Wednesday, June 27, 2012

VPN



VPN tutorial

use a vpn to encrypt internet traffic
all traffic between your computer and the vpn server is encrypted first
the vpn server then decrypts the traffic and sends it on to the internet, so the vpn protects the hop across the local network and isp, not the hop from the vpn server to the destination (and the vpn operator sees whatever was not separately encrypted)
a vpn is useful on wireless connections, where anyone in radio range of an open or shared-key network can capture unencrypted frames

not every website offers an https connection
with a vpn, all of the device's traffic is protected on the first hop, whether or not the destination supports https
https protects only http traffic between a browser (or other http client) and a web server; dns, voip, mail and other application protocols are protected only if each one uses its own tls, whereas the vpn tunnel covers them all


  • How VPN Works

Using VPNs, an organization can help secure private network traffic over an unsecured network, such as the Internet. VPN helps provide a secure mechanism for encrypting and encapsulating private network traffic and moving it through an intermediate network.
https://technet.microsoft.com/en-us/library/cc779919(v=ws.10).aspx

  • A virtual private network (VPN) extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. VPNs may allow employees to securely access a corporate intranet while located outside the office. They are used to securely connect geographically separated offices of an organization, creating one cohesive network. Individual Internet users may secure their transactions with a VPN, to circumvent geo-restrictions and censorship, or to connect to proxy servers for the purpose of protecting personal identity and location in order to stay anonymous on the internet. However, some Internet sites block access to known VPN technology to prevent the circumvention of their geo-restrictions.
https://en.wikipedia.org/wiki/Virtual_private_network

  • The IPsec VPN service provides secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.
https://wiki.untangle.com/index.php/IPsec_VPN


  • Using Virtual Private Networks


Introduction
This publication provides guidance on how to securely configure the use of Virtual Private Networks between geographically-separated office buildings (site-to-site VPNs) and in support of remote workers (remote access VPNs).
VPN connections can be abused by an adversary to gain access to a network without relying on malware and covert communication channels: a tunnel brought up with stolen credentials is indistinguishable from legitimate remote access unless the source, the device and the activity are checked.
For the purpose of this document, the term ‘site-to-site VPN’ is used to refer to a connection between two networks, either via dedicated communications links or over the Internet, while the term ‘remote access VPN’ is used to refer to users connecting to a network from an offsite location over the Internet.

User accounts
User accounts for VPN connections should be separate from standard user accounts. This will limit the activities that can be performed by an adversary should a VPN user account be compromised.
Further, the permissions applied to VPN user accounts should be restricted to each user’s required level of access.
This will minimise the severity of a successful compromise. VPN user accounts with minimum permissions, that can only perform basic operations on a network, will also impede the ability of an adversary to gain a foothold on a network.
For example, if a user only needs access to email services, they should be denied access to file servers.

Multi-factor authentication
Multi-factor authentication should be used for VPN connections. When multi-factor authentication has been implemented correctly, it is more difficult for an adversary to successfully exploit a network, as several authentication factors for accounts need to be compromised to gain access.

Device authentication
Device authentication is applicable to both site-to-site VPNs and remote access VPNs, and typically takes the form of a certificate issued to a device. The device, and by extension the device certificate, may or may not be tied to a specific user.

VPN termination points
VPN termination points should be placed within a DMZ, so that VPN traffic can be inspected and audited in the clear after decryption (inbound) and before encryption (outbound), rather than terminating the tunnel directly inside the internal network.

Split tunnelling
Devices accessing a network via a VPN connection should disable split tunnelling.
Split tunnelling allows a device to be simultaneously connected to an organisation’s network and directly to the Internet.
Organisations should ensure that web browsing from a device connected to a VPN connection is conducted through their internet gateway rather than via a direct connection to the Internet.
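
As an added example (not part of the ACSC guidance above), the following Python checks a Linux client's routing table for split tunnelling. It parses the text output of `ip route show`; the two routing tables embedded below are constructed samples, and the interface names, addresses and the OpenVPN `redirect-gateway def1` route pattern are assumptions about the client being checked.

```python
"""Detect split tunnelling from a Linux client's routing table.

Added example (not from the ACSC guide). Parses `ip route show` text; the
sample tables below are constructed.
"""
import sys
import ipaddress

# Constructed: OpenVPN client after `push "redirect-gateway def1"`. The physical
# default route is left in place; 0.0.0.0/1 and 128.0.0.0/1 via tun0 override it
# because they are more specific. The /32 host route to the VPN server (203.0.113.5)
# must stay on the physical interface or the tunnel would swallow its own packets.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20 metric 600
203.0.113.5 via 192.168.1.1 dev wlan0
"""

# Constructed: only the corporate 10.10.0.0/16 is routed through the tunnel, so
# web browsing leaves directly via wlan0 and bypasses the organisation's gateway.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
10.10.0.0/16 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20 metric 600
"""


def parse_routes(text):
    """Return (network, device, metric) for each `ip route show` line."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dst, strict=False)
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        metric = int(parts[parts.index("metric") + 1]) if "metric" in parts else 0
        routes.append((net, dev, metric))
    return routes


def is_full_tunnel(route_text, vpn_if="tun0"):
    """True when Internet-bound traffic can only leave via vpn_if."""
    routes = parse_routes(route_text)
    # Case 1: the preferred (lowest-metric) default route points at the tunnel.
    defaults = [r for r in routes if r[0].prefixlen == 0]
    if defaults and min(defaults, key=lambda r: r[2])[1] == vpn_if:
        return True
    # Case 2: OpenVPN's def1 pair covers the whole address space via the tunnel,
    # beating any default route regardless of metric.
    halves = {str(net) for net, dev, _ in routes if dev == vpn_if and net.prefixlen == 1}
    return halves == {"0.0.0.0/1", "128.0.0.0/1"}


if __name__ == "__main__":
    # Pipe `ip route show` in, or run without input to see the constructed samples.
    if not sys.stdin.isatty():
        print("full tunnel:", is_full_tunnel(sys.stdin.read()))
    else:
        print("sample full tunnel :", is_full_tunnel(FULL_TUNNEL))
        print("sample split tunnel:", is_full_tunnel(SPLIT_TUNNEL))
```

The def1 case is the one naive checks get wrong: OpenVPN leaves the physical `default` entry untouched and overrides it with two /1 routes, so a script that looks only at the `default` line would report a correctly configured full-tunnel client as split-tunnelled. Conversely, two default routes with the tunnel on the higher metric means the tunnel loses and the device is effectively split.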

Whitelisting connection sources
If a site-to-site VPN implementation supports whitelisting, a whitelist of approved source IP addresses (or, where the peer sits on a directly attached segment, MAC addresses) should be implemented to only allow VPN connections from approved sources. MAC addresses do not survive routing, so for tunnels across the Internet the usable attribute is the peer's public IP address.
This limits unauthorised connection attempts even when legitimate credentials have been provided; because source addresses can be spoofed, it complements rather than replaces peer authentication.
If a site-to-site VPN implementation does not support IP or MAC address whitelisting, VPN connection log entries should be monitored for anomalies. If a non-approved source appears in the VPN connection logs, it should be treated as suspicious and logged for further investigation.
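
Where the gateway cannot whitelist sources, the monitoring the guide calls for can be automated. The following Python is an added example, not from the ACSC publication or any vendor: it checks each connection-log entry against an allowlist of approved source addresses per peer identity and ranks a successful connection from an unapproved address as the most serious finding. The log format, the peer identities and the addresses (RFC 5737 documentation ranges) are constructed for this example; a real gateway's log format will differ and the regex must be adapted.

```python
"""Flag VPN connection-log entries from non-approved sources.

Added example (not from the ACSC guide). The gateway log format, peer
identities and addresses below are constructed.
"""
import ipaddress
import re

# Approved public source addresses per site-to-site peer identity. Over the
# Internet only the peer's IP address is usable here: MAC addresses never leave
# the local segment, so MAC whitelisting only applies to directly attached links.
APPROVED_SOURCES = {
    "branch-sydney": [ipaddress.ip_network("198.51.100.0/29")],
    "branch-perth": [ipaddress.ip_network("192.0.2.200/32")],
}

# Constructed log lines in a generic key=value gateway format.
LOG = """\
2012-06-27T08:01:12Z vpngw ike: peer=198.51.100.7 id=branch-sydney result=established
2012-06-27T08:03:40Z vpngw ike: peer=203.0.113.88 id=branch-sydney result=established
2012-06-27T08:05:01Z vpngw ike: peer=192.0.2.200 id=branch-perth result=established
2012-06-27T08:05:09Z vpngw ike: peer=192.0.2.201 id=branch-perth result=auth-failed
2012-06-27T08:07:55Z vpngw ike: peer=198.51.100.7 id=branch-darwin result=established
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ ike: peer=(?P<peer>\S+) id=(?P<id>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def source_approved(peer, identity):
    """True if peer (an IP address string) is inside an approved network for identity."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in APPROVED_SOURCES.get(identity, []))


def find_anomalies(log_text):
    """Return (timestamp, peer, identity, result, reason, severity) for each entry
    that needs investigation. An established tunnel from an unapproved source is
    rated high: valid credentials are being used from somewhere they should not be."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e:
            continue
        if e["id"] not in APPROVED_SOURCES:
            reason = "unknown peer identity"
        elif not source_approved(e["peer"], e["id"]):
            reason = "source address not approved for this identity"
        else:
            continue
        severity = "high" if e["result"] == "established" else "medium"
        findings.append((e["ts"], e["peer"], e["id"], e["result"], reason, severity))
    return findings


if __name__ == "__main__":
    for ts, peer, ident, result, reason, severity in find_anomalies(LOG):
        print(f"{severity:6} {ts} {ident:14} from {peer:15} ({result}): {reason}")
```

On the constructed log this reports three entries: the Sydney identity authenticating successfully from an unlisted address (high), a failed attempt against the Perth identity from an address adjacent to the approved one (medium), and an identity the gateway has never been told about (high). The first is the case the guide describes, credentials that are legitimate but presented from the wrong place.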


https://www.cyber.gov.au/publications/using-vpns

Client-to-site VPNs connect remote users to the corporate network
How to Configure a Client-to-Site IPsec VPN with Client Certificate Authentication
SSL VPN to IPsec VPN

  • VPN encryption explained: IPSec vs SSL

IPSec and SSL are the two most popular secure network protocol suites used in Virtual Private Networks, or VPNs
IPSec and SSL are both designed to secure data in transit through encryption.

This article, however, will examine how major commercial VPN providers utilize SSL and IPSec in their consumer services, which are intended to provide access to the web and not a corporate network.
VPN protocols built on IPsec include L2TP/IPsec (L2TP itself provides no encryption) and IKEv2/IPsec. SSTP, although it is often listed alongside them, tunnels PPP over SSL/TLS on TCP port 443 and so belongs with the SSL family. OpenVPN is the most popular protocol that uses SSL/TLS, specifically the OpenSSL library. SSL is used in some browser-based VPNs as well.
This article compares and contrasts IPSec and SSL encryption from the VPN end user standpoint

The differences between varying types of encryption include:

    Encryption strength, or the method and degree to which your data is scrambled
    How the encryption keys are managed and exchanged
    What interfaces, protocols, and ports they use
    What OSI layers they run on
    Ease of deployment
    Performance (read: speed)
   
Security
Consumer IPsec setups, L2TP/IPsec in particular, commonly authenticate with a pre-shared key that must exist on both the client and the server. A PSK shared among all of a provider's customers is not a secret from any of them, and anyone holding it can impersonate the server. IPsec itself does not require this: IKE also supports certificate-based (RSA or ECDSA signature) authentication, and IKEv2 adds EAP for per-user credentials.
SSL VPNs avoid the shared-secret problem because they use public key cryptography (a certificate on the server, optionally one on the client) to negotiate the handshake and exchange session keys securely. Note that IKE likewise derives its session keys from a Diffie-Hellman exchange; the PSK or certificate only authenticates the peers, it is not the key material.

Firewall traversal
NAT devices (home wifi routers and similar network hardware) rewrite source addresses and rely on transport-layer port numbers to map many inside hosts onto one public address and to match inbound packets to an existing flow. Encrypted IPsec packets (ESP, IP protocol 50) carry no port numbers, so a NAT has nothing to key its translation on and typically cannot pass them correctly. This can prevent IPsec VPNs from working behind NAT.
To get around this, IPsec has NAT traversal (NAT-T, RFC 3948): IKE detects the NAT during negotiation and ESP packets are then encapsulated in UDP, usually on port 4500, so that the NAT sees an ordinary UDP flow.
OpenVPN uses port 1194 by default for UDP traffic, but it can run over either UDP or TCP on any port, including TCP port 443. This makes SSL/TLS-based VPNs more useful for bypassing firewalls and other forms of censorship that block traffic based on ports.
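
The following Python is an added example, not from the Comparitech article, that makes the port problem concrete. It builds minimal IPv4 packets in memory (raw ESP, UDP-encapsulated ESP and IKE on port 4500, IKE on port 500, and a TCP/443 segment) and shows what a port-based NAT or stateful firewall can and cannot key a flow on. Addresses, SPIs and payloads are constructed; classifying OpenVPN and TLS by port is a heuristic, as the comments note.

```python
"""Why raw ESP gets stuck at a NAT and how NAT-T fixes it.

Added example (not from the article). Builds packets in memory; all
addresses, SPIs and payloads are constructed.
"""
import socket
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50
# RFC 3948: on UDP 4500, IKE messages carry four zero bytes where ESP would carry
# its SPI; an ESP SPI is never zero, so this byte pattern tells the two apart.
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (checksum left as 0; not needed for parsing)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp(sport, dport, payload):
    # data offset 5 (20-byte header), SYN flag, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0) + payload


def esp(spi, seq, body):
    """ESP header is only SPI + sequence number; there is no port field at all."""
    return struct.pack("!II", spi, seq) + body


def classify(pkt):
    """Parse one IPv4 packet and say what a middlebox can see of it."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    body = pkt[(ver_ihl & 0x0F) * 4:]
    info = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
            "sport": None, "dport": None, "kind": "other"}
    if proto == IPPROTO_ESP:
        info["spi"] = struct.unpack("!I", body[:4])[0]
        info["kind"] = "ESP"          # nothing for a port-based NAT to rewrite
    elif proto == IPPROTO_UDP:
        sport, dport, ulen, _ = struct.unpack("!HHHH", body[:8])
        data = body[8:ulen]
        info.update(sport=sport, dport=dport)
        if 4500 in (sport, dport):    # NAT-T: IKE and ESP share this port
            if data[:4] == NON_ESP_MARKER:
                info["kind"] = "IKE over NAT-T"
            else:
                info["kind"] = "ESP over NAT-T"
                info["spi"] = struct.unpack("!I", data[:4])[0]
        elif 500 in (sport, dport):
            info["kind"] = "IKE"
        elif 1194 in (sport, dport):  # port-based guess only; OpenVPN is configurable
            info["kind"] = "OpenVPN (default port)"
        else:
            info["kind"] = "UDP"
    elif proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", body[:4])
        info.update(sport=sport, dport=dport)
        # OpenVPN on TCP/443 is indistinguishable from HTTPS at this layer,
        # which is exactly why it is used to get through port-based filters.
        info["kind"] = "TCP/443 (TLS or OpenVPN)" if 443 in (sport, dport) else "TCP"
    return info


def nat_key(pkt):
    """The 5-tuple a NAT or stateful firewall tracks; None when there are no ports."""
    i = classify(pkt)
    if i["sport"] is None:
        return None
    return (i["src"], i["sport"], i["dst"], i["dport"], i["proto"])


# Constructed sample packets from a client behind NAT to a VPN server.
CLIENT, SERVER = "192.168.1.20", "203.0.113.5"
RAW_ESP = ipv4(CLIENT, SERVER, IPPROTO_ESP, esp(0xC0FFEE01, 1, b"\xAA" * 32))
NATT_ESP = ipv4(CLIENT, SERVER, IPPROTO_UDP, udp(4500, 4500, esp(0xC0FFEE01, 2, b"\xAA" * 32)))
NATT_IKE = ipv4(CLIENT, SERVER, IPPROTO_UDP, udp(4500, 4500, NON_ESP_MARKER + b"\x00" * 28))
IKE_INIT = ipv4(CLIENT, SERVER, IPPROTO_UDP, udp(500, 500, b"\x00" * 28))
OVPN_443 = ipv4(CLIENT, SERVER, IPPROTO_TCP, tcp(51000, 443, b"\x16\x03\x01"))

if __name__ == "__main__":
    for name, pkt in [("raw ESP", RAW_ESP), ("NAT-T ESP", NATT_ESP), ("NAT-T IKE", NATT_IKE),
                      ("IKE", IKE_INIT), ("TCP/443", OVPN_443)]:
        print(f"{name:10} kind={classify(pkt)['kind']:26} nat_key={nat_key(pkt)}")
```

The raw ESP packet yields no 5-tuple at all, which is the whole problem: two hosts behind the same NAT both sending ESP to the same server are indistinguishable to the NAT. Once the same ESP payload rides inside UDP 4500 the NAT gets a normal port pair to translate, and the four-byte marker is what lets the server tell encapsulated IKE from encapsulated ESP on that one port.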

Speed and reliability
Both are reasonably fast, but IKEv2/IPsec negotiates connections the fastest: a tunnel is up after two request/response exchanges (IKE_SA_INIT and IKE_AUTH), and IKEv2's MOBIKE extension (RFC 4555) lets an existing tunnel survive a change of client address, for example moving from wifi to mobile data, without a full renegotiation.

Ease of use
SSL works by default in most web browsers, but a third-party application is usually necessary to use OpenVPN.
The general consensus is that IPsec is preferable for site-to-site VPNs, and SSL is better for remote access.
The reason is that IPsec operates at the Network Layer of the OSI model, so a connected host gets IP reachability to the corporate network regardless of application.
Restricting such a user to specific resources then depends on firewall policy applied at the termination point.
SSL VPNs, on the other hand, operate at the application/session level and so let enterprises control remote access at a granular level to specific applications.

IPSec vs SSL VPNs: conclusion
OpenVPN, which uses the OpenSSL library for encryption and authentication, is reasonably fast, very secure, open source, and can traverse NAT firewalls
It can support either the UDP or TCP protocol.
https://www.comparitech.com/blog/vpn-privacy/ipsec-vs-ssl-vpn/
IPsec vs. SSL VPNs: Understanding the basics

Comparison : SSL VPN vs IPSEC tunneling 
SSL VS IPSEC
Cisco Secure Remote Access Cisco ASA 5500 Series SSL/Ipsec VPN Edition

SSL VPN


Explanation of VPN Technologies:

Site-to-Site VPN:

  • Creates a secure tunnel between two network locations, allowing them to communicate privately over the public internet.
  • Used for connecting geographically dispersed offices, data centers, or cloud environments.
  • Provides secure access to resources and applications located on the remote network.
  • Commonly implemented with technologies like IPsec, DMVPN, or FlexVPN.

DMVPN (Dynamic Multipoint VPN):

  • A Cisco design that builds on multipoint GRE tunnels, NHRP for next-hop resolution and IPsec for encryption (rather than being an extension of IPsec itself) to provide Site-to-Site VPN connections over shared infrastructure, such as MPLS or the public internet.
  • Provides dynamic tunnel establishment, including direct spoke-to-spoke tunnels, between multiple sites without a statically configured tunnel for every pair of sites.
  • Efficiently utilizes network resources and simplifies VPN deployment and management.

IPsec (IP Security):

  • A suite of protocols and standards for securing IP communication.
  • Encrypts data in transit and provides authentication and integrity checks.
  • Commonly used for implementing Site-to-Site and remote access VPNs.
  • Offers strong security capabilities but can be complex to configure and manage.

FlexVPN (Flexible VPN):

  • Cisco's IKEv2-based VPN framework: the protocol underneath is standard IKEv2, while the configuration model is Cisco-specific.
  • Replaces the separate crypto-map, DMVPN and EasyVPN configurations with one model covering site-to-site, hub-and-spoke, spoke-to-spoke and remote access scenarios.
  • Provides a single, consistent set of configuration constructs (IKEv2 proposals, policies, profiles and virtual tunnel interfaces) for all of these scenarios.
  • Supports dynamic tunnel establishment and per-peer policy enforcement for easier deployment and management.

IKE (Internet Key Exchange):

  • A protocol responsible for key negotiation and establishment of secure IPsec tunnels.
  • Utilizes strong cryptographic algorithms to ensure secure communication.
  • Two versions exist; IKEv2 (RFC 7296) is the current one, is simpler and more robust than IKEv1 (built-in NAT traversal, dead peer detection, EAP authentication, MOBIKE), and should be preferred for new deployments.
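
For both the PSK-versus-public-key point in the Security section above and the IKE description here, the following Python is an added example (not from either source, and not a usable IKE implementation: no message framing, SA proposals or retransmission). It carries out the Diffie-Hellman and nonce part of an IKEv2 IKE_SA_INIT exchange for both peers, derives SKEYSEED as RFC 7296 defines it, and computes the shared-key AUTH value used in IKE_AUTH, to show that a pre-shared key only authenticates the peers and is not the key material. The 1024-bit MODP group 2 prime from RFC 2409 is embedded because it is short enough to print; the group, the choice of HMAC-SHA256 as prf and the nonce length are assumptions for the example, and real deployments should use group 14 (2048-bit) or larger, or an ECP group.

```python
"""IKEv2 IKE_SA_INIT key agreement and shared-key AUTH, reduced to the crypto.

Added example (not from the sources, not a working IKE). Standard library only.
"""
import hashlib
import hmac
import secrets

# MODP group 2 prime (RFC 2409), used here only because it is short to embed.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def prf(key, data):
    """IKEv2 prf; PRF_HMAC_SHA2_256 is assumed for this example."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Peer:
    """One side of the exchange: a private DH exponent and a fresh nonce."""

    def __init__(self):
        self.x = secrets.randbelow(P - 2) + 1     # private DH exponent
        self.nonce = secrets.token_bytes(32)      # Ni or Nr

    def ke_payload(self):
        return pow(G, self.x, P)                  # g^x mod p, sent in the KE payload

    def shared_secret(self, peer_ke):
        # Reject KE values that collapse the shared secret to 1 or p-1: an
        # attacker who injects one learns the result without knowing any secret.
        if not 1 < peer_ke < P - 1:
            raise ValueError("invalid KE payload")
        return pow(peer_ke, self.x, P)


def skeyseed(ni, nr, g_ir):
    """RFC 7296 section 2.14: SKEYSEED = prf(Ni | Nr, g^ir)."""
    return prf(ni + nr, g_ir.to_bytes(P_BYTES, "big"))


def ike_sa_init(initiator, responder):
    """Both IKE_SA_INIT messages at the level of their KE and nonce values.
    Returns what each side derives independently; the two must match."""
    ke_i, ni = initiator.ke_payload(), initiator.nonce   # I -> R: KEi, Ni
    ke_r, nr = responder.ke_payload(), responder.nonce   # R -> I: KEr, Nr
    seed_i = skeyseed(ni, nr, initiator.shared_secret(ke_r))
    seed_r = skeyseed(ni, nr, responder.shared_secret(ke_i))
    return seed_i, seed_r


def auth_psk(psk, signed_octets):
    """RFC 7296 section 2.15, shared-key AUTH payload:
    AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>).
    The PSK never enters SKEYSEED; it only proves identity. Anyone holding it
    can produce a valid AUTH for either side, which is why a PSK shared among
    many peers is the weak point and per-peer certificates are preferred."""
    return prf(prf(psk, b"Key Pad for IKEv2"), signed_octets)


if __name__ == "__main__":
    i, r = Peer(), Peer()
    seed_i, seed_r = ike_sa_init(i, r)
    print("SKEYSEED match:", seed_i == seed_r, seed_i.hex()[:16] + "...")
    print("AUTH(psk):", auth_psk(b"s3cret", b"example signed octets").hex()[:16] + "...")
```

Two things worth noticing when running it: the session key material comes out identical on both sides although neither the PSK nor any certificate was involved, and the same exchange run twice gives different SKEYSEED values because the exponents and nonces are fresh. Authentication, whether by PSK or by signature, is layered on afterwards, which is why a leaked PSK lets an attacker impersonate a peer but does not by itself decrypt past sessions.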

RAVPN (Remote Access VPN):

  • Provides secure remote access to corporate networks for individual users or devices.
  • Allows users to connect to the network from anywhere with an internet connection.
  • Often implemented using technologies like IPsec or SSL VPN.

GETVPN (Group Encrypted Transport VPN):

  • A Cisco technology for encrypting site-to-site traffic across a private WAN such as MPLS; it is not a remote access VPN.
  • Tunnel-less: a key server distributes a shared group key and policy to all group members using GDOI (RFC 6407), and members encrypt with IPsec while preserving the original IP header, so existing routing and multicast keep working.
  • Suited to any-to-any encryption between many sites; because the original addressing stays visible, it is intended for private networks rather than the public Internet.

In summary:

  • Site-to-Site VPN creates secure links between networks.
  • DMVPN is a dynamic and efficient Site-to-Site VPN solution.
  • IPsec is a suite of protocols for secure IP communication.
  • FlexVPN simplifies VPN deployment and management.
  • IKE negotiates keys and establishes secure IPsec tunnels.
  • RAVPN provides secure remote access for individual users.
  • GETVPN is a Cisco technology for tunnel-less, group-keyed encryption across a private WAN.

Choosing the appropriate technology depends on the specific requirements of your network and security needs.

These are different VPN (Virtual Private Network) technologies used to establish secure connections over the internet or untrusted networks. Here's an overview of each:

1. Site-to-Site VPN (Site2Site):

  • Description: Site-to-Site VPN connects multiple sites or networks securely over the internet, allowing communication between different locations of an organization.
  • Use Case: Ideal for connecting branch offices, data centers, or multiple locations within an organization to create a seamless network.

2. Dynamic Multipoint VPN (DMVPN):

  • Description: DMVPN is a scalable VPN solution that simplifies the hub-and-spoke network topology, allowing direct spoke-to-spoke communication without requiring traffic to pass through the hub.
  • Use Case: Suited for networks with multiple branch locations needing direct communication while maintaining security and scalability.

3. IPsec (Internet Protocol Security):

  • Description: IPsec is a protocol suite used to secure communication at the IP layer by encrypting and authenticating IP packets.
  • Use Case: Widely used in VPNs to establish secure connections, ensuring confidentiality, integrity, and authenticity of transmitted data.

4. FlexVPN / IKE (Internet Key Exchange):

  • Description: FlexVPN is a highly modular and scalable VPN framework developed by Cisco, providing flexibility in configuration and deployment options. IKE is a key management protocol used within FlexVPN to establish security associations.
  • Use Case: Offers versatility and adaptability in deploying VPN solutions across various network architectures.

5. Remote Access VPN (RAVPN):

  • Description: Remote Access VPN allows individual users or remote devices to securely connect to a corporate network from external locations, typically over the internet.
  • Use Case: Enables remote employees or users to access resources on a private network securely while working from different locations.

6. Group Encrypted Transport VPN (GETVPN):

  • Description: GETVPN is a tunnel-less VPN architecture that encrypts unicast and multicast IP traffic within a private network such as an MPLS WAN, using a group key that a key server distributes to all members (GDOI) and preserving the original IP header.
  • Use Case: Suited for enterprises needing any-to-any encryption across their private WAN, including multicast traffic, without the per-pair tunnels of point-to-point IPsec.

Each VPN technology has its strengths and applications depending on the specific requirements of an organization, such as scalability, security, ease of deployment, or support for different network architectures. Choosing the right VPN solution involves considering factors like network topology, security needs, scalability, and the types of traffic to be secured.


1 comment:

  1. I got much interesting stuff here. The post is great! Thanks for sharing it! VPN service for Windows
