1
00:00:00,519 --> 00:00:01,703
VPNs.

2
00:00:01,703 --> 00:00:04,470
Virtual private networks, or VPNs,

3
00:00:04,470 --> 00:00:06,076
allow end users to create a tunnel

4
00:00:06,076 --> 00:00:08,196
over an untrusted network like the Internet

5
00:00:08,196 --> 00:00:10,327
and remotely and securely connect back

6
00:00:10,327 --> 00:00:11,789
to our enterprise networks.

7
00:00:11,789 --> 00:00:13,910
These VPN connections provide

8
00:00:13,910 --> 00:00:15,814
a layer of encryption around that connection,

9
00:00:15,814 --> 00:00:17,939
creating this virtual and secure circuit

10
00:00:17,939 --> 00:00:19,421
between your end user's device

11
00:00:19,421 --> 00:00:22,371
and the VPN concentrator that terminates that connection

12
00:00:22,371 --> 00:00:24,920
back inside our enterprise networks.

13
00:00:24,920 --> 00:00:27,451
VPNs are commonly used by teleworkers

14
00:00:27,451 --> 00:00:30,269
and traveling employees so that they can remotely access

15
00:00:30,269 --> 00:00:31,949
the corporate resources, things like

16
00:00:31,949 --> 00:00:34,149
our intranets and our file servers.

17
00:00:34,149 --> 00:00:37,661
This type of VPN is what we call a remote access VPN

18
00:00:37,661 --> 00:00:40,910
or a client-to-site VPN, because one person

19
00:00:40,910 --> 00:00:43,480
is connecting back to the larger site.

20
00:00:43,480 --> 00:00:45,549
Now, in addition to this, VPNs can also be used

21
00:00:45,549 --> 00:00:47,399
to connect two different sites together.

22
00:00:47,399 --> 00:00:48,970
So, instead of having to purchase

23
00:00:48,970 --> 00:00:51,520
a dedicated leased line between two offices,

24
00:00:51,520 --> 00:00:54,131
I can use the Internet as my transport path.
25
00:00:54,131 --> 00:00:56,800
For example, if a company has a small satellite office

26
00:00:56,800 --> 00:00:59,029
in Washington DC and wants to connect it back

27
00:00:59,029 --> 00:01:01,021
to their headquarters out in San Francisco,

28
00:01:01,021 --> 00:01:04,060
it could be less expensive to implement a site-to-site VPN

29
00:01:04,060 --> 00:01:06,701
instead of having to purchase a dedicated leased line

30
00:01:06,701 --> 00:01:09,701
that goes that 3,000 miles between those two cities.

31
00:01:09,701 --> 00:01:12,349
Now, when you're creating a site-to-site VPN connection,

32
00:01:12,349 --> 00:01:14,950
routers on both sides are going to be configured

33
00:01:14,950 --> 00:01:17,160
with an encryption key, and this key's going to be used

34
00:01:17,160 --> 00:01:19,080
to encrypt all of the traffic between the sites

35
00:01:19,080 --> 00:01:20,789
to keep it safe from prying eyes

36
00:01:20,789 --> 00:01:22,840
and confidential as it goes over

37
00:01:22,840 --> 00:01:25,990
that untrusted and dirty Internet between the two locations.

38
00:01:25,990 --> 00:01:27,931
VPNs rely on two different protocols

39
00:01:27,931 --> 00:01:29,460
when they're being operated.

40
00:01:29,460 --> 00:01:31,171
One is called the Point-to-Point Tunneling Protocol

41
00:01:31,171 --> 00:01:33,600
and the other one is the Layer Two Tunneling Protocol.

42
00:01:33,600 --> 00:01:36,400
These are their underlying connection protocols,

43
00:01:36,400 --> 00:01:38,410
and we're going to discuss them both in depth when we get

44
00:01:38,410 --> 00:01:41,208
to the security protocols lesson later on in this course.

45
00:01:41,208 --> 00:01:44,080
For your organization to allow VPN connections, though,

46
00:01:44,080 --> 00:01:45,861
you have to have a server sitting there

47
00:01:45,861 --> 00:01:48,370
and answering all of those requests for connection.
48
00:01:48,370 --> 00:01:50,224
If you don't want to have a dedicated server to do that,

49
00:01:50,224 --> 00:01:52,274
you can, instead, buy a hardware device

50
00:01:52,274 --> 00:01:54,266
known as a VPN concentrator.

51
00:01:54,266 --> 00:01:56,085
Now, a VPN concentrator can allow

52
00:01:56,085 --> 00:01:58,284
hundreds of simultaneous VPN connections

53
00:01:58,284 --> 00:02:01,220
from all of your remote workers to easily connect

54
00:02:01,220 --> 00:02:02,514
back into your company's intranet,

55
00:02:02,514 --> 00:02:04,269
and this frees up your server.

56
00:02:04,269 --> 00:02:07,605
One area of concern we have with VPNs is how do we ensure

57
00:02:07,605 --> 00:02:10,194
that clients aren't using split tunneling?

58
00:02:10,194 --> 00:02:12,104
Well, when they're using split tunneling,

59
00:02:12,104 --> 00:02:14,223
what this means is that a remote worker's device

60
00:02:14,223 --> 00:02:15,975
will use their own Internet connection

61
00:02:15,975 --> 00:02:18,253
for their web requests, but they're going to use

62
00:02:18,253 --> 00:02:20,952
your VPN connection for all of their intranet requests,

63
00:02:20,952 --> 00:02:22,952
like your file server requests.

64
00:02:22,952 --> 00:02:25,263
Now, this is efficient from a bandwidth perspective,

65
00:02:25,263 --> 00:02:26,670
because they don't have to send

66
00:02:26,670 --> 00:02:28,618
all of their requests over the VPN to your company

67
00:02:28,618 --> 00:02:31,674
and then out to the Internet and then back to the company

68
00:02:31,674 --> 00:02:33,794
and then back over the VPN to get to them.

69
00:02:33,794 --> 00:02:35,834
But by doing split tunneling,

70
00:02:35,834 --> 00:02:38,064
you are allowing a security risk to occur.
71
00:02:38,064 --> 00:02:40,565
This is because your company now has an alternate path

72
00:02:40,565 --> 00:02:43,154
to the Internet, because it can go from your file servers

73
00:02:43,154 --> 00:02:44,664
out to the remote worker's laptop

74
00:02:44,664 --> 00:02:46,013
and then out to the Internet,

75
00:02:46,013 --> 00:02:49,045
bypassing a lot of your network perimeter defenses.

76
00:02:49,045 --> 00:02:51,304
This can be prevented by proper configuration

77
00:02:51,304 --> 00:02:53,544
of your clients' VPNs, as well as utilizing

78
00:02:53,544 --> 00:02:56,990
proper network segmentation for your VPN concentrator

79
00:02:56,990 --> 00:02:58,470
and its connections to the Internet,

80
00:02:58,470 --> 00:02:59,524
so you can avoid split tunneling

81
00:02:59,524 --> 00:03:01,960
and get all the benefits of VPNs.