Virtual Private Networks

VPNs allow us to encapsulate network traffic and pass it across another network. VPNs can have many properties, such as encryption (privacy) and signing (non-repudiation). Traffic can carry cryptographic integrity protection so that it cannot be tampered with or changed without detection. The result is an overlay network: a network built on top of another network.

IPsec Tunnels

IPsec, or Internet Protocol Security, is a framework of open standards defined by the IETF to support private and secure communications over the Internet; “IPsec creates a boundary between unprotected and protected interfaces, for a host or a network”. There are several modes of operation. IPsec can operate in tunnel mode, where the transport is security gateway to security gateway and where each security gateway may provide transport for an entire network. Alternatively, it can operate in transport mode, where the communications occur between the end-point devices themselves, for example inside a Layer 2 Tunnelling Protocol (L2TP) tunnel. Finally, it can act between a security gateway and a security client, which is how we give travelling external staff access to a network.

There are many other applications for this technology. For example, I can make any Windows file server encrypt its traffic using IPsec. A domain client will encrypt all communications with this file server. I have done this in the past in LAN environments where the LAN may be hostile.
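The encapsulation and tamper-detection properties described above (the inner datagram wrapped in an outer header with a cryptographic check value, as in IPsec tunnel mode) are illustrated below with a toy implementation. This is an added example, not code from the page and not IPsec itself: the header layout, the key and the sample datagram are constructed, real IPsec negotiates keys with IKE and uses the ESP/AH formats, and this toy covers only integrity and replay protection, not confidentiality, because the Python standard library has no AES.

```python
"""Toy tunnel-mode encapsulation with an integrity check value (stdlib only).

Mirrors the shape of an IPsec tunnel-mode packet: outer header (SPI, sequence
number, length) || whole inner datagram || truncated HMAC tag. Constructed
illustration; not the IPsec wire format.
"""
from __future__ import annotations

import hashlib
import hmac
import struct

HEADER_FMT = "!IIH"                     # SPI, sequence number, inner length
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = 16                            # HMAC-SHA256 truncated to 128 bits


class TunnelError(Exception):
    """Raised when a packet fails the integrity, length or replay checks."""


def encapsulate(key: bytes, spi: int, seq: int, inner: bytes) -> bytes:
    """Wrap an inner datagram: header || inner || tag over (header || inner)."""
    header = struct.pack(HEADER_FMT, spi, seq, len(inner))
    tag = hmac.new(key, header + inner, hashlib.sha256).digest()[:TAG_LEN]
    return header + inner + tag


def decapsulate(key: bytes, packet: bytes, last_seq: int) -> tuple[int, int, bytes]:
    """Return (spi, seq, inner) or raise TunnelError.

    The tag is checked before any field is trusted, so a modified header or
    payload is rejected without being parsed further.
    """
    if len(packet) < HEADER_LEN + TAG_LEN:
        raise TunnelError("truncated packet")
    header = packet[:HEADER_LEN]
    body = packet[HEADER_LEN:-TAG_LEN]
    tag = packet[-TAG_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise TunnelError("integrity check failed")
    spi, seq, length = struct.unpack(HEADER_FMT, header)
    if length != len(body):
        raise TunnelError("length field does not match payload")
    if seq <= last_seq:                           # simple anti-replay window
        raise TunnelError("replayed or out-of-order sequence number")
    return spi, seq, body


def is_accepted(key: bytes, packet: bytes, last_seq: int) -> bool:
    """True if the receiving gateway would forward the inner datagram."""
    try:
        decapsulate(key, packet, last_seq)
        return True
    except TunnelError:
        return False


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"
    # Constructed stand-in for an inner IP datagram on the private overlay.
    inner = b"inner datagram 10.0.0.5 -> 10.0.0.9: hello"
    pkt = encapsulate(key, spi=0x1000, seq=1, inner=inner)
    print("valid packet accepted:", is_accepted(key, pkt, last_seq=0))
    flipped = pkt[:HEADER_LEN] + bytes([pkt[HEADER_LEN] ^ 0x01]) + pkt[HEADER_LEN + 1:]
    print("tampered payload accepted:", is_accepted(key, flipped, last_seq=0))
    print("replayed packet accepted:", is_accepted(key, pkt, last_seq=1))
```

The outer network only ever sees the header, the opaque payload and the tag; the addresses inside `inner` belong to the overlay. Flipping a single payload byte, or re-sending a packet whose sequence number the receiver has already passed, is rejected before the datagram is handed to the protected network.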

SSL Tunnels

A standard technique for securing sessions between a web client and a web server is to use Secure Sockets Layer (SSL), which is deprecated, or Transport Layer Security (TLS). SSL was originally developed by Netscape c. 1994 and reached its final version in 1996. It served as the basis for TLS, currently on version 1.3 [3]. The concept behind SSL was to develop a protocol that runs between the lower network and transport layers and the upper application layers. It allows a user’s browser to confirm a server’s identity using a public key certificate issued by a certificate authority which is trusted by the client. SSL client authentication works in the same manner in the other direction. Encryption is also supported, providing both privacy and protection against tampering.
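The server-identity check described above only holds if the client actually enforces it: the presented certificate must chain to a CA the client trusts, its name must match the host being contacted, and deprecated protocol versions must be refused. The following added example (not code from the page) shows the weak client configuration that disables those checks beside a hardened one, plus an audit function that reports which checks a given context skips. It uses only Python's `ssl` module, makes no network connection, and the `ca_bundle` path is an assumed, optional private-CA file.

```python
"""Client-side TLS verification settings, weak vs hardened (stdlib only).

Added illustration. No connection is made; the functions build and audit
ssl.SSLContext objects so the verification posture can be checked in tests.
"""
from __future__ import annotations

import ssl

# Versions that should never be negotiated by a modern client.
DEPRECATED_MINIMUMS = {
    ssl.TLSVersion.MINIMUM_SUPPORTED,
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
}


def weak_context() -> ssl.SSLContext:
    """The anti-pattern: 'fix' certificate errors by switching verification off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # accepts any certificate from any issuer
    return ctx


def hardened_context(ca_bundle: str | None = None) -> ssl.SSLContext:
    """Require a chain to a trusted CA, a matching hostname and TLS >= 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if ca_bundle:                       # assumed path to a private CA bundle
        ctx.load_verify_locations(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return findings for a client context; an empty list means peers are verified."""
    findings: list[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server identity is not checked")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for any name is accepted")
    if ctx.minimum_version in DEPRECATED_MINIMUMS:
        findings.append(
            f"minimum_version {ctx.minimum_version.name} allows deprecated protocol versions"
        )
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(f"{name}: {audit_context(ctx) or ['no findings']}")
```

A context with `CERT_NONE` still encrypts the session, which is why the mistake survives testing: traffic is private against a passive observer, but nothing ties the public key to the server the client meant to reach, so the identity guarantee the text describes is lost.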

SDWAN

Modern solutions tend to have more complex functionality, much of which remains proprietary. The Software Defined WAN (SD-WAN) is a term which is poorly defined, but in many implementations it does include site-to-site connectivity with micro-segmentation.
