Tunneling and IPSec Part 1

Time
9 hours 49 minutes
Difficulty
Beginner
CEU/CPE
10
Video Transcription
00:05
As I'm sure you are aware, dial-up communications were replaced by the idea of VPNs and tunneling.
00:12
When we talk about VPNs, virtual private networks,
00:15
that's the whole idea: that even though you're in a remote location, it seems as if you have your own private network into your local office or some resource across the Internet.
00:25
The idea is that the encapsulation provided is what passes through a tunnel.
00:29
We already talked about encapsulation when discussing the OSI reference model.
00:34
What happens with encapsulation is you get a protocol within a protocol
00:38
or you get some sort of additional headers that are added that protect the original data in its format.
00:44
With virtual private networks, we have to have tunneling protocols that allow this protection.
00:50
Mhm.
00:51
Your tunneling protocols are either going to provide encapsulation, encryption, authentication, all of these things or just some of these things,
00:59
and it really is driven by the protocol that you choose.
01:03
The question then sometimes is, why would I not want encryption and authentication if I'm trying to tunnel across the Internet?
01:10
And the answer to that is that some tunneling protocols just help traffic move from one network across a different network.
01:15
For instance, an IP version 4 packet can't travel across an IP version 6 network,
01:23
so you can create or use a tunneling protocol where the IPv4 traffic is given transport and is encapsulated into IP version 6.
01:30
So ultimately, encapsulation provides us with a lot more than just encryption and authentication.
01:38
It really allows just one type of traffic to traverse a different type of network.
01:42
Of course, this process of encapsulation and perhaps encryption and authentication is created through the use of protocols.
01:51
There are other protocols that can be used for tunneling, but these are the most common.
01:56
So you have a protocol that's based off of the Point-to-Point Protocol that we saw with dial-up. That's called Point-to-Point Tunneling Protocol.
02:04
We also have L2TP,
02:06
which stands for Layer 2 Tunneling Protocol.
02:08
You can create a tunnel with IPsec.
02:12
GRE is Generic Routing Encapsulation,
02:15
and then we have Secure Sockets Layer.
02:17
We can create SSL tunnels, really, today, TLS tunnels.
02:23
So if we start off by looking at Point-to-Point Tunneling Protocol, this was developed by Microsoft, and again we were really getting away from dial-up communication because of the expense and lack of security, and what we wanted to do was allow users to connect across the Internet
02:38
as opposed to having to dial in.
02:40
So that's what PPTP was all about.
02:44
Because it's based on Point-to-Point Protocol, if you'll remember, we talked about PAP, CHAP, and EAP for authentication.
02:53
It uses a new protocol called MPPE for encryption,
02:57
so some of the same ideas, but it provides the tunneling, the connection. So it's the creation of this sort of virtual network.
03:05
One of the drawbacks to PPTP is that it only works across IP-based networks,
03:10
which is okay at the time because we're communicating across the Internet today.
03:15
But back in that time, we had frame relay networks and ATM networks,
03:20
and we really needed something more flexible that worked across different network types.
03:23
which is exactly why L2TP was developed.
03:27
Cisco came out with a protocol called L2F, Layer 2 Forwarding,
03:31
but Cisco likes to keep their good ideas proprietary.
03:36
So we basically took what was good about L2F and what was good about PPTP and came up with L2TP, Layer 2 Tunneling Protocol.
03:45
Because it's a Layer 2 protocol, it doesn't require a specific network type.
03:49
It's kind of agnostic, so it's not bound to an IP network the way that Point-to-Point Tunneling Protocol is.
03:54
The problem with L2TP is that it's just the encapsulation in and of itself.
04:00
It can be used to have one type of traffic traverse a dissimilar network type.
04:05
But if you're using it to create a tunnel, IPsec is going to be used with L2TP, and IPsec will actually provide the security.
04:16
With that being said, you can actually just use IPsec in and of itself to create a tunnel.
04:21
That's what's really most common today.
04:25
That is, for instance, if I'm doing a site-to-site VPN from one location to another, I have VPN concentrators and they communicate across an unsecured network with IPsec.
04:34
IPsec really is an interesting protocol because it was designed as a part of IP version 6.
04:41
One of the things about IPv6 is that this was going to finally give us a protocol that was integrated with security.
04:47
Now, we've seen the masses have not flocked to IPv6.
04:51
I almost feel like we'll see IPv6 as soon as we see the metric system,
04:57
but IPsec was designed as part of IPv6.
05:00
It is made to work backwards, or be backwards compatible.
05:04
You can use it with IP version 4. But even though IPv6 isn't everywhere you look,
05:10
IPsec is very popular;
05:12
it is the framework of choice for encryption, authentication, and encapsulation.
05:18
Let's talk a little bit about configuring IPsec.
05:23
When you set up IPsec, one of the first choices that you have to make is the mode in which IPsec should operate.
05:30
Now you have tunnel mode and you have transport mode.
05:32
Whichever one of those you choose is going to determine what gets encapsulated.
05:36
For instance, if we think about a typical IP version 4 packet, we have a header, data, and a trailer.
05:44
In tunnel mode, the entire IPv4 packet is encapsulated.
05:47
You can see with the diagram here IPsec has a header before the IP header,
05:53
the entire IPv4 packet is the IPsec payload, and then there's an IPsec trailer added as well,
06:00
so the whole packet is wrapped up.
06:01
This is in tunnel mode,
06:03
and again, when you think about tunneling, it's transmitting across an unsecured network.
06:09
So it makes sense that the whole IP packet is encapsulated.
06:13
But with transport mode,
06:14
we might be using transport mode internally.
06:16
Maybe we want to protect traffic going to and from our payroll database.
06:21
We don't want that stuff on the network unencrypted, so we might use IPsec in transport mode to protect internal traffic, because transport mode is only going to encapsulate the IP payload, the data.
06:33
It doesn't encapsulate the IP header or trailer.
06:36
So what you get when you add some security services is less security in transport mode,
06:42
but with the understanding that you're not really tunneling across the Internet in transport mode,
06:46
so you get greater security in tunnel mode,
06:49
but you always trade performance for security