VPN


I think it would be beneficial to have an overview of how an IPsec VPN is built so we can at least see the “big picture” before delving into the specifics.  There are essentially five main phases.  They are as follows:

1.  “Interesting Traffic” initiates the VPN process on the security appliance.

There are usually many different data streams flowing through your devices and not all of them will be part of the VPN tunnel.  Some may be HTTP traffic, SMTP connections etc.  There needs to be a way of the appliance distinguishing what traffic should be tunnelled and what shouldn’t.  The most common method is to use an Access Control List (ACL) or rulebase.

2.  IKE Phase 1.  IKE (Internet Key Management protocol)

IKE Phase 1 is the process that occurs when the two endpoints first establish connectivity.  Its purpose is to create a secure, authenticated channel between the VPN peers over which the IKE Phase 2 security parameters can be negotiated.

3.  IKE Phase 2

Once a temporary secure connection has been formed between the two VPN peers, IKE Phase 2 negotiates the security parameters that will be used between the two endpoints for the VPN tunnel, and then periodically renegotiates them throughout the lifetime of the tunnel to limit the damage should a key be compromised.

4.  IPsec VPN Tunnel Established

Once IKE Phase 2 has completed both peers may now send data to each other.  As data is sent and received through the tunnel it will be encrypted and decrypted by the VPN peers using the security parameters agreed upon in IKE Phase 2.

5.  IPsec VPN Tunnel Terminated

IPsec VPN tunnels are torn down after a specified lifetime expires or when the IPsec tunnel is manually stopped.  The tunnel can be re-established before the timeout is reached by agreeing new security parameters through IKE Phase 2 again.  This ensures a stable connection and no interruption of data flow should the timeout expire during communications.

I intend for this to be the first of a number of articles explaining VPN technologies.  The articles that follow on from this one will provide a more in-depth discussion of Virtual Private Networks.  VPNs have become increasingly popular due to the flexibility they offer and the cost of site-to-site circuits.  The demand for unified communications and mobility means that companies must ensure their networks facilitate inter-site communications while keeping costs reasonable.  VPN technology enables us to safely transmit data streams over a public network (the internet) without fear of it being compromised.

There are many different vendors producing appliances responsible for terminating VPN tunnels and it is because of this that VPNs must conform to open standards for interoperability.  The IPsec protocol suite was developed to provide a means of securing data transfer between two points and it can provide data encryption, authentication and anti-replay mechanisms.

IPsec works at layer 3 in the OSI stack and can therefore be used independently of application encryption.  As this article is intended as a guide please remember that this is a brief overview of IPsec.

Amongst other protocols in the suite that are discussed later, IPsec relies on two protocols to provide these services, each offering different security parameters: Authentication Header (AH) and Encapsulating Security Payload (ESP).

Nowadays, AH is used when the data being sent and received is not deemed confidential and therefore does not require encryption.  AH offers connectionless integrity and data origin authentication, and optionally provides an anti-replay mechanism using sequence numbers.  The sender always includes the sequence number; whether the receiver actually performs anti-replay checking on it is optional.  AH provides authentication by appending a hash value to the packet.
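To make the anti-replay mechanism concrete, here is an added example (not code from the original post) of the sequence-number sliding window that an AH or ESP receiver keeps; the 64-packet window size, the `icv_ok` flag standing in for the integrity check result, and the packet sequence are assumptions constructed for illustration.

```python
# Added example: a sliding anti-replay window of the kind AH/ESP receivers keep.
# Window size and the sample packet sequence below are constructed for illustration.

WINDOW_SIZE = 64  # assumption: 64-packet window


class AntiReplayWindow:
    """Tracks which sequence numbers inside the window have already been accepted."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) was received

    def check_and_update(self, seq, icv_ok=True):
        """Return True if seq is fresh and the packet's integrity check (icv_ok) passed.

        The window only advances for packets that verified; otherwise forged
        sequence numbers could push legitimate packets out of the window.
        """
        if seq == 0:
            return False                       # sequence number 0 is never sent
        if seq > self.highest:                 # newer than anything seen: slide right
            if not icv_ok:
                return False
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                # every older packet falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                       # too old: outside the window
        if self.bitmap & (1 << offset):
            return False                       # already seen: replay
        if not icv_ok:
            return False
        self.bitmap |= 1 << offset             # late but in-window and fresh: accept
        return True


def replay_verdicts(seqs, window_size=WINDOW_SIZE):
    """Run a packet sequence through one window and return accept/reject per packet."""
    window = AntiReplayWindow(window_size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # constructed sample: in order, one late but in-window, one replay, two expired
    sample = [1, 2, 5, 3, 3, 70, 4, 200, 5]
    print(list(zip(sample, replay_verdicts(sample))))
```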

ESP provides data origin authentication, integrity and confidentiality, the last of which is the reason ESP is far more popular than AH.  ESP uses an encryption algorithm to scramble data so that only the receiver can unscramble it at the other end.  This means that as well as ensuring you are connected to the correct peer and that the data hasn’t been modified, you can relax knowing that if someone is sniffing data along the path they cannot decipher what has been sent.  ESP can use different encryption algorithms to provide confidentiality; more on this in later articles.

Well, that is a very brief overview of IPsec VPNs.  My next article will discuss the process of a VPN being established, used and then torn down, and articles from there on will discuss individual areas of an IPsec VPN.  Once I have bored you all to tears with IPsec I’ll do a few articles about GRE tunnels.

Stay tuned, and please remember before commenting that this is a brief overview and I’ll focus on the other areas as each article progresses.

Ian