Virtual Private Networks (VPNs) and Internets

Increasingly, enterprise network connectivity has the need for cost effective, secure and reliable communication between remote users and offices.  Leased lines, dedicated circuits and other private line solutions meet the need, but their high cost often places them beyond the reach of most organizations.  A Virtual Private Network (VPN) simulates a private network through the use of authenticated, encrypted, IP tunnels, but at significantly less expense.  By utilizing an existing public network infrastructure, and with the ability to interconnect many tunnels, a private and secure internetwork can be created.  This course presents an in-depth discussion of the capabilities, standards and technologies that are necessary for successfully implementing VPNs.

• Understand the security issues motivating VPN implementation
• Identify the architectural components of a VPN
• Recognize the fundamental technology requirements for a VPN
• Discuss the potential benefits of VPNs over alternative solutions
• Have a working knowledge of data privacy, integrity and authenticity solutions offered by VPNs
• Distinguish between and identify the advantages of the various VPN protocols
• Identify the issues with designing and managing your VPN

This 3-Day Virtual Private Networks (VPNs) and Internets course will benefit network administrators, network designers, IT managers, consultants and other technical professionals interested in deploying VPNs.

Why Do I Need a VPN?

• Various attack methods
  • Denial of service, session hijacking, sniffers, port scans, replay, man in the middle, password attacks, IP address spoof, data altering, compromised key
• Alternatives to VPNs
  • A Privately Owned Data Network
    • Advantages and Disadvantages
  • Publicly Owned Data Networks
    • Advantages and Disadvantages
• The Cost Benefits of VPNs
  • Cost comparison of VPNs with alternatives

VPN Architecture and Components

• How does a VPN work?
• Components of a VPN
  • VPN client, VPN server, tunnel, transit network, encapsulation, encryption
• Common VPN implementations
  • Client to LAN VPN
  • Router to router VPN

• Keeping data confidential
  • Symmetric cryptography
    • Common algorithms; DES, 3DES, RC5, AES
  • Asymmetric cryptography
    • Common algorithms; RSA, Diffie-Hellman
• Maintaining data integrity and authenticity
  • Digital signatures and certificates
    • X.509 and PGP
  • Message digests (Hashing)
    • Hashing algorithms; MD5, SHA1, HMAC
• Public Key Infrastructure (PKI)
  • Why do I need PKI?
  • Certification Authorities (CA)
    • Maintaining your own PKI  
    • Outsourcing your PKI; 3^rd party options

• Password based systems
• Challenge handshake authentication protocols (CHAP)
• Tokens and digital certificates
• Biometric devices
• RADIUS
• Policy-based authorization

• Application layer protocols
  • Protecting email
    • PGP/MIME
    • S/MIME
  • Protecting Web Access
    • Secure Socket Layer (SSL)
• Layer 3 Tunneling Protocol
  • IPSec – What is it?
    • History of IPSec
    • How does IPSec work?
    • Advantages/Disadvantages of IPSec
• Layer 2 Tunneling Protocols
  • PPTP – What is it?
    • History of PPTP
    • How does PPTP work?
    • Advantages/Disadvantages of PPTP
  • L2F – What is it?
    • History of L2F
    • How does L2F work?
    • Advantages/Disadvantages of L2F
  • L2TP –What is it?
    • History of L2TP
    • How does L2TP work?
    • Advantages/Disadvantages of L2TP

• Communication through IPSec
  • Transport mode
  • Tunnel mode
  • IPSec and the OSI Model
    • IPSec packet modifications
  • Security Association
    • SA databases
• The IPSec Protocols
  • Authentication header (AH) protocol
    • The AH header in transport mode
    • The AH header in tunnel mode
    • Processing the AH; inbound and outbound
  • Encapsulating Security Payload (ESP)
    • ESP packet format
    • ESP in tunnel mode
    • ESP in transport mode
    • Processing the ESP; inbound and outbound
  • Internet Security Association Key Management Protocol (ISAKMP)
    • Negotiating the Security Association (SA)
    • ISAKMP header format
    • The ISAKMP payloads
    • ISAKMP exchanges
  • Internet Key Exchange (IKE)
    • Exchange modes
• IPSec User Authentication
  • Methods supported by IPSec

• PPTP Encryption Methods
  • Microsoft’s Point to Point Encryption (MPPE)
• PPTP Encapsulation
  • Generic Routing Encapsulation (GRE)
  • Issues with using GRE
• PPTP packet types
  • Control messages
  • Tunnel data
• PPTP User Authentication
  • Methods supported by PPTP

• L2TP Encryption methods
  • IPSec
• L2TP Encapsulation methods
  • UDP
• L2TP packet types
  • Control messages
  • Tunnel data
• L2TP User Authentication
  • Methods supported by L2TP

• VPN architectural models
  • Connecting remote offices
  • Remote access
  • Extranet
• Designing with IPSec in mind
• Designing with PPTP in mind
• Assessing Available VPN Products
  • Product types
    • Software implemented
    • Integrated hardware - routers and firewalls
  • Vendor offerings
• Integrating VPNs with other IP Technologies
  • QoS
  • VoIP
  • Video

• Policy driven management models
  • Profiling your users
• Centralized management
  • Automatic topology configuration
• Second generation products
  • Integrated dynamic routing protocols
  • Load balancing
  • Fault tolerance
• ISP Managed VPNs
  • Service Level Agreements (SLAs)
  • ISP VPN provider specifics
• What Vulnerabilities Remain?
  • What VPNs don’t solve