I used to laugh at my father, because he's one of those that just doesn't buy things
online because of course if he puts his credit in,
people will steal his identity and take over his life.
And so, he always has me buy things on Amazon for him and things like that and I would laugh
until one day, I went to go buy something on eBay and I was using my PayPal account
and I went to select the card I buy everything with
and it wasn't there, it wasn't under my account. It's like that's weird, I look at it maybe
it expired and I'm kind of searched my house and I was like okay well I'll try to put the
card back in and the PayPal page says "I'm sorry, you can't add this card to your
account, please contact the customer service." So I'm like, oh, frustrating.
Okay, I'm like I just did a buy it now, come on I got to pay for this and so I called PayPal
and I talked to the gal and I said "I'm trying to add this card, it's saying I can't"
and kind of-- and she goes "Okay, well, actually you can't add that card
to your account" and I said "Why not?" And she-- I can't even remember the name but
she was "Do you know Abdul Jabar in Iran?" And I said "No."
And she goes "Well, the reason you can't add that card to your account is
because that card is actually under his account." Right then quick call, the credit card company
was already too late. Stuff had already been purchased on that,
they're like, you know, "We were going to call you for blah blah blah."
But so long story short, I was a victim of credit fraud.
It wasn't that bad, you know, they-- credit card companies I guess do this all the time
and I'm like "Yeah, no worries." I'm sure there was more to it than that but
when I see a topic like virtual private networks nowadays, the
thought immediately crosses my mind, if like okay, virtually private or private?
Is this really so-- I mean VPNs probably is the term you've heard plenty of times
but really, I mean is it really secure? Is this trustworthy?
Is somebody going to steal our lives? That's what I'm all about in this chapter,
not stealing lives but defining what VPNs are,
why they're secure and why you can feel a little more comfortable using this
to connect to your networks. I want to start at the ground level here 'cause
I don't want to assume anything. What is a VPN?
The answer may surprise you especially if you think you know what a VPN is.
A Virtual Private Network is officially described as any network
that you are assuming as private. Now, I'm putting Jeremy language in there
but that's essentially the definition. So for example, if you have a WAN link, you've
got a T1 line from office A to office B that is a type of VPN because it's run by
an entity other than you. You just happened to trust them, you know,
for instance here's your office A and office B. Somewhere in the middle maybe
it's AT&T or Sprint or *** or Qwest or CenturyLink or-- you know, the list goes
on of all the carriers that are out there. You're trusting that they're not stealing
your stuff. When I have a voice over IP phone call from
office A to office B, I'm trusting that there's not some angry employee
there capturing all that data and stealing it and putting together my phone
calls and selling them to-- I don't know whoever would want my phone call
right? So it's a type of VPN.
So the reason I bring this up, 'cause number one that brought in your mind to think,
okay well a VPN doesn't just have to be the internet.
A VPN is defined as something that we are assuming as private or it's virtually private.
So okay, if when we sign up for a WAN link, we're trusting the carrier right,
that their employees aren't going and stealing our stuff.
Who are we trusting when we use the internet to carry our stuff?
Well, I wouldn't say it's who you are trusting, it's what you are trusting as in what kind
of technology are you employing to make sure that I can send data over the internet
and it can't be captured by somebody else. Okay, so let's talk about what a VPN is.
A VPN is using the all plentiful everywhere existing internet connections
to link your sites together. There are really two different kinds of VPN
so though you could probably say well, there's more but I'll say two primary types.
There is a remote access and site to site VPN.
Remote access means you've got people out there that are working from home or they're
on the road with their laptop or they're wherever they are in the world and they need
to connect in to your corporate network. Let's say this is-- well, let me give myself
a little room. Let's say over here 'cause that's a lot more
room is corporate network A right and I've got a server over here with all the
files that they need, they're going to connect through the internet to get those files and
I want to make sure that nobody in the internet, all of this non controlled networks that they're
passing through can get their data. So that's what a VPN is so I can have a remote
access VPN where my employees or customers can connect from wherever they
are in the world that over this network securely and get the resources or I can have a site
to site VPN to where I have let's say an office in,
it could be anywhere to Japan, connecting there is a corporate office in Arizona
and I'm actually sending all of that through the internet.
A site to site VPN replaces a WAN connection. Now what's the advantage in doing that?
Why wouldn't I just buy a WAN connection? Huge amount cheaper.
It's always cheaper to get connected to the internet because it's so available and it's
so everywhere and it's so not dedicated to you.
Meaning, when I am in Japan I can get an internet connection far cheaper
than I could get a leased line coming over here to Arizona,
I mean you can even compare those two costs. So second thing is the internet is available
everywhere. You know, I kind of bite my tongue when I
say that but it's-- all right, it's hard for me to say it's not
because I actually went with my church, this is some number of years ago.
Down to Honduras, we went to kind of like a mission, so like help people with food and
water and building structures and all that.
And so, I mean we're driving on this bus to this town that has no roads, you know,
infrastructure is virtually nothing and so we're here to, you know, trying to help
and build things up and sure enough as we pull in, I'm sitting there
and we passed a little building and it says internet cafe, flashing neon sign.
It turned out they had a 28.8 kilobit per second modem that they were sharing for about
five or 6 PCs that they had connected in there
and people would pay per hour to come share a 28-kilobit per second modem,
but my point is I'm sitting here where they're like okay, running water is something that
we're trying to work with and there, you know, I'm doing this next to a flashing internet
cafe sign. So I'm really like "okay the internet is available."
It's all over the place. We have these connections available to us
so that makes it very virtual. So what I can do is if I'm in Japan, maybe
I can't get at least I know what Japan is, you know, high technology but, you know, and
well say Honduras right, I want to connect Honduras to Arizona and
I'm, you know, I'm into a location where I just--
there's no leased lines available. The internet's probably available there.
Now, these connections are encrypted and secured. Now, I kind of in my rough drawing dr--
you know, you'll always see VPNs drawn kind of like this.
You'll see, you know, router A over on the left, you know, here and it shows, you know,
the cloud and you've got this tunnel going through over here to router B. What is the
tunnel? The tunnel is a perception of what you're
doing. It's like you're saying "Okay, I've got my
private network here" let's say it's 10.1.1.0/24 and my private network here 10.1.2.0/24 and
I'm going to send that private network through the internet and the way that I'm
going to do it is to take that packet before I send in, you know, here's
all my private stuff and put a header on it that is public.
You know that says, it goes from this public IP address
to this public IP address over here in Honduras. But then all of this stuff goes-- through
the blender. To where if somebody captured that data, you
know, some rogue entity in the middle of the internet captured that data, they will
see where it's coming from and where it's going
but all of the meat of it, they won't be able to understand.
I'm talking about how that's possible in a moment.
The last benefit of VPNs is the many to many connections, meaning everything can connect
to everything, that's connected to the internet. So, you know, we'll talk about frame relay
or we're talking about, you know, leased lines. If I buy a leased line from Honduras to Arizona
then I've got, you know, that connection period. But with VPNs I can have Honduras go to Missouri.
I can have a remote access VPNs coming into Honduras,
I mean any to any connectivity is there. Now, you might look at all this, anyway, so
well what's the drawback then? Why would we not want [inaudible].
Why do people do leased lines at all? Well, anytime the internet enters into the
picture, we have this big, I'll just say quality of service gap.
As in non-guaranteed and I'm not just talking quality of service as in voice
over IP although that definitely is a factor. But I'm just talking about it's just not guaranteed
I mean on the internet you're going through all kinds of entities and if all of
a sudden your VPN connection slows down to a crawl, I mean who do you call and
say hey, our VPN is down, I mean people are going
to be like well, okay is your internet connection running?
Yes. Okay well then we've done our job, you know, we've delivered an internet connection.
So it's really not guaranteed service. You may get-- and I'll say most of the time
you'll do great sometimes depending on what storm is going on in the internet
and any one time you may slow down or speed up or anything like that.
So for companies that need that level of guarantee or they need to have somebody
that they can call and say, "Hey this is not performing the way that we want to."
VPNs probably aren't the direction they want to go.
Now, even with that drawback, I'm kind of hesitating because internet connections are
so much more reliable nowadays and bandwidth-- luscious, I don't have a lot of bandwidth,
that-- that VPNs really are a valid alternative to a lot of the WAN links
that people are used to paying for. So you know, really think about that before
you go, you know, pay the expense of a dedicated WAN link but
if you are an organization considering that, if I'm the owner of that company and I'm saying
"Okay I'm sending all my stuff over the what, the internet?"
I want to make sure that somebody out there is not going
to be stealing my stuff 'cause I know everybody knows the internet is a wild place.
There is no central authority controlling anything so your stuff could get stolen.
Now, brief aside to that. Let me just-- I want to throw this out there,
if I have an e-mail, let's say that I created that-- I'm sending
my friend over here. Let's say my friend doesn't have an eBay account
and I want him to post something because he can use my feedback rating.
So I send him-- let's just say I send my friend around the world my eBay user name and password
via e-mail. So first off, that is not secure, you know,
if you do that, we're not using any kind of encryption for that e-mail which most people
do not, does that mean the eyes of the internet are watching and they will
see your eBay user name and password come in
and they are like "bam, you're gone buddy" and now somebody is buying all kinds
of stuff using your eBay account. Chances are no, here's why.
The internet is a glut of information, I mean just information constantly so, you know,
sending a single e-mail over the internet, number one, you are obscured by the sheer amount
of information being processed every single second on the internet.
You're just one of a billion different packets that are happening at any given time.
So number one here [inaudible] by that. Number two, when you do this, I mean you're
actually going into your service provider and they're going to theirs and they're going
to theirs, so it's just a link of all these different service providers unless
you have a service provider who is corrupt in the middle like-- like there is that guy,
oh man, they went AWOL and they've got an employee capturing data
and he just found your eBay username and password. I mean is there chance there?
I want to make sure you guys-- is the chance there?
Yes. Is there a chance of Boeing 747 plane could crash into my house
at this moment as I'm talking to you? Yes there is that chance but it's so slim,
why? 'Cause my house is one among billions of houses,
planes don't fly every single day and crash and why would they choose me?
Why would they hit my house? I mean it's that kind of argument that you're
talking about when you say-- now let me show you what is a lot more likely.
It's more likely that your friend is infected with some kind of Malware or some kind
of remote access, you know, they're running Java and I'm just throwing Java under the
bus because there's just a security update.
Sometimes it goes saying Java is now unsecure and they can't fix it and now everyone is
like "Oh, don't use Java," you know, every time I go to oracle site and I see they're
like Java and used by billions of customers and like
not anymore, you know, that stuff. Anyway now I heard down at Java now everybody's
got their own security flaws right? But it's far more likely that this guy gets
infected with something and he gets your e-mail opens it and somebody
else is looking over his shoulder, or they are actually watching all the e-mail
that comes into his computer 'cause his computer is infected
and now they get your eBay account. So the internet gets blamed for a lot when
really it's people's computers that have been hacked and Malwared up and
virus and Trojan-ed and key logger and blah, blah,
blah and that's where a lot of the theft comes into play.
So that's number one. So keep that in mind.
Now, let's talk about how do we make sure that the eyes of the internet don't, you know,
if what if the Boeing 747 hit your house? What if the service provider's capturing your
data? How do we make sure that it's secured?
You know, I'm not and nobody should be comfortable in just saying well,
the sheer amount is out there I doubt you're going to get [inaudible] I mean
that doesn't make you feel comfortable. So VPNs must provide number one, authentication.
Authentication is I know that you are the person I'm supposed to be talking to right.
So when I'm speaking from-- let's say I have my computer right here
and this is a corporate center A and I VPN in,
you know from the corporate center A's perspective, they're like I really want to know
that you are who you say you are. And I was going to talk about the solution
but let me just talk about things we have to provide for now right.
Second thing is we have to provide data integrity. I want to make sure that when you send me
a message, you know, so we'll just say happy computer A sends an
e-mail, sends a file, sends whatever that the file that you sent
is the exact same file that I'm receiving, you know, somebody in the middle hasn't grabbed
your data and changed it in some way, you know,
maybe you did a bank account transfer of 500 dollars and they come in there
and they say "Actually let's do 50, 000, you know let's modify that in some way."
So I want to make sure that what you sent is really what you sent then it get changed.
Okay, third thing is confidentiality, I want to make sure that when you send to me something,
the eyes of the internet cannot see it at all.
You know, it's one thing to change the transfer to 50, 000 dollars
but I'm like I don't even want you see that we transferred 500 bucks to begin with,
how about we just encrypt that data that falls under the confidentiality side of things.
And then finally anti-replay, I want to make sure that if you send your username and password
and it's authenticated and it's, you know, integrified, I just make up words right,
it's integrified, it's encrypted, I know-- you know so this packet that has your user
name and password, I know that is completely secured.
I want to make sure that somebody can't capture that packet and they--
even though they may not be able to decrypt it, even though they might not be able to
change it, I want to make sure they can't replay it in
another time so if they know that packet even though they don't know what
it is, you know, inside of there, if they know they can send that packet and
it gets them in, right, that's considered a replay.
So I don't want people to be able to replay old packets and have
that breach my security in some way. The answer to all of those questions lies
in this one protocol that we call IPSEC. Now IPSEC is not just a protocol, it's a suite
of protocols that go together to build security. Now the neat thing about IPSEC is that it
was designed with the future in mind. See, until IPSEC came along, different encryption
methods would come and go, you know, just over to I mean think about, how long
have we been concerned about security, right? And since the beginning of time I actually
went to an encryption seminar and they actually went back and showed all
of the ciphers that were created for a lot of the wars.
I mean even before computers were reality, there was the different codes and methods
that people would use, you know, from like Alexander the great to send messages
to his army so that wouldn't be intercepted. So we've always been doing encryption but
the problem is, as technology increases on focus just on computing as technology increases,
our computers and our processors become more and more powerful
to where brute force attacks become a reality. So encryption, let me just talk about that
and I actually I'm going to dedicate the whole next Nugget encryption
to really understand what's going on. But it all lies in a key, right?
You have a key that is used to-- think of your key as a mathematical formula that is
used to take this data and scramble it, you know,
to put it in the mathematical formula. So if somebody figures out what that key is,
they are able to descramble your data right? That's the idea behind the encryption.
Now, our processors I mean nowadays we've got, you know, whatever quad-- eight octopal--
Xeon quad core-- you know, processors are the same, they just keep coming out with bigger
and bigger processors to the point where it's possible for computers to try millions
and millions of keys every single second to try and break that,
I mean something that wasn't even fathomed back in the 60's
when early encryption methods were being created. They're like, you know, when somebody would
think oh yeah there's something out there, they can try millions of keys a second.
Yeah, that will never happen I mean Bill Gates hadn't even been born, you know,
it's like of those, one of those, you know, they're not even thinking on that scale of
things. So as time goes on and this kind of possibilities
are there, we have to increase our encryption standards
to where these keys become more and more and more sophisticated to the point where
there's so many possible keys that within a fathomable lifetime we wouldn't
be able to try enough of them to break that key.
So that's what encryption standards are. So-- what was that?
Okay, I was saying until now we have all these different encryption standards that it's kind
of like okay, we say whereas, you know, using the standard and you know,
release software that everybody uses that standard and now, you know,
it's time to upgrade, you know, because that standard is now no longer considered secure.
So they got tired of that, the people that created IPSEC
and said "let's create something that's swappable."
Here's what I mean, my kids, they have this little, I guess I could call it a house
and they have all these little holes in it, they've got like a circle, a triangle, a square,
a star, you know, all of these kinds and they got these little pieces that they can put
in the house and it falls and then there's a door on the other side.
They get them out. Think of this house like IPSEC to where essentially
IPSEC does not define like the protocol suite itself does not define
an encryption standard. It just says there is an encryption standard
and you can swap that out based on what is the latest and greatest one available.
Now, right now I would say AES is one of-- I consider it one of the strongest systems
of security AES, you know, 256 bit, you know strongest levels
of what's called symmetric encryption that you can use.
But, you know, down the road we'll fast forward 10, 12 years, that's probably going to be
like, okay that was the strongest but now we've
come up with I don't know JES right, and JES now does have 512 bit encryption,
you know, it's just even stronger than AES used
to be and let's say well, why don't we do that nowadays?
Well, because our processors aren't at the level that they will be in 12 years.
So that level of encryption would really slow down our communication 'cause it's very hard
to decrypt things that big with our current processors and all that kind of stuff.
So IPSEC is created in such a way that every single one of the pieces,
you can see the negotiation protocol encryption, authentication, the protection,
they're all swappable and they were really thinking when they did this because, you know,
security changes every single day somebody figures
out something new, some new vulnerability. So they had to design IPSEC for the future
to where you're not changing out the whole engine
of VPNs, but rather you are creating something that scales to the future.
So in [inaudible] we've got encryption which is our confidentiality, you know, it
scrambles thing. This goes from weakest to strongest, you know,
kind of building block that we can slide in to IPSEC when we're using our VPN connections.
Now you might say well, why do we even have the weak standards anymore?
Aren't they like disbanded? Well keep in mind, we live in an interesting
world where a lot of times government want to make sure that their citizens are doing
what they're supposed to be doing. So there are governments in the world that
say we do not allow you to use anything stronger than, we'll say, DES encryption.
Why? Because the government can't break it and they--
at least not efficiently and they want to be able to easily see what's going
on in their org-- in their world. So there are countries that are restricted
to just use DES or even weaker than that. So when you're talking about these encryption
standards, it's not only a technology barrier but sometimes you can get into political barriers
with what you're using now in America, you know, I don't know to their, you know,
greatness or to their demise, they don't have restrictions on the level
of encryption that you're able to use. So you can use whatever strength you want.
Now, you can see authentication, MD5. This is your integrity.
The authentication will ensure that the packets are who they say they are and, you know,
I should even bleed this into other areas as well.
You can also use things like pre-shared keys. To make sure that one side is who they say
they are. You can use something called the public key
infrastructure to make sure that one side is who they say they are.
So think of this as your authentication and confidentiality, you know, it kind of does
both and I'll explain that when we dive deep into
what these things do. So MD5 and SHA-1 are different levels of
confidentiality, different levels of authentication.
You also have protection. Protection against people stealing your encryption
keys, again next Nugget I'm going to fully depact-- unpack encryption in all
its glory. This is where I will start talking about Diffie-Hellman
in a symmetric encryption and what that can do.
Finally, I think I'm going to jump all the way back to the beginning
and IPSEC is also the negotiation protocol itself.
The negotiation protocol is really what other things are inside of there.
So somebody created IPSEC with the foresight of you know what?
We may come up with different security methods in the future-- excuse me--
beyond just encryption, authentication, protection, confidentiality,
I want to replay all of those-- excuse me-- kind of things that-- I mean--
maybe someday it's necessary that when you authenticate to a remote access VPN,
you have to do a thumb prick and, you know, do a blood test.
I don't know, I don't know what the future holds, retinal scans and I'm trying to come
up with things that don't exist, those are all just different levels of authentication.
But somebody comes up with a totally new method of security
that we haven't even thought about today. IPSEC will be ready for it because you can
even change the negotiation protocols again AH
which is authentication header or ESP encapsulated security payload,
these are different engines of IPSEC and for instance ESP is the one that says
to negotiate encryption, it says to negotiate authentication and all that kind of stuff.
Authentication header does not negotiate encryption, you know, so again I'm diving
into some of the depth that I don't want to get to at this point but my point is down
the road, they could come out with another engine.
We'll just call it a 454 all right, that negotiates some other security standard
that I can't even think about, you know, like some other method
of security that doesn't even exist today. IPSEC can be prepared for it because you can
even change the entire engine out. Now, once you open the lid on security, there
is just so much to talk about. So yes, that last slide was high level, if
you're like well, I'm just seeing all these standards that are
out there. In the next Nugget, I'm planning on unpacking
encryption and authentication so you really can see what those standards
are and what the differences are in all that. For now, I just wanted to give you that broad
brush stroke overview of this is what makes our VPN secure.
My goal is to convey to you that it's not like you're going to put something in there
and somebody is just going to be able to get it from your network.
You know VPNs and the technology that makes them secure are so strong that it's not even
an area where hackers really go after okay?
People know for instance nowadays that AES 128 bit encryption which is very decent standard
but I would say not even the strongest one out there.
They know that if you see something encrypted with that it's like okay game over.
Chances are extremely unlikely like a lightning striking while the Boeing 454 is crashing
on the ground at the same-- I mean it's just, it's so unlikely that people
like I'm not even getting a focus on trying to break the encryption, all right?
So when you're thinking about your VPNs, the VPN in your concern of security should not
be in the traversal of the data because with
all the security that I just showed you on that last slide, that is considered very
secure where you want to focus your security efforts is more or
so like I was saying before on the PCs inside of the organization.
Make sure that they don't get infected with something that even though it's secured
in this transmission when it ends up on that computer it's infected
with something allowing people to see everything that's going on.
That's where the security vulnerability is coming to play for the most part nowadays.
So next Nugget, we're going to start unpacking even more.
What are the levels of encryption? Why can't I feel good sending things across
the VPN over the internet, all that's to count for
now. I hope this has been informative for you
and I'd like to thank you for viewing.
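As an added example that is not part of this Nugget, the Python below models the tunnel and the four services the transcript lists for IPsec (authentication, data integrity, confidentiality, anti-replay) on a constructed private packet from 10.1.1.0/24 to 10.1.2.0/24. The keystream function, the `Receiver` class and the SPI/key values are assumptions for illustration, not IPsec's real ESP implementation.

```python
import hmac
import hashlib
import struct
import secrets

# Added example (not from the Nugget): a toy, ESP-like tunnel showing the four
# services the transcript lists for IPsec: authentication, data integrity,
# confidentiality and anti-replay. The confidentiality slot holds a stand-in
# keystream (HMAC-SHA256 in counter mode) rather than a negotiated cipher such
# as AES; the integrity check is HMAC-SHA256 truncated to 128 bits, which is
# how ESP and AH carry their ICV. Nothing here is production IPsec code.

ICV_LEN = 16         # 128-bit truncated integrity check value
REPLAY_WINDOW = 64   # sliding anti-replay window size, as ESP uses


def _keystream(enc_key: bytes, spi: int, seq: int, length: int) -> bytes:
    """Stand-in cipher: PRF(enc_key, SPI || seq || counter) blocks, truncated."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, struct.pack(">IIQ", spi, seq, counter),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encapsulate(inner_packet, spi, seq, enc_key, auth_key):
    """Sender: the private packet goes 'through the blender'; only SPI and
    sequence number stay readable, and the ICV binds them to the ciphertext.
    (The public outer IP header, not modelled here, would precede this.)"""
    ks = _keystream(enc_key, spi, seq, len(inner_packet))
    ciphertext = bytes(a ^ b for a, b in zip(inner_packet, ks))
    header = struct.pack(">II", spi, seq)
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


class Receiver:
    """Receiver: verify the ICV first (authentication + integrity), then the
    anti-replay window, and only then decrypt."""

    def __init__(self, enc_key, auth_key):
        self.enc_key, self.auth_key = enc_key, auth_key
        self.highest = 0   # highest sequence number accepted so far
        self.seen = 0      # bit i set => sequence number (highest - i) was seen

    def decapsulate(self, esp):
        header, body, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
        expected = hmac.new(self.auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ICV mismatch: altered in transit or not from our peer")
        spi, seq = struct.unpack(">II", header)
        if seq == 0 or seq + REPLAY_WINDOW <= self.highest:
            raise ValueError("anti-replay: sequence number older than the window")
        if seq <= self.highest and (self.seen >> (self.highest - seq)) & 1:
            raise ValueError("anti-replay: sequence number already accepted")
        if seq > self.highest:
            self.seen = ((self.seen << (seq - self.highest)) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.highest = seq
        else:
            self.seen |= 1 << (self.highest - seq)
        ks = _keystream(self.enc_key, spi, seq, len(body))
        return bytes(a ^ b for a, b in zip(body, ks))


def demo():
    """Run the tunnel on a constructed private packet and return what each
    check decided, so the four services can be observed one at a time."""
    enc_key, auth_key = secrets.token_bytes(32), secrets.token_bytes(32)
    spi = 0x1000  # assumed SPI value for the example
    # constructed inner packet: 10.1.1.5 -> 10.1.2.7 plus a small payload
    inner = bytes([10, 1, 1, 5, 10, 1, 2, 7]) + b"transfer 500 dollars"
    rx = Receiver(enc_key, auth_key)
    pkt = encapsulate(inner, spi, 1, enc_key, auth_key)
    results = {"decrypted_ok": rx.decapsulate(pkt) == inner,
               "payload_hidden": b"transfer" not in pkt}   # eyes of the internet see nothing
    tampered = bytearray(pkt)
    tampered[-ICV_LEN - 1] ^= 0x01   # someone in the middle edits the ciphertext
    for name, attempt in (("tamper_rejected", bytes(tampered)), ("replay_rejected", pkt)):
        try:
            rx.decapsulate(attempt)
            results[name] = False
        except ValueError:
            results[name] = True
    results["later_seq_accepted"] = rx.decapsulate(encapsulate(inner, spi, 2, enc_key, auth_key)) == inner
    return results


if __name__ == "__main__":
    print(demo())
```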