WEBVTT

00:04.429 --> 00:06.855
>> As I'm sure you are aware,

00:06.855 --> 00:08.940
dial-up communications
were replaced

00:08.940 --> 00:11.729
>> by the idea of
VPNs and tunneling.

00:11.729 --> 00:13.815
>> When we talk about VPNs,

00:13.815 --> 00:15.360
Virtual Private Network,

00:15.360 --> 00:16.830
that's the whole idea.

00:16.830 --> 00:19.140
That even though you're
in a remote location,

00:19.140 --> 00:21.270
it seems as if you have
your own private network

00:21.270 --> 00:22.590
>> into your local office

00:22.590 --> 00:24.764
>> or some resource
across the Internet.

00:24.764 --> 00:27.180
>> The idea is that
this encapsulation

00:27.180 --> 00:29.544
>> provided is passing
through a tunnel.

00:29.544 --> 00:31.730
>> We already talked
about encapsulation

00:31.730 --> 00:34.180
when discussing the
OSI reference model.

00:34.180 --> 00:36.290
What happens with encapsulation

00:36.290 --> 00:38.599
>> is you get a protocol
within a protocol,

00:38.599 --> 00:40.910
>> or you get some
additional headers

00:40.910 --> 00:42.050
>> that are added that protect

00:42.050 --> 00:44.289
>> the original
data in its format.

00:44.289 --> 00:46.405
>> With Virtual
Private Networks,

00:46.405 --> 00:48.170
we have to have
tunneling protocols

00:48.170 --> 00:50.400
that allow this protection.

00:50.660 --> 00:53.180
Your tunneling
protocols are either

00:53.180 --> 00:54.800
going to provide encapsulation,

00:54.800 --> 00:56.480
encryption, authentication,

00:56.480 --> 00:57.574
>> all of these things,

00:57.574 --> 00:59.630
>> or just some of these things.

00:59.630 --> 01:02.885
It really is driven by the
protocol that you choose.

01:02.885 --> 01:04.970
The question then
sometimes is why

01:04.970 --> 01:07.460
>> would I not want
encryption and authentication

01:07.460 --> 01:09.859
>> if I'm tunneling
across the Internet?

01:09.859 --> 01:11.765
>> The answer to that is that,

01:11.765 --> 01:13.550
some tunneling
protocols just help

01:13.550 --> 01:15.020
>> traffic move
from one network

01:15.020 --> 01:16.489
>> across a different network.

01:16.489 --> 01:19.745
>> For instance, an
IP version 4 packet

01:19.745 --> 01:22.835
can't travel across an
IP version 6 network.

01:22.835 --> 01:25.370
You can create or use
a tunneling protocol

01:25.370 --> 01:28.339
>> where the IPv4
traffic is given transport

01:28.339 --> 01:31.749
>> as encapsulated
into IP version 6.

01:31.749 --> 01:34.670
>> Ultimately,
encapsulation provides us

01:34.670 --> 01:36.260
with a lot more than
just encryption

01:36.260 --> 01:37.759
>> and authentication.

01:37.759 --> 01:40.190
>> It really allows just
one type of traffic

01:40.190 --> 01:42.994
>> to traverse a different
type of network.

01:42.994 --> 01:46.160
>> Of course, this
process of encapsulation

01:46.160 --> 01:48.304
>> and perhaps encryption
and authentication,

01:48.304 --> 01:50.795
>> is created through
the use of protocols.

01:50.795 --> 01:52.670
There are other protocols

01:52.670 --> 01:54.199
>> that can be used
for tunneling.

01:54.199 --> 01:56.140
>> These are the most common.

01:56.140 --> 01:58.280
You have a protocol
that's based off

01:58.280 --> 01:59.810
>> of a Point-to-Point Protocol

01:59.810 --> 02:01.354
>> that we saw with the dial-up.

02:01.354 --> 02:03.970
>> It's called Point-to-Point
tunneling protocol.

02:03.970 --> 02:06.675
We also have L2TP,

02:06.675 --> 02:09.560
which stands for Layer
2 Tunneling Protocol.

02:09.560 --> 02:12.375
We can create a
tunnel with IPsec.

02:12.375 --> 02:15.920
GRE is Generic Routing
Encapsulation.

02:15.920 --> 02:18.155
Then we have Secure
Sockets Layer.

02:18.155 --> 02:22.610
We can create SSL tunnels
really today, TLS tunnels.

02:22.610 --> 02:24.530
If we start off by looking at

02:24.530 --> 02:26.410
Point-to-Point
Tunneling Protocol,

02:26.410 --> 02:28.560
this was developed by Microsoft.

02:28.560 --> 02:30.500
Again, we're really getting away

02:30.500 --> 02:31.850
>> from dial-up communication,

02:31.850 --> 02:32.990
>> because of the expense,

02:32.990 --> 02:34.444
>> not the security.

02:34.444 --> 02:36.830
>> What we wanted to
do is allow users

02:36.830 --> 02:38.480
>> to connect
across the Internet

02:38.480 --> 02:41.019
>> as opposed to
having to dial it.

02:41.019 --> 02:44.100
>> That's what PPTP
was all about,

02:44.100 --> 02:46.923
because it's some
Point-to-Point Protocol,

02:46.923 --> 02:49.594
>> if you'll remember,
we talked about PAP,

02:49.594 --> 02:52.880
>> CHAP, and EAP
for authentication.

02:52.880 --> 02:57.215
It uses a new protocol
called MPPE for encryption.

02:57.215 --> 02:59.030
Some of the same ideas,

02:59.030 --> 03:00.845
but it provides the tunneling,

03:00.845 --> 03:02.390
the connection to connection.

03:02.390 --> 03:05.330
It's the creation of
this virtual network.

03:05.330 --> 03:08.330
One of the drawbacks
to PPTP is that

03:08.330 --> 03:11.044
>> it only works across
IP based networks,

03:11.044 --> 03:13.100
>> which is okay at
the time because we're

03:13.100 --> 03:15.290
communicating across
the Internet today.

03:15.290 --> 03:16.835
But back in our time,

03:16.835 --> 03:20.215
we had frame relay
networks and ATM networks.

03:20.215 --> 03:22.340
We really needed
something more flexible

03:22.340 --> 03:24.350
that worked across
different network types,

03:24.350 --> 03:27.605
which is exactly why
L2TP was developed.

03:27.605 --> 03:29.510
Cisco came out with a protocol

03:29.510 --> 03:32.499
>> called L2F,
Layer 2 Forwarding.

03:32.499 --> 03:36.020
>> But Cisco likes to keep
their good ideas proprietary.

03:36.020 --> 03:37.940
We basically took
what was good about

03:37.940 --> 03:40.700
L2F and what was
good about PPTP,

03:40.700 --> 03:42.635
and came up with L2TP,

03:42.635 --> 03:44.710
Layer 2 Tunneling Protocol.

03:44.710 --> 03:46.855
Because it's a Layer 2 Protocol,

03:46.855 --> 03:49.160
it doesn't require a
specific network type.

03:49.160 --> 03:51.509
It's agnostic, so it's not bound

03:51.509 --> 03:53.030
>> to an IP network the way that

03:53.030 --> 03:55.450
>> Point-to-Point
Tunneling Protocol is.

03:55.450 --> 03:57.980
The problem with L2TP is that

03:57.980 --> 04:01.295
it's just the encapsulation
in and of itself.

04:01.295 --> 04:03.290
It can be used to
have one type of

04:03.290 --> 04:06.070
traffic traverse a
dissimilar network type.

04:06.070 --> 04:08.595
But if you're using
it to create a tunnel,

04:08.595 --> 04:12.045
IPsec is going to
be used with L2TP.

04:12.045 --> 04:15.689
IPsec will actually
provide the security.

04:16.450 --> 04:18.410
With that being said,

04:18.410 --> 04:20.390
>> you can actually
just use IPsec

04:20.390 --> 04:22.624
>> in and of itself
to create a tunnel.

04:22.624 --> 04:25.030
>> That way, it's really
most common today.

04:25.030 --> 04:26.240
For instance,

04:26.240 --> 04:28.250
>> if I'm doing site-to-site VPN

04:28.250 --> 04:30.200
>> from one location to another,

04:30.200 --> 04:31.910
>> I have VPN concentrators

04:31.910 --> 04:33.230
>> and they communicate across

04:33.230 --> 04:35.619
>> an unsecured
network with IPsec.

04:35.619 --> 04:38.390
>> IPsec really is an
interesting protocol,

04:38.390 --> 04:41.675
because it was designed as
a part of IP version 6.

04:41.675 --> 04:43.940
One of the things about IPV6

04:43.940 --> 04:45.890
>> is that this was
going to finally give us

04:45.890 --> 04:48.550
>> a protocol that was
integrated with security.

04:48.550 --> 04:50.300
Now, we've seen the masses

04:50.300 --> 04:52.399
>> have not flocked to IPV6.

04:52.399 --> 04:55.190
>> I almost feel
like we'd see IPV6

04:55.190 --> 04:57.424
>> as soon as we see
the metric system.

04:57.424 --> 05:01.135
>> But IPsec was designed
as part of IPV6.

05:01.135 --> 05:03.200
It is made to work backwards

05:03.200 --> 05:05.074
>> or be backwards compatible.

05:05.074 --> 05:07.700
>> You can use it
with IP version 4.

05:07.700 --> 05:10.625
But even though IPV6 isn't
everywhere you look,

05:10.625 --> 05:12.560
IPsec is very popular.

05:12.560 --> 05:14.270
It is the framework of choice

05:14.270 --> 05:16.160
>> for encryption,
authentication,

05:16.160 --> 05:18.570
>> and encapsulation.

05:18.939 --> 05:22.960
>> Let's talk a little bit
about configuring IPsec.

05:22.960 --> 05:24.795
When you set up IPsec,

05:24.795 --> 05:26.840
one of the first choices
that you have to make

05:26.840 --> 05:29.749
>> is the mode in which
IPsec should operate.

05:29.749 --> 05:31.550
>> Now, you have Tunnel Mode

05:31.550 --> 05:33.139
>> and you have Transport Mode.

05:33.139 --> 05:34.760
>> Whichever one of
those you choose

05:34.760 --> 05:37.219
>> is going to determine
what gets encapsulated.

05:37.219 --> 05:39.110
>> For instance,
if we think about

05:39.110 --> 05:41.210
typical IP version 4 packet,

05:41.210 --> 05:43.835
we have a header,
data, and a trailer.

05:43.835 --> 05:48.170
In Tunnel Mode, the entire
IPV4 packet is encapsulated.

05:48.170 --> 05:50.330
You can see with
the diagram here,

05:50.330 --> 05:53.330
IPsec adds a header
before the IP header.

05:53.330 --> 05:57.350
The entire IPV4 packet
is the IPsec payload,

05:57.350 --> 06:00.475
and then there's an IPsec
trailer added as well.

06:00.475 --> 06:02.640
The whole packet is wrapped up.

06:02.640 --> 06:04.170
This is in Tunnel Mode.

06:04.170 --> 06:06.320
Again, when you think
about tunneling,

06:06.320 --> 06:09.200
it's transmitted across
an unsecured network.

06:09.200 --> 06:12.995
It makes sense the whole
IP packet is encapsulated.

06:12.995 --> 06:14.770
But with Transport Mode,

06:14.770 --> 06:17.375
we might be using
transport mode internally.

06:17.375 --> 06:19.280
Maybe we want to protect traffic

06:19.280 --> 06:21.815
going to and from our
payroll database.

06:21.815 --> 06:24.485
We don't want that stuff on
the network unencrypted,

06:24.485 --> 06:27.050
so you might use IPsec
in Transport Mode

06:27.050 --> 06:28.774
>> to protect internal traffic,

06:28.774 --> 06:30.920
>> because Transport
Mode is only going to

06:30.920 --> 06:33.980
encapsulate the IP
payload, the data.

06:33.980 --> 06:37.295
It doesn't encapsulate the
IP header and trailer.

06:37.295 --> 06:39.110
What you get when you add

06:39.110 --> 06:40.460
some security services

06:40.460 --> 06:42.784
>> is less security
in Transport Mode.

06:42.784 --> 06:44.330
>> But the understanding that

06:44.330 --> 06:45.770
>> you're not really
tunneling across

06:45.770 --> 06:47.554
>> the Internet in
Transport Mode,

06:47.554 --> 06:50.150
>> so you get greater
security in Tunnel Mode.

06:50.150 --> 06:53.370
But you always trade
performance for security.

