  1. #981 rthonpm

    Re: Need some advice on learning networking

    PKI = Public Key Infrastructure. It's a security method based on a public and private key exchange. It's how HTTPS and most online encryption works.

    In an AD network, for any internal TLS connection it makes sense to use an internal Certificate Authority, since Active Directory member computers will implicitly trust anything using certs issued by it. For connections over the internet, a public CA would be a better option.

    At this point, most VPN instances in any business are through an appliance of some kind as opposed to a homebrew solution that you used to see in the past. Once the core config is set, the appliance manages almost everything. Cisco has a pretty good solution, though it comes with a hefty price tag.

    Sent from my BlackBerry using Tapatalk

  2. #982 rthonpm

    One other point I forgot to mention: almost every business customer we have with a VPN has turned off split tunneling. The additional bandwidth costs were worth not needing to worry about people transferring company data to their personal network devices, or malware moving from a personal device to a company owned one that was part of the same network.

    Sent from my BlackBerry using Tapatalk

  3. #983 BillyCarpenter

    Quote Originally Posted by rthonpm:
    PKI = Public Key Infrastructure. It's a security method based on a public and private key exchange. It's how HTTPS and most online encryption works.

    In an AD network, for any internal TLS connection it makes sense to use an internal Certificate Authority, since Active Directory member computers will implicitly trust anything using certs issued by it. For connections over the internet, a public CA would be a better option.

    At this point, most VPN instances in any business are through an appliance of some kind as opposed to a homebrew solution that you used to see in the past. Once the core config is set, the appliance manages almost everything. Cisco has a pretty good solution, though it comes with a hefty price tag.

    Sent from my BlackBerry using Tapatalk

    I've continued to do my homework on VPNs and I know I've thanked rthonpm a million times, but I need to thank him again. He has really helped to point me in the right direction and saved me a lot of time.

    This is by far the best tutorial I've seen to date on explaining AH vs. ESP and ISAKMP in IPsec tunnels, and it hits on many of the concepts that rthonpm talked about.

    Warning: It's really detailed and very technical.

    Growth is found only in adversity.

  4. #984 BillyCarpenter

    Here's my understanding about site-to-site VPNs and IPsec.

    Let's say that we have 2 offices. One is in Las Vegas and the other is in Nebraska. The Las Vegas office is on a 192. network and the Nebraska office is on a 10. network. How can we get connectivity between the 2 networks over the internet?

    First we're gonna need a router or firewall that's capable of implementing IPsec, and we're gonna need one on each network.

    Note: By default, IKEv2 uses IPSec, which requires UDP ports 500 and 4500, and ESP IP Protocol 50. You cannot disable IPSec.

    How does it all work? Well, it's pretty straightforward:

    We have an edge router in Las Vegas that's on the 192. network and we "tell" this router that if a packet is sourced from the 192. network and it's destined for the 10. network, here's what I want you to do: I want you to take that packet and, instead of just forwarding it to your default gateway, I want you to encrypt it and then encapsulate it inside of another packet and send it over to the edge router in Nebraska.

    In conclusion, all the internet is gonna see is the public IP addresses of the 2 internet routers, because the private IP addresses are all encapsulated inside of the IPsec packets.

    Hope that made sense.

    EDIT: IPsec supports automated generation and negotiation of keys and security associations using the IKE protocol. You can dig into that if you wish, but for now I'm gonna chalk it up to magic. lol
    Growth is found only in adversity.
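The "tell the router which packets to tunnel" step above is what Cisco calls the crypto ACL, and the Note about UDP 500/4500 and ESP is the firewall side of the same setup. The Python below is an added illustration written for this thread, not code from any vendor or from the poster: it models the interesting-traffic decision and the encapsulation result, and lists which of the IKE/ESP flows a perimeter firewall still blocks. The LAN and public addresses are constructed placeholders from the RFC 1918 and RFC 5737 documentation ranges.

```python
"""Added illustration (not any vendor's code) of how an edge router decides which
packets go into a site-to-site IPsec tunnel, and of the flows a perimeter
firewall must permit for IKE/IPsec to come up. All addresses are constructed
placeholders from the RFC 1918 and RFC 5737 documentation ranges."""
import ipaddress
from dataclasses import dataclass

# Constructed topology: two private LANs and two public tunnel endpoints.
LAS_VEGAS_LAN = ipaddress.ip_network("192.168.10.0/24")
NEBRASKA_LAN = ipaddress.ip_network("10.20.0.0/16")
LAS_VEGAS_PUBLIC = "203.0.113.1"
NEBRASKA_PUBLIC = "198.51.100.1"

# Flows the two peers must be allowed to exchange for the tunnel to establish.
# The ESP entry carries an IP protocol number, not a port.
IKE_IPSEC_FLOWS = (
    ("udp", 500),   # ISAKMP / IKE negotiation
    ("udp", 4500),  # IKE and ESP wrapped in UDP when NAT is in the path
    ("esp", 50),    # IP protocol 50, the encrypted payload itself
)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes = b""


def is_interesting(pkt: Packet, local_lan, remote_lan) -> bool:
    """The crypto ACL: only traffic from our LAN to the peer's LAN is protected."""
    return (ipaddress.ip_address(pkt.src) in local_lan
            and ipaddress.ip_address(pkt.dst) in remote_lan)


def forward(pkt: Packet, local_lan, remote_lan, local_public, remote_public) -> dict:
    """Return what the edge router puts on the wire for this packet.

    Interesting traffic is encrypted and encapsulated (tunnel mode): the outer
    header carries only the two public addresses, so the Internet never sees
    the private source and destination. Everything else is routed as-is.
    """
    if is_interesting(pkt, local_lan, remote_lan):
        return {
            "action": "esp-tunnel",
            "outer_src": local_public,
            "outer_dst": remote_public,
            "ip_proto": 50,
            "inner": pkt,        # stands in for the encrypted original packet
        }
    return {"action": "route", "outer_src": pkt.src, "outer_dst": pkt.dst,
            "ip_proto": None, "inner": None}


def missing_firewall_rules(allowed) -> list:
    """Given the (proto, port) flows a firewall already permits between the two
    public endpoints, list what still blocks the tunnel from establishing."""
    return [flow for flow in IKE_IPSEC_FLOWS if flow not in allowed]


if __name__ == "__main__":
    lan_to_lan = Packet("192.168.10.5", "10.20.3.7")
    lan_to_web = Packet("192.168.10.5", "192.0.2.10")
    for pkt in (lan_to_lan, lan_to_web):
        result = forward(pkt, LAS_VEGAS_LAN, NEBRASKA_LAN, LAS_VEGAS_PUBLIC, NEBRASKA_PUBLIC)
        print(pkt.src, "->", pkt.dst, result["action"], result["outer_src"], "->", result["outer_dst"])
    print("still blocked:", missing_firewall_rules({("udp", 500)}))
```

Two things worth noticing when running it: a packet in the reverse direction (10. to 192.) is not interesting on the Las Vegas router, because the Nebraska router owns the mirror-image ACL; and a firewall that only opens UDP 500 lets Phase 1 negotiate but still drops the ESP payload, which is the classic "tunnel shows up but no traffic passes" symptom.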

  5. #985 BillyCarpenter

    One thing that I failed to mention is this:

    There are actually 2 tunnels that are built when implementing a VPN/IPsec.

    The first tunnel is the IKE tunnel. IKE stands for INTERNET KEY EXCHANGE. You can think of the IKE tunnel as a personal private party line that allows the 2 routers to communicate with each other. They're also gonna use the IKE tunnel to build the IPsec tunnel. That's the tunnel that the packet is gonna be encrypted on and sent between the 2 routers.

    There are a lot of moving parts, but the Phase 1 tunnel (IKE) is used to exchange secret security keys, and we're building another tunnel (IPsec) where data is encrypted, sent over and then decrypted.
    Growth is found only in adversity.

  6. #986 BillyCarpenter

    Learning how to connect 2 remote sites is turning into a very complex job that requires some in-depth knowledge.

    First, I needed to understand the theory behind site-to-site VPN. I have the theory down. The next step is to actually learn to set it up. This is where a person is gonna run into some problems. At least if you're using Cisco routers/firewalls. I suspect the same is true for other brands.

    NOTE: Because your company information is going out over the internet to a remote site, security is paramount. And that's a big part of setting up a VPN.

    Let's continue....

    In order to set this up, it must be done via command line. The syntax looks impossible to remember if you ask me. Unless you're doing this every day. Anyway, that's another story.

    Here's an easy way to remember what you need to negotiate between the 2 routers for the Phase 1 tunnel. Remember that IKE (Internet Key Exchange) is the Phase 1 tunnel and this is all about agreeing to security parameters between the 2 routers. If everything isn't the same for both routers, it will not work.

    You need to remember the word: HAGLE

    H - Hash (Hash is used to check data integrity. Popular hashing algorithms are MD5 and SHA.)
    A - Authentication (how do we want to make the other device prove who it is: pre-shared keys or digital certificates)
    G - Group (Group refers to DH. DH stands for Diffie-Hellman group, named for the 2 men who wrote the protocol that is responsible for generating secret security keys.)
    L - Lifetime (how long should this tunnel stay up? The shorter the more secure. Default on a Cisco router is 1 day.)
    E - Encryption (What type of encryption method do we want to use?)

    To accomplish all of those things it requires typing in a LOT of command lines that I won't bore you with at the moment.

    As you can see, I still have a ways to go before I really know how to set this up.
    Growth is found only in adversity.

  7. #987 rthonpm

    This is just showing why I stay in system administration instead of networking. Congratulations on getting some of this down, and even if you don't get all of it burned into your memory, most network engineers I know usually have to look up command syntax unless they do the same stuff every day.

    Sent from my BlackBerry using Tapatalk

  8. #988 BillyCarpenter

    Quote Originally Posted by rthonpm:
    This is just showing why I stay in system administration instead of networking. Congratulations on getting some of this down, and even if you don't get all of it burned into your memory, most network engineers I know usually have to look up command syntax unless they do the same stuff every day.

    Sent from my BlackBerry using Tapatalk

    You're probably smart to stay away from this stuff, because I really don't think I'll ever use most of this knowledge. If a company is big enough to implement this...they probably have an IT staff and won't need me to do it.

    I really didn't understand what I was getting into when I decided to learn routers and switches. But I do find it interesting, and I think I've become addicted to seeing it through to the end. If it doesn't kill me first.
    Growth is found only in adversity.

  9. #989 skynet

    Quote Originally Posted by rthonpm:
    PKI = Public Key Infrastructure. It's a security method based on a public and private key exchange. It's how HTTPS and most online encryption works.
    I have got a Raspberry Pi that I log into with SSH using public/private keys, no password. The odd thing is you generate the pub/priv keys on the computer that you're logging in from, and do this on each computer that you want to access the Pi from; the odd thing is this seems the opposite to how the internet works.
    Explained at about 8 minutes into this video:
    5 Steps to Secure Linux (protect from hackers) - YouTube
    When you think you have made a procedure idiot proof your company employs a better idiot.

  10. #990 rthonpm

    Quote Originally Posted by skynet:
    I have got a Raspberry Pi that I log into with SSH using public/private keys, no password. The odd thing is you generate the pub/priv keys on the computer that you're logging in from, and do this on each computer that you want to access the Pi from; the odd thing is this seems the opposite to how the internet works.
    Explained at about 8 minutes into this video:
    5 Steps to Secure Linux (protect from hackers) - YouTube
    Which is fine in an unmanaged environment. Essentially, SSH is using self-signed certificates, which is why on your initial connection you're asked if you want to accept the key. In some larger environments we support, they go as far as having all of their SSH keys generated and signed by an internal certificate authority so that they are implicitly trusted. It takes out the possibility of a rogue server in the environment.

    Sent from my BlackBerry using Tapatalk
