Building Secure Virtual Private Networks

Course Code: 375      Days: 4

Course Overview

VPNs can provide significant business benefits by allowing remote users and multiple sites to communicate securely across shared networks, including the Internet. IPsec and SSL provide the technology to implement secure VPNs.

You learn to apply the standards and technologies required to build secure VPNs. In hands-on exercises, you configure client software, server operating systems, IPsec-enabled routers, firewalls and SSL clients.

Audience

This course is valuable for those involved in selecting, implementing or auditing secure solutions for access into the enterprise. Course 450, "Introduction to Networking", or equivalent experience is assumed. Knowledge of information assurance issues at the level of Course 468, "Introduction to System and Network Security", is helpful.

Skills Gained

  • Design, install and configure secure virtual private networks (VPNs)
  • Employ tunnelling to create wide area links across shared networks
  • Secure site-to-site VPNs with IP Security Protocols (IPsec)
  • Apply IPsec and SSL to safeguard remote-access VPNs
  • Authenticate VPN users and gateways with certificates
  • Incorporate VPNs into your existing network architecture

Course Outline

Introduction and Overview

VPN scenarios

  • Connecting remote users
  • Business partners
  • Branch offices
  • Hub and spoke architecture
  • Fully meshed topology
  • Comparing trusted and secure VPNs

VPN comparisons

  • Legacy VPNs
  • IP VPNs
  • Trusted VPNs
  • Secure VPNs
  • MPLS
  • Tunnelling
  • IPsec
  • SSL

Information assurance requirements

  • Privacy
  • Data confidentiality
  • Data integrity
  • Authentication
  • Maintaining availability
  • Role of cryptography

Building VPN Tunnels

Comparing tunnelling types

  • Compulsory
  • Voluntary
  • Layer 2
  • Layer 3

Implementing site-to-site tunnels

  • Generic Routing Encapsulation (GRE)
  • Defining MTU, routing and security issues
  • Allowing Internet access

Creating tunnels for access VPNs

  • L2F
  • PPTP
  • Layer 2 Tunnelling Protocol (L2TP)
  • Implementing PPP authentication
  • Selecting PAP, CHAP or EAP
  • RADIUS servers

Applying Cryptographic Protection

Hashing

  • Message digests
  • MD5
  • SHA1
  • Keyed message digests
  • HMAC
  • Checking integrity and authenticity

Symmetric encryption

  • DES
  • 3-DES
  • AES
  • CBC mode and IVs
  • Shared secrets

Asymmetric cryptography

  • Diffie-Hellman (DH) key agreement
  • Public and private keys
  • RSA
  • Authentication with public key encryption

Managing certificates and PKI

  • Certification authorities
  • Digital signatures
  • Enrolling VPN devices

Implementing IP Security

Securing IP

  • Building security associations
  • IPsec modes
  • Deploying security gateways
  • Packet formats
  • ESP
  • AH

Applying transport mode

  • Securing existing tunnels
  • Applying IPsec to GRE and IPIP
  • IPsec and L2TP

Building tunnels with IPsec

  • Applying tunnel mode
  • Employing IPsec filters
  • Harnessing pure IPsec for access VPNs

Managing keys for IPsec

  • IKE (Internet Key Exchange)
  • Distinguishing IKE modes and phases
  • IKE security associations
  • Extensions for access VPNs
  • Xauth
  • Mode configuration

Deploying Virtual Private Networks

The enterprise hub

  • Employing VPN concentrators
  • Integrating firewalls
  • Controlling access
  • Comparing intranets and extranets

Connecting branch offices

  • Using VPN-capable routers
  • VPN hardware
  • Exploring operating system solutions

Supporting remote users

  • Deploying client software
  • Split tunnelling
  • Clientless (SSL) VPNs
  • Remote management
  • Surmounting Network Address Translation (NAT) issues
  • IPsec over wireless LANs

