940 The third goal is data origin authentication. 115 00:08:43,299 --> 00:08:50,230 The receiver of the data needs to be able to verify that the data that it received could only have originated 116 00:08:50,230 --> 00:08:51,220 from the sender. 117 00:08:51,400 --> 00:08:56,680 In other words, the so-called sender is the actual sender that we believe them to be. 
118 00:08:57,070 --> 00:09:02,680 The receiver wants to be able to authenticate the source of the packet that arrived, guaranteeing and 119 00:09:02,680 --> 00:09:06,610 certifying who the source of the information actually is. 120 00:09:07,870 --> 00:09:10,600 And then the fourth goal is anti-replay protection. 121 00:09:11,110 --> 00:09:14,920 We want to verify that each packet is unique and is not duplicated. 122 00:09:15,940 --> 00:09:22,240 So here's a very basic example of confidentiality or encryption and is one of the earliest forms of 123 00:09:22,240 --> 00:09:23,590 encryption used by Caesar 124 00:09:23,620 --> 00:09:31,510 years and years ago. If a hacker captured the following text, inject, what does it mean? 125 00:09:31,630 --> 00:09:34,030 Well, two things have been done to this text. 126 00:09:34,060 --> 00:09:39,790 The first is that an algorithm has been applied to clear text with a key. 127 00:09:40,450 --> 00:09:46,660 So in this example, the algorithm used is a so-called Caesar's algorithm, where data has been moved 128 00:09:46,660 --> 00:09:51,520 to the right-hand side and the key space or key used is five. 129 00:09:52,430 --> 00:09:59,090 Now, if you reverse that process, in other words, move the letters by five to the left-hand side, 130 00:09:59,390 --> 00:10:01,880 this can be decrypted as hello. 131 00:10:02,300 --> 00:10:03,740 Just take an alphabet. 132 00:10:03,980 --> 00:10:10,520 Look at M, for example, move by five letters and you'll get an H, and so forth and so on. 133 00:10:10,940 --> 00:10:17,450 So if a hacker captured the encrypted text, he or she would have to know firstly which algorithm was 134 00:10:17,450 --> 00:10:21,050 used and secondly, what the key is. 135 00:10:21,380 --> 00:10:26,180 Once you know those two pieces of information, it's just a matter of reversing the algorithm. 136 00:10:26,570 --> 00:10:31,430 So there's a very simple example of data confidentiality or encryption. 
137 00:10:32,720 --> 00:10:35,390 This is the process involved with encryption. 138 00:10:35,540 --> 00:10:39,260 We firstly take some secret data which is in clear text. 139 00:10:39,890 --> 00:10:47,090 This might be an order or a confidential email or some data that is in clear text, but we want to keep 140 00:10:47,090 --> 00:10:48,500 it confidential. 141 00:10:48,830 --> 00:10:57,590 We then take a key in combination with an algorithm, let's say AES or Advanced Encryption Standard. 142 00:10:57,890 --> 00:11:03,470 I'll explain more about the algorithms in a moment, but for now, just understand that you take the 143 00:11:03,470 --> 00:11:05,750 original data, which is in clear text. 144 00:11:06,410 --> 00:11:07,580 You take a key. 145 00:11:07,850 --> 00:11:09,740 You take the encryption algorithm. 146 00:11:10,430 --> 00:11:17,720 The clear text, when sent through the encryption algorithm with a specific key, results in ciphertext 147 00:11:17,720 --> 00:11:19,040 or encrypted data. 148 00:11:19,460 --> 00:11:27,170 That encrypted data can then be sent across a public infrastructure such as the Internet and a non-desirable, 149 00:11:27,170 --> 00:11:32,240 like a hacker, will not be able to read the information because it's encrypted. 150 00:11:32,630 --> 00:11:38,300 The receiving party will receive the encrypted data and will reverse the process. 151 00:11:38,300 --> 00:11:45,170 So in other words, by applying the same algorithm and the same key, but in the reverse direction, 152 00:11:45,440 --> 00:11:52,880 the encrypted data is reversed back to the original clear text data and the receiving party can read 153 00:11:52,880 --> 00:11:53,840 the information. 154 00:11:54,110 --> 00:12:00,410 So it's a simple process where you take clear text data, you apply an encryption algorithm with a key 155 00:12:00,410 --> 00:12:03,050 to it which results in ciphertext. 
156 00:12:03,530 --> 00:12:07,400 The sender then transmits that across an insecure medium, such as the Internet. 157 00:12:07,670 --> 00:12:11,660 The receiver reverses the process by applying the same key, 158 00:12:11,900 --> 00:12:20,300 if it's a symmetric algorithm, and the algorithm, but reverses the process, which results in the original 159 00:12:20,300 --> 00:12:21,410 clear text data. 160 00:12:22,130 --> 00:12:28,970 Now an algorithm's key space or key length is a set of all possible values for that algorithm. 161 00:12:29,570 --> 00:12:34,910 I find this confuses a lot of people, so I'm going to explain it by using an IP address. 162 00:12:34,910 --> 00:12:39,800 An n-bit key produces a two to the n key space size. 163 00:12:40,010 --> 00:12:46,160 So by looking at a class A address as an example, an IP version four address is 32 bits in size, the 164 00:12:46,160 --> 00:12:50,360 network portion is eight bits and the host portion is 24 bits. 165 00:12:50,540 --> 00:12:58,490 So two to the power of 24 gives you over 16 and a half billion options or host addresses in theory. 166 00:12:58,970 --> 00:13:06,650 So think about it as follows: a 24-bit key space results in over 16 and a half billion combinations. 167 00:13:06,980 --> 00:13:07,910 So keep that in mind. 168 00:13:07,910 --> 00:13:13,880 When we look at the key spaces available in the various algorithms, the greater the key space, the 169 00:13:13,880 --> 00:13:20,240 harder it's going to be to crack the encryption algorithm because there are more combinations available.