As mentioned, there are some major advantages to using digital signatures rather than pre-shared keys. There is, however, one major stumbling block when Peter sends his public key to Sarah. Joe Hacker could intercept that public key, replace it with his own public key and send that on to Sarah pretending to be Peter. That means that Sarah believes that traffic coming from Joe Hacker is actually Peter. In this case, she needs a mechanism to prove that Peter is who he says he is and that he hasn't been replaced with someone else.

And that allows us to introduce the concept of a certificate of authority. Now, in brief, the easiest way to understand this is to think of the certificate of authority as a trusted third party. When you connect to a website like Amazon.com, you trust that website because of a trusted third party like VeriSign or Thawte.

Essentially a certificate of authority is introducing Peter to Sarah and allowing them to receive each other's public keys, knowing that that public key actually belongs to that person. What happens, in brief, is Peter will send his public key to the certificate of authority, and the certificate of authority will issue Peter with a certificate stating that the public key contained in the certificate is actually Peter's public key.
The certificate of authority does that by taking some of Peter's information and his public key, hashing that data, and then signing it with the certificate of authority's private key, putting that into a certificate and issuing that certificate to Peter. The certificate of authority will do the same with Sarah: taking Sarah's data, taking her public key, hashing that information, and signing it with the certificate of authority's private key.

This whole infrastructure, known as the public key infrastructure or PKI, relies on businesses trusting the certificates issued by the certificate of authority.

Before setting up a VPN, Peter and Sarah will exchange certificates. So Peter will send his certificate to Sarah. Sarah trusts the information contained in the certificate from Peter because the certificate has been signed by a trusted third party, let's say in this case VeriSign, and she trusts VeriSign. So because Sarah trusts VeriSign and VeriSign trusts Peter, Sarah now trusts Peter. By the same token, Sarah sends her certificate to Peter. Peter trusts Sarah because he trusts VeriSign, and VeriSign trusts Sarah. VeriSign, or whichever certificate of authority you use, is the trusted third party allowing for the secure exchange of public keys.
Now what is IPsec? IPsec, or IP Security, is a network layer protocol. In actual fact, it's a suite of protocols that protects and authenticates IP packets. It's a framework of open standards that is algorithm independent and thus can use multiple algorithms.

There are three main IPsec protocols. The first one is Internet Key Exchange, or IKE, which provides a framework for negotiating security parameters and establishing authenticated keys. A lot of the information I've just covered about pre-shared keys and digital signatures relies on IKE. We also have Authentication Header, or AH, which does not provide encryption but provides authentication and integrity. And then thirdly, we have what's called Encapsulating Security Payload, or ESP, which provides for encryption, authentication and integrity.

There are two modes that can be used in IPsec VPNs. The first one is transport mode, where the original IP header of the packet being encrypted is used to transport the packet. And the second one is tunnel mode, where the original IP header of the packet being encrypted is not used to transport the packet. A new IP header is tagged on the front, so you have double IP addresses. The new header is used for routing the packets, with the IP addresses of the IPsec devices involved in the VPN, not the originating host and destination host.
So here is an example of a site to site VPN, and we're going to use ESP with tunnel mode, which is very common. Please note we have a MacBook with an IP address of 10.1.1.1 and a server with an IP address of 10.1.2.1. But we also have two routers: router one with IP address 1.1.1.1 and router two with IP address 1.1.1.2. And the IPsec VPN is going to be set up between router one and router two.

So if we look at the IP headers, when the MacBook sends traffic to the server, the source address will be 10.1.1.1 and the destination address will be 10.1.2.1 on the local LAN. That traffic will then be routed to router one. When that traffic is sent through the IPsec tunnel, notice all the information, so the data and the original IP headers, in other words source address 10.1.1.1 and destination 10.1.2.1, are encrypted and not readable on the Internet. An ESP header is tagged onto the front, as well as a new source IP address and destination IP address. So if Joe Hacker was sniffing packets on the Internet, he would see traffic from router one going to router two. He would not see who was actually involved in the conversation.

When router two receives those encrypted packets.
Router two will strip off the outside headers, decrypt the packets as per what we've discussed previously, and then send the original packets on towards the server. So the source IP address will be 10.1.1.1 and the destination will be 10.1.2.1 if sniffed on this local LAN. So this once again is an example of a site to site IPsec VPN using ESP in tunnel mode. ESP, if you remember, provides encryption, so confidentiality, data integrity and authentication. Notice also that we're using tunnel mode because we have inserted new IP headers.

Now when using IPsec, you have various options to choose from. The first thing to choose is which IPsec protocol are you going to use? Are you going to use ESP, or are you going to use AH, or are you going to use them together? Now firstly, ESP provides encryption but AH doesn't. So if you need confidentiality, don't use AH, or Authentication Header, by itself. Use ESP. However, ESP combined with AH provides for stronger authentication and encryption, and therefore, for example, in banking environments they may choose to use both ESP and AH together. The next thing to choose, which I haven't got on the slide, is which mode are you going to use? Are you going to use tunnel mode or are you going to use transport mode?
Please remember, if the devices setting up the VPN are not the actual devices communicating, you need to use tunnel mode. So in this example, because the routers are not the source and destination of the actual traffic, they are configured in tunnel mode.

You need to choose an encryption algorithm. So are you going to use DES or 3DES, or, as is recommended today, AES? What authentication and integrity are you going to use? Is it MD5 or SHA? Also, are you going to use pre-shared keys, or are you going to use digital signatures and therefore digital certificates? Digital certificates are harder to implement but are more scalable. So for a very small VPN, you might use pre-shared keys for authentication, but in a large environment you may decide to use digital certificates. Which version of Diffie-Hellman are you going to use? Diffie-Hellman group 1, Diffie-Hellman group 2 or Diffie-Hellman group 5?

Now, I'm hoping at this point that you have a good understanding of the various protocols. And that's why I spend a lot of time discussing the various protocols, because if we don't cover the groundwork, the slide will mean nothing.

So what types of VPNs can you expect to encounter?
The first type is site to site, where you, for instance, have a remote office or home office with a local router connecting back to the head office, which may be using a router or an ASA or another type of device. The IPsec VPN tunnel is set up directly between router one and router two. The advantage of this is firstly that the devices like the MacBook and server do not need to run any encryption software. From their point of view, it's as if there is a leased line or direct connection between the two LANs. Another advantage of using IPsec is that, because it runs at the network layer of the OSI model, it can encrypt all higher layer protocols. So rather than just being able to encrypt, for instance, HTTP, it can encrypt Oracle traffic, SQL traffic, HTTP traffic, FTP traffic and so forth and so on.

The second type of VPN you'll probably encounter is a remote access IPsec VPN. In this case, a remote client like a Windows laptop has installed the Cisco VPN client, and a VPN is being configured and set up between the laptop and the HQ router directly. The advantage of this method is that the user could be roaming. So in other words, the user could be in a hotel and can connect securely across a public wireless network in the hotel to the head office. The user could also be in an Internet cafe or a Starbucks or somewhere, connecting to a wireless network.
But because they're running the VPN client software, their traffic is encrypted and authenticated and so forth, directly from the laptop to the central site router. As an example of the Cisco VPN client software running on my laptop, all I would need to do to connect back to the office, for instance, would be to double click on the VPN entry, put in my authentication information like my username and password, and I'll be able to connect back to the corporate environment. The disadvantage of this method is that you have to install the Cisco VPN client. So it's not clientless; you have to install a piece of software.

The next type of remote access VPN is an SSL, or Secure Sockets Layer, VPN. These days, there are two variants of this. You firstly have the clientless SSL tunnel, where you could be in an Internet cafe or somewhere and you can connect securely to the HQ router without installing any software on your PC or client. There were some restrictions originally with which applications and protocols could be used. These days, Cisco have something called the AnyConnect client, which allows you to connect via SSL but download a Java applet that allows more applications to be used through the SSL tunnel. No software has to be installed locally; the AnyConnect client can automatically be downloaded and installed when connecting to the central site.
So for this course, just be aware the advantage of an SSL VPN is that you do not need to install any software.

Now which devices support VPNs? Cisco routers do. Cisco firewalls like the Cisco ASA do. There are various clients that can be used. The first one is the Certicom client, which can be used on wireless PDAs and other devices. We have a legacy device called the VPN 3002 hardware client, which was a physical device that would be installed at a remote site and would allow for easy VPN connections back to a central site. And then, as I've shown you, you have the Cisco VPN software client. These days, you also have the AnyConnect client that can be downloaded automatically when connecting via an SSL VPN.

So to sum up, what are the benefits of using VPNs? A major driver for VPNs is cost savings, because VPNs are compatible with broadband technologies like DSL and cable. Rather than having to install expensive leased lines or other private networks, a virtual private network can be established across a public infrastructure like the Internet. VPNs provide security in that they provide encryption, authentication, data integrity, non-repudiation, anti-replay protection and so forth. And VPNs are very scalable.
VPNs can scale to many, many countries, and I've been involved in VPNs that spanned 50 countries. Now, at this level you're not expected to know how to configure and set up IPsec VPNs, but I'm going to demonstrate the setup of an IPsec VPN by using the VPN config generator, which you may have got depending on which package you purchased.

So let's look at setting up a site to site VPN between router one and router two, with networks 10.1.1.0 and 10.1.2.0 as private networks that need to be encrypted. So I'll launch the site to site VPN wizard. In our example, both sides of the IPsec tunnel are routers, so we'll click next. In this case, we are requiring IPsec encryption, so we're going to go for an encrypted tunnel. We're not running dynamic routing protocols or multicasting, etc., so I'll click next there. In our example, let's just assume that we're using static IP addresses on both sides and not dynamic IP addresses. So we'll click next.

So this is sort of what our diagram looks like. We're going to encrypt traffic from 10.1.1.0 going to 10.1.2.0, and our two routers' IP addresses are 1.1.1.1 and 1.1.1.2. And when setting up IPsec, you've got to specify your IKE or ISAKMP options. So for example.
Let's be really secure and go for AES 256. In this example, we're only going to use a pre-shared key, so I'm just going to leave that at cisco123. And then I'm going to click on the generate button, and this is what that configuration would look like.

You have to create an access list specifying which networks are going to be encrypted. This is known as an interesting traffic access list. So traffic from 10.1.1.0 going to 10.1.2.0 would be encrypted, because we're looking at router one's side of the configuration. Now notice here we are using MD5 hashing; we could change that to use SHA. We're using AES 256 encryption. We're using Diffie-Hellman group 2. We're using pre-shared authentication. Notice, when talking to router two, we're using a password of cisco123. From an IPsec point of view, we're using ESP-AES, so Encapsulating Security Payload using AES, with MD5, and we are using tunnel mode. We are specifying who our peer is for IPsec. We are binding the access list so the router knows which networks should be encrypted, and so forth. I hope that gives you an idea of how to configure an IPsec VPN.
Once again, for this course, it's not expected that you know this configuration, but I've just put it in for completeness. On router two, we would just have a mirror image of that configuration. So notice the same password, but going to IP address 1.1.1.1.

So what have we covered? We looked at an overview of VPNs. I explained various VPN components. We discussed IPsec and discussed a lot of options, including encryption, authentication and integrity. Please remember, at this course level you're not expected to know commands, but you are expected to have an appreciation and an understanding of the various IPsec VPN technologies. Thank you for watching.