IP Sec VPN Fundamentals

00:14:54
https://www.youtube.com/watch?v=15amNny_kKI

Summary

TL;DR: This video provides an introduction to the fundamentals of IPsec, a set of protocols for creating secure network tunnels across public networks such as the internet. It explains why IPsec matters for businesses with several geographically dispersed sites and for those using cloud services, since IPsec ensures that only authenticated devices connect and that transmitted data is encrypted and protected against tampering. The video covers the concept of interesting traffic, the phases of the protocol (IKE phase 1 and IKE phase 2), and compares policy-based VPNs with route-based VPNs, highlighting how each handles interesting traffic and how it is configured.

Key takeaways

  • 🔐 IPsec creates secure tunnels over insecure networks.
  • 🔑 It uses a combination of asymmetric and symmetric encryption.
  • 🌐 It connects networks securely, which matters for businesses.
  • 📑 There are policy-based and route-based VPNs for handling traffic.
  • 🧑‍💼 IPsec phase 1 involves authentication and key exchange.
  • 🚀 Phase 2 is faster and focuses on agreeing encryption methods.
  • 🔍 'Interesting traffic' triggers VPN tunnels.
  • 🛠 Hard to configure, but highly secure.
  • 📊 Policy-based VPNs offer more flexibility.
  • 🌈 Route-based VPNs are simpler to configure.

Timeline

  • 00:00:00 - 00:05:00

    IPsec is a set of protocols that work together to establish secure network tunnels across insecure networks, for example connecting two secure networks across the internet. IPsec provides authentication, so that only known peers can connect, and encrypts traffic to guarantee the security and integrity of data while it is in transit. IPsec tunnels are created in response to "interesting" traffic, which matches certain criteria, and are torn down when there is no more traffic.

  • 00:05:00 - 00:14:54

    IPsec is a process split into two main phases: IKE phase one, the slower and more complex part in which authentication takes place and symmetric keys are created and exchanged using asymmetric encryption, and IKE phase two, which is faster and focuses on establishing the encryption methods for the bulk transfer of data. In each phase, security associations are established that allow data transfer and secure communication. VPNs can be policy-based or route-based, offering different levels of control over traffic depending on the type of configuration.

Frequently asked questions

  • What is IPsec?

    IPsec is a set of protocols that work together to establish secure network connections across insecure networks.

  • What is IPsec used for?

    IPsec is used to connect networks securely, allowing only authenticated devices to communicate and protecting transmitted data from prying eyes or tampering.

  • What are the main phases of an IPsec tunnel?

    IPsec consists of two phases: IKE phase 1, where the key exchange takes place and identity is authenticated, and IKE phase 2, which covers agreeing on encryption methods and the use of keys for data transfer.

  • What is the difference between policy-based and route-based VPNs?

    Policy-based VPNs match traffic according to specific rules and offer more flexibility. Route-based VPNs use network prefixes to identify traffic, and are easier to configure but offer fewer features.

  • What are security associations in IPsec?

    Security associations (SAs) are logical connections used to protect data transfer in an IPsec tunnel; there is normally one per direction of traffic.

  • How is data protected in an IPsec tunnel?

    Data in an IPsec tunnel is encrypted, which means that any outside observer can only see ciphertext, which cannot be read or modified without detection.

Subtitles (en)
  • 00:00:00
    Welcome back and in this lesson,
  • 00:00:01
    I want to cover IPsec fundamentals.
  • 00:00:04
    So I want to talk about what IPsec is, why it matters,
  • 00:00:08
    and how IPsec works at a fundamental level.
  • 00:00:11
    Now we have a lot of theory to cover
  • 00:00:13
    so let's jump in and get started.
  • 00:00:15
    At a foundational level,
  • 00:00:17
    IPsec is a group of protocols which work together.
  • 00:00:21
    Their aim is to set up secure networking tunnels
  • 00:00:24
    across insecure networks.
  • 00:00:26
    For example, connecting two secure networks
  • 00:00:29
    or more specifically their routers called peers
  • 00:00:32
    across the public internet.
  • 00:00:34
    Now you might use this if you're a business
  • 00:00:36
    with multiple sites, spread around geographically
  • 00:00:39
    and want to connect them together
  • 00:00:41
    or if you have infrastructure in AWS
  • 00:00:43
    or another cloud platform
  • 00:00:45
    and want to connect to that infrastructure.
  • 00:00:48
    IPsec provides authentication.
  • 00:00:50
    So that only peers which are known to each other
  • 00:00:53
    and can authenticate with each other can connect.
  • 00:00:55
    And any traffic which is carried by the IPsec protocols
  • 00:00:59
    is encrypted, which means to onlookers the secure data
  • 00:01:03
    which has been carried is ciphertext,
  • 00:01:05
    it can't be viewed
  • 00:01:06
    and it can't be altered without being detected.
  • 00:01:09
    Now, architecturally, it looks like this.
  • 00:01:12
    We have the public internet
  • 00:01:14
    which is an insecure network,
  • 00:01:16
    full of goblins looking to steal your data.
  • 00:01:19
    Over this insecure network,
  • 00:01:21
    we create IPsec tunnels between peers.
  • 00:01:24
    Now, these tunnels exist as they're required.
  • 00:01:28
    Within IPsec VPNs,
  • 00:01:31
    there's the concept of interesting traffic.
  • 00:01:34
    Now interesting traffic is simply traffic
  • 00:01:36
    which matches certain rules.
  • 00:01:38
    And these could be based on network prefixes
  • 00:01:41
    or much more complex traffic types.
  • 00:01:44
    Regardless of the rules if data matches any of those rules
  • 00:01:48
    it's classified as interesting traffic
  • 00:01:51
    and a VPN tunnel is created to carry traffic
  • 00:01:54
    through to its destination.
  • 00:01:56
    Now, if there's no interesting traffic
  • 00:01:58
    then tunnels are eventually torn down only
  • 00:02:01
    to be re-established
  • 00:02:02
    when the system next detects interesting traffic.
  • 00:02:06
    The key thing to understand is that even
  • 00:02:07
    though those tunnels use the public internet,
  • 00:02:10
    any data within the tunnels is encrypted
  • 00:02:15
    while transiting over that insecure network, it's protected.
  • 00:02:19
    Now to understand the nuance of what IPsec does
  • 00:02:23
    we need to refresh a few key pieces of knowledge.
  • 00:02:26
    In my fundamental section
  • 00:02:28
    I talked about the different types of encryption.
  • 00:02:31
    I mentioned symmetric and asymmetric encryption.
  • 00:02:35
    Now symmetric encryption is fast,
  • 00:02:37
    it's generally really easy to perform on any modern CPU
  • 00:02:41
    and it has pretty low overhead.
  • 00:02:44
    But exchanging keys is a challenge.
  • 00:02:47
    The same keys are used to encrypt and decrypt.
  • 00:02:50
    So how can you get the key
  • 00:02:51
    from one entity to another securely?
  • 00:02:54
    Do you transmit it in advance over a different medium
  • 00:02:57
    or do you encrypt it?
  • 00:02:58
    If so you run into a Catch-22 situation,
  • 00:03:01
    how do you securely transmit the encrypted key?
  • 00:03:05
    That's why asymmetric encryption is really valuable.
  • 00:03:09
    Now it's slower,
  • 00:03:10
    so we don't want to be using it all of the time
  • 00:03:12
    but it makes exchanging keys really simple
  • 00:03:15
    because different keys are used
  • 00:03:17
    for encryption and decryption.
  • 00:03:19
    Now a public key is used to encrypt data and only
  • 00:03:23
    the corresponding private key can decrypt that data.
  • 00:03:27
    And this means that you can safely exchange the public key
  • 00:03:30
    while keeping the private key private.
  • 00:03:33
    So the aim of most protocols
  • 00:03:34
    which handle the encryption of data over the internet
  • 00:03:37
    is to start with asymmetric encryption,
  • 00:03:40
    use this to securely exchange symmetric keys
  • 00:03:44
    and then use those for ongoing encryption.
  • 00:03:47
    Now I mentioned
  • 00:03:48
    that because it will help you understand exactly
  • 00:03:50
    how IPsec VPN works.
  • 00:03:53
    So let's go through it.
  • 00:03:55
    IPsec has two main phases.
  • 00:03:58
    If you work with VPNs, you're going to hear a lot
  • 00:04:01
    of talk about phase one or phase two.
  • 00:04:04
    It's going to make sense why these are needed
  • 00:04:06
    by the end of this lesson.
  • 00:04:07
    But to understand there are two phases
  • 00:04:09
    in setting up a given VPN connection.
  • 00:04:12
    The first is known as IKE phase one.
  • 00:04:15
    IKE or internet key exchange,
  • 00:04:18
    as the name suggests is a protocol
  • 00:04:21
    for how keys are exchanged in this context within a VPN.
  • 00:04:25
    There are two versions,
  • 00:04:26
    IKE version one and IKE version two,
  • 00:04:29
    version one logically is older,
  • 00:04:31
    version two is newer and comes with more features.
  • 00:04:34
    Now you don't need to know all of the detail right now.
  • 00:04:36
    Just understand that the protocol is about exchanging keys.
  • 00:04:40
    IKE phase one is the slow and heavy part of the process.
  • 00:04:44
    It's where you initially authenticate using
  • 00:04:46
    a pre-shared key.
  • 00:04:47
    So a password of sorts or a certificate.
  • 00:04:50
    It's where asymmetric encryption is used to agree on, create
  • 00:04:55
    and share symmetric keys, which are used in phase two.
  • 00:04:59
    The end of this phase
  • 00:05:00
    is what's known as an IKE phase one tunnel
  • 00:05:03
    or a security association known as an SA.
  • 00:05:06
    There's lots of jargon being thrown around
  • 00:05:08
    and I'll be showing you how this all works visually
  • 00:05:11
    in just a moment.
  • 00:05:12
    But at the end of phase one, you have a phase one tunnel
  • 00:05:16
    and the heavy work of moving towards symmetric keys
  • 00:05:20
    which can be used for encryption has been completed.
  • 00:05:23
    The next step is IKE phase two
  • 00:05:25
    which is faster and much more agile,
  • 00:05:28
    because much of the heavy lifting
  • 00:05:30
    has been done in phase one.
  • 00:05:32
    Technically the phase one keys
  • 00:05:34
    are used as a starting point for phase two.
  • 00:05:38
    Phase two is built on top of phase one
  • 00:05:40
    and is concerned with agreeing encryption methods
  • 00:05:43
    and the keys used for the bulk transfer of data.
  • 00:05:47
    The end result is an IPsec security association
  • 00:05:50
    a phase two tunnel, which runs over phase one.
  • 00:05:55
    Now, the reason why these are split up
  • 00:05:58
    is that it's possible for phase one to be established
  • 00:06:01
    then a phase two tunnel created, used
  • 00:06:04
    and then torn down when no more interesting traffic occurs
  • 00:06:08
    but the phase one tunnel stays.
  • 00:06:10
    It means that establishing a new phase two tunnel
  • 00:06:14
    is much faster and less work.
  • 00:06:16
    It's an elegant and well-designed architecture.
  • 00:06:19
    So let's look at how this all works together, visually.
  • 00:06:22
    So this is IKE phase one.
  • 00:06:24
    The architecture is a simple one.
  • 00:06:26
    Two business sites,
  • 00:06:28
    site one on the left with a user Bob
  • 00:06:30
    and site two on the right with the user Julie,
  • 00:06:33
    and in the middle, the public internet.
  • 00:06:35
    The very first step of this process
  • 00:06:37
    is that the routers, the two peers at either side
  • 00:06:40
    of this architecture need to authenticate,
  • 00:06:42
    essentially prove their identity,
  • 00:06:45
    which is done either using certificates or pre-shared keys.
  • 00:06:49
    Now it's important to understand
  • 00:06:50
    that this isn't yet about encryption.
  • 00:06:53
    It's about proving identity.
  • 00:06:55
    Proving that both sides agree
  • 00:06:57
    that the other side should be part of this VPN.
  • 00:07:00
    No keys are exchanged, it's just about identity.
  • 00:07:05
    Once the identity has been confirmed
  • 00:07:07
    then we move onto the next stage of IKE phase one.
  • 00:07:11
    In this stage,
  • 00:07:12
    we use a process called Diffie-Hellman key exchange.
  • 00:07:15
    Now, again, I'm sorry about the jargon
  • 00:07:17
    but try your best
  • 00:07:18
    to remember Diffie-Hellman known as DH.
  • 00:07:22
    What happens is that each side creates
  • 00:07:25
    a Diffie-Hellman private key.
  • 00:07:28
    This key is used to decrypt data and to sign things.
  • 00:07:32
    You should remember
  • 00:07:33
    this from the encryption fundamentals lesson.
  • 00:07:36
    In addition, each side uses that private key
  • 00:07:39
    and derives a corresponding public key.
  • 00:07:43
    Now the public key can be used to encrypt data
  • 00:07:46
    that only that private key can decrypt.
  • 00:07:49
    So at this point, each side has a private key
  • 00:07:52
    as well as a corresponding public key.
  • 00:07:55
    At this point, these public keys are exchanged.
  • 00:07:58
    So Bob has Julie's public key
  • 00:08:01
    and Julie has Bob's public key.
  • 00:08:03
    Remember these public keys are not sensitive
  • 00:08:06
    and can only be used normally to encrypt data
  • 00:08:09
    for decryption by the corresponding private key.
  • 00:08:12
    The next stage of the process
  • 00:08:14
    is actually really complicated mathematics
  • 00:08:16
    but at a fundamental level each side takes
  • 00:08:19
    its own private key and the public key of the other side
  • 00:08:24
    and uses this to derive
  • 00:08:26
    what's known as the Diffie-Hellman key.
  • 00:08:29
    This key is the same at both sides
  • 00:08:31
    but it's been independently generated.
  • 00:08:34
    Now again, the maths is something
  • 00:08:35
    that's well beyond this lesson,
  • 00:08:37
    but it's at the core of how this phase of the VPN works.
  • 00:08:41
    In turn at this point it's used to exchange
  • 00:08:43
    all the key material and agreements.
  • 00:08:46
    This part you can think of as a negotiation.
  • 00:08:49
    The result is that each side again, independently uses
  • 00:08:54
    this DH key plus the exchanged key material
  • 00:08:58
    to generate a final phase one symmetrical key.
  • 00:09:02
    This key is what you use to encrypt anything passing
  • 00:09:06
    through the phase one tunnel known
  • 00:09:08
    as the IKE security association.
  • 00:09:11
    Now, if that process seems slow and heavy
  • 00:09:14
    that's because it is,
  • 00:09:15
    it's both complex and in some ways simplistically elegant
  • 00:09:19
    at the same time.
  • 00:09:20
    But it means that both sides have the same symmetric key
  • 00:09:24
    without that ever having been passed between them.
  • 00:09:27
    And the phase ends with this security association in place,
  • 00:09:31
    and this can be used at phase two.
  • 00:09:34
    So let's talk about that next.
  • 00:09:36
    So in phase two, we have a few things.
  • 00:09:39
    First a DH key on both sides
  • 00:09:42
    and the same phase one symmetric key also on both sides.
  • 00:09:46
    And then finally, the established phase one tunnel.
  • 00:09:50
    During this phase, both of the peers are wanting
  • 00:09:54
    to agree how the VPN itself will be constructed.
  • 00:09:57
    The previous phase was about exchanging keys
  • 00:10:00
    and allowing the peers to communicate.
  • 00:10:03
    This phase, so IKE phase two is about getting
  • 00:10:06
    the VPN up and running, being in a position to encrypt data.
  • 00:10:10
    So agreeing how, when and what?
  • 00:10:13
    So the first part of this,
  • 00:10:14
    is that the symmetric key is used to encrypt
  • 00:10:17
    and decrypt agreements
  • 00:10:20
    and pass more key material between the peers.
  • 00:10:23
    The idea is that one peer is informing the other
  • 00:10:27
    about the range of cipher suites that it supports,
  • 00:10:30
    basically encryption methods which it can perform.
  • 00:10:33
    The other peer, in this example the right one
  • 00:10:36
    will then pick the best shared one.
  • 00:10:39
    So the best method, which it also supports
  • 00:10:42
    and it will let the left peer know
  • 00:10:44
    and this becomes the agreed method of communication.
  • 00:10:48
    Next, the DH key
  • 00:10:50
    and the key material exchanged above
  • 00:10:52
    is used to create a new key, a symmetrical IPsec key.
  • 00:10:57
    This is a key which is designed
  • 00:10:58
    for large scale data transfer.
  • 00:11:01
    It's an efficient and secure algorithm.
  • 00:11:04
    And the specific one is based on the negotiation
  • 00:11:07
    which happened above in steps one and two of this phase.
  • 00:11:11
    So it's this key, which is used for the encryption
  • 00:11:14
    and decryption of interesting traffic across the VPN tunnel.
  • 00:11:19
    Across each phase one tunnel,
  • 00:11:20
    you actually have a pair of security associations,
  • 00:11:24
    one from right to left and one from left to right.
  • 00:11:28
    And these are the security associations
  • 00:11:30
    which are used to transfer the data
  • 00:11:32
    between networks at either side of a VPN.
  • 00:11:36
    Now there are actually two different types of VPN
  • 00:11:39
    which you need to understand,
  • 00:11:41
    policy-based VPNs and route-based VPNs.
  • 00:11:45
    The difference is how they match interesting traffic.
  • 00:11:48
    Remember this is the traffic which gets sent over a VPN.
  • 00:11:52
    So with policy-based VPNs,
  • 00:11:55
    there are rules created which match traffic.
  • 00:11:58
    And based on this rule traffic is sent over a pair
  • 00:12:01
    of security associations,
  • 00:12:03
    one which is used for each direction of traffic.
  • 00:12:07
    It means that you can have different rules
  • 00:12:09
    for different types of traffic.
  • 00:12:11
    Something which is great
  • 00:12:13
    for more rigorous security environments.
  • 00:12:16
    Now, the other type of VPN are route-based VPNs
  • 00:12:20
    and these do target matching based on prefix.
  • 00:12:23
    For example, send traffic for 192.168.0.0/24 over this VPN.
  • 00:12:31
    With this type of VPN, you have a single pair
  • 00:12:34
    of security associations for each network prefix.
  • 00:12:38
    This means all traffic types
  • 00:12:40
    between those networks use the same path
  • 00:12:43
    of security associations.
  • 00:12:45
    Now this provides less functionality
  • 00:12:48
    but it is much simpler to set up.
  • 00:12:50
    To illustrate the differences
  • 00:12:51
    between route-based and policy-based VPNs,
  • 00:12:54
    it's probably worth looking visually
  • 00:12:56
    at the phase one and phase two architectures.
  • 00:13:00
    Let's start with a simple route-based VPN.
  • 00:13:04
    The phase one tunnel is established using
  • 00:13:07
    a phase one tunnel key.
  • 00:13:09
    Now, assuming that we're using a route-based VPN
  • 00:13:12
    then a single path of security associations is created,
  • 00:13:16
    one in each direction using a single IPsec key.
  • 00:13:21
    So this means that we have a pair of security associations
  • 00:13:24
    and essentially a single phase two tunnel,
  • 00:13:26
    running over the phase one tunnel.
  • 00:13:29
    Now the phase two or IPsec tunnel,
  • 00:13:32
    which is how we talk about the pair
  • 00:13:33
    of security associations can be dropped
  • 00:13:36
    when there is no more interesting traffic
  • 00:13:38
    and recreated again on top of the same phase one tunnel
  • 00:13:42
    when new traffic is detected.
  • 00:13:44
    But the key thing to understand
  • 00:13:46
    is that there's one phase one tunnel running
  • 00:13:49
    one phase two tunnel based on routes.
  • 00:13:53
    Running a policy-based VPN is different.
  • 00:13:56
    We still have the same phase one tunnel
  • 00:13:58
    but over the top of this, each policy match uses
  • 00:14:02
    an SA pair with a unique IPsec key.
  • 00:14:06
    And this allows us
  • 00:14:07
    to have for the same network different security settings
  • 00:14:14
    for different types of traffic.
  • 00:14:15
    In this example infrastructure at the top,
  • 00:14:16
    CCTV in the middle
  • 00:14:18
    and financial systems at the bottom.
  • 00:14:20
    So policy-based VPNs are more difficult to configure
  • 00:14:24
    but do provide much more flexibility
  • 00:14:26
    when it comes to using different security settings
  • 00:14:29
    for different types of traffic.
  • 00:14:31
    Now that, at a very high level, is how a VPN functions.
  • 00:14:36
    So the security architecture of how everything interacts
  • 00:14:39
    with everything else.
  • 00:14:40
    Elsewhere in my course, you'll be learning how AWS use VPNs
  • 00:14:44
    within their product set,
  • 00:14:46
    but for now that's everything that I wanted to cover.
  • 00:14:49
    So go ahead and complete this video
  • 00:14:50
    and then when you're ready,
  • 00:14:51
    I look forward to your joining me in the next.
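
The IKE phase one Diffie-Hellman exchange and the phase two per-direction keys the transcript walks through, as an added Python simulation that is not code from the video or course: Bob and Julie each derive the same DH key without it ever crossing the network, then combine it with exchanged nonces to get the phase one key, from which one IPsec key per direction (the SA pair) is derived. The group parameters and the HMAC-based derivation are constructed toy stand-ins, not the real IKE groups or PRF+ chains.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only: a 127-bit
# Mersenne prime with generator 3. Real IKE negotiates standardised groups
# (large MODP or elliptic-curve groups); never use this group in practice.
P = 2**127 - 1
G = 3
KEY_BYTES = (P.bit_length() + 7) // 8


def dh_keypair():
    """Each peer picks a DH private value and derives its public value G^priv mod P."""
    priv = 2 + secrets.randbelow(P - 3)          # private value in [2, P-2]
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Own private value + the peer's public value -> the DH key (equal on both sides)."""
    # Reject degenerate public values (0, 1, P-1) that would pin the shared key
    # to a trivial value; real IKE implementations perform an equivalent check.
    if not 2 <= peer_pub <= P - 2:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)


def prf(key, data):
    """Simplified PRF (HMAC-SHA256); IKE uses the negotiated prf and prf+ chains."""
    return hmac.new(key, data, hashlib.sha256).digest()


def phase1_key(dh_key, nonce_i, nonce_r):
    """Phase one symmetric key from the DH key plus the exchanged key material (nonces)."""
    return prf(nonce_i + nonce_r, dh_key.to_bytes(KEY_BYTES, "big"))


def phase2_sa_keys(p1_key, nonce_i, nonce_r):
    """Phase two: one IPsec key per direction, i.e. the pair of security associations."""
    material = nonce_i + nonce_r
    return {
        "i_to_r": prf(p1_key, b"SA-i-to-r" + material),
        "r_to_i": prf(p1_key, b"SA-r-to-i" + material),
    }


def run_exchange():
    """Simulate Bob (initiator) and Julie (responder) from the transcript's example."""
    bob_priv, bob_pub = dh_keypair()
    julie_priv, julie_pub = dh_keypair()
    # Only the public values and nonces cross the insecure network.
    nonce_bob, nonce_julie = secrets.token_bytes(32), secrets.token_bytes(32)
    bob_dh = dh_shared(bob_priv, julie_pub)
    julie_dh = dh_shared(julie_priv, bob_pub)
    bob_p1 = phase1_key(bob_dh, nonce_bob, nonce_julie)
    julie_p1 = phase1_key(julie_dh, nonce_bob, nonce_julie)
    return {
        "bob_dh": bob_dh, "julie_dh": julie_dh,
        "bob_p1": bob_p1, "julie_p1": julie_p1,
        "bob_sas": phase2_sa_keys(bob_p1, nonce_bob, nonce_julie),
        "julie_sas": phase2_sa_keys(julie_p1, nonce_bob, nonce_julie),
    }


if __name__ == "__main__":
    r = run_exchange()
    print("DH keys match:", r["bob_dh"] == r["julie_dh"])
    print("phase one keys match:", r["bob_p1"] == r["julie_p1"])
    print("SA pair keys match:", r["bob_sas"] == r["julie_sas"])
```
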
Tags
  • IPsec
  • encryption
  • network security
  • VPN
  • IKE
  • secure tunnels
  • network
  • protocols
  • interesting traffic
  • AWS