WEBVTT

00:00.120 --> 00:04.830
One of the big challenges we have with local area networks is sometimes people want to connect to our

00:04.830 --> 00:07.590
local area network but they're not very local.

00:07.740 --> 00:14.220
Now what I'm talking about here is you are in an airport in Denver and you want to connect to the local

00:14.220 --> 00:16.070
area network in Houston.

00:16.080 --> 00:20.820
Now when I say connect to the local area network I'm saying that you connect as though someone ran an

00:20.880 --> 00:24.620
ethernet cable from your switch all the way to your computer in Denver.

00:24.780 --> 00:30.780
If I'm in Denver I want to have the same IP addresses as the computers that are within my local area

00:30.780 --> 00:31.490
network.

00:31.530 --> 00:34.000
I want to be within the same broadcast domain.

00:34.020 --> 00:38.310
I want to be able to do everything as though I was connecting directly to that local area network.

00:38.310 --> 00:43.800
This is important folks because a lot of people hear me say something like this and they're like oh

00:43.800 --> 00:46.610
you're talking about remote desktop or something like that.

00:46.800 --> 00:48.320
That's a very different animal.

00:48.450 --> 00:54.030
When we talk about remote desktops what we're talking about is emulating the desktop of the computer

00:54.030 --> 00:57.570
that's in that local area network from far away.

00:57.960 --> 01:04.140
If I want to connect to something and be in that network I can copy files from a file server and it's

01:04.140 --> 01:10.770
going to go onto my laptop here in the Denver Airport just as if I was in that actual network.

01:10.770 --> 01:15.330
When you do remote desktop what you're doing is you're connecting to a computer far away and if you

01:15.330 --> 01:21.300
copy a file from a server it's not coming in your laptop it's coming into that one computer that is

01:21.300 --> 01:28.680
actually on the local area network so never confuse this type of jumping into the network with remote

01:28.680 --> 01:29.310
desktop.

01:29.310 --> 01:34.910
Now there's two ways to connect to a remote local network number one.

01:34.940 --> 01:41.320
And this is the expensive way to do it is that you can lease your own line you can lease a T-3 line

01:41.320 --> 01:45.710
or whatever you want, and people will do it if you want.

01:45.720 --> 01:46.260
They do.

01:46.250 --> 01:51.430
It costs tens of thousands of dollars a month but you can run a dedicated line from your local area

01:51.430 --> 01:57.430
network all the way out to the airport in Denver and that would be really expensive and not a good way

01:57.430 --> 01:58.060
to go.

01:58.060 --> 02:04.270
So the cool part to all this is that we already have a connection between my laptop and the airport

02:04.270 --> 02:09.670
in Denver and my office in Houston and that connection is the Internet itself.

02:09.670 --> 02:15.730
Now the downside to the Internet is that it's a public network pretty much anybody who wants to can

02:15.730 --> 02:17.780
sniff and observe what you're doing.

02:18.040 --> 02:22.840
And we don't want to see people as we're grabbing critical files and things like that we don't want

02:22.840 --> 02:24.420
people grabbing that stuff.

02:24.430 --> 02:30.550
So what we want to do is we want to take a public network the Internet and virtualize it in essence

02:30.550 --> 02:36.520
or we're going to we're going to treat it like a virtual private network or a VPN and that's what this

02:36.520 --> 02:39.500
episode is all about, VPNs.

02:39.520 --> 02:44.830
Now before we get into this in too much detail I need to warn you for the exam they're really looking

02:44.830 --> 02:47.560
for conceptual answers overview stuff.

02:47.560 --> 02:52.150
So we're going to keep it fairly light in terms of understanding a broad spectrum of VPNs.

02:52.150 --> 02:56.940
But I will also tell you that actually setting up a VPN can be a real pain.

02:56.950 --> 03:02.950
So we're going to keep it light for here, but be warned it can be a challenge to understand VPNs.

03:03.010 --> 03:07.590
The most important thing you need to wrap your head around is the concept of endpoints.

03:07.600 --> 03:08.750
Let me show you what I mean.

03:08.950 --> 03:12.450
Here's a local area network. This is my home base.

03:12.490 --> 03:18.270
So just for fun I'm going to say that my local area network has an internal IP address range of

03:18.280 --> 03:26.090
192.168.4.whatever, so anybody inside my local area network is going to have that IP address.

03:26.110 --> 03:30.850
Now on the other end here is some computer in an airport in Denver.

03:30.850 --> 03:36.130
Now this computer in an airport in Denver is going to have an IP address whatever the wireless network

03:36.130 --> 03:38.260
there in Denver gives them, so for fun

03:38.260 --> 03:39.910
I'm just going to say it's 10.10.

03:40.070 --> 03:42.290
whatever.

03:42.360 --> 03:43.010
OK.

03:43.270 --> 03:50.430
Now what I want to do is I want to make this computer in Denver have the same IP address as all these

03:50.430 --> 03:53.190
computers at my local area network.

03:53.190 --> 04:03.480
So to do this I am going to create a VPN tunnel. A VPN tunnel is a connection between two VPN endpoints.

04:03.510 --> 04:10.410
Now in this case my VPN endpoint on the LAN side could be here on my router itself. It could have some

04:10.440 --> 04:16.500
extra VPN software built into it or I could have a computer inside my local area network and the router

04:16.500 --> 04:22.820
passes through VPN traffic to this little computer inside my network, and he could be the endpoint.

04:22.920 --> 04:25.010
I could even have a dedicated box.

04:25.030 --> 04:32.610
We call it a VPN concentrator whose only job is to take incoming VPN data and then do something with

04:32.610 --> 04:34.180
it which I'm about to explain.

04:34.380 --> 04:35.820
So that's one endpoint.

04:35.910 --> 04:37.660
On the other side here's my laptop.

04:37.670 --> 04:40.340
He's going to be the other VPN endpoint.

04:40.350 --> 04:46.290
So what takes place is this I have to go through the process of making a connection on my laptop.

04:46.290 --> 04:50.630
I'm going to click on something and I'm going to say create a VPN connection.

04:50.790 --> 04:56.730
And what we're actually making is a tunnel so it looks kind of like a pipe between my laptop here and

04:56.730 --> 04:59.920
whatever VPN endpoint I happen to be using here.

05:00.150 --> 05:07.970
So when I make that connection, the VPN endpoint, the VPN concentrator, gateway, it has so many different

05:07.970 --> 05:14.090
names, is actually going to use the public IP connection on the laptop.

05:14.090 --> 05:20.250
So whatever that is, and he will create this connection to get to the local area network.

05:20.360 --> 05:28.190
But then the VPN concentrator, the VPN endpoint in my local area network, will pass my laptop an IP address

05:28.460 --> 05:35.530
that makes it part of my network, so we'll say the laptop is now 192.168.4.100.

05:35.540 --> 05:41.810
So this type of example where we have a single computer that's trying to phone home to a local network

05:42.080 --> 05:45.080
is what we call a remote access VPN.

05:45.080 --> 05:47.140
But there's another very cool way to do it.

05:47.150 --> 05:48.890
And that's called site to site.

05:48.920 --> 05:50.360
Let me show you how that works.

05:50.360 --> 05:56.360
So going back to our earlier diagram what I want to do is instead of having one computer that wants

05:56.360 --> 06:02.780
to connect to a local network I want to have an entire second local area network that wants to connect

06:02.780 --> 06:04.810
to my primary local area network.

06:05.000 --> 06:08.120
So let's pretend like my local network here is in Houston.

06:08.150 --> 06:13.270
So now we've got a bunch of computers in a field office in Dallas that want to connect to Houston.

06:13.430 --> 06:18.030
So in this case what I'm going to create is what's called a site to site VPN.

06:18.050 --> 06:23.750
In this case I'm usually going to have two VPN endpoints, except on each side

06:23.750 --> 06:32.270
They'll manifest as either a router or a VPN concentrator or some software running on a dedicated server

06:32.270 --> 06:33.330
or something like that.

06:33.530 --> 06:41.780
so that all these computers here in Dallas can get that 192.168.4 address like the folks do in Houston.

06:41.780 --> 06:49.130
Now as you might imagine a VPN compared to an actual Ethernet local area network connection is very

06:49.130 --> 06:52.220
very slow, and this can be a challenge with VPNs.

06:52.250 --> 06:59.180
Because you're asking some internet connection to act like a gigabit ethernet connection that's in your

06:59.180 --> 07:00.430
local area network.

07:00.470 --> 07:05.120
So things like showing all your network computers can be very very slow.

07:05.210 --> 07:11.090
File copying can be very very slow but it at least lets you get onto your local area network.

07:11.090 --> 07:13.940
They are wildly popular, and at Total Seminars

07:13.940 --> 07:16.650
We have a VPN we use all the time.

07:17.030 --> 07:21.560
So speed is a big issue we're always looking at ways to speed things up.

07:21.560 --> 07:29.420
And one of the biggest problems we have, particularly with remote access VPNs, is the concept of split

07:29.450 --> 07:30.760
versus full tunneling.

07:30.860 --> 07:31.970
Let's talk about that.

07:31.970 --> 07:36.500
So here's my laptop in Denver and here's my local area network.

07:36.500 --> 07:41.670
Now normally when I'm sitting in the Denver airport I want to go to google.com. I just type www.google.com

07:41.670 --> 07:43.790
and he goes through

07:43.820 --> 07:47.770
however the Denver airport gets him to the Internet and goes straight to Google.

07:48.080 --> 07:51.310
But now let's go ahead and put that tunnel in now.

07:51.650 --> 07:57.800
So now this laptop is connected to my local area network.

07:57.830 --> 08:02.660
So if he wants to transfer files or anything that's no problem within the local network.

08:02.720 --> 08:04.070
But what happens if he types.

08:04.110 --> 08:06.670
www.youtube.com right now?

08:06.860 --> 08:11.210
Well let me show you what happens instead of going straight to google through the ISP at the Denver

08:11.210 --> 08:12.030
airport.

08:12.110 --> 08:18.930
He goes through the VPN over to the local area network. The local area network then sends it out the

08:18.930 --> 08:25.380
router. The router in your local area network in Houston goes to Google. It comes back to the local area

08:25.380 --> 08:33.900
network and gets sent out to the VPN endpoint and back over to my laptop in Denver. As you can imagine,

08:34.050 --> 08:38.180
this process is a real pain and we don't want to do that.

08:38.190 --> 08:46.500
In fact when the VPN client, the laptop in Denver, sends the data through like that we call that a full

08:46.500 --> 08:49.160
tunnel and it's something we usually avoid.

08:49.290 --> 08:54.680
Normally what we'll do instead is called a split tunnel and a split tunnel is very simple.

08:54.840 --> 09:00.960
The VPN endpoint on the laptop itself recognizes the type of traffic that's going out.

09:00.960 --> 09:07.210
So if traffic is going to my local area network on 192.168.4 in this example, it goes in and sends it

09:07.210 --> 09:08.220
to the VPN tunnel.

09:08.220 --> 09:09.380
That's a good thing.

09:09.390 --> 09:13.890
However if I do anything else, it's going to different IP addresses.

09:14.040 --> 09:18.670
A well-designed VPN is going to go oh no no no ignore the tunnel for now.

09:18.780 --> 09:24.900
Just go ahead and use the regular connection, and split tunnels speed things up dramatically.

09:24.900 --> 09:25.480
All right.

09:25.560 --> 09:30.990
So what I want to do now is talk about the different ways we can do VPN.

09:30.990 --> 09:38.480
Now VPN has been around for a quarter of a century and, as you might imagine, the technology has changed

09:38.480 --> 09:40.190
and improved quite a bit over the years.

09:40.190 --> 09:43.250
In fact there's a number of different ways to do VPN.

09:43.250 --> 09:49.010
So what I'd like to do is take a moment and go through the different processes the different technologies

09:49.010 --> 09:53.090
the different protocols we can use to set up a VPN.

09:53.120 --> 09:58.220
The biggest thing you need to keep in mind here is that when you're setting up a VPN.

09:58.220 --> 10:02.960
In most cases not all but in most cases you've got two separate steps.

10:02.960 --> 10:08.000
Number one you have to have some kind of protocol that actually sets up the tunnel itself makes the

10:08.000 --> 10:12.560
connection makes everything happy and then the second thing you're going to be doing is you'll have

10:12.560 --> 10:17.660
another protocol involved that handles the authentication and the encryption because we want the stuff

10:17.660 --> 10:20.000
encrypted we don't want anybody looking at it.

10:20.000 --> 10:25.610
So what I'd like to do right now is do a quick run through of the many popular VPN protocols that are

10:25.610 --> 10:26.730
out there.

10:26.750 --> 10:33.530
One of the oldest VPN protocols out there is known as point to point tunneling protocol, or PPTP.

10:33.530 --> 10:37.070
PPTP uses the old PPP protocol as the tunnel.

10:37.070 --> 10:42.560
And it doesn't really have any kind of serious authentication. It just uses a password and very very

10:42.560 --> 10:46.030
basic encryption. PPTP is very old.

10:46.040 --> 10:53.650
It uses TCP port 1723, and most people don't like it anymore. It's just a little bit too easily hacked.

10:53.660 --> 10:58.310
Second is Layer 2 tunneling protocol, or L2TP.

10:58.310 --> 11:01.460
This is Cisco proprietary stuff.

11:01.460 --> 11:09.070
It's very similar to PPTP, but it uses an L2TP tunnel and then IPsec for encryption. It is good.

11:09.100 --> 11:15.610
It is also fast, and it uses UDP ports 500 and 4500.

11:15.620 --> 11:22.130
Now if you really want to get fancy you can go to an IPsec VPN, or better, just what I call a pure IPsec.

11:22.520 --> 11:28.010
Pure IPsec uses IPsec both for the tunnel as well as all the authentication and encryption.

11:28.010 --> 11:31.430
It also uses UDP ports 500 and 4500.

11:31.430 --> 11:37.280
And it's very good for IPv6 networks. Next is SSL/TLS.

11:37.290 --> 11:40.870
Yes this is the same stuff we use on secure web pages.

11:40.910 --> 11:43.390
It's going to use TCP port 443.

11:43.610 --> 11:49.130
It's kind of cool in that it often will work with a web browser so your laptops don't even need client

11:49.130 --> 11:50.740
software in many cases.

11:50.810 --> 11:53.890
So we call it a clientless type of VPN.

11:53.930 --> 11:59.250
It uses what's known as a TUN/TAP virtual network driver tunnel.

11:59.250 --> 12:06.950
These are built into every operating system, and it uses good old TLS for encryption. Last is a kind

12:06.950 --> 12:15.440
of an interesting one. It's called OpenVPN. OpenVPN is a program, but it has its own type of unique tunnel

12:15.650 --> 12:18.980
and encryption that's based on the SSL/TLS protocol.

12:19.130 --> 12:24.230
It's an open standard, which is very handy, but no one else quite does it the way OpenVPN does.

12:24.320 --> 12:33.280
It uses TCP port 1194, but you can easily change that if you want. Setting up a VPN can be a real challenge,

12:33.280 --> 12:37.200
and I don't even need to cover that to make sure we catch what's on the exam.

12:37.210 --> 12:43.000
However I do want to mention a few things if you're going to do a VPN you need to think about how you're

12:43.000 --> 12:47.770
going to set that up. In particular, are you going to do remote access, which most people do, or you might

12:47.770 --> 12:48.900
want to do a site to site.

12:48.910 --> 12:50.830
Just depends on what your needs are.

12:50.830 --> 12:56.630
Also keep in mind the client itself is very very important especially on a remote access.

12:56.800 --> 13:04.330
Windows, Macs, Linux to a lesser degree, all have some form of VPN client built within them, but they have

13:04.330 --> 13:05.350
limitations.

13:05.440 --> 13:10.510
So that can be a bit of a problem for folks, so you really have to think about this a little bit. Now

13:10.690 --> 13:12.550
here at Total Seminars

13:12.670 --> 13:13.870
we love OpenVPN.

13:13.870 --> 13:15.810
We've been using it for a long long time.

13:15.820 --> 13:18.240
It's robust and it's powerful, and it's free.

13:18.310 --> 13:25.090
So for the exam make sure you think about where I would be using VPNs, and make sure you're comfortable

13:25.090 --> 13:37.000
with the different protocols.
