Virtual Private Networks


Overview

VPNs allow one to securely interconnect geographically distributed users and sites over the public Internet while maintaining the same security and management policies as a private network. The VPNs described here are established using IPSec.

There are two types of VPNs:

  1. Site-to-site
  2. Remote-access


IPSec

IPSec is a set of protocols that operate at the network layer, protecting and authenticating IP packets exchanged between participating IPSec peers. It provides four services:

Data Confidentiality: The IPSec sender can encrypt packets before transmitting them across a network.
Data Integrity: The IPSec receiver can authenticate packets sent by the IPSec sender to ensure that the data has not been altered in transit.
Data Origin Authentication: The IPSec receiver can authenticate the source of the IPSec packets it receives. This service depends on the data integrity service.
Anti-Replay: The IPSec receiver can detect and reject replayed packets.
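The integrity, data origin authentication and anti-replay services above are all checks performed on the receiving side, and their order matters. The following is an added example, not code from the original page or from any IPSec implementation: a simplified ESP-style receiver in Python that verifies an HMAC-SHA-256-128 integrity check value (ICV) and then applies the sliding anti-replay window described in RFC 4303 Appendix A. The framing (SPI, 32-bit sequence number, payload, ICV), the 64-packet window, the authentication key and the sample packets are all constructed for the example; encryption, padding and the ESP trailer are omitted so the example stays focused on the three authentication-related services.

```python
"""Receiver-side ESP-style checks: integrity/origin authentication via an
HMAC ICV, then anti-replay via the RFC 4303 sliding window. Simplified
framing: SPI, sequence number, payload, ICV (no encryption, no trailer).
Key, SPI and packets below are constructed for this example."""
import hashlib
import hmac
import struct

ICV_LEN = 16  # HMAC-SHA-256 truncated to 128 bits, as ESP's HMAC-SHA-256-128 does
HEADER = struct.Struct("!II")  # SPI and 32-bit sequence number, network byte order


def build_packet(spi: int, seq: int, payload: bytes, auth_key: bytes) -> bytes:
    """Sender side: the ICV covers SPI, sequence number and payload, so an
    altered header is detected just like an altered payload."""
    body = HEADER.pack(spi, seq) + payload
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


class ReplayWindow:
    """Highest sequence number seen plus a bitmap of the `size` numbers below it.
    A packet is a replay if it is already marked or lies left of the window."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0  # ESP sequence numbers start at 1, so 0 means "none yet"
        self.bitmap = 0   # bit i set => sequence number (highest - i) was received

    def is_acceptable(self, seq: int) -> bool:
        if seq == 0:
            return False  # 0 is never a valid ESP sequence number
        if seq > self.highest:
            return True   # right of the window: new, will advance it
        diff = self.highest - seq
        if diff >= self.size:
            return False  # too old: left of the window
        return not (self.bitmap >> diff) & 1  # inside window: reject duplicates

    def mark_received(self, seq: int) -> None:
        """Call only after the ICV verified, so a forged packet can neither
        advance the window nor burn sequence numbers the real peer still needs."""
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1  # jumped past the whole window; only seq is marked
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


class Receiver:
    def __init__(self, spi: int, auth_key: bytes):
        self.spi = spi
        self.auth_key = auth_key
        self.window = ReplayWindow()

    def receive(self, packet: bytes):
        """Returns (payload, "ok") or (None, reason), in RFC 4303 receive order:
        SPI lookup, preliminary replay check, ICV verification, window update."""
        if len(packet) < HEADER.size + ICV_LEN:
            return None, "too short"
        spi, seq = HEADER.unpack_from(packet)
        if spi != self.spi:
            return None, "unknown SPI"
        if not self.window.is_acceptable(seq):
            return None, "replay"
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None, "bad ICV"  # integrity/origin failed; window left untouched
        self.window.mark_received(seq)
        return body[HEADER.size:], "ok"


def demo():
    key = b"constructed-auth-key-not-a-real-key"  # constructed for the example
    spi = 0x00001000
    rx = Receiver(spi, key)
    pkts = {s: build_packet(spi, s, b"payload %d" % s, key)
            for s in (1, 2, 3, 4, 5, 70, 71)}
    results = []
    for s in (1, 2, 3, 5, 4, 70):            # 4 arrives late but inside the window
        results.append(rx.receive(pkts[s])[1])
    results.append(rx.receive(pkts[5])[1])   # seq 5 again: 65 below highest, too old
    results.append(rx.receive(pkts[1])[1])   # seq 1 again: also too old
    forged = bytearray(pkts[71])
    forged[HEADER.size] ^= 0x01              # flip one payload bit, keep seq 71
    results.append(rx.receive(bytes(forged))[1])  # bad ICV; window must not advance
    results.append(rx.receive(pkts[71])[1])  # genuine 71 is still accepted
    results.append(rx.receive(pkts[70])[1])  # 70 is now a marked duplicate
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The point to take from the ordering is that the window is updated only after the ICV verifies: an attacker who can inject packets with a high sequence number but without the authentication key must not be able to push the window forward and cause the legitimate peer's in-flight packets to be discarded as "too old".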


Internet Key Exchange

The IKE protocol allows one to implement IPSec without manual configuration of every peer.

IKE first negotiates a security association of its own, which protects only the key-management exchange, and then uses that secure channel to negotiate the pair of IPSec security associations (one per direction) that carry the user traffic. Unlike IPSec, IKE never transmits user data.

One can manually configure security associations to establish an IPSec tunnel between two peers. This method is less secure, because manually configured security associations do not expire automatically, so the same keys remain in use indefinitely. It also scales poorly: each time a peer that uses IPSec is added, a new pair of security associations must be configured on every existing peer. For this reason, manual configuration is used only when the remote peer does not support IKE.

IKE security associations can be established using pre-shared keys, in a way similar to the manual configuration of IPSec security associations. This method suffers from the same scalability problem, since a key must be configured on both sides of every pair of peers. A certification authority (CA) provides a scalable alternative: each peer needs only its own key pair and certificate, plus trust in the CA.


Certification Authorities

Certification authorities issue public key certificates that are valid for a specific period of time. A public key certificate, or digital certificate, binds a public key to the identity of its holder; for an IPSec peer that identity is typically its IP address or host name. Public/private keys, also called asymmetric keys, are a pair of keys with the property that data encrypted with one key can only be decrypted using the other. The private key is kept secret and the public key is made freely available.

A certification authority can be private, run in-house by one's own organization, or public, such as VeriSign. When a peer needs to send a secret to another peer, it encrypts the information with that peer's public key, and the recipient uses its private key to decrypt it. Conversely, if a message's signature verifies under a given public key, one knows for certain that it was produced by the holder of the corresponding private key; this is how a peer proves its identity during IKE.

Digital certificates are used by the IKE protocol to authenticate the peers while creating the initial security association and establishing the secure channel over which the IPSec security associations are negotiated. Both peers must:

  1. Generate public/private key pairs.
  2. Request and receive public key certificates.
  3. Trust the CA that issues the certificates.


Site-to-Site VPN

A site-to-site VPN is an alternative WAN infrastructure used to securely connect remote and branch offices. For site-to-site VPNs, the firewall can interoperate with any VPN-enabled network device, such as a VPN router.

Site-to-site VPNs are established between the firewall and a remote IPSec security gateway. The remote IPSec security gateway can be a VPN-enabled firewall, concentrator, or router, or any IPSec-compliant third-party device.


Remote Access VPN

A remote access VPN uses analog, dial, ISDN, DSL, mobile IP, and cable technologies to securely connect mobile users, telecommuters, and other individual systems to a network protected by the firewall, using a VPN client such as.