How VPNs work

Posted in #technology, 7 years ago (edited)

To continue my guides on networking, this post will cover VPNs. Many people with basic technical knowledge understand the basic concept of a VPN. In the simplest terms, a VPN is simply connecting one host to another network, either to access the resources on that network or to route through that VPN server/router for security purposes, which also allows clients to bypass any restrictions. Generally speaking there are 2 kinds of VPNs: SSL and IPsec. They both have the same idea of connecting a host to a designated server/router, however the way they go about doing it is different. SSL is generally used for end devices such as laptops or phones, and is usually used for individual employees working remotely. IPsec is generally set up at a site-to-site level. So if a company has multiple offices in different locations, they will connect their sites over an IPsec VPN, allowing them to share resources across offices.

IPsec is configured on two routers (usually firewalls) at the end points of the sites; these routers must be configured with each other's peer IPs. Added to this, every time a new tunnel is created a VPN map needs to be added to the ACL rules, and an encryption domain with the allowed subnets needs to be configured as well. Note this needs to be done for EVERY single IPsec tunnel created. Referring back to the post I made about the OSI model, IPsec runs on the network layer (layer 3). Some of you may have already realized the issue with IPsec: it requires a lot of configuration and is a nightmare to set up for multiple clients, and wouldn't be feasible for every new employee and each of their devices. Imagine if one of them got a laptop replaced, or quit: you would have a massive list of rules and configuration that would need to be added and removed all the time.
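To make the per-tunnel configuration burden concrete, here is an added Python model (my own example, not code from the original post and not any vendor's configuration syntax) of what each router must hold for a site-to-site IPsec mesh: a peer IP and an encryption domain (local/remote subnet pairs) per tunnel. It also shows the "interesting traffic" check that decides whether a given flow belongs in a tunnel at all, which is what the encryption domain ACL does. The site names, public IPs (RFC 5737 documentation ranges) and LAN subnets are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class IpsecTunnel:
    """One tunnel as seen from a single router: the peer's public IP plus the
    encryption domain (which local subnets may talk to which remote subnets)."""
    name: str
    peer_ip: str
    local_subnets: tuple
    remote_subnets: tuple

    def matches(self, src: str, dst: str) -> bool:
        # "Interesting traffic": the source must sit in one of our local subnets
        # AND the destination in one of the peer's remote subnets. Anything else
        # is not protected by this tunnel.
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return (any(s in ipaddress.ip_network(n) for n in self.local_subnets)
                and any(d in ipaddress.ip_network(n) for n in self.remote_subnets))


def select_tunnel(router_tunnels, src: str, dst: str):
    """Return the name of the first tunnel whose encryption domain covers the flow,
    or None when no tunnel matches (the flow would then follow normal routing,
    i.e. leave the router unencrypted unless another policy blocks it)."""
    for tunnel in router_tunnels:
        if tunnel.matches(src, dst):
            return tunnel.name
    return None


def full_mesh_tunnel_count(num_sites: int) -> int:
    """Tunnels needed so every site can reach every other site directly: n(n-1)/2.
    Each tunnel means a peer entry, a crypto map and an ACL on BOTH routers."""
    return num_sites * (num_sites - 1) // 2


def build_full_mesh(sites: dict) -> dict:
    """sites maps a site name to (public_ip, lan_subnet). Returns, per router, the
    list of tunnels that router has to carry; every tunnel appears twice, once
    from each end's perspective, because both routers need mirrored config."""
    configs = {name: [] for name in sites}
    for a, b in combinations(sites, 2):
        a_ip, a_lan = sites[a]
        b_ip, b_lan = sites[b]
        configs[a].append(IpsecTunnel(f"{a}-{b}", b_ip, (a_lan,), (b_lan,)))
        configs[b].append(IpsecTunnel(f"{b}-{a}", a_ip, (b_lan,), (a_lan,)))
    return configs


def total_tunnels(configs: dict) -> int:
    """Distinct tunnels in a mesh built by build_full_mesh (each counted once)."""
    return sum(len(tunnels) for tunnels in configs.values()) // 2


# Constructed sample sites (documentation address ranges, not real networks).
SITES = {
    "HQ":      ("203.0.113.1",  "10.1.0.0/16"),
    "Branch1": ("198.51.100.1", "10.2.0.0/16"),
    "Branch2": ("192.0.2.1",    "10.3.0.0/16"),
}

if __name__ == "__main__":
    configs = build_full_mesh(SITES)
    for router, tunnels in configs.items():
        print(f"{router}: {len(tunnels)} tunnel(s) to configure")
    print("distinct tunnels:", total_tunnels(configs))
    print("HQ -> Branch1 flow uses:", select_tunnel(configs["HQ"], "10.1.5.5", "10.2.9.9"))
    print("HQ -> internet flow uses:", select_tunnel(configs["HQ"], "10.1.5.5", "192.0.2.99"))
    # Adding a fourth site to the mesh means n-1 brand new tunnels, each touching
    # two routers; this is the scaling problem the post describes.
    print("tunnels for 4 sites:", full_mesh_tunnel_count(4))
```

The point of `select_tunnel` returning `None` is worth dwelling on from a defender's view: a flow that falls outside every encryption domain is not an error, it is simply routed in the clear, so a typo in one subnet of one tunnel silently leaks that traffic. Checking that every expected subnet pair resolves to a tunnel is a cheap sanity test to run whenever a site is added or removed.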

Enter SSL VPN. SSL generally runs at the browser level, which, as some of you might have guessed, means SSL runs at layers 4-7 (transport up to application) depending on the kind of implementation. SSL has become the go-to method of setting up tunnels due to its ease of use as well as its scalability. SSL allows VPN connections to be created and turned off in real time with little to no headache. If you've ever worked in corporate life you might be familiar with the popular Cisco AnyConnect; while it can use both SSL and IPsec, companies usually use SSL. SSL in general is not as secure, and due to regulation concerns many companies are forced to use IPsec between sites. SSL has been known to have multiple security vulnerabilities over the years and in fact is on its way out in favor of TLS. Many of the vulnerabilities in SSL wouldn't have been possible under IPsec simply because of the different layers IPsec and SSL operate at.

SSL has its place, and it excels at allowing employees to connect into the company network. IPsec, as you can probably guess by now, excels at site-to-site VPN tunnels and ensures better security over the tunnels; however, it requires more technical knowledge, and things can get complicated when you have multiple tunnels running and you start getting ACLs involved.

I hope everyone is enjoying these networking posts. If there is a particular topic you would like me to cover, please message below and let me know.