Virtual Private Networks – Cisco Security Tools
You often do not want network devices between your host and some destination to be able to see the information you are sending. Virtual private networks (VPNs) use cryptography to hide traffic passing across the Internet. Figure 20-14 illustrates a VPN.
Figure 20-14 A Virtual Private Network

Assume host A wants to communicate with server F without any other host connected to the public Wi-Fi network, such as mobile device B, being able to see the information it sends.
Host A can accomplish this by building an encrypted tunnel using IPsec to some intermediate device, such as server D. In this case:
• Host A creates a packet with A as its source and F as its destination address.
• Host A encrypts this packet and encapsulates it in a second, outer packet whose source is A and whose destination is server D (IPsec tunnel mode). The original packet is now the payload of the outer packet.
• Host A sends the outer packet to router C. Device B sees only the outer header (source A, destination D); it cannot read the inner packet.
• Router C forwards the outer packet to server D.
• Server D strips the outer header, decrypts the payload, and finds a packet destined for F.
• Server D forwards the inner packet, the packet A created, to F.
From F's perspective, the packet's source is still host A, so traffic from F to A travels directly back through the network, outside the tunnel. Since the packet was decrypted at D, devices beyond D, such as router E, can still see the plaintext data, in both directions.
Encrypting only the packets host A sends toward F, and only as far as D, might not seem very useful, but it does make the A to F connection more secure. Consider what happens when A starts an encrypted session with F.
Host A must start this session with a TCP three-way handshake and then negotiate a session key with F. If a device on the public Wi-Fi path, such as router C, can intercept this initial exchange, it may be able to insert itself as a man-in-the-middle (MITM): it negotiates one session with A while posing as F and a second session with F while posing as A, and can then read all the data traveling between them. Merely observing a properly authenticated key exchange does not reveal the key; the danger is an attacker that can intercept and alter the handshake, which is exactly what an untrusted Wi-Fi router can do.
Carrying the handshake inside the tunnel to D moves it out of reach of the devices on the public Wi-Fi portion of the path, which increases the overall security of the session.
If more security is desired, host A can build a Secure Sockets Layer (SSL, today Transport Layer Security, TLS) session to server D instead of an IPsec tunnel. In this case, server D acts as a proxy, terminating A's connection: the connection between host A and server D is separate from the connection between D and F, and D opens that second connection from its own address.
From F's perspective, the source IP address is server D. In this case:
• Host A builds a packet with D as the destination address. The data inside this packet is encrypted using a session key negotiated by A and D.
• Host A sends this packet to router C. Device B cannot read the contents of this packet because it is encrypted.
• Router C forwards this traffic to D.
• Server D decrypts the data and sends it to server F in packets that carry D's source address.
• Server F sends its responses to D.
• Server D encrypts F’s responses into its encrypted tunnel with host A and sends them back over the network to A. Device C cannot read these packets because they are encrypted.
If A and F also build an encrypted session, the traffic from A to D is double encrypted, once by the A to F session and once by the A to D tunnel, and the traffic from D to F still carries the A to F encryption. Router E sees the traffic with only the outer layer removed: if there is no A to F session, E can read the data; if there is one, E sees only that D is talking to F and the size and timing of the packets.
Proxies encrypt traffic in both directions between the host and the proxy, and hide the origin's IP address from the destination. A one-way tunnel across the open Internet, like the A to D tunnel above, protects traffic in only one direction and does not hide the origin's IP address.
Organizational VPNs, however, can protect traffic in both directions. Assume server H is within an organization's network, such as a company or college, and router G acts as the VPN server (the tunnel endpoint) for that network. In this case:
• Host A builds a packet with H’s destination address.
• The host encapsulates this packet in an encrypted IPsec packet with G’s destination and forwards it to router C. Device B cannot read the contents of this packet because it is encrypted.
• Router C forwards this packet toward G. Router E cannot read the contents of this packet because it is encrypted.
• Router G receives the packet, decrypts it, and finds a packet destined for server H. Router G forwards it to H over the internal organizational network.
• Server H responds with a packet whose destination is A's address. The only route H has to that address is through router G; it cannot reach A across the global Internet.
• Router G looks up the destination and finds that its path to A is through a tunnel interface. Because that interface is an IPsec tunnel, G encrypts the packet and sends it toward A. Routers E and C cannot read it.
• Host A receives the packet and decrypts it.
Because an organization controls the path traffic takes through its own network, it can ensure both directions of a flow enter the tunnel, which is why tunneled VPNs are the common solution for organizational VPNs.
Many commercially available VPN products can act in either tunneled or proxy mode, depending on the traffic sent over the secured connection.
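The three packet flows above (the one-way IPsec tunnel to D, the SSL/TLS proxy at D, and the organizational VPN through G) as an added simulation, not code from the original chapter. It uses the host letters from Figure 20-14, constructed keys in place of the ones IKE or the TLS handshake would negotiate, and an HMAC-SHA256 encrypt-then-MAC construction as a stand-in for ESP or TLS record encryption. Each scenario returns what an on-path device (B, C, or E) can see at each hop and which source address the far end observes; the `e2e_key` argument to `one_way_tunnel` shows the "double encrypted" case.

```python
"""Simulation of the VPN patterns in Figure 20-14: one-way IPsec tunnel, SSL/TLS proxy,
and organizational VPN.  Host names and keys are assumptions made for the example."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes          # plaintext, or ciphertext readable only by the tunnel/session endpoints
    encrypted: bool = False


# Constructed demo keys.  In a real deployment these are negotiated by IKE (IPsec) or the
# TLS handshake; they are fixed here only so the example runs offline.
KEY_AD = hashlib.sha256(b"demo session key A<->D").digest()
KEY_AG = hashlib.sha256(b"demo session key A<->G").digest()
KEY_AF = hashlib.sha256(b"demo end-to-end key A<->F").digest()


def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a stand-in PRF; real ESP/TLS use AES-GCM or ChaCha20-Poly1305.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key, blob):
    """Verify the tag, then decrypt; raises if the packet was altered or the key is wrong."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def encode(pkt):
    return f"{pkt.src}|{pkt.dst}|{int(pkt.encrypted)}|".encode() + pkt.payload


def decode(raw):
    src, dst, enc, payload = raw.split(b"|", 3)   # maxsplit=3 keeps any '|' bytes inside the payload
    return Packet(src.decode(), dst.decode(), payload, enc == b"1")


def encapsulate(inner, key, outer_src, outer_dst):
    """IPsec tunnel mode: the whole inner packet becomes the encrypted payload of a new outer packet."""
    return Packet(outer_src, outer_dst, seal(key, encode(inner)), encrypted=True)


def decapsulate(outer, key):
    """Tunnel endpoint: strip the outer header, decrypt, and recover the inner packet."""
    return decode(open_(key, outer.payload))


def view(pkt):
    """What an on-path device learns: headers always, payload only if it is not encrypted past it."""
    return (pkt.src, pkt.dst, None if pkt.encrypted else pkt.payload)


def one_way_tunnel(data=b"GET /secret", e2e_key=None):
    """A tunnels to D only; D forwards A's own packet to F, and F replies directly to A."""
    payload = seal(e2e_key, data) if e2e_key else data
    inner = Packet("A", "F", payload, encrypted=e2e_key is not None)
    on_wifi = encapsulate(inner, KEY_AD, "A", "D")           # A -> C -> D
    beyond_d = decapsulate(on_wifi, KEY_AD)                  # D -> E -> F, source still A
    reply = Packet("F", "A", seal(e2e_key, b"200 OK") if e2e_key else b"200 OK",
                   encrypted=e2e_key is not None)            # F -> E -> C -> A, no tunnel
    return {"B_or_C": view(on_wifi), "E_forward": view(beyond_d), "E_return": view(reply)}


def proxy(data=b"GET /secret"):
    """A has an SSL/TLS session with D; D re-originates the connection to F from its own address."""
    to_proxy = Packet("A", "D", seal(KEY_AD, data), encrypted=True)        # A -> C -> D
    from_proxy = Packet("D", "F", open_(KEY_AD, to_proxy.payload))         # D -> E -> F, source is D
    reply = Packet("F", "D", b"200 OK")                                    # F -> E -> D
    to_a = Packet("D", "A", seal(KEY_AD, reply.payload), encrypted=True)   # D -> C -> A
    return {"B_or_C": view(to_proxy), "E_forward": view(from_proxy),
            "E_return": view(reply), "A_gets": open_(KEY_AD, to_a.payload)}


def org_vpn(data=b"GET /secret"):
    """A tunnels to VPN router G; H's only route back to A is G's tunnel interface, so both directions are encrypted."""
    outbound = encapsulate(Packet("A", "H", data), KEY_AG, "A", "G")        # A -> C -> E -> G
    inside = decapsulate(outbound, KEY_AG)                                  # G -> H, internal network
    inbound = encapsulate(Packet("H", "A", b"200 OK"), KEY_AG, "G", "A")    # G -> E -> C -> A
    return {"C_or_E_forward": view(outbound), "H_gets": view(inside),
            "C_or_E_return": view(inbound), "A_gets": view(decapsulate(inbound, KEY_AG))}


if __name__ == "__main__":
    for name, fn in (("one-way tunnel", one_way_tunnel), ("proxy", proxy), ("organizational VPN", org_vpn)):
        print(name, fn())
    print("double encrypted", one_way_tunnel(e2e_key=KEY_AF))
```

Running the module prints each trace. The `None` entries are the hops where an observer sees only headers, which is exactly the asymmetry the text describes: the one-way tunnel leaves both `E_forward` and `E_return` readable, the proxy hides the data from E only if A and F encrypt end to end and swaps A's address for D's, and the organizational VPN hides the payload from C and E in both directions because H's reply can only leave through G's tunnel interface.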