8.1.1
VPNs have become a crucial technology in network infrastructure for several reasons.
- Internet connections are available nearly everywhere in the world and in many cases are more readily available than other types of private network service. This is because Internet access can be delivered over media such as coax and wireless, whereas traditional data connectivity from telecommunications providers is generally not provided over that type of media.
- In addition to being more readily available, Internet connections are also much more cost-effective. The monthly cost per megabit is much lower than that of traditional data connections from telecommunications providers.
8.1.4
Enterprise VPNs
These are virtual private networks that an organization sets up to provide network connectivity over the Internet, either between its remote offices (Site-to-Site VPNs) or between employees at home or at a remote location and the corporate network (Remote Access VPNs).
Technologies used for Enterprise VPNs include:
- IPsec (handles the security side of VPN – authenticating endpoints, ensuring integrity, and encrypting the data)
- GRE – Generic Routing Encapsulation (handles encapsulating IP packets so that they can be routed over the public Internet)
- SSL VPNs – These are VPNs that run over a TCP port 443 HTTPS connection
Site-to-Site VPNs
IPsec/GRE VPNs can be used to create site-to-site VPNs as well as client remote access VPNs.
Remote Access VPNs
Client-less Remote Access VPNs
SSL VPNs are generally only used for remote access VPNs. In many cases they are used in what are called “clientless” remote access VPNs. A clientless VPN is created by connecting to a remote server over an HTTPS web connection and then downloading a lightweight VPN client that is used to build the VPN tunnel for the duration of that connection. Once the client disconnects from the VPN server, the client is removed from memory.
Client-less VPNs are convenient because you can use them from a machine that might not be yours, and you are not required to have admin rights to install VPN client software.
The Cisco Network Academy ENSA curriculum misstates the capabilities of client-less VPNs on slide 8.2.1. That module states:
“Clientless VPN connection - The connection is secured using a web browser SSL connection. SSL is mostly used to protect HTTP traffic (HTTPS), and email protocols such as IMAP and POP3. For example, HTTPS is actually HTTP using an SSL tunnel. The SSL connection is first established, and then HTTP data is exchanged over the connection.”
Cisco Network Academy ENSA Curriculum Module 8.2.1
A client-less VPN creates an HTTPS connection to the VPN server and then uses that connection to tunnel all of your traffic. Although client-less VPNs can be configured to permit or deny certain types of traffic, most client-less VPNs allow a traditional tunnel to be established over that HTTPS connection. This means you can run any TCP/UDP/IP traffic through the tunnel and it will behave just like any other client-based remote access VPN. The ENSA curriculum states that these types of VPNs are mostly used to protect only HTTP and E-Mail, but in my experience all protocols are generally allowed.
Another reason that client-less VPNs are so popular is that most companies allow HTTPS through their firewalls, which means these types of VPNs should operate on almost any Internet connection. IPsec/GRE VPNs utilize the GRE protocol, which rides directly on top of IP (it does not use TCP or UDP); it uses IP protocol 47. So if you are on a firewalled connection that only allows TCP and UDP traffic, your IPsec/GRE connection will be blocked, but the client-less SSL VPN on TCP port 443 (HTTPS) will flow through just fine.
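As an added example (not from the ENSA curriculum or the original notes), this Python snippet parses a minimal IPv4 header, applies the “TCP and UDP only” firewall policy described above, and shows why a GRE packet (IP protocol 47) is dropped while the SSL VPN's TCP/443 packet passes. The packets, addresses and ports are constructed for the demonstration.

```python
import struct

# IANA-assigned IP protocol numbers used in the discussion above.
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_GRE = 47   # GRE rides directly on IP; no TCP/UDP header follows it.

def parse_ipv4(packet: bytes) -> dict:
    """Return the IP protocol number and, for TCP/UDP, the destination port."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total_len, _ident, _flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes
    info = {"proto": proto, "dport": None}
    if proto in (PROTO_TCP, PROTO_UDP) and len(packet) >= ihl + 4:
        # Both TCP and UDP start with 16-bit source and destination ports.
        _sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        info["dport"] = dport
    return info

def tcp_udp_only_firewall(packet: bytes) -> bool:
    """Policy from the text: only TCP and UDP pass; anything else (e.g. GRE) is dropped."""
    return parse_ipv4(packet)["proto"] in (PROTO_TCP, PROTO_UDP)

def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed sample packet: minimal 20-byte IPv4 header, checksum left at zero."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([203, 0, 113, 10]))  # constructed addresses
    return header + payload

# Constructed samples: an SSL VPN packet to TCP/443 and a GRE-encapsulated packet (proto 47).
SSL_VPN_PKT = build_ipv4(PROTO_TCP, struct.pack("!HH", 51000, 443) + b"\x00" * 16)
GRE_PKT = build_ipv4(PROTO_GRE, b"\x00\x00\x08\x00" + b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    for name, pkt in (("SSL VPN (TCP/443)", SSL_VPN_PKT), ("IPsec/GRE (proto 47)", GRE_PKT)):
        verdict = "allowed" if tcp_udp_only_firewall(pkt) else "blocked"
        print(f"{name}: {verdict}")
```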
Client-Based Remote Access VPNs
Client-Based VPNs rely on a client being installed on the machine in order to operate. Most modern client-based VPNs can be configured to use either IPsec or SSL, so that you can avoid the firewall problem mentioned above.
Service Provider VPNs
These are a very different type of virtual private network. Service provider VPNs are a type of private network service that telecommunications providers sell to customers. These networks do not ride over the Internet; instead they use private networks that the telecommunications providers build to support a virtual network overlay. They do not use traditional VPN protocols like IPsec and GRE to build site-to-site VPNs, but rather use other technologies to create private overlays on top of a larger shared network that the provider leverages for all of its customers.
Services built on a service-provider-style VPN include:
- Private IP Networks – These usually refer to Layer 3 IP networks built on technologies like MPLS (Multiprotocol Label Switching). MPLS is used inside the telecommunications provider's network to build individual private networks that keep customers' traffic separate from one another. The customer is never exposed to the “MPLS” side of the network; from the customer's perspective they are simply given a network connection that routes their traffic through the provider's network privately and securely. To facilitate successful routing, the customer has to participate in a routing protocol with the provider's network. In most cases BGP is used.
- Frame Relay / ATM – These were Layer 2 private networks that telecommunications providers built and sold to customers.
- Metro Ethernet Networks – These are also Layer 2 private networks that telecommunications providers provide to customers. In a sense they are giving you a VLAN of your own to keep your traffic segmented from other customers' traffic.