4 avg. rating (80% score) - 3 votes
Are you willing to explore your career in Networking sector? Are you have an engineering degree in Software or Networking then logon to www.wisdomjobs.com. Virtual Private Network extends a private network across a public and private network. It is a way of connecting a computer to a remote network. It enables a computer to send and receive data across shared or public network. A VPN connection across the Internet is similar to WAN link between the sites. VPN allow employees to securely access their company intranet while travelling outside the office. Similarly VPN securely and cost effectively connected geographically disparate s offices of an organisation. So explore your career as Network engineer, Network test manager, Networking System Administrator by looking into Virtual Private Network job interview question and answers given.
Well, IPSEC - real IPSEC as it exists today - is still morphing, but not so much that one shouldn't require it as a basis for a VPN.
So we might have:
With firewalls, we went from a very small number of security-wise companies using real firewalls to firewalls becoming a "must have" on a checklist. But somehow, having a firewall became synonymous with "all my Internet security problems are solved!" VPNs and IPSEC have started off that way too. There has been a lot of "When we have IPSEC on the desk top we won't need firewalls." This is nonsense. VPNs cannot enforce security policies, they cannot detect misuse or mistakes, and they cannot regulate access. VPNs can do what they were meant to do: keep communications private.
Privacy from end to end. The cryptography used, generally speaking, is very good. Whatever you do, that is encrypted, is very well hidden from sniffers on the net. Whatever is not encrypted, you may as well shout from the rooftops or post on your web page.
VPNs are typically handled as just another job by the network or system administrator staff. Whoever is managing the firewall today can easily add VPN management to the plate because once a VPN is set up there is little else to do on most implementations.
Well, the perimeter security issues mentioned above, plus a firewall should give the option of VPN with or without trust. For example, I would prefer all sessions between my firewall and my clients and business partners to be encrypted - to be VPNs. But, I want all of them to run up against my firewall if they try to do anything besides what I permit. On the other hand, if I dial in from the speaker's lounge at a conference, I would like a private connection (that is to say, encrypted) that also looks and feels like a virtual "inside" connection, just as if I was sitting in the office.
While VPNs were available before firewalls via encrypting modems and routers, they came into common use running on or with firewalls. Today, most people would expect a firewall vendor to offer a VPN option. (Even though most people today don't use VPNs.) Also, they want it managed via the same firewall management interface. But then, users today seem to want nearly everything on the firewall: mail server, name server, proxy servers for HTTP, FTP server, directory server, and so on. That's terrible and a subject in itself.
Only the things you want everyone to be able to eavesdrop on. In general, the answer is "no," but if a VPN is in use from a system behind a firewall to a system outside the firewall, the firewall cannot enforce an organization's security policy beyond connection rules.
VPNs should be used for all information exchange. I don't want to have to "go encrypted" when something secret is about to be sent. I want everything to be encrypted. It should be as commonplace as people sending postal mail in sealed envelopes. It will also ensure that the VPN mechanism is working.
Businesses who understand the use of crypto for privacy in electronic documents also understand the need for the emergency recovery of that data. Whether this is done by saving an individual's private key information, encrypting it with a trusted third party's key, or saving all keys used to encrypt all documents, it is well understood that some mechanism is needed for the recovery of encrypted files owned by an individual, by the individual, or a company, by the company for business or law enforcement reasons. Key recovery of session keys used to encrypt a network connection is a requirement of law enforcement. VPNs must use the strongest crypto available and feasible given the hardware on which it is being run. Weak cryptography (for example, 40 bit key length) should be completely avoided.
Encryption takes more horsepower than sending data in the clear. It really shows up on mobile PCs transmitting large hunks of data - for example, a PowerPoint presentation - over a dial-up phone line. Firewalls and other server systems should employ hardware crypto engines. With these there are no performance issues. I expect that this functionality for mobile PCs will migrate to PC cards with crypto engines. When will this happen? Within the next 18 months.
Aventail is a leader in this market. All the major firewall vendors and router vendors are in it as well. On the client side, Timestep and V-ONE are big.
Many vendors claim to be IPSEC-compliant. The real requirement should be "list the other products with which you can communicate" Also, a customer should want to know how automatic the key exchange mechanism is In a perfect world - in an IPSEC world - it would be automatic. If a Virtual Network Perimeter (VNP, not VPN) is used, how easy is it to deploy the software to mobile PC users How much does it interfere with normal network operation from a mobile PC.
Even though VPNs provide ubiquitous, perimeter security, firewalls are still needed. Walls around cities went away because it became inexpensive to bring them in closer to individual homes. Only a perimeter enforcement mechanism can guarantee adherence to an organization's security policies. However, as part of policy enforcement, a firewall might need to be able to look at the information in a packet. Encryption makes that rather difficult. VPNs - improperly deployed - take away a firewall's ability to audit useful information, or to make decisions beyond the level of "who is allowed to talk to whom." There are ways around this. The easiest way is to make the firewall a trusted third member of the conversation. People who value privacy above everything else chafe at this. But people who value the security of their organization realize that this is a necessity.
VPNs directly protect the privacy of a communication, and indirectly provide an authentication mechanism for a gateway, site, computer, or individual. Whether you need privacy or not is a function of your business, the nature of what you discuss electronically, and how much it is worth to someone else. Authentication is a side effect, even without IPSEC, because if site A knows it talks to site B over an encrypted channel, and someone else pretends to be site B, they will also have to be able to talk encrypted to site A, since site A expects it and will reciprocate. Typically, the secrets are sufficiently protected that no one could pretend to be site B and pull it off. Again, it comes down to the risk, which is a function of the information you are transmitting. The threats and vulnerabilities are there, in any case. It is very easy to capture traffic on the Internet or on your phone line. Is it important enough information to care? That is the question that most people answer wrong. It is my experience that while people may understand the value of what they have and they may understand the risk of losing or compromising what they have, few understand both at the same time.
VPNs are long-term solutions. VPNs may become ubiquitous and transparent to the user, but they will not go away. Because the problem VPNs address - privacy over a public network - will not go away. VPNs will exist from the desktop to the server, and at the IP packet level as well as the application data level.
Those companies who were early adopters of firewalls are the ones using VPNs today. VPNs are still early in the use cycle. Three years ago, they hardly existed. Then firewall products started to include them - first ANS Interlock, then TIS Gauntlet. Soon, customers started demanding VPN functionality in their firewalls, even though few of them actually used it. But the Security Architecture for Internet Protocol (IPSEC) standard is changing that - with IPSEC-compliant off-the-shelf products, using encryption to protect the privacy of communications will be an automatic decision. It may take awhile. I predicted that 1998 would be the "Year of the VPN," but maybe 1999 is more realistic. Look, over four years after the famous Internet password sniffing incident, most people still seem to be working with reusable passwords.
The term Virtual Private Network (VPN) means "an encrypted connection from one point to another over any network giving the illusion of being a private network." Originally, Marcus Ranum and I coined the term "virtual network perimeter," which in today's language means a VPN with trust - i.e., a network security perimeter extended to include other offices and remote users through a VPN link plus common name space, security policies, and management. Of course, networks are not private unless encryption is being employed. To put it plainly, unless you own the space around every wire, fiber, or radio signal used in the communication path, your connection is not private unless it is encrypted.
Authentication - Verifies that the packet received is actually from the claimed sender. It verifies the authenticity of sender. Pre-shared Key, Digital Certificate are some methods that can be used for authentication.
Integrity - Ensures that the contents of the packet has not been altered in between by man-in-middle. Hashing Algorithm includes MD5, SHA.
Confidentiality - Encrypts the message content through encryption so that data is not disclosed to unauthorized parties. Encryption algorithms include DES (Data Encryption Standard), 3DES (Triple-DES), AES (Advanced Encryption Standard).
In symmetric encryption, a single key is used both to encrypt and decrypt traffic. It is also referred as shared key or shared secret encryption. Symmetric encryption algorithms include DES, 3DES, AES.
In Asymmetric encryption two keys are used to encrypt and decrypt traffic, one for encryption and one for decryption. The most common asymmetric encryption algorithm is RSA.
IP Security Protocol VPN means VPN over IP Security. It allows two or more users to communicate in a secure manner by authenticating and encrypting each IP packet of a communication session. IPsec provides data confidentiality, data integrity and data authentication between participating peers.
IPsec secures IP traffic at the Layer 3 (Network Layer) of the OSI model.
IPSec only supports unicast IP traffic.
Tunnel mode - Protects data in network-to-network or site-to-site scenarios. It encapsulates and protects the entire IP packet—the payload including the original IP header and a new IP header (protects the entire IP payload including user data).
Transport mode - Protects data in host-to-host or end-to-end scenarios. In transport mode, IPsec protects the payload of the original IP datagram by excluding the IP header (only protects the upper-layer protocols of IP payload (user data)).
IPSec protocols AH and ESP can operate in either transport mode and tunnel mode.
IPsec offers the following security services:-
Digital signature is an attachment to an electronic message used for security purposes. It is used to verify the authenticity of the sender.
Authorization is a security mechanism used to determine user/client privileges or access levels related to network resources, including firewalls, routers, switches and application features. Authorization is normally preceded by authentication and during authorization, It’s system that verifies an authenticated user’s access rules and either grants or refuses resource access.
A site-to-site VPN allows offices in multiple locations to establish secure connections with each other over a public network such as the Internet.
Remote Access VPN allows Remote users to connect to the Headquarters through a secure tunnel that is established over the Internet. The remote user is able to access internal, private web pages and perform various IP-based network tasks.
There are two primary methods of deploying Remote Access VPN:-
1.Encapsulating Security Payload (ESP) - It is an IP-based protocol which uses port 50 for communication between IPsec peers. ESP is used to protect the confidentiality, integrity and authenticity of the data and offers anti-replay protection.
Drawback - ESP does not provide protection to the outer IP Header
2.Authentication Header (AH) - It is also an IP-based protocol that uses port 51 for communication between IPsec peers. AH is used to protect the integrity and authenticity of the data and offers anti-replay protection.
Unlike ESP, AH provides protection to the IP header also.
Drawback - AH does not provide confidentiality protection.
Both ESP and AH protocols provide an anti-reply protection based on sequence numbers. The sender increments the sequence number after each transmission, and the receiver checks the sequence number and reject the packet if it is out of sequence.
It is a hybrid protocol that implements Oakley and SKEME key exchanges inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. It defines the mechanism for creating and exchanging keys. IKE derives authenticated keying material and negotiates SAs that are used for ESP and AH protocols.
IKE uses UDP port 500.
IKE is a two-phase protocol:
IKE phase 1 negotiates the following:-
1.It protects the phase 1 communication itself (using crypto and hash algorithms).
2.It generates Session key using Diffie-Hellman groups.
3.Peers will authenticate each other using pre-shared, public key encryption, or digital signature.
4.It also protects the negotiation of phase 2 communication.
There are two modes in IKE phase 1:-
Main mode - Total Six messages are exchanged in main mode for establishing phase 1 SA.
Aggressive mode - It is faster than the main mode as only three messages are exchanged in this mode to establish phase 1 SA. It is faster but less secure.
At the end of phase 1, a bidirectional ISAKMP/IKE SA (phase 1 SA) is established for IKE communication.
IKE phase 2 protects the user data and establishes SA for IPsec.
There is one mode in IKE phase 2:-
Quick mode - In this mode three messages are exchanged to establish the phase 2 IPsec SA.
At the end of phase 2 negotiations, two unidirectional IPsec SAs (Phase 2 SA) are established for user data—one for sending and another for receiving encrypted data.
Phase 1 - Main Mode
MESSAGE 1: Initiator offers Policy proposal which includes encryption, authentication, hashing algorithms (like AES or 3DES, PSK or PKI, MD5 or RSA).
MESSAGE 2: Responder presents policy acceptance (or not).
MESSAGE 3: Initiator sends the Diffie-Helman key and nonce.
MESSAGE 4: Responder sends the Diffie-Helman key and nonce.
MESSAGE 5: Initiator sends ID, preshare key or certificate exchange for authentication.
MESSAGE 6: Responder sends ID, preshare key or certificate exchange for authentication.
Only First Four messages were exchanged in clear text. After that all messages are encrypted.
Phase 2 - Quick Mode:
MESSAGE 7: Initiator sends Hash, IPSec Proposal, ID, nonce.
MESSAGE 8: Responder sends Hash, IPSec Proposal, ID, nonce.
MESSAGE 9: Initiator sends signature, hash, ID.
All messages in Quick mode are encrypted.
DH is a public-key cryptography protocol which allows two parties to establish a shared secret over an insecure communications channel. Diffie-Hellman is used within IKE to establish session keys and is a component of Oakley.
Each side have a private key which is never passed and a Diffie-Hellman Key (Public Key used for encryption). When both side wants to do a key exchange they send their Public Key to each other. for example Side A get the Public Key of Side B, then using the RSA it creates a shared key which can only be opened on Side B with Side B's Private Key So, even if somebody intercepts the shared key he will not be able to do reverse engineering to see it as only the private key of Side B will be able to open it.
The SAs define the protocols and algorithms to be applied to sensitive packets and specify the keying material to be used by the two peers. SAs are unidirectional and are established per security protocol (AH or ESP).
An IKE transform set is a combination of security protocols and algorithms. During the IPsec SA negotiation, the peers agree to use a particular transform set for protecting a particular data flow.
Crypto access lists specifies which IP traffic is protected by crypto and which traffic is not protected by crypto. To protect IP traffic "permit" keyword is used in an access list. If the traffic is not to be protected than "deny" keyword is used in access list.
Crypto map is used to pull together the various parts used to set up IPsec SAs including:-
Multiple interfaces can share the same crypto map set in case we want to apply the same policy to multiple interfaces.
If more than one crypto map is created for a given interface than use the sequence number of each map entry to rank the map entries, the lower the seq-num argument the higher the priority.
SSL VPN can be deployed in one of the following three modes:-
1.Clientless mode - It works at Layer 7, Clientless mode provides secure access to web resources and web-based content. This mode can be used for accessing most content that you would expect to access in a web browser such as Internet, databases and online tools. Clientless mode also supports common Internet file system (CIFS). Clientless mode is limited to web-based content only. It does not provide access to TCP connections such as SSH or Telnet.
2.Thin client mode - It works at Layer 7 and is also known as port forwarding. Thin client mode provides remote access to TCP-based services such as Telnet, Secure Shell (SSH), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP) and Post Office Protocol (POP3) applications. Thin client is delivered via a Java applet that is dynamically downloaded from the SSL VPN appliance upon session establishment.
3.Thick client mode - It works at Layer 3 and is also known as tunnel mode or full tunneling client. The thick client mode provides extensive application support through dynamically downloaded SSL VPN Client software or the Cisco AnyConnect VPN client software from the VPN server appliance. This mode delivers a lightweight, centrally configured, and easy-to-support SSL VPN tunneling client that provides full network layer (Layer 3) access to virtually any application.
SSL is an Application layer (Layer 7) cryptographic protocol that provides secure communications over the Internet for web browsing, e-mail and other traffic. It uses TCP port 443.
SSL VPN provides remote access connectivity from any internet enabled device through a standard web browser and its native SSL encryption. It does not require any special client software at a remote site.In IPsec VPN connection is initiated using a preinstalled VPN client software so it requires installation of a special client software. In SSL VPN connection is initiated through a web browser so it does not requires any special purpose VPN client software, only a web browser is required.
Generic Routing Encapsulation Protocol is a tunneling protocol developed by Cisco designed to encapsulate IP unicast, multicast and broadcast packets. It uses IP protocol number 47.
It is a Layer 2 protocol which is used to map a tunnel IP address to an NBMA address. It functions similar to ARP. Hub maintains NHRP database of the public addresses for each spoke. When the spoke boots up, it registers its real address to the hub and queries the NHRP database for real addresses of other spokes so that they can build direct tunnels.
Phase 1 - In phase 1 we use NHRP so that spokes can register themselves with the hub. Only Hub uses a multipoint GRE interface, all spokes will be using regular point-to-point GRE tunnel interfaces which means that there will be no direct spoke-to-spoke communication, all traffic has to go via hub.
The only advantage of the phase I setup is the fact the hub router’s configuration is much simpler. Summarization is possible in phase 1.
Phase 2 - In phase 2 all spokes routers also use multipoint GRE tunnels so we do have direct spoke to spoke tunneling. When a spoke router wants to communicate to another spoke it will send an NHRP resolution request to the hub to find the NBMA IP address of the other spoke. Summarization is not possible in phase 2.
1.Spoke 1 forwards a packet with a next hop which is another spoke (spoke 2). There is no NHRP map entry for this spoke so an NHRP resolution request is sent to the hub.
2.The request from spoke 1 contains the tunnel IP address of the spoke 2 so the hub relays the request to spoke 2.
3.Spoke 2 receives the request, adds its own address mapping to it and sends it as an NHRP reply directly to spoke 1.
4.Spoke 2 then sends its own NHRP resolution request to the hub that relays it to spoke 1.
5.Spoke 1 receives the request from spoke 2 via the hub and replies by adding its own mapping to it and sending it directly to spoke 2.
Spoke to Spoke tunnel is established.
Phase 3 - In phase 3 NHRP redirect configured on the hub tells the initiator spoke to look for a better path to the destination spoke. On receiving the NHRP redirect message the spokes communicate with each other over the hub and they have their NHRP replies for the NHRP Resolution Requests that they sent out.
NHRP Shortcut configured on the spoke updates the CEF table. It basically changes the next-hop value for a remote spoke from the initial hub tunnel IP address to the NHRP resolved tunnel IP address of remote spoke.
Summarization is possible in phase 3.
DMVPN allows IPsec VPN networks to better scale hub-to-spoke and spoke-to-spoke topologies optimizing the performance and reducing latency for communications between sites.
It offers following benefits:-
Remote Access VPN when implemented with IPsec is called Cisco Easy VPN. The Easy VPN is easy to set up, with minimal configuration required at the remote client site. Cisco Easy VPN allows us to define centralized security policies at the head-end VPN device (VPN Server) which are then pushed to the remote site VPN device upon connection.
Static Crypto Maps are used when peers are predetermined. It is basically used in IPSec site to site VPNs.
Dynamic crypto maps are used with networks where the peers are not always predetermined. It is basically used in IPSEC Remote Access VPNs.
There are two types of IPsec VTI interfaces:
IPSec VTI is the concept of using a dedicated IPsec interface called IPsec Virtual Tunnel Interface for highly scalable IPsec-based VPNs. IPsec VTI provides a routable interface for terminating IPsec tunnels. VTI also allows the encrypting of multicast traffic with IPsec.
Use following commands to check the status of tunnel phases:-
Phase 1 - show crypto isakmp sa
Phase 2 - show crypto ipsec sa
Virtual Private Network (VPN) Related Tutorials
Virtual Private Network (VPN) Related Interview Questions
|Networking Interview Questions||Hyper-V Interview Questions|
|Computer Network Security Interview Questions||Routing Protcol Interview Questions|
|CWNA (Certified Wireless Network Administrator) Interview Questions||Border Gateway Protocol (BGP) Interview Questions|
|Enhanced Interior Gateway Routing Protocol (EIGRP) Interview Questions||Cisco Network Engineer Interview Questions|
|Multiprotocol Label Switching (MPLS) Interview Questions||OSPF Interview Questions|
|Voip Telephony Interview Questions||Windows Troubleshooting Interview Questions|
|Wireless Lan Interview Questions||Ccnp Routing Interview Questions|
Virtual Private Network (VPN) Related Practice Tests
|Networking Practice Tests||Hyper-V Practice Tests|
|Computer Network Security Practice Tests||Routing Protcol Practice Tests|
|CWNA (Certified Wireless Network Administrator) Practice Tests||Border Gateway Protocol (BGP) Practice Tests|
|Enhanced Interior Gateway Routing Protocol (EIGRP) Practice Tests|
The Osi Model
Wired And Wireless Networks
Wan And Remote Access Technologies
Network Access And Security
Fault Tolerance And Disaster Recovery
All rights reserved © 2018 Wisdom IT Services India Pvt. Ltd
Wisdomjobs.com is one of the best job search sites in India.