68. Lecture-68:Introduction to Internet Protocol Security IPSec.
Is IPsec protocol. What is IPsec? Internet protocol security. Basically, IPsec is an open standard. It’s like a suit, you know, like a kit, football kit, hockey kit, either like your exercise kit, where everything is available. Like a first aid kit, first aid kit. What there is, there is everything available, caesar and everything. So whenever somebody got a wand or something, so you have a complete kit to put first aid. So, Ipsick is like a suit, like a kit which provide each and everything for VPN. So what those things are, those are Confidentiality integrity Authentication and Entry Replay. So IPC can provide you all these details, and it’s an open standard. You can use in any vendor router, any vendor firewall, anything. So IPSA can provide you confidentiality. What is confidentiality? Basically, encryption. Call confidentiality. What is encryption? We just discuss encryption. Encryption means to make the data hide so that nobody know in the middle. And we use one method from that. I’ll show you from the software. This is called confidentiality. Confidentiality to hide your data. Confidential. Only the sender and receiver know and only sender and receiver will able to read the data.
This is called confidentiality. Another is integrity. We just discuss integrity. MD Five and Shaw are the two method. Integrity means that whatever send the data, the receiver can receive the same data without changing, no alter. The data is not being altered, not being changed in the middle. And how they will check, they use hashing. I just show you in this side the VPN router. Either the VPN firewall will generate a hash value and they will send the hash value separately to the other device. And when the other device receive the data, they will generate a hash and they will compare with the hash. So, if the hash are similar, it means integrity is there. Nobody changed the data in the packet. This is called integrity. IPSA can provide you this.
Third one is authentication. We also need to know that the data which I am given to someone is the authorized person or someone else. Suppose if you receive a letter and somebody knock on the door, postman that is there is hema inside and somebody else come out and he received my letter and he said yes, I’m hehmad no, postman will not give them. They will say give me your identity, your passport, your identity card and anything which whatever ID, photo ID with signature, so that I can verify you that this letter belonged to you. This is called authentication. So they will authenticate the other party are you the actual person to receive the data. And then the last one is Nt Replay. Suppose if somebody slow the packet and duplicate them and intercept them, so when they receive the same packet, they will say no, this is not that packet, it’s Miss Udder packet. So Ipsic can provide you Nt replay as well. So Ipsic has these protocol ESP and ah encryption has so many. Three of them is Des.
Three DS and AES. Authentication is MD five ensure and DP helmet. It can support many, but three of them I mentioned here. So IPsec protocol. There are two ways to configure IPsec. One is ESP, which is the best one and side to side VPN. We are using ESP integrity Encryption Authentication and Nt replay everything you will receive if you are using encapsulating security payload method of IPV Six. Sorry, IPsec. Also it working with netted devices if native devices is coming in the middle. So ESP what they will do, they will encrypt the entire packet and will create a new IP header. But there is another method as well authentication Header which can provide you integrity. Integrity we just discussed in authentication but no encryption. It will not encrypt the data. The data will go in clear text. So it’s not a good solution. So you can configure IP Six in two different way. Authentication header and ESP. This method will not create a header but they will put their own header inside the IP header. Then IP Six can be configured into different mode, not different method mode. Tunnel mode which will create a tunnel between two devices. This is a firewall and this is a router.
Any combination, it can be a firewall and firewall. They will make a tunnel between these two. But after the tunnel the data will be in clear text. Because we don’t care. This is now in our infra in our insights. We don’t care. It’s like a security suppose MNA either the president, so when they go from their home, so when they come out from their door, then security will start and when they reach to office, security will stop on the door. Inside the office we don’t care. And inside the home we don’t care. So this is called tunnel mode. And normally side to side. VPN remote Access VPN get VPN. We all use tunnel mode. Then there is a transport mode which is security start from your bed, from your home bed. Security guard will be there with you inside your home as well. Inside your room, inside your bed. And they will encrypt the data and they will secure you until you reach to your office chair. This is called Transport Mode which is not normally used. Authentication we use these we already discussed. There are two way MD. Five NSHA. Then ensure. We have so many flavor encryption we already discuss to encrypt the data to make them garbage. Nobody know. There are so many methods.
One of them is DS. DS means encryption. Data encryption. Standard. It will encrypt the data. There is triple DS which is more powerful than three DS three time it will encrypt the data. And there is AES more advanced than that one. Advanced encryption. Standard. So for encryption you have three different way DS DS the old one, then three DS and then AES. Then in AES you have 128, 192 and 256 flavor. So you can go more and DP hellman, I already told you how it is working then.
69. Lecture-69:Introduction to Virtual Private Private Network.
Now coming to VPN. What is VPN? Virtual private network means whatever we are doing this is virtual and private and we are using network to make our network so virtually we are creating our private network and this concept we call them VPN. So basically using unsecure internet and make our secure path. So this concept we call them VPN. Normally not all VPN are secure. There are many VPN which is sending data in clear text but most of the time we want to use VPN so send our traffic and secure way. So basically there are two possibilities. Either to buy your own lease line so nobody will come your line and then you can send and receive data and clear text and whatever. Nobody can come to your lease line but they will charge you much and it’s cost. So the chief solution is VPN because the internet is everywhere. At home, at office, everywhere you just need two MP internet, that’s enough. You can create a VPN tunnel even from me to you. You can create a VPN tunnel and window as well and PC as well and Linux as well and router as well and switches as well and anything which they support there you can create a VPN even in window.
If you go to VPN there is a VPN setting and you will see many VPN protocol point to point and all these so because it’s cheap solution VPN it just require internet connection and public IP either dynamically they can get the IPS and using the IDNs. So basically we use VPN to provide privacy and data integrity to hide the data so that nobody know anything between let me give an example here. Suppose you are in the boat in water, you are visible to everyone. Anybody can hate you, they can fire on you, they can do anything they can damage you because you are visible. So water is like an internet and when you are sending your data and clear text so maybe hacker can hack you and they can take your data and they can damage your network and they can down your services and they can get your sensitive data. So this is one method. If you are sending everything clear text so what is the solution? We have a solution to use submarine which is underwater again that water is internet but now you are protected, nobody can see you you are not visible like this you’re going underwater and also underwater your data is encrypted nobody can hit you nobody can see anything who is inside this submarine?
This is called VPN. Either when you shifting from one home to another home and your SOPA and everything, your house stuff, you put them in a truck and that vehicle is going okay, but inside it’s not visible to anyone. So this road is like an Internet. And this is your packet. But inside is encrypted. So this is a VPN car ship to use a public transport. This is a public transport. Either you can buy your own car to put your stuff up home. Now your stuff is only $20 and you want to buy 20,000 car to take your data from one place to another. Which is not a good decision. That’s why we never want a lease line. Because it’s so costy. So that’s why we use VPN. We use Internet like public transport, like a water to encrypt our data and send to the other party.
Now, VPN can be classified in many, but mostly two of them are famous side to side VPN and Remote Access VPN. Even that can be classified based on OSI layer. Layer four VPN, layer seven VPN, Web VPN and it can be by layer three IPsec, VPN, GRE, VPN, DMVPN, SSL, VPN, L two Tpvpn also can be layer two VPN, L two Tpvpn I just show you Nwando PPTP, VPN, Frame Relay, ATM It can be classified on trust level intranet VPN extranet VPN remote VPN It can be in traditional VPN frame relay and ATM NKTB by provider like MPLS BGP. MPLS VPN It can be by session like SSL, VPN and WebVPN. It can be secure VPN, Trusted VPN, Hybrid VPN and it can be classified as a clear text VPN. There are clear text VPN as well MPLS VPLs, GRE all these sending data and clear text now coming why we need a VPN? Why? What is the advantages? So cost saving definitely these line will cost you much scalability, security compatibility, better performance, flexibility, reliability you can add anytime, any branch JSON two three click and your VPN will be ready. Also security it can provide you why use secure VPN? So that nobody can attack on you. Nobody can do men in the middle attack. Nobody can spoof your data. Because if you are not using VPN your data will be sent in clear text and when you send in clear text anybody can see now in 40 gate firewall we can configure many VPN the most famous one is side to side. VPN and the other one is remote users remote access VPN side to side means lane to lane VPN hub to spoke VPN there are so many names of side to side. VPN.
If you want to connect one branch office to main office we call them side to start VPN. If you want to connect to remote side with each other we call them side to start VPN. If you want to connect central side to remote side, we call them side to side VPN. Like the so 40 gate. They will connect this branch to this branch. And we have a remote user to side VPN. Like your mobile phone, your Android phone, your make operating system, your window, Linux, your iPad, ipod. You can connect to your network, your office network. This is called remote VPN. You can remotely connect from home, from office, from anywhere. From on the move, from car, from anywhere. So side to side VPN we call them land to land VPN have to spoke VPN private to private or public network VPN, land to public network VPN, side to side VPN. And so many name you can give them.
And remote XS, I already told you. Then in remote access VPN, there are further two categories. One is to install an application like this one, like Global Protected for Palo Alto. So FortiGate has their own software to install. And also you can use SSL based VPN. You just need a browser. So client based VPN and client list VPN and remote Ssvpn. Then you have two more category then coming to protocol of VPN. There are so many protocol of VPN. Point to point tunnel protocol, layer two, forwarding protocol, layer two tunnel protocol. Generic routing and capsulation protocol multiprotocol label switching MPLS, IPsec and SSL. But these two are more famous. But you have so many protocol for encryption, they have so many method I we already discussed des three DS. AES 128, 128, AES 192 and AES 256. For hashing, they have sharp secure hash algorithm and message digest. And for authentication they have preshale key and digital certificate. This was uepn. Okay.
70. Lecture-70: Policy-Based and Route-Based VPNs Theory.
Now in Palo Alto firewall you can configure policy based VPN and route based VPN and both policy based VPN and route based VPN both phases are there, you can configure them as normal but in routebased VPN there will be interface created automatically. Tunnel interface will be created, but in policy based VPN there will be no interface. We will see both in the left, then you will feel the difference. What is the difference between policy based VPN and route based VPN? For route based VPN you need to create two policy. When we do the lab I will mention you. What is this two policy? Security policy means one policy from Len to VPN and another from VPN to lend your local area network. So per route based VPN you need to create two policy. But for policy based VPN you just need only one policy which will work for both direction. Route based VPN also call interface based VPN. Either tunnel based VPN and policy based VPN. No, this is interface based. Policy based VPN. We call them tunnel based VPN. So here we require two policy to allow the traffic. And here we require only one policy to allow the traffic. In both cases we need to create phase one and phase two VPN. These are the major difference between these two. Policy based VPN and route based VPN both support and net and transparent mode. We have net mode and transparent mode, you remember? So policy based can be configured in both mode, but route based VPN can only be configured in net mode because this is route based. So in transparent it will not work. L two TPU or IP six support.
Yes, both are support. GRE support no policy based, not support but routebased support. Them security policy requirement. S require policy and S also require policy. S require only one policy and this require a separate policy for every connection. This is the major difference between these two. Otherwise the end of the day is almost similar. Now before going to lab we need to know some terminologies which we will face when we will do lab and that is overlay controller VPN. You can configure many VPN in four ticket firewall. Many options for VPN, one of them Ocvpn which we call them overlay controller VPN. This is like a cloud based. If you are all 40 gate firewall is registered and they are in the public cloud. So you can connect them directly and they will learn each other automatically. This is not our topic but we will see this terminology there. So maybe you will ask what is this one? So that’s why I’m telling you. So you can configure this type of VPN as well. But it’s required a license and it’s required a proper FortiGate to be registered and cloud. Another thing which we will face when we configure VPN in the lab die is Blakehold route. What is Blake? Hold route.
You know in Cisco and Linux we also use the same null we use null eagrp summarized route they created automatically null interface. So whenever the traffic came and there is no one to receive them so the null interface will destroy them. The same case is here blake Hold route suppose one side is down and in VPN and the other side is sending the data again and again. So this side will receive but cannot respond so what they will do in this case this Blake hold route will destroy those packet. So in this way there will be no burden on your firewall on your network. Because there is nobody to receive the data. So this for this purpose we will use black hole route and the administrative distance is the last 1254 we already discussed administrative distance we will give them the last one if nobody is there to receive the data so it will be destroyed by this black hole route. Then another thing which when we do lay, we will see VPN Template. VPN Template is like a visit. Just do Next, Next, Next and you will configure VPN in two minutes.
You can configure VPN side to side VPN in 40 Gate Firewall if you are using VPN Template. So Template is nothing but a visit which you click Next, Next, Next and predefined everything. And you will configure VPN side to side. Either. Remote excess VPN. So this is called VPN template. Another thing which we will do a lab we will see dead peer detection dead we know dead peer means your peer you are NIPER and deduction means to detect so dead peer detection maybe your other side up for wall is down side to side VPN you have two side you configure them. But one side for wall is down so how this firewall will know? So in this way you have to enable dead peer detection. One is unedal and the other is on demand. UN idle means whenever you are not using VPN tunnel side to side. And so they will keep them on an idle whenever the VPN is empty and nobody is using sending and receiving data. So dead peer detection if you enable them and choose an idle situation so they will send traffic, they will reestablish. The VPN will make them on. They will say no don’t sleep. Because if you are not using side to side VPN it will be down. Because they have a lifetime we set lifetime that if nobody is used so it will be down. So when you start sending so it will up but if you say no, no I don’t want to down them so you can use debt peer detection that don’t be sleep so one is UN idle and the other is on demand. undemand means on your demand whatever you want you can make them on. So we will see this type of option as well. Another option we will see net reversal what is net traversal sometime when you create sidetoside VPN between two side because this is a side and this the side. Maybe there is a router in the middle either here in the router in the middle and this is internet cloud and there is net enable net is configured on this router. But your firewall is here and your firewall is here behind the router. But in router there is net configure. We already discussed net in so detail.
So if you are not enable net reversal, so it will destroy here. Because net will change the packet. They will say okay, wait, let me change your IP to another IP. This is called net. Yeah. So when you’re changing something, VPN will drop the packet. This is the beauty of VPN that whatever you send has to be received same everything. So if net change our IP, so what the hell is left? The integrity is gone. So when the packet has been received by this firewall, they will destroy them. They will say no, this is changed because the original hash and now the receiving hash is different. So what is the solution in this case? Because net will change the IP. As we know net is changing the IP. So for this purpose we need net revulsive. We will enable net reversal to bypass the net devices and reach so the packet will be not modified and they will accept the packet.
And this way when they receive so for this purpose we are using net reversal. In shortcut, I told you then there is a net keep alive frequency. For this purpose we can enable keep alive frequency means the timer. You can enable that feature so that they can check after a while frequency after a while frequently. Another thing which we will see in the lab is xrth authentication means extended authentication. This is a new concept for dialup client user. This is out of topic, but I’m just telling you we will see there. Maybe you will ask what is this like a mechanism tape chape ingredients LDAP for this type of authentication, if you want to authenticate a user using remote dialup client so you can use xarth authentication method as well, which is not an action you will not see in real world, but SDL. So this is some terminologies which we discuss.