VPN Concentrators – CompTIA Security+ SY0-501 – 2.1

One of the challenges we have with communicating across the internet is that we're never quite certain who might be in the middle and able to see the traffic that's going by. For that reason, we will often encrypt the traffic between two points. One of the most common ways to do this is with a virtual private network, or a VPN. This allows us to set up an encrypted tunnel, and any traffic we route through that tunnel to the device on the other side will be encrypted and completely useless to anybody who might listen in along the way.

It's common to implement this encryption method using a VPN concentrator. This is a device that is specifically designed to provide this encryption and decryption of network traffic, and it allows many people to use this encryption mechanism simultaneously. It's very common to have this concentrator built into an existing firewall. There are also software-based VPN concentrators you can configure as well, and on the client side, most operating systems these days come with software that will allow you to automatically connect to a number of these VPN concentrators without having to load additional software on your workstation.

When you're using a VPN concentrator, you usually have a corporate network that has the VPN concentrator right on the front of it, usually connected to the internet, and then somewhere out on the internet is your device. Maybe it's a laptop at a coffee shop. You start your client VPN software, which then communicates over an encrypted tunnel to the VPN concentrator. The VPN concentrator will take that encrypted traffic, decrypt the communication, and send all of that into the corporate network. When that traffic needs to get back to your laptop, it is forwarded to the VPN concentrator, which then encrypts the communication and sends it back over that encrypted tunnel.

This VPN tunnel is something that's usually built on demand. You sit down in the coffee shop, you start the software, and it builds that tunnel back to your remote location. Some software can be configured as always-on, which means any time you're using your laptop, it's always using an encrypted tunnel back to your corporate network.

One very common type of VPN in use is a Secure Sockets Layer VPN, or SSL VPN. This is using the very common SSL or TLS protocol running over TCP port 443. Because this SSL VPN is using this very common SSL protocol that we frequently use in our web browsers, you generally find that most networks allow this traffic to flow freely. Most SSL VPN clients are built into existing browsers or operating systems, and you're often logging in with your regular authentication. You don't need additional digital certificates, and you don't have to set up a separate IPsec tunnel. The SSL VPN is simply running from a browser connecting back to a concentrator, and you're connected over this encrypted tunnel.

If the administrator of your VPN has set it up as a full tunnel, that means that all traffic, regardless of its destination, will traverse this tunnel. That means if you're sending traffic to your corporate network, that will obviously go over your encrypted tunnel, but if you do need to communicate with a third-party website, it will first traverse this tunnel, at which time the VPN concentrator will redirect that traffic to the third-party website, which will then send it back to the VPN concentrator so that it can be encrypted and sent out to you.

You can contrast this with a split VPN tunnel. That's when all of the traffic from your site to the corporate network passes over this encrypted tunnel, but if you need to communicate with a third-party website that is not part of your corporate network, it will use the normal communication outside the scope of that VPN communication. That might speed up the communication on your end, and if it's not required that you have encryption between you and that third-party site, then there's no reason to use the encrypted tunnel.

If you're part of a company that has a large corporate headquarters and then numerous remote sites, there may already be a VPN configured between firewalls at the corporate headquarters and at your remote site. You'll find that most site-to-site VPNs are always-on, which means when you are sending traffic, it's always going to go through that encrypted tunnel. Some site-to-site VPNs are configured to disable the tunnel after a certain amount of non-use, but as soon as you try to send traffic through to the corporate network, it will rebuild the tunnel and send that traffic over the encrypted connection. In most cases, an organization is going to use the existing firewalls that are in place to act as VPN concentrators. That means you don't have to have a separate device at all of these remote locations, and you can simply take advantage of the firewall that's already there.

Most site-to-site VPNs are encrypting this traffic using a protocol called Internet Protocol Security, or IPsec. This allows layer 3 encryption of all IP traffic from one site to the other. Not only are we providing confidentiality through the encryption of this traffic, IPsec also provides an integrity check so you can make sure that nobody is replaying traffic through this VPN connection. This is also a very standardized protocol, which means you can have one manufacturer's firewall at one side and a completely different manufacturer's firewall at the other side, but they'll still be able to communicate using IPsec.

There are two core protocols associated with IPsec. There is AH, or the Authentication Header, and there's also ESP, or the Encapsulating Security Payload. IPsec can use two different modes of communication: one is transport mode and the other is tunnel mode. The way this works is that you have your original packet, and that packet has an IP header and data inside of it. We certainly need to protect this data. In transport mode, the data is encrypted; you have an IPsec header and an IPsec trailer put on either side of the data, and then you use the original IP header to be able to get that data to the remote site. In tunnel mode, both the IP header and the data are encrypted. They're wrapped with an IPsec header and an IPsec trailer, and then a completely different IP header is put onto the front of the packet. This means that if somebody sees that packet going through, they're not going to have any idea what the actual IP destination is, because all of that information is encrypted when you're using tunnel mode.

Let's take a look at the Authentication Header that's used with IPsec. This provides integrity of the data that's being sent through the network. Usually IPsec will take the IP header and the data, combine that with a shared key, and produce a hash, and usually the hash is one based on MD5, SHA-1, or SHA-2, and it's adding that Authentication Header to the beginning of the packet.

The part of IPsec that's providing the encryption is done through the Encapsulating Security Payload, or ESP. It's using Triple DES or, frequently, AES for encryption, and it adds a header, a trailer, and an integrity check value. That means that you can encrypt the IP header and the data, and you have an ESP trailer inside of this encrypted information, and on the outside you have not only your brand-new IP header but the ESP header and the integrity check value. This means that you can authenticate almost all of the data when you're running this IPsec datagram and using ESP to encrypt the data.

In most IPsec implementations you're not only using ESP for the encryption, but you're using the Authentication Header at the same time. This means that you can have this encrypted data inside of your packet, but you can authenticate the entire IP packet. That means that you can do this either in transport mode or in tunnel mode, ensuring that not only is your traffic protected and encrypted, but now you can also be assured that it's exactly what was sent by the original station.
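The full-tunnel versus split-tunnel behaviour described above is, on the laptop, nothing more than a routing decision, so here is an added example (not from the original lesson) showing the two route tables a VPN client would install and the longest-prefix-match lookup the host applies to each outgoing packet. The interface names `tun0` and `wlan0`, the corporate prefix `10.0.0.0/8` and the sample destination addresses are constructed assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Route is one entry of the VPN client's host routing table: a destination
// prefix and the interface that matching packets leave through. "tun0" is the
// VPN tunnel interface and "wlan0" the coffee-shop uplink (constructed names).
type Route struct {
	Prefix netip.Prefix
	Iface  string
}

// Lookup does what the host routing table does: a longest-prefix match, so the
// most specific route wins and 0.0.0.0/0 (the default route) catches the rest.
// Unparseable addresses return "invalid"; no matching route returns "unreachable".
func Lookup(table []Route, dst string) string {
	ip, err := netip.ParseAddr(dst)
	if err != nil {
		return "invalid"
	}
	best, iface := -1, "unreachable"
	for _, r := range table {
		if r.Prefix.Contains(ip) && r.Prefix.Bits() > best {
			best, iface = r.Prefix.Bits(), r.Iface
		}
	}
	return iface
}

// FullTunnel installs the default route through the tunnel, so every
// destination, corporate or third-party, is sent to the concentrator first.
func FullTunnel() []Route {
	return []Route{{netip.MustParsePrefix("0.0.0.0/0"), "tun0"}}
}

// SplitTunnel routes only the corporate prefix (assumed here to be 10.0.0.0/8)
// through the tunnel; everything else leaves unencrypted over the local uplink.
func SplitTunnel() []Route {
	return []Route{
		{netip.MustParsePrefix("10.0.0.0/8"), "tun0"},
		{netip.MustParsePrefix("0.0.0.0/0"), "wlan0"},
	}
}

// Encrypted reports whether a packet to dst will be carried inside the VPN.
func Encrypted(table []Route, dst string) bool {
	return Lookup(table, dst) == "tun0"
}

func main() {
	corp, web := "10.1.2.3", "93.184.216.34" // constructed corporate server and third-party site
	for name, table := range map[string][]Route{"full": FullTunnel(), "split": SplitTunnel()} {
		fmt.Printf("%-5s tunnel: corporate via %s, third-party via %s\n",
			name, Lookup(table, corp), Lookup(table, web))
	}
}
```

With the full-tunnel table the third-party lookup also answers `tun0`, which is why that traffic makes the round trip through the concentrator; with the split-tunnel table the same destination answers `wlan0` and never enters the encrypted tunnel, so anything sent there is only as protected as the coffee-shop network itself.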
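The transport-mode and tunnel-mode packet layouts, ESP's integrity check value and the replay protection described above, as an added example that is not from the original lesson. It uses AES-GCM so that one primitive supplies both ESP's encryption and its integrity check (the lesson mentions Triple DES or AES with a separate hash), an 8-byte stand-in for the IP header, and a strictly increasing sequence number in place of ESP's sliding anti-replay window; the key, SPI, salt and addresses are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// IPHeader is a toy 8-byte header (4 bytes source, 4 bytes destination)
// standing in for a real IPv4 header; enough to show what each mode exposes.
type IPHeader [8]byte

func headerFrom(b []byte) (h IPHeader) { copy(h[:], b[:8]); return h }

// SA is the security association both ends share: SPI, AES-GCM key and a
// salt combined with the sequence number to form the nonce (simplified; real
// ESP carries an explicit IV). A sequence number must never repeat under one key.
type SA struct {
	SPI  uint32
	Salt [4]byte
	aead cipher.AEAD
}

func NewSA(spi uint32, key []byte, salt [4]byte) (*SA, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SA{SPI: spi, Salt: salt, aead: aead}, nil
}

func (sa *SA) nonce(seq uint32) []byte {
	n := make([]byte, 12)
	copy(n, sa.Salt[:])
	binary.BigEndian.PutUint32(n[8:], seq)
	return n
}

// Encapsulate builds [clear IP header][ESP: SPI, seq][AES-GCM ciphertext][ICV].
// Transport mode leaves the original header in the clear and protects only the
// data; tunnel mode hides header and data behind the outer gateway header.
func (sa *SA) Encapsulate(tunnel bool, seq uint32, inner IPHeader, payload []byte, outer IPHeader) []byte {
	clearHdr, plaintext := inner[:], payload
	if tunnel {
		clearHdr = outer[:]
		plaintext = append(inner[:], payload...) // original header hidden too
	}
	esp := make([]byte, 8)
	binary.BigEndian.PutUint32(esp[0:], sa.SPI)
	binary.BigEndian.PutUint32(esp[4:], seq)
	sealed := sa.aead.Seal(nil, sa.nonce(seq), plaintext, esp) // ESP header is authenticated, not encrypted
	return append(append(clearHdr, esp...), sealed...)
}

// Receiver keeps one SA's anti-replay state. This toy accepts only strictly
// increasing sequence numbers; real ESP uses a sliding window to tolerate reordering.
type Receiver struct {
	sa      *SA
	highest uint32
}

func NewReceiver(sa *SA) *Receiver { return &Receiver{sa: sa} }

// Decapsulate: replay check, ICV verification (tampered packets rejected), decrypt.
func (r *Receiver) Decapsulate(tunnel bool, wire []byte) (IPHeader, []byte, error) {
	if len(wire) < 16 {
		return IPHeader{}, nil, errors.New("packet too short")
	}
	clearHdr, esp, sealed := wire[:8], wire[8:16], wire[16:]
	seq := binary.BigEndian.Uint32(esp[4:])
	if binary.BigEndian.Uint32(esp[:4]) != r.sa.SPI || seq <= r.highest {
		return IPHeader{}, nil, errors.New("unknown SPI or replayed packet")
	}
	plain, err := r.sa.aead.Open(nil, r.sa.nonce(seq), sealed, esp)
	if err != nil {
		return IPHeader{}, nil, errors.New("integrity check failed")
	}
	r.highest = seq // replay state advances only after the packet authenticated
	if !tunnel {
		return headerFrom(clearHdr), plain, nil
	}
	if len(plain) < 8 {
		return IPHeader{}, nil, errors.New("inner packet too short")
	}
	return headerFrom(plain), plain[8:], nil
}

func main() {
	sa, _ := NewSA(0x1001, []byte("0123456789abcdef"), [4]byte{1, 2, 3, 4}) // constructed key
	laptop, gws := IPHeader{192, 168, 1, 20, 10, 0, 0, 5}, IPHeader{203, 0, 113, 1, 198, 51, 100, 1}
	fmt.Printf("transport: %x\n", sa.Encapsulate(false, 1, laptop, []byte("hello"), gws))
	fmt.Printf("tunnel:    %x\n", sa.Encapsulate(true, 2, laptop, []byte("hello"), gws))
}
```

The printed transport-mode packet begins with the laptop's own addresses, exactly as the lesson describes, while the tunnel-mode packet begins with the two gateway addresses and the laptop's addresses appear nowhere in it. On the receiving side, flipping any byte of the ciphertext fails the integrity check before anything is decrypted, and presenting the same packet twice is refused by the sequence-number check, which is the replay protection the lesson attributes to IPsec.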
