WEBVTT

00:00:02.220 --> 00:00:07.220
Welcome to this video titled VPNs on endpoints.

00:00:07.220 --> 00:00:11.140
In this video I'm going to talk about three major things.

00:00:11.140 --> 00:00:15.680
I'm going to talk about the different categories of virtual private networks.

00:00:15.680 --> 00:00:19.760
And we're going to go into the differences between site-to-site VPNs and

00:00:19.760 --> 00:00:22.120
remote access VPNs.

00:00:22.120 --> 00:00:27.840
Now, keep in mind this presentation is going in the context of content

00:00:27.840 --> 00:00:29.480
and endpoint security.

00:00:29.480 --> 00:00:34.980
So we're really focusing on VPNs that terminate on an actual endpoint,

00:00:34.980 --> 00:00:40.800
such as a tablet or a smartphone or a laptop or PC.

00:00:40.800 --> 00:00:43.640
So as a review, in case you're not really familiar with this term

00:00:43.640 --> 00:00:49.960
of VPN, VPN stands for virtual private network, and data in motion.

00:00:49.960 --> 00:00:51.360
What do we mean by data in motion?

00:00:51.360 --> 00:00:53.960
We're not talking about the data that's being stored

00:00:53.960 --> 00:00:58.580
in your laptop on your hard drive or somewhere else or in a USB thumb

00:00:58.580 --> 00:01:02.580
drive. We're talking about data that's leaving your laptop and going out

00:01:02.580 --> 00:01:04.240
across a network.

00:01:04.240 --> 00:01:07.100
It's moving from point A to point B.

00:01:07.100 --> 00:01:09.440
That's why we call it data in motion.

00:01:09.440 --> 00:01:13.820
So one way, probably the most popular way, to protect data in motion and

00:01:13.820 --> 00:01:18.120
keep it confidential is to send it through a virtual private network.

00:01:18.120 --> 00:01:24.360
Now at a real high level, VPNs can be categorized in a couple of different

00:01:24.360 --> 00:01:31.120
ways. Some VPNs were designed from the ground up to provide confidentiality.

00:01:31.120 --> 00:01:33.940
Remember, when we're talking about that term confidentiality, what we're

00:01:33.940 --> 00:01:37.540
really talking about is encryption, encrypting your data so that if someone

00:01:37.540 --> 00:01:41.460
happens to eavesdrop on it, they can't tell what it is.

00:01:41.460 --> 00:01:45.280
So some VPNs were designed expressly for that purpose.

00:01:45.280 --> 00:01:46.980
Other VPNs were not.

00:01:46.980 --> 00:01:51.420
So for example, here we see on the left some VPN technologies that don't

00:01:51.420 --> 00:01:56.140
natively provide you with encryption, with confidentiality:

00:01:56.140 --> 00:02:02.260
PPTP, the Layer 2 Forwarding protocol, L2TP, Generic Routing Encapsulation

00:02:02.260 --> 00:02:09.780
and MPLS VPNs. So if you use any one of those, some of them are quite

00:02:09.780 --> 00:02:14.200
complex to configure, but one thing they don't have inherent in the technology

00:02:14.200 --> 00:02:17.220
itself is encryption, is confidentiality.

00:02:17.220 --> 00:02:20.780
Now you might be wondering, well then why would I use a VPN technology

00:02:20.780 --> 00:02:25.820
such as that? Well, there are two reasons, two primary reasons that people

00:02:25.820 --> 00:02:28.000
typically would select one of these.

00:02:28.000 --> 00:02:31.900
The first reason would be maybe you have some sort of data that's riding

00:02:31.900 --> 00:02:36.540
in a certain protocol, like for example you have data inside of an IPv6

00:02:36.540 --> 00:02:42.720
packet, but the network you need to use to transport that IPv6 packet

00:02:42.720 --> 00:02:44.960
doesn't support IPv6.

00:02:44.960 --> 00:02:47.740
Maybe it only supports IPv4.

00:02:47.740 --> 00:02:51.160
So we have something here where the native protocol I'm using for transportation

00:02:51.160 --> 00:02:55.660
is not supported on this intervening network right here.

00:02:55.660 --> 00:02:57.000
So I need to tunnel it.

00:02:57.000 --> 00:03:00.840
I need to put it inside of a VPN so it can actually get across that

00:03:00.840 --> 00:03:02.880
network to the other side.

00:03:02.880 --> 00:03:06.240
That's one very big reason, for example, for GRE tunneling.

00:03:06.240 --> 00:03:10.060
That's a big reason why people choose GRE, because it's very easy to do

00:03:10.060 --> 00:03:15.560
that. Another reason why people sometimes choose VPNs on this side, excuse

00:03:15.560 --> 00:03:21.920
me, this side of the list, as we can see here, is because we have multiple

00:03:21.920 --> 00:03:27.020
streams of data going through a common shared network, but those multiple

00:03:27.020 --> 00:03:30.180
streams of data, we need to keep them separate from each other.

00:03:30.180 --> 00:03:35.360
So for example, think of an ISP, and an ISP is selling services to both

00:03:35.360 --> 00:03:37.700
company A and company B.

00:03:37.700 --> 00:03:41.960
Now maybe company A and company B are competitors of each other.

00:03:41.960 --> 00:03:46.640
Company A says, hey, if I put my data into your network, I only want that

00:03:46.640 --> 00:03:51.280
data going to my other remote office location 15, 20 miles away from me.

00:03:51.280 --> 00:03:56.480
I never want my packets accidentally or inadvertently ending up in company

00:03:56.480 --> 00:04:01.780
B's network. And I'm a little concerned because both of us use your common

00:04:01.780 --> 00:04:04.680
shared network to transport our packets.

00:04:04.680 --> 00:04:08.580
So how can I make sure that I get basically like a virtual path through

00:04:08.580 --> 00:04:11.980
your network that will only go between my two sites?

00:04:11.980 --> 00:04:16.480
And I never have to worry about my data accidentally ending up where it's

00:04:16.480 --> 00:04:17.840
not supposed to go.

00:04:17.840 --> 00:04:22.040
So this is another reason where these types of VPN technologies can provide

00:04:22.040 --> 00:04:27.560
that. However, what we're talking about here is using VPNs on endpoints

00:04:27.560 --> 00:04:30.420
to provide confidentiality, to encrypt my data.

00:04:30.420 --> 00:04:32.620
So I probably would not want to use one of these.

00:04:32.620 --> 00:04:36.700
I'd want to use one of these that has inherent confidentiality built into

00:04:36.700 --> 00:04:42.620
it. And the three most popular ones here are IPsec, which is IP Security,

00:04:42.620 --> 00:04:47.580
or you could use Secure Sockets Layer or Transport Layer Security.

00:04:47.580 --> 00:04:54.980
So SSL and TLS are very common VPN technologies when the endpoint is using

00:04:54.980 --> 00:04:57.380
a web browser to initiate the VPN.

00:04:57.380 --> 00:05:01.960
So typically, if you're bringing up Google Chrome or Microsoft Edge or

00:05:01.960 --> 00:05:05.460
something like that, and then you're going to be sending your data through

00:05:05.460 --> 00:05:09.880
your web browser out into the world wide, or into the wide web, whatever

00:05:09.880 --> 00:05:10.900
you want to call it.

00:05:10.900 --> 00:05:12.460
And it's going to be encrypted.

00:05:12.460 --> 00:05:17.420
You're going to be using SSL or TLS, probably TLS because TLS is newer

00:05:17.420 --> 00:05:22.440
than SSL and it's pretty much taking over from SSL.

00:05:22.440 --> 00:05:27.320
The downside with SSL and TLS is that usually those are only designed

00:05:27.320 --> 00:05:30.340
for encrypting TCP segments.

00:05:30.340 --> 00:05:35.060
They can encrypt UDP, but they weren't really meant for that originally.

00:05:35.060 --> 00:05:40.300
So if I want to encrypt UDP and TCP and maybe other stuff as well, like

00:05:40.300 --> 00:05:45.060
maybe I want to encrypt OSPF packets or EIGRP packets, then I'm not going

00:05:45.060 --> 00:05:46.960
to want to use SSL or TLS.

00:05:46.960 --> 00:05:49.240
I'm going to want to use IPsec.

00:05:49.240 --> 00:05:53.660
IPsec can pretty much encrypt anything that's carried in an IPv4 or an

00:05:53.660 --> 00:05:59.460
IPv6 header, regardless of what's behind that IPv4 or IPv6 header.

00:05:59.460 --> 00:06:03.840
So those are a couple of ways of categorizing VPNs:

00:06:03.840 --> 00:06:08.040
those that have built-in confidentiality and those that don't.

00:06:08.040 --> 00:06:12.400
And then lastly, some other ways that we can categorize VPNs are by these

00:06:12.400 --> 00:06:13.280
two different names.

00:06:13.280 --> 00:06:15.740
One is called site-to-site VPNs.

00:06:15.740 --> 00:06:20.520
Now this is not something that you would do on your endpoint.

00:06:20.520 --> 00:06:26.020
A site-to-site VPN means I have some remote office that has maybe several

00:06:26.020 --> 00:06:29.520
dozen or maybe even several hundred employees in it.

00:06:29.520 --> 00:06:33.640
And I'm going to need all of them to have their packets encrypted as they're

00:06:33.640 --> 00:06:37.600
leaving that remote office and going to the corporate

00:06:37.600 --> 00:06:41.180
office, where the packets will be decrypted and then sent into the corporate

00:06:41.180 --> 00:06:42.480
office's network.

00:06:42.480 --> 00:06:47.020
So in that particular case, we're talking about a site-to-site VPN.

00:06:47.020 --> 00:06:50.760
And usually the VPN endpoints, and when we say VPN endpoint, we're talking

00:06:50.760 --> 00:06:54.880
about the actual device that's encrypting and decrypting the data.

00:06:54.880 --> 00:06:59.580
Usually in a site-to-site VPN, the VPN endpoint would not be the employee's

00:06:59.580 --> 00:07:03.820
laptop or PC. It would be a dedicated hardware appliance like a router

00:07:03.820 --> 00:07:09.020
or a firewall that's doing the VPN.

00:07:09.020 --> 00:07:11.920
That's doing the encryption and decryption.

00:07:11.920 --> 00:07:16.060
Another thing about site-to-site VPNs is, as you see here, it's transparent

00:07:16.060 --> 00:07:17.380
to the end users.

00:07:17.380 --> 00:07:21.160
So they have no idea that their packets are being encrypted.

00:07:21.160 --> 00:07:25.200
As a matter of fact, in a lot of cases, you'll have a situation where

00:07:25.200 --> 00:07:30.020
when users on your company's network are sending data to the internet,

00:07:30.020 --> 00:07:33.480
like they're browsing for a new car or checking their Gmail or something

00:07:33.480 --> 00:07:36.140
like that, that will not be encrypted.

00:07:36.140 --> 00:07:38.300
That will not go across a VPN tunnel.

00:07:38.300 --> 00:07:41.820
But if their data is leaving the remote office and headed towards the

00:07:41.820 --> 00:07:46.060
corporate office, then it will go across the VPN tunnel, so that router

00:07:46.060 --> 00:07:49.940
or firewall will have to distinguish between traffic that's going to the

00:07:49.940 --> 00:07:54.140
internet, leave that alone, don't encrypt that, versus traffic that's

00:07:54.140 --> 00:07:57.140
going to the corporate headquarters, we need to put that into the VPN

00:07:57.140 --> 00:07:59.340
tunnel and encrypt it.

00:07:59.340 --> 00:08:02.780
Another thing about site-to-site VPNs is that typically we're talking

00:08:02.780 --> 00:08:05.960
about VPN tunnels that are always up.

00:08:05.960 --> 00:08:07.940
They're not on demand.

00:08:07.940 --> 00:08:11.580
So when someone configured the router or configured the firewall, the

00:08:11.580 --> 00:08:14.760
last thing they did was configure the VPN tunnel, they hit the enter key.

00:08:14.760 --> 00:08:18.640
The VPN tunnel was negotiated between the firewall and the remote office

00:08:18.640 --> 00:08:21.180
and probably some other firewall in the corporate office.

00:08:21.180 --> 00:08:26.940
Once the VPN tunnel comes up, it's always up, 24 by 7, 365 days a year,

00:08:26.940 --> 00:08:30.420
it's available to encrypt and decrypt.

00:08:30.420 --> 00:08:33.900
But when we're talking about VPNs on endpoints, we're talking about a

00:08:33.900 --> 00:08:39.160
technology where the VPN is initiated on the laptop or on the tablet or

00:08:39.160 --> 00:08:40.200
on the smartphone.

00:08:40.200 --> 00:08:43.760
And we're talking about an on-demand VPN tunnel, not something that you

00:08:43.760 --> 00:08:47.880
need up all the time, but you just need temporarily for some specific

00:08:47.880 --> 00:08:52.200
reason. So those are called remote access VPNs.

00:08:52.200 --> 00:08:56.260
So these are used, for example, for people working from home in order

00:08:56.260 --> 00:09:00.240
to have a secure, confidential connection back to a remote office or maybe

00:09:00.240 --> 00:09:02.960
back to the company headquarters.

00:09:02.960 --> 00:09:07.440
And this will require some sort of special software on the laptop in order

00:09:07.440 --> 00:09:08.660
to make it happen.

00:09:08.660 --> 00:09:14.140
Now, if the VPN is using like SSL or TLS, it could just be all built into

00:09:14.140 --> 00:09:19.000
the browser. Browsers like Chrome and Microsoft Edge and those things

00:09:19.000 --> 00:09:24.040
inherently have built into them the ability to do SSL and TLS.

00:09:24.040 --> 00:09:27.260
As a matter of fact, you may not have known this, but every time you go to a website

00:09:27.260 --> 00:09:34.180
and the website begins with HTTPS, you are basically doing an encrypted

00:09:34.180 --> 00:09:40.120
VPN session to that website using SSL or TLS.

00:09:40.120 --> 00:09:43.760
Or you might need to download some sort of special software in order to

00:09:43.760 --> 00:09:44.880
make this happen.

00:09:44.880 --> 00:09:54.380
For example, Cisco software, which I'll show you right here, called Cisco

00:09:54.380 --> 00:09:59.860
AnyConnect. So there we go.

00:09:59.860 --> 00:10:04.760
So this is an example of the Cisco AnyConnect client, what they call the

00:10:04.760 --> 00:10:07.680
Cisco AnyConnect Secure Mobility Client.

00:10:07.680 --> 00:10:09.920
Now this has got a lot of other stuff built into it.

00:10:09.920 --> 00:10:12.360
For example, this can do web security.

00:10:12.360 --> 00:10:16.080
This can be connected to Advanced Malware Protection.

00:10:16.080 --> 00:10:17.620
I'm not using any of that.

00:10:17.620 --> 00:10:20.520
I simply use this just to connect to a VPN.

00:10:20.520 --> 00:10:24.400
So up here at the top is where you type in your VPN name, and you would

00:10:24.400 --> 00:10:29.460
point it to the VPN server, which is probably a firewall or a router.

00:10:29.460 --> 00:10:32.320
And then when you connect to that, it's going to prompt you for a username

00:10:32.320 --> 00:10:36.480
and a password. And if I typed in my password right now, then it would

00:10:36.480 --> 00:10:42.180
connect me to my VPN and start encrypting. And AnyConnect is certainly

00:10:42.180 --> 00:10:43.320
not the only one.

00:10:43.320 --> 00:10:47.980
There are lots of VPN applications you can download for laptops and PCs

00:10:47.980 --> 00:10:51.300
and notebooks to give you that functionality.

00:10:51.300 --> 00:10:56.400
So that concludes this video.

00:10:56.400 --> 00:10:57.200
Thank you for watching.