Virtual private networks, or VPNs. In this lesson, we're going to dive deeper into VPNs, known as virtual private networks, and we're going to cover all the things you need to know about a VPN for your exam. First, what is a VPN? Well, a VPN is a virtual private network, and it's going to be used to extend a private network across a public network and enable users to send and receive data across that shared or public network as if their computing devices were directly connected to the private network. Now, with a VPN, your users can work in a remote office or work from home, and they can telecommute simply by logging into their laptop and establishing a secure VPN tunnel to the organization's network, regardless of where it sits in the world. To do this, they're going to connect to a VPN device sitting at the headquarters data center, and then they're going to establish a secure tunnel using a VPN protocol in order to allow a secure connection for that corporate user over an untrusted or public network, something like the internet.

Now, this allows them to then reach into the corporate network and be connected to the intranet as if they were sitting right at their desk in their office. VPNs can be configured as a site-to-site VPN, a client-to-site VPN, or a clientless VPN. With a site-to-site VPN, we can connect two offices together. With a client-to-site VPN, we're more concerned with connecting a single remote user back to a corporate network, as I described earlier with the user who needed to telecommute. When we talk about a clientless VPN, these are usually going to be used with web browsing.

Alright, let's dive a little bit deeper and talk about a site-to-site VPN. Now, a site-to-site VPN is used to interconnect two sites and provide an inexpensive alternative to dedicated leased lines. For example, let's pretend I have a branch office in California and my headquarters is in Washington, DC. Now, if I want to be able to connect my remote regional office in California to my headquarters office in Washington, DC, I could buy a dedicated leased line from a telecommunications provider, and they would give me a direct connection that covers over 3,000 miles in distance between these two sites. Even if I got a low-speed T1 connection, this would be very expensive. Now, on the other hand, I could use a site-to-site VPN and I can save a lot of money. Instead of using that dedicated leased line, I could simply create a VPN tunnel from the regional office back to the headquarters over the public internet using the internet connectivity that's already in that office. This solution might cost me $50 or $100 per month for a standard cable modem or a fiber modem service from the local ISP. Once that VPN tunnel is established, it's going to take all the traffic from the regional office in California and run it back to the headquarters in Washington, DC over the internet within this secure tunnel. And then, once it gets to Washington, DC, it's going to be decrypted and put back inside of my corporate network.

Now, when a California user wants to go to google.com, for instance, that data's going to go from California to Washington, DC, out the Washington, DC office's internet connection to visit that website, get the information, send it back to the Washington, DC office's internet connection, and then back through the VPN to that California user, where they'll be able to view the website they requested. By using this site-to-site VPN, all the traffic that goes back and forth between California and Washington is going to be encrypted and secure, so no one can see the internal network traffic that's going through this external public internet connection.

Now, when we deal with a client-to-site VPN, on the other hand, we're going to be sending data from a single host like a laptop or cell phone or smartphone or tablet, and connecting it back to our headquarters office. This is going to be done instead of going from router to router; we're going from client to router. This allows a remote user to be able to connect back to the head office, and that's why we call it a client-to-site.

Now, in addition to site-to-site and client-to-site VPNs, we also have to decide whether or not we're going to use a full tunnel or a split tunnel VPN configuration. Both full tunnel and split tunnel VPNs can be used with either a site-to-site or client-to-site model. Now, a full tunnel VPN is usually used by default in most organizations, and it's what I described earlier. With a full tunnel VPN, we're going to route and encrypt all the traffic requests through the VPN connection back to the headquarters, regardless of where the destination of that service is located. This is considered more secure. But when we're connected using a full tunnel, the clients are considered to be fully part of the headquarters network when they're connected. This means if you're trying to access a local area resource like a wireless printer in your home office, you're not going to be able to do that, because that wireless printer in your home office is not connected to the headquarters network like your laptop is over that client-to-site VPN. Conversely, though, you could still print to the printers in the headquarters office even if you're connected using a full tunnel VPN, because you could be sitting in a hotel room halfway around the world, but logically, you're still sitting in your office at the corporate headquarters.

Now, a split tunnel VPN, on the other hand, is going to divide your traffic and network requests and then route them to the appropriate connection or network. With a split tunnel VPN, we're going to route and encrypt the traffic bound for the headquarters over the VPN, and we're going to send all the other traffic out the regular internet. So let's pretend that I'm using a client-to-site VPN on my laptop with a split tunnel configuration from my home office. The VPN here is going to decide which traffic goes back over the VPN and gets sent over to the headquarters, and what traffic goes over the internet. So if I'm trying to access a file server or a Microsoft Exchange mail server that's back on the headquarters network, those packets will get encrypted and routed over the VPN to the headquarters. But if I need to attend a Zoom conference or access Office 365, or traffic outbound for the internet, I'm simply going to bypass that encrypted VPN connection and go directly out my internet connection to those public websites. Now, this is why we call it a split tunnel, because we have an encrypted VPN tunnel for traffic that needs to go to the headquarters, and another unencrypted tunnel that takes a direct path out to the internet from your ISP.

The challenge when using a split tunnel is that they can be less secure, because there is a possibility that an attacker could connect to your device over that unencrypted internet tunnel, and then they could pivot through your laptop and send data over the VPN back to the headquarters network. For this reason, if you're connecting the VPN over an untrusted network like Wi-Fi at a hotel or a coffee shop, you should never use a split tunnel, and instead, you should be using a full tunnel. Now, a split tunnel does give you better performance, because it's going to route all your internet-based traffic directly to those servers and bypass the entire company headquarters network. So, as you see, it becomes a trade-off between security and performance. If you want more security, use a full tunnel VPN. If you want better performance, use a split tunnel VPN.

So at this point, we've talked about two main types of VPNs: a site-to-site VPN and a client-to-site VPN. But there is one more type of VPN that we need to discuss, and it's known as a clientless VPN. Now, a clientless VPN is used to create a secure, remote-access VPN tunnel using a web browser without requiring any software or hardware clients to be used. In fact, using this type of VPN is something you do every day without even knowing it. A clientless VPN is used by your web browser when it makes a secure connection to an e-commerce or other secure website using HTTPS. This can be done using an SSL or TLS tunnel by using those protocols. Now, SSL, or the Secure Sockets Layer, is going to provide cryptography and reliability using the upper layers of the OSI model, specifically layers five, six, and seven. In recent years, SSL has become a bit outdated and less secure. So most clientless VPNs are now using TLS, which is Transport Layer Security, to provide secure web browsing over HTTPS. So when you logged into this website to watch this video, you had to enter your username and password, and you saw that little green padlock in the upper left corner of the address bar. That's how you knew you had a secure connection using HTTPS. That means you are using either SSL or TLS to create that secure clientless VPN tunnel from your web browser and your computer to my servers so you can pull these videos.

Now, SSL and TLS both use TCP to establish their secure connections between a client and a server, but this can slow down your connection, because TCP has a lot more overhead than a UDP connection does. So if you want, you can instead opt to use DTLS, or Datagram Transport Layer Security, which is essentially a UDP-based version of the TLS protocol. This provides the same level of security as TLS, but it does operate a bit faster, because there's less overhead inside the UDP protocol. Now, DTLS is an excellent choice to use when you're wanting to do things like video streaming and things like Voice over IP over secure and encrypted tunnels. This provides the end user with security over UDP, and prevents eavesdropping, tampering, and message forgery inside that clientless VPN connection.

Now, there are a few older VPN protocols you need to be aware of as well. This includes things like L2TP, L2F, and PPTP. L2TP is the Layer 2 Tunneling Protocol. L2TP was a very early VPN and was invented all the way back in the '80s and '90s. Unfortunately, L2TP lacks security features like encryption by default. So if you're going to use L2TP, you have to combine it with another protocol to provide encryption for your VPN tunnel when you're using L2TP. Even though it's an older protocol, it's still used by a lot of modern networks by combining it with that extra encryption layer for protection. L2F, or Layer 2 Forwarding, is a VPN protocol that was originally developed by Cisco to provide a tunneling protocol for the Point-to-Point Protocol, or PPP. Unfortunately, it also lacks the native security and encryption features, just like the Layer 2 Tunneling Protocol. For this reason, L2F has lost most of its popularity, and it's not used in most modern networks. PPTP, or the Point-to-Point Tunneling Protocol, is an older version of the VPN protocol as well, and it was used for dial-up networks. PPTP also lacks the native security features, but Microsoft Windows has added security features to their implementation of PPTP. Therefore, if you're using a VPN through Windows with PPTP, you can still consider this to be pretty secure.

All these VPN types can still be used today. It's just a matter of how secure you need your implementation to be, and if you need to add an additional layer of encryption to provide a more secure tunnel. But in most modern VPNs, you're going to see overwhelmingly that IPSec, or IP Security, is being used. Now, IPSec is used in virtual private networks to provide authentication and encryption of packets to create a secure encrypted communication path between two computers over an internet protocol-based network. Remember, there are three main types of VPNs: site-to-site, client-to-site, and clientless. Also, remember, there are two methods of communication using a VPN. You can use full tunnel or split tunnel. Finally, remember there are several VPN protocols you can use to establish those VPNs. You can use L2TP, L2F, PPTP, and IPSec.