10. Transport Layer Security (TLS) / Secure Sockets Layer (SSL) Part 4
A digital certificate, also called a public key certificate or identity certificate, is an electronic document used to prove ownership of a public key. It carries information about the identity of the key's owner, which is called the subject. Most of the time the subject is an organization, a server or a computer. The certificate also carries the digital signature of an entity that has verified the certificate's contents, called the issuer. Most of the time the issuer is a CA. If the signature is valid and the software examining the certificate, for example the client web browser, trusts the issuer, then it can rely on the public key in the certificate (whose matching private key only the subject holds) to communicate securely with the certificate's subject.
Again, the public key is used for encryption while the private key is used for decrypting that message. Note that in modern TLS the server's certificate key is mostly used to sign the handshake, and the session keys come from an ephemeral key exchange; the encrypt-with-the-public-key picture describes the older RSA key exchange. Now, the certificate authority, or CA, is again a third-party entity that issues digital certificates and verifies that the owner is legitimate. It is trusted by both the subject, which is again the owner of the certificate, and by the party relying upon the certificate. The certificate format is specified by the X.509 standard. Now, what is the X.509 standard? Well, it is just the standard for public key certificates in the digital world, and certificates in that format are stored in different file formats such as PEM, CRT and P12 (PKCS #12). Now, there are many CAs out there that are trusted by most web browsers.
But some of the most common are IdenTrust, Symantec (which took over the VeriSign certificate business), GoDaddy, Google and Microsoft.
Transport Layer Security, or TLS, is a cryptographic protocol designed to provide communication security over a computer network. Most of the time it is a client and a server communicating securely. It is independent of the application protocol running on top of it, so it can be used by many applications: not only web applications, but also email, instant messaging, voice over IP (VoIP) and many more. It is often still called by its older name, SSL.
Well, TLS is the successor of SSL. SSL is obsolete; SSL 3.0 was deprecated by the IETF back in 2015 (RFC 7568). Now, it's funny because most vendors, even the top vendors, still say SSL, even F5. We talk about SSL profiles, we talk about SSL termination, and I don't think we're going to change that any time soon to TLS offloading, TLS termination or TLS profile; it will still be SSL. TLS is notable for being part of HTTPS, the protocol for securing web communications. Now, as I mentioned, SSL, TLS and HTTPS, all three of these terms are used interchangeably, but they have their differences.
11. Transport Layer Security (TLS) / Secure Sockets Layer (SSL) Part 5
Why do we need to use HTTPS again? Imagine you are this client and you open a web browser because you want to access a website on the Internet. So let's say this is the website and this is the Internet. Now, when you send data to the Internet, to send traffic to any website, not just this website but any server on the public network, anyone along the path can sniff or eavesdrop on the data you are sending. And there are a lot of bad guys out there; they are everywhere. Some are professionals, some are trying to be professionals. Okay, you see a lot of bad guys. Now our goal is to protect against many different types of attack.
One very common case: if you send plain text over an unsecured network such as the Internet, we want to protect against a specific attack called the man-in-the-middle attack. Now, we need to add a protocol that secures our payload, tunneling it to our HTTP applications. So what I'm going to do is add a tunnel here that gives us secured communication from our web browser towards our destination, in this case the website. Now, as I mentioned as well, this is our HTTP application, and underneath our HTTP application we use a protocol that relies on certificates: this is our TLS. HTTP carried over TLS is HTTPS. Encryption alone is not enough against a man in the middle, though: the browser must also verify that the certificate it receives was issued by a trusted CA for the name it typed, otherwise the attacker simply presents a key of their own. Why do we need HTTPS? Again, we just want to secure our data on the Internet.
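The two checks described in the last two sections, "does the certificate chain to an issuer I trust" and "is it issued for the name I asked for", are what defeat a man in the middle. The following Go program is an added example written for this page (it is not course material or F5 code): it builds a private root CA, issues a server certificate for the hypothetical name www.example.com, starts a TLS server on a loopback port and then connects three times, the way a browser would. The CA name, the host names and all function names are assumptions made up for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates an X.509 certificate for subject. With parent == nil the certificate
// is self-signed (a root CA); otherwise it is signed by parentKey, so parent is the issuer.
func issue(subject string, dnsNames []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		DNSNames:              dnsNames,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// serveTLS starts a TLS server on a loopback port that presents cert and completes
// handshakes; whether to trust it is entirely the client's decision.
func serveTLS(cert *x509.Certificate, key *ecdsa.PrivateKey) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
	})
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() {
				c.(*tls.Conn).Handshake() // any failure is reported on the client side
				c.Close()
			}()
		}
	}()
	return ln.Addr().String(), nil
}

// connect does what a browser does: dial, then accept the server only if its certificate
// chains to one of roots AND was issued for serverName.
func connect(addr, serverName string, roots *x509.CertPool) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, RootCAs: roots})
	if err != nil {
		return err
	}
	return conn.Close()
}

// demo builds the CA and server certificate and tries three connections.
func demo() (trusted, untrusted, wrongName error, err error) {
	ca, caKey, err := issue("Example Root CA", nil, true, nil, nil)
	if err != nil {
		return
	}
	leaf, leafKey, err := issue("www.example.com", []string{"www.example.com"}, false, ca, caKey)
	if err != nil {
		return
	}
	addr, err := serveTLS(leaf, leafKey)
	if err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	trusted = connect(addr, "www.example.com", roots)                // nil: chain and name verify
	untrusted = connect(addr, "www.example.com", x509.NewCertPool()) // x509.UnknownAuthorityError
	wrongName = connect(addr, "mail.example.com", roots)             // x509.HostnameError
	return
}

func main() {
	trusted, untrusted, wrongName, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("trusted root, matching name:", trusted)
	fmt.Println("issuer not trusted:", untrusted)
	fmt.Println("name mismatch:", wrongName)
}
```

The second and third connections fail even though the server's key and encryption are perfectly good; that is the point. A man in the middle can always present a certificate, but it will either be signed by an issuer the browser does not trust or be issued for a different name, and the handshake is rejected before any application data is sent.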
12. Virtual Private Network (VPN) Part 1
Let's start our VPN discussion with the two most common VPN deployments. First, the site-to-site VPN. How it works is like this. We have two branches, branch one and branch two, and at each branch we have a layer 3 device, let's say a router. Behind these routers we have our LAN, and in our LAN we have servers. Let's add two servers here and one client. Behind router one we also have client PCs, and we have servers as well. Router one and router two communicate with each other via the Internet. The reason they do this is that this company, this organization, let's say, doesn't have the budget for dedicated WAN links. So they use the less expensive option, which is the Internet.
But as we discussed in our previous video, if we send data via the Internet, it is plain text and anyone can eavesdrop on our traffic. It is prone to man-in-the-middle attacks. Now let's say this setup, this organization, is also not looking for growth. Meaning they currently have two branches, and maybe in the next couple of years, or after three years, that's the only time they may add a new branch. So only two branches for now. Now our goal again is to secure the data that is sent from router one to router two, or branch one to branch two. Because maybe this guy here needs to access this server or this application, and maybe this guy here needs to access this server as well.
So two branches, with some of the servers and applications in branch one and some in branch two. Now what we need to do is enable security, in this case IPsec. First we're going to define the interesting traffic. How do we know what the interesting traffic is? Let's say the branch one LAN, their local area network, is 192.168.100.0/24, while the branch two LAN is 192.168.20.0/24. The interesting traffic on branch one would be from 192.168.100.0/24 to 192.168.20.0/24. On the other branch it would be the mirror image, from 192.168.20.0/24 to 192.168.100.0/24. This is what we will define on these two routers. Take note, these are just routers, and they can also perform VPN configuration, specifically IPsec. Many different devices, which we call VPN head ends or VPN concentrators, can perform VPN.
It's not just routers; it can be firewalls, it can also be application delivery controllers (ADCs) and many other devices. Now again we're going to create and define the interesting traffic. These are the interesting traffic definitions, and we use them as the trigger. Well, before they can trigger anything, we need to associate them first with our IPsec configuration. We're not going to detail what the IPsec configuration is. We have two phases: IKE phase 1, and then phase 2, where we enable the Authentication Header (AH) and/or ESP, the Encapsulating Security Payload. The most important part here is how IPsec is enabled in our site-to-site VPN. Again, we associate the interesting traffic with the IPsec configuration, apply it to our VPN concentrator, and here's what's going to happen.
Assuming our IPsec site-to-site VPN is properly configured, when one host sends traffic to router one, router one will know, hey, this destination is configured behind router two. Before the traffic reaches router two, the two routers will negotiate a tunnel, and inside the tunnel router one will encrypt the traffic. Router two receives it and decrypts the data, then sends it on to the destination. It works both ways. This is also sometimes called a LAN-to-LAN VPN, because we are not just encrypting traffic between one or two communicating hosts, but between the entire networks behind, in this case, each router. I'm just going to add here: LAN-to-LAN IPsec VPN.
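To make the "interesting traffic" and "two phases" parts concrete, here is an added example in Go (written for this page, not course or vendor code) that models what the two routers above have to agree on: mirrored traffic selectors for the 192.168.100.0/24 and 192.168.20.0/24 LANs from the whiteboard, and a matching IKE phase 1 proposal. The Selector and Proposal types, the function names and the proposal values are all constructed for the illustration, and the negotiation is deliberately simplified (no lifetimes, no PRF, no phase 2 transform sets).

```go
package main

import (
	"fmt"
	"net"
)

// Selector is one "interesting traffic" rule: packets from Src to Dst go into the tunnel.
// The two peers of a site-to-site VPN must configure mirror images of each other.
type Selector struct {
	Src, Dst *net.IPNet
}

// Proposal is one IKE phase 1 policy line, the suite a peer is willing to use to protect
// the negotiation itself (simplified: no lifetime, no PRF).
type Proposal struct {
	Encryption string // e.g. "aes-256"
	Hash       string // e.g. "sha256"
	DHGroup    int    // e.g. 14
	Auth       string // "psk" or "rsa-sig"
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// Classify returns the index of the selector a packet from src to dst matches, or -1
// when the packet is not interesting and is forwarded in the clear.
func Classify(policy []Selector, src, dst net.IP) int {
	for i, s := range policy {
		if s.Src.Contains(src) && s.Dst.Contains(dst) {
			return i
		}
	}
	return -1
}

// Mirrored checks that two peers' selectors are exact mirror images. A mismatch is the
// classic reason phase 2 fails on one side, or traffic silently leaves in the clear.
func Mirrored(a, b []Selector) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i].Src.String() != b[i].Dst.String() || a[i].Dst.String() != b[i].Src.String() {
			return false
		}
	}
	return true
}

// Negotiate models IKE phase 1: the initiator offers its proposals in priority order and
// the responder accepts the first one that is also in its own list. No match, no tunnel.
func Negotiate(initiator, responder []Proposal) (Proposal, bool) {
	for _, p := range initiator {
		for _, r := range responder {
			if p == r {
				return p, true
			}
		}
	}
	return Proposal{}, false
}

func main() {
	branch1 := []Selector{{Src: cidr("192.168.100.0/24"), Dst: cidr("192.168.20.0/24")}}
	branch2 := []Selector{{Src: cidr("192.168.20.0/24"), Dst: cidr("192.168.100.0/24")}}
	fmt.Println("selectors mirrored:", Mirrored(branch1, branch2))
	fmt.Println("100.10 -> 20.5 interesting:", Classify(branch1, net.ParseIP("192.168.100.10"), net.ParseIP("192.168.20.5")) >= 0)
	fmt.Println("100.10 -> 8.8.8.8 interesting:", Classify(branch1, net.ParseIP("192.168.100.10"), net.ParseIP("8.8.8.8")) >= 0)

	strong := Proposal{"aes-256", "sha256", 14, "psk"}
	legacy := Proposal{"3des", "sha1", 2, "psk"}
	// Leaving a legacy proposal in the list means a peer that only supports it negotiates
	// the tunnel down to it; remove weak proposals instead of just ordering them last.
	got, ok := Negotiate([]Proposal{strong, legacy}, []Proposal{legacy})
	fmt.Println("negotiated:", got, ok)
}
```

Two practical takeaways: run the mirror check whenever a selector is edited on one side only, and treat the proposal list as an allow list, because the responder will happily pick whatever weak suite both sides still list.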
13. Virtual Private Network (VPN) Part 2
Site-to-site IPsec VPN is good because we are able to send data from the network of one branch to the network of another branch. But it is not really designed for teleworkers. What are teleworkers? Again, these are your employees who don't stay much on your company's premises. Why? Because they likely travel a lot to attend corporate events and client meetings. So we have teleworkers who move from place to place, and the question is, how can they access company resources like applications? How about we configure VPN head end concentrators such as routers, firewalls and ADCs, and after configuring them, they bring them along everywhere they go?
Is that a good option? Probably not. But we have another option. This is what we call the remote access VPN, and we have two examples of remote access VPN. The first one is the client VPN. Now, what I have here is a client who needs to send data from any location. He can travel to any city in the world, and all he needs is an Internet connection. I have here the headquarters, or corporate headquarters, or data center of the company, where we have most of the resources. So I'm going to connect and add servers here. Going to add more servers. And another one, there you go. So this is the headquarters or data center of your company.
Now this connects to the Internet, and a client VPN requires dedicated software to connect to your company's resources. So on the client you need to install, again, dedicated VPN software. Now, one of the advantages of remote access VPN compared to site-to-site VPN is that it is less complex. It has less configuration. The configuration is focused on the head end VPN concentrator, so the configuration is here. Now for the client, all they need to do is open the software, in this case the dedicated client VPN software, to connect to this router. In the software, they need to input the destination, which can be the IP address or a fully qualified domain name of this VPN device, plus their username and password.
Because they need to be authenticated and authorized before they can connect to the VPN device and send encrypted data. So at this point, this VPN client is now sending encrypted traffic to the VPN device, and this VPN device, this router, decrypts it and forwards it to this application or this application. Another note I need to highlight: for client VPN, depending on the router or your VPN device, you can use either IPsec or SSL. Now we have the second remote access VPN example. This is the SSL VPN. Like client VPN, all you need is a client device.
It can be a PC, it can be a laptop, it can also be a mobile device or a tablet. But the difference between client VPN and SSL VPN is that we don't need to install dedicated VPN software. For SSL VPN we use our web browser, and from the web browser, like with client VPN, we input the fully qualified domain name or IP address of the VPN device. We input it here: https:// followed by the IP address or fully qualified domain name. As soon as we get to the portal, we enter our credentials, the username and password, and if everything is configured properly, this client will also be able to send data securely over the Internet.
So it is sending data, and as soon as the VPN device, in this case the router, receives it, it can decrypt it and forward it to the destination, which is your company resources, many different applications. Now, both examples, the client VPN and the SSL VPN, can be used anywhere as long as you have an Internet connection and, of course, the network you are on allows the ports required by the VPN. An IPsec client needs UDP 500 and 4500 (and ESP, IP protocol 50, unless NAT traversal is in use), which hotel and guest networks often block, while SSL VPN rides on TCP 443, which is almost always open; that is the practical reason SSL VPN is the more common choice for teleworkers. Okay? That's the beauty of remote access VPN: it is less complex because the configuration and maintenance are mostly on the VPN device residing in our headquarters or data center. As for the client, all they need to do is install and run the software required to connect to the VPN concentrator, or simply use their web browser.
14. Virtual Private Network (VPN) Part 3
IPsec VPN. IPsec is a secure protocol suite for IP communications, and our goal is to secure data over an unsecured medium such as the Internet. We know the Internet is open to everybody and anyone can easily sniff or eavesdrop on data on the Internet. The IETF standard provides data confidentiality: confidentiality means we secure the data by encrypting our traffic. Authentication: this allows only specific devices or users to build an encrypted connection to a specific VPN concentrator. And we also have integrity: integrity means maintaining and ensuring the accuracy and completeness of the data it authenticates and encrypts, as I mentioned in the site-to-site VPN discussion.
For example, router one and router two must share keys or passwords; they need to authenticate each other. For the remote access VPN, the user, using either their web browser or the VPN client software, needs to input their credentials in order to connect to the VPN concentrator, and it encrypts the packets over the network. IPsec uses cryptographic security services to protect communications over IP. It's not only SSL that uses cryptographic security services; IPsec does as well. Now, the benefits. Cost: going back to our first example, instead of using dedicated WAN links, which can be very costly, we just use the Internet and enable IPsec on our routers or other VPN concentrators. Scalability:
In our first example, where we use only two VPN devices, it's not so scalable: if we add more VPN devices for more branches, you will manually configure each of these VPN devices, and the more VPN devices or branches you have, the more complex the configuration. It's not really that scalable, because you would be creating a tunnel for every pair of your company's branches (a full mesh of n branches needs n(n-1)/2 tunnels). Now, not all VPNs are like that; some VPNs are very scalable. An example is the SSL VPN. We also have many different types of VPN, some of them proprietary. Flexibility: well, VPN configuration is sometimes easy, though not in the site-to-site example, and there are other VPN configurations that are not as complex as the others.
And of course security. That is our main goal: to encrypt our data sent over the Internet. Types of VPN: we have the secure VPN, which is IPsec and SSL VPN, designed to secure our data sent via the Internet. We also have the trusted VPN. If you hear about MPLS VPN, well, it is a VPN, a virtual private network, in the sense that you are using your service provider's network, which is private; it's just that it is not designed to be secured or encrypted. You are just trusting the service provider and expecting that no one will sniff or do a man-in-the-middle attack, but that is possible for your service provider. We also have the hybrid VPN, which is a combination of both secure VPN and trusted VPN.
Now if you are subscribed to your service provider and using their MPLS VPN service, you still have the option to enable IPsec or SSL VPN on top of it. You also have different types of VPN deployment. Unfortunately, some of the VPN deployments are proprietary and it's not appropriate to discuss them here; it's also not part of the F5 101 scope. But the most common are the site-to-site VPN, which we discussed in our whiteboard session, and the remote access VPN. Remote access has two types: SSL VPN, probably the more common, and the client VPN, where we use dedicated VPN software to connect to our VPN head end device.
We also use two IPsec protocols. We have the Authentication Header (AH), which only provides authentication and integrity of the payload, while ESP, the Encapsulating Security Payload (sometimes expanded as Encapsulating Security Protocol), is what enables encryption, and it can provide authentication and integrity as well. In practice ESP is what gets deployed: AH also authenticates the outer IP header, so it breaks as soon as a NAT device rewrites addresses. Now if you see or hear about Generic Routing Encapsulation, or GRE: GRE is not a VPN, it's just a tunnel. So you can still communicate from one branch to another using private IP addresses, a private network over the Internet, but by default it is not secured. You have the option to add IPsec to secure your data, and when you enable IPsec over GRE, this is called a GRE over IPsec VPN.
Again, site-to-site VPN uses IPsec to replace dedicated WAN links and creates a dedicated tunnel for each VPN connection. So if you have multiple branches, again, that will be one tunnel per pair of branches. That's why it's not scalable and it's not ideal for teleworkers. Remote access VPN: you may use either IPsec or SSL/TLS. It depends on what your head end VPN device requires. From the client end you use a laptop or other devices such as a mobile phone or tablet to connect to your VPN concentrator. Again, it's client-based or clientless, meaning you may not need dedicated software because you can use your web browser. It's more flexible and ideal for teleworkers. And this is what makes a VPN a VPN.
First, authentication. It validates identity. So every router, every firewall or ADC that enables IPsec VPN is authenticated; every single device needs to authenticate the other using a pre-shared key or other mechanisms such as certificates. Attackers will not be able to spoof the servers, and that's the main goal. You also have privacy: it encrypts and decrypts data, whether over a public network or a private network, so attackers will not be able to view the data. And integrity, where we use hashing algorithms (keyed HMACs) to detect if a message has been changed. Attackers will not be able to modify data without it being detected.
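The AH versus ESP distinction and the privacy and integrity guarantees described above are easier to see in code. The following Go program is an added example written for this page (it is not course material and not a real IPsec implementation): AHProtect leaves the payload readable and appends an HMAC-SHA256 over the SPI, sequence number and payload, while ESPProtect encrypts the payload with AES-256-GCM and authenticates the header with it. The receiver side also enforces a deliberately simplified anti-replay rule (sequence numbers must strictly increase, rather than the real sliding window). The SA layout, the constructed keys, the full-length tag and the function names are all assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SA holds what both peers share after IKE has authenticated them and derived keys.
// The constructed keys below stand in for IKE output; real keys come from the exchange.
type SA struct {
	SPI     uint32
	macKey  []byte // integrity key used by the AH-style protection
	encKey  []byte // AES-256-GCM key used by the ESP-style protection
	lastSeq uint32 // simplified anti-replay state: accept only strictly increasing seq
}

// header is the 8-byte SPI + sequence number prefix carried in the clear by both AH and ESP.
func header(spi, seq uint32) []byte {
	h := make([]byte, 8)
	binary.BigEndian.PutUint32(h[0:], spi)
	binary.BigEndian.PutUint32(h[4:], seq)
	return h
}

// checkSeq rejects a sequence number already seen (replay) or older than the last one.
func (sa *SA) checkSeq(seq uint32) error {
	if seq <= sa.lastSeq {
		return errors.New("replayed or out-of-order sequence number")
	}
	sa.lastSeq = seq
	return nil
}

// AHProtect: the payload stays readable; only an HMAC over header+payload is added.
func AHProtect(sa *SA, seq uint32, payload []byte) []byte {
	h := header(sa.SPI, seq)
	m := hmac.New(sha256.New, sa.macKey)
	m.Write(h)
	m.Write(payload)
	return append(append(h, payload...), m.Sum(nil)...)
}

// AHVerify recomputes the HMAC and rejects any modified packet, then applies anti-replay.
func AHVerify(sa *SA, pkt []byte) ([]byte, error) {
	if len(pkt) < 8+sha256.Size {
		return nil, errors.New("short packet")
	}
	h, body, tag := pkt[:8], pkt[8:len(pkt)-sha256.Size], pkt[len(pkt)-sha256.Size:]
	m := hmac.New(sha256.New, sa.macKey)
	m.Write(h)
	m.Write(body)
	if !hmac.Equal(tag, m.Sum(nil)) {
		return nil, errors.New("AH integrity check failed")
	}
	if err := sa.checkSeq(binary.BigEndian.Uint32(h[4:])); err != nil {
		return nil, err
	}
	return body, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ESPProtect: AES-GCM encrypts the payload and authenticates header+ciphertext in one step,
// so the packet provides privacy and integrity together. The nonce travels in the clear.
func ESPProtect(sa *SA, seq uint32, payload []byte) ([]byte, error) {
	aead, err := gcm(sa.encKey)
	if err != nil {
		return nil, err
	}
	h := header(sa.SPI, seq)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(append(h, nonce...), aead.Seal(nil, nonce, payload, h)...), nil
}

// ESPOpen decrypts only if the tag verifies (any bit flip fails), then applies anti-replay.
func ESPOpen(sa *SA, pkt []byte) ([]byte, error) {
	aead, err := gcm(sa.encKey)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(pkt) < 8+n+aead.Overhead() {
		return nil, errors.New("short packet")
	}
	h, nonce, ct := pkt[:8], pkt[8:8+n], pkt[8+n:]
	pt, err := aead.Open(nil, nonce, ct, h)
	if err != nil {
		return nil, errors.New("ESP integrity check failed")
	}
	if err := sa.checkSeq(binary.BigEndian.Uint32(h[4:])); err != nil {
		return nil, err
	}
	return pt, nil
}

func main() {
	// Constructed SA and payload for the demonstration.
	sa := &SA{SPI: 0x1001, macKey: bytes.Repeat([]byte{1}, 32), encKey: bytes.Repeat([]byte{2}, 32)}
	payload := []byte("GET /payroll HTTP/1.1")
	ah := AHProtect(sa, 1, payload)
	esp, _ := ESPProtect(sa, 2, payload)
	fmt.Println("AH packet exposes payload:", bytes.Contains(ah, payload))
	fmt.Println("ESP packet exposes payload:", bytes.Contains(esp, payload))
	_, err := ESPOpen(sa, esp)
	fmt.Println("first ESP open:", err)
	_, err = ESPOpen(sa, esp)
	fmt.Println("replayed ESP open:", err)
}
```

Reading the two packet formats side by side shows why the course says AH "only allows authentication": an eavesdropper can read the AH payload but cannot change it, whereas with ESP they can do neither. The sequence-number check is what stops an attacker who cannot forge packets from simply replaying a captured one.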