[edit section] Tunneling, VPN, and IPSec
In the last lesson we learned about some of the more common remote access protocols in use today. You should recall that a remote access protocol allows remote access to a network or host and is usually employed in dial-up networking. Alternatively, some remote access technologies are involved in remote control of a host, such as through secure shell or Telnet.
However, another class of remote access technologies does exist. This class is related to two of the fundamental aspects of information security: confidentiality and availability. This type of remote access technology allows a user to securely dial in or otherwise access a remote network over an encrypted and difficult-to-intercept connection known as a “tunnel.” These protocols are therefore usually referred to as tunneling or secure remote access protocols.
[edit section] VPN
A virtual private network is a pseudo-LAN that is defined as a private network that operates over a public network. It allows remote hosts to dial into a network and join the network basically as if it were a local host, gaining access to network resources and information as well as other VPN hosts. The exam will test you on your ability to recognize different applications of VPN networks. Use common sense here! Obviously, VPN networks would likely be employed in settings in which information security is essential and local access to the network is not available. For example, a VPN might be utilized by a telecommuting employee who dials into the office network.
[edit section] PPTP
PPTP, or Point-to-point tunneling protocol, is a commonly implemented remote access protocol that allows for secure dial-up access to a remote network. In other words, PPTP is a VPN protocol. PPTP utilizes a similar framework as PPP (point-to-point protocol) for the remote access component but encapsulates data into undecipherable packets during transmission. It is as its name implies: an implementation of PPP that utilizes tunneling by encapsulating data.
[edit section] IPSec
IPSec is a heavily tested area of the Security+ exam. You will inevitably see at least one question on IPSec and probably around three, so it will be to your benefit to understand IPSec well. IPSec allows for the encryption of data being transmitted from host-to-host (or router-to-router, or router-to-host… you get the idea) and is basically standardized within the TCP/IP suite. IPSec is utilized in several protocols such as TLS and SSL. You should know that IPSec operates in two basic modes. We will now study these modes in greater detail.
- Transport Mode – Provides host-to-host security in a LAN network but cannot be employed over any kind of gateway or NAT device. Note that in transport mode, only the packet’s information, and not the headers, are encrypted.
- Tunneling Mode – Alternatively, in tunneling mode, IPSec provides encapsulation of the entire packet, including the header information. The packet is encrypted and then allowed to be routed over networks, allowing for remote access. Because of this, we are usually most interested (at least for exam purposes) in the Tunneling mode.
IPSec is comprised of two basic components that provide different functionality:
- AH – Authentication Header (AH) can provide authentication of the user who sent the information as well as the information itself
- ESP – Encapsulating Security Protocol (ESP) can provide actual encryption services which can ensure the confidentiality of the information being sent.
[edit section] L2TP
L2TP, or Layer 2 Tunneling Protocol, is an alternative protocol to PPTP that offers the capability for VPN functionality in a more secure and efficient manner. Rather than actually replacing PPP as a remote access protocol or IPSec as a security protocol, L2TP simply acts as an encapsulation protocol on a very low level of the OSI model – the Data Link layer. L2TP, therefore, commonly utilizes PPP for the actual remote access service and IPSec for security. Note that L2TP operates on a client/server model with the LAC (L2TP Access Concentrator) being the client and the LNS (L2TP Network Server) acting as the server.
[edit section] Quick Review
1. Your boss asks you to recommend a solution that meets the following requirements: 1) He wishes to access the company network remotely, and 2) The access must be as secure as possible. Which would you implement?
a. A VPN using L2TP and IPSec
b. A PPP dial-in network
2. Which of the following components of IPSec would allow a message to be traced back to a specific user?
3. Which of the following is a true statement regarding the difference between tunneling and transport modes of IPSec?
a. Transport only works with remote hosts
b. Tunneling only works between remote hosts
c. Transport is more secure than tunneling
d. Transport only works between local hosts
[edit section] Answers
1. Your boss is essentially asking for a solution that allows for secure remote access to the network (as opposed to a network host, which you might recommend SSH for). The answer is A because the VPN satisfies his basic requirements.
2. AH provides the essential service of authentication of users sending messages. This allows a message to be traced back to a specific host. The answer is C.
3. Transport mode is exclusive to local host traffic because only the payload is encrypted. Transport mode will not work between remote hosts; for this, you must employ tunneling. The answer is D.