ROUTE Module 7: Implementing VPN
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential (ISCW)
© 2010 Cisco Systems, Inc. All rights reserved.
CCNP – ROUTE, Bachkhoa Networking Academy
Học viện CNTT Bách Khoa (Bach Khoa IT Academy) - www.bkacad.com

Slide 2: Objectives
What Is Needed to Build a VPN?
Overlay and Peer-to-Peer VPN Architecture
VPN Topologies
Characteristics of a Secure VPN
VPN Security: Encapsulation
VPN Security: IPsec and GRE
VPN Security: Symmetric and Asymmetric Encryption Algorithms
Symmetric Encryption Algorithms
Asymmetric Encryption
Diffie-Hellman Key Exchange
Data Integrity
VPN Security: Authentication

Slide 3: Virtual Private Networks (VPNs)
A virtual private network (VPN) is a concept that describes how to create a private network over a public network infrastructure while maintaining confidentiality and security.
VPNs use cryptographic tunneling protocols to provide sender authentication, message integrity, and confidentiality by protecting against packet sniffing.
VPNs can be implemented at Layers 2, 3, and 4 of the Open Systems Interconnection (OSI) model.

Slide 4: Virtual Private Networks (VPNs)
A virtual private network (VPN) creates a private connection, or network, between two endpoints.
This is a virtual connection because the physical means of connectivity is indifferent to the safety of the data involved.
IPsec adds a layer of protection to the data that travels across the VPN.

Slide 5: VPN Components
1. An existing network with servers and workstations
2. Connection to the Internet
3. VPN gateways (i.e., routers, PIX, ASA, VPN concentrators) that act as endpoints to establish, manage, and control VPN connections
4. Software to create and manage tunnels

Slide 6: Security: Encapsulation and Encryption
The key to VPN technology is security.
VPNs secure data by:
– encapsulating the data
– or encrypting the data
– or both encapsulating the data and then encrypting the data
Encapsulation is also referred to as tunneling.
– Encapsulation transmits data transparently from network to network through a shared network infrastructure.
Encryption codes data into a different format.
– Decryption decodes encrypted data into the data's original unencrypted format.

Slide 7: Overlay VPNs
Service providers (SPs) are the most common users of the overlay VPN model.
The design and provisioning of virtual circuits (VC) across the backbone is complete prior to any traffic flow.
In the case of an IP network, this means that even though the underlying technology is connectionless, it requires a connection-oriented approach to provision the service.

Slide 8: Overlay VPNs
L2 overlay VPN:
– L2 overlay VPNs are independent of the network protocol used by the customer, meaning that the VPN is not limited to carrying IP traffic.
– If the carrier offers the appropriate ATM service, the overlay VPN will carry any kind of information.
– Frame Relay VPNs are normally limited to data applications, although voice over Frame Relay customer premises equipment (CPE) devices may be usable on some services.
L3 overlay VPN:
– L3 overlay VPNs most often use an "IP in IP" tunneling scheme using Point to Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and IP security (IPsec).

Slide 9: Overlay VPNs
The overlay model includes L2 and L3 VPNs.

Slide 10: Extra: Layer 2-Based VPN Services

[...]

CPE-Based VPN (Peer-to-Peer)
CPE-based VPN is another name for an L3 overlay VPN.
The VPN is implemented using CPE.
Customer creates a VPN:
– across an Internet connection
– without any specific knowledge or cooperation from the service provider
Customer gains increased privacy using an inexpensive Internet connection.
SP loses opportunity for VPN service revenue.

[...]

SP-Provisioned VPN
Multiprotocol Label Switching (MPLS) combines:
– the benefits of overlay VPNs (security and isolation among customers)
– the benefits of the simplified routing of a peer-to-peer VPN
Only the Provider Edge (PE) routers need to be provisioned to support the VPNs.
Note that MPLS VPNs cannot replace all VPN implementations because MPLS only supports IP [...]

VPN Topologies: Remote Access VPN
The party negotiating a secure connection with the VPN gateway uses VPN client software.
The VPN client software allows telecommuters and traveling users to communicate on the central network and access servers from many different locations.
Tunnels are created using either:
– IPsec
– Point to Point Tunneling Protocol (PPTP) - Microsoft
– Layer [...]
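As an added example (not from the original slides), the following Python builds and unpacks a GRE-in-IPv4 tunnel packet of the kind the L3 overlay and encapsulation slides describe: the outer IPv4 header carries the tunnel endpoint addresses and the inner packet rides inside unchanged. All addresses and the payload are constructed sample values. It also makes the slide's distinction concrete: encapsulation alone is not encryption, so the inner packet stays readable on the shared infrastructure until IPsec protects it.

```python
import socket
import struct

GRE_PROTO = 47            # IP protocol number carried in the outer header for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" value for an IPv4 payload

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 791); a valid header sums to 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options, DF set) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def ipv4_addrs(packet: bytes) -> tuple:
    """Source and destination addresses of the IPv4 packet at the start of packet."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel an inner IPv4 packet: outer IPv4 (proto 47) + 4-byte GRE header + inner."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # C/K/S flags and version all zero
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre_hdr + inner)

def gre_decapsulate(outer: bytes) -> bytes:
    """Validate the outer IPv4 and GRE headers, then return the inner packet."""
    ihl = (outer[0] & 0x0F) * 4
    if ipv4_checksum(outer[:ihl]) != 0:
        raise ValueError("outer IPv4 checksum mismatch")
    if outer[9] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    flags_ver, proto_type = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags_ver & 0x0007:                        # RFC 2784 GRE is version 0
        raise ValueError("unsupported GRE version")
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE payload type 0x%04x" % proto_type)
    gre_len = 8 if flags_ver & 0x8000 else 4      # C bit adds checksum + reserved1 words
    return outer[ihl + gre_len:]

if __name__ == "__main__":
    # Constructed sample: a private-LAN packet tunnelled between two public endpoints.
    inner = build_ipv4("10.1.1.10", "10.2.2.20", 17, b"private LAN data")
    outer = gre_encapsulate(inner, "203.0.113.1", "198.51.100.1")
    print("outer", ipv4_addrs(outer), "inner", ipv4_addrs(gre_decapsulate(outer)))
    print("payload visible in cleartext on the wire:", b"private LAN data" in outer)
```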
Slide 12: VPN Topologies
Remote Access VPN
Site-to-Site VPNs

Slide 13: VPN Topologies: Remote Access VPN
Provide remote users access to an intranet or extranet over a shared infrastructure [...]

[...]

VPN Topologies: Remote Access VPN
Benefits:
– Reduce long-distance charges that are associated with dialup access
– Help increase productivity and confidence by ensuring secure network access regardless of an employee's location

[...]

Slide 18: VPN Topologies: Site-to-Site Intranet VPN
Benefits:
– Offer cost savings over traditional leased-line or Frame Relay technologies

Slide 19: VPN Topologies: Site-to-Site Extranet VPN
VPN links to an enterprise customer's network [...] connections.
Extranet VPNs allow access to users who are outside the enterprise.
Use firewalls and VPN tunnels:
– Secure access to specific data and resources
– Not gaining access to private corporate information

Slide 20: VPN Topologies: Site-to-Site Extranet VPN
Benefits:
– Businesses [...]
Slide 16: VPN Topologies: Site-to-Site Intranet VPN
Links over a shared infrastructure using dedicated connections:
– Headquarters
– Remote offices
– Branch offices
Site-to-Site Intranet VPNs allow access only to trusted employees.
Gateways at various physical locations within the same business negotiate secure tunnels across the Internet.

Slide 17: VPN Topologies: Site-to-Site Intranet VPN Example
– Data Center or mainframe at Main Office
– Remote Offices have access to Data Center
– Users from the networks on either side of the tunnel can communicate with one another [...]

Slide 21: Characteristics of a Secure VPN

Slide 22: Characteristics of a Secure VPN
Authentication ensures that a message:
– comes from an authentic source and
– goes to an authentic destination
VPN technologies are making use of several reputable methods [...]