Cisco CCIE Security 350-701 – Remote Access VPN

  1. Remote Access VPN

Remote Access VPNs. A Remote Access VPN allows a user to connect remotely to a corporate network, through a VPN gateway that is typically a router or a firewall, and access the resources in the LAN as if he were sitting in the LAN. Technically the user may be in a different place, maybe sitting at home or somewhere outside the city for some work, but using a Remote Access VPN he can connect to the corporate network and securely access the resources as if he were sitting in the LAN. There are two different options to do that: we can use either IPsec or SSL.

With IPsec, we install some IPsec VPN client software on the PC, and this allows the user to connect to the VPN gateway, typically a router or a firewall, and then access the resources of the corporate network. The tunnel is built with the help of the IPsec protocols, much like a site-to-site VPN. But IPsec VPNs are more commonly used for site-to-site connections; in today’s networks they are not the preferred option for Remote Access VPNs. So we have an alternate way to connect, using SSL VPNs.

An SSL VPN allows a user to connect to the gateway remotely through a web browser: any web browser can be used to connect to the gateway and access the resources through it, typically basic web applications. So you don’t need to install any client, just use the web browser. But the user can also install software like the AnyConnect client, which is used for a full tunnel mode where the user can actually access all the resources in the LAN remotely. So there are two different ways Remote Access VPNs can be implemented: either using IPsec VPN, which is the older way of doing things and is still supported, or, most commonly in today’s networks, using SSL VPN.

  2. What is SSL-TLS

SSL stands for Secure Socket Layer. It is a technology used for establishing an encrypted connection while a user is accessing a web server through a web browser. Typically, if you are accessing any of the banking websites, you see something like HTTPS. That is an HTTP connection secured by the SSL protocol. SSL provides encryption, which means all the web traffic for that web page is secured with strong encryption algorithms. So that’s what HTTPS refers to: HTTP over SSL.

It is a protocol that was initially developed to secure web traffic, and we still use it for most web transactions. It was developed by Netscape in 1994, mainly for securing web transactions. There are different versions of SSL: 1.0, 2.0 and 3.0. SSL 3.0 was deprecated in June 2015 by RFC 7568. In today’s networks we use something called TLS, Transport Layer Security, which is nothing but an updated version of SSL. So after SSL 1.0, 2.0 and 3.0, the later versions are referred to as TLS. Even though the name has changed to Transport Layer Security, most of the time we still refer to it as SSL, but it was standardized by the IETF under the name TLS. Currently there are different versions of TLS, like 1.0, 1.1 and 1.2, while 1.3 is still in the draft stage.

You can go to Wikipedia to see the basic differences between the different versions of SSL and TLS. SSL/TLS is commonly used for securing web traffic, but in today’s networks it is not only used for web traffic: it is also used for securing SNMP over SSL, IMAP or POP3 (the applications used for email), FTP connections, or LDAPS. Our focus here will be on VPN traffic, because we’ll be using Remote Access VPNs, and for Remote Access VPNs we’ll be using SSL or TLS instead of IPsec.

  3. How SSL-TLS Works

An SSL or TLS session works in two phases, much like the IPsec VPNs we discussed. The first phase is establishing a secured channel, or secured tunnel, between the two endpoints, over which the data plane will run. By default it is established on port 443, which can also be changed. Once the secure tunnel is established, the next phase is the actual forwarding of the traffic securely over the SSL/TLS tunnel. The traffic, the data, can be a user opening an HTTPS connection, or it can be a VPN, or some other application like IMAPS or SNMP over SSL, or any of the traffic I discussed in the previous sessions. In both phases TLS (or SSL) uses something called the Record Protocol, and this Record Protocol is responsible for securing the application data using the keys negotiated during the handshake process.

This Record Protocol is responsible for breaking the outgoing messages into blocks when sending and reassembling those blocks on the receiving side, just like fragmentation and reassembly; for compressing the outgoing messages and decompressing them on the receiving side; and then for applying hashing algorithms for integrity and encryption algorithms when sending, and on the receiving side verifying and decrypting the information. So in simple words, the Record Protocol is responsible for securing the application data, using different algorithms that we’ll talk about anyway. The main thing is that this protocol is responsible for securing the application data between the two endpoints.

Now, the first phase, the tunnel negotiation, is further divided into four steps. First, they need to negotiate the SSL or TLS version to use. Both the SSL client and the server have to agree on a common version, because the algorithms and other capabilities supported depend on the version negotiated. So they will be using either SSL 1.0, 2.0 or 3.0, or TLS 1.0, 1.1 or 1.2, depending on what both support. Once they have successfully negotiated the version, the next step is to authenticate each other. The server needs to get authenticated, and the server is typically authenticated using digital certificates (these are some of the supported algorithms). The client may be authenticated based on digital certificates, or based on the username and password entered at login, or in general you might use both methods. So first they negotiate the SSL/TLS version, then they authenticate each other. The final two steps of the tunnel negotiation are negotiating the keys and negotiating the algorithms. The key negotiation is very similar to IPsec key management, using some kind of Diffie-Hellman algorithm as in IPsec phase one.

If you remember, in IPsec they need to negotiate the keys, and they do it using Diffie-Hellman algorithms. Similarly here, in the fourth step they negotiate the algorithms they will use, and these algorithms are used for securing the data plane traffic. But in order to use the algorithms they need keys, and the keys are negotiated in the third step. Typically the supported algorithms are Diffie-Hellman, RSA, or Elliptic Curve Diffie-Hellman; any one of these will be used for negotiating the keys. Once they successfully negotiate the keys, the next step is negotiating the algorithms they are going to use for securing the data plane traffic: which encryption algorithm they will use, and which integrity or hashing algorithm they will use to secure the data plane traffic in the next phase.

So these are the four sub-steps in the first phase. Technically there is no phase one and phase two here like in IPsec, but to negotiate the SSL tunnel they need to negotiate the versions, authenticate each other (server and client), negotiate the key exchange and then negotiate the algorithms that will actually be used for securing the data plane traffic. Finally, once they have negotiated these things and built a secure tunnel between the two endpoints, you actually secure your data over this SSL/TLS tunnel that was established previously. Once the tunnel is built, all the data needs to be protected, using the algorithms negotiated in the previous step. The data transfer can be either TCP or UDP.

When the client connects, the data transfer can use TCP or UDP, depending on the type of traffic. It is a bidirectional tunnel created between the two endpoints. In general, for TCP-based applications it uses either SSL or TLS; SSL, again, meaning the 1.0, 2.0 and 3.0 versions, which are deprecated, and SSL only supports TCP-based traffic. Whereas with TLS you also have DTLS, Datagram TLS, which builds DTLS tunnels that are mainly used for UDP traffic. UDP traffic is connectionless, has less overhead and no acknowledgments, which makes it more suitable for real-time traffic like multicasting or any kind of video conferencing application.

Basically SSL works the same way: initially the client sends a hello in which it proposes the versions, the different algorithms it can use and the compression methods, and then the server replies with its own hello in which these things are agreed.
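To make the hello negotiation and the record header described above concrete, here is an added example in Python (not part of the course material) that builds a constructed ClientHello, parses the record header plus the versions, cipher suites and compression methods it offers, and applies the checks a VPN gateway operator would want: refusing deprecated SSL/TLS versions, RSA key transport without forward secrecy, and TLS compression. The byte layout follows the TLS record and handshake formats; the sample values are constructed here, not captured from a real client.

```python
import struct

# Added example, not from the course: the sample ClientHello below is constructed
# with build_client_hello(), not taken from a real capture.
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
DEPRECATED_VERSIONS = {0x0300, 0x0301, 0x0302}   # versions a gateway should refuse today
SUPPORTED_VERSIONS_EXT = 0x002B                  # TLS 1.3 clients list versions here
RSA_KEY_TRANSPORT_SUITE = 0x002F                 # TLS_RSA_WITH_AES_128_CBC_SHA, no forward secrecy
ECDHE_SUITE = 0xC02F                             # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

def build_client_hello(versions, suites, compression=b"\x00"):
    """Wrap a ClientHello (handshake type 1) in a TLS record (content type 22)."""
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"   # legacy version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += bytes([len(compression)]) + compression
    sv = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(sv)) + sv
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs

def parse_client_hello(data):
    """Return the versions, cipher suites and compression methods a client offers."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", data[:5])   # record header
    hs = data[5:5 + rec_len]
    if ctype != 0x16 or hs[0] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 4                                                       # handshake type + 3-byte length
    legacy_ver = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2 + 32 + 1 + hs[p + 34]                                # version, random, session id
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]; p += cs_len
    comp_len = hs[p]; compression = list(hs[p + 1:p + 1 + comp_len]); p += 1 + comp_len
    versions = [legacy_ver]                                     # pre-1.3 clients state only this
    if p + 2 <= len(hs):                                        # extensions are optional
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]; p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4]); p += 4
            if etype == SUPPORTED_VERSIONS_EXT:
                versions = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p + 1, p + 1 + hs[p], 2)]
            p += elen
    return {"record_version": rec_ver, "versions": versions,
            "suites": suites, "compression": compression}

def gateway_findings(hello):
    """Policy checks a VPN gateway operator would apply before accepting the client."""
    findings = [f"deprecated {VERSION_NAMES[v]} offered"
                for v in hello["versions"] if v in DEPRECATED_VERSIONS]
    if RSA_KEY_TRANSPORT_SUITE in hello["suites"]:
        findings.append("RSA key transport suite offered (no forward secrecy)")
    if any(c != 0 for c in hello["compression"]):
        findings.append("TLS compression offered; modern gateways disable it")
    return findings
```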

  4. What is SSL VPN

Next we’ll try to understand what an SSL VPN is. In the previous sessions we talked about the SSL/TLS protocol, which is mainly used to secure the connection between a client and a server. Typically this protocol is used for securing web traffic, which is its most common use, for web access. But here our main focus will be on using the same SSL/TLS for remote access, the Remote Access VPNs. The goal is to connect a user who is at a remote place, maybe sitting at home, or maybe outside for some work.

We want the user to be able to connect to our gateway, that is our router or ASA firewall, and then access the resources in our corporate network. This is what we call a Remote Access VPN. For remote access VPNs we can use either IPsec or SSL, and here our focus will be on establishing remote access VPNs using SSL. The process and the steps are almost the same as we discussed earlier.

Whether you are establishing an HTTPS connection or a VPN connection, the protocols, the algorithms and the steps remain the same. But the main focus here will be on using SSL for remote access VPNs over the Internet. It is an alternative to IPsec remote access VPNs, because in today’s networks we still commonly use IPsec for site-to-site VPNs.

But for remote access we prefer SSL VPN. Why? Maybe in some countries you have Internet access only for HTTP and HTTPS; in that case the service providers filter the IKE, ESP and AH protocols over the Internet, so you cannot use remote access VPNs with IPsec. If you have a limitation like that, where the service providers don’t allow you to use these protocols over the Internet, SSL VPN is more applicable. Or maybe you just want remote access through a web browser without actually installing any software.

If you use IPsec for remote access VPNs, you need to install IPsec VPN client software, the configuration on the devices is slightly more complicated, and there is slightly more overhead as well. Whereas with SSL VPNs, for basic access you don’t need to install any client; you just need a web browser, which lets you connect to the gateway and access most of the web-based resources, using what is called a clientless VPN.

Which devices support SSL VPN? Most vendors support SSL VPNs, including Cisco, which supports SSL VPN for remote access. Typically on Cisco devices we use IPsec for site-to-site VPNs, and for remote access VPNs we prefer SSL over IPsec. Some vendors may also use SSL for site-to-site VPNs, but Cisco doesn’t support SSL for site-to-site, so here we’ll be using SSL only for remote access. Cisco supports this on both IOS routers and ASA firewalls. Which means, when you’re connecting from an SSL client.

  5. SSL VPN – Modes

SSL VPN can be configured in three different modes. Basically, though, there are two modes: one is clientless mode and the second is client mode, which we also call tunnel mode. The basic difference is in clientless mode, when we try to establish a VPN connection to my gateway, maybe a router or an ASA firewall.

In clientless mode, the device we use as the VPN client does not have any application installed; we just use a web browser. In the web browser I type the URL or a specific IP address, whatever the IP of the gateway is, I connect to my gateway, and I can access the resources of the company network, but only the web-based applications. Not all of them; it supports only some of the web-based applications. You cannot access each and every application, and you cannot access any server remotely. But most of the web-based applications work. It is browser-based, where you don’t need any kind of software installed.

You can access HTTP and HTTPS applications, like accessing email through a web browser, maybe Outlook Web Access over HTTP or HTTPS. You can also do some file sharing, as long as it is based on a web server, where you have a portal page with a list of file servers, you can browse the network, and you can do a lot of tasks. It depends on how you configure the particular VPN gateway or the servers. So this is what we typically call clientless mode. Whereas in client mode, also referred to as tunnel mode, we use a VPN client: we install a software called the Cisco AnyConnect VPN client.

Then we connect to our VPN gateway, and it establishes a full tunnel between the two endpoints, which allows you to access all the resources on the network. It’s almost as if you are sitting in the LAN rather than at home. So tunnel mode, the full client mode, gives you access to everything, but again you need to install some software, the VPN client, the next-generation SSL VPN client. It allows a client to get network-level access to virtually anything.

You might be sitting at home, but virtually it looks as if you are sitting in the office, and you can access all the resources as if you were in the office. So basically you can either use clientless mode, where you just need a web browser to access most of the web-based applications, or you can get full access by using client mode, the tunnel mode. In between these there is an intermediate mode: in some documentation you see three modes, but basically there are two, because the intermediate mode is actually an extension of the first one. That second one is called thin client mode, also known as port forwarding or smart tunnels.

In thin client mode, once a user connects through a web browser in clientless mode, we can configure the gateway with some additional features like port forwarding or smart tunnels. Port forwarding is the older method; smart tunnels allow you to access some TCP-based applications. You create bookmarks on the VPN gateway, typically through the graphical interface on the ASA or on the router. For example, say I want to allow a user to telnet to my switch: I create a bookmark saying “telnet to switch one”, and whenever the user clicks on this bookmark, it initiates a telnet connection to the switch.

So additional applications like Telnet, SSH, POP3, SMTP or IMAP can be supported, apart from the web-based applications, by using thin client mode. So generally we can say there are two modes, but since most of the documentation refers to three modes, we will go with three modes. The first is clientless mode, where a user just uses a web browser to connect and most of the web-based applications are allowed.

And if you want to allow some TCP applications along with the web-based applications, we can configure thin client mode, which is an extension of clientless mode. Thin client mode allows you to access some TCP applications by adding additional features like port forwarding and smart tunnels, or by downloading a Java applet. It is a lengthy process that I’ll discuss in more detail when we get into the individual modes.
