00:00:00
Welcome back and in this lesson,
00:00:01
I want to cover IPsec fundamentals.
00:00:04
So I want to talk about what
IPsec is, why it matters,
00:00:08
and how IPsec works at
a fundamental level.
00:00:11
Now we have a lot of theory to cover
00:00:13
so let's jump in and get started.
00:00:15
At a foundational level,
00:00:17
IPsec is a group of protocols
which work together.
00:00:21
Their aim is to set up
secure networking tunnels
00:00:24
across insecure networks.
00:00:26
For example, connecting
two secure networks
00:00:29
or more specifically
their routers called peers
00:00:32
across the public internet.
00:00:34
Now you might use this
if you're a business
00:00:36
with multiple sites, spread
around geographically
00:00:39
and want to connect them together
00:00:41
or if you have infrastructure in AWS
00:00:43
or another cloud platform
00:00:45
and want to connect to
that infrastructure.
00:00:48
IPsec provides authentication.
00:00:50
So that only peers which
are known to each other
00:00:53
and can authenticate with
each other can connect.
00:00:55
And any traffic which is
carried by the IPsec protocols
00:00:59
is encrypted, which means
to onlookers the secure data
00:01:03
which has been carried is ciphertext,
00:01:05
it can't be viewed
00:01:06
and it can't be altered
without being detected.
00:01:09
Now, architecturally, it looks like this.
00:01:12
We have the public internet
00:01:14
which is an insecure network,
00:01:16
full of goblins looking
to steal your data.
00:01:19
Over this insecure network,
00:01:21
we create IPsec tunnels between peers.
00:01:24
Now, these tunnels exist
as they're required.
00:01:28
Within IPsec VPNs,
00:01:31
there's the concept of
interesting traffic.
00:01:34
Now interesting traffic is simply traffic
00:01:36
which matches certain rules.
00:01:38
And these could be based
on network prefixes
00:01:41
or much more complex traffic types.
00:01:44
Regardless of the rules, if
data matches any of those rules
00:01:48
it's classified as interesting traffic
00:01:51
and a VPN tunnel is
created to carry traffic
00:01:54
through to its destination.
00:01:56
Now, if there's no interesting traffic
00:01:58
then tunnels are eventually torn down only
00:02:01
to be re-established
00:02:02
when the system next
detects interesting traffic.
00:02:06
The key thing to understand is that even
00:02:07
though those tunnels
use the public internet,
00:02:10
any data within
the tunnels is encrypted
00:02:15
while transiting over that
insecure network, it's protected.
00:02:19
Now to understand the
nuance of what IPsec does
00:02:23
we need to refresh a few
key pieces of knowledge.
00:02:26
In my fundamental section
00:02:28
I talked about the different
types of encryption.
00:02:31
I mentioned symmetric and
asymmetric encryption.
00:02:35
Now symmetric encryption is fast,
00:02:37
it's generally really easy
to perform on any modern CPU
00:02:41
and it has pretty low overhead.
00:02:44
But exchanging keys is a challenge.
00:02:47
The same keys are used
to encrypt and decrypt.
00:02:50
So how can you get the key
00:02:51
from one entity to another securely?
00:02:54
Do you transmit it in advance
over a different medium
00:02:57
or do you encrypt it?
00:02:58
If so, you run into a Catch-22 situation,
00:03:01
how do you securely
transmit the encrypted key?
00:03:05
That's why asymmetric
encryption is really valuable.
00:03:09
Now it's slower,
00:03:10
so we don't want to be
using it all of the time
00:03:12
but it makes exchanging keys really simple
00:03:15
because different keys are used
00:03:17
for encryption and decryption.
00:03:19
Now a public key is used
to encrypt data and only
00:03:23
the corresponding private
key can decrypt that data.
00:03:27
And this means that you can
safely exchange the public key
00:03:30
while keeping the private key private.
00:03:33
So the aim of most protocols
00:03:34
which handle the encryption
of data over the internet
00:03:37
is to start with asymmetric encryption,
00:03:40
use this to securely
exchange symmetric keys
00:03:44
and then use those for ongoing encryption.
00:03:47
Now I mentioned
00:03:48
that because it will help
you understand exactly
00:03:50
how IPsec VPN works.
00:03:53
So let's go through it.
00:03:55
IPsec has two main phases.
00:03:58
If you work with VPNs,
you're going to hear a lot
00:04:01
of talk about phase one or phase two.
00:04:04
It's going to make sense
why these are needed
00:04:06
by the end of this lesson.
00:04:07
But to understand, there are two phases
00:04:09
in setting up a given VPN connection.
00:04:12
The first is known as IKE phase one.
00:04:15
IKE or internet key exchange,
00:04:18
as the name suggests is a protocol
00:04:21
for how keys are exchanged
in this context within a VPN.
00:04:25
There are two versions,
00:04:26
IKE version one and IKE version two,
00:04:29
version one logically is older,
00:04:31
version two is newer and
comes with more features.
00:04:34
Now you don't need to know
all of the detail right now.
00:04:36
Just understand that the protocol
is about exchanging keys.
00:04:40
IKE phase one is the slow and
heavy part of the process.
00:04:44
It's where you initially
authenticate using
00:04:46
a pre-shared key.
00:04:47
So a password of sorts or a certificate.
00:04:50
It's where asymmetric encryption
is used to agree on, create
00:04:55
and share symmetric keys,
which are used in phase two.
00:04:59
The end of this phase
00:05:00
is what's known as an IKE phase one tunnel
00:05:03
or a security association known as an SA.
00:05:06
There's lots of jargon being thrown around
00:05:08
and I'll be showing you
how this all works visually
00:05:11
in just a moment.
00:05:12
But at the end of phase one,
you have a phase one tunnel
00:05:16
and the heavy work of moving
towards symmetric keys
00:05:20
which can be used for
encryption has been completed.
00:05:23
The next step is IKE phase two
00:05:25
which is faster and much more agile,
00:05:28
because much of the heavy lifting
00:05:30
has been done in phase one.
00:05:32
Technically the phase one keys
00:05:34
are used as a starting
point for phase two.
00:05:38
Phase two is built on top of phase one
00:05:40
and is concerned with
agreeing encryption methods
00:05:43
and the keys used for
the bulk transfer of data.
00:05:47
The end result is an
IPsec security association
00:05:50
a phase two tunnel, which
runs over phase one.
00:05:55
Now, the reason why these
are split up
00:05:58
is that it's possible for
phase one to be established
00:06:01
then a phase two tunnel created, used,
00:06:04
and then torn down when no
more interesting traffic occurs
00:06:08
but the phase one tunnel stays.
00:06:10
It means that establishing
a new phase two tunnel
00:06:14
is much faster and less work.
00:06:16
It's an elegant and
well-designed architecture.
00:06:19
So let's look at how this
all works together, visually.
00:06:22
So this is IKE phase one.
00:06:24
The architecture is a simple one.
00:06:26
Two business sites,
00:06:28
site one on the left with a user Bob
00:06:30
and site two on the right
with the user Julie,
00:06:33
and in the middle, the public internet.
00:06:35
The very first step of this process
00:06:37
is that the routers, the
two peers at either side
00:06:40
of this architecture need to authenticate,
00:06:42
essentially prove their identity,
00:06:45
which is done either using
certificates or pre-shared keys.
00:06:49
Now it's important to understand
00:06:50
that this isn't yet about encryption.
00:06:53
It's about proving identity.
00:06:55
Proving that both sides agree
00:06:57
that the other side should
be part of this VPN.
00:07:00
No keys are exchanged,
it's just about identity.
00:07:05
Once the identity has been confirmed
00:07:07
then we move onto the next
stage of IKE phase one.
00:07:11
In this stage,
00:07:12
we use a process called
Diffie-Hellman key exchange.
00:07:15
Now, again, I'm sorry about the jargon
00:07:17
but try your best
00:07:18
to remember Diffie-Hellman known as DH.
00:07:22
What happens is that each side creates
00:07:25
a Diffie-Hellman private key.
00:07:28
This key is used to
decrypt data and to sign things.
00:07:32
You should remember
00:07:33
this from the encryption
fundamentals lesson.
00:07:36
In addition, each side
uses that private key
00:07:39
and derives a corresponding public key.
00:07:43
Now the public key can
be used to encrypt data
00:07:46
that only that private key can decrypt.
00:07:49
So at this point, each
side has a private key
00:07:52
as well as a corresponding public key.
00:07:55
At this point, these
public keys are exchanged.
00:07:58
So Bob has Julie's public key
00:08:01
and Julie has Bob's public key.
00:08:03
Remember these public
keys are not sensitive
00:08:06
and can only be used
normally to encrypt data
00:08:09
for decryption by the
corresponding private key.
00:08:12
The next stage of the process
00:08:14
is actually really complicated mathematics
00:08:16
but at a fundamental level each side takes
00:08:19
its own private key and the
public key of the other side
00:08:24
and uses this to derive
00:08:26
what's known as the Diffie-Hellman key.
00:08:29
This key is the same at both sides
00:08:31
but it's been independently generated.
00:08:34
Now again, the maths is something
00:08:35
that's well beyond this lesson,
00:08:37
but it's at the core of
how this phase of the VPN works.
00:08:41
In turn at this point
it's used to exchange
00:08:43
all the key material and agreements.
00:08:46
This part you can think
of as a negotiation.
00:08:49
The result is that each side,
again independently, uses
00:08:54
this DH key plus the
exchanged key material
00:08:58
to generate a final phase
one symmetrical key.
00:09:02
This key is what you use
to encrypt anything passing
00:09:06
through the phase one tunnel known
00:09:08
as the IKE security association.
00:09:11
Now, if that process seems slow and heavy
00:09:14
that's because it is,
00:09:15
it's both complex and in some
ways simplistically elegant
00:09:19
at the same time.
00:09:20
But it means that both sides
have the same symmetric key
00:09:24
without that ever having
been passed between them.
00:09:27
And the phase ends with this
security association in place,
00:09:31
and this can be used at phase two.
00:09:34
So let's talk about that next.
00:09:36
So in phase two, we have a few things.
00:09:39
First a DH key on both sides
00:09:42
and the same phase one symmetric
key also on both sides.
00:09:46
And then finally, the
established phase one tunnel.
00:09:50
During this phase, both
of the peers are wanting
00:09:54
to agree how the VPN
itself will be constructed.
00:09:57
The previous phase was about
allowing the exchange of keys
00:10:00
and allowing the peers to communicate.
00:10:03
This phase, so IKE phase
two, is about getting
00:10:06
the VPN up and running, being
in a position to encrypt data.
00:10:10
So agreeing how, when and what?
00:10:13
So the first part of this,
00:10:14
is that the symmetric
key is used to encrypt
00:10:17
and decrypt agreements
00:10:20
and pass more key material
between the peers.
00:10:23
The idea is that one peer
is informing the other
00:10:27
about the range of cipher
suites that it supports,
00:10:30
basically encryption methods
which it can perform.
00:10:33
The other peer, in this
example the right one
00:10:36
will then pick the best shared one.
00:10:39
So the best method, which it also supports
00:10:42
and it will let the left peer know
00:10:44
and this becomes the agreed
method of communication.
00:10:48
Next, the DH key
00:10:50
and the key material exchanged above
00:10:52
is used to create a new key,
a symmetrical IPsec key.
00:10:57
This is a key which is designed
00:10:58
for large scale data transfer.
00:11:01
It's an efficient and secure algorithm.
00:11:04
And the specific one is
based on the negotiation
00:11:07
which happened above in steps
one and two at this phase.
00:11:11
So it's this key, which
is used for the encryption
00:11:14
and decryption of interesting
traffic across the VPN tunnel.
00:11:19
Across each phase one tunnel,
00:11:20
you actually have a pair
of security associations,
00:11:24
one from right to left and
one from left to right.
00:11:28
And these are the security associations
00:11:30
which are used to transfer the data
00:11:32
between networks at either side of a VPN.
00:11:36
Now there are actually
two different types of VPN
00:11:39
which you need to understand,
00:11:41
policy-based VPNs and route-based VPNs.
00:11:45
The difference is how they
match interesting traffic.
00:11:48
Remember this is the traffic
which gets sent over a VPN.
00:11:52
So with policy-based VPNs,
00:11:55
there are rules created
which match traffic.
00:11:58
And based on this rule
traffic is sent over a pair
00:12:01
of security associations,
00:12:03
one which is used for
each direction of traffic.
00:12:07
It means that you can have different rules
00:12:09
for different types of traffic.
00:12:11
Something which is great
00:12:13
for more rigorous security environments.
00:12:16
Now, the other type of
VPN is route-based VPNs
00:12:20
and these do target
matching based on prefix.
00:12:23
For example, send traffic for
192.168.0.0/24 over this VPN.
00:12:31
With this type of VPN,
you have a single pair
00:12:34
of security associations
for each network prefix.
00:12:38
This means all traffic types
00:12:40
between those networks use the same path
00:12:43
of security associations.
00:12:45
Now this provides less functionality
00:12:48
but it is much simpler to set up.
00:12:50
To illustrate the differences
00:12:51
between route-based and policy-based VPNs,
00:12:54
it's probably worth looking visually
00:12:56
at the phase one and
phase two architectures.
00:13:00
Let's start with a simple route-based VPN.
00:13:04
The phase one tunnel is established using
00:13:07
a phase one tunnel key.
00:13:09
Now, assuming that we're
using a route-based VPN
00:13:12
then a single pair of security
associations is created,
00:13:16
one in each direction
using a single IPsec key.
00:13:21
So this means that we have a
pair of security associations
00:13:24
and essentially a single phase two tunnel,
00:13:26
running over the phase one tunnel.
00:13:29
Note the phase two or IPsec tunnel,
00:13:32
which is how we talk about the pair
of security associations, can be dropped
00:13:36
when there is no more interesting traffic
00:13:38
and recreated again on top
of the same phase one tunnel
00:13:42
when new traffic is detected.
00:13:44
But the key thing to understand
00:13:46
is that there's one
phase one tunnel running
00:13:49
one phase two tunnel based on routes.
00:13:53
Running a policy-based VPN is different.
00:13:56
We still have the same phase one tunnel
00:13:58
but over the top of this,
each policy match uses
00:14:02
an SA pair with a unique IPsec key.
00:14:06
And this allows us
00:14:07
to have, for the same network,
different security settings
00:14:14
for different types of traffic.
00:14:15
In this example infrastructure at the top,
00:14:16
CCTV in the middle
00:14:18
and financial systems at the bottom.
00:14:20
So policy-based VPNs are
more difficult to configure
00:14:24
but do provide much more flexibility
00:14:26
when it comes to using
different security settings
00:14:29
for different types of traffic.
00:14:31
Now that, at a very high
level, is how VPN functions.
00:14:36
So the security architecture
of how everything interacts
00:14:39
with everything else.
00:14:40
Elsewhere in my course, you'll
be learning how AWS use VPNs
00:14:44
within their product set,
00:14:46
but for now that's everything
that I wanted to cover.
00:14:49
So go ahead and complete this video
00:14:50
and then when you're ready,
00:14:51
I look forward to your
joining me in the next.