1
00:00:08,584 --> 00:00:11,889
- So I'd like to introduce you to some concepts about VPNs

2
00:00:11,889 --> 00:00:14,442
and some terminology that you need to be familiar with

3
00:00:14,442 --> 00:00:15,407
for the CCNA Exam

4
00:00:15,407 --> 00:00:17,809
and just moving forward into your life

5
00:00:17,809 --> 00:00:20,361
as a network admin or network engineer.

6
00:00:20,361 --> 00:00:22,258
You're gonna hear these terms VPNs

7
00:00:22,258 --> 00:00:24,385
and some of these other terms quite a lot.

8
00:00:24,385 --> 00:00:26,726
So it helps to know what we're dealing with.

9
00:00:26,726 --> 00:00:28,143
So what is a VPN?

10
00:00:29,992 --> 00:00:34,723
So the acronym, VPN stands for Virtual Private Network

11
00:00:34,723 --> 00:00:37,651
and it's really a compilation of two separate

12
00:00:37,651 --> 00:00:38,778
overall themes,

13
00:00:38,778 --> 00:00:42,382
a private network and a virtualized network.

14
00:00:42,382 --> 00:00:43,443
What does that mean?

15
00:00:43,443 --> 00:00:44,743
Well, let's take a look at

16
00:00:44,743 --> 00:00:47,491
this whiteboard drawing here for a moment.

17
00:00:47,491 --> 00:00:50,926
Imagine that you are the network administrator in charge

18
00:00:50,926 --> 00:00:54,618
of company A and you have two sites.

19
00:00:54,618 --> 00:00:56,656
Maybe they're across the country from each other.

20
00:00:56,656 --> 00:00:58,489
Site one and site two.

21
00:00:59,701 --> 00:01:01,901
So as the network administrator of company A

22
00:01:01,901 --> 00:01:05,017
first of all, you want all of this to be private.

23
00:01:05,017 --> 00:01:06,452
In other words,

24
00:01:06,452 --> 00:01:09,767
you want to make sure that when packets leave your network

25
00:01:09,767 --> 00:01:12,153
that they go along your private connections

26
00:01:12,153 --> 00:01:13,826
from one site to the other.

27
00:01:13,826 --> 00:01:16,154
They don't possibly, they couldn't possibly end up

28
00:01:16,154 --> 00:01:17,796
at your competitor's network

29
00:01:17,796 --> 00:01:20,743
or somewhere where they're not supposed to be.

30
00:01:20,743 --> 00:01:22,130
So your packets are private.

31
00:01:22,130 --> 00:01:24,136
Only seen by your network.

32
00:01:24,136 --> 00:01:26,755
Travelling across your network connections.

33
00:01:26,755 --> 00:01:28,924
Also, another thing is,

34
00:01:28,924 --> 00:01:31,502
maybe these same packets in order to make them private

35
00:01:31,502 --> 00:01:33,946
you want them to be encrypted

36
00:01:33,946 --> 00:01:36,430
so that if anybody happens to sniff them

37
00:01:36,430 --> 00:01:39,544
or catch them along the way, they can't see what's in there.

38
00:01:39,544 --> 00:01:42,264
They don't know what kind of data that packet is holding.

39
00:01:42,264 --> 00:01:44,551
So the privacy is that the packets go

40
00:01:44,551 --> 00:01:46,155
from point A to point B,

41
00:01:46,155 --> 00:01:47,538
site one to site two.

42
00:01:47,538 --> 00:01:50,041
There's no other path it could possibly take.

43
00:01:50,041 --> 00:01:51,139
You're in control.

44
00:01:51,139 --> 00:01:54,199
The routing, the routing paths will never lead you astray

45
00:01:54,199 --> 00:01:56,626
and lead your packets somewhere they shouldn't go.

46
00:01:56,626 --> 00:01:59,165
And you probably also want some sort of privacy

47
00:01:59,165 --> 00:02:02,245
on top of that as far as encrypting your data,

48
00:02:02,245 --> 00:02:05,343
making sure that the data is authenticated,

49
00:02:05,343 --> 00:02:07,273
that it's going to the right location.

50
00:02:07,273 --> 00:02:09,002
So that's the private network here.

51
00:02:09,002 --> 00:02:11,123
This is all yours, it's private.

52
00:02:11,123 --> 00:02:14,234
Now what about a virtual private network?

53
00:02:14,234 --> 00:02:16,144
Well imagine for a moment,

54
00:02:16,144 --> 00:02:18,724
that this section here in the middle

55
00:02:18,724 --> 00:02:21,549
is actually not owned by you.

56
00:02:21,549 --> 00:02:23,253
This is not your network.

57
00:02:23,253 --> 00:02:25,277
This is somebody else's network.

58
00:02:25,277 --> 00:02:28,380
And as such there are other companies,

59
00:02:28,380 --> 00:02:29,849
not your own company,

60
00:02:29,849 --> 00:02:33,892
that are connected to that exact same section of routers

61
00:02:33,892 --> 00:02:36,848
and switches and cables and everything like that

62
00:02:36,848 --> 00:02:38,772
and their packets are going through

63
00:02:38,772 --> 00:02:40,446
that exact same

64
00:02:40,446 --> 00:02:41,510
red area

65
00:02:41,510 --> 00:02:43,515
that your packets are going through.

66
00:02:43,515 --> 00:02:46,959
But from the perspective of your routers

67
00:02:46,959 --> 00:02:50,029
at site one and site two, they don't know that.

68
00:02:50,029 --> 00:02:53,400
In other words, if we take a look at this router right here,

69
00:02:53,400 --> 00:02:55,377
these routers on the edge,

70
00:02:55,377 --> 00:02:59,528
they believe that they are connected to a private network.

71
00:02:59,528 --> 00:03:01,703
Those routers have no idea

72
00:03:01,703 --> 00:03:03,125
that the network they're connected to

73
00:03:03,125 --> 00:03:05,114
is being shared with other companies.

74
00:03:05,114 --> 00:03:07,992
They don't have to take any special precautions about that.

75
00:03:07,992 --> 00:03:11,091
They trust that this network in the middle

76
00:03:11,091 --> 00:03:13,258
is providing them privacy.

77
00:03:14,467 --> 00:03:16,655
It looks like it's their network.

78
00:03:16,655 --> 00:03:18,825
It looks like it's just an end to end network

79
00:03:18,825 --> 00:03:20,362
connecting site one to site two.

80
00:03:20,362 --> 00:03:22,926
It just looks like one big long network.

81
00:03:22,926 --> 00:03:25,895
But in reality, the part in the middle is not yours.

82
00:03:25,895 --> 00:03:30,375
It's sort of, providing you this virtual end to end network

83
00:03:30,375 --> 00:03:32,496
when in reality you don't have an end to end network

84
00:03:32,496 --> 00:03:34,134
that's fully in your control.

85
00:03:34,134 --> 00:03:36,067
You are leasing or using the services

86
00:03:36,067 --> 00:03:38,299
of somebody else's network in the middle

87
00:03:38,299 --> 00:03:41,570
to give you that sort of end to end connectivity.

88
00:03:41,570 --> 00:03:44,921
So that's why we say virtual private network.

89
00:03:44,921 --> 00:03:47,105
Because even though it looks like it's all yours,

90
00:03:47,105 --> 00:03:48,224
this is just for you

91
00:03:48,224 --> 00:03:50,089
and it's private, just for you.

92
00:03:50,089 --> 00:03:52,408
In reality, the section in the middle

93
00:03:52,408 --> 00:03:54,621
could be also transporting lots and lots

94
00:03:54,621 --> 00:03:56,352
of other customers' data.

95
00:03:56,352 --> 00:03:58,252
But it looks like it's just for you.

96
00:03:58,252 --> 00:04:02,655
That's why we call it a virtual private network.

97
00:04:02,655 --> 00:04:05,292
So we're using or leasing another's network,

98
00:04:05,292 --> 00:04:08,055
typically the public internet to connect two

99
00:04:08,055 --> 00:04:11,245
or more of your sites together.

100
00:04:11,245 --> 00:04:13,639
Now, before VPNs existed

101
00:04:13,639 --> 00:04:14,875
how do we get this privacy?

102
00:04:14,875 --> 00:04:19,450
How do we connect these various spoke sites to our hub

103
00:04:19,450 --> 00:04:22,508
and maintain privacy and confidentiality?

104
00:04:22,508 --> 00:04:24,492
Well, in order to do that,

105
00:04:24,492 --> 00:04:26,775
we had to have point to point connections

106
00:04:26,775 --> 00:04:29,492
between pretty much everything.

107
00:04:29,492 --> 00:04:30,739
Each spoke would have to have

108
00:04:30,739 --> 00:04:35,496
some sort of point to point connection to the hub.

109
00:04:35,496 --> 00:04:37,682
And if you wanted the spokes to talk to each other

110
00:04:37,682 --> 00:04:39,982
they'd have to have point to point connections between them.

111
00:04:39,982 --> 00:04:41,921
You basically had to maintain a lot

112
00:04:41,921 --> 00:04:43,463
of point to point connections.

113
00:04:43,463 --> 00:04:45,999
And each one of those was a T-1

114
00:04:45,999 --> 00:04:48,001
or a frame relay circuit or something.

115
00:04:48,001 --> 00:04:49,674
That was very pricey.

116
00:04:49,674 --> 00:04:50,932
But it was all yours.

117
00:04:50,932 --> 00:04:52,532
Each one of those black lines there,

118
00:04:52,532 --> 00:04:55,681
each one of these connections represented

119
00:04:55,681 --> 00:04:56,627
your privacy.

120
00:04:56,627 --> 00:05:00,369
So what you would have here is these grey lines

121
00:05:00,369 --> 00:05:02,677
are what you're using for your internet connectivity.

122
00:05:02,677 --> 00:05:04,130
There's no privacy here.

123
00:05:04,130 --> 00:05:06,207
This is just what you went to the internet.

124
00:05:06,207 --> 00:05:09,418
But if you want privacy between your spokes and your hubs,

125
00:05:09,418 --> 00:05:11,558
that's what the black lines represented right here,

126
00:05:11,558 --> 00:05:13,601
what I'm coloring in blue right now.

127
00:05:13,601 --> 00:05:15,489
These were your point to point connections.

128
00:05:15,489 --> 00:05:18,898
So you had to have not only connections to the internet,

129
00:05:18,898 --> 00:05:20,753
that you were paying for or maintaining,

130
00:05:20,753 --> 00:05:22,635
in addition to that every single month

131
00:05:22,635 --> 00:05:24,716
you had to have these additional connections,

132
00:05:24,716 --> 00:05:27,411
these point to point connections to give you privacy

133
00:05:27,411 --> 00:05:29,526
between each of the spokes.

134
00:05:29,526 --> 00:05:32,717
Or between the spokes and the hubs.

135
00:05:32,717 --> 00:05:34,789
Another problem with this was that

136
00:05:34,789 --> 00:05:37,146
a lot of subnets were in use right here.

137
00:05:37,146 --> 00:05:38,889
For example,

138
00:05:38,889 --> 00:05:40,911
look at just spoke number one.

139
00:05:40,911 --> 00:05:44,223
There was some sort of IP subnet in use along this link,

140
00:05:44,223 --> 00:05:46,161
to give you a connection to the internet.

141
00:05:46,161 --> 00:05:48,345
There was a second IP subnet that had to be used

142
00:05:48,345 --> 00:05:50,551
for its point to point connection with the hub.

143
00:05:50,551 --> 00:05:51,943
A third subnet used

144
00:05:51,943 --> 00:05:54,069
for its point to point connection with spoke four.

145
00:05:54,069 --> 00:05:55,583
And another one for spoke three.

146
00:05:55,583 --> 00:05:57,148
And another one for spoke two.

147
00:05:57,148 --> 00:05:59,482
So to maintain all of these connections

148
00:05:59,482 --> 00:06:03,514
we had to have one, two, three, four, five subnets

149
00:06:03,514 --> 00:06:05,380
just on spoke one alone.

150
00:06:05,380 --> 00:06:07,799
And as we know IP subnets come at a premium.

151
00:06:07,799 --> 00:06:09,499
They are very,

152
00:06:09,499 --> 00:06:10,332
they're rare.

153
00:06:10,332 --> 00:06:12,104
There's, there's... They're running out.

154
00:06:12,104 --> 00:06:15,043
And so this was not really a scalable situation.

155
00:06:15,043 --> 00:06:19,097
But after VPNs were invented, then we could actually use

156
00:06:19,097 --> 00:06:21,236
our existing connections to the internet.

157
00:06:21,236 --> 00:06:22,801
And those connections to the internet

158
00:06:22,801 --> 00:06:24,309
could actually do two things.

159
00:06:24,309 --> 00:06:25,688
We could use that connection to the internet,

160
00:06:25,688 --> 00:06:29,359
to actually send this normal data to the internet

161
00:06:29,359 --> 00:06:32,200
to a web browsing or you know Google,

162
00:06:32,200 --> 00:06:34,584
or amazon.com or whatever it was.

163
00:06:34,584 --> 00:06:37,140
But we could use those same connections

164
00:06:37,140 --> 00:06:41,595
to build these tunnels from one router to the other.

165
00:06:41,595 --> 00:06:43,325
Now what do I mean by tunnel?

166
00:06:43,325 --> 00:06:46,510
What I mean by tunnel is that there were IP packets,

167
00:06:46,510 --> 00:06:49,639
we could have IP packets sent

168
00:06:49,639 --> 00:06:52,760
from spoke one as an example

169
00:06:52,760 --> 00:06:54,766
to this hub, to the hub.

170
00:06:54,766 --> 00:06:56,295
Here's a tunnel.

171
00:06:56,295 --> 00:06:58,535
The source of these packets would be spoke one.

172
00:06:58,535 --> 00:07:01,020
The destination of these packets would be spoke two

173
00:07:01,020 --> 00:07:05,582
but inside the packets themselves would be our data.

174
00:07:05,582 --> 00:07:07,634
So whatever spoke one needed to send to hub one,

175
00:07:07,634 --> 00:07:10,499
let's say there was some file server over here,

176
00:07:10,499 --> 00:07:13,190
that the hub was connected to,

177
00:07:13,190 --> 00:07:15,175
and there was some PC sitting over here

178
00:07:15,175 --> 00:07:16,999
in the office of spoke one.

179
00:07:16,999 --> 00:07:19,947
Well, that PC when it sent data to the internet,

180
00:07:19,947 --> 00:07:23,253
like just doing web browsing or whatever it was,

181
00:07:23,253 --> 00:07:24,688
that information would just go

182
00:07:24,688 --> 00:07:26,265
through the regular internet connection,

183
00:07:26,265 --> 00:07:27,815
unencrypted, just normal.

184
00:07:27,815 --> 00:07:30,880
But if that PC sent some data that was destined

185
00:07:30,880 --> 00:07:32,338
for this server right here,

186
00:07:32,338 --> 00:07:34,861
the spoke router would say, "Oh okay,

187
00:07:34,861 --> 00:07:36,398
"I need to take that packet,

188
00:07:36,398 --> 00:07:40,088
"put it inside of another packet, encrypt the body of it

189
00:07:40,088 --> 00:07:41,753
"and then send it to the hub."

190
00:07:41,753 --> 00:07:45,137
So even though, both packets are going through the internet

191
00:07:45,137 --> 00:07:47,797
one packet's destined for an internet destination,

192
00:07:47,797 --> 00:07:52,171
Google.com, CNN.com, BankofAmerica.com, whatever.

193
00:07:52,171 --> 00:07:54,980
That's a regular unencrypted packet destined

194
00:07:54,980 --> 00:07:56,461
for a point on the internet.

195
00:07:56,461 --> 00:08:00,512
The other packet leaving this exact same physical interface

196
00:08:00,512 --> 00:08:03,757
is destined for a server within your own company

197
00:08:03,757 --> 00:08:05,638
at a different location.

198
00:08:05,638 --> 00:08:07,177
And that's going through a tunnel

199
00:08:07,177 --> 00:08:08,983
meaning we're protecting that packet.

200
00:08:08,983 --> 00:08:10,596
We're adding privacy to that packet.

201
00:08:10,596 --> 00:08:12,198
We're probably encrypting that packet

202
00:08:12,198 --> 00:08:14,967
so somebody can't see what's inside of it.

203
00:08:14,967 --> 00:08:16,732
So that's what,

204
00:08:16,732 --> 00:08:20,500
that's how a VPN would give us that connectivity.

205
00:08:20,500 --> 00:08:21,950
So now when it comes to VPNs,

206
00:08:21,950 --> 00:08:24,795
there's two major types of

207
00:08:24,795 --> 00:08:26,567
VPNs we need to be familiar with,

208
00:08:26,567 --> 00:08:28,290
and just a couple more terms.

209
00:08:28,290 --> 00:08:32,634
One type of VPN is called a Peer-to-Peer VPN.

210
00:08:32,634 --> 00:08:34,542
So in a peer-to-peer VPN you can see

211
00:08:34,542 --> 00:08:37,301
these dashed red lines in this particular case

212
00:08:37,301 --> 00:08:40,442
indicate peerings of routing protocols

213
00:08:40,442 --> 00:08:41,942
like EIGRP or OSPF

214
00:08:43,109 --> 00:08:44,850
or maybe even BGP.

215
00:08:44,850 --> 00:08:46,850
So in a peer-to-peer VPN

216
00:08:48,493 --> 00:08:50,438
you are actually exchanging routes

217
00:08:50,438 --> 00:08:52,139
with your service provider.

218
00:08:52,139 --> 00:08:54,773
So you at the spoke would actually send

219
00:08:54,773 --> 00:08:56,422
you know whatever your subnets are here

220
00:08:56,422 --> 00:08:58,700
at your spoke location would send those subnets

221
00:08:58,700 --> 00:09:01,553
to your service provider via some sort of routing protocol.

222
00:09:01,553 --> 00:09:02,485
That would be something that you

223
00:09:02,485 --> 00:09:04,320
and your service provider would work out.

224
00:09:04,320 --> 00:09:07,444
Could be RIPv, could be OSPF, could be anything.

225
00:09:07,444 --> 00:09:09,597
And then your service provider would have to have

226
00:09:09,597 --> 00:09:11,369
some sort of routing protocol running

227
00:09:11,369 --> 00:09:14,228
between their own routers

228
00:09:14,228 --> 00:09:16,749
and then eventually, that route would pop out here

229
00:09:16,749 --> 00:09:17,936
and this service provider,

230
00:09:17,936 --> 00:09:20,524
remember we call it a provider edge router

231
00:09:20,524 --> 00:09:23,875
or a provider edge would send it to the hub router.

232
00:09:23,875 --> 00:09:26,117
So in peer-to-peer, we're really talking

233
00:09:26,117 --> 00:09:28,610
about routing protocol peering.

234
00:09:28,610 --> 00:09:30,326
Who are you peering with?

235
00:09:30,326 --> 00:09:32,905
In some types of VPNs your router,

236
00:09:32,905 --> 00:09:35,385
your customer premises router is actually forming

237
00:09:35,385 --> 00:09:38,770
a routing relationship, an EIGRP neighbor relationship,

238
00:09:38,770 --> 00:09:43,167
an OSPF neighbor relationship with the ISP's router.

239
00:09:43,167 --> 00:09:45,584
And then the two of you are exchanging routes,

240
00:09:45,584 --> 00:09:47,655
and you are relying on the ISP

241
00:09:47,655 --> 00:09:49,611
to really get heavily involved here

242
00:09:49,611 --> 00:09:51,974
to transfer those routes all the way

243
00:09:51,974 --> 00:09:54,920
to the other end to your other site.

244
00:09:54,920 --> 00:09:56,858
So that's called a Peer-to-Peer router.

245
00:09:56,858 --> 00:09:58,164
So in this particular case,

246
00:09:58,164 --> 00:10:00,646
the service provider is not only giving you

247
00:10:00,646 --> 00:10:04,754
your physical and data link layer connectivity to the VPN,

248
00:10:04,754 --> 00:10:07,006
it's also providing you layer three connectivity

249
00:10:07,006 --> 00:10:08,977
because you're doing routing with them,

250
00:10:08,977 --> 00:10:10,660
with the service provider.

251
00:10:10,660 --> 00:10:12,827
The other type of VPN,

252
00:10:12,827 --> 00:10:15,270
is something called an overlay VPN.

253
00:10:15,270 --> 00:10:18,461
This is the type of VPN where the service provider

254
00:10:18,461 --> 00:10:22,259
all they're doing is giving you connectivity to their cloud.

255
00:10:22,259 --> 00:10:24,812
You're not actually doing routing with them.

256
00:10:24,812 --> 00:10:25,893
So with the service provider,

257
00:10:25,893 --> 00:10:27,506
they're providing you like your physical

258
00:10:27,506 --> 00:10:29,079
and your data link layer connectivity.

259
00:10:29,079 --> 00:10:31,406
They're setting up your physical circuits

260
00:10:31,406 --> 00:10:33,148
from one point to the other.

261
00:10:33,148 --> 00:10:36,004
But as far as actual routing protocols are concerned

262
00:10:36,004 --> 00:10:38,001
your router in

263
00:10:38,001 --> 00:10:39,501
spoke location one

264
00:10:40,884 --> 00:10:43,035
is actually forming an EIGRP

265
00:10:43,035 --> 00:10:44,979
or an OSPF neighbor relationship

266
00:10:44,979 --> 00:10:47,102
with your hub router which is hundreds

267
00:10:47,102 --> 00:10:49,569
or maybe even thousands of miles away.

268
00:10:49,569 --> 00:10:52,888
And so the VPN is just being overlaid,

269
00:10:52,888 --> 00:10:56,968
or laid on top of whatever transport mechanism

270
00:10:56,968 --> 00:10:58,728
the ISP address is actually giving you.

271
00:10:58,728 --> 00:11:00,579
So they're just giving you the physical path,

272
00:11:00,579 --> 00:11:02,497
they're providing like the street,

273
00:11:02,497 --> 00:11:04,583
but you're the one who's actually driving the car

274
00:11:04,583 --> 00:11:06,299
across the street.

275
00:11:06,299 --> 00:11:09,382
So that would be like an overlay VPN.

276
00:11:10,461 --> 00:11:11,911
And a couple of additional terms

277
00:11:11,911 --> 00:11:14,328
Client-side or Site-side VPN.

278
00:11:15,746 --> 00:11:17,753
So all the examples I've given you so far,

279
00:11:17,753 --> 00:11:21,425
are called site-to-site VPNs.

280
00:11:21,425 --> 00:11:22,258
What's that mean?

281
00:11:22,258 --> 00:11:26,154
Well that means that there is some networking device

282
00:11:26,154 --> 00:11:30,485
typically a router or some sort of security appliance

283
00:11:30,485 --> 00:11:33,310
and that device sitting at the edge of your customer network

284
00:11:33,310 --> 00:11:36,150
is the one that's implementing the tunnel.

285
00:11:36,150 --> 00:11:37,786
That's the one that's encrypting

286
00:11:37,786 --> 00:11:39,656
and decrypting all the traffic.

287
00:11:39,656 --> 00:11:42,362
It's implementing all the VPN policies.

288
00:11:42,362 --> 00:11:45,947
So the laptops, the PCs, the tablets in your company

289
00:11:45,947 --> 00:11:47,431
they don't have to know anything

290
00:11:47,431 --> 00:11:48,596
about what's getting involved.

291
00:11:48,596 --> 00:11:51,027
All they're doing is just generating Ethernet frames,

292
00:11:51,027 --> 00:11:54,646
just generating IP packets and forwarding into the network.

293
00:11:54,646 --> 00:11:57,458
Eventually those packets reach that edge router

294
00:11:57,458 --> 00:11:58,966
that does all the encryption,

295
00:11:58,966 --> 00:12:00,325
that does all the tunneling.

296
00:12:00,325 --> 00:12:03,075
So from one site to another site,

297
00:12:03,928 --> 00:12:05,760
everything from one site to another site

298
00:12:05,760 --> 00:12:08,633
is being encrypted by these network infrastructure devices.

299
00:12:08,633 --> 00:12:11,926
That's called a site-to-site VPN.

300
00:12:11,926 --> 00:12:14,251
A Client VPN is like it says here,

301
00:12:14,251 --> 00:12:17,090
something typically initiated by a client.

302
00:12:17,090 --> 00:12:18,254
For example,

303
00:12:18,254 --> 00:12:19,848
for those of you who are watching this video

304
00:12:19,848 --> 00:12:21,605
who might be able to telecommute.

305
00:12:21,605 --> 00:12:23,149
Maybe you work from home.

306
00:12:23,149 --> 00:12:24,660
A lot of times, what companies will do

307
00:12:24,660 --> 00:12:25,931
is if you work from home,

308
00:12:25,931 --> 00:12:29,509
they'll install on your laptop some VPN software,

309
00:12:29,509 --> 00:12:32,025
which might look something like this.

310
00:12:32,025 --> 00:12:33,670
Where this is an example of Cisco's

311
00:12:33,670 --> 00:12:36,517
AnyConnect Secure Mobility Client.

312
00:12:36,517 --> 00:12:39,201
This is an example of VPN software.

313
00:12:39,201 --> 00:12:40,628
So on your laptop,

314
00:12:40,628 --> 00:12:43,320
you actually double click this, you open it up.

315
00:12:43,320 --> 00:12:45,014
You type in your credentials.

316
00:12:45,014 --> 00:12:47,105
Whatever your company has given you

317
00:12:47,105 --> 00:12:49,538
and now that tunnel, that security,

318
00:12:49,538 --> 00:12:52,555
is actually being implemented from your laptop.

319
00:12:52,555 --> 00:12:54,821
Your laptop is one end of the tunnel

320
00:12:54,821 --> 00:12:56,879
going all the way to probably a router

321
00:12:56,879 --> 00:12:59,280
or something at your corporate headquarters

322
00:12:59,280 --> 00:13:01,666
and that's terminating the tunnel on the other side.

323
00:13:01,666 --> 00:13:04,999
So now the VPN is extending all the way to you,

324
00:13:04,999 --> 00:13:05,832
the client.

325
00:13:05,832 --> 00:13:08,160
You are one end of that VPN.

326
00:13:08,160 --> 00:13:11,493
And so that is called a Client-Side VPN.

327
00:13:12,895 --> 00:13:15,922
So what are some typical expectations of a VPN?

328
00:13:15,922 --> 00:13:17,777
You know, why would people use these?

329
00:13:17,777 --> 00:13:20,123
What are they hoping to get out of a VPN?

330
00:13:20,123 --> 00:13:22,768
Well, number one, route exchange privacy.

331
00:13:22,768 --> 00:13:25,999
In other words, if I'm doing routing in this VPN,

332
00:13:25,999 --> 00:13:28,320
whether I'm peering with my service provider

333
00:13:28,320 --> 00:13:30,001
and I'm sending them my routes,

334
00:13:30,001 --> 00:13:33,305
or my service provider is just providing me the pathway

335
00:13:33,305 --> 00:13:36,443
and I'm peering with my own router at the other end

336
00:13:36,443 --> 00:13:39,201
of that tunnel that might be 300 miles away.

337
00:13:39,201 --> 00:13:40,414
Either way,

338
00:13:40,414 --> 00:13:43,590
when I send routes into that cloud that I don't own,

339
00:13:43,590 --> 00:13:46,318
that network infrastructure that I'm renting,

340
00:13:46,318 --> 00:13:48,270
I need some assurances that my routes

341
00:13:48,270 --> 00:13:50,701
will not go to anybody else.

342
00:13:50,701 --> 00:13:53,874
My routes will only go to where they're supposed to go.

343
00:13:53,874 --> 00:13:56,040
That I won't accidentally learn

344
00:13:56,040 --> 00:13:57,777
of routes from somebody else.

345
00:13:57,777 --> 00:14:01,446
If you watch the video I did before this one on MPLS VPNs,

346
00:14:01,446 --> 00:14:04,489
I mentioned how one of the primary benefits of MPLS VPNs

347
00:14:04,489 --> 00:14:07,021
from a service provider's perspective,

348
00:14:07,021 --> 00:14:09,074
is that they could have two different customers,

349
00:14:09,074 --> 00:14:12,209
and give the customers the exact same networks.

350
00:14:12,209 --> 00:14:14,608
This customer could be the 20-20 network

351
00:14:14,608 --> 00:14:17,232
and this customer could be the 20-20 network.

352
00:14:17,232 --> 00:14:18,880
Well the only way that's gonna work

353
00:14:18,880 --> 00:14:21,095
is if we have route privacy.

354
00:14:21,095 --> 00:14:22,008
In other words,

355
00:14:22,008 --> 00:14:24,369
if the service provider somehow has some mechanisms

356
00:14:24,369 --> 00:14:28,108
in place that he knows that packets from customer A

357
00:14:28,108 --> 00:14:29,872
should only go to customer A,

358
00:14:29,872 --> 00:14:33,059
and packets from customer B should only go to customer B.

359
00:14:33,059 --> 00:14:35,149
Even if they're using the same subnet,

360
00:14:35,149 --> 00:14:37,676
their service provider, the VPN has to have some way

361
00:14:37,676 --> 00:14:40,300
of keeping those separated from each other.

362
00:14:40,300 --> 00:14:43,957
That's what we mean by route exchange privacy.

363
00:14:43,957 --> 00:14:46,358
And path determination for packets.

364
00:14:46,358 --> 00:14:47,371
Same type of thing.

365
00:14:47,371 --> 00:14:50,192
We wanna make sure that when I put a packet into my VPN,

366
00:14:50,192 --> 00:14:52,430
there is no way that packet could end up

367
00:14:52,430 --> 00:14:54,110
on my competitor's network.

368
00:14:54,110 --> 00:14:57,152
There's no way that packet could accidentally be leaked out

369
00:14:57,152 --> 00:14:59,232
into the internet for everybody to see.

370
00:14:59,232 --> 00:15:00,832
It should only go to one place.

371
00:15:00,832 --> 00:15:02,528
The other end of this VPN

372
00:15:02,528 --> 00:15:05,588
and the other end of the VPN is, belongs to me.

373
00:15:05,588 --> 00:15:06,638
It's my site.

374
00:15:06,638 --> 00:15:07,854
It's my secure site.

375
00:15:07,854 --> 00:15:10,876
So I want some assurance that my packets will go

376
00:15:10,876 --> 00:15:13,152
where they're supposed to go.

377
00:15:13,152 --> 00:15:15,131
And then lastly, data security.

378
00:15:15,131 --> 00:15:17,611
You know, if heaven forbid,

379
00:15:17,611 --> 00:15:19,943
someone's able to actually intercept my packet,

380
00:15:19,943 --> 00:15:22,619
I don't want them to be able to tell what's inside of it.

381
00:15:22,619 --> 00:15:24,564
And this is where we would typically use something called

382
00:15:24,564 --> 00:15:26,166
IPSec, IP security,

383
00:15:26,166 --> 00:15:29,348
which I'll look at in a real high level in just one second

384
00:15:29,348 --> 00:15:30,385
after this slide.

385
00:15:30,385 --> 00:15:33,797
But data security says, "I want to encrypt this packet,

386
00:15:33,797 --> 00:15:37,450
"so that only the actually intended recipient,

387
00:15:37,450 --> 00:15:39,775
"the person who's really supposed to get it,

388
00:15:39,775 --> 00:15:42,363
"will actually be able to read it and understand it.

389
00:15:42,363 --> 00:15:45,705
"If anybody else sees that packet who it is not meant for,

390
00:15:45,705 --> 00:15:47,647
"they won't be able to tell what's inside of it,

391
00:15:47,647 --> 00:15:49,175
"they won't know what it is."

392
00:15:49,175 --> 00:15:51,663
So I want data security.

393
00:15:51,663 --> 00:15:53,583
So typically, IPSec,

394
00:15:53,583 --> 00:15:57,841
which stands for IP Security is what's used for this.

395
00:15:57,841 --> 00:16:00,834
So IP security is sort of like an umbrella term

396
00:16:00,834 --> 00:16:02,573
for a whole bunch of protocols.

397
00:16:02,573 --> 00:16:05,029
And you sort of get to pick and choose

398
00:16:05,029 --> 00:16:06,546
which of these security protocols,

399
00:16:06,546 --> 00:16:09,256
that fall under the umbrella of IPSec,

400
00:16:09,256 --> 00:16:12,233
that you actually want to use to secure your network,

401
00:16:12,233 --> 00:16:14,026
to secure your VPN.

402
00:16:14,026 --> 00:16:16,192
So depending on which protocols you choose,

403
00:16:16,192 --> 00:16:18,909
IPSec can provide any or all

404
00:16:18,909 --> 00:16:21,576
of these four things right here.

405
00:16:22,857 --> 00:16:25,403
So all these protocols within IPSec are defined

406
00:16:25,403 --> 00:16:27,257
in a wide variety of RFCs.

407
00:16:27,257 --> 00:16:30,958
There's not just one RFC that says here's how you do IPSec.

408
00:16:30,958 --> 00:16:33,275
Because we're talking about literally dozens

409
00:16:33,275 --> 00:16:35,977
of different protocols that can do these types of things.

410
00:16:35,977 --> 00:16:38,190
Each one has its own RFC,

411
00:16:38,190 --> 00:16:41,055
and a lot of times there's multiple versions of the RFC.

412
00:16:41,055 --> 00:16:43,989
So IPSec is just the umbrella term.

413
00:16:43,989 --> 00:16:45,876
So depending on what protocols you select,

414
00:16:45,876 --> 00:16:47,924
you might get confidentiality.

415
00:16:47,924 --> 00:16:50,085
So confidentiality is like what I was talking about,

416
00:16:50,085 --> 00:16:51,972
that's typically what we mean by when we say

417
00:16:51,972 --> 00:16:54,688
data encryption, the data is confidential.

418
00:16:54,688 --> 00:16:57,358
Someone can't see what's in the body of that packet

419
00:16:57,358 --> 00:17:00,324
unless they are the intended recipient.

420
00:17:00,324 --> 00:17:02,365
That packet is confidential.

421
00:17:02,365 --> 00:17:03,959
Integrity.

422
00:17:03,959 --> 00:17:06,215
Integrity means we have some way

423
00:17:06,215 --> 00:17:08,409
of checking to see if anything in that packet

424
00:17:08,409 --> 00:17:11,006
has been changed in transit.

425
00:17:11,006 --> 00:17:13,824
You know, when someone was sending a bank transfer

426
00:17:13,824 --> 00:17:15,348
and trying to do a deposit.

427
00:17:15,348 --> 00:17:17,777
Is there some way that a zero was lost

428
00:17:17,777 --> 00:17:19,614
and they're trying to deposit $1,000

429
00:17:19,614 --> 00:17:22,497
and it showed up at the bank as $100?

430
00:17:22,497 --> 00:17:25,137
That would be an example of a loss of integrity.

431
00:17:25,137 --> 00:17:27,707
So some IPSec protocols can detect that.

432
00:17:27,707 --> 00:17:30,152
They can say, "Wait a second here.

433
00:17:30,152 --> 00:17:32,744
"This packet isn't exactly the same

434
00:17:32,744 --> 00:17:36,060
"as when it first left the originator.

435
00:17:36,060 --> 00:17:37,443
"Something's been changed.

436
00:17:37,443 --> 00:17:38,951
"I've checked the integrity.

437
00:17:38,951 --> 00:17:40,210
"Something's wrong here."

438
00:17:40,210 --> 00:17:42,363
Integrity checking.

439
00:17:42,363 --> 00:17:43,510
Authentication.

440
00:17:43,510 --> 00:17:44,663
This is like what we talked about

441
00:17:44,663 --> 00:17:46,437
when we talked about the point-to-point protocol.

442
00:17:46,437 --> 00:17:47,870
Authentication simply means,

443
00:17:47,870 --> 00:17:49,845
"Hey, before I send something to you,

444
00:17:49,845 --> 00:17:51,668
"I need to make sure you are,

445
00:17:51,668 --> 00:17:53,482
"who you really say you are.

446
00:17:53,482 --> 00:17:54,683
"How do I know that you're the person

447
00:17:54,683 --> 00:17:56,847
"I'm supposed to be talking to?"

448
00:17:56,847 --> 00:17:59,457
So there's IPSec protocols that can do that,

449
00:17:59,457 --> 00:18:01,811
do that verification of authentication.

450
00:18:01,811 --> 00:18:04,714
And the last one is anti-replay.

451
00:18:04,714 --> 00:18:07,153
Anti-replay would be something like, okay,

452
00:18:07,153 --> 00:18:11,027
let's say that somebody was watching our conversation.

453
00:18:11,027 --> 00:18:14,071
And maybe they can't see the body of the packet,

454
00:18:14,071 --> 00:18:17,683
but they get enough information that they can spoof me,

455
00:18:17,683 --> 00:18:20,293
and now they can get free internet access

456
00:18:20,293 --> 00:18:21,691
because they send packets to you

457
00:18:21,691 --> 00:18:24,001
that look like they were coming from me,

458
00:18:24,001 --> 00:18:25,599
when in reality, they weren't.

459
00:18:25,599 --> 00:18:28,000
They just took my packets, copied them,

460
00:18:28,000 --> 00:18:29,623
and resent them to you.

461
00:18:29,623 --> 00:18:32,168
So you're actually getting duplicate copies of packets.

462
00:18:32,168 --> 00:18:35,363
Packets are being replayed to you.

463
00:18:35,363 --> 00:18:38,232
So anti-replay says how do we prevent that?

464
00:18:38,232 --> 00:18:40,143
How do we prevent people from capturing packets

465
00:18:40,143 --> 00:18:42,269
and replaying them back into the network?

466
00:18:42,269 --> 00:18:44,501
How do we detect that that's happening?

467
00:18:44,501 --> 00:18:45,819
So there's various collections

468
00:18:45,819 --> 00:18:47,789
of security standards within IPSec

469
00:18:47,789 --> 00:18:50,634
that can prevent that kind of thing

470
00:18:50,634 --> 00:18:53,765
or detect that kind of thing from happening.

471
00:18:53,765 --> 00:18:56,727
So that concludes this video on An Overview

472
00:18:56,727 --> 00:19:00,810
and An Introduction of Virtual Private Networks.