1
00:00:00,530 --> 00:00:06,350
As mentioned there are some major advantages to using digital signatures rather than pre-shared keys.

2
00:00:06,350 --> 00:00:12,570
There is however one major stumbling block when Peter sends his public key to Sarah.

3
00:00:12,680 --> 00:00:20,750
Joe Hacker could intercept that public key and replace it with his own public key and send that on to

4
00:00:20,750 --> 00:00:23,530
Sarah pretending to be Peter.

5
00:00:23,750 --> 00:00:31,220
That means that Sarah believes that traffic coming from Joe Hacker is actually from Peter in this case.

6
00:00:31,280 --> 00:00:39,260
She needs a mechanism to prove that Peter is who he says he is and that he hasn't been replaced with

7
00:00:39,260 --> 00:00:40,180
someone else.

8
00:00:41,660 --> 00:00:46,230
And that allows us to introduce the concept of a certificate authority.

9
00:00:46,310 --> 00:00:54,080
Now in brief the easiest way to understand this is to think of the certificate authority as a trusted party.

10
00:00:54,440 --> 00:01:01,400
When you connect to a website like Amazon.com you trust that website because of a trusted third party

11
00:01:01,400 --> 00:01:10,700
like VeriSign or Thawte. Essentially a certificate authority is introducing Peter to Sarah and allowing

12
00:01:10,700 --> 00:01:17,820
them to receive each other's public keys knowing that that public key actually belongs to that person.

13
00:01:18,870 --> 00:01:26,670
What happens in brief is Peter will send his public key to the certificate authority and the certificate

14
00:01:26,670 --> 00:01:33,510
authority will issue Peter with a certificate stating that the public key contained in the certificate

15
00:01:33,750 --> 00:01:37,100
is actually Peter's public key.

16
00:01:37,620 --> 00:01:44,550
The certificate authority does that by taking some of Peter's information, his public key, hashing

17
00:01:44,550 --> 00:01:52,150
that data and then signing it with the certificate authority's private key, putting that into a certificate

18
00:01:52,300 --> 00:01:59,740
and issuing that certificate to Peter. The certificate authority will do the same with Sarah, taking

19
00:01:59,740 --> 00:02:08,590
Sarah's data, taking her public key, hashing that information and signing it with the certificate authority's

20
00:02:08,590 --> 00:02:10,260
private key.

21
00:02:10,490 --> 00:02:18,800
This whole infrastructure, known as the public key infrastructure or PKI, relies on businesses trusting

22
00:02:19,210 --> 00:02:26,180
the certificates issued by the certificate authority. Before setting up a VPN,

23
00:02:26,200 --> 00:02:28,600
Peter and Sarah will exchange certificates.

24
00:02:28,900 --> 00:02:31,690
So Peter will send his certificate to Sarah.

25
00:02:32,170 --> 00:02:39,070
Sarah trusts the information contained in the certificate from Peter because the certificate has been

26
00:02:39,070 --> 00:02:45,950
signed by a trusted third party, let's say in this case VeriSign, and she trusts VeriSign,

27
00:02:46,880 --> 00:02:56,900
so because Sarah trusts VeriSign and VeriSign trusts Peter, Sarah now trusts Peter. By the same token Sarah

28
00:02:56,900 --> 00:03:06,220
sends her certificate to Peter. Peter trusts Sarah because he trusts VeriSign and VeriSign trusts

29
00:03:06,220 --> 00:03:14,480
Sarah. VeriSign, or whichever certificate authority you use, is the trusted third party allowing for

30
00:03:14,480 --> 00:03:18,440
the secure exchange of public keys.

31
00:03:18,450 --> 00:03:19,960
Now what is IPsec?

32
00:03:20,120 --> 00:03:24,360
IPsec, or IP security, is a network layer protocol.

33
00:03:24,360 --> 00:03:29,990
In actual fact it's a suite of protocols that protects and authenticates IP packets.

34
00:03:30,240 --> 00:03:36,940
It's a framework of open standards that is algorithm independent and thus can use multiple algorithms.

35
00:03:37,640 --> 00:03:40,670
There are three main IPsec protocols.

36
00:03:40,760 --> 00:03:48,050
The first one is Internet Key Exchange or IKE, which provides a framework for negotiating security parameters

37
00:03:48,410 --> 00:03:51,880
and establishing authenticated keys.

38
00:03:51,950 --> 00:03:57,670
A lot of the information I've just covered about pre-shared keys and digital signatures relies on IKE.

39
00:03:57,740 --> 00:04:04,220
We also have Authentication Header or AH, which does not provide encryption but provides authentication

40
00:04:04,310 --> 00:04:05,550
and integrity.

41
00:04:05,930 --> 00:04:11,870
And then thirdly we have what's called Encapsulating Security Payload or ESP, which provides for encryption,

42
00:04:12,050 --> 00:04:15,080
authentication and integrity.

43
00:04:15,110 --> 00:04:18,110
There are two modes that can be used in IPsec VPNs.

44
00:04:18,290 --> 00:04:24,950
The first one is transport mode, where the original IP header of the packet being encrypted is used to

45
00:04:24,950 --> 00:04:26,530
transport the packet.

46
00:04:26,900 --> 00:04:33,380
And the second one is tunnel mode, where the original IP header of the packet being encrypted is not used to transport

47
00:04:33,380 --> 00:04:37,470
the packet; a new IP header is tagged on the front.

48
00:04:37,790 --> 00:04:45,200
So you have double IP addresses. The header used for routing the packets has the IP addresses of the

49
00:04:45,200 --> 00:04:51,700
peer devices involved in the VPN not the originating host and destination host.

50
00:04:51,860 --> 00:04:55,590
So here is an example of a site-to-site VPN.

51
00:04:55,790 --> 00:05:02,230
And we are going to use ESP with tunnel mode, which is very common.

52
00:05:02,240 --> 00:05:07,550
Please note we have a MacBook with an IP address of 10.1.1.1 and a server with an IP address of

53
00:05:07,550 --> 00:05:09,060
10.1.2.1.

54
00:05:09,620 --> 00:05:16,160
But we also have two routers, Router 1 with IP address 1.1.1.1 and Router 2 with IP address

55
00:05:16,170 --> 00:05:22,480
2.2.2.2, and the IPsec VPN is going to be set up between Router 1 and Router 2.

56
00:05:23,090 --> 00:05:28,700
So if we look at the IP headers when the MacBook sends traffic to the server the source address will

57
00:05:28,700 --> 00:05:36,080
be 10.1.1.1 and the destination address will be 10.1.2.1 on the local LAN. That traffic will then be

58
00:05:36,080 --> 00:05:41,360
routed to Router 1. When that traffic is sent through the IPsec tunnel,

59
00:05:41,640 --> 00:05:50,210
notice that all the information, so the data and the original IP headers with source address 10.1.1.1

60
00:05:50,360 --> 00:05:59,330
and destination 10.1.2.1, is encrypted and non-readable on the Internet. An ESP header is tagged onto

61
00:05:59,330 --> 00:06:06,140
the front as well as a new source IP address and destination IP address.

62
00:06:06,140 --> 00:06:13,340
So if Joe Hacker were sniffing packets on the Internet he would see traffic from Router 1 going to

63
00:06:13,340 --> 00:06:14,390
Router 2.

64
00:06:14,450 --> 00:06:18,500
He would not see who was actually involved in the conversation.

65
00:06:19,930 --> 00:06:28,840
When Router 2 receives those encrypted packets, Router 2 will strip off the outside headers, decrypt

66
00:06:28,840 --> 00:06:35,890
the packets as per what we've discussed previously and then send the original packets on towards the

67
00:06:35,890 --> 00:06:36,750
server.

68
00:06:37,060 --> 00:06:43,960
So the source IP address will be 10.1.1.1 and the destination will be 10.1.2.1 if sniffed on the local

69
00:06:43,960 --> 00:06:44,830
LAN.

70
00:06:45,280 --> 00:06:54,150
So this once again is an example of a site-to-site VPN using ESP in tunnel mode.

71
00:06:54,180 --> 00:06:57,710
ESP, if you remember, provides encryption.

72
00:06:58,040 --> 00:07:03,820
So confidentiality, data integrity and authentication.

73
00:07:03,890 --> 00:07:11,770
Notice also that we're using tunnel mode because we have inserted new IP headers. Now when using IPsec

74
00:07:12,030 --> 00:07:15,460
you have various options to choose from.

75
00:07:15,510 --> 00:07:19,510
The first thing to choose is which IPsec protocol you are going to use.

76
00:07:19,790 --> 00:07:26,830
Are you going to use ESP, are you going to use AH, or are you going to use them together?

77
00:07:27,210 --> 00:07:32,450
Now firstly, ESP provides encryption but AH doesn't.

78
00:07:32,490 --> 00:07:34,510
So if you need confidentiality,

79
00:07:34,680 --> 00:07:38,540
don't use AH or Authentication Header by itself.

80
00:07:38,880 --> 00:07:48,740
Use ESP. However, ESP combined with AH provides for stronger authentication and encryption and therefore,

81
00:07:48,740 --> 00:07:55,280
for example in banking environments, they may choose to use both ESP and AH together.

82
00:07:55,700 --> 00:07:58,940
The next thing to choose which I haven't got on the slide is which mode are you going to use.

83
00:07:58,940 --> 00:08:02,740
Are you going to use tunnel mode or are you going to use transport mode.

84
00:08:03,570 --> 00:08:10,920
Please remember if the devices setting up the VPN are not the actual devices communicating, you need to

85
00:08:10,920 --> 00:08:12,380
use tunnel mode.

86
00:08:12,420 --> 00:08:18,960
So in this example because the routers are not the source and destination of the actual traffic they

87
00:08:18,960 --> 00:08:21,380
are configured in tunnel mode.

88
00:08:22,270 --> 00:08:24,650
You need to choose an encryption algorithm.

89
00:08:24,650 --> 00:08:27,360
So are you going to use DES or Triple DES or AES?

90
00:08:27,430 --> 00:08:34,340
It's recommended today to use AES. What authentication and integrity are you going to use?

91
00:08:34,390 --> 00:08:36,970
Is it MD5 or SHA?

92
00:08:37,300 --> 00:08:43,420
Also are you going to use pre-shared keys or are you going to use digital signatures and therefore digital

93
00:08:43,420 --> 00:08:49,680
certificates. Digital certificates are harder to implement but are more scalable.

94
00:08:49,680 --> 00:08:56,070
So for a very small VPN you may use pre-shared keys for authentication but in a large environment you

95
00:08:56,070 --> 00:08:59,530
may decide to use digital certificates.

96
00:08:59,730 --> 00:09:04,290
Which version of Diffie Hellman are you going to use, Diffie Hellman 1 or Diffie Hellman 2 or Diffie

97
00:09:04,290 --> 00:09:06,120
Hellman 5?

98
00:09:06,130 --> 00:09:11,490
Now I'm hoping at this point that you have a good understanding of the various protocols and that's

99
00:09:11,490 --> 00:09:18,160
why I spent a lot of time discussing the various protocols, because if we don't cover the groundwork

100
00:09:18,180 --> 00:09:19,660
the slide will mean nothing.

101
00:09:21,360 --> 00:09:29,130
So what types of VPNs can you expect to encounter? The first type is site-to-site, where you for instance

102
00:09:29,130 --> 00:09:36,870
have a remote office or home office with a local router connecting back to the head office which may

103
00:09:36,870 --> 00:09:41,290
be using a router or ASA or another type of device.

104
00:09:42,140 --> 00:09:51,110
The IPsec VPN tunnel is set up directly between Router 1 and Router 2. The advantage of this is firstly

105
00:09:51,110 --> 00:09:59,870
that the devices like the MacBook and server do not need to run any encryption software. From their point

106
00:09:59,870 --> 00:10:00,860
of view.

107
00:10:01,250 --> 00:10:07,340
It's as if there is a leased line or direct connection between the two LANs.

108
00:10:07,340 --> 00:10:12,960
Another advantage of using IPsec is that because it runs at the network layer of the OSI model,

109
00:10:12,980 --> 00:10:16,120
it can encrypt all higher layer protocols.

110
00:10:16,430 --> 00:10:22,700
So rather than just being able to encrypt, for instance, HTTP, it can encrypt Oracle traffic, SQL traffic,

111
00:10:22,910 --> 00:10:26,670
HTTP traffic and so forth and so on.

112
00:10:26,780 --> 00:10:32,580
The second type of VPN you'll probably encounter is a remote access IPsec VPN.

113
00:10:32,650 --> 00:10:41,470
In this case a remote client like a Windows laptop has installed the Cisco VPN client and a VPN has

114
00:10:41,470 --> 00:10:49,620
been configured and set up between the laptop and the HQ router directly. The advantage of this method is

115
00:10:49,620 --> 00:10:52,110
that the user could be roaming.

116
00:10:52,290 --> 00:10:58,800
So in other words the user could be in a hotel and can connect securely across a public wireless network

117
00:10:58,920 --> 00:11:01,420
in the hotel to the head office.

118
00:11:01,530 --> 00:11:07,070
The user could also be in an internet cafe or a Starbucks or somewhere connecting to a wireless network,

119
00:11:07,180 --> 00:11:12,540
but because they are running the VPN client software their traffic is encrypted and authenticated and

120
00:11:12,540 --> 00:11:19,790
so forth directly from the laptop to the central site router. Here's an example of the Cisco VPN client

121
00:11:19,790 --> 00:11:21,940
software running on my laptop.

122
00:11:22,530 --> 00:11:28,250
All I would need to do to connect back to the office, for instance, would be to double-click on the VPN

123
00:11:28,250 --> 00:11:34,100
entry, put in my authentication information like my username and password, and I'll be able to connect back

124
00:11:34,190 --> 00:11:36,870
to the corporate environment.

125
00:11:36,900 --> 00:11:42,060
The disadvantage of this method is that you have to install the Cisco VPN client.

126
00:11:42,270 --> 00:11:43,710
So it's not clientless.

127
00:11:43,740 --> 00:11:47,770
You have to install a piece of software.

128
00:11:47,990 --> 00:11:55,300
The next type of remote access VPN is an SSL or Secure Sockets Layer VPN. These days there are two variants

129
00:11:55,300 --> 00:12:02,710
of this. The first is the clientless SSL tunnel, where you could be in an internet cafe or somewhere

130
00:12:03,190 --> 00:12:13,460
and you can connect securely to the HQ router without installing any software on your PC or client.

131
00:12:13,470 --> 00:12:18,380
There were some restrictions originally with which applications and protocols could be used.

132
00:12:19,400 --> 00:12:26,990
These days Cisco have something called the AnyConnect client, which allows you to connect via SSL but download

133
00:12:26,990 --> 00:12:32,510
a Java applet that allows more applications to be used through the SSL tunnel.

134
00:12:32,510 --> 00:12:34,810
No software has to be installed locally.

135
00:12:34,930 --> 00:12:41,500
The AnyConnect client can automatically be downloaded and installed when connecting to the central site.

136
00:12:41,510 --> 00:12:43,280
So for this course just be aware.

137
00:12:43,460 --> 00:12:49,200
The advantage of an SSL VPN is that you do not need to install any software.

138
00:12:50,350 --> 00:12:57,590
Now which devices support VPNs? Cisco routers do, and Cisco firewalls like the Cisco ASA do.

139
00:12:57,700 --> 00:12:59,500
There are various clients that can be used.

140
00:12:59,500 --> 00:13:06,330
The first one is the Certicom client, which can be used on wireless PDAs and other devices.

141
00:13:06,330 --> 00:13:12,270
We have a legacy device called the VPN 3002 hardware client, which is a physical device that would be installed

142
00:13:12,270 --> 00:13:18,450
at a remote site but would allow for easy VPN connections back to a central site and then as I've shown

143
00:13:18,450 --> 00:13:25,350
you, you have the Cisco VPN software client. These days you also have the AnyConnect client that can be downloaded

144
00:13:25,380 --> 00:13:28,760
automatically when connecting via an SSL VPN.

145
00:13:29,130 --> 00:13:36,940
So to sum up, what are the benefits of using VPNs? A major driver for VPNs is cost savings, because VPNs are

146
00:13:36,940 --> 00:13:38,110
compatible

147
00:13:38,940 --> 00:13:46,050
with broadband technologies like DSL and cable. Rather than having to install expensive leased lines

148
00:13:46,560 --> 00:13:52,440
to other private networks, a virtual private network can be established across a public infrastructure

149
00:13:52,440 --> 00:14:01,560
like the Internet. VPNs provide security in that they provide encryption, authentication, data integrity,

150
00:14:01,650 --> 00:14:10,390
non-repudiation, anti-replay protection and so forth. And VPNs are very scalable; VPNs can scale to

151
00:14:10,390 --> 00:14:11,980
many many countries.

152
00:14:11,980 --> 00:14:15,880
And I've been involved in VPNs that spanned 50 countries.

153
00:14:15,880 --> 00:14:22,720
Now at this level you're not expected to know how to configure and set up IPsec VPNs, but

154
00:14:22,720 --> 00:14:29,140
I'm going to demonstrate the setup of an IPsec VPN by using the VPN config generator, which you

155
00:14:29,140 --> 00:14:32,640
may have got depending which package you've purchased.

156
00:14:32,670 --> 00:14:39,690
So let's look at setting up a site-to-site VPN between Router 1 and Router 2 with networks 10.1.1.0

157
00:14:39,690 --> 00:14:42,580
and 10.1.2.0

158
00:14:42,690 --> 00:14:49,810
as private networks that need to be encrypted. So launch the site-to-site VPN wizard.

159
00:14:50,070 --> 00:14:56,010
In our example both sides of the IPsec tunnel are routers, so click next.

160
00:14:56,010 --> 00:14:59,890
In this case we are requiring IPsec encryption.

161
00:14:59,980 --> 00:15:04,570
So we are going to go for an encrypted tunnel.

162
00:15:04,570 --> 00:15:11,510
We are not running dynamic routing protocols or multicasting etcetera, so click next. In our example it's

163
00:15:11,510 --> 00:15:19,930
just the case that we're using static IP addresses on both sides and not dynamic IP addresses, so click

164
00:15:20,010 --> 00:15:20,600
next.

165
00:15:22,860 --> 00:15:25,540
So this is sort of what our diagram looks like.

166
00:15:25,650 --> 00:15:36,280
We're going to encrypt traffic from 10.1.1.0 going to 10.1.2.0, and the two router addresses are

167
00:15:36,510 --> 00:15:38,610
1.1.1.1 and 2.2.2.2.

168
00:15:40,160 --> 00:15:41,830
And when setting up IPsec

169
00:15:42,670 --> 00:15:44,620
you've got to specify your IKE,

170
00:15:44,670 --> 00:15:47,130
or ISAKMP, options.

171
00:15:47,170 --> 00:15:53,960
So for example let's be really secure and go for AES 256.

172
00:15:54,180 --> 00:15:56,250
In this example we are going to use pre-shared keys.

173
00:15:56,250 --> 00:16:03,300
I'm just going to leave that at Cisco 2:59 and then I'm going to click on the generate button, and this

174
00:16:03,300 --> 00:16:05,750
is what that configuration would look like.

175
00:16:06,150 --> 00:16:10,120
You have to create an access list specifying which networks are going to be encrypted.

176
00:16:10,230 --> 00:16:13,080
This is known as an interesting traffic access list.

177
00:16:13,840 --> 00:16:20,860
So traffic from 10.1.1.0 to 10.1.2.0 would be encrypted, because we're looking at Router 1's side

178
00:16:20,860 --> 00:16:23,100
of the configuration.

179
00:16:23,130 --> 00:16:28,070
Now notice here we are using MD5 hashing; we could change that to use SHA.

180
00:16:28,290 --> 00:16:37,670
We're using AES 256 encryption, we're using Diffie Hellman group 2, we're using pre-shared authentication.

181
00:16:39,930 --> 00:16:41,800
Notice when talking to Router 2

182
00:16:41,850 --> 00:16:47,890
we're using a password of Cisco 2:59. From an IPsec point of view,

183
00:16:48,160 --> 00:16:50,090
we're using ESP.

184
00:16:50,700 --> 00:16:51,470
Yes.

185
00:16:51,490 --> 00:17:01,480
So Encapsulating Security Payload using AES with MD5, and we're using tunnel mode. We are specifying

186
00:17:01,480 --> 00:17:09,500
who our peer is for IPsec, and we are binding the access list so the router knows which networks should be encrypted

187
00:17:09,950 --> 00:17:10,870
and so forth.

188
00:17:11,120 --> 00:17:17,870
I hope that gives you an idea of how to configure an IPsec VPN. Once again, for CCNA

189
00:17:17,960 --> 00:17:23,420
it's not expected that you know this configuration, but I've just put it in for completeness. On Router

190
00:17:23,450 --> 00:17:24,070
2.

191
00:17:24,290 --> 00:17:27,810
we just have a mirror image of that configuration.

192
00:17:27,830 --> 00:17:32,780
So notice the same password but going to IP address 1.1.1.1.

193
00:17:33,350 --> 00:17:39,770
So what have we covered? We looked at an overview of VPNs, I explained various VPN components,

194
00:17:39,770 --> 00:17:46,010
we discussed IPsec, and we discussed a lot of options including encryption, authentication and integrity.

195
00:17:46,010 --> 00:17:50,720
Please remember that at this course's level you're not expected to know commands, but you are expected to have

196
00:17:50,720 --> 00:17:56,400
an appreciation and an understanding of the various IP VPN technologies.

197
00:17:56,420 --> 00:17:57,220
Thank you for watching.
