VPN Tutorial Guide
A VPN (Virtual private network) is a secure connection between two or more endpoints.
It can also be seen as an extension to a private network. A VPN saves organizations \ companies from renting expensive dedicated leased lines,
VPN's give the ability for users to work from home and saves cost on resources such as e-
mail servers, file servers, etc, as all these can be accessed on the VPN connection at the
central site
A VPN is commonly used to provide secure connectivity to a site. There are two key types of VPN scenarios, Site to Site VPN and a Remote Access VPN.
Site to Site VPN
In a site to site VPN data is encrypted from one VPN gateway to the other, providing a secure link between two sites over the internet. This would enable both sites to share resources such as documents and other types of data over the VPN link. Site to site VPN is a VPN tunnel between two or more sites. This would allow offices to share files and other resources. A VPN tunnel would be created using VPN gateways on each site usually using IPSec to secure the VPN connection over the internet.
When a tunnel has been created between sites, users are able to access and share files and resources easily. However this would all rely on an internet connection and relying that both sites ISP's are up. Some site to site VPN's are configured using multi-wan setup which would provide them with some redundancy if an ISP went down. So on their VPN they would have two ISP's connected. The primary ISP would usually be the faster internet connection, and they would have a slower link connected as a back-up link. This backup link would come into affect if the primary ISP goes down.
VPN's can also be setup in a site to multi site configuration. So you would have all branch offices connected to the head office VPN. The branch offices can connect to each other via the head office. This is usually referred to as a hub and spoke deployment. The head office is the hub, and the branch offices are the spokes connecting to the hub. The head office VPN appliance would need to be powerful and scalable to provide connectivity to all branch offices.
Remote access users or Mobile users
In a remote access VPN scenario which is also known as mobile VPN a secure connection would be made from an individual computer to a VPN gateway. This would enable a user to access their e-mail, files and other resources at work from where ever they may be, providing they have an internet connection. There are two common forms of technology that exists in remote access VPN known as IPSec and SSL that are covered further below.
Remote access users are end users and employees who access their corporate network remotely. This would be via a VPN client. On the remote user's laptop VPN client software would be installed, which a remote user would use to connect to their VPN gateway at the corporate site over the internet. Initially when the client software is installed on a laptop, it would require setting up, so that it knows how to reach the corporate VPN gateway and how to encrypt and authenticate to it as well as other parameters.
Usually the VPN client software also consists of a firewall protecting them as well as the corporate network from outside threats. After all a remote user with a laptop can be a threat to the corporate network. The laptop may contain viruses and trojans. So for this reason a firewall is required mainly to protect the corporate network, as well as the remote user's laptop.
Also many VPN servers now come with the ability to control their end user's via network access control. For example if the laptop is not on the latest windows patch, is not up to date with the newest anti virus dat files, has not got a certain application running, then the laptop is not allowed access to the corporate network.
VPN Networking Protocols PPTP (Point to Point tunneling protocol)
PPTP is a protocol or technology that supports the use of VPN’s. Using PPTP, remote users can access their corporate networks securely using the Microsoft Windows Platforms and other PPP (Point to Point tunneling Protocols) enabled systems. This is achieved with remote users dialing into their local internet security providers to connect securely to their networks via the internet.
PPTP has its issues and is considered as a weak security protocol according to many experts, although Microsoft continues to improve the use of PPTP and claims issues within PPTP have now been corrected. Although PPTP is easier to use and configure than IPSec, IPSec outweighs PPTP in other areas such as being more secure and a robust protocol.
In a remote access VPN scenario which is also known as mobile VPN a secure connection would be made from an individual computer to a VPN gateway. This would enable a user to access their e-mail, files and other resources at work from where ever they may be, providing they have an internet connection. There are two common forms of technology that exists in remote access VPN known as IPSec and SSL that are covered further below.
Remote access users are end users and employees who access their corporate network remotely. This would be via a VPN client. On the remote user's laptop VPN client software would be installed, which a remote user would use to connect to their VPN gateway at the corporate site over the internet. Initially when the client software is installed on a laptop, it would require setting up, so that it knows how to reach the corporate VPN gateway and how to encrypt and authenticate to it as well as other parameters.
Usually the VPN client software also consists of a firewall protecting them as well as the corporate network from outside threats. After all a remote user with a laptop can be a threat to the corporate network. The laptop may contain viruses and trojans. So for this reason a firewall is required mainly to protect the corporate network, as well as the remote user's laptop.
Also many VPN servers now come with the ability to control their end user's via network access control. For example if the laptop is not on the latest windows patch, is not up to date with the newest anti virus dat files, has not got a certain application running, then the laptop is not allowed access to the corporate network.
VPN Networking Protocols PPTP (Point to Point tunneling protocol)
PPTP is a protocol or technology that supports the use of VPN’s. Using PPTP, remote users can access their corporate networks securely using the Microsoft Windows Platforms and other PPP (Point to Point tunneling Protocols) enabled systems. This is achieved with remote users dialing into their local internet security providers to connect securely to their networks via the internet.
PPTP has its issues and is considered as a weak security protocol according to many experts, although Microsoft continues to improve the use of PPTP and claims issues within PPTP have now been corrected. Although PPTP is easier to use and configure than IPSec, IPSec outweighs PPTP in other areas such as being more secure and a robust protocol.
L2TP (Layer 2 Tunneling Protocol)
L2TP is an extension of the PPTP (Point to point tunneling protocol), used by internet
service providers to provide VPN services over the internet. L2TP combines the
functionality of PPTP and L2F (Layer 2 forwarding protocol) with some additional
functions using some of the IPSec functionality. Also L2TP can be used in conjunction
with IPSec to provide encryption, authentication and integrity. IPSec is the way forward
and is considered better than the layer 2 VPN’s such as PPTP and L2TP.
4 key functions or services of IPSec are as follows;
1 Confidentiality – Encrypting data, and scrambling.
2 Data Integrity – data has not been changed.
3 Data Authentication – authenticating receiver. Sender receiver is who they say they are. 4 Anti-replay – each packet is unique, has not been duplicated or intercepted.
4 key functions or services of IPSec are as follows;
1 Confidentiality – Encrypting data, and scrambling.
2 Data Integrity – data has not been changed.
3 Data Authentication – authenticating receiver. Sender receiver is who they say they are. 4 Anti-replay – each packet is unique, has not been duplicated or intercepted.
5 phases of IPSec
1 define interesting traffic
2 IKE phase 1 – key exchange phase
3 IKE phase 2 – IPSec policy and transform sets are processed
4 Transfer data – After the tunnels are established you transfer the data.
5 Tear down the tunnel
IPSec uses two different protocols to encapsulate the data over a VPN tunnel:
Encapsulation Security Payload (ESP): IP Protocol 50
Authentication Header (AH): IP Protocol 51
ESP is more secure as it provides data encryption. AH just provides authentication.
SSL VPN (Secure Socket Layer)
SSL VPN provides excellent security for remote access users as well as ease of use. SSL is already heavily used such as when you shop online, accessing your bank account online, you will notice an SSL protected page when you see the “https” in your browser URL bar as opposed to “http”.
The difference in using SSL VPN to IPSec is with IPSec a remote user would require client software which would need installing, configuring and sometimes troubleshooting. However with SSL there is no client software if a user was using the SSL portal. The portal is a GUI interface that is accessed via a web browser and contains tools and utilities in order to access applications on the network such as RDP and Outlook. SSL can also imitate the way IPSec works via a lightweight software. If a user required client SSL software, it can be installed with very little effort via a browser which simplifies the process in securely accessing to the corporate network.
Using SSL VPN would mean thousands of end user’s would be able to access the corporate network without the support of an administrator and possible hours of configuring and trouble shooting, unlike IPSec. The end user would just need to know the address of the SSL VPN portal. Another advantage is they can do this from any computer as they do not have to rely on a configured client side software.
Now vendors have started making use of the SSL application layer protocol in conjunction with VPN’s. SSL provides excellent security for remote access users as well as ease of use. SSL is already heavily used such as when you shop online, accessing your bank account online, you will notice an SSL protected page when you see the “https” in your browser URL bar as opposed to “http”. The difference in using SSL VPN is, with IPSec a remote user would require client software and would need to configure this.
2 IKE phase 1 – key exchange phase
3 IKE phase 2 – IPSec policy and transform sets are processed
4 Transfer data – After the tunnels are established you transfer the data.
5 Tear down the tunnel
IPSec uses two different protocols to encapsulate the data over a VPN tunnel:
Encapsulation Security Payload (ESP): IP Protocol 50
Authentication Header (AH): IP Protocol 51
ESP is more secure as it provides data encryption. AH just provides authentication.
SSL VPN (Secure Socket Layer)
SSL VPN provides excellent security for remote access users as well as ease of use. SSL is already heavily used such as when you shop online, accessing your bank account online, you will notice an SSL protected page when you see the “https” in your browser URL bar as opposed to “http”.
The difference in using SSL VPN to IPSec is with IPSec a remote user would require client software which would need installing, configuring and sometimes troubleshooting. However with SSL there is no client software if a user was using the SSL portal. The portal is a GUI interface that is accessed via a web browser and contains tools and utilities in order to access applications on the network such as RDP and Outlook. SSL can also imitate the way IPSec works via a lightweight software. If a user required client SSL software, it can be installed with very little effort via a browser which simplifies the process in securely accessing to the corporate network.
Using SSL VPN would mean thousands of end user’s would be able to access the corporate network without the support of an administrator and possible hours of configuring and trouble shooting, unlike IPSec. The end user would just need to know the address of the SSL VPN portal. Another advantage is they can do this from any computer as they do not have to rely on a configured client side software.
Now vendors have started making use of the SSL application layer protocol in conjunction with VPN’s. SSL provides excellent security for remote access users as well as ease of use. SSL is already heavily used such as when you shop online, accessing your bank account online, you will notice an SSL protected page when you see the “https” in your browser URL bar as opposed to “http”. The difference in using SSL VPN is, with IPSec a remote user would require client software and would need to configure this.
However with SSL VPN you do not need any client software as you log into a portal.
You just need the URL address and use a web browser to access the portal.The portal is a
GUI interface that is accessed via a web browser and contains tools and utilities in order
to access applications on the network such as RDP and Outlook. SSL VPN can also
imitate the way IPSec works via a lightweight software client that can be configured and
installed without much effort, which simplifies the process in securely accessing the
corporate network.
Key points between IPSec and SSL VPN's
SSL VPN is accessed via a web portal front end after a secure https connection has been established between the client and server. From here a user can access the configured enterprise applications. IPSec VPN connectivity happens via the configured client software, and when connected can use resources available on the network.
SSL is very easy and simple to install and use as compared to IPSec. The IPSec protocol is sometimes blocked in public places such as hotels and cafe's where SSL is usually always open.
IPSec software has to be installed and configured on all client machines before being able to remotely connect. With SSL, the remote user only requires a web browser and the possibility to be able to download and install Java or ActiveX.
IPSec provides security to network access only, where SSL VPN's provides secure access to certain applications. IPSec is suitable for LAN to LAN or gateway to gateway connectivity where SSL VPN is suitable for remote client access only.
IPSec is an all or nothing scenario. This means you are either connected to the network or you are not. SSL VPN has much tighter control and can be setup so that for certain users they get access to certain applications only and can only access the network if their system is compliant.
Key points between IPSec and SSL VPN's
SSL VPN is accessed via a web portal front end after a secure https connection has been established between the client and server. From here a user can access the configured enterprise applications. IPSec VPN connectivity happens via the configured client software, and when connected can use resources available on the network.
SSL is very easy and simple to install and use as compared to IPSec. The IPSec protocol is sometimes blocked in public places such as hotels and cafe's where SSL is usually always open.
IPSec software has to be installed and configured on all client machines before being able to remotely connect. With SSL, the remote user only requires a web browser and the possibility to be able to download and install Java or ActiveX.
IPSec provides security to network access only, where SSL VPN's provides secure access to certain applications. IPSec is suitable for LAN to LAN or gateway to gateway connectivity where SSL VPN is suitable for remote client access only.
IPSec is an all or nothing scenario. This means you are either connected to the network or you are not. SSL VPN has much tighter control and can be setup so that for certain users they get access to certain applications only and can only access the network if their system is compliant.
Setting up VPN with IPSec
Below is a basic overview in the typical way a site to site VPN is configured using IPSec. IPSec is chosen as the example because it’s the most commonly used technology and is known to be a solid, robust and secure VPN technology.
You may be new to all the VPN terminology, so clicking on the links in this VPN article will give you a good understanding on meanings within the below guide.
Basics in setting up a site to site VPN with IPSec
Below covers what is required to set up a VPN connection on a VPN gateway with IPSec. It is not really aimed at a specific vendor and is fairly general.
First you would decide how your going to authenticate both VPN peers to each other. Either select a Pre-shared key or install a digital certificate. This is used for authentication and to ensure the VPN gateways are authorised. This would prove their identities to each other. Both gateways must use the same type of credentials, so either both use pre-shared keys or both use digital certificates. Also if you are using pre-shared keys, then both keys would have to match.
Phase 1 - Main Mode
VPN's are configured and processed in two phases, phase 1 and 2. In phase 1 using Main
mode or Aggressive mode you will set up a secure and encrypted channel, to protect your
phase 2 negotiations.
1) You will need to specify both gateway addresses. So you would specify the address of the local VPN gateway and you would also specify the address of the remote VPN gateway. You can either specify an IP address or a domain name. On some VPN gateways you could also specify an e-mail address, or if you use a digital certificate you could specify the certificates subject field.
2) Main mode or aggressive mode can be selected depending on which one you would want to use. Main mode is more secure, but slower than aggressive mode. In Main mode peers exchange identities with encryption, and Aggressive mode, although faster exchanges identities without encryption. Main mode is the more commonly used. Aggressive mode is typically for when one or both of the VPN gateway's have a dynamic IP address.
3) Specify whether to use Nat-Traversal. This is selected if your VPN gateway is behind a NAT device. Also specify whether you want both peers to use IKE keep-alive. This ensures that if a VPN gateway’s interface is not responding it will failover to the second interface. This is true when your ISP goes down and your secondary interface is a backup ISP.
4 You would now decide on your transform set. This includes the type of encryption, authentication and how long your security association will last. For your authentication you can either use Sha1 or MD5. Sha1 is the stronger authentication algorithm.
For your encryption you can select either DES, 3DES or AES 128, 192, 256 bit key strength. AES is the strongest protocol.
You can specify a limit before your SA expires, which will add more security to your VPN if your keys have been hacked. Although this will also have a slight affect on performance as well.
You will need to specify a Diffie-Hellman key group, usually 1, 2, 5 or 14 in which 14 is the most secure group.
You can optionally set up extra transform sets if needed. If you’re not sure on your peers transform settings, then you may want to set up more transform sets. Although it is recommended to know your peers settings and create the minimum transform set’s required as it is more secure this way.
Phase 2 - Aggressive Mode
In phase 2 using Quick mode you would establish the IPSec SA. You would tell the gateway what traffic you will be sending over the VPN, how to encrypt and authenticate it.
1) You will need to specify what traffic will go across the VPN. So you would be specifying an IP address, Network address, or IP address range. This is access to your internal network, so either remote users from home, or the peer office can have access to resources behind the VPN gateway.
1) You will need to specify both gateway addresses. So you would specify the address of the local VPN gateway and you would also specify the address of the remote VPN gateway. You can either specify an IP address or a domain name. On some VPN gateways you could also specify an e-mail address, or if you use a digital certificate you could specify the certificates subject field.
2) Main mode or aggressive mode can be selected depending on which one you would want to use. Main mode is more secure, but slower than aggressive mode. In Main mode peers exchange identities with encryption, and Aggressive mode, although faster exchanges identities without encryption. Main mode is the more commonly used. Aggressive mode is typically for when one or both of the VPN gateway's have a dynamic IP address.
3) Specify whether to use Nat-Traversal. This is selected if your VPN gateway is behind a NAT device. Also specify whether you want both peers to use IKE keep-alive. This ensures that if a VPN gateway’s interface is not responding it will failover to the second interface. This is true when your ISP goes down and your secondary interface is a backup ISP.
4 You would now decide on your transform set. This includes the type of encryption, authentication and how long your security association will last. For your authentication you can either use Sha1 or MD5. Sha1 is the stronger authentication algorithm.
For your encryption you can select either DES, 3DES or AES 128, 192, 256 bit key strength. AES is the strongest protocol.
You can specify a limit before your SA expires, which will add more security to your VPN if your keys have been hacked. Although this will also have a slight affect on performance as well.
You will need to specify a Diffie-Hellman key group, usually 1, 2, 5 or 14 in which 14 is the most secure group.
You can optionally set up extra transform sets if needed. If you’re not sure on your peers transform settings, then you may want to set up more transform sets. Although it is recommended to know your peers settings and create the minimum transform set’s required as it is more secure this way.
Phase 2 - Aggressive Mode
In phase 2 using Quick mode you would establish the IPSec SA. You would tell the gateway what traffic you will be sending over the VPN, how to encrypt and authenticate it.
1) You will need to specify what traffic will go across the VPN. So you would be specifying an IP address, Network address, or IP address range. This is access to your internal network, so either remote users from home, or the peer office can have access to resources behind the VPN gateway.
2) You can choose whether to use PFS (Perfect forward secrecy), for optional and an
extra layer of security. If you will be using PFS, remember that both VPN peers must
support and use PFS. You can select which Diffie-Hellman group to use for new keying
material. The higher the group you select, the stronger the key.
You would now need to specify some more parameters in securing your data within the IPSec SA (Phase 2), also known as phase 2 proposals. The parameters are made up of encryption and authentication algorithms.
3) Here you first specify the type of proposal, either selecting AH or ESP. AH only provides authentication, and ESP provides authentication and encryption.
4) If you have specified ESP, which the majority would choose, then you would specify your authentication and encryption. For authentication and integrity you can select SHA1 or MD5, where SHA1 is the strongest algorithm. For encryption you can select DES, 3DES or AES 128, 192, or 256-bit key strength. AES 256 is the strongest encryption protocol.
5) You may want to specify a value for when your key would expire. This would ensure your encryption keys would change over a period of time, adding more security, as well as having a slight affect on performance. The majority leave these settings as the default. However if your a bank or any other company dealing with confidential data then you may want to force keys to expire, and have them re-created.
Final steps
You may now need to create policies or rules to allow your VPN traffic in and out of your firewall. This may have already been done for you when you had completed configuring your gateway, and you may have had the option to either enable or disable your VPN gateway to automatically doing this for you, all depending on the product functionality. You can now save all changes to your VPN gateway.
You are done in configuring your VPN gateway, and you can now configure the peer VPN gateway. Remember to configure your peer VPN gateway with the exact same settings as you configured your local gateway or else the VPN tunnel will not form successfully.
You would now need to specify some more parameters in securing your data within the IPSec SA (Phase 2), also known as phase 2 proposals. The parameters are made up of encryption and authentication algorithms.
3) Here you first specify the type of proposal, either selecting AH or ESP. AH only provides authentication, and ESP provides authentication and encryption.
4) If you have specified ESP, which the majority would choose, then you would specify your authentication and encryption. For authentication and integrity you can select SHA1 or MD5, where SHA1 is the strongest algorithm. For encryption you can select DES, 3DES or AES 128, 192, or 256-bit key strength. AES 256 is the strongest encryption protocol.
5) You may want to specify a value for when your key would expire. This would ensure your encryption keys would change over a period of time, adding more security, as well as having a slight affect on performance. The majority leave these settings as the default. However if your a bank or any other company dealing with confidential data then you may want to force keys to expire, and have them re-created.
Final steps
You may now need to create policies or rules to allow your VPN traffic in and out of your firewall. This may have already been done for you when you had completed configuring your gateway, and you may have had the option to either enable or disable your VPN gateway to automatically doing this for you, all depending on the product functionality. You can now save all changes to your VPN gateway.
You are done in configuring your VPN gateway, and you can now configure the peer VPN gateway. Remember to configure your peer VPN gateway with the exact same settings as you configured your local gateway or else the VPN tunnel will not form successfully.
Sha-1 (Secure hash algorithm)
Sha-1 (Secure Hash Algorithm), also known as HMAC-Sha-1 is a strong cryptographic hashing algorithm, stronger than MD5. Sha-1 is used to provide data integrity (it is a guarantee data has not been altered in transit) and authentication (to guarantee data came from the source it was suppose to come from). Sha was produced to be used with the digital signature standard.
Sha-1 uses a 160-bit encryption key. It is cryptographically stronger and recommended
when security needs are higher. Cryptology specialists did announce a possible small
mathematical weakness in Sha-1 and as a result Sha-2 was made available. Sha-2 is
actually a group of algorithms, which consist of Sha-256, Sha-384 and Sha-512. However
Sha-1 has proven to be a strong hashing algorithm and no records of it being hacked so
far. Other integrity algorithms include MD2, MD5, MD6, Haval and Tiger.
MD5 (Message Digest Algorithm 5)
Message integrity algorithms ensure data has not been changed in transit. They use one way hash functions to detect if data has been changed.
The MD algorithms consist of a family of one way hash functions. MD2, created by Ron Rivest produces a 128 message digest hash. MD2 was considered slow, and so the creation of MD4 was developed. MD4 was faster, however found to be vulnerable to some attacks, and so finally the MD5 was developed.
MD5 is a cryptographic one way hashing algorithm which uses a 128 bit hash value just like its predecessors. Although it still uses the same hash value, the algorithm is more complex and difficult to break than the others. MD5 is used by to provide data integrity and authentication, ensuring data has not been altered in transit. However sha-1 is a stronger hash function than MD5, and ideally should be used if the option is available. MD5 will ensure data has not been tampered with and achieves this by converting plain data into unreadable ciphertext known as a hash. If any data during transit has changed, even slightly the hash will look completely different, and it would be assumed data has been tampered with.
In a nutshell MD5 will ensure data has not been changed when in transit. MD5 is a symmetric key algorithm. MD5 consists of a key size of 128 bits. A hash is appended to the original message.
Other common integrity algorithms include Sha1, Sha256, Sha384, Sha512, Haval and Tiger.
DES (Data Encryption Standard)
DES encryption algorithm uses a 56 bit key to encrypt data for transit. DES is a symmetric key algorithm, and so uses one key which does the encryption and decryption on the same data.
Some claim DES is a 64-bit key algorithm. However out of the 64 bits, 56 bits are actually used for keying material, where the remaining 8 bits are reserved for parity information and to ensure integrity of the remaining 56 bits of data. So in a sense it is correct that DES uses 64 bits, but 8 of those 64 bits are not used to encrypt data. For the keying it actually uses 56 bits, so in other words the encryption strength is 56 bits.
DES is not used anymore as it is an old, weak and broken encryption algorithm, and was replaced by 3DES. AES is the standard and is being used as of today and proves to be safe and a strong symmetric encryption algorithm. However you will still find 3DES is supported with VPN gateways. This is for backward compatibility, as older VPN gateways may only support the 3DES algorithm.
MD5 (Message Digest Algorithm 5)
Message integrity algorithms ensure data has not been changed in transit. They use one way hash functions to detect if data has been changed.
The MD algorithms consist of a family of one way hash functions. MD2, created by Ron Rivest produces a 128 message digest hash. MD2 was considered slow, and so the creation of MD4 was developed. MD4 was faster, however found to be vulnerable to some attacks, and so finally the MD5 was developed.
MD5 is a cryptographic one way hashing algorithm which uses a 128 bit hash value just like its predecessors. Although it still uses the same hash value, the algorithm is more complex and difficult to break than the others. MD5 is used by to provide data integrity and authentication, ensuring data has not been altered in transit. However sha-1 is a stronger hash function than MD5, and ideally should be used if the option is available. MD5 will ensure data has not been tampered with and achieves this by converting plain data into unreadable ciphertext known as a hash. If any data during transit has changed, even slightly the hash will look completely different, and it would be assumed data has been tampered with.
In a nutshell MD5 will ensure data has not been changed when in transit. MD5 is a symmetric key algorithm. MD5 consists of a key size of 128 bits. A hash is appended to the original message.
Other common integrity algorithms include Sha1, Sha256, Sha384, Sha512, Haval and Tiger.
DES (Data Encryption Standard)
DES encryption algorithm uses a 56 bit key to encrypt data for transit. DES is a symmetric key algorithm, and so uses one key which does the encryption and decryption on the same data.
Some claim DES is a 64-bit key algorithm. However out of the 64 bits, 56 bits are actually used for keying material, where the remaining 8 bits are reserved for parity information and to ensure integrity of the remaining 56 bits of data. So in a sense it is correct that DES uses 64 bits, but 8 of those 64 bits are not used to encrypt data. For the keying it actually uses 56 bits, so in other words the encryption strength is 56 bits.
DES is not used anymore as it is an old, weak and broken encryption algorithm, and was replaced by 3DES. AES is the standard and is being used as of today and proves to be safe and a strong symmetric encryption algorithm. However you will still find 3DES is supported with VPN gateways. This is for backward compatibility, as older VPN gateways may only support the 3DES algorithm.
3DES (Triple DES or Three DES)
3DES is simply the DES symmetric encryption algorithm, used three times on the same
data. The same data is encrypted two more time using DES, and hence where the name
triple DES came from. Of course this makes the encryption stronger and more difficult to
break, although Triple DES was later replaced by AES which proves to be the strongest
encryption algorithm.
3DES is a block cipher which uses 48 rounds in its computation (transpositions and substitutions), and has a key length of 168 bits.
The process of 3DES works as follows;
1) Data is encrypted using a 56-bit key
2) Data is decrypted using a different key
3) Data is encrypted using a completely new key
When the 3DES process is complete, data is sent to its final destination. However 3DES works in a number of other modes as well. As shown above it is basically Encrypt, Decrypt and finally encrypts again using 3 different keys. This is known as DES-EDE3.
There are also the following modes;
DES-EDE3 – Encrypt, Decrypt and Encrypt with 3 unique keys as mentioned above.
DES-EEE3 – A block of data is encrypted, and encrypted again with a different key and finally encrypted once more with another key, using a total of 3 unique keys.
DES-EDE2 – Here we only use two keys, in which the first and last encryption is done using exactly the same key.
DES-EEE2 – Finally this also uses two keys, the first and last encryption is done using the same key.
If you’re wondering what happened to Double-DES? This was also developed and tested but was later found it had weaknesses and is no stronger than DES, and so was considered obsolete.
As well as DES and 3DES, some other common symmetric encryption algorithms are AES, blowfish, Twofish, IDEA, CAST, SAFER, Skipjack and RC.
3DES is a block cipher which uses 48 rounds in its computation (transpositions and substitutions), and has a key length of 168 bits.
The process of 3DES works as follows;
1) Data is encrypted using a 56-bit key
2) Data is decrypted using a different key
3) Data is encrypted using a completely new key
When the 3DES process is complete, data is sent to its final destination. However 3DES works in a number of other modes as well. As shown above it is basically Encrypt, Decrypt and finally encrypts again using 3 different keys. This is known as DES-EDE3.
There are also the following modes;
DES-EDE3 – Encrypt, Decrypt and Encrypt with 3 unique keys as mentioned above.
DES-EEE3 – A block of data is encrypted, and encrypted again with a different key and finally encrypted once more with another key, using a total of 3 unique keys.
DES-EDE2 – Here we only use two keys, in which the first and last encryption is done using exactly the same key.
DES-EEE2 – Finally this also uses two keys, the first and last encryption is done using the same key.
If you’re wondering what happened to Double-DES? This was also developed and tested but was later found it had weaknesses and is no stronger than DES, and so was considered obsolete.
As well as DES and 3DES, some other common symmetric encryption algorithms are AES, blowfish, Twofish, IDEA, CAST, SAFER, Skipjack and RC.
Diffie-Hellman
Diffie-Hellman is an asymmetric key algorithm used for public key cryptography. As
well as IPSec it is also used for SSL, SSH, PGP and other PKI systems.
The Diffie-Hellman algorithm was created to address the issue of secure encrypted keys from being attacked over the internet when in transmission, though using the Diffie- Hellman algorithm in distributing symmetric keys securely over the internet.
The process works by two peers generating a private and a public key. Peer A would send it’s public key to peer B and peer B would send it’s public key to peer A. Peer A would then use the public key sent from peer B and it’s own private key to generate a symmetric key using the Diffie-Hellman algorithm. Peer B would also take the same process as peer A and in turn produce the exact same symmetric key as peer A, though enabling them to communicate securely over the in-secure internet. Both peers can now encrypt, transmit and decrypt data using their symmetric keys.
However some concerns were found later within the Diffie-Hellman algorithm such as Man-in-the-middle attacks as there is no authentication in place before keys are exchanged. How would peer B know that it is about to exchange keys with peer A? It could easily be a hacker spoofing peer A’s identity. This led to the more advanced public key cryptography in RSA. However using authentication methods such as pre-shared keys and digital certificates to authenticate VPN gateways have overcome this issue. So using Diffie-Hellman along side authentication algorithms is a secure and approved solution. Diffie-Hellman is based on calculating discrete logarithms in a finite field.
Diffie-Hellman public key cryptography is used by all major VPN gateway's today, supporting Diffie-Hellman groups 1,2 and 5. DH group 1 consists of a 768 bit key, group 2 consists of 1024 bit key and group 5 comes with 1536 bit key. Group 5 is the strongest and most secure.
Diffie-Hellman just does key exchange and does not do data encryption, digital signatures or any authentication.
Authentication Header - IPSec protocol
IPSec uses two basic protocols, AH (authentication header) and ESP (encapsulation security payload). AH ensures data has not been tampered with and assures data integrity when in transmission. This is achieved by adding authentication information to a datagram. AH is not as used much as ESP as it does not provide data encryption (confidentiality) and so all data would be transported in clear text. So data would be readable although protected from any modification attempts.
However if authentication is all that is required then only AH should be used. By leaving ESP turned off will provide better performance.
ESP (Encapsulating Security Payload)
ESP provides all four security aspects of IPSec. These are confidentiality, integrity, origin authentication, and anti-replay protection. Confidentiality would ensure data is encrypted. Providing integrity would ensure data in transit has not been tampered with and origin authentication would ensure the remote peers are who they claim to be. Anti- replay will ensure duplicated traffic is not accepted which would prevent DOS attacks, as well as spoofed traffic.
ESP can operate in either tunnel mode which is more secure due to encrypting the routing, header information and IP payload, or can operate in transport mode in which it only encrypts the IP payload. Tunnel mode is usually used between gateways through the internet, and transport mode is usually used for host to host VPN’s such as between a server and a computer.
The Diffie-Hellman algorithm was created to address the issue of secure encrypted keys from being attacked over the internet when in transmission, though using the Diffie- Hellman algorithm in distributing symmetric keys securely over the internet.
The process works by two peers generating a private and a public key. Peer A would send it’s public key to peer B and peer B would send it’s public key to peer A. Peer A would then use the public key sent from peer B and it’s own private key to generate a symmetric key using the Diffie-Hellman algorithm. Peer B would also take the same process as peer A and in turn produce the exact same symmetric key as peer A, though enabling them to communicate securely over the in-secure internet. Both peers can now encrypt, transmit and decrypt data using their symmetric keys.
However some concerns were found later within the Diffie-Hellman algorithm such as Man-in-the-middle attacks as there is no authentication in place before keys are exchanged. How would peer B know that it is about to exchange keys with peer A? It could easily be a hacker spoofing peer A’s identity. This led to the more advanced public key cryptography in RSA. However using authentication methods such as pre-shared keys and digital certificates to authenticate VPN gateways have overcome this issue. So using Diffie-Hellman along side authentication algorithms is a secure and approved solution. Diffie-Hellman is based on calculating discrete logarithms in a finite field.
Diffie-Hellman public key cryptography is used by all major VPN gateway's today, supporting Diffie-Hellman groups 1,2 and 5. DH group 1 consists of a 768 bit key, group 2 consists of 1024 bit key and group 5 comes with 1536 bit key. Group 5 is the strongest and most secure.
Diffie-Hellman just does key exchange and does not do data encryption, digital signatures or any authentication.
Authentication Header - IPSec protocol
IPSec uses two basic protocols, AH (authentication header) and ESP (encapsulation security payload). AH ensures data has not been tampered with and assures data integrity when in transmission. This is achieved by adding authentication information to a datagram. AH is not as used much as ESP as it does not provide data encryption (confidentiality) and so all data would be transported in clear text. So data would be readable although protected from any modification attempts.
However if authentication is all that is required then only AH should be used. By leaving ESP turned off will provide better performance.
ESP (Encapsulating Security Payload)
ESP provides all four security aspects of IPSec. These are confidentiality, integrity, origin authentication, and anti-replay protection. Confidentiality would ensure data is encrypted. Providing integrity would ensure data in transit has not been tampered with and origin authentication would ensure the remote peers are who they claim to be. Anti- replay will ensure duplicated traffic is not accepted which would prevent DOS attacks, as well as spoofed traffic.
ESP can operate in either tunnel mode which is more secure due to encrypting the routing, header information and IP payload, or can operate in transport mode in which it only encrypts the IP payload. Tunnel mode is usually used between gateways through the internet, and transport mode is usually used for host to host VPN’s such as between a server and a computer.
