Private WAN services provide security either by tagging traffic (e.g. MPLS labels) so that only the authorized customer's sites can reach it, or by virtue of the fact that traffic is transmitted on private lines that nobody else has access to. Note that this is isolation, not encryption: the service provider itself can still see the traffic.
However, when using the Internet as a WAN there is no built-in security at all. Unless countermeasures are taken, anyone on the path between the two sites could intercept, read, and modify the traffic.
One way we can secure data transmissions over the Internet is with Virtual Private Networks (VPNs).
Let’s talk about two particular kinds of VPN:
- Site-to-site IPsec VPNs
- Remote-access TLS VPNs
Site-to-Site VPNs (IPsec)
A site-to-site VPN spans between two devices, connecting them together over the Internet.
In IPsec, each original packet is encrypted and authenticated (ESP provides both) before transmission, so it cannot be read or altered by anyone who does not hold the keys. The encrypted packet is then encapsulated with a VPN header (the ESP header) and a new IP header whose source and destination are the two VPN devices' public addresses, and transmitted to the other device. This point A to point B stream of encrypted packets, whose contents nobody in between can meaningfully access, is called a 'VPN tunnel'.
Note
Being a point-to-point connection that carries unicast IP only, a plain IPsec tunnel does not support broadcast or multicast traffic. Therefore, routing protocols like OSPF, whose hellos are sent to multicast addresses, cannot run over such tunnels. This problem can be solved with GRE over IPsec (next section).
Note
Configuring a full mesh of IPsec tunnels would be labor intensive: n sites need n(n-1)/2 tunnels, each configured by hand on both ends. There are solutions to this problem as well, e.g. Cisco's DMVPN.
GRE over IPsec
Generic Routing Encapsulation (GRE) creates tunnels like IPsec does, but it neither encrypts nor authenticates the packets, so on its own it is not secure.
That said, it can encapsulate a variety of Layer 3 protocols and broadcast and multicast messages.
GRE over IPsec gives us the best of both worlds: we encapsulate many kinds of data, including multicast routing updates, with a GRE header, and the whole GRE packet is then encrypted and authenticated by IPsec before it is transmitted.
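As an added example (not from the original notes), here is a Cisco IOS configuration for site A of a two-site setup that shows both approaches side by side: a plain IPsec tunnel built with a crypto map, over which OSPF cannot run, and a GRE tunnel protected by IPsec, over which OSPF can. All addresses (203.0.113.1 and 203.0.113.2 as the public WAN addresses, 10.0.0.0/30 as the tunnel subnet, 192.168.1.0/24 and 192.168.2.0/24 as the site LANs), the object names and the pre-shared key are made up for this example, and site B mirrors the configuration with the addresses swapped. IKEv1 with a pre-shared key is shown because it is the simplest to read, not because it is the recommended choice.

```cisco
! --- IKE (ISAKMP) policy and key, shared by both options (constructed example) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key ExamplePSK-ChangeMe address 203.0.113.2
!
interface GigabitEthernet0/0
 description WAN (Internet)
 ip address 203.0.113.1 255.255.255.252
!
! Default route toward the Internet (in this constructed topology the two
! WAN addresses share a /30, so the peer is also the next hop).
ip route 0.0.0.0 0.0.0.0 203.0.113.2
!
! --- Option A: plain site-to-site IPsec with a crypto map ---
! Only traffic matching the ACL is encrypted (tunnel mode adds the new
! outer IP header). The tunnel carries unicast IP only, so OSPF hellos
! (multicast 224.0.0.5) never enter it; the remote LAN must be reached
! by a static route, and the crypto map then picks the packets up.
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 crypto map VPN-MAP
!
! --- Option B: GRE over IPsec with tunnel protection (use instead of A) ---
! GRE carries multicast, so OSPF runs across Tunnel0 and the remote LAN is
! learned dynamically. Transport mode is enough here because GRE already
! supplies the outer IP header; IPsec then encrypts the GRE header and
! everything inside it.
crypto ipsec transform-set TS-AES256-GRE esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set TS-AES256-GRE
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
!
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
```

A few practitioner caveats: the policy above deliberately avoids the old defaults (DES/3DES, MD5/SHA-1, DH group 1 or 2) that many IOS examples still show, and DH group 14 (2048-bit) should be treated as the minimum. In production, prefer IKEv2 (the `crypto ikev2` command family) with certificate or per-peer key authentication over a single IKEv1 pre-shared key, and verify the result with `show crypto isakmp sa`, `show crypto ipsec sa` and, for Option B, `show ip ospf neighbor` on the tunnel interface.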
DMVPN
Dynamic Multipoint VPN (DMVPN) is a Cisco-proprietary solution that allows routers to dynamically create a full mesh of IPsec tunnels without having to manually configure them one by one.
The engineer/admin does still need to manually configure some of the tunnels:
- First, every router is configured with a tunnel to a single router, the hub site.
- The hub router then gives each other router (the spokes) the information it needs, namely the other spokes' public addresses, to form IPsec tunnels directly with each of them on demand.
- So the hub-to-spoke tunnels must still be configured manually, but the spoke-to-spoke tunnels, which are the majority in any network with more than a few sites, are formed dynamically.
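An added example, not from the original notes, showing what "only the hub is configured in advance" looks like: a minimal Cisco IOS DMVPN configuration for one hub and one spoke, with OSPF running over the multipoint tunnel. The hub's public address 203.0.113.1, the tunnel subnet 10.0.0.0/24, the NHRP network-id and authentication string, the object names and the pre-shared key are all made up for this example. The spoke configuration is identical on every spoke except its tunnel IP address, which is what makes DMVPN scale.

```cisco
! ===== Hub (constructed example) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Spokes often have dynamic public addresses, so the hub cannot key on a
! fixed peer address. A wildcard PSK is the usual shortcut, but it is one
! secret shared by every site: compromise of any spoke exposes all of them.
! Certificates, or IKEv2 with per-peer keys, are preferable in production.
crypto isakmp key ExampleDMVPNKey-ChangeMe address 0.0.0.0
crypto ipsec transform-set TS-DMVPN esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set TS-DMVPN
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
! NHRP authentication is a cleartext string (max 8 chars): a misconfiguration
! check, not a security control. IPsec is what authenticates the peers.
 ip nhrp authentication DMVPNKEY
 ip nhrp network-id 1
! Replicate multicast (OSPF hellos) to every spoke that has registered.
 ip nhrp map multicast dynamic
! Broadcast network type so all spokes adjacency with the hub as DR.
 ip ospf network broadcast
 ip ospf priority 255
 tunnel source GigabitEthernet0/0
! One multipoint GRE interface serves all spokes; no per-spoke tunnels.
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
!
! ===== Spoke (identical on every spoke except the tunnel IP) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key ExampleDMVPNKey-ChangeMe address 203.0.113.1
crypto ipsec transform-set TS-DMVPN esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set TS-DMVPN
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication DMVPNKEY
 ip nhrp network-id 1
! The hub is the next-hop server; its public address is the only one
! a spoke needs to know. Other spokes' addresses are learned via NHRP.
 ip nhrp nhs 10.0.0.1
 ip nhrp map 10.0.0.1 203.0.113.1
! Send multicast (routing hellos) to the hub only, never spoke-to-spoke.
 ip nhrp map multicast 203.0.113.1
 ip ospf network broadcast
! Spokes must never become DR/BDR, since only the hub reaches everyone.
 ip ospf priority 0
 tunnel source GigabitEthernet0/0
! Multipoint on the spoke too, so spoke-to-spoke tunnels can form on demand.
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
```

With this in place a spoke registers with the hub at boot (visible with `show ip nhrp` on the hub); when spoke 2 first sends traffic to spoke 3, it resolves spoke 3's public address through the hub and brings up a direct IPsec-protected tunnel, which `show dmvpn` on either spoke then lists as a dynamic entry. Note that the routing protocol must leave the next hop pointing at the originating spoke for this to work, which is why OSPF is set to the broadcast network type here.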
Remote-Access VPNs
Remote-access VPNs are used to allow end devices to access a company's internal resources securely over the Internet. Remote-access VPNs typically use Transport Layer Security (TLS), the same protocol that secures HTTPS, which is also why they usually pass through firewalls and NAT devices that would block IPsec.
VPN client software (e.g. Cisco AnyConnect) is installed on the end devices (e.g. company laptops) that employees use to work remotely. With this software, a device authenticates to, and forms an encrypted tunnel with, one of the company's routers/firewalls acting as a TLS server, and the traffic to internal resources travels inside that tunnel.