Tunneling and IPSec Part 1

Time: 7 hours 50 minutes
Difficulty: Beginner
CEU/CPE: 8
Video Transcription
As I'm sure you are aware, dial-up communications were replaced by the idea of VPNs and tunneling. When we talk about VPNs, Virtual Private Networks, that's the whole idea: that even though you're in a remote location, it seems as if you have your own private network into your local office or some resource across the Internet. The idea is that this encapsulation provided is passing through a tunnel.

We already talked about encapsulation when discussing the OSI reference model. What happens with encapsulation is you get a protocol within a protocol, or you get some additional headers that are added that protect the original data in its format. With Virtual Private Networks, we have to have tunneling protocols that allow this protection. Your tunneling protocols are either going to provide encapsulation, encryption, authentication, all of these things, or just some of these things. It really is driven by the protocol that you choose.

The question then sometimes is, why would I not want encryption and authentication if I'm tunneling across the Internet? The answer to that is that some tunneling protocols just help traffic move from one network across a different network. For instance, an IP version 4 packet can't travel across an IP version 6 network. You can create or use a tunneling protocol where the IPv4 traffic is given transport as it's encapsulated into IP version 6. Ultimately, encapsulation provides us with a lot more than just encryption and authentication. It really allows just one type of traffic to traverse a different type of network.

Of course, this process of encapsulation, and perhaps encryption and authentication, is created through the use of protocols. There are other protocols that can be used for tunneling; these are the most common. You have a protocol that's based off of the Point-to-Point Protocol that we saw with dial-up. It's called Point-to-Point Tunneling Protocol. We also have L2TP, which stands for Layer 2 Tunneling Protocol. We can create a tunnel with IPsec. GRE is Generic Routing Encapsulation. Then we have Secure Sockets Layer. We can create SSL tunnels, really today, TLS tunnels.

If we start off by looking at Point-to-Point Tunneling Protocol, this was developed by Microsoft. Again, we're really getting away from dial-up communication because of the expense, not the security. What we wanted to do is allow users to connect across the Internet as opposed to having to dial in. That's what PPTP was all about. Because it's based on the Point-to-Point Protocol, if you'll remember, we talked about PAP, CHAP, and EAP for authentication. It uses a new protocol called MPPE for encryption. Some of the same ideas, but it provides the tunneling, the connection-to-connection. It's the creation of this virtual network. One of the drawbacks to PPTP is that it only works across IP-based networks, which is okay at the time because we're communicating across the Internet today. But back in our time, we had frame relay networks and ATM networks. We really needed something more flexible that worked across different network types, which is exactly why L2TP was developed.

Cisco came out with a protocol called L2F, Layer 2 Forwarding. But Cisco likes to keep their good ideas proprietary. We basically took what was good about L2F and what was good about PPTP, and came up with L2TP, Layer 2 Tunneling Protocol. Because it's a Layer 2 protocol, it doesn't require a specific network type. It's agnostic, so it's not bound to an IP network the way that Point-to-Point Tunneling Protocol is. The problem with L2TP is that it's just the encapsulation in and of itself. It can be used to have one type of traffic traverse a dissimilar network type. But if you're using it to create a tunnel, IPsec is going to be used with L2TP. IPsec will actually provide the security.

With that being said, you can actually just use IPsec in and of itself to create a tunnel. That way is really most common today. For instance, if I'm doing site-to-site VPN from one location to another, I have VPN concentrators and they communicate across an unsecured network with IPsec.

IPsec really is an interesting protocol, because it was designed as a part of IP version 6. One of the things about IPv6 is that this was going to finally give us a protocol that was integrated with security. Now, we've seen the masses have not flocked to IPv6. I almost feel like we'll see IPv6 as soon as we see the metric system. But IPsec was designed as part of IPv6. It is made to work backwards, or be backwards compatible. You can use it with IP version 4. But even though IPv6 isn't everywhere you look, IPsec is very popular. It is the framework of choice for encryption, authentication, and encapsulation.

Let's talk a little bit about configuring IPsec. When you set up IPsec, one of the first choices that you have to make is the mode in which IPsec should operate. Now, you have Tunnel Mode and you have Transport Mode. Whichever one of those you choose is going to determine what gets encapsulated. For instance, if we think about a typical IP version 4 packet, we have a header, data, and a trailer. In Tunnel Mode, the entire IPv4 packet is encapsulated. You can see with the diagram here, IPsec adds a header before the IP header. The entire IPv4 packet is the IPsec payload, and then there's an IPsec trailer added as well. The whole packet is wrapped up. This is in Tunnel Mode. Again, when you think about tunneling, it's transmitted across an unsecured network. It makes sense that the whole IP packet is encapsulated.

But with Transport Mode, we might be using Transport Mode internally. Maybe we want to protect traffic going to and from our payroll database. We don't want that stuff on the network unencrypted, so you might use IPsec in Transport Mode to protect internal traffic, because Transport Mode is only going to encapsulate the IP payload, the data. It doesn't encapsulate the IP header and trailer. What you get when you add some security services is less security in Transport Mode, but with the understanding that you're not really tunneling across the Internet in Transport Mode, so you get greater security in Tunnel Mode. But you always trade performance for security.