In this lesson, we're going to talk about the different VPN protocols. But first, a reminder of what a virtual private network, or VPN, is. It's a secure connection between two or more computers or devices that aren't on the same private network, creating a virtual private network.

Now, when we talk about VPN protocols, there are three big ones we're going to talk about in this lesson: PPTP, L2TP and IPSec.

The first VPN protocol we're going to talk about is the Point-to-Point Tunneling Protocol, or PPTP. This is a protocol that encapsulates PPP packets and ultimately sends data out as encrypted traffic. Now, what is PPP? PPP is the Point-to-Point Protocol, and it was originally used for dial-up connections, but it's used in combination with the PPTP protocol over port 1723 to allow servers and devices to connect over a wide area network like the internet. Now, PPTP uses CHAP-based authentication, and that makes it vulnerable to attack. If you're going to use PPTP for your VPNs, you should always require that a strong authentication mechanism be used instead, something like EAP-TLS, like we've talked about before.
This is going to rely on PKI and digital certificates for stronger authentication. Otherwise, you should look at something like L2TP or IPSec.

And that brings us to L2TP. L2TP is the Layer 2 Tunneling Protocol. This is going to give you a connection between two or more computers or devices that aren't on the same private network. Notice here, I didn't use the word secure. That is because L2TP is not secure on its own; it provides no encryption and no confidentiality by itself. Instead, we usually are going to pair it with IPSec to provide that security. IPSec is going to provide us with the encryption and confidentiality while we're using L2TP, and this is going to enable us to use things like PKI with L2TP if we're using Windows Servers as part of that authentication process. L2TP is used over port 1701, as you may remember from our Ports and Protocols lesson.

Now, IPSec is a TCP protocol that authenticates and encrypts IP packets, effectively securing those communications between computers and devices using the protocol.
This is going to create a nice secure tunnel for us that we can send our traffic through and create our VPNs across. This is what we use heavily inside of VPNs. Now, when we talk about IPSec, IPSec is going to provide us confidentiality by giving us encryption, it's going to provide integrity for us by using hashing, and it's going to give us authentication by performing a key exchange.

When we talk about that key exchange, it's known as IKE, the Internet Key Exchange. This is a method that's used by IPSec to create a secure tunnel by encrypting the connection between authenticated peers. This can occur in one of three ways: Main mode, Aggressive mode or Quick mode. In Main mode, there are three separate exchanges that are going to occur. When we use Aggressive mode, the key exchange is going to happen more quickly, and it still achieves basically the same result as Main mode, but it only uses three packets. If we decide to use Quick mode, only the negotiated parameters of the IPSec session are going to be handled.
This key exchange occurs during the establishment of an IPSec tunnel in two different phases. So, let's take a look at how this happens. First we have IKE phase one, and here's where we're going to establish the encryption and authentication protocols between our two VPN endpoints. This is going to help us to create the IKE phase one tunnel when the devices authenticate using certificates or a pre-shared key. Then ISAKMP is going to be established, and using our Main or Aggressive mode, we're going to create what are known as Security Associations. Each side then creates a private key and derives a public key from it, using the Diffie-Hellman protocol. And then a key exchange is going to occur in both directions. This establishes the first phase.

So now that we have the IKE phase one tunnel created, the shared secret key that was created in phase one is then going to be used to establish encryption and integrity protocols within that IPSec tunnel. So we get a tunnel inside of a tunnel. Then the data is going to flow in each direction securely within this new tunnel, and that's going to complete our phase two.
Now, during those steps, I mentioned a term called Security Association. For the Security Plus exam, you need to know what a Security Association is. Well, a Security Association, or an SA, is an establishment of secure connections and shared security information using certificates or cryptographic keys. So, basically, it's "you trust me and I trust you": we've shared information, and now we know each other and we've verified our identities.

Now, the next thing we have to talk about is this concept of an Authentication Header. This is because the Authentication Header is a protocol used in IPSec to provide integrity and authentication. The Authentication Header is actually hashed to provide that integrity, and it's often used with an Encapsulating Security Payload, known as ESP. ESP is going to provide you integrity, confidentiality and authentication for the packets by encapsulating them and encrypting them. So, by using just the Authentication Header, we're going to get integrity and authenticity. But if we use ESP as well, we're going to get integrity, confidentiality and authenticity.
So a lot of times we'll use both of them to get us a more secure tunnel. Now, IPSec can be operated in one of two modes: there's Transport mode and there's Tunnel mode. When we talk about Transport mode, this is a host-to-host mode that encrypts only the payload of an IP packet, but not its header. I like to think about this like a semi-truck. The cab in the front that pulls the trailer, that's the header, and that part's not encrypted. But everything in that back trailer is encrypted; we put a lock on that back door. That's the idea with Transport mode. Now, that means that we can route things around the network and people are going to know where it went and where it came from, but they're not going to know what the payload is. That's pretty good. But when we do that, that means people can see where it's going, and so Transport mode is only used for transmission between hosts on a private network, or at least it should be. If you're going to send things over the internet, you really don't want to use Transport mode; instead, we want to use Tunnel mode.
And Tunnel mode is going to create an end-to-end network tunnel that's going to encrypt the entire IP packet, the payload and the header. So I like to think about this again as that semi-truck. I've got the cab in the front where the driver sits and I've got the payload in the back. If I put that entire truck into another box and put it on a ship, that's the idea of Tunnel mode: nobody can see the driver and the payload and where he's going, and nobody can see what's in the back, the payload part. And so by doing that encryption, you're going to get the entire thing tunneled. Usually we're going to use this when we're doing point-to-point over something like the internet. Tunnel mode is commonly used for transmission between networks over an untrusted network. And so you're going to see Tunnel mode used a lot inside of VPNs.